Merge master into haskell-updates

github-actions[bot] 2023-10-17 00:12:29 +00:00 committed by GitHub
commit fe082e6d4b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
201 changed files with 4453 additions and 2074 deletions


@ -538,7 +538,7 @@ To get a sense for what changes are considered mass rebuilds, see [previously me
When adding yourself as maintainer, in the same pull request, make a separate
commit with the message `maintainers: add <handle>`.
Add the commit before those making changes to the package or module.
See [Nixpkgs Maintainers](../maintainers/README.md) for details.
See [Nixpkgs Maintainers](./maintainers/README.md) for details.
### Writing good commit messages


@ -3,6 +3,7 @@
This directory houses the sources files for the Nixpkgs manual.
You can find the [rendered documentation for Nixpkgs `unstable` on nixos.org](https://nixos.org/manual/nixpkgs/unstable/).
The rendering tool is [nixos-render-docs](../pkgs/tools/nix/nixos-render-docs/src/nixos_render_docs), sometimes abbreviated `nrd`.
[Docs for Nixpkgs stable](https://nixos.org/manual/nixpkgs/stable/) are also available.


@ -172,11 +172,11 @@ rec {
else if ! isPath value then
if isStringLike value then
throw ''
${context} ("${toString value}") is a string-like value, but it should be a path instead.
${context} ("${toString value}") is a string-like value, but it should be a file set or a path instead.
Paths represented as strings are not supported by `lib.fileset`, use `lib.sources` or derivations instead.''
else
throw ''
${context} is of type ${typeOf value}, but it should be a path instead.''
${context} is of type ${typeOf value}, but it should be a file set or a path instead.''
else if ! pathExists value then
throw ''
${context} (${toString value}) does not exist.''


@ -355,8 +355,8 @@ expectFailure 'toSource { root = ./a; fileset = ./.; }' 'lib.fileset.toSource: `
rm -rf *
# Path coercion only works for paths
expectFailure 'toSource { root = ./.; fileset = 10; }' 'lib.fileset.toSource: `fileset` is of type int, but it should be a path instead.'
expectFailure 'toSource { root = ./.; fileset = "/some/path"; }' 'lib.fileset.toSource: `fileset` \("/some/path"\) is a string-like value, but it should be a path instead.
expectFailure 'toSource { root = ./.; fileset = 10; }' 'lib.fileset.toSource: `fileset` is of type int, but it should be a file set or a path instead.'
expectFailure 'toSource { root = ./.; fileset = "/some/path"; }' 'lib.fileset.toSource: `fileset` \("/some/path"\) is a string-like value, but it should be a file set or a path instead.
\s*Paths represented as strings are not supported by `lib.fileset`, use `lib.sources` or derivations instead.'
# Path coercion errors for non-existent paths


@ -109,7 +109,13 @@ rec {
The package is specified in the third argument under `default` as a list of strings
representing its attribute path in nixpkgs (or another package set).
Because of this, you need to pass nixpkgs itself (or a subset) as the first argument.
Because of this, you need to pass nixpkgs itself (usually `pkgs` in a module;
alternatively to nixpkgs itself, another package set) as the first argument.
If you pass another package set you should set the `pkgsText` option.
This option is used to display the expression for the package set. It is `"pkgs"` by default.
If your expression is complex you should parenthesize it, as the `pkgsText` argument
is usually immediately followed by an attribute lookup (`.`).
The second argument may be either a string or a list of strings.
It provides the display name of the package in the description of the generated option
@ -118,68 +124,100 @@ rec {
To include extra information in the description, pass `extraDescription` to
append arbitrary text to the generated description.
You can also pass an `example` value, either a literal string or an attribute path.
The default argument can be omitted if the provided name is
an attribute of pkgs (if name is a string) or a
valid attribute path in pkgs (if name is a list).
The `default` argument can be omitted if the provided name is
an attribute of pkgs (if `name` is a string) or a valid attribute path in pkgs (if `name` is a list).
You can also set `default` to just a string in which case it is interpreted as an attribute name
(a singleton attribute path, if you will).
If you wish to explicitly provide no default, pass `null` as `default`.
Type: mkPackageOption :: pkgs -> (string|[string]) -> { default? :: [string], example? :: null|string|[string], extraDescription? :: string } -> option
If you want users to be able to set no package, pass `nullable = true`.
In this mode a `default = null` will not be interpreted as no default and is interpreted literally.
Type: mkPackageOption :: pkgs -> (string|[string]) -> { nullable? :: bool, default? :: string|[string], example? :: null|string|[string], extraDescription? :: string, pkgsText? :: string } -> option
Example:
mkPackageOption pkgs "hello" { }
=> { _type = "option"; default = «derivation /nix/store/3r2vg51hlxj3cx5vscp0vkv60bqxkaq0-hello-2.10.drv»; defaultText = { ... }; description = "The hello package to use."; type = { ... }; }
=> { ...; default = pkgs.hello; defaultText = literalExpression "pkgs.hello"; description = "The hello package to use."; type = package; }
Example:
mkPackageOption pkgs "GHC" {
default = [ "ghc" ];
example = "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])";
}
=> { _type = "option"; default = «derivation /nix/store/jxx55cxsjrf8kyh3fp2ya17q99w7541r-ghc-8.10.7.drv»; defaultText = { ... }; description = "The GHC package to use."; example = { ... }; type = { ... }; }
=> { ...; default = pkgs.ghc; defaultText = literalExpression "pkgs.ghc"; description = "The GHC package to use."; example = literalExpression "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])"; type = package; }
Example:
mkPackageOption pkgs [ "python39Packages" "pytorch" ] {
mkPackageOption pkgs [ "python3Packages" "pytorch" ] {
extraDescription = "This is an example and doesn't actually do anything.";
}
=> { _type = "option"; default = «derivation /nix/store/gvqgsnc4fif9whvwd9ppa568yxbkmvk8-python3.9-pytorch-1.10.2.drv»; defaultText = { ... }; description = "The pytorch package to use. This is an example and doesn't actually do anything."; type = { ... }; }
=> { ...; default = pkgs.python3Packages.pytorch; defaultText = literalExpression "pkgs.python3Packages.pytorch"; description = "The pytorch package to use. This is an example and doesn't actually do anything."; type = package; }
Example:
mkPackageOption pkgs "nushell" {
nullable = true;
}
=> { ...; default = pkgs.nushell; defaultText = literalExpression "pkgs.nushell"; description = "The nushell package to use."; type = nullOr package; }
Example:
mkPackageOption pkgs "coreutils" {
default = null;
}
=> { ...; description = "The coreutils package to use."; type = package; }
Example:
mkPackageOption pkgs "dbus" {
nullable = true;
default = null;
}
=> { ...; default = null; description = "The dbus package to use."; type = nullOr package; }
Example:
mkPackageOption pkgs.javaPackages "OpenJFX" {
default = "openjfx20";
pkgsText = "pkgs.javaPackages";
}
=> { ...; default = pkgs.javaPackages.openjfx20; defaultText = literalExpression "pkgs.javaPackages.openjfx20"; description = "The OpenJFX package to use."; type = package; }
*/
mkPackageOption =
# Package set (a specific version of nixpkgs or a subset)
# Package set (an instantiation of nixpkgs such as pkgs in modules or another package set)
pkgs:
# Name for the package, shown in option description
name:
{
# Whether the package can be null, for example to disable installing a package altogether.
# Whether the package can be null, for example to disable installing a package altogether (defaults to false)
nullable ? false,
# The attribute path where the default package is located (may be omitted)
# The attribute path where the default package is located (may be omitted, in which case it is copied from `name`)
default ? name,
# A string or an attribute path to use as an example (may be omitted)
example ? null,
# Additional text to include in the option description (may be omitted)
extraDescription ? "",
# Representation of the package set passed as pkgs (defaults to `"pkgs"`)
pkgsText ? "pkgs"
}:
let
name' = if isList name then last name else name;
in mkOption ({
type = with lib.types; (if nullable then nullOr else lib.id) package;
default' = if isList default then default else [ default ];
defaultText = concatStringsSep "." default';
defaultValue = attrByPath default'
(throw "${defaultText} cannot be found in ${pkgsText}") pkgs;
defaults = if default != null then {
default = defaultValue;
defaultText = literalExpression ("${pkgsText}." + defaultText);
} else optionalAttrs nullable {
default = null;
};
in mkOption (defaults // {
description = "The ${name'} package to use."
+ (if extraDescription == "" then "" else " ") + extraDescription;
} // (if default != null then let
default' = if isList default then default else [ default ];
defaultPath = concatStringsSep "." default';
defaultValue = attrByPath default'
(throw "${defaultPath} cannot be found in pkgs") pkgs;
in {
default = defaultValue;
defaultText = literalExpression ("pkgs." + defaultPath);
} else if nullable then {
default = null;
} else { }) // lib.optionalAttrs (example != null) {
type = with lib.types; (if nullable then nullOr else lib.id) package;
} // optionalAttrs (example != null) {
example = literalExpression
(if isList example then "pkgs." + concatStringsSep "." example else example);
(if isList example then "${pkgsText}." + concatStringsSep "." example else example);
});
/* Alias of mkPackageOption. Previously used to create options with markdown
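Review bot: The new `Type:` line in the mkPackageOption doc comment gives `default? :: string|[string]`, but the same comment tells callers to pass `null` as `default` to get no default, and the body branches on `default != null`. The signature should read `default? :: null|string|[string]` so it matches the documented and implemented behaviour. Separately, `pkgsText` is spliced unparenthesized into `"${pkgsText}." + defaultText` and into the list-form `example` text, so the rendered expression is only valid when the caller follows the parenthesization advice in the comment. A short comment next to `pkgsText ? "pkgs"`, such as `# not parenthesized automatically; wrap complex expressions in (...)`, would keep that visible at the argument itself.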


@ -227,8 +227,16 @@ checkConfigOutput '^false$' config.enableAlias ./alias-with-priority-can-overrid
# Check mkPackageOption
checkConfigOutput '^"hello"$' config.package.pname ./declare-mkPackageOption.nix
checkConfigOutput '^"hello"$' config.namedPackage.pname ./declare-mkPackageOption.nix
checkConfigOutput '^".*Hello.*"$' options.namedPackage.description ./declare-mkPackageOption.nix
checkConfigOutput '^"hello"$' config.pathPackage.pname ./declare-mkPackageOption.nix
checkConfigOutput '^"pkgs\.hello\.override \{ stdenv = pkgs\.clangStdenv; \}"$' options.packageWithExample.example.text ./declare-mkPackageOption.nix
checkConfigOutput '^".*Example extra description\..*"$' options.packageWithExtraDescription.description ./declare-mkPackageOption.nix
checkConfigError 'The option .undefinedPackage. is used but not defined' config.undefinedPackage ./declare-mkPackageOption.nix
checkConfigOutput '^null$' config.nullablePackage ./declare-mkPackageOption.nix
checkConfigOutput '^"null or package"$' options.nullablePackageWithDefault.type.description ./declare-mkPackageOption.nix
checkConfigOutput '^"myPkgs\.hello"$' options.packageWithPkgsText.defaultText.text ./declare-mkPackageOption.nix
checkConfigOutput '^"hello-other"$' options.packageFromOtherSet.default.pname ./declare-mkPackageOption.nix
# submoduleWith
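Review bot: Two options that declare-mkPackageOption.nix gains in this commit, `namedPackageSingletonDefault` (a bare string `default`) and `packageWithPathExample` (a list `example`), are declared but never evaluated by a check in the lines visible here. They are the fixtures for the `default' = if isList default then default else [ default ]` string branch and the `"${pkgsText}." + concatStringsSep "." example` branch, so a regression in either would still pass the suite. I would add `checkConfigOutput '^"hello"$' config.namedPackageSingletonDefault.pname ./declare-mkPackageOption.nix` and `checkConfigOutput '^"pkgs\.hello"$' options.packageWithPathExample.example.text ./declare-mkPackageOption.nix`.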


@ -7,6 +7,28 @@ in {
options = {
package = lib.mkPackageOption pkgs "hello" { };
namedPackage = lib.mkPackageOption pkgs "Hello" {
default = [ "hello" ];
};
namedPackageSingletonDefault = lib.mkPackageOption pkgs "Hello" {
default = "hello";
};
pathPackage = lib.mkPackageOption pkgs [ "hello" ] { };
packageWithExample = lib.mkPackageOption pkgs "hello" {
example = "pkgs.hello.override { stdenv = pkgs.clangStdenv; }";
};
packageWithPathExample = lib.mkPackageOption pkgs "hello" {
example = [ "hello" ];
};
packageWithExtraDescription = lib.mkPackageOption pkgs "hello" {
extraDescription = "Example extra description.";
};
undefinedPackage = lib.mkPackageOption pkgs "hello" {
default = null;
};
@ -15,5 +37,17 @@ in {
nullable = true;
default = null;
};
nullablePackageWithDefault = lib.mkPackageOption pkgs "hello" {
nullable = true;
};
packageWithPkgsText = lib.mkPackageOption pkgs "hello" {
pkgsText = "myPkgs";
};
packageFromOtherSet = let myPkgs = {
hello = pkgs.hello // { pname = "hello-other"; };
}; in lib.mkPackageOption myPkgs "hello" { };
};
}


@ -4424,6 +4424,15 @@
githubId = 14034137;
name = "Mostly Void";
};
ditsuke = {
name = "Tushar";
email = "hello@ditsuke.com";
github = "ditsuke";
githubId = 72784348;
keys = [{
fingerprint = "8FD2 153F 4889 541A 54F1 E09E 71B6 C31C 8A5A 9D21";
}];
};
djacu = {
email = "daniel.n.baker@gmail.com";
github = "djacu";
@ -16420,6 +16429,11 @@
fingerprint = "75F0 AB7C FE01 D077 AEE6 CAFD 353E 4A18 EE0F AB72";
}];
};
spacefault = {
github = "spacefault";
githubId = 74156492;
name = "spacefault";
};
spacefrogg = {
email = "spacefrogg-nixos@meterriblecrew.net";
github = "spacefrogg";
@ -18048,6 +18062,16 @@
githubId = 1607770;
name = "Ulrik Strid";
};
unclamped = {
name = "Maru";
email = "clear6860@tutanota.com";
matrix = "@unhidden0174:matrix.org";
github = "unclamped";
githubId = 104658278;
keys = [{
fingerprint = "57A2 CC43 3068 CB62 89C1 F1DA 9137 BB2E 77AD DE7E";
}];
};
unclechu = {
name = "Viacheslav Lotsmanov";
email = "lotsmanov89@gmail.com";


@ -66,6 +66,8 @@
- [Prometheus MySQL exporter](https://github.com/prometheus/mysqld_exporter), a MySQL server exporter for Prometheus. Available as [services.prometheus.exporters.mysqld](#opt-services.prometheus.exporters.mysqld.enable).
- [LibreNMS](https://www.librenms.org), a auto-discovering PHP/MySQL/SNMP based network monitoring. Available as [services.librenms](#opt-services.librenms.enable).
- [sitespeed-io](https://sitespeed.io), a tool that can generate metrics (timings, diagnostics) for websites. Available as [services.sitespeed-io](#opt-services.sitespeed-io.enable).
- [stalwart-mail](https://stalw.art), an all-in-one email server (SMTP, IMAP, JMAP). Available as [services.stalwart-mail](#opt-services.stalwart-mail.enable).
@ -91,6 +93,8 @@
- [Honk](https://humungus.tedunangst.com/r/honk), a complete ActivityPub server with minimal setup and support costs.
Available as [services.honk](#opt-services.honk.enable).
- [ferretdb](https://www.ferretdb.io/), an open-source proxy, converting the MongoDB 6.0+ wire protocol queries to PostgreSQL or SQLite. Available as [services.ferretdb](options.html#opt-services.ferretdb.enable).
- [NNCP](http://www.nncpgo.org/). Added nncp-daemon and nncp-caller services. Configuration is set with [programs.nncp.settings](#opt-programs.nncp.settings) and the daemons are enabled at [services.nncp](#opt-services.nncp.caller.enable).
- [tuxedo-rs](https://github.com/AaronErhardt/tuxedo-rs), Rust utilities for interacting with hardware from TUXEDO Computers.
@ -271,6 +275,8 @@
- Package `noto-fonts-emoji` was renamed to `noto-fonts-color-emoji`;
see [#221181](https://github.com/NixOS/nixpkgs/issues/221181).
- Package `cloud-sql-proxy` was renamed to `google-cloud-sql-proxy` as it cannot be used with other cloud providers.;
- Package `pash` was removed due to being archived upstream. Use `powershell` as an alternative.
- `security.sudo.extraRules` now includes `root`'s default rule, with ordering
@ -295,6 +301,8 @@
- `service.borgmatic.settings.location` and `services.borgmatic.configurations.<name>.location` are deprecated, please move your options out of sections to the global scope.
- `dagger` was removed because using a package called `dagger` and packaging it from source violates their trademark policy.
## Other Notable Changes {#sec-release-23.11-notable-changes}
- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration.


@ -415,6 +415,7 @@
./services/databases/couchdb.nix
./services/databases/dgraph.nix
./services/databases/dragonflydb.nix
./services/databases/ferretdb.nix
./services/databases/firebird.nix
./services/databases/foundationdb.nix
./services/databases/hbase-standalone.nix
@ -774,6 +775,7 @@
./services/monitoring/kapacitor.nix
./services/monitoring/karma.nix
./services/monitoring/kthxbye.nix
./services/monitoring/librenms.nix
./services/monitoring/loki.nix
./services/monitoring/longview.nix
./services/monitoring/mackerel-agent.nix
@ -880,6 +882,7 @@
./services/networking/croc.nix
./services/networking/dae.nix
./services/networking/dante.nix
./services/networking/deconz.nix
./services/networking/dhcpcd.nix
./services/networking/dnscache.nix
./services/networking/dnscrypt-proxy2.nix
@ -1163,6 +1166,7 @@
./services/security/sshguard.nix
./services/security/sslmate-agent.nix
./services/security/step-ca.nix
./services/security/tang.nix
./services/security/tor.nix
./services/security/torify.nix
./services/security/torsocks.nix


@ -6,6 +6,92 @@
with lib;
let
mkRulesTypeOption = type: mkOption {
# These options are experimental and subject to breaking changes without notice.
description = lib.mdDoc ''
PAM `${type}` rules for this service.
Attribute keys are the name of each rule.
'';
type = types.attrsOf (types.submodule ({ name, config, ... }: {
options = {
name = mkOption {
type = types.str;
description = lib.mdDoc ''
Name of this rule.
'';
internal = true;
readOnly = true;
};
enable = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Whether this rule is added to the PAM service config file.
'';
};
order = mkOption {
type = types.int;
description = lib.mdDoc ''
Order of this rule in the service file. Rules are arranged in ascending order of this value.
::: {.warning}
The `order` values for the built-in rules are subject to change. If you assign a constant value to this option, a system update could silently reorder your rule. You could be locked out of your system, or your system could be left wide open. When using this option, set it to a relative offset from another rule's `order` value:
```nix
{
security.pam.services.login.rules.auth.foo.order =
config.security.pam.services.login.rules.auth.unix.order + 10;
}
```
:::
'';
};
control = mkOption {
type = types.str;
description = lib.mdDoc ''
Indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. See `control` in {manpage}`pam.conf(5)` for details.
'';
};
modulePath = mkOption {
type = types.str;
description = lib.mdDoc ''
Either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location. See `module-path` in {manpage}`pam.conf(5)` for details.
'';
};
args = mkOption {
type = types.listOf types.str;
description = lib.mdDoc ''
Tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. See `module-arguments` in {manpage}`pam.conf(5)` for details.
Escaping rules for spaces and square brackets are automatically applied.
{option}`settings` are automatically added as {option}`args`. It's recommended to use the {option}`settings` option whenever possible so that arguments can be overridden.
'';
};
settings = mkOption {
type = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
default = {};
description = lib.mdDoc ''
Settings to add as `module-arguments`.
Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.
'';
};
};
config = {
inherit name;
# Formats an attrset of settings as args for use as `module-arguments`.
args = concatLists (flip mapAttrsToList config.settings (name: value:
if isBool value
then optional value name
else optional (value != null) "${name}=${toString value}"
));
};
}));
};
parentConfig = config;
pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in {
@ -18,6 +104,28 @@ let
description = lib.mdDoc "Name of the PAM service.";
};
rules = mkOption {
# This option is experimental and subject to breaking changes without notice.
visible = false;
description = lib.mdDoc ''
PAM rules for this service.
::: {.warning}
This option and its suboptions are experimental and subject to breaking changes without notice.
If you use this option in your system configuration, you will need to manually monitor this module for any changes. Otherwise, failure to adjust your configuration properly could lead to you being locked out of your system, or worse, your system could be left wide open to attackers.
If you share configuration examples that use this option, you MUST include this warning so that users are informed.
You may freely use this option within `nixpkgs`, and future changes will account for those use sites.
:::
'';
type = types.submodule {
options = genAttrs [ "account" "auth" "password" "session" ] mkRulesTypeOption;
};
};
unixAuth = mkOption {
default = true;
type = types.bool;
@ -470,90 +578,114 @@ let
setLoginUid = mkDefault cfg.startSession;
limits = mkDefault config.security.pam.loginLimits;
text = let
ensureUniqueOrder = type: rules:
let
checkPair = a: b: assert assertMsg (a.order != b.order) "security.pam.services.${name}.rules.${type}: rules '${a.name}' and '${b.name}' cannot have the same order value (${toString a.order})"; b;
checked = zipListsWith checkPair rules (drop 1 rules);
in take 1 rules ++ checked;
# Formats a string for use in `module-arguments`. See `man pam.conf`.
formatModuleArgument = token:
if hasInfix " " token
then "[${replaceStrings ["]"] ["\\]"] token}]"
else token;
formatRules = type: pipe cfg.rules.${type} [
attrValues
(filter (rule: rule.enable))
(sort (a: b: a.order < b.order))
(ensureUniqueOrder type)
(map (rule: concatStringsSep " " (
[ type rule.control rule.modulePath ]
++ map formatModuleArgument rule.args
++ [ "# ${rule.name} (order ${toString rule.order})" ]
)))
(concatStringsSep "\n")
];
in mkDefault ''
# Account management.
${formatRules "account"}
# Authentication management.
${formatRules "auth"}
# Password management.
${formatRules "password"}
# Session management.
${formatRules "session"}
'';
# !!! TODO: move the LDAP stuff to the LDAP module, and the
# Samba stuff to the Samba module. This requires that the PAM
# module provides the right hooks.
text = mkDefault
(
''
# Account management.
'' +
optionalString use_ldap ''
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.services.kanidm.enablePam) ''
account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user
'' +
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
'' +
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
'' +
optionalString config.security.pam.krb5.enable ''
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
'' +
optionalString cfg.googleOsLoginAccountVerification ''
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
optionalString config.services.homed.enable ''
account sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
rules = let
autoOrderRules = flip pipe [
(imap1 (index: rule: rule // { order = mkDefault (10000 + index * 100); } ))
(map (rule: nameValuePair rule.name (removeAttrs rule [ "name" ])))
listToAttrs
];
in {
account = autoOrderRules [
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf";
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; settings = {
ignore_unknown_user = true;
}; }
{ name = "sss"; enable = config.services.sssd.enable; control = if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; }
{ name = "oslogin_login"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok ignore=ignore default=die]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; }
{ name = "oslogin_admin"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so"; }
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
''
account required pam_unix.so
{ name = "unix"; control = "required"; modulePath = "pam_unix.so"; }
];
# Authentication management.
'' +
optionalString cfg.googleOsLoginAuthentication ''
auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
'' +
optionalString cfg.rootOK ''
auth sufficient pam_rootok.so
'' +
optionalString cfg.requireWheel ''
auth required pam_wheel.so use_uid
'' +
optionalString cfg.logFailures ''
auth required pam_faillock.so
'' +
optionalString cfg.mysqlAuth ''
auth sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
'' +
(let p11 = config.security.pam.p11; in optionalString cfg.p11Auth ''
auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so
'') +
(let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth (''
auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ''
+ ''${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}
'')) +
optionalString cfg.usbAuth ''
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
'' +
(let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) ''
auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
'') +
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
auth requisite ${pkgs.oath-toolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
'') +
(let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ''
auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}
'') +
(let dp9ik = config.security.pam.dp9ik; in optionalString dp9ik.enable ''
auth ${dp9ik.control} ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver}
'') +
optionalString cfg.fprintAuth ''
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
'' +
auth = autoOrderRules ([
{ name = "oslogin_login"; enable = cfg.googleOsLoginAuthentication; control = "[success=done perm_denied=die default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; }
{ name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; }
{ name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; settings = {
use_uid = true;
}; }
{ name = "faillock"; enable = cfg.logFailures; control = "required"; modulePath = "pam_faillock.so"; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf";
}; }
{ name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; settings = {
file = lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles;
}; }
(let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [
"${pkgs.opensc}/lib/opensc-pkcs11.so"
]; })
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; settings = {
inherit (u2f) debug interactive cue origin;
authfile = u2f.authFile;
appid = u2f.appId;
}; })
{ name = "usb"; enable = cfg.usbAuth; control = "sufficient"; modulePath = "${pkgs.pam_usb}/lib/security/pam_usb.so"; }
(let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; settings = {
ca_file = ussh.caFile;
authorized_principals = ussh.authorizedPrincipals;
authorized_principals_file = ussh.authorizedPrincipalsFile;
inherit (ussh) group;
}; })
(let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; control = "requisite"; modulePath = "${pkgs.oath-toolkit}/lib/security/pam_oath.so"; settings = {
inherit (oath) window digits;
usersfile = oath.usersFile;
}; })
(let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; control = yubi.control; modulePath = "${pkgs.yubico-pam}/lib/security/pam_yubico.so"; settings = {
inherit (yubi) mode debug;
chalresp_path = yubi.challengeResponsePath;
id = mkIf (yubi.mode == "client") yubi.id;
}; })
(let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; control = dp9ik.control; modulePath = "${pkgs.pam_dp9ik}/lib/security/pam_p9.so"; args = [
dp9ik.authserver
]; })
{ name = "fprintd"; enable = cfg.fprintAuth; control = "sufficient"; modulePath = "${pkgs.fprintd}/lib/security/pam_fprintd.so"; }
] ++
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
# after it succeeds. Certain modules need to run after pam_unix
@ -562,7 +694,7 @@ let
# We use try_first_pass the second time to avoid prompting password twice.
#
# The same principle applies to systemd-homed
(optionalString ((cfg.unixAuth || config.services.homed.enable) &&
(optionals ((cfg.unixAuth || config.services.homed.enable) &&
(config.security.pam.enableEcryptfs
|| config.security.pam.enableFscrypt
|| cfg.pamMount
@ -573,199 +705,173 @@ let
|| cfg.failDelay.enable
|| cfg.duoSecurity.enable
|| cfg.zfs))
(
optionalString config.services.homed.enable ''
auth optional ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
optionalString cfg.unixAuth ''
auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
'' +
optionalString config.security.pam.enableEcryptfs ''
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
'' +
optionalString config.security.pam.enableFscrypt ''
auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so
'' +
optionalString cfg.zfs ''
auth optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes}
'' +
optionalString cfg.pamMount ''
auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
'' +
optionalString cfg.enableKwallet ''
auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
'' +
optionalString cfg.enableGnomeKeyring ''
auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so
'' +
optionalString cfg.gnupg.enable ''
auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
'' +
optionalString cfg.failDelay.enable ''
auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay}
'' +
optionalString cfg.googleAuthenticator.enable ''
auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp
'' +
optionalString cfg.duoSecurity.enable ''
auth required ${pkgs.duo-unix}/lib/security/pam_duo.so
''
)) +
optionalString config.services.homed.enable ''
auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
optionalString cfg.unixAuth ''
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass
'' +
optionalString cfg.otpwAuth ''
auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so
'' +
optionalString use_ldap ''
auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
'' +
optionalString config.services.kanidm.enablePam ''
auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass
'' +
optionalString config.services.sssd.enable ''
auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
'' +
optionalString config.security.pam.krb5.enable ''
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
'' +
''
auth required pam_deny.so
[
{ name = "systemd_home-early"; enable = config.services.homed.enable; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
{ name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "pam_unix.so"; settings = {
nullok = cfg.allowNullPassword;
inherit (cfg) nodelay;
likeauth = true;
}; }
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; settings = {
unwrap = true;
}; }
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; }
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = {
inherit (config.security.pam.zfs) homes;
}; }
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; settings = {
disable_interactive = true;
}; }
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; settings = {
kwalletd = "${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5";
}; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; }
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
store-only = cfg.gnupg.storeOnly;
}; }
{ name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_faildelay.so"; settings = {
inherit (cfg.failDelay) delay;
}; }
{ name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; settings = {
no_increment_hotp = true;
}; }
{ name = "duo"; enable = cfg.duoSecurity.enable; control = "required"; modulePath = "${pkgs.duo-unix}/lib/security/pam_duo.so"; }
]) ++ [
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
{ name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "pam_unix.so"; settings = {
nullok = cfg.allowNullPassword;
inherit (cfg) nodelay;
likeauth = true;
try_first_pass = true;
}; }
{ name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; }
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; settings = {
use_first_pass = true;
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; settings = {
ignore_unknown_user = true;
use_first_pass = true;
}; }
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; settings = {
use_first_pass = true;
}; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "[default=ignore success=1 service_err=reset]"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = {
use_first_pass = true;
}; }
{ name = "ccreds-validate"; enable = config.security.pam.krb5.enable; control = "[default=die success=done]"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; settings = {
action = "validate";
use_first_pass = true;
}; }
{ name = "ccreds-store"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; settings = {
action = "store";
use_first_pass = true;
}; }
{ name = "deny"; control = "required"; modulePath = "pam_deny.so"; }
]);
# Password management.
'' +
optionalString config.services.homed.enable ''
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' + ''
password sufficient pam_unix.so nullok yescrypt
'' +
optionalString config.security.pam.enableEcryptfs ''
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
'' +
optionalString config.security.pam.enableFscrypt ''
password optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so
'' +
optionalString cfg.zfs ''
password optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes}
'' +
optionalString cfg.pamMount ''
password optional ${pkgs.pam_mount}/lib/security/pam_mount.so
'' +
optionalString use_ldap ''
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.kanidm.enablePam ''
password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so
'' +
optionalString config.services.sssd.enable ''
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so
'' +
optionalString config.security.pam.krb5.enable ''
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
'' +
optionalString cfg.enableGnomeKeyring ''
password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok
'' +
''
password = autoOrderRules [
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
{ name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; settings = {
nullok = true;
yescrypt = true;
}; }
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; }
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; }
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = {
inherit (config.security.pam.zfs) homes;
}; }
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; }
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf";
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; }
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = {
use_first_pass = true;
}; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
use_authtok = true;
}; }
];
# Session management.
'' +
optionalString cfg.setEnvironment ''
session required pam_env.so conffile=/etc/pam/environment readenv=0
'' +
''
session required pam_unix.so
'' +
optionalString cfg.setLoginUid ''
session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so
'' +
optionalString cfg.ttyAudit.enable (concatStringsSep " \\\n " ([
"session required ${pkgs.pam}/lib/security/pam_tty_audit.so"
] ++ optional cfg.ttyAudit.openOnly "open_only"
++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
)) +
optionalString config.services.homed.enable ''
session required ${config.systemd.package}/lib/security/pam_systemd_home.so
'' +
optionalString cfg.makeHomeDir ''
session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=${config.security.pam.makeHomeDir.umask}
'' +
optionalString cfg.updateWtmp ''
session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
'' +
optionalString config.security.pam.enableEcryptfs ''
session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
'' +
optionalString config.security.pam.enableFscrypt ''
# Work around https://github.com/systemd/systemd/issues/8598
# Skips the pam_fscrypt module for systemd-user sessions which do not have a password
# anyways.
# See also https://github.com/google/fscrypt/issues/95
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
session optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so
'' +
optionalString cfg.zfs ''
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
session optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} ${optionalString config.security.pam.zfs.noUnmount "nounmount"}
'' +
optionalString cfg.pamMount ''
session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
'' +
optionalString use_ldap ''
session optional ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.kanidm.enablePam ''
session optional ${pkgs.kanidm}/lib/pam_kanidm.so
'' +
optionalString config.services.sssd.enable ''
session optional ${pkgs.sssd}/lib/security/pam_sss.so
'' +
optionalString config.security.pam.krb5.enable ''
session optional ${pam_krb5}/lib/security/pam_krb5.so
'' +
optionalString cfg.otpwAuth ''
session optional ${pkgs.otpw}/lib/security/pam_otpw.so
'' +
optionalString cfg.startSession ''
session optional ${config.systemd.package}/lib/security/pam_systemd.so
'' +
optionalString cfg.forwardXAuth ''
session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
'' +
optionalString (cfg.limits != []) ''
session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}
'' +
optionalString (cfg.showMotd && (config.users.motd != null || config.users.motdFile != null)) ''
session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}
'' +
optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
'' +
optionalString (cfg.enableKwallet) ''
session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
'' +
optionalString (cfg.enableGnomeKeyring) ''
session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
'' +
optionalString cfg.gnupg.enable ''
session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"}
'' +
optionalString (config.virtualisation.lxc.lxcfs.enable) ''
session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all
''
);
session = autoOrderRules [
{ name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; settings = {
conffile = "/etc/pam/environment";
readenv = 0;
}; }
{ name = "unix"; control = "required"; modulePath = "pam_unix.so"; }
{ name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; modulePath = "pam_loginuid.so"; }
{ name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_tty_audit.so"; settings = {
open_only = cfg.ttyAudit.openOnly;
enable = cfg.ttyAudit.enablePattern;
disable = cfg.ttyAudit.disablePattern;
}; }
{ name = "systemd_home"; enable = config.services.homed.enable; control = "required"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
{ name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_mkhomedir.so"; settings = {
silent = true;
skel = config.security.pam.makeHomeDir.skelDirectory;
inherit (config.security.pam.makeHomeDir) umask;
}; }
{ name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_lastlog.so"; settings = {
silent = true;
}; }
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; }
# Work around https://github.com/systemd/systemd/issues/8598
# Skips the pam_fscrypt module for systemd-user sessions which do not have a password
# anyways.
# See also https://github.com/google/fscrypt/issues/95
{ name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [
"service" "=" "systemd-user"
]; }
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; }
{ name = "zfs_key-skip-systemd"; enable = cfg.zfs; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [
"service" "=" "systemd-user"
]; }
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = {
inherit (config.security.pam.zfs) homes;
nounmount = config.security.pam.zfs.noUnmount;
}; }
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; settings = {
disable_interactive = true;
}; }
{ name = "ldap"; enable = use_ldap; control = "optional"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf";
}; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "optional"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; }
{ name = "sss"; enable = config.services.sssd.enable; control = "optional"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "optional"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; }
{ name = "otpw"; enable = cfg.otpwAuth; control = "optional"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; }
{ name = "systemd"; enable = cfg.startSession; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd.so"; }
{ name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "pam_xauth.so"; settings = {
xauthpath = "${pkgs.xorg.xauth}/bin/xauth";
systemuser = 99;
}; }
{ name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_limits.so"; settings = {
conf = "${makeLimitsConf cfg.limits}";
}; }
{ name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_motd.so"; settings = {
inherit motd;
}; }
{ name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; modulePath = "${pkgs.apparmor-pam}/lib/security/pam_apparmor.so"; settings = {
order = "user,group,default";
debug = true;
}; }
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; settings = {
kwalletd = "${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5";
}; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
auto_start = true;
}; }
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
no-autostart = cfg.gnupg.noAutostart;
}; }
{ name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; control = "optional"; modulePath = "${pkgs.lxc}/lib/security/pam_cgfs.so"; args = [
"-c" "all"
]; }
];
};
};
};
@ -841,6 +947,8 @@ in
{
meta.maintainers = [ maintainers.majiir ];
imports = [
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
];
@ -1402,9 +1510,7 @@ in
fscrypt = {};
};
security.apparmor.includes."abstractions/pam" = let
isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
in
security.apparmor.includes."abstractions/pam" =
lib.concatMapStrings
(name: "r ${config.environment.etc."pam.d/${name}".source},\n")
(attrNames config.security.pam.services) +
@ -1413,88 +1519,18 @@ in
mr ${getLib pkgs.pam}/lib/security/pam_*.so,
r ${getLib pkgs.pam}/lib/security/,
'' +
optionalString use_ldap ''
mr ${pam_ldap}/lib/security/pam_ldap.so,
'' +
optionalString config.services.kanidm.enablePam ''
mr ${pkgs.kanidm}/lib/pam_kanidm.so,
'' +
optionalString config.services.sssd.enable ''
mr ${pkgs.sssd}/lib/security/pam_sss.so,
'' +
optionalString config.security.pam.krb5.enable ''
mr ${pam_krb5}/lib/security/pam_krb5.so,
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
'' +
optionalString (config.security.pam.enableSSHAgentAuth
&& isEnabled (cfg: cfg.sshAgentAuth)) ''
mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,
'' +
optionalString (isEnabled (cfg: cfg.fprintAuth)) ''
mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,
'' +
optionalString (isEnabled (cfg: cfg.u2fAuth)) ''
mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,
'' +
optionalString (isEnabled (cfg: cfg.usbAuth)) ''
mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
'' +
optionalString (isEnabled (cfg: cfg.usshAuth)) ''
mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so,
'' +
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so,
'' +
optionalString (isEnabled (cfg: cfg.mysqlAuth)) ''
mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so,
'' +
optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
'' +
optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) ''
mr ${pkgs.duo-unix}/lib/security/pam_duo.so,
'' +
optionalString (isEnabled (cfg: cfg.otpwAuth)) ''
mr ${pkgs.otpw}/lib/security/pam_otpw.so,
'' +
optionalString config.security.pam.enableEcryptfs ''
mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,
'' +
optionalString config.security.pam.enableFscrypt ''
mr ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so,
'' +
optionalString (isEnabled (cfg: cfg.pamMount)) ''
mr ${pkgs.pam_mount}/lib/security/pam_mount.so,
'' +
optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) ''
mr ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so,
'' +
optionalString (isEnabled (cfg: cfg.startSession)) ''
mr ${config.systemd.package}/lib/security/pam_systemd.so,
'' +
optionalString (isEnabled (cfg: cfg.enableAppArmor)
&& config.security.apparmor.enable) ''
mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,
'' +
optionalString (isEnabled (cfg: cfg.enableKwallet)) ''
mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so,
'' +
optionalString config.virtualisation.lxc.lxcfs.enable ''
mr ${pkgs.lxc}/lib/security/pam_cgfs.so,
'' +
optionalString (isEnabled (cfg: cfg.zfs)) ''
mr ${config.boot.zfs.package}/lib/security/pam_zfs_key.so,
'' +
optionalString config.services.homed.enable ''
mr ${config.systemd.package}/lib/security/pam_systemd_home.so
'';
(with lib; pipe config.security.pam.services [
attrValues
(catAttrs "rules")
(concatMap attrValues)
(concatMap attrValues)
(filter (rule: rule.enable))
(catAttrs "modulePath")
(filter (hasPrefix "/"))
unique
(map (module: "mr ${module},"))
concatLines
]);
};
}


@ -0,0 +1,79 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.ferretdb;
in
{
meta.maintainers = with lib.maintainers; [ julienmalka camillemndn ];
options = {
services.ferretdb = {
enable = mkEnableOption "FerretDB, an Open Source MongoDB alternative.";
package = mkOption {
type = types.package;
example = literalExpression "pkgs.ferretdb";
default = pkgs.ferretdb;
defaultText = "pkgs.ferretdb";
description = "FerretDB package to use.";
};
settings = lib.mkOption {
type =
lib.types.submodule { freeformType = with lib.types; attrsOf str; };
example = {
FERRETDB_LOG_LEVEL = "warn";
FERRETDB_MODE = "normal";
};
description = ''
Additional configuration for FerretDB, see
<https://docs.ferretdb.io/flags/>
for supported values.
'';
};
};
};
config = mkIf cfg.enable
{
services.ferretdb.settings = {
FERRETDB_HANDLER = lib.mkDefault "sqlite";
FERRETDB_SQLITE_URL = lib.mkDefault "file:/var/lib/ferretdb/";
};
systemd.services.ferretdb = {
description = "FerretDB";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = cfg.settings;
serviceConfig = {
Type = "simple";
StateDirectory = "ferretdb";
WorkingDirectory = "/var/lib/ferretdb";
ExecStart = "${cfg.package}/bin/ferretdb";
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
DynamicUser = true;
};
};
};
}
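Review bot: `environment = cfg.settings;` copies every value of `services.ferretdb.settings` into the generated systemd unit, which is built into the world-readable Nix store. A backend URL that carries a password (for example in `FERRETDB_POSTGRESQL_URL`) would then be readable by any local user. The `settings` description should state that credentials do not belong there, and the module should offer a file-based alternative, such as a nullable `environmentFile` option passed to `serviceConfig.EnvironmentFile`. The sandboxing list is a good start, and the same follow-up could add `RestrictAddressFamilies`, `SystemCallFilter` and an empty `CapabilityBoundingSet`.

```nix
settings = lib.mkOption {
  # … unchanged: type, example, description …
};

environmentFile = mkOption {
  type = types.nullOr types.path;
  default = null;
  # constructed sample path
  example = "/run/secrets/ferretdb.env";
  description = ''
    File with `KEY=value` lines that systemd loads into the service
    environment. Put credentials here instead of in `settings`, whose
    values end up in the world-readable Nix store.
  '';
};

# … unchanged: config = mkIf cfg.enable, default settings, unit header …
environment = cfg.settings;
serviceConfig = {
  EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
  # … unchanged: Type, StateDirectory, ExecStart, hardening options …
```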


@ -72,13 +72,12 @@ let
inherit (cfg) plugins;
};
logConfig = logName: {
defaultCommonLogConfig = {
version = 1;
formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
handlers.journal = {
class = "systemd.journal.JournalHandler";
formatter = "journal_fmt";
SYSLOG_IDENTIFIER = logName;
};
root = {
level = "INFO";
@ -86,33 +85,27 @@ let
};
disable_existing_loggers = false;
};
defaultCommonLogConfigText = generators.toPretty { } defaultCommonLogConfig;
logConfigText = logName:
let
expr = ''
{
version = 1;
formatters.journal_fmt.format = "%(name)s: [%(request)s] %(message)s";
handlers.journal = {
class = "systemd.journal.JournalHandler";
formatter = "journal_fmt";
SYSLOG_IDENTIFIER = "${logName}";
};
root = {
level = "INFO";
handlers = [ "journal" ];
};
disable_existing_loggers = false;
};
'';
in
lib.literalMD ''
Path to a yaml file generated from this Nix expression:
```
${expr}
${generators.toPretty { } (
recursiveUpdate defaultCommonLogConfig { handlers.journal.SYSLOG_IDENTIFIER = logName; }
)}
```
'';
genLogConfigFile = logName: format.generate "synapse-log-${logName}.yaml" (logConfig logName);
genLogConfigFile = logName: format.generate
"synapse-log-${logName}.yaml"
(cfg.log // optionalAttrs (cfg.log?handlers.journal) {
handlers.journal = cfg.log.handlers.journal // {
SYSLOG_IDENTIFIER = logName;
};
});
in {
imports = [
@ -396,6 +389,49 @@ in {
'';
};
log = mkOption {
type = types.attrsOf format.type;
defaultText = literalExpression defaultCommonLogConfigText;
description = mdDoc ''
Default configuration for the loggers used by `matrix-synapse` and its workers.
The defaults are added with the default priority which means that
these will be merged with additional declarations. These additional
declarations also take precedence over the defaults when declared
with at least normal priority. For instance
the log-level for synapse and its workers can be changed like this:
```nix
{ lib, ... }: {
services.matrix-synapse.log.root.level = "WARNING";
}
```
And another field can be added like this:
```nix
{
services.matrix-synapse.log = {
loggers."synapse.http.matrixfederationclient".level = "DEBUG";
};
}
```
Additionally, the field `handlers.journal.SYSLOG_IDENTIFIER` will be added to
each log config, i.e.
* `synapse` for `matrix-synapse.service`
* `synapse-<worker name>` for `matrix-synapse-worker-<worker name>.service`
This is only done if this option has a `handlers.journal` field declared.
To discard all settings declared by this option for each worker and synapse,
`lib.mkForce` can be used.
To discard all settings declared by this option for a single worker or synapse only,
[](#opt-services.matrix-synapse.workers._name_.worker_log_config) or
[](#opt-services.matrix-synapse.settings.log_config) can be used.
'';
};
settings = mkOption {
default = { };
description = mdDoc ''
@ -993,6 +1029,8 @@ in {
# default them, so they are additive
services.matrix-synapse.extras = defaultExtras;
services.matrix-synapse.log = mapAttrsRecursive (const mkDefault) defaultCommonLogConfig;
users.users.matrix-synapse = {
group = "matrix-synapse";
home = cfg.dataDir;
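Review bot: In `genLogConfigFile` the merge `cfg.log // optionalAttrs (cfg.log?handlers.journal) { handlers.journal = …; }` is shallow, so the right-hand side replaces the whole `handlers` attribute. Any other handler declared through `services.matrix-synapse.log` is dropped from the generated YAML whenever `handlers.journal` exists. The new option text promises that additional declarations are merged, and a silently missing log handler tends to be noticed only when the logs are needed. `logConfigText` in the same hunk already uses `recursiveUpdate`, and the same call here keeps sibling handlers: `(if cfg.log ? handlers.journal then recursiveUpdate cfg.log { handlers.journal.SYSLOG_IDENTIFIER = logName; } else cfg.log)`.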


@ -0,0 +1,624 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.librenms;
settingsFormat = pkgs.formats.json {};
configJson = settingsFormat.generate "librenms-config.json" cfg.settings;
package = pkgs.librenms.override {
logDir = cfg.logDir;
dataDir = cfg.dataDir;
};
phpOptions = ''
log_errors = on
post_max_size = 100M
upload_max_filesize = 100M
date.timezone = "${config.time.timeZone}"
'';
phpIni = pkgs.runCommand "php.ini" {
inherit (package) phpPackage;
inherit phpOptions;
preferLocalBuild = true;
passAsFile = [ "phpOptions" ];
} ''
cat $phpPackage/etc/php.ini $phpOptionsPath > $out
'';
artisanWrapper = pkgs.writeShellScriptBin "librenms-artisan" ''
cd ${package}
sudo=exec
if [[ "$USER" != ${cfg.user} ]]; then
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user}'
fi
$sudo ${package}/artisan $*
'';
lnmsWrapper = pkgs.writeShellScriptBin "lnms" ''
cd ${package}
exec ${package}/lnms $*
'';
configFile = pkgs.writeText "config.php" ''
<?php
$new_config = json_decode(file_get_contents("${cfg.dataDir}/config.json"), true);
$config = ($config == null) ? $new_config : array_merge($config, $new_config);
${lib.optionalString (cfg.extraConfig != null) cfg.extraConfig}
'';
in {
options.services.librenms = with lib; {
enable = mkEnableOption "LibreNMS network monitoring system";
user = mkOption {
type = types.str;
default = "librenms";
description = ''
Name of the LibreNMS user.
'';
};
group = mkOption {
type = types.str;
default = "librenms";
description = ''
Name of the LibreNMS group.
'';
};
hostname = mkOption {
type = types.str;
default = config.networking.fqdnOrHostName;
defaultText = literalExpression "config.networking.fqdnOrHostName";
description = ''
The hostname to serve LibreNMS on.
'';
};
pollerThreads = mkOption {
type = types.int;
default = 16;
description = ''
Amount of threads of the cron-poller.
'';
};
enableOneMinutePolling = mkOption {
type = types.bool;
default = false;
description = ''
Enables the [1-Minute Polling](https://docs.librenms.org/Support/1-Minute-Polling/).
Changing this option will automatically convert your existing rrd files.
'';
};
useDistributedPollers = mkOption {
type = types.bool;
default = false;
description = ''
Enables (distributed pollers)[https://docs.librenms.org/Extensions/Distributed-Poller/]
for this LibreNMS instance. This will enable a local `rrdcached` and `memcached` server.
To use this feature, make sure to configure your firewall that the distributed pollers
can reach the local `mysql`, `rrdcached` and `memcached` ports.
'';
};
distributedPoller = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Configure this LibreNMS instance as a (distributed poller)[https://docs.librenms.org/Extensions/Distributed-Poller/].
This will disable all web features and just configure the poller features.
Use the `mysql` database of your main LibreNMS instance in the database settings.
'';
};
name = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Custom name of this poller.
'';
};
group = mkOption {
type = types.str;
default = "0";
example = "1,2";
description = ''
Group(s) of this poller.
'';
};
distributedBilling = mkOption {
type = types.bool;
default = false;
description = ''
Enable distributed billing on this poller.
'';
};
memcachedHost = mkOption {
type = types.str;
description = ''
Hostname or IP of the `memcached` server.
'';
};
memcachedPort = mkOption {
type = types.port;
default = 11211;
description = ''
Port of the `memcached` server.
'';
};
rrdcachedHost = mkOption {
type = types.str;
description = ''
Hostname or IP of the `rrdcached` server.
'';
};
rrdcachedPort = mkOption {
type = types.port;
default = 42217;
description = ''
Port of the `memcached` server.
'';
};
};
poolConfig = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the LibreNMS PHP pool. See the documentation on `php-fpm.conf`
for details on configuration directives.
'';
};
nginx = mkOption {
type = types.submodule (
recursiveUpdate
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) {}
);
default = { };
example = literalExpression ''
{
serverAliases = [
"librenms.''${config.networking.domain}"
];
# To enable encryption and let let's encrypt take care of certificate
forceSSL = true;
enableACME = true;
# To set the LibreNMS virtualHost as the default virtualHost;
default = true;
}
'';
description = ''
With this option, you can customize the nginx virtualHost settings.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/librenms";
description = ''
Path of the LibreNMS state directory.
'';
};
logDir = mkOption {
type = types.path;
default = "/var/log/librenms";
description = ''
Path of the LibreNMS logging directory.
'';
};
database = {
createLocally = mkOption {
type = types.bool;
default = false;
description = ''
Whether to create a local database automatically.
'';
};
host = mkOption {
default = "localhost";
description = ''
Hostname or IP of the MySQL/MariaDB server.
'';
};
port = mkOption {
type = types.port;
default = 3306;
description = ''
Port of the MySQL/MariaDB server.
'';
};
database = mkOption {
type = types.str;
default = "librenms";
description = ''
Name of the database on the MySQL/MariaDB server.
'';
};
username = mkOption {
type = types.str;
default = "librenms";
description = ''
Name of the user on the MySQL/MariaDB server.
'';
};
passwordFile = mkOption {
type = types.path;
example = "/run/secrets/mysql.pass";
description = ''
A file containing the password for the user of the MySQL/MariaDB server.
Must be readable for the LibreNMS user.
'';
};
};
environmentFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
File containing env-vars to be substituted into the final config. Useful for secrets.
Does not apply to settings defined in `extraConfig`.
'';
};
settings = mkOption {
type = types.submodule {
freeformType = settingsFormat.type;
options = {};
};
description = ''
Attrset of the LibreNMS configuration.
See https://docs.librenms.org/Support/Configuration/ for reference.
All possible options are listed [here](https://github.com/librenms/librenms/blob/master/misc/config_definitions.json).
See https://docs.librenms.org/Extensions/Authentication/ for setting other authentication methods.
'';
default = { };
example = {
base_url = "/librenms/";
top_devices = true;
top_ports = false;
};
};
extraConfig = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Additional config for LibreNMS that will be appended to the `config.php`. See
https://github.com/librenms/librenms/blob/master/misc/config_definitions.json
for possible options. Useful if you want to use PHP-Functions in your config.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = config.time.timeZone != null;
message = "You must set `time.timeZone` to use the LibreNMS module.";
}
{
assertion = cfg.database.createLocally -> cfg.database.host == "localhost";
message = "The database host must be \"localhost\" if services.librenms.database.createLocally is set to true.";
}
{
assertion = !(cfg.useDistributedPollers && cfg.distributedPoller.enable);
message = "The LibreNMS instance can't be a distributed poller and a full instance at the same time.";
}
];
users.users.${cfg.user} = {
group = "${cfg.group}";
isSystemUser = true;
};
users.groups.${cfg.group} = { };
services.librenms.settings = {
# basic configs
"user" = cfg.user;
"own_hostname" = cfg.hostname;
"base_url" = lib.mkDefault "/";
"auth_mechanism" = lib.mkDefault "mysql";
# disable auto update function (won't work with NixOS)
"update" = false;
# enable fast ping by default
"ping_rrd_step" = 60;
# one minute polling
"rrd.step" = if cfg.enableOneMinutePolling then 60 else 300;
"rrd.heartbeat" = if cfg.enableOneMinutePolling then 120 else 600;
} // (lib.optionalAttrs cfg.distributedPoller.enable {
"distributed_poller" = true;
"distributed_poller_name" = lib.mkIf (cfg.distributedPoller.name != null) cfg.distributedPoller.name;
"distributed_poller_group" = cfg.distributedPoller.group;
"distributed_billing" = cfg.distributedPoller.distributedBilling;
"distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;
"distributed_poller_memcached_port" = cfg.distributedPoller.memcachedPort;
"rrdcached" = "${cfg.distributedPoller.rrdcachedHost}:${toString cfg.distributedPoller.rrdcachedPort}";
}) // (lib.optionalAttrs cfg.useDistributedPollers {
"distributed_poller" = true;
# still enable a local poller with distributed polling
"distributed_poller_group" = lib.mkDefault "0";
"distributed_billing" = lib.mkDefault true;
"distributed_poller_memcached_host" = "localhost";
"distributed_poller_memcached_port" = 11211;
"rrdcached" = "localhost:42217";
});
services.memcached = lib.mkIf cfg.useDistributedPollers {
enable = true;
listen = "0.0.0.0";
};
systemd.services.rrdcached = lib.mkIf cfg.useDistributedPollers {
description = "rrdcached";
after = [ "librenms-setup.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
User = cfg.user;
Group = cfg.group;
LimitNOFILE = 16384;
RuntimeDirectory = "rrdcached";
PidFile = "/run/rrdcached/rrdcached.pid";
# rrdcached params from https://docs.librenms.org/Extensions/Distributed-Poller/#config-sample
ExecStart = "${pkgs.rrdtool}/bin/rrdcached -l 0:42217 -R -j ${cfg.dataDir}/rrdcached-journal/ -F -b ${cfg.dataDir}/rrd -B -w 1800 -z 900 -p /run/rrdcached/rrdcached.pid";
};
};
services.mysql = lib.mkIf cfg.database.createLocally {
enable = true;
package = lib.mkDefault pkgs.mariadb;
settings.mysqld = {
innodb_file_per_table = 1;
lower_case_table_names = 0;
} // (lib.optionalAttrs cfg.useDistributedPollers {
bind-address = "0.0.0.0";
});
ensureDatabases = [ cfg.database.database ];
ensureUsers = [
{
name = cfg.database.username;
ensurePermissions = {
"${cfg.database.database}.*" = "ALL PRIVILEGES";
};
}
];
initialScript = lib.mkIf cfg.useDistributedPollers (pkgs.writeText "mysql-librenms-init" ''
CREATE USER IF NOT EXISTS '${cfg.database.username}'@'%';
GRANT ALL PRIVILEGES ON ${cfg.database.database}.* TO '${cfg.database.username}'@'%';
'');
};
services.nginx = lib.mkIf (!cfg.distributedPoller.enable) {
enable = true;
virtualHosts."${cfg.hostname}" = lib.mkMerge [
cfg.nginx
{
root = lib.mkForce "${package}/html";
locations."/" = {
index = "index.php";
tryFiles = "$uri $uri/ /index.php?$query_string";
};
locations."~ .php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools."librenms".socket};
fastcgi_split_path_info ^(.+\.php)(/.+)$;
'';
}
];
};
services.phpfpm.pools.librenms = lib.mkIf (!cfg.distributedPoller.enable) {
user = cfg.user;
group = cfg.group;
inherit (package) phpPackage;
inherit phpOptions;
settings = {
"listen.mode" = "0660";
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
} // cfg.poolConfig;
};
systemd.services.librenms-scheduler = {
description = "LibreNMS Scheduler";
path = [ pkgs.unixtools.whereis ];
serviceConfig = {
Type = "oneshot";
WorkingDirectory = package;
User = cfg.user;
Group = cfg.group;
ExecStart = "${artisanWrapper}/bin/librenms-artisan schedule:run";
};
};
systemd.timers.librenms-scheduler = {
description = "LibreNMS Scheduler";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "minutely";
AccuracySec = "1second";
};
};
systemd.services.librenms-setup = {
description = "Preparation tasks for LibreNMS";
before = [ "phpfpm-librenms.service" ];
after = [ "systemd-tmpfiles-setup.service" ]
++ (lib.optional (cfg.database.host == "localhost") "mysql.service");
wantedBy = [ "multi-user.target" ];
restartTriggers = [ package configFile ];
path = [ pkgs.mariadb pkgs.unixtools.whereis pkgs.gnused ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
User = cfg.user;
Group = cfg.group;
ExecStartPre = lib.mkIf cfg.database.createLocally [ "!${pkgs.writeShellScript "librenms-db-init" ''
DB_PASSWORD=$(cat ${cfg.database.passwordFile} | tr -d '\n')
echo "ALTER USER '${cfg.database.username}'@'localhost' IDENTIFIED BY '$DB_PASSWORD';" | ${pkgs.mariadb}/bin/mysql
${lib.optionalString cfg.useDistributedPollers ''
echo "ALTER USER '${cfg.database.username}'@'%' IDENTIFIED BY '$DB_PASSWORD';" | ${pkgs.mariadb}/bin/mysql
''}
''}"];
};
script = ''
set -euo pipefail
# config setup
ln -sf ${configFile} ${cfg.dataDir}/config.php
${pkgs.envsubst}/bin/envsubst -i ${configJson} -o ${cfg.dataDir}/config.json
export PHPRC=${phpIni}
if [[ ! -s ${cfg.dataDir}/.env ]]; then
# init .env file
echo "APP_KEY=" > ${cfg.dataDir}/.env
${artisanWrapper}/bin/librenms-artisan key:generate --ansi
${artisanWrapper}/bin/librenms-artisan webpush:vapid
echo "" >> ${cfg.dataDir}/.env
echo -n "NODE_ID=" >> ${cfg.dataDir}/.env
${package.phpPackage}/bin/php -r "echo uniqid();" >> ${cfg.dataDir}/.env
echo "" >> ${cfg.dataDir}/.env
else
# .env file already exists --> only update database and cache config
${pkgs.gnused}/bin/sed -i /^DB_/d ${cfg.dataDir}/.env
${pkgs.gnused}/bin/sed -i /^CACHE_DRIVER/d ${cfg.dataDir}/.env
fi
${lib.optionalString (cfg.useDistributedPollers || cfg.distributedPoller.enable) ''
echo "CACHE_DRIVER=memcached" >> ${cfg.dataDir}/.env
''}
echo "DB_HOST=${cfg.database.host}" >> ${cfg.dataDir}/.env
echo "DB_PORT=${toString cfg.database.port}" >> ${cfg.dataDir}/.env
echo "DB_DATABASE=${cfg.database.database}" >> ${cfg.dataDir}/.env
echo "DB_USERNAME=${cfg.database.username}" >> ${cfg.dataDir}/.env
echo -n "DB_PASSWORD=" >> ${cfg.dataDir}/.env
cat ${cfg.database.passwordFile} >> ${cfg.dataDir}/.env
# clear cache after update
OLD_VERSION=$(cat ${cfg.dataDir}/version)
if [[ $OLD_VERSION != "${package.version}" ]]; then
rm -r ${cfg.dataDir}/cache/*
echo "${package.version}" > ${cfg.dataDir}/version
fi
# convert rrd files when the oneMinutePolling option is changed
OLD_ENABLED=$(cat ${cfg.dataDir}/one_minute_enabled)
if [[ $OLD_ENABLED != "${lib.boolToString cfg.enableOneMinutePolling}" ]]; then
${package}/scripts/rrdstep.php -h all
echo "${lib.boolToString cfg.enableOneMinutePolling}" > ${cfg.dataDir}/one_minute_enabled
fi
# migrate db
${artisanWrapper}/bin/librenms-artisan migrate --force --no-interaction
'';
};
programs.mtr.enable = true;
services.logrotate = {
enable = true;
settings."${cfg.logDir}/librenms.log" = {
su = "${cfg.user} ${cfg.group}";
create = "0640 ${cfg.user} ${cfg.group}";
rotate = 6;
frequency = "weekly";
compress = true;
delaycompress = true;
missingok = true;
notifempty = true;
};
};
services.cron = {
enable = true;
systemCronJobs = let
env = "PHPRC=${phpIni}";
in [
# based on crontab provided by LibreNMS
"33 */6 * * * ${cfg.user} ${env} ${package}/cronic ${package}/discovery-wrapper.py 1"
"*/5 * * * * ${cfg.user} ${env} ${package}/discovery.php -h new >> /dev/null 2>&1"
"${if cfg.enableOneMinutePolling then "*" else "*/5"} * * * * ${cfg.user} ${env} ${package}/cronic ${package}/poller-wrapper.py ${toString cfg.pollerThreads}"
"* * * * * ${cfg.user} ${env} ${package}/alerts.php >> /dev/null 2>&1"
"*/5 * * * * ${cfg.user} ${env} ${package}/poll-billing.php >> /dev/null 2>&1"
"01 * * * * ${cfg.user} ${env} ${package}/billing-calculate.php >> /dev/null 2>&1"
"*/5 * * * * ${cfg.user} ${env} ${package}/check-services.php >> /dev/null 2>&1"
# extra: fast ping
"* * * * * ${cfg.user} ${env} ${package}/ping.php >> /dev/null 2>&1"
# daily.sh tasks are split to exclude update
"19 0 * * * ${cfg.user} ${env} ${package}/daily.sh cleanup >> /dev/null 2>&1"
"19 0 * * * ${cfg.user} ${env} ${package}/daily.sh notifications >> /dev/null 2>&1"
"19 0 * * * ${cfg.user} ${env} ${package}/daily.sh peeringdb >> /dev/null 2>&1"
"19 0 * * * ${cfg.user} ${env} ${package}/daily.sh mac_oui >> /dev/null 2>&1"
];
};
security.wrappers = {
fping = {
setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping";
};
};
environment.systemPackages = [ artisanWrapper lnmsWrapper ];
systemd.tmpfiles.rules = [
"d ${cfg.logDir} 0750 ${cfg.user} ${cfg.group} - -"
"f ${cfg.logDir}/librenms.log 0640 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -"
"f ${cfg.dataDir}/.env 0600 ${cfg.user} ${cfg.group} - -"
"f ${cfg.dataDir}/version 0600 ${cfg.user} ${cfg.group} - -"
"f ${cfg.dataDir}/one_minute_enabled 0600 ${cfg.user} ${cfg.group} - -"
"f ${cfg.dataDir}/config.json 0600 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage/app 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage/debugbar 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage/framework 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage/framework/cache 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage/framework/sessions 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage/framework/views 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/storage/logs 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/rrd 0700 ${cfg.user} ${cfg.group} - -"
"d ${cfg.dataDir}/cache 0700 ${cfg.user} ${cfg.group} - -"
] ++ lib.optionals cfg.useDistributedPollers [
"d ${cfg.dataDir}/rrdcached-journal 0700 ${cfg.user} ${cfg.group} - -"
];
};
meta.maintainers = lib.teams.wdz.members;
}


@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.deconz;
name = "deconz";
stateDir = "/var/lib/${name}";
# ref. upstream deconz.service
capabilities =
lib.optionals (cfg.httpPort < 1024 || cfg.wsPort < 1024) [ "CAP_NET_BIND_SERVICE" ]
++ lib.optionals (cfg.allowRebootSystem) [ "CAP_SYS_BOOT" ]
++ lib.optionals (cfg.allowRestartService) [ "CAP_KILL" ]
++ lib.optionals (cfg.allowSetSystemTime) [ "CAP_SYS_TIME" ];
in
{
options.services.deconz = {
enable = lib.mkEnableOption "deCONZ, a Zigbee gateway for use with ConBee hardware (https://phoscon.de/en/conbee2)";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.deconz;
defaultText = lib.literalExpression "pkgs.deconz";
description = "Which deCONZ package to use.";
};
device = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Force deCONZ to use a specific USB device (e.g. /dev/ttyACM0). By
default it does a search.
'';
};
listenAddress = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = ''
Pin deCONZ to the network interface specified through the provided IP
address. This applies for the webserver as well as the websocket
notifications.
'';
};
httpPort = lib.mkOption {
type = lib.types.port;
default = 80;
description = "TCP port for the web server.";
};
wsPort = lib.mkOption {
type = lib.types.port;
default = 443;
description = "TCP port for the WebSocket.";
};
openFirewall = lib.mkEnableOption "open up the service ports in the firewall";
allowRebootSystem = lib.mkEnableOption "allow rebooting the system";
allowRestartService = lib.mkEnableOption "allow killing/restarting processes";
allowSetSystemTime = lib.mkEnableOption "allow setting the system time";
extraArgs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [
"--dbg-info=1"
"--dbg-err=2"
];
description = ''
Extra command line arguments for deCONZ, see
https://github.com/dresden-elektronik/deconz-rest-plugin/wiki/deCONZ-command-line-parameters.
'';
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
cfg.httpPort
cfg.wsPort
];
services.udev.packages = [ cfg.package ];
systemd.services.deconz = {
description = "deCONZ Zigbee gateway";
wantedBy = [ "multi-user.target" ];
preStart = ''
# The service puts a nix store path reference in here, and that path can
# be garbage collected. Ensure the file gets "refreshed" on every start.
rm -f ${stateDir}/.local/share/dresden-elektronik/deCONZ/zcldb.txt
'';
environment = {
HOME = stateDir;
XDG_RUNTIME_DIR = "/run/${name}";
};
serviceConfig = {
ExecStart =
"${lib.getExe cfg.package}"
+ " -platform minimal"
+ " --http-listen=${cfg.listenAddress}"
+ " --http-port=${toString cfg.httpPort}"
+ " --ws-port=${toString cfg.wsPort}"
+ " --auto-connect=1"
+ (lib.optionalString (cfg.device != null) " --dev=${cfg.device}")
+ " " + (lib.escapeShellArgs cfg.extraArgs);
Restart = "on-failure";
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
UMask = "0027";
DynamicUser = true;
RuntimeDirectory = name;
RuntimeDirectoryMode = "0700";
StateDirectory = name;
WorkingDirectory = stateDir;
# For access to /dev/ttyACM0 (ConBee).
SupplementaryGroups = [ "dialout" ];
ProtectHome = true;
};
};
};
}
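Review bot: `CapabilityBoundingSet = capabilities;` in `serviceConfig` drops nothing when `capabilities` evaluates to an empty list, which happens when both ports are 1024 or above and none of the `allow*` options is set. As far as I know the NixOS unit generator writes no directive at all for an empty list, so in that case the unit keeps systemd's default bounding set. The tang module added in this same commit uses `CapabilityBoundingSet = [ "" ];` to get an explicit empty assignment. Here `CapabilityBoundingSet = [ "" ] ++ capabilities;` would reset the set first and then add only the requested entries.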


@ -0,0 +1,95 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.tang;
in
{
options.services.tang = {
enable = mkEnableOption "tang";
package = mkOption {
type = types.package;
default = pkgs.tang;
defaultText = literalExpression "pkgs.tang";
description = mdDoc "The tang package to use.";
};
listenStream = mkOption {
type = with types; listOf str;
default = [ "7654" ];
example = [ "198.168.100.1:7654" "[2001:db8::1]:7654" "7654" ];
description = mdDoc ''
Addresses and/or ports on which tang should listen.
For detailed syntax see ListenStream in {manpage}`systemd.socket(5)`.
'';
};
ipAddressAllow = mkOption {
example = [ "192.168.1.0/24" ];
type = types.listOf types.str;
description = ''
Whitelist a list of address prefixes.
Preferably, internal addresses should be used.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
systemd.services."tangd@" = {
description = "Tang server";
path = [ cfg.package ];
serviceConfig = {
StandardInput = "socket";
StandardOutput = "socket";
StandardError = "journal";
DynamicUser = true;
StateDirectory = "tang";
RuntimeDirectory = "tang";
StateDirectoryMode = "700";
UMask = "0077";
CapabilityBoundingSet = [ "" ];
ExecStart = "${cfg.package}/libexec/tangd %S/tang";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
DeviceAllow = [ "/dev/stdin" ];
RestrictAddressFamilies = [ "AF_UNIX" ];
DevicePolicy = "strict";
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
IPAddressDeny = "any";
IPAddressAllow = cfg.ipAddressAllow;
};
};
systemd.sockets.tangd = {
description = "Tang server";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.listenStream;
Accept = "yes";
IPAddressDeny = "any";
IPAddressAllow = cfg.ipAddressAllow;
};
};
};
meta.maintainers = with lib.maintainers; [ jfroche julienmalka ];
}
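Review bot: The `ipAddressAllow` description does not say that every address outside the list is refused, which follows from `IPAddressDeny = "any"` being fixed on both `tangd.socket` and `tangd@`. It also does not mention that the option has no default and so must be set whenever the service is enabled. I would reword it along the lines of `Address prefixes allowed to reach tang; all other addresses are denied.` and wrap it in `mdDoc` like the sibling options. The `listenStream` example uses `198.168.100.1`, which looks like a typo for a private `192.168.` address.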


@ -120,7 +120,7 @@ let
withConfigFile ''
query () {
local result=$(${sqlite}/bin/sqlite3 \
'${cfg.stateDir}/${settings.database.filename}'
'${cfg.stateDir}/${settings.database.filename}' \
"$1" \
)


@ -649,6 +649,15 @@ in
'';
};
restartIfChanged = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Whether the container should be restarted during a NixOS
configuration switch if its definition has changed.
'';
};
timeoutStartSec = mkOption {
type = types.str;
default = "1min";
@ -826,7 +835,7 @@ in
containerConfig.path
config.environment.etc."${configurationDirectoryName}/${name}.conf".source
];
restartIfChanged = true;
restartIfChanged = containerConfig.restartIfChanged;
}
)
)) config.containers)


@ -216,6 +216,7 @@ in {
darling = handleTest ./darling.nix {};
dae = handleTest ./dae.nix {};
dconf = handleTest ./dconf.nix {};
deconz = handleTest ./deconz.nix {};
deepin = handleTest ./deepin.nix {};
deluge = handleTest ./deluge.nix {};
dendrite = handleTest ./matrix/dendrite.nix {};
@ -274,6 +275,7 @@ in {
fcitx5 = handleTest ./fcitx5 {};
fenics = handleTest ./fenics.nix {};
ferm = handleTest ./ferm.nix {};
ferretdb = handleTest ./ferretdb.nix {};
firefox = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox; };
firefox-beta = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-beta; };
firefox-devedition = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-devedition; };
@ -432,6 +434,7 @@ in {
lemmy = handleTest ./lemmy.nix {};
libinput = handleTest ./libinput.nix {};
libreddit = handleTest ./libreddit.nix {};
librenms = handleTest ./librenms.nix {};
libresprite = handleTest ./libresprite.nix {};
libreswan = handleTest ./libreswan.nix {};
librewolf = handleTest ./firefox.nix { firefoxPackage = pkgs.librewolf; };
@ -806,6 +809,7 @@ in {
systemd-userdbd = handleTest ./systemd-userdbd.nix {};
systemd-homed = handleTest ./systemd-homed.nix {};
tandoor-recipes = handleTest ./tandoor-recipes.nix {};
tang = handleTest ./tang.nix {};
taskserver = handleTest ./taskserver.nix {};
tayga = handleTest ./tayga.nix {};
teeworlds = handleTest ./teeworlds.nix {};


@ -1,11 +1,6 @@
# Test ensures buildbot master comes up correctly and workers can connect
{ system ? builtins.currentSystem,
config ? {},
pkgs ? import ../.. { inherit system config; }
}:
import ./make-test-python.nix {
import ./make-test-python.nix ({ pkgs, ... }: {
name = "buildbot";
nodes = {
@ -110,4 +105,4 @@ import ./make-test-python.nix {
'';
meta.maintainers = with pkgs.lib.maintainers; [ ];
} {}
})

28
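--- a/nixos/tests/deconz.nix
+++ b/nixos/tests/deconz.nix
@@ -0,0 +1,28 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }:
+let
+httpPort = 800;
+in
+{
+name = "deconz";
+meta.maintainers = with lib.maintainers; [
+bjornfor
+];
+nodes.machine = { config, pkgs, lib, ... }: {
+nixpkgs.config.allowUnfree = true;
+services.deconz = {
+enable = true;
+inherit httpPort;
+extraArgs = [
+"--dbg-err=2"
+"--dbg-info=2"
+];
+};
+};
+testScript = ''
+machine.wait_for_unit("deconz.service")
+machine.succeed("curl -sfL http://localhost:${toString httpPort}")
+'';
+})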

64
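--- a/nixos/tests/ferretdb.nix
+++ b/nixos/tests/ferretdb.nix
@@ -0,0 +1,64 @@
+{ system ? builtins.currentSystem
+, pkgs ? import ../.. { inherit system; }
+, ...
+}:
+let
+lib = pkgs.lib;
+testScript = ''
+machine.start()
+machine.wait_for_unit("ferretdb.service")
+machine.wait_for_open_port(27017)
+machine.succeed("mongosh --eval 'use myNewDatabase;' --eval 'db.myCollection.insertOne( { x: 1 } );'")
+'';
+in
+with import ../lib/testing-python.nix { inherit system; };
+{
+postgresql = makeTest
+{
+inherit testScript;
+name = "ferretdb-postgresql";
+meta.maintainers = with lib.maintainers; [ julienmalka ];
+nodes.machine =
+{ pkgs, ... }:
+{
+services.ferretdb = {
+enable = true;
+settings.FERRETDB_HANDLER = "pg";
+settings.FERRETDB_POSTGRESQL_URL = "postgres://ferretdb@localhost/ferretdb?host=/run/postgresql";
+};
+systemd.services.ferretdb.serviceConfig = {
+Requires = "postgresql.service";
+After = "postgresql.service";
+};
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "ferretdb" ];
+ensureUsers = [{
+name = "ferretdb";
+ensurePermissions."DATABASE ferretdb" = "ALL PRIVILEGES";
+}];
+};
+environment.systemPackages = with pkgs; [ mongosh ];
+};
+};
+sqlite = makeTest
+{
+inherit testScript;
+name = "ferretdb-sqlite";
+meta.maintainers = with lib.maintainers; [ julienmalka ];
+nodes.machine =
+{ pkgs, ... }:
+{
+services.ferretdb.enable = true;
+environment.systemPackages = with pkgs; [ mongosh ];
+};
+};
+}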
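Review bot: `Requires` and `After` in the postgresql test node are set under `systemd.services.ferretdb.serviceConfig`, which renders them into the `[Service]` section, where systemd does not recognise them. The dependency and ordering on PostgreSQL are therefore not enforced, and the test outcome may depend on start-up timing. Use the unit-level options instead: `systemd.services.ferretdb = { requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; };`.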

108
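--- a/nixos/tests/librenms.nix
+++ b/nixos/tests/librenms.nix
@@ -0,0 +1,108 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }:
+let
+api_token = "f87f42114e44b63ad1b9e3c3d33d6fbe"; # random md5 hash
+wrong_api_token = "e68ba041fcf1eab923a7a6de3af5f726"; # another random md5 hash
+in {
+name = "librenms";
+meta.maintainers = lib.teams.wdz.members;
+nodes.librenms = {
+time.timeZone = "Europe/Berlin";
+environment.systemPackages = with pkgs; [
+curl
+jq
+];
+services.librenms = {
+enable = true;
+hostname = "librenms";
+database = {
+createLocally = true;
+host = "localhost";
+database = "librenms";
+username = "librenms";
+passwordFile = pkgs.writeText "librenms-db-pass" "librenmsdbpass";
+};
+nginx = {
+default = true;
+};
+enableOneMinutePolling = true;
+settings = {
+enable_billing = true;
+};
+};
+# systemd oneshot to create a dummy admin user and a API token for testing
+systemd.services.lnms-api-init = {
+description = "LibreNMS API init";
+after = [ "librenms-setup.service" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+User = "root";
+Group = "root";
+};
+script = ''
+API_USER_NAME=api
+API_TOKEN=${api_token} # random md5 hash
+# we don't need to know the password, it just has to exist
+API_USER_PASS=$(${pkgs.pwgen}/bin/pwgen -s 64 1)
+${pkgs.librenms}/artisan user:add $API_USER_NAME -r admin -p $API_USER_PASS
+API_USER_ID=$(${pkgs.mariadb}/bin/mysql -D librenms -N -B -e "SELECT user_id FROM users WHERE username = '$API_USER_NAME';")
+${pkgs.mariadb}/bin/mysql -D librenms -e "INSERT INTO api_tokens (user_id, token_hash, description) VALUES ($API_USER_ID, '$API_TOKEN', 'API User')"
+'';
+};
+};
+nodes.snmphost = {
+networking.firewall.allowedUDPPorts = [ 161 ];
+systemd.services.snmpd = {
+description = "snmpd";
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+Type = "forking";
+User = "root";
+Group = "root";
+ExecStart = let
+snmpd-config = pkgs.writeText "snmpd-config" ''
+com2sec readonly default public
+group MyROGroup v2c readonly
+view all included .1 80
+access MyROGroup "" any noauth exact all none none
+syslocation Testcity, Testcountry
+syscontact Testi mc Test <test@example.com>
+'';
+in "${pkgs.net-snmp}/bin/snmpd -c ${snmpd-config} -C";
+};
+};
+};
+testScript = ''
+start_all()
+snmphost.wait_until_succeeds("pgrep snmpd")
+librenms.wait_for_unit("lnms-api-init.service")
+librenms.wait_for_open_port(80)
+# Test that we can authenticate against the API
+librenms.succeed("curl --fail -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0")
+librenms.fail("curl --fail -H 'X-Auth-Token: ${wrong_api_token}' http://localhost/api/v0")
+# add snmphost as a device
+librenms.succeed("curl --fail -X POST -d '{\"hostname\":\"snmphost\",\"version\":\"v2c\",\"community\":\"public\"}' -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0/devices")
+# wait until snmphost gets polled
+librenms.wait_until_succeeds("test $(curl -H 'X-Auth-Token: ${api_token}' http://localhost/api/v0/devices/snmphost | jq -Mr .devices[0].last_polled) != 'null'")
+'';
+})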
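Review bot: The test only boots the single-node configuration, so the `useDistributedPollers` branch of the module is never evaluated or started. In the module shown earlier on this page that branch sets `services.memcached.listen = "0.0.0.0"`, starts `rrdcached -l 0:42217`, sets MariaDB `bind-address = "0.0.0.0"` and grants the database user for host `'%'`, while the option text leaves firewalling to the administrator. A second LibreNMS node with `useDistributedPollers = true`, plus a check from `snmphost` that ports 11211, 42217 and 3306 stay closed under the default firewall, would pin that behaviour and catch a later change that opens them.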


@ -20,7 +20,7 @@ import ../make-test-python.nix ({ ... }:
''
machine.wait_for_unit("multi-user.target")
machine.succeed(
'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue.*origin=nixos-test" /etc/pam.d/ -R'
'egrep "auth required .*/lib/security/pam_u2f.so.*cue.*debug.*interactive.*origin=nixos-test" /etc/pam.d/ -R'
)
'';
})


@ -6,7 +6,7 @@ expected_lines = {
"auth required pam_deny.so",
"auth sufficient @@pam_ccreds@@/lib/security/pam_ccreds.so action=store use_first_pass",
"auth sufficient pam_rootok.so",
"auth sufficient pam_unix.so likeauth try_first_pass",
"auth sufficient pam_unix.so likeauth try_first_pass",
"password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
"password sufficient pam_unix.so nullok yescrypt",
"session optional @@pam_krb5@@/lib/security/pam_krb5.so",
@ -15,9 +15,10 @@ expected_lines = {
}
actual_lines = set(machine.succeed("cat /etc/pam.d/chfn").splitlines())
missing_lines = expected_lines - actual_lines
extra_lines = actual_lines - expected_lines
non_functional_lines = set([line for line in extra_lines if (line == "" or line.startswith("#"))])
stripped_lines = set([line.split("#")[0].rstrip() for line in actual_lines])
missing_lines = expected_lines - stripped_lines
extra_lines = stripped_lines - expected_lines
non_functional_lines = set([line for line in extra_lines if line == ""])
unexpected_functional_lines = extra_lines - non_functional_lines
with subtest("All expected lines are in the file"):
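Review bot: `stripped_lines`, `missing_lines` and `extra_lines` are all sets and `expected_lines` is a set literal, so the comparison passes for any ordering of the rules in `/etc/pam.d/chfn` and ignores duplicates. PAM evaluates a stack from top to bottom, so the position of a `sufficient` entry relative to `required pam_deny.so` changes the authentication outcome. Consider keeping the stripped lines in a list and comparing each stack type in order, for example `auth = [l for l in stripped if l.startswith("auth")]` against an expected list. The test body continues past the end of this hunk, so an ordering check may already exist further down.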


@ -29,16 +29,6 @@ let
"+32M",
])
# Fix the GPT table by moving the backup table to the end of the enlarged
# disk image. This is necessary because we increased the size of the disk
# before. The disk needs to be a raw disk because sgdisk can only run on
# raw images.
subprocess.run([
"${pkgs.gptfdisk}/bin/sgdisk",
"--move-second-header",
tmp_disk_image.name,
])
# Set NIX_DISK_IMAGE so that the qemu script finds the right disk image.
os.environ['NIX_DISK_IMAGE'] = tmp_disk_image.name
'';

81
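--- a/nixos/tests/tang.nix
+++ b/nixos/tests/tang.nix
@@ -0,0 +1,81 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+name = "tang";
+meta = with pkgs.lib.maintainers; {
+maintainers = [ jfroche ];
+};
+nodes.server =
+{ config
+, pkgs
+, modulesPath
+, ...
+}: {
+imports = [
+"${modulesPath}/../tests/common/auto-format-root-device.nix"
+];
+virtualisation = {
+emptyDiskImages = [ 512 ];
+useBootLoader = true;
+useEFIBoot = true;
+# This requires to have access
+# to a host Nix store as
+# the new root device is /dev/vdb
+# an empty 512MiB drive, containing no Nix store.
+mountHostNixStore = true;
+};
+boot.loader.systemd-boot.enable = true;
+networking.interfaces.eth1.ipv4.addresses = [
+{ address = "192.168.0.1"; prefixLength = 24; }
+];
+environment.systemPackages = with pkgs; [ clevis tang cryptsetup ];
+services.tang = {
+enable = true;
+ipAddressAllow = [ "127.0.0.1/32" ];
+};
+};
+testScript = ''
+start_all()
+machine.wait_for_unit("sockets.target")
+with subtest("Check keys are generated"):
+machine.wait_until_succeeds("curl -v http://127.0.0.1:7654/adv")
+key = machine.wait_until_succeeds("tang-show-keys 7654")
+with subtest("Check systemd access list"):
+machine.succeed("ping -c 3 192.168.0.1")
+machine.fail("curl -v --connect-timeout 3 http://192.168.0.1:7654/adv")
+with subtest("Check basic encrypt and decrypt message"):
+machine.wait_until_succeeds(f"""echo 'Hello World' | clevis encrypt tang '{{ "url": "http://127.0.0.1:7654", "thp":"{key}"}}' > /tmp/encrypted""")
+decrypted = machine.wait_until_succeeds("clevis decrypt < /tmp/encrypted")
+assert decrypted.strip() == "Hello World"
+machine.wait_until_succeeds("tang-show-keys 7654")
+with subtest("Check encrypt and decrypt disk"):
+machine.succeed("cryptsetup luksFormat --force-password --batch-mode /dev/vdb <<<'password'")
+machine.succeed(f"""clevis luks bind -s1 -y -f -d /dev/vdb tang '{{ "url": "http://127.0.0.1:7654", "thp":"{key}" }}' <<< 'password' """)
+clevis_luks = machine.succeed("clevis luks list -d /dev/vdb")
+assert clevis_luks.strip() == """1: tang '{"url":"http://127.0.0.1:7654"}'"""
+machine.succeed("clevis luks unlock -d /dev/vdb")
+machine.succeed("find /dev/mapper -name 'luks*' -exec cryptsetup close {} +")
+machine.succeed("clevis luks unlock -d /dev/vdb")
+machine.succeed("find /dev/mapper -name 'luks*' -exec cryptsetup close {} +")
+# without tang available, unlock should fail
+machine.succeed("systemctl stop tangd.socket")
+machine.fail("clevis luks unlock -d /dev/vdb")
+machine.succeed("systemctl start tangd.socket")
+with subtest("Rotate server keys"):
+machine.succeed("${pkgs.tang}/libexec/tangd-rotate-keys -d /var/lib/tang")
+machine.succeed("clevis luks unlock -d /dev/vdb")
+machine.succeed("find /dev/mapper -name 'luks*' -exec cryptsetup close {} +")
+with subtest("Test systemd service security"):
+output = machine.succeed("systemd-analyze security tangd@.service")
+machine.log(output)
+assert output[-9:-1] == "SAFE :-}"
+'';
+})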
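Review bot: The "Check systemd access list" subtest only connects from the server to its own `192.168.0.1` address, so it never shows that a different host is refused or that an allowed prefix other than loopback is accepted. A second node on the same VLAN running `client.fail("curl --connect-timeout 3 http://192.168.0.1:7654/adv")` would test the `IPAddressAllow`/`IPAddressDeny` pair against real remote traffic. The final `assert output[-9:-1] == "SAFE :-}"` depends on the exact trailing characters printed by `systemd-analyze security`; checking that the last line contains `SAFE` would be less brittle.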


@ -1,95 +0,0 @@
{ stdenv, fetchurl, alsa-lib, bzip2, cairo, dpkg, freetype, gdk-pixbuf
, wrapGAppsHook, gtk2, gtk3, harfbuzz, jdk, lib, xorg
, libbsd, libjack2, libpng, ffmpeg
, libxkbcommon
, makeWrapper, pixman, autoPatchelfHook
, xdg-utils, zenity, zlib }:
stdenv.mkDerivation rec {
pname = "bitwig-studio";
version = "1.3.16";
src = fetchurl {
url = "https://downloads.bitwig.com/stable/${version}/bitwig-studio-${version}.deb";
sha256 = "0n0fxh9gnmilwskjcayvjsjfcs3fz9hn00wh7b3gg0cv3qqhich8";
};
nativeBuildInputs = [ dpkg makeWrapper autoPatchelfHook wrapGAppsHook ];
unpackCmd = "mkdir root ; dpkg-deb -x $curSrc root";
dontBuild = true;
dontWrapGApps = true; # we only want $gappsWrapperArgs here
buildInputs = with xorg; [
alsa-lib bzip2.out cairo freetype gdk-pixbuf gtk2 gtk3 harfbuzz libX11 libXau
libXcursor libXdmcp libXext libXfixes libXrender libbsd libjack2 libpng libxcb
libxkbfile pixman xcbutil xcbutilwm zlib
];
installPhase = ''
mkdir -p $out
cp -r opt/bitwig-studio $out/libexec
# Use NixOS versions of these libs instead of the bundled ones.
(
cd $out/libexec/lib/bitwig-studio
rm libbz2.so* libxkbfile.so* libXcursor.so* libXau.so* \
libXdmcp.so* libpng16.so* libxcb*.so* libharfbuzz.so* \
libcairo.so* libfreetype.so*
ln -s ${bzip2.out}/lib/libbz2.so.1.0.6 libbz2.so.1.0
)
# Use our OpenJDK instead of Bitwigs bundled—and commercial!—one.
rm -rf $out/libexec/lib/jre
ln -s ${jdk.home}/jre $out/libexec/lib/jre
mkdir -p $out/bin
ln -s $out/libexec/bitwig-studio $out/bin/bitwig-studio
cp -r usr/share $out/share
substitute usr/share/applications/bitwig-studio.desktop \
$out/share/applications/bitwig-studio.desktop \
--replace /usr/bin/bitwig-studio $out/bin/bitwig-studio
'';
postFixup = ''
# Bitwigs `libx11-windowing-system.so` has several problems:
#
# • has some old version of libxkbcommon linked statically (ಠ_ಠ),
#
# • hardcodes path to `/usr/share/X11/xkb`,
#
# • even if we redirected it with libredirect (after adding
# `eaccess()` to libredirect!), their version of libxkbcommon
# is unable to parse our xkeyboardconfig. Been there, done that.
#
# However, it suffices to override theirs with our libxkbcommon
# in LD_PRELOAD. :-)
find $out -type f -executable \
-not -name '*.so.*' \
-not -name '*.so' \
-not -path '*/resources/*' | \
while IFS= read -r f ; do
wrapProgram $f \
--suffix PATH : "${lib.makeBinPath [ ffmpeg zenity ]}" \
--prefix PATH : "${lib.makeBinPath [ xdg-utils ]}" \
"''${gappsWrapperArgs[@]}" \
--set LD_PRELOAD "${libxkbcommon.out}/lib/libxkbcommon.so" || true
done
'';
meta = with lib; {
description = "A digital audio workstation";
longDescription = ''
Bitwig Studio is a multi-platform music-creation system for
production, performance and DJing, with a focus on flexible
editing tools and a super-fast workflow.
'';
homepage = "https://www.bitwig.com/";
license = licenses.unfree;
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ michalrus mrVanDalo ];
};
}


@ -1,16 +0,0 @@
{ fetchurl, bitwig-studio1,
pulseaudio }:
bitwig-studio1.overrideAttrs (oldAttrs: rec {
pname = "bitwig-studio";
version = "2.5";
src = fetchurl {
url = "https://downloads.bitwig.com/stable/${version}/bitwig-studio-${version}.deb";
sha256 = "1zkiz36lhck3qvl0cp0dq6pwbv4lx4sh9wh0ga92kx5zhvbjm098";
};
runtimeDependencies = [
pulseaudio
];
})


@ -15,6 +15,9 @@
, pcaudiolib
, sonicSupport ? true
, sonic
, CoreAudio
, AudioToolbox
, AudioUnit
, alsa-plugins
, makeWrapper
}:
@ -42,9 +45,20 @@ stdenv.mkDerivation rec {
buildInputs = lib.optional mbrolaSupport mbrola
++ lib.optional pcaudiolibSupport pcaudiolib
++ lib.optional sonicSupport sonic;
++ lib.optional sonicSupport sonic
++ lib.optionals stdenv.isDarwin [
CoreAudio
AudioToolbox
AudioUnit
];
preConfigure = "./autogen.sh";
# touch ChangeLog to avoid below error on darwin:
# Makefile.am: error: required file './ChangeLog.md' not found
preConfigure = lib.optionalString stdenv.isDarwin ''
touch ChangeLog
'' + ''
./autogen.sh
'';
configureFlags = [
"--with-mbrola=${if mbrolaSupport then "yes" else "no"}"


@ -1,13 +1,13 @@
{ stdenv, lib, fetchFromGitHub, faust2jaqt, faust2lv2 }:
stdenv.mkDerivation rec {
pname = "faustPhysicalModeling";
version = "2.60.3";
version = "2.68.1";
src = fetchFromGitHub {
owner = "grame-cncm";
repo = "faust";
rev = version;
sha256 = "sha256-kaKDZKs/UsrqYlGmGgpSRcqN7FypxLCcIF72klovD4k=";
sha256 = "sha256-jD6/ZeS0xdtajCg5e95E0Jo2lfXOn4OIVf4LJgAfPbo=";
};
buildInputs = [ faust2jaqt faust2lv2 ];


@ -24,13 +24,13 @@
stdenv.mkDerivation rec {
pname = "giada";
version = "0.25.1";
version = "0.26.0";
src = fetchFromGitHub {
owner = "monocasual";
repo = pname;
rev = version;
sha256 = "sha256-SW2qT+pMKTMBnkaL+Dg87tqutcLTqaY4nCeFfJjHIw4=";
sha256 = "sha256-q3Lu3UaEKfS7F59G6rPx+5cKcsaXk+xcdtJRIXPwVIs=";
fetchSubmodules = true;
};


@ -7,7 +7,7 @@ let
meta = with lib; {
license = licenses.agpl3Plus;
maintainers = with maintainers; [ davidak ];
platforms = platforms.linux;
platforms = platforms.all;
description = "Speech synthesizer based on the concatenation of diphones";
homepage = "https://github.com/numediart/MBROLA";
};


@ -11,16 +11,16 @@
rustPlatform.buildRustPackage rec {
pname = "songrec";
version = "0.3.2";
version = "0.3.3";
src = fetchFromGitHub {
owner = "marin-m";
repo = pname;
rev = version;
sha256 = "sha256-cUiy8ApeUv1K8SEH4APMTvbieGTt4kZYhyB9iGJd/IY=";
hash = "sha256-K80uoMfwkyH/K8t6zdkq1ZYTpI0dAIvO2K2kzpzDoN0=";
};
cargoSha256 = "sha256-Tlq4qDp56PXP4N1UyHjtQoRgDrc/19vIv8uml/lAqqc=";
cargoHash = "sha256-Xmey+goHGTWMgKIJRzKMi9Y1bv677Yo2sfDaMauvZsM=";
nativeBuildInputs = [ pkg-config ];


@ -88,8 +88,8 @@ stdenv.mkDerivation rec {
for n in 16 24 32 48 64 96 128 256; do
size=$n"x"$n
install -Dm644 \
-t $out/share/icons/hicolor/$size/apps/monero.png \
$src/images/appicons/$size.png
$src/images/appicons/$size.png \
$out/share/icons/hicolor/$size/apps/monero.png
done;
'';


@ -4,11 +4,11 @@
mkDerivation rec {
pname = "okteta";
version = "0.26.10";
version = "0.26.13";
src = fetchurl {
url = "mirror://kde/stable/okteta/${version}/src/${pname}-${version}.tar.xz";
sha256 = "sha256-KKYU9+DDK0kXperKfgxuysqHsTGRq1NKtAT1Vps8M/o=";
sha256 = "0wlpv0rk4ys4rbcpf8lqpkm0yr5dxkaz60qk2lvm27w1s489ir8l";
};
nativeBuildInputs = [ qtscript extra-cmake-modules kdoctools ];
@ -31,6 +31,7 @@ mkDerivation rec {
meta = with lib; {
license = licenses.gpl2;
description = "A hex editor";
homepage = "https://apps.kde.org/okteta/";
maintainers = with maintainers; [ peterhoeg bkchr ];
platforms = platforms.linux;
};


@ -63,14 +63,14 @@ def update_grammars(nvim_treesitter_dir: str):
generated_file = """# generated by pkgs/applications/editors/vim/plugins/nvim-treesitter/update.py
{ buildGrammar, """
{ buildGrammar, """
generated_file += subprocess.check_output(["nurl", "-Ls", ", "], text=True)
generated_file += """ }:
{
"""
{
"""
lockfile_path = os.path.join(nvim_treesitter_dir, "lockfile.json")
log.debug("Opening %s", lockfile_path)
@ -88,7 +88,8 @@ def update_grammars(nvim_treesitter_dir: str):
_generate_grammar, lockfile.items()
):
generated_file += generated
generated_file += "}\n"
generated_file += "}\n"
return generated_file


@ -138,15 +138,19 @@ class VimEditor(pluginupdate.Editor):
nvim_treesitter_dir = subprocess.check_output(cmd, text=True, timeout=90).strip()
generated = treesitter.update_grammars(nvim_treesitter_dir)
open(os.path.join(args.nixpkgs, "generated.nix"), "w").write(generated)
treesitter_generated_nix_path = os.path.join(
NIXPKGS_NVIMTREESITTER_FOLDER,
"generated.nix"
)
open(os.path.join(args.nixpkgs, treesitter_generated_nix_path), "w").write(generated)
if self.nixpkgs_repo:
index = self.nixpkgs_repo.index
for diff in index.diff(None):
if diff.a_path == f"{NIXPKGS_NVIMTREESITTER_FOLDER}/generated.nix":
if diff.a_path == treesitter_generated_nix_path:
msg = "vimPlugins.nvim-treesitter: update grammars"
print(f"committing to nixpkgs: {msg}")
index.add([str(nvim_treesitter_dir.joinpath("generated.nix"))])
index.add([treesitter_generated_nix_path])
index.commit(msg)
return
print("no updates to nvim-treesitter grammars")
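Review bot: The rewritten `open(os.path.join(args.nixpkgs, treesitter_generated_nix_path), "w").write(generated)` line still never closes the file, so the flush relies on the interpreter releasing the handle before `index.diff(None)` inspects the working tree. A context manager makes that ordering explicit: `with open(os.path.join(args.nixpkgs, treesitter_generated_nix_path), "w") as f: f.write(generated)`. The write resolves the path against `args.nixpkgs` while `index.add([treesitter_generated_nix_path])` resolves it against the repository behind `self.nixpkgs_repo`; presumably both are the same checkout, which deserves a one-line comment. The enclosing method starts outside the hunk.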


@ -1229,8 +1229,8 @@ let
mktplcRef = {
name = "elixir-ls";
publisher = "JakeBecker";
version = "0.17.0";
sha256 = "sha256-jb9WHX5jCdi4vzIRvh7i6ncicuISsEBBmlIHvqquqcA=";
version = "0.17.1";
sha256 = "sha256-WBtIdz+8zsyTl43ovU3Dz+8p154ZGvHp6BA3AQtXN/U=";
};
meta = {
changelog = "https://marketplace.visualstudio.com/items/JakeBecker.elixir-ls/changelog";


@ -15,11 +15,11 @@ let
archive_fmt = if stdenv.isDarwin then "zip" else "tar.gz";
sha256 = {
x86_64-linux = "1xzmfvkzqfxblahi2pc54fr7i6rynqm76p4wpbfzxrrh5a3xjwn3";
x86_64-darwin = "0lp6yqwqwfngl98nba8f77yypb44cfn7kcjhbc93s8kqd57m97zj";
aarch64-linux = "1hpwjdbfc8l4a7ln50s6h68abcb6djcc5y0h686s9k5v2axm7f3v";
aarch64-darwin = "0cbms9p8g2gjx9wmm78fzlscw62qasjv30al8v39bda3k694wnh5";
armv7l-linux = "0hvaray6b36j8s0fvffnkbsw7kf2rn2z4y8q4wlnqx3hfyalcvcn";
x86_64-linux = "0cqkxd4pywkrvg3b96f1dyain6vlrb3di8a0yskmq3h58qd6k8rc";
x86_64-darwin = "09y3whpp2z8fgb42pb9lw0b4wn0np3rdjkn5l1kldjljfrcwcn9g";
aarch64-linux = "1kh8qylj77km8jhmx9a2bck7y4bb0fjx46sll7swagxz27b8ahi0";
aarch64-darwin = "14g60sx3c5m02ly880sxwhmzvpxqw4pfij2ibgyprzdlpap0r2b0";
armv7l-linux = "1s4rpd5p4kwmi89cml1106l9dccdwnqq3lyr8ym781pj9p75i8wp";
}.${system} or throwSystem;
sourceRoot = lib.optionalString (!stdenv.isDarwin) ".";
@ -29,7 +29,7 @@ in
# Please backport all compatible updates to the stable release.
# This is important for the extension ecosystem.
version = "1.82.2.23257";
version = "1.83.1.23285";
pname = "vscodium";
executableName = "codium";


@ -1,34 +1,25 @@
{ lib, stdenv, fetchFromGitHub, pkg-config, cmake, curl, boost, eigen
, freeimage, freetype, libGLU, libGL, SDL2, alsa-lib, libarchive
, fetchpatch }:
, freeimage, freetype, libGLU, libGL, rapidjson, SDL2, alsa-lib
, vlc }:
stdenv.mkDerivation {
pname = "emulationstation";
version = "2.0.1a";
version = "2.11.2";
src = fetchFromGitHub {
owner = "Aloshi";
fetchSubmodules = true;
owner = "RetroPie";
repo = "EmulationStation";
rev = "646bede3d9ec0acf0ae378415edac136774a66c5";
sha256 = "0cm0sq2wri2l9cvab1l0g02za59q7klj0h3p028vr96n6njj4w9v";
rev = "cda7de687924c4c1ab83d6b0ceb88aa734fe6cfe";
hash = "sha256-J5h/578FVe4DXJx/AvpRnCIUpqBeFtmvFhUDYH5SErQ=";
};
patches = [
(fetchpatch {
url = "https://github.com/Aloshi/EmulationStation/commit/49ccd8fc7a7b1dfd974fc57eb13317c42842f22c.patch";
sha256 = "1v5d81l7bav0k5z4vybrc3rjcysph6lkm5pcfr6m42wlz7jmjw0p";
})
];
postPatch = ''
sed -i "7i #include <stack>" es-app/src/views/gamelist/ISimpleGameListView.h
'';
nativeBuildInputs = [ pkg-config cmake ];
buildInputs = [ alsa-lib boost curl eigen freeimage freetype libarchive libGLU libGL SDL2 ];
buildInputs = [ alsa-lib boost curl eigen freeimage freetype libGLU libGL rapidjson SDL2 vlc ];
installPhase = ''
install -D ../emulationstation $out/bin/emulationstation
cp -r ../resources/ $out/bin/resources/
'';
meta = {
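Review bot: The new `src` moves the upstream from `Aloshi` to `RetroPie` and pins `rev` to a bare commit id while `version` says `2.11.2`, and nothing in the hunk ties the two together. The hash only proves that the fetched content is stable, not that it is the release the version names, so I would pin the release tag or add a comment such as `# commit of the v2.11.2 tag` once that is confirmed against upstream. `fetchSubmodules = true` also brings in whatever repositories the submodules point at under the same hash; a short comment naming them would help whoever bumps this next. The derivation continues past the hunk.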


@ -2,10 +2,10 @@
stdenv.mkDerivation rec {
pname = "dcw-gmt";
version = "2.1.1";
version = "2.1.2";
src = fetchurl {
url = "ftp://ftp.soest.hawaii.edu/gmt/dcw-gmt-${version}.tar.gz";
sha256 = "sha256-q3LIJTB2OAyEd6EiU3C8QfSv+BHCjS9k11BS/z2QA68=";
sha256 = "sha256-S7hA0HXIuj4UrrQc8XwkI2v/eHVmMU+f91irmXd0XZk=";
};
installPhase = ''


@ -0,0 +1,41 @@
{ lib
, stdenv
, mkDerivation
, fetchFromGitHub
, cmake
, qtbase
, qttools
, wrapQtAppsHook
, zlib
, openjpeg
, libjpeg_turbo
, libpng
, libtiff
, boost
, libcanberra
}:
stdenv.mkDerivation rec {
pname = "scantailor-universal";
version = "0.2.14";
src = fetchFromGitHub {
owner = "trufanov-nok";
repo = pname;
rev = version;
fetchSubmodules = true;
hash = "sha256-n8NbokK+U0FAuYXtjRJcxlI1XAmI4hk5zV3sF86hB/s=";
};
buildInputs = [ qtbase zlib libjpeg_turbo libpng libtiff boost libcanberra openjpeg ];
nativeBuildInputs = [ cmake wrapQtAppsHook qttools ];
meta = with lib; {
description = "Interactive post-processing tool for scanned pages";
homepage = "https://github.com/trufanov-nok/scantailor";
license = licenses.gpl3Plus;
maintainers = with maintainers; [ unclamped ];
platforms = platforms.unix;
mainProgram = "scantailor-universal-cli";
};
}
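Review bot: `mkDerivation` is taken as an argument but the package is built with `stdenv.mkDerivation` plus `wrapQtAppsHook`, so the argument is unused and can be dropped from the header. `homepage` points at `https://github.com/trufanov-nok/scantailor` while `src` fetches `repo = pname`, i.e. `scantailor-universal`; unless that is a deliberate redirect, the homepage should name the repository that is actually built. `fetchSubmodules = true` deserves a one-line comment saying which submodules the build needs.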


@ -97,6 +97,12 @@ stdenv.mkDerivation rec {
wrapQtApp "$out/Applications/KeePassXC.app/Contents/MacOS/KeePassXC"
'';
# See https://github.com/keepassxreboot/keepassxc/blob/cd7a53abbbb81e468efb33eb56eefc12739969b8/src/browser/NativeMessageInstaller.cpp#L317
postInstall = lib.optionalString withKeePassBrowser ''
mkdir -p "$out/lib/mozilla/native-messaging-hosts"
substituteAll "${./firefox-native-messaging-host.json}" "$out/lib/mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json"
'';
buildInputs = [
curl
botan2
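Review bot: `substituteAll` in the new `postInstall` rewrites every `@name@` token that matches a variable in the build environment, which is broader than this manifest needs; `substitute "${./firefox-native-messaging-host.json}" "$out/lib/mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json" --subst-var out` replaces only `@out@`. The manifest tells the browser which binary to launch for the listed extension, so the substitution should stay narrow and `$out/bin/keepassxc-proxy` should exist wherever this block runs. The context line above wraps `$out/Applications/KeePassXC.app/...`, which suggests a different layout on Darwin, yet the block is guarded only by `withKeePassBrowser`. If the path is Linux-only, `lib.optionalString (withKeePassBrowser && stdenv.isLinux)` would cover it.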


@ -0,0 +1,9 @@
{
"name": "org.keepassxc.keepassxc_browser",
"description": "KeePassXC integration with native messaging support",
"path": "@out@/bin/keepassxc-proxy",
"type": "stdio",
"allowed_extensions": [
"keepassxc-browser@keepassxc.org"
]
}


@ -1,110 +0,0 @@
{ autoPatchelfHook
, dpkg
, fetchurl
, makeDesktopItem
, makeWrapper
, lib
, stdenv
, udev
, alsa-lib
, mesa
, nss
, nspr
, systemd
, wrapGAppsHook
, xorg
}:
let
inherit (stdenv.hostPlatform) system;
throwSystem = throw "Unsupported system: ${system}";
pname = "simplenote";
version = "2.9.0";
sha256 = {
x86_64-linux = "sha256-uwd9fYqZepJ/BBttprqkJhswqMepGsHDTd5Md9gjI68=";
}.${system} or throwSystem;
meta = with lib; {
description = "The simplest way to keep notes";
homepage = "https://github.com/Automattic/simplenote-electron";
license = licenses.gpl2;
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
maintainers = with maintainers; [
kiwi
];
platforms = [
"x86_64-linux"
];
};
linux = stdenv.mkDerivation rec {
inherit pname version meta;
src = fetchurl {
url = "https://github.com/Automattic/simplenote-electron/releases/download/v${version}/Simplenote-linux-${version}-amd64.deb";
inherit sha256;
};
desktopItem = makeDesktopItem {
categories = [ "Development" ];
comment = "Simplenote for Linux";
desktopName = "Simplenote";
exec = "simplenote %U";
icon = "simplenote";
name = "simplenote";
startupNotify = true;
};
dontBuild = true;
dontConfigure = true;
dontPatchELF = true;
dontWrapGApps = true;
# TODO: migrate off autoPatchelfHook and use nixpkgs' electron
nativeBuildInputs = [
autoPatchelfHook
dpkg
makeWrapper
wrapGAppsHook
];
buildInputs = [
alsa-lib
mesa
xorg.libXScrnSaver
xorg.libXtst
nss
nspr
stdenv.cc.cc
systemd
];
unpackPhase = "dpkg-deb -x $src .";
installPhase = ''
mkdir -p "$out/bin"
cp -R "opt" "$out"
cp -R "usr/share" "$out/share"
chmod -R g-w "$out"
mkdir -p "$out/share/applications"
cp "${desktopItem}/share/applications/"* "$out/share/applications"
'';
runtimeDependencies = [
(lib.getLib udev)
];
postFixup = ''
makeWrapper $out/opt/Simplenote/simplenote $out/bin/simplenote \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc ] }" \
"''${gappsWrapperArgs[@]}"
'';
};
in
linux


@ -1,4 +1,5 @@
{ stdenv, lib, fetchurl, fetchpatch
, fetchzip, zstd
, buildPackages
, pkgsBuildBuild
, pkgsBuildTarget
@ -152,9 +153,30 @@ let
inherit (upstream-info) version;
inherit packageName buildType buildPath;
src = fetchurl {
src = fetchzip {
name = "chromium-${version}.tar.zstd";
url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
inherit (upstream-info) sha256;
nativeBuildInputs = [ zstd ];
postFetch = ''
echo removing unused code from tarball to stay under hydra limit
rm -r $out/third_party/{rust-src,llvm}
echo moving remains out of \$out
mv $out source
echo recompressing final contents into new tarball
# try to make a deterministic tarball
tar \
--use-compress-program "zstd -T$NIX_BUILD_CORES" \
--sort name \
--mtime 1970-01-01 \
--owner=root --group=root \
--numeric-owner --mode=go=rX,u+rw,a-s \
-cf $out source
'';
};
nativeBuildInputs = [
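Review bot: With `fetchzip` and this `postFetch`, `upstream-info.sha256` no longer identifies the tarball published upstream but the locally stripped and re-compressed archive, so it cannot be cross-checked against anything outside nixpkgs and it depends on the output of the `tar` and `zstd` versions used at fetch time. A comment above `src` should say so, e.g. `# sha256 is of the repacked tarball (third_party/{rust-src,llvm} removed), not of the upstream .tar.xz`. `--use-compress-program "zstd -T$NIX_BUILD_CORES"` ties the compressed bytes to a per-machine setting unless zstd's multi-threaded output is identical for every thread count; I would pin a fixed thread count or state that assumption next to the flag. The derivation `name` ends in `.tar.zstd` while the URL is still `.tar.xz`, which is worth a word in the same comment.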


@ -8,7 +8,7 @@
version = "2023-08-01";
};
};
sha256 = "1wf0j189cxpayy6ffmj5j6h5yg3amivryilimjc2ap0jkyj4xrbi";
sha256 = "0c3adrrgpnhm8g1546ask9pf17qj1sjgb950mj0rv4snxvddi75j";
sha256bin64 = "11w1di146mjb9ql30df9yk9x4b9amc6514jzyfbf09mqsrw88dvr";
version = "117.0.5938.22";
};
@ -21,7 +21,7 @@
version = "2023-08-10";
};
};
sha256 = "1z01b6w4sgndrlcd26jgimk3rhv3wzpn67nv1fd5ln7dwfwkyq20";
sha256 = "16dq27lsywrn2xlgr5g46gdv15p30sihfamli4vkv3zxzfxdjisv";
sha256bin64 = "11y09hsy7y1vg65xfilq44ffsmn15dqy80fa57psj1kin4a52v2x";
version = "118.0.5966.0";
};
@ -41,7 +41,7 @@
version = "2023-08-10";
};
};
sha256 = "0gcrnvm3ar7x0fv38kjvdzgb8lflx1sckcqy89yawgfy6jkh1vj9";
sha256 = "1g8rllmnmhmmpjzrmi3cww0nszxicq0kim2wd0l0ip2mzk2p8qlp";
sha256bin64 = "1bq170l0g9yq17x6xlg6fjar6gv3hdi0zijwmx4s02pmw6727484";
version = "118.0.5993.70";
};
@ -58,7 +58,7 @@
sha256 = "0k6684cy1ks6yba2bdz17g244f05qy9769cvis4h2jzhgbf5rysh";
};
};
sha256 = "0gcrnvm3ar7x0fv38kjvdzgb8lflx1sckcqy89yawgfy6jkh1vj9";
sha256 = "1g8rllmnmhmmpjzrmi3cww0nszxicq0kim2wd0l0ip2mzk2p8qlp";
sha256bin64 = "1bq170l0g9yq17x6xlg6fjar6gv3hdi0zijwmx4s02pmw6727484";
version = "118.0.5993.70";
};


@ -8,6 +8,7 @@
, browserpass, gnome-browser-connector, uget-integrator, plasma5Packages, bukubrow, pipewire
, tridactyl-native
, fx-cast-bridge
, keepassxc
, udev
, libkrb5
, libva
@ -70,6 +71,7 @@ let
++ lib.optional (cfg.enableUgetIntegrator or false) uget-integrator
++ lib.optional (cfg.enablePlasmaBrowserIntegration or false) plasma5Packages.plasma-browser-integration
++ lib.optional (cfg.enableFXCastBridge or false) fx-cast-bridge
++ lib.optional (cfg.enableKeePassXC or false) keepassxc
++ extraNativeMessagingHosts
;
libs = lib.optionals stdenv.isLinux [ udev libva mesa libnotify xorg.libXScrnSaver cups pciutils ]


@ -13,28 +13,20 @@
stdenv.mkDerivation rec {
pname = "lynx";
version = "2.8.9rel.1";
version = "2.9.0dev.12";
src = fetchurl {
urls = [
"ftp://ftp.invisible-island.net/lynx/tarballs/lynx${version}.tar.bz2"
"https://invisible-mirror.net/archives/lynx/tarballs/lynx${version}.tar.bz2"
];
sha256 = "15cmyyma2kz1hfaa6mwjgli8zwdzq3jv0q2cl6nwzycjfwyijzrq";
hash = "sha256-pkVbFZ0Ad22OwQUShcly3B8MVS0FcaDP8Coj7BRu6OU=";
};
enableParallelBuilding = true;
hardeningEnable = [ "pie" ];
patches = [
(fetchpatch {
name = "CVE-2021-38165.patch";
url = "https://git.alpinelinux.org/aports/plain/main/lynx/CVE-2021-38165.patch?id=3400945dbbb8a87065360963e4caa0e17d3dcc61";
sha256 = "1aykb9y2g2vdpbbpvjlm4r40x7py2yv6jbywwcqcxrlciqcw4x57";
})
];
configureFlags = [
"--enable-default-colors"
"--enable-widec"
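Review bot: This hunk drops the `CVE-2021-38165.patch` entry together with the bump to `2.9.0dev.12`, but nothing in the new code records that the fix is part of that version. Presumably the development snapshot already contains it; please confirm against the upstream changelog and leave a trace, for example `# CVE-2021-38165 is fixed upstream since <version>, patch no longer needed` where the `patches` list used to be. The package also moves from a `rel` release to a `dev` snapshot, which deserves a short comment explaining why. `fetchpatch` may now be an unused argument; the function header is outside the hunk.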


@ -1,9 +1,9 @@
{
"version" = "1.11.45";
"version" = "1.11.46";
"hashes" = {
"desktopSrcHash" = "sha256-SxpnvIctV738mMRmMiuLgr1InMrlWH39/6lTO0wu+vQ=";
"desktopYarnHash" = "09a2swngqjz4hahzvczhw0lh38y39glc1dkkhjkp4jqvmds9ni7n";
"webSrcHash" = "sha256-hImwZ7vzpupRulk9g5jhfv0sgZqmPXnggJjUUwZ+UCE=";
"webYarnHash" = "0r2xzq9630vky32hqp3h1skdgv3jiiffi8553yzzk4zr45nlvf9d";
"desktopSrcHash" = "sha256-sgdvdTi3fi/vZohh/JPW3I24cQS0i84eM1dUgmEafWs=";
"desktopYarnHash" = "1nssv92yk1a53v7mvijkrb3gzif5xrz2j6lxvg7p340z42rm7f9v";
"webSrcHash" = "sha256-3ucitVtYnOc5UUn4y3u+L0sKWJLt+NNrd5T6mn0wNBg=";
"webYarnHash" = "19396p654zzzh6d18rpyckjd67lncch3r9a0zmjb7znsi7d78k63";
};
}


@ -2,13 +2,13 @@
(if stdenv.isDarwin then darwin.apple_sdk_11_0.llvmPackages_14.stdenv else stdenv).mkDerivation rec {
pname = "signalbackup-tools";
version = "20231011-1";
version = "20231015";
src = fetchFromGitHub {
owner = "bepaald";
repo = pname;
rev = version;
hash = "sha256-AwlhKF7Tsx20v6t4P6j7E4XPlg9Nq+BSYOFVY+3byos=";
hash = "sha256-P3IbCWzc7V2yX8qZIPUncJXFFq9iFl7csDj2tiTZ7AY=";
};
postPatch = ''


@ -7,11 +7,11 @@
stdenv.mkDerivation rec {
pname = "gnunet";
version = "0.19.4";
version = "0.20.0";
src = fetchurl {
url = "mirror://gnu/gnunet/${pname}-${version}.tar.gz";
sha256 = "sha256-AKY99AjVmH9bqaUEQfKncYK9n7MvHjAq5WOslOesAJs=";
sha256 = "sha256-VgKeeKmcBNUrE1gJSuUHTkzY6puYz2hV9XrZryeslRg=";
};
enableParallelBuilding = true;


@ -11,16 +11,16 @@
buildGoModule rec {
pname = "rymdport";
version = "3.5.0";
version = "3.5.1";
src = fetchFromGitHub {
owner = "Jacalz";
repo = "rymdport";
rev = "v${version}";
hash = "sha256-aNLAj8rQSRp6fsEu052uc2gJE55A996YJY7tDApjHxA=";
hash = "sha256-wsFZN2qDp0XScqBdwLYZdRsS30g+ex+sYjw2GkBwwI4=";
};
vendorHash = "sha256-8TxuExcxiBTHVA9DTLfElKOq45a2EVLxqmByDyKJQ4c=";
vendorHash = "sha256-SDNCVROfwCTfoQpUyChxtX3rTf0OPFOTzH5PeH4ahUI=";
nativeBuildInputs = [
pkg-config


@ -25,13 +25,13 @@
stdenv.mkDerivation rec {
pname = "freedv";
version = "1.9.2";
version = "1.9.3";
src = fetchFromGitHub {
owner = "drowe67";
repo = "freedv-gui";
rev = "v${version}";
hash = "sha256-SBWwAmIsa9HfaZpH8TioMm9IaoZ+x4HNHaOBps0vA0A=";
hash = "sha256-tlkD8Kem4HPwrk3E98UKcPoBNoFucqarEBo+oihnQSU=";
};
postPatch = lib.optionalString stdenv.isDarwin ''


@ -257,9 +257,15 @@ make_deterministic_repo(){
cd "$repo"
# Remove files that contain timestamps or otherwise have non-deterministic
# properties.
rm -rf .git/logs/ .git/hooks/ .git/index .git/FETCH_HEAD .git/ORIG_HEAD \
.git/refs/remotes/origin/HEAD .git/config
if [ -f .git ]; then
local dotgit_content=$(<.git)
local dotgit_dir="${dotgit_content#gitdir: }"
else
local dotgit_dir=".git"
fi
pushd "$dotgit_dir"
rm -rf logs/ hooks/ index FETCH_HEAD ORIG_HEAD refs/remotes/origin/HEAD config
popd
# Remove all remote branches.
git branch -r | while read -r branch; do
clean_git branch -rD "$branch"
@ -277,7 +283,7 @@ make_deterministic_repo(){
# Do a full repack. Must run single-threaded, or else we lose determinism.
clean_git config pack.threads 1
clean_git repack -A -d -f
rm -f .git/config
rm -f "$dotgit_dir/config"
# Garbage collect unreferenced objects.
# Note: --keep-largest-pack prevents non-deterministic ordering of packs
@ -323,7 +329,7 @@ clone_user_rev() {
find "$dir" -name .git -print0 | xargs -0 rm -rf
else
find "$dir" -name .git | while read -r gitdir; do
make_deterministic_repo "$(readlink -f "$gitdir/..")"
make_deterministic_repo "$(readlink -f "$(dirname "$gitdir")")"
done
fi
}
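Review bot: The new `pushd "$dotgit_dir"` / `rm -rf logs/ hooks/ index ... config` / `popd` sequence in `make_deterministic_repo` deletes relative paths, so if `pushd` fails (for instance because the `gitdir:` target read from the `.git` file does not exist) and the script is not running under `set -e`, the `rm -rf` acts on the work tree instead. Deleting by full path avoids the directory change altogether: `rm -rf "$dotgit_dir"/{logs,hooks,index,FETCH_HEAD,ORIG_HEAD,refs/remotes/origin/HEAD,config}`. `pushd` and `popd` also print the directory stack to stdout, which matters if callers parse this script's stdout. `local dotgit_content=$(<.git)` masks a failed read behind the exit status of `local`; declaring first and assigning on the next line keeps the status visible. The function starts outside the hunks.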


@ -1,29 +1,44 @@
{ lib
, stdenv
, fetchurl
, curl
, gmp
, gsl
, mpfr
, ncurses
, plotutils
, postgresql
, pkg-config
, withPDFDoc ? true
}:
stdenv.mkDerivation (finalAttrs: {
pname = "algol68g";
version = "3.3.24";
version = "3.4.2";
src = fetchurl {
url = "https://jmvdveer.home.xs4all.nl/algol68g-${finalAttrs.version}.tar.gz";
hash = "sha256-vSbj3YlyCs4bADpDqxAkcSC1VsoQZ2j+jIKe577WtDU=";
hash = "sha256-hKiRMU98sZhGgHhjgtwUNSIv2iPgb4T+dgYw58IGK8Q=";
};
outputs = [ "out" "man" ] ++ lib.optional withPDFDoc "doc";
outputs = [ "out" "man" ] ++ lib.optionals withPDFDoc [ "doc" ];
nativeBuildInputs = [
pkg-config
];
buildInputs = [
curl
mpfr
ncurses
gmp
gsl
plotutils
postgresql
];
strictDeps = true;
postInstall = let
pdfdoc = fetchurl {
url = "https://jmvdveer.home.xs4all.nl/learning-algol-68-genie.pdf";
@ -47,8 +62,8 @@ stdenv.mkDerivation (finalAttrs: {
scientific library and PostgreSQL.
'';
license = lib.licenses.gpl3Plus;
maintainers = with lib.maintainers; [ AndersonTorres ];
mainProgram = "a68g";
maintainers = with lib.maintainers; [ AndersonTorres ];
platforms = lib.platforms.unix;
};
})


@ -0,0 +1,65 @@
{ lib
, stdenv
, fetchFromGitHub
, runCommand
}:
stdenv.mkDerivation (finalAttrs: {
pname = "cbmbasic";
version = "unstable-2022-12-18";
src = fetchFromGitHub {
owner = "mist64";
repo = "cbmbasic";
rev = "352a313313dd0a15a47288c8f8031b54ac8c92a2";
hash = "sha256-aA/ivRap+aDd2wi6KWXam9eP/21lOn6OWTeZ4i/S9Bs=";
};
installPhase = ''
runHook preInstall
mkdir -p $out/bin/
mv cbmbasic $out/bin/
runHook postInstall
'';
# NOTE: cbmbasic uses microsoft style linebreaks `\r\n`, and testing has to
# accommodate that, else you get very cryptic diffs
passthru = {
tests.run = runCommand "cbmbasic-test-run" {
nativeBuildInputs = [finalAttrs.finalPackage];
} ''
echo '#!${lib.getExe finalAttrs.finalPackage}' > helloI.bas;
echo 'PRINT"Hello, World!"' >> helloI.bas;
chmod +x helloI.bas
diff -U3 --color=auto <(./helloI.bas) <(echo -e "Hello, World!\r");
echo '#!/usr/bin/env cbmbasic' > hello.bas;
echo 'PRINT"Hello, World!"' >> hello.bas;
chmod +x hello.bas
diff -U3 --color=auto <(cbmbasic ./hello.bas) <(echo -e "Hello, World!\r");
touch $out;
'';
};
meta = with lib; {
description = "Portable version of Commodore's version of Microsoft BASIC 6502 as found on the Commodore 64";
longDescription = ''
"Commodore BASIC" (cbmbasic) is a 100% compatible version of Commodore's
version of Microsoft BASIC 6502 as found on the Commodore 64. You can use
it in interactive mode or pass a BASIC file as a command line parameter.
This source does not emulate 6502 code; all code is completely native. On
a 1 GHz CPU you get about 1000x speed compared to a 1 MHz 6502.
'';
homepage = "https://github.com/mist64/cbmbasic";
license = licenses.bsd2;
maintainers = [ maintainers.cafkafk ];
mainProgram = "cbmbasic";
platforms = platforms.all;
};
})
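Review bot: The second half of `passthru.tests.run` writes `#!/usr/bin/env cbmbasic` into `hello.bas` but then runs `cbmbasic ./hello.bas`, so that interpreter line is never used as a shebang; only the first half (`./helloI.bas`) executes a script through its `#!` line. If the intent is to check that the interpreter skips a leading `#!` line, a comment should say so, e.g. `# run via cbmbasic directly: this checks that the #! line is ignored, not that env resolves it`. `nativeBuildInputs = [finalAttrs.finalPackage]` is what puts `cbmbasic` on `PATH` for that second call, which is also worth a word.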


@ -10,14 +10,14 @@
, gitUpdater
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "cowsql";
version = "0.15.2";
version = "1.15.3";
src = fetchFromGitHub {
owner = "cowsql";
repo = "cowsql";
rev = "refs/tags/v${version}";
rev = "refs/tags/v${finalAttrs.version}";
hash = "sha256-+za3pIcV4BhoImKvJlKatCK372wL4OyPbApQvGxGGGk=";
};
@ -55,4 +55,4 @@ stdenv.mkDerivation rec {
maintainers = with maintainers; [ adamcstephens ];
platforms = platforms.unix;
};
}
})
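Review bot: `version` changes from `0.15.2` to `1.15.3` and `rev` follows it through `refs/tags/v${finalAttrs.version}`, but the `hash` line below is untouched. A fixed-output fetch with a stale hash either fails with a mismatch or, where the old source is already in the store, keeps building the previous sources under the new version number. Please recompute `hash` for the new tag, and double-check the version itself: a jump of the major number with the same minor looks like it could be a typo for `0.15.3`.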


@ -0,0 +1,57 @@
{ lib
, stdenv
, fetchFromGitHub
, fetchpatch
, cmake
, boost
, rdkafka
, gtest
, rapidjson
}:
stdenv.mkDerivation rec {
pname = "modern-cpp-kafka";
version = "2023.03.07";
src = fetchFromGitHub {
repo = "modern-cpp-kafka";
owner = "morganstanley";
rev = "v${version}";
hash = "sha256-7hkwM1YbveQpDRqwMZ3MXM88LTwlAT7uB8NL0t409To=";
};
patches = [
(fetchpatch {
name = "fix-avoid-overwriting-library-paths.patch";
url = "https://github.com/morganstanley/modern-cpp-kafka/pull/221.patch";
hash = "sha256-UsQcMvJoRTn5kgXhmXOyqfW3n59kGKO596U2WjtdqAY=";
})
(fetchpatch {
name = "add-pkg-config-cmake-config.patch";
url = "https://github.com/morganstanley/modern-cpp-kafka/pull/222.patch";
hash = "sha256-OjoSttnpgEwSZjCVKc888xJb5f1Dulu/rQqoGmqXNM4=";
})
];
nativeBuildInputs = [ cmake ];
buildInputs = [ boost ];
propagatedBuildInputs = [ rdkafka ];
cmakeFlags = [
"-DLIBRDKAFKA_INCLUDE_DIR=${rdkafka.out}/include"
"-DGTEST_LIBRARY_DIR=${gtest.out}/lib"
"-DGTEST_INCLUDE_DIR=${gtest.dev}/include"
"-DRAPIDJSON_INCLUDE_DIRS=${rapidjson.out}/include"
"-DCMAKE_CXX_FLAGS=-Wno-uninitialized"
];
checkInputs = [ gtest rapidjson ];
meta = with lib; {
description = "A C++ API for Kafka clients (i.e. KafkaProducer, KafkaConsumer, AdminClient)";
homepage = "https://github.com/morganstanley/modern-cpp-kafka";
license = licenses.asl20;
maintainers = with maintainers; [ ditsuke ];
platforms = platforms.unix;
};
}
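Review bot: Both `fetchpatch` entries point at pull-request URLs (`.../pull/221.patch` and `.../pull/222.patch`), whose content changes whenever the pull request is updated or rebased. The `hash` turns that into a build failure, but the patch that was reviewed here can then no longer be fetched; pinning each one to a commit URL, `https://github.com/morganstanley/modern-cpp-kafka/commit/<commit-sha>.patch`, keeps the input immutable. `-DCMAKE_CXX_FLAGS=-Wno-uninitialized` silences a warning class for the whole build and should carry a comment naming the upstream code that needs it. `gtest` and `rapidjson` appear only in `checkInputs` while `cmakeFlags` references them unconditionally and no `doCheck` is set in this file; presumably the tests are not run, which is worth stating.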


@ -10,16 +10,16 @@
, wrapGAppsHook
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "waycheck";
version = "0.1.3";
version = "1.0.0";
src = fetchFromGitLab {
domain = "gitlab.freedesktop.org";
owner = "serebit";
repo = "waycheck";
rev = "v${version}";
hash = "sha256-DbXc1Q/ZIqlIMocFld3fOmUp44rU3fEzazHKSDdqMNs=";
rev = "v${finalAttrs.version}";
hash = "sha256-oGpiFwbPBQHF0wRHliltU8B+QmClcoFfbjpAYzOFPqs=";
};
nativeBuildInputs = [
@ -51,8 +51,8 @@ stdenv.mkDerivation rec {
description = "Simple GUI that displays the protocols implemented by a Wayland compositor";
homepage = "https://gitlab.freedesktop.org/serebit/waycheck";
license = licenses.asl20;
maintainers = with maintainers; [ julienmalka ];
maintainers = with maintainers; [ julienmalka federicoschonborn ];
mainProgram = "waycheck";
platforms = platforms.linux;
};
}
})


@ -1,12 +1,12 @@
{ lib, stdenv, fetchurl, pkg-config, xorgproto }:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "rgb";
version = "1.0.6";
version = "1.1.0";
src = fetchurl {
url = "https://xorg.freedesktop.org/archive/individual/app/rgb-${version}.tar.bz2";
sha256 = "1c76zcjs39ljil6f6jpx1x17c8fnvwazz7zvl3vbjfcrlmm7rjmv";
url = "https://xorg.freedesktop.org/archive/individual/app/rgb-${finalAttrs.version}.tar.xz";
hash = "sha256-/APX9W5bKmF2aBZ/iSeUjM5U+TCX58zZ8FYHf0ee03s=";
};
nativeBuildInputs = [ pkg-config ];
@ -15,8 +15,8 @@ stdenv.mkDerivation rec {
meta = with lib; {
description = "X11 colorname to RGB mapping database";
license = licenses.mit;
maintainers = [ maintainers.raskin ];
maintainers = with maintainers; [ raskin ];
platforms = platforms.linux;
homepage = "https://xorg.freedesktop.org/";
};
}
})


@ -5,7 +5,8 @@
stampYmd ? 0, stampHms ? 0,
gambit-support,
optimizationSetting ? "-O1",
gambit-params ? pkgs.gambit-support.stable-params }:
gambit-params ? pkgs.gambit-support.stable-params,
rev ? git-version }:
# Note that according to a benchmark run by Marc Feeley on May 2018,
# clang is 10x (with default settings) to 15% (with -O2) slower than GCC at compiling
@ -30,6 +31,11 @@ gccStdenv.mkDerivation rec {
inherit src version git-version;
bootstrap = gambit-support.gambit-bootstrap;
passthru = {
inherit src version git-version rev stampYmd stampHms optimizationSetting openssl;
};
nativeBuildInputs = [ git autoconf ];
# TODO: if/when we can get all the library packages we depend on to have static versions,
@ -47,6 +53,7 @@ gccStdenv.mkDerivation rec {
"--enable-c-opt=${optimizationSetting}"
"--enable-c-opt-rts=-O2"
"--enable-gcc-opts"
"--enable-trust-c-tco"
"--enable-shared"
"--enable-absolute-shared-libs" # Yes, NixOS will want an absolute path, and fix it.
"--enable-openssl"
@ -70,6 +77,9 @@ gccStdenv.mkDerivation rec {
# "--enable-char-size=1" # default is 4
# "--enable-march=native" # Nope, makes it not work on machines older than the builder
] ++ gambit-params.extraOptions
# TODO: pick an appropriate architecture to optimize on on x86-64?
# https://gcc.gnu.org/onlinedocs/gcc-4.8.4/gcc/i386-and-x86-64-Options.html#i386-and-x86-64-Options
# ++ lib.optional pkgs.stdenv.isx86_64 "--enable-march=core-avx2"
# Do not enable poll on darwin due to https://github.com/gambit/gambit/issues/498
++ lib.optional (!gccStdenv.isDarwin) "--enable-poll";


@ -2,7 +2,7 @@
callPackage ./build.nix rec {
version = "4.9.5";
git-version = version;
git-version = "v${version}";
src = fetchurl {
url = "https://gambitscheme.org/4.9.5/gambit-v4_9_5.tgz";
sha256 = "sha256-4o74218OexFZcgwVAFPcq498TK4fDlyDiUR5cHP4wdw=";


@ -13,16 +13,17 @@ rec {
--replace "$(grep '^PACKAGE_VERSION=.*$' configure)" 'PACKAGE_VERSION="v${git-version}"' \
--replace "$(grep '^PACKAGE_STRING=.*$' configure)" 'PACKAGE_STRING="Gambit v${git-version}"' ;
substituteInPlace include/makefile.in \
--replace "echo > stamp.h;" "(echo '#define ___STAMP_VERSION \"${git-version}\"'; echo '#define ___STAMP_YMD ${toString stampYmd}'; echo '#define ___STAMP_HMS ${toString stampHms}';) > stamp.h;";
--replace "\$\$(\$(GIT) describe --tag --always | sed 's/-bootstrap\$\$//')" "v${git-version}" \
--replace "echo > stamp.h;" "(echo '#define ___STAMP_VERSION \"v${git-version}\"'; echo '#define ___STAMP_YMD ${toString stampYmd}'; echo '#define ___STAMP_HMS ${toString stampHms}';) > stamp.h;";
grep -i ' version=\|echo..#define ___STAMP_VERSION' include/makefile.in # XXX DEBUG -- REMOVE ME
'';
modules = true;
#extraOptions = [];
extraOptions = ["--enable-trust-c-tco" "CFLAGS=-foptimize-sibling-calls"];
extraOptions = ["CFLAGS=-foptimize-sibling-calls"];
};
unstable-params = stable-params // {
stable = false;
extraOptions = ["--enable-trust-c-tco"]; # "CFLAGS=-foptimize-sibling-calls" not necessary in latest unstable
extraOptions = []; # "CFLAGS=-foptimize-sibling-calls" not necessary in latest unstable
};
export-gambopt = params : "export GAMBOPT=${params.buildRuntimeOptions} ;";
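Review bot: The new `--replace` lines write `v${git-version}` into `___STAMP_VERSION`, while the stable expression on this page now sets `git-version = "v${version}"`; if this stamp fix-up is applied to the stable build, the result would read `vv4.9.5`. The unchanged `PACKAGE_VERSION="v${git-version}"` substitutions above have the same shape. Either keep `git-version` without the prefix or drop the literal `v` here, and state in a comment which form `git-version` is expected to have. The `grep` marked `# XXX DEBUG -- REMOVE ME` is still in the block. The enclosing attribute set starts outside the hunk.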


@ -1,15 +1,16 @@
{ callPackage, fetchFromGitHub, gambit-support }:
callPackage ./build.nix {
version = "unstable-2023-08-06";
git-version = "4.9.5-5-gf1fbe9aa";
stampYmd = 20230806;
stampHms = 195822;
callPackage ./build.nix rec {
version = "unstable-2023-10-07";
git-version = "4.9.5-59-g342399c7";
stampYmd = 20231007;
stampHms = 170745;
rev = "342399c736ec560c0ff4faeaeb9599b45633f26c";
src = fetchFromGitHub {
owner = "gambit";
repo = "gambit";
rev = "f1fbe9aa0f461e89f2a91bc050c1373ee6d66482";
sha256 = "0b0gd6cwj8zxwcqglpsnmanysiq4mvma2mrgdfr6qy99avhbhzxm";
inherit rev;
sha256 = "121pj6lxihjjnfq33lq4m5hi461xbs9f41qd4l46556dr15cyf8f";
};
gambit-params = gambit-support.unstable-params;
}


@ -1,8 +1,11 @@
{ pkgs, gccStdenv, lib, coreutils,
openssl, zlib, sqlite, libxml2, libyaml, libmysqlclient, lmdb, leveldb, postgresql,
version, git-version,
openssl, zlib, sqlite,
version, git-version, src,
gambit-support,
gambit ? pkgs.gambit, gambit-params ? pkgs.gambit-support.stable-params, src }:
gambit-git-version,
gambit-stampYmd,
gambit-stampHms,
gambit-params }:
# We use Gambit, that works 10x better with GCC than Clang. See ../gambit/build.nix
let stdenv = gccStdenv; in
@ -12,16 +15,13 @@ stdenv.mkDerivation rec {
inherit version;
inherit src;
buildInputs_libraries = [ openssl zlib sqlite libxml2 libyaml libmysqlclient lmdb leveldb postgresql ];
buildInputs_libraries = [ openssl zlib sqlite ];
# TODO: either fix all of Gerbil's dependencies to provide static libraries,
# or give up and delete all tentative support for static libraries.
#buildInputs_staticLibraries = map makeStaticLibraries buildInputs_libraries;
buildInputs = [ gambit ]
++ buildInputs_libraries; # ++ buildInputs_staticLibraries;
env.NIX_CFLAGS_COMPILE = "-I${libmysqlclient}/include/mysql -L${libmysqlclient}/lib/mysql";
buildInputs = buildInputs_libraries;
postPatch = ''
echo '(define (gerbil-version-string) "v${git-version}")' > src/gerbil/runtime/gx-version.scm ;
@ -29,6 +29,17 @@ stdenv.mkDerivation rec {
grep -Fl '#!/usr/bin/env' `find . -type f -executable` | while read f ; do
substituteInPlace "$f" --replace '#!/usr/bin/env' '#!${coreutils}/bin/env' ;
done ;
substituteInPlace ./configure --replace 'set -e' 'set -e ; git () { echo "v${git-version}" ;}' ;
substituteInPlace ./src/build/build-version.scm --replace "with-exception-catcher" '(lambda _ "v${git-version}")' ;
#rmdir src/gambit
#cp -a ${pkgs.gambit-unstable.src} ./src/gambit
chmod -R u+w ./src/gambit
( cd src/gambit ; ${gambit-params.fixStamp gambit-git-version gambit-stampYmd gambit-stampHms} )
for f in src/bootstrap/gerbil/compiler/driver__0.scm \
src/build/build-libgerbil.ss \
src/gerbil/compiler/driver.ss ; do
substituteInPlace "$f" --replace '"gcc"' '"${gccStdenv.cc}/bin/${gccStdenv.cc.targetPrefix}gcc"' ;
done
'';
## TODO: make static compilation work.
@ -40,26 +51,42 @@ stdenv.mkDerivation rec {
# OPENSSL_LIBSSL=${makeStaticLibraries openssl}/lib/libssl.a # MISSING!
# ZLIB=${makeStaticLibraries zlib}/lib/libz.a
# SQLITE=${makeStaticLibraries sqlite}/lib/sqlite.a # MISSING!
# LIBXML2=${makeStaticLibraries libxml2}/lib/libxml2.a # MISSING!
# YAML=${makeStaticLibraries libyaml}/lib/libyaml.a # MISSING!
# MYSQL=${makeStaticLibraries libmysqlclient}/lib/mariadb/libmariadb.a
# LMDB=${makeStaticLibraries lmdb}/lib/mysql/libmysqlclient_r.a # MISSING!
# LEVELDB=${makeStaticLibraries leveldb}/lib/libleveldb.a
# EOF
configureFlags = [
"--prefix=$out/gerbil"
"--enable-zlib"
"--enable-sqlite"
"--enable-shared"
"--disable-deprecated"
"--enable-march=" # Avoid non-portable invalid instructions
];
configurePhase = ''
(cd src && ./configure \
--prefix=$out/gerbil \
--with-gambit=${gambit}/gambit \
--enable-libxml \
--enable-libyaml \
--enable-zlib \
--enable-sqlite \
--enable-mysql \
--enable-lmdb \
--enable-leveldb)
export CC=${gccStdenv.cc}/bin/${gccStdenv.cc.targetPrefix}gcc \
CXX=${gccStdenv.cc}/bin/${gccStdenv.cc.targetPrefix}g++ \
CPP=${gccStdenv.cc}/bin/${gccStdenv.cc.targetPrefix}cpp \
CXXCPP=${gccStdenv.cc}/bin/${gccStdenv.cc.targetPrefix}cpp \
LD=${gccStdenv.cc}/bin/${gccStdenv.cc.targetPrefix}ld \
XMKMF=${coreutils}/bin/false
unset CFLAGS LDFLAGS LIBS CPPFLAGS CXXFLAGS
(cd src/gambit ; ${gambit-params.fixStamp gambit-git-version gambit-stampYmd gambit-stampHms})
./configure ${builtins.concatStringsSep " " configureFlags}
(cd src/gambit ;
substituteInPlace config.status \
${lib.optionalString (gccStdenv.isDarwin && !gambit-params.stable)
''--replace "/usr/local/opt/openssl@1.1" "${lib.getLib openssl}"''} \
--replace "/usr/local/opt/openssl" "${lib.getLib openssl}"
./config.status
)
'';
extraLdOptions = [
"-L${zlib}/lib"
"-L${openssl.out}/lib"
"-L${sqlite.out}/lib"
];
buildPhase = ''
runHook preBuild
@ -68,7 +95,7 @@ stdenv.mkDerivation rec {
export GERBIL_BUILD_CORES=$NIX_BUILD_CORES
export GERBIL_GXC=$PWD/bin/gxc
export GERBIL_BASE=$PWD
export GERBIL_HOME=$PWD
export GERBIL_PREFIX=$PWD
export GERBIL_PATH=$PWD/lib
export PATH=$PWD/bin:$PATH
${gambit-support.export-gambopt gambit-params}
@ -76,13 +103,17 @@ stdenv.mkDerivation rec {
# Build, replacing make by build.sh
( cd src && sh build.sh )
f=build/lib/libgerbil.so.ldd ; [ -f $f ] && :
substituteInPlace "$f" --replace '(' \
'(${lib.strings.concatStrings (map (x: "\"${x}\" " ) extraLdOptions)}'
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out/gerbil $out/bin
(cd src; ./install)
./install.sh
(cd $out/bin ; ln -s ../gerbil/bin/* .)
runHook postInstall
'';
@ -98,4 +129,6 @@ stdenv.mkDerivation rec {
platforms = lib.platforms.unix;
maintainers = with lib.maintainers; [ fare ];
};
outputsToInstall = [ "out" ];
}
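Review bot: In the `buildPhase` hunk, `f=build/lib/libgerbil.so.ldd ; [ -f $f ] && :` guards nothing: `:` is a no-op, so the `substituteInPlace "$f"` on the following line runs whether or not the file exists and fails the build when it is missing. If the file is optional, let the test control the substitution by wrapping the existing call in `if [ -f "$f" ]; then … ; fi`. If it is required, drop the test so the failure is explicit. A one-line comment saying that this step prepends the `extraLdOptions` `-L` paths to the recorded linker options would also help. The start of `buildPhase` lies outside the hunk.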


@ -1,12 +1,18 @@
{ callPackage, fetchFromGitHub }:
{ callPackage, fetchFromGitHub, gambit-unstable, gambit-support, pkgs, gccStdenv }:
callPackage ./build.nix rec {
version = "0.17";
git-version = version;
version = "0.18";
git-version = "0.18";
src = fetchFromGitHub {
owner = "vyzo";
owner = "mighty-gerbils";
repo = "gerbil";
rev = "v${version}";
sha256 = "0xzi9mhrmzcajhlz5qcnz4yjlljvbkbm9426iifgjn47ac0965zw";
rev = "8ca36a928bc9345f9d28e5f2dfcb55ca558e85f9";
sha256 = "sha256-EMiYgQM/Gl+dh6AxLYRZ0BKZ+VKFd+Lkyy9Pw11ivE8=";
fetchSubmodules = true;
};
inherit gambit-support;
gambit-params = gambit-support.unstable-params;
gambit-git-version = "4.9.5-40-g24201248"; # pkgs.gambit-unstable.passthru.git-version
gambit-stampYmd = "20230917"; # pkgs.gambit-unstable.passthru.git-stampYmd
gambit-stampHms = "182043"; # pkgs.gambit-unstable.passthru.git-stampHms
}
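Review bot: The trailing comments on `gambit-git-version`, `gambit-stampYmd` and `gambit-stampHms` point at `pkgs.gambit-unstable.passthru`, but the values (`4.9.5-40-g24201248`, `20230917`, `182043`) do not match the `gambit-unstable` expression updated in this same commit (`4.9.5-59-g342399c7`, `20231007`, `170745`). They presumably describe the Gambit checkout pulled in through `fetchSubmodules = true`, so the comment should say that, for example `# version of the src/gambit submodule pinned by rev; update together with rev`. Without it, the next change of `rev` is likely to leave a stale version stamp in the built compiler. The same three lines appear in the unstable Gerbil expression further down the page.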


@ -2,8 +2,8 @@
{
pname = "gerbil-crypto";
version = "unstable-2023-03-27";
git-version = "0.0-18-ge57f887";
version = "unstable-2023-09-27";
git-version = "0.0-23-g341e09d";
gerbil-package = "clan/crypto";
gerbilInputs = with gerbilPackages; [ gerbil-utils gerbil-poo ];
nativeBuildInputs = [ pkgs.pkg-config ];
@ -13,10 +13,10 @@
pre-src = {
fun = fetchFromGitHub;
owner = "fare";
owner = "mighty-gerbils";
repo = "gerbil-crypto";
rev = "e57f88742d9b41640b4a7d9bd3e86c688d4a83f9";
sha256 = "08hrk3s82hbigvza75vgx9kc7qf64yhhn3xm5calc859sy6ai4ka";
rev = "341e09dcb15c09c836eae18093c0f63f71c0a72f";
sha256 = "1rq50q4p4vhr5drjvirmdkxaa4wszj1rxnhjaqz98bfpjm90yk4j";
};
meta = with lib; {


@ -2,24 +2,25 @@
rec {
pname = "gerbil-ethereum";
version = "unstable-2023-05-30";
git-version = "0.0-375-g989a5ca";
version = "unstable-2023-10-06";
git-version = "0.1-1-g08b08fc";
softwareName = "Gerbil-ethereum";
gerbil-package = "mukn/ethereum";
gerbil-package = "clan/ethereum";
version-path = "version";
gerbilInputs = with gerbilPackages; [ gerbil-utils gerbil-crypto gerbil-poo gerbil-persist ];
gerbilInputs = with gerbilPackages; [
gerbil-utils gerbil-crypto gerbil-poo gerbil-persist gerbil-leveldb ];
pre-src = {
fun = fetchFromGitHub;
owner = "fare";
owner = "mighty-gerbils";
repo = "gerbil-ethereum";
rev = "989a5ca78958e42c4a1ec242786ade89f1887e48";
sha256 = "0bs2knhx3hy3k72yidgaplwjd48y86arqscdik8hgxwmhm9z8kwp";
rev = "08b08fce8c83cb59bfb532eebb1c7a2dd4bd57ab";
sha256 = "1sy7l869d2xqhq2qflsmkvr343jfhzsq43ixx75rqfpr3cdljz0b";
};
postInstall = ''
cp scripts/{croesus.prv,genesis.json,logback.xml,yolo-evm.conf,yolo-kevm.conf,run-ethereum-test-net.ss} $out/gerbil/lib/mukn/ethereum/scripts/
cp scripts/{croesus.prv,genesis.json,logback.xml,yolo-evm.conf,yolo-kevm.conf,run-ethereum-test-net.ss} $out/gerbil/lib/clan/ethereum/scripts/
mkdir -p $out/bin
cat > $out/bin/run-ethereum-test-net <<EOF
#!/bin/sh
@ -33,7 +34,7 @@ rec {
export GERBIL_PATH GERBIL_LOADPATH GLOW_SOURCE ORIG_GERBIL_PATH ORIG_GERBIL_LOADPATH
exec ${gerbil}/bin/gxi "\$0" "\$@"
|#
(import :mukn/ethereum/scripts/run-ethereum-test-net :clan/multicall)
(import :clan/ethereum/scripts/run-ethereum-test-net :clan/multicall)
(apply call-entry-point (cdr (command-line)))
EOF
chmod a+x $out/bin/run-ethereum-test-net
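Review bot: The `cp scripts/{croesus.prv,…}` line in `postInstall` installs what looks like a private-key file into `$out`, and everything under the Nix store is world-readable and can be uploaded to binary caches. Judging from the neighbouring `genesis.json` and `run-ethereum-test-net.ss` this is presumably a fixed key for the local test network, but nothing in the expression says so. A comment above the copy would make the assumption explicit: `# croesus.prv is the publicly known test-net funding key; it must never hold real funds`. The `postInstall` string is only partly visible in these hunks.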


@ -0,0 +1,31 @@
{ pkgs, lib, fetchFromGitHub, gerbilPackages, leveldb, ... }:
{
pname = "gerbil-leveldb";
version = "unstable-2023-09-23";
git-version = "c62e47f";
gerbil-package = "clan";
gerbilInputs = [ ];
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ leveldb ];
version-path = "";
softwareName = "Gerbil-LevelDB";
pre-src = {
fun = fetchFromGitHub;
owner = "mighty-gerbils";
repo = "gerbil-leveldb";
rev = "c62e47f352377b6843fb3e4b27030762a510a0d8";
sha256 = "177zn1smv2zq97mlryf8fi7v5gbjk07v5i0dix3r2wsanphaawvl";
};
meta = with lib; {
description = "LevelDB bindings for Gerbil";
homepage = "https://github.com/mighty-gerbils/gerbil-leveldb";
license = licenses.asl20;
platforms = platforms.unix;
maintainers = with maintainers; [ fare ];
};
# "-L${leveldb}/lib"
}
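Review bot: `git-version = "c62e47f"` is a hand-copied prefix of `pre-src.rev`, so the two can drift apart on the next update and the package would then report a revision it was not built from. The override helper in the support file on this page already derives it with `lib.substring 0 7 new-pre-src.rev`; the same can be done here by making the set `rec` and writing `git-version = lib.substring 0 7 pre-src.rev;`. The other new binding expressions in this commit (libxml, libyaml, lmdb, mysql) repeat the pattern. The trailing `# "-L${leveldb}/lib"` line should either be removed or given a short note on when it is needed.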


@ -0,0 +1,29 @@
{ pkgs, lib, fetchFromGitHub, gerbilPackages, libxml2, ... }:
{
pname = "gerbil-libxml";
version = "unstable-2023-09-23";
git-version = "b08e5d8";
gerbil-package = "clan";
gerbilInputs = [ ];
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ libxml2 ];
version-path = "";
softwareName = "Gerbil-LibXML";
pre-src = {
fun = fetchFromGitHub;
owner = "mighty-gerbils";
repo = "gerbil-libxml";
rev = "b08e5d8fe4688a162824062579ce152a10adb4cf";
sha256 = "1zfccqaibwy2b3srwmwwgv91dwy1xl18cfimxhcsxl6mxvgm61pd";
};
meta = with lib; {
description = "libxml bindings for Gerbil";
homepage = "https://github.com/mighty-gerbils/gerbil-libxml";
license = licenses.asl20;
platforms = platforms.unix;
maintainers = with maintainers; [ fare ];
};
}


@ -0,0 +1,31 @@
{ pkgs, lib, fetchFromGitHub, gerbilPackages, libyaml, ... }:
{
pname = "gerbil-libyaml";
version = "unstable-2023-09-23";
git-version = "398a197";
gerbil-package = "clan";
gerbilInputs = [ ];
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ libyaml ];
version-path = "";
softwareName = "Gerbil-LibYAML";
pre-src = {
fun = fetchFromGitHub;
owner = "mighty-gerbils";
repo = "gerbil-libyaml";
rev = "398a19782b1526de94b70de165c027d4b6029dac";
sha256 = "0plmwx1i23c9nzzg6zxz2xi0y92la97mak9hg6h3c6d8kxvajb5c";
};
meta = with lib; {
description = "libyaml bindings for Gerbil";
homepage = "https://github.com/mighty-gerbils/gerbil-libyaml";
license = licenses.asl20;
platforms = platforms.unix;
maintainers = with maintainers; [ fare ];
};
# "-L${libyaml}/lib"
}


@ -0,0 +1,31 @@
{ pkgs, lib, fetchFromGitHub, gerbilPackages, lmdb, ... }:
{
pname = "gerbil-lmdb";
version = "unstable-2023-09-23";
git-version = "6d64813";
gerbil-package = "clan";
gerbilInputs = [ ];
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ lmdb ];
version-path = "";
softwareName = "Gerbil-LMDB";
pre-src = {
fun = fetchFromGitHub;
owner = "mighty-gerbils";
repo = "gerbil-lmdb";
rev = "6d64813afe5766776a0d7ef45f80c784b820742c";
sha256 = "12kywxx4qjxchmhcd66700r2yfqjnh12ijgqnpqaccvigi07iq9b";
};
meta = with lib; {
description = "LMDB bindings for Gerbil";
homepage = "https://github.com/mighty-gerbils/gerbil-lmdb";
license = licenses.asl20;
platforms = platforms.unix;
maintainers = with maintainers; [ fare ];
};
# "-L${lmdb.out}/lib"
}


@ -0,0 +1,31 @@
{ pkgs, lib, fetchFromGitHub, gerbilPackages, mariadb-connector-c, ... }:
{
pname = "gerbil-mysql";
version = "unstable-2023-09-23";
git-version = "ecec94c";
gerbil-package = "clan";
gerbilInputs = [ ];
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ mariadb-connector-c ];
version-path = "";
softwareName = "Gerbil-MySQL";
pre-src = {
fun = fetchFromGitHub;
owner = "mighty-gerbils";
repo = "gerbil-mysql";
rev = "ecec94c76d7aa23331b7e02ac7732a7923f100a5";
sha256 = "01506r0ivgp6cxvwracmg7pwr735ngb7899ga3lxy181lzkp6b2c";
};
meta = with lib; {
description = "MySQL bindings for Gerbil";
homepage = "https://github.com/mighty-gerbils/gerbil-mysql";
license = licenses.asl20;
platforms = platforms.unix;
maintainers = with maintainers; [ fare ];
};
# "-L${mariadb-connector-c}/lib/mariadb"
}


@ -1,20 +1,20 @@
{ lib, fetchFromGitHub, gerbilPackages, ... }:
{
pname = "gerbil-persist";
version = "unstable-2023-03-02";
git-version = "0.1.0-24-ge2305f5";
version = "unstable-2023-10-07";
git-version = "0.1.1-1-g3ce1d4a";
softwareName = "Gerbil-persist";
gerbil-package = "clan/persist";
version-path = "version";
gerbilInputs = with gerbilPackages; [ gerbil-utils gerbil-crypto gerbil-poo ];
gerbilInputs = with gerbilPackages; [ gerbil-utils gerbil-crypto gerbil-poo gerbil-leveldb ];
pre-src = {
fun = fetchFromGitHub;
owner = "fare";
owner = "mighty-gerbils";
repo = "gerbil-persist";
rev = "e2305f53571e55292179286ca2d88e046ec6638b";
sha256 = "1vsi4rfzpqg4hhn53d2r26iw715vzwz0hiai9r34z4diwzqixfgn";
rev = "3ce1d4a4b1d7be290e54f884d780c02ceee8f10e";
sha256 = "1kzvgpqkpq4wlc0hlfxy314fbv6215aksrrlrrpq9w97wdibmv7x";
};
meta = with lib; {


@ -2,8 +2,8 @@
{
pname = "gerbil-poo";
version = "unstable-2023-04-28";
git-version = "0.0-106-g418b582";
version = "unstable-2023-10-07";
git-version = "0.1-1-g367ab43";
softwareName = "Gerbil-POO";
gerbil-package = "clan/poo";
version-path = "version";
@ -12,10 +12,10 @@
pre-src = {
fun = fetchFromGitHub;
owner = "fare";
owner = "mighty-gerbils";
repo = "gerbil-poo";
rev = "418b582ae72e1494cf3a5f334d31d4f6503578f5";
sha256 = "0qdzs7l6hp45dji5bc3879k4c8k9x6cj4qxz68cskjhn8wrc5lr8";
rev = "367ab4376fdd6fc0b0892da2becef35a5039c583";
sha256 = "0ci88zqi7gb55ahl0n7dk1ihij2j6dn8jb6rzfiilck773x46kdh";
};
meta = with lib; {


@ -1,15 +1,22 @@
{ pkgs, lib, callPackage, ... }:
with pkgs.gerbil-support; {
with pkgs.gerbil-support; {
pppToName = ppp: lib.removeSuffix ".nix" (baseNameOf ppp); # from pre-package path to name
callPpp = ppp: callPackage ppp prePackage-defaults; # from pre-package path to pre-package
pppToKV = ppp: { name = pppToName ppp; value = callPpp ppp; }; # from pre-package path to name
ppplToPpa = ppps: builtins.listToAttrs (map pppToKV ppps); # from pre-package path list to name/pre-package attr
prePackages-unstable =
let pks = [ ./gerbil-libp2p.nix ./smug-gerbil.nix ./ftw.nix
./gerbil-utils.nix ./gerbil-crypto.nix ./gerbil-poo.nix
./gerbil-persist.nix ./gerbil-ethereum.nix ./glow-lang.nix ];
call = pkg: callPackage pkg prePackage-defaults;
pkgName = pkg: lib.removeSuffix ".nix" (baseNameOf pkg);
f = pkg: { name = pkgName pkg; value = call pkg; }; in
builtins.listToAttrs (map f pks);
ppplToPpa
[ ./gerbil-leveldb.nix ./gerbil-lmdb.nix ./gerbil-mysql.nix
./gerbil-libxml.nix ./gerbil-libyaml.nix
./smug-gerbil.nix # ./ftw.nix
./gerbil-utils.nix ./gerbil-crypto.nix ./gerbil-poo.nix
./gerbil-persist.nix ./gerbil-ethereum.nix
# ./gerbil-libp2p.nix
./glow-lang.nix
];
prePackage-defaults = {
gerbil = pkgs.gerbil-unstable;
@ -25,24 +32,23 @@
softwareName = "";
};
gerbilPackages-unstable =
builtins.mapAttrs (_: gerbilPackage) prePackages-unstable;
ppaToPl = builtins.mapAttrs (_: gerbilPackage);
gerbilPackages-unstable = ppaToPl prePackages-unstable;
resolve-pre-src = pre-src: pre-src.fun (removeAttrs pre-src ["fun"]);
gerbilVersionFromGit = pkg:
let version-path = "${pkg.passthru.pre-pkg.version-path}.ss"; in
if builtins.pathExists version-path then
gerbilVersionFromGit = srcDir: version-path:
let version-file = "${srcDir}/${version-path}.ss"; in
if builtins.pathExists version-file then
let m =
builtins.match "\\(import :clan/versioning.*\\)\n\\(register-software \"([-_.A-Za-z0-9]+)\" \"([-_.A-Za-z0-9]+)\"\\) ;; ([-0-9]+)\n"
(builtins.readFile version-path); in
{ version = builtins.elemAt m 2; git-version = builtins.elemAt m 1; }
else { version = "0.0";
git-version = let gitpath = "${toString pkg.src}/.git"; in
(builtins.readFile version-file); in
{ version = "${builtins.elemAt m 2}-git"; git-version = builtins.elemAt m 1; }
else { version = "0.0-git";
git-version = let gitpath = "${srcDir}/.git"; in
if builtins.pathExists gitpath then lib.commitIdFromGitRepo gitpath else "0"; };
gerbilSkippableFiles = [".git" ".build" ".build_outputs" "run" "result" "dep" "BLAH"
"version.ss" "tmp.nix"];
gerbilSkippableFiles = [".git" ".build" ".build_outputs" "run" "result" "dep" "BLAH" "tmp.nix"];
gerbilSourceFilter = path: type:
let baseName = baseNameOf path; in
@ -66,9 +72,12 @@
if old-sha256 == new-sha256 then {} else
view "Overriding ${name} old-sha256: ${old-sha256} new-sha256: ${new-sha256}"
{ ${name} = super.${name} // {
pre-src = new-pre-src;
version = "override";
git-version = if new-pre-src ? rev then lib.substring 0 7 new-pre-src.rev else "unknown";};};
pre-src = new-pre-src;
version = "override";
git-version = if new-pre-src ? rev
then lib.substring 0 7 new-pre-src.rev
else "unknown";};
};
pkgsOverrideGerbilPackageSrc = name: pre-src: pkgs: super: {
gerbil-support = (super-support:
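Review bot: `gerbilVersionFromGit` indexes the result of `builtins.match` without checking it. When the version file exists but does not match the pattern exactly, `m` is `null` and `builtins.elemAt m 2` aborts evaluation with a type error that names neither the file nor the package. Now that the function accepts an arbitrary `srcDir`, a guard is cheap: `if m == null then throw "gerbilVersionFromGit: cannot parse ${version-file}" else { … }`. Separately, the comment on `pppToKV` repeats the one on `pppToName`; it builds a name/value pair, so `# from pre-package path to name/value pair` would be accurate.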


@ -2,18 +2,18 @@
{
pname = "gerbil-utils";
version = "unstable-2023-07-22";
git-version = "0.2-198-g2fb01ce";
version = "unstable-2023-10-08";
git-version = "0.3-3-g2914428";
softwareName = "Gerbil-utils";
gerbil-package = "clan";
version-path = "version";
pre-src = {
fun = fetchFromGitHub;
owner = "fare";
owner = "mighty-gerbils";
repo = "gerbil-utils";
rev = "2fb01ce0b302f232f5c4daf4987457b6357d609d";
sha256 = "127q98gk1x6y1nlkkpnbnkz989ybpszy7aiy43hzai2q6xn4nv72";
rev = "29144289b40ce624adf30eab23b796ddd6b6b55d";
sha256 = "0qysw2zs5acgri3wrjb3ngnnhd17xpr9hcdr4ya383k8k7jacr8a";
};
meta = with lib; {


@ -2,22 +2,23 @@
rec {
pname = "glow-lang";
version = "unstable-2023-04-26";
git-version = "0.3.2-222-gb19cd980";
version = "unstable-2023-10-06";
git-version = "0.3.2-232-ga1a7a9e5";
softwareName = "Glow";
gerbil-package = "mukn/glow";
version-path = "version";
gerbilInputs = with gerbilPackages;
[ gerbil-utils gerbil-crypto gerbil-poo gerbil-persist gerbil-ethereum
gerbil-libp2p smug-gerbil ftw ];
smug-gerbil gerbil-leveldb # gerbil-libp2p ftw
];
pre-src = {
fun = fetchFromGitHub;
owner = "Glow-Lang";
repo = "glow";
rev = "b19cd98082dfc5156d1b4fc83cde161572d6a211";
sha256 = "0k3qy5826pxqr9ylnnpq4iikxf4j50987vhpa5qiv99j0p643xr3";
rev = "a1a7a9e51ba9a466d91c397d9da55af90076110c";
sha256 = "0wgav4gbg6mlxgisjjbyhvhz94b29vv2rkjkjy1jl7v0hs3wbm52";
};
postPatch = ''


@ -1,15 +1,18 @@
{ callPackage, fetchFromGitHub, gambit-unstable, gambit-support }:
{ callPackage, fetchFromGitHub, gambit-unstable, gambit-support, pkgs, gccStdenv }:
callPackage ./build.nix rec {
version = "unstable-2023-08-07";
git-version = "0.17.0-187-gba545b77";
version = "unstable-2023-10-13";
git-version = "0.18-2-g8ed012ff";
src = fetchFromGitHub {
owner = "vyzo";
owner = "mighty-gerbils";
repo = "gerbil";
rev = "ba545b77e8e85118089232e3cd263856e414b24b";
sha256 = "1f4v1qawx2i8333kshj4pbj5r21z0868pwrr3r710n6ng3pd9gqn";
rev = "8ed012ff9571fcfebcc07815813001a3f356150d";
sha256 = "056kmjn7sd0hjwikmg7v3a1kvgsgvfi7pi9xcx3ixym9g3bqa4mx";
fetchSubmodules = true;
};
inherit gambit-support;
gambit = gambit-unstable;
gambit-params = gambit-support.unstable-params;
gambit-git-version = "4.9.5-40-g24201248"; # pkgs.gambit-unstable.passthru.git-version
gambit-stampYmd = "20230917"; # pkgs.gambit-unstable.passthru.git-stampYmd
gambit-stampHms = "182043"; # pkgs.gambit-unstable.passthru.git-stampHms
}


@ -0,0 +1,66 @@
diff --git a/Makefile b/Makefile
index 4c96ae7..9e1a2e3 100755
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
# Setup make itself.
.ONESHELL:
-override SHELL := /bin/bash
+SHELL := bash
override .SHELLFLAGS := -e -u -o pipefail -O nullglob -O extglob -O globstar -c
# Unset all default build- and recipe-related variables.
@@ -315,7 +315,6 @@ endif
GetTargetStructName = target[${1}]
makefiles_to_include := \
- third_party/Build.*.mk \
frontends/*/Build.mk \
tests/*/Build.mk \
lib/*/Build.mk
diff --git a/frontends/systemverilog/Build.mk b/frontends/systemverilog/Build.mk
index acd9cb6..c039994 100644
--- a/frontends/systemverilog/Build.mk
+++ b/frontends/systemverilog/Build.mk
@@ -1,6 +1,7 @@
t := systemverilog-plugin
ts := $(call GetTargetStructName,${t})
out_dir := $(call GetTargetBuildDir,${t})
+mod_dir := third_party/yosys_mod
cxx_is_clang := $(findstring clang,$(notdir ${CXX}))
@@ -13,9 +14,9 @@ ${ts}.sources := \
${${ts}.src_dir}uhdm_ast_frontend.cc \
${${ts}.src_dir}uhdm_common_frontend.cc \
${${ts}.src_dir}uhdm_surelog_ast_frontend.cc \
- ${$(call GetTargetStructName,yosys).mod_dir}const2ast.cc \
- ${$(call GetTargetStructName,yosys).mod_dir}edif.cc \
- ${$(call GetTargetStructName,yosys).mod_dir}simplify.cc
+ $(mod_dir)/const2ast.cc \
+ $(mod_dir)/edif.cc \
+ $(mod_dir)/simplify.cc
define ${ts}.env =
export PKG_CONFIG_PATH=$(call ShQuote,${$(call GetTargetStructName,surelog).output_vars.PKG_CONFIG_PATH}$(if ${PKG_CONFIG_PATH},:${PKG_CONFIG_PATH}))
@@ -35,8 +36,8 @@ endif
endif
${ts}.cxxflags = \
- -I${$(call GetTargetStructName,yosys).src_dir} \
- -I${$(call GetTargetStructName,yosys).mod_dir} \
+ -I$(shell yosys-config --cxxflags) \
+ -I$(mod_dir) \
-D_YOSYS_ \
-DYOSYS_ENABLE_PLUGINS \
$(shell ${${ts}.env}; pkg-config --cflags Surelog) \
@@ -55,7 +56,7 @@ ${ts}.ldflags = \
$(shell ${${ts}.env}; pkg-config --libs-only-L Surelog) \
${build_type_ldflags} \
${LDFLAGS} \
- -Wl,--export-dynamic
+ $(shell yosys-config --ldflags --ldlibs)
${ts}.ldlibs = \
$(shell ${${ts}.env}; pkg-config --libs-only-l --libs-only-other Surelog) \
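Review bot: In the `${ts}.cxxflags` hunk, `-I$(shell yosys-config --cxxflags)` glues `-I` onto the first word of whatever `yosys-config --cxxflags` prints. That command normally emits a whole flag list rather than a single directory, so the first flag is likely to be consumed as an include path instead of being applied; this should be checked against the packaged yosys. Using the output unchanged, `$(shell yosys-config --cxxflags) \`, or asking only for the directory with `-I$(shell yosys-config --datdir)/include \`, avoids the problem. A header comment in the patch saying that it replaces the vendored yosys tree with the one from `yosys-config` would make later rebases easier.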


@ -0,0 +1,73 @@
{ stdenv
, lib
, fetchFromGitHub
, pkg-config
, antlr4
, capnproto
, readline
, surelog
, uhdm
, yosys
}:
stdenv.mkDerivation (finalAttrs: {
pname = "yosys-synlig";
version = "2023.10.12"; # Currently no tagged versions upstream
plugin = "synlig";
src = fetchFromGitHub {
owner = "chipsalliance";
repo = "synlig";
rev = "c5bd73595151212c61709d69a382917e96877a14";
sha256 = "sha256-WJhf5gdZTCs3EeNocP9aZAh6EZquHgYOG/xiTo8l0ao=";
fetchSubmodules = false; # we use all dependencies from nix
};
patches = [
./synlig-makefile-for-nix.patch # Remove assumption submodules available.
];
nativeBuildInputs = [
pkg-config
];
buildInputs = [
antlr4.runtime.cpp
capnproto
readline
surelog
uhdm
yosys
];
buildPhase = ''
runHook preBuild
make -j $NIX_BUILD_CORES build@systemverilog-plugin
runHook postBuild
'';
# Very simple litmus test that the plugin can be loaded successfully.
doCheck = true;
checkPhase = ''
runHook preCheck
yosys -p "plugin -i build/release/systemverilog-plugin/systemverilog.so;\
help read_systemverilog" | grep "Read SystemVerilog files using"
runHook postCheck
'';
installPhase = ''
runHook preInstall
mkdir -p $out/share/yosys/plugins
cp ./build/release/systemverilog-plugin/systemverilog.so \
$out/share/yosys/plugins/systemverilog.so
runHook postInstall
'';
meta = with lib; {
description = "SystemVerilog support plugin for Yosys";
homepage = "https://github.com/chipsalliance/synlig";
license = licenses.asl20;
maintainers = with maintainers; [ hzeller ];
platforms = platforms.all;
};
})


@ -5,14 +5,14 @@
rustPlatform.buildRustPackage rec {
pname = "svdtools";
version = "0.3.3";
version = "0.3.4";
src = fetchCrate {
inherit version pname;
hash = "sha256-pZufVz7m91MiD1TfzTzS6mL0eBxawcr43GAfvDJVqfU=";
hash = "sha256-rdBUEOyE4bHqPXZs3MxT/oivagKmJIVE/hI9mp0RY0k=";
};
cargoHash = "sha256-FAJZ/3eNhxPvIKXnE9lpejQuMi+yeBaA5ra9Peb2yIM=";
cargoHash = "sha256-mPz8m/9VGKSqXan/R1k1JTZ9a44CwCL6JefVyeeREeE=";
meta = with lib; {
description = "Tools to handle vendor-supplied, often buggy SVD files";


@ -29,6 +29,7 @@
, x11Support ? (stdenv.hostPlatform.isx86 && ! stdenv.hostPlatform.isDarwin)
, dllSupport ? true
, withModules ? [
"asdf"
"pcre"
"rawsock"
]
@ -41,6 +42,8 @@ assert x11Support -> (libX11 != null && libXau != null && libXt != null
let
ffcallAvailable = stdenv.isLinux && (libffcall != null);
# Some modules need autoreconf called in their directory.
shouldReconfModule = name: name != "asdf";
in
stdenv.mkDerivation {
@ -92,7 +95,7 @@ stdenv.mkDerivation {
cd modules/${x}
autoreconf -f -i -I "$root/src" -I "$root/src/m4" -I "$root/src/glm4"
)
'') withModules);
'') (builtins.filter shouldReconfModule withModules));
configureFlags = [ "builddir" ]
++ lib.optional (!dllSupport) "--without-dynamic-modules"


@ -58,6 +58,7 @@
, reproducibleBuild ? false
, pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
, noldconfigPatch ? ./. + "/${sourceVersion.major}.${sourceVersion.minor}/no-ldconfig.patch"
, testers
} @ inputs:
# Note: this package is used for bootstrapping fetchurl, and thus
@ -232,7 +233,7 @@ let
'';
execSuffix = stdenv.hostPlatform.extensions.executable;
in with passthru; stdenv.mkDerivation {
in with passthru; stdenv.mkDerivation (finalAttrs: {
pname = "python3";
inherit src version;
@ -579,6 +580,8 @@ in with passthru; stdenv.mkDerivation {
nativeBuildInputs = with pkgsBuildBuild.python3.pkgs; [ sphinxHook python_docs_theme ];
};
tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
};
enableParallelBuilding = true;
@ -604,8 +607,9 @@ in with passthru; stdenv.mkDerivation {
high level dynamic data types.
'';
license = licenses.psfl;
pkgConfigModules = [ "python3" ];
platforms = platforms.linux ++ platforms.darwin ++ platforms.windows;
maintainers = with maintainers; [ fridh ];
mainProgram = executable;
};
}
})


@ -0,0 +1,113 @@
{ lib
, config
, stdenv
, fetchFromGitHub
, cmake
, libiconv
, llvmPackages
, ninja
, openssl
, python3Packages
, ragel
, yasm
, zlib
, cudaSupport ? config.cudaSupport
, cudaPackages ? {}
, pythonSupport ? false
}:
stdenv.mkDerivation (finalAttrs: {
pname = "catboost";
version = "1.2.2";
src = fetchFromGitHub {
owner = "catboost";
repo = "catboost";
rev = "refs/tags/v${finalAttrs.version}";
hash = "sha256-A1zCIqPOW21dHKBQHRtS+/sstZ2o6F8k71lmJFGn0+g=";
};
patches = [
./remove-conan.patch
];
postPatch = ''
substituteInPlace cmake/common.cmake \
--replace "\''${RAGEL_BIN}" "${ragel}/bin/ragel" \
--replace "\''${YASM_BIN}" "${yasm}/bin/yasm"
shopt -s globstar
for cmakelists in **/CMakeLists.*; do
sed -i "s/OpenSSL::OpenSSL/OpenSSL::SSL/g" $cmakelists
${lib.optionalString (lib.versionOlder cudaPackages.cudaVersion "11.8") ''
sed -i 's/-gencode=arch=compute_89,code=sm_89//g' $cmakelists
sed -i 's/-gencode=arch=compute_90,code=sm_90//g' $cmakelists
''}
done
'';
outputs = [ "out" "dev" ];
nativeBuildInputs = [
cmake
llvmPackages.bintools
ninja
(python3Packages.python.withPackages (ps: with ps; [ six ]))
ragel
yasm
] ++ lib.optionals cudaSupport (with cudaPackages; [
cuda_nvcc
]);
buildInputs = [
openssl
zlib
] ++ lib.optionals stdenv.isDarwin [
libiconv
] ++ lib.optionals cudaSupport (with cudaPackages; [
cuda_cudart
cuda_cccl
libcublas
]);
env = {
CUDAHOSTCXX = lib.optionalString cudaSupport "${stdenv.cc}/bin/cc";
NIX_CFLAGS_LINK = lib.optionalString stdenv.isLinux "-fuse-ld=lld";
NIX_LDFLAGS = "-lc -lm";
};
cmakeFlags = [
"-DCMAKE_BINARY_DIR=$out"
"-DCMAKE_POSITION_INDEPENDENT_CODE=on"
"-DCATBOOST_COMPONENTS=app;libs${lib.optionalString pythonSupport ";python-package"}"
] ++ lib.optionals cudaSupport [
"-DHAVE_CUDA=on"
];
installPhase = ''
runHook preInstall
mkdir $dev
cp -r catboost $dev
install -Dm555 catboost/app/catboost -t $out/bin
install -Dm444 catboost/libs/model_interface/static/lib/libmodel_interface-static-lib.a -t $out/lib
install -Dm444 catboost/libs/model_interface/libcatboostmodel${stdenv.hostPlatform.extensions.sharedLibrary} -t $out/lib
install -Dm444 catboost/libs/train_interface/libcatboost${stdenv.hostPlatform.extensions.sharedLibrary} -t $out/lib
runHook postInstall
'';
meta = with lib; {
description = "High-performance library for gradient boosting on decision trees";
longDescription = ''
A fast, scalable, high performance Gradient Boosting on Decision Trees
library, used for ranking, classification, regression and other machine
learning tasks for Python, R, Java, C++. Supports computation on CPU and GPU.
'';
license = licenses.asl20;
platforms = platforms.unix;
homepage = "https://catboost.ai";
maintainers = with maintainers; [ PlushBeaver natsukium ];
mainProgram = "catboost";
};
})
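Review bot: The `postPatch` script evaluates `lib.versionOlder cudaPackages.cudaVersion "11.8"` unconditionally, so the CUDA package set is forced even when `cudaSupport` is false. With the declared default `cudaPackages ? {}` that is a missing-attribute evaluation error, and with a real `cudaPackages` the `-gencode` lines are stripped from CPU-only builds for no reason. Guarding the condition keeps the CUDA set untouched unless it is needed: `${lib.optionalString (cudaSupport && lib.versionOlder cudaPackages.cudaVersion "11.8") ''`. A short comment that the two `sed` lines drop the `sm_89`/`sm_90` targets because older toolkits do not know them would explain the version bound.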


@ -0,0 +1,34 @@
diff --git a/CMakeLists.txt b/CMakeLists.txt
index becd2ad03c..7e3c8c99b1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -27,7 +27,6 @@ cmake_policy(SET CMP0104 OLD)
include(cmake/archive.cmake)
include(cmake/common.cmake)
-include(cmake/conan.cmake)
include(cmake/cuda.cmake)
include(cmake/cython.cmake)
include(cmake/fbs.cmake)
@@ -37,21 +36,6 @@ include(cmake/recursive_library.cmake)
include(cmake/swig.cmake)
include(cmake/global_vars.cmake)
-if (CMAKE_CROSSCOMPILING)
- include(${CMAKE_BINARY_DIR}/conan_paths.cmake)
-else()
- conan_cmake_autodetect(settings)
- conan_cmake_install(
- PATH_OR_REFERENCE ${CMAKE_SOURCE_DIR}
- INSTALL_FOLDER ${CMAKE_BINARY_DIR}
- BUILD missing
- REMOTE conancenter
- SETTINGS ${settings}
- ENV "CONAN_CMAKE_GENERATOR=${CMAKE_GENERATOR}"
- CONF "tools.cmake.cmaketoolchain:generator=${CMAKE_GENERATOR}"
- )
-endif()
-
if (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND NOT HAVE_CUDA)
include(CMakeLists.linux-x86_64.txt)
elseif (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND HAVE_CUDA)


@ -180,14 +180,16 @@ index d9fc8251..d8ddb96e 100755
@@ -1,10 +1,10 @@
#!/bin/sh
if command -v gtk-update-icon-cache >/dev/null && test -d "$1/exports/share/icons/hicolor"; then
-if command -v gtk-update-icon-cache >/dev/null && test -d "$1/exports/share/icons/hicolor"; then
- cp /usr/share/icons/hicolor/index.theme "$1/exports/share/icons/hicolor/"
+ cp @hicolorIconTheme@/share/icons/hicolor/index.theme "$1/exports/share/icons/hicolor/"
+if test -d "$1/exports/share/icons/hicolor"; then
+ @coreutils@/bin/cp -f @hicolorIconTheme@/share/icons/hicolor/index.theme "$1/exports/share/icons/hicolor/"
for dir in "$1"/exports/share/icons/*; do
if test -f "$dir/index.theme"; then
- if ! gtk-update-icon-cache --quiet "$dir"; then
- echo "Failed to run gtk-update-icon-cache for $dir"
+ if ! @gtk3@/bin/gtk-update-icon-cache --quiet "$dir"; then
echo "Failed to run gtk-update-icon-cache for $dir"
+ @coreutils@/bin/echo "Failed to run gtk-update-icon-cache for $dir"
exit 1
fi
diff --git a/triggers/mime-database.trigger b/triggers/mime-database.trigger


@ -32,7 +32,7 @@ stdenv.mkDerivation (finalAttrs: {
doCheck = true;
passthru.tests = {
pkg-config = testers.hasPkgConfigModules { package = finalAttrs.finalPackage; };
pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
geos = callPackage ./tests.nix { geos = finalAttrs.finalPackage; };
};


@ -1,11 +1,13 @@
{ fetchurl, lib, stdenv, libidn, libkrb5 }:
{ fetchurl, lib, stdenv, libidn, libkrb5
, testers
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "gsasl";
version = "2.2.0";
src = fetchurl {
url = "mirror://gnu/gsasl/${pname}-${version}.tar.gz";
url = "mirror://gnu/gsasl/${finalAttrs.pname}-${finalAttrs.version}.tar.gz";
sha256 = "sha256-ebho47mXbcSE1ZspygroiXvpbOTTbTKu1dk1p6Mwd1k=";
};
@ -24,6 +26,8 @@ stdenv.mkDerivation rec {
'';
doCheck = !stdenv.hostPlatform.isDarwin;
passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
meta = {
description = "GNU SASL, Simple Authentication and Security Layer library";
@ -38,6 +42,7 @@ stdenv.mkDerivation rec {
license = lib.licenses.gpl3Plus;
maintainers = with lib.maintainers; [ shlevy ];
pkgConfigModules = [ "libgsasl" ];
platforms = lib.platforms.all;
};
}
})


@ -2,7 +2,7 @@
stdenv.mkDerivation {
pname = "libicns";
version = "unstable-2022-04-10";
version = "0.8.1-unstable-2022-04-10";
src = fetchgit {
name = "libicns";


@ -1,11 +1,13 @@
{ fetchurl, lib, stdenv, libiconv }:
{ fetchurl, lib, stdenv, libiconv
, testers
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "libidn";
version = "1.41";
src = fetchurl {
url = "mirror://gnu/libidn/${pname}-${version}.tar.gz";
url = "mirror://gnu/libidn/${finalAttrs.pname}-${finalAttrs.version}.tar.gz";
sha256 = "sha256-iE1wY2S4Gr3Re+6Whtj/KudDHFoUZRBHxorfizH9iUU=";
};
@ -15,6 +17,8 @@ stdenv.mkDerivation rec {
buildInputs = lib.optional stdenv.isDarwin libiconv;
passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
meta = {
homepage = "https://www.gnu.org/software/libidn/";
description = "Library for internationalized domain names";
@ -36,7 +40,8 @@ stdenv.mkDerivation rec {
'';
license = lib.licenses.lgpl2Plus;
pkgConfigModules = [ "libidn" ];
platforms = lib.platforms.all;
maintainers = with lib.maintainers; [ lsix ];
};
}
})


@ -1,13 +1,15 @@
{ lib, stdenv, fetchurl, zlib }:
{ lib, stdenv, fetchurl, zlib
, testers
}:
assert stdenv.hostPlatform == stdenv.buildPlatform -> zlib != null;
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "libpng";
version = "1.2.59";
src = fetchurl {
url = "mirror://sourceforge/libpng/libpng-${version}.tar.xz";
url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz";
sha256 = "1izw9ybm27llk8531w6h4jp4rk2rxy2s9vil16nwik5dp0amyqxl";
};
@ -15,18 +17,23 @@ stdenv.mkDerivation rec {
propagatedBuildInputs = [ zlib ];
passthru = { inherit zlib; };
configureFlags = [ "--enable-static" ];
postInstall = ''mv "$out/bin" "$dev/bin"'';
passthru = {
inherit zlib;
tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
};
meta = with lib; {
description = "The official reference implementation for the PNG file format";
homepage = "http://www.libpng.org/pub/png/libpng.html";
license = licenses.libpng;
maintainers = [ ];
branch = "1.2";
pkgConfigModules = [ "libpng" "libpng12" ];
platforms = platforms.unix;
};
}
})
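Review bot: The `meta` block now declares `pkgConfigModules = [ "libpng" "libpng12" ]` and gains a pkg-config test, but it still has `maintainers = [ ]` and `branch = "1.2"` with no comment on why this legacy image-decoding branch is kept. A short comment above `version`, such as `# legacy 1.2 ABI, kept only for <consumers>; check upstream support status before adding new users`, would tell reviewers who is expected to track fixes. Whether upstream still maintains the 1.2 line is not visible on this page and should be confirmed. The added test appears to check only the declared pkg-config modules, so it does not substitute for that.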


@ -1,4 +1,6 @@
{ lib, stdenv, fetchurl, zlib, apngSupport ? true }:
{ lib, stdenv, fetchurl, zlib, apngSupport ? true
, testers
}:
assert zlib != null;
@ -10,12 +12,12 @@ let
};
whenPatched = lib.optionalString apngSupport;
in stdenv.mkDerivation rec {
in stdenv.mkDerivation (finalAttrs: {
pname = "libpng" + whenPatched "-apng";
version = "1.6.40";
src = fetchurl {
url = "mirror://sourceforge/libpng/libpng-${version}.tar.xz";
url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz";
hash = "sha256-U1tHmyRn/yMaPsbZKlJZBvuO8nl4vk9m2+BdPzoBs6E=";
};
postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1";
@ -27,14 +29,19 @@ in stdenv.mkDerivation rec {
doCheck = true;
passthru = { inherit zlib; };
passthru = {
inherit zlib;
tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
};
meta = with lib; {
description = "The official reference implementation for the PNG file format" + whenPatched " with animation patch";
homepage = "http://www.libpng.org/pub/png/libpng.html";
changelog = "https://github.com/glennrp/libpng/blob/v1.6.40/CHANGES";
license = licenses.libpng2;
pkgConfigModules = [ "libpng" "libpng16" ];
platforms = platforms.all;
maintainers = with maintainers; [ vcunat ];
};
}
})


@ -1,13 +1,15 @@
{ lib, stdenv, fetchFromGitHub, autoreconfHook }:
{ lib, stdenv, fetchFromGitHub, autoreconfHook
, testers
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "libsass";
version = "3.6.5"; # also check sassc for updates
src = fetchFromGitHub {
owner = "sass";
repo = pname;
rev = version;
repo = finalAttrs.pname;
rev = finalAttrs.version;
sha256 = "1cxj6r85d5f3qxdwzxrmkx8z875hig4cr8zsi30w6vj23cyds3l2";
# Remove unicode file names which leads to different checksums on HFS+
# vs. other filesystems because of unicode normalisation.
@ -17,16 +19,19 @@ stdenv.mkDerivation rec {
};
preConfigure = ''
export LIBSASS_VERSION=${version}
export LIBSASS_VERSION=${finalAttrs.version}
'';
nativeBuildInputs = [ autoreconfHook ];
passthru.tests.pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
meta = with lib; {
description = "A C/C++ implementation of a Sass compiler";
homepage = "https://github.com/sass/libsass";
license = licenses.mit;
maintainers = with maintainers; [ codyopel offline ];
pkgConfigModules = [ "libsass" ];
platforms = platforms.unix;
};
}
})
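Review bot: In the `fetchFromGitHub` call, `repo = finalAttrs.pname;` ties the fetched repository to an attribute that `overrideAttrs` can change; a literal `repo = "libsass";` keeps the source location fixed. With `rev = finalAttrs.version;` an override of `version` now changes the requested revision while `sha256` stays pinned. Because the fetcher output is addressed by that hash, such an override may reuse an already-fetched tree rather than fail. A comment such as `# overriding version requires overriding src's hash as well` next to `rev` would make that explicit. The `fetchFromGitHub` attribute set continues outside the first hunk.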


@ -1,39 +0,0 @@
{ lib, stdenv, fetchurl, pkg-config, bison, flex, xkeyboard_config, libxcb, libX11 }:
stdenv.mkDerivation rec {
pname = "libxkbcommon";
version = "0.7.2";
src = fetchurl {
url = "http://xkbcommon.org/download/libxkbcommon-${version}.tar.xz";
sha256 = "1n5rv5n210kjnkyrvbh04gfwaa7zrmzy1393p8nyqfw66lkxr918";
};
outputs = [ "out" "dev" ];
nativeBuildInputs = [ pkg-config ];
buildInputs = [ bison flex xkeyboard_config libxcb ];
configureFlags = [
"--with-xkb-config-root=${xkeyboard_config}/etc/X11/xkb"
"--with-x-locale-root=${libX11.out}/share/X11/locale"
];
env.NIX_CFLAGS_COMPILE = toString [
# Needed with GCC 12
"-Wno-error=array-bounds"
];
preBuild = lib.optionalString stdenv.isDarwin ''
sed -i 's/,--version-script=.*$//' Makefile
'';
meta = with lib; {
description = "A library to handle keyboard descriptions";
homepage = "https://xkbcommon.org";
license = licenses.mit;
maintainers = with maintainers; [ ttuegel ];
mainProgram = "xkbcli";
platforms = with platforms; unix;
};
}


@ -6,13 +6,13 @@
stdenv.mkDerivation rec {
pname = "nghttp3";
version = "0.15.0";
version = "1.0.0";
src = fetchFromGitHub {
owner = "ngtcp2";
repo = pname;
rev = "v${version}";
hash = "sha256-ZnfwPgjBAI2elHrx7uzc3JX2MdeX/hsrFKj4TfMK2tI=";
hash = "sha256-mw0zI7528lvEZlv+/KuST7PWjuu37p/+EGGsjIEto2Q=";
};
outputs = [ "out" "dev" "doc" ];


@ -8,13 +8,13 @@
stdenv.mkDerivation rec {
pname = "ngtcp2";
version = "0.19.1";
version = "1.0.0";
src = fetchFromGitHub {
owner = "ngtcp2";
repo = pname;
rev = "v${version}";
hash = "sha256-agiQRy/e5VS+ANxajXYi5huRjQQ2M8eddH/AzmwnHdQ==";
hash = "sha256-dnYIRcNGTIzETu2OjTJa0IWB1+xttdGFKRBmMkTwrXk=";
};
outputs = [ "out" "dev" "doc" ];


@ -38,7 +38,11 @@ stdenv.mkDerivation (finalAttrs: {
++ lib.optional stdenv.isLinux alsa-lib
++ lib.optional pulseaudioSupport libpulseaudio;
preConfigure = ''
# touch ChangeLog to avoid below error on darwin:
# Makefile.am: error: required file './ChangeLog.md' not found
preConfigure = lib.optionalString stdenv.isDarwin ''
touch ChangeLog
'' + ''
./autogen.sh
'';
@ -48,6 +52,5 @@ stdenv.mkDerivation (finalAttrs: {
license = licenses.gpl3Plus;
maintainers = with maintainers; [ aske ];
platforms = platforms.unix;
badPlatforms = platforms.darwin;
};
})
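Review bot: The comment above `preConfigure` quotes an error about `./ChangeLog.md`, while the command it explains creates `ChangeLog`. The comment should state which file name the build accepts and why the failure is Darwin-specific, for example `# automake aborts on darwin without a changelog file; an empty ChangeLog satisfies it`, with the wording confirmed against the real failure. The section also seems to drop `badPlatforms = platforms.darwin;`, so Darwin support would rest on this workaround alone. A note on how it was verified, such as a Darwin build log, would help a later reader decide when the `touch` can be removed.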
