Merge master into haskell-updates

This commit is contained in:
github-actions[bot] 2024-11-01 00:18:16 +00:00 committed by GitHub
commit 3a826649ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1860 changed files with 75883 additions and 39593 deletions


@ -40,6 +40,9 @@ d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
# fix indentation in meteor default.nix # fix indentation in meteor default.nix
a37a6de881ec4c6708e6b88fd16256bbc7f26bbd a37a6de881ec4c6708e6b88fd16256bbc7f26bbd
# pkgs/stdenv/make-derivation: Reindent
b4cc2a2479a7ab0f6440b2e1319221920ef72699
# treewide: automatically md-convert option descriptions # treewide: automatically md-convert option descriptions
2e751c0772b9d48ff6923569adfa661b030ab6a2 2e751c0772b9d48ff6923569adfa661b030ab6a2
@ -189,3 +192,14 @@ ce21e97a1f20dee15da85c084f9d1148d84f853b
# percona: apply nixfmt # percona: apply nixfmt
8d14fa2886fec877690c6d28cfcdba4503dbbcea 8d14fa2886fec877690c6d28cfcdba4503dbbcea
# nixos/virtualisation: format image-related files
# Original formatting commit that was reverted
04fadac429ca7d6b92025188652376c230205730
# Revert commit
4cec81a9959ce612b653860dcca53101a36f328a
# Final commit that does the formatting
88b285c01d84de82c0b2b052fd28eaf6709c2d26
# sqlc: format with nixfmt
2bdec131b2bb2c8563f4556d741d34ccb77409e2


@ -8,4 +8,4 @@
## Technical details ## Technical details
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result. <!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->


@ -33,12 +33,8 @@ If in doubt, check `git blame` for whoever last touched something.
--> -->
### Metadata ### Metadata
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
```console <!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
output here
```
--- ---


@ -31,12 +31,7 @@ If in doubt, check `git blame` for whoever last touched something.
### Metadata ### Metadata
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result. <!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
```console
[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
output here
```
--- ---

15
.github/labeler.yml vendored

@ -217,9 +217,9 @@
- changed-files: - changed-files:
- any-glob-to-any-file: - any-glob-to-any-file:
- doc/languages-frameworks/nim.section.md - doc/languages-frameworks/nim.section.md
- pkgs/development/compilers/nim/* - pkgs/build-support/build-nim-package.nix
- pkgs/development/nim-packages/**/* - pkgs/by-name/ni/nim*
- pkgs/top-level/nim-packages.nix - pkgs/top-level/nim-overrides.nix
"6.topic: nodejs": "6.topic: nodejs":
- any: - any:
@ -340,6 +340,15 @@
- pkgs/os-specific/linux/systemd/**/* - pkgs/os-specific/linux/systemd/**/*
- nixos/modules/system/boot/systemd*/**/* - nixos/modules/system/boot/systemd*/**/*
"6.topic: tcl":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/tcl.section.md
- pkgs/development/interpreters/tcl/*
- pkgs/development/tcl-modules/**/*
- pkgs/top-level/tcl-packages.nix
"6.topic: TeX": "6.topic: TeX":
- any: - any:
- changed-files: - changed-files:


@ -20,7 +20,7 @@ jobs:
if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name)) if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
- name: Create backport PRs - name: Create backport PRs


@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
# we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30 - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with: with:


@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS' if: github.repository_owner == 'NixOS'
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
fetch-depth: 0 fetch-depth: 0
filter: blob:none filter: blob:none


@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS' if: github.repository_owner == 'NixOS'
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')" if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')" if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -10,7 +10,7 @@ jobs:
name: shell-check-x86_64-linux name: shell-check-x86_64-linux
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge
@ -22,7 +22,7 @@ jobs:
name: shell-check-aarch64-darwin name: shell-check-aarch64-darwin
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -1,17 +1,32 @@
name: Codeowners name: Codeowners v2
# This workflow depends on a GitHub App with the following permissions: # This workflow depends on two GitHub Apps with the following permissions:
# - Repository > Administration: read-only # - For checking code owners:
# - Organization > Members: read-only # - Permissions:
# - Repository > Pull Requests: read-write # - Repository > Administration: read-only
# The App needs to be installed on this repository # - Organization > Members: read-only
# the OWNER_APP_ID repository variable needs to be set # - Install App on this repository, setting these variables:
# the OWNER_APP_PRIVATE_KEY repository secret needs to be set # - OWNER_RO_APP_ID (variable)
# - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
# - Permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Repository > Pull Requests: read-write
# - Install App on this repository, setting these variables:
# - OWNER_APP_ID (variable)
# - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
on: on:
pull_request_target: pull_request_target:
types: [opened, ready_for_review, synchronize, reopened, edited] types: [opened, ready_for_review, synchronize, reopened, edited]
# We don't need any default GitHub token
permissions: {}
env: env:
OWNERS_FILE: ci/OWNERS OWNERS_FILE: ci/OWNERS
# Don't do anything on draft PRs # Don't do anything on draft PRs
@ -35,7 +50,7 @@ jobs:
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
# We later build and run code from the base branch with access to secrets, # We later build and run code from the base branch with access to secrets,
# so it's important this is not the PRs code. # so it's important this is not the PRs code.
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
path: base path: base
@ -45,10 +60,10 @@ jobs:
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
id: app-token id: app-token
with: with:
app-id: ${{ vars.OWNER_APP_ID }} app-id: ${{ vars.OWNER_RO_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }} private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
ref: refs/pull/${{ github.event.number }}/merge ref: refs/pull/${{ github.event.number }}/merge
path: pr path: pr
@ -72,7 +87,7 @@ jobs:
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head. # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
# This is intentional, because we need to request the review of owners as declared in the base branch. # This is intentional, because we need to request the review of owners as declared in the base branch.
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
id: app-token id: app-token
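Review bot: The checkout of `refs/pull/${{ github.event.number }}/merge` into `path: pr` in the hunk at @ -45,10 +60,10 keeps actions/checkout's default `persist-credentials: true`, so the job's token is written into `pr/.git/config` right next to the untrusted tree that the new header comment says this job exists to handle. Adding `persist-credentials: false` to that `with:` block (and to the `path: base` checkout above it, which likewise only needs the files) takes that credential off disk; the new workflow-level `permissions: {}` already limits what the default token can do, so this is defence in depth rather than a known exposure. The base checkout carries a comment explaining why it must not be PR code, and the `pr` checkout deserves the mirror-image comment, e.g. `# Untrusted: this is the PR's merge commit. Treat it as data only; nothing from this tree is built or executed.` (the steps that consume `pr` are outside the hunks shown, so confirm that holds). Both jobs start and end outside the hunks shown.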


@ -1,6 +1,8 @@
name: "Checking EditorConfig" name: "Checking EditorConfig v2"
permissions: read-all permissions:
pull-requests: read
contents: read
on: on:
# avoids approving first time contributors # avoids approving first time contributors
@ -25,7 +27,7 @@ jobs:
- name: print list of changed files - name: print list of changed files
run: | run: |
cat "$HOME/changed_files" cat "$HOME/changed_files"
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -1,6 +1,7 @@
name: "Build NixOS manual" name: "Build NixOS manual v2"
permissions: read-all permissions:
contents: read
on: on:
pull_request_target: pull_request_target:
@ -15,7 +16,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS' if: github.repository_owner == 'NixOS'
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -1,6 +1,7 @@
name: "Build Nixpkgs manual" name: "Build Nixpkgs manual v2"
permissions: read-all permissions:
contents: read
on: on:
pull_request_target: pull_request_target:
@ -17,7 +18,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS' if: github.repository_owner == 'NixOS'
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -1,6 +1,8 @@
name: "Check whether nix files are parseable" name: "Check whether nix files are parseable v2"
permissions: read-all permissions:
pull-requests: read
contents: read
on: on:
# avoids approving first time contributors # avoids approving first time contributors
@ -25,7 +27,7 @@ jobs:
if [[ -s "$HOME/changed_files" ]]; then if [[ -s "$HOME/changed_files" ]]; then
echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV" echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
fi fi
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge ref: refs/pull/${{ github.event.pull_request.number }}/merge


@ -27,7 +27,7 @@ jobs:
timeout-minutes: 10 timeout-minutes: 10
steps: steps:
# This checks out the base branch because of pull_request_target # This checks out the base branch because of pull_request_target
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
path: base path: base
sparse-checkout: ci sparse-checkout: ci
@ -42,7 +42,7 @@ jobs:
echo "Skipping the rest..." echo "Skipping the rest..."
fi fi
rm -rf base rm -rf base
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: env.mergedSha if: env.mergedSha
with: with:
# pull_request_target checks out the base branch by default # pull_request_target checks out the base branch by default


@ -41,7 +41,7 @@ jobs:
into: staging-24.05 into: staging-24.05
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0


@ -39,7 +39,7 @@ jobs:
into: staging into: staging
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps: steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} - name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0 uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0


@ -11,13 +11,13 @@
# - There is no need for user/team listed here to have write access. # - There is no need for user/team listed here to have write access.
# - No reviews will be requested for PRs that target the wrong base branch. # - No reviews will be requested for PRs that target the wrong base branch.
# #
# Processing of this file is implemented in workflows/codeowners.yml # Processing of this file is implemented in workflows/codeowners-v2.yml
# CI # CI
/.github/workflows @NixOS/Security @Mic92 @zowoq /.github/workflows @NixOS/Security @Mic92 @zowoq
/.github/workflows/check-nix-format.yml @infinisil /.github/workflows/check-nix-format.yml @infinisil
/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron /.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
/.github/workflows/codeowners.yml @infinisil /.github/workflows/codeowners-v2.yml @infinisil
/ci/OWNERS @infinisil /ci/OWNERS @infinisil
/ci @infinisil @philiptaron @NixOS/Security /ci @infinisil @philiptaron @NixOS/Security
@ -173,10 +173,17 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/pkgs/development/r-modules @jbedo /pkgs/development/r-modules @jbedo
# Rust # Rust
/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda /pkgs/development/compilers/rust @alyssais @Mic92 @zowoq @winterqt @figsoda
/pkgs/build-support/rust @zowoq @winterqt @figsoda /pkgs/build-support/rust @zowoq @winterqt @figsoda
/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda /doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
# Tcl
/pkgs/development/interpreters/tcl @fgaz
/pkgs/development/libraries/tk @fgaz
/pkgs/top-level/tcl-packages.nix @fgaz
/pkgs/development/tcl-modules @fgaz
/doc/languages-frameworks/tcl.section.md @fgaz
# C compilers # C compilers
/pkgs/development/compilers/gcc /pkgs/development/compilers/gcc
/pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm /pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
@ -332,7 +339,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/by-name/ne/nemo-* @mkg20001 /pkgs/by-name/ne/nemo-* @mkg20001
# nim # nim
/pkgs/development/compilers/nim @ehmry /doc/languages-frameworks/nim.section.md @ehmry
/pkgs/build-support/build-nim-package.nix @ehmry
/pkgs/top-level/nim-overrides.nix @ehmry
# terraform providers # terraform providers
/pkgs/applications/networking/cluster/terraform-providers @zowoq /pkgs/applications/networking/cluster/terraform-providers @zowoq


@ -74,7 +74,7 @@
} }
{ {
name = "customisation"; name = "customisation";
description = "Functions to customise (derivation-related) functions, derivatons, or attribute sets"; description = "Functions to customise (derivation-related) functions, derivations, or attribute sets";
} }
{ {
name = "meta"; name = "meta";


@ -6,7 +6,7 @@ This setup hook attempts to use [the `just` command runner](https://just.systems
## `buildPhase` {#just-hook-buildPhase} ## `buildPhase` {#just-hook-buildPhase}
This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/chapter_23.html). This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/the-default-recipe.html).
[]{#just-hook-dontUseJustBuild} This behavior can be disabled by setting `dontUseJustBuild` to `true`. []{#just-hook-dontUseJustBuild} This behavior can be disabled by setting `dontUseJustBuild` to `true`.


@ -150,7 +150,7 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary. In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.
## Running Docker or Podman containers with CUDA support {#running-docker-or-podman-containers-with-cuda-support} ## Running Docker or Podman containers with CUDA support {#cuda-docker-podman}
It is possible to run Docker or Podman containers with CUDA support. The recommended mechanism to perform this task is to use the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html). It is possible to run Docker or Podman containers with CUDA support. The recommended mechanism to perform this task is to use the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html).


@ -93,6 +93,7 @@ ruby.section.md
rust.section.md rust.section.md
scheme.section.md scheme.section.md
swift.section.md swift.section.md
tcl.section.md
texlive.section.md texlive.section.md
titanium.section.md titanium.section.md
vim.section.md vim.section.md


@ -0,0 +1,54 @@
# Tcl {#sec-language-tcl}
## User guide {#sec-language-tcl-user-guide}
Tcl interpreters are available under the `tcl` and `tcl-X_Y` attributes, where `X_Y` is the Tcl version.
Tcl libraries are available in the `tclPackages` attribute set.
They are only guaranteed to work with the default Tcl version, but will probably also work with others thanks to the [stubs mechanism](https://wiki.tcl-lang.org/page/Stubs).
## Packaging guide {#sec-language-tcl-packaging}
Tcl packages are typically built with `tclPackages.mkTclDerivation`.
Tcl dependencies go in `buildInputs`/`nativeBuildInputs`/... like other packages.
For more complex package definitions, such as packages with mixed languages, use `tcl.tclPackageHook`.
Where possible, make sure to enable stubs for maximum compatibility, usually with the `--enable-stubs` configure flag.
Here is a simple package example to be called with `tclPackages.callPackage`.
```
{ lib, fetchzip, mkTclDerivation, openssl }:
mkTclDerivation rec {
pname = "tcltls";
version = "1.7.22";
src = fetchzip {
url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${version}.tar.gz";
hash = "sha256-TOouWcQc3MNyJtaAGUGbaQoaCWVe6g3BPERct/V65vk=";
};
buildInputs = [ openssl ];
configureFlags = [
"--with-ssl-dir=${openssl.dev}"
"--enable-stubs"
];
meta = {
homepage = "https://core.tcl-lang.org/tcltls/index";
description = "OpenSSL / RSA-bsafe Tcl extension";
maintainers = [ lib.maintainers.agbrooks ];
license = lib.licenses.tcltk;
platforms = lib.platforms.unix;
};
}
```
All Tcl libraries are declared in `pkgs/top-level/tcl-packages.nix` and are defined in `pkgs/development/tcl-modules/`.
If possible, prefer the by-name hierarchy in `pkgs/development/tcl-modules/by-name/`.
Its use is documented in `pkgs/development/tcl-modules/by-name/README.md`.
All Tcl applications reside elsewhere.
In case a package is used as both a library and an application (for example `expect`), it should be defined in `tcl-packages.nix`, with an alias elsewhere.


@ -46,22 +46,198 @@ Some common issues when packaging software for Darwin:
} }
``` ```
- Some packages assume xcode is available and use `xcrun` to resolve build tools like `clang`, etc. This causes errors like `xcode-select: error: no developer tools were found at '/Applications/Xcode.app'` while the build doesnt actually depend on xcode. - Some packages assume Xcode is available and use `xcrun` to resolve build tools like `clang`, etc. The Darwin stdenv includes `xcrun`, and it will return the path to any binary available in a build.
```nix ```nix
stdenv.mkDerivation { stdenv.mkDerivation {
name = "libfoo-1.2.3"; name = "libfoo-1.2.3";
# ... # ...
nativeBuildInputs = [ bison ];
buildCommand = ''
xcrun bison foo.y # produces foo.tab.c
# ...
'';
}
```
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.
Note: Some packages may hardcode an absolute path to `xcrun`, `xcodebuild`, or `xcode-select`. Those paths should be removed or replaced.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
prePatch = '' prePatch = ''
substituteInPlace Makefile \ substituteInPlace Makefile \
--replace-fail '/usr/bin/xcrun clang' clang --replace-fail /usr/bin/xcrun xcrun
# or: --replace-fail /usr/bin/xcrun '${lib.getExe' buildPackages.xcbuild "xcrun"}'
''; '';
} }
``` ```
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues. - Multiple SDKs are available for use in nixpkgs. Each platform has a default SDK (10.12.2 for x86_64-darwin and 11.3 for aarch64-darwin), which is available as the `apple-sdk` package.
- x86_64-darwin uses the 10.12 SDK by default, but some software is not compatible with that version of the SDK. In that case, The SDK provides the necessary headers and text-based stubs to link common frameworks and libraries (such as libSystem, which is effectively Darwins libc). Projects will sometimes indicate which SDK to use by the Xcode version. As a rule of thumb, subtract one from the Xcode version to get the available SDK in nixpkgs.
the 11.0 SDK used by aarch64-darwin is available for use on x86_64-darwin. To use it, reference `apple_sdk_11_0` instead of
`apple_sdk` in your derivation and use `pkgs.darwin.apple_sdk_11_0.callPackage` instead of `pkgs.callPackage`. On Linux, this will The `DEVELOPER_DIR` variable in the build environment has the path to the SDK in the build environment. The `SDKROOT` variable there contains a sysroot with the framework, header, and library paths. You can reference an SDKs sysroot from Nix using the `sdkroot` attribute on the SDK package. Note that it is preferable to use `SDKROOT` because the latter will be resolved to the highest SDK version of any available to your derivation.
have the same effect as `pkgs.callPackage`, so you can use `pkgs.darwin.apple_sdk_11_0.callPackage` regardless of platform.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
env.PACKAGE_SPECIFIC_SDK_VAR = apple-sdk_10_15.sdkroot;
# or
buildInputs = [ apple-sdk_10_15 ];
postPatch = ''
export PACKAGE_SPECIFIC_SDK_VAR=$SDKROOT
'';
}
```
The following is a list of Xcode versions, the SDK version in nixpkgs, and the attribute to use to add it. Generally, only the last SDK release for a major version is packaged (each _x_ in 10._x_ until 10.15 is considered a major version).
| Xcode version | SDK version | nixpkgs attribute |
|--------------------|---------------------------------------------------|-------------------|
| Varies by platform | 10.12.2 (x86_64-darwin)<br/>11.3 (aarch64-darwin) | `apple-sdk` |
| 8.08.3.3 | 10.12.2 | `apple-sdk_10_12` |
| 9.09.4.1 | 10.13.2 | `apple-sdk_10_13` |
| 10.010.3 | 10.14.6 | `apple-sdk_10_14` |
| 11.011.7 | 10.15.6 | `apple-sdk_10_15` |
| 12.012.5.1 | 11.3 | `apple-sdk_11` |
| 13.013.4.1 | 12.3 | `apple-sdk_12` |
| 14.014.3.1 | 13.3 | `apple-sdk_13` |
| 15.015.4 | 14.4 | `apple-sdk_14` |
| 16.0 | 15.0 | `apple-sdk_15` |
To use a non-default SDK, add it to your build inputs.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 ]; # Uses the 15.0 SDK instead of the default SDK for the platform.
}
```
If your derivation has multiple SDKs its inputs (e.g., because they have been propagated by its dependencies), it will use the highest SDK version available.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies that it needs Xcode 12 to build, so use the 11.3 SDK.
# ...
buildInputs = [ apple-sdk_11 ];
nativeBuildInputs = [ swift ]; # Propagates the 13.3 SDK, so the 13.3 SDK package will be used instead of the 11.3 SDK.
}
```
- When a package indicates a minimum supported version, also called the deployment target, you can set it in your derivation using `darwinMinVersionHook`. If you need to set a minimum version higher than the default SDK, you should also add the corresponding SDK to your `buildInputs`.
The deployment target controls how Darwin handles availability and access to some APIs. In most cases, if a deployment target is newer than the first availability of an API, that API will be linked directly. Otherwise, the API will be weakly linked and checked at runtime.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies the minimum supported version as 12.5.
buildInputs = [ (darwinMinVersionHook "12.5") ];
}
```
If your derivation has multiple versions of this hook in its inputs (e.g., because it has been propagated by one of your dependencies), it will use the highest deployment target available.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies the minimum supported version as 10.15.
buildInputs = [ qt6.qtbase (darwinMinVersionHook "10.15") ];
}
# Qt 6 specifies a minimum version of 12.0, so the minimum version resolves to 12.0.
```
- You should rely on the default SDK when possible. If a package specifies a required SDK version, use that version (e.g., libuv requires 11.0, so it should use `apple-sdk_11`). When a package supports multiple SDKs, determine which SDK package to use based on the following rules of thumb:
- If a package supports multiple SDK versions, use the lowest supported SDK version by the package (but no lower than the default SDK). That ensures maximal platform compatibility for the package.
- If a package specifies a range of supported SDK versions _and_ a minimum supported version, assume the package is using availability checks to support the indicated minimum version. Add the highest supported SDK and a `darwinMinVersionHook` set to the minimum version supported by the upstream package.
Warning: Avoid using newer SDKs than an upstream package supports. When a binary is linked on Darwin, the SDK version used to build it is recorded in the binary. Runtime behavior can vary based on the SDK version, which may work fine but can also result in unexpected behavior or crashes when building with an unsupported SDK.
```nix
stdenv.mkDerivation {
name = "foo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 (darwinMinVersionHook "10.15") ]; # Upstream builds with the 15.0 SDK but supports 10.15.
}
```
- Libraries that require a minimum version can propagate an appropriate SDK and `darwinMinVersionHook`. Derivations using that library will automatically use an appropriate SDK and minimum version. Even if the library builds with a newer SDK, it should propagate the minimum supported SDK. Derivations that need a newer SDK can add it to their `buildInputs`.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 ]; # Upstream builds with the 15.0 SDK but supports 10.15.
propagatedBuildInputs = [ apple-sdk_10_15 (darwinMinVersionHook "10.15") ];
}
# ...
stdenv.mkDerivation {
name = "bar-1.2.3";
# ...
buildInputs = [ libfoo ]; # Builds with the 10.15 SDK
}
# ...
stdenv.mkDerivation {
name = "baz-1.2.3";
# ...
buildInputs = [ apple-sdk_12 libfoo ]; # Builds with the 12.3 SDK
}
```
- Many SDK libraries and frameworks use text-based stubs to link against system libraries and frameworks, but several are built from source (typically corresponding to the source releases for the latest release of macOS). Several of these are propagated to your package automatically. They can be accessed via the `darwin` package set along with others that are not propagated by default.
- libiconv
- libresolv
- libsbuf
Other common libraries are available in Darwin-specific versions with modifications from Apple. Note that these packages may be made the default on Darwin in the future.
- ICU (compatible with the top-level icu package, but it also provides `libicucore.B.dylib` with an ABI compatible with the Darwin system version)
- libpcap (compatible with the top-level libpcap, but it includes Darwin-specific extensions)
- The legacy SDKs packages are still available in the `darwin` package set under their existing names, but all packages in these SDKs (frameworks, libraries, etc) are stub packages for evaluation compatibility.
In most cases, a derivation can be updated by deleting all of its SDK inputs (frameworks, libraries, etc). If you had to override the SDK, see below for how to do that using the new SDK pattern. If your derivation depends on the layout of the old frameworks or other internal details, you have more work to do.
When a package depended on the location of frameworks, references to those framework packages can usually be replaced with `${apple-sdk.sdkroot}/System` or `$SDKROOT/System`. For example, if you substituted `${darwin.apple_sdk.frameworks.OpenGL}/Library/Frameworks/OpenGL.framework` in your derivation, you should replace it with `${apple-sdk.sdkroot}/System/Library/Frameworks/OpenGL.framework` or `$SDKROOT/System/Library/Frameworks`. The latter is preferred because it supports using the SDK that is resolved when multiple SDKs are propagated (see above).
Note: the new SDK pattern uses the name `apple-sdk` to better align with nixpkgs naming conventions. The old SDK pattern uses `apple_sdk`.
- There are two legacy patterns that are being phased out. These patterns were used in the past to change the SDK version. They have been reimplemented to use the `apple-sdk` packages.
- `pkgs.darwin.apple_sdk_11_0.callPackage` - this pattern was used to provide frameworks from the 11.0 SDK. It now adds the `apple-sdk_11` package to your derivations build inputs.
- `overrideSDK` - this stdenv adapter would try to replace the frameworks used by your derivation and its transitive dependencies. It now adds the `apple-sdk_11` package for `11.0` or the `apple-sdk_12` package for `12.3`. If `darwinMinVersion` is specified, it will add `darwinMinVersionHook` with the specified minimum version. No other SDK versions are supported.
- Darwin supports cross-compilation between Darwin platforms. Cross-compilation from Linux is not currently supported but may be supported in the future. To cross-compile to Darwin, you can set `crossSystem` or use one of the Darwin systems in `pkgsCross`. The `darwinMinVersionHook` and the SDKs support cross-compilation. If you need to specify a different SDK version for a `depsBuildBuild` compiler, add it to your `nativeBuildInputs`.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ apple-sdk_12 ];
buildInputs = [ apple-sdk_13 ];
depsTargetTargetPropagated = [ apple-sdk_14 ];
}
# The build-build clang will use the 12.3 SDK while the package build itself will use the 13.3 SDK.
# Derivations that add this package as an input will have the 14.4 SDK propagated to them.
```
The different target SDK and hooks are mangled based on role:
- `DEVELOPER_DIR_FOR_BUILD` and `MACOSX_DEPLOYMENT_TARGET_FOR_BUILD` for the build platform;
- `DEVELOPER_DIR` and `MACOSX_DEPLOYMENT_TARGET` for the host platform; and
- `DEVELOPER_DIR_FOR_TARGET` and `MACOSX_DEPLOYMENT_TARGET_FOR_TARGET` for the build platform.
In static compilation situations, it is possible for the build and host platform to be the same platform but have different SDKs with the same version (one dynamic and one static). cc-wrapper takes care of handling this distinction.
- The current default versions of the deployment target (minimum version) and SDK are indicated by Darwin-specific attributes on the platform. Because of the ways that minimum version and SDK can be changed that are not visible to Nix, they should be treated as lower bounds. If you need to parameterize over a specific version, create a function that takes the version as a parameter instead of relying on these attributes.
- `darwinMinVersion` defaults to 10.12 on x86_64-darwin and 11.0 on aarch64-darwin. It sets the default `MACOSX_DEPLOYMENT_TARGET`.
- `darwinSdkVersion` defaults to 10.12 on x86-64-darwin and 11.0 on aarch64-darwin. Only the major version determines the SDK version, resulting in the 10.12.2 and 11.3 SDKs being used on these platforms respectively.


@ -942,6 +942,11 @@ lib.mapAttrs mkLicense ({
url = "https://license.coscl.org.cn/MulanPSL2"; url = "https://license.coscl.org.cn/MulanPSL2";
}; };
naist-2003 = {
spdxId = "NAIST-2003";
fullName = "Nara Institute of Science and Technology License (2003)";
};
nasa13 = { nasa13 = {
spdxId = "NASA-1.3"; spdxId = "NASA-1.3";
fullName = "NASA Open Source Agreement 1.3"; fullName = "NASA Open Source Agreement 1.3";


@ -414,6 +414,12 @@
githubId = 1174810; githubId = 1174810;
name = "Nikolay Amiantov"; name = "Nikolay Amiantov";
}; };
abcsds = {
email = "abcsds@gmail.com";
github = "abcsds";
githubId = 2694381;
name = "Alberto Barradas";
};
abdiramen = { abdiramen = {
email = "abdirahman.osmanthus@gmail.com"; email = "abdirahman.osmanthus@gmail.com";
github = "Abdiramen"; github = "Abdiramen";
@ -731,6 +737,12 @@
githubId = 79667753; githubId = 79667753;
keys = [ { fingerprint = "B0D7 2955 235F 6AB5 ACFA 1619 8C7F F5BB 1ADE F191"; } ]; keys = [ { fingerprint = "B0D7 2955 235F 6AB5 ACFA 1619 8C7F F5BB 1ADE F191"; } ];
}; };
ailsa-sun = {
name = "Ailsa Sun";
email = "jjshenw@gmail.com";
github = "ailsa-sun";
githubId = 135079815;
};
aimpizza = { aimpizza = {
email = "rickomo.us@gmail.com"; email = "rickomo.us@gmail.com";
name = "Rick Omonsky"; name = "Rick Omonsky";
@ -743,6 +755,11 @@
githubId = 37664775; githubId = 37664775;
name = "Yuto Oguchi"; name = "Yuto Oguchi";
}; };
airrnot = {
name = "airRnot";
github = "airRnot1106";
githubId = 62370527;
};
airwoodix = { airwoodix = {
email = "airwoodix@posteo.me"; email = "airwoodix@posteo.me";
github = "airwoodix"; github = "airwoodix";
@ -961,6 +978,12 @@
githubId = 173595; githubId = 173595;
name = "Caleb Maclennan"; name = "Caleb Maclennan";
}; };
alex = {
email = "alexander.cinnamon927@passmail.net";
github = "alexanderjkslfj";
githubId = 117545308;
name = "Alex";
};
ALEX11BR = { ALEX11BR = {
email = "alexioanpopa11@gmail.com"; email = "alexioanpopa11@gmail.com";
github = "ALEX11BR"; github = "ALEX11BR";
@ -1873,6 +1896,12 @@
githubId = 10285250; githubId = 10285250;
name = "Artur E. Ruuge"; name = "Artur E. Ruuge";
}; };
arunoruto = {
email = "mirza.arnaut45@gmail.com";
github = "arunoruto";
githubId = 21687187;
name = "Mirza Arnaut";
};
asbachb = { asbachb = {
email = "asbachb-nixpkgs-5c2a@impl.it"; email = "asbachb-nixpkgs-5c2a@impl.it";
matrix = "@asbachb:matrix.org"; matrix = "@asbachb:matrix.org";
@ -2480,6 +2509,7 @@
}; };
bbenno = { bbenno = {
email = "nix@bbenno.com"; email = "nix@bbenno.com";
matrix = "@bbenno:matrix.org";
github = "bbenno"; github = "bbenno";
githubId = 32938211; githubId = 32938211;
name = "Benno Bielmeier"; name = "Benno Bielmeier";
@ -2527,6 +2557,12 @@
githubId = 34620799; githubId = 34620799;
name = "Jacob Bachmann"; name = "Jacob Bachmann";
}; };
bcyran = {
email = "bazyli@cyran.dev";
github = "bcyran";
githubId = 8322846;
name = "Bazyli Cyran";
};
bdd = { bdd = {
email = "bdd@mindcast.org"; email = "bdd@mindcast.org";
github = "bdd"; github = "bdd";
@ -2915,6 +2951,12 @@
githubId = 535135; githubId = 535135;
name = "Brennon Loveless"; name = "Brennon Loveless";
}; };
bloxx12 = {
email = "charlie@charlieroot.dev";
github = "bloxx12";
githubId = 75451918;
name = "Charlie Root";
};
bluescreen303 = { bluescreen303 = {
email = "mathijs@bluescreen303.nl"; email = "mathijs@bluescreen303.nl";
github = "bluescreen303"; github = "bluescreen303";
@ -5401,6 +5443,12 @@
githubId = 4490283; githubId = 4490283;
name = "diadatp"; name = "diadatp";
}; };
diamond-deluxe = {
email = "carbon_lattice@proton.me";
github = "diamond-deluxe";
githubId = 112557036;
name = "Diamond";
};
DianaOlympos = { DianaOlympos = {
github = "DianaOlympos"; github = "DianaOlympos";
githubId = 15774340; githubId = 15774340;
@ -5826,6 +5874,12 @@
githubId = 1931963; githubId = 1931963;
name = "David Sferruzza"; name = "David Sferruzza";
}; };
dsluijk = {
name = "Dany Sluijk";
email = "nix@dany.dev";
github = "dsluijk";
githubId = 8537327;
};
dstengele = { dstengele = {
name = "Dennis Stengele"; name = "Dennis Stengele";
email = "dennis@stengele.me"; email = "dennis@stengele.me";
@ -5870,7 +5924,10 @@
github = "jollheef"; github = "jollheef";
githubId = 1749762; githubId = 1749762;
name = "Mikhail Klementev"; name = "Mikhail Klementev";
keys = [ { fingerprint = "5DD7 C6F6 0630 F08E DAE7 4711 1525 585D 1B43 C62A"; } ]; keys = [
{ fingerprint = "5AC8 C9A1 68C7 9451 1A91 2295 C990 5BA7 2B5E 02BB"; }
{ fingerprint = "5DD7 C6F6 0630 F08E DAE7 4711 1525 585D 1B43 C62A"; }
];
}; };
dunxen = { dunxen = {
email = "git@dunxen.dev"; email = "git@dunxen.dev";
@ -6264,6 +6321,12 @@
github = "elliottslaughter"; github = "elliottslaughter";
githubId = 3129; githubId = 3129;
}; };
ElliottSullingeFarrall = {
name = "Elliott Sullinge-Farrall";
email = "elliott.chalford@gmail.com";
github = "ElliottSullingeFarrall";
githubId = 108588212;
};
elliottvillars = { elliottvillars = {
email = "elliottvillars@gmail.com"; email = "elliottvillars@gmail.com";
github = "elliottvillars"; github = "elliottvillars";
@ -7166,6 +7229,11 @@
githubId = 183879; githubId = 183879;
name = "Florian Klink"; name = "Florian Klink";
}; };
florensie = {
github = "florensie";
githubId = 13403842;
name = "Florens Pauwels";
};
florentc = { florentc = {
github = "florentc"; github = "florentc";
githubId = 1149048; githubId = 1149048;
@ -7408,7 +7476,7 @@
matrix = "@frontear:matrix.org"; matrix = "@frontear:matrix.org";
github = "Frontear"; github = "Frontear";
githubId = 31909298; githubId = 31909298;
keys = [ { fingerprint = "C170 11B7 C0AA BB3F 7415 022C BCB5 CEFD E222 82F5"; } ]; keys = [ { fingerprint = "6A25 DEBE 41DB 0C15 3AB5 BB34 5290 E18B 8705 1A83"; } ];
}; };
frontsideair = { frontsideair = {
email = "photonia@gmail.com"; email = "photonia@gmail.com";
@ -8625,6 +8693,12 @@
githubId = 6430643; githubId = 6430643;
name = "Henry Till"; name = "Henry Till";
}; };
hensoko = {
email = "hensoko@pub.solar";
github = "hensoko";
githubId = 13552930;
name = "hensoko";
};
heph2 = { heph2 = {
email = "srht@mrkeebs.eu"; email = "srht@mrkeebs.eu";
github = "heph2"; github = "heph2";
@ -9438,6 +9512,13 @@
email = "itepastra@gmail.com"; email = "itepastra@gmail.com";
keys = [ { fingerprint = "E681 4CAF 06AE B076 D55D 3E32 A16C DCBF 1472 541F"; } ]; keys = [ { fingerprint = "E681 4CAF 06AE B076 D55D 3E32 A16C DCBF 1472 541F"; } ];
}; };
itsvic-dev = {
email = "contact@itsvic.dev";
name = "Victor B.";
github = "itsvic-dev";
githubId = 17727163;
keys = [ { fingerprint = "FBAA B86A 101B 4C5F D4F1 25D2 E93D DAC1 7E5D 6CA1"; } ];
};
ius = { ius = {
email = "j.de.gram@gmail.com"; email = "j.de.gram@gmail.com";
name = "Joerie de Gram"; name = "Joerie de Gram";
@ -9500,6 +9581,12 @@
githubId = 1318743; githubId = 1318743;
name = "Ivar"; name = "Ivar";
}; };
iv-nn = {
name = "iv-nn";
github = "iv-nn";
githubId = 49885246;
keys = [ { fingerprint = "6358 EF87 86E0 EF2F 1628 103F BAB5 F165 1C71 C9C3"; } ];
};
ivyfanchiang = { ivyfanchiang = {
email = "dev@ivyfanchiang.ca"; email = "dev@ivyfanchiang.ca";
github = "hexadecimalDinosaur"; github = "hexadecimalDinosaur";
@ -10494,6 +10581,13 @@
githubId = 168684553; githubId = 168684553;
name = "João Marques"; name = "João Marques";
}; };
joinemm = {
email = "joonas@rautiola.co";
github = "joinemm";
githubId = 26210439;
name = "Joonas Rautiola";
keys = [ { fingerprint = "87EC DD30 6614 E510 5299 F0D4 090E B48A 4669 AA54"; } ];
};
jojosch = { jojosch = {
name = "Johannes Schleifenbaum"; name = "Johannes Schleifenbaum";
email = "johannes@js-webcoding.de"; email = "johannes@js-webcoding.de";
@ -12383,6 +12477,13 @@
githubId = 169170; githubId = 169170;
name = "Mathias Schreck"; name = "Mathias Schreck";
}; };
loc = {
matrix = "@loc:locrealloc.de";
github = "LoCrealloc";
githubId = 64095253;
name = "LoC";
keys = [ { fingerprint = "DCCE F73B 209A 6024 CAE7 F926 5563 EB4A 8634 4F15"; } ];
};
locallycompact = { locallycompact = {
email = "dan.firth@homotopic.tech"; email = "dan.firth@homotopic.tech";
github = "locallycompact"; github = "locallycompact";
@ -14809,6 +14910,11 @@
githubId = 96225281; githubId = 96225281;
name = "Mustafa Çalışkan"; name = "Mustafa Çalışkan";
}; };
musjj = {
name = "musjj";
github = "musjj";
githubId = 72612857;
};
mvisonneau = { mvisonneau = {
name = "Maxime VISONNEAU"; name = "Maxime VISONNEAU";
email = "maxime@visonneau.fr"; email = "maxime@visonneau.fr";
@ -16354,6 +16460,11 @@
githubId = 33182938; githubId = 33182938;
name = "Pankaj"; name = "Pankaj";
}; };
PapayaJackal = {
github = "PapayaJackal";
githubId = 145766029;
name = "PapayaJackal";
};
paperdigits = { paperdigits = {
email = "mica@silentumbrella.com"; email = "mica@silentumbrella.com";
github = "paperdigits"; github = "paperdigits";
@ -16626,6 +16737,12 @@
githubId = 63069986; githubId = 63069986;
name = "Per Stark"; name = "Per Stark";
}; };
petee = {
name = "Pete Erickson";
email = "pete.perickson@gmail.com";
github = "petee";
githubId = 89916;
};
petercommand = { petercommand = {
email = "petercommand@gmail.com"; email = "petercommand@gmail.com";
github = "petercommand"; github = "petercommand";
@ -17479,6 +17596,12 @@
githubId = 43755002; githubId = 43755002;
name = "Dmitriy P"; name = "Dmitriy P";
}; };
pta2002 = {
email = "pta2002@pta2002.com";
github = "pta2002";
githubId = 7443916;
name = "Pedro Alves";
};
ptival = { ptival = {
email = "valentin.robert.42@gmail.com"; email = "valentin.robert.42@gmail.com";
github = "Ptival"; github = "Ptival";
@ -17584,6 +17707,12 @@
githubId = 12017109; githubId = 12017109;
name = "Rabindra Dhakal"; name = "Rabindra Dhakal";
}; };
qbisi = {
name = "qbisicwate";
email = "qbisicwate@gmail.com";
github = "qbisi";
githubId = 84267544;
};
qbit = { qbit = {
name = "Aaron Bieber"; name = "Aaron Bieber";
email = "aaron@bolddaemon.com"; email = "aaron@bolddaemon.com";
@ -18009,6 +18138,12 @@
name = "Roland Conybeare"; name = "Roland Conybeare";
keys = [ { fingerprint = "bw5Cr/4ul1C2UvxopphbZbFI1i5PCSnOmPID7mJ/Ogo"; } ]; keys = [ { fingerprint = "bw5Cr/4ul1C2UvxopphbZbFI1i5PCSnOmPID7mJ/Ogo"; } ];
}; };
rc-zb = {
name = "Xiao Haifan";
email = "rc-zb@outlook.com";
github = "rc-zb";
githubId = 161540043;
};
rdnetto = { rdnetto = {
email = "rdnetto@gmail.com"; email = "rdnetto@gmail.com";
github = "rdnetto"; github = "rdnetto";
@ -18154,6 +18289,11 @@
githubId = 3302; githubId = 3302;
name = "Renzo Carbonara"; name = "Renzo Carbonara";
}; };
reputable2772 = {
name = "Reputable2772";
github = "Reputable2772";
githubId = 153411261;
};
rettetdemdativ = { rettetdemdativ = {
email = "michael@koeppl.dev"; email = "michael@koeppl.dev";
github = "rettetdemdativ"; github = "rettetdemdativ";
@ -19165,6 +19305,12 @@
githubId = 695473; githubId = 695473;
name = "Sascha Grunert"; name = "Sascha Grunert";
}; };
satoqz = {
email = "mail@satoqz.net";
github = "satoqz";
githubId = 40795431;
name = "satoqz";
};
saturn745 = { saturn745 = {
email = "git-commits.rk7uq@aleeas.com"; email = "git-commits.rk7uq@aleeas.com";
github = "saturn745"; github = "saturn745";
@ -19721,12 +19867,24 @@
github = "shhht"; github = "shhht";
githubId = 118352823; githubId = 118352823;
}; };
shift = {
name = "Vincent Palmer";
email = "shift@someone.section.me";
github = "shift";
githubId = 1653;
};
shikanime = { shikanime = {
name = "William Phetsinorath"; name = "William Phetsinorath";
email = "deva.shikanime@protonmail.com"; email = "deva.shikanime@protonmail.com";
github = "shikanime"; github = "shikanime";
githubId = 22115108; githubId = 22115108;
}; };
shiphan = {
email = "timlin940511@gmail.com";
name = "Shiphan";
github = "Shiphan";
githubId = 140245703;
};
shiryel = { shiryel = {
email = "contact@shiryel.com"; email = "contact@shiryel.com";
name = "Shiryel"; name = "Shiryel";
@ -20041,6 +20199,12 @@
githubId = 49844593; githubId = 49844593;
name = "skovati"; name = "skovati";
}; };
skyesoss = {
name = "Skye Soss";
matrix = "@skyesoss:matrix.org";
github = "Skyb0rg007";
githubId = 30806179;
};
skykanin = { skykanin = {
github = "skykanin"; github = "skykanin";
githubId = 3789764; githubId = 3789764;
@ -20448,6 +20612,12 @@
github = "srounce"; github = "srounce";
githubId = 60792; githubId = 60792;
}; };
Srylax = {
name = "Srylax";
email = "srylax+nixpkgs@srylax.dev";
github = "Srylax";
githubId = 71783705;
};
sshine = { sshine = {
email = "simon@simonshine.dk"; email = "simon@simonshine.dk";
github = "sshine"; github = "sshine";
@ -20521,6 +20691,12 @@
githubId = 94006354; githubId = 94006354;
name = "steamwalker"; name = "steamwalker";
}; };
steeleduncan = {
email = "steeleduncan@hotmail.com";
github = "steeleduncan";
githubId = 866573;
name = "Duncan Steele";
};
steell = { steell = {
email = "steve@steellworks.com"; email = "steve@steellworks.com";
github = "Steell"; github = "Steell";
@ -21815,6 +21991,12 @@
githubId = 2164118; githubId = 2164118;
name = "Tobias Bora"; name = "Tobias Bora";
}; };
tobifroe = {
email = "hi@froelich.dev";
github = "tobifroe";
githubId = 40638719;
name = "Tobias Frölich";
};
tobim = { tobim = {
email = "nix@tobim.fastmail.fm"; email = "nix@tobim.fastmail.fm";
github = "tobim"; github = "tobim";
@ -23043,6 +23225,12 @@
githubId = 24979302; githubId = 24979302;
name = "Vladimír Zahradník"; name = "Vladimír Zahradník";
}; };
wfdewith = {
name = "Wim de With";
email = "wf@dewith.io";
github = "wfdewith";
githubId = 2306085;
};
wgunderwood = { wgunderwood = {
email = "wg.underwood13@gmail.com"; email = "wg.underwood13@gmail.com";
github = "WGUNDERWOOD"; github = "WGUNDERWOOD";
@ -23105,6 +23293,13 @@
githubId = 1215623; githubId = 1215623;
keys = [ { fingerprint = "DA03 D6C6 3F58 E796 AD26 E99B 366A 2940 479A 06FC"; } ]; keys = [ { fingerprint = "DA03 D6C6 3F58 E796 AD26 E99B 366A 2940 479A 06FC"; } ];
}; };
wilhelmines = {
email = "mail@aesz.org";
matrix = "@wilhelmines:matrix.org";
name = "Ronja Schwarz";
github = "wilhelmines";
githubId = 71409721;
};
willbush = { willbush = {
email = "git@willbush.dev"; email = "git@willbush.dev";
matrix = "@willbush:matrix.org"; matrix = "@willbush:matrix.org";
@ -23269,6 +23464,12 @@
githubId = 28888242; githubId = 28888242;
name = "WORLDofPEACE"; name = "WORLDofPEACE";
}; };
WoutSwinkels = {
name = "Wout Swinkels";
email = "nixpkgs@woutswinkels.com";
github = "WoutSwinkels";
githubId = 113464111;
};
wozeparrot = { wozeparrot = {
email = "wozeparrot@gmail.com"; email = "wozeparrot@gmail.com";
github = "wozeparrot"; github = "wozeparrot";
@ -24212,12 +24413,6 @@
githubId = 71881325; githubId = 71881325;
name = "Stefan Bordei"; name = "Stefan Bordei";
}; };
zzamboni = {
email = "diego@zzamboni.org";
github = "zzamboni";
githubId = 32876;
name = "Diego Zamboni";
};
zzzsy = { zzzsy = {
email = "me@zzzsy.top"; email = "me@zzzsy.top";
github = "zzzsyyy"; github = "zzzsyyy";
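Review bot: The Frontear entry in the hunk at `@ -7408,7 +7476,7 @@` replaces the listed PGP fingerprint outright, so anything previously signed with `C170 11B7 C0AA BB3F 7415 022C BCB5 CEFD E222 82F5` can no longer be checked against this file, and the change itself carries no indication of how the new key was verified. The jollheef entry in the hunk at `@ -5870,7 +5924,10 @@` handles the same situation by keeping both fingerprints in the `keys` list, which preserves verifiability of older signatures; consider doing the same here, or at least recording the rotation in the commit message so a reviewer can confirm the new key out of band. I cannot tell from the diff whether the old key was retired or compromised, so this may already have been checked elsewhere.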


@ -12,7 +12,7 @@ system has booted, you can make the selected configuration the default
for subsequent boots: for subsequent boots:
```ShellSession ```ShellSession
# /run/current-system/bin/switch-to-configuration boot # /run/current-system/bin/apply boot
``` ```
Second, you can switch to the previous configuration in a running Second, you can switch to the previous configuration in a running
@ -25,11 +25,11 @@ system:
This is equivalent to running: This is equivalent to running:
```ShellSession ```ShellSession
# /nix/var/nix/profiles/system-N-link/bin/switch-to-configuration switch # /nix/var/nix/profiles/system-N-link/bin/apply switch
``` ```
where `N` is the number of the NixOS system configuration. To get a where `N` is the number of the NixOS system configuration to roll back to.
list of the available configurations, do: To get a list of the available configurations, run:
```ShellSession ```ShellSession
$ ls -l /nix/var/nix/profiles/system-*-link $ ls -l /nix/var/nix/profiles/system-*-link


@ -33,8 +33,8 @@ Unfortunately, Nixpkgs currently lacks a way to query available package configur
::: {.note} ::: {.note}
For example, many packages come with extensions one might add. For example, many packages come with extensions one might add.
Examples include: Examples include:
- [`passExtensions.pass-otp`](https://search.nixos.org/packages/query=passExtensions.pass-otp) - [`passExtensions.pass-otp`](https://search.nixos.org/packages?query=passExtensions.pass-otp)
- [`python310Packages.requests`](https://search.nixos.org/packages/query=python310Packages.requests) - [`python312Packages.requests`](https://search.nixos.org/packages?query=python312Packages.requests)
You can use them like this: You can use them like this:
```nix ```nix


@ -16,6 +16,6 @@ profile:
The most notable deviation of this profile from a standard NixOS configuration The most notable deviation of this profile from a standard NixOS configuration
is that after building it, you cannot switch *to* the configuration anymore. is that after building it, you cannot switch *to* the configuration anymore.
The profile sets `config.system.switch.enable = false;`, which excludes The profile sets `config.system.switch.enable = false;`, which excludes
`switch-to-configuration`, the central script called by `nixos-rebuild`, from `apply` and `switch-to-configuration`, the central scripts called by `nixos-rebuild`, from
your system. Removing this script makes the image lighter and slightly more your system. Removing this script makes the image lighter and slightly more
secure. secure.


@ -5,8 +5,8 @@ This chapter explains some of the internals of this command to make it simpler
for new module developers to configure their units correctly and to make it for new module developers to configure their units correctly and to make it
easier to understand what is happening and why for curious administrators. easier to understand what is happening and why for curious administrators.
`nixos-rebuild`, like many deployment solutions, calls `switch-to-configuration` `nixos-rebuild`, like many deployment solutions, calls `apply` (or for NixOS older than 24.11, `switch-to-configuration`)
which resides in a NixOS system at `$out/bin/switch-to-configuration`. The which resides in a NixOS system at `$out/bin/apply`. The
script is called with the action that is to be performed like `switch`, `test`, script is called with the action that is to be performed like `switch`, `test`,
`boot`. There is also the `dry-activate` action which does not really perform `boot`. There is also the `dry-activate` action which does not really perform
the actions but rather prints what it would do if you called it with `test`. the actions but rather prints what it would do if you called it with `test`.


@ -71,20 +71,20 @@ nix-build -A nixosTests.hostname
### Testing outside the NixOS project {#sec-call-nixos-test-outside-nixos} ### Testing outside the NixOS project {#sec-call-nixos-test-outside-nixos}
Outside the `nixpkgs` repository, you can instantiate the test by first importing the NixOS library, Outside the `nixpkgs` repository, you can use the `runNixOSTest` function from
`pkgs.testers`:
```nix ```nix
let nixos-lib = import (nixpkgs + "/nixos/lib") { }; let pkgs = import <nixpkgs> {};
in in
nixos-lib.runTest { pkgs.testers.runNixOSTest {
imports = [ ./test.nix ]; imports = [ ./test.nix ];
hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs
defaults.services.foo.package = mypkg; defaults.services.foo.package = mypkg;
} }
``` ```
`runTest` returns a derivation that runs the test. `runNixOSTest` returns a derivation that runs the test.
## Configuring the nodes {#sec-nixos-test-nodes} ## Configuring the nodes {#sec-nixos-test-nodes}


@ -247,7 +247,7 @@ The first steps to all these are the same:
```ShellSession ```ShellSession
$ sudo mv -v /boot /boot.bak && $ sudo mv -v /boot /boot.bak &&
sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot sudo /nix/var/nix/profiles/system/bin/apply boot
``` ```
Cross your fingers, reboot, hopefully you should get a NixOS prompt! Cross your fingers, reboot, hopefully you should get a NixOS prompt!


@ -54,6 +54,16 @@
If you experience any issues, please report them. If you experience any issues, please report them.
The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`. The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`.
- Built NixOS configurations now have a `$toplevel/bin/apply` script.
Unlike `switch-to-configuration`, it is capable of performing a complete `switch` operation.
If you call `switch-to-configuration` directly, you are recommended to use `apply` instead, and remove your call to `nix-env --profile /nix/var/nix/profiles/system --set $toplevel` or similar.
It will run the switch operation as a systemd unit if available, as `nixos-rebuild switch` would.
Benefits include:
- The `apply` script reduces the roundtrips required when performing a remote deployment with `nixos-rebuild switch --target-host HOST`.
- Developers and power users can now update NixOS in a single call.
- Alternative NixOS deployment methods have feature parity with `nixos-rebuild`, and NixOS can evolve all of its switching logic in one place.
- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html) - Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
was added through the `boot.initrd.systemd.dmVerity` option. was added through the `boot.initrd.systemd.dmVerity` option.
@ -321,10 +331,23 @@
- The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant. - The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant.
The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade. The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade.
- NetBox was updated to `>= 4.1.0`.
Have a look at the breaking changes
of the [4.0 release](https://github.com/netbox-community/netbox/releases/tag/v4.0.0)
and the [4.1 release](https://github.com/netbox-community/netbox/releases/tag/v4.1.0),
make the required changes to your database, if needed,
then upgrade by setting `services.netbox.package = pkgs.netbox_4_1;`
in your configuration.
- `services.cgit` now runs as the cgit user by default instead of root. - `services.cgit` now runs as the cgit user by default instead of root.
This change requires granting access to the repositories to this user or This change requires granting access to the repositories to this user or
setting the appropriate one through `services.cgit.some-instance.user`. setting the appropriate one through `services.cgit.some-instance.user`.
- `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle).
Additionally, it had numerous security vulnerabilities that were only patched
in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-32751),
[CVE-2021-29427](https://nvd.nist.gov/vuln/detail/CVE-2021-29427), [CVE-2021-29428](https://nvd.nist.gov/vuln/detail/CVE-2021-29428), and [CVE-2021-32751](https://nvd.nist.gov/vuln/detail/CVE-2021-32751).
- `nvimpager` was updated to version 0.13.0, which changes the order of user and - `nvimpager` was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in `-c` and `--cmd` now override the nvimpager settings: user commands in `-c` and `--cmd` now override the
respective default settings because they are executed later. respective default settings because they are executed later.
@ -385,6 +408,8 @@
`nodePackages.coc-eslint` and `vimPlugins.coc-eslint` packages offer comparable `nodePackages.coc-eslint` and `vimPlugins.coc-eslint` packages offer comparable
features for `eslint`, which replaced `tslint`. features for `eslint`, which replaced `tslint`.
- Tcl packages have been moved into the `tclPackages` scope.
- `teleport` has been upgraded from major version 15 to major version 16. - `teleport` has been upgraded from major version 15 to major version 16.
Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324). and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).
@ -553,8 +578,17 @@
- The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained. - The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained.
Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead. Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.
- The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained.
- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300) - The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300)
- The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down
JCenter JAR repository.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- The `jd-gui` package was removed due to an inactive upstream and a dependency on the end-of-life Gradle 6.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments. - `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.
- The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer. - The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
@ -747,6 +781,8 @@
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped. - The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
- Mattermost has been updated from 9.5 to 9.11 ESR. See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details.
- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside - `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
`rustPlatform.buildRustPackage` and Node hooks such as `npmConfigHook`, `pnpm.configHook`, and the new `yarnConfig` `rustPlatform.buildRustPackage` and Node hooks such as `npmConfigHook`, `pnpm.configHook`, and the new `yarnConfig`


@ -23,7 +23,7 @@ in
}; };
} }
({ config, ... }: { ({ config, ... }: {
# Don't pull in switch-to-configuration by default, except when specialisations or early boot shenanigans are involved. # Don't pull in apply and switch-to-configuration by default, except when specialisations or early boot shenanigans are involved.
# This is mostly a Hydra optimization, so we don't rebuild all the tests every time switch-to-configuration-ng changes. # This is mostly a Hydra optimization, so we don't rebuild all the tests every time switch-to-configuration-ng changes.
key = "no-switch-to-configuration"; key = "no-switch-to-configuration";
system.switch.enable = mkDefault (config.isSpecialisation || config.specialisation != {} || config.virtualisation.installBootLoader); system.switch.enable = mkDefault (config.isSpecialisation || config.specialisation != {} || config.virtualisation.installBootLoader);


@ -13,7 +13,7 @@ let
types types
; ;
inherit (hostPkgs) hostPlatform; inherit (hostPkgs.stdenv) hostPlatform;
guestSystem = guestSystem =
if hostPlatform.isLinux if hostPlatform.isLinux


@ -1,24 +1,47 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mkOption optionalString types versionAtLeast; inherit (lib)
mkOption
optionalString
types
versionAtLeast
;
inherit (lib.options) literalExpression; inherit (lib.options) literalExpression;
cfg = config.amazonImage; cfg = config.amazonImage;
amiBootMode = if config.ec2.efi then "uefi" else "legacy-bios"; amiBootMode = if config.ec2.efi then "uefi" else "legacy-bios";
in
in { {
imports = [
imports = [ ../../../modules/virtualisation/amazon-image.nix ]; ../../../modules/virtualisation/amazon-image.nix
../../../modules/virtualisation/disk-size-option.nix
(lib.mkRenamedOptionModuleWith {
sinceRelease = 2411;
from = [
"amazonImage"
"sizeMB"
];
to = [
"virtualisation"
"diskSize"
];
})
];
# Amazon recommends setting this to the highest possible value for a good EBS # Amazon recommends setting this to the highest possible value for a good EBS
# experience, which prior to 4.15 was 255. # experience, which prior to 4.15 was 255.
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
config.boot.kernelParams = config.boot.kernelParams =
let timeout = let
if versionAtLeast config.boot.kernelPackages.kernel.version "4.15" timeout =
then "4294967295" if versionAtLeast config.boot.kernelPackages.kernel.version "4.15" then "4294967295" else "255";
else "255"; in
in [ "nvme_core.io_timeout=${timeout}" ]; [ "nvme_core.io_timeout=${timeout}" ];
options.amazonImage = { options.amazonImage = {
name = mkOption { name = mkOption {
@ -34,30 +57,32 @@ in {
} }
] ]
''; '';
default = []; default = [ ];
description = '' description = ''
This option lists files to be copied to fixed locations in the This option lists files to be copied to fixed locations in the
generated image. Glob patterns work. generated image. Glob patterns work.
''; '';
}; };
sizeMB = mkOption {
type = with types; either (enum [ "auto" ]) int;
default = 3072;
example = 8192;
description = "The size in MB of the image";
};
format = mkOption { format = mkOption {
type = types.enum [ "raw" "qcow2" "vpc" ]; type = types.enum [
"raw"
"qcow2"
"vpc"
];
default = "vpc"; default = "vpc";
description = "The image format to output"; description = "The image format to output";
}; };
}; };
config.system.build.amazonImage = let # Use a priority just below mkOptionDefault (1500) instead of lib.mkDefault
configFile = pkgs.writeText "configuration.nix" # to avoid breaking existing configs using that.
'' config.virtualisation.diskSize = lib.mkOverride 1490 (3 * 1024);
config.virtualisation.diskSizeAutoSupported = !config.ec2.zfs.enable;
config.system.build.amazonImage =
let
configFile = pkgs.writeText "configuration.nix" ''
{ modulesPath, ... }: { { modulesPath, ... }: {
imports = [ "''${modulesPath}/virtualisation/amazon-image.nix" ]; imports = [ "''${modulesPath}/virtualisation/amazon-image.nix" ];
${optionalString config.ec2.efi '' ${optionalString config.ec2.efi ''
@ -70,91 +95,102 @@ in {
} }
''; '';
zfsBuilder = import ../../../lib/make-multi-disk-zfs-image.nix { zfsBuilder = import ../../../lib/make-multi-disk-zfs-image.nix {
inherit lib config configFile pkgs; inherit
inherit (cfg) contents format name; lib
config
configFile
pkgs
;
inherit (cfg) contents format name;
includeChannel = true; includeChannel = true;
bootSize = 1000; # 1G is the minimum EBS volume bootSize = 1000; # 1G is the minimum EBS volume
rootSize = cfg.sizeMB; rootSize = config.virtualisation.diskSize;
rootPoolProperties = { rootPoolProperties = {
ashift = 12; ashift = 12;
autoexpand = "on"; autoexpand = "on";
};
datasets = config.ec2.zfs.datasets;
postVM = ''
extension=''${rootDiskImage##*.}
friendlyName=$out/${cfg.name}
rootDisk="$friendlyName.root.$extension"
bootDisk="$friendlyName.boot.$extension"
mv "$rootDiskImage" "$rootDisk"
mv "$bootDiskImage" "$bootDisk"
mkdir -p $out/nix-support
echo "file ${cfg.format} $bootDisk" >> $out/nix-support/hydra-build-products
echo "file ${cfg.format} $rootDisk" >> $out/nix-support/hydra-build-products
${pkgs.jq}/bin/jq -n \
--arg system_label ${lib.escapeShellArg config.system.nixos.label} \
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
--arg root_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$rootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$bootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_mode "${amiBootMode}" \
--arg root "$rootDisk" \
--arg boot "$bootDisk" \
'{}
| .label = $system_label
| .boot_mode = $boot_mode
| .system = $system
| .disks.boot.logical_bytes = $boot_logical_bytes
| .disks.boot.file = $boot
| .disks.root.logical_bytes = $root_logical_bytes
| .disks.root.file = $root
' > $out/nix-support/image-info.json
'';
}; };
datasets = config.ec2.zfs.datasets; extBuilder = import ../../../lib/make-disk-image.nix {
inherit
lib
config
configFile
pkgs
;
postVM = '' inherit (cfg) contents format name;
extension=''${rootDiskImage##*.}
friendlyName=$out/${cfg.name}
rootDisk="$friendlyName.root.$extension"
bootDisk="$friendlyName.boot.$extension"
mv "$rootDiskImage" "$rootDisk"
mv "$bootDiskImage" "$bootDisk"
mkdir -p $out/nix-support fsType = "ext4";
echo "file ${cfg.format} $bootDisk" >> $out/nix-support/hydra-build-products partitionTableType = if config.ec2.efi then "efi" else "legacy+gpt";
echo "file ${cfg.format} $rootDisk" >> $out/nix-support/hydra-build-products
${pkgs.jq}/bin/jq -n \ inherit (config.virtualisation) diskSize;
--arg system_label ${lib.escapeShellArg config.system.nixos.label} \
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
--arg root_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$rootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$bootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_mode "${amiBootMode}" \
--arg root "$rootDisk" \
--arg boot "$bootDisk" \
'{}
| .label = $system_label
| .boot_mode = $boot_mode
| .system = $system
| .disks.boot.logical_bytes = $boot_logical_bytes
| .disks.boot.file = $boot
| .disks.root.logical_bytes = $root_logical_bytes
| .disks.root.file = $root
' > $out/nix-support/image-info.json
'';
};
extBuilder = import ../../../lib/make-disk-image.nix { postVM = ''
inherit lib config configFile pkgs; extension=''${diskImage##*.}
friendlyName=$out/${cfg.name}.$extension
mv "$diskImage" "$friendlyName"
diskImage=$friendlyName
inherit (cfg) contents format name; mkdir -p $out/nix-support
echo "file ${cfg.format} $diskImage" >> $out/nix-support/hydra-build-products
fsType = "ext4"; ${pkgs.jq}/bin/jq -n \
partitionTableType = if config.ec2.efi then "efi" else "legacy+gpt"; --arg system_label ${lib.escapeShellArg config.system.nixos.label} \
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
diskSize = cfg.sizeMB; --arg logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$diskImage" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_mode "${amiBootMode}" \
postVM = '' --arg file "$diskImage" \
extension=''${diskImage##*.} '{}
friendlyName=$out/${cfg.name}.$extension | .label = $system_label
mv "$diskImage" "$friendlyName" | .boot_mode = $boot_mode
diskImage=$friendlyName | .system = $system
| .logical_bytes = $logical_bytes
mkdir -p $out/nix-support | .file = $file
echo "file ${cfg.format} $diskImage" >> $out/nix-support/hydra-build-products | .disks.root.logical_bytes = $logical_bytes
| .disks.root.file = $file
${pkgs.jq}/bin/jq -n \ ' > $out/nix-support/image-info.json
--arg system_label ${lib.escapeShellArg config.system.nixos.label} \ '';
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \ };
--arg logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$diskImage" | ${pkgs.jq}/bin/jq '."virtual-size"')" \ in
--arg boot_mode "${amiBootMode}" \ if config.ec2.zfs.enable then zfsBuilder else extBuilder;
--arg file "$diskImage" \
'{}
| .label = $system_label
| .boot_mode = $boot_mode
| .system = $system
| .logical_bytes = $logical_bytes
| .file = $file
| .disks.root.logical_bytes = $logical_bytes
| .disks.root.file = $file
' > $out/nix-support/image-info.json
'';
};
in if config.ec2.zfs.enable then zfsBuilder else extBuilder;
meta.maintainers = with lib.maintainers; [ arianvp ]; meta.maintainers = with lib.maintainers; [ arianvp ];
} }
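Review bot: `cfg.name` is interpolated into the build shell unescaped in both builders' `postVM` (`friendlyName=$out/${cfg.name}` in the ZFS branch, `friendlyName=$out/${cfg.name}.$extension` in the ext4 branch), while the jq arguments a few lines below go through `lib.escapeShellArg`; a name containing whitespace or shell metacharacters either breaks the image build or is executed inside it. This predates the reformat, but since the hunk rewrites these lines anyway, `friendlyName=$out/${lib.escapeShellArg cfg.name}` (and the `.$extension` variant) would make both branches consistent with the jq calls. Separately, `diskSizeAutoSupported = !config.ec2.zfs.enable` presumably exists because the ZFS builder passes `diskSize` straight through as `rootSize`, which cannot be `"auto"`; the disk-size-option module that enforces this is outside the diff, so a one-line comment stating that intent next to the assignment would help the next reader.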


@ -1,6 +1,11 @@
# nix-build '<nixpkgs/nixos>' -A config.system.build.openstackImage --arg configuration "{ imports = [ ./nixos/maintainers/scripts/openstack/openstack-image.nix ]; }" # nix-build '<nixpkgs/nixos>' -A config.system.build.openstackImage --arg configuration "{ imports = [ ./nixos/maintainers/scripts/openstack/openstack-image.nix ]; }"
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mkOption types; inherit (lib) mkOption types;
copyChannel = true; copyChannel = true;
@ -10,9 +15,20 @@ in
{ {
imports = [ imports = [
../../../modules/virtualisation/openstack-config.nix ../../../modules/virtualisation/openstack-config.nix
../../../modules/virtualisation/disk-size-option.nix
(lib.mkRenamedOptionModuleWith {
sinceRelease = 2411;
from = [
"openstackImage"
"sizeMB"
];
to = [
"virtualisation"
"diskSize"
];
})
] ++ (lib.optional copyChannel ../../../modules/installer/cd-dvd/channel.nix); ] ++ (lib.optional copyChannel ../../../modules/installer/cd-dvd/channel.nix);
options.openstackImage = { options.openstackImage = {
name = mkOption { name = mkOption {
type = types.str; type = types.str;
@ -22,18 +38,15 @@ in
ramMB = mkOption { ramMB = mkOption {
type = types.int; type = types.int;
default = 1024; default = (3 * 1024);
description = "RAM allocation for build VM"; description = "RAM allocation for build VM";
}; };
sizeMB = mkOption {
type = types.int;
default = 8192;
description = "The size in MB of the image";
};
format = mkOption { format = mkOption {
type = types.enum [ "raw" "qcow2" ]; type = types.enum [
"raw"
"qcow2"
];
default = "qcow2"; default = "qcow2";
description = "The image format to output"; description = "The image format to output";
}; };
@ -54,24 +67,28 @@ in
}; };
}; };
# Use a priority just below mkOptionDefault (1500) instead of lib.mkDefault
# to avoid breaking existing configs using that.
virtualisation.diskSize = lib.mkOverride 1490 (8 * 1024);
virtualisation.diskSizeAutoSupported = false;
system.build.openstackImage = import ../../../lib/make-single-disk-zfs-image.nix { system.build.openstackImage = import ../../../lib/make-single-disk-zfs-image.nix {
inherit lib config; inherit lib config;
inherit (cfg) contents format name; inherit (cfg) contents format name;
pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
configFile = pkgs.writeText "configuration.nix" configFile = pkgs.writeText "configuration.nix" ''
'' { modulesPath, ... }: {
{ modulesPath, ... }: { imports = [ "''${modulesPath}/virtualisation/openstack-config.nix" ];
imports = [ "''${modulesPath}/virtualisation/openstack-config.nix" ]; openstack.zfs.enable = true;
openstack.zfs.enable = true; }
} '';
'';
includeChannel = copyChannel; includeChannel = copyChannel;
bootSize = 1000; bootSize = 1000;
memSize = cfg.ramMB; memSize = cfg.ramMB;
rootSize = cfg.sizeMB; rootSize = config.virtualisation.diskSize;
rootPoolProperties = { rootPoolProperties = {
ashift = 12; ashift = 12;
autoexpand = "on"; autoexpand = "on";
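Review bot: The `ramMB` default changes from `1024` to `(3 * 1024)` in the same hunk that replaces `sizeMB` with `virtualisation.diskSize`, yet nothing in the commit calls out a tripling of the build VM's memory, and the expression mirrors the new `3 * 1024` disk default in amazon-image.nix, which reads like a copy-and-paste rather than a deliberate change. If it is intentional, a comment next to the default saying why the ZFS image build needs 3 GiB would stop the next reader from reverting it; otherwise `default = 1024;` should be restored. The `virtualisation.diskSize` override of `8 * 1024` does preserve the old `sizeMB` default of 8192, so only the RAM value is unexplained.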


@ -161,9 +161,12 @@ in
script = '' script = ''
${lib.getExe cfg.package} -u ${lib.getExe cfg.package} -u
files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}) chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
chgrp -R resolvconf "''${files[@]}" chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
chmod -R g=u "''${files[@]}" ${lib.getExe' pkgs.acl "setfacl"} -R \
-m group:resolvconf:rwx \
-m default:group:resolvconf:rwx \
/run/resolvconf
''; '';
}; };


@ -6,6 +6,7 @@ let
attrNames attrNames
attrValues attrValues
concatMap concatMap
concatMapStringsSep
concatStrings concatStrings
elem elem
filter filter
@ -13,6 +14,7 @@ let
flatten flatten
flip flip
foldr foldr
generators
getAttr getAttr
hasAttr hasAttr
id id
@ -944,16 +946,18 @@ in {
warnings = warnings =
flip concatMap (attrValues cfg.users) (user: let flip concatMap (attrValues cfg.users) (user: let
unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([ passwordOptions = [
user.hashedPassword "hashedPassword"
user.hashedPasswordFile "hashedPasswordFile"
user.password "password"
] ++ optionals cfg.mutableUsers [ ] ++ optionals cfg.mutableUsers [
# For immutable users, initialHashedPassword is set to hashedPassword, # For immutable users, initialHashedPassword is set to hashedPassword,
# so using these options would always trigger the assertion. # so using these options would always trigger the assertion.
user.initialHashedPassword "initialHashedPassword"
user.initialPassword "initialPassword"
])); ];
unambiguousPasswordConfiguration = 1 >= length
(filter (x: x != null) (map (flip getAttr user) passwordOptions));
in optional (!unambiguousPasswordConfiguration) '' in optional (!unambiguousPasswordConfiguration) ''
The user '${user.name}' has multiple of the options The user '${user.name}' has multiple of the options
`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword` `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
@ -961,6 +965,13 @@ in {
The options silently discard others by the order of precedence The options silently discard others by the order of precedence
given above which can lead to surprising results. To resolve this warning, given above which can lead to surprising results. To resolve this warning,
set at most one of the options above to a non-`null` value. set at most one of the options above to a non-`null` value.
The values of these options are:
${concatMapStringsSep
"\n"
(value:
"* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}")
passwordOptions}
'') '')
++ filter (x: x != null) ( ++ filter (x: x != null) (
flip mapAttrsToList cfg.users (_: user: flip mapAttrsToList cfg.users (_: user:
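Review bot: The added "The values of these options are:" block prints the raw value of every entry in `passwordOptions` through `generators.toPretty {} user.${value}`, so when this warning fires it writes the user's cleartext `password`/`initialPassword` and the `hashedPassword` hash to the evaluator's stderr, i.e. into terminal scrollback and the CI logs of anyone evaluating the configuration. The warning only needs to show which options are non-null to be actionable; `"* users.users.\"${user.name}\".${value}: ${if user.${value} == null then "null" else "<set>"}"` conveys that without disclosing secrets (the `hashedPasswordFile` path could still be printed verbatim if desired). The `password` option is already documented as ending up world-readable in the store, but a log line reaches a much wider audience than the local Nix store.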


@ -12,6 +12,7 @@ in
description = '' description = ''
Enables hackrf udev rules and ensures 'plugdev' group exists. Enables hackrf udev rules and ensures 'plugdev' group exists.
This is a prerequisite to using HackRF devices without being root, since HackRF USB descriptors will be owned by plugdev through udev. This is a prerequisite to using HackRF devices without being root, since HackRF USB descriptors will be owned by plugdev through udev.
Ensure your user is a member of the 'plugdev' group after enabling.
''; '';
}; };
}; };


@ -106,11 +106,12 @@ let
# isNormalUser = true; # isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user. # extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [ # packages = with pkgs; [
# firefox
# tree # tree
# ]; # ];
# }; # };
# programs.firefox.enable = true;
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# \$ nix search wget # \$ nix search wget
# environment.systemPackages = with pkgs; [ # environment.systemPackages = with pkgs; [


@ -22,21 +22,26 @@ let
{ {
NAME = "${cfg.distroName}"; NAME = "${cfg.distroName}";
ID = "${cfg.distroId}"; ID = "${cfg.distroId}";
ID_LIKE = optionalString (!isNixos) "nixos";
VENDOR_NAME = cfg.vendorName;
VERSION = "${cfg.release} (${cfg.codeName})"; VERSION = "${cfg.release} (${cfg.codeName})";
VERSION_CODENAME = toLower cfg.codeName; VERSION_CODENAME = toLower cfg.codeName;
VERSION_ID = cfg.release; VERSION_ID = cfg.release;
BUILD_ID = cfg.version; BUILD_ID = cfg.version;
PRETTY_NAME = "${cfg.distroName} ${cfg.release} (${cfg.codeName})"; PRETTY_NAME = "${cfg.distroName} ${cfg.release} (${cfg.codeName})";
CPE_NAME = "cpe:/o:${cfg.vendorId}:${cfg.distroId}:${cfg.release}";
LOGO = "nix-snowflake"; LOGO = "nix-snowflake";
HOME_URL = optionalString isNixos "https://nixos.org/"; HOME_URL = optionalString isNixos "https://nixos.org/";
VENDOR_URL = optionalString isNixos "https://nixos.org/";
DOCUMENTATION_URL = optionalString isNixos "https://nixos.org/learn.html"; DOCUMENTATION_URL = optionalString isNixos "https://nixos.org/learn.html";
SUPPORT_URL = optionalString isNixos "https://nixos.org/community.html"; SUPPORT_URL = optionalString isNixos "https://nixos.org/community.html";
BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues"; BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues";
ANSI_COLOR = optionalString isNixos "1;34"; ANSI_COLOR = optionalString isNixos "1;34";
IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id; IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id;
IMAGE_VERSION = optionalString (config.system.image.version != null) config.system.image.version; IMAGE_VERSION = optionalString (config.system.image.version != null) config.system.image.version;
} // lib.optionalAttrs (cfg.variant_id != null) { VARIANT = optionalString (cfg.variantName != null) cfg.variantName;
VARIANT_ID = cfg.variant_id; VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id;
DEFAULT_HOSTNAME = config.networking.fqdnOrHostName;
}; };
initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // { initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // {
@ -116,6 +121,27 @@ in
description = "A lower-case string identifying a specific variant or edition of the operating system"; description = "A lower-case string identifying a specific variant or edition of the operating system";
example = "installer"; example = "installer";
}; };
variantName = mkOption {
type = types.nullOr types.str;
default = null;
description = "A string identifying a specific variant or edition of the operating system suitable for presentation to the user";
example = "NixOS Installer Image";
};
vendorId = mkOption {
internal = true;
type = types.str;
default = "nixos";
description = "The id of the operating system vendor";
};
vendorName = mkOption {
internal = true;
type = types.str;
default = "NixOS";
description = "The name of the operating system vendor";
};
}; };
image = { image = {
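Review bot: `VENDOR_NAME` and `CPE_NAME` are emitted unconditionally with the `vendorName`/`vendorId` defaults of `"NixOS"`/`"nixos"`, while `VENDOR_URL` and the other URL fields are gated on `isNixos`; a derivative that sets `distroId`/`distroName` but not the `internal = true` vendor options therefore advertises `cpe:/o:nixos:<its-id>:<release>` and vendor "NixOS", which misleads anything that matches CPE names against vulnerability data. Either gate them the same way, `CPE_NAME = optionalString isNixos "cpe:/o:${cfg.vendorId}:${cfg.distroId}:${cfg.release}";`, or drop `internal = true` from `vendorId`/`vendorName` and document in their descriptions that they feed `CPE_NAME` and `VENDOR_NAME`. Note also that `DEFAULT_HOSTNAME` flows into the initrd os-release through `initrdReleaseContents`, which only strips `BUILD_ID`, so the initrd now depends on `networking.fqdnOrHostName`; presumably acceptable, but worth a comment.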


@ -172,6 +172,7 @@
./programs/cpu-energy-meter.nix ./programs/cpu-energy-meter.nix
./programs/command-not-found/command-not-found.nix ./programs/command-not-found/command-not-found.nix
./programs/coolercontrol.nix ./programs/coolercontrol.nix
./programs/corefreq.nix
./programs/criu.nix ./programs/criu.nix
./programs/darling.nix ./programs/darling.nix
./programs/dconf.nix ./programs/dconf.nix
@ -1549,6 +1550,7 @@
./services/web-servers/phpfpm/default.nix ./services/web-servers/phpfpm/default.nix
./services/web-servers/pomerium.nix ./services/web-servers/pomerium.nix
./services/web-servers/rustus.nix ./services/web-servers/rustus.nix
./services/web-servers/send.nix
./services/web-servers/stargazer.nix ./services/web-servers/stargazer.nix
./services/web-servers/static-web-server.nix ./services/web-servers/static-web-server.nix
./services/web-servers/tomcat.nix ./services/web-servers/tomcat.nix


@ -17,7 +17,7 @@ in
enable = lib.mkEnableOption "the 1Password CLI tool"; enable = lib.mkEnableOption "the 1Password CLI tool";
package = lib.mkPackageOption pkgs "1Password CLI" { package = lib.mkPackageOption pkgs "1Password CLI" {
default = [ "_1password" ]; default = [ "_1password-cli" ];
}; };
}; };
}; };


@ -0,0 +1,42 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.corefreq;
kernelPackages = config.boot.kernelPackages;
in
{
options = {
programs.corefreq = {
enable = lib.mkEnableOption "Whether to enable the corefreq daemon and kernel module";
package = lib.mkOption {
type = lib.types.package;
default = kernelPackages.corefreq;
defaultText = lib.literalExpression "config.boot.kernelPackages.corefreq";
description = ''
The corefreq package to use.
'';
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
boot.extraModulePackages = [ cfg.package ];
boot.kernelModules = [ "corefreqk" ];
# Create a systemd service for the corefreq daemon
systemd.services.corefreq = {
description = "CoreFreq daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = lib.getExe' cfg.package "corefreqd";
};
};
};
}
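Review bot: `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so the description of `programs.corefreq.enable` renders as "Whether to enable Whether to enable the corefreq daemon and kernel module."; it should read `enable = lib.mkEnableOption "the corefreq daemon and kernel module";`. The `corefreq` unit also sets nothing in `serviceConfig` besides `ExecStart`, so `corefreqd` runs as root with systemd's defaults and no `Restart` policy; the daemon presumably needs the `corefreqk` device node, so full sandboxing may not apply, but a comment stating that root access is required (and a `Restart = "on-failure";` if the daemon is expected to stay up) would document the choice for the next reader.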


@ -34,7 +34,7 @@ in
environment.pathsToLink = [ "/share/nix-ld" ]; environment.pathsToLink = [ "/share/nix-ld" ];
environment.variables = { environment.sessionVariables = {
NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so"; NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib"; NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
}; };


@ -85,9 +85,10 @@ in
extraPackages = lib.mkOption { extraPackages = lib.mkOption {
type = with lib.types; listOf package; type = with lib.types; listOf package;
default = with pkgs; [ swaylock swayidle foot dmenu wmenu ]; # Packages used in default config
default = with pkgs; [ brightnessctl foot grim pulseaudio swayidle swaylock wmenu ];
defaultText = lib.literalExpression '' defaultText = lib.literalExpression ''
with pkgs; [ swaylock swayidle foot dmenu wmenu ]; with pkgs; [ brightnessctl foot grim pulseaudio swayidle swaylock wmenu ];
''; '';
example = lib.literalExpression '' example = lib.literalExpression ''
with pkgs; [ i3status i3status-rust termite rofi light ] with pkgs; [ i3status i3status-rust termite rofi light ]


@ -108,18 +108,19 @@ in
systemd.packages = [ cfg.package ]; systemd.packages = [ cfg.package ];
environment.pathsToLink = [ "/share/uwsm" ]; environment.pathsToLink = [ "/share/uwsm" ];
services.graphical-desktop.enable = true;
# UWSM recommends dbus broker for better compatibility # UWSM recommends dbus broker for better compatibility
services.dbus.implementation = "broker"; services.dbus.implementation = "broker";
services.displayManager.sessionPackages = lib.mapAttrsToList ( services.displayManager = {
name: value: enable = true;
mk_uwsm_desktop_entry { sessionPackages = lib.mapAttrsToList (
inherit name; name: value:
inherit (value) prettyName comment binPath; mk_uwsm_desktop_entry {
} inherit name;
) cfg.waylandCompositors; inherit (value) prettyName comment binPath;
}
) cfg.waylandCompositors;
};
}; };
meta.maintainers = with lib.maintainers; [ meta.maintainers = with lib.maintainers; [


@ -87,6 +87,15 @@ in
Without this option it would default to the read-only nix store. Without this option it would default to the read-only nix store.
''; '';
}; };
preLoaded = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
Shell commands executed before the `oh-my-zsh` is loaded.
For example, to disable async git prompt write `zstyle ':omz:alpha:lib:git' async-prompt no` (more information https://github.com/ohmyzsh/ohmyzsh?tab=readme-ov-file#async-git-prompt)
'';
};
}; };
}; };
@ -120,6 +129,7 @@ in
ZSH_CACHE_DIR=${cfg.cacheDir} ZSH_CACHE_DIR=${cfg.cacheDir}
''} ''}
${cfg.preLoaded}
source $ZSH/oh-my-zsh.sh source $ZSH/oh-my-zsh.sh
''; '';


@ -24,7 +24,8 @@ in
internal = true; internal = true;
}; };
security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle. security.pki.useCompatibleBundle = mkEnableOption ''
usage of a compatibility bundle.
Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`, Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
which is an OpenSSL specific PEM format. which is an OpenSSL specific PEM format.


@ -165,6 +165,10 @@ in
###### interface ###### interface
options = { options = {
security.enableWrappers = lib.mkEnableOption "SUID/SGID wrappers" // {
default = true;
};
security.wrappers = lib.mkOption { security.wrappers = lib.mkOption {
type = lib.types.attrsOf wrapperType; type = lib.types.attrsOf wrapperType;
default = {}; default = {};
@ -227,7 +231,7 @@ in
}; };
###### implementation ###### implementation
config = { config = lib.mkIf config.security.enableWrappers {
assertions = lib.mapAttrsToList assertions = lib.mapAttrsToList
(name: opts: (name: opts:


@ -260,7 +260,7 @@ in {
systemd.services.jack-session = { systemd.services.jack-session = {
description = "JACK session"; description = "JACK session";
script = '' script = ''
jack_wait -w ${pkgs.jack-example-tools}/bin/jack_wait -w
${cfg.jackd.session} ${cfg.jackd.session}
${lib.optionalString cfg.loopback.enable cfg.loopback.session} ${lib.optionalString cfg.loopback.enable cfg.loopback.session}
''; '';


@ -330,12 +330,12 @@ in
ln -sf ${hydraConf} ${baseDir}/hydra.conf ln -sf ${hydraConf} ${baseDir}/hydra.conf
mkdir -m 0700 -p ${baseDir}/www mkdir -m 0700 ${baseDir}/www || true
chown hydra-www:hydra ${baseDir}/www chown hydra-www:hydra ${baseDir}/www
mkdir -m 0700 -p ${baseDir}/queue-runner mkdir -m 0700 ${baseDir}/queue-runner || true
mkdir -m 0750 -p ${baseDir}/build-logs mkdir -m 0750 ${baseDir}/build-logs || true
mkdir -m 0750 -p ${baseDir}/runcommand-logs mkdir -m 0750 ${baseDir}/runcommand-logs || true
chown hydra-queue-runner:hydra \ chown hydra-queue-runner:hydra \
${baseDir}/queue-runner \ ${baseDir}/queue-runner \
${baseDir}/build-logs \ ${baseDir}/build-logs \
@ -362,8 +362,8 @@ in
# Move legacy hydra-www roots. # Move legacy hydra-www roots.
if [ -e /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots ]; then if [ -e /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots ]; then
find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f \ find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f -print0 \
| xargs -r mv -f -t ${cfg.gcRootsDir}/ | xargs -0 -r mv -f -t ${cfg.gcRootsDir}/
rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots
fi fi
@ -520,7 +520,7 @@ in
elif [[ $compression == zstd ]]; then elif [[ $compression == zstd ]]; then
compression="zstd --rm" compression="zstd --rm"
fi fi
find ${baseDir}/build-logs -type f -name "*.drv" -mtime +3 -size +0c | xargs -r "$compression" --force --quiet find ${baseDir}/build-logs -type f -name "*.drv" -mtime +3 -size +0c -print0 | xargs -0 -r "$compression" --force --quiet
''; '';
startAt = "Sun 01:45"; startAt = "Sun 01:45";
serviceConfig.Slice = "system-hydra.slice"; serviceConfig.Slice = "system-hydra.slice";
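Review bot: The new `mkdir -m 0700 ${baseDir}/www || true` (and the three siblings below it) swallows every mkdir failure, not just "already exists", so a missing `${baseDir}` or a non-directory sitting at that path no longer aborts the pre-start script and the following `chown` runs against whatever is there. If the intent is merely to not touch an existing directory, `[ -d ${baseDir}/www ] || mkdir -m 0700 ${baseDir}/www` keeps that behaviour while letting real errors fail the unit. Note that neither the old nor the new form tightens the mode of a pre-existing directory; if that matters, a `chmod 0700` alongside the `chown` would close it. The `-print0`/`xargs -0` changes in the other hunks of this file are a good fix for path handling.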


@ -93,6 +93,8 @@ in
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
environment.pathsToLink = [ "/share/openxr" ]; environment.pathsToLink = [ "/share/openxr" ];
hardware.opengl.extraPackages = [ pkgs.monado-vulkan-layers ];
environment.etc."xdg/openxr/1/active_runtime.json" = mkIf cfg.defaultRuntime { environment.etc."xdg/openxr/1/active_runtime.json" = mkIf cfg.defaultRuntime {
source = "${cfg.package}/share/openxr/1/openxr_monado.json"; source = "${cfg.package}/share/openxr/1/openxr_monado.json";
}; };


@ -42,6 +42,15 @@ Here, `passwordFile` is the path to a file containing just the password in
plaintext. Make sure to set permissions to make this file unreadable to any plaintext. Make sure to set permissions to make this file unreadable to any
user besides root. user besides root.
By default, synced data are stored in */var/lib/anki-sync-server/*ankiuser**.
You can change the directory by using `services.anki-sync-server.baseDirectory`
```nix
{
services.anki-sync-server.baseDirectory = "/home/anki/data";
}
```
By default, the server listen address {option}`services.anki-sync-server.host` By default, the server listen address {option}`services.anki-sync-server.host`
is set to localhost, listening on port is set to localhost, listening on port
{option}`services.anki-sync-server.port`, and does not open the firewall. This {option}`services.anki-sync-server.port`, and does not open the firewall. This


@ -59,6 +59,13 @@ in {
description = "Port number anki-sync-server listens to."; description = "Port number anki-sync-server listens to.";
}; };
baseDirectory = mkOption {
type = types.str;
default = "%S/%N";
description = "Base directory where user(s) synchronized data will be stored.";
};
openFirewall = mkOption { openFirewall = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -114,7 +121,7 @@ in {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
path = [cfg.package]; path = [cfg.package];
environment = { environment = {
SYNC_BASE = "%S/%N"; SYNC_BASE = cfg.baseDirectory;
SYNC_HOST = specEscape cfg.address; SYNC_HOST = specEscape cfg.address;
SYNC_PORT = toString cfg.port; SYNC_PORT = toString cfg.port;
}; };
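Review bot: `baseDirectory` is a plain `types.str` handed verbatim to `SYNC_BASE`, so user values go through systemd specifier expansion exactly like the `%S/%N` default, and a non-default path will presumably fall outside whatever state directory and sandboxing the unit configures elsewhere in this file (not visible in the hunk). The description should say so, e.g. `Base directory where synchronized data is stored. The value is subject to systemd specifier expansion; a path outside the service's state directory must be writable by the service user and may require loosening the unit's sandbox (e.g. ReadWritePaths).`. Also consider whether the service's own `StateDirectory`/`ReadWritePaths` should include `cfg.baseDirectory` when it differs from the default.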


@ -54,6 +54,8 @@ in
--no-update True --no-update True
''; '';
Restart = "on-failure"; Restart = "on-failure";
KillSignal = "SIGINT";
SuccessExitStatus = "0 156";
}; };
}; };
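Review bot: The magic value in `SuccessExitStatus = "0 156";` is undocumented, and 156 is not a conventional signal-derived code (SIGINT would be 130), so a later maintainer cannot tell whether it is still needed when the package is updated. Add a why-comment such as `# 156: exit status the process returns when stopped via SIGINT (see KillSignal above) — keep in sync with upstream` with a reference to where this is established. The enclosing `serviceConfig` starts outside the hunk.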


@ -12,7 +12,7 @@ let
"--port" = cfg.port; "--port" = cfg.port;
"--auth-mode" = cfg.auth.mode; "--auth-mode" = cfg.auth.mode;
"--userdb" = cfg.auth.userDb; "--userdb" = cfg.auth.userDb;
}) ++ [(lib.optionalString (cfg.auth.enable == true) "--enable-auth")]) }) ++ [ (lib.optionalString (cfg.auth.enable == true) "--enable-auth") ] ++ cfg.extraFlags)
); );
in in
@ -42,6 +42,15 @@ in
''; '';
}; };
extraFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
Extra flags to pass to the calibre-server command.
See the [calibre-server documentation](${generatedDocumentationLink}) for details.
'';
};
user = lib.mkOption { user = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "calibre-server"; default = "calibre-server";
@ -73,6 +82,13 @@ in
''; '';
}; };
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description =
"Open ports in the firewall for the Calibre Server web interface.";
};
auth = { auth = {
enable = lib.mkOption { enable = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
@ -137,6 +153,9 @@ in
}; };
}; };
networking.firewall =
lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
}; };
meta.maintainers = with lib.maintainers; [ gaelreyrol ]; meta.maintainers = with lib.maintainers; [ gaelreyrol ];
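Review bot: `openFirewall` opens `cfg.port` unconditionally, including when `auth.enable` is false, which exposes an unauthenticated calibre-server (full library read, and write if the server is configured for it) to the network with a single option flip. At minimum the `openFirewall` description should warn about this, and an assertion or warning such as `{ assertion = cfg.openFirewall -> cfg.auth.enable; message = "services.calibre-server.openFirewall without auth.enable exposes the library unauthenticated"; }` would make the combination deliberate. `extraFlags` is appended to the same list as the `--enable-auth` string, so it inherits whatever escaping the surrounding expression applies; that expression starts outside the hunk, so please confirm the flags are shell-escaped rather than interpolated.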


@ -40,7 +40,7 @@ in
###### implementation ###### implementation
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
dysnomia.enable = true; services.dysnomia.enable = true;
environment.systemPackages = [ pkgs.disnix ] ++ lib.optional cfg.useWebServiceInterface pkgs.DisnixWebService; environment.systemPackages = [ pkgs.disnix ] ++ lib.optional cfg.useWebServiceInterface pkgs.DisnixWebService;
environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles); environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles);
@ -74,7 +74,7 @@ in
restartIfChanged = false; restartIfChanged = false;
path = [ config.nix.package cfg.package config.dysnomia.package "/run/current-system/sw" ]; path = [ config.nix.package cfg.package config.services.dysnomia.package "/run/current-system/sw" ];
environment = { environment = {
HOME = "/root"; HOME = "/root";


@ -1,6 +1,6 @@
{pkgs, lib, config, ...}: {pkgs, lib, config, ...}:
let let
cfg = config.dysnomia; cfg = config.services.dysnomia;
printProperties = properties: printProperties = properties:
lib.concatMapStrings (propertyName: lib.concatMapStrings (propertyName:
@ -79,7 +79,7 @@ let
in in
{ {
options = { options = {
dysnomia = { services.dysnomia = {
enable = lib.mkOption { enable = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
@ -142,6 +142,10 @@ in
}; };
}; };
imports = [
(lib.mkRenamedOptionModule ["dysnomia"] ["services" "dysnomia"])
];
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.etc = { environment.etc = {
@ -164,7 +168,7 @@ in
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
dysnomia.package = pkgs.dysnomia.override (origArgs: dysnomiaFlags // lib.optionalAttrs (cfg.enableLegacyModules) { services.dysnomia.package = pkgs.dysnomia.override (origArgs: dysnomiaFlags // lib.optionalAttrs (cfg.enableLegacyModules) {
enableLegacy = builtins.trace '' enableLegacy = builtins.trace ''
WARNING: Dysnomia has been configured to use the legacy 'process' and 'wrapper' WARNING: Dysnomia has been configured to use the legacy 'process' and 'wrapper'
modules for compatibility reasons! If you rely on these modules, consider modules for compatibility reasons! If you rely on these modules, consider
@ -181,7 +185,7 @@ in
'' true; '' true;
}); });
dysnomia.properties = { services.dysnomia.properties = {
hostname = config.networking.hostName; hostname = config.networking.hostName;
inherit (pkgs.stdenv.hostPlatform) system; inherit (pkgs.stdenv.hostPlatform) system;
@ -208,7 +212,7 @@ in
++ lib.optional (dysnomiaFlags.enableSubversionRepository) "subversion-repository"; ++ lib.optional (dysnomiaFlags.enableSubversionRepository) "subversion-repository";
}; };
dysnomia.containers = lib.recursiveUpdate ({ services.dysnomia.containers = lib.recursiveUpdate ({
process = {}; process = {};
wrapper = {}; wrapper = {};
} }


@ -113,6 +113,7 @@ in
''; '';
serial = lib.mkOption { serial = lib.mkOption {
type = lib.types.nullOr path; type = lib.types.nullOr path;
default = null;
description = "Path to serial port this printer is connected to. Leave `null` to derive it from `service.klipper.settings`."; description = "Path to serial port this printer is connected to. Leave `null` to derive it from `service.klipper.settings`.";
}; };
configFile = lib.mkOption { configFile = lib.mkOption {


@ -5,10 +5,9 @@ let
baseConfig = { baseConfig = {
plugins.curalegacy.cura_engine = "${pkgs.curaengine_stable}/bin/CuraEngine"; plugins.curalegacy.cura_engine = "${pkgs.curaengine_stable}/bin/CuraEngine";
server.host = cfg.host;
server.port = cfg.port; server.port = cfg.port;
webcam.ffmpeg = "${pkgs.ffmpeg.bin}/bin/ffmpeg"; webcam.ffmpeg = "${pkgs.ffmpeg.bin}/bin/ffmpeg";
}; } // lib.optionalAttrs (cfg.host != null) {server.host = cfg.host;};
fullConfig = lib.recursiveUpdate cfg.extraConfig baseConfig; fullConfig = lib.recursiveUpdate cfg.extraConfig baseConfig;
@ -29,8 +28,8 @@ in
enable = lib.mkEnableOption "OctoPrint, web interface for 3D printers"; enable = lib.mkEnableOption "OctoPrint, web interface for 3D printers";
host = lib.mkOption { host = lib.mkOption {
type = lib.types.str; type = lib.types.nullOr lib.types.str;
default = "0.0.0.0"; default = null;
description = '' description = ''
Host to bind OctoPrint to. Host to bind OctoPrint to.
''; '';
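Review bot: The `host` option now defaults to `null` and is omitted from the generated config in that case, but the description still just says `Host to bind OctoPrint to.` and never explains what `null` means for the bind address. Users who previously relied on the explicit `0.0.0.0` cannot tell from the docs whether the listener is now loopback-only or still on all interfaces (OctoPrint's own default is, as far as I know, all interfaces — please confirm against upstream). Suggested text: `Host to bind OctoPrint to. When null, the server.host key is left unset and OctoPrint's built-in default applies (binds all interfaces, IPv6 where available); set 127.0.0.1 to keep the interface local.`.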


@ -290,11 +290,12 @@ in
'' ''
+ optionalString (cfg.passwordFile != null) '' + optionalString (cfg.passwordFile != null) ''
export PAPERLESS_ADMIN_USER="''${PAPERLESS_ADMIN_USER:-admin}" export PAPERLESS_ADMIN_USER="''${PAPERLESS_ADMIN_USER:-admin}"
export PAPERLESS_ADMIN_PASSWORD=$(cat $CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD) PAPERLESS_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD")
export PAPERLESS_ADMIN_PASSWORD
superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD" superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"
superuserStateFile="${cfg.dataDir}/superuser-state" superuserStateFile="${cfg.dataDir}/superuser-state"
if [[ $(cat "$superuserStateFile" 2>/dev/null) != $superuserState ]]; then if [[ $(cat "$superuserStateFile" 2>/dev/null) != "$superuserState" ]]; then
${cfg.package}/bin/paperless-ngx manage_superuser ${cfg.package}/bin/paperless-ngx manage_superuser
echo "$superuserState" > "$superuserStateFile" echo "$superuserState" > "$superuserStateFile"
fi fi
@ -353,7 +354,8 @@ in
tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}' tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}'
) )
fi fi
export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}') PAPERLESS_SECRET_KEY="$(cat '${secretKeyFile}')"
export PAPERLESS_SECRET_KEY
if [[ ! $PAPERLESS_SECRET_KEY ]]; then if [[ ! $PAPERLESS_SECRET_KEY ]]; then
echo "PAPERLESS_SECRET_KEY is empty, refusing to start." echo "PAPERLESS_SECRET_KEY is empty, refusing to start."
exit 1 exit 1
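Review bot: The superuser bookkeeping still writes the admin password in cleartext: `superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"` is persisted verbatim by `echo "$superuserState" > "$superuserStateFile"` under `cfg.dataDir`, which defeats the point of passing the secret through `$CREDENTIALS_DIRECTORY`. The quoting fixes in this hunk are good, but the state marker only needs to detect a change, so a digest suffices: `superuserState="$(printf '%s:%s' "$PAPERLESS_ADMIN_USER" "$PAPERLESS_ADMIN_PASSWORD" | sha256sum | cut -d' ' -f1)"`. Existing deployments would re-run `manage_superuser` once when the stored format changes, which is harmless since the command is idempotent by design here. The mode of the state file depends on the unit's umask, which is set outside this hunk.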


@ -92,6 +92,14 @@ in
Address to the dashboard Address to the dashboard
''; '';
}; };
extraFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "--gpu" ];
description = ''
Extra command-line flags passed to nezha-agent.
'';
};
}; };
}; };
@ -125,6 +133,7 @@ in
++ lib.optional cfg.gpu "--gpu" ++ lib.optional cfg.gpu "--gpu"
++ lib.optional cfg.temperature "--temperature" ++ lib.optional cfg.temperature "--temperature"
++ lib.optional cfg.useIPv6CountryCode "--use-ipv6-countrycode" ++ lib.optional cfg.useIPv6CountryCode "--use-ipv6-countrycode"
++ cfg.extraFlags
); );
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };


@ -201,6 +201,26 @@ let
}; };
}; };
promTypes.sigv4 = types.submodule {
options = {
region = mkOpt types.str ''
The AWS region.
'';
access_key = mkOpt types.str ''
The Access Key ID.
'';
secret_key = mkOpt types.str ''
The Secret Access Key.
'';
profile = mkOpt types.str ''
The named AWS profile used to authenticate.
'';
role_arn = mkOpt types.str ''
The AWS role ARN.
'';
};
};
promTypes.tls_config = types.submodule { promTypes.tls_config = types.submodule {
options = { options = {
ca_file = mkOpt types.str '' ca_file = mkOpt types.str ''
@ -1464,6 +1484,9 @@ let
Sets the `Authorization` header on every remote write request with the bearer token Sets the `Authorization` header on every remote write request with the bearer token
read from the configured file. It is mutually exclusive with `bearer_token`. read from the configured file. It is mutually exclusive with `bearer_token`.
''; '';
sigv4 = mkOpt promTypes.sigv4 ''
Configures AWS Signature Version 4 settings.
'';
tls_config = mkOpt promTypes.tls_config '' tls_config = mkOpt promTypes.tls_config ''
Configures the remote write request's TLS settings. Configures the remote write request's TLS settings.
''; '';
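Review bot: `promTypes.sigv4.secret_key` (and `access_key`) are plain `types.str` values that become part of the Prometheus configuration, which this module presumably renders into a store path like the rest of the config, so any static AWS secret set here ends up world-readable on the host and in the binary cache. Upstream sigv4 offers no `_file` variant, so the honest fix is a documentation warning plus a steer toward the credential-less paths: `secret_key = mkOpt types.str "The Secret Access Key. WARNING: this value is written to the world-readable Nix store; prefer profile/role_arn or credentials supplied via the environment or instance metadata.";`. The same caveat belongs on the `sigv4` option in `remote_write` below.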


@ -88,7 +88,6 @@ let
"statsd" "statsd"
"surfboard" "surfboard"
"systemd" "systemd"
"tor"
"unbound" "unbound"
"unifi" "unifi"
"unpoller" "unpoller"
@ -299,6 +298,9 @@ in
The Minio exporter has been removed, as it was broken and unmaintained. The Minio exporter has been removed, as it was broken and unmaintained.
See the 24.11 release notes for more information. See the 24.11 release notes for more information.
'') '')
(lib.mkRemovedOptionModule [ "tor" ] ''
The Tor exporter has been removed, as it was broken and unmaintained.
'')
]; ];
}; };
description = "Prometheus exporter configuration"; description = "Prometheus exporter configuration";


@ -1,43 +0,0 @@
{ config, lib, pkgs, options, ... }:
let
cfg = config.services.prometheus.exporters.tor;
inherit (lib) mkOption types concatStringsSep;
in
{
port = 9130;
extraOpts = {
torControlAddress = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Tor control IP address or hostname.
'';
};
torControlPort = mkOption {
type = types.port;
default = 9051;
description = ''
Tor control port.
'';
};
};
serviceOpts = {
serviceConfig = {
ExecStart = ''
${pkgs.prometheus-tor-exporter}/bin/prometheus-tor-exporter \
-b ${cfg.listenAddress} \
-p ${toString cfg.port} \
-a ${cfg.torControlAddress} \
-c ${toString cfg.torControlPort} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
# CPython requires a process to either have $HOME defined or run as a UID
# defined in /etc/passwd. The latter is false with DynamicUser, so define a
# dummy $HOME. https://bugs.python.org/issue10496
environment = { HOME = "/var/empty"; };
};
}


@ -3,6 +3,12 @@ let
TCPPorts = [21115 21116 21117 21118 21119]; TCPPorts = [21115 21116 21117 21118 21119];
UDPPorts = [21116]; UDPPorts = [21116];
in { in {
imports = [
(lib.mkRemovedOptionModule [ "services" "rustdesk-server" "relayIP" ] "This option has been replaced by services.rustdesk-server.signal.relayHosts")
(lib.mkRenamedOptionModule [ "services" "rustdesk-server" "extraRelayArgs" ] [ "services" "rustdesk-server" "relay" "extraArgs" ])
(lib.mkRenamedOptionModule [ "services" "rustdesk-server" "extraSignalArgs" ] [ "services" "rustdesk-server" "signal" "extraArgs" ])
];
options.services.rustdesk-server = with lib; with types; { options.services.rustdesk-server = with lib; with types; {
enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices"; enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices";
@ -18,30 +24,53 @@ in {
''; '';
}; };
relayIP = mkOption { signal = {
type = str; enable = mkOption {
description = '' type = bool;
The public facing IP of the RustDesk relay. default = true;
''; description = ''
Whether to enable the RustDesk signal server.
'';
};
relayHosts = mkOption {
type = listOf str;
default = [];
# reference: https://rustdesk.com/docs/en/self-host/rustdesk-server-pro/relay/
description = ''
The relay server IP addresses or DNS names of the RustDesk relay.
'';
};
extraArgs = mkOption {
type = listOf str;
default = [];
example = [ "-k" "_" ];
description = ''
A list of extra command line arguments to pass to the `hbbs` process.
'';
};
}; };
extraSignalArgs = mkOption { relay = {
type = listOf str; enable = mkOption {
default = []; type = bool;
example = [ "-k" "_" ]; default = true;
description = '' description = ''
A list of extra command line arguments to pass to the `hbbs` process. Whether to enable the RustDesk relay server.
''; '';
};
extraArgs = mkOption {
type = listOf str;
default = [];
example = [ "-k" "_" ];
description = ''
A list of extra command line arguments to pass to the `hbbr` process.
'';
};
}; };
extraRelayArgs = mkOption {
type = listOf str;
default = [];
example = [ "-k" "_" ];
description = ''
A list of extra command line arguments to pass to the `hbbr` process.
'';
};
}; };
config = let config = let
@ -96,13 +125,17 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
systemd.services.rustdesk-signal = lib.mkMerge [ serviceDefaults { systemd.services.rustdesk-signal =
serviceConfig.ExecStart = "${cfg.package}/bin/hbbs -r ${cfg.relayIP} ${lib.escapeShellArgs cfg.extraSignalArgs}"; let
} ]; relayArg = builtins.concatStringsSep ":" cfg.signal.relayHosts;
in
lib.mkIf cfg.signal.enable (lib.mkMerge [ serviceDefaults {
serviceConfig.ExecStart = "${cfg.package}/bin/hbbs --relay-servers ${relayArg} ${lib.escapeShellArgs cfg.signal.extraArgs}";
} ]);
systemd.services.rustdesk-relay = lib.mkMerge [ serviceDefaults { systemd.services.rustdesk-relay = lib.mkIf cfg.relay.enable (lib.mkMerge [ serviceDefaults {
serviceConfig.ExecStart = "${cfg.package}/bin/hbbr ${lib.escapeShellArgs cfg.extraRelayArgs}"; serviceConfig.ExecStart = "${cfg.package}/bin/hbbr ${lib.escapeShellArgs cfg.relay.extraArgs}";
} ]; } ]);
}; };
meta.maintainers = with lib.maintainers; [ ppom ]; meta.maintainers = with lib.maintainers; [ ppom ];
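Review bot: `relayArg` is interpolated unescaped into `ExecStart`, and with the new default `relayHosts = []` it expands to nothing, producing `hbbs --relay-servers  …` where the flag either has no value or swallows the first `extraArgs` entry; the old `relayIP` had no default and so could not be silently empty. Escape the value and only emit the flag when there is something to pass: `relayArg = lib.optionalString (cfg.signal.relayHosts != [ ]) "--relay-servers ${lib.escapeShellArg (builtins.concatStringsSep ":" cfg.signal.relayHosts)}";` with `ExecStart = "${cfg.package}/bin/hbbs ${relayArg} ${lib.escapeShellArgs cfg.signal.extraArgs}";`. Also confirm the separator against `hbbs --help`: the colon is what upstream uses for `host:port`, so joining multiple hosts with `:` looks ambiguous and a comma may be what the binary expects. The option description could then state the exact format accepted.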


@ -317,6 +317,47 @@ in
Type = "dbus"; Type = "dbus";
ExecStart = "${cfg.package}/sbin/avahi-daemon --syslog -f ${avahiDaemonConf}"; ExecStart = "${cfg.package}/sbin/avahi-daemon --syslog -f ${avahiDaemonConf}";
ConfigurationDirectory = "avahi/services"; ConfigurationDirectory = "avahi/services";
# Hardening
CapabilityBoundingSet = [
# https://github.com/avahi/avahi/blob/v0.9-rc1/avahi-daemon/caps.c#L38
"CAP_SYS_CHROOT"
"CAP_SETUID"
"CAP_SETGID"
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = false;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown setgroups setresuid"
];
UMask = "0077";
}; };
}; };
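Review bot: The re-allow entry `"@chown setgroups setresuid"` restores only part of what `~@privileged` strips, and the bounding set deliberately keeps `CAP_SYS_CHROOT`, so if avahi-daemon's privilege drop also calls `setresgid` (the group counterpart of the `setresuid` you allow) or actually `chroot()`s, those calls are still filtered and the daemon dies with SIGSYS at startup. I have not re-read avahi's `drop_root`; please run the avahi NixOS test with this unit and, if needed, extend the line to `"@chown setgroups setresuid setresgid chroot"` — or, if chroot is not compiled in, drop `CAP_SYS_CHROOT` from the bounding set so the two settings agree. A one-line comment stating which syscalls the privilege drop needs would keep the allow-list from being "fixed" back later.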


@ -1,41 +1,41 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
let let
cfg = config.services.coturn; cfg = config.services.coturn;
pidfile = "/run/turnserver/turnserver.pid"; pidfile = "/run/turnserver/turnserver.pid";
configFile = pkgs.writeText "turnserver.conf" '' configFile = pkgs.writeText "turnserver.conf" ''
listening-port=${toString cfg.listening-port} listening-port=${toString cfg.listening-port}
tls-listening-port=${toString cfg.tls-listening-port} tls-listening-port=${toString cfg.tls-listening-port}
alt-listening-port=${toString cfg.alt-listening-port} alt-listening-port=${toString cfg.alt-listening-port}
alt-tls-listening-port=${toString cfg.alt-tls-listening-port} alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
${lib.concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)} ${lib.concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
${lib.concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)} ${lib.concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
min-port=${toString cfg.min-port} min-port=${toString cfg.min-port}
max-port=${toString cfg.max-port} max-port=${toString cfg.max-port}
${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"} ${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
${lib.optionalString cfg.no-auth "no-auth"} ${lib.optionalString cfg.no-auth "no-auth"}
${lib.optionalString cfg.use-auth-secret "use-auth-secret"} ${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")} ${lib.optionalString (cfg.static-auth-secret != null) "static-auth-secret=${cfg.static-auth-secret}"}
${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")} ${lib.optionalString (cfg.static-auth-secret-file != null) "static-auth-secret=#static-auth-secret#"}
realm=${cfg.realm} realm=${cfg.realm}
${lib.optionalString cfg.no-udp "no-udp"} ${lib.optionalString cfg.no-udp "no-udp"}
${lib.optionalString cfg.no-tcp "no-tcp"} ${lib.optionalString cfg.no-tcp "no-tcp"}
${lib.optionalString cfg.no-tls "no-tls"} ${lib.optionalString cfg.no-tls "no-tls"}
${lib.optionalString cfg.no-dtls "no-dtls"} ${lib.optionalString cfg.no-dtls "no-dtls"}
${lib.optionalString cfg.no-udp-relay "no-udp-relay"} ${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"} ${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"} ${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"} ${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")} ${lib.optionalString (cfg.dh-file != null) "dh-file=${cfg.dh-file}"}
no-stdout-log no-stdout-log
syslog syslog
pidfile=${pidfile} pidfile=${pidfile}
${lib.optionalString cfg.secure-stun "secure-stun"} ${lib.optionalString cfg.secure-stun "secure-stun"}
${lib.optionalString cfg.no-cli "no-cli"} ${lib.optionalString cfg.no-cli "no-cli"}
cli-ip=${cfg.cli-ip} cli-ip=${cfg.cli-ip}
cli-port=${toString cfg.cli-port} cli-port=${toString cfg.cli-port}
${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")} ${lib.optionalString (cfg.cli-password != null) "cli-password=${cfg.cli-password}"}
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
in { in {
options = { options = {
services.coturn = { services.coturn = {
@ -301,7 +301,7 @@ in {
}; };
}; };
config = lib.mkIf cfg.enable (lib.mkMerge ([ config = lib.mkIf cfg.enable (lib.mkMerge [
{ assertions = [ { assertions = [
{ assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ; { assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ;
message = "static-auth-secret and static-auth-secret-file cannot be set at the same time"; message = "static-auth-secret and static-auth-secret-file cannot be set at the same time";
@ -341,25 +341,66 @@ in {
'' } '' }
chmod 640 ${runConfig} chmod 640 ${runConfig}
''; '';
serviceConfig = { serviceConfig = rec {
Type = "simple"; Type = "simple";
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; ExecStart = utils.escapeSystemdExecArgs [
RuntimeDirectory = "turnserver"; (lib.getExe' pkgs.coturn "turnserver")
"-c"
runConfig
];
User = "turnserver"; User = "turnserver";
Group = "turnserver"; Group = "turnserver";
AmbientCapabilities = RuntimeDirectory = [
lib.mkIf ( "coturn"
cfg.listening-port < 1024 || "turnserver"
cfg.alt-listening-port < 1024 || ];
cfg.tls-listening-port < 1024 || RuntimeDirectoryMode = "0700";
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
) "cap_net_bind_service";
Restart = "on-abort"; Restart = "on-abort";
# Hardening
AmbientCapabilities = if
cfg.listening-port < 1024 ||
cfg.alt-listening-port < 1024 ||
cfg.tls-listening-port < 1024 ||
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
CapabilityBoundingSet = AmbientCapabilities;
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
] ++ lib.optionals (cfg.listening-ips == [ ]) [
# only used for interface discovery when no listening ips are configured
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
UMask = "0077";
}; };
}; };
systemd.tmpfiles.rules = [ }]);
"d /run/coturn 0700 turnserver turnserver - -"
];
}]));
} }
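Review bot: `PrivateUsers = true` makes the `CAP_NET_BIND_SERVICE` ambient capability ineffective: per systemd.exec(5), a unit in a private user namespace has no capabilities in the host user namespace, so binding a privileged port (e.g. TLS TURN on 443, a common deployment) will fail with EACCES even though the `if … < 1024` branch grants the capability. The defaults visible here (3478/5349, min-port 49152) are unaffected, which is why this likely passed testing. Since `serviceConfig` is already `rec`, tie the two together: `PrivateUsers = AmbientCapabilities == [ "" ];` with a comment that user namespaces are only used when no host capability is needed. Separately, `static-auth-secret` and `cli-password` are still interpolated into the store-resident `configFile`; the former has a `-file` alternative, the latter does not and deserves the same warning in its description.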


@ -249,7 +249,7 @@ in
ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind"; ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
Restart = "always"; Restart = "always";
AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
ReadWritePaths = [ "/proc/sys/net/ipv6" ] ReadWritePaths = [ "/proc/sys/net/ipv4" "/proc/sys/net/ipv6" ]
++ lib.optionals useResolvConf ([ "/run/resolvconf" ] ++ config.networking.resolvconf.subscriberFiles); ++ lib.optionals useResolvConf ([ "/run/resolvconf" ] ++ config.networking.resolvconf.subscriberFiles);
DeviceAllow = ""; DeviceAllow = "";
LockPersonality = true; LockPersonality = true;
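Review bot: Adding `"/proc/sys/net/ipv4"` to `ReadWritePaths` grants the unit (which already holds `CAP_NET_ADMIN`) write access to the whole IPv4 sysctl tree, and the hunk does not say which knob dhcpcd actually needs. A why-comment such as `# dhcpcd writes <sysctl> under net.ipv4 when … — keep this as narrow as the hook requires` naming the specific path would let a later reviewer narrow it to the exact file(s) rather than the tree. The surrounding `serviceConfig` starts outside the hunk.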


@ -160,6 +160,8 @@ in {
} }
}); });
''; '';
# dbus/polkit with DynamicUser is broken with the default implementation
services.dbus.implementation = "broker";
# We don't use the existing gobgp NixOS module and package, because the gobgp # We don't use the existing gobgp NixOS module and package, because the gobgp
# version might not be compatible with fastnetmon. Also, the service name # version might not be compatible with fastnetmon. Also, the service name
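Review bot: A service module setting `services.dbus.implementation = "broker";` outright changes a system-wide component, and because it is set without a priority it will produce a conflicting-definition error for any user or module that pins `"dbus"`. Use `lib.mkDefault "broker"` so the choice can be overridden, and pair it with an assertion or warning if fastnetmon genuinely cannot work with the classic daemon. The comment could also say what is actually broken (`dbus/polkit with DynamicUser is broken with the default implementation` is fine as far as it goes, but a link or issue reference would help future removal).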


@ -6,7 +6,7 @@ let
cfg = config.services.murmur; cfg = config.services.murmur;
forking = cfg.logFile != null; forking = cfg.logFile != null;
configFile = pkgs.writeText "murmurd.ini" '' configFile = pkgs.writeText "murmurd.ini" ''
database=/var/lib/murmur/murmur.sqlite database=${cfg.stateDir}/murmur.sqlite
dbDriver=QSQLITE dbDriver=QSQLITE
autobanAttempts=${toString cfg.autobanAttempts} autobanAttempts=${toString cfg.autobanAttempts}
@ -69,6 +69,32 @@ in
''; '';
}; };
user = mkOption {
type = types.str;
default = "murmur";
description = ''
The name of an existing user to use to run the service.
If not specified, the default user will be created.
'';
};
group = mkOption {
type = types.str;
default = "murmur";
description = ''
The name of an existing group to use to run the service.
If not specified, the default group will be created.
'';
};
stateDir = mkOption {
type = types.path;
default = "/var/lib/murmur";
description = ''
Directory to store data for the server.
'';
};
autobanAttempts = mkOption { autobanAttempts = mkOption {
type = types.int; type = types.int;
default = 10; default = 10;
@ -257,7 +283,7 @@ in
environmentFile = mkOption { environmentFile = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
example = "/var/lib/murmur/murmurd.env"; example = literalExpression ''"''${config.services.murmur.stateDir}/murmurd.env"'';
description = '' description = ''
Environment file as defined in {manpage}`systemd.exec(5)`. Environment file as defined in {manpage}`systemd.exec(5)`.
@ -289,14 +315,14 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.murmur = { users.users.murmur = mkIf (cfg.user == "murmur") {
description = "Murmur Service user"; description = "Murmur Service user";
home = "/var/lib/murmur"; home = cfg.stateDir;
createHome = true; createHome = true;
uid = config.ids.uids.murmur; uid = config.ids.uids.murmur;
group = "murmur"; group = cfg.group;
}; };
users.groups.murmur = { users.groups.murmur = mkIf (cfg.group == "murmur") {
gid = config.ids.gids.murmur; gid = config.ids.gids.murmur;
}; };
@ -324,8 +350,8 @@ in
Restart = "always"; Restart = "always";
RuntimeDirectory = "murmur"; RuntimeDirectory = "murmur";
RuntimeDirectoryMode = "0700"; RuntimeDirectoryMode = "0700";
User = "murmur"; User = cfg.user;
Group = "murmur"; Group = cfg.group;
# service hardening # service hardening
AmbientCapabilities = "CAP_NET_BIND_SERVICE"; AmbientCapabilities = "CAP_NET_BIND_SERVICE";
@ -362,7 +388,7 @@ in
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig> <busconfig>
<policy user="murmur"> <policy user="${cfg.user}">
<allow own="net.sourceforge.mumble.murmur"/> <allow own="net.sourceforge.mumble.murmur"/>
</policy> </policy>
@ -387,9 +413,9 @@ in
r ${config.environment.etc."os-release".source}, r ${config.environment.etc."os-release".source},
r ${config.environment.etc."lsb-release".source}, r ${config.environment.etc."lsb-release".source},
owner rwk /var/lib/murmur/murmur.sqlite, owner rwk ${cfg.stateDir}/murmur.sqlite,
owner rw /var/lib/murmur/murmur.sqlite-journal, owner rw ${cfg.stateDir}/murmur.sqlite-journal,
owner r /var/lib/murmur/, owner r ${cfg.stateDir}/,
r /run/murmur/murmurd.pid, r /run/murmur/murmurd.pid,
r /run/murmur/murmurd.ini, r /run/murmur/murmurd.ini,
r ${configFile}, r ${configFile},
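Review bot: When `cfg.user` is not `"murmur"`, nothing creates or owns `cfg.stateDir` any more: the default user's `createHome = true` is now behind `mkIf (cfg.user == "murmur")`, and the unit only declares a `RuntimeDirectory`, so a custom user with the default `/var/lib/murmur` (or any non-existent `stateDir`) fails to open `murmur.sqlite` at first start. Add a tmpfiles rule that does not depend on the user being the built-in one, e.g. `systemd.tmpfiles.rules = [ "d ${cfg.stateDir} 0750 ${cfg.user} ${cfg.group} - -" ];`, and say in the `user`/`group` descriptions that a pre-existing user must already own the state directory. The AppArmor profile now correctly follows `cfg.stateDir`, but the `/run/murmur/…` entries remain hard-coded and should match `RuntimeDirectory` above (outside this hunk).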


@ -101,15 +101,12 @@ with lib;
secrets="/etc/ppp-pptpd/chap-secrets" secrets="/etc/ppp-pptpd/chap-secrets"
[ -f "$secrets" ] || cat > "$secrets" << EOF [ -f "$secrets" ] || install -m 600 -o root -g root /dev/stdin "$secrets" << EOF
# From: pptpd-1.4.0/samples/chap-secrets # From: pptpd-1.4.0/samples/chap-secrets
# Secrets for authentication using CHAP # Secrets for authentication using CHAP
# client server secret IP addresses # client server secret IP addresses
#username pptpd password * #username pptpd password *
EOF EOF
chown root:root "$secrets"
chmod 600 "$secrets"
''; '';
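Review bot: Dropping the unconditional `chown root:root "$secrets"` / `chmod 600 "$secrets"` means a pre-existing `chap-secrets` — the file administrators actually edit to add real credentials — is no longer tightened on each start, so one created under a permissive umask stays readable by other users indefinitely. Creating the sample atomically with `install -m 600 -o root -g root` is the right move for the first-run case, but keep an unconditional `chmod 600 "$secrets"` (and the chown) after the `[ -f … ] ||` line so the mode is enforced regardless of who wrote the file. The `[ -f` guard also skips a symlink or directory at that path; a `-e` check with an explicit error would be safer than silently proceeding.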
serviceConfig = { serviceConfig = {


@ -52,7 +52,7 @@ in {
default = { }; default = { };
description = '' description = ''
Configuration for Radicale. See Configuration for Radicale. See
<https://radicale.org/3.0.html#documentation/configuration>. <https://radicale.org/v3.html#configuration>.
This option is mutually exclusive with {option}`config`. This option is mutually exclusive with {option}`config`.
''; '';
example = literalExpression '' example = literalExpression ''
@ -74,7 +74,7 @@ in {
type = format.type; type = format.type;
description = '' description = ''
Configuration for Radicale's rights file. See Configuration for Radicale's rights file. See
<https://radicale.org/3.0.html#documentation/authentication-and-rights>. <https://radicale.org/v3.html#authentication-and-rights>.
This option only works in conjunction with {option}`settings`. This option only works in conjunction with {option}`settings`.
Setting this will also set {option}`settings.rights.type` and Setting this will also set {option}`settings.rights.type` and
{option}`settings.rights.file` to appropriate values. {option}`settings.rights.file` to appropriate values.


@ -12,7 +12,7 @@ let
tlsCfg = optionalString (cfg.tlsCertificate != null) tlsCfg = optionalString (cfg.tlsCertificate != null)
"tls ${cfg.tlsCertificate} ${cfg.tlsCertificateKey}"; "tls ${cfg.tlsCertificate} ${cfg.tlsCertificateKey}";
logCfg = optionalString cfg.enableMessageLogging logCfg = optionalString cfg.enableMessageLogging
"log fs ${stateDir}/logs"; "message-store fs ${stateDir}/logs";
configFile = pkgs.writeText "soju.conf" '' configFile = pkgs.writeText "soju.conf" ''
${listenCfg} ${listenCfg}


@ -29,6 +29,12 @@ in {
description = "Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node."; description = "Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.";
}; };
disableTaildrop = mkOption {
default = false;
type = types.bool;
description = "Whether to disable the Taildrop feature for sending files between nodes.";
};
package = lib.mkPackageOption pkgs "tailscale" {}; package = lib.mkPackageOption pkgs "tailscale" {};
openFirewall = mkOption { openFirewall = mkOption {
@ -129,6 +135,8 @@ in {
''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} ${lib.concatStringsSep " " cfg.extraDaemonFlags}"'' ''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} ${lib.concatStringsSep " " cfg.extraDaemonFlags}"''
] ++ (lib.optionals (cfg.permitCertUid != null) [ ] ++ (lib.optionals (cfg.permitCertUid != null) [
"TS_PERMIT_CERT_UID=${cfg.permitCertUid}" "TS_PERMIT_CERT_UID=${cfg.permitCertUid}"
]) ++ (lib.optionals (cfg.disableTaildrop) [
"TS_DISABLE_TAILDROP=true"
]); ]);
# Restart tailscaled with a single `systemctl restart` at the # Restart tailscaled with a single `systemctl restart` at the
# end of activation, rather than a `stop` followed by a later # end of activation, rather than a `stop` followed by a later


@ -104,31 +104,18 @@ with lib;
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
mkdir -p -m 700 /etc/xl2tpd install -m 700 -d /etc/xl2tpd/ppp
pushd /etc/xl2tpd > /dev/null [ -f /etc/xl2tpd/ppp/chap-secrets ] || install -m 600 -o root -g root /dev/stdin /etc/xl2tpd/ppp/chap-secrets <<EOF
mkdir -p -m 700 ppp
[ -f ppp/chap-secrets ] || cat > ppp/chap-secrets << EOF
# Secrets for authentication using CHAP # Secrets for authentication using CHAP
# client server secret IP addresses # client server secret IP addresses
#username xl2tpd password * #username xl2tpd password *
EOF EOF
chown root:root ppp/chap-secrets
chmod 600 ppp/chap-secrets
# The documentation says this file should be present but doesn't explain why and things work even if not there: # The documentation says this file should be present but doesn't explain why and things work even if not there:
[ -f l2tp-secrets ] || (echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) > l2tp-secrets [ -f /etc/xl2tpd/l2tp-secrets ] || install -m 600 -o root -g root <(echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) /etc/xl2tpd/l2tp-secrets
chown root:root l2tp-secrets
chmod 600 l2tp-secrets
popd > /dev/null install -m 701 -o root -g root -d /run/xl2tpd
mkdir -p /run/xl2tpd
chown root:root /run/xl2tpd
chmod 700 /run/xl2tpd
''; '';
serviceConfig = { serviceConfig = {
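Review bot: `install -m 701 -o root -g root -d /run/xl2tpd` grants search permission to every user on a directory the removed `chmod 700 /run/xl2tpd` kept private, and `install -m 700 -d /etc/xl2tpd/ppp` applies 0700 only to the final `ppp` component — the parent `/etc/xl2tpd`, which the removed `mkdir -p -m 700 /etc/xl2tpd` created explicitly, now gets whatever mode `install -d` gives intermediate directories (presumably the umask default). If the 0701 is deliberate, a comment such as `# 0701: other users need search permission to reach the control socket` would stop the next reader from "fixing" it; otherwise use `-m 700`. Note also that the secret files' 0600 mode is now only enforced on creation, not on every start as before. The enclosing `preStart` script continues outside the hunk.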


@ -62,7 +62,7 @@ let
} // lib.optionalAttrs (cfg.passBasicAuth) { } // lib.optionalAttrs (cfg.passBasicAuth) {
basic-auth-password = cfg.basicAuthPassword; basic-auth-password = cfg.basicAuthPassword;
} // lib.optionalAttrs (cfg.htpasswd.file != null) { } // lib.optionalAttrs (cfg.htpasswd.file != null) {
display-htpasswd-file = cfg.htpasswd.displayForm; display-htpasswd-form = cfg.htpasswd.displayForm;
} // lib.optionalAttrs tls.enable { } // lib.optionalAttrs tls.enable {
tls-cert-file = tls.certificate; tls-cert-file = tls.certificate;
tls-key-file = tls.key; tls-key-file = tls.key;


@ -523,6 +523,7 @@ in
intel-gpu-tools intel-gpu-tools
]; ];
serviceConfig = { serviceConfig = {
ExecStartPre = "-rm /var/cache/frigate/*.mp4";
ExecStart = "${cfg.package.python.interpreter} -m frigate"; ExecStart = "${cfg.package.python.interpreter} -m frigate";
Restart = "on-failure"; Restart = "on-failure";
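Review bot: `ExecStartPre = "-rm /var/cache/frigate/*.mp4"` will not delete anything, because systemd does not perform shell glob expansion in Exec lines: rm receives the literal argument `/var/cache/frigate/*.mp4`, fails with "No such file or directory", and the leading `-` hides the failure. Run it through a shell, e.g. `ExecStartPre = "-${pkgs.runtimeShell} -c 'rm -f /var/cache/frigate/*.mp4'";`, or use `ExecStartPre = "-${pkgs.findutils}/bin/find /var/cache/frigate -maxdepth 1 -name '*.mp4' -delete";`. The `serviceConfig` attribute set continues outside the hunk.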


@ -20,6 +20,11 @@ in
systemd = { systemd = {
packages = [ cfg.package ]; packages = [ cfg.package ];
user.services.hypridle.wantedBy = [ "graphical-session.target" ]; user.services.hypridle.wantedBy = [ "graphical-session.target" ];
user.services.hypridle.path = [
config.programs.hyprland.package
config.programs.hyprlock.package
pkgs.procps
];
}; };
}; };


@ -6,6 +6,7 @@
}: }:
let let
cfg = config.services.immich; cfg = config.services.immich;
format = pkgs.formats.json { };
isPostgresUnixSocket = lib.hasPrefix "/" cfg.database.host; isPostgresUnixSocket = lib.hasPrefix "/" cfg.database.host;
isRedisUnixSocket = lib.hasPrefix "/" cfg.redis.host; isRedisUnixSocket = lib.hasPrefix "/" cfg.redis.host;
@ -110,6 +111,37 @@ in
description = "The group immich should run as."; description = "The group immich should run as.";
}; };
settings = mkOption {
default = null;
description = ''
Configuration for Immich.
See <https://immich.app/docs/install/config-file/> or navigate to
<https://your-immich-domain/admin/system-settings> for
options and defaults.
Setting it to `null` allows configuring Immich in the web interface.
'';
type = types.nullOr (
types.submodule {
freeformType = format.type;
options = {
newVersionCheck.enabled = mkOption {
type = types.bool;
default = false;
description = ''
Check for new versions.
This feature relies on periodic communication with github.com.
'';
};
server.externalDomain = mkOption {
type = types.str;
default = "";
description = "Domain for publicly shared links, including `http(s)://`.";
};
};
}
);
};
machine-learning = { machine-learning = {
enable = enable =
mkEnableOption "immich's machine-learning functionality to detect faces and search for objects" mkEnableOption "immich's machine-learning functionality to detect faces and search for objects"
@ -258,10 +290,13 @@ in
postgresEnv postgresEnv
// redisEnv // redisEnv
// { // {
HOST = cfg.host; IMMICH_HOST = cfg.host;
IMMICH_PORT = toString cfg.port; IMMICH_PORT = toString cfg.port;
IMMICH_MEDIA_LOCATION = cfg.mediaLocation; IMMICH_MEDIA_LOCATION = cfg.mediaLocation;
IMMICH_MACHINE_LEARNING_URL = "http://localhost:3003"; IMMICH_MACHINE_LEARNING_URL = "http://localhost:3003";
}
// lib.optionalAttrs (cfg.settings != null) {
IMMICH_CONFIG_FILE = "${format.generate "immich.json" cfg.settings}";
}; };
services.immich.machine-learning.environment = { services.immich.machine-learning.environment = {
@ -272,6 +307,11 @@ in
IMMICH_PORT = "3003"; IMMICH_PORT = "3003";
}; };
systemd.slices.system-immich = {
description = "Immich (self-hosted photo and video backup solution) slice";
documentation = [ "https://immich.app/docs" ];
};
systemd.services.immich-server = { systemd.services.immich-server = {
description = "Immich backend server (Self-hosted photo and video backup solution)"; description = "Immich backend server (Self-hosted photo and video backup solution)";
after = [ "network.target" ]; after = [ "network.target" ];
@ -281,6 +321,7 @@ in
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
ExecStart = lib.getExe cfg.package; ExecStart = lib.getExe cfg.package;
EnvironmentFile = mkIf (cfg.secretsFile != null) cfg.secretsFile; EnvironmentFile = mkIf (cfg.secretsFile != null) cfg.secretsFile;
Slice = "system-immich.slice";
StateDirectory = "immich"; StateDirectory = "immich";
SyslogIdentifier = "immich"; SyslogIdentifier = "immich";
RuntimeDirectory = "immich"; RuntimeDirectory = "immich";
@ -300,6 +341,7 @@ in
inherit (cfg.machine-learning) environment; inherit (cfg.machine-learning) environment;
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
ExecStart = lib.getExe (cfg.package.machine-learning.override { immich = cfg.package; }); ExecStart = lib.getExe (cfg.package.machine-learning.override { immich = cfg.package; });
Slice = "system-immich.slice";
CacheDirectory = "immich"; CacheDirectory = "immich";
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
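Review bot: `IMMICH_CONFIG_FILE = "${format.generate "immich.json" cfg.settings}"` serialises the entire `settings` set into the Nix store, which is world-readable on the host, and the `settings` option description does not say so. Immich's upstream config-file format (linked from the description) includes secret-bearing keys such as the OAuth client secret and SMTP credentials, so a user following that documentation can easily leak them into `/nix/store`. Suggest appending to the option description: `Note: the generated file is placed in the world-readable Nix store. Do not put secrets (OAuth client secret, SMTP password, etc.) here; keep them in {option}`secretsFile` or configure them in the web UI.` The `systemd.services.immich-server` definition spans several hunks and continues outside this one.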


@ -75,21 +75,17 @@ in {
package = lib.mkOption { package = lib.mkOption {
type = lib.types.package; type = lib.types.package;
default = default =
if lib.versionAtLeast config.system.stateVersion "24.05" if lib.versionAtLeast config.system.stateVersion "24.11"
then pkgs.netbox_4_1
else if lib.versionAtLeast config.system.stateVersion "24.05"
then pkgs.netbox_3_7 then pkgs.netbox_3_7
else if lib.versionAtLeast config.system.stateVersion "23.11" else pkgs.netbox_3_6;
then pkgs.netbox_3_6
else if lib.versionAtLeast config.system.stateVersion "23.05"
then pkgs.netbox_3_5
else pkgs.netbox_3_3;
defaultText = lib.literalExpression '' defaultText = lib.literalExpression ''
if lib.versionAtLeast config.system.stateVersion "24.05" if lib.versionAtLeast config.system.stateVersion "24.11"
then pkgs.netbox_4_1
else if lib.versionAtLeast config.system.stateVersion "24.05"
then pkgs.netbox_3_7 then pkgs.netbox_3_7
else if lib.versionAtLeast config.system.stateVersion "23.11" else pkgs.netbox_3_6;
then pkgs.netbox_3_6
else if lib.versionAtLeast config.system.stateVersion "23.05"
then pkgs.netbox_3_5
else pkgs.netbox_3_3;
''; '';
description = '' description = ''
NetBox package to use. NetBox package to use.
@ -328,6 +324,7 @@ in {
--pythonpath ${pkg}/opt/netbox/netbox --pythonpath ${pkg}/opt/netbox/netbox
''; '';
PrivateTmp = true; PrivateTmp = true;
TimeoutStartSec = lib.mkDefault "5min";
}; };
}; };


@ -432,7 +432,6 @@ in {
path = with pkgs; [ nodejs_18 yarn ffmpeg-headless openssl ]; path = with pkgs; [ nodejs_18 yarn ffmpeg-headless openssl ];
script = '' script = ''
#!/bin/sh
umask 077 umask 077
cat > /var/lib/peertube/config/local.yaml <<EOF cat > /var/lib/peertube/config/local.yaml <<EOF
${lib.optionalString (cfg.secrets.secretsFile != null) '' ${lib.optionalString (cfg.secrets.secretsFile != null) ''
@ -457,7 +456,7 @@ in {
ln -sf ${cfg.package}/config/default.yaml /var/lib/peertube/config/default.yaml ln -sf ${cfg.package}/config/default.yaml /var/lib/peertube/config/default.yaml
ln -sf ${cfg.package}/client/dist -T /var/lib/peertube/www/client ln -sf ${cfg.package}/client/dist -T /var/lib/peertube/www/client
ln -sf ${cfg.settings.storage.client_overrides} -T /var/lib/peertube/www/client-overrides ln -sf ${cfg.settings.storage.client_overrides} -T /var/lib/peertube/www/client-overrides
node dist/server exec node dist/server
''; '';
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";


@ -35,13 +35,21 @@ in
}; };
dataDir = mkOption { dataDir = mkOption {
type = types.str; type = types.path;
default = "/var/lib/sftpgo"; default = "/var/lib/sftpgo";
description = '' description = ''
The directory where SFTPGo stores its data files. The directory where SFTPGo stores its data files.
''; '';
}; };
extraReadWriteDirs = mkOption {
type = types.listOf types.path;
default = [];
description = ''
Extra directories where SFTPGo is allowed to write to.
'';
};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
default = defaultUser; default = defaultUser;
@ -63,7 +71,7 @@ in
type = with types; nullOr path; type = with types; nullOr path;
description = '' description = ''
Path to a json file containing users and folders to load (or update) on startup. Path to a json file containing users and folders to load (or update) on startup.
Check the [documentation](https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md) Check the [documentation](https://sftpgo.github.io/latest/config-file/)
for the `--loaddata-from` command line argument for more info. for the `--loaddata-from` command line argument for more info.
''; '';
}; };
@ -72,7 +80,7 @@ in
default = {}; default = {};
description = '' description = ''
The primary sftpgo configuration. See the The primary sftpgo configuration. See the
[configuration reference](https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md) [configuration reference](https://sftpgo.github.io/latest/config-file/)
for possible values. for possible values.
''; '';
type = with types; submodule { type = with types; submodule {
@ -324,7 +332,7 @@ in
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
WorkingDirectory = cfg.dataDir; WorkingDirectory = cfg.dataDir;
ReadWritePaths = [ cfg.dataDir ]; ReadWritePaths = [ cfg.dataDir ] ++ cfg.extraReadWriteDirs;
LimitNOFILE = 8192; # taken from upstream LimitNOFILE = 8192; # taken from upstream
KillMode = "mixed"; KillMode = "mixed";
ExecStart = "${cfg.package}/bin/sftpgo serve ${utils.escapeSystemdExecArgs cfg.extraArgs}"; ExecStart = "${cfg.package}/bin/sftpgo serve ${utils.escapeSystemdExecArgs cfg.extraArgs}";
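Review bot: The `extraReadWriteDirs` description ("Extra directories where SFTPGo is allowed to write to") overstates what the option does; the only effect visible in this diff is appending the list to the unit's `ReadWritePaths`, so the directories must still exist and be writable by `cfg.user`/`cfg.group` through ordinary filesystem permissions. Suggest: `Extra directories added to the unit's systemd ReadWritePaths= so the sandbox permits writes there. The directories must already exist and be writable by the SFTPGo user; this option does not create them or change their ownership.` The `serviceConfig` block this hunk touches starts and ends outside the hunk.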


@ -1374,7 +1374,7 @@ in
]; ];
services.logrotate.settings.nginx = mapAttrs (_: mkDefault) { services.logrotate.settings.nginx = mapAttrs (_: mkDefault) {
files = "/var/log/nginx/*.log"; files = [ "/var/log/nginx/*.log" ];
frequency = "weekly"; frequency = "weekly";
su = "${cfg.user} ${cfg.group}"; su = "${cfg.user} ${cfg.group}";
rotate = 26; rotate = 26;


@ -0,0 +1,228 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkOption types;
cfg = config.services.send;
in
{
options = {
services.send = {
enable = lib.mkEnableOption "Send, a file sharing web sevice for ffsend.";
package = lib.mkPackageOption pkgs "send" { };
environment = mkOption {
type =
with types;
attrsOf (
nullOr (oneOf [
bool
int
str
(listOf int)
])
);
description = ''
All the available config options and their defaults can be found here: https://github.com/timvisee/send/blob/master/server/config.js,
some descriptions can found here: https://github.com/timvisee/send/blob/master/docs/docker.md#environment-variables
Values under {option}`services.send.environment` will override the predefined values in the Send service.
- Time/duration should be in seconds
- Filesize values should be in bytes
'';
example = {
DEFAULT_DOWNLOADS = 1;
DETECT_BASE_URL = true;
EXPIRE_TIMES_SECONDS = [
300
3600
86400
604800
];
};
};
dataDir = lib.mkOption {
type = types.path;
readOnly = true;
default = "/var/lib/send";
description = ''
Directory for uploaded files.
Due to limitations in {option}`systemd.services.send.serviceConfig.DynamicUser`, this item is read only.
'';
};
baseUrl = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Base URL for the Send service.
Leave it blank to automatically detect the base url.
'';
};
host = lib.mkOption {
type = types.str;
default = "127.0.0.1";
description = "The hostname or IP address for Send to bind to.";
};
port = lib.mkOption {
type = types.port;
default = 1443;
description = "Port the Send service listens on.";
};
openFirewall = lib.mkOption {
type = types.bool;
default = false;
description = "Whether to open firewall ports for send";
};
redis = {
createLocally = lib.mkOption {
type = types.bool;
default = true;
description = "Whether to create a local redis automatically.";
};
name = lib.mkOption {
type = types.str;
default = "send";
description = ''
Name of the redis server.
Only used if {option}`services.send.redis.createLocally` is set to true.
'';
};
host = lib.mkOption {
type = types.str;
default = "localhost";
description = "Redis server address.";
};
port = lib.mkOption {
type = types.port;
default = 6379;
description = "Port of the redis server.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/agenix/send-redis-password";
description = ''
The path to the file containing the Redis password.
If {option}`services.send.redis.createLocally` is set to true,
the content of this file will be used as the password for the locally created Redis instance.
Leave it blank if no password is required.
'';
};
};
};
};
config = lib.mkIf cfg.enable {
services.send.environment.DETECT_BASE_URL = cfg.baseUrl == null;
assertions = [
{
assertion = cfg.redis.createLocally -> cfg.redis.host == "localhost";
message = "the redis host must be localhost if services.send.redis.createLocally is set to true";
}
];
networking.firewall.allowedTCPPorts = lib.optional cfg.openFirewall cfg.port;
services.redis = lib.optionalAttrs cfg.redis.createLocally {
servers."${cfg.redis.name}" = {
enable = true;
bind = "localhost";
port = cfg.redis.port;
};
};
systemd.services.send = {
serviceConfig = {
Type = "simple";
Restart = "always";
StateDirectory = "send";
WorkingDirectory = cfg.dataDir;
ReadWritePaths = cfg.dataDir;
LoadCredential = lib.optionalString (
cfg.redis.passwordFile != null
) "redis-password:${cfg.redis.passwordFile}";
# Hardening
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
AmbientCapabilities = lib.optionalString (cfg.port < 1024) "cap_net_bind_service";
DynamicUser = true;
CapabilityBoundingSet = "";
NoNewPrivileges = true;
RemoveIPC = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
};
environment =
{
IP_ADDRESS = cfg.host;
PORT = toString cfg.port;
BASE_URL = if (cfg.baseUrl == null) then "http://${cfg.host}:${toString cfg.port}" else cfg.baseUrl;
FILE_DIR = cfg.dataDir + "/uploads";
REDIS_HOST = cfg.redis.host;
REDIS_PORT = toString cfg.redis.port;
}
// (lib.mapAttrs (
name: value:
if lib.isList value then
"[" + lib.concatStringsSep ", " (map (x: toString x) value) + "]"
else if lib.isBool value then
lib.boolToString value
else
toString value
) cfg.environment);
after =
[
"network.target"
]
++ lib.optionals cfg.redis.createLocally [
"redis-${cfg.redis.name}.service"
];
description = "Send web service";
wantedBy = [ "multi-user.target" ];
script = ''
${lib.optionalString (cfg.redis.passwordFile != null) ''
export REDIS_PASSWORD="$(cat $CREDENTIALS_DIRECTORY/redis-password)"
''}
${lib.getExe cfg.package}
'';
};
};
meta.maintainers = with lib.maintainers; [ moraxyc ];
}
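Review bot: `redis.passwordFile` promises that with `createLocally` "the content of this file will be used as the password for the locally created Redis instance", but the `services.redis.servers."${cfg.redis.name}"` block sets only `enable`, `bind` and `port` — no `requirePassFile` — so the local Redis starts without authentication while Send is handed a password it never needs. Add `requirePassFile = cfg.redis.passwordFile;` to that block (null is the redis module's default, so no extra guard is needed), or drop the claim from the description. In the `script`, the unquoted expansion in `export REDIS_PASSWORD="$(cat $CREDENTIALS_DIRECTORY/redis-password)"` should be `"$(cat "$CREDENTIALS_DIRECTORY/redis-password")"`. The `enable` option description also has a typo: `sevice` → `service`.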


@ -0,0 +1,163 @@
#!@bash@
# This is the NixOS apply script, typically located at
#
# ${config.system.build.toplevel}/bin/apply
#
# This script is responsible for managing the profile link and calling the
# appropriate scripts for its subcommands, such as switch, boot, and test.
set -euo pipefail
toplevel=@toplevel@
subcommand=
installBootloader=
specialisation=
profile=/nix/var/nix/profiles/system
log() {
echo "$@" >&2
}
die() {
log "NixOS apply error: $*"
exit 1
}
usage() {
log "NixOS apply invocation error: $*"
cat >&2 <<EOF
Usage: apply [switch|boot|test|dry-activate] [OPTIONS]
Subcommands:
switch make the configuration the boot default and activate it
boot make the configuration the boot default
test activate the configuration, but don\'t make it the boot default
dry-activate show what would be done if this configuration were activated
Options:
--install-bootloader install the bootloader
--profile PROFILE use PROFILE as the target profile (if applicable)
--specialisation NAME use the specialisation NAME
EOF
}
parse_args() {
while [[ $# -gt 0 ]]; do
case "$1" in
switch|boot|test|dry-activate)
subcommand="$1"
;;
--install-bootloader)
installBootloader=1
;;
--profile)
if [[ $# -lt 2 ]]; then
die "missing argument for --profile"
fi
profile="$2"
shift
;;
# --rollback is not an `apply` responsibility, and it should be
# implemented by the caller of `apply` instead.
--specialisation)
if [[ $# -lt 2 ]]; then
die "missing argument for --specialisation"
fi
specialisation="$2"
shift
;;
*)
if [[ -n "$subcommand" ]]; then
die "unexpected argument or flag: $1"
else
die "unexpected subcommand or flag: $1"
fi
;;
esac
shift
done
if [ -z "$subcommand" ]; then
die "no subcommand specified"
fi
}
main() {
local cmd activity
case "$subcommand" in
boot|switch)
nix-env -p "$profile" --set "$toplevel"
;;
esac
# Using systemd-run here to protect against PTY failures/network
# disconnections during rebuild.
# See: https://github.com/NixOS/nixpkgs/issues/39118
cmd=(
"systemd-run"
"-E" "LOCALE_ARCHIVE" # Will be set to new value early in switch-to-configuration script, but interpreter starts out with old value
"-E" "NIXOS_INSTALL_BOOTLOADER=$installBootloader"
"--collect"
"--no-ask-password"
"--pipe"
"--quiet"
"--same-dir"
"--service-type=exec"
"--unit=nixos-rebuild-switch-to-configuration"
"--wait"
)
# Check if we have a working systemd-run. In chroot environments we may have
# a non-working systemd, so we fallback to not using systemd-run.
if ! "${cmd[@]}" true; then
log "Skipping systemd-run to switch configuration since it is not working in target host."
cmd=(
"env"
"-i"
"LOCALE_ARCHIVE=${LOCALE_ARCHIVE:-}"
"NIXOS_INSTALL_BOOTLOADER=$installBootloader"
)
fi
if [[ -z "$specialisation" ]]; then
cmd+=("$toplevel/bin/switch-to-configuration")
else
cmd+=("$toplevel/specialisation/$specialisation/bin/switch-to-configuration")
if ! [[ -f "${cmd[-1]}" ]]; then
log "error: specialisation not found: $specialisation"
exit 1
fi
fi
if ! "${cmd[@]}" "$subcommand"; then
case "$subcommand" in
switch)
activity="switching to the new configuration"
;;
boot)
activity="switching the boot entry to the new configuration"
;;
test)
activity="switching to the new configuration (in test mode)"
;;
dry-activate)
activity="switching to the new configuration (in dry-activate mode)"
;;
*) # Should never happen
activity="running $subcommand"
;;
esac
log "warning: error(s) occurred while $activity"
exit 1
fi
}
if ! type test_run_tests &>/dev/null; then
# We're not loaded into the test.sh, so we run main.
parse_args "$@"
main
fi


@ -0,0 +1,51 @@
# Run:
# nix-build -A nixosTests.apply
#
# These are not all tests. See also nixosTests.
{
lib,
stdenvNoCC,
testers,
...
}:
let
fileset = lib.fileset.unions [
./test.sh
./apply.sh
];
in
{
unitTests = stdenvNoCC.mkDerivation {
name = "nixos-apply-unit-tests";
src = lib.fileset.toSource {
root = ./.;
inherit fileset;
};
dontBuild = true;
checkPhase = ''
./test.sh
'';
installPhase = ''
touch $out
'';
};
shellcheck =
(testers.shellcheck {
src = lib.fileset.toSource {
# This makes the error messages include the full path
root = ../../../../..;
inherit fileset;
};
}).overrideAttrs
{
postUnpack = ''
for f in $(find . -type f); do
substituteInPlace $f --replace @bash@ /usr/bin/bash
done
'';
};
}
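Review bot: `unitTests` defines a `checkPhase` but never sets `doCheck`, and `stdenvNoCC.mkDerivation` defaults it to false, so `nix-build -A nixosTests.apply` succeeds without ever executing `./test.sh`; add `doCheck = true;` next to `dontBuild = true;`. In the `shellcheck` derivation, `substituteInPlace $f --replace @bash@ /usr/bin/bash` should use `--replace-fail` (plain `--replace` is deprecated in nixpkgs and only warns), and the `for f in $(find . -type f)` loop would be safer as `find . -type f -exec substituteInPlace {} --replace-fail @bash@ /usr/bin/bash \;`.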


@ -0,0 +1,176 @@
#!/usr/bin/env bash
# shellcheck disable=SC2317 disable=SC2031
# False positives:
# SC2317: Unreachable code: TEST_*
# SC2031: <variable> was modified in a subshell. That change might be lost.
# We have a lot of that, and that's expected.
# This is a unit test script for the NixOS apply script.
# It can be run quickly with the following command:
#
# ./test.sh
#
# Alternatively, run the following to run all tests and checks
#
# TODO
#
set -euo pipefail
# set -x
apply="${BASH_SOURCE[0]%/*}/apply.sh"
# source_apply() {
run_parse_args() {
bash -c "source $apply;"' parse_args "$@"' -- "$@"
}
TEST_parse_args_none() {
if errout="$(run_parse_args 2>&1)"; then
test_fail "apply without arguments should fail"
elif [[ $? -ne 1 ]]; then
test_fail "apply without arguments should exit with code 1"
fi
grep -F "no subcommand specified" <<<"$errout" >/dev/null
}
TEST_parse_args_switch() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args switch;
[[ $subcommand == switch ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_boot() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args boot;
[[ $subcommand == boot ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_test() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args test;
[[ $subcommand == test ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_dry_activate() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args dry-activate;
[[ $subcommand == dry-activate ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_unknown() {
if errout="$(run_parse_args foo 2>&1)"; then
test_fail "apply with unknown subcommand should fail"
fi
grep -F "unexpected argument or flag: foo" <<<"$errout" >/dev/null
}
TEST_parse_args_switch_specialisation_no_arg() {
if errout="$(run_parse_args switch --specialisation 2>&1)"; then
test_fail "apply with --specialisation without argument should fail"
fi
grep -F "missing argument for --specialisation" <<<"$errout" >/dev/null
}
TEST_parse_args_switch_specialisation() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args switch --specialisation low-power;
[[ $subcommand == switch ]]
[[ $specialisation == low-power ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_switch_profile() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args switch --profile /nix/var/nix/profiles/system;
[[ $subcommand == switch ]]
[[ $specialisation == "" ]]
[[ $profile == /nix/var/nix/profiles/system ]]
)
}
# Support code
test_fail() {
echo "TEST FAILURE: $*" >&2
exit 1
}
test_print_trace() {
local frame=${1:0}
local caller
# shellcheck disable=SC2207 disable=SC2086
while caller=( $(caller $frame) ); do
echo " in ${caller[1]} at ${caller[2]}:${caller[0]}"
frame=$((frame+1));
done
}
test_on_err() {
echo "ERROR running: ${BASH_COMMAND}" >&2
test_print_trace 1 >&2
}
test_init() {
trap 'test_on_err' ERR
}
test_find() {
declare -F | grep -o 'TEST_.*' | sort
}
test_run_tests() {
local status=0
for test in $(test_find); do
set +e
(
set -eEuo pipefail
trap 'test_on_err' ERR
$test
)
r=$?
set -e
if [[ $r == 0 ]]; then
echo "ok: $test"
else
echo "TEST FAIL: $test"; status=1;
fi
done
if [[ $status == 0 ]]; then
echo "All good"
else
echo
echo "TEST SUITE FAILED"
fi
exit $status
}
# Main
test_init
test_run_tests
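Review bot: Several assertions contradict apply.sh as added in this commit: every `TEST_parse_args_*` case asserts `[[ $profile == "" ]]` while the script initialises `profile=/nix/var/nix/profiles/system` at top level (sourced before `parse_args` runs), and `TEST_parse_args_unknown` greps for `unexpected argument or flag: foo` although with no subcommand parsed the script prints `unexpected subcommand or flag: foo`. These tests fail as soon as they are actually executed; either assert the real default and message or change apply.sh to match. Separately, `local frame=${1:0}` in `test_print_trace` is a substring expansion rather than a default value — `${1:-0}` was presumably intended.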


@ -42,7 +42,7 @@ in
(e.g. `fewJobsManyCores`) at runtime, run: (e.g. `fewJobsManyCores`) at runtime, run:
``` ```
sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test sudo /run/current-system/specialisation/fewJobsManyCores/bin/apply test
``` ```
''; '';
type = types.attrsOf (types.submodule ( type = types.attrsOf (types.submodule (


@ -80,12 +80,9 @@ if ("@localeArchive@" ne "") {
if (!defined($action) || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) { if (!defined($action) || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) {
print STDERR <<"EOF"; print STDERR <<"EOF";
error: Unknown action $action
Usage: $0 [switch|boot|test|dry-activate] Usage: $0 [switch|boot|test|dry-activate]
Consider calling `apply` instead of `switch-to-configuration`.
switch: make the configuration the boot default and activate now
boot: make the configuration the boot default
test: activate the configuration, but don\'t make it the boot default
dry-activate: show what would be done if this configuration were activated
EOF EOF
exit(1); exit(1);
} }
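Review bot: `error: Unknown action $action` is also reached through the `!defined($action)` clause of the condition, where it prints `Unknown action ` with an empty value and, if warnings are enabled in this file, an uninitialized-value warning. Print a distinct message for that case, e.g. `my $what = defined($action) ? "Unknown action $action" : "No action given";` and interpolate `$what` in the heredoc. The surrounding block continues outside the hunk.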


@ -40,7 +40,30 @@ in
}; };
}; };
options.system.apply.enable = lib.mkOption {
type = lib.types.bool;
default = config.system.switch.enable;
internal = true;
description = ''
Whether to include the `bin/apply` script.
Disabling puts `nixos-rebuild` in a legacy mode that won't be maintained
and removes cheap and useful functionality. It's also slower over ssh.
This should only be used for testing the `nixos-rebuild` command, to
pretend that the configuration is an old NixOS.
'';
};
config = lib.mkMerge [ config = lib.mkMerge [
(lib.mkIf config.system.apply.enable {
system.activatableSystemBuilderCommands = ''
mkdir -p $out/bin
substitute ${./apply/apply.sh} $out/bin/apply \
--subst-var-by bash ${lib.getExe pkgs.bash} \
--subst-var-by toplevel ''${!toplevelVar}
chmod +x $out/bin/apply
'';
})
(lib.mkIf (config.system.switch.enable && !config.system.switch.enableNg) { (lib.mkIf (config.system.switch.enable && !config.system.switch.enableNg) {
warnings = [ warnings = [
'' ''
@ -54,7 +77,7 @@ in
]; ];
system.activatableSystemBuilderCommands = '' system.activatableSystemBuilderCommands = ''
mkdir $out/bin mkdir -p $out/bin
substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \ substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \
--subst-var out \ --subst-var out \
--subst-var-by toplevel ''${!toplevelVar} \ --subst-var-by toplevel ''${!toplevelVar} \
@ -86,7 +109,7 @@ in
( (
source ${pkgs.buildPackages.makeWrapper}/nix-support/setup-hook source ${pkgs.buildPackages.makeWrapper}/nix-support/setup-hook
mkdir $out/bin mkdir -p $out/bin
ln -sf ${lib.getExe pkgs.switch-to-configuration-ng} $out/bin/switch-to-configuration ln -sf ${lib.getExe pkgs.switch-to-configuration-ng} $out/bin/switch-to-configuration
wrapProgram $out/bin/switch-to-configuration \ wrapProgram $out/bin/switch-to-configuration \
--set OUT $out \ --set OUT $out \


@ -49,8 +49,8 @@ let
# Putting it all together. This builds a store path containing # Putting it all together. This builds a store path containing
# symlinks to the various parts of the built configuration (the # symlinks to the various parts of the built configuration (the
# kernel, systemd units, init scripts, etc.) as well as a script # kernel, systemd units, init scripts, etc.) as well as a script
# `switch-to-configuration' that activates the configuration and # `bin/apply` that activates the configuration and
# makes it bootable. See `activatable-system.nix`. # makes it bootable. See `activatable-system.nix` and `switchable-system.nix`.
baseSystem = pkgs.stdenvNoCC.mkDerivation ({ baseSystem = pkgs.stdenvNoCC.mkDerivation ({
name = "nixos-system-${config.system.name}-${config.system.nixos.label}"; name = "nixos-system-${config.system.name}-${config.system.nixos.label}";
preferLocalBuild = true; preferLocalBuild = true;


@ -405,7 +405,7 @@ let
${lib.optionalString (config.boot.initrd.secrets == {}) ${lib.optionalString (config.boot.initrd.secrets == {})
"exit 0"} "exit 0"}
export PATH=${pkgs.coreutils}/bin:${pkgs.libarchive}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin export PATH=${pkgs.coreutils}/bin:${pkgs.cpio}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
function cleanup { function cleanup {
if [ -n "$tmp" -a -d "$tmp" ]; then if [ -n "$tmp" -a -d "$tmp" ]; then
@ -426,7 +426,7 @@ let
} }
# mindepth 1 so that we don't change the mode of / # mindepth 1 so that we don't change the mode of /
(cd "$tmp" && find . -mindepth 1 | xargs touch -amt 197001010000 && find . -mindepth 1 -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @-) | \ (cd "$tmp" && find . -mindepth 1 | xargs touch -amt 197001010000 && find . -mindepth 1 -print0 | sort -z | cpio --quiet -o -H newc -R +0:+0 --reproducible --null) | \
${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1" ${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1"
''; '';


@ -160,6 +160,7 @@ let
# Misc. # Misc.
"systemd-sysctl.service" "systemd-sysctl.service"
"systemd-machine-id-commit.service"
] ++ optionals cfg.package.withTimedated [ ] ++ optionals cfg.package.withTimedated [
"dbus-org.freedesktop.timedate1.service" "dbus-org.freedesktop.timedate1.service"
"systemd-timedated.service" "systemd-timedated.service"


@ -30,11 +30,11 @@ in
example = lib.literalExpression '' example = lib.literalExpression ''
{ {
general.animations = true; general.animations = true;
theme = { theme = {
default = "pmos-dark"; default = "pmos-dark";
alternate = "pmos-light"; alternate = "pmos-light";
}; };
} }
''; '';
default = { }; default = { };
