merge master & re-run generate.sh
commit
f46c9675a4
@ -36,3 +36,6 @@ d08ede042b74b8199dc748323768227b88efcf7c
|
||||
|
||||
# fix indentation in mk-python-derivation.nix
|
||||
d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
|
||||
|
||||
# fix indentation in meteor default.nix
|
||||
f76b359e4a55267ddd4e9e149e7cc13ae5cad98a
|
||||
|
6
.github/CODEOWNERS
vendored
6
.github/CODEOWNERS
vendored
@ -108,9 +108,9 @@
|
||||
/pkgs/top-level/haskell-packages.nix @cdepillabout @sternenseemann @maralorn
|
||||
|
||||
# Perl
|
||||
/pkgs/development/interpreters/perl @stigtsp @zakame
|
||||
/pkgs/top-level/perl-packages.nix @stigtsp @zakame
|
||||
/pkgs/development/perl-modules @stigtsp @zakame
|
||||
/pkgs/development/interpreters/perl @stigtsp @zakame @dasJ
|
||||
/pkgs/top-level/perl-packages.nix @stigtsp @zakame @dasJ
|
||||
/pkgs/development/perl-modules @stigtsp @zakame @dasJ
|
||||
|
||||
# R
|
||||
/pkgs/applications/science/math/R @jbedo
|
||||
|
@ -36,6 +36,9 @@ buildImage {
|
||||
WorkingDir = "/data";
|
||||
Volumes = { "/data" = { }; };
|
||||
};
|
||||
|
||||
diskSize = 1024;
|
||||
buildVMMemorySize = 512;
|
||||
}
|
||||
```
|
||||
|
||||
@ -59,6 +62,10 @@ The above example will build a Docker image `redis/latest` from the given base i
|
||||
|
||||
- `config` is used to specify the configuration of the containers that will be started off the built image in Docker. The available options are listed in the [Docker Image Specification v1.2.0](https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions).
|
||||
|
||||
- `diskSize` is used to specify the disk size of the VM used to build the image in megabytes. By default it's 1024 MiB.
|
||||
|
||||
- `buildVMMemorySize` is used to specify the memory size of the VM to build the image in megabytes. By default it's 512 MiB.
|
||||
|
||||
After the new layer has been created, its closure (to which `contents`, `config` and `runAsRoot` contribute) will be copied in the layer itself. Only new dependencies that are not already in the existing layers will be copied.
|
||||
|
||||
At the end of the process, only one new single layer will be produced and added to the resulting image.
|
||||
|
@ -871,12 +871,27 @@ Constructs a wrapper for a program with various possible arguments. It is define
|
||||
# adds `FOOBAR=baz` to `$out/bin/foo`’s environment
|
||||
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
|
||||
|
||||
# prefixes the binary paths of `hello` and `git`
|
||||
# Prefixes the binary paths of `hello` and `git`
|
||||
# and suffixes the binary path of `xdg-utils`.
|
||||
# Be advised that paths often should be patched in directly
|
||||
# (via string replacements or in `configurePhase`).
|
||||
makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello git ]}
|
||||
makeWrapper $out/bin/foo $wrapperfile \
|
||||
--prefix PATH : ${lib.makeBinPath [ hello git ]} \
|
||||
--suffix PATH : ${lib.makeBinPath [ xdg-utils ]}
|
||||
```
|
||||
|
||||
Packages may expect or require other utilities to be available at runtime.
|
||||
`makeWrapper` can be used to add packages to a `PATH` environment variable local to a wrapper.
|
||||
|
||||
Use `--prefix` to explicitly set dependencies in `PATH`.
|
||||
|
||||
:::{note}
|
||||
`--prefix` essentially hard-codes dependencies into the wrapper.
|
||||
They cannot be overridden without rebuilding the package.
|
||||
:::
|
||||
|
||||
If dependencies should be resolved at runtime, use `--suffix` to append fallback values to `PATH`.
|
||||
|
||||
There’s many more kinds of arguments, they are documented in `nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh` for the `makeWrapper` implementation and in `nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh` for the `makeBinaryWrapper` implementation.
|
||||
|
||||
`wrapProgram` is a convenience function you probably want to use most of the time, implemented by both `makeWrapper` and `makeBinaryWrapper`.
|
||||
|
@ -36,7 +36,7 @@ rec {
|
||||
forEach = xs: f: map f xs;
|
||||
|
||||
/* “right fold” a binary function `op` between successive elements of
|
||||
`list` with `nul' as the starting value, i.e.,
|
||||
`list` with `nul` as the starting value, i.e.,
|
||||
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.
|
||||
|
||||
Type: foldr :: (a -> b -> b) -> b -> [a] -> b
|
||||
|
@ -115,6 +115,12 @@
|
||||
githubId = 7414843;
|
||||
name = "Nicholas von Klitzing";
|
||||
};
|
||||
_360ied = {
|
||||
name = "Brian Zhu";
|
||||
email = "therealbarryplayer@gmail.com";
|
||||
github = "360ied";
|
||||
githubId = 19516527;
|
||||
};
|
||||
_13r0ck = {
|
||||
name = "Brock Szuszczewicz";
|
||||
email = "bnr@tuta.io";
|
||||
@ -1359,6 +1365,12 @@
|
||||
githubId = 9315;
|
||||
name = "Zhong Jianxin";
|
||||
};
|
||||
a-kenji = {
|
||||
email = "aks.kenji@protonmail.com";
|
||||
github = "a-kenji";
|
||||
githubId = 65275785;
|
||||
name = "Alexander Kenji Berthold";
|
||||
};
|
||||
b4dm4n = {
|
||||
email = "fabianm88@gmail.com";
|
||||
github = "B4dM4n";
|
||||
@ -1778,7 +1790,7 @@
|
||||
};
|
||||
booklearner = {
|
||||
name = "booklearner";
|
||||
email = "hey@booklearner.org";
|
||||
email = "booklearner@proton.me";
|
||||
matrix = "@booklearner:matrix.org";
|
||||
github = "booklearner";
|
||||
githubId = 103979114;
|
||||
@ -3738,6 +3750,12 @@
|
||||
githubId = 537775;
|
||||
name = "Emery Hemingway";
|
||||
};
|
||||
eigengrau = {
|
||||
email = "seb@schattenkopie.de";
|
||||
name = "Sebastian Reuße";
|
||||
github = "eigengrau";
|
||||
githubId = 4939947;
|
||||
};
|
||||
eikek = {
|
||||
email = "eike.kettner@posteo.de";
|
||||
github = "eikek";
|
||||
@ -6343,6 +6361,16 @@
|
||||
}];
|
||||
name = "Ioannis Koutras";
|
||||
};
|
||||
jonaenz = {
|
||||
name = "Jona Enzinger";
|
||||
email = "5xt3zyy5l@mozmail.com";
|
||||
matrix = "@jona:matrix.jonaenz.de";
|
||||
github = "jonaenz";
|
||||
githubId = 57130301;
|
||||
keys = [{
|
||||
fingerprint = "1CC5 B67C EB9A 13A5 EDF6 F10E 0B4A 3662 FC58 9202";
|
||||
}];
|
||||
};
|
||||
jonafato = {
|
||||
email = "jon@jonafato.com";
|
||||
github = "jonafato";
|
||||
@ -6957,12 +6985,6 @@
|
||||
fingerprint = "8992 44FC D291 5CA2 0A97 802C 156C 88A5 B0A0 4B2A";
|
||||
}];
|
||||
};
|
||||
kiyengar = {
|
||||
email = "hello@kiyengar.net";
|
||||
github = "karthikiyengar";
|
||||
githubId = 8260207;
|
||||
name = "Karthik Iyengar";
|
||||
};
|
||||
kjeremy = {
|
||||
email = "kjeremy@gmail.com";
|
||||
name = "Jeremy Kolb";
|
||||
@ -7262,7 +7284,7 @@
|
||||
};
|
||||
lassulus = {
|
||||
email = "lassulus@gmail.com";
|
||||
matrix = "@lassulus:nixos.dev";
|
||||
matrix = "@lassulus:lassul.us";
|
||||
github = "Lassulus";
|
||||
githubId = 621759;
|
||||
name = "Lassulus";
|
||||
@ -7956,6 +7978,12 @@
|
||||
githubId = 31056089;
|
||||
name = "Tom Ho";
|
||||
};
|
||||
majewsky = {
|
||||
email = "majewsky@gmx.net";
|
||||
github = "majewsky";
|
||||
githubId = 24696;
|
||||
name = "Stefan Majewsky";
|
||||
};
|
||||
majiir = {
|
||||
email = "majiir@nabaal.net";
|
||||
github = "Majiir";
|
||||
@ -10178,6 +10206,16 @@
|
||||
fingerprint = "5D69 CF04 B7BC 2BC1 A567 9267 00BC F29B 3208 0700";
|
||||
}];
|
||||
};
|
||||
phfroidmont = {
|
||||
name = "Paul-Henri Froidmont";
|
||||
email = "nix.contact-j9dw4d@froidmont.org";
|
||||
|
||||
github = "phfroidmont";
|
||||
githubId = 8150907;
|
||||
keys = [{
|
||||
fingerprint = "3AC6 F170 F011 33CE 393B CD94 BE94 8AFD 7E78 73BE";
|
||||
}];
|
||||
};
|
||||
philandstuff = {
|
||||
email = "philip.g.potter@gmail.com";
|
||||
github = "philandstuff";
|
||||
@ -13488,6 +13526,15 @@
|
||||
githubId = 619015;
|
||||
name = "Svintsov Dmitry";
|
||||
};
|
||||
urandom = {
|
||||
email = "colin@urandom.co.uk";
|
||||
github = "arnottcr";
|
||||
githubId = 2526260;
|
||||
keys = [{
|
||||
fingerprint = "04A3 A2C6 0042 784A AEA7 D051 0447 A663 F7F3 E236";
|
||||
}];
|
||||
name = "Colin Arnott";
|
||||
};
|
||||
urbas = {
|
||||
email = "matej.urbas@gmail.com";
|
||||
github = "urbas";
|
||||
@ -13856,6 +13903,12 @@
|
||||
github = "wamserma";
|
||||
githubId = 60148;
|
||||
};
|
||||
water-sucks = {
|
||||
email = "varun@cvte.org";
|
||||
name = "Varun Narravula";
|
||||
github = "water-sucks";
|
||||
githubId = 68445574;
|
||||
};
|
||||
waynr = {
|
||||
name = "Wayne Warren";
|
||||
email = "wayne.warren.s@gmail.com";
|
||||
@ -13911,6 +13964,15 @@
|
||||
github = "wentasah";
|
||||
githubId = 140542;
|
||||
};
|
||||
wesnel = {
|
||||
name = "Wesley Nelson";
|
||||
email = "wgn@wesnel.dev";
|
||||
github = "wesnel";
|
||||
githubId = 43357387;
|
||||
keys = [{
|
||||
fingerprint = "F844 80B2 0CA9 D6CC C7F5 2479 A776 D2AD 099E 8BC0";
|
||||
}];
|
||||
};
|
||||
wheelsandmetal = {
|
||||
email = "jakob@schmutz.co.uk";
|
||||
github = "wheelsandmetal";
|
||||
@ -14058,6 +14120,15 @@
|
||||
github = "wr0belj";
|
||||
githubId = 40501814;
|
||||
};
|
||||
wrmilling = {
|
||||
name = "Winston R. Milling";
|
||||
email = "Winston@Milli.ng";
|
||||
github = "WRMilling";
|
||||
githubId = 6162814;
|
||||
keys = [{
|
||||
fingerprint = "21E1 6B8D 2EE8 7530 6A6C 9968 D830 77B9 9F8C 6643";
|
||||
}];
|
||||
};
|
||||
wscott = {
|
||||
email = "wsc9tt@gmail.com";
|
||||
github = "wscott";
|
||||
|
@ -2130,6 +2130,13 @@ sudo mkdir /var/lib/redis-peertube
|
||||
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
|
||||
</programlisting>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Added the <literal>keter</literal> NixOS module. Keter reverse
|
||||
proxies requests to your loaded application based on virtual
|
||||
hostnames.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
If you are using Wayland you can choose to use the Ozone
|
||||
|
@ -70,6 +70,34 @@
|
||||
with any supported NixOS release.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>emacs</literal> enables native compilation which
|
||||
means:
|
||||
</para>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
emacs packages from nixpkgs, builtin or not, will do
|
||||
native compilation ahead of time so you can enjoy the
|
||||
benefit of native compilation without compiling them on
|
||||
you machine;
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
emacs packages from somewhere else, e.g.
|
||||
<literal>package-install</literal>, will do asynchronously
|
||||
deferred native compilation. If you do not want this,
|
||||
maybe to avoid CPU consumption for compilation, you can
|
||||
use
|
||||
<literal>(setq native-comp-deferred-compilation nil)</literal>
|
||||
to disable it while still enjoy the benefit of native
|
||||
compilation for packages from nixpkgs.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>nixos-generate-config</literal> now generates
|
||||
@ -97,7 +125,9 @@
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Cinnamon has been updated to 5.4.
|
||||
Cinnamon has been updated to 5.4. While at it, the cinnamon
|
||||
module now defaults to blueman as bluetooth manager and
|
||||
slick-greeter as lightdm greeter to match upstream.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
@ -138,6 +168,13 @@
|
||||
<link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://komga.org/">Komga</link>, a free and
|
||||
open source comics/mangas media server. Available as
|
||||
<link linkend="opt-services.komga.enable">services.komga</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://hbase.apache.org/">HBase
|
||||
@ -161,6 +198,13 @@
|
||||
<link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://www.getoutline.com/">Outline</link>,
|
||||
a wiki and knowledge base similar to Notion. Available as
|
||||
<link linkend="opt-services.outline.enable">services.outline</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>,
|
||||
@ -191,6 +235,14 @@
|
||||
<link linkend="opt-services.tempo.enable">services.tempo</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/zalando/patroni">Patroni</link>,
|
||||
a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
|
||||
Available as
|
||||
<link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="sec-release-22.11-incompatibilities">
|
||||
|
@ -778,6 +778,7 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
sudo mkdir /var/lib/redis-peertube
|
||||
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
|
||||
```
|
||||
- Added the `keter` NixOS module. Keter reverse proxies requests to your loaded application based on virtual hostnames.
|
||||
|
||||
- If you are using Wayland you can choose to use the Ozone Wayland support
|
||||
in Chrome and several Electron apps by setting the environment variable
|
||||
|
@ -35,6 +35,10 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
for a transition period so that in time the ecosystem can switch without
|
||||
breaking compatibility with any supported NixOS release.
|
||||
|
||||
- `emacs` enables native compilation which means:
|
||||
- emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
|
||||
- emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs.
|
||||
|
||||
- `nixos-generate-config` now generates configurations that can be built in pure
|
||||
mode. This is achieved by setting the new `nixpkgs.hostPlatform` option.
|
||||
|
||||
@ -46,7 +50,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
|
||||
- PHP now defaults to PHP 8.1, updated from 8.0.
|
||||
|
||||
- Cinnamon has been updated to 5.4.
|
||||
- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
|
||||
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
|
||||
|
||||
- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement.
|
||||
|
||||
@ -59,6 +64,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
|
||||
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
|
||||
|
||||
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
|
||||
|
||||
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
|
||||
|
||||
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
|
||||
@ -67,6 +74,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization.
|
||||
Available as [services.kanata](options.html#opt-services.kanata.enable).
|
||||
|
||||
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
|
||||
|
||||
- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
|
||||
|
||||
- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
|
||||
@ -75,6 +84,9 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
|
||||
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
|
||||
|
||||
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
|
||||
Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
||||
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
|
||||
|
@ -285,6 +285,8 @@ in rec {
|
||||
Documentation = toString config.documentation; }
|
||||
// optionalAttrs (config.onFailure != []) {
|
||||
OnFailure = toString config.onFailure; }
|
||||
// optionalAttrs (config.onSuccess != []) {
|
||||
OnSuccess = toString config.onSuccess; }
|
||||
// optionalAttrs (options.startLimitIntervalSec.isDefined) {
|
||||
StartLimitIntervalSec = toString config.startLimitIntervalSec;
|
||||
} // optionalAttrs (options.startLimitBurst.isDefined) {
|
||||
|
@ -206,6 +206,15 @@ in rec {
|
||||
'';
|
||||
};
|
||||
|
||||
onSuccess = mkOption {
|
||||
default = [];
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
A list of one or more units that are activated when
|
||||
this unit enters the "inactive" state.
|
||||
'';
|
||||
};
|
||||
|
||||
startLimitBurst = mkOption {
|
||||
type = types.int;
|
||||
description = ''
|
||||
|
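Review bot: The new `onSuccess` option's description is a plain `''` string while the other modules touched by this same commit (the krb5 and ldap hunks) convert their descriptions to `lib.mdDoc`; for consistency the new option should be written as `description = lib.mdDoc ''` from the start rather than needing a follow-up conversion. The description would also help users if it named the directive it is forwarded as (`OnSuccess=`, per the earlier serialization hunk) and noted that this directive only exists in newer systemd releases (added in v249, as far as I recall), since on an older systemd the setting is silently ignored. The enclosing `in rec {` attribute set starts and ends outside the hunk.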
@ -204,11 +204,11 @@ in {
|
||||
admin_server = SYSLOG:NOTICE
|
||||
default = SYSLOG:NOTICE
|
||||
'';
|
||||
description = ''
|
||||
These lines go to the end of <literal>krb5.conf</literal> verbatim.
|
||||
<literal>krb5.conf</literal> may include any of the relations that are
|
||||
valid for <literal>kdc.conf</literal> (see <literal>man
|
||||
kdc.conf</literal>), but it is not a recommended practice.
|
||||
description = lib.mdDoc ''
|
||||
These lines go to the end of `krb5.conf` verbatim.
|
||||
`krb5.conf` may include any of the relations that are
|
||||
valid for `kdc.conf` (see `man kdc.conf`),
|
||||
but it is not a recommended practice.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -186,16 +186,16 @@ in
|
||||
policy = mkOption {
|
||||
default = "hard_open";
|
||||
type = types.enum [ "hard_open" "hard_init" "soft" ];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Specifies the policy to use for reconnecting to an unavailable
|
||||
LDAP server. The default is <literal>hard_open</literal>, which
|
||||
LDAP server. The default is `hard_open`, which
|
||||
reconnects if opening the connection to the directory server
|
||||
failed. By contrast, <literal>hard_init</literal> reconnects if
|
||||
failed. By contrast, `hard_init` reconnects if
|
||||
initializing the connection failed. Initializing may not
|
||||
actually contact the directory server, and it is possible that
|
||||
a malformed configuration file will trigger reconnection. If
|
||||
<literal>soft</literal> is specified, then
|
||||
<package>nss_ldap</package> will return immediately on server
|
||||
`soft` is specified, then
|
||||
`nss_ldap` will return immediately on server
|
||||
failure. All hard reconnect policies block with exponential
|
||||
backoff before retrying.
|
||||
'';
|
||||
|
519
nixos/modules/config/mysql.nix
Normal file
519
nixos/modules/config/mysql.nix
Normal file
@ -0,0 +1,519 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.users.mysql;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
users.mysql = {
|
||||
enable = mkEnableOption "Authentication against a MySQL/MariaDB database";
|
||||
host = mkOption {
|
||||
type = types.str;
|
||||
example = "localhost";
|
||||
description = "The hostname of the MySQL/MariaDB server";
|
||||
};
|
||||
database = mkOption {
|
||||
type = types.str;
|
||||
example = "auth";
|
||||
description = "The name of the database containing the users";
|
||||
};
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
example = "nss-user";
|
||||
description = "The username to use when connecting to the database";
|
||||
};
|
||||
passwordFile = mkOption {
|
||||
type = types.path;
|
||||
example = "/run/secrets/mysql-auth-db-passwd";
|
||||
description = "The path to the file containing the password for the user";
|
||||
};
|
||||
pam = mkOption {
|
||||
description = "Settings for <literal>pam_mysql</literal>";
|
||||
type = types.submodule {
|
||||
options = {
|
||||
table = mkOption {
|
||||
type = types.str;
|
||||
example = "users";
|
||||
description = "The name of table that maps unique login names to the passwords.";
|
||||
};
|
||||
updateTable = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "users_updates";
|
||||
description = ''
|
||||
The name of the table used for password alteration. If not defined, the value
|
||||
of the <literal>table</literal> option will be used instead.
|
||||
'';
|
||||
};
|
||||
userColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "username";
|
||||
description = "The name of the column that contains a unix login name.";
|
||||
};
|
||||
passwordColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "password";
|
||||
description = "The name of the column that contains a (encrypted) password string.";
|
||||
};
|
||||
statusColumn = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "status";
|
||||
description = ''
|
||||
The name of the column or an SQL expression that indicates the status of
|
||||
the user. The status is expressed by the combination of two bitfields
|
||||
shown below:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>bit 0 (0x01)</literal>:
|
||||
if flagged, <literal>pam_mysql</literal> deems the account to be expired and
|
||||
returns <literal>PAM_ACCT_EXPIRED</literal>. That is, the account is supposed
|
||||
to no longer be available. Note this doesn't mean that <literal>pam_mysql</literal>
|
||||
rejects further authentication operations.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>bit 1 (0x02)</literal>:
|
||||
if flagged, <literal>pam_mysql</literal> deems the authentication token
|
||||
(password) to be expired and returns <literal>PAM_NEW_AUTHTOK_REQD</literal>.
|
||||
This ends up requiring that the user enter a new password.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
'';
|
||||
};
|
||||
passwordCrypt = mkOption {
|
||||
example = "2";
|
||||
type = types.enum [
|
||||
"0" "plain"
|
||||
"1" "Y"
|
||||
"2" "mysql"
|
||||
"3" "md5"
|
||||
"4" "sha1"
|
||||
"5" "drupal7"
|
||||
"6" "joomla15"
|
||||
"7" "ssha"
|
||||
"8" "sha512"
|
||||
"9" "sha256"
|
||||
];
|
||||
description = ''
|
||||
The method to encrypt the user's password:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>0</literal> (or <literal>"plain"</literal>):
|
||||
No encryption. Passwords are stored in plaintext. HIGHLY DISCOURAGED.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>1</literal> (or <literal>"Y"</literal>):
|
||||
Use crypt(3) function.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>2</literal> (or <literal>"mysql"</literal>):
|
||||
Use the MySQL PASSWORD() function. It is possible that the encryption function used
|
||||
by <literal>pam_mysql</literal> is different from that of the MySQL server, as
|
||||
<literal>pam_mysql</literal> uses the function defined in MySQL's C-client API
|
||||
instead of using PASSWORD() SQL function in the query.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>3</literal> (or <literal>"md5"</literal>):
|
||||
Use plain hex MD5.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>4</literal> (or <literal>"sha1"</literal>):
|
||||
Use plain hex SHA1.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>5</literal> (or <literal>"drupal7"</literal>):
|
||||
Use Drupal7 salted passwords.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>6</literal> (or <literal>"joomla15"</literal>):
|
||||
Use Joomla15 salted passwords.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>7</literal> (or <literal>"ssha"</literal>):
|
||||
Use ssha hashed passwords.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>8</literal> (or <literal>"sha512"</literal>):
|
||||
Use sha512 hashed passwords.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>9</literal> (or <literal>"sha256"</literal>):
|
||||
Use sha256 hashed passwords.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
'';
|
||||
};
|
||||
cryptDefault = mkOption {
|
||||
type = types.nullOr (types.enum [ "md5" "sha256" "sha512" "blowfish" ]);
|
||||
default = null;
|
||||
example = "blowfish";
|
||||
description = "The default encryption method to use for <literal>passwordCrypt = 1</literal>.";
|
||||
};
|
||||
where = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "host.name='web' AND user.active=1";
|
||||
description = "Additional criteria for the query.";
|
||||
};
|
||||
verbose = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
If enabled, produces logs with detailed messages that describes what
|
||||
<literal>pam_mysql</literal> is doing. May be useful for debugging.
|
||||
'';
|
||||
};
|
||||
disconnectEveryOperation = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
By default, <literal>pam_mysql</literal> keeps the connection to the MySQL
|
||||
database until the session is closed. If this option is set to true it
|
||||
disconnects every time the PAM operation has finished. This option may
|
||||
be useful in case the session lasts quite long.
|
||||
'';
|
||||
};
|
||||
logging = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enables logging of authentication attempts in the MySQL database.";
|
||||
};
|
||||
table = mkOption {
|
||||
type = types.str;
|
||||
example = "logs";
|
||||
description = "The name of the table to which logs are written.";
|
||||
};
|
||||
msgColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "msg";
|
||||
description = ''
|
||||
The name of the column in the log table to which the description
|
||||
of the performed operation is stored.
|
||||
'';
|
||||
};
|
||||
userColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "user";
|
||||
description = ''
|
||||
The name of the column in the log table to which the name of the
|
||||
user being authenticated is stored.
|
||||
'';
|
||||
};
|
||||
pidColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "pid";
|
||||
description = ''
|
||||
The name of the column in the log table to which the pid of the
|
||||
process utilising the <literal>pam_mysql's</literal> authentication
|
||||
service is stored.
|
||||
'';
|
||||
};
|
||||
hostColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "host";
|
||||
description = ''
|
||||
The name of the column in the log table to which the name of the user
|
||||
being authenticated is stored.
|
||||
'';
|
||||
};
|
||||
rHostColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "rhost";
|
||||
description = ''
|
||||
The name of the column in the log table to which the name of the remote
|
||||
host that initiates the session is stored. The value is supposed to be
|
||||
set by the PAM-aware application with <literal>pam_set_item(PAM_RHOST)
|
||||
</literal>.
|
||||
'';
|
||||
};
|
||||
timeColumn = mkOption {
|
||||
type = types.str;
|
||||
example = "timestamp";
|
||||
description = ''
|
||||
The name of the column in the log table to which the timestamp of the
|
||||
log entry is stored.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
nss = mkOption {
|
||||
description = ''
|
||||
Settings for <literal>libnss-mysql</literal>.
|
||||
|
||||
All examples are from the <link xlink:href="https://github.com/saknopper/libnss-mysql/tree/master/sample/minimal">minimal example</link>
|
||||
of <literal>libnss-mysql</literal>, but they are modified with NixOS paths for bash.
|
||||
'';
|
||||
type = types.submodule {
|
||||
options = {
|
||||
getpwnam = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
|
||||
FROM users \
|
||||
WHERE username='%1$s' \
|
||||
LIMIT 1
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getpwnam.3.html">getpwnam</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
getpwuid = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
|
||||
FROM users \
|
||||
WHERE uid='%1$u' \
|
||||
LIMIT 1
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getpwuid.3.html">getpwuid</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
getspnam = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT username,password,'1','0','99999','0','0','-1','0' \
|
||||
FROM users \
|
||||
WHERE username='%1$s' \
|
||||
LIMIT 1
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getspnam.3.html">getspnam</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
getpwent = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' FROM users
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getpwent.3.html">getpwent</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
getspent = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT username,password,'1','0','99999','0','0','-1','0' FROM users
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getspent.3.html">getspent</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
getgrnam = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT name,password,gid FROM groups WHERE name='%1$s' LIMIT 1
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getgrnam.3.html">getgrnam</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
getgrgid = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT name,password,gid FROM groups WHERE gid='%1$u' LIMIT 1
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getgrgid.3.html">getgrgid</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
getgrent = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT name,password,gid FROM groups
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/getgrent.3.html">getgrent</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
memsbygid = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT username FROM grouplist WHERE gid='%1$u'
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/memsbygid.3.html">memsbygid</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
gidsbymem = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = literalExpression ''
|
||||
SELECT gid FROM grouplist WHERE username='%1$s'
|
||||
'';
|
||||
description = ''
|
||||
SQL query for the <link
|
||||
xlink:href="https://man7.org/linux/man-pages/man3/gidsbymem.3.html">gidsbymem</link>
|
||||
syscall.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
system.nssModules = [ pkgs.libnss-mysql ];
|
||||
system.nssDatabases.shadow = [ "mysql" ];
|
||||
system.nssDatabases.group = [ "mysql" ];
|
||||
system.nssDatabases.passwd = [ "mysql" ];
|
||||
|
||||
environment.etc."security/pam_mysql.conf" = {
|
||||
user = "root";
|
||||
group = "root";
|
||||
mode = "0600";
|
||||
# password will be added from password file in activation script
|
||||
text = ''
|
||||
users.host=${cfg.host}
|
||||
users.db_user=${cfg.user}
|
||||
users.database=${cfg.database}
|
||||
users.table=${cfg.pam.table}
|
||||
users.user_column=${cfg.pam.userColumn}
|
||||
users.password_column=${cfg.pam.passwordColumn}
|
||||
users.password_crypt=${cfg.pam.passwordCrypt}
|
||||
users.disconnect_every_operation=${if cfg.pam.disconnectEveryOperation then "1" else "0"}
|
||||
verbose=${if cfg.pam.verbose then "1" else "0"}
|
||||
'' + optionalString (cfg.pam.cryptDefault != null) ''
|
||||
users.use_${cfg.pam.cryptDefault}=1
|
||||
'' + optionalString (cfg.pam.where != null) ''
|
||||
users.where_clause=${cfg.pam.where}
|
||||
'' + optionalString (cfg.pam.statusColumn != null) ''
|
||||
users.status_column=${cfg.pam.statusColumn}
|
||||
'' + optionalString (cfg.pam.updateTable != null) ''
|
||||
users.update_table=${cfg.pam.updateTable}
|
||||
'' + optionalString cfg.pam.logging.enable ''
|
||||
log.enabled=true
|
||||
log.table=${cfg.pam.logging.table}
|
||||
log.message_column=${cfg.pam.logging.msgColumn}
|
||||
log.pid_column=${cfg.pam.logging.pidColumn}
|
||||
log.user_column=${cfg.pam.logging.userColumn}
|
||||
log.host_column=${cfg.pam.logging.hostColumn}
|
||||
log.rhost_column=${cfg.pam.logging.rHostColumn}
|
||||
log.time_column=${cfg.pam.logging.timeColumn}
|
||||
'';
|
||||
};
|
||||
|
||||
environment.etc."libnss-mysql.cfg" = {
|
||||
mode = "0600";
|
||||
user = config.services.nscd.user;
|
||||
group = config.services.nscd.group;
|
||||
text = optionalString (cfg.nss.getpwnam != null) ''
|
||||
getpwnam ${cfg.nss.getpwnam}
|
||||
'' + optionalString (cfg.nss.getpwuid != null) ''
|
||||
getpwuid ${cfg.nss.getpwuid}
|
||||
'' + optionalString (cfg.nss.getspnam != null) ''
|
||||
getspnam ${cfg.nss.getspnam}
|
||||
'' + optionalString (cfg.nss.getpwent != null) ''
|
||||
getpwent ${cfg.nss.getpwent}
|
||||
'' + optionalString (cfg.nss.getspent != null) ''
|
||||
getspent ${cfg.nss.getspent}
|
||||
'' + optionalString (cfg.nss.getgrnam != null) ''
|
||||
getgrnam ${cfg.nss.getgrnam}
|
||||
'' + optionalString (cfg.nss.getgrgid != null) ''
|
||||
getgrgid ${cfg.nss.getgrgid}
|
||||
'' + optionalString (cfg.nss.getgrent != null) ''
|
||||
getgrent ${cfg.nss.getgrent}
|
||||
'' + optionalString (cfg.nss.memsbygid != null) ''
|
||||
memsbygid ${cfg.nss.memsbygid}
|
||||
'' + optionalString (cfg.nss.gidsbymem != null) ''
|
||||
gidsbymem ${cfg.nss.gidsbymem}
|
||||
'' + ''
|
||||
host ${cfg.host}
|
||||
database ${cfg.database}
|
||||
'';
|
||||
};
|
||||
|
||||
environment.etc."libnss-mysql-root.cfg" = {
|
||||
mode = "0600";
|
||||
user = config.services.nscd.user;
|
||||
group = config.services.nscd.group;
|
||||
# password will be added from password file in activation script
|
||||
text = ''
|
||||
username ${cfg.user}
|
||||
'';
|
||||
};
|
||||
|
||||
# Activation script to append the password from the password file
|
||||
# to the configuration files. It also fixes the owner of the
|
||||
# libnss-mysql-root.cfg because it is changed to root after the
|
||||
# password is appended.
|
||||
system.activationScripts.mysql-auth-passwords = ''
|
||||
if [[ -r ${cfg.passwordFile} ]]; then
|
||||
org_umask=$(umask)
|
||||
umask 0077
|
||||
|
||||
conf_nss="$(mktemp)"
|
||||
cp /etc/libnss-mysql-root.cfg $conf_nss
|
||||
printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
|
||||
mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
|
||||
chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
|
||||
|
||||
conf_pam="$(mktemp)"
|
||||
cp /etc/security/pam_mysql.conf $conf_pam
|
||||
printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
|
||||
mv -fT "$conf_pam" /etc/security/pam_mysql.conf
|
||||
|
||||
umask $org_umask
|
||||
fi
|
||||
'';
|
||||
};
|
||||
}
|
@ -84,19 +84,19 @@ in
|
||||
<programlisting>${defaultPackagesText}</programlisting>
|
||||
'';
|
||||
example = [];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Set of default packages that aren't strictly necessary
|
||||
for a running system, entries can be removed for a more
|
||||
minimal NixOS installation.
|
||||
|
||||
Note: If <package>pkgs.nano</package> is removed from this list,
|
||||
Note: If `pkgs.nano` is removed from this list,
|
||||
make sure another editor is installed and the
|
||||
<literal>EDITOR</literal> environment variable is set to it.
|
||||
`EDITOR` environment variable is set to it.
|
||||
Environment variables can be set using
|
||||
<option>environment.variables</option>.
|
||||
{option}`environment.variables`.
|
||||
|
||||
Like with systemPackages, packages are installed to
|
||||
<filename>/run/current-system/sw</filename>. They are
|
||||
{file}`/run/current-system/sw`. They are
|
||||
automatically available to all users, and are
|
||||
automatically updated every time you rebuild the system
|
||||
configuration.
|
||||
|
@ -40,12 +40,12 @@ in
|
||||
extraPortals = mkOption {
|
||||
type = types.listOf types.package;
|
||||
default = [ ];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
List of additional portals to add to path. Portals allow interaction
|
||||
with system, like choosing files or taking screenshots. At minimum,
|
||||
a desktop portal implementation should be listed. GNOME and KDE already
|
||||
adds <package>xdg-desktop-portal-gtk</package>; and
|
||||
<package>xdg-desktop-portal-kde</package> respectively. On other desktop
|
||||
adds `xdg-desktop-portal-gtk`; and
|
||||
`xdg-desktop-portal-kde` respectively. On other desktop
|
||||
environments you probably want to add them yourself.
|
||||
'';
|
||||
};
|
||||
|
@ -15,7 +15,7 @@ in
|
||||
enable = mkEnableOption ''
|
||||
the desktop portal for the LXQt desktop environment.
|
||||
|
||||
This will add the <package>lxqt.xdg-desktop-portal-lxqt</package>
|
||||
This will add the <literal>lxqt.xdg-desktop-portal-lxqt</literal>
|
||||
package (with the extra Qt styles) into the
|
||||
<option>xdg.portal.extraPortals</option> option
|
||||
'';
|
||||
@ -29,9 +29,9 @@ in
|
||||
pkgs.qtcurve
|
||||
];
|
||||
'';
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Extra Qt styles that will be available to the
|
||||
<package>lxqt.xdg-desktop-portal-lxqt</package>.
|
||||
`lxqt.xdg-desktop-portal-lxqt`.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -17,16 +17,16 @@ in
|
||||
enable = mkEnableOption ''
|
||||
desktop portal for wlroots-based desktops
|
||||
|
||||
This will add the <package>xdg-desktop-portal-wlr</package> package into
|
||||
This will add the <literal>xdg-desktop-portal-wlr</literal> package into
|
||||
the <option>xdg.portal.extraPortals</option> option, and provide the
|
||||
configuration file
|
||||
'';
|
||||
|
||||
settings = mkOption {
|
||||
description = ''
|
||||
Configuration for <package>xdg-desktop-portal-wlr</package>.
|
||||
description = lib.mdDoc ''
|
||||
Configuration for `xdg-desktop-portal-wlr`.
|
||||
|
||||
See <literal>xdg-desktop-portal-wlr(5)</literal> for supported
|
||||
See `xdg-desktop-portal-wlr(5)` for supported
|
||||
values.
|
||||
'';
|
||||
|
||||
|
@ -103,12 +103,12 @@ in
|
||||
default = "zstd";
|
||||
example = "lz4";
|
||||
type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str;
|
||||
description = ''
|
||||
Compression algorithm. <literal>lzo</literal> has good compression,
|
||||
but is slow. <literal>lz4</literal> has bad compression, but is fast.
|
||||
<literal>zstd</literal> is both good compression and fast, but requires newer kernel.
|
||||
description = lib.mdDoc ''
|
||||
Compression algorithm. `lzo` has good compression,
|
||||
but is slow. `lz4` has bad compression, but is fast.
|
||||
`zstd` is both good compression and fast, but requires newer kernel.
|
||||
You can check what other algorithms are supported by your zram device with
|
||||
<programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting>
|
||||
{command}`cat /sys/class/block/zram*/comp_algorithm`
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
@ -20,7 +20,7 @@ in
|
||||
type = types.str;
|
||||
default = "0xfffd7fff";
|
||||
example = "0xffffffff";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Sets the `amdgpu.ppfeaturemask` kernel option.
|
||||
In particular, it is used here to set the overdrive bit.
|
||||
Default is `0xfffd7fff` as it is less likely to cause flicker issues.
|
||||
|
@ -8,17 +8,17 @@ in
|
||||
options.hardware.cpu.amd.sev = {
|
||||
enable = mkEnableOption "access to the AMD SEV device";
|
||||
user = mkOption {
|
||||
description = "Owner to assign to the SEV device.";
|
||||
description = lib.mdDoc "Owner to assign to the SEV device.";
|
||||
type = types.str;
|
||||
default = "root";
|
||||
};
|
||||
group = mkOption {
|
||||
description = "Group to assign to the SEV device.";
|
||||
description = lib.mdDoc "Group to assign to the SEV device.";
|
||||
type = types.str;
|
||||
default = defaultGroup;
|
||||
};
|
||||
mode = mkOption {
|
||||
description = "Mode to set for the SEV device.";
|
||||
description = lib.mdDoc "Mode to set for the SEV device.";
|
||||
type = types.str;
|
||||
default = "0660";
|
||||
};
|
||||
|
@ -56,23 +56,6 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
# this requires kernel package
|
||||
dtbsWithSymbols = pkgs.stdenv.mkDerivation {
|
||||
name = "dtbs-with-symbols";
|
||||
inherit (cfg.kernelPackage) src nativeBuildInputs depsBuildBuild;
|
||||
patches = map (patch: patch.patch) cfg.kernelPackage.kernelPatches;
|
||||
buildPhase = ''
|
||||
patchShebangs scripts/*
|
||||
substituteInPlace scripts/Makefile.lib \
|
||||
--replace 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget))' 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget)) -@'
|
||||
make ${pkgs.stdenv.hostPlatform.linux-kernel.baseConfig} ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
|
||||
make dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
|
||||
'';
|
||||
installPhase = ''
|
||||
make dtbs_install INSTALL_DTBS_PATH=$out/dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
|
||||
'';
|
||||
};
|
||||
|
||||
filterDTBs = src: if isNull cfg.filter
|
||||
then "${src}/dtbs"
|
||||
else
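Review bot: Dropping `dtbsWithSymbols` means overlays are now applied to the DTBs shipped by `cfg.kernelPackage`, whereas the removed derivation was the build that passed `-@` to dtc so the base trees carry a `__symbols__` node; if the kernel package does not already compile its dtbs with that flag, any overlay that resolves labels will fail when `applyOverlays` runs. Worth confirming that `cfg.kernelPackage` produces symbol-enabled DTBs before relying on this, and recording the requirement next to the new `filteredDTBs = filterDTBs cfg.kernelPackage;` line, e.g. `# overlays need base DTBs built with dtc -@ (__symbols__); the kernel package is expected to provide these`. The same assumption underlies the hunk introducing `filteredDTBs` and the one rewriting `hardware.deviceTree.package`. The enclosing `let` block starts outside the hunk.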
|
||||
@ -83,6 +66,8 @@ let
|
||||
| xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
|
||||
'';
|
||||
|
||||
filteredDTBs = filterDTBs cfg.kernelPackage;
|
||||
|
||||
# Compile single Device Tree overlay source
|
||||
# file (.dts) into its compiled variant (.dtbo)
|
||||
compileDTS = name: f: pkgs.callPackage({ stdenv, dtc }: stdenv.mkDerivation {
|
||||
@ -197,7 +182,7 @@ in
|
||||
};
|
||||
|
||||
hardware.deviceTree.package = if (cfg.overlays != [])
|
||||
then pkgs.deviceTree.applyOverlays (filterDTBs dtbsWithSymbols) (withDTBOs cfg.overlays)
|
||||
else (filterDTBs cfg.kernelPackage);
|
||||
then pkgs.deviceTree.applyOverlays filteredDTBs (withDTBOs cfg.overlays)
|
||||
else filteredDTBs;
|
||||
};
|
||||
}
|
||||
|
@ -11,6 +11,14 @@ with lib;
|
||||
console.earlySetup = mkDefault true;
|
||||
boot.loader.systemd-boot.consoleMode = mkDefault "1";
|
||||
|
||||
|
||||
# Grayscale anti-aliasing for fonts
|
||||
fonts.fontconfig.antialias = mkDefault true;
|
||||
fonts.fontconfig.subpixel = {
|
||||
rgba = mkDefault "none";
|
||||
lcdfilter = mkDefault "none";
|
||||
};
|
||||
|
||||
# TODO Find reasonable defaults X11 & wayland
|
||||
};
|
||||
}
|
||||
|
@ -35,14 +35,14 @@ in
|
||||
options.sdImage = {
|
||||
imageName = mkOption {
|
||||
default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Name of the generated image file.
|
||||
'';
|
||||
};
|
||||
|
||||
imageBaseName = mkOption {
|
||||
default = "nixos-sd-image";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Prefix of the name of the generated image file.
|
||||
'';
|
||||
};
|
||||
@ -50,7 +50,7 @@ in
|
||||
storePaths = mkOption {
|
||||
type = with types; listOf package;
|
||||
example = literalExpression "[ pkgs.stdenv ]";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Derivations to be included in the Nix store in the generated SD image.
|
||||
'';
|
||||
};
|
||||
@ -74,7 +74,7 @@ in
|
||||
firmwarePartitionID = mkOption {
|
||||
type = types.str;
|
||||
default = "0x2178694e";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Volume ID for the /boot/firmware partition on the SD card. This value
|
||||
must be a 32-bit hexadecimal number.
|
||||
'';
|
||||
@ -83,7 +83,7 @@ in
|
||||
firmwarePartitionName = mkOption {
|
||||
type = types.str;
|
||||
default = "FIRMWARE";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Name of the filesystem which holds the boot firmware.
|
||||
'';
|
||||
};
|
||||
@ -92,7 +92,7 @@ in
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
UUID for the filesystem on the main NixOS partition on the SD card.
|
||||
'';
|
||||
};
|
||||
@ -101,14 +101,14 @@ in
|
||||
type = types.int;
|
||||
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
|
||||
default = 30;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Size of the /boot/firmware partition, in megabytes.
|
||||
'';
|
||||
};
|
||||
|
||||
populateFirmwareCommands = mkOption {
|
||||
example = literalExpression "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Shell commands to populate the ./firmware directory.
|
||||
All files in that directory are copied to the
|
||||
/boot/firmware partition on the SD image.
|
||||
@ -117,7 +117,7 @@ in
|
||||
|
||||
populateRootCommands = mkOption {
|
||||
example = literalExpression "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Shell commands to populate the ./files directory.
|
||||
All files in that directory are copied to the
|
||||
root (/) partition on the SD image. Use this to
|
||||
@ -128,7 +128,7 @@ in
|
||||
postBuildCommands = mkOption {
|
||||
example = literalExpression "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''";
|
||||
default = "";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Shell commands to run after the image is built.
|
||||
Can be used for boards requiring to dd u-boot SPL before actual partitions.
|
||||
'';
|
||||
@ -137,16 +137,16 @@ in
|
||||
compressImage = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Whether the SD image should be compressed using
|
||||
<command>zstd</command>.
|
||||
{command}`zstd`.
|
||||
'';
|
||||
};
|
||||
|
||||
expandOnBoot = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Whether to configure the sd image to expand it's partition on boot.
|
||||
'';
|
||||
};
|
||||
|
@ -241,7 +241,7 @@ in
|
||||
nixos.extraModules = mkOption {
|
||||
type = types.listOf types.raw;
|
||||
default = [];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Modules for which to show options even when not imported.
|
||||
'';
|
||||
};
|
||||
|
@ -117,13 +117,13 @@ in
|
||||
'';
|
||||
type = pkgsType;
|
||||
example = literalExpression "import <nixpkgs> {}";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
If set, the pkgs argument to all NixOS modules is the value of
|
||||
this option, extended with <literal>nixpkgs.overlays</literal>, if
|
||||
that is also set. Either <literal>nixpkgs.crossSystem</literal> or
|
||||
<literal>nixpkgs.localSystem</literal> will be used in an assertion
|
||||
this option, extended with `nixpkgs.overlays`, if
|
||||
that is also set. Either `nixpkgs.crossSystem` or
|
||||
`nixpkgs.localSystem` will be used in an assertion
|
||||
to check that the NixOS and Nixpkgs architectures match. Any
|
||||
other options in <literal>nixpkgs.*</literal>, notably <literal>config</literal>,
|
||||
other options in `nixpkgs.*`, notably `config`,
|
||||
will be ignored.
|
||||
|
||||
If unset, the pkgs argument to all NixOS modules is determined
|
||||
@ -132,18 +132,18 @@ in
|
||||
The default value imports the Nixpkgs source files
|
||||
relative to the location of this NixOS module, because
|
||||
NixOS and Nixpkgs are distributed together for consistency,
|
||||
so the <literal>nixos</literal> in the default value is in fact a
|
||||
relative path. The <literal>config</literal>, <literal>overlays</literal>,
|
||||
<literal>localSystem</literal>, and <literal>crossSystem</literal> come
|
||||
so the `nixos` in the default value is in fact a
|
||||
relative path. The `config`, `overlays`,
|
||||
`localSystem`, and `crossSystem` come
|
||||
from this option's siblings.
|
||||
|
||||
This option can be used by applications like NixOps to increase
|
||||
the performance of evaluation, or to create packages that depend
|
||||
on a container that should be built with the exact same evaluation
|
||||
of Nixpkgs, for example. Applications like this should set
|
||||
their default value using <literal>lib.mkDefault</literal>, so
|
||||
their default value using `lib.mkDefault`, so
|
||||
user-provided configuration can override it without using
|
||||
<literal>lib</literal>.
|
||||
`lib`.
|
||||
|
||||
Note that using a distinct version of Nixpkgs with NixOS may
|
||||
be an unexpected source of problems. Use this option with care.
|
||||
|
@ -23,7 +23,7 @@ in
|
||||
}
|
||||
'';
|
||||
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
A set with the key names being the environment variable you'd like to
|
||||
set and the values being a list of paths to text documents containing
|
||||
lists of words. The various files will be merged, sorted, duplicates
|
||||
|
@ -22,6 +22,7 @@
|
||||
./config/ldap.nix
|
||||
./config/locale.nix
|
||||
./config/malloc.nix
|
||||
./config/mysql.nix
|
||||
./config/networking.nix
|
||||
./config/no-x-libs.nix
|
||||
./config/nsswitch.nix
|
||||
@ -329,6 +330,7 @@
|
||||
./services/cluster/kubernetes/proxy.nix
|
||||
./services/cluster/kubernetes/scheduler.nix
|
||||
./services/cluster/pacemaker/default.nix
|
||||
./services/cluster/patroni/default.nix
|
||||
./services/cluster/spark/default.nix
|
||||
./services/computing/boinc/client.nix
|
||||
./services/computing/foldingathome/client.nix
|
||||
@ -618,6 +620,7 @@
|
||||
./services/misc/plikd.nix
|
||||
./services/misc/podgrab.nix
|
||||
./services/misc/polaris.nix
|
||||
./services/misc/portunus.nix
|
||||
./services/misc/prowlarr.nix
|
||||
./services/misc/tautulli.nix
|
||||
./services/misc/pinnwand.nix
|
||||
@ -637,6 +640,7 @@
|
||||
./services/misc/sonarr.nix
|
||||
./services/misc/sourcehut
|
||||
./services/misc/spice-vdagentd.nix
|
||||
./services/misc/spice-webdavd.nix
|
||||
./services/misc/ssm-agent.nix
|
||||
./services/misc/sssd.nix
|
||||
./services/misc/subsonic.nix
|
||||
@ -1074,6 +1078,7 @@
|
||||
./services/web-apps/jirafeau.nix
|
||||
./services/web-apps/jitsi-meet.nix
|
||||
./services/web-apps/keycloak.nix
|
||||
./services/web-apps/komga.nix
|
||||
./services/web-apps/lemmy.nix
|
||||
./services/web-apps/invidious.nix
|
||||
./services/web-apps/invoiceplane.nix
|
||||
@ -1099,6 +1104,7 @@
|
||||
./services/web-apps/prosody-filer.nix
|
||||
./services/web-apps/matomo.nix
|
||||
./services/web-apps/openwebrx.nix
|
||||
./services/web-apps/outline.nix
|
||||
./services/web-apps/restya-board.nix
|
||||
./services/web-apps/sogo.nix
|
||||
./services/web-apps/rss-bridge.nix
|
||||
@ -1134,6 +1140,7 @@
|
||||
./services/web-servers/pomerium.nix
|
||||
./services/web-servers/unit/default.nix
|
||||
./services/web-servers/tomcat.nix
|
||||
./services/web-servers/keter
|
||||
./services/web-servers/traefik.nix
|
||||
./services/web-servers/trafficserver/default.nix
|
||||
./services/web-servers/ttyd.nix
|
||||
|
@ -85,9 +85,9 @@ in
|
||||
bindInterface = mkOption {
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Binds <package>captive-browser</package> to the network interface declared in
|
||||
<literal>cfg.interface</literal>. This can be used to avoid collisions
|
||||
description = lib.mdDoc ''
|
||||
Binds `captive-browser` to the network interface declared in
|
||||
`cfg.interface`. This can be used to avoid collisions
|
||||
with private subnets.
|
||||
'';
|
||||
};
|
||||
|
@ -76,10 +76,10 @@ in
|
||||
|
||||
extraOpts = mkOption {
|
||||
type = types.attrs;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Extra chromium policy options. A list of available policies
|
||||
can be found in the Chrome Enterprise documentation:
|
||||
<link xlink:href="https://cloud.google.com/docs/chrome-enterprise/policies/">https://cloud.google.com/docs/chrome-enterprise/policies/</link>
|
||||
<https://cloud.google.com/docs/chrome-enterprise/policies/>
|
||||
Make sure the selected policy is supported on Linux and your browser version.
|
||||
'';
|
||||
default = {};
|
||||
|
@ -8,15 +8,15 @@ with lib;
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Whether to enable k3b, the KDE disk burning application.
|
||||
|
||||
Additionally to installing <package>k3b</package> enabling this will
|
||||
add <literal>setuid</literal> wrappers in <literal>/run/wrappers/bin</literal>
|
||||
for both <package>cdrdao</package> and <package>cdrecord</package>. On first
|
||||
run you must manually configure the path of <package>cdrdae</package> and
|
||||
<package>cdrecord</package> to correspond to the appropriate paths under
|
||||
<literal>/run/wrappers/bin</literal> in the "Setup External Programs" menu.
|
||||
Additionally to installing `k3b` enabling this will
|
||||
add `setuid` wrappers in `/run/wrappers/bin`
|
||||
for both `cdrdao` and `cdrecord`. On first
|
||||
run you must manually configure the path of `cdrdae` and
|
||||
`cdrecord` to correspond to the appropriate paths under
|
||||
`/run/wrappers/bin` in the "Setup External Programs" menu.
|
||||
'';
|
||||
};
|
||||
};
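Review bot: The converted description still carries the typo `cdrdae` on the line `run you must manually configure the path of ... and`, while the sentence before it correctly names the tool `cdrdao`. Since this commit rewrites every line of that text anyway, it is the moment to fix it: replace `cdrdae` with `cdrdao` on that line so the description matches the wrapper it refers to.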
|
||||
|
@ -17,7 +17,7 @@ in
|
||||
type = lib.types.bool;
|
||||
};
|
||||
withUtempter = mkOption {
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Whether to enable libutempter for mosh.
|
||||
This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions).
|
||||
Note, this will add a guid wrapper for the group utmp!
|
||||
|
@ -45,7 +45,7 @@ in {
|
||||
passwordeval = "cat /secrets/password.txt";
|
||||
};
|
||||
};
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Named accounts and their respective configurations.
|
||||
The special name "default" allows a default account to be defined.
|
||||
See msmtp(1) for the available options.
|
||||
|
@ -93,10 +93,10 @@ in
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra configuration text prepended to <filename>ssh_config</filename>. Other generated
|
||||
options will be added after a <literal>Host *</literal> pattern.
|
||||
See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
description = lib.mdDoc ''
|
||||
Extra configuration text prepended to {file}`ssh_config`. Other generated
|
||||
options will be added after a `Host *` pattern.
|
||||
See {manpage}`ssh_config(5)`
|
||||
for help.
|
||||
'';
|
||||
};
|
||||
|
@ -22,7 +22,7 @@ in
|
||||
default = "fuck";
|
||||
type = types.str;
|
||||
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
`thefuck` needs an alias to be configured.
|
||||
The default value is `fuck`, but you can use anything else as well.
|
||||
'';
|
||||
|
@ -95,13 +95,13 @@ let
|
||||
exclude.dir /nix/store
|
||||
include.encrypt /home/.../*
|
||||
'';
|
||||
description = ''
|
||||
<literal>include.*</literal> and
|
||||
<literal>exclude.*</literal> directives to be
|
||||
description = lib.mdDoc ''
|
||||
`include.*` and
|
||||
`exclude.*` directives to be
|
||||
used when sending files to the IBM TSM server.
|
||||
The lines will be written into a file that the
|
||||
<literal>inclexcl</literal>
|
||||
directive in <filename>dsm.sys</filename> points to.
|
||||
`inclexcl`
|
||||
directive in {file}`dsm.sys` points to.
|
||||
'';
|
||||
};
|
||||
options.extraConfig = mkOption {
|
||||
|
@ -62,7 +62,7 @@ in
|
||||
to use `yabar-unstable'.
|
||||
'';
|
||||
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
The package which contains the `yabar` binary.
|
||||
|
||||
Nixpkgs provides the `yabar` and `yabar-unstable`
|
||||
|
@ -49,7 +49,7 @@ in
|
||||
package = mkOption {
|
||||
default = pkgs.oh-my-zsh;
|
||||
defaultText = literalExpression "pkgs.oh-my-zsh";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Package to install for `oh-my-zsh` usage.
|
||||
'';
|
||||
|
||||
@ -67,7 +67,7 @@ in
|
||||
custom = mkOption {
|
||||
default = null;
|
||||
type = with types; nullOr str;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Path to a custom oh-my-zsh package to override config of oh-my-zsh.
|
||||
(Can't be used along with `customPkgs`).
|
||||
'';
|
||||
@ -76,7 +76,7 @@ in
|
||||
customPkgs = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.package;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
List of custom packages that should be loaded into `oh-my-zsh`.
|
||||
'';
|
||||
};
|
||||
@ -92,7 +92,7 @@ in
|
||||
cacheDir = mkOption {
|
||||
default = "$HOME/.cache/oh-my-zsh";
|
||||
type = types.str;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Cache directory to be used by `oh-my-zsh`.
|
||||
Without this option it would default to the read-only nix store.
|
||||
'';
|
||||
|
@ -11,7 +11,7 @@ in {
|
||||
package = mkOption {
|
||||
default = pkgs.zsh-autoenv;
|
||||
defaultText = literalExpression "pkgs.zsh-autoenv";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Package to install for `zsh-autoenv` usage.
|
||||
'';
|
||||
|
||||
|
@ -24,7 +24,7 @@ in
|
||||
strategy = mkOption {
|
||||
type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]);
|
||||
default = [ "history" ];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
`ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated.
|
||||
The strategies in the array are tried successively until a suggestion is found.
|
||||
There are currently three built-in strategies to choose from:
|
||||
|
@ -676,7 +676,7 @@ let
|
||||
inheritDefaults = mkOption {
|
||||
default = true;
|
||||
example = true;
|
||||
description = "Whether to inherit values set in `security.acme.defaults` or not.";
|
||||
description = lib.mdDoc "Whether to inherit values set in `security.acme.defaults` or not.";
|
||||
type = lib.types.bool;
|
||||
};
|
||||
};
|
||||
|
@ -81,8 +81,8 @@ services.nginx = {
|
||||
};
|
||||
|
||||
# We can also add a different vhost and reuse the same certificate
|
||||
# but we have to append extraDomainNames manually.
|
||||
<link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
|
||||
# but we have to append extraDomainNames manually beforehand:
|
||||
# <link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
|
||||
"baz.example.com" = {
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";
|
||||
|
@ -94,7 +94,7 @@ in {
|
||||
|
||||
<note><para>If this is <literal>false</literal> the resulting store
|
||||
path will be non-deterministic and will be rebuilt every time the
|
||||
<package>openssl</package> package changes.</para></note>
|
||||
<literal>openssl</literal> package changes.</para></note>
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -142,6 +142,16 @@ let
|
||||
'';
|
||||
};
|
||||
|
||||
mysqlAuth = mkOption {
|
||||
default = config.users.mysql.enable;
|
||||
defaultText = literalExpression "config.users.mysql.enable";
|
||||
type = types.bool;
|
||||
description = ''
|
||||
If set, the <literal>pam_mysql</literal> module will be used to
|
||||
authenticate users against a MySQL/MariaDB database.
|
||||
'';
|
||||
};
|
||||
|
||||
fprintAuth = mkOption {
|
||||
default = config.services.fprintd.enable;
|
||||
defaultText = literalExpression "config.services.fprintd.enable";
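Review bot: The new `mysqlAuth` option keeps a DocBook description (`<literal>pam_mysql</literal>`) while the sibling options touched by this commit are converted to `lib.mdDoc`, so the freshly added text is the one left in the old markup. Suggest `description = lib.mdDoc ''` with `pam_mysql` in Markdown backticks in the body. The description could also state how the module is wired in — it is added with the `sufficient` control flag in both the account and auth stacks, which matters to anyone combining it with another authentication module.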
|
||||
@ -310,11 +320,10 @@ let
|
||||
limits = mkOption {
|
||||
default = [];
|
||||
type = limitsType;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Attribute set describing resource limits. Defaults to the
|
||||
value of <option>security.pam.loginLimits</option>.
|
||||
The meaning of the values is explained in <citerefentry>
|
||||
<refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
value of {option}`security.pam.loginLimits`.
|
||||
The meaning of the values is explained in {manpage}`limits.conf(5)`.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -441,11 +450,13 @@ let
|
||||
(
|
||||
''
|
||||
# Account management.
|
||||
account required pam_unix.so
|
||||
'' +
|
||||
optionalString use_ldap ''
|
||||
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
||||
'' +
|
||||
optionalString cfg.mysqlAuth ''
|
||||
account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
|
||||
'' +
|
||||
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
|
||||
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
|
||||
'' +
|
||||
@ -459,7 +470,11 @@ let
|
||||
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
|
||||
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
|
||||
'' +
|
||||
# The required pam_unix.so module has to come after all the sufficient modules
|
||||
# because otherwise, the account lookup will fail if the user does not exist
|
||||
# locally, for example with MySQL- or LDAP-auth.
|
||||
''
|
||||
account required pam_unix.so
|
||||
|
||||
# Authentication management.
|
||||
'' +
|
||||
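Review bot: Moving `account required pam_unix.so` behind the `sufficient` entries does more than tolerate users that do not exist locally: once pam_ldap, pam_mysql or pam_sss returns success, Linux-PAM returns to the application without evaluating the rest of the stack, so pam_unix's local account checks (expiry and lock state) are no longer applied to any user those modules accept, including users who also have a local entry. If that trade-off is intended, the comment added here should state it explicitly, e.g. `# A success from any sufficient module above ends the stack, so pam_unix's expiry/lock checks are skipped for those users.`. The string concatenation this belongs to starts and ends outside the hunk.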
@ -475,6 +490,9 @@ let
|
||||
optionalString cfg.logFailures ''
|
||||
auth required pam_faillock.so
|
||||
'' +
|
||||
optionalString cfg.mysqlAuth ''
|
||||
auth sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
|
||||
'' +
|
||||
optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
|
||||
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
|
||||
'' +
|
||||
@ -503,7 +521,7 @@ let
|
||||
# Modules in this block require having the password set in PAM_AUTHTOK.
|
||||
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
||||
# after it succeeds. Certain modules need to run after pam_unix
|
||||
# prompts the user for password so we run it once with 'required' at an
|
||||
# prompts the user for password so we run it once with 'optional' at an
|
||||
# earlier point and it will run again with 'sufficient' further down.
|
||||
# We use try_first_pass the second time to avoid prompting password twice
|
||||
(optionalString (cfg.unixAuth &&
|
||||
@ -516,7 +534,7 @@ let
|
||||
|| cfg.duoSecurity.enable))
|
||||
(
|
||||
''
|
||||
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
|
||||
auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
|
||||
'' +
|
||||
optionalString config.security.pam.enableEcryptfs ''
|
||||
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
|
||||
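Review bot: Changing the first pam_unix pass from `required` to `optional` means a wrong local password at this point no longer fails the stack on its own; the outcome now rests entirely on the later `sufficient` pam_unix entry with `try_first_pass` (outside this hunk) and on the other `sufficient` modules in between. That dependency is only explained in the comment block changed in the preceding comment-only hunk, several lines above the code it describes; an inline comment on the changed line keeps the two from drifting, e.g. `# optional: only seeds PAM_AUTHTOK for the modules below; the sufficient pam_unix.so further down is authoritative`. If every module in between is also non-deciding for a given user, the stack's result falls to the final pam_unix line, which is the behaviour to keep in mind when adding further modules to this block.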
@ -572,6 +590,9 @@ let
|
||||
optionalString use_ldap ''
|
||||
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
||||
'' +
|
||||
optionalString cfg.mysqlAuth ''
|
||||
password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
|
||||
'' +
|
||||
optionalString config.services.sssd.enable ''
|
||||
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
|
||||
'' +
|
||||
@ -615,6 +636,9 @@ let
|
||||
optionalString use_ldap ''
|
||||
session optional ${pam_ldap}/lib/security/pam_ldap.so
|
||||
'' +
|
||||
optionalString cfg.mysqlAuth ''
|
||||
session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
|
||||
'' +
|
||||
optionalString config.services.sssd.enable ''
|
||||
session optional ${pkgs.sssd}/lib/security/pam_sss.so
|
||||
'' +
|
||||
@ -749,18 +773,18 @@ in
|
||||
}
|
||||
];
|
||||
|
||||
description =
|
||||
'' Define resource limits that should apply to users or groups.
|
||||
Each item in the list should be an attribute set with a
|
||||
<varname>domain</varname>, <varname>type</varname>,
|
||||
<varname>item</varname>, and <varname>value</varname>
|
||||
attribute. The syntax and semantics of these attributes
|
||||
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
description = ''
|
||||
Define resource limits that should apply to users or groups.
|
||||
Each item in the list should be an attribute set with a
|
||||
<varname>domain</varname>, <varname>type</varname>,
|
||||
<varname>item</varname>, and <varname>value</varname>
|
||||
attribute. The syntax and semantics of these attributes
|
||||
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
|
||||
Note that these limits do not apply to systemd services,
|
||||
whose limits can be changed via <option>systemd.extraConfig</option>
|
||||
instead.
|
||||
'';
|
||||
Note that these limits do not apply to systemd services,
|
||||
whose limits can be changed via <option>systemd.extraConfig</option>
|
||||
instead.
|
||||
'';
|
||||
};
|
||||
|
||||
security.pam.services = mkOption {
|
||||
@ -1236,6 +1260,9 @@ in
|
||||
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
|
||||
"mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so,
|
||||
'' +
|
||||
optionalString (isEnabled (cfg: cfg.mysqlAuth)) ''
|
||||
mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so,
|
||||
'' +
|
||||
optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
|
||||
mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
|
||||
'' +
|
||||
|
@ -46,7 +46,7 @@ in
|
||||
type = types.package;
|
||||
default = pkgs.sudo;
|
||||
defaultText = literalExpression "pkgs.sudo";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Which package to use for `sudo`.
|
||||
'';
|
||||
};
|
||||
|
@ -21,7 +21,7 @@ in
|
||||
"hbase.cluster.distributed" = "true";
|
||||
};
|
||||
type = types.attrsOf types.anything;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Default options for hbase-site.xml
|
||||
'';
|
||||
};
|
||||
@ -30,9 +30,9 @@ in
|
||||
type = with types; attrsOf anything;
|
||||
example = literalExpression ''
|
||||
'';
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Additional options and overrides for hbase-site.xml
|
||||
<link xlink:href="https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml"/>
|
||||
<https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml>
|
||||
'';
|
||||
};
|
||||
hbaseSiteInternal = mkOption {
|
||||
@ -50,11 +50,11 @@ in
|
||||
type = types.package;
|
||||
default = pkgs.hbase;
|
||||
defaultText = literalExpression "pkgs.hbase";
|
||||
description = "HBase package";
|
||||
description = lib.mdDoc "HBase package";
|
||||
};
|
||||
|
||||
rootdir = mkOption {
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
This option will set "hbase.rootdir" in hbase-site.xml and determine
|
||||
the directory shared by region servers and into which HBase persists.
|
||||
The URL should be 'fully-qualified' to include the filesystem scheme.
|
||||
@ -68,7 +68,7 @@ in
|
||||
default = "/hbase";
|
||||
};
|
||||
zookeeperQuorum = mkOption {
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
This option will set "hbase.zookeeper.quorum" in hbase-site.xml.
|
||||
Comma separated list of servers in the ZooKeeper ensemble.
|
||||
'';
|
||||
@ -83,7 +83,7 @@ in
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Open firewall ports for HBase master.
|
||||
'';
|
||||
};
|
||||
@ -94,7 +94,7 @@ in
|
||||
overrideHosts = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix
|
||||
Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records
|
||||
or /etc/hosts entries.
|
||||
@ -105,7 +105,7 @@ in
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Open firewall ports for HBase master.
|
||||
'';
|
||||
};
|
||||
|
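--- /dev/null
+++ b/nixos/modules/services/cluster/patroni/default.nix
@@ -0,0 +1,268 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.patroni;
+defaultUser = "patroni";
+defaultGroup = "patroni";
+format = pkgs.formats.yaml { };
+
+#boto doesn't support python 3.10 yet
+patroni = pkgs.patroni.override { pythonPackages = pkgs.python39Packages; };
+
+configFileName = "patroni-${cfg.scope}-${cfg.name}.yaml";
+configFile = format.generate configFileName cfg.settings;
+in
+{
+options.services.patroni = {
+
+enable = mkEnableOption "Patroni";
+
+postgresqlPackage = mkOption {
+type = types.package;
+example = literalExpression "pkgs.postgresql_14";
+description = mdDoc ''
+PostgreSQL package to use.
+Plugins can be enabled like this `pkgs.postgresql_14.withPackages (p: [ p.pg_safeupdate p.postgis ])`.
+'';
+};
+
+postgresqlDataDir = mkOption {
+type = types.path;
+defaultText = literalExpression ''"/var/lib/postgresql/''${config.services.patroni.postgresqlPackage.psqlSchema}"'';
+example = "/var/lib/postgresql/14";
+default = "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}";
+description = mdDoc ''
+The data directory for PostgreSQL. If left as the default value
+this directory will automatically be created before the PostgreSQL server starts, otherwise
+the sysadmin is responsible for ensuring the directory exists with appropriate ownership
+and permissions.
+'';
+};
+
+postgresqlPort = mkOption {
+type = types.port;
+default = 5432;
+description = mdDoc ''
+The port on which PostgreSQL listens.
+'';
+};
+
+user = mkOption {
+type = types.str;
+default = defaultUser;
+example = "postgres";
+description = mdDoc ''
+The user for the service. If left as the default value this user will automatically be created,
+otherwise the sysadmin is responsible for ensuring the user exists.
+'';
+};
+
+group = mkOption {
+type = types.str;
+default = defaultGroup;
+example = "postgres";
+description = mdDoc ''
+The group for the service. If left as the default value this group will automatically be created,
+otherwise the sysadmin is responsible for ensuring the group exists.
+'';
+};
+
+dataDir = mkOption {
+type = types.path;
+default = "/var/lib/patroni";
+description = mdDoc ''
+Folder where Patroni data will be written, used by Raft as well if enabled.
+'';
+};
+
+scope = mkOption {
+type = types.str;
+example = "cluster1";
+description = mdDoc ''
+Cluster name.
+'';
+};
+
+name = mkOption {
+type = types.str;
+example = "node1";
+description = mdDoc ''
+The name of the host. Must be unique for the cluster.
+'';
+};
+
+namespace = mkOption {
+type = types.str;
+default = "/service";
+description = mdDoc ''
+Path within the configuration store where Patroni will keep information about the cluster.
+'';
+};
+
+nodeIp = mkOption {
+type = types.str;
+example = "192.168.1.1";
+description = mdDoc ''
+IP address of this node.
+'';
+};
+
+otherNodesIps = mkOption {
+type = types.listOf types.string;
+example = [ "192.168.1.2" "192.168.1.3" ];
+description = mdDoc ''
+IP addresses of the other nodes.
+'';
+};
+
+restApiPort = mkOption {
+type = types.port;
+default = 8008;
+description = mdDoc ''
+The port on Patroni's REST api listens.
+'';
+};
+
+raft = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc ''
+This will configure Patroni to use its own RAFT implementation instead of using a dedicated DCS.
+'';
+};
+
+raftPort = mkOption {
+type = types.port;
+default = 5010;
+description = mdDoc ''
+The port on which RAFT listens.
+'';
+};
+
+softwareWatchdog = mkOption {
+type = types.bool;
+default = false;
+description = mdDoc ''
+This will configure Patroni to use the software watchdog built into the Linux kernel
+as described in the [documentation](https://patroni.readthedocs.io/en/latest/watchdog.html#setting-up-software-watchdog-on-linux).
+'';
+};
+
+settings = mkOption {
+type = format.type;
+default = { };
+description = mdDoc ''
+The primary patroni configuration. See the [documentation](https://patroni.readthedocs.io/en/latest/SETTINGS.html)
+for possible values.
+Secrets should be passed in by using the `environmentFiles` option.
+'';
+};
+
+environmentFiles = mkOption {
+type = with types; attrsOf (nullOr (oneOf [ str path package ]));
+default = { };
+example = {
+PATRONI_REPLICATION_PASSWORD = "/secret/file";
+PATRONI_SUPERUSER_PASSWORD = "/secret/file";
+};
+description = mdDoc "Environment variables made available to Patroni as files content, useful for providing secrets from files.";
+};
+};
+
+config = mkIf cfg.enable {
+
+services.patroni.settings = {
+scope = cfg.scope;
+name = cfg.name;
+namespace = cfg.namespace;
+
+restapi = {
+listen = "${cfg.nodeIp}:${toString cfg.restApiPort}";
+connect_address = "${cfg.nodeIp}:${toString cfg.restApiPort}";
+};
+
+raft = mkIf cfg.raft {
+data_dir = "${cfg.dataDir}/raft";
+self_addr = "${cfg.nodeIp}:5010";
+partner_addrs = map (ip: ip + ":5010") cfg.otherNodesIps;
+};
+
+postgresql = {
+listen = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
+connect_address = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
+data_dir = cfg.postgresqlDataDir;
+bin_dir = "${cfg.postgresqlPackage}/bin";
+pgpass = "${cfg.dataDir}/pgpass";
+};
+
+watchdog = mkIf cfg.softwareWatchdog {
+mode = "required";
+device = "/dev/watchdog";
+safety_margin = 5;
+};
+};
+
+
+users = {
+users = mkIf (cfg.user == defaultUser) {
+patroni = {
+group = cfg.group;
+isSystemUser = true;
+};
+};
+groups = mkIf (cfg.group == defaultGroup) {
+patroni = { };
+};
+};
+
+systemd.services = {
+patroni = {
+description = "Runners to orchestrate a high-availability PostgreSQL";
+
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+
+script = ''
+${concatStringsSep "\n" (attrValues (mapAttrs (name: path: ''export ${name}="$(< ${escapeShellArg path})"'') cfg.environmentFiles))}
+exec ${patroni}/bin/patroni ${configFile}
+'';
+
+serviceConfig = mkMerge [
+{
+User = cfg.user;
+Group = cfg.group;
+Type = "simple";
+Restart = "on-failure";
+TimeoutSec = 30;
+ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
+KillMode = "process";
+}
+(mkIf (cfg.postgresqlDataDir == "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}" && cfg.dataDir == "/var/lib/patroni") {
+StateDirectory = "patroni patroni/raft postgresql postgresql/${cfg.postgresqlPackage.psqlSchema}";
+StateDirectoryMode = "0750";
+})
+];
+};
+};
+
+boot.kernelModules = mkIf cfg.softwareWatchdog [ "softdog" ];
+
+services.udev.extraRules = mkIf cfg.softwareWatchdog ''
+KERNEL=="watchdog", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="0600"
+'';
+
+environment.systemPackages = [
+patroni
+cfg.postgresqlPackage
+(mkIf cfg.raft pkgs.python310Packages.pysyncobj)
+];
+
+environment.etc."${configFileName}".source = configFile;
+
+environment.sessionVariables = {
+PATRONICTL_CONFIG_FILE = "/etc/${configFileName}";
+};
+};
+
+meta.maintainers = [ maintainers.phfroidmont ];
+}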
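Review bot: The `raft` block hardcodes the port in `self_addr = "${cfg.nodeIp}:5010";` and `partner_addrs = map (ip: ip + ":5010") cfg.otherNodesIps;`, so the `raftPort` option declared above is never applied; both should read `${toString cfg.raftPort}` (e.g. `partner_addrs = map (ip: "${ip}:${toString cfg.raftPort}") cfg.otherNodesIps;`). `otherNodesIps` is typed `types.listOf types.string`, a deprecated alias that emits a warning — `types.str` matches the rest of the module. The Raft helper `pkgs.python310Packages.pysyncobj` is taken from a different Python package set than the `python39Packages` override used to build `patroni` itself, which presumably leaves Patroni's own interpreter without the module it needs when `raft` is on; worth confirming against the override. The REST API and PostgreSQL listeners are bound to `nodeIp` with no `openFirewall`-style handling, so the description of `nodeIp` or `restApiPort` should say the operator is responsible for restricting access to these ports.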
@ -121,10 +121,10 @@ in {
|
||||
keepalive = mkOption {
|
||||
default = 600;
|
||||
type = types.int;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
This is a number that indicates how frequently keepalive messages should be sent
|
||||
from the worker to the buildmaster, expressed in seconds.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
|
@ -193,7 +193,7 @@ in
|
||||
options.services.buildkite-agents = mkOption {
|
||||
type = types.attrsOf (types.submodule buildkiteOptions);
|
||||
default = {};
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Attribute set of buildkite agents.
|
||||
The attribute key is combined with the hostname and a unique integer to
|
||||
create the final agent name. This can be overridden by setting the `name`
|
||||
|
@ -103,15 +103,15 @@ let
|
||||
defaultText = literalExpression ''baseDirectory + "/secrets"'';
|
||||
};
|
||||
clusterJoinTokenPath = mkOption {
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Location of the cluster-join-token.key file.
|
||||
|
||||
You can retrieve the contents of the file when creating a new agent via
|
||||
<link xlink:href="https://hercules-ci.com/dashboard">https://hercules-ci.com/dashboard</link>.
|
||||
<https://hercules-ci.com/dashboard>.
|
||||
|
||||
As this value is confidential, it should not be in the store, but
|
||||
installed using other means, such as agenix, NixOps
|
||||
<literal>deployment.keys</literal>, or manual installation.
|
||||
`deployment.keys`, or manual installation.
|
||||
|
||||
The contents of the file are used for authentication between the agent and the API.
|
||||
'';
|
||||
@ -120,29 +120,28 @@ let
|
||||
defaultText = literalExpression ''staticSecretsDirectory + "/cluster-join-token.key"'';
|
||||
};
|
||||
binaryCachesPath = mkOption {
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Path to a JSON file containing binary cache secret keys.
|
||||
|
||||
As these values are confidential, they should not be in the store, but
|
||||
copied over using other means, such as agenix, NixOps
|
||||
<literal>deployment.keys</literal>, or manual installation.
|
||||
`deployment.keys`, or manual installation.
|
||||
|
||||
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/">https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/</link>.
|
||||
The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/>.
|
||||
'';
|
||||
type = types.path;
|
||||
default = config.staticSecretsDirectory + "/binary-caches.json";
|
||||
defaultText = literalExpression ''staticSecretsDirectory + "/binary-caches.json"'';
|
||||
};
|
||||
secretsJsonPath = mkOption {
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Path to a JSON file containing secrets for effects.
|
||||
|
||||
As these values are confidential, they should not be in the store, but
|
||||
copied over using other means, such as agenix, NixOps
|
||||
<literal>deployment.keys</literal>, or manual installation.
|
||||
|
||||
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/">https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/</link>.
|
||||
`deployment.keys`, or manual installation.
|
||||
|
||||
The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/>.
|
||||
'';
|
||||
type = types.path;
|
||||
default = config.staticSecretsDirectory + "/secrets.json";
|
||||
|
@ -87,7 +87,7 @@ in
|
||||
type = types.str;
|
||||
default = localDB;
|
||||
example = "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
The DBI string for Hydra database connection.
|
||||
|
||||
NOTE: Attempts to set `application_name` will be overridden by
|
||||
@ -115,8 +115,8 @@ in
|
||||
type = types.str;
|
||||
default = "*";
|
||||
example = "localhost";
|
||||
description = ''
|
||||
The hostname or address to listen on or <literal>*</literal> to listen
|
||||
description = lib.mdDoc ''
|
||||
The hostname or address to listen on or `*` to listen
|
||||
on all interfaces.
|
||||
'';
|
||||
};
|
||||
|
@ -97,9 +97,9 @@ in
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Open the firewall ports corresponding to FoundationDB processes and coordinators
|
||||
using <option>config.networking.firewall.*</option>.
|
||||
using {option}`config.networking.firewall.*`.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -35,9 +35,9 @@ in
|
||||
default = pkgs.mongodb;
|
||||
defaultText = literalExpression "pkgs.mongodb";
|
||||
type = types.package;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Which MongoDB derivation to use.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
|
@ -36,9 +36,9 @@ in
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
example = literalExpression "pkgs.mariadb";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Which MySQL derivation to use. MariaDB packages are supported too.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
|
@ -79,15 +79,15 @@ in
|
||||
authentication = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Defines how users authenticate themselves to the server. See the
|
||||
<link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html">PostgreSQL documentation for pg_hba.conf</link>
|
||||
[PostgreSQL documentation for pg_hba.conf](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html)
|
||||
for details on the expected format of this option. By default,
|
||||
peer based authentication will be used for users connecting
|
||||
via the Unix socket, and md5 password authentication will be
|
||||
used for users connecting via TCP. Any added rules will be
|
||||
inserted above the default rules. If you'd like to replace the
|
||||
default rules entirely, you can use <function>lib.mkForce</function> in your
|
||||
default rules entirely, you can use `lib.mkForce` in your
|
||||
module.
|
||||
'';
|
||||
};
|
||||
|
@ -10,6 +10,7 @@
|
||||
},
|
||||
"context.spa-libs": {
|
||||
"audio.convert.*": "audioconvert/libspa-audioconvert",
|
||||
"avb.*": "avb/libspa-avb",
|
||||
"api.alsa.*": "alsa/libspa-alsa",
|
||||
"api.v4l2.*": "v4l2/libspa-v4l2",
|
||||
"api.libcamera.*": "libcamera/libspa-libcamera",
|
||||
|
@ -34,7 +34,8 @@ with lib;
|
||||
];
|
||||
|
||||
# for $out/bin/install-printer-driver
|
||||
services.packagekit.enable = true;
|
||||
# TODO: Enable once #177946 is resolved
|
||||
# services.packagekit.enable = true;
|
||||
|
||||
};
|
||||
|
||||
|
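Review bot: Commenting out `services.packagekit.enable = true;` leaves the preceding `# for $out/bin/install-printer-driver` comment describing a line that no longer takes effect, and a commented-out option is easy to overlook later; one comment stating both the dependency and why it is off reads better, e.g. `# install-printer-driver needs packagekit; disabled until #177946 is resolved`. If the helper now fails without packagekit, an assertion or a release-note entry would make the regression visible instead of silent. The enclosing attribute set starts outside this hunk.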
@ -149,13 +149,14 @@ in {
|
||||
};
|
||||
}
|
||||
'';
|
||||
description = "Declarative kernel config
|
||||
description = lib.mdDoc ''
|
||||
Declarative kernel config.
|
||||
|
||||
Kernels can be declared in any language that supports and has the required
|
||||
dependencies to communicate with a jupyter server.
|
||||
In python's case, it means that ipykernel package must always be included in
|
||||
the list of packages of the targeted environment.
|
||||
";
|
||||
Kernels can be declared in any language that supports and has the required
|
||||
dependencies to communicate with a jupyter server.
|
||||
In python's case, it means that ipykernel package must always be included in
|
||||
the list of packages of the targeted environment.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -9,7 +9,7 @@ in {
|
||||
enable = lib.mkOption {
|
||||
default = false;
|
||||
type = lib.types.bool;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Enables the daemon for `lorri`, a nix-shell replacement for project
|
||||
development. The socket-activated daemon starts on the first request
|
||||
issued by the `lorri` command.
|
||||
|
@ -36,7 +36,7 @@ in {
|
||||
certificateChain = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Chain of CA-certificates to which our `certificateFile` is relative.
|
||||
Optional for TLS.
|
||||
'';
|
||||
|
@ -81,11 +81,11 @@ in
|
||||
|
||||
settings = mkOption {
|
||||
type = format.type;
|
||||
description = ''
|
||||
The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>.
|
||||
description = lib.mdDoc ''
|
||||
The ASF.json file, all the options are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config).
|
||||
Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything.
|
||||
`Headless` is also always set to `true` because there is no way to provide inputs via a systemd service.
|
||||
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>.
|
||||
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod).
|
||||
'';
|
||||
example = {
|
||||
Statistics = false;
|
||||
|
@ -41,7 +41,7 @@ in {
|
||||
stateDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/crossfire";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Where to store runtime data (save files, persistent items, etc).
|
||||
|
||||
If left at the default, this will be automatically created on server
|
||||
@ -61,7 +61,7 @@ in {
|
||||
|
||||
configFiles = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Text to append to the corresponding configuration files. Note that the
|
||||
files given in the example are *not* the complete set of files available
|
||||
to customize; look in /etc/crossfire after enabling the server to see
|
||||
|
@ -41,7 +41,7 @@ in {
|
||||
stateDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/deliantra";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Where to store runtime data (save files, persistent items, etc).
|
||||
|
||||
If left at the default, this will be automatically created on server
|
||||
|
@ -25,7 +25,7 @@ in
|
||||
gameId = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Id of the game to use. To list available games run
|
||||
`minetestserver --gameid list`.
|
||||
|
||||
@ -36,7 +36,7 @@ in
|
||||
world = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Name of the world to use. To list available worlds run
|
||||
`minetestserver --world list`.
|
||||
|
||||
@ -47,7 +47,7 @@ in
|
||||
configPath = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Path to the config to use.
|
||||
|
||||
If set to null, the config of the running user will be used:
|
||||
|
@ -131,6 +131,7 @@ in
|
||||
config = mkIf cfg.enable {
|
||||
users.users.terraria = {
|
||||
description = "Terraria server service user";
|
||||
group = "terraria";
|
||||
home = cfg.dataDir;
|
||||
createHome = true;
|
||||
uid = config.ids.uids.terraria;
|
||||
@ -138,7 +139,6 @@ in
|
||||
|
||||
users.groups.terraria = {
|
||||
gid = config.ids.gids.terraria;
|
||||
members = [ "terraria" ];
|
||||
};
|
||||
|
||||
systemd.services.terraria = {
|
||||
|
@ -15,9 +15,9 @@ let
|
||||
DisabledPlugins=${lib.concatStringsSep ";" cfg.disabledPlugins}
|
||||
'';
|
||||
};
|
||||
"fwupd/uefi.conf" = {
|
||||
source = pkgs.writeText "uefi.conf" ''
|
||||
[uefi]
|
||||
"fwupd/uefi_capsule.conf" = {
|
||||
source = pkgs.writeText "uefi_capsule.conf" ''
|
||||
[uefi_capsule]
|
||||
OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint}
|
||||
'';
|
||||
};
|
||||
|
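Review bot: Renaming the generated file from `fwupd/uefi.conf` to `fwupd/uefi_capsule.conf` and the section from `[uefi]` to `[uefi_capsule]` is a breaking change for configurations that override `environment.etc."fwupd/uefi.conf"` or append to the old section: their settings would silently stop applying while `OverrideESPMountPoint` keeps being written here. If the module exposes an option that feeds this file (not visible in the hunk), the rename should be mirrored there, and a release-note entry would make the change discoverable. The `environment.etc` attribute set this belongs to starts outside the hunk.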
@ -180,8 +180,8 @@ in
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.kanata;
|
||||
defaultText = lib.literalExpression "pkgs.kanata";
|
||||
example = lib.literalExpression "pkgs.kanata-with-cmd";
|
||||
defaultText = literalExpression "pkgs.kanata";
|
||||
example = literalExpression "pkgs.kanata-with-cmd";
|
||||
description = mdDoc ''
|
||||
The kanata package to use.
|
||||
|
||||
@ -198,7 +198,7 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = mkIf cfg.enable {
|
||||
hardware.uinput.enable = true;
|
||||
|
||||
systemd = {
|
||||
@ -211,5 +211,5 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ linj ];
|
||||
meta.maintainers = with maintainers; [ linj ];
|
||||
}
|
||||
|
@ -126,10 +126,10 @@ in {
|
||||
psycopg2
|
||||
];
|
||||
'';
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
List of packages to add to propagatedBuildInputs.
|
||||
|
||||
A popular example is <package>python3Packages.psycopg2</package>
|
||||
A popular example is `python3Packages.psycopg2`
|
||||
for PostgreSQL support in the recorder component.
|
||||
'';
|
||||
};
|
||||
|
@ -79,7 +79,7 @@ let
|
||||
priority = mkOption {
|
||||
type = types.int;
|
||||
default = 1000;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Order of this logrotate block in relation to the others. The semantics are
|
||||
the same as with `lib.mkOrder`. Smaller values have a greater priority.
|
||||
'';
|
||||
@ -260,7 +260,7 @@ in
|
||||
priority = mkOption {
|
||||
type = types.int;
|
||||
default = 1000;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Order of this logrotate block in relation to the others. The semantics are
|
||||
the same as with `lib.mkOrder`. Smaller values are inserted first.
|
||||
'';
|
||||
|
@ -355,125 +355,125 @@ in
|
||||
setgidGroup = mkOption {
|
||||
type = types.str;
|
||||
default = "postdrop";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
How to call postfix setgid group (for postdrop). Should
|
||||
be uniquely used group.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
networks = mkOption {
|
||||
type = types.nullOr (types.listOf types.str);
|
||||
default = null;
|
||||
example = ["192.168.0.1/24"];
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Net masks for trusted - allowed to relay mail to third parties -
|
||||
hosts. Leave empty to use mynetworks_style configuration or use
|
||||
default (localhost-only).
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
networksStyle = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Name of standard way of trusted network specification to use,
|
||||
leave blank if you specify it explicitly or if you want to use
|
||||
default (localhost-only).
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
hostname = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description ="
|
||||
description = lib.mdDoc ''
|
||||
Hostname to use. Leave blank to use just the hostname of machine.
|
||||
It should be FQDN.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description ="
|
||||
description = lib.mdDoc ''
|
||||
Domain to use. Leave blank to use hostname minus first component.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
origin = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description ="
|
||||
description = lib.mdDoc ''
|
||||
Origin to use in outgoing e-mail. Leave blank to use hostname.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
destination = mkOption {
|
||||
type = types.nullOr (types.listOf types.str);
|
||||
default = null;
|
||||
example = ["localhost"];
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Full (!) list of domains we deliver locally. Leave blank for
|
||||
acceptable Postfix default.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
relayDomains = mkOption {
|
||||
type = types.nullOr (types.listOf types.str);
|
||||
default = null;
|
||||
example = ["localdomain"];
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
List of domains we agree to relay to. Default is empty.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
relayHost = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Mail relay for outbound mail.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
relayPort = mkOption {
|
||||
type = types.int;
|
||||
default = 25;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
SMTP port for relay mail relay.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
lookupMX = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Whether relay specified is just domain whose MX must be used.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
postmasterAlias = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Who should receive postmaster e-mail. Multiple values can be added by
|
||||
separating values with comma.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
rootAlias = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Who should receive root e-mail. Blank for no redirection.
|
||||
Multiple values can be added by separating values with comma.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
extraAliases = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Additional entries to put verbatim into aliases file, cf. man-page aliases(8).
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
aliasMapType = mkOption {
|
||||
@ -497,9 +497,9 @@ in
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Extra lines to be added verbatim to the main.cf configuration file.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
tlsTrustedAuthorities = mkOption {
|
||||
@ -527,9 +527,9 @@ in
|
||||
type = types.str;
|
||||
default = "";
|
||||
example = "+";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Delimiter for address extension: so mail to user+test can be handled by ~user/.forward+test
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
canonical = mkOption {
|
||||
@ -543,9 +543,9 @@ in
|
||||
virtual = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Entries for the virtual alias map, cf. man-page virtual(5).
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
virtualMapType = mkOption {
|
||||
@ -572,9 +572,9 @@ in
|
||||
transport = mkOption {
|
||||
default = "";
|
||||
type = types.lines;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Entries for the transport map, cf. man-page transport(8).
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
dnsBlacklists = mkOption {
|
||||
|
@ -26,24 +26,24 @@ in
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
example = "/var/lib/dendrite/server.cert";
|
||||
default = null;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
The path to the TLS certificate.
|
||||
|
||||
<programlisting>
|
||||
```
|
||||
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
||||
</programlisting>
|
||||
```
|
||||
'';
|
||||
};
|
||||
tlsKey = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
example = "/var/lib/dendrite/server.key";
|
||||
default = null;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
The path to the TLS key.
|
||||
|
||||
<programlisting>
|
||||
```
|
||||
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
|
||||
</programlisting>
|
||||
```
|
||||
'';
|
||||
};
|
||||
environmentFile = lib.mkOption {
|
||||
@ -51,8 +51,7 @@ in
|
||||
example = "/var/lib/dendrite/registration_secret";
|
||||
default = null;
|
||||
description = ''
|
||||
Environment file as defined in <citerefentry>
|
||||
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
Secrets may be passed to the service without adding them to the world-readable
|
||||
Nix store, by specifying placeholder variables as the option value in Nix and
|
||||
setting these variables accordingly in the environment file. Currently only used
|
||||
@ -103,13 +102,13 @@ in
|
||||
lib.types.path
|
||||
(lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+");
|
||||
example = "$CREDENTIALS_DIRECTORY/private_key";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
The path to the signing private key file, used to sign
|
||||
requests and events.
|
||||
|
||||
<programlisting>
|
||||
```
|
||||
nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem"
|
||||
</programlisting>
|
||||
```
|
||||
'';
|
||||
};
|
||||
trusted_third_party_id_servers = lib.mkOption {
|
||||
|
@ -44,6 +44,12 @@ in {
|
||||
encryption = {
|
||||
allow = true;
|
||||
default = true;
|
||||
|
||||
verification_levels = {
|
||||
receive = "cross-signed-tofu";
|
||||
send = "cross-signed-tofu";
|
||||
share = "cross-signed-tofu";
|
||||
};
|
||||
};
|
||||
username_template = "facebook_{userid}";
|
||||
};
|
||||
@ -116,6 +122,8 @@ in {
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.groups.mautrix-facebook = {};
|
||||
|
||||
users.users.mautrix-facebook = {
|
||||
group = "mautrix-facebook";
|
||||
isSystemUser = true;
|
||||
|
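Review bot: The added `verification_levels` block pins `receive`, `send` and `share` to `cross-signed-tofu`, which by its name trusts the first cross-signing key seen for each user rather than requiring manual verification, and nothing in the hunk records that trade-off; the enclosing `settings` default it sits in continues outside the hunk. A one-line comment above the block would let operators see why the stricter `cross-signed-verified` level was not chosen, e.g. `# TOFU: the first cross-signing key seen per user is trusted; raise to cross-signed-verified if devices are verified manually`. Because these live inside the module's default `settings`, a user who replaces the `encryption` attrset wholesale presumably drops them silently, which is worth confirming against how `settings` is merged before relying on the default.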
@ -516,7 +516,7 @@ in {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
example = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Is the preview URL API enabled? If enabled, you *must* specify an
|
||||
explicit url_preview_ip_range_blacklist of IPs that the spider is
|
||||
denied from accessing.
|
||||
|
@ -133,10 +133,10 @@ in
|
||||
};
|
||||
};
|
||||
default = {};
|
||||
description = ''
|
||||
Configuration for <package>etebase-server</package>. Refer to
|
||||
<link xlink:href="https://github.com/etesync/server/blob/master/etebase-server.ini.example"/>
|
||||
and <link xlink:href="https://github.com/etesync/server/wiki"/>
|
||||
description = lib.mdDoc ''
|
||||
Configuration for `etebase-server`. Refer to
|
||||
<https://github.com/etesync/server/blob/master/etebase-server.ini.example>
|
||||
and <https://github.com/etesync/server/wiki>
|
||||
for details on supported values.
|
||||
'';
|
||||
example = {
|
||||
|
@ -71,9 +71,9 @@ in
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Whether to enable the exhibitor server.
|
||||
";
|
||||
'';
|
||||
};
|
||||
# See https://github.com/soabase/exhibitor/wiki/Running-Exhibitor for what these mean
|
||||
# General options for any type of config
|
||||
|
@ -22,11 +22,11 @@ in {
|
||||
enableReload = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Issue the <literal>reloadxml</literal> command to FreeSWITCH when configuration directory changes (instead of restart).
|
||||
See <link xlink:href="https://freeswitch.org/confluence/display/FREESWITCH/Reloading">FreeSWITCH documentation</link> for more info.
|
||||
The configuration directory is exposed at <filename>/etc/freeswitch</filename>.
|
||||
See also <literal>systemd.services.*.restartIfChanged</literal>.
|
||||
description = lib.mdDoc ''
|
||||
Issue the `reloadxml` command to FreeSWITCH when configuration directory changes (instead of restart).
|
||||
See [FreeSWITCH documentation](https://freeswitch.org/confluence/display/FREESWITCH/Reloading) for more info.
|
||||
The configuration directory is exposed at {file}`/etc/freeswitch`.
|
||||
See also `systemd.services.*.restartIfChanged`.
|
||||
'';
|
||||
};
|
||||
configTemplate = mkOption {
|
||||
|
@ -12,8 +12,7 @@ in
|
||||
options = {
|
||||
services.geoipupdate = {
|
||||
enable = lib.mkEnableOption ''
|
||||
periodic downloading of GeoIP databases using
|
||||
<productname>geoipupdate</productname>.
|
||||
periodic downloading of GeoIP databases using geoipupdate.
|
||||
'';
|
||||
|
||||
interval = lib.mkOption {
|
||||
@ -36,21 +35,20 @@ in
|
||||
ProxyUserPassword = { _secret = "/run/keys/proxy_pass"; };
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
<productname>geoipupdate</productname> configuration
|
||||
options. See
|
||||
<link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md"/>
|
||||
description = lib.mdDoc ''
|
||||
geoipupdate configuration options. See
|
||||
<https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md>
|
||||
for a full list of available options.
|
||||
|
||||
Settings containing secret data should be set to an
|
||||
attribute set containing the attribute
|
||||
<literal>_secret</literal> - a string pointing to a file
|
||||
`_secret` - a string pointing to a file
|
||||
containing the value the option should be set to. See the
|
||||
example to get a better picture of this: in the resulting
|
||||
<filename>GeoIP.conf</filename> file, the
|
||||
<literal>ProxyUserPassword</literal> key will be set to the
|
||||
{file}`GeoIP.conf` file, the
|
||||
`ProxyUserPassword` key will be set to the
|
||||
contents of the
|
||||
<filename>/run/keys/proxy_pass</filename> file.
|
||||
{file}`/run/keys/proxy_pass` file.
|
||||
'';
|
||||
type = lib.types.submodule {
|
||||
freeformType =
|
||||
@ -85,13 +83,12 @@ in
|
||||
|
||||
LicenseKey = lib.mkOption {
|
||||
type = with lib.types; either path (attrsOf path);
|
||||
description = ''
|
||||
A file containing the
|
||||
<productname>MaxMind</productname> license key.
|
||||
description = lib.mdDoc ''
|
||||
A file containing the MaxMind license key.
|
||||
|
||||
Always handled as a secret whether the value is
|
||||
wrapped in a <literal>{ _secret = ...; }</literal>
|
||||
attrset or not (refer to <xref linkend="opt-services.geoipupdate.settings"/> for
|
||||
wrapped in a `{ _secret = ...; }`
|
||||
attrset or not (refer to [](#opt-services.geoipupdate.settings) for
|
||||
details).
|
||||
'';
|
||||
apply = x: if isAttrs x then x else { _secret = x; };
|
||||
|
@ -183,7 +183,7 @@ in
|
||||
file = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = "Filename to be used for the dump. If `null` a default name is choosen by gitea.";
|
||||
description = lib.mdDoc "Filename to be used for the dump. If `null` a default name is choosen by gitea.";
|
||||
example = "gitea-dump";
|
||||
};
|
||||
};
|
||||
@ -293,12 +293,12 @@ in
|
||||
default = "${cfg.stateDir}/log";
|
||||
defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"'';
|
||||
type = types.str;
|
||||
description = "Root path for log files.";
|
||||
description = lib.mdDoc "Root path for log files.";
|
||||
};
|
||||
LEVEL = mkOption {
|
||||
default = "Info";
|
||||
type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ];
|
||||
description = "General log level.";
|
||||
description = lib.mdDoc "General log level.";
|
||||
};
|
||||
};
|
||||
|
||||
@ -306,14 +306,14 @@ in
|
||||
DISABLE_SSH = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Disable external SSH feature.";
|
||||
description = lib.mdDoc "Disable external SSH feature.";
|
||||
};
|
||||
|
||||
SSH_PORT = mkOption {
|
||||
type = types.int;
|
||||
default = 22;
|
||||
example = 2222;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
SSH port displayed in clone URL.
|
||||
The option is required to configure a service when the external visible port
|
||||
differs from the local listening port i.e. if port forwarding is used.
|
||||
@ -339,7 +339,7 @@ in
|
||||
COOKIE_SECURE = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Marks session cookies as "secure" as a hint for browsers to only send
|
||||
them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
|
||||
'';
|
||||
|
@ -338,10 +338,9 @@ in {
|
||||
default = 0;
|
||||
example = 48;
|
||||
apply = x: x * 60 * 60;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
How long to keep the backups around, in
|
||||
hours. <literal>0</literal> means <quote>keep
|
||||
forever</quote>.
|
||||
hours. `0` means “keep forever”.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -415,9 +414,9 @@ in {
|
||||
databaseHost = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
GitLab database hostname. An empty string means <quote>use
|
||||
local unix socket connection</quote>.
|
||||
description = lib.mdDoc ''
|
||||
GitLab database hostname. An empty string means
|
||||
“use local unix socket connection”.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -752,8 +751,7 @@ in {
|
||||
description = ''
|
||||
The number of worker processes Puma should spawn. This
|
||||
controls the amount of parallel Ruby code can be
|
||||
executed. GitLab recommends <quote>Number of CPU cores -
|
||||
1</quote>, but at least two.
|
||||
executed. GitLab recommends <literal>Number of CPU cores - 1</literal>, but at least two.
|
||||
|
||||
<note>
|
||||
<para>
|
||||
|
@ -14,12 +14,11 @@ in
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Enable gitolite management under the
|
||||
<literal>gitolite</literal> user. After
|
||||
`gitolite` user. After
|
||||
switching to a configuration with Gitolite enabled, you can
|
||||
then run <literal>git clone
|
||||
gitolite@host:gitolite-admin.git</literal> to manage it further.
|
||||
then run `git clone gitolite@host:gitolite-admin.git` to manage it further.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -72,25 +71,25 @@ in
|
||||
@{$RC{ENABLE}} = grep { $_ ne 'desc' } @{$RC{ENABLE}}; # disable the command/feature
|
||||
'''
|
||||
'';
|
||||
description = ''
|
||||
Extra configuration to append to the default <literal>~/.gitolite.rc</literal>.
|
||||
description = lib.mdDoc ''
|
||||
Extra configuration to append to the default `~/.gitolite.rc`.
|
||||
|
||||
This should be Perl code that modifies the <literal>%RC</literal>
|
||||
configuration variable. The default <literal>~/.gitolite.rc</literal>
|
||||
content is generated by invoking <literal>gitolite print-default-rc</literal>,
|
||||
This should be Perl code that modifies the `%RC`
|
||||
configuration variable. The default `~/.gitolite.rc`
|
||||
content is generated by invoking `gitolite print-default-rc`,
|
||||
and extra configuration from this option is appended to it. The result
|
||||
is placed to Nix store, and the <literal>~/.gitolite.rc</literal> file
|
||||
is placed to Nix store, and the `~/.gitolite.rc` file
|
||||
becomes a symlink to it.
|
||||
|
||||
If you already have a customized (or otherwise changed)
|
||||
<literal>~/.gitolite.rc</literal> file, NixOS will refuse to replace
|
||||
`~/.gitolite.rc` file, NixOS will refuse to replace
|
||||
it with a symlink, and the `gitolite-init` initialization service
|
||||
will fail. In this situation, in order to use this option, you
|
||||
will need to take any customizations you may have in
|
||||
<literal>~/.gitolite.rc</literal>, convert them to appropriate Perl
|
||||
`~/.gitolite.rc`, convert them to appropriate Perl
|
||||
statements, add them to this option, and remove the file.
|
||||
|
||||
See also the <literal>enableGitAnnex</literal> option.
|
||||
See also the `enableGitAnnex` option.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -82,7 +82,7 @@ in
|
||||
'';
|
||||
configFile = mkOption {
|
||||
type = path;
|
||||
description = "Path to firmware config which is generated using `klipper-genconf`";
|
||||
description = lib.mdDoc "Path to firmware config which is generated using `klipper-genconf`";
|
||||
};
|
||||
};
|
||||
});
|
||||
|
@ -264,7 +264,7 @@ in
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "/root/.ssh/id_buildhost_builduser";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
The path to the SSH private key with which to authenticate on
|
||||
the build machine. The private key must not have a passphrase.
|
||||
If null, the building user (root on NixOS machines) must have an
|
||||
@ -562,13 +562,13 @@ in
|
||||
trusted-public-keys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
List of public keys used to sign binary caches. If
|
||||
<option>nix.settings.trusted-public-keys</option> is enabled,
|
||||
{option}`nix.settings.trusted-public-keys` is enabled,
|
||||
then Nix will use a binary from a binary cache if and only
|
||||
if it is signed by <emphasis>any</emphasis> of the keys
|
||||
if it is signed by *any* of the keys
|
||||
listed here. By default, only the key for
|
||||
<uri>cache.nixos.org</uri> is included.
|
||||
`cache.nixos.org` is included.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -605,13 +605,13 @@ in
|
||||
type = types.listOf types.str;
|
||||
default = [ "*" ];
|
||||
example = [ "@wheel" "@builders" "alice" "bob" ];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
A list of names of users (separated by whitespace) that are
|
||||
allowed to connect to the Nix daemon. As with
|
||||
<option>nix.settings.trusted-users</option>, you can specify groups by
|
||||
prefixing them with <literal>@</literal>. Also, you can
|
||||
allow all users by specifying <literal>*</literal>. The
|
||||
default is <literal>*</literal>. Note that trusted users are
|
||||
{option}`nix.settings.trusted-users`, you can specify groups by
|
||||
prefixing them with `@`. Also, you can
|
||||
allow all users by specifying `*`. The
|
||||
default is `*`. Note that trusted users are
|
||||
always allowed to connect.
|
||||
'';
|
||||
};
|
||||
|
288
nixos/modules/services/misc/portunus.nix
Normal file
@ -0,0 +1,288 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.portunus;
|
||||
|
||||
in
|
||||
{
|
||||
options.services.portunus = {
|
||||
enable = mkEnableOption "Portunus, a self-contained user/group management and authentication service for LDAP";
|
||||
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
example = "sso.example.com";
|
||||
description = "Subdomain which gets reverse proxied to Portunus webserver.";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 8080;
|
||||
description = ''
|
||||
Port where the Portunus webserver should listen on.
|
||||
|
||||
This must be put behind a TLS-capable reverse proxy because Portunus only listens on localhost.
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.portunus;
|
||||
defaultText = "pkgs.portunus";
|
||||
description = "The Portunus package to use.";
|
||||
};
|
||||
|
||||
seedPath = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a portunus seed file in json format.
|
||||
See <link xlink:href="https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration"/> for available options.
|
||||
'';
|
||||
};
|
||||
|
||||
stateDir = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/portunus";
|
||||
description = "Path where Portunus stores its state.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "portunus";
|
||||
description = "User account under which Portunus runs its webserver.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "portunus";
|
||||
description = "Group account under which Portunus runs its webserver.";
|
||||
};
|
||||
|
||||
dex = {
|
||||
enable = mkEnableOption ''
|
||||
Dex ldap connector.
|
||||
|
||||
To activate dex, first a search user must be created in the Portunus web ui
|
||||
and then the password must to be set as the <literal>DEX_SEARCH_USER_PASSWORD</literal> environment variable
|
||||
in the <xref linkend="opt-services.dex.environmentFile"/> setting.
|
||||
'';
|
||||
|
||||
oidcClients = mkOption {
|
||||
type = types.listOf (types.submodule {
|
||||
options = {
|
||||
callbackURL = mkOption {
|
||||
type = types.str;
|
||||
description = "URL where the OIDC client should redirect";
|
||||
};
|
||||
id = mkOption {
|
||||
type = types.str;
|
||||
description = "ID of the OIDC client";
|
||||
};
|
||||
};
|
||||
});
|
||||
default = [ ];
|
||||
example = [
|
||||
{
|
||||
callbackURL = "https://example.com/client/oidc/callback";
|
||||
id = "service";
|
||||
}
|
||||
];
|
||||
description = ''
|
||||
List of OIDC clients.
|
||||
|
||||
The OIDC secret must be set as the <literal>DEX_CLIENT_''${id}</literal> environment variable
|
||||
in the <xref linkend="opt-services.dex.environmentFile"/> setting.
|
||||
'';
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 5556;
|
||||
description = "Port where dex should listen on.";
|
||||
};
|
||||
};
|
||||
|
||||
ldap = {
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.openldap;
|
||||
defaultText = "pkgs.openldap";
|
||||
description = "The OpenLDAP package to use.";
|
||||
};
|
||||
|
||||
searchUserName = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
example = "admin";
|
||||
description = ''
|
||||
The login name of the search user.
|
||||
This user account must be configured in Portunus either manually or via seeding.
|
||||
'';
|
||||
};
|
||||
|
||||
suffix = mkOption {
|
||||
type = types.str;
|
||||
example = "dc=example,dc=org";
|
||||
description = ''
|
||||
The DN of the topmost entry in your LDAP directory.
|
||||
Please refer to the Portunus documentation for more information on how this impacts the structure of the LDAP directory.
|
||||
'';
|
||||
};
|
||||
|
||||
tls = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Wether to enable LDAPS protocol.
|
||||
This also adds two entries to the <literal>/etc/hosts</literal> file to point <xref linkend="opt-services.portunus.domain"/> to localhost,
|
||||
so that CLIs and programs can use ldaps protocol and verify the certificate without opening the firewall port for the protocol.
|
||||
|
||||
This requires a TLS certificate for <xref linkend="opt-services.portunus.domain"/> to be configured via <xref linkend="opt-security.acme.certs"/>.
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "openldap";
|
||||
description = "User account under which Portunus runs its LDAP server.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "openldap";
|
||||
description = "Group account under which Portunus runs its LDAP server.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.dex.enable -> cfg.ldap.searchUserName != "";
|
||||
message = "services.portunus.dex.enable requires services.portunus.ldap.searchUserName to be set.";
|
||||
}
|
||||
];
|
||||
|
||||
# add ldapsearch(1) etc. to interactive shells
|
||||
environment.systemPackages = [ cfg.ldap.package ];
|
||||
|
||||
# allow connecting via ldaps /w certificate without opening ports
|
||||
networking.hosts = mkIf cfg.ldap.tls {
|
||||
"::1" = [ cfg.domain ];
|
||||
"127.0.0.1" = [ cfg.domain ];
|
||||
};
|
||||
|
||||
services.dex = mkIf cfg.dex.enable {
|
||||
enable = true;
|
||||
settings = {
|
||||
issuer = "https://${cfg.domain}/dex";
|
||||
web.http = "127.0.0.1:${toString cfg.dex.port}";
|
||||
storage = {
|
||||
type = "sqlite3";
|
||||
config.file = "/var/lib/dex/dex.db";
|
||||
};
|
||||
enablePasswordDB = false;
|
||||
connectors = [{
|
||||
type = "ldap";
|
||||
id = "ldap";
|
||||
name = "LDAP";
|
||||
config = {
|
||||
host = "${cfg.domain}:636";
|
||||
bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
|
||||
bindPW = "$DEX_SEARCH_USER_PASSWORD";
|
||||
userSearch = {
|
||||
baseDN = "ou=users,${cfg.ldap.suffix}";
|
||||
filter = "(objectclass=person)";
|
||||
username = "uid";
|
||||
idAttr = "uid";
|
||||
emailAttr = "mail";
|
||||
nameAttr = "cn";
|
||||
preferredUsernameAttr = "uid";
|
||||
};
|
||||
groupSearch = {
|
||||
baseDN = "ou=groups,${cfg.ldap.suffix}";
|
||||
filter = "(objectclass=groupOfNames)";
|
||||
nameAttr = "cn";
|
||||
userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
|
||||
};
|
||||
};
|
||||
}];
|
||||
|
||||
staticClients = forEach cfg.dex.oidcClients (client: {
|
||||
inherit (client) id;
|
||||
redirectURIs = [ client.callbackURI ];
|
||||
name = "OIDC for ${client.id}";
|
||||
secret = "$DEX_CLIENT_${client.id}";
|
||||
});
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
dex.serviceConfig = mkIf cfg.dex.enable {
|
||||
# `dex.service` is super locked down out of the box, but we need some
|
||||
# place to write the SQLite database. This creates $STATE_DIRECTORY below
|
||||
# /var/lib/private because DynamicUser=true, but it gets symlinked into
|
||||
# /var/lib/dex inside the unit
|
||||
StateDirectory = "dex";
|
||||
};
|
||||
|
||||
portunus = {
|
||||
description = "Self-contained authentication service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig.ExecStart = "${cfg.package.out}/bin/portunus-orchestrator";
|
||||
environment = {
|
||||
PORTUNUS_LDAP_SUFFIX = cfg.ldap.suffix;
|
||||
PORTUNUS_SERVER_BINARY = "${cfg.package}/bin/portunus-server";
|
||||
PORTUNUS_SERVER_GROUP = cfg.group;
|
||||
PORTUNUS_SERVER_USER = cfg.user;
|
||||
PORTUNUS_SERVER_HTTP_LISTEN = "[::]:${toString cfg.port}";
|
||||
PORTUNUS_SERVER_STATE_DIR = cfg.stateDir;
|
||||
PORTUNUS_SLAPD_BINARY = "${cfg.ldap.package}/libexec/slapd";
|
||||
PORTUNUS_SLAPD_GROUP = cfg.ldap.group;
|
||||
PORTUNUS_SLAPD_USER = cfg.ldap.user;
|
||||
PORTUNUS_SLAPD_SCHEMA_DIR = "${cfg.ldap.package}/etc/schema";
|
||||
} // (optionalAttrs (cfg.seedPath != null) ({
|
||||
PORTUNUS_SEED_PATH = cfg.seedPath;
|
||||
})) // (optionalAttrs cfg.ldap.tls (
|
||||
let
|
||||
acmeDirectory = config.security.acme.certs."${cfg.domain}".directory;
|
||||
in
|
||||
{
|
||||
PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt";
|
||||
PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem";
|
||||
PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain;
|
||||
PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem";
|
||||
}));
|
||||
};
|
||||
};
|
||||
|
||||
users.users = mkMerge [
|
||||
(mkIf (cfg.ldap.user == "openldap") {
|
||||
openldap = {
|
||||
group = cfg.ldap.group;
|
||||
isSystemUser = true;
|
||||
};
|
||||
})
|
||||
(mkIf (cfg.user == "portunus") {
|
||||
portunus = {
|
||||
group = cfg.group;
|
||||
isSystemUser = true;
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
users.groups = mkMerge [
|
||||
(mkIf (cfg.ldap.user == "openldap") {
|
||||
openldap = { };
|
||||
})
|
||||
(mkIf (cfg.user == "portunus") {
|
||||
portunus = { };
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
meta.maintainers = [ majewsky ] ++ teams.c3d2.members;
|
||||
}
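Review bot: `PORTUNUS_SERVER_HTTP_LISTEN = "[::]:${toString cfg.port}";` binds the plain-HTTP web UI on every interface, while the `port` option description says Portunus "only listens on localhost" and must sit behind a TLS reverse proxy; either bind to loopback, `PORTUNUS_SERVER_HTTP_LISTEN = "127.0.0.1:${toString cfg.port}";`, or correct the description so nobody assumes the unencrypted UI is unreachable from the network. `redirectURIs = [ client.callbackURI ];` references an attribute the submodule defines as `callbackURL`, so any non-empty `dex.oidcClients` list fails at evaluation; the fix is `redirectURIs = [ client.callbackURL ];`. The dex connector is pointed at `${cfg.domain}:636` with no `insecureNoSSL`, so it presumably needs `ldap.tls = true` (which is also what adds the `/etc/hosts` entry that makes the certificate verify); adding `{ assertion = cfg.dex.enable -> cfg.ldap.tls; message = "services.portunus.dex.enable requires services.portunus.ldap.tls."; }` next to the existing assertion would make that explicit. Finally `meta.maintainers = [ majewsky ]` is unbound under `with lib;` and should read `[ maintainers.majewsky ]`.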
|
@ -50,7 +50,7 @@ in {
|
||||
type = with types; attrsOf str;
|
||||
default = { };
|
||||
example = { DATADIR = "/custom/path/for/rmfakecloud/data"; };
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Extra settings in the form of a set of key-value pairs.
|
||||
For tokens and secrets, use `environmentFile` instead.
|
||||
|
||||
|
38
nixos/modules/services/misc/spice-webdavd.nix
Normal file
@ -0,0 +1,38 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.services.spice-webdavd;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.spice-webdavd = {
|
||||
enable = mkEnableOption "the spice guest webdav proxy daemon";
|
||||
|
||||
package = mkOption {
|
||||
default = pkgs.phodav;
|
||||
defaultText = literalExpression "pkgs.phodav";
|
||||
type = types.package;
|
||||
description = "spice-webdavd provider package to use.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# ensure the webdav fs this exposes can actually be mounted
|
||||
services.davfs2.enable = true;
|
||||
|
||||
# add the udev rule which starts the proxy when the spice socket is present
|
||||
services.udev.packages = [ cfg.package ];
|
||||
|
||||
systemd.services.spice-webdavd = {
|
||||
description = "spice-webdav proxy daemon";
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${cfg.package}/bin/spice-webdavd -p 9843";
|
||||
Restart = "on-success";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
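Review bot: The `systemd.services.spice-webdavd` unit at the end of the file runs as root with no sandboxing (no `DynamicUser`, `ProtectSystem`, `ProtectHome` or `CapabilityBoundingSet`) for a daemon that udev starts whenever the spice device appears and that then serves a WebDAV endpoint; unless spice-webdavd needs more than the virtio-serial device node, `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;` would fit, with a `DeviceAllow` once the device path it opens is confirmed. The TCP port is hard-coded as `-p 9843` in `ExecStart`; exposing it as `services.spice-webdavd.port` (`types.port`, default 9843) would let users resolve conflicts and document the listener, and whether the daemon binds loopback only is not visible here and should be checked before treating the port as local-only. `Restart = "on-success"` restarts the proxy only after a clean exit, so a crash leaves it down until udev re-triggers it; if that is intentional, a comment such as `# udev restarts the proxy when the spice socket reappears; do not restart on failure` would save the next reader the question.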
|
@ -3,6 +3,10 @@ with lib;
|
||||
let
|
||||
cfg = config.services.sssd;
|
||||
nscd = config.services.nscd;
|
||||
|
||||
dataDir = "/var/lib/sssd";
|
||||
settingsFile = "${dataDir}/sssd.conf";
|
||||
settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
|
||||
in {
|
||||
options = {
|
||||
services.sssd = {
|
||||
@ -47,6 +51,30 @@ in {
|
||||
Kerberos will be configured to cache credentials in SSS.
|
||||
'';
|
||||
};
|
||||
environmentFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Environment file as defined in <citerefentry>
|
||||
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
|
||||
</citerefentry>.
|
||||
|
||||
Secrets may be passed to the service without adding them to the world-readable
|
||||
Nix store, by specifying placeholder variables as the option value in Nix and
|
||||
setting these variables accordingly in the environment file.
|
||||
|
||||
<programlisting>
|
||||
# snippet of sssd-related config
|
||||
[domain/LDAP]
|
||||
ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
|
||||
</programlisting>
|
||||
|
||||
<programlisting>
|
||||
# contents of the environment file
|
||||
SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
|
||||
</programlisting>
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
config = mkMerge [
|
||||
@ -60,22 +88,29 @@ in {
|
||||
wants = [ "nss-user-lookup.target" ];
|
||||
restartTriggers = [
|
||||
config.environment.etc."nscd.conf".source
|
||||
config.environment.etc."sssd/sssd.conf".source
|
||||
settingsFileUnsubstituted
|
||||
];
|
||||
script = ''
|
||||
export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
|
||||
mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
|
||||
${pkgs.sssd}/bin/sssd -D
|
||||
${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
PIDFile = "/run/sssd.pid";
|
||||
StateDirectory = baseNameOf dataDir;
|
||||
# We cannot use LoadCredential here because it's not available in ExecStartPre
|
||||
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."sssd/sssd.conf" = {
|
||||
text = cfg.config;
|
||||
mode = "0400";
|
||||
preStart = ''
|
||||
[ -f ${settingsFile} ] && rm -f ${settingsFile}
|
||||
old_umask=$(umask)
|
||||
umask 0177
|
||||
${pkgs.envsubst}/bin/envsubst \
|
||||
-o ${settingsFile} \
|
||||
-i ${settingsFileUnsubstituted}
|
||||
umask $old_umask
|
||||
'';
|
||||
};
|
||||
|
||||
system.nssModules = [ pkgs.sssd ];
|
||||
|
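Review bot: `settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;` in the first hunk passes a derivation name that contains `/` (it expands to `/var/lib/sssd/sssd-unsubstituted.conf`), which is not a valid store-path name, so evaluation of the new code is expected to fail; the first argument of `writeText` is the store name, not a destination path. `settingsFileUnsubstituted = pkgs.writeText "sssd-unsubstituted.conf" cfg.config;` is sufficient, since the file is only read back through `-i ${settingsFileUnsubstituted}` in the third hunk. The `preStart` in the third hunk otherwise does the right thing for the substituted secret (umask 0177 before `envsubst` writes `${settingsFile}`), so the rendered config is not readable beyond the service's user.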
@ -80,7 +80,7 @@ in {
|
||||
webserver = mkOption {
|
||||
type = types.enum [ "nginx" "none" ];
|
||||
default = "nginx";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
The webserver to configure for the PHP frontend.
|
||||
|
||||
Set it to `none` if you want to configure it yourself. PRs are welcome
|
||||
|
@ -52,7 +52,7 @@ in {
|
||||
|
||||
buildMinimalPackage = mkOption {
|
||||
default = false;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Build a minimal collectd package with only the configured `services.collectd.plugins`
|
||||
'';
|
||||
type = bool;
|
||||
|
@ -60,7 +60,7 @@ in {
|
||||
package = mkOption {
|
||||
default = pkgs.datadog-agent;
|
||||
defaultText = literalExpression "pkgs.datadog-agent";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Which DataDog v7 agent package to use. Note that the provided
|
||||
package is expected to have an overridable `pythonPackages`-attribute
|
||||
which configures the Python environment with the Datadog
|
||||
@ -168,7 +168,7 @@ in {
|
||||
};
|
||||
|
||||
checks = mkOption {
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Configuration for all Datadog checks. Keys of this attribute
|
||||
set will be used as the name of the check to create the
|
||||
appropriate configuration in `conf.d/$check.d/conf.yaml`.
|
||||
|
@ -38,8 +38,8 @@ in
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
description = ''
|
||||
Configuration for <package>grafana-agent</package>.
|
||||
description = lib.mdDoc ''
|
||||
Configuration for `grafana-agent`.
|
||||
|
||||
See https://grafana.com/docs/agent/latest/configuration/
|
||||
'';
|
||||
|
@ -63,7 +63,7 @@ in {
|
||||
default = "default";
|
||||
type = types.enum [ "default" "reusable" "clustered" ];
|
||||
description = ''
|
||||
Rendering mode of <package>grafana-image-renderer</package>:
|
||||
Rendering mode of <literal>grafana-image-renderer</literal>:
|
||||
<itemizedlist>
|
||||
<listitem><para><literal>default:</literal> Creates on browser-instance
|
||||
per rendering request.</para></listitem>
|
||||
@ -79,8 +79,8 @@ in {
|
||||
args = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "--no-sandbox" ];
|
||||
description = ''
|
||||
List of CLI flags passed to <package>chromium</package>.
|
||||
description = lib.mdDoc ''
|
||||
List of CLI flags passed to `chromium`.
|
||||
'';
|
||||
};
|
||||
};
|
||||
@ -89,10 +89,10 @@ in {
|
||||
|
||||
default = {};
|
||||
|
||||
description = ''
|
||||
Configuration attributes for <package>grafana-image-renderer</package>.
|
||||
description = lib.mdDoc ''
|
||||
Configuration attributes for `grafana-image-renderer`.
|
||||
|
||||
See <link xlink:href="https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json"/>
|
||||
See <https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json>
|
||||
for supported values.
|
||||
'';
|
||||
};
|
||||
|
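Review bot: The rewritten description of `args` says only `List of CLI flags passed to `chromium`.` while the unchanged default directly above it, `default = [ "--no-sandbox" ];`, disables chromium's own process sandbox; the new doc text should say so, so a reader evaluating the option understands what the default gives up. A single added sentence is enough: `Note that the default `--no-sandbox` turns off chromium's process sandbox.`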
@ -20,11 +20,11 @@ in {
|
||||
apiKeyFile = mkOption {
|
||||
type = types.path;
|
||||
example = "/run/keys/mackerel-api-key";
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Path to file containing the Mackerel API key. The file should contain a
|
||||
single line of the following form:
|
||||
|
||||
<literallayout>apikey = "EXAMPLE_API_KEY"</literallayout>
|
||||
`apikey = "EXAMPLE_API_KEY"`
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -91,11 +91,11 @@ in
|
||||
enable = mkEnableOption ''<link xlink:href="http://www.nagios.org/">Nagios</link> to monitor your system or network.'';
|
||||
|
||||
objectDefs = mkOption {
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
A list of Nagios object configuration files that must define
|
||||
the hosts, host groups, services and contacts for the
|
||||
network that you want Nagios to monitor.
|
||||
";
|
||||
'';
|
||||
type = types.listOf types.path;
|
||||
example = literalExpression "[ ./objects.cfg ]";
|
||||
};
|
||||
@ -104,18 +104,18 @@ in
|
||||
type = types.listOf types.package;
|
||||
default = with pkgs; [ monitoring-plugins msmtp mailutils ];
|
||||
defaultText = literalExpression "[pkgs.monitoring-plugins pkgs.msmtp pkgs.mailutils]";
|
||||
description = "
|
||||
description = ''
|
||||
Packages to be added to the Nagios <envar>PATH</envar>.
|
||||
Typically used to add plugins, but can be anything.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
mainConfigFile = mkOption {
|
||||
type = types.nullOr types.package;
|
||||
default = null;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
If non-null, overrides the main configuration file of Nagios.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
@ -139,19 +139,19 @@ in
|
||||
type = types.package;
|
||||
default = nagiosCGICfgFile;
|
||||
defaultText = literalExpression "nagiosCGICfgFile";
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Derivation for the configuration file of Nagios CGI scripts
|
||||
that can be used in web servers for running the Nagios web interface.
|
||||
";
|
||||
'';
|
||||
};
|
||||
|
||||
enableWebInterface = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "
|
||||
description = lib.mdDoc ''
|
||||
Whether to enable the Nagios web interface. You should also
|
||||
enable Apache (<option>services.httpd.enable</option>).
|
||||
";
|
||||
enable Apache ({option}`services.httpd.enable`).
|
||||
'';
|
||||
};
|
||||
|
||||
virtualHost = mkOption {
|
||||
|
@ -251,7 +251,7 @@ let
|
||||
authorization = mkOption {
|
||||
type = types.nullOr types.attrs;
|
||||
default = null;
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Sets the `Authorization` header on every scrape request with the configured credentials.
|
||||
'';
|
||||
};
|
||||
@ -664,7 +664,7 @@ let
|
||||
promTypes.dockerswarm_sd_config = mkDockerSdConfigModule {
|
||||
role = mkOption {
|
||||
type = types.enum [ "services" "tasks" "nodes" ];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`.
|
||||
'';
|
||||
};
|
||||
@ -1222,7 +1222,7 @@ let
|
||||
|
||||
role = mkOption {
|
||||
type = types.enum [ "instance" "baremetal" ];
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
Role of the targets to retrieve. Must be `instance` or `baremetal`.
|
||||
'';
|
||||
};
|
||||
@ -1729,16 +1729,15 @@ in
|
||||
type = with types; either bool (enum [ "syntax-only" ]);
|
||||
default = true;
|
||||
example = "syntax-only";
|
||||
description = ''
|
||||
Check configuration with <literal>promtool
|
||||
check</literal>. The call to <literal>promtool</literal> is
|
||||
description = lib.mdDoc ''
|
||||
Check configuration with `promtool check`. The call to `promtool` is
|
||||
subject to sandboxing by Nix.
|
||||
|
||||
If you use credentials stored in external files
|
||||
(<literal>password_file</literal>, <literal>bearer_token_file</literal>, etc),
|
||||
they will not be visible to <literal>promtool</literal>
|
||||
(`password_file`, `bearer_token_file`, etc),
|
||||
they will not be visible to `promtool`
|
||||
and it will report errors, despite a correct configuration.
|
||||
To resolve this, you may set this option to <literal>"syntax-only"</literal>
|
||||
To resolve this, you may set this option to `"syntax-only"`
|
||||
in order to only syntax check the Prometheus configuration.
|
||||
'';
|
||||
};
|
||||
|
@ -33,10 +33,10 @@ in
|
||||
work with this exporter:
|
||||
<programlisting>
|
||||
{
|
||||
<xref linkend="opt-services.prometheus.exporters.dovecot.enable"/> = true;
|
||||
<xref linkend="opt-services.prometheus.exporters.dovecot.socketPath"/> = "/var/run/dovecot2/old-stats";
|
||||
<xref linkend="opt-services.dovecot2.mailPlugins.globally.enable"/> = [ "old_stats" ];
|
||||
<xref linkend="opt-services.dovecot2.extraConfig"/> = '''
|
||||
services.prometheus.exporters.dovecot.enable = true;
|
||||
services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats";
|
||||
services.dovecot2.mailPlugins.globally.enable = [ "old_stats" ];
|
||||
services.dovecot2.extraConfig = '''
|
||||
service old-stats {
|
||||
unix_listener old-stats {
|
||||
user = dovecot-exporter
|
||||
|
@ -11,8 +11,8 @@ in {
|
||||
type = types.str;
|
||||
default = "${pkgs.knot-dns.out}/lib/libknot.so";
|
||||
defaultText = literalExpression ''"''${pkgs.knot-dns.out}/lib/libknot.so"'';
|
||||
description = ''
|
||||
Path to the library of <package>knot-dns</package>.
|
||||
description = lib.mdDoc ''
|
||||
Path to the library of `knot-dns`.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -121,7 +121,7 @@ let
|
||||
It's possible to work around the issue with a config like this:
|
||||
<programlisting>
|
||||
{
|
||||
<link linkend="opt-services.rspamd.locals._name_.text">services.rspamd.locals."multimap.conf".text</link> = '''
|
||||
services.rspamd.locals."multimap.conf".text = '''
|
||||
ALLOWLIST_PROMETHEUS {
|
||||
filter = "email:domain:tld";
|
||||
type = "from";
|
||||
|
@ -10,7 +10,7 @@ in {
|
||||
settings = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
description = ''
|
||||
description = lib.mdDoc ''
|
||||
All settings of nginxlog expressed as an Nix attrset.
|
||||
|
||||
Check the official documentation for the corresponding YAML
|
||||
|
@ -12,7 +12,7 @@ in {
|
||||
example = "/run/keys/ldap_pass";
|
||||
description = ''
|
||||
Environment file to contain the credentials to authenticate against
|
||||
<package>openldap</package>.
|
||||
<literal>openldap</literal>.
|
||||
|
||||
The file should look like this:
|
||||
<programlisting>
|
||||
@ -26,15 +26,15 @@ in {
|
||||
default = "tcp";
|
||||
example = "udp";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Which protocol to use to connect against <package>openldap</package>.
|
||||
description = lib.mdDoc ''
|
||||
Which protocol to use to connect against `openldap`.
|
||||
'';
|
||||
};
|
||||
ldapAddr = mkOption {
|
||||
default = "localhost:389";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Address of the <package>openldap</package>-instance.
|
||||
description = lib.mdDoc ''
|
||||
Address of the `openldap`-instance.
|
||||
'';
|
||||
};
|
||||
metricsPath = mkOption {
|
||||
|