merge master & re-run generate.sh

Johannes Kirschbauer 2022-08-22 16:21:06 +02:00
commit f46c9675a4
1239 changed files with 77563 additions and 9681 deletions


@ -36,3 +36,6 @@ d08ede042b74b8199dc748323768227b88efcf7c
# fix indentation in mk-python-derivation.nix
d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
# fix indentation in meteor default.nix
f76b359e4a55267ddd4e9e149e7cc13ae5cad98a

.github/CODEOWNERS vendored

@ -108,9 +108,9 @@
/pkgs/top-level/haskell-packages.nix @cdepillabout @sternenseemann @maralorn
# Perl
/pkgs/development/interpreters/perl @stigtsp @zakame
/pkgs/top-level/perl-packages.nix @stigtsp @zakame
/pkgs/development/perl-modules @stigtsp @zakame
/pkgs/development/interpreters/perl @stigtsp @zakame @dasJ
/pkgs/top-level/perl-packages.nix @stigtsp @zakame @dasJ
/pkgs/development/perl-modules @stigtsp @zakame @dasJ
# R
/pkgs/applications/science/math/R @jbedo


@ -36,6 +36,9 @@ buildImage {
WorkingDir = "/data";
Volumes = { "/data" = { }; };
};
diskSize = 1024;
buildVMMemorySize = 512;
}
```
@ -59,6 +62,10 @@ The above example will build a Docker image `redis/latest` from the given base i
- `config` is used to specify the configuration of the containers that will be started off the built image in Docker. The available options are listed in the [Docker Image Specification v1.2.0](https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions).
- `diskSize` is used to specify the disk size of the VM used to build the image in megabytes. By default it's 1024 MiB.
- `buildVMMemorySize` is used to specify the memory size of the VM to build the image in megabytes. By default it's 512 MiB.
After the new layer has been created, its closure (to which `contents`, `config` and `runAsRoot` contribute) will be copied in the layer itself. Only new dependencies that are not already in the existing layers will be copied.
At the end of the process, only one new single layer will be produced and added to the resulting image.


@ -871,12 +871,27 @@ Constructs a wrapper for a program with various possible arguments. It is define
# adds `FOOBAR=baz` to `$out/bin/foo`s environment
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
# prefixes the binary paths of `hello` and `git`
# Prefixes the binary paths of `hello` and `git`
# and suffixes the binary path of `xdg-utils`.
# Be advised that paths often should be patched in directly
# (via string replacements or in `configurePhase`).
makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello git ]}
makeWrapper $out/bin/foo $wrapperfile \
--prefix PATH : ${lib.makeBinPath [ hello git ]} \
--suffix PATH : ${lib.makeBinPath [ xdg-utils ]}
```
Packages may expect or require other utilities to be available at runtime.
`makeWrapper` can be used to add packages to a `PATH` environment variable local to a wrapper.
Use `--prefix` to explicitly set dependencies in `PATH`.
:::{note}
`--prefix` essentially hard-codes dependencies into the wrapper.
They cannot be overridden without rebuilding the package.
:::
If dependencies should be resolved at runtime, use `--suffix` to append fallback values to `PATH`.
Theres many more kinds of arguments, they are documented in `nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh` for the `makeWrapper` implementation and in `nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh` for the `makeBinaryWrapper` implementation.
`wrapProgram` is a convenience function you probably want to use most of the time, implemented by both `makeWrapper` and `makeBinaryWrapper`.


@ -36,7 +36,7 @@ rec {
forEach = xs: f: map f xs;
/* right fold a binary function `op` between successive elements of
`list` with `nul' as the starting value, i.e.,
`list` with `nul` as the starting value, i.e.,
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.
Type: foldr :: (a -> b -> b) -> b -> [a] -> b


@ -115,6 +115,12 @@
githubId = 7414843;
name = "Nicholas von Klitzing";
};
_360ied = {
name = "Brian Zhu";
email = "therealbarryplayer@gmail.com";
github = "360ied";
githubId = 19516527;
};
_13r0ck = {
name = "Brock Szuszczewicz";
email = "bnr@tuta.io";
@ -1359,6 +1365,12 @@
githubId = 9315;
name = "Zhong Jianxin";
};
a-kenji = {
email = "aks.kenji@protonmail.com";
github = "a-kenji";
githubId = 65275785;
name = "Alexander Kenji Berthold";
};
b4dm4n = {
email = "fabianm88@gmail.com";
github = "B4dM4n";
@ -1778,7 +1790,7 @@
};
booklearner = {
name = "booklearner";
email = "hey@booklearner.org";
email = "booklearner@proton.me";
matrix = "@booklearner:matrix.org";
github = "booklearner";
githubId = 103979114;
@ -3738,6 +3750,12 @@
githubId = 537775;
name = "Emery Hemingway";
};
eigengrau = {
email = "seb@schattenkopie.de";
name = "Sebastian Reuße";
github = "eigengrau";
githubId = 4939947;
};
eikek = {
email = "eike.kettner@posteo.de";
github = "eikek";
@ -6343,6 +6361,16 @@
}];
name = "Ioannis Koutras";
};
jonaenz = {
name = "Jona Enzinger";
email = "5xt3zyy5l@mozmail.com";
matrix = "@jona:matrix.jonaenz.de";
github = "jonaenz";
githubId = 57130301;
keys = [{
fingerprint = "1CC5 B67C EB9A 13A5 EDF6 F10E 0B4A 3662 FC58 9202";
}];
};
jonafato = {
email = "jon@jonafato.com";
github = "jonafato";
@ -6957,12 +6985,6 @@
fingerprint = "8992 44FC D291 5CA2 0A97 802C 156C 88A5 B0A0 4B2A";
}];
};
kiyengar = {
email = "hello@kiyengar.net";
github = "karthikiyengar";
githubId = 8260207;
name = "Karthik Iyengar";
};
kjeremy = {
email = "kjeremy@gmail.com";
name = "Jeremy Kolb";
@ -7262,7 +7284,7 @@
};
lassulus = {
email = "lassulus@gmail.com";
matrix = "@lassulus:nixos.dev";
matrix = "@lassulus:lassul.us";
github = "Lassulus";
githubId = 621759;
name = "Lassulus";
@ -7956,6 +7978,12 @@
githubId = 31056089;
name = "Tom Ho";
};
majewsky = {
email = "majewsky@gmx.net";
github = "majewsky";
githubId = 24696;
name = "Stefan Majewsky";
};
majiir = {
email = "majiir@nabaal.net";
github = "Majiir";
@ -10178,6 +10206,16 @@
fingerprint = "5D69 CF04 B7BC 2BC1 A567 9267 00BC F29B 3208 0700";
}];
};
phfroidmont = {
name = "Paul-Henri Froidmont";
email = "nix.contact-j9dw4d@froidmont.org";
github = "phfroidmont";
githubId = 8150907;
keys = [{
fingerprint = "3AC6 F170 F011 33CE 393B CD94 BE94 8AFD 7E78 73BE";
}];
};
philandstuff = {
email = "philip.g.potter@gmail.com";
github = "philandstuff";
@ -13488,6 +13526,15 @@
githubId = 619015;
name = "Svintsov Dmitry";
};
urandom = {
email = "colin@urandom.co.uk";
github = "arnottcr";
githubId = 2526260;
keys = [{
fingerprint = "04A3 A2C6 0042 784A AEA7 D051 0447 A663 F7F3 E236";
}];
name = "Colin Arnott";
};
urbas = {
email = "matej.urbas@gmail.com";
github = "urbas";
@ -13856,6 +13903,12 @@
github = "wamserma";
githubId = 60148;
};
water-sucks = {
email = "varun@cvte.org";
name = "Varun Narravula";
github = "water-sucks";
githubId = 68445574;
};
waynr = {
name = "Wayne Warren";
email = "wayne.warren.s@gmail.com";
@ -13911,6 +13964,15 @@
github = "wentasah";
githubId = 140542;
};
wesnel = {
name = "Wesley Nelson";
email = "wgn@wesnel.dev";
github = "wesnel";
githubId = 43357387;
keys = [{
fingerprint = "F844 80B2 0CA9 D6CC C7F5 2479 A776 D2AD 099E 8BC0";
}];
};
wheelsandmetal = {
email = "jakob@schmutz.co.uk";
github = "wheelsandmetal";
@ -14058,6 +14120,15 @@
github = "wr0belj";
githubId = 40501814;
};
wrmilling = {
name = "Winston R. Milling";
email = "Winston@Milli.ng";
github = "WRMilling";
githubId = 6162814;
keys = [{
fingerprint = "21E1 6B8D 2EE8 7530 6A6C 9968 D830 77B9 9F8C 6643";
}];
};
wscott = {
email = "wsc9tt@gmail.com";
github = "wscott";


@ -2130,6 +2130,13 @@ sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
</programlisting>
</listitem>
<listitem>
<para>
Added the <literal>keter</literal> NixOS module. Keter reverse
proxies requests to your loaded application based on virtual
hostnames.
</para>
</listitem>
<listitem>
<para>
If you are using Wayland you can choose to use the Ozone


@ -70,6 +70,34 @@
with any supported NixOS release.
</para>
</listitem>
<listitem>
<para>
<literal>emacs</literal> enables native compilation which
means:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
emacs packages from nixpkgs, builtin or not, will do
native compilation ahead of time so you can enjoy the
benefit of native compilation without compiling them on
you machine;
</para>
</listitem>
<listitem>
<para>
emacs packages from somewhere else, e.g.
<literal>package-install</literal>, will do asynchronously
deferred native compilation. If you do not want this,
maybe to avoid CPU consumption for compilation, you can
use
<literal>(setq native-comp-deferred-compilation nil)</literal>
to disable it while still enjoy the benefit of native
compilation for packages from nixpkgs.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>nixos-generate-config</literal> now generates
@ -97,7 +125,9 @@
</listitem>
<listitem>
<para>
Cinnamon has been updated to 5.4.
Cinnamon has been updated to 5.4. While at it, the cinnamon
module now defaults to blueman as bluetooth manager and
slick-greeter as lightdm greeter to match upstream.
</para>
</listitem>
<listitem>
@ -138,6 +168,13 @@
<link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://komga.org/">Komga</link>, a free and
open source comics/mangas media server. Available as
<link linkend="opt-services.komga.enable">services.komga</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://hbase.apache.org/">HBase
@ -161,6 +198,13 @@
<link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.getoutline.com/">Outline</link>,
a wiki and knowledge base similar to Notion. Available as
<link linkend="opt-services.outline.enable">services.outline</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>,
@ -191,6 +235,14 @@
<link linkend="opt-services.tempo.enable">services.tempo</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/zalando/patroni">Patroni</link>,
a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
Available as
<link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-incompatibilities">


@ -778,6 +778,7 @@ In addition to numerous new and upgraded packages, this release has the followin
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
```
- Added the `keter` NixOS module. Keter reverse proxies requests to your loaded application based on virtual hostnames.
- If you are using Wayland you can choose to use the Ozone Wayland support
in Chrome and several Electron apps by setting the environment variable


@ -35,6 +35,10 @@ In addition to numerous new and upgraded packages, this release has the followin
for a transition period so that in time the ecosystem can switch without
breaking compatibility with any supported NixOS release.
- `emacs` enables native compilation which means:
- emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
- emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs.
- `nixos-generate-config` now generates configurations that can be built in pure
mode. This is achieved by setting the new `nixpkgs.hostPlatform` option.
@ -46,7 +50,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- PHP now defaults to PHP 8.1, updated from 8.0.
- Cinnamon has been updated to 5.4.
- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement.
@ -59,6 +64,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
@ -67,6 +74,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization.
Available as [services.kanata](options.html#opt-services.kanata.enable).
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
@ -75,6 +84,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
Available as [services.patroni](options.html#opt-services.patroni.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}


@ -285,6 +285,8 @@ in rec {
Documentation = toString config.documentation; }
// optionalAttrs (config.onFailure != []) {
OnFailure = toString config.onFailure; }
// optionalAttrs (config.onSuccess != []) {
OnSuccess = toString config.onSuccess; }
// optionalAttrs (options.startLimitIntervalSec.isDefined) {
StartLimitIntervalSec = toString config.startLimitIntervalSec;
} // optionalAttrs (options.startLimitBurst.isDefined) {


@ -206,6 +206,15 @@ in rec {
'';
};
onSuccess = mkOption {
default = [];
type = types.listOf unitNameType;
description = ''
A list of one or more units that are activated when
this unit enters the "inactive" state.
'';
};
startLimitBurst = mkOption {
type = types.int;
description = ''
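Review bot: The `onSuccess` option text (and the matching `OnSuccess = toString config.onSuccess;` emitted in the earlier unit-serialisation hunk of this commit) does not say which systemd understands the key; to my knowledge `OnSuccess=` first appeared in systemd 249, and an older systemd warns about an unknown `[Unit]` key and ignores it, so the configured units never fire. A sentence such as `Requires systemd 249 or newer.` in the description would make that visible (worth confirming against the systemd NEWS file before quoting the number). The description is also still a plain string while the rest of this commit converts descriptions to `lib.mdDoc`; `description = lib.mdDoc ''` would keep the file consistent. The enclosing option set continues outside the hunk.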


@ -204,11 +204,11 @@ in {
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
These lines go to the end of <literal>krb5.conf</literal> verbatim.
<literal>krb5.conf</literal> may include any of the relations that are
valid for <literal>kdc.conf</literal> (see <literal>man
kdc.conf</literal>), but it is not a recommended practice.
description = lib.mdDoc ''
These lines go to the end of `krb5.conf` verbatim.
`krb5.conf` may include any of the relations that are
valid for `kdc.conf` (see `man kdc.conf`),
but it is not a recommended practice.
'';
};


@ -186,16 +186,16 @@ in
policy = mkOption {
default = "hard_open";
type = types.enum [ "hard_open" "hard_init" "soft" ];
description = ''
description = lib.mdDoc ''
Specifies the policy to use for reconnecting to an unavailable
LDAP server. The default is <literal>hard_open</literal>, which
LDAP server. The default is `hard_open`, which
reconnects if opening the connection to the directory server
failed. By contrast, <literal>hard_init</literal> reconnects if
failed. By contrast, `hard_init` reconnects if
initializing the connection failed. Initializing may not
actually contact the directory server, and it is possible that
a malformed configuration file will trigger reconnection. If
<literal>soft</literal> is specified, then
<package>nss_ldap</package> will return immediately on server
`soft` is specified, then
`nss_ldap` will return immediately on server
failure. All hard reconnect policies block with exponential
backoff before retrying.
'';


@ -0,0 +1,519 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.users.mysql;
in
{
options = {
users.mysql = {
enable = mkEnableOption "Authentication against a MySQL/MariaDB database";
host = mkOption {
type = types.str;
example = "localhost";
description = "The hostname of the MySQL/MariaDB server";
};
database = mkOption {
type = types.str;
example = "auth";
description = "The name of the database containing the users";
};
user = mkOption {
type = types.str;
example = "nss-user";
description = "The username to use when connecting to the database";
};
passwordFile = mkOption {
type = types.path;
example = "/run/secrets/mysql-auth-db-passwd";
description = "The path to the file containing the password for the user";
};
pam = mkOption {
description = "Settings for <literal>pam_mysql</literal>";
type = types.submodule {
options = {
table = mkOption {
type = types.str;
example = "users";
description = "The name of table that maps unique login names to the passwords.";
};
updateTable = mkOption {
type = types.nullOr types.str;
default = null;
example = "users_updates";
description = ''
The name of the table used for password alteration. If not defined, the value
of the <literal>table</literal> option will be used instead.
'';
};
userColumn = mkOption {
type = types.str;
example = "username";
description = "The name of the column that contains a unix login name.";
};
passwordColumn = mkOption {
type = types.str;
example = "password";
description = "The name of the column that contains a (encrypted) password string.";
};
statusColumn = mkOption {
type = types.nullOr types.str;
default = null;
example = "status";
description = ''
The name of the column or an SQL expression that indicates the status of
the user. The status is expressed by the combination of two bitfields
shown below:
<itemizedlist>
<listitem>
<para>
<literal>bit 0 (0x01)</literal>:
if flagged, <literal>pam_mysql</literal> deems the account to be expired and
returns <literal>PAM_ACCT_EXPIRED</literal>. That is, the account is supposed
to no longer be available. Note this doesn't mean that <literal>pam_mysql</literal>
rejects further authentication operations.
</para>
</listitem>
<listitem>
<para>
<literal>bit 1 (0x02)</literal>:
if flagged, <literal>pam_mysql</literal> deems the authentication token
(password) to be expired and returns <literal>PAM_NEW_AUTHTOK_REQD</literal>.
This ends up requiring that the user enter a new password.
</para>
</listitem>
</itemizedlist>
'';
};
passwordCrypt = mkOption {
example = "2";
type = types.enum [
"0" "plain"
"1" "Y"
"2" "mysql"
"3" "md5"
"4" "sha1"
"5" "drupal7"
"6" "joomla15"
"7" "ssha"
"8" "sha512"
"9" "sha256"
];
description = ''
The method to encrypt the user's password:
<itemizedlist>
<listitem>
<para>
<literal>0</literal> (or <literal>"plain"</literal>):
No encryption. Passwords are stored in plaintext. HIGHLY DISCOURAGED.
</para>
</listitem>
<listitem>
<para>
<literal>1</literal> (or <literal>"Y"</literal>):
Use crypt(3) function.
</para>
</listitem>
<listitem>
<para>
<literal>2</literal> (or <literal>"mysql"</literal>):
Use the MySQL PASSWORD() function. It is possible that the encryption function used
by <literal>pam_mysql</literal> is different from that of the MySQL server, as
<literal>pam_mysql</literal> uses the function defined in MySQL's C-client API
instead of using PASSWORD() SQL function in the query.
</para>
</listitem>
<listitem>
<para>
<literal>3</literal> (or <literal>"md5"</literal>):
Use plain hex MD5.
</para>
</listitem>
<listitem>
<para>
<literal>4</literal> (or <literal>"sha1"</literal>):
Use plain hex SHA1.
</para>
</listitem>
<listitem>
<para>
<literal>5</literal> (or <literal>"drupal7"</literal>):
Use Drupal7 salted passwords.
</para>
</listitem>
<listitem>
<para>
<literal>6</literal> (or <literal>"joomla15"</literal>):
Use Joomla15 salted passwords.
</para>
</listitem>
<listitem>
<para>
<literal>7</literal> (or <literal>"ssha"</literal>):
Use ssha hashed passwords.
</para>
</listitem>
<listitem>
<para>
<literal>8</literal> (or <literal>"sha512"</literal>):
Use sha512 hashed passwords.
</para>
</listitem>
<listitem>
<para>
<literal>9</literal> (or <literal>"sha256"</literal>):
Use sha256 hashed passwords.
</para>
</listitem>
</itemizedlist>
'';
};
cryptDefault = mkOption {
type = types.nullOr (types.enum [ "md5" "sha256" "sha512" "blowfish" ]);
default = null;
example = "blowfish";
description = "The default encryption method to use for <literal>passwordCrypt = 1</literal>.";
};
where = mkOption {
type = types.nullOr types.str;
default = null;
example = "host.name='web' AND user.active=1";
description = "Additional criteria for the query.";
};
verbose = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, produces logs with detailed messages that describes what
<literal>pam_mysql</literal> is doing. May be useful for debugging.
'';
};
disconnectEveryOperation = mkOption {
type = types.bool;
default = false;
description = ''
By default, <literal>pam_mysql</literal> keeps the connection to the MySQL
database until the session is closed. If this option is set to true it
disconnects every time the PAM operation has finished. This option may
be useful in case the session lasts quite long.
'';
};
logging = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enables logging of authentication attempts in the MySQL database.";
};
table = mkOption {
type = types.str;
example = "logs";
description = "The name of the table to which logs are written.";
};
msgColumn = mkOption {
type = types.str;
example = "msg";
description = ''
The name of the column in the log table to which the description
of the performed operation is stored.
'';
};
userColumn = mkOption {
type = types.str;
example = "user";
description = ''
The name of the column in the log table to which the name of the
user being authenticated is stored.
'';
};
pidColumn = mkOption {
type = types.str;
example = "pid";
description = ''
The name of the column in the log table to which the pid of the
process utilising the <literal>pam_mysql's</literal> authentication
service is stored.
'';
};
hostColumn = mkOption {
type = types.str;
example = "host";
description = ''
The name of the column in the log table to which the name of the user
being authenticated is stored.
'';
};
rHostColumn = mkOption {
type = types.str;
example = "rhost";
description = ''
The name of the column in the log table to which the name of the remote
host that initiates the session is stored. The value is supposed to be
set by the PAM-aware application with <literal>pam_set_item(PAM_RHOST)
</literal>.
'';
};
timeColumn = mkOption {
type = types.str;
example = "timestamp";
description = ''
The name of the column in the log table to which the timestamp of the
log entry is stored.
'';
};
};
};
};
};
nss = mkOption {
description = ''
Settings for <literal>libnss-mysql</literal>.
All examples are from the <link xlink:href="https://github.com/saknopper/libnss-mysql/tree/master/sample/minimal">minimal example</link>
of <literal>libnss-mysql</literal>, but they are modified with NixOS paths for bash.
'';
type = types.submodule {
options = {
getpwnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE username='%1$s' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwnam.3.html">getpwnam</link>
syscall.
'';
};
getpwuid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE uid='%1$u' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwuid.3.html">getpwuid</link>
syscall.
'';
};
getspnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,password,'1','0','99999','0','0','-1','0' \
FROM users \
WHERE username='%1$s' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getspnam.3.html">getspnam</link>
syscall.
'';
};
getpwent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' FROM users
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwent.3.html">getpwent</link>
syscall.
'';
};
getspent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,password,'1','0','99999','0','0','-1','0' FROM users
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getspent.3.html">getspent</link>
syscall.
'';
};
getgrnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups WHERE name='%1$s' LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrnam.3.html">getgrnam</link>
syscall.
'';
};
getgrgid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups WHERE gid='%1$u' LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrgid.3.html">getgrgid</link>
syscall.
'';
};
getgrent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrent.3.html">getgrent</link>
syscall.
'';
};
memsbygid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username FROM grouplist WHERE gid='%1$u'
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/memsbygid.3.html">memsbygid</link>
syscall.
'';
};
gidsbymem = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT gid FROM grouplist WHERE username='%1$s'
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/gidsbymem.3.html">gidsbymem</link>
syscall.
'';
};
};
};
};
};
};
config = mkIf cfg.enable {
system.nssModules = [ pkgs.libnss-mysql ];
system.nssDatabases.shadow = [ "mysql" ];
system.nssDatabases.group = [ "mysql" ];
system.nssDatabases.passwd = [ "mysql" ];
environment.etc."security/pam_mysql.conf" = {
user = "root";
group = "root";
mode = "0600";
# password will be added from password file in activation script
text = ''
users.host=${cfg.host}
users.db_user=${cfg.user}
users.database=${cfg.database}
users.table=${cfg.pam.table}
users.user_column=${cfg.pam.userColumn}
users.password_column=${cfg.pam.passwordColumn}
users.password_crypt=${cfg.pam.passwordCrypt}
users.disconnect_every_operation=${if cfg.pam.disconnectEveryOperation then "1" else "0"}
verbose=${if cfg.pam.verbose then "1" else "0"}
'' + optionalString (cfg.pam.cryptDefault != null) ''
users.use_${cfg.pam.cryptDefault}=1
'' + optionalString (cfg.pam.where != null) ''
users.where_clause=${cfg.pam.where}
'' + optionalString (cfg.pam.statusColumn != null) ''
users.status_column=${cfg.pam.statusColumn}
'' + optionalString (cfg.pam.updateTable != null) ''
users.update_table=${cfg.pam.updateTable}
'' + optionalString cfg.pam.logging.enable ''
log.enabled=true
log.table=${cfg.pam.logging.table}
log.message_column=${cfg.pam.logging.msgColumn}
log.pid_column=${cfg.pam.logging.pidColumn}
log.user_column=${cfg.pam.logging.userColumn}
log.host_column=${cfg.pam.logging.hostColumn}
log.rhost_column=${cfg.pam.logging.rHostColumn}
log.time_column=${cfg.pam.logging.timeColumn}
'';
};
environment.etc."libnss-mysql.cfg" = {
mode = "0600";
user = config.services.nscd.user;
group = config.services.nscd.group;
text = optionalString (cfg.nss.getpwnam != null) ''
getpwnam ${cfg.nss.getpwnam}
'' + optionalString (cfg.nss.getpwuid != null) ''
getpwuid ${cfg.nss.getpwuid}
'' + optionalString (cfg.nss.getspnam != null) ''
getspnam ${cfg.nss.getspnam}
'' + optionalString (cfg.nss.getpwent != null) ''
getpwent ${cfg.nss.getpwent}
'' + optionalString (cfg.nss.getspent != null) ''
getspent ${cfg.nss.getspent}
'' + optionalString (cfg.nss.getgrnam != null) ''
getgrnam ${cfg.nss.getgrnam}
'' + optionalString (cfg.nss.getgrgid != null) ''
getgrgid ${cfg.nss.getgrgid}
'' + optionalString (cfg.nss.getgrent != null) ''
getgrent ${cfg.nss.getgrent}
'' + optionalString (cfg.nss.memsbygid != null) ''
memsbygid ${cfg.nss.memsbygid}
'' + optionalString (cfg.nss.gidsbymem != null) ''
gidsbymem ${cfg.nss.gidsbymem}
'' + ''
host ${cfg.host}
database ${cfg.database}
'';
};
environment.etc."libnss-mysql-root.cfg" = {
mode = "0600";
user = config.services.nscd.user;
group = config.services.nscd.group;
# password will be added from password file in activation script
text = ''
username ${cfg.user}
'';
};
# Activation script to append the password from the password file
# to the configuration files. It also fixes the owner of the
# libnss-mysql-root.cfg because it is changed to root after the
# password is appended.
system.activationScripts.mysql-auth-passwords = ''
if [[ -r ${cfg.passwordFile} ]]; then
org_umask=$(umask)
umask 0077
conf_nss="$(mktemp)"
cp /etc/libnss-mysql-root.cfg $conf_nss
printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
conf_pam="$(mktemp)"
cp /etc/security/pam_mysql.conf $conf_pam
printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
mv -fT "$conf_pam" /etc/security/pam_mysql.conf
umask $org_umask
fi
'';
};
}
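Review bot: `passwordFile` is declared as `types.path` (the `passwordFile = mkOption` block near the top of the file), so a Nix path literal such as `./db-password` is accepted and, when interpolated into the activation script string, is copied into the world-readable Nix store before the script ever reads it; only a string path outside the store is safe, and the option text should say so, e.g. `description = "Path to a file containing the database password. Must be a string pointing outside the Nix store, otherwise the password becomes world-readable."`. The `mysql-auth-passwords` activation script is given as a plain string with no `deps = [ "etc" ]`, so from what is visible its ordering relative to the script that installs `/etc/libnss-mysql-root.cfg` and `/etc/security/pam_mysql.conf` is not pinned: if it runs first, the password line is appended to the previous generation's file and then replaced, and presumably a second `password` line is appended on every activation whenever setup-etc leaves an unchanged file in place. The unquoted `${cfg.passwordFile}` in `[[ -r … ]]` and in `cat` also breaks on paths containing whitespace; `"${cfg.passwordFile}"` costs nothing. The descriptions in this new file still use DocBook `<literal>` and `<link>` markup while the rest of this commit converts descriptions to `lib.mdDoc`.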


@ -84,19 +84,19 @@ in
<programlisting>${defaultPackagesText}</programlisting>
'';
example = [];
description = ''
description = lib.mdDoc ''
Set of default packages that aren't strictly necessary
for a running system, entries can be removed for a more
minimal NixOS installation.
Note: If <package>pkgs.nano</package> is removed from this list,
Note: If `pkgs.nano` is removed from this list,
make sure another editor is installed and the
<literal>EDITOR</literal> environment variable is set to it.
`EDITOR` environment variable is set to it.
Environment variables can be set using
<option>environment.variables</option>.
{option}`environment.variables`.
Like with systemPackages, packages are installed to
<filename>/run/current-system/sw</filename>. They are
{file}`/run/current-system/sw`. They are
automatically available to all users, and are
automatically updated every time you rebuild the system
configuration.


@ -40,12 +40,12 @@ in
extraPortals = mkOption {
type = types.listOf types.package;
default = [ ];
description = ''
description = lib.mdDoc ''
List of additional portals to add to path. Portals allow interaction
with system, like choosing files or taking screenshots. At minimum,
a desktop portal implementation should be listed. GNOME and KDE already
adds <package>xdg-desktop-portal-gtk</package>; and
<package>xdg-desktop-portal-kde</package> respectively. On other desktop
adds `xdg-desktop-portal-gtk`; and
`xdg-desktop-portal-kde` respectively. On other desktop
environments you probably want to add them yourself.
'';
};


@ -15,7 +15,7 @@ in
enable = mkEnableOption ''
the desktop portal for the LXQt desktop environment.
This will add the <package>lxqt.xdg-desktop-portal-lxqt</package>
This will add the <literal>lxqt.xdg-desktop-portal-lxqt</literal>
package (with the extra Qt styles) into the
<option>xdg.portal.extraPortals</option> option
'';
@ -29,9 +29,9 @@ in
pkgs.qtcurve
];
'';
description = ''
description = lib.mdDoc ''
Extra Qt styles that will be available to the
<package>lxqt.xdg-desktop-portal-lxqt</package>.
`lxqt.xdg-desktop-portal-lxqt`.
'';
};
};


@ -17,16 +17,16 @@ in
enable = mkEnableOption ''
desktop portal for wlroots-based desktops
This will add the <package>xdg-desktop-portal-wlr</package> package into
This will add the <literal>xdg-desktop-portal-wlr</literal> package into
the <option>xdg.portal.extraPortals</option> option, and provide the
configuration file
'';
settings = mkOption {
description = ''
Configuration for <package>xdg-desktop-portal-wlr</package>.
description = lib.mdDoc ''
Configuration for `xdg-desktop-portal-wlr`.
See <literal>xdg-desktop-portal-wlr(5)</literal> for supported
See `xdg-desktop-portal-wlr(5)` for supported
values.
'';


@ -103,12 +103,12 @@ in
default = "zstd";
example = "lz4";
type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str;
description = ''
Compression algorithm. <literal>lzo</literal> has good compression,
but is slow. <literal>lz4</literal> has bad compression, but is fast.
<literal>zstd</literal> is both good compression and fast, but requires newer kernel.
description = lib.mdDoc ''
Compression algorithm. `lzo` has good compression,
but is slow. `lz4` has bad compression, but is fast.
`zstd` is both good compression and fast, but requires newer kernel.
You can check what other algorithms are supported by your zram device with
<programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting>
{command}`cat /sys/class/block/zram*/comp_algorithm`
'';
};
};


@ -20,7 +20,7 @@ in
type = types.str;
default = "0xfffd7fff";
example = "0xffffffff";
description = ''
description = lib.mdDoc ''
Sets the `amdgpu.ppfeaturemask` kernel option.
In particular, it is used here to set the overdrive bit.
Default is `0xfffd7fff` as it is less likely to cause flicker issues.


@ -8,17 +8,17 @@ in
options.hardware.cpu.amd.sev = {
enable = mkEnableOption "access to the AMD SEV device";
user = mkOption {
description = "Owner to assign to the SEV device.";
description = lib.mdDoc "Owner to assign to the SEV device.";
type = types.str;
default = "root";
};
group = mkOption {
description = "Group to assign to the SEV device.";
description = lib.mdDoc "Group to assign to the SEV device.";
type = types.str;
default = defaultGroup;
};
mode = mkOption {
description = "Mode to set for the SEV device.";
description = lib.mdDoc "Mode to set for the SEV device.";
type = types.str;
default = "0660";
};


@ -56,23 +56,6 @@ let
};
};
# this requires kernel package
dtbsWithSymbols = pkgs.stdenv.mkDerivation {
name = "dtbs-with-symbols";
inherit (cfg.kernelPackage) src nativeBuildInputs depsBuildBuild;
patches = map (patch: patch.patch) cfg.kernelPackage.kernelPatches;
buildPhase = ''
patchShebangs scripts/*
substituteInPlace scripts/Makefile.lib \
--replace 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget))' 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget)) -@'
make ${pkgs.stdenv.hostPlatform.linux-kernel.baseConfig} ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
make dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
installPhase = ''
make dtbs_install INSTALL_DTBS_PATH=$out/dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
};
filterDTBs = src: if isNull cfg.filter
then "${src}/dtbs"
else
@ -83,6 +66,8 @@ let
| xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
'';
filteredDTBs = filterDTBs cfg.kernelPackage;
# Compile single Device Tree overlay source
# file (.dts) into its compiled variant (.dtbo)
compileDTS = name: f: pkgs.callPackage({ stdenv, dtc }: stdenv.mkDerivation {
@ -197,7 +182,7 @@ in
};
hardware.deviceTree.package = if (cfg.overlays != [])
then pkgs.deviceTree.applyOverlays (filterDTBs dtbsWithSymbols) (withDTBOs cfg.overlays)
else (filterDTBs cfg.kernelPackage);
then pkgs.deviceTree.applyOverlays filteredDTBs (withDTBOs cfg.overlays)
else filteredDTBs;
};
}
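Review bot: The symbol-enabled build (`dtbsWithSymbols`, built with `DTC_FLAGS … -@`) is removed and overlays are now applied to the kernel package's plain DTBs, but nothing in the hunk records why that is now sufficient. Overlays that reference labels in the base tree need a `__symbols__` node, so presumably the kernel package itself now emits symbols — that is not visible here. Suggest a comment next to `filteredDTBs = filterDTBs cfg.kernelPackage;` such as `# overlays are applied to the kernel's own dtbs; they are expected to carry __symbols__ (dtc -@) so label references in overlays resolve`, so the assumption stays reviewable. The enclosing `let` continues outside the hunk.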


@ -11,6 +11,14 @@ with lib;
console.earlySetup = mkDefault true;
boot.loader.systemd-boot.consoleMode = mkDefault "1";
# Grayscale anti-aliasing for fonts
fonts.fontconfig.antialias = mkDefault true;
fonts.fontconfig.subpixel = {
rgba = mkDefault "none";
lcdfilter = mkDefault "none";
};
# TODO Find reasonable defaults X11 & wayland
};
}


@ -35,14 +35,14 @@ in
options.sdImage = {
imageName = mkOption {
default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img";
description = ''
description = lib.mdDoc ''
Name of the generated image file.
'';
};
imageBaseName = mkOption {
default = "nixos-sd-image";
description = ''
description = lib.mdDoc ''
Prefix of the name of the generated image file.
'';
};
@ -50,7 +50,7 @@ in
storePaths = mkOption {
type = with types; listOf package;
example = literalExpression "[ pkgs.stdenv ]";
description = ''
description = lib.mdDoc ''
Derivations to be included in the Nix store in the generated SD image.
'';
};
@ -74,7 +74,7 @@ in
firmwarePartitionID = mkOption {
type = types.str;
default = "0x2178694e";
description = ''
description = lib.mdDoc ''
Volume ID for the /boot/firmware partition on the SD card. This value
must be a 32-bit hexadecimal number.
'';
@ -83,7 +83,7 @@ in
firmwarePartitionName = mkOption {
type = types.str;
default = "FIRMWARE";
description = ''
description = lib.mdDoc ''
Name of the filesystem which holds the boot firmware.
'';
};
@ -92,7 +92,7 @@ in
type = types.nullOr types.str;
default = null;
example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7";
description = ''
description = lib.mdDoc ''
UUID for the filesystem on the main NixOS partition on the SD card.
'';
};
@ -101,14 +101,14 @@ in
type = types.int;
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 30;
description = ''
description = lib.mdDoc ''
Size of the /boot/firmware partition, in megabytes.
'';
};
populateFirmwareCommands = mkOption {
example = literalExpression "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''";
description = ''
description = lib.mdDoc ''
Shell commands to populate the ./firmware directory.
All files in that directory are copied to the
/boot/firmware partition on the SD image.
@ -117,7 +117,7 @@ in
populateRootCommands = mkOption {
example = literalExpression "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''";
description = ''
description = lib.mdDoc ''
Shell commands to populate the ./files directory.
All files in that directory are copied to the
root (/) partition on the SD image. Use this to
@ -128,7 +128,7 @@ in
postBuildCommands = mkOption {
example = literalExpression "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''";
default = "";
description = ''
description = lib.mdDoc ''
Shell commands to run after the image is built.
Can be used for boards requiring to dd u-boot SPL before actual partitions.
'';
@ -137,16 +137,16 @@ in
compressImage = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Whether the SD image should be compressed using
<command>zstd</command>.
{command}`zstd`.
'';
};
expandOnBoot = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Whether to configure the sd image to expand it's partition on boot.
'';
};


@ -241,7 +241,7 @@ in
nixos.extraModules = mkOption {
type = types.listOf types.raw;
default = [];
description = ''
description = lib.mdDoc ''
Modules for which to show options even when not imported.
'';
};


@ -117,13 +117,13 @@ in
'';
type = pkgsType;
example = literalExpression "import <nixpkgs> {}";
description = ''
description = lib.mdDoc ''
If set, the pkgs argument to all NixOS modules is the value of
this option, extended with <literal>nixpkgs.overlays</literal>, if
that is also set. Either <literal>nixpkgs.crossSystem</literal> or
<literal>nixpkgs.localSystem</literal> will be used in an assertion
this option, extended with `nixpkgs.overlays`, if
that is also set. Either `nixpkgs.crossSystem` or
`nixpkgs.localSystem` will be used in an assertion
to check that the NixOS and Nixpkgs architectures match. Any
other options in <literal>nixpkgs.*</literal>, notably <literal>config</literal>,
other options in `nixpkgs.*`, notably `config`,
will be ignored.
If unset, the pkgs argument to all NixOS modules is determined
@ -132,18 +132,18 @@ in
The default value imports the Nixpkgs source files
relative to the location of this NixOS module, because
NixOS and Nixpkgs are distributed together for consistency,
so the <literal>nixos</literal> in the default value is in fact a
relative path. The <literal>config</literal>, <literal>overlays</literal>,
<literal>localSystem</literal>, and <literal>crossSystem</literal> come
so the `nixos` in the default value is in fact a
relative path. The `config`, `overlays`,
`localSystem`, and `crossSystem` come
from this option's siblings.
This option can be used by applications like NixOps to increase
the performance of evaluation, or to create packages that depend
on a container that should be built with the exact same evaluation
of Nixpkgs, for example. Applications like this should set
their default value using <literal>lib.mkDefault</literal>, so
their default value using `lib.mkDefault`, so
user-provided configuration can override it without using
<literal>lib</literal>.
`lib`.
Note that using a distinct version of Nixpkgs with NixOS may
be an unexpected source of problems. Use this option with care.


@ -23,7 +23,7 @@ in
}
'';
description = ''
description = lib.mdDoc ''
A set with the key names being the environment variable you'd like to
set and the values being a list of paths to text documents containing
lists of words. The various files will be merged, sorted, duplicates


@ -22,6 +22,7 @@
./config/ldap.nix
./config/locale.nix
./config/malloc.nix
./config/mysql.nix
./config/networking.nix
./config/no-x-libs.nix
./config/nsswitch.nix
@ -329,6 +330,7 @@
./services/cluster/kubernetes/proxy.nix
./services/cluster/kubernetes/scheduler.nix
./services/cluster/pacemaker/default.nix
./services/cluster/patroni/default.nix
./services/cluster/spark/default.nix
./services/computing/boinc/client.nix
./services/computing/foldingathome/client.nix
@ -618,6 +620,7 @@
./services/misc/plikd.nix
./services/misc/podgrab.nix
./services/misc/polaris.nix
./services/misc/portunus.nix
./services/misc/prowlarr.nix
./services/misc/tautulli.nix
./services/misc/pinnwand.nix
@ -637,6 +640,7 @@
./services/misc/sonarr.nix
./services/misc/sourcehut
./services/misc/spice-vdagentd.nix
./services/misc/spice-webdavd.nix
./services/misc/ssm-agent.nix
./services/misc/sssd.nix
./services/misc/subsonic.nix
@ -1074,6 +1078,7 @@
./services/web-apps/jirafeau.nix
./services/web-apps/jitsi-meet.nix
./services/web-apps/keycloak.nix
./services/web-apps/komga.nix
./services/web-apps/lemmy.nix
./services/web-apps/invidious.nix
./services/web-apps/invoiceplane.nix
@ -1099,6 +1104,7 @@
./services/web-apps/prosody-filer.nix
./services/web-apps/matomo.nix
./services/web-apps/openwebrx.nix
./services/web-apps/outline.nix
./services/web-apps/restya-board.nix
./services/web-apps/sogo.nix
./services/web-apps/rss-bridge.nix
@ -1134,6 +1140,7 @@
./services/web-servers/pomerium.nix
./services/web-servers/unit/default.nix
./services/web-servers/tomcat.nix
./services/web-servers/keter
./services/web-servers/traefik.nix
./services/web-servers/trafficserver/default.nix
./services/web-servers/ttyd.nix


@ -85,9 +85,9 @@ in
bindInterface = mkOption {
default = true;
type = types.bool;
description = ''
Binds <package>captive-browser</package> to the network interface declared in
<literal>cfg.interface</literal>. This can be used to avoid collisions
description = lib.mdDoc ''
Binds `captive-browser` to the network interface declared in
`cfg.interface`. This can be used to avoid collisions
with private subnets.
'';
};


@ -76,10 +76,10 @@ in
extraOpts = mkOption {
type = types.attrs;
description = ''
description = lib.mdDoc ''
Extra chromium policy options. A list of available policies
can be found in the Chrome Enterprise documentation:
<link xlink:href="https://cloud.google.com/docs/chrome-enterprise/policies/">https://cloud.google.com/docs/chrome-enterprise/policies/</link>
<https://cloud.google.com/docs/chrome-enterprise/policies/>
Make sure the selected policy is supported on Linux and your browser version.
'';
default = {};


@ -8,15 +8,15 @@ with lib;
enable = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to enable k3b, the KDE disk burning application.
Additionally to installing <package>k3b</package> enabling this will
add <literal>setuid</literal> wrappers in <literal>/run/wrappers/bin</literal>
for both <package>cdrdao</package> and <package>cdrecord</package>. On first
run you must manually configure the path of <package>cdrdae</package> and
<package>cdrecord</package> to correspond to the appropriate paths under
<literal>/run/wrappers/bin</literal> in the "Setup External Programs" menu.
Additionally to installing `k3b` enabling this will
add `setuid` wrappers in `/run/wrappers/bin`
for both `cdrdao` and `cdrecord`. On first
run you must manually configure the path of `cdrdae` and
`cdrecord` to correspond to the appropriate paths under
`/run/wrappers/bin` in the "Setup External Programs" menu.
'';
};
};


@ -17,7 +17,7 @@ in
type = lib.types.bool;
};
withUtempter = mkOption {
description = ''
description = lib.mdDoc ''
Whether to enable libutempter for mosh.
This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions).
Note, this will add a guid wrapper for the group utmp!


@ -45,7 +45,7 @@ in {
passwordeval = "cat /secrets/password.txt";
};
};
description = ''
description = lib.mdDoc ''
Named accounts and their respective configurations.
The special name "default" allows a default account to be defined.
See msmtp(1) for the available options.


@ -93,10 +93,10 @@ in
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration text prepended to <filename>ssh_config</filename>. Other generated
options will be added after a <literal>Host *</literal> pattern.
See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
description = lib.mdDoc ''
Extra configuration text prepended to {file}`ssh_config`. Other generated
options will be added after a `Host *` pattern.
See {manpage}`ssh_config(5)`
for help.
'';
};


@ -22,7 +22,7 @@ in
default = "fuck";
type = types.str;
description = ''
description = lib.mdDoc ''
`thefuck` needs an alias to be configured.
The default value is `fuck`, but you can use anything else as well.
'';


@ -95,13 +95,13 @@ let
exclude.dir /nix/store
include.encrypt /home/.../*
'';
description = ''
<literal>include.*</literal> and
<literal>exclude.*</literal> directives to be
description = lib.mdDoc ''
`include.*` and
`exclude.*` directives to be
used when sending files to the IBM TSM server.
The lines will be written into a file that the
<literal>inclexcl</literal>
directive in <filename>dsm.sys</filename> points to.
`inclexcl`
directive in {file}`dsm.sys` points to.
'';
};
options.extraConfig = mkOption {


@ -62,7 +62,7 @@ in
to use `yabar-unstable'.
'';
description = ''
description = lib.mdDoc ''
The package which contains the `yabar` binary.
Nixpkgs provides the `yabar` and `yabar-unstable`


@ -49,7 +49,7 @@ in
package = mkOption {
default = pkgs.oh-my-zsh;
defaultText = literalExpression "pkgs.oh-my-zsh";
description = ''
description = lib.mdDoc ''
Package to install for `oh-my-zsh` usage.
'';
@ -67,7 +67,7 @@ in
custom = mkOption {
default = null;
type = with types; nullOr str;
description = ''
description = lib.mdDoc ''
Path to a custom oh-my-zsh package to override config of oh-my-zsh.
(Can't be used along with `customPkgs`).
'';
@ -76,7 +76,7 @@ in
customPkgs = mkOption {
default = [];
type = types.listOf types.package;
description = ''
description = lib.mdDoc ''
List of custom packages that should be loaded into `oh-my-zsh`.
'';
};
@ -92,7 +92,7 @@ in
cacheDir = mkOption {
default = "$HOME/.cache/oh-my-zsh";
type = types.str;
description = ''
description = lib.mdDoc ''
Cache directory to be used by `oh-my-zsh`.
Without this option it would default to the read-only nix store.
'';


@ -11,7 +11,7 @@ in {
package = mkOption {
default = pkgs.zsh-autoenv;
defaultText = literalExpression "pkgs.zsh-autoenv";
description = ''
description = lib.mdDoc ''
Package to install for `zsh-autoenv` usage.
'';


@ -24,7 +24,7 @@ in
strategy = mkOption {
type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]);
default = [ "history" ];
description = ''
description = lib.mdDoc ''
`ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated.
The strategies in the array are tried successively until a suggestion is found.
There are currently three built-in strategies to choose from:


@ -676,7 +676,7 @@ let
inheritDefaults = mkOption {
default = true;
example = true;
description = "Whether to inherit values set in `security.acme.defaults` or not.";
description = lib.mdDoc "Whether to inherit values set in `security.acme.defaults` or not.";
type = lib.types.bool;
};
};


@ -81,8 +81,8 @@ services.nginx = {
};
# We can also add a different vhost and reuse the same certificate
# but we have to append extraDomainNames manually.
<link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
# but we have to append extraDomainNames manually beforehand:
# <link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
"baz.example.com" = {
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";


@ -94,7 +94,7 @@ in {
<note><para>If this is <literal>false</literal> the resulting store
path will be non-deterministic and will be rebuilt every time the
<package>openssl</package> package changes.</para></note>
<literal>openssl</literal> package changes.</para></note>
'';
};


@ -142,6 +142,16 @@ let
'';
};
mysqlAuth = mkOption {
default = config.users.mysql.enable;
defaultText = literalExpression "config.users.mysql.enable";
type = types.bool;
description = ''
If set, the <literal>pam_mysql</literal> module will be used to
authenticate users against a MySQL/MariaDB database.
'';
};
fprintAuth = mkOption {
default = config.services.fprintd.enable;
defaultText = literalExpression "config.services.fprintd.enable";
@ -310,11 +320,10 @@ let
limits = mkOption {
default = [];
type = limitsType;
description = ''
description = lib.mdDoc ''
Attribute set describing resource limits. Defaults to the
value of <option>security.pam.loginLimits</option>.
The meaning of the values is explained in <citerefentry>
<refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
value of {option}`security.pam.loginLimits`.
The meaning of the values is explained in {manpage}`limits.conf(5)`.
'';
};
@ -441,11 +450,13 @@ let
(
''
# Account management.
account required pam_unix.so
'' +
optionalString use_ldap ''
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
'' +
@ -459,7 +470,11 @@ let
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
''
account required pam_unix.so
# Authentication management.
'' +
@ -475,6 +490,9 @@ let
optionalString cfg.logFailures ''
auth required pam_faillock.so
'' +
optionalString cfg.mysqlAuth ''
auth sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
'' +
@ -503,7 +521,7 @@ let
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
# after it succeeds. Certain modules need to run after pam_unix
# prompts the user for password so we run it once with 'required' at an
# prompts the user for password so we run it once with 'optional' at an
# earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice
(optionalString (cfg.unixAuth &&
@ -516,7 +534,7 @@ let
|| cfg.duoSecurity.enable))
(
''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
'' +
optionalString config.security.pam.enableEcryptfs ''
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
@ -572,6 +590,9 @@ let
optionalString use_ldap ''
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.sssd.enable ''
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
'' +
@ -615,6 +636,9 @@ let
optionalString use_ldap ''
session optional ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.sssd.enable ''
session optional ${pkgs.sssd}/lib/security/pam_sss.so
'' +
@ -749,18 +773,18 @@ in
}
];
description =
'' Define resource limits that should apply to users or groups.
Each item in the list should be an attribute set with a
<varname>domain</varname>, <varname>type</varname>,
<varname>item</varname>, and <varname>value</varname>
attribute. The syntax and semantics of these attributes
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
description = ''
Define resource limits that should apply to users or groups.
Each item in the list should be an attribute set with a
<varname>domain</varname>, <varname>type</varname>,
<varname>item</varname>, and <varname>value</varname>
attribute. The syntax and semantics of these attributes
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Note that these limits do not apply to systemd services,
whose limits can be changed via <option>systemd.extraConfig</option>
instead.
'';
Note that these limits do not apply to systemd services,
whose limits can be changed via <option>systemd.extraConfig</option>
instead.
'';
};
security.pam.services = mkOption {
@ -1236,6 +1260,9 @@ in
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so,
'' +
optionalString (isEnabled (cfg: cfg.mysqlAuth)) ''
mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so,
'' +
optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
'' +
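Review bot: The first `pam_unix.so` entry in the `cfg.unixAuth` auth block changes from `required` to `optional`, which alters failure semantics: a wrong local password at that point no longer pins the stack to failure, so the outcome now rests entirely on the later `sufficient pam_unix.so … try_first_pass` entry and on whatever terminal entry closes the auth stack outside this hunk. The rewritten comment records the new control word but not the reason; suggest extending it with `# 'optional' rather than 'required' so that users which only exist in MySQL/LDAP (no local passwd entry) do not fail the stack here.` The same rationale is already spelled out for moving `account required pam_unix.so` after the sufficient modules, so the two comments would then agree. Separately, the new `mysqlAuth` option description still uses `<literal>pam_mysql</literal>` while sibling descriptions in this commit are converted to `lib.mdDoc`; `description = lib.mdDoc ''` with backticks would match the rest of the file.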


@ -46,7 +46,7 @@ in
type = types.package;
default = pkgs.sudo;
defaultText = literalExpression "pkgs.sudo";
description = ''
description = lib.mdDoc ''
Which package to use for `sudo`.
'';
};


@ -21,7 +21,7 @@ in
"hbase.cluster.distributed" = "true";
};
type = types.attrsOf types.anything;
description = ''
description = lib.mdDoc ''
Default options for hbase-site.xml
'';
};
@ -30,9 +30,9 @@ in
type = with types; attrsOf anything;
example = literalExpression ''
'';
description = ''
description = lib.mdDoc ''
Additional options and overrides for hbase-site.xml
<link xlink:href="https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml"/>
<https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml>
'';
};
hbaseSiteInternal = mkOption {
@ -50,11 +50,11 @@ in
type = types.package;
default = pkgs.hbase;
defaultText = literalExpression "pkgs.hbase";
description = "HBase package";
description = lib.mdDoc "HBase package";
};
rootdir = mkOption {
description = ''
description = lib.mdDoc ''
This option will set "hbase.rootdir" in hbase-site.xml and determine
the directory shared by region servers and into which HBase persists.
The URL should be 'fully-qualified' to include the filesystem scheme.
@ -68,7 +68,7 @@ in
default = "/hbase";
};
zookeeperQuorum = mkOption {
description = ''
description = lib.mdDoc ''
This option will set "hbase.zookeeper.quorum" in hbase-site.xml.
Comma separated list of servers in the ZooKeeper ensemble.
'';
@ -83,7 +83,7 @@ in
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Open firewall ports for HBase master.
'';
};
@ -94,7 +94,7 @@ in
overrideHosts = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix
Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records
or /etc/hosts entries.
@ -105,7 +105,7 @@ in
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Open firewall ports for HBase master.
'';
};
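Review bot: The second `openFirewall` description in this file still reads "Open firewall ports for HBase master.", identical to the first one, although judging by the neighbouring `overrideHosts` text (which talks about regionservers resolving their hostnames) this option appears to belong to a different submodule. If that is the case, the converted line should read `Open firewall ports for HBase regionserver.` — or name whichever service it actually guards — rather than carrying the copy-paste text through the mdDoc conversion. The surrounding option definitions start and end outside the hunk, so the owning submodule cannot be confirmed from here.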


@ -0,0 +1,268 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.patroni;
defaultUser = "patroni";
defaultGroup = "patroni";
format = pkgs.formats.yaml { };
#boto doesn't support python 3.10 yet
patroni = pkgs.patroni.override { pythonPackages = pkgs.python39Packages; };
configFileName = "patroni-${cfg.scope}-${cfg.name}.yaml";
configFile = format.generate configFileName cfg.settings;
in
{
options.services.patroni = {
enable = mkEnableOption "Patroni";
postgresqlPackage = mkOption {
type = types.package;
example = literalExpression "pkgs.postgresql_14";
description = mdDoc ''
PostgreSQL package to use.
Plugins can be enabled like this `pkgs.postgresql_14.withPackages (p: [ p.pg_safeupdate p.postgis ])`.
'';
};
postgresqlDataDir = mkOption {
type = types.path;
defaultText = literalExpression ''"/var/lib/postgresql/''${config.services.patroni.postgresqlPackage.psqlSchema}"'';
example = "/var/lib/postgresql/14";
default = "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}";
description = mdDoc ''
The data directory for PostgreSQL. If left as the default value
this directory will automatically be created before the PostgreSQL server starts, otherwise
the sysadmin is responsible for ensuring the directory exists with appropriate ownership
and permissions.
'';
};
postgresqlPort = mkOption {
type = types.port;
default = 5432;
description = mdDoc ''
The port on which PostgreSQL listens.
'';
};
user = mkOption {
type = types.str;
default = defaultUser;
example = "postgres";
description = mdDoc ''
The user for the service. If left as the default value this user will automatically be created,
otherwise the sysadmin is responsible for ensuring the user exists.
'';
};
group = mkOption {
type = types.str;
default = defaultGroup;
example = "postgres";
description = mdDoc ''
The group for the service. If left as the default value this group will automatically be created,
otherwise the sysadmin is responsible for ensuring the group exists.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/patroni";
description = mdDoc ''
Folder where Patroni data will be written, used by Raft as well if enabled.
'';
};
scope = mkOption {
type = types.str;
example = "cluster1";
description = mdDoc ''
Cluster name.
'';
};
name = mkOption {
type = types.str;
example = "node1";
description = mdDoc ''
The name of the host. Must be unique for the cluster.
'';
};
namespace = mkOption {
type = types.str;
default = "/service";
description = mdDoc ''
Path within the configuration store where Patroni will keep information about the cluster.
'';
};
nodeIp = mkOption {
type = types.str;
example = "192.168.1.1";
description = mdDoc ''
IP address of this node.
'';
};
otherNodesIps = mkOption {
type = types.listOf types.string;
example = [ "192.168.1.2" "192.168.1.3" ];
description = mdDoc ''
IP addresses of the other nodes.
'';
};
restApiPort = mkOption {
type = types.port;
default = 8008;
description = mdDoc ''
The port on Patroni's REST api listens.
'';
};
raft = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
This will configure Patroni to use its own RAFT implementation instead of using a dedicated DCS.
'';
};
raftPort = mkOption {
type = types.port;
default = 5010;
description = mdDoc ''
The port on which RAFT listens.
'';
};
softwareWatchdog = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
This will configure Patroni to use the software watchdog built into the Linux kernel
as described in the [documentation](https://patroni.readthedocs.io/en/latest/watchdog.html#setting-up-software-watchdog-on-linux).
'';
};
settings = mkOption {
type = format.type;
default = { };
description = mdDoc ''
The primary patroni configuration. See the [documentation](https://patroni.readthedocs.io/en/latest/SETTINGS.html)
for possible values.
Secrets should be passed in by using the `environmentFiles` option.
'';
};
environmentFiles = mkOption {
type = with types; attrsOf (nullOr (oneOf [ str path package ]));
default = { };
example = {
PATRONI_REPLICATION_PASSWORD = "/secret/file";
PATRONI_SUPERUSER_PASSWORD = "/secret/file";
};
description = mdDoc "Environment variables made available to Patroni as files content, useful for providing secrets from files.";
};
};
config = mkIf cfg.enable {
services.patroni.settings = {
scope = cfg.scope;
name = cfg.name;
namespace = cfg.namespace;
restapi = {
listen = "${cfg.nodeIp}:${toString cfg.restApiPort}";
connect_address = "${cfg.nodeIp}:${toString cfg.restApiPort}";
};
raft = mkIf cfg.raft {
data_dir = "${cfg.dataDir}/raft";
self_addr = "${cfg.nodeIp}:5010";
partner_addrs = map (ip: ip + ":5010") cfg.otherNodesIps;
};
postgresql = {
listen = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
connect_address = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
data_dir = cfg.postgresqlDataDir;
bin_dir = "${cfg.postgresqlPackage}/bin";
pgpass = "${cfg.dataDir}/pgpass";
};
watchdog = mkIf cfg.softwareWatchdog {
mode = "required";
device = "/dev/watchdog";
safety_margin = 5;
};
};
users = {
users = mkIf (cfg.user == defaultUser) {
patroni = {
group = cfg.group;
isSystemUser = true;
};
};
groups = mkIf (cfg.group == defaultGroup) {
patroni = { };
};
};
systemd.services = {
patroni = {
description = "Runners to orchestrate a high-availability PostgreSQL";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
script = ''
${concatStringsSep "\n" (attrValues (mapAttrs (name: path: ''export ${name}="$(< ${escapeShellArg path})"'') cfg.environmentFiles))}
exec ${patroni}/bin/patroni ${configFile}
'';
serviceConfig = mkMerge [
{
User = cfg.user;
Group = cfg.group;
Type = "simple";
Restart = "on-failure";
TimeoutSec = 30;
ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
KillMode = "process";
}
(mkIf (cfg.postgresqlDataDir == "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}" && cfg.dataDir == "/var/lib/patroni") {
StateDirectory = "patroni patroni/raft postgresql postgresql/${cfg.postgresqlPackage.psqlSchema}";
StateDirectoryMode = "0750";
})
];
};
};
boot.kernelModules = mkIf cfg.softwareWatchdog [ "softdog" ];
services.udev.extraRules = mkIf cfg.softwareWatchdog ''
KERNEL=="watchdog", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="0600"
'';
environment.systemPackages = [
patroni
cfg.postgresqlPackage
(mkIf cfg.raft pkgs.python310Packages.pysyncobj)
];
environment.etc."${configFileName}".source = configFile;
environment.sessionVariables = {
PATRONICTL_CONFIG_FILE = "/etc/${configFileName}";
};
};
meta.maintainers = [ maintainers.phfroidmont ];
}


@ -121,10 +121,10 @@ in {
keepalive = mkOption {
default = 600;
type = types.int;
description = "
description = lib.mdDoc ''
This is a number that indicates how frequently keepalive messages should be sent
from the worker to the buildmaster, expressed in seconds.
";
'';
};
package = mkOption {


@ -193,7 +193,7 @@ in
options.services.buildkite-agents = mkOption {
type = types.attrsOf (types.submodule buildkiteOptions);
default = {};
description = ''
description = lib.mdDoc ''
Attribute set of buildkite agents.
The attribute key is combined with the hostname and a unique integer to
create the final agent name. This can be overridden by setting the `name`


@ -103,15 +103,15 @@ let
defaultText = literalExpression ''baseDirectory + "/secrets"'';
};
clusterJoinTokenPath = mkOption {
description = ''
description = lib.mdDoc ''
Location of the cluster-join-token.key file.
You can retrieve the contents of the file when creating a new agent via
<link xlink:href="https://hercules-ci.com/dashboard">https://hercules-ci.com/dashboard</link>.
<https://hercules-ci.com/dashboard>.
As this value is confidential, it should not be in the store, but
installed using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation.
`deployment.keys`, or manual installation.
The contents of the file are used for authentication between the agent and the API.
'';
@ -120,29 +120,28 @@ let
defaultText = literalExpression ''staticSecretsDirectory + "/cluster-join-token.key"'';
};
binaryCachesPath = mkOption {
description = ''
description = lib.mdDoc ''
Path to a JSON file containing binary cache secret keys.
As these values are confidential, they should not be in the store, but
copied over using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation.
`deployment.keys`, or manual installation.
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/">https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/</link>.
The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/>.
'';
type = types.path;
default = config.staticSecretsDirectory + "/binary-caches.json";
defaultText = literalExpression ''staticSecretsDirectory + "/binary-caches.json"'';
};
secretsJsonPath = mkOption {
description = ''
description = lib.mdDoc ''
Path to a JSON file containing secrets for effects.
As these values are confidential, they should not be in the store, but
copied over using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation.
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/">https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/</link>.
`deployment.keys`, or manual installation.
The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/>.
'';
type = types.path;
default = config.staticSecretsDirectory + "/secrets.json";


@ -87,7 +87,7 @@ in
type = types.str;
default = localDB;
example = "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;";
description = ''
description = lib.mdDoc ''
The DBI string for Hydra database connection.
NOTE: Attempts to set `application_name` will be overridden by
@ -115,8 +115,8 @@ in
type = types.str;
default = "*";
example = "localhost";
description = ''
The hostname or address to listen on or <literal>*</literal> to listen
description = lib.mdDoc ''
The hostname or address to listen on or `*` to listen
on all interfaces.
'';
};


@ -97,9 +97,9 @@ in
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Open the firewall ports corresponding to FoundationDB processes and coordinators
using <option>config.networking.firewall.*</option>.
using {option}`config.networking.firewall.*`.
'';
};


@ -35,9 +35,9 @@ in
default = pkgs.mongodb;
defaultText = literalExpression "pkgs.mongodb";
type = types.package;
description = "
description = lib.mdDoc ''
Which MongoDB derivation to use.
";
'';
};
user = mkOption {


@ -36,9 +36,9 @@ in
package = mkOption {
type = types.package;
example = literalExpression "pkgs.mariadb";
description = "
description = lib.mdDoc ''
Which MySQL derivation to use. MariaDB packages are supported too.
";
'';
};
user = mkOption {


@ -79,15 +79,15 @@ in
authentication = mkOption {
type = types.lines;
default = "";
description = ''
description = lib.mdDoc ''
Defines how users authenticate themselves to the server. See the
<link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html">PostgreSQL documentation for pg_hba.conf</link>
[PostgreSQL documentation for pg_hba.conf](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html)
for details on the expected format of this option. By default,
peer based authentication will be used for users connecting
via the Unix socket, and md5 password authentication will be
used for users connecting via TCP. Any added rules will be
inserted above the default rules. If you'd like to replace the
default rules entirely, you can use <function>lib.mkForce</function> in your
default rules entirely, you can use `lib.mkForce` in your
module.
'';
};


@ -10,6 +10,7 @@
},
"context.spa-libs": {
"audio.convert.*": "audioconvert/libspa-audioconvert",
"avb.*": "avb/libspa-avb",
"api.alsa.*": "alsa/libspa-alsa",
"api.v4l2.*": "v4l2/libspa-v4l2",
"api.libcamera.*": "libcamera/libspa-libcamera",


@ -34,7 +34,8 @@ with lib;
];
# for $out/bin/install-printer-driver
services.packagekit.enable = true;
# TODO: Enable once #177946 is resolved
# services.packagekit.enable = true;
};
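Review bot: The comment `# for $out/bin/install-printer-driver` at the top of the hunk now sits above a line that is commented out, so a reader sees a justification with nothing under it. Folding the reason into the new TODO keeps the blocker and the motivation together, e.g. replace both comment lines with `# TODO: re-enable once #177946 is resolved; packagekit is needed for $out/bin/install-printer-driver`. The `};` on the last line closes the enclosing attribute set, so the hunk is self-contained.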


@ -149,13 +149,14 @@ in {
};
}
'';
description = "Declarative kernel config
description = lib.mdDoc ''
Declarative kernel config.
Kernels can be declared in any language that supports and has the required
dependencies to communicate with a jupyter server.
In python's case, it means that ipykernel package must always be included in
the list of packages of the targeted environment.
";
Kernels can be declared in any language that supports and has the required
dependencies to communicate with a jupyter server.
In python's case, it means that ipykernel package must always be included in
the list of packages of the targeted environment.
'';
};
};


@ -9,7 +9,7 @@ in {
enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
description = lib.mdDoc ''
Enables the daemon for `lorri`, a nix-shell replacement for project
development. The socket-activated daemon starts on the first request
issued by the `lorri` command.


@ -36,7 +36,7 @@ in {
certificateChain = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
description = lib.mdDoc ''
Chain of CA-certificates to which our `certificateFile` is relative.
Optional for TLS.
'';


@ -81,11 +81,11 @@ in
settings = mkOption {
type = format.type;
description = ''
The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>.
description = lib.mdDoc ''
The ASF.json file, all the options are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config).
Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything.
`Headless` is also always set to `true` because there is no way to provide inputs via a systemd service.
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>.
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod).
'';
example = {
Statistics = false;


@ -41,7 +41,7 @@ in {
stateDir = mkOption {
type = types.str;
default = "/var/lib/crossfire";
description = ''
description = lib.mdDoc ''
Where to store runtime data (save files, persistent items, etc).
If left at the default, this will be automatically created on server
@ -61,7 +61,7 @@ in {
configFiles = mkOption {
type = types.attrsOf types.str;
description = ''
description = lib.mdDoc ''
Text to append to the corresponding configuration files. Note that the
files given in the example are *not* the complete set of files available
to customize; look in /etc/crossfire after enabling the server to see


@ -41,7 +41,7 @@ in {
stateDir = mkOption {
type = types.str;
default = "/var/lib/deliantra";
description = ''
description = lib.mdDoc ''
Where to store runtime data (save files, persistent items, etc).
If left at the default, this will be automatically created on server


@ -25,7 +25,7 @@ in
gameId = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
description = lib.mdDoc ''
Id of the game to use. To list available games run
`minetestserver --gameid list`.
@ -36,7 +36,7 @@ in
world = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
description = lib.mdDoc ''
Name of the world to use. To list available worlds run
`minetestserver --world list`.
@ -47,7 +47,7 @@ in
configPath = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
description = lib.mdDoc ''
Path to the config to use.
If set to null, the config of the running user will be used:


@ -131,6 +131,7 @@ in
config = mkIf cfg.enable {
users.users.terraria = {
description = "Terraria server service user";
group = "terraria";
home = cfg.dataDir;
createHome = true;
uid = config.ids.uids.terraria;
@ -138,7 +139,6 @@ in
users.groups.terraria = {
gid = config.ids.gids.terraria;
members = [ "terraria" ];
};
systemd.services.terraria = {


@ -15,9 +15,9 @@ let
DisabledPlugins=${lib.concatStringsSep ";" cfg.disabledPlugins}
'';
};
"fwupd/uefi.conf" = {
source = pkgs.writeText "uefi.conf" ''
[uefi]
"fwupd/uefi_capsule.conf" = {
source = pkgs.writeText "uefi_capsule.conf" ''
[uefi_capsule]
OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint}
'';
};
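Review bot: The switch from `"fwupd/uefi.conf"` with `[uefi]` to `"fwupd/uefi_capsule.conf"` with `[uefi_capsule]` carries no comment, so nothing in the module records why the old file name stopped being used. Presumably this follows an upstream fwupd rename of the plugin and its config file (the version cannot be confirmed from the hunk); a one-line comment above the attribute such as `# fwupd reads the ESP override from uefi_capsule.conf; the older uefi.conf name is no longer consulted` would stop someone re-adding the old file later. Because `OverrideESPMountPoint` is what points fwupd at the configured ESP, a silently unread config file would be easy to miss, which is a further reason to document the rename. The enclosing `environment.etc` attribute set begins outside the hunk.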


@ -180,8 +180,8 @@ in
package = mkOption {
type = types.package;
default = pkgs.kanata;
defaultText = lib.literalExpression "pkgs.kanata";
example = lib.literalExpression "pkgs.kanata-with-cmd";
defaultText = literalExpression "pkgs.kanata";
example = literalExpression "pkgs.kanata-with-cmd";
description = mdDoc ''
The kanata package to use.
@ -198,7 +198,7 @@ in
};
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
hardware.uinput.enable = true;
systemd = {
@ -211,5 +211,5 @@ in
};
};
meta.maintainers = with lib.maintainers; [ linj ];
meta.maintainers = with maintainers; [ linj ];
}


@ -126,10 +126,10 @@ in {
psycopg2
];
'';
description = ''
description = lib.mdDoc ''
List of packages to add to propagatedBuildInputs.
A popular example is <package>python3Packages.psycopg2</package>
A popular example is `python3Packages.psycopg2`
for PostgreSQL support in the recorder component.
'';
};


@ -79,7 +79,7 @@ let
priority = mkOption {
type = types.int;
default = 1000;
description = ''
description = lib.mdDoc ''
Order of this logrotate block in relation to the others. The semantics are
the same as with `lib.mkOrder`. Smaller values have a greater priority.
'';
@ -260,7 +260,7 @@ in
priority = mkOption {
type = types.int;
default = 1000;
description = ''
description = lib.mdDoc ''
Order of this logrotate block in relation to the others. The semantics are
the same as with `lib.mkOrder`. Smaller values are inserted first.
'';


@ -355,125 +355,125 @@ in
setgidGroup = mkOption {
type = types.str;
default = "postdrop";
description = "
description = lib.mdDoc ''
How to call postfix setgid group (for postdrop). Should
be uniquely used group.
";
'';
};
networks = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = ["192.168.0.1/24"];
description = "
description = lib.mdDoc ''
Net masks for trusted - allowed to relay mail to third parties -
hosts. Leave empty to use mynetworks_style configuration or use
default (localhost-only).
";
'';
};
networksStyle = mkOption {
type = types.str;
default = "";
description = "
description = lib.mdDoc ''
Name of standard way of trusted network specification to use,
leave blank if you specify it explicitly or if you want to use
default (localhost-only).
";
'';
};
hostname = mkOption {
type = types.str;
default = "";
description ="
description = lib.mdDoc ''
Hostname to use. Leave blank to use just the hostname of machine.
It should be FQDN.
";
'';
};
domain = mkOption {
type = types.str;
default = "";
description ="
description = lib.mdDoc ''
Domain to use. Leave blank to use hostname minus first component.
";
'';
};
origin = mkOption {
type = types.str;
default = "";
description ="
description = lib.mdDoc ''
Origin to use in outgoing e-mail. Leave blank to use hostname.
";
'';
};
destination = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = ["localhost"];
description = "
description = lib.mdDoc ''
Full (!) list of domains we deliver locally. Leave blank for
acceptable Postfix default.
";
'';
};
relayDomains = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = ["localdomain"];
description = "
description = lib.mdDoc ''
List of domains we agree to relay to. Default is empty.
";
'';
};
relayHost = mkOption {
type = types.str;
default = "";
description = "
description = lib.mdDoc ''
Mail relay for outbound mail.
";
'';
};
relayPort = mkOption {
type = types.int;
default = 25;
description = "
description = lib.mdDoc ''
SMTP port for relay mail relay.
";
'';
};
lookupMX = mkOption {
type = types.bool;
default = false;
description = "
description = lib.mdDoc ''
Whether relay specified is just domain whose MX must be used.
";
'';
};
postmasterAlias = mkOption {
type = types.str;
default = "root";
description = "
description = lib.mdDoc ''
Who should receive postmaster e-mail. Multiple values can be added by
separating values with comma.
";
'';
};
rootAlias = mkOption {
type = types.str;
default = "";
description = "
description = lib.mdDoc ''
Who should receive root e-mail. Blank for no redirection.
Multiple values can be added by separating values with comma.
";
'';
};
extraAliases = mkOption {
type = types.lines;
default = "";
description = "
description = lib.mdDoc ''
Additional entries to put verbatim into aliases file, cf. man-page aliases(8).
";
'';
};
aliasMapType = mkOption {
@ -497,9 +497,9 @@ in
extraConfig = mkOption {
type = types.lines;
default = "";
description = "
description = lib.mdDoc ''
Extra lines to be added verbatim to the main.cf configuration file.
";
'';
};
tlsTrustedAuthorities = mkOption {
@ -527,9 +527,9 @@ in
type = types.str;
default = "";
example = "+";
description = "
description = lib.mdDoc ''
Delimiter for address extension: so mail to user+test can be handled by ~user/.forward+test
";
'';
};
canonical = mkOption {
@ -543,9 +543,9 @@ in
virtual = mkOption {
type = types.lines;
default = "";
description = "
description = lib.mdDoc ''
Entries for the virtual alias map, cf. man-page virtual(5).
";
'';
};
virtualMapType = mkOption {
@ -572,9 +572,9 @@ in
transport = mkOption {
default = "";
type = types.lines;
description = "
description = lib.mdDoc ''
Entries for the transport map, cf. man-page transport(8).
";
'';
};
dnsBlacklists = mkOption {


@ -26,24 +26,24 @@ in
type = lib.types.nullOr lib.types.path;
example = "/var/lib/dendrite/server.cert";
default = null;
description = ''
description = lib.mdDoc ''
The path to the TLS certificate.
<programlisting>
```
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
</programlisting>
```
'';
};
tlsKey = lib.mkOption {
type = lib.types.nullOr lib.types.path;
example = "/var/lib/dendrite/server.key";
default = null;
description = ''
description = lib.mdDoc ''
The path to the TLS key.
<programlisting>
```
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
</programlisting>
```
'';
};
environmentFile = lib.mkOption {
@ -51,8 +51,7 @@ in
example = "/var/lib/dendrite/registration_secret";
default = null;
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file. Currently only used
@ -103,13 +102,13 @@ in
lib.types.path
(lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+");
example = "$CREDENTIALS_DIRECTORY/private_key";
description = ''
description = lib.mdDoc ''
The path to the signing private key file, used to sign
requests and events.
<programlisting>
```
nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem"
</programlisting>
```
'';
};
trusted_third_party_id_servers = lib.mkOption {
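Review bot: The `environmentFile` description in the second hunk (`description = ''` followed by the `<citerefentry>` reference) is the only option description in this section still written in DocBook; the change only reflows the man-page reference onto one line instead of converting it. Under `lib.mdDoc` the same reference is written as `Environment file as defined in {manpage}` followed by the backticked `systemd.exec(5)`, which keeps the rendered man-page link and makes the option consistent with the tlsCert, tlsKey and private_key descriptions converted in the same section. That option definition continues past the end of its hunk, so I cannot see whether anything further down blocked the conversion.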


@ -44,6 +44,12 @@ in {
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-tofu";
send = "cross-signed-tofu";
share = "cross-signed-tofu";
};
};
username_template = "facebook_{userid}";
};
@ -116,6 +122,8 @@ in {
};
config = mkIf cfg.enable {
users.groups.mautrix-facebook = {};
users.users.mautrix-facebook = {
group = "mautrix-facebook";
isSystemUser = true;
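Review bot: The new `verification_levels` block in the first hunk fixes the bridge's encryption trust policy at `cross-signed-tofu` for receive, send and share without a comment, and as a module default it is something an operator is unlikely to notice. As I understand the mautrix levels, `cross-signed-tofu` accepts a device on the strength of a cross-signing key that is trusted on first use, so the first cross-signing key seen for a user is the one trusted thereafter; a comment above the block such as `# Trust cross-signing keys on first use; operators who verify devices manually may want a stricter level` would make that trade-off visible. Mentioning the default in the `settings` option description would also make it discoverable without reading the module source. The enclosing `encryption` attribute set starts outside the hunk.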


@ -516,7 +516,7 @@ in {
type = types.bool;
default = true;
example = false;
description = ''
description = lib.mdDoc ''
Is the preview URL API enabled? If enabled, you *must* specify an
explicit url_preview_ip_range_blacklist of IPs that the spider is
denied from accessing.


@ -133,10 +133,10 @@ in
};
};
default = {};
description = ''
Configuration for <package>etebase-server</package>. Refer to
<link xlink:href="https://github.com/etesync/server/blob/master/etebase-server.ini.example"/>
and <link xlink:href="https://github.com/etesync/server/wiki"/>
description = lib.mdDoc ''
Configuration for `etebase-server`. Refer to
<https://github.com/etesync/server/blob/master/etebase-server.ini.example>
and <https://github.com/etesync/server/wiki>
for details on supported values.
'';
example = {


@ -71,9 +71,9 @@ in
enable = mkOption {
type = types.bool;
default = false;
description = "
description = lib.mdDoc ''
Whether to enable the exhibitor server.
";
'';
};
# See https://github.com/soabase/exhibitor/wiki/Running-Exhibitor for what these mean
# General options for any type of config


@ -22,11 +22,11 @@ in {
enableReload = mkOption {
default = false;
type = types.bool;
description = ''
Issue the <literal>reloadxml</literal> command to FreeSWITCH when configuration directory changes (instead of restart).
See <link xlink:href="https://freeswitch.org/confluence/display/FREESWITCH/Reloading">FreeSWITCH documentation</link> for more info.
The configuration directory is exposed at <filename>/etc/freeswitch</filename>.
See also <literal>systemd.services.*.restartIfChanged</literal>.
description = lib.mdDoc ''
Issue the `reloadxml` command to FreeSWITCH when configuration directory changes (instead of restart).
See [FreeSWITCH documentation](https://freeswitch.org/confluence/display/FREESWITCH/Reloading) for more info.
The configuration directory is exposed at {file}`/etc/freeswitch`.
See also `systemd.services.*.restartIfChanged`.
'';
};
configTemplate = mkOption {


@ -12,8 +12,7 @@ in
options = {
services.geoipupdate = {
enable = lib.mkEnableOption ''
periodic downloading of GeoIP databases using
<productname>geoipupdate</productname>.
periodic downloading of GeoIP databases using geoipupdate.
'';
interval = lib.mkOption {
@ -36,21 +35,20 @@ in
ProxyUserPassword = { _secret = "/run/keys/proxy_pass"; };
}
'';
description = ''
<productname>geoipupdate</productname> configuration
options. See
<link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md"/>
description = lib.mdDoc ''
geoipupdate configuration options. See
<https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md>
for a full list of available options.
Settings containing secret data should be set to an
attribute set containing the attribute
<literal>_secret</literal> - a string pointing to a file
`_secret` - a string pointing to a file
containing the value the option should be set to. See the
example to get a better picture of this: in the resulting
<filename>GeoIP.conf</filename> file, the
<literal>ProxyUserPassword</literal> key will be set to the
{file}`GeoIP.conf` file, the
`ProxyUserPassword` key will be set to the
contents of the
<filename>/run/keys/proxy_pass</filename> file.
{file}`/run/keys/proxy_pass` file.
'';
type = lib.types.submodule {
freeformType =
@ -85,13 +83,12 @@ in
LicenseKey = lib.mkOption {
type = with lib.types; either path (attrsOf path);
description = ''
A file containing the
<productname>MaxMind</productname> license key.
description = lib.mdDoc ''
A file containing the MaxMind license key.
Always handled as a secret whether the value is
wrapped in a <literal>{ _secret = ...; }</literal>
attrset or not (refer to <xref linkend="opt-services.geoipupdate.settings"/> for
wrapped in a `{ _secret = ...; }`
attrset or not (refer to [](#opt-services.geoipupdate.settings) for
details).
'';
apply = x: if isAttrs x then x else { _secret = x; };


@ -183,7 +183,7 @@ in
file = mkOption {
type = types.nullOr types.str;
default = null;
description = "Filename to be used for the dump. If `null` a default name is choosen by gitea.";
description = lib.mdDoc "Filename to be used for the dump. If `null` a default name is choosen by gitea.";
example = "gitea-dump";
};
};
@ -293,12 +293,12 @@ in
default = "${cfg.stateDir}/log";
defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"'';
type = types.str;
description = "Root path for log files.";
description = lib.mdDoc "Root path for log files.";
};
LEVEL = mkOption {
default = "Info";
type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ];
description = "General log level.";
description = lib.mdDoc "General log level.";
};
};
@ -306,14 +306,14 @@ in
DISABLE_SSH = mkOption {
type = types.bool;
default = false;
description = "Disable external SSH feature.";
description = lib.mdDoc "Disable external SSH feature.";
};
SSH_PORT = mkOption {
type = types.int;
default = 22;
example = 2222;
description = ''
description = lib.mdDoc ''
SSH port displayed in clone URL.
The option is required to configure a service when the external visible port
differs from the local listening port i.e. if port forwarding is used.
@ -339,7 +339,7 @@ in
COOKIE_SECURE = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Marks session cookies as "secure" as a hint for browsers to only send
them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
'';
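Review bot: The rewritten line in the first hunk, `description = lib.mdDoc "Filename to be used for the dump. If `null` a default name is choosen by gitea.";`, keeps the misspelling "choosen"; since the string is being replaced anyway it should read "chosen". The COOKIE_SECURE description in the last hunk is likewise touched by the mdDoc conversion but still says `This option is recommend, if gitea is being served over HTTPS.`, which should be "recommended". Both are one-word fixes inside strings this change already rewrites.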


@ -338,10 +338,9 @@ in {
default = 0;
example = 48;
apply = x: x * 60 * 60;
description = ''
description = lib.mdDoc ''
How long to keep the backups around, in
hours. <literal>0</literal> means <quote>keep
forever</quote>.
hours. `0` means keep forever.
'';
};
@ -415,9 +414,9 @@ in {
databaseHost = mkOption {
type = types.str;
default = "";
description = ''
GitLab database hostname. An empty string means <quote>use
local unix socket connection</quote>.
description = lib.mdDoc ''
GitLab database hostname. An empty string means
use local unix socket connection.
'';
};
@ -752,8 +751,7 @@ in {
description = ''
The number of worker processes Puma should spawn. This
controls the amount of parallel Ruby code can be
executed. GitLab recommends <quote>Number of CPU cores -
1</quote>, but at least two.
executed. GitLab recommends <literal>Number of CPU cores - 1</literal>, but at least two.
<note>
<para>
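Review bot: The Puma worker description in the last hunk (the `description = ''` that now reads `GitLab recommends <literal>Number of CPU cores - 1</literal>, but at least two.`) is the only description in this section left as DocBook, while backupKeepTime and databaseHost were converted to `lib.mdDoc` in the same change. That description continues past the end of the hunk with a `<note>`/`<para>` block, so I cannot tell whether the remaining markup is what blocked the conversion; if so, a short comment saying why this one stays DocBook would prevent the next pass from re-attempting it. Otherwise the line would read `GitLab recommends \`Number of CPU cores - 1\`, but at least two.` under `lib.mdDoc`, consistent with the other two hunks.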


@ -14,12 +14,11 @@ in
enable = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Enable gitolite management under the
<literal>gitolite</literal> user. After
`gitolite` user. After
switching to a configuration with Gitolite enabled, you can
then run <literal>git clone
gitolite@host:gitolite-admin.git</literal> to manage it further.
then run `git clone gitolite@host:gitolite-admin.git` to manage it further.
'';
};
@ -72,25 +71,25 @@ in
@{$RC{ENABLE}} = grep { $_ ne 'desc' } @{$RC{ENABLE}}; # disable the command/feature
'''
'';
description = ''
Extra configuration to append to the default <literal>~/.gitolite.rc</literal>.
description = lib.mdDoc ''
Extra configuration to append to the default `~/.gitolite.rc`.
This should be Perl code that modifies the <literal>%RC</literal>
configuration variable. The default <literal>~/.gitolite.rc</literal>
content is generated by invoking <literal>gitolite print-default-rc</literal>,
This should be Perl code that modifies the `%RC`
configuration variable. The default `~/.gitolite.rc`
content is generated by invoking `gitolite print-default-rc`,
and extra configuration from this option is appended to it. The result
is placed to Nix store, and the <literal>~/.gitolite.rc</literal> file
is placed to Nix store, and the `~/.gitolite.rc` file
becomes a symlink to it.
If you already have a customized (or otherwise changed)
<literal>~/.gitolite.rc</literal> file, NixOS will refuse to replace
`~/.gitolite.rc` file, NixOS will refuse to replace
it with a symlink, and the `gitolite-init` initialization service
will fail. In this situation, in order to use this option, you
will need to take any customizations you may have in
<literal>~/.gitolite.rc</literal>, convert them to appropriate Perl
`~/.gitolite.rc`, convert them to appropriate Perl
statements, add them to this option, and remove the file.
See also the <literal>enableGitAnnex</literal> option.
See also the `enableGitAnnex` option.
'';
};


@ -82,7 +82,7 @@ in
'';
configFile = mkOption {
type = path;
description = "Path to firmware config which is generated using `klipper-genconf`";
description = lib.mdDoc "Path to firmware config which is generated using `klipper-genconf`";
};
};
});


@ -264,7 +264,7 @@ in
type = types.nullOr types.str;
default = null;
example = "/root/.ssh/id_buildhost_builduser";
description = ''
description = lib.mdDoc ''
The path to the SSH private key with which to authenticate on
the build machine. The private key must not have a passphrase.
If null, the building user (root on NixOS machines) must have an
@ -562,13 +562,13 @@ in
trusted-public-keys = mkOption {
type = types.listOf types.str;
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
description = ''
description = lib.mdDoc ''
List of public keys used to sign binary caches. If
<option>nix.settings.trusted-public-keys</option> is enabled,
{option}`nix.settings.trusted-public-keys` is enabled,
then Nix will use a binary from a binary cache if and only
if it is signed by <emphasis>any</emphasis> of the keys
if it is signed by *any* of the keys
listed here. By default, only the key for
<uri>cache.nixos.org</uri> is included.
`cache.nixos.org` is included.
'';
};
@ -605,13 +605,13 @@ in
type = types.listOf types.str;
default = [ "*" ];
example = [ "@wheel" "@builders" "alice" "bob" ];
description = ''
description = lib.mdDoc ''
A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with
<option>nix.settings.trusted-users</option>, you can specify groups by
prefixing them with <literal>@</literal>. Also, you can
allow all users by specifying <literal>*</literal>. The
default is <literal>*</literal>. Note that trusted users are
{option}`nix.settings.trusted-users`, you can specify groups by
prefixing them with `@`. Also, you can
allow all users by specifying `*`. The
default is `*`. Note that trusted users are
always allowed to connect.
'';
};


@ -0,0 +1,288 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.portunus;
in
{
options.services.portunus = {
enable = mkEnableOption "Portunus, a self-contained user/group management and authentication service for LDAP";
domain = mkOption {
type = types.str;
example = "sso.example.com";
description = "Subdomain which gets reverse proxied to Portunus webserver.";
};
port = mkOption {
type = types.port;
default = 8080;
description = ''
Port where the Portunus webserver should listen on.
This must be put behind a TLS-capable reverse proxy because Portunus only listens on localhost.
'';
};
package = mkOption {
type = types.package;
default = pkgs.portunus;
defaultText = "pkgs.portunus";
description = "The Portunus package to use.";
};
seedPath = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a portunus seed file in json format.
See <link xlink:href="https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration"/> for available options.
'';
};
stateDir = mkOption {
type = types.path;
default = "/var/lib/portunus";
description = "Path where Portunus stores its state.";
};
user = mkOption {
type = types.str;
default = "portunus";
description = "User account under which Portunus runs its webserver.";
};
group = mkOption {
type = types.str;
default = "portunus";
description = "Group account under which Portunus runs its webserver.";
};
dex = {
enable = mkEnableOption ''
Dex ldap connector.
To activate dex, first a search user must be created in the Portunus web ui
and then the password must to be set as the <literal>DEX_SEARCH_USER_PASSWORD</literal> environment variable
in the <xref linkend="opt-services.dex.environmentFile"/> setting.
'';
oidcClients = mkOption {
type = types.listOf (types.submodule {
options = {
callbackURL = mkOption {
type = types.str;
description = "URL where the OIDC client should redirect";
};
id = mkOption {
type = types.str;
description = "ID of the OIDC client";
};
};
});
default = [ ];
example = [
{
callbackURL = "https://example.com/client/oidc/callback";
id = "service";
}
];
description = ''
List of OIDC clients.
The OIDC secret must be set as the <literal>DEX_CLIENT_''${id}</literal> environment variable
in the <xref linkend="opt-services.dex.environmentFile"/> setting.
'';
};
port = mkOption {
type = types.port;
default = 5556;
description = "Port where dex should listen on.";
};
};
ldap = {
package = mkOption {
type = types.package;
default = pkgs.openldap;
defaultText = "pkgs.openldap";
description = "The OpenLDAP package to use.";
};
searchUserName = mkOption {
type = types.str;
default = "";
example = "admin";
description = ''
The login name of the search user.
This user account must be configured in Portunus either manually or via seeding.
'';
};
suffix = mkOption {
type = types.str;
example = "dc=example,dc=org";
description = ''
The DN of the topmost entry in your LDAP directory.
Please refer to the Portunus documentation for more information on how this impacts the structure of the LDAP directory.
'';
};
tls = mkOption {
type = types.bool;
default = false;
description = ''
Wether to enable LDAPS protocol.
This also adds two entries to the <literal>/etc/hosts</literal> file to point <xref linkend="opt-services.portunus.domain"/> to localhost,
so that CLIs and programs can use ldaps protocol and verify the certificate without opening the firewall port for the protocol.
This requires a TLS certificate for <xref linkend="opt-services.portunus.domain"/> to be configured via <xref linkend="opt-security.acme.certs"/>.
'';
};
user = mkOption {
type = types.str;
default = "openldap";
description = "User account under which Portunus runs its LDAP server.";
};
group = mkOption {
type = types.str;
default = "openldap";
description = "Group account under which Portunus runs its LDAP server.";
};
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.dex.enable -> cfg.ldap.searchUserName != "";
message = "services.portunus.dex.enable requires services.portunus.ldap.searchUserName to be set.";
}
];
# add ldapsearch(1) etc. to interactive shells
environment.systemPackages = [ cfg.ldap.package ];
# allow connecting via ldaps /w certificate without opening ports
networking.hosts = mkIf cfg.ldap.tls {
"::1" = [ cfg.domain ];
"127.0.0.1" = [ cfg.domain ];
};
services.dex = mkIf cfg.dex.enable {
enable = true;
settings = {
issuer = "https://${cfg.domain}/dex";
web.http = "127.0.0.1:${toString cfg.dex.port}";
storage = {
type = "sqlite3";
config.file = "/var/lib/dex/dex.db";
};
enablePasswordDB = false;
connectors = [{
type = "ldap";
id = "ldap";
name = "LDAP";
config = {
host = "${cfg.domain}:636";
bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
bindPW = "$DEX_SEARCH_USER_PASSWORD";
userSearch = {
baseDN = "ou=users,${cfg.ldap.suffix}";
filter = "(objectclass=person)";
username = "uid";
idAttr = "uid";
emailAttr = "mail";
nameAttr = "cn";
preferredUsernameAttr = "uid";
};
groupSearch = {
baseDN = "ou=groups,${cfg.ldap.suffix}";
filter = "(objectclass=groupOfNames)";
nameAttr = "cn";
userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
};
};
}];
staticClients = forEach cfg.dex.oidcClients (client: {
inherit (client) id;
redirectURIs = [ client.callbackURI ];
name = "OIDC for ${client.id}";
secret = "$DEX_CLIENT_${client.id}";
});
};
};
systemd.services = {
dex.serviceConfig = mkIf cfg.dex.enable {
# `dex.service` is super locked down out of the box, but we need some
# place to write the SQLite database. This creates $STATE_DIRECTORY below
# /var/lib/private because DynamicUser=true, but it gets symlinked into
# /var/lib/dex inside the unit
StateDirectory = "dex";
};
portunus = {
description = "Self-contained authentication service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig.ExecStart = "${cfg.package.out}/bin/portunus-orchestrator";
environment = {
PORTUNUS_LDAP_SUFFIX = cfg.ldap.suffix;
PORTUNUS_SERVER_BINARY = "${cfg.package}/bin/portunus-server";
PORTUNUS_SERVER_GROUP = cfg.group;
PORTUNUS_SERVER_USER = cfg.user;
PORTUNUS_SERVER_HTTP_LISTEN = "[::]:${toString cfg.port}";
PORTUNUS_SERVER_STATE_DIR = cfg.stateDir;
PORTUNUS_SLAPD_BINARY = "${cfg.ldap.package}/libexec/slapd";
PORTUNUS_SLAPD_GROUP = cfg.ldap.group;
PORTUNUS_SLAPD_USER = cfg.ldap.user;
PORTUNUS_SLAPD_SCHEMA_DIR = "${cfg.ldap.package}/etc/schema";
} // (optionalAttrs (cfg.seedPath != null) ({
PORTUNUS_SEED_PATH = cfg.seedPath;
})) // (optionalAttrs cfg.ldap.tls (
let
acmeDirectory = config.security.acme.certs."${cfg.domain}".directory;
in
{
PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt";
PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem";
PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain;
PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem";
}));
};
};
users.users = mkMerge [
(mkIf (cfg.ldap.user == "openldap") {
openldap = {
group = cfg.ldap.group;
isSystemUser = true;
};
})
(mkIf (cfg.user == "portunus") {
portunus = {
group = cfg.group;
isSystemUser = true;
};
})
];
users.groups = mkMerge [
(mkIf (cfg.ldap.user == "openldap") {
openldap = { };
})
(mkIf (cfg.user == "portunus") {
portunus = { };
})
];
};
meta.maintainers = [ majewsky ] ++ teams.c3d2.members;
}
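Review bot: The `port` option's description says Portunus "only listens on localhost", but `PORTUNUS_SERVER_HTTP_LISTEN = "[::]:${toString cfg.port}"` appears to bind every interface, so the web UI is reachable without the TLS reverse proxy that description assumes; either bind `PORTUNUS_SERVER_HTTP_LISTEN = "127.0.0.1:${toString cfg.port}";` or correct the description. Separately, `redirectURIs = [ client.callbackURI ];` reads an attribute the `oidcClients` submodule does not declare (the option is `callbackURL`), so any non-empty `dex.oidcClients` list fails evaluation with a missing-attribute error; it should be `redirectURIs = [ client.callbackURL ];`. The dex connector also hard-codes `host = "${cfg.domain}:636"`, which only works when `ldap.tls` is enabled (the `networking.hosts` entries that make the name resolve locally are gated on it as well), so the existing assertion could additionally require `cfg.dex.enable -> cfg.ldap.tls`. Minor: "Wether" in the `ldap.tls` description.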


@ -50,7 +50,7 @@ in {
type = with types; attrsOf str;
default = { };
example = { DATADIR = "/custom/path/for/rmfakecloud/data"; };
description = ''
description = lib.mdDoc ''
Extra settings in the form of a set of key-value pairs.
For tokens and secrets, use `environmentFile` instead.


@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.spice-webdavd;
in
{
options = {
services.spice-webdavd = {
enable = mkEnableOption "the spice guest webdav proxy daemon";
package = mkOption {
default = pkgs.phodav;
defaultText = literalExpression "pkgs.phodav";
type = types.package;
description = "spice-webdavd provider package to use.";
};
};
};
config = mkIf cfg.enable {
# ensure the webdav fs this exposes can actually be mounted
services.davfs2.enable = true;
# add the udev rule which starts the proxy when the spice socket is present
services.udev.packages = [ cfg.package ];
systemd.services.spice-webdavd = {
description = "spice-webdav proxy daemon";
serviceConfig = {
Type = "simple";
ExecStart = "${cfg.package}/bin/spice-webdavd -p 9843";
Restart = "on-success";
};
};
};
}
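Review bot: `ExecStart = "${cfg.package}/bin/spice-webdavd -p 9843";` hard-codes the listening port with no option or comment, and the unit sets no `User`, so the proxy runs as root with no sandboxing. Whether the daemon needs root for the SPICE channel device is not visible here, so at minimum a comment such as `# -p 9843: port the proxy listens on (presumably what the davfs2 side mounts) — confirm` on the ExecStart line, and one explaining why `Restart = "on-success"` is chosen (presumably the daemon exits cleanly when the SPICE channel goes away and the udev rule re-triggers it), would make the intent clear. Exposing the port as a `services.spice-webdavd.port` option would remove the magic constant.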


@ -3,6 +3,10 @@ with lib;
let
cfg = config.services.sssd;
nscd = config.services.nscd;
dataDir = "/var/lib/sssd";
settingsFile = "${dataDir}/sssd.conf";
settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
in {
options = {
services.sssd = {
@ -47,6 +51,30 @@ in {
Kerberos will be configured to cache credentials in SSS.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file.
<programlisting>
# snippet of sssd-related config
[domain/LDAP]
ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
</programlisting>
<programlisting>
# contents of the environment file
SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
</programlisting>
'';
};
};
};
config = mkMerge [
@ -60,22 +88,29 @@ in {
wants = [ "nss-user-lookup.target" ];
restartTriggers = [
config.environment.etc."nscd.conf".source
config.environment.etc."sssd/sssd.conf".source
settingsFileUnsubstituted
];
script = ''
export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
${pkgs.sssd}/bin/sssd -D
${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
'';
serviceConfig = {
Type = "forking";
PIDFile = "/run/sssd.pid";
StateDirectory = baseNameOf dataDir;
# We cannot use LoadCredential here because it's not available in ExecStartPre
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
};
};
environment.etc."sssd/sssd.conf" = {
text = cfg.config;
mode = "0400";
preStart = ''
[ -f ${settingsFile} ] && rm -f ${settingsFile}
old_umask=$(umask)
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o ${settingsFile} \
-i ${settingsFileUnsubstituted}
umask $old_umask
'';
};
system.nssModules = [ pkgs.sssd ];
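Review bot: The `envsubst` call in the new `preStart` replaces an unset or empty variable with an empty string, so a placeholder such as `$SSSD_LDAP_DEFAULT_AUTHTOK` that is missing from the environment file silently renders as `ldap_default_authtok =` instead of failing the service start; if `pkgs.envsubst` is the a8m/envsubst tool it supports `-no-unset -no-empty`, so the line should read `${pkgs.envsubst}/bin/envsubst -no-unset -no-empty \`. The `umask 0177` around the write is the right idea and yields a 0600 file; a one-line comment saying so (`# 0600: the rendered file contains the substituted secrets`) would help, since the old `mode = "0400"` that made this explicit is gone. `preStart` belongs to the `systemd.services.sssd` definition, whose start is outside the hunk.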


@ -80,7 +80,7 @@ in {
webserver = mkOption {
type = types.enum [ "nginx" "none" ];
default = "nginx";
description = ''
description = lib.mdDoc ''
The webserver to configure for the PHP frontend.
Set it to `none` if you want to configure it yourself. PRs are welcome


@ -52,7 +52,7 @@ in {
buildMinimalPackage = mkOption {
default = false;
description = ''
description = lib.mdDoc ''
Build a minimal collectd package with only the configured `services.collectd.plugins`
'';
type = bool;


@ -60,7 +60,7 @@ in {
package = mkOption {
default = pkgs.datadog-agent;
defaultText = literalExpression "pkgs.datadog-agent";
description = ''
description = lib.mdDoc ''
Which DataDog v7 agent package to use. Note that the provided
package is expected to have an overridable `pythonPackages`-attribute
which configures the Python environment with the Datadog
@ -168,7 +168,7 @@ in {
};
checks = mkOption {
description = ''
description = lib.mdDoc ''
Configuration for all Datadog checks. Keys of this attribute
set will be used as the name of the check to create the
appropriate configuration in `conf.d/$check.d/conf.yaml`.


@ -38,8 +38,8 @@ in
};
settings = mkOption {
description = ''
Configuration for <package>grafana-agent</package>.
description = lib.mdDoc ''
Configuration for `grafana-agent`.
See https://grafana.com/docs/agent/latest/configuration/
'';


@ -63,7 +63,7 @@ in {
default = "default";
type = types.enum [ "default" "reusable" "clustered" ];
description = ''
Rendering mode of <package>grafana-image-renderer</package>:
Rendering mode of <literal>grafana-image-renderer</literal>:
<itemizedlist>
<listitem><para><literal>default:</literal> Creates on browser-instance
per rendering request.</para></listitem>
@ -79,8 +79,8 @@ in {
args = mkOption {
type = types.listOf types.str;
default = [ "--no-sandbox" ];
description = ''
List of CLI flags passed to <package>chromium</package>.
description = lib.mdDoc ''
List of CLI flags passed to `chromium`.
'';
};
};
@ -89,10 +89,10 @@ in {
default = {};
description = ''
Configuration attributes for <package>grafana-image-renderer</package>.
description = lib.mdDoc ''
Configuration attributes for `grafana-image-renderer`.
See <link xlink:href="https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json"/>
See <https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json>
for supported values.
'';
};


@ -20,11 +20,11 @@ in {
apiKeyFile = mkOption {
type = types.path;
example = "/run/keys/mackerel-api-key";
description = ''
description = lib.mdDoc ''
Path to file containing the Mackerel API key. The file should contain a
single line of the following form:
<literallayout>apikey = "EXAMPLE_API_KEY"</literallayout>
`apikey = "EXAMPLE_API_KEY"`
'';
};


@ -91,11 +91,11 @@ in
enable = mkEnableOption ''<link xlink:href="http://www.nagios.org/">Nagios</link> to monitor your system or network.'';
objectDefs = mkOption {
description = "
description = lib.mdDoc ''
A list of Nagios object configuration files that must define
the hosts, host groups, services and contacts for the
network that you want Nagios to monitor.
";
'';
type = types.listOf types.path;
example = literalExpression "[ ./objects.cfg ]";
};
@ -104,18 +104,18 @@ in
type = types.listOf types.package;
default = with pkgs; [ monitoring-plugins msmtp mailutils ];
defaultText = literalExpression "[pkgs.monitoring-plugins pkgs.msmtp pkgs.mailutils]";
description = "
description = ''
Packages to be added to the Nagios <envar>PATH</envar>.
Typically used to add plugins, but can be anything.
";
'';
};
mainConfigFile = mkOption {
type = types.nullOr types.package;
default = null;
description = "
description = lib.mdDoc ''
If non-null, overrides the main configuration file of Nagios.
";
'';
};
extraConfig = mkOption {
@ -139,19 +139,19 @@ in
type = types.package;
default = nagiosCGICfgFile;
defaultText = literalExpression "nagiosCGICfgFile";
description = "
description = lib.mdDoc ''
Derivation for the configuration file of Nagios CGI scripts
that can be used in web servers for running the Nagios web interface.
";
'';
};
enableWebInterface = mkOption {
type = types.bool;
default = false;
description = "
description = lib.mdDoc ''
Whether to enable the Nagios web interface. You should also
enable Apache (<option>services.httpd.enable</option>).
";
enable Apache ({option}`services.httpd.enable`).
'';
};
virtualHost = mkOption {


@ -251,7 +251,7 @@ let
authorization = mkOption {
type = types.nullOr types.attrs;
default = null;
description = ''
description = lib.mdDoc ''
Sets the `Authorization` header on every scrape request with the configured credentials.
'';
};
@ -664,7 +664,7 @@ let
promTypes.dockerswarm_sd_config = mkDockerSdConfigModule {
role = mkOption {
type = types.enum [ "services" "tasks" "nodes" ];
description = ''
description = lib.mdDoc ''
Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`.
'';
};
@ -1222,7 +1222,7 @@ let
role = mkOption {
type = types.enum [ "instance" "baremetal" ];
description = ''
description = lib.mdDoc ''
Role of the targets to retrieve. Must be `instance` or `baremetal`.
'';
};
@ -1729,16 +1729,15 @@ in
type = with types; either bool (enum [ "syntax-only" ]);
default = true;
example = "syntax-only";
description = ''
Check configuration with <literal>promtool
check</literal>. The call to <literal>promtool</literal> is
description = lib.mdDoc ''
Check configuration with `promtool check`. The call to `promtool` is
subject to sandboxing by Nix.
If you use credentials stored in external files
(<literal>password_file</literal>, <literal>bearer_token_file</literal>, etc),
they will not be visible to <literal>promtool</literal>
(`password_file`, `bearer_token_file`, etc),
they will not be visible to `promtool`
and it will report errors, despite a correct configuration.
To resolve this, you may set this option to <literal>"syntax-only"</literal>
To resolve this, you may set this option to `"syntax-only"`
in order to only syntax check the Prometheus configuration.
'';
};


@ -33,10 +33,10 @@ in
work with this exporter:
<programlisting>
{
<xref linkend="opt-services.prometheus.exporters.dovecot.enable"/> = true;
<xref linkend="opt-services.prometheus.exporters.dovecot.socketPath"/> = "/var/run/dovecot2/old-stats";
<xref linkend="opt-services.dovecot2.mailPlugins.globally.enable"/> = [ "old_stats" ];
<xref linkend="opt-services.dovecot2.extraConfig"/> = '''
services.prometheus.exporters.dovecot.enable = true;
services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats";
services.dovecot2.mailPlugins.globally.enable = [ "old_stats" ];
services.dovecot2.extraConfig = '''
service old-stats {
unix_listener old-stats {
user = dovecot-exporter


@ -11,8 +11,8 @@ in {
type = types.str;
default = "${pkgs.knot-dns.out}/lib/libknot.so";
defaultText = literalExpression ''"''${pkgs.knot-dns.out}/lib/libknot.so"'';
description = ''
Path to the library of <package>knot-dns</package>.
description = lib.mdDoc ''
Path to the library of `knot-dns`.
'';
};


@ -121,7 +121,7 @@ let
It's possible to work around the issue with a config like this:
<programlisting>
{
<link linkend="opt-services.rspamd.locals._name_.text">services.rspamd.locals."multimap.conf".text</link> = '''
services.rspamd.locals."multimap.conf".text = '''
ALLOWLIST_PROMETHEUS {
filter = "email:domain:tld";
type = "from";


@ -10,7 +10,7 @@ in {
settings = mkOption {
type = types.attrs;
default = {};
description = ''
description = lib.mdDoc ''
All settings of nginxlog expressed as an Nix attrset.
Check the official documentation for the corresponding YAML


@ -12,7 +12,7 @@ in {
example = "/run/keys/ldap_pass";
description = ''
Environment file to contain the credentials to authenticate against
<package>openldap</package>.
<literal>openldap</literal>.
The file should look like this:
<programlisting>
@ -26,15 +26,15 @@ in {
default = "tcp";
example = "udp";
type = types.str;
description = ''
Which protocol to use to connect against <package>openldap</package>.
description = lib.mdDoc ''
Which protocol to use to connect against `openldap`.
'';
};
ldapAddr = mkOption {
default = "localhost:389";
type = types.str;
description = ''
Address of the <package>openldap</package>-instance.
description = lib.mdDoc ''
Address of the `openldap`-instance.
'';
};
metricsPath = mkOption {
