dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

merge master & re-run generate.sh

Browse Source
This commit is contained in:
Johannes Kirschbauer 2022-08-22 16:21:06 +02:00
commit f46c9675a4
1239 changed files with 77563 additions and 9681 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.git-blame-ignore-revs
View File

@ -36,3 +36,6 @@ d08ede042b74b8199dc748323768227b88efcf7c
# fix indentation in mk-python-derivation.nix # fix indentation in mk-python-derivation.nix
d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3 d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
# fix indentation in meteor default.nix
f76b359e4a55267ddd4e9e149e7cc13ae5cad98a

6
.github/CODEOWNERS vendored
View File

@ -108,9 +108,9 @@
/pkgs/top-level/haskell-packages.nix @cdepillabout @sternenseemann @maralorn /pkgs/top-level/haskell-packages.nix @cdepillabout @sternenseemann @maralorn
# Perl # Perl
/pkgs/development/interpreters/perl @stigtsp @zakame /pkgs/development/interpreters/perl @stigtsp @zakame @dasJ
/pkgs/top-level/perl-packages.nix @stigtsp @zakame /pkgs/top-level/perl-packages.nix @stigtsp @zakame @dasJ
/pkgs/development/perl-modules @stigtsp @zakame /pkgs/development/perl-modules @stigtsp @zakame @dasJ
# R # R
/pkgs/applications/science/math/R @jbedo /pkgs/applications/science/math/R @jbedo

7
doc/builders/images/dockertools.section.md
View File

@ -36,6 +36,9 @@ buildImage {
WorkingDir = "/data"; WorkingDir = "/data";
Volumes = { "/data" = { }; }; Volumes = { "/data" = { }; };
}; };
diskSize = 1024;
buildVMMemorySize = 512;
} }
``` ```
@ -59,6 +62,10 @@ The above example will build a Docker image `redis/latest` from the given base i
- `config` is used to specify the configuration of the containers that will be started off the built image in Docker. The available options are listed in the [Docker Image Specification v1.2.0](https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions). - `config` is used to specify the configuration of the containers that will be started off the built image in Docker. The available options are listed in the [Docker Image Specification v1.2.0](https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions).
- `diskSize` is used to specify the disk size of the VM used to build the image in megabytes. By default it's 1024 MiB.
- `buildVMMemorySize` is used to specify the memory size of the VM to build the image in megabytes. By default it's 512 MiB.
After the new layer has been created, its closure (to which `contents`, `config` and `runAsRoot` contribute) will be copied in the layer itself. Only new dependencies that are not already in the existing layers will be copied. After the new layer has been created, its closure (to which `contents`, `config` and `runAsRoot` contribute) will be copied in the layer itself. Only new dependencies that are not already in the existing layers will be copied.
At the end of the process, only one new single layer will be produced and added to the resulting image. At the end of the process, only one new single layer will be produced and added to the resulting image.

19
doc/stdenv/stdenv.chapter.md
View File

@ -871,12 +871,27 @@ Constructs a wrapper for a program with various possible arguments. It is define
# adds `FOOBAR=baz` to `$out/bin/foo`s environment # adds `FOOBAR=baz` to `$out/bin/foo`s environment
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
# prefixes the binary paths of `hello` and `git` # Prefixes the binary paths of `hello` and `git`
# and suffixes the binary path of `xdg-utils`.
# Be advised that paths often should be patched in directly # Be advised that paths often should be patched in directly
# (via string replacements or in `configurePhase`). # (via string replacements or in `configurePhase`).
makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello git ]} makeWrapper $out/bin/foo $wrapperfile \
--prefix PATH : ${lib.makeBinPath [ hello git ]} \
--suffix PATH : ${lib.makeBinPath [ xdg-utils ]}
``` ```
Packages may expect or require other utilities to be available at runtime.
`makeWrapper` can be used to add packages to a `PATH` environment variable local to a wrapper.
Use `--prefix` to explicitly set dependencies in `PATH`.
:::{note}
`--prefix` essentially hard-codes dependencies into the wrapper.
They cannot be overridden without rebuilding the package.
:::
If dependencies should be resolved at runtime, use `--suffix` to append fallback values to `PATH`.
Theres many more kinds of arguments, they are documented in `nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh` for the `makeWrapper` implementation and in `nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh` for the `makeBinaryWrapper` implementation. Theres many more kinds of arguments, they are documented in `nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh` for the `makeWrapper` implementation and in `nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh` for the `makeBinaryWrapper` implementation.
`wrapProgram` is a convenience function you probably want to use most of the time, implemented by both `makeWrapper` and `makeBinaryWrapper`. `wrapProgram` is a convenience function you probably want to use most of the time, implemented by both `makeWrapper` and `makeBinaryWrapper`.

2
lib/lists.nix
View File

@ -36,7 +36,7 @@ rec {
forEach = xs: f: map f xs; forEach = xs: f: map f xs;
/* right fold a binary function `op` between successive elements of /* right fold a binary function `op` between successive elements of
`list` with `nul' as the starting value, i.e., `list` with `nul` as the starting value, i.e.,
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`. `foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.
Type: foldr :: (a -> b -> b) -> b -> [a] -> b Type: foldr :: (a -> b -> b) -> b -> [a] -> b

87
maintainers/maintainer-list.nix
View File

@ -115,6 +115,12 @@
githubId = 7414843; githubId = 7414843;
name = "Nicholas von Klitzing"; name = "Nicholas von Klitzing";
}; };
_360ied = {
name = "Brian Zhu";
email = "therealbarryplayer@gmail.com";
github = "360ied";
githubId = 19516527;
};
_13r0ck = { _13r0ck = {
name = "Brock Szuszczewicz"; name = "Brock Szuszczewicz";
email = "bnr@tuta.io"; email = "bnr@tuta.io";
@ -1359,6 +1365,12 @@
githubId = 9315; githubId = 9315;
name = "Zhong Jianxin"; name = "Zhong Jianxin";
}; };
a-kenji = {
email = "aks.kenji@protonmail.com";
github = "a-kenji";
githubId = 65275785;
name = "Alexander Kenji Berthold";
};
b4dm4n = { b4dm4n = {
email = "fabianm88@gmail.com"; email = "fabianm88@gmail.com";
github = "B4dM4n"; github = "B4dM4n";
@ -1778,7 +1790,7 @@
}; };
booklearner = { booklearner = {
name = "booklearner"; name = "booklearner";
email = "hey@booklearner.org"; email = "booklearner@proton.me";
matrix = "@booklearner:matrix.org"; matrix = "@booklearner:matrix.org";
github = "booklearner"; github = "booklearner";
githubId = 103979114; githubId = 103979114;
@ -3738,6 +3750,12 @@
githubId = 537775; githubId = 537775;
name = "Emery Hemingway"; name = "Emery Hemingway";
}; };
eigengrau = {
email = "seb@schattenkopie.de";
name = "Sebastian Reuße";
github = "eigengrau";
githubId = 4939947;
};
eikek = { eikek = {
email = "eike.kettner@posteo.de"; email = "eike.kettner@posteo.de";
github = "eikek"; github = "eikek";
@ -6343,6 +6361,16 @@
}]; }];
name = "Ioannis Koutras"; name = "Ioannis Koutras";
}; };
jonaenz = {
name = "Jona Enzinger";
email = "5xt3zyy5l@mozmail.com";
matrix = "@jona:matrix.jonaenz.de";
github = "jonaenz";
githubId = 57130301;
keys = [{
fingerprint = "1CC5 B67C EB9A 13A5 EDF6 F10E 0B4A 3662 FC58 9202";
}];
};
jonafato = { jonafato = {
email = "jon@jonafato.com"; email = "jon@jonafato.com";
github = "jonafato"; github = "jonafato";
@ -6957,12 +6985,6 @@
fingerprint = "8992 44FC D291 5CA2 0A97 802C 156C 88A5 B0A0 4B2A"; fingerprint = "8992 44FC D291 5CA2 0A97 802C 156C 88A5 B0A0 4B2A";
}]; }];
}; };
kiyengar = {
email = "hello@kiyengar.net";
github = "karthikiyengar";
githubId = 8260207;
name = "Karthik Iyengar";
};
kjeremy = { kjeremy = {
email = "kjeremy@gmail.com"; email = "kjeremy@gmail.com";
name = "Jeremy Kolb"; name = "Jeremy Kolb";
@ -7262,7 +7284,7 @@
}; };
lassulus = { lassulus = {
email = "lassulus@gmail.com"; email = "lassulus@gmail.com";
matrix = "@lassulus:nixos.dev"; matrix = "@lassulus:lassul.us";
github = "Lassulus"; github = "Lassulus";
githubId = 621759; githubId = 621759;
name = "Lassulus"; name = "Lassulus";
@ -7956,6 +7978,12 @@
githubId = 31056089; githubId = 31056089;
name = "Tom Ho"; name = "Tom Ho";
}; };
majewsky = {
email = "majewsky@gmx.net";
github = "majewsky";
githubId = 24696;
name = "Stefan Majewsky";
};
majiir = { majiir = {
email = "majiir@nabaal.net"; email = "majiir@nabaal.net";
github = "Majiir"; github = "Majiir";
@ -10178,6 +10206,16 @@
fingerprint = "5D69 CF04 B7BC 2BC1 A567 9267 00BC F29B 3208 0700"; fingerprint = "5D69 CF04 B7BC 2BC1 A567 9267 00BC F29B 3208 0700";
}]; }];
}; };
phfroidmont = {
name = "Paul-Henri Froidmont";
email = "nix.contact-j9dw4d@froidmont.org";
github = "phfroidmont";
githubId = 8150907;
keys = [{
fingerprint = "3AC6 F170 F011 33CE 393B CD94 BE94 8AFD 7E78 73BE";
}];
};
philandstuff = { philandstuff = {
email = "philip.g.potter@gmail.com"; email = "philip.g.potter@gmail.com";
github = "philandstuff"; github = "philandstuff";
@ -13488,6 +13526,15 @@
githubId = 619015; githubId = 619015;
name = "Svintsov Dmitry"; name = "Svintsov Dmitry";
}; };
urandom = {
email = "colin@urandom.co.uk";
github = "arnottcr";
githubId = 2526260;
keys = [{
fingerprint = "04A3 A2C6 0042 784A AEA7 D051 0447 A663 F7F3 E236";
}];
name = "Colin Arnott";
};
urbas = { urbas = {
email = "matej.urbas@gmail.com"; email = "matej.urbas@gmail.com";
github = "urbas"; github = "urbas";
@ -13856,6 +13903,12 @@
github = "wamserma"; github = "wamserma";
githubId = 60148; githubId = 60148;
}; };
water-sucks = {
email = "varun@cvte.org";
name = "Varun Narravula";
github = "water-sucks";
githubId = 68445574;
};
waynr = { waynr = {
name = "Wayne Warren"; name = "Wayne Warren";
email = "wayne.warren.s@gmail.com"; email = "wayne.warren.s@gmail.com";
@ -13911,6 +13964,15 @@
github = "wentasah"; github = "wentasah";
githubId = 140542; githubId = 140542;
}; };
wesnel = {
name = "Wesley Nelson";
email = "wgn@wesnel.dev";
github = "wesnel";
githubId = 43357387;
keys = [{
fingerprint = "F844 80B2 0CA9 D6CC C7F5 2479 A776 D2AD 099E 8BC0";
}];
};
wheelsandmetal = { wheelsandmetal = {
email = "jakob@schmutz.co.uk"; email = "jakob@schmutz.co.uk";
github = "wheelsandmetal"; github = "wheelsandmetal";
@ -14058,6 +14120,15 @@
github = "wr0belj"; github = "wr0belj";
githubId = 40501814; githubId = 40501814;
}; };
wrmilling = {
name = "Winston R. Milling";
email = "Winston@Milli.ng";
github = "WRMilling";
githubId = 6162814;
keys = [{
fingerprint = "21E1 6B8D 2EE8 7530 6A6C 9968 D830 77B9 9F8C 6643";
}];
};
wscott = { wscott = {
email = "wsc9tt@gmail.com"; email = "wsc9tt@gmail.com";
github = "wscott"; github = "wscott";

7
nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
View File

@ -2130,6 +2130,13 @@ sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
</programlisting> </programlisting>
</listitem> </listitem>
<listitem>
<para>
Added the <literal>keter</literal> NixOS module. Keter reverse
proxies requests to your loaded application based on virtual
hostnames.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
If you are using Wayland you can choose to use the Ozone If you are using Wayland you can choose to use the Ozone

54
nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
View File

@ -70,6 +70,34 @@
with any supported NixOS release. with any supported NixOS release.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<literal>emacs</literal> enables native compilation which
means:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
emacs packages from nixpkgs, builtin or not, will do
native compilation ahead of time so you can enjoy the
benefit of native compilation without compiling them on
you machine;
</para>
</listitem>
<listitem>
<para>
emacs packages from somewhere else, e.g.
<literal>package-install</literal>, will do asynchronously
deferred native compilation. If you do not want this,
maybe to avoid CPU consumption for compilation, you can
use
<literal>(setq native-comp-deferred-compilation nil)</literal>
to disable it while still enjoy the benefit of native
compilation for packages from nixpkgs.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem> <listitem>
<para> <para>
<literal>nixos-generate-config</literal> now generates <literal>nixos-generate-config</literal> now generates
@ -97,7 +125,9 @@
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Cinnamon has been updated to 5.4. Cinnamon has been updated to 5.4. While at it, the cinnamon
module now defaults to blueman as bluetooth manager and
slick-greeter as lightdm greeter to match upstream.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
@ -138,6 +168,13 @@
<link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>. <link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://komga.org/">Komga</link>, a free and
open source comics/mangas media server. Available as
<link linkend="opt-services.komga.enable">services.komga</link>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<link xlink:href="https://hbase.apache.org/">HBase <link xlink:href="https://hbase.apache.org/">HBase
@ -161,6 +198,13 @@
<link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>. <link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://www.getoutline.com/">Outline</link>,
a wiki and knowledge base similar to Notion. Available as
<link linkend="opt-services.outline.enable">services.outline</link>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>, <link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>,
@ -191,6 +235,14 @@
<link linkend="opt-services.tempo.enable">services.tempo</link>. <link linkend="opt-services.tempo.enable">services.tempo</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://github.com/zalando/patroni">Patroni</link>,
a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
Available as
<link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="sec-release-22.11-incompatibilities"> <section xml:id="sec-release-22.11-incompatibilities">

1
nixos/doc/manual/release-notes/rl-2205.section.md
View File

@ -778,6 +778,7 @@ In addition to numerous new and upgraded packages, this release has the followin
sudo mkdir /var/lib/redis-peertube sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
``` ```
- Added the `keter` NixOS module. Keter reverse proxies requests to your loaded application based on virtual hostnames.
- If you are using Wayland you can choose to use the Ozone Wayland support - If you are using Wayland you can choose to use the Ozone Wayland support
in Chrome and several Electron apps by setting the environment variable in Chrome and several Electron apps by setting the environment variable

14
nixos/doc/manual/release-notes/rl-2211.section.md
View File

@ -35,6 +35,10 @@ In addition to numerous new and upgraded packages, this release has the followin
for a transition period so that in time the ecosystem can switch without for a transition period so that in time the ecosystem can switch without
breaking compatibility with any supported NixOS release. breaking compatibility with any supported NixOS release.
- `emacs` enables native compilation which means:
- emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
- emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs.
- `nixos-generate-config` now generates configurations that can be built in pure - `nixos-generate-config` now generates configurations that can be built in pure
mode. This is achieved by setting the new `nixpkgs.hostPlatform` option. mode. This is achieved by setting the new `nixpkgs.hostPlatform` option.
@ -46,7 +50,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- PHP now defaults to PHP 8.1, updated from 8.0. - PHP now defaults to PHP 8.1, updated from 8.0.
- Cinnamon has been updated to 5.4. - Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement. - `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement.
@ -59,6 +64,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable). - [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable). - [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. - [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
@ -67,6 +74,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization. - [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization.
Available as [services.kanata](options.html#opt-services.kanata.enable). Available as [services.kanata](options.html#opt-services.kanata.enable).
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable). - [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable). - [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
@ -75,6 +84,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable). - [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
Available as [services.patroni](options.html#opt-services.patroni.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.11-incompatibilities} ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}

2
nixos/lib/systemd-lib.nix
View File

@ -285,6 +285,8 @@ in rec {
Documentation = toString config.documentation; } Documentation = toString config.documentation; }
// optionalAttrs (config.onFailure != []) { // optionalAttrs (config.onFailure != []) {
OnFailure = toString config.onFailure; } OnFailure = toString config.onFailure; }
// optionalAttrs (config.onSuccess != []) {
OnSuccess = toString config.onSuccess; }
// optionalAttrs (options.startLimitIntervalSec.isDefined) { // optionalAttrs (options.startLimitIntervalSec.isDefined) {
StartLimitIntervalSec = toString config.startLimitIntervalSec; StartLimitIntervalSec = toString config.startLimitIntervalSec;
} // optionalAttrs (options.startLimitBurst.isDefined) { } // optionalAttrs (options.startLimitBurst.isDefined) {

9
nixos/lib/systemd-unit-options.nix
View File

@ -206,6 +206,15 @@ in rec {
''; '';
}; };
onSuccess = mkOption {
default = [];
type = types.listOf unitNameType;
description = ''
A list of one or more units that are activated when
this unit enters the "inactive" state.
'';
};
startLimitBurst = mkOption { startLimitBurst = mkOption {
type = types.int; type = types.int;
description = '' description = ''

10
nixos/modules/config/krb5/default.nix
View File

@ -204,11 +204,11 @@ in {
admin_server = SYSLOG:NOTICE admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE default = SYSLOG:NOTICE
''; '';
description = '' description = lib.mdDoc ''
These lines go to the end of <literal>krb5.conf</literal> verbatim. These lines go to the end of `krb5.conf` verbatim.
<literal>krb5.conf</literal> may include any of the relations that are `krb5.conf` may include any of the relations that are
valid for <literal>kdc.conf</literal> (see <literal>man valid for `kdc.conf` (see `man kdc.conf`),
kdc.conf</literal>), but it is not a recommended practice. but it is not a recommended practice.
''; '';
}; };

10
nixos/modules/config/ldap.nix
View File

@ -186,16 +186,16 @@ in
policy = mkOption { policy = mkOption {
default = "hard_open"; default = "hard_open";
type = types.enum [ "hard_open" "hard_init" "soft" ]; type = types.enum [ "hard_open" "hard_init" "soft" ];
description = '' description = lib.mdDoc ''
Specifies the policy to use for reconnecting to an unavailable Specifies the policy to use for reconnecting to an unavailable
LDAP server. The default is <literal>hard_open</literal>, which LDAP server. The default is `hard_open`, which
reconnects if opening the connection to the directory server reconnects if opening the connection to the directory server
failed. By contrast, <literal>hard_init</literal> reconnects if failed. By contrast, `hard_init` reconnects if
initializing the connection failed. Initializing may not initializing the connection failed. Initializing may not
actually contact the directory server, and it is possible that actually contact the directory server, and it is possible that
a malformed configuration file will trigger reconnection. If a malformed configuration file will trigger reconnection. If
<literal>soft</literal> is specified, then `soft` is specified, then
<package>nss_ldap</package> will return immediately on server `nss_ldap` will return immediately on server
failure. All hard reconnect policies block with exponential failure. All hard reconnect policies block with exponential
backoff before retrying. backoff before retrying.
''; '';

519
nixos/modules/config/mysql.nix Normal file
View File

@ -0,0 +1,519 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.users.mysql;
in
{
options = {
users.mysql = {
enable = mkEnableOption "Authentication against a MySQL/MariaDB database";
host = mkOption {
type = types.str;
example = "localhost";
description = "The hostname of the MySQL/MariaDB server";
};
database = mkOption {
type = types.str;
example = "auth";
description = "The name of the database containing the users";
};
user = mkOption {
type = types.str;
example = "nss-user";
description = "The username to use when connecting to the database";
};
passwordFile = mkOption {
type = types.path;
example = "/run/secrets/mysql-auth-db-passwd";
description = "The path to the file containing the password for the user";
};
pam = mkOption {
description = "Settings for <literal>pam_mysql</literal>";
type = types.submodule {
options = {
table = mkOption {
type = types.str;
example = "users";
description = "The name of table that maps unique login names to the passwords.";
};
updateTable = mkOption {
type = types.nullOr types.str;
default = null;
example = "users_updates";
description = ''
The name of the table used for password alteration. If not defined, the value
of the <literal>table</literal> option will be used instead.
'';
};
userColumn = mkOption {
type = types.str;
example = "username";
description = "The name of the column that contains a unix login name.";
};
passwordColumn = mkOption {
type = types.str;
example = "password";
description = "The name of the column that contains a (encrypted) password string.";
};
statusColumn = mkOption {
type = types.nullOr types.str;
default = null;
example = "status";
description = ''
The name of the column or an SQL expression that indicates the status of
the user. The status is expressed by the combination of two bitfields
shown below:
<itemizedlist>
<listitem>
<para>
<literal>bit 0 (0x01)</literal>:
if flagged, <literal>pam_mysql</literal> deems the account to be expired and
returns <literal>PAM_ACCT_EXPIRED</literal>. That is, the account is supposed
to no longer be available. Note this doesn't mean that <literal>pam_mysql</literal>
rejects further authentication operations.
</para>
</listitem>
<listitem>
<para>
<literal>bit 1 (0x02)</literal>:
if flagged, <literal>pam_mysql</literal> deems the authentication token
(password) to be expired and returns <literal>PAM_NEW_AUTHTOK_REQD</literal>.
This ends up requiring that the user enter a new password.
</para>
</listitem>
</itemizedlist>
'';
};
passwordCrypt = mkOption {
example = "2";
type = types.enum [
"0" "plain"
"1" "Y"
"2" "mysql"
"3" "md5"
"4" "sha1"
"5" "drupal7"
"6" "joomla15"
"7" "ssha"
"8" "sha512"
"9" "sha256"
];
description = ''
The method to encrypt the user's password:
<itemizedlist>
<listitem>
<para>
<literal>0</literal> (or <literal>"plain"</literal>):
No encryption. Passwords are stored in plaintext. HIGHLY DISCOURAGED.
</para>
</listitem>
<listitem>
<para>
<literal>1</literal> (or <literal>"Y"</literal>):
Use crypt(3) function.
</para>
</listitem>
<listitem>
<para>
<literal>2</literal> (or <literal>"mysql"</literal>):
Use the MySQL PASSWORD() function. It is possible that the encryption function used
by <literal>pam_mysql</literal> is different from that of the MySQL server, as
<literal>pam_mysql</literal> uses the function defined in MySQL's C-client API
instead of using PASSWORD() SQL function in the query.
</para>
</listitem>
<listitem>
<para>
<literal>3</literal> (or <literal>"md5"</literal>):
Use plain hex MD5.
</para>
</listitem>
<listitem>
<para>
<literal>4</literal> (or <literal>"sha1"</literal>):
Use plain hex SHA1.
</para>
</listitem>
<listitem>
<para>
<literal>5</literal> (or <literal>"drupal7"</literal>):
Use Drupal7 salted passwords.
</para>
</listitem>
<listitem>
<para>
<literal>6</literal> (or <literal>"joomla15"</literal>):
Use Joomla15 salted passwords.
</para>
</listitem>
<listitem>
<para>
<literal>7</literal> (or <literal>"ssha"</literal>):
Use ssha hashed passwords.
</para>
</listitem>
<listitem>
<para>
<literal>8</literal> (or <literal>"sha512"</literal>):
Use sha512 hashed passwords.
</para>
</listitem>
<listitem>
<para>
<literal>9</literal> (or <literal>"sha256"</literal>):
Use sha256 hashed passwords.
</para>
</listitem>
</itemizedlist>
'';
};
cryptDefault = mkOption {
type = types.nullOr (types.enum [ "md5" "sha256" "sha512" "blowfish" ]);
default = null;
example = "blowfish";
description = "The default encryption method to use for <literal>passwordCrypt = 1</literal>.";
};
where = mkOption {
type = types.nullOr types.str;
default = null;
example = "host.name='web' AND user.active=1";
description = "Additional criteria for the query.";
};
verbose = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, produces logs with detailed messages that describes what
<literal>pam_mysql</literal> is doing. May be useful for debugging.
'';
};
disconnectEveryOperation = mkOption {
type = types.bool;
default = false;
description = ''
By default, <literal>pam_mysql</literal> keeps the connection to the MySQL
database until the session is closed. If this option is set to true it
disconnects every time the PAM operation has finished. This option may
be useful in case the session lasts quite long.
'';
};
logging = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enables logging of authentication attempts in the MySQL database.";
};
table = mkOption {
type = types.str;
example = "logs";
description = "The name of the table to which logs are written.";
};
msgColumn = mkOption {
type = types.str;
example = "msg";
description = ''
The name of the column in the log table to which the description
of the performed operation is stored.
'';
};
userColumn = mkOption {
type = types.str;
example = "user";
description = ''
The name of the column in the log table to which the name of the
user being authenticated is stored.
'';
};
pidColumn = mkOption {
type = types.str;
example = "pid";
description = ''
The name of the column in the log table to which the pid of the
process utilising the <literal>pam_mysql's</literal> authentication
service is stored.
'';
};
hostColumn = mkOption {
type = types.str;
example = "host";
description = ''
The name of the column in the log table to which the name of the user
being authenticated is stored.
'';
};
rHostColumn = mkOption {
type = types.str;
example = "rhost";
description = ''
The name of the column in the log table to which the name of the remote
host that initiates the session is stored. The value is supposed to be
set by the PAM-aware application with <literal>pam_set_item(PAM_RHOST)
</literal>.
'';
};
timeColumn = mkOption {
type = types.str;
example = "timestamp";
description = ''
The name of the column in the log table to which the timestamp of the
log entry is stored.
'';
};
};
};
};
};
nss = mkOption {
description = ''
Settings for <literal>libnss-mysql</literal>.
All examples are from the <link xlink:href="https://github.com/saknopper/libnss-mysql/tree/master/sample/minimal">minimal example</link>
of <literal>libnss-mysql</literal>, but they are modified with NixOS paths for bash.
'';
type = types.submodule {
options = {
getpwnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE username='%1$s' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwnam.3.html">getpwnam</link>
syscall.
'';
};
getpwuid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE uid='%1$u' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwuid.3.html">getpwuid</link>
syscall.
'';
};
getspnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,password,'1','0','99999','0','0','-1','0' \
FROM users \
WHERE username='%1$s' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getspnam.3.html">getspnam</link>
syscall.
'';
};
getpwent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' FROM users
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwent.3.html">getpwent</link>
syscall.
'';
};
getspent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,password,'1','0','99999','0','0','-1','0' FROM users
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getspent.3.html">getspent</link>
syscall.
'';
};
getgrnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups WHERE name='%1$s' LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrnam.3.html">getgrnam</link>
syscall.
'';
};
getgrgid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups WHERE gid='%1$u' LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrgid.3.html">getgrgid</link>
syscall.
'';
};
getgrent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrent.3.html">getgrent</link>
syscall.
'';
};
memsbygid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username FROM grouplist WHERE gid='%1$u'
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/memsbygid.3.html">memsbygid</link>
syscall.
'';
};
gidsbymem = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT gid FROM grouplist WHERE username='%1$s'
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/gidsbymem.3.html">gidsbymem</link>
syscall.
'';
};
};
};
};
};
};
config = mkIf cfg.enable {
system.nssModules = [ pkgs.libnss-mysql ];
system.nssDatabases.shadow = [ "mysql" ];
system.nssDatabases.group = [ "mysql" ];
system.nssDatabases.passwd = [ "mysql" ];
environment.etc."security/pam_mysql.conf" = {
user = "root";
group = "root";
mode = "0600";
# password will be added from password file in activation script
text = ''
users.host=${cfg.host}
users.db_user=${cfg.user}
users.database=${cfg.database}
users.table=${cfg.pam.table}
users.user_column=${cfg.pam.userColumn}
users.password_column=${cfg.pam.passwordColumn}
users.password_crypt=${cfg.pam.passwordCrypt}
users.disconnect_every_operation=${if cfg.pam.disconnectEveryOperation then "1" else "0"}
verbose=${if cfg.pam.verbose then "1" else "0"}
'' + optionalString (cfg.pam.cryptDefault != null) ''
users.use_${cfg.pam.cryptDefault}=1
'' + optionalString (cfg.pam.where != null) ''
users.where_clause=${cfg.pam.where}
'' + optionalString (cfg.pam.statusColumn != null) ''
users.status_column=${cfg.pam.statusColumn}
'' + optionalString (cfg.pam.updateTable != null) ''
users.update_table=${cfg.pam.updateTable}
'' + optionalString cfg.pam.logging.enable ''
log.enabled=true
log.table=${cfg.pam.logging.table}
log.message_column=${cfg.pam.logging.msgColumn}
log.pid_column=${cfg.pam.logging.pidColumn}
log.user_column=${cfg.pam.logging.userColumn}
log.host_column=${cfg.pam.logging.hostColumn}
log.rhost_column=${cfg.pam.logging.rHostColumn}
log.time_column=${cfg.pam.logging.timeColumn}
'';
};
environment.etc."libnss-mysql.cfg" = {
mode = "0600";
user = config.services.nscd.user;
group = config.services.nscd.group;
text = optionalString (cfg.nss.getpwnam != null) ''
getpwnam ${cfg.nss.getpwnam}
'' + optionalString (cfg.nss.getpwuid != null) ''
getpwuid ${cfg.nss.getpwuid}
'' + optionalString (cfg.nss.getspnam != null) ''
getspnam ${cfg.nss.getspnam}
'' + optionalString (cfg.nss.getpwent != null) ''
getpwent ${cfg.nss.getpwent}
'' + optionalString (cfg.nss.getspent != null) ''
getspent ${cfg.nss.getspent}
'' + optionalString (cfg.nss.getgrnam != null) ''
getgrnam ${cfg.nss.getgrnam}
'' + optionalString (cfg.nss.getgrgid != null) ''
getgrgid ${cfg.nss.getgrgid}
'' + optionalString (cfg.nss.getgrent != null) ''
getgrent ${cfg.nss.getgrent}
'' + optionalString (cfg.nss.memsbygid != null) ''
memsbygid ${cfg.nss.memsbygid}
'' + optionalString (cfg.nss.gidsbymem != null) ''
gidsbymem ${cfg.nss.gidsbymem}
'' + ''
host ${cfg.host}
database ${cfg.database}
'';
};
environment.etc."libnss-mysql-root.cfg" = {
mode = "0600";
user = config.services.nscd.user;
group = config.services.nscd.group;
# password will be added from password file in activation script
text = ''
username ${cfg.user}
'';
};
# Activation script to append the password from the password file
# to the configuration files. It also fixes the owner of the
# libnss-mysql-root.cfg because it is changed to root after the
# password is appended.
system.activationScripts.mysql-auth-passwords = ''
if [[ -r ${cfg.passwordFile} ]]; then
org_umask=$(umask)
umask 0077
conf_nss="$(mktemp)"
cp /etc/libnss-mysql-root.cfg $conf_nss
printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
conf_pam="$(mktemp)"
cp /etc/security/pam_mysql.conf $conf_pam
printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
mv -fT "$conf_pam" /etc/security/pam_mysql.conf
umask $org_umask
fi
'';
};
}

10
nixos/modules/config/system-path.nix
View File

@ -84,19 +84,19 @@ in
<programlisting>${defaultPackagesText}</programlisting> <programlisting>${defaultPackagesText}</programlisting>
''; '';
example = []; example = [];
description = '' description = lib.mdDoc ''
Set of default packages that aren't strictly necessary Set of default packages that aren't strictly necessary
for a running system, entries can be removed for a more for a running system, entries can be removed for a more
minimal NixOS installation. minimal NixOS installation.
Note: If <package>pkgs.nano</package> is removed from this list, Note: If `pkgs.nano` is removed from this list,
make sure another editor is installed and the make sure another editor is installed and the
<literal>EDITOR</literal> environment variable is set to it. `EDITOR` environment variable is set to it.
Environment variables can be set using Environment variables can be set using
<option>environment.variables</option>. {option}`environment.variables`.
Like with systemPackages, packages are installed to Like with systemPackages, packages are installed to
<filename>/run/current-system/sw</filename>. They are {file}`/run/current-system/sw`. They are
automatically available to all users, and are automatically available to all users, and are
automatically updated every time you rebuild the system automatically updated every time you rebuild the system
configuration. configuration.

6
nixos/modules/config/xdg/portal.nix
View File

@ -40,12 +40,12 @@ in
extraPortals = mkOption { extraPortals = mkOption {
type = types.listOf types.package; type = types.listOf types.package;
default = [ ]; default = [ ];
description = '' description = lib.mdDoc ''
List of additional portals to add to path. Portals allow interaction List of additional portals to add to path. Portals allow interaction
with system, like choosing files or taking screenshots. At minimum, with system, like choosing files or taking screenshots. At minimum,
a desktop portal implementation should be listed. GNOME and KDE already a desktop portal implementation should be listed. GNOME and KDE already
adds <package>xdg-desktop-portal-gtk</package>; and adds `xdg-desktop-portal-gtk`; and
<package>xdg-desktop-portal-kde</package> respectively. On other desktop `xdg-desktop-portal-kde` respectively. On other desktop
environments you probably want to add them yourself. environments you probably want to add them yourself.
''; '';
}; };

6
nixos/modules/config/xdg/portals/lxqt.nix
View File

@ -15,7 +15,7 @@ in
enable = mkEnableOption '' enable = mkEnableOption ''
the desktop portal for the LXQt desktop environment. the desktop portal for the LXQt desktop environment.
This will add the <package>lxqt.xdg-desktop-portal-lxqt</package> This will add the <literal>lxqt.xdg-desktop-portal-lxqt</literal>
package (with the extra Qt styles) into the package (with the extra Qt styles) into the
<option>xdg.portal.extraPortals</option> option <option>xdg.portal.extraPortals</option> option
''; '';
@ -29,9 +29,9 @@ in
pkgs.qtcurve pkgs.qtcurve
]; ];
''; '';
description = '' description = lib.mdDoc ''
Extra Qt styles that will be available to the Extra Qt styles that will be available to the
<package>lxqt.xdg-desktop-portal-lxqt</package>. `lxqt.xdg-desktop-portal-lxqt`.
''; '';
}; };
}; };

8
nixos/modules/config/xdg/portals/wlr.nix
View File

@ -17,16 +17,16 @@ in
enable = mkEnableOption '' enable = mkEnableOption ''
desktop portal for wlroots-based desktops desktop portal for wlroots-based desktops
This will add the <package>xdg-desktop-portal-wlr</package> package into This will add the <literal>xdg-desktop-portal-wlr</literal> package into
the <option>xdg.portal.extraPortals</option> option, and provide the the <option>xdg.portal.extraPortals</option> option, and provide the
configuration file configuration file
''; '';
settings = mkOption { settings = mkOption {
description = '' description = lib.mdDoc ''
Configuration for <package>xdg-desktop-portal-wlr</package>. Configuration for `xdg-desktop-portal-wlr`.
See <literal>xdg-desktop-portal-wlr(5)</literal> for supported See `xdg-desktop-portal-wlr(5)` for supported
values. values.
''; '';

10
nixos/modules/config/zram.nix
View File

@ -103,12 +103,12 @@ in
default = "zstd"; default = "zstd";
example = "lz4"; example = "lz4";
type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str; type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str;
description = '' description = lib.mdDoc ''
Compression algorithm. <literal>lzo</literal> has good compression, Compression algorithm. `lzo` has good compression,
but is slow. <literal>lz4</literal> has bad compression, but is fast. but is slow. `lz4` has bad compression, but is fast.
<literal>zstd</literal> is both good compression and fast, but requires newer kernel. `zstd` is both good compression and fast, but requires newer kernel.
You can check what other algorithms are supported by your zram device with You can check what other algorithms are supported by your zram device with
<programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting> {command}`cat /sys/class/block/zram*/comp_algorithm`
''; '';
}; };
}; };

2
nixos/modules/hardware/corectrl.nix
View File

@ -20,7 +20,7 @@ in
type = types.str; type = types.str;
default = "0xfffd7fff"; default = "0xfffd7fff";
example = "0xffffffff"; example = "0xffffffff";
description = '' description = lib.mdDoc ''
Sets the `amdgpu.ppfeaturemask` kernel option. Sets the `amdgpu.ppfeaturemask` kernel option.
In particular, it is used here to set the overdrive bit. In particular, it is used here to set the overdrive bit.
Default is `0xfffd7fff` as it is less likely to cause flicker issues. Default is `0xfffd7fff` as it is less likely to cause flicker issues.

6
nixos/modules/hardware/cpu/amd-sev.nix
View File

@ -8,17 +8,17 @@ in
options.hardware.cpu.amd.sev = { options.hardware.cpu.amd.sev = {
enable = mkEnableOption "access to the AMD SEV device"; enable = mkEnableOption "access to the AMD SEV device";
user = mkOption { user = mkOption {
description = "Owner to assign to the SEV device."; description = lib.mdDoc "Owner to assign to the SEV device.";
type = types.str; type = types.str;
default = "root"; default = "root";
}; };
group = mkOption { group = mkOption {
description = "Group to assign to the SEV device."; description = lib.mdDoc "Group to assign to the SEV device.";
type = types.str; type = types.str;
default = defaultGroup; default = defaultGroup;
}; };
mode = mkOption { mode = mkOption {
description = "Mode to set for the SEV device."; description = lib.mdDoc "Mode to set for the SEV device.";
type = types.str; type = types.str;
default = "0660"; default = "0660";
}; };

23
nixos/modules/hardware/device-tree.nix
View File

@ -56,23 +56,6 @@ let
}; };
}; };
# this requires kernel package
dtbsWithSymbols = pkgs.stdenv.mkDerivation {
name = "dtbs-with-symbols";
inherit (cfg.kernelPackage) src nativeBuildInputs depsBuildBuild;
patches = map (patch: patch.patch) cfg.kernelPackage.kernelPatches;
buildPhase = ''
patchShebangs scripts/*
substituteInPlace scripts/Makefile.lib \
--replace 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget))' 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget)) -@'
make ${pkgs.stdenv.hostPlatform.linux-kernel.baseConfig} ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
make dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
installPhase = ''
make dtbs_install INSTALL_DTBS_PATH=$out/dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
};
filterDTBs = src: if isNull cfg.filter filterDTBs = src: if isNull cfg.filter
then "${src}/dtbs" then "${src}/dtbs"
else else
@ -83,6 +66,8 @@ let
| xargs -0 cp -v --no-preserve=mode --target-directory $out --parents | xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
''; '';
filteredDTBs = filterDTBs cfg.kernelPackage;
# Compile single Device Tree overlay source # Compile single Device Tree overlay source
# file (.dts) into its compiled variant (.dtbo) # file (.dts) into its compiled variant (.dtbo)
compileDTS = name: f: pkgs.callPackage({ stdenv, dtc }: stdenv.mkDerivation { compileDTS = name: f: pkgs.callPackage({ stdenv, dtc }: stdenv.mkDerivation {
@ -197,7 +182,7 @@ in
}; };
hardware.deviceTree.package = if (cfg.overlays != []) hardware.deviceTree.package = if (cfg.overlays != [])
then pkgs.deviceTree.applyOverlays (filterDTBs dtbsWithSymbols) (withDTBOs cfg.overlays) then pkgs.deviceTree.applyOverlays filteredDTBs (withDTBOs cfg.overlays)
else (filterDTBs cfg.kernelPackage); else filteredDTBs;
}; };
} }

8
nixos/modules/hardware/video/hidpi.nix
View File

@ -11,6 +11,14 @@ with lib;
console.earlySetup = mkDefault true; console.earlySetup = mkDefault true;
boot.loader.systemd-boot.consoleMode = mkDefault "1"; boot.loader.systemd-boot.consoleMode = mkDefault "1";
# Grayscale anti-aliasing for fonts
fonts.fontconfig.antialias = mkDefault true;
fonts.fontconfig.subpixel = {
rgba = mkDefault "none";
lcdfilter = mkDefault "none";
};
# TODO Find reasonable defaults X11 & wayland # TODO Find reasonable defaults X11 & wayland
}; };
} }

26
nixos/modules/installer/sd-card/sd-image.nix
View File

@ -35,14 +35,14 @@ in
options.sdImage = { options.sdImage = {
imageName = mkOption { imageName = mkOption {
default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img"; default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img";
description = '' description = lib.mdDoc ''
Name of the generated image file. Name of the generated image file.
''; '';
}; };
imageBaseName = mkOption { imageBaseName = mkOption {
default = "nixos-sd-image"; default = "nixos-sd-image";
description = '' description = lib.mdDoc ''
Prefix of the name of the generated image file. Prefix of the name of the generated image file.
''; '';
}; };
@ -50,7 +50,7 @@ in
storePaths = mkOption { storePaths = mkOption {
type = with types; listOf package; type = with types; listOf package;
example = literalExpression "[ pkgs.stdenv ]"; example = literalExpression "[ pkgs.stdenv ]";
description = '' description = lib.mdDoc ''
Derivations to be included in the Nix store in the generated SD image. Derivations to be included in the Nix store in the generated SD image.
''; '';
}; };
@ -74,7 +74,7 @@ in
firmwarePartitionID = mkOption { firmwarePartitionID = mkOption {
type = types.str; type = types.str;
default = "0x2178694e"; default = "0x2178694e";
description = '' description = lib.mdDoc ''
Volume ID for the /boot/firmware partition on the SD card. This value Volume ID for the /boot/firmware partition on the SD card. This value
must be a 32-bit hexadecimal number. must be a 32-bit hexadecimal number.
''; '';
@ -83,7 +83,7 @@ in
firmwarePartitionName = mkOption { firmwarePartitionName = mkOption {
type = types.str; type = types.str;
default = "FIRMWARE"; default = "FIRMWARE";
description = '' description = lib.mdDoc ''
Name of the filesystem which holds the boot firmware. Name of the filesystem which holds the boot firmware.
''; '';
}; };
@ -92,7 +92,7 @@ in
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7"; example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7";
description = '' description = lib.mdDoc ''
UUID for the filesystem on the main NixOS partition on the SD card. UUID for the filesystem on the main NixOS partition on the SD card.
''; '';
}; };
@ -101,14 +101,14 @@ in
type = types.int; type = types.int;
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB # As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 30; default = 30;
description = '' description = lib.mdDoc ''
Size of the /boot/firmware partition, in megabytes. Size of the /boot/firmware partition, in megabytes.
''; '';
}; };
populateFirmwareCommands = mkOption { populateFirmwareCommands = mkOption {
example = literalExpression "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''"; example = literalExpression "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''";
description = '' description = lib.mdDoc ''
Shell commands to populate the ./firmware directory. Shell commands to populate the ./firmware directory.
All files in that directory are copied to the All files in that directory are copied to the
/boot/firmware partition on the SD image. /boot/firmware partition on the SD image.
@ -117,7 +117,7 @@ in
populateRootCommands = mkOption { populateRootCommands = mkOption {
example = literalExpression "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''"; example = literalExpression "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''";
description = '' description = lib.mdDoc ''
Shell commands to populate the ./files directory. Shell commands to populate the ./files directory.
All files in that directory are copied to the All files in that directory are copied to the
root (/) partition on the SD image. Use this to root (/) partition on the SD image. Use this to
@ -128,7 +128,7 @@ in
postBuildCommands = mkOption { postBuildCommands = mkOption {
example = literalExpression "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''"; example = literalExpression "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''";
default = ""; default = "";
description = '' description = lib.mdDoc ''
Shell commands to run after the image is built. Shell commands to run after the image is built.
Can be used for boards requiring to dd u-boot SPL before actual partitions. Can be used for boards requiring to dd u-boot SPL before actual partitions.
''; '';
@ -137,16 +137,16 @@ in
compressImage = mkOption { compressImage = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = '' description = lib.mdDoc ''
Whether the SD image should be compressed using Whether the SD image should be compressed using
<command>zstd</command>. {command}`zstd`.
''; '';
}; };
expandOnBoot = mkOption { expandOnBoot = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = '' description = lib.mdDoc ''
Whether to configure the sd image to expand it's partition on boot. Whether to configure the sd image to expand it's partition on boot.
''; '';
}; };

2
nixos/modules/misc/documentation.nix
View File

@ -241,7 +241,7 @@ in
nixos.extraModules = mkOption { nixos.extraModules = mkOption {
type = types.listOf types.raw; type = types.listOf types.raw;
default = []; default = [];
description = '' description = lib.mdDoc ''
Modules for which to show options even when not imported. Modules for which to show options even when not imported.
''; '';
}; };

20
nixos/modules/misc/nixpkgs.nix
View File

@ -117,13 +117,13 @@ in
''; '';
type = pkgsType; type = pkgsType;
example = literalExpression "import <nixpkgs> {}"; example = literalExpression "import <nixpkgs> {}";
description = '' description = lib.mdDoc ''
If set, the pkgs argument to all NixOS modules is the value of If set, the pkgs argument to all NixOS modules is the value of
this option, extended with <literal>nixpkgs.overlays</literal>, if this option, extended with `nixpkgs.overlays`, if
that is also set. Either <literal>nixpkgs.crossSystem</literal> or that is also set. Either `nixpkgs.crossSystem` or
<literal>nixpkgs.localSystem</literal> will be used in an assertion `nixpkgs.localSystem` will be used in an assertion
to check that the NixOS and Nixpkgs architectures match. Any to check that the NixOS and Nixpkgs architectures match. Any
other options in <literal>nixpkgs.*</literal>, notably <literal>config</literal>, other options in `nixpkgs.*`, notably `config`,
will be ignored. will be ignored.
If unset, the pkgs argument to all NixOS modules is determined If unset, the pkgs argument to all NixOS modules is determined
@ -132,18 +132,18 @@ in
The default value imports the Nixpkgs source files The default value imports the Nixpkgs source files
relative to the location of this NixOS module, because relative to the location of this NixOS module, because
NixOS and Nixpkgs are distributed together for consistency, NixOS and Nixpkgs are distributed together for consistency,
so the <literal>nixos</literal> in the default value is in fact a so the `nixos` in the default value is in fact a
relative path. The <literal>config</literal>, <literal>overlays</literal>, relative path. The `config`, `overlays`,
<literal>localSystem</literal>, and <literal>crossSystem</literal> come `localSystem`, and `crossSystem` come
from this option's siblings. from this option's siblings.
This option can be used by applications like NixOps to increase This option can be used by applications like NixOps to increase
the performance of evaluation, or to create packages that depend the performance of evaluation, or to create packages that depend
on a container that should be built with the exact same evaluation on a container that should be built with the exact same evaluation
of Nixpkgs, for example. Applications like this should set of Nixpkgs, for example. Applications like this should set
their default value using <literal>lib.mkDefault</literal>, so their default value using `lib.mkDefault`, so
user-provided configuration can override it without using user-provided configuration can override it without using
<literal>lib</literal>. `lib`.
Note that using a distinct version of Nixpkgs with NixOS may Note that using a distinct version of Nixpkgs with NixOS may
be an unexpected source of problems. Use this option with care. be an unexpected source of problems. Use this option with care.

2
nixos/modules/misc/wordlist.nix
View File

@ -23,7 +23,7 @@ in
} }
''; '';
description = '' description = lib.mdDoc ''
A set with the key names being the environment variable you'd like to A set with the key names being the environment variable you'd like to
set and the values being a list of paths to text documents containing set and the values being a list of paths to text documents containing
lists of words. The various files will be merged, sorted, duplicates lists of words. The various files will be merged, sorted, duplicates

7
nixos/modules/module-list.nix
View File

@ -22,6 +22,7 @@
./config/ldap.nix ./config/ldap.nix
./config/locale.nix ./config/locale.nix
./config/malloc.nix ./config/malloc.nix
./config/mysql.nix
./config/networking.nix ./config/networking.nix
./config/no-x-libs.nix ./config/no-x-libs.nix
./config/nsswitch.nix ./config/nsswitch.nix
@ -329,6 +330,7 @@
./services/cluster/kubernetes/proxy.nix ./services/cluster/kubernetes/proxy.nix
./services/cluster/kubernetes/scheduler.nix ./services/cluster/kubernetes/scheduler.nix
./services/cluster/pacemaker/default.nix ./services/cluster/pacemaker/default.nix
./services/cluster/patroni/default.nix
./services/cluster/spark/default.nix ./services/cluster/spark/default.nix
./services/computing/boinc/client.nix ./services/computing/boinc/client.nix
./services/computing/foldingathome/client.nix ./services/computing/foldingathome/client.nix
@ -618,6 +620,7 @@
./services/misc/plikd.nix ./services/misc/plikd.nix
./services/misc/podgrab.nix ./services/misc/podgrab.nix
./services/misc/polaris.nix ./services/misc/polaris.nix
./services/misc/portunus.nix
./services/misc/prowlarr.nix ./services/misc/prowlarr.nix
./services/misc/tautulli.nix ./services/misc/tautulli.nix
./services/misc/pinnwand.nix ./services/misc/pinnwand.nix
@ -637,6 +640,7 @@
./services/misc/sonarr.nix ./services/misc/sonarr.nix
./services/misc/sourcehut ./services/misc/sourcehut
./services/misc/spice-vdagentd.nix ./services/misc/spice-vdagentd.nix
./services/misc/spice-webdavd.nix
./services/misc/ssm-agent.nix ./services/misc/ssm-agent.nix
./services/misc/sssd.nix ./services/misc/sssd.nix
./services/misc/subsonic.nix ./services/misc/subsonic.nix
@ -1074,6 +1078,7 @@
./services/web-apps/jirafeau.nix ./services/web-apps/jirafeau.nix
./services/web-apps/jitsi-meet.nix ./services/web-apps/jitsi-meet.nix
./services/web-apps/keycloak.nix ./services/web-apps/keycloak.nix
./services/web-apps/komga.nix
./services/web-apps/lemmy.nix ./services/web-apps/lemmy.nix
./services/web-apps/invidious.nix ./services/web-apps/invidious.nix
./services/web-apps/invoiceplane.nix ./services/web-apps/invoiceplane.nix
@ -1099,6 +1104,7 @@
./services/web-apps/prosody-filer.nix ./services/web-apps/prosody-filer.nix
./services/web-apps/matomo.nix ./services/web-apps/matomo.nix
./services/web-apps/openwebrx.nix ./services/web-apps/openwebrx.nix
./services/web-apps/outline.nix
./services/web-apps/restya-board.nix ./services/web-apps/restya-board.nix
./services/web-apps/sogo.nix ./services/web-apps/sogo.nix
./services/web-apps/rss-bridge.nix ./services/web-apps/rss-bridge.nix
@ -1134,6 +1140,7 @@
./services/web-servers/pomerium.nix ./services/web-servers/pomerium.nix
./services/web-servers/unit/default.nix ./services/web-servers/unit/default.nix
./services/web-servers/tomcat.nix ./services/web-servers/tomcat.nix
./services/web-servers/keter
./services/web-servers/traefik.nix ./services/web-servers/traefik.nix
./services/web-servers/trafficserver/default.nix ./services/web-servers/trafficserver/default.nix
./services/web-servers/ttyd.nix ./services/web-servers/ttyd.nix

6
nixos/modules/programs/captive-browser.nix
View File

@ -85,9 +85,9 @@ in
bindInterface = mkOption { bindInterface = mkOption {
default = true; default = true;
type = types.bool; type = types.bool;
description = '' description = lib.mdDoc ''
Binds <package>captive-browser</package> to the network interface declared in Binds `captive-browser` to the network interface declared in
<literal>cfg.interface</literal>. This can be used to avoid collisions `cfg.interface`. This can be used to avoid collisions
with private subnets. with private subnets.
''; '';
}; };

4
nixos/modules/programs/chromium.nix
View File

@ -76,10 +76,10 @@ in
extraOpts = mkOption { extraOpts = mkOption {
type = types.attrs; type = types.attrs;
description = '' description = lib.mdDoc ''
Extra chromium policy options. A list of available policies Extra chromium policy options. A list of available policies
can be found in the Chrome Enterprise documentation: can be found in the Chrome Enterprise documentation:
<link xlink:href="https://cloud.google.com/docs/chrome-enterprise/policies/">https://cloud.google.com/docs/chrome-enterprise/policies/</link> <https://cloud.google.com/docs/chrome-enterprise/policies/>
Make sure the selected policy is supported on Linux and your browser version. Make sure the selected policy is supported on Linux and your browser version.
''; '';
default = {}; default = {};

14
nixos/modules/programs/k3b.nix
View File

@ -8,15 +8,15 @@ with lib;
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Whether to enable k3b, the KDE disk burning application. Whether to enable k3b, the KDE disk burning application.
Additionally to installing <package>k3b</package> enabling this will Additionally to installing `k3b` enabling this will
add <literal>setuid</literal> wrappers in <literal>/run/wrappers/bin</literal> add `setuid` wrappers in `/run/wrappers/bin`
for both <package>cdrdao</package> and <package>cdrecord</package>. On first for both `cdrdao` and `cdrecord`. On first
run you must manually configure the path of <package>cdrdae</package> and run you must manually configure the path of `cdrdae` and
<package>cdrecord</package> to correspond to the appropriate paths under `cdrecord` to correspond to the appropriate paths under
<literal>/run/wrappers/bin</literal> in the "Setup External Programs" menu. `/run/wrappers/bin` in the "Setup External Programs" menu.
''; '';
}; };
}; };

2
nixos/modules/programs/mosh.nix
View File

@ -17,7 +17,7 @@ in
type = lib.types.bool; type = lib.types.bool;
}; };
withUtempter = mkOption { withUtempter = mkOption {
description = '' description = lib.mdDoc ''
Whether to enable libutempter for mosh. Whether to enable libutempter for mosh.
This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions).
Note, this will add a guid wrapper for the group utmp! Note, this will add a guid wrapper for the group utmp!

2
nixos/modules/programs/msmtp.nix
View File

@ -45,7 +45,7 @@ in {
passwordeval = "cat /secrets/password.txt"; passwordeval = "cat /secrets/password.txt";
}; };
}; };
description = '' description = lib.mdDoc ''
Named accounts and their respective configurations. Named accounts and their respective configurations.
The special name "default" allows a default account to be defined. The special name "default" allows a default account to be defined.
See msmtp(1) for the available options. See msmtp(1) for the available options.

8
nixos/modules/programs/ssh.nix
View File

@ -93,10 +93,10 @@ in
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
description = '' description = lib.mdDoc ''
Extra configuration text prepended to <filename>ssh_config</filename>. Other generated Extra configuration text prepended to {file}`ssh_config`. Other generated
options will be added after a <literal>Host *</literal> pattern. options will be added after a `Host *` pattern.
See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> See {manpage}`ssh_config(5)`
for help. for help.
''; '';
}; };

2
nixos/modules/programs/thefuck.nix
View File

@ -22,7 +22,7 @@ in
default = "fuck"; default = "fuck";
type = types.str; type = types.str;
description = '' description = lib.mdDoc ''
`thefuck` needs an alias to be configured. `thefuck` needs an alias to be configured.
The default value is `fuck`, but you can use anything else as well. The default value is `fuck`, but you can use anything else as well.
''; '';

10
nixos/modules/programs/tsm-client.nix
View File

@ -95,13 +95,13 @@ let
exclude.dir /nix/store exclude.dir /nix/store
include.encrypt /home/.../* include.encrypt /home/.../*
''; '';
description = '' description = lib.mdDoc ''
<literal>include.*</literal> and `include.*` and
<literal>exclude.*</literal> directives to be `exclude.*` directives to be
used when sending files to the IBM TSM server. used when sending files to the IBM TSM server.
The lines will be written into a file that the The lines will be written into a file that the
<literal>inclexcl</literal> `inclexcl`
directive in <filename>dsm.sys</filename> points to. directive in {file}`dsm.sys` points to.
''; '';
}; };
options.extraConfig = mkOption { options.extraConfig = mkOption {

2
nixos/modules/programs/yabar.nix
View File

@ -62,7 +62,7 @@ in
to use `yabar-unstable'. to use `yabar-unstable'.
''; '';
description = '' description = lib.mdDoc ''
The package which contains the `yabar` binary. The package which contains the `yabar` binary.
Nixpkgs provides the `yabar` and `yabar-unstable` Nixpkgs provides the `yabar` and `yabar-unstable`

8
nixos/modules/programs/zsh/oh-my-zsh.nix
View File

@ -49,7 +49,7 @@ in
package = mkOption { package = mkOption {
default = pkgs.oh-my-zsh; default = pkgs.oh-my-zsh;
defaultText = literalExpression "pkgs.oh-my-zsh"; defaultText = literalExpression "pkgs.oh-my-zsh";
description = '' description = lib.mdDoc ''
Package to install for `oh-my-zsh` usage. Package to install for `oh-my-zsh` usage.
''; '';
@ -67,7 +67,7 @@ in
custom = mkOption { custom = mkOption {
default = null; default = null;
type = with types; nullOr str; type = with types; nullOr str;
description = '' description = lib.mdDoc ''
Path to a custom oh-my-zsh package to override config of oh-my-zsh. Path to a custom oh-my-zsh package to override config of oh-my-zsh.
(Can't be used along with `customPkgs`). (Can't be used along with `customPkgs`).
''; '';
@ -76,7 +76,7 @@ in
customPkgs = mkOption { customPkgs = mkOption {
default = []; default = [];
type = types.listOf types.package; type = types.listOf types.package;
description = '' description = lib.mdDoc ''
List of custom packages that should be loaded into `oh-my-zsh`. List of custom packages that should be loaded into `oh-my-zsh`.
''; '';
}; };
@ -92,7 +92,7 @@ in
cacheDir = mkOption { cacheDir = mkOption {
default = "$HOME/.cache/oh-my-zsh"; default = "$HOME/.cache/oh-my-zsh";
type = types.str; type = types.str;
description = '' description = lib.mdDoc ''
Cache directory to be used by `oh-my-zsh`. Cache directory to be used by `oh-my-zsh`.
Without this option it would default to the read-only nix store. Without this option it would default to the read-only nix store.
''; '';

2
nixos/modules/programs/zsh/zsh-autoenv.nix
View File

@ -11,7 +11,7 @@ in {
package = mkOption { package = mkOption {
default = pkgs.zsh-autoenv; default = pkgs.zsh-autoenv;
defaultText = literalExpression "pkgs.zsh-autoenv"; defaultText = literalExpression "pkgs.zsh-autoenv";
description = '' description = lib.mdDoc ''
Package to install for `zsh-autoenv` usage. Package to install for `zsh-autoenv` usage.
''; '';

2
nixos/modules/programs/zsh/zsh-autosuggestions.nix
View File

@ -24,7 +24,7 @@ in
strategy = mkOption { strategy = mkOption {
type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]); type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]);
default = [ "history" ]; default = [ "history" ];
description = '' description = lib.mdDoc ''
`ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated. `ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated.
The strategies in the array are tried successively until a suggestion is found. The strategies in the array are tried successively until a suggestion is found.
There are currently three built-in strategies to choose from: There are currently three built-in strategies to choose from:

2
nixos/modules/security/acme/default.nix
View File

@ -676,7 +676,7 @@ let
inheritDefaults = mkOption { inheritDefaults = mkOption {
default = true; default = true;
example = true; example = true;
description = "Whether to inherit values set in `security.acme.defaults` or not."; description = lib.mdDoc "Whether to inherit values set in `security.acme.defaults` or not.";
type = lib.types.bool; type = lib.types.bool;
}; };
}; };

4
nixos/modules/security/acme/doc.xml
View File

@ -81,8 +81,8 @@ services.nginx = {
}; };
# We can also add a different vhost and reuse the same certificate # We can also add a different vhost and reuse the same certificate
# but we have to append extraDomainNames manually. # but we have to append extraDomainNames manually beforehand:
<link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ]; # <link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
"baz.example.com" = { "baz.example.com" = {
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com"; <link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";

2
nixos/modules/security/dhparams.nix
View File

@ -94,7 +94,7 @@ in {
<note><para>If this is <literal>false</literal> the resulting store <note><para>If this is <literal>false</literal> the resulting store
path will be non-deterministic and will be rebuilt every time the path will be non-deterministic and will be rebuilt every time the
<package>openssl</package> package changes.</para></note> <literal>openssl</literal> package changes.</para></note>
''; '';
}; };

63
nixos/modules/security/pam.nix
View File

@ -142,6 +142,16 @@ let
''; '';
}; };
mysqlAuth = mkOption {
default = config.users.mysql.enable;
defaultText = literalExpression "config.users.mysql.enable";
type = types.bool;
description = ''
If set, the <literal>pam_mysql</literal> module will be used to
authenticate users against a MySQL/MariaDB database.
'';
};
fprintAuth = mkOption { fprintAuth = mkOption {
default = config.services.fprintd.enable; default = config.services.fprintd.enable;
defaultText = literalExpression "config.services.fprintd.enable"; defaultText = literalExpression "config.services.fprintd.enable";
@ -310,11 +320,10 @@ let
limits = mkOption { limits = mkOption {
default = []; default = [];
type = limitsType; type = limitsType;
description = '' description = lib.mdDoc ''
Attribute set describing resource limits. Defaults to the Attribute set describing resource limits. Defaults to the
value of <option>security.pam.loginLimits</option>. value of {option}`security.pam.loginLimits`.
The meaning of the values is explained in <citerefentry> The meaning of the values is explained in {manpage}`limits.conf(5)`.
<refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
''; '';
}; };
@ -441,11 +450,13 @@ let
( (
'' ''
# Account management. # Account management.
account required pam_unix.so
'' + '' +
optionalString use_ldap '' optionalString use_ldap ''
account sufficient ${pam_ldap}/lib/security/pam_ldap.so account sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' + '' +
optionalString cfg.mysqlAuth ''
account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
'' + '' +
@ -459,7 +470,11 @@ let
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' + '' +
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
'' ''
account required pam_unix.so
# Authentication management. # Authentication management.
'' + '' +
@ -475,6 +490,9 @@ let
optionalString cfg.logFailures '' optionalString cfg.logFailures ''
auth required pam_faillock.so auth required pam_faillock.so
'' + '' +
optionalString cfg.mysqlAuth ''
auth sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) '' optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles} auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
'' + '' +
@ -503,7 +521,7 @@ let
# Modules in this block require having the password set in PAM_AUTHTOK. # Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
# after it succeeds. Certain modules need to run after pam_unix # after it succeeds. Certain modules need to run after pam_unix
# prompts the user for password so we run it once with 'required' at an # prompts the user for password so we run it once with 'optional' at an
# earlier point and it will run again with 'sufficient' further down. # earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice # We use try_first_pass the second time to avoid prompting password twice
(optionalString (cfg.unixAuth && (optionalString (cfg.unixAuth &&
@ -516,7 +534,7 @@ let
|| cfg.duoSecurity.enable)) || cfg.duoSecurity.enable))
( (
'' ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
'' + '' +
optionalString config.security.pam.enableEcryptfs '' optionalString config.security.pam.enableEcryptfs ''
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
@ -572,6 +590,9 @@ let
optionalString use_ldap '' optionalString use_ldap ''
password sufficient ${pam_ldap}/lib/security/pam_ldap.so password sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' + '' +
optionalString cfg.mysqlAuth ''
password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.sssd.enable '' optionalString config.services.sssd.enable ''
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
'' + '' +
@ -615,6 +636,9 @@ let
optionalString use_ldap '' optionalString use_ldap ''
session optional ${pam_ldap}/lib/security/pam_ldap.so session optional ${pam_ldap}/lib/security/pam_ldap.so
'' + '' +
optionalString cfg.mysqlAuth ''
session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.sssd.enable '' optionalString config.services.sssd.enable ''
session optional ${pkgs.sssd}/lib/security/pam_sss.so session optional ${pkgs.sssd}/lib/security/pam_sss.so
'' + '' +
@ -749,18 +773,18 @@ in
} }
]; ];
description = description = ''
'' Define resource limits that should apply to users or groups. Define resource limits that should apply to users or groups.
Each item in the list should be an attribute set with a Each item in the list should be an attribute set with a
<varname>domain</varname>, <varname>type</varname>, <varname>domain</varname>, <varname>type</varname>,
<varname>item</varname>, and <varname>value</varname> <varname>item</varname>, and <varname>value</varname>
attribute. The syntax and semantics of these attributes attribute. The syntax and semantics of these attributes
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Note that these limits do not apply to systemd services, Note that these limits do not apply to systemd services,
whose limits can be changed via <option>systemd.extraConfig</option> whose limits can be changed via <option>systemd.extraConfig</option>
instead. instead.
''; '';
}; };
security.pam.services = mkOption { security.pam.services = mkOption {
@ -1236,6 +1260,9 @@ in
optionalString (isEnabled (cfg: cfg.oathAuth)) '' optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so,
'' + '' +
optionalString (isEnabled (cfg: cfg.mysqlAuth)) ''
mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so,
'' +
optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
'' + '' +

2
nixos/modules/security/sudo.nix
View File

@ -46,7 +46,7 @@ in
type = types.package; type = types.package;
default = pkgs.sudo; default = pkgs.sudo;
defaultText = literalExpression "pkgs.sudo"; defaultText = literalExpression "pkgs.sudo";
description = '' description = lib.mdDoc ''
Which package to use for `sudo`. Which package to use for `sudo`.
''; '';
}; };

18
nixos/modules/services/cluster/hadoop/hbase.nix
View File

@ -21,7 +21,7 @@ in
"hbase.cluster.distributed" = "true"; "hbase.cluster.distributed" = "true";
}; };
type = types.attrsOf types.anything; type = types.attrsOf types.anything;
description = '' description = lib.mdDoc ''
Default options for hbase-site.xml Default options for hbase-site.xml
''; '';
}; };
@ -30,9 +30,9 @@ in
type = with types; attrsOf anything; type = with types; attrsOf anything;
example = literalExpression '' example = literalExpression ''
''; '';
description = '' description = lib.mdDoc ''
Additional options and overrides for hbase-site.xml Additional options and overrides for hbase-site.xml
<link xlink:href="https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml"/> <https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml>
''; '';
}; };
hbaseSiteInternal = mkOption { hbaseSiteInternal = mkOption {
@ -50,11 +50,11 @@ in
type = types.package; type = types.package;
default = pkgs.hbase; default = pkgs.hbase;
defaultText = literalExpression "pkgs.hbase"; defaultText = literalExpression "pkgs.hbase";
description = "HBase package"; description = lib.mdDoc "HBase package";
}; };
rootdir = mkOption { rootdir = mkOption {
description = '' description = lib.mdDoc ''
This option will set "hbase.rootdir" in hbase-site.xml and determine This option will set "hbase.rootdir" in hbase-site.xml and determine
the directory shared by region servers and into which HBase persists. the directory shared by region servers and into which HBase persists.
The URL should be 'fully-qualified' to include the filesystem scheme. The URL should be 'fully-qualified' to include the filesystem scheme.
@ -68,7 +68,7 @@ in
default = "/hbase"; default = "/hbase";
}; };
zookeeperQuorum = mkOption { zookeeperQuorum = mkOption {
description = '' description = lib.mdDoc ''
This option will set "hbase.zookeeper.quorum" in hbase-site.xml. This option will set "hbase.zookeeper.quorum" in hbase-site.xml.
Comma separated list of servers in the ZooKeeper ensemble. Comma separated list of servers in the ZooKeeper ensemble.
''; '';
@ -83,7 +83,7 @@ in
openFirewall = mkOption { openFirewall = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Open firewall ports for HBase master. Open firewall ports for HBase master.
''; '';
}; };
@ -94,7 +94,7 @@ in
overrideHosts = mkOption { overrideHosts = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = '' description = lib.mdDoc ''
Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix
Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records
or /etc/hosts entries. or /etc/hosts entries.
@ -105,7 +105,7 @@ in
openFirewall = mkOption { openFirewall = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Open firewall ports for HBase master. Open firewall ports for HBase master.
''; '';
}; };

268
nixos/modules/services/cluster/patroni/default.nix Normal file
View File

@ -0,0 +1,268 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.patroni;
defaultUser = "patroni";
defaultGroup = "patroni";
format = pkgs.formats.yaml { };
#boto doesn't support python 3.10 yet
patroni = pkgs.patroni.override { pythonPackages = pkgs.python39Packages; };
configFileName = "patroni-${cfg.scope}-${cfg.name}.yaml";
configFile = format.generate configFileName cfg.settings;
in
{
options.services.patroni = {
enable = mkEnableOption "Patroni";
postgresqlPackage = mkOption {
type = types.package;
example = literalExpression "pkgs.postgresql_14";
description = mdDoc ''
PostgreSQL package to use.
Plugins can be enabled like this `pkgs.postgresql_14.withPackages (p: [ p.pg_safeupdate p.postgis ])`.
'';
};
postgresqlDataDir = mkOption {
type = types.path;
defaultText = literalExpression ''"/var/lib/postgresql/''${config.services.patroni.postgresqlPackage.psqlSchema}"'';
example = "/var/lib/postgresql/14";
default = "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}";
description = mdDoc ''
The data directory for PostgreSQL. If left as the default value
this directory will automatically be created before the PostgreSQL server starts, otherwise
the sysadmin is responsible for ensuring the directory exists with appropriate ownership
and permissions.
'';
};
postgresqlPort = mkOption {
type = types.port;
default = 5432;
description = mdDoc ''
The port on which PostgreSQL listens.
'';
};
user = mkOption {
type = types.str;
default = defaultUser;
example = "postgres";
description = mdDoc ''
The user for the service. If left as the default value this user will automatically be created,
otherwise the sysadmin is responsible for ensuring the user exists.
'';
};
group = mkOption {
type = types.str;
default = defaultGroup;
example = "postgres";
description = mdDoc ''
The group for the service. If left as the default value this group will automatically be created,
otherwise the sysadmin is responsible for ensuring the group exists.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/patroni";
description = mdDoc ''
Folder where Patroni data will be written, used by Raft as well if enabled.
'';
};
scope = mkOption {
type = types.str;
example = "cluster1";
description = mdDoc ''
Cluster name.
'';
};
name = mkOption {
type = types.str;
example = "node1";
description = mdDoc ''
The name of the host. Must be unique for the cluster.
'';
};
namespace = mkOption {
type = types.str;
default = "/service";
description = mdDoc ''
Path within the configuration store where Patroni will keep information about the cluster.
'';
};
nodeIp = mkOption {
type = types.str;
example = "192.168.1.1";
description = mdDoc ''
IP address of this node.
'';
};
otherNodesIps = mkOption {
type = types.listOf types.string;
example = [ "192.168.1.2" "192.168.1.3" ];
description = mdDoc ''
IP addresses of the other nodes.
'';
};
restApiPort = mkOption {
type = types.port;
default = 8008;
description = mdDoc ''
The port on Patroni's REST api listens.
'';
};
raft = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
This will configure Patroni to use its own RAFT implementation instead of using a dedicated DCS.
'';
};
raftPort = mkOption {
type = types.port;
default = 5010;
description = mdDoc ''
The port on which RAFT listens.
'';
};
softwareWatchdog = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
This will configure Patroni to use the software watchdog built into the Linux kernel
as described in the [documentation](https://patroni.readthedocs.io/en/latest/watchdog.html#setting-up-software-watchdog-on-linux).
'';
};
settings = mkOption {
type = format.type;
default = { };
description = mdDoc ''
The primary patroni configuration. See the [documentation](https://patroni.readthedocs.io/en/latest/SETTINGS.html)
for possible values.
Secrets should be passed in by using the `environmentFiles` option.
'';
};
environmentFiles = mkOption {
type = with types; attrsOf (nullOr (oneOf [ str path package ]));
default = { };
example = {
PATRONI_REPLICATION_PASSWORD = "/secret/file";
PATRONI_SUPERUSER_PASSWORD = "/secret/file";
};
description = mdDoc "Environment variables made available to Patroni as files content, useful for providing secrets from files.";
};
};
config = mkIf cfg.enable {
services.patroni.settings = {
scope = cfg.scope;
name = cfg.name;
namespace = cfg.namespace;
restapi = {
listen = "${cfg.nodeIp}:${toString cfg.restApiPort}";
connect_address = "${cfg.nodeIp}:${toString cfg.restApiPort}";
};
raft = mkIf cfg.raft {
data_dir = "${cfg.dataDir}/raft";
self_addr = "${cfg.nodeIp}:5010";
partner_addrs = map (ip: ip + ":5010") cfg.otherNodesIps;
};
postgresql = {
listen = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
connect_address = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
data_dir = cfg.postgresqlDataDir;
bin_dir = "${cfg.postgresqlPackage}/bin";
pgpass = "${cfg.dataDir}/pgpass";
};
watchdog = mkIf cfg.softwareWatchdog {
mode = "required";
device = "/dev/watchdog";
safety_margin = 5;
};
};
users = {
users = mkIf (cfg.user == defaultUser) {
patroni = {
group = cfg.group;
isSystemUser = true;
};
};
groups = mkIf (cfg.group == defaultGroup) {
patroni = { };
};
};
systemd.services = {
patroni = {
description = "Runners to orchestrate a high-availability PostgreSQL";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
script = ''
${concatStringsSep "\n" (attrValues (mapAttrs (name: path: ''export ${name}="$(< ${escapeShellArg path})"'') cfg.environmentFiles))}
exec ${patroni}/bin/patroni ${configFile}
'';
serviceConfig = mkMerge [
{
User = cfg.user;
Group = cfg.group;
Type = "simple";
Restart = "on-failure";
TimeoutSec = 30;
ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
KillMode = "process";
}
(mkIf (cfg.postgresqlDataDir == "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}" && cfg.dataDir == "/var/lib/patroni") {
StateDirectory = "patroni patroni/raft postgresql postgresql/${cfg.postgresqlPackage.psqlSchema}";
StateDirectoryMode = "0750";
})
];
};
};
boot.kernelModules = mkIf cfg.softwareWatchdog [ "softdog" ];
services.udev.extraRules = mkIf cfg.softwareWatchdog ''
KERNEL=="watchdog", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="0600"
'';
environment.systemPackages = [
patroni
cfg.postgresqlPackage
(mkIf cfg.raft pkgs.python310Packages.pysyncobj)
];
environment.etc."${configFileName}".source = configFile;
environment.sessionVariables = {
PATRONICTL_CONFIG_FILE = "/etc/${configFileName}";
};
};
meta.maintainers = [ maintainers.phfroidmont ];
}

4
nixos/modules/services/continuous-integration/buildbot/worker.nix
View File

@ -121,10 +121,10 @@ in {
keepalive = mkOption { keepalive = mkOption {
default = 600; default = 600;
type = types.int; type = types.int;
description = " description = lib.mdDoc ''
This is a number that indicates how frequently keepalive messages should be sent This is a number that indicates how frequently keepalive messages should be sent
from the worker to the buildmaster, expressed in seconds. from the worker to the buildmaster, expressed in seconds.
"; '';
}; };
package = mkOption { package = mkOption {

2
nixos/modules/services/continuous-integration/buildkite-agents.nix
View File

@ -193,7 +193,7 @@ in
options.services.buildkite-agents = mkOption { options.services.buildkite-agents = mkOption {
type = types.attrsOf (types.submodule buildkiteOptions); type = types.attrsOf (types.submodule buildkiteOptions);
default = {}; default = {};
description = '' description = lib.mdDoc ''
Attribute set of buildkite agents. Attribute set of buildkite agents.
The attribute key is combined with the hostname and a unique integer to The attribute key is combined with the hostname and a unique integer to
create the final agent name. This can be overridden by setting the `name` create the final agent name. This can be overridden by setting the `name`

19
nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix
View File

@ -103,15 +103,15 @@ let
defaultText = literalExpression ''baseDirectory + "/secrets"''; defaultText = literalExpression ''baseDirectory + "/secrets"'';
}; };
clusterJoinTokenPath = mkOption { clusterJoinTokenPath = mkOption {
description = '' description = lib.mdDoc ''
Location of the cluster-join-token.key file. Location of the cluster-join-token.key file.
You can retrieve the contents of the file when creating a new agent via You can retrieve the contents of the file when creating a new agent via
<link xlink:href="https://hercules-ci.com/dashboard">https://hercules-ci.com/dashboard</link>. <https://hercules-ci.com/dashboard>.
As this value is confidential, it should not be in the store, but As this value is confidential, it should not be in the store, but
installed using other means, such as agenix, NixOps installed using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation. `deployment.keys`, or manual installation.
The contents of the file are used for authentication between the agent and the API. The contents of the file are used for authentication between the agent and the API.
''; '';
@ -120,29 +120,28 @@ let
defaultText = literalExpression ''staticSecretsDirectory + "/cluster-join-token.key"''; defaultText = literalExpression ''staticSecretsDirectory + "/cluster-join-token.key"'';
}; };
binaryCachesPath = mkOption { binaryCachesPath = mkOption {
description = '' description = lib.mdDoc ''
Path to a JSON file containing binary cache secret keys. Path to a JSON file containing binary cache secret keys.
As these values are confidential, they should not be in the store, but As these values are confidential, they should not be in the store, but
copied over using other means, such as agenix, NixOps copied over using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation. `deployment.keys`, or manual installation.
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/">https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/</link>. The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/>.
''; '';
type = types.path; type = types.path;
default = config.staticSecretsDirectory + "/binary-caches.json"; default = config.staticSecretsDirectory + "/binary-caches.json";
defaultText = literalExpression ''staticSecretsDirectory + "/binary-caches.json"''; defaultText = literalExpression ''staticSecretsDirectory + "/binary-caches.json"'';
}; };
secretsJsonPath = mkOption { secretsJsonPath = mkOption {
description = '' description = lib.mdDoc ''
Path to a JSON file containing secrets for effects. Path to a JSON file containing secrets for effects.
As these values are confidential, they should not be in the store, but As these values are confidential, they should not be in the store, but
copied over using other means, such as agenix, NixOps copied over using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation. `deployment.keys`, or manual installation.
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/">https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/</link>.
The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/>.
''; '';
type = types.path; type = types.path;
default = config.staticSecretsDirectory + "/secrets.json"; default = config.staticSecretsDirectory + "/secrets.json";

6
nixos/modules/services/continuous-integration/hydra/default.nix
View File

@ -87,7 +87,7 @@ in
type = types.str; type = types.str;
default = localDB; default = localDB;
example = "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;"; example = "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;";
description = '' description = lib.mdDoc ''
The DBI string for Hydra database connection. The DBI string for Hydra database connection.
NOTE: Attempts to set `application_name` will be overridden by NOTE: Attempts to set `application_name` will be overridden by
@ -115,8 +115,8 @@ in
type = types.str; type = types.str;
default = "*"; default = "*";
example = "localhost"; example = "localhost";
description = '' description = lib.mdDoc ''
The hostname or address to listen on or <literal>*</literal> to listen The hostname or address to listen on or `*` to listen
on all interfaces. on all interfaces.
''; '';
}; };

4
nixos/modules/services/databases/foundationdb.nix
View File

@ -97,9 +97,9 @@ in
openFirewall = mkOption { openFirewall = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Open the firewall ports corresponding to FoundationDB processes and coordinators Open the firewall ports corresponding to FoundationDB processes and coordinators
using <option>config.networking.firewall.*</option>. using {option}`config.networking.firewall.*`.
''; '';
}; };

4
nixos/modules/services/databases/mongodb.nix
View File

@ -35,9 +35,9 @@ in
default = pkgs.mongodb; default = pkgs.mongodb;
defaultText = literalExpression "pkgs.mongodb"; defaultText = literalExpression "pkgs.mongodb";
type = types.package; type = types.package;
description = " description = lib.mdDoc ''
Which MongoDB derivation to use. Which MongoDB derivation to use.
"; '';
}; };
user = mkOption { user = mkOption {

4
nixos/modules/services/databases/mysql.nix
View File

@ -36,9 +36,9 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
example = literalExpression "pkgs.mariadb"; example = literalExpression "pkgs.mariadb";
description = " description = lib.mdDoc ''
Which MySQL derivation to use. MariaDB packages are supported too. Which MySQL derivation to use. MariaDB packages are supported too.
"; '';
}; };
user = mkOption { user = mkOption {

6
nixos/modules/services/databases/postgresql.nix
View File

@ -79,15 +79,15 @@ in
authentication = mkOption { authentication = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
description = '' description = lib.mdDoc ''
Defines how users authenticate themselves to the server. See the Defines how users authenticate themselves to the server. See the
<link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html">PostgreSQL documentation for pg_hba.conf</link> [PostgreSQL documentation for pg_hba.conf](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html)
for details on the expected format of this option. By default, for details on the expected format of this option. By default,
peer based authentication will be used for users connecting peer based authentication will be used for users connecting
via the Unix socket, and md5 password authentication will be via the Unix socket, and md5 password authentication will be
used for users connecting via TCP. Any added rules will be used for users connecting via TCP. Any added rules will be
inserted above the default rules. If you'd like to replace the inserted above the default rules. If you'd like to replace the
default rules entirely, you can use <function>lib.mkForce</function> in your default rules entirely, you can use `lib.mkForce` in your
module. module.
''; '';
}; };

1
nixos/modules/services/desktops/pipewire/daemon/pipewire.conf.json
View File

@ -10,6 +10,7 @@
}, },
"context.spa-libs": { "context.spa-libs": {
"audio.convert.*": "audioconvert/libspa-audioconvert", "audio.convert.*": "audioconvert/libspa-audioconvert",
"avb.*": "avb/libspa-avb",
"api.alsa.*": "alsa/libspa-alsa", "api.alsa.*": "alsa/libspa-alsa",
"api.v4l2.*": "v4l2/libspa-v4l2", "api.v4l2.*": "v4l2/libspa-v4l2",
"api.libcamera.*": "libcamera/libspa-libcamera", "api.libcamera.*": "libcamera/libspa-libcamera",

3
nixos/modules/services/desktops/system-config-printer.nix
View File

@ -34,7 +34,8 @@ with lib;
]; ];
# for $out/bin/install-printer-driver # for $out/bin/install-printer-driver
services.packagekit.enable = true; # TODO: Enable once #177946 is resolved
# services.packagekit.enable = true;
}; };

13
nixos/modules/services/development/jupyter/default.nix
View File

@ -149,13 +149,14 @@ in {
}; };
} }
''; '';
description = "Declarative kernel config description = lib.mdDoc ''
Declarative kernel config.
Kernels can be declared in any language that supports and has the required Kernels can be declared in any language that supports and has the required
dependencies to communicate with a jupyter server. dependencies to communicate with a jupyter server.
In python's case, it means that ipykernel package must always be included in In python's case, it means that ipykernel package must always be included in
the list of packages of the targeted environment. the list of packages of the targeted environment.
"; '';
}; };
}; };

2
nixos/modules/services/development/lorri.nix
View File

@ -9,7 +9,7 @@ in {
enable = lib.mkOption { enable = lib.mkOption {
default = false; default = false;
type = lib.types.bool; type = lib.types.bool;
description = '' description = lib.mdDoc ''
Enables the daemon for `lorri`, a nix-shell replacement for project Enables the daemon for `lorri`, a nix-shell replacement for project
development. The socket-activated daemon starts on the first request development. The socket-activated daemon starts on the first request
issued by the `lorri` command. issued by the `lorri` command.

2
nixos/modules/services/editors/infinoted.nix
View File

@ -36,7 +36,7 @@ in {
certificateChain = mkOption { certificateChain = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
description = '' description = lib.mdDoc ''
Chain of CA-certificates to which our `certificateFile` is relative. Chain of CA-certificates to which our `certificateFile` is relative.
Optional for TLS. Optional for TLS.
''; '';

6
nixos/modules/services/games/asf.nix
View File

@ -81,11 +81,11 @@ in
settings = mkOption { settings = mkOption {
type = format.type; type = format.type;
description = '' description = lib.mdDoc ''
The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>. The ASF.json file, all the options are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config).
Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything. Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything.
`Headless` is also always set to `true` because there is no way to provide inputs via a systemd service. `Headless` is also always set to `true` because there is no way to provide inputs via a systemd service.
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>. You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod).
''; '';
example = { example = {
Statistics = false; Statistics = false;

4
nixos/modules/services/games/crossfire-server.nix
View File

@ -41,7 +41,7 @@ in {
stateDir = mkOption { stateDir = mkOption {
type = types.str; type = types.str;
default = "/var/lib/crossfire"; default = "/var/lib/crossfire";
description = '' description = lib.mdDoc ''
Where to store runtime data (save files, persistent items, etc). Where to store runtime data (save files, persistent items, etc).
If left at the default, this will be automatically created on server If left at the default, this will be automatically created on server
@ -61,7 +61,7 @@ in {
configFiles = mkOption { configFiles = mkOption {
type = types.attrsOf types.str; type = types.attrsOf types.str;
description = '' description = lib.mdDoc ''
Text to append to the corresponding configuration files. Note that the Text to append to the corresponding configuration files. Note that the
files given in the example are *not* the complete set of files available files given in the example are *not* the complete set of files available
to customize; look in /etc/crossfire after enabling the server to see to customize; look in /etc/crossfire after enabling the server to see

2
nixos/modules/services/games/deliantra-server.nix
View File

@ -41,7 +41,7 @@ in {
stateDir = mkOption { stateDir = mkOption {
type = types.str; type = types.str;
default = "/var/lib/deliantra"; default = "/var/lib/deliantra";
description = '' description = lib.mdDoc ''
Where to store runtime data (save files, persistent items, etc). Where to store runtime data (save files, persistent items, etc).
If left at the default, this will be automatically created on server If left at the default, this will be automatically created on server

6
nixos/modules/services/games/minetest-server.nix
View File

@ -25,7 +25,7 @@ in
gameId = mkOption { gameId = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
description = '' description = lib.mdDoc ''
Id of the game to use. To list available games run Id of the game to use. To list available games run
`minetestserver --gameid list`. `minetestserver --gameid list`.
@ -36,7 +36,7 @@ in
world = mkOption { world = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
description = '' description = lib.mdDoc ''
Name of the world to use. To list available worlds run Name of the world to use. To list available worlds run
`minetestserver --world list`. `minetestserver --world list`.
@ -47,7 +47,7 @@ in
configPath = mkOption { configPath = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
description = '' description = lib.mdDoc ''
Path to the config to use. Path to the config to use.
If set to null, the config of the running user will be used: If set to null, the config of the running user will be used:

2
nixos/modules/services/games/terraria.nix
View File

@ -131,6 +131,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users.terraria = { users.users.terraria = {
description = "Terraria server service user"; description = "Terraria server service user";
group = "terraria";
home = cfg.dataDir; home = cfg.dataDir;
createHome = true; createHome = true;
uid = config.ids.uids.terraria; uid = config.ids.uids.terraria;
@ -138,7 +139,6 @@ in
users.groups.terraria = { users.groups.terraria = {
gid = config.ids.gids.terraria; gid = config.ids.gids.terraria;
members = [ "terraria" ];
}; };
systemd.services.terraria = { systemd.services.terraria = {

6
nixos/modules/services/hardware/fwupd.nix
View File

@ -15,9 +15,9 @@ let
DisabledPlugins=${lib.concatStringsSep ";" cfg.disabledPlugins} DisabledPlugins=${lib.concatStringsSep ";" cfg.disabledPlugins}
''; '';
}; };
"fwupd/uefi.conf" = { "fwupd/uefi_capsule.conf" = {
source = pkgs.writeText "uefi.conf" '' source = pkgs.writeText "uefi_capsule.conf" ''
[uefi] [uefi_capsule]
OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint} OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint}
''; '';
}; };

8
nixos/modules/services/hardware/kanata.nix
View File

@ -180,8 +180,8 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.kanata; default = pkgs.kanata;
defaultText = lib.literalExpression "pkgs.kanata"; defaultText = literalExpression "pkgs.kanata";
example = lib.literalExpression "pkgs.kanata-with-cmd"; example = literalExpression "pkgs.kanata-with-cmd";
description = mdDoc '' description = mdDoc ''
The kanata package to use. The kanata package to use.
@ -198,7 +198,7 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = mkIf cfg.enable {
hardware.uinput.enable = true; hardware.uinput.enable = true;
systemd = { systemd = {
@ -211,5 +211,5 @@ in
}; };
}; };
meta.maintainers = with lib.maintainers; [ linj ]; meta.maintainers = with maintainers; [ linj ];
} }

4
nixos/modules/services/home-automation/home-assistant.nix
View File

@ -126,10 +126,10 @@ in {
psycopg2 psycopg2
]; ];
''; '';
description = '' description = lib.mdDoc ''
List of packages to add to propagatedBuildInputs. List of packages to add to propagatedBuildInputs.
A popular example is <package>python3Packages.psycopg2</package> A popular example is `python3Packages.psycopg2`
for PostgreSQL support in the recorder component. for PostgreSQL support in the recorder component.
''; '';
}; };

4
nixos/modules/services/logging/logrotate.nix
View File

@ -79,7 +79,7 @@ let
priority = mkOption { priority = mkOption {
type = types.int; type = types.int;
default = 1000; default = 1000;
description = '' description = lib.mdDoc ''
Order of this logrotate block in relation to the others. The semantics are Order of this logrotate block in relation to the others. The semantics are
the same as with `lib.mkOrder`. Smaller values have a greater priority. the same as with `lib.mkOrder`. Smaller values have a greater priority.
''; '';
@ -260,7 +260,7 @@ in
priority = mkOption { priority = mkOption {
type = types.int; type = types.int;
default = 1000; default = 1000;
description = '' description = lib.mdDoc ''
Order of this logrotate block in relation to the others. The semantics are Order of this logrotate block in relation to the others. The semantics are
the same as with `lib.mkOrder`. Smaller values are inserted first. the same as with `lib.mkOrder`. Smaller values are inserted first.
''; '';

72
nixos/modules/services/mail/postfix.nix
View File

@ -355,125 +355,125 @@ in
setgidGroup = mkOption { setgidGroup = mkOption {
type = types.str; type = types.str;
default = "postdrop"; default = "postdrop";
description = " description = lib.mdDoc ''
How to call postfix setgid group (for postdrop). Should How to call postfix setgid group (for postdrop). Should
be uniquely used group. be uniquely used group.
"; '';
}; };
networks = mkOption { networks = mkOption {
type = types.nullOr (types.listOf types.str); type = types.nullOr (types.listOf types.str);
default = null; default = null;
example = ["192.168.0.1/24"]; example = ["192.168.0.1/24"];
description = " description = lib.mdDoc ''
Net masks for trusted - allowed to relay mail to third parties - Net masks for trusted - allowed to relay mail to third parties -
hosts. Leave empty to use mynetworks_style configuration or use hosts. Leave empty to use mynetworks_style configuration or use
default (localhost-only). default (localhost-only).
"; '';
}; };
networksStyle = mkOption { networksStyle = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description = " description = lib.mdDoc ''
Name of standard way of trusted network specification to use, Name of standard way of trusted network specification to use,
leave blank if you specify it explicitly or if you want to use leave blank if you specify it explicitly or if you want to use
default (localhost-only). default (localhost-only).
"; '';
}; };
hostname = mkOption { hostname = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description =" description = lib.mdDoc ''
Hostname to use. Leave blank to use just the hostname of machine. Hostname to use. Leave blank to use just the hostname of machine.
It should be FQDN. It should be FQDN.
"; '';
}; };
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description =" description = lib.mdDoc ''
Domain to use. Leave blank to use hostname minus first component. Domain to use. Leave blank to use hostname minus first component.
"; '';
}; };
origin = mkOption { origin = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description =" description = lib.mdDoc ''
Origin to use in outgoing e-mail. Leave blank to use hostname. Origin to use in outgoing e-mail. Leave blank to use hostname.
"; '';
}; };
destination = mkOption { destination = mkOption {
type = types.nullOr (types.listOf types.str); type = types.nullOr (types.listOf types.str);
default = null; default = null;
example = ["localhost"]; example = ["localhost"];
description = " description = lib.mdDoc ''
Full (!) list of domains we deliver locally. Leave blank for Full (!) list of domains we deliver locally. Leave blank for
acceptable Postfix default. acceptable Postfix default.
"; '';
}; };
relayDomains = mkOption { relayDomains = mkOption {
type = types.nullOr (types.listOf types.str); type = types.nullOr (types.listOf types.str);
default = null; default = null;
example = ["localdomain"]; example = ["localdomain"];
description = " description = lib.mdDoc ''
List of domains we agree to relay to. Default is empty. List of domains we agree to relay to. Default is empty.
"; '';
}; };
relayHost = mkOption { relayHost = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description = " description = lib.mdDoc ''
Mail relay for outbound mail. Mail relay for outbound mail.
"; '';
}; };
relayPort = mkOption { relayPort = mkOption {
type = types.int; type = types.int;
default = 25; default = 25;
description = " description = lib.mdDoc ''
SMTP port for relay mail relay. SMTP port for relay mail relay.
"; '';
}; };
lookupMX = mkOption { lookupMX = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = " description = lib.mdDoc ''
Whether relay specified is just domain whose MX must be used. Whether relay specified is just domain whose MX must be used.
"; '';
}; };
postmasterAlias = mkOption { postmasterAlias = mkOption {
type = types.str; type = types.str;
default = "root"; default = "root";
description = " description = lib.mdDoc ''
Who should receive postmaster e-mail. Multiple values can be added by Who should receive postmaster e-mail. Multiple values can be added by
separating values with comma. separating values with comma.
"; '';
}; };
rootAlias = mkOption { rootAlias = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description = " description = lib.mdDoc ''
Who should receive root e-mail. Blank for no redirection. Who should receive root e-mail. Blank for no redirection.
Multiple values can be added by separating values with comma. Multiple values can be added by separating values with comma.
"; '';
}; };
extraAliases = mkOption { extraAliases = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
description = " description = lib.mdDoc ''
Additional entries to put verbatim into aliases file, cf. man-page aliases(8). Additional entries to put verbatim into aliases file, cf. man-page aliases(8).
"; '';
}; };
aliasMapType = mkOption { aliasMapType = mkOption {
@ -497,9 +497,9 @@ in
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
description = " description = lib.mdDoc ''
Extra lines to be added verbatim to the main.cf configuration file. Extra lines to be added verbatim to the main.cf configuration file.
"; '';
}; };
tlsTrustedAuthorities = mkOption { tlsTrustedAuthorities = mkOption {
@ -527,9 +527,9 @@ in
type = types.str; type = types.str;
default = ""; default = "";
example = "+"; example = "+";
description = " description = lib.mdDoc ''
Delimiter for address extension: so mail to user+test can be handled by ~user/.forward+test Delimiter for address extension: so mail to user+test can be handled by ~user/.forward+test
"; '';
}; };
canonical = mkOption { canonical = mkOption {
@ -543,9 +543,9 @@ in
virtual = mkOption { virtual = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
description = " description = lib.mdDoc ''
Entries for the virtual alias map, cf. man-page virtual(5). Entries for the virtual alias map, cf. man-page virtual(5).
"; '';
}; };
virtualMapType = mkOption { virtualMapType = mkOption {
@ -572,9 +572,9 @@ in
transport = mkOption { transport = mkOption {
default = ""; default = "";
type = types.lines; type = types.lines;
description = " description = lib.mdDoc ''
Entries for the transport map, cf. man-page transport(8). Entries for the transport map, cf. man-page transport(8).
"; '';
}; };
dnsBlacklists = mkOption { dnsBlacklists = mkOption {

21
nixos/modules/services/matrix/dendrite.nix
View File

@ -26,24 +26,24 @@ in
type = lib.types.nullOr lib.types.path; type = lib.types.nullOr lib.types.path;
example = "/var/lib/dendrite/server.cert"; example = "/var/lib/dendrite/server.cert";
default = null; default = null;
description = '' description = lib.mdDoc ''
The path to the TLS certificate. The path to the TLS certificate.
<programlisting> ```
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
</programlisting> ```
''; '';
}; };
tlsKey = lib.mkOption { tlsKey = lib.mkOption {
type = lib.types.nullOr lib.types.path; type = lib.types.nullOr lib.types.path;
example = "/var/lib/dendrite/server.key"; example = "/var/lib/dendrite/server.key";
default = null; default = null;
description = '' description = lib.mdDoc ''
The path to the TLS key. The path to the TLS key.
<programlisting> ```
nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key" nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"
</programlisting> ```
''; '';
}; };
environmentFile = lib.mkOption { environmentFile = lib.mkOption {
@ -51,8 +51,7 @@ in
example = "/var/lib/dendrite/registration_secret"; example = "/var/lib/dendrite/registration_secret";
default = null; default = null;
description = '' description = ''
Environment file as defined in <citerefentry> Environment file as defined in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Secrets may be passed to the service without adding them to the world-readable Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file. Currently only used setting these variables accordingly in the environment file. Currently only used
@ -103,13 +102,13 @@ in
lib.types.path lib.types.path
(lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+"); (lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+");
example = "$CREDENTIALS_DIRECTORY/private_key"; example = "$CREDENTIALS_DIRECTORY/private_key";
description = '' description = lib.mdDoc ''
The path to the signing private key file, used to sign The path to the signing private key file, used to sign
requests and events. requests and events.
<programlisting> ```
nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem" nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem"
</programlisting> ```
''; '';
}; };
trusted_third_party_id_servers = lib.mkOption { trusted_third_party_id_servers = lib.mkOption {

8
nixos/modules/services/matrix/mautrix-facebook.nix
View File

@ -44,6 +44,12 @@ in {
encryption = { encryption = {
allow = true; allow = true;
default = true; default = true;
verification_levels = {
receive = "cross-signed-tofu";
send = "cross-signed-tofu";
share = "cross-signed-tofu";
};
}; };
username_template = "facebook_{userid}"; username_template = "facebook_{userid}";
}; };
@ -116,6 +122,8 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.groups.mautrix-facebook = {};
users.users.mautrix-facebook = { users.users.mautrix-facebook = {
group = "mautrix-facebook"; group = "mautrix-facebook";
isSystemUser = true; isSystemUser = true;

2
nixos/modules/services/matrix/synapse.nix
View File

@ -516,7 +516,7 @@ in {
type = types.bool; type = types.bool;
default = true; default = true;
example = false; example = false;
description = '' description = lib.mdDoc ''
Is the preview URL API enabled? If enabled, you *must* specify an Is the preview URL API enabled? If enabled, you *must* specify an
explicit url_preview_ip_range_blacklist of IPs that the spider is explicit url_preview_ip_range_blacklist of IPs that the spider is
denied from accessing. denied from accessing.

8
nixos/modules/services/misc/etebase-server.nix
View File

@ -133,10 +133,10 @@ in
}; };
}; };
default = {}; default = {};
description = '' description = lib.mdDoc ''
Configuration for <package>etebase-server</package>. Refer to Configuration for `etebase-server`. Refer to
<link xlink:href="https://github.com/etesync/server/blob/master/etebase-server.ini.example"/> <https://github.com/etesync/server/blob/master/etebase-server.ini.example>
and <link xlink:href="https://github.com/etesync/server/wiki"/> and <https://github.com/etesync/server/wiki>
for details on supported values. for details on supported values.
''; '';
example = { example = {

4
nixos/modules/services/misc/exhibitor.nix
View File

@ -71,9 +71,9 @@ in
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = " description = lib.mdDoc ''
Whether to enable the exhibitor server. Whether to enable the exhibitor server.
"; '';
}; };
# See https://github.com/soabase/exhibitor/wiki/Running-Exhibitor for what these mean # See https://github.com/soabase/exhibitor/wiki/Running-Exhibitor for what these mean
# General options for any type of config # General options for any type of config

10
nixos/modules/services/misc/freeswitch.nix
View File

@ -22,11 +22,11 @@ in {
enableReload = mkOption { enableReload = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
description = '' description = lib.mdDoc ''
Issue the <literal>reloadxml</literal> command to FreeSWITCH when configuration directory changes (instead of restart). Issue the `reloadxml` command to FreeSWITCH when configuration directory changes (instead of restart).
See <link xlink:href="https://freeswitch.org/confluence/display/FREESWITCH/Reloading">FreeSWITCH documentation</link> for more info. See [FreeSWITCH documentation](https://freeswitch.org/confluence/display/FREESWITCH/Reloading) for more info.
The configuration directory is exposed at <filename>/etc/freeswitch</filename>. The configuration directory is exposed at {file}`/etc/freeswitch`.
See also <literal>systemd.services.*.restartIfChanged</literal>. See also `systemd.services.*.restartIfChanged`.
''; '';
}; };
configTemplate = mkOption { configTemplate = mkOption {

27
nixos/modules/services/misc/geoipupdate.nix
View File

@ -12,8 +12,7 @@ in
options = { options = {
services.geoipupdate = { services.geoipupdate = {
enable = lib.mkEnableOption '' enable = lib.mkEnableOption ''
periodic downloading of GeoIP databases using periodic downloading of GeoIP databases using geoipupdate.
<productname>geoipupdate</productname>.
''; '';
interval = lib.mkOption { interval = lib.mkOption {
@ -36,21 +35,20 @@ in
ProxyUserPassword = { _secret = "/run/keys/proxy_pass"; }; ProxyUserPassword = { _secret = "/run/keys/proxy_pass"; };
} }
''; '';
description = '' description = lib.mdDoc ''
<productname>geoipupdate</productname> configuration geoipupdate configuration options. See
options. See <https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md>
<link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md"/>
for a full list of available options. for a full list of available options.
Settings containing secret data should be set to an Settings containing secret data should be set to an
attribute set containing the attribute attribute set containing the attribute
<literal>_secret</literal> - a string pointing to a file `_secret` - a string pointing to a file
containing the value the option should be set to. See the containing the value the option should be set to. See the
example to get a better picture of this: in the resulting example to get a better picture of this: in the resulting
<filename>GeoIP.conf</filename> file, the {file}`GeoIP.conf` file, the
<literal>ProxyUserPassword</literal> key will be set to the `ProxyUserPassword` key will be set to the
contents of the contents of the
<filename>/run/keys/proxy_pass</filename> file. {file}`/run/keys/proxy_pass` file.
''; '';
type = lib.types.submodule { type = lib.types.submodule {
freeformType = freeformType =
@ -85,13 +83,12 @@ in
LicenseKey = lib.mkOption { LicenseKey = lib.mkOption {
type = with lib.types; either path (attrsOf path); type = with lib.types; either path (attrsOf path);
description = '' description = lib.mdDoc ''
A file containing the A file containing the MaxMind license key.
<productname>MaxMind</productname> license key.
Always handled as a secret whether the value is Always handled as a secret whether the value is
wrapped in a <literal>{ _secret = ...; }</literal> wrapped in a `{ _secret = ...; }`
attrset or not (refer to <xref linkend="opt-services.geoipupdate.settings"/> for attrset or not (refer to [](#opt-services.geoipupdate.settings) for
details). details).
''; '';
apply = x: if isAttrs x then x else { _secret = x; }; apply = x: if isAttrs x then x else { _secret = x; };

12
nixos/modules/services/misc/gitea.nix
View File

@ -183,7 +183,7 @@ in
file = mkOption { file = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
description = "Filename to be used for the dump. If `null` a default name is choosen by gitea."; description = lib.mdDoc "Filename to be used for the dump. If `null` a default name is choosen by gitea.";
example = "gitea-dump"; example = "gitea-dump";
}; };
}; };
@ -293,12 +293,12 @@ in
default = "${cfg.stateDir}/log"; default = "${cfg.stateDir}/log";
defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"''; defaultText = literalExpression ''"''${config.${opt.stateDir}}/log"'';
type = types.str; type = types.str;
description = "Root path for log files."; description = lib.mdDoc "Root path for log files.";
}; };
LEVEL = mkOption { LEVEL = mkOption {
default = "Info"; default = "Info";
type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ]; type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ];
description = "General log level."; description = lib.mdDoc "General log level.";
}; };
}; };
@ -306,14 +306,14 @@ in
DISABLE_SSH = mkOption { DISABLE_SSH = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = "Disable external SSH feature."; description = lib.mdDoc "Disable external SSH feature.";
}; };
SSH_PORT = mkOption { SSH_PORT = mkOption {
type = types.int; type = types.int;
default = 22; default = 22;
example = 2222; example = 2222;
description = '' description = lib.mdDoc ''
SSH port displayed in clone URL. SSH port displayed in clone URL.
The option is required to configure a service when the external visible port The option is required to configure a service when the external visible port
differs from the local listening port i.e. if port forwarding is used. differs from the local listening port i.e. if port forwarding is used.
@ -339,7 +339,7 @@ in
COOKIE_SECURE = mkOption { COOKIE_SECURE = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Marks session cookies as "secure" as a hint for browsers to only send Marks session cookies as "secure" as a hint for browsers to only send
them via HTTPS. This option is recommend, if gitea is being served over HTTPS. them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
''; '';

14
nixos/modules/services/misc/gitlab.nix
View File

@ -338,10 +338,9 @@ in {
default = 0; default = 0;
example = 48; example = 48;
apply = x: x * 60 * 60; apply = x: x * 60 * 60;
description = '' description = lib.mdDoc ''
How long to keep the backups around, in How long to keep the backups around, in
hours. <literal>0</literal> means <quote>keep hours. `0` means keep forever.
forever</quote>.
''; '';
}; };
@ -415,9 +414,9 @@ in {
databaseHost = mkOption { databaseHost = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description = '' description = lib.mdDoc ''
GitLab database hostname. An empty string means <quote>use GitLab database hostname. An empty string means
local unix socket connection</quote>. use local unix socket connection.
''; '';
}; };
@ -752,8 +751,7 @@ in {
description = '' description = ''
The number of worker processes Puma should spawn. This The number of worker processes Puma should spawn. This
controls the amount of parallel Ruby code can be controls the amount of parallel Ruby code can be
executed. GitLab recommends <quote>Number of CPU cores - executed. GitLab recommends <literal>Number of CPU cores - 1</literal>, but at least two.
1</quote>, but at least two.
<note> <note>
<para> <para>

25
nixos/modules/services/misc/gitolite.nix
View File

@ -14,12 +14,11 @@ in
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Enable gitolite management under the Enable gitolite management under the
<literal>gitolite</literal> user. After `gitolite` user. After
switching to a configuration with Gitolite enabled, you can switching to a configuration with Gitolite enabled, you can
then run <literal>git clone then run `git clone gitolite@host:gitolite-admin.git` to manage it further.
gitolite@host:gitolite-admin.git</literal> to manage it further.
''; '';
}; };
@ -72,25 +71,25 @@ in
@{$RC{ENABLE}} = grep { $_ ne 'desc' } @{$RC{ENABLE}}; # disable the command/feature @{$RC{ENABLE}} = grep { $_ ne 'desc' } @{$RC{ENABLE}}; # disable the command/feature
''' '''
''; '';
description = '' description = lib.mdDoc ''
Extra configuration to append to the default <literal>~/.gitolite.rc</literal>. Extra configuration to append to the default `~/.gitolite.rc`.
This should be Perl code that modifies the <literal>%RC</literal> This should be Perl code that modifies the `%RC`
configuration variable. The default <literal>~/.gitolite.rc</literal> configuration variable. The default `~/.gitolite.rc`
content is generated by invoking <literal>gitolite print-default-rc</literal>, content is generated by invoking `gitolite print-default-rc`,
and extra configuration from this option is appended to it. The result and extra configuration from this option is appended to it. The result
is placed to Nix store, and the <literal>~/.gitolite.rc</literal> file is placed to Nix store, and the `~/.gitolite.rc` file
becomes a symlink to it. becomes a symlink to it.
If you already have a customized (or otherwise changed) If you already have a customized (or otherwise changed)
<literal>~/.gitolite.rc</literal> file, NixOS will refuse to replace `~/.gitolite.rc` file, NixOS will refuse to replace
it with a symlink, and the `gitolite-init` initialization service it with a symlink, and the `gitolite-init` initialization service
will fail. In this situation, in order to use this option, you will fail. In this situation, in order to use this option, you
will need to take any customizations you may have in will need to take any customizations you may have in
<literal>~/.gitolite.rc</literal>, convert them to appropriate Perl `~/.gitolite.rc`, convert them to appropriate Perl
statements, add them to this option, and remove the file. statements, add them to this option, and remove the file.
See also the <literal>enableGitAnnex</literal> option. See also the `enableGitAnnex` option.
''; '';
}; };

2
nixos/modules/services/misc/klipper.nix
View File

@ -82,7 +82,7 @@ in
''; '';
configFile = mkOption { configFile = mkOption {
type = path; type = path;
description = "Path to firmware config which is generated using `klipper-genconf`"; description = lib.mdDoc "Path to firmware config which is generated using `klipper-genconf`";
}; };
}; };
}); });

20
nixos/modules/services/misc/nix-daemon.nix
View File

@ -264,7 +264,7 @@ in
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
example = "/root/.ssh/id_buildhost_builduser"; example = "/root/.ssh/id_buildhost_builduser";
description = '' description = lib.mdDoc ''
The path to the SSH private key with which to authenticate on The path to the SSH private key with which to authenticate on
the build machine. The private key must not have a passphrase. the build machine. The private key must not have a passphrase.
If null, the building user (root on NixOS machines) must have an If null, the building user (root on NixOS machines) must have an
@ -562,13 +562,13 @@ in
trusted-public-keys = mkOption { trusted-public-keys = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
description = '' description = lib.mdDoc ''
List of public keys used to sign binary caches. If List of public keys used to sign binary caches. If
<option>nix.settings.trusted-public-keys</option> is enabled, {option}`nix.settings.trusted-public-keys` is enabled,
then Nix will use a binary from a binary cache if and only then Nix will use a binary from a binary cache if and only
if it is signed by <emphasis>any</emphasis> of the keys if it is signed by *any* of the keys
listed here. By default, only the key for listed here. By default, only the key for
<uri>cache.nixos.org</uri> is included. `cache.nixos.org` is included.
''; '';
}; };
@ -605,13 +605,13 @@ in
type = types.listOf types.str; type = types.listOf types.str;
default = [ "*" ]; default = [ "*" ];
example = [ "@wheel" "@builders" "alice" "bob" ]; example = [ "@wheel" "@builders" "alice" "bob" ];
description = '' description = lib.mdDoc ''
A list of names of users (separated by whitespace) that are A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with allowed to connect to the Nix daemon. As with
<option>nix.settings.trusted-users</option>, you can specify groups by {option}`nix.settings.trusted-users`, you can specify groups by
prefixing them with <literal>@</literal>. Also, you can prefixing them with `@`. Also, you can
allow all users by specifying <literal>*</literal>. The allow all users by specifying `*`. The
default is <literal>*</literal>. Note that trusted users are default is `*`. Note that trusted users are
always allowed to connect. always allowed to connect.
''; '';
}; };

288
nixos/modules/services/misc/portunus.nix Normal file
View File

@ -0,0 +1,288 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.portunus;
in
{
options.services.portunus = {
enable = mkEnableOption "Portunus, a self-contained user/group management and authentication service for LDAP";
domain = mkOption {
type = types.str;
example = "sso.example.com";
description = "Subdomain which gets reverse proxied to Portunus webserver.";
};
port = mkOption {
type = types.port;
default = 8080;
description = ''
Port where the Portunus webserver should listen on.
This must be put behind a TLS-capable reverse proxy because Portunus only listens on localhost.
'';
};
package = mkOption {
type = types.package;
default = pkgs.portunus;
defaultText = "pkgs.portunus";
description = "The Portunus package to use.";
};
seedPath = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a portunus seed file in json format.
See <link xlink:href="https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration"/> for available options.
'';
};
stateDir = mkOption {
type = types.path;
default = "/var/lib/portunus";
description = "Path where Portunus stores its state.";
};
user = mkOption {
type = types.str;
default = "portunus";
description = "User account under which Portunus runs its webserver.";
};
group = mkOption {
type = types.str;
default = "portunus";
description = "Group account under which Portunus runs its webserver.";
};
dex = {
enable = mkEnableOption ''
Dex ldap connector.
To activate dex, first a search user must be created in the Portunus web ui
and then the password must to be set as the <literal>DEX_SEARCH_USER_PASSWORD</literal> environment variable
in the <xref linkend="opt-services.dex.environmentFile"/> setting.
'';
oidcClients = mkOption {
type = types.listOf (types.submodule {
options = {
callbackURL = mkOption {
type = types.str;
description = "URL where the OIDC client should redirect";
};
id = mkOption {
type = types.str;
description = "ID of the OIDC client";
};
};
});
default = [ ];
example = [
{
callbackURL = "https://example.com/client/oidc/callback";
id = "service";
}
];
description = ''
List of OIDC clients.
The OIDC secret must be set as the <literal>DEX_CLIENT_''${id}</literal> environment variable
in the <xref linkend="opt-services.dex.environmentFile"/> setting.
'';
};
port = mkOption {
type = types.port;
default = 5556;
description = "Port where dex should listen on.";
};
};
ldap = {
package = mkOption {
type = types.package;
default = pkgs.openldap;
defaultText = "pkgs.openldap";
description = "The OpenLDAP package to use.";
};
searchUserName = mkOption {
type = types.str;
default = "";
example = "admin";
description = ''
The login name of the search user.
This user account must be configured in Portunus either manually or via seeding.
'';
};
suffix = mkOption {
type = types.str;
example = "dc=example,dc=org";
description = ''
The DN of the topmost entry in your LDAP directory.
Please refer to the Portunus documentation for more information on how this impacts the structure of the LDAP directory.
'';
};
tls = mkOption {
type = types.bool;
default = false;
description = ''
Wether to enable LDAPS protocol.
This also adds two entries to the <literal>/etc/hosts</literal> file to point <xref linkend="opt-services.portunus.domain"/> to localhost,
so that CLIs and programs can use ldaps protocol and verify the certificate without opening the firewall port for the protocol.
This requires a TLS certificate for <xref linkend="opt-services.portunus.domain"/> to be configured via <xref linkend="opt-security.acme.certs"/>.
'';
};
user = mkOption {
type = types.str;
default = "openldap";
description = "User account under which Portunus runs its LDAP server.";
};
group = mkOption {
type = types.str;
default = "openldap";
description = "Group account under which Portunus runs its LDAP server.";
};
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.dex.enable -> cfg.ldap.searchUserName != "";
message = "services.portunus.dex.enable requires services.portunus.ldap.searchUserName to be set.";
}
];
# add ldapsearch(1) etc. to interactive shells
environment.systemPackages = [ cfg.ldap.package ];
# allow connecting via ldaps /w certificate without opening ports
networking.hosts = mkIf cfg.ldap.tls {
"::1" = [ cfg.domain ];
"127.0.0.1" = [ cfg.domain ];
};
services.dex = mkIf cfg.dex.enable {
enable = true;
settings = {
issuer = "https://${cfg.domain}/dex";
web.http = "127.0.0.1:${toString cfg.dex.port}";
storage = {
type = "sqlite3";
config.file = "/var/lib/dex/dex.db";
};
enablePasswordDB = false;
connectors = [{
type = "ldap";
id = "ldap";
name = "LDAP";
config = {
host = "${cfg.domain}:636";
bindDN = "uid=${cfg.ldap.searchUserName},ou=users,${cfg.ldap.suffix}";
bindPW = "$DEX_SEARCH_USER_PASSWORD";
userSearch = {
baseDN = "ou=users,${cfg.ldap.suffix}";
filter = "(objectclass=person)";
username = "uid";
idAttr = "uid";
emailAttr = "mail";
nameAttr = "cn";
preferredUsernameAttr = "uid";
};
groupSearch = {
baseDN = "ou=groups,${cfg.ldap.suffix}";
filter = "(objectclass=groupOfNames)";
nameAttr = "cn";
userMatchers = [{ userAttr = "DN"; groupAttr = "member"; }];
};
};
}];
staticClients = forEach cfg.dex.oidcClients (client: {
inherit (client) id;
redirectURIs = [ client.callbackURI ];
name = "OIDC for ${client.id}";
secret = "$DEX_CLIENT_${client.id}";
});
};
};
systemd.services = {
dex.serviceConfig = mkIf cfg.dex.enable {
# `dex.service` is super locked down out of the box, but we need some
# place to write the SQLite database. This creates $STATE_DIRECTORY below
# /var/lib/private because DynamicUser=true, but it gets symlinked into
# /var/lib/dex inside the unit
StateDirectory = "dex";
};
portunus = {
description = "Self-contained authentication service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig.ExecStart = "${cfg.package.out}/bin/portunus-orchestrator";
environment = {
PORTUNUS_LDAP_SUFFIX = cfg.ldap.suffix;
PORTUNUS_SERVER_BINARY = "${cfg.package}/bin/portunus-server";
PORTUNUS_SERVER_GROUP = cfg.group;
PORTUNUS_SERVER_USER = cfg.user;
PORTUNUS_SERVER_HTTP_LISTEN = "[::]:${toString cfg.port}";
PORTUNUS_SERVER_STATE_DIR = cfg.stateDir;
PORTUNUS_SLAPD_BINARY = "${cfg.ldap.package}/libexec/slapd";
PORTUNUS_SLAPD_GROUP = cfg.ldap.group;
PORTUNUS_SLAPD_USER = cfg.ldap.user;
PORTUNUS_SLAPD_SCHEMA_DIR = "${cfg.ldap.package}/etc/schema";
} // (optionalAttrs (cfg.seedPath != null) ({
PORTUNUS_SEED_PATH = cfg.seedPath;
})) // (optionalAttrs cfg.ldap.tls (
let
acmeDirectory = config.security.acme.certs."${cfg.domain}".directory;
in
{
PORTUNUS_SLAPD_TLS_CA_CERTIFICATE = "/etc/ssl/certs/ca-certificates.crt";
PORTUNUS_SLAPD_TLS_CERTIFICATE = "${acmeDirectory}/cert.pem";
PORTUNUS_SLAPD_TLS_DOMAIN_NAME = cfg.domain;
PORTUNUS_SLAPD_TLS_PRIVATE_KEY = "${acmeDirectory}/key.pem";
}));
};
};
users.users = mkMerge [
(mkIf (cfg.ldap.user == "openldap") {
openldap = {
group = cfg.ldap.group;
isSystemUser = true;
};
})
(mkIf (cfg.user == "portunus") {
portunus = {
group = cfg.group;
isSystemUser = true;
};
})
];
users.groups = mkMerge [
(mkIf (cfg.ldap.user == "openldap") {
openldap = { };
})
(mkIf (cfg.user == "portunus") {
portunus = { };
})
];
};
meta.maintainers = [ majewsky ] ++ teams.c3d2.members;
}

2
nixos/modules/services/misc/rmfakecloud.nix
View File

@ -50,7 +50,7 @@ in {
type = with types; attrsOf str; type = with types; attrsOf str;
default = { }; default = { };
example = { DATADIR = "/custom/path/for/rmfakecloud/data"; }; example = { DATADIR = "/custom/path/for/rmfakecloud/data"; };
description = '' description = lib.mdDoc ''
Extra settings in the form of a set of key-value pairs. Extra settings in the form of a set of key-value pairs.
For tokens and secrets, use `environmentFile` instead. For tokens and secrets, use `environmentFile` instead.

38
nixos/modules/services/misc/spice-webdavd.nix Normal file
View File

@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.spice-webdavd;
in
{
options = {
services.spice-webdavd = {
enable = mkEnableOption "the spice guest webdav proxy daemon";
package = mkOption {
default = pkgs.phodav;
defaultText = literalExpression "pkgs.phodav";
type = types.package;
description = "spice-webdavd provider package to use.";
};
};
};
config = mkIf cfg.enable {
# ensure the webdav fs this exposes can actually be mounted
services.davfs2.enable = true;
# add the udev rule which starts the proxy when the spice socket is present
services.udev.packages = [ cfg.package ];
systemd.services.spice-webdavd = {
description = "spice-webdav proxy daemon";
serviceConfig = {
Type = "simple";
ExecStart = "${cfg.package}/bin/spice-webdavd -p 9843";
Restart = "on-success";
};
};
};
}

49
nixos/modules/services/misc/sssd.nix
View File

@ -3,6 +3,10 @@ with lib;
let let
cfg = config.services.sssd; cfg = config.services.sssd;
nscd = config.services.nscd; nscd = config.services.nscd;
dataDir = "/var/lib/sssd";
settingsFile = "${dataDir}/sssd.conf";
settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubstituted.conf" cfg.config;
in { in {
options = { options = {
services.sssd = { services.sssd = {
@ -47,6 +51,30 @@ in {
Kerberos will be configured to cache credentials in SSS. Kerberos will be configured to cache credentials in SSS.
''; '';
}; };
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file.
<programlisting>
# snippet of sssd-related config
[domain/LDAP]
ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
</programlisting>
<programlisting>
# contents of the environment file
SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
</programlisting>
'';
};
}; };
}; };
config = mkMerge [ config = mkMerge [
@ -60,22 +88,29 @@ in {
wants = [ "nss-user-lookup.target" ]; wants = [ "nss-user-lookup.target" ];
restartTriggers = [ restartTriggers = [
config.environment.etc."nscd.conf".source config.environment.etc."nscd.conf".source
config.environment.etc."sssd/sssd.conf".source settingsFileUnsubstituted
]; ];
script = '' script = ''
export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb" export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
${pkgs.sssd}/bin/sssd -D ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
''; '';
serviceConfig = { serviceConfig = {
Type = "forking"; Type = "forking";
PIDFile = "/run/sssd.pid"; PIDFile = "/run/sssd.pid";
StateDirectory = baseNameOf dataDir;
# We cannot use LoadCredential here because it's not available in ExecStartPre
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
}; };
}; preStart = ''
[ -f ${settingsFile} ] && rm -f ${settingsFile}
environment.etc."sssd/sssd.conf" = { old_umask=$(umask)
text = cfg.config; umask 0177
mode = "0400"; ${pkgs.envsubst}/bin/envsubst \
-o ${settingsFile} \
-i ${settingsFileUnsubstituted}
umask $old_umask
'';
}; };
system.nssModules = [ pkgs.sssd ]; system.nssModules = [ pkgs.sssd ];

2
nixos/modules/services/misc/zoneminder.nix
View File

@ -80,7 +80,7 @@ in {
webserver = mkOption { webserver = mkOption {
type = types.enum [ "nginx" "none" ]; type = types.enum [ "nginx" "none" ];
default = "nginx"; default = "nginx";
description = '' description = lib.mdDoc ''
The webserver to configure for the PHP frontend. The webserver to configure for the PHP frontend.
Set it to `none` if you want to configure it yourself. PRs are welcome Set it to `none` if you want to configure it yourself. PRs are welcome

2
nixos/modules/services/monitoring/collectd.nix
View File

@ -52,7 +52,7 @@ in {
buildMinimalPackage = mkOption { buildMinimalPackage = mkOption {
default = false; default = false;
description = '' description = lib.mdDoc ''
Build a minimal collectd package with only the configured `services.collectd.plugins` Build a minimal collectd package with only the configured `services.collectd.plugins`
''; '';
type = bool; type = bool;

4
nixos/modules/services/monitoring/datadog-agent.nix
View File

@ -60,7 +60,7 @@ in {
package = mkOption { package = mkOption {
default = pkgs.datadog-agent; default = pkgs.datadog-agent;
defaultText = literalExpression "pkgs.datadog-agent"; defaultText = literalExpression "pkgs.datadog-agent";
description = '' description = lib.mdDoc ''
Which DataDog v7 agent package to use. Note that the provided Which DataDog v7 agent package to use. Note that the provided
package is expected to have an overridable `pythonPackages`-attribute package is expected to have an overridable `pythonPackages`-attribute
which configures the Python environment with the Datadog which configures the Python environment with the Datadog
@ -168,7 +168,7 @@ in {
}; };
checks = mkOption { checks = mkOption {
description = '' description = lib.mdDoc ''
Configuration for all Datadog checks. Keys of this attribute Configuration for all Datadog checks. Keys of this attribute
set will be used as the name of the check to create the set will be used as the name of the check to create the
appropriate configuration in `conf.d/$check.d/conf.yaml`. appropriate configuration in `conf.d/$check.d/conf.yaml`.

4
nixos/modules/services/monitoring/grafana-agent.nix
View File

@ -38,8 +38,8 @@ in
}; };
settings = mkOption { settings = mkOption {
description = '' description = lib.mdDoc ''
Configuration for <package>grafana-agent</package>. Configuration for `grafana-agent`.
See https://grafana.com/docs/agent/latest/configuration/ See https://grafana.com/docs/agent/latest/configuration/
''; '';

12
nixos/modules/services/monitoring/grafana-image-renderer.nix
View File

@ -63,7 +63,7 @@ in {
default = "default"; default = "default";
type = types.enum [ "default" "reusable" "clustered" ]; type = types.enum [ "default" "reusable" "clustered" ];
description = '' description = ''
Rendering mode of <package>grafana-image-renderer</package>: Rendering mode of <literal>grafana-image-renderer</literal>:
<itemizedlist> <itemizedlist>
<listitem><para><literal>default:</literal> Creates on browser-instance <listitem><para><literal>default:</literal> Creates on browser-instance
per rendering request.</para></listitem> per rendering request.</para></listitem>
@ -79,8 +79,8 @@ in {
args = mkOption { args = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "--no-sandbox" ]; default = [ "--no-sandbox" ];
description = '' description = lib.mdDoc ''
List of CLI flags passed to <package>chromium</package>. List of CLI flags passed to `chromium`.
''; '';
}; };
}; };
@ -89,10 +89,10 @@ in {
default = {}; default = {};
description = '' description = lib.mdDoc ''
Configuration attributes for <package>grafana-image-renderer</package>. Configuration attributes for `grafana-image-renderer`.
See <link xlink:href="https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json"/> See <https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json>
for supported values. for supported values.
''; '';
}; };

4
nixos/modules/services/monitoring/mackerel-agent.nix
View File

@ -20,11 +20,11 @@ in {
apiKeyFile = mkOption { apiKeyFile = mkOption {
type = types.path; type = types.path;
example = "/run/keys/mackerel-api-key"; example = "/run/keys/mackerel-api-key";
description = '' description = lib.mdDoc ''
Path to file containing the Mackerel API key. The file should contain a Path to file containing the Mackerel API key. The file should contain a
single line of the following form: single line of the following form:
<literallayout>apikey = "EXAMPLE_API_KEY"</literallayout> `apikey = "EXAMPLE_API_KEY"`
''; '';
}; };

22
nixos/modules/services/monitoring/nagios.nix
View File

@ -91,11 +91,11 @@ in
enable = mkEnableOption ''<link xlink:href="http://www.nagios.org/">Nagios</link> to monitor your system or network.''; enable = mkEnableOption ''<link xlink:href="http://www.nagios.org/">Nagios</link> to monitor your system or network.'';
objectDefs = mkOption { objectDefs = mkOption {
description = " description = lib.mdDoc ''
A list of Nagios object configuration files that must define A list of Nagios object configuration files that must define
the hosts, host groups, services and contacts for the the hosts, host groups, services and contacts for the
network that you want Nagios to monitor. network that you want Nagios to monitor.
"; '';
type = types.listOf types.path; type = types.listOf types.path;
example = literalExpression "[ ./objects.cfg ]"; example = literalExpression "[ ./objects.cfg ]";
}; };
@ -104,18 +104,18 @@ in
type = types.listOf types.package; type = types.listOf types.package;
default = with pkgs; [ monitoring-plugins msmtp mailutils ]; default = with pkgs; [ monitoring-plugins msmtp mailutils ];
defaultText = literalExpression "[pkgs.monitoring-plugins pkgs.msmtp pkgs.mailutils]"; defaultText = literalExpression "[pkgs.monitoring-plugins pkgs.msmtp pkgs.mailutils]";
description = " description = ''
Packages to be added to the Nagios <envar>PATH</envar>. Packages to be added to the Nagios <envar>PATH</envar>.
Typically used to add plugins, but can be anything. Typically used to add plugins, but can be anything.
"; '';
}; };
mainConfigFile = mkOption { mainConfigFile = mkOption {
type = types.nullOr types.package; type = types.nullOr types.package;
default = null; default = null;
description = " description = lib.mdDoc ''
If non-null, overrides the main configuration file of Nagios. If non-null, overrides the main configuration file of Nagios.
"; '';
}; };
extraConfig = mkOption { extraConfig = mkOption {
@ -139,19 +139,19 @@ in
type = types.package; type = types.package;
default = nagiosCGICfgFile; default = nagiosCGICfgFile;
defaultText = literalExpression "nagiosCGICfgFile"; defaultText = literalExpression "nagiosCGICfgFile";
description = " description = lib.mdDoc ''
Derivation for the configuration file of Nagios CGI scripts Derivation for the configuration file of Nagios CGI scripts
that can be used in web servers for running the Nagios web interface. that can be used in web servers for running the Nagios web interface.
"; '';
}; };
enableWebInterface = mkOption { enableWebInterface = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = " description = lib.mdDoc ''
Whether to enable the Nagios web interface. You should also Whether to enable the Nagios web interface. You should also
enable Apache (<option>services.httpd.enable</option>). enable Apache ({option}`services.httpd.enable`).
"; '';
}; };
virtualHost = mkOption { virtualHost = mkOption {

17
nixos/modules/services/monitoring/prometheus/default.nix
View File

@ -251,7 +251,7 @@ let
authorization = mkOption { authorization = mkOption {
type = types.nullOr types.attrs; type = types.nullOr types.attrs;
default = null; default = null;
description = '' description = lib.mdDoc ''
Sets the `Authorization` header on every scrape request with the configured credentials. Sets the `Authorization` header on every scrape request with the configured credentials.
''; '';
}; };
@ -664,7 +664,7 @@ let
promTypes.dockerswarm_sd_config = mkDockerSdConfigModule { promTypes.dockerswarm_sd_config = mkDockerSdConfigModule {
role = mkOption { role = mkOption {
type = types.enum [ "services" "tasks" "nodes" ]; type = types.enum [ "services" "tasks" "nodes" ];
description = '' description = lib.mdDoc ''
Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`. Role of the targets to retrieve. Must be `services`, `tasks`, or `nodes`.
''; '';
}; };
@ -1222,7 +1222,7 @@ let
role = mkOption { role = mkOption {
type = types.enum [ "instance" "baremetal" ]; type = types.enum [ "instance" "baremetal" ];
description = '' description = lib.mdDoc ''
Role of the targets to retrieve. Must be `instance` or `baremetal`. Role of the targets to retrieve. Must be `instance` or `baremetal`.
''; '';
}; };
@ -1729,16 +1729,15 @@ in
type = with types; either bool (enum [ "syntax-only" ]); type = with types; either bool (enum [ "syntax-only" ]);
default = true; default = true;
example = "syntax-only"; example = "syntax-only";
description = '' description = lib.mdDoc ''
Check configuration with <literal>promtool Check configuration with `promtool check`. The call to `promtool` is
check</literal>. The call to <literal>promtool</literal> is
subject to sandboxing by Nix. subject to sandboxing by Nix.
If you use credentials stored in external files If you use credentials stored in external files
(<literal>password_file</literal>, <literal>bearer_token_file</literal>, etc), (`password_file`, `bearer_token_file`, etc),
they will not be visible to <literal>promtool</literal> they will not be visible to `promtool`
and it will report errors, despite a correct configuration. and it will report errors, despite a correct configuration.
To resolve this, you may set this option to <literal>"syntax-only"</literal> To resolve this, you may set this option to `"syntax-only"`
in order to only syntax check the Prometheus configuration. in order to only syntax check the Prometheus configuration.
''; '';
}; };

8
nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
View File

@ -33,10 +33,10 @@ in
work with this exporter: work with this exporter:
<programlisting> <programlisting>
{ {
<xref linkend="opt-services.prometheus.exporters.dovecot.enable"/> = true; services.prometheus.exporters.dovecot.enable = true;
<xref linkend="opt-services.prometheus.exporters.dovecot.socketPath"/> = "/var/run/dovecot2/old-stats"; services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats";
<xref linkend="opt-services.dovecot2.mailPlugins.globally.enable"/> = [ "old_stats" ]; services.dovecot2.mailPlugins.globally.enable = [ "old_stats" ];
<xref linkend="opt-services.dovecot2.extraConfig"/> = ''' services.dovecot2.extraConfig = '''
service old-stats { service old-stats {
unix_listener old-stats { unix_listener old-stats {
user = dovecot-exporter user = dovecot-exporter

4
nixos/modules/services/monitoring/prometheus/exporters/knot.nix
View File

@ -11,8 +11,8 @@ in {
type = types.str; type = types.str;
default = "${pkgs.knot-dns.out}/lib/libknot.so"; default = "${pkgs.knot-dns.out}/lib/libknot.so";
defaultText = literalExpression ''"''${pkgs.knot-dns.out}/lib/libknot.so"''; defaultText = literalExpression ''"''${pkgs.knot-dns.out}/lib/libknot.so"'';
description = '' description = lib.mdDoc ''
Path to the library of <package>knot-dns</package>. Path to the library of `knot-dns`.
''; '';
}; };

2
nixos/modules/services/monitoring/prometheus/exporters/mail.nix
View File

@ -121,7 +121,7 @@ let
It's possible to work around the issue with a config like this: It's possible to work around the issue with a config like this:
<programlisting> <programlisting>
{ {
<link linkend="opt-services.rspamd.locals._name_.text">services.rspamd.locals."multimap.conf".text</link> = ''' services.rspamd.locals."multimap.conf".text = '''
ALLOWLIST_PROMETHEUS { ALLOWLIST_PROMETHEUS {
filter = "email:domain:tld"; filter = "email:domain:tld";
type = "from"; type = "from";

2
nixos/modules/services/monitoring/prometheus/exporters/nginxlog.nix
View File

@ -10,7 +10,7 @@ in {
settings = mkOption { settings = mkOption {
type = types.attrs; type = types.attrs;
default = {}; default = {};
description = '' description = lib.mdDoc ''
All settings of nginxlog expressed as an Nix attrset. All settings of nginxlog expressed as an Nix attrset.
Check the official documentation for the corresponding YAML Check the official documentation for the corresponding YAML

10
nixos/modules/services/monitoring/prometheus/exporters/openldap.nix
View File

@ -12,7 +12,7 @@ in {
example = "/run/keys/ldap_pass"; example = "/run/keys/ldap_pass";
description = '' description = ''
Environment file to contain the credentials to authenticate against Environment file to contain the credentials to authenticate against
<package>openldap</package>. <literal>openldap</literal>.
The file should look like this: The file should look like this:
<programlisting> <programlisting>
@ -26,15 +26,15 @@ in {
default = "tcp"; default = "tcp";
example = "udp"; example = "udp";
type = types.str; type = types.str;
description = '' description = lib.mdDoc ''
Which protocol to use to connect against <package>openldap</package>. Which protocol to use to connect against `openldap`.
''; '';
}; };
ldapAddr = mkOption { ldapAddr = mkOption {
default = "localhost:389"; default = "localhost:389";
type = types.str; type = types.str;
description = '' description = lib.mdDoc ''
Address of the <package>openldap</package>-instance. Address of the `openldap`-instance.
''; '';
}; };
metricsPath = mkOption { metricsPath = mkOption {

Some files were not shown because too many files have changed in this diff Show More