Merge branch 'staging' into gcc-7

This commit is contained in:
Vladimír Čunát 2017-11-11 19:09:41 +01:00
commit 1862b77b5d
No known key found for this signature in database
GPG Key ID: E747DF1F9575A3AA
3666 changed files with 70441 additions and 56174 deletions

82
.github/CODEOWNERS vendored
View File

@ -8,45 +8,75 @@
# Mentioned users will get code review requests.
# This file
.github/CODEOWNERS @edolstra
/.github/CODEOWNERS @edolstra
# Boostraping and core infra
pkgs/stdenv/ @edolstra
pkgs/build-support/cc-wrapper/ @edolstra
/pkgs/stdenv @edolstra
/pkgs/build-support/cc-wrapper @edolstra
# Libraries
lib/ @edolstra
/lib @edolstra @nbp
# Nixpkgs Internals
/default.nix @nbp
/pkgs/top-level/default.nix @nbp
/pkgs/top-level/impure.nix @nbp
/pkgs/top-level/stage.nix @nbp
# NixOS Internals
/nixos/default.nix @nbp
/nixos/lib/from-env.nix @nbp
/nixos/lib/eval-config.nix @nbp
/nixos/doc/manual/configuration/abstractions.xml @nbp
/nixos/doc/manual/configuration/config-file.xml @nbp
/nixos/doc/manual/configuration/config-syntax.xml @nbp
/nixos/doc/manual/configuration/modularity.xml @nbp
/nixos/doc/manual/development/assertions.xml @nbp
/nixos/doc/manual/development/meta-attributes.xml @nbp
/nixos/doc/manual/development/option-declarations.xml @nbp
/nixos/doc/manual/development/option-def.xml @nbp
/nixos/doc/manual/development/option-types.xml @nbp
/nixos/doc/manual/development/replace-modules.xml @nbp
/nixos/doc/manual/development/writing-modules.xml @nbp
/nixos/doc/manual/man-nixos-option.xml @nbp
/nixos/modules/installer/tools/nixos-option.sh @nbp
# Python-related code and docs
pkgs/top-level/python-packages.nix @FRidh
pkgs/development/interpreters/python/* @FRidh
pkgs/development/python-modules/* @FRidh
doc/languages-frameworks/python.md @FRidh
/pkgs/top-level/python-packages.nix @FRidh
/pkgs/development/interpreters/python @FRidh
/pkgs/development/python-modules @FRidh
/doc/languages-frameworks/python.md @FRidh
# Haskell
pkgs/development/compilers/ghc @peti
pkgs/development/haskell-modules @peti
pkgs/development/haskell-modules/default.nix @peti
pkgs/development/haskell-modules/generic-builder.nix @peti
pkgs/development/haskell-modules/hoogle.nix @peti
/pkgs/development/compilers/ghc @peti
/pkgs/development/haskell-modules @peti
/pkgs/development/haskell-modules/default.nix @peti
/pkgs/development/haskell-modules/generic-builder.nix @peti
/pkgs/development/haskell-modules/hoogle.nix @peti
# R
pkgs/applications/science/math/R @peti
pkgs/development/r-modules @peti
/pkgs/applications/science/math/R @peti
/pkgs/development/r-modules @peti
# Ruby
/pkgs/development/interpreters/ruby @zimbatm
/pkgs/development/ruby-modules @zimbatm
# Darwin-related
pkgs/stdenv/darwin/* @copumpkin @LnL7
pkgs/os-specific/darwin/* @LnL7
pkgs/os-specific/darwin/apple-source-releases/* @copumpkin
/pkgs/stdenv/darwin @NixOS/darwin-maintainers
/pkgs/os-specific/darwin @NixOS/darwin-maintainers
# Beam-related (Erlang, Elixir, LFE, etc)
pkgs/development/beam-modules/* @gleber
pkgs/development/interpreters/erlang/* @gleber
pkgs/development/interpreters/lfe/* @gleber
pkgs/development/interpreters/elixir/* @gleber
pkgs/development/tools/build-managers/rebar/* @gleber
pkgs/development/tools/build-managers/rebar3/* @gleber
pkgs/development/tools/erlang/* @gleber
/pkgs/development/beam-modules @gleber
/pkgs/development/interpreters/erlang @gleber
/pkgs/development/interpreters/lfe @gleber
/pkgs/development/interpreters/elixir @gleber
/pkgs/development/tools/build-managers/rebar @gleber
/pkgs/development/tools/build-managers/rebar3 @gleber
/pkgs/development/tools/erlang @gleber
# Jetbrains
pkgs/applications/editors/jetbrains @edwtjo
/pkgs/applications/editors/jetbrains @edwtjo
# Eclipse
/pkgs/applications/editors/eclipse @rycee

View File

@ -32,11 +32,14 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
The old config generation system used impure shell scripts and could break in specific circumstances (see #1234).
* `meta.description` should:
* Be capitalized
* Not start with the package name
* Not have a dot at the end
* Be capitalized.
* Not start with the package name.
* Not have a period at the end.
* `meta.license` must be set and fit the upstream license.
* If there is no upstream license, `meta.license` should default to `stdenv.lib.licenses.unfree`.
* `meta.maintainers` must be set.
See the nixpkgs manual for more details on how to [Submit changes to nixpkgs](https://nixos.org/nixpkgs/manual/#chap-submitting-changes).
See the nixpkgs manual for more details on [standard meta-attributes](https://nixos.org/nixpkgs/manual/#sec-standard-meta-attributes) and on how to [submit changes to nixpkgs](https://nixos.org/nixpkgs/manual/#chap-submitting-changes).
## Writing good commit messages

View File

@ -9,7 +9,7 @@
- Built on platform(s)
- [ ] NixOS
- [ ] macOS
- [ ] Linux
- [ ] other Linux distributions
- [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
- [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"`
- [ ] Tested execution of all binary files (usually in `./result/bin/`)

View File

@ -23,9 +23,7 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Note: the license above does not apply to the packages built by the
Nix Packages collection, merely to the package descriptions (i.e., Nix
expressions, build scripts, etc.). Also, the license does not apply
to some of the binaries used for bootstrapping Nixpkgs (e.g.,
pkgs/stdenv/linux/tools/bash). It also might not apply to patches
expressions, build scripts, etc.). It also might not apply to patches
included in Nixpkgs, which may be derivative works of the packages to
which they apply. The aforementioned artifacts are all covered by the
licenses of the respective packages.

View File

@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
```
For stability and maximum binary package support, it is recommended to maintain
custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
custom changes on top of one of the channels, e.g. `nixos-17.09` for the latest
release and `nixos-unstable` for the latest successful build of master:
```
% git remote update channels
% git rebase channels/nixos-17.03
% git rebase channels/nixos-17.09
```
For pull-requests, please rebase onto nixpkgs `master`.
@ -30,11 +30,11 @@ For pull-requests, please rebase onto nixpkgs `master`.
* [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language)
* [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
* [Manual (NixOS)](https://nixos.org/nixos/manual/)
* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
* [Community maintained wiki](https://nixos.wiki/)
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
* [Continuous package builds for 17.09 release](https://hydra.nixos.org/jobset/nixos/release-17.09)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
* [Tests for 17.09 release](https://hydra.nixos.org/job/nixos/release-17.09/tested#tabs-constituents)
Communication:

View File

@ -55,6 +55,10 @@ configuration file located at
</programlisting>
</para>
<para>Note that we are not able to test or build unfree software on Hydra
due to policy. Most unfree licenses prohibit us from either executing or
distributing the software.</para>
<section xml:id="sec-allow-broken">
<title>Installing broken packages</title>

View File

@ -184,7 +184,7 @@
For now, feel free to use either method.
</para>
<note><para>
There is also a "backlink" <varname>__targetPackages</varname>, yielding a package set whose <varname>buildPackages</varname> is the current package set.
There is also a "backlink" <varname>targetPackages</varname>, yielding a package set whose <varname>buildPackages</varname> is the current package set.
This is a hack, though, to accommodate compilers with lousy build systems.
Please do not use this unless you are absolutely sure you are packaging such a compiler and there is no other way.
</para></note>

View File

@ -48,6 +48,4 @@ The binaries are made available via a [binary cache](https://cache.nixos.org).
The current Nix expressions of the channels are available in the
[`nixpkgs-channels`](https://github.com/NixOS/nixpkgs-channels) repository,
which has branches corresponding to the available channels. There is also the
[Nixpkgs Monitor](http://monitor.nixos.org) which keeps track of updates
and security vulnerabilities.
which has branches corresponding to the available channels.

View File

@ -165,7 +165,7 @@ run the script in the `python3` shell.
```py
#! /usr/bin/env nix-shell
#! nix-shell -i 'python3.withPackages(ps: [ps.numpy])'
#! nix-shell -i python3 -p "python3.withPackages(ps: [ps.numpy])"
import numpy
@ -785,7 +785,20 @@ example of such a situation is when `py.test` is used.
#### Common issues
- Non-working tests can often be deselected. In the case of `py.test`: `py.test -k 'not function_name and not other_function'`.
- Non-working tests can often be deselected. By default `buildPythonPackage` runs `python setup.py test`.
Most python modules follows the standard test protocol where the pytest runner can be used instead.
`py.test` supports a `-k` parameter to ignore test methods or classes:
```nix
buildPythonPackage {
# ...
# assumes the tests are located in tests
checkInputs = [ pytest ];
checkPhase = ''
py.test -k 'not function_name and not other_function' tests
'';
}
```
- Unicode issues can typically be fixed by including `glibcLocales` in `buildInputs` and exporting `LC_ALL=en_US.utf-8`.
- Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`

View File

@ -9,16 +9,15 @@ date: 2017-03-05
To install the rust compiler and cargo put
```
rustStable.rustc
rustStable.cargo
rust
```
into the `environment.systemPackages` or bring them into scope with
`nix-shell -p rustStable.rustc -p rustStable.cargo`.
into the `environment.systemPackages` or bring them into
scope with `nix-shell -p rust`.
There are also `rustBeta` and `rustNightly` package sets available.
These are not updated very regularly. For daily builds use either rustup from
nixpkgs or use the [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
For daily builds (beta and nightly) use either rustup from
nixpkgs or use the [Rust nightlies
overlay](#using-the-rust-nightlies-overlay).
## Packaging Rust applications
@ -38,7 +37,7 @@ buildRustPackage rec {
sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj";
};
depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
cargoSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
meta = with stdenv.lib; {
description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep";
@ -50,7 +49,7 @@ buildRustPackage rec {
}
```
`buildRustPackage` requires a `depsSha256` attribute which is computed over
`buildRustPackage` requires a `cargoSha256` attribute which is computed over
all crate sources of this package. Currently it is obtained by inserting a
fake checksum into the expression and building the package once. The correct
checksum can be then take from the failed build.
@ -76,11 +75,11 @@ in the `~/.config/nixpkgs/overlays` directory.
The latest version can be installed with the following command:
$ nix-env -Ai nixos.rustChannels.stable.rust
$ nix-env -Ai nixos.latest.rustChannels.stable.rust
Or using the attribute with nix-shell:
$ nix-shell -p nixos.rustChannels.stable.rust
$ nix-shell -p nixos.latest.rustChannels.stable.rust
To install the beta or nightly channel, "stable" should be substituted by
"nightly" or "beta", or

View File

@ -18,6 +18,7 @@
<xi:include href="functions.xml" />
<xi:include href="meta.xml" />
<xi:include href="languages-frameworks/index.xml" />
<xi:include href="platform-notes.xml" />
<xi:include href="package-notes.xml" />
<xi:include href="overlays.xml" />
<xi:include href="coding-conventions.xml" />

View File

@ -200,11 +200,9 @@ meta-attributes</title>
meta.platforms = stdenv.lib.platforms.linux;
</programlisting>
Attribute Set <varname>stdenv.lib.platforms</varname> in
<link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/platforms.nix">
<filename>nixpkgs/lib/platforms.nix</filename></link> defines various common
lists of platforms types.
</para></listitem>
Attribute Set <varname>stdenv.lib.platforms</varname> defines
<link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/systems/doubles.nix">
various common lists</link> of platforms types.</para></listitem>
</varlistentry>
<varlistentry>

View File

@ -477,25 +477,11 @@ it. Place the resulting <filename>package.nix</filename> file into
<varlistentry>
<term>Using the FOSS Radeon or nouveau (nvidia) drivers</term>
<listitem><itemizedlist><listitem><para>
Both the open source radeon drivers as well as the nouveau drivers (nvidia)
need a newer libc++ than is provided by the default runtime, which leads to a
crash on launch. Use <programlisting>environment.systemPackages =
[(pkgs.steam.override { newStdcpp = true; })];</programlisting> in your config
if you get an error like
<programlisting>
libGL error: unable to load driver: radeonsi_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast</programlisting>
or
<programlisting>
libGL error: unable to load driver: nouveau_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: nouveau
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast</programlisting></para></listitem>
<listitem><itemizedlist>
<listitem><para>The <literal>newStdcpp</literal> parameter
was removed since NixOS 17.09 and should not be needed anymore.
</para></listitem>
<listitem><para>
Steam ships statically linked with a version of libcrypto that
conflics with the one dynamically loaded by radeonsi_dri.so.
@ -678,4 +664,34 @@ cp ${myEmacsConfig} $out/share/emacs/site-lisp/default.el
</section>
<section xml:id="sec-weechat">
<title>Weechat</title>
<para>
Weechat can currently be configured to include your choice of plugins.
To make use of this functionality, install an expression that overrides its configuration such as
<programlisting>weechat.override {configure = {availablePlugins, ...}: {
plugins = with availablePlugins; [ python perl ];
}
}</programlisting>
</para>
<para>
The plugins currently available are <literal>python</literal>,
<literal>perl</literal>, <literal>ruby</literal>, <literal>guile</literal>,
<literal>tcl</literal> and <literal>lua</literal>.
</para>
<para>
The python plugin allows the addition of extra libraries. For instance,
the <literal>inotify.py</literal> script in weechat-scripts requires
D-Bus or libnotify, and the <literal>fish.py</literal> script requires
pycrypto. To use these scripts, use the <literal>python</literal>
plugin's <literal>withPackages</literal> attribute:
<programlisting>weechat.override {configure = {availablePlugins, ...}: {
plugins = with availablePlugins; [
(python.withPackages (ps: with ps; [ pycrypto python-dbus ]))
];
}
}
</programlisting>
</para>
</section>
</chapter>

83
doc/platform-notes.xml Normal file
View File

@ -0,0 +1,83 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="chap-platform-nodes">
<title>Platform Notes</title>
<section xml:id="sec-darwin">
<title>Darwin (macOS)</title>
<para>Some common issues when packaging software for darwin:</para>
<itemizedlist>
<listitem>
<para>
The darwin <literal>stdenv</literal> uses clang instead of gcc.
When referring to the compiler <varname>$CC</varname> or <command>cc</command>
will work in both cases. Some builds hardcode gcc/g++ in their
build scripts, that can usually be fixed with using something
like <literal>makeFlags = [ "CC=cc" ];</literal> or by patching
the build scripts.
</para>
<programlisting>
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildPhase = ''
$CC -o hello hello.c
'';
}
</programlisting>
</listitem>
<listitem>
<para>
On darwin libraries are linked using absolute paths, libraries
are resolved by their <literal>install_name</literal> at link
time. Sometimes packages won't set this correctly causing the
library lookups to fail at runtime. This can be fixed by adding
extra linker flags or by running <command>install_name_tool -id</command>
during the <function>fixupPhase</function>.
</para>
<programlisting>
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
makeFlags = stdenv.lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
}
</programlisting>
</listitem>
<listitem>
<para>
Some packages assume xcode is available and use <command>xcrun</command>
to resolve build tools like <command>clang</command>, etc.
This causes errors like <code>xcode-select: error: no developer tools were found at '/Applications/Xcode.app'</code>
while the build doesn't actually depend on xcode.
</para>
<programlisting>
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
prePatch = ''
substituteInPlace Makefile \
--replace '/usr/bin/xcrun clang' clang
'';
}
</programlisting>
<para>
The package <literal>xcbuild</literal> can be used to build projects
that really depend on Xcode, however projects that build some kind of
graphical interface won't work without using Xcode in an impure way.
</para>
</listitem>
</itemizedlist>
</section>
</chapter>

View File

@ -1,4 +1,3 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="chap-stdenv">
@ -188,11 +187,13 @@ genericBuild
<varlistentry>
<term><varname>NIX_DEBUG</varname></term>
<listitem><para>If set, <literal>stdenv</literal> will print some
debug information during the build. In particular, the
<command>gcc</command> and <command>ld</command> wrapper scripts
will print out the complete command line passed to the wrapped
tools.</para></listitem>
<listitem><para>
A natural number indicating how much information to log.
If set to 1 or higher, <literal>stdenv</literal> will print moderate debug information during the build.
In particular, the <command>gcc</command> and <command>ld</command> wrapper scripts will print out the complete command line passed to the wrapped tools.
If set to 6 or higher, the <literal>stdenv</literal> setup script will be run with <literal>set -x</literal> tracing.
If set to 7 or higher, the <command>gcc</command> and <command>ld</command> wrapper scripts will also be run with <literal>set -x</literal> tracing.
</para></listitem>
</varlistentry>
</variablelist>
@ -697,8 +698,14 @@ nothing.</para>
<listitem><para>A list of strings passed as additional flags to
<command>make</command>. These flags are also used by the default
install and check phase. For setting make flags specific to the
build phase, use <varname>buildFlags</varname> (see
below).</para></listitem>
build phase, use <varname>buildFlags</varname> (see below).
<programlisting>
makeFlags = [ "PREFIX=$(out)" ];
</programlisting>
<note><para>The flags are quoted in bash, but environment variables can
be specified by using the make syntax.</para></note></para></listitem>
</varlistentry>
<varlistentry>

View File

@ -219,6 +219,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
ffsl = {
fullName = "Floodgap Free Software License";
url = http://www.floodgap.com/software/ffsl/license.html;
free = false;
};
free = {
@ -281,6 +282,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
};
hpnd = spdx {
spdxId = "HPND";
fullName = "Historic Permission Notice and Disclaimer";
};
# Intel's license, seems free
iasl = {
fullName = "iASL";

View File

@ -31,6 +31,7 @@
ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
akc = "Anders Claesson <akc@akc.is>";
alexvorobiev = "Alex Vorobiev <alexander.vorobiev@gmail.com";
algorith = "Dries Van Daele <dries_van_daele@telenet.be>";
alibabzo = "Alistair Bill <alistair.bill@gmail.com>";
all = "Nix Committers <nix-commits@lists.science.uu.nl>";
@ -41,12 +42,15 @@
amorsillo = "Andrew Morsillo <andrew.morsillo@gmail.com>";
AndersonTorres = "Anderson Torres <torres.anderson.85@gmail.com>";
anderspapitto = "Anders Papitto <anderspapitto@gmail.com>";
andir = "Andreas Rammhold <andreas@rammhold.de>";
andres = "Andres Loeh <ksnixos@andres-loeh.de>";
andrestylianos = "Andre S. Ramos <andre.stylianos@gmail.com>";
andrewrk = "Andrew Kelley <superjoe30@gmail.com>";
andsild = "Anders Sildnes <andsild@gmail.com>";
aneeshusa = "Aneesh Agrawal <aneeshusa@gmail.com>";
ankhers = "Justin Wood <justin.k.wood@gmail.com>";
antono = "Antono Vasiljev <self@antono.info>";
antonxy = "Anton Schirg <anton.schirg@posteo.de>";
apeschar = "Albert Peschar <albert@peschar.net>";
apeyroux = "Alexandre Peyroux <alex@px.io>";
ardumont = "Antoine R. Dumont <eniotna.t@gmail.com>";
@ -71,6 +75,7 @@
bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
bendlas = "Herwig Hochleitner <herwig@bendlas.net>";
benley = "Benjamin Staffin <benley@gmail.com>";
bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
benwbooth = "Ben Booth <benwbooth@gmail.com>";
@ -90,6 +95,7 @@
bramd = "Bram Duvigneau <bram@bramd.nl>";
bstrik = "Berno Strik <dutchman55@gmx.com>";
bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
c0bw3b = "Renaud <c0bw3b@gmail.com>";
c0dehero = "CodeHero <codehero@nerdpol.ch>";
calbrecht = "Christian Albrecht <christian.albrecht@mayflower.de>";
calrama = "Moritz Maxeiner <moritz@ucworks.org>";
@ -98,6 +104,7 @@
canndrew = "Andrew Cann <shum@canndrew.org>";
carlsverre = "Carl Sverre <accounts@carlsverre.com>";
casey = "Casey Rodarmor <casey@rodarmor.net>";
catern = "Spencer Baugh <sbaugh@catern.com>";
caugner = "Claas Augner <nixos@caugner.de>";
cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
@ -105,12 +112,14 @@
chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
chattered = "Phil Scott <me@philscotted.com>";
choochootrain = "Hurshal Patel <hurshal@imap.cc>";
chpatrick = "Patrick Chilton <chpatrick@gmail.com>";
chris-martin = "Chris Martin <ch.martin@gmail.com>";
chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
chrisrosset = "Christopher Rosset <chris@rosset.org.uk>";
christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
ciil = "Simon Lackerbauer <simon@lackerbauer.com>";
ckampka = "Christian Kampka <christian@kampka.net>";
ckauhaus = "Christian Kauhaus <christian@kauhaus.de>";
cko = "Christine Koppelt <christine.koppelt@gmail.com>";
cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
@ -130,12 +139,14 @@
cryptix = "Henry Bubert <cryptix@riseup.net>";
CrystalGamma = "Jona Stubbe <nixos@crystalgamma.de>";
cstrahan = "Charles Strahan <charles@cstrahan.com>";
csingley = "Christopher Singley <csingley@gmail.com>";
cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
DamienCassou = "Damien Cassou <damien@cassou.me>";
danbst = "Danylo Hlynskyi <abcz2.uprola@gmail.com>";
dancek = "Hannu Hartikainen <hannu.hartikainen@gmail.com>";
danielfullmer = "Daniel Fullmer <danielrf12@gmail.com>";
dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
david50407 = "David Kuo <me@davy.tw>";
davidak = "David Kleuker <post@davidak.de>";
davidrusu = "David Rusu <davidrusu.me@gmail.com>";
davorb = "Davor Babic <davor@davor.se>";
@ -155,6 +166,7 @@
dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
disassembler = "Samuel Leathers <disasm@gmail.com>";
dizfer = "David Izquierdo <david@izquierdofernandez.com>";
dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
DmitryTsygankov = "Dmitry Tsygankov <dmitry.tsygankov@gmail.com>";
dmjio = "David Johnson <djohnson.m@gmail.com>";
@ -163,13 +175,16 @@
dotlambda = "Robert Schütz <rschuetz17@gmail.com>";
doublec = "Chris Double <chris.double@double.co.nz>";
dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
dpflug = "David Pflug <david@pflug.email>";
drets = "Dmytro Rets <dmitryrets@gmail.com>";
drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
dtzWill = "Will Dietz <nix@wdtz.org>";
dupgit = "Olivier Delhomme <olivier.delhomme@free.fr>";
dywedir = "Vladyslav M. <dywedir@protonmail.ch>";
e-user = "Alexander Kahl <nixos@sodosopa.io>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
earldouglas = "James Earl Douglas <james@earldouglas.com>";
ebzzry = "Rommel Martinez <ebzzry@ebzzry.io>";
edanaher = "Evan Danaher <nixos@edanaher.net>";
edef = "edef <edef@edef.eu>";
ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
@ -190,15 +205,19 @@
eqyiel = "Ruben Maher <r@rkm.id.au>";
ericbmerritt = "Eric Merritt <eric@afiniate.com>";
ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
erictapen = "Justin Humm <justin.humm@posteo.de>";
erikryb = "Erik Rybakken <erik.rybakken@math.ntnu.no>";
ertes = "Ertugrul Söylemez <esz@posteo.de>";
ethercrow = "Dmitry Ivanov <ethercrow@gmail.com>";
etu = "Elis Hirwing <elis@hirwing.se>";
exi = "Reno Reckling <nixos@reckling.org>";
exlevan = "Alexey Levan <exlevan@gmail.com>";
expipiplus1 = "Joe Hermaszewski <nix@monoid.al>";
fadenb = "Tristan Helmich <tristan.helmich+nixos@gmail.com>";
fare = "Francois-Rene Rideau <fahree@gmail.com>";
falsifian = "James Cook <james.cook@utoronto.ca>";
fare = "Francois-Rene Rideau <fahree@gmail.com>";
fgaz = "Francesco Gazzetta <francygazz@gmail.com>";
flokli = "Florian Klink <flokli@flokli.de>";
florianjacob = "Florian Jacob <projects+nixos@florianjacob.de>";
flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>";
@ -237,6 +256,7 @@
grburst = "Julius Elias <grburst@openmailbox.org>";
gridaphobe = "Eric Seidel <eric@seidel.io>";
guibert = "David Guibert <david.guibert@gmail.com>";
guibou = "Guillaume Bouchard <guillaum.bouchard@gmail.com>";
guillaumekoenig = "Guillaume Koenig <guillaume.edward.koenig@gmail.com>";
guyonvarch = "Joris Guyonvarch <joris@guyonvarch.me>";
hakuch = "Jesse Haber-Kucharsky <hakuch@gmail.com>";
@ -245,6 +265,7 @@
hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
hce = "Hans-Christian Esperer <hc@hcesperer.org>";
hectorj = "Hector Jusforgues <hector.jusforgues+nixos@gmail.com>";
hedning = "Tor Hedin Brønner <torhedinbronner@gmail.com>";
heel = "Sergii Paryzhskyi <parizhskiy@gmail.com>";
henrytill = "Henry Till <henrytill@gmail.com>";
hhm = "hhm <heehooman+nixpkgs@gmail.com>";
@ -254,6 +275,7 @@
htr = "Hugo Tavares Reis <hugo@linux.com>";
iand675 = "Ian Duncan <ian@iankduncan.com>";
ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
iblech = "Ingo Blechschmidt <iblech@speicherleck.de>";
igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
infinisil = "Silvan Mosberger <infinisil@icloud.com>";
@ -285,17 +307,19 @@
joelmo = "Joel Moberg <joel.moberg@gmail.com>";
joelteon = "Joel Taylor <me@joelt.io>";
johbo = "Johannes Bornhold <johannes@bornhold.name>";
johnmh = "John M. Harris, Jr. <johnmh@openblox.org>";
johnramsden = "John Ramsden <johnramsden@riseup.net>";
joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
jonafato = "Jon Banafato <jon@jonafato.com>";
joncojonathan = "Jonathan Haddock <joncojonathan@gmail.com>";
jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
jyp = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
jtojnar = "Jan Tojnar <jtojnar@gmail.com>";
juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
jwiegley = "John Wiegley <johnw@newartisans.com>";
jwilberding = "Jordan Wilberding <jwilberding@afiniate.com>";
jyp = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
jzellner = "Jeff Zellner <jeffz@eml.cc>";
kaiha = "Kai Harries <kai.harries@gmail.com>";
kamilchm = "Kamil Chmielewski <kamil.chm@gmail.com>";
@ -306,14 +330,17 @@
KibaFox = "Kiba Fox <kiba.fox@foxypossibilities.com>";
kierdavis = "Kier Davis <kierdavis@gmail.com>";
kiloreux = "Kiloreux Emperex <kiloreux@gmail.com>";
kini = "Keshav Kini <keshav.kini@gmail.com>";
kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
knedlsepp = "Josef Kemetmüller <josef.kemetmueller@gmail.com>";
konimex = "Muhammad Herdiansyah <herdiansyah@netc.eu>";
koral = "Koral <koral@mailoo.org>";
kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
kquick = "Kevin Quick <quick@sparq.org>";
kragniz = "Louis Taylor <louis@kragniz.eu>";
kristoff3r = "Kristoffer Søholm <k.soeholm@gmail.com>";
ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
kuznero = "Roman Kuznetsov <roman@kuznero.com>";
lassulus = "Lassulus <lassulus@gmail.com>";
layus = "Guillaume Maudoux <layus.on@gmail.com>";
ldesgoui = "Lucas Desgouilles <ldesgoui@gmail.com>";
@ -331,10 +358,12 @@
linus = "Linus Arver <linusarver@gmail.com>";
lluchs = "Lukas Werling <lukas.werling@gmail.com>";
lnl7 = "Daiderd Jordan <daiderd@gmail.com>";
lo1tuma = "Mathias Schreck <schreck.mathias@gmail.com>";
loskutov = "Ignat Loskutov <ignat.loskutov@gmail.com>";
lovek323 = "Jason O'Conal <jason@oconal.id.au>";
lowfatcomputing = "Andreas Wagner <andreas.wagner@lowfatcomputing.org>";
lsix = "Lancelot SIX <lsix@lancelotsix.com>";
ltavard = "Laure Tavard <laure.tavard@univ-grenoble-alpes.fr>";
lucas8 = "Luc Chabassier <luc.linux@mailoo.org>";
ludo = "Ludovic Courtès <ludo@gnu.org>";
lufia = "Kyohei Kadota <lufia@lufia.org>";
@ -368,8 +397,10 @@
mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
mdaiter = "Matthew S. Daiter <mdaiter8121@gmail.com>";
meditans = "Carlo Nucera <meditans@gmail.com>";
mehandes = "Matt Deming <niewskici@gmail.com>";
meisternu = "Matt Miemiec <meister@krutt.org>";
metabar = "Celine Mercier <softs@metabarcoding.org>";
mgdelacroix = "Miguel de la Cruz <mgdelacroix@gmail.com>";
mguentner = "Maximilian Güntner <code@klandest.in>";
mic92 = "Jörg Thalheim <joerg@thalheim.io>";
michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
@ -379,7 +410,6 @@
mikefaille = "Michaël Faille <michael@faille.io>";
miltador = "Vasiliy Solovey <miltador@yandex.ua>";
mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
mingchuan = "Ming Chuan <ming@culpring.com>";
mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
mjanczyk = "Marcin Janczyk <m@dragonvr.pl>";
@ -419,7 +449,7 @@
nicknovitski = "Nick Novitski <nixpkgs@nicknovitski.com>";
nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
NikolaMandic = "Ratko Mladic <nikola@mandic.email>";
nixy = "Andrew R. M. <andrewmiller237@gmail.com>";
nixy = "Andrew R. M. <nixy@nixy.moe>";
nocoolnametom = "Tom Doggett <nocoolnametom@gmail.com>";
notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
@ -453,6 +483,7 @@
periklis = "theopompos@gmail.com";
pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
peterhoeg = "Peter Hoeg <peter@hoeg.com>";
peterromfeldhk = "Peter Romfeld <peter.romfeld.hk@gmail.com>";
peti = "Peter Simons <simons@cryp.to>";
philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
phile314 = "Philipp Hausmann <nix@314.ch>";
@ -488,6 +519,7 @@
rardiol = "Ricardo Ardissone <ricardo.ardissone@gmail.com>";
rasendubi = "Alexey Shmalko <rasen.dubi@gmail.com>";
raskin = "Michael Raskin <7c6f434c@mail.ru>";
ravloony = "Tom Macdonald <ravloony@gmail.com>";
rbasso = "Rafael Basso <rbasso@sharpgeeks.net>";
redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
redvers = "Redvers Davies <red@infect.me>";
@ -507,6 +539,7 @@
robberer = "Longrin Wischnewski <robberer@freakmail.de>";
robbinch = "Robbin C. <robbinch33@gmail.com>";
roberth = "Robert Hensing <nixpkgs@roberthensing.nl>";
robertodr = "Roberto Di Remigio <roberto.diremigio@gmail.com>";
robgssp = "Rob Glossop <robgssp@gmail.com>";
roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
roconnor = "Russell O'Connor <roconnor@theorem.ca>";
@ -526,6 +559,7 @@
ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
rzetterberg = "Richard Zetterberg <richard.zetterberg@gmail.com>";
s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
samdroid-apps = "Sam Parkinson <sam@sam.today>";
samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
sargon = "Daniel Ehlers <danielehlers@mindeye.net>";
@ -535,6 +569,7 @@
schristo = "Scott Christopher <schristopher@konputa.com>";
scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
sdll = "Sasha Illarionov <sasha.delly@gmail.com>";
SeanZicari = "Sean Zicari <sean.zicari@gmail.com>";
sepi = "Raffael Mancini <raffael@mancini.lu>";
seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
@ -544,8 +579,10 @@
shell = "Shell Turner <cam.turn@gmail.com>";
shlevy = "Shea Levy <shea@shealevy.com>";
siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
sifmelcara = "Ming Chuan <ming@culpring.com>";
sigma = "Yann Hodique <yann.hodique@gmail.com>";
simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
sivteck = "Sivaram Balakrishnan <sivaram1992@gmail.com>";
sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
sjourdois = "Stéphane kwisatz Jourdois <sjourdois@gmail.com>";
@ -556,6 +593,7 @@
snyh = "Xia Bin <snyh@snyh.org>";
solson = "Scott Olson <scott@solson.me>";
sorpaas = "Wei Tang <hi@that.world>";
sorki = "Richard Marko <srk@48.io>";
spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
@ -567,23 +605,27 @@
sternenseemann = "Lukas Epple <post@lukasepple.de>";
stesie = "Stefan Siegl <stesie@brokenpipe.de>";
steveej = "Stefan Junker <mail@stefanjunker.de>";
stumoss = "Stuart Moss <samoss@gmail.com>";
SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>";
swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
swflint = "Samuel W. Flint <swflint@flintfam.org>";
swistak35 = "Rafał Łasocha <me@swistak35.com>";
symphorien = "Guillaume Girol <symphorien_nixpkgs@xlumurb.eu>";
szczyp = "Szczyp <qb@szczyp.com>";
sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
taeer = "Taeer Bar-Yam <taeer@necsi.edu>";
tailhook = "Paul Colomiets <paul@colomiets.name>";
taketwo = "Sergey Alexandrov <alexandrov88@gmail.com>";
takikawa = "Asumu Takikawa <asumu@igalia.com>";
taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
tari = "Peter Marheine <peter@taricorp.net>";
tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
ltavard = "Laure Tavard <laure.tavard@univ-grenoble-alpes.fr>";
TealG = "Teal Gaure <~@Teal.Gr>";
teh = "Tom Hunger <tehunger@gmail.com>";
teto = "Matthieu Coudron <mcoudron@hotmail.com>";
telotortium = "Robert Irelan <rirelan@gmail.com>";
teto = "Matthieu Coudron <mcoudron@hotmail.com>";
tex = "Milan Svoboda <milan.svoboda@centrum.cz>";
thall = "Niclas Thall <niclas.thall@gmail.com>";
thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
the-kenny = "Moritz Ulrich <moritz@tarn-vedra.de>";
@ -591,6 +633,7 @@
ThomasMader = "Thomas Mader <thomas.mader@gmail.com>";
thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
timbertson = "Tim Cuthbertson <tim@gfxmonk.net>";
timokau = "Timo Kaufmann <timokau@zoho.com>";
titanous = "Jonathan Rudenberg <jonathan@titanous.com>";
tnias = "Philipp Bartsch <phil@grmr.de>";
tohl = "Tomas Hlavaty <tom@logand.com>";
@ -612,6 +655,7 @@
#urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
uwap = "uwap <me@uwap.name>";
vaibhavsagar = "Vaibhav Sagar <vaibhavsagar@gmail.com>";
valeriangalliat = "Valérian Galliat <val@codejam.info>";
vandenoever = "Jos van den Oever <jos@vandenoever.info>";
vanschelven = "Klaas van Schelven <klaas@vanschelven.com>";
vanzef = "Ivan Solyankin <vanzef@gmail.com>";
@ -628,7 +672,6 @@
vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
vmandela = "Venkateswara Rao Mandela <venkat.mandela@gmail.com>";
vmchale = "Vanessa McHale <tmchale@wisc.edu>";
valeriangalliat = "Valérian Galliat <val@codejam.info>";
volhovm = "Mikhail Volkhov <volhovm.cs@gmail.com>";
volth = "Jaroslavas Pocepko <jaroslavas@volth.com>";
vozz = "Oliver Hunt <oliver.huntuk@gmail.com>";
@ -649,7 +692,10 @@
xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
xwvvvvwx = "David Terry <davidterry@posteo.de>";
xzfc = "Albert Safin <xzfcpw@gmail.com>";
yarr = "Dmitry V. <savraz@gmail.com>";
yegortimoshenko = "Yegor Timoshenko <yegortimoshenko@gmail.com>";
ylwghst = "Burim Augustin Berisa <ylwghst@onionmail.info>";
yochai = "Yochai <yochai@titat.info>";
yorickvp = "Yorick van Pelt <yorickvanpelt@gmail.com>";
yuriaisaka = "Yuri Aisaka <yuri.aisaka+nix@gmail.com>";

View File

@ -338,7 +338,7 @@ rec {
# Type-check the remaining definitions, and merge them.
mergedValue = foldl' (res: def:
if type.check def.value then res
else throw "The option value `${showOption loc}' in `${def.file}' is not a ${type.description}.")
else throw "The option value `${showOption loc}' in `${def.file}' is not of type `${type.description}'.")
(type.merge loc defsFinal) defsFinal;
isDefined = defsFinal != [];

View File

@ -2,7 +2,6 @@
rec {
pcBase = {
name = "pc";
uboot = null;
kernelHeadersBaseConfig = "defconfig";
kernelBaseConfig = "defconfig";
# Build whatever possible as a module, if not stated in the extra config.
@ -50,9 +49,6 @@ rec {
kernelTarget = "uImage";
# TODO reenable once manual-config's config actually builds a .dtb and this is checked to be working
#kernelDTB = true;
# XXX can be anything non-null, pkgs actually only cares if it is set or not
uboot = "pogoplug4";
};
sheevaplug = {
@ -162,9 +158,6 @@ rec {
'';
kernelMakeFlags = [ "LOADADDR=0x0200000" ];
kernelTarget = "uImage";
uboot = "sheevaplug";
# Only for uboot = uboot :
ubootConfig = "sheevaplug_config";
kernelDTB = true; # Beyond 3.10
gcc = {
arch = "armv5te";
@ -251,7 +244,6 @@ rec {
LATENCYTOP y
'';
kernelTarget = "zImage";
uboot = null;
gcc = {
arch = "armv6";
fpu = "vfp";
@ -342,7 +334,6 @@ rec {
XEN? n
'';
kernelTarget = "zImage";
uboot = null;
};
scaleway-c1 = armv7l-hf-multiplatform // {
@ -374,7 +365,6 @@ rec {
kernelMakeFlags = [ "LOADADDR=0x10800000" ];
kernelTarget = "uImage";
kernelDTB = true;
uboot = true; #XXX: any non-null value here is needed so that mkimage is present to build kernelTarget uImage
gcc = {
cpu = "cortex-a9";
fpu = "neon";
@ -464,7 +454,6 @@ rec {
FTRACE n
'';
kernelTarget = "vmlinux";
uboot = null;
gcc = {
arch = "loongson2f";
abi = "n32";
@ -473,11 +462,10 @@ rec {
beaglebone = armv7l-hf-multiplatform // {
name = "beaglebone";
kernelBaseConfig = "omap2plus_defconfig";
kernelBaseConfig = "bb.org_defconfig";
kernelAutoModules = false;
kernelExtraConfig = ""; # TBD kernel config
kernelTarget = "zImage";
uboot = null;
};
armv7l-hf-multiplatform = {
@ -489,7 +477,6 @@ rec {
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
uboot = null;
kernelTarget = "zImage";
kernelExtraConfig = ''
# Fix broken sunxi-sid nvmem driver.
@ -545,11 +532,13 @@ rec {
# Cavium ThunderX stuff.
PCI_HOST_THUNDER_ECAM y
# Nvidia Tegra stuff.
PCI_TEGRA y
# The default (=y) forces us to have the XHCI firmware available in initrd,
# which our initrd builder can't currently do easily.
USB_XHCI_TEGRA m
'';
uboot = null;
kernelTarget = "Image";
gcc = {
arch = "armv8-a";

View File

@ -61,6 +61,16 @@ checkConfigError() {
checkConfigOutput "false" config.enable ./declare-enable.nix
checkConfigError 'The option .* defined in .* does not exist.' config.enable ./define-enable.nix
# Check integer types.
# unsigned
checkConfigOutput "42" config.value ./declare-int-unsigned-value.nix ./define-value-int-positive.nix
checkConfigError 'The option value .* in .* is not of type.*unsigned integer.*' config.value ./declare-int-unsigned-value.nix ./define-value-int-negative.nix
# positive
checkConfigError 'The option value .* in .* is not of type.*positive integer.*' config.value ./declare-int-positive-value.nix ./define-value-int-zero.nix
# between
checkConfigOutput "42" config.value ./declare-int-between-value.nix ./define-value-int-positive.nix
checkConfigError 'The option value .* in .* is not of type.*between.*-21 and 43.*inclusive.*' config.value ./declare-int-between-value.nix ./define-value-int-negative.nix
# Check mkForce without submodules.
set -- config.enable ./declare-enable.nix ./define-enable.nix
checkConfigOutput "true" "$@"
@ -126,7 +136,7 @@ checkConfigOutput "true" "$@" ./define-module-check.nix
# Check coerced value.
checkConfigOutput "\"42\"" config.value ./declare-coerced-value.nix
checkConfigOutput "\"24\"" config.value ./declare-coerced-value.nix ./define-value-string.nix
checkConfigError 'The option value .* in .* is not a string or integer.' config.value ./declare-coerced-value.nix ./define-value-list.nix
checkConfigError 'The option value .* in .* is not.*string or signed integer.*' config.value ./declare-coerced-value.nix ./define-value-list.nix
cat <<EOF
====== module tests ======

View File

@ -0,0 +1,9 @@
{ lib, ... }:
{
options = {
value = lib.mkOption {
type = lib.types.ints.between (-21) 43;
};
};
}

View File

@ -0,0 +1,9 @@
{ lib, ... }:
{
options = {
value = lib.mkOption {
type = lib.types.ints.positive;
};
};
}

View File

@ -0,0 +1,9 @@
{ lib, ... }:
{
options = {
value = lib.mkOption {
type = lib.types.ints.unsigned;
};
};
}

View File

@ -0,0 +1,3 @@
{
value = -23;
}

View File

@ -0,0 +1,3 @@
{
value = 42;
}

View File

@ -0,0 +1,3 @@
{
value = 0;
}

View File

@ -109,11 +109,64 @@ rec {
int = mkOptionType rec {
name = "int";
description = "integer";
description = "signed integer";
check = isInt;
merge = mergeOneOption;
};
# Specialized subdomains of int
ints =
let
betweenDesc = lowest: highest:
"${toString lowest} and ${toString highest} (both inclusive)";
between = lowest: highest: assert lowest <= highest;
addCheck int (x: x >= lowest && x <= highest) // {
name = "intBetween";
description = "integer between ${betweenDesc lowest highest}";
};
ign = lowest: highest: name: docStart:
between lowest highest // {
inherit name;
description = docStart + "; between ${betweenDesc lowest highest}";
};
unsign = bit: range: ign 0 (range - 1)
"unsignedInt${toString bit}" "${toString bit} bit unsigned integer";
sign = bit: range: ign (0 - (range / 2)) (range / 2 - 1)
"signedInt${toString bit}" "${toString bit} bit signed integer";
in rec {
/* An int with a fixed range.
*
* Example:
* (ints.between 0 100).check (-1)
* => false
* (ints.between 0 100).check (101)
* => false
* (ints.between 0 0).check 0
* => true
*/
inherit between;
unsigned = addCheck types.int (x: x >= 0) // {
name = "unsignedInt";
description = "unsigned integer, meaning >=0";
};
positive = addCheck types.int (x: x > 0) // {
name = "positiveInt";
description = "positive integer, meaning >0";
};
u8 = unsign 8 256;
u16 = unsign 16 65536;
# the biggest int a 64-bit Nix accepts is 2^63 - 1 (9223372036854775808), for a 32-bit Nix it is 2^31 - 1 (2147483647)
# the smallest int a 64-bit Nix accepts is -2^63 (-9223372036854775807), for a 32-bit Nix it is -2^31 (-2147483648)
# u32 = unsign 32 4294967296;
# u64 = unsign 64 18446744073709551616;
s8 = sign 8 256;
s16 = sign 16 65536;
# s32 = sign 32 4294967296;
};
str = mkOptionType {
name = "str";
description = "string";
@ -172,7 +225,7 @@ rec {
};
# drop this in the future:
list = builtins.trace "`types.list' is deprecated; use `types.listOf' instead" types.listOf;
list = builtins.trace "`types.list` is deprecated; use `types.listOf` instead" types.listOf;
listOf = elemType: mkOptionType rec {
name = "listOf";
@ -189,7 +242,7 @@ rec {
).optionalValue
) def.value
else
throw "The option value `${showOption loc}' in `${def.file}' is not a list.") defs)));
throw "The option value `${showOption loc}` in `${def.file}` is not a list.") defs)));
getSubOptions = prefix: elemType.getSubOptions (prefix ++ ["*"]);
getSubModules = elemType.getSubModules;
substSubModules = m: listOf (elemType.substSubModules m);
@ -240,25 +293,6 @@ rec {
functor = (defaultFunctor name) // { wrapped = elemType; };
};
# List or element of ...
loeOf = elemType: mkOptionType rec {
name = "loeOf";
description = "element or list of ${elemType.description}s";
check = x: isList x || elemType.check x;
merge = loc: defs:
let
defs' = filterOverrides defs;
res = (head defs').value;
in
if isList res then concatLists (getValues defs')
else if lessThan 1 (length defs') then
throw "The option `${showOption loc}' is defined multiple times, in ${showFiles (getFiles defs)}."
else if !isString res then
throw "The option `${showOption loc}' does not have a string value, in ${showFiles (getFiles defs)}."
else res;
functor = (defaultFunctor name) // { wrapped = elemType; };
};
# Value of given type but with no merging (i.e. `uniq list`s are not concatenated).
uniq = elemType: mkOptionType rec {
name = "uniq";
@ -279,7 +313,7 @@ rec {
let nrNulls = count (def: def.value == null) defs; in
if nrNulls == length defs then null
else if nrNulls != 0 then
throw "The option `${showOption loc}' is defined both null and not null, in ${showFiles (getFiles defs)}."
throw "The option `${showOption loc}` is defined both null and not null, in ${showFiles (getFiles defs)}."
else elemType.merge loc defs;
getSubOptions = elemType.getSubOptions;
getSubModules = elemType.getSubModules;
@ -307,8 +341,17 @@ rec {
}).config;
getSubOptions = prefix: (evalModules
{ modules = opts'; inherit prefix;
# FIXME: hack to get shit to evaluate.
args = { name = ""; }; }).options;
# This is a work-around due to the fact that some sub-modules,
# such as the one included in an attribute set, expects a "args"
# attribute to be given to the sub-module. As the option
# evaluation does not have any specific attribute name, we
# provide a default one for the documentation.
#
# This is mandatory as some option declaration might use the
# "name" attribute given as argument of the submodule and use it
# as the default of option declarations.
args.name = "&lt;name&gt;";
}).options;
getSubModules = opts';
substSubModules = m: submodule m;
functor = (defaultFunctor name) // {

View File

@ -6,7 +6,7 @@ GNOME_FTP=ftp.gnome.org/pub/GNOME/sources
# projects that don't follow the GNOME major versioning, or that we don't want to
# programmatically update
NO_GNOME_MAJOR="ghex gtkhtml gdm"
NO_GNOME_MAJOR="ghex gtkhtml gdm gucharmap"
usage() {
echo "Usage: $0 <show project>|<update project>|<update-all> [major.minor]" >&2

View File

@ -49,8 +49,8 @@ def get_maintainers(attr_name):
@click.command()
@click.option(
'--jobset',
default="nixos/release-17.03",
help='Hydra project like nixos/release-17.03')
default="nixos/release-17.09",
help='Hydra project like nixos/release-17.09')
def cli(jobset):
"""
Given a Hydra project, inspect latest evaluation

View File

@ -18,6 +18,7 @@ import os
import re
import requests
import toolz
from concurrent.futures import ThreadPoolExecutor as pool
INDEX = "https://pypi.io/pypi"
"""url of PyPI"""
@ -235,7 +236,8 @@ def main():
packages = map(os.path.abspath, args.package)
count = list(map(_update, packages))
with pool() as p:
count = list(p.map(_update, packages))
logging.info("{} package(s) updated".format(sum(count)))

View File

@ -22,10 +22,6 @@
<listitem><para>A boolean, its values can be <literal>true</literal> or
<literal>false</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>types.int</varname></term>
<listitem><para>An integer.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>types.path</varname></term>
<listitem><para>A filesystem path, defined as anything that when coerced to
@ -39,7 +35,59 @@
</varlistentry>
</variablelist>
<para>String related types:</para>
<para>Integer-related types:</para>
<variablelist>
<varlistentry>
<term><varname>types.int</varname></term>
<listitem><para>A signed integer.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.ints.{s8, s16, s32}</varname>
</term>
<listitem>
<para>Signed integers with a fixed length (8, 16 or 32 bits).
They go from
<inlineequation><mathphrase>2<superscript>n</superscript>/2</mathphrase>
</inlineequation> to <inlineequation>
<mathphrase>2<superscript>n</superscript>/21</mathphrase>
</inlineequation>
respectively (e.g. <literal>128</literal> to <literal>127</literal>
for 8 bits).
</para></listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.ints.unsigned</varname>
</term>
<listitem><para>An unsigned integer (that is >= 0).
</para></listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.ints.{u8, u16, u32}</varname>
</term>
<listitem>
<para>Unsigned integers with a fixed length (8, 16 or 32 bits).
They go from
<inlineequation><mathphrase>0</mathphrase></inlineequation> to <inlineequation>
<mathphrase>2<superscript>n</superscript>1</mathphrase>
</inlineequation>
respectively (e.g. <literal>0</literal> to <literal>255</literal>
for 8 bits).
</para></listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.ints.positive</varname>
</term>
<listitem><para>A positive integer (that is > 0).
</para></listitem>
</varlistentry>
</variablelist>
<para>String-related types:</para>
<variablelist>
<varlistentry>
@ -68,7 +116,7 @@
<section><title>Value Types</title>
<para>Value types are type that take a value parameter.</para>
<para>Value types are types that take a value parameter.</para>
<variablelist>
<varlistentry>
@ -84,6 +132,17 @@
<replaceable>sep</replaceable>, e.g. <literal>types.separatedString
"|"</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.ints.between</varname>
<replaceable>lowest</replaceable>
<replaceable>highest</replaceable>
</term>
<listitem><para>An integer between <replaceable>lowest</replaceable>
and <replaceable>highest</replaceable> (both inclusive).
Useful for creating types like <literal>types.port</literal>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>types.submodule</varname> <replaceable>o</replaceable></term>
<listitem><para>A set of sub options <replaceable>o</replaceable>.

View File

@ -31,7 +31,7 @@ ISO, copy its contents verbatim to your drive, then either:
<para>Edit <filename>loader/entries/nixos-livecd.conf</filename> on the drive
and change the <literal>root=</literal> field in the <literal>options</literal>
line to point to your drive (see the documentation on <literal>root=</literal>
in <link xlink:href="https://www.kernel.org/doc/Documentation/kernel-parameters.txt">
in <link xlink:href="https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt">
the kernel documentation</link> for more details).</para>
</listitem>
<listitem>

View File

@ -16,7 +16,8 @@
hardware.</para></listitem>
<listitem><para>The NixOS manual is available on virtual console 8
(press Alt+F8 to access).</para></listitem>
(press Alt+F8 to access) or by running <command>nixos-help</command>.
</para></listitem>
<listitem><para>You get logged in as <literal>root</literal>
(with empty password).</para></listitem>
@ -139,6 +140,11 @@
the GRUB boot loader is to be installed. Without it, NixOS cannot
boot.</para>
<para>If there are other operating systems running on the machine before
installing NixOS, the
<option>boot.loader.grub.useOSProber</option> option can be set to
<literal>true</literal> to automatically add them to the grub menu.</para>
<para>Another critical option is <option>fileSystems</option>,
specifying the file systems that need to be mounted by NixOS.
However, you typically dont need to set it yourself, because

View File

@ -9,6 +9,7 @@
<para>This section lists the release notes for each stable version of NixOS
and current unstable revision.</para>
<xi:include href="rl-1803.xml" />
<xi:include href="rl-1709.xml" />
<xi:include href="rl-1703.xml" />
<xi:include href="rl-1609.xml" />

View File

@ -6,13 +6,22 @@
<title>Release 17.09 (“Hummingbird”, 2017/09/??)</title>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.09-highlights">
<title>Highlights</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
<itemizedlist>
<listitem>
<para>
The GNOME version is now 3.24.
The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10,
KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
</para>
</listitem>
<listitem>
@ -45,16 +54,130 @@ has the following highlights: </para>
even though <literal>HDMI-0</literal> is the first head in the list.
</para>
</listitem>
<listitem>
<para>
The handling of SSL in the <literal>services.nginx</literal> module has
been cleaned up, renaming the misnamed <literal>enableSSL</literal> to
<literal>onlySSL</literal> which reflects its original intention. This
is not to be used with the already existing <literal>forceSSL</literal>
which creates a second non-SSL virtual host redirecting to the SSL
virtual host. This by chance had worked earlier due to specific
implementation details. In case you had specified both please remove
the <literal>enableSSL</literal> option to keep the previous behaviour.
</para>
<para>
Another <literal>addSSL</literal> option has been introduced to configure
both a non-SSL virtual host and an SSL virtual host with the same
configuration.
</para>
<para>
Options to configure <literal>resolver</literal> options and
<literal>upstream</literal> blocks have been introduced. See their information
for further details.
</para>
<para>
The <literal>port</literal> option has been replaced by a more generic
<literal>listen</literal> option which makes it possible to specify
multiple addresses, ports and SSL configs dependant on the new SSL
handling mentioned above.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.09-new-services">
<title>New Services</title>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem>
<para></para>
</listitem>
<listitem><para><literal>config/fonts/fontconfig-penultimate.nix</literal></para></listitem>
<listitem><para><literal>config/fonts/fontconfig-ultimate.nix</literal></para></listitem>
<listitem><para><literal>config/terminfo.nix</literal></para></listitem>
<listitem><para><literal>hardware/sensor/iio.nix</literal></para></listitem>
<listitem><para><literal>hardware/nitrokey.nix</literal></para></listitem>
<listitem><para><literal>hardware/raid/hpsa.nix</literal></para></listitem>
<listitem><para><literal>programs/browserpass.nix</literal></para></listitem>
<listitem><para><literal>programs/gnupg.nix</literal></para></listitem>
<listitem><para><literal>programs/qt5ct.nix</literal></para></listitem>
<listitem><para><literal>programs/slock.nix</literal></para></listitem>
<listitem><para><literal>programs/thefuck.nix</literal></para></listitem>
<listitem><para><literal>security/auditd.nix</literal></para></listitem>
<listitem><para><literal>security/lock-kernel-modules.nix</literal></para></listitem>
<listitem><para><literal>service-managers/docker.nix</literal></para></listitem>
<listitem><para><literal>service-managers/trivial.nix</literal></para></listitem>
<listitem><para><literal>services/admin/salt/master.nix</literal></para></listitem>
<listitem><para><literal>services/admin/salt/minion.nix</literal></para></listitem>
<listitem><para><literal>services/audio/slimserver.nix</literal></para></listitem>
<listitem><para><literal>services/cluster/kubernetes/default.nix</literal></para></listitem>
<listitem><para><literal>services/cluster/kubernetes/dns.nix</literal></para></listitem>
<listitem><para><literal>services/cluster/kubernetes/dashboard.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/hail.nix</literal></para></listitem>
<listitem><para><literal>services/databases/clickhouse.nix</literal></para></listitem>
<listitem><para><literal>services/databases/postage.nix</literal></para></listitem>
<listitem><para><literal>services/desktops/gnome3/gnome-disks.nix</literal></para></listitem>
<listitem><para><literal>services/desktops/gnome3/gpaste.nix</literal></para></listitem>
<listitem><para><literal>services/logging/SystemdJournal2Gelf.nix</literal></para></listitem>
<listitem><para><literal>services/logging/heartbeat.nix</literal></para></listitem>
<listitem><para><literal>services/logging/journalwatch.nix</literal></para></listitem>
<listitem><para><literal>services/logging/syslogd.nix</literal></para></listitem>
<listitem><para><literal>services/mail/mailhog.nix</literal></para></listitem>
<listitem><para><literal>services/mail/nullmailer.nix</literal></para></listitem>
<listitem><para><literal>services/misc/airsonic.nix</literal></para></listitem>
<listitem><para><literal>services/misc/autorandr.nix</literal></para></listitem>
<listitem><para><literal>services/misc/exhibitor.nix</literal></para></listitem>
<listitem><para><literal>services/misc/fstrim.nix</literal></para></listitem>
<listitem><para><literal>services/misc/gollum.nix</literal></para></listitem>
<listitem><para><literal>services/misc/irkerd.nix</literal></para></listitem>
<listitem><para><literal>services/misc/jackett.nix</literal></para></listitem>
<listitem><para><literal>services/misc/radarr.nix</literal></para></listitem>
<listitem><para><literal>services/misc/snapper.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/osquery.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/collectd-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/kbfs.nix</literal></para></listitem>
<listitem><para><literal>services/networking/dnscache.nix</literal></para></listitem>
<listitem><para><literal>services/networking/fireqos.nix</literal></para></listitem>
<listitem><para><literal>services/networking/iwd.nix</literal></para></listitem>
<listitem><para><literal>services/networking/keepalived/default.nix</literal></para></listitem>
<listitem><para><literal>services/networking/keybase.nix</literal></para></listitem>
<listitem><para><literal>services/networking/lldpd.nix</literal></para></listitem>
<listitem><para><literal>services/networking/matterbridge.nix</literal></para></listitem>
<listitem><para><literal>services/networking/squid.nix</literal></para></listitem>
<listitem><para><literal>services/networking/tinydns.nix</literal></para></listitem>
<listitem><para><literal>services/networking/xrdp.nix</literal></para></listitem>
<listitem><para><literal>services/security/shibboleth-sp.nix</literal></para></listitem>
<listitem><para><literal>services/security/sks.nix</literal></para></listitem>
<listitem><para><literal>services/security/sshguard.nix</literal></para></listitem>
<listitem><para><literal>services/security/torify.nix</literal></para></listitem>
<listitem><para><literal>services/security/usbguard.nix</literal></para></listitem>
<listitem><para><literal>services/security/vault.nix</literal></para></listitem>
<listitem><para><literal>services/system/earlyoom.nix</literal></para></listitem>
<listitem><para><literal>services/system/saslauthd.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/nexus.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/pgpkeyserver-lite.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/piwik.nix</literal></para></listitem>
<listitem><para><literal>services/web-servers/lighttpd/collectd.nix</literal></para></listitem>
<listitem><para><literal>services/web-servers/minio.nix</literal></para></listitem>
<listitem><para><literal>services/x11/display-managers/xpra.nix</literal></para></listitem>
<listitem><para><literal>services/x11/xautolock.nix</literal></para></listitem>
<listitem><para><literal>tasks/filesystems/bcachefs.nix</literal></para></listitem>
<listitem><para><literal>tasks/powertop.nix</literal></para></listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.09-incompatibilities">
<title>Backward Incompatibilities</title>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
@ -62,10 +185,97 @@ following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
<literal>aiccu</literal> package was removed. This is due to SixXS
<emphasis role="strong">
In an Qemu-based virtualization environment, the network interface
names changed from i.e. <literal>enp0s3</literal> to
<literal>ens3</literal>.
</emphasis>
</para>
<para>
This is due to a kernel configuration change. The new naming
is consistent with those of other Linux distributions with
systemd. See
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link>
for more information.
</para>
<para>
A machine is affected if the <literal>virt-what</literal> tool
either returns <literal>qemu</literal> or
<literal>kvm</literal> <emphasis>and</emphasis> has
interface names used in any part of its NixOS configuration,
in particular if a static network configuration with
<literal>networking.interfaces</literal> is used.
</para>
<para>
Before rebooting affected machines, please ensure:
<itemizedlist>
<listitem>
<para>
Change the interface names in your NixOS configuration.
The first interface will be called <literal>ens3</literal>,
the second one <literal>ens8</literal> and starting from there
incremented by 1.
</para>
</listitem>
<listitem>
<para>
After changing the interface names, rebuild your system with
<literal>nixos-rebuild boot</literal> to activate the new
configuration after a reboot. If you switch to the new
configuration right away you might lose network connectivity!
If using <literal>nixops</literal>, deploy with
<literal>nixops deploy --force-reboot</literal>.
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
For <literal>stateVersion = "17.03"</literal> or lower the old behavior is preserved.
</para>
<itemizedlist>
<listitem>
<para>
The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
</para>
</listitem>
<listitem>
<para>
The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
</para>
</listitem>
<listitem>
<para>
The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
</para>
</listitem>
<listitem>
<para>
Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>aiccu</literal> package was removed. This is due to SixXS
<link xlink:href="https://www.sixxs.net/main/"> sunsetting</link> its IPv6 tunnel.
</para>
</listitem>
<listitem>
<para>
The <literal>fanctl</literal> package and <literal>fan</literal> module
have been removed due to the developers not upstreaming their iproute2
patches and lagging with compatibility to recent iproute2 versions.
</para>
</listitem>
<listitem>
<para>
Top-level <literal>idea</literal> package collection was renamed.
@ -81,7 +291,7 @@ following incompatible changes:</para>
</listitem>
<listitem>
<para>
The ipfs package now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
The <literal>ipfs</literal> service now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
<programlisting>
dataDir=&lt;valueOfDataDir&gt;
mv /var/lib/ipfs/.ipfs/* $dataDir
@ -89,32 +299,11 @@ rmdir /var/lib/ipfs/.ipfs
</programlisting>
</para>
</listitem>
<listitem>
<para>
The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
For <literal>stateVersion = "17.03</literal> or lower the old behavior is preserved.
</para>
<para>
The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
</para>
<para>
The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
</para>
<para>
The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
</para>
<para>
The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
</para>
<para>
Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
</para>
</listitem>
<listitem>
<para>
The <literal>caddy</literal> service was previously using an extra
<literal>.caddy</literal> in the data directory specified with the
<literal>dataDir</literal> option. The contents of the
<literal>.caddy</literal> directory in the data directory specified
with the <literal>dataDir</literal> option. The contents of the
<literal>.caddy</literal> directory are now expected to be in the
<literal>dataDir</literal>.
</para>
@ -195,16 +384,112 @@ rmdir /var/lib/ipfs/.ipfs
</listitem>
<listitem>
<para>
The <literal>gnupg</literal> package used to suffix its programs
with <literal>2</literal>, like <command>gpg2</command> and
<command>gpgv2</command>. This suffix has since been dropped,
and the programs are now simply <command>gpg</command>,
<command>gpgv</command>, etc.
<literal>services.mysql</literal> now has declarative
configuration of databases and users with the <literal>ensureDatabases</literal> and
<literal>ensureUsers</literal> options.
</para>
<para>
These options will never delete existing databases and users,
especially not when the value of the options are changed.
</para>
<para>
The MySQL users will be identified using
<link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/">
Unix socket authentication</link>. This authenticates the
Unix user with the same name only, and that without the need
for a password.
</para>
<para>
If you have previously created a MySQL <literal>root</literal>
user <emphasis>with a password</emphasis>, you will need to add
<literal>root</literal> user for unix socket authentication
before using the new options. This can be done by running the
following SQL script:
<programlisting language="sql">
CREATE USER 'root'@'%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
-- Optionally, delete the password-authenticated user:
-- DROP USER 'root'@'localhost';
</programlisting>
</para>
</listitem>
<listitem>
<para>
<literal>services.mysqlBackup</literal> now works by default
without any user setup, including for users other than
<literal>mysql</literal>.
</para>
<para>
By default, the <literal>mysql</literal> user is no longer the
user which performs the backup. Instead a system account
<literal>mysqlbackup</literal> is used.
</para>
<para>
The <literal>mysqlBackup</literal> service is also now using
systemd timers instead of <literal>cron</literal>.
</para>
<para>
Therefore, the <literal>services.mysqlBackup.period</literal>
option no longer exists, and has been replaced with
<literal>services.mysqlBackup.calendar</literal>, which is in
the format of <link
xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>.
</para>
<para>
If you expect to be sent an e-mail when the backup fails,
consider using a script which monitors the systemd journal for
errors. Regretfully, at present there is no built-in
functionality for this.
</para>
<para>
You can check that backups still work by running
<command>systemctl start mysql-backup</command> then
<command>systemctl status mysql-backup</command>.
</para>
</listitem>
<listitem>
<para>
Templated systemd services e.g <literal>container@name</literal> are
now handled currectly when switching to a new configuration, resulting
in them being reloaded.
</para>
</listitem>
<listitem>
<para>Steam: the <literal>newStdcpp</literal> parameter
was removed and should not be needed anymore.</para>
</listitem>
<listitem>
<para>
Redis has been updated to version 4 which mandates a cluster
mass-restart, due to changes in the network handling, in order
to ensure compatibility with networks NATing traffic.
</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.09-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
@ -249,7 +534,7 @@ rmdir /var/lib/ipfs/.ipfs
Nixpkgs overlays may now be specified with a file as well as a directory. The
value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
<filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the
<filename>~/.config/nixpkgs/overalys</filename> directory.
<filename>~/.config/nixpkgs/overlays</filename> directory.
</para>
<para>
See the overlays chapter of the Nixpkgs manual for more details.
@ -257,14 +542,70 @@ rmdir /var/lib/ipfs/.ipfs
</listitem>
<listitem>
<para>
<literal>sha256</literal> argument value of
<literal>dockerTools.pullImage</literal> expression must be
updated since the mechanism to download the image has been
changed. Skopeo is now used to pull the image instead of the
Docker daemon.
Definitions for <filename>/etc/hosts</filename> can now be specified
declaratively with <literal>networking.hosts</literal>.
</para>
</listitem>
<listitem>
<para>
Two new options have been added to the installer loader, in addition
to the default having changed. The kernel log verbosity has been lowered
to the upstream default for the default options, in order to not spam
the console when e.g. joining a network.
</para>
<para>
This therefore leads to adding a new <literal>debug</literal> option
to set the log level to the previous verbose mode, to make debugging
easier, but still accessible easily.
</para>
<para>
Additionally a <literal>copytoram</literal> option has been added,
which makes it possible to remove the install medium after booting.
This allows tethering from your phone after booting from it.
</para>
</listitem>
<listitem>
<para>
<literal>services.gitlab-runner.configOptions</literal> has been added
to specify the configuration of gitlab-runners declaratively.
</para>
</listitem>
<listitem>
<para>
<literal>services.jenkins.plugins</literal> has been added
to install plugins easily, this can be generated with jenkinsPlugins2nix.
</para>
</listitem>
<listitem>
<para>
<literal>services.postfix.config</literal> has been added
to specify the main.cf with NixOS options. Additionally other options
have been added to the postfix module and has been improved further.
</para>
</listitem>
<listitem>
<para>
The GitLab package and module have been updated to the latest 10.0
release.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd-boot</literal> boot loader now lists the NixOS
version, kernel version and build date of all bootable generations.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy service now defaults to using a random upstream resolver,
selected from the list of public non-logging resolvers with DNSSEC support.
Existing configurations can be migrated to this mode of operation by
omitting the <option>services.dnscrypt-proxy.resolverName</option> option
or setting it to <literal>"random"</literal>.
</para>
</listitem>
</itemizedlist>
</section>
</section>

View File

@ -6,6 +6,14 @@
<title>Release 18.03 (“Impala”, 2018/03/??)</title>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.03-highlights">
<title>Highlights</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
@ -16,6 +24,15 @@ has the following highlights: </para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.03-new-services">
<title>New Services</title>
<para>The following new services were added since the last release:</para>
<itemizedlist>
@ -24,23 +41,56 @@ has the following highlights: </para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.03-incompatibilities">
<title>Backward Incompatibilities</title>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
Dollar signs in options under <option>services.postfix</option> are
passed verbatim to Postfix, which will interpret them as the beginning of
a parameter expression. This was already true for string-valued options
in the previous release, but not for list-valued options. If you need to
pass literal dollar signs through Postfix, double them.
</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem>
<para>
The <literal>postage</literal> package (for web-based PostgreSQL
administration) has been renamed to <literal>pgmanage</literal>. The
corresponding module has also been renamed. To migrate please rename all
<option>services.postage</option> options to
<option>services.pgmanage</option>.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.03-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
ZNC option <option>services.znc.mutable</option> now defaults to <literal>true</literal>.
That means that old configuration is not overwritten by default when update to the znc options are made.
</para>
</listitem>
</itemizedlist>
</section>
</section>

View File

@ -64,7 +64,7 @@ let
${channelSources}
'';
prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot config.system.build.nixos-prepare-root ] ++ stdenv.initialPath;
prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot libfaketime config.system.build.nixos-prepare-root ] ++ stdenv.initialPath;
# I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
# image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
@ -80,13 +80,13 @@ let
truncate -s ${toString diskSize}M $diskImage
${if partitioned then ''
parted $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
parted --script $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
offset=$((2048*512))
'' else ''
offset=0
''}
mkfs.${fsType} -F -L nixos -E offset=$offset $diskImage
faketime -f "1970-01-01 00:00:01" mkfs.${fsType} -F -L nixos -E offset=$offset $diskImage
root="$PWD/root"
mkdir -p $root
@ -124,6 +124,14 @@ let
fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure
echo "copying staging root to image..."
# If we don't faketime, we can end up with timestamps other than 1 on the nix store, which
# will confuse Nix in some situations (e.g., breaking image builds in the target image)
# N.B: I use 0 here, which results in timestamp = 1 in the image. It's weird but see
# https://github.com/lkl/linux/issues/393. Also, running under faketime makes `cptofs` super
# noisy and it prints out that it can't find a bunch of files, and then works anyway. We'll
# shut it up someday but trying to do a stderr filter through grep is running into some nasty
# bug in some eval nonsense we have in runInLinuxVM and I'm sick of trying to fix it.
faketime -f "1970-01-01 00:00:00" \
cptofs ${pkgs.lib.optionalString partitioned "-P 1"} -t ${fsType} -i $diskImage $root/* /
'';
in pkgs.vmTools.runInLinuxVM (

View File

@ -372,6 +372,17 @@ sub getUnitInfo {
return $info;
}
# Fail if the given systemd unit is not in the "active" state.
sub requireActiveUnit {
my ($self, $unit) = @_;
$self->nest("checking if unit $unit has reached state 'active'", sub {
my $info = $self->getUnitInfo($unit);
my $state = $info->{ActiveState};
if ($state ne "active") {
die "Expected unit $unit to to be in state 'active' but it is in state $state\n";
};
});
}
# Wait for a systemd unit to reach the "active" state.
sub waitForUnit {

View File

@ -149,6 +149,7 @@ rec {
{ key = "run-in-machine";
networking.hostName = "client";
nix.readOnlyStore = false;
virtualisation.writableStore = false;
}
];

View File

@ -9,6 +9,12 @@ in {
imports = [ ../../../modules/virtualisation/amazon-image.nix ];
options.amazonImage = {
name = mkOption {
type = types.str;
description = "The name of the generated derivation";
default = "nixos-disk-image";
};
contents = mkOption {
example = literalExample ''
[ { source = pkgs.memtest86 + "/memtest.bin";
@ -38,7 +44,7 @@ in {
config.system.build.amazonImage = import ../../../lib/make-disk-image.nix {
inherit lib config;
inherit (cfg) contents format;
inherit (cfg) contents format name;
pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
partitioned = config.ec2.hvm;
diskSize = cfg.sizeMB;

View File

@ -17,7 +17,7 @@ mkdir -p $stateDir
rm -f ec2-amis.nix
types="hvm"
stores="ebs s3"
stores="ebs"
regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
for type in $types; do

View File

@ -30,14 +30,15 @@ with lib;
};
config = {
config = mkIf config.environment.enableDebugInfo {
# FIXME: currently disabled because /lib is already in
# environment.pathsToLink, and we can't have both.
#environment.pathsToLink = [ "/lib/debug/.build-id" ];
environment.extraOutputsToInstall =
optional config.environment.enableDebugInfo "debug";
environment.extraOutputsToInstall = [ "debug" ];
environment.variables.NIX_DEBUG_INFO_DIRS = [ "/run/current-system/sw/lib/debug" ];
};

View File

@ -1,206 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.krb5;
in
{
###### interface
options = {
krb5 = {
enable = mkOption {
default = false;
description = "Whether to enable Kerberos V.";
};
defaultRealm = mkOption {
default = "ATENA.MIT.EDU";
description = "Default realm.";
};
domainRealm = mkOption {
default = "atena.mit.edu";
description = "Default domain realm.";
};
kdc = mkOption {
default = "kerberos.mit.edu";
description = "Key Distribution Center";
};
kerberosAdminServer = mkOption {
default = "kerberos.mit.edu";
description = "Kerberos Admin Server.";
};
};
};
###### implementation
config = mkIf config.krb5.enable {
environment.systemPackages = [ pkgs.krb5Full ];
environment.etc."krb5.conf".text =
''
[libdefaults]
default_realm = ${cfg.defaultRealm}
encrypt = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
${cfg.defaultRealm} = {
kdc = ${cfg.kdc}
admin_server = ${cfg.kerberosAdminServer}
#kpasswd_server = ${cfg.kerberosAdminServer}
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = vice28.fs.andrew.cmu.edu
kdc = vice2.fs.andrew.cmu.edu
kdc = vice11.fs.andrew.cmu.edu
kdc = vice12.fs.andrew.cmu.edu
admin_server = vice28.fs.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementia.org
kdc = kerberos2.dementia.org
admin_server = kerberos.dementia.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
[domain_realm]
.${cfg.domainRealm} = ${cfg.defaultRealm}
${cfg.domainRealm} = ${cfg.defaultRealm}
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.exchange.mit.edu = EXCHANGE.MIT.EDU
exchange.mit.edu = EXCHANGE.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON
krb4_convert = true
krb4_get_tickets = false
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
max_timeout = 30
timeout_shift = 2
initial_timeout = 1
}
'';
};
}

View File

@ -0,0 +1,367 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.krb5;
# This is to provide support for old configuration options (as much as is
# reasonable). This can be removed after 18.03 was released.
defaultConfig = {
libdefaults = optionalAttrs (cfg.defaultRealm != null)
{ default_realm = cfg.defaultRealm; };
realms = optionalAttrs (lib.all (value: value != null) [
cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer
]) {
"${cfg.defaultRealm}" = {
kdc = cfg.kdc;
admin_server = cfg.kerberosAdminServer;
};
};
domain_realm = optionalAttrs (lib.all (value: value != null) [
cfg.domainRealm cfg.defaultRealm
]) {
".${cfg.domainRealm}" = cfg.defaultRealm;
"${cfg.domainRealm}" = cfg.defaultRealm;
};
};
mergedConfig = (recursiveUpdate defaultConfig {
inherit (config.krb5)
kerberos libdefaults realms domain_realm capaths appdefaults plugins
extraConfig config;
});
filterEmbeddedMetadata = value: if isAttrs value then
(filterAttrs
(attrName: attrValue: attrName != "_module" && attrValue != null)
value)
else value;
mkIndent = depth: concatStrings (builtins.genList (_: " ") (2 * depth));
mkRelation = name: value: "${name} = ${mkVal { inherit value; }}";
mkVal = { value, depth ? 0 }:
if (value == true) then "true"
else if (value == false) then "false"
else if (isInt value) then (toString value)
else if (isList value) then
concatMapStringsSep " " mkVal { inherit value depth; }
else if (isAttrs value) then
(concatStringsSep "\n${mkIndent (depth + 1)}"
([ "{" ] ++ (mapAttrsToList
(attrName: attrValue: let
mappedAttrValue = mkVal {
value = attrValue;
depth = depth + 1;
};
in "${attrName} = ${mappedAttrValue}")
value))) + "\n${mkIndent depth}}"
else value;
mkMappedAttrsOrString = value: concatMapStringsSep "\n"
(line: if builtins.stringLength line > 0
then "${mkIndent 1}${line}"
else line)
(splitString "\n"
(if isAttrs value then
concatStringsSep "\n"
(mapAttrsToList mkRelation value)
else value));
in {
###### interface
options = {
krb5 = {
enable = mkEnableOption "Whether to enable Kerberos V.";
kerberos = mkOption {
type = types.package;
default = pkgs.krb5Full;
defaultText = "pkgs.krb5Full";
example = literalExample "pkgs.heimdalFull";
description = ''
The Kerberos implementation that will be present in
<literal>environment.systemPackages</literal> after enabling this
service.
'';
};
libdefaults = mkOption {
type = with types; either attrs lines;
default = {};
apply = attrs: filterEmbeddedMetadata attrs;
example = literalExample ''
{
default_realm = "ATHENA.MIT.EDU";
};
'';
description = ''
Settings used by the Kerberos V5 library.
'';
};
realms = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = "athena.mit.edu";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = "Realm-specific contact information and settings.";
};
domain_realm = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
"example.com" = "EXAMPLE.COM";
".example.com" = "EXAMPLE.COM";
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Map of server hostnames to Kerberos realms.
'';
};
capaths = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
"ATHENA.MIT.EDU" = {
"EXAMPLE.COM" = ".";
};
"EXAMPLE.COM" = {
"ATHENA.MIT.EDU" = ".";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Authentication paths for non-hierarchical cross-realm authentication.
'';
};
appdefaults = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
pam = {
debug = false;
ticket_lifetime = 36000;
renew_lifetime = 36000;
max_timeout = 30;
timeout_shift = 2;
initial_timeout = 1;
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Settings used by some Kerberos V5 applications.
'';
};
plugins = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
ccselect = {
disable = "k5identity";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Controls plugin module registration.
'';
};
extraConfig = mkOption {
type = with types; nullOr lines;
default = null;
example = ''
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
These lines go to the end of <literal>krb5.conf</literal> verbatim.
<literal>krb5.conf</literal> may include any of the relations that are
valid for <literal>kdc.conf</literal> (see <literal>man
kdc.conf</literal>), but it is not a recommended practice.
'';
};
config = mkOption {
type = with types; nullOr lines;
default = null;
example = ''
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
admin_server = kerberos.example.com
kdc = kerberos.example.com
default_principal_flags = +preauth
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
Verbatim <literal>krb5.conf</literal> configuration. Note that this
is mutually exclusive with configuration via
<literal>libdefaults</literal>, <literal>realms</literal>,
<literal>domain_realm</literal>, <literal>capaths</literal>,
<literal>appdefaults</literal>, <literal>plugins</literal> and
<literal>extraConfig</literal> configuration options. Consult
<literal>man krb5.conf</literal> for documentation.
'';
};
defaultRealm = mkOption {
type = with types; nullOr str;
default = null;
example = "ATHENA.MIT.EDU";
description = ''
DEPRECATED, please use
<literal>krb5.libdefaults.default_realm</literal>.
'';
};
domainRealm = mkOption {
type = with types; nullOr str;
default = null;
example = "athena.mit.edu";
description = ''
DEPRECATED, please create a map of server hostnames to Kerberos realms
in <literal>krb5.domain_realm</literal>.
'';
};
kdc = mkOption {
type = with types; nullOr str;
default = null;
example = "kerberos.mit.edu";
description = ''
DEPRECATED, please pass a <literal>kdc</literal> attribute to a realm
in <literal>krb5.realms</literal>.
'';
};
kerberosAdminServer = mkOption {
type = with types; nullOr str;
default = null;
example = "kerberos.mit.edu";
description = ''
DEPRECATED, please pass an <literal>admin_server</literal> attribute
to a realm in <literal>krb5.realms</literal>.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.kerberos ];
environment.etc."krb5.conf".text = if isString cfg.config
then cfg.config
else (''
[libdefaults]
${mkMappedAttrsOrString mergedConfig.libdefaults}
[realms]
${mkMappedAttrsOrString mergedConfig.realms}
[domain_realm]
${mkMappedAttrsOrString mergedConfig.domain_realm}
[capaths]
${mkMappedAttrsOrString mergedConfig.capaths}
[appdefaults]
${mkMappedAttrsOrString mergedConfig.appdefaults}
[plugins]
${mkMappedAttrsOrString mergedConfig.plugins}
'' + optionalString (mergedConfig.extraConfig != null)
("\n" + mergedConfig.extraConfig));
warnings = flatten [
(optional (cfg.defaultRealm != null) ''
The option krb5.defaultRealm is deprecated, please use
krb5.libdefaults.default_realm.
'')
(optional (cfg.domainRealm != null) ''
The option krb5.domainRealm is deprecated, please use krb5.domain_realm.
'')
(optional (cfg.kdc != null) ''
The option krb5.kdc is deprecated, please pass a kdc attribute to a
realm in krb5.realms.
'')
(optional (cfg.kerberosAdminServer != null) ''
The option krb5.kerberosAdminServer is deprecated, please pass an
admin_server attribute to a realm in krb5.realms.
'')
];
assertions = [
{ assertion = !((builtins.any (value: value != null) [
cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer
]) && ((builtins.any (value: value != {}) [
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
cfg.appdefaults cfg.plugins
]) || (builtins.any (value: value != null) [
cfg.config cfg.extraConfig
])));
message = ''
Configuration of krb5.conf by deprecated options is mutually exclusive
with configuration by section. Please migrate your config using the
attributes suggested in the warnings.
'';
}
{ assertion = !(cfg.config != null
&& ((builtins.any (value: value != {}) [
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
cfg.appdefaults cfg.plugins
]) || (builtins.any (value: value != null) [
cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc
cfg.kerberosAdminServer
])));
message = ''
Configuration of krb5.conf using krb.config is mutually exclusive with
configuration by section. If you want to mix the two, you can pass
lines to any configuration section or lines to krb5.extraConfig.
'';
}
];
};
}

View File

@ -18,7 +18,7 @@ let
hostArray = [ "files" ]
++ optionals mymachines [ "mymachines" ]
++ optionals nssmdns [ "mdns_minimal [!UNAVAIL=return]" ]
++ optionals nssmdns [ "mdns_minimal [NOTFOUND=return]" ]
++ optionals nsswins [ "wins" ]
++ optionals resolved ["resolve [!UNAVAIL=return]"]
++ [ "dns" ]

View File

@ -31,6 +31,7 @@ let
pkgs.nano
pkgs.ncurses
pkgs.netcat
pkgs.nix-info
config.programs.ssh.package
pkgs.perl
pkgs.procps

View File

@ -5,6 +5,9 @@ with lib;
let
tzdir = "${pkgs.tzdata}/share/zoneinfo";
nospace = str: filter (c: c == " ") (stringToCharacters str) == [];
timezone = types.nullOr (types.addCheck types.str nospace)
// { description = "null or string without spaces"; };
in
@ -15,7 +18,7 @@ in
timeZone = mkOption {
default = null;
type = types.nullOr types.str;
type = timezone;
example = "America/New_York";
description = ''
The time zone used when displaying times and dates. See <link

View File

@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}

View File

@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
{
###### interface
options = {
networking.enableIntel2100BGFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Turn on this option if you want firmware for the Intel
PRO/Wireless 2100BG to be loaded automatically. This is
required if you want to use this device.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableIntel2100BGFirmware {
hardware.enableRedistributableFirmware = true;
};
}

View File

@ -1,29 +0,0 @@
{ config, pkgs, lib, ... }:
{
###### interface
options = {
networking.enableIntel3945ABGFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
This option enables automatic loading of the firmware for the Intel
PRO/Wireless 3945ABG.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableIntel3945ABGFirmware {
hardware.enableRedistributableFirmware = true;
};
}

View File

@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}

View File

@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}

View File

@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}

View File

@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}

View File

@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}

View File

@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}

View File

@ -1,26 +0,0 @@
{pkgs, config, lib, ...}:
{
###### interface
options = {
networking.enableRalinkFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Turn on this option if you want firmware for the RT73 NIC.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableRalinkFirmware {
hardware.enableRedistributableFirmware = true;
};
}

View File

@ -1,26 +0,0 @@
{pkgs, config, lib, ...}:
{
###### interface
options = {
networking.enableRTL8192cFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Turn on this option if you want firmware for the RTL8192c (and related) NICs.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableRTL8192cFirmware {
hardware.enableRedistributableFirmware = true;
};
}

View File

@ -93,7 +93,7 @@ in
hardware.opengl.extraPackages = mkOption {
type = types.listOf types.package;
default = [];
example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]";
example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]";
description = ''
Additional packages to add to OpenGL drivers. This can be used
to add OpenCL drivers, VA-API/VDPAU drivers etc.

View File

@ -40,6 +40,12 @@ in
{
config = mkIf enabled {
assertions = [
{
assertion = config.services.xserver.displayManager.gdm.wayland;
message = "NVidia drivers don't support wayland";
}
];
services.xserver.drivers = singleton
{ name = "nvidia"; modules = [ nvidia_x11.bin ]; libPath = [ nvidia_x11 ]; };
@ -62,11 +68,16 @@ in
boot.extraModulePackages = [ nvidia_x11.bin ];
# nvidia-uvm is required by CUDA applications.
boot.kernelModules = [ "nvidia-uvm" ];
boot.kernelModules = [ "nvidia-uvm" ] ++
lib.optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
# Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
services.udev.extraRules =
''
KERNEL=="nvidia", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidiactl c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'"
KERNEL=="nvidia_modeset", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia-modeset c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'"
KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia%n c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
'';

View File

@ -361,6 +361,9 @@ in
{ source = config.isoImage.splashImage;
target = "/isolinux/background.png";
}
{ source = pkgs.writeText "version" config.system.nixosVersion;
target = "/version.txt";
}
] ++ optionals config.isoImage.makeEfiBootable [
{ source = efiImg;
target = "/boot/efi.img";

View File

@ -10,6 +10,7 @@ let
in
{
imports = [
../../profiles/base.nix
../../profiles/installation-device.nix
./sd-image.nix
];
@ -27,9 +28,12 @@ in
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# Increase the amount of CMA to ensure the virtual console on the RPi3 works.
boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=tty0"];
boot.consoleLogLevel = 7;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TX1)
# - ttyAMA0: for QEMU's -machine virt
# Also increase the amount of CMA to ensure the virtual console on the RPi3 works.
boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
# FIXME: this probably should be in installation-device.nix
users.extraUsers.root.initialHashedPassword = "";

View File

@ -10,6 +10,7 @@ let
in
{
imports = [
../../profiles/base.nix
../../profiles/installation-device.nix
./sd-image.nix
];
@ -27,6 +28,12 @@ in
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TK1)
# - ttymxc0: for i.MX6 (Wandboard)
# - ttyAMA0: for Allwinner (pcDuino3 Nano) and QEMU's -machine virt
# - ttyO0: for OMAP (BeagleBone Black)
# - ttySAC2: for Exynos (ODROID-XU3)
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
# FIXME: this probably should be in installation-device.nix

View File

@ -10,6 +10,7 @@ let
in
{
imports = [
../../profiles/base.nix
../../profiles/installation-device.nix
./sd-image.nix
];

View File

@ -6,8 +6,7 @@ with lib;
{
config = mkDefault {
# Wireless card firmware
networking.enableIntel2200BGFirmware = true;
networking.enableIntel3945ABGFirmware = true;
# Common firmware, i.e. for wifi cards
hardware.enableRedistributableFirmware = true;
};
}

View File

@ -8,6 +8,7 @@ use File::Basename;
use File::Slurp;
use File::stat;
umask(0022);
sub uniq {
my %seen;
@ -103,7 +104,7 @@ if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") {
foreach $e (@desired_governors) {
if (index($governors, $e) != -1) {
last if (push @attrs, "powerManagement.cpuFreqGovernor = \"$e\";");
last if (push @attrs, "powerManagement.cpuFreqGovernor = lib.mkDefault \"$e\";");
}
}
}
@ -398,19 +399,15 @@ EOF
# Is this a btrfs filesystem?
if ($fsType eq "btrfs") {
my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint");
if ($status != 0 || join("", @id_info) =~ /ERROR:/) {
my ($status, @info) = runCommand("btrfs subvol show $rootDir$mountPoint");
if ($status != 0 || join("", @info) =~ /ERROR:/) {
die "Failed to retrieve subvolume info for $mountPoint\n";
}
my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/;
my @ids = join("\n", @info) =~ m/^(?!\/\n).*Subvolume ID:[ \t\n]*([0-9]+)/s;
if ($#ids > 0) {
die "Btrfs subvol name for $mountPoint listed multiple times in mount\n"
} elsif ($#ids == 0) {
my ($status, @path_info) = runCommand("btrfs subvol list $rootDir$mountPoint");
if ($status != 0) {
die "Failed to find $mountPoint subvolume id from btrfs\n";
}
my @paths = join("", @path_info) =~ m/ID $ids[0] [^\n]* path ([^\n]*)/;
my @paths = join("", @info) =~ m/^([^\n]*)/;
if ($#paths > 0) {
die "Btrfs returned multiple paths for a single subvolume id, mountpoint $mountPoint\n";
} elsif ($#paths != 0) {

View File

@ -113,8 +113,33 @@ if [[ -z "$closure" ]]; then
fi
unset NIXOS_CONFIG
# TODO: do I need to set NIX_SUBSTITUTERS here or is the --option binary-caches above enough?
# These get created in nixos-prepare-root as well, but we want to make sure they're here in case we're
# running with --chroot. TODO: --chroot should just be split into a separate tool.
mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/proc" "$mountPoint/sys"
# Set up some bind mounts we'll want regardless of chroot or not
mount --rbind /dev "$mountPoint/dev"
mount --rbind /proc "$mountPoint/proc"
mount --rbind /sys "$mountPoint/sys"
# If we asked for a chroot, that means we're not actually installing anything (yeah I was confused too)
# and we just want to run a command in the context of a $mountPoint that we're assuming has already been
# set up by a previous nixos-install invocation. In that case we set up some remaining bind mounts and
# exec the requested command, skipping the rest of the installation procedure.
if [ -n "$runChroot" ]; then
mount -t tmpfs -o "mode=0755" none $mountPoint/run
rm -rf $mountPoint/var/run
ln -s /run $mountPoint/var/run
for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
for f in /etc/passwd /etc/group; do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done
if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
echo "$0: installation not finished; cannot chroot into installation directory"
exit 1
fi
ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system
exec chroot $mountPoint "${chrootCommand[@]}"
fi
# A place to drop temporary closures
trap "rm -rf $tmpdir" EXIT
@ -153,9 +178,7 @@ nix-store --export $channel_root > $channel_closure
# nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead
chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
mount --rbind /dev $mountPoint/dev
mount --rbind /proc $mountPoint/proc
mount --rbind /sys $mountPoint/sys
# Grub needs an mtab.
ln -sfn /proc/mounts $mountPoint/etc/mtab

View File

@ -31,16 +31,16 @@ if ! test -e "$mountPoint"; then
fi
# Create a few of the standard directories in the target root directory.
mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
mkdir -m 01777 -p $mountPoint/tmp
mkdir -m 0755 -p $mountPoint/tmp/root
mkdir -m 0755 -p $mountPoint/var
mkdir -m 0700 -p $mountPoint/root
install -m 0755 -d $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
install -m 01777 -d $mountPoint/tmp
install -m 0755 -d $mountPoint/tmp/root
install -m 0755 -d $mountPoint/var
install -m 0700 -d $mountPoint/root
ln -sf /run $mountPoint/var/run
# Create the necessary Nix directories on the target device
mkdir -m 0755 -p \
install -m 0755 -d \
$mountPoint/nix/var/nix/gcroots \
$mountPoint/nix/var/nix/temproots \
$mountPoint/nix/var/nix/userpool \
@ -48,7 +48,7 @@ mkdir -m 0755 -p \
$mountPoint/nix/var/nix/db \
$mountPoint/nix/var/log/nix/drvs
mkdir -m 1775 -p $mountPoint/nix/store
install -m 1775 -d $mountPoint/nix/store
# All Nix operations below should operate on our target store, not /nix/store.
# N.B: this relies on Nix 1.12 or higher
@ -80,7 +80,7 @@ if [ ! -x $mountPoint/@shell@ ]; then
echo "Error: @shell@ wasn't included in the closure" >&2
exit 1
fi
mkdir -m 0755 -p $mountPoint/bin
install -m 0755 -d $mountPoint/bin
ln -sf @shell@ $mountPoint/bin/sh
echo "setting the system closure to '$system'..."
@ -89,17 +89,16 @@ nix-env "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/system --set
ln -sfn /nix/var/nix/profiles/system $mountPoint/run/current-system
# Copy the NixOS/Nixpkgs sources to the target as the initial contents of the NixOS channel.
mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
install -m 0755 -d $mountPoint/nix/var/nix/profiles
install -m 1777 -d $mountPoint/nix/var/nix/profiles/per-user
install -m 0755 -d $mountPoint/nix/var/nix/profiles/per-user/root
if [ -z "$noChannelCopy" ] && [ -n "$channel" ]; then
echo "copying channel..."
nix-env --option build-use-substitutes false "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channel" --quiet
fi
mkdir -m 0700 -p $mountPoint/root/.nix-defexpr
install -m 0700 -d $mountPoint/root/.nix-defexpr
ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels
# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out.
touch $mountPoint/etc/NIXOS

View File

@ -18,26 +18,23 @@ in
default = false;
description = ''
If enabled, NixOS will set up a kernel that will
boot on crash, and leave the user to a stage1 debug1devices
interactive shell to be able to save the crashed kernel dump.
boot on crash, and leave the user in systemd rescue
to be able to save the crashed kernel dump at
/proc/vmcore.
It also activates the NMI watchdog.
'';
};
kernelPackages = mkOption {
type = types.package;
default = pkgs.linuxPackages;
# We don't want to evaluate all of linuxPackages for the manual
# - some of it might not even evaluate correctly.
defaultText = "pkgs.linuxPackages";
example = literalExample "pkgs.linuxPackages_2_6_25";
reservedMemory = mkOption {
default = "128M";
description = ''
This will override the boot.kernelPackages, and will add some
kernel configuration parameters for the crash dump to work.
The amount of memory reserved for the crashdump kernel.
If you choose a too high value, dmesg will mention
"crashkernel reservation failed".
'';
};
kernelParams = mkOption {
type = types.listOf types.str;
default = [ "debug1devices" ];
default = [ "1" "boot.shell_on_fail" ];
description = ''
Parameters that will be passed to the kernel kexec-ed on crash.
'';
@ -51,29 +48,29 @@ in
config = mkIf crashdump.enable {
boot = {
postBootCommands = ''
echo "loading crashdump kernel...";
${pkgs.kexectools}/sbin/kexec -p /run/current-system/kernel \
--initrd=/run/current-system/initrd \
--append="init=$(readlink -f /run/current-system/init) system=$(readlink -f /run/current-system) irqpoll maxcpus=1 reset_devices ${kernelParams}" --reset-vga --console-vga
--reset-vga --console-vga \
--command-line="systemConfig=$(readlink -f /run/current-system) init=$(readlink -f /run/current-system/init) irqpoll maxcpus=1 reset_devices ${kernelParams}"
'';
kernelParams = [
"crashkernel=64M"
"crashkernel=${crashdump.reservedMemory}"
"nmi_watchdog=panic"
"softlockup_panic=1"
"idle=poll"
];
kernelPackages = mkOverride 50 (crashdump.kernelPackages // {
kernel = crashdump.kernelPackages.kernel.override
(attrs: {
extraConfig = (optionalString (attrs ? extraConfig) attrs.extraConfig) +
''
kernelPatches = [ {
name = "crashdump-config";
patch = null;
extraConfig = ''
CRASH_DUMP y
DEBUG_INFO y
PROC_VMCORE y
LOCKUP_DETECTOR y
HARDLOCKUP_DETECTOR y
'';
});
});
} ];
};
};
}

View File

@ -207,11 +207,12 @@
ripple-data-api = 186;
mediatomb = 187;
rdnssd = 188;
# ihaskell = 189; # unused
ihaskell = 189;
i2p = 190;
lambdabot = 191;
asterisk = 192;
plex = 193;
plexpy = 195;
grafana = 196;
skydns = 197;
# ripple-rest = 198; # unused, removed 2017-08-12
@ -296,6 +297,9 @@
clickhouse = 278;
rslsync = 279;
minio = 280;
kanboard = 281;
pykms = 282;
kodi = 283;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -480,7 +484,7 @@
#ripple-data-api = 186; #unused
mediatomb = 187;
#rdnssd = 188; # unused
# ihaskell = 189; # unused
ihaskell = 189;
i2p = 190;
lambdabot = 191;
asterisk = 192;
@ -561,6 +565,9 @@
clickhouse = 278;
rslsync = 279;
minio = 280;
kanboard = 281;
pykms = 282;
kodi = 283;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

View File

@ -126,12 +126,15 @@ in {
++ optional (isFindutils && cfg.pruneNames != []) "findutils locate does not support pruning by directory component"
++ optional (isFindutils && cfg.pruneBindMounts) "findutils locate does not support skipping bind mounts";
# directory creation needs to be separated from main service
# because ReadWritePaths fails when the directory doesn't already exist
systemd.tmpfiles.rules = [ "d ${dirOf cfg.output} 0755 root root -" ];
systemd.services.update-locatedb =
{ description = "Update Locate Database";
path = mkIf (!isMLocate) [ pkgs.su ];
script =
''
mkdir -m 0755 -p ${dirOf cfg.output}
exec ${cfg.locate}/bin/updatedb \
${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \
--output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
@ -147,8 +150,13 @@ in {
serviceConfig.PrivateTmp = "yes";
serviceConfig.PrivateNetwork = "yes";
serviceConfig.NoNewPrivileges = "yes";
serviceConfig.ReadOnlyDirectories = "/";
serviceConfig.ReadWriteDirectories = dirOf cfg.output;
serviceConfig.ReadOnlyPaths = "/";
# Use dirOf cfg.output because mlocate creates temporary files next to
# the actual database. We could specify and create them as well,
# but that would make this quite brittle when they change something.
# NOTE: If /var/cache does not exist, this leads to the misleading error message:
# update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
serviceConfig.ReadWritePaths = dirOf cfg.output;
};
systemd.timers.update-locatedb =

View File

@ -9,7 +9,7 @@
./config/fonts/ghostscript.nix
./config/gnu.nix
./config/i18n.nix
./config/krb5.nix
./config/krb5/default.nix
./config/ldap.nix
./config/networking.nix
./config/no-x-libs.nix
@ -35,11 +35,6 @@
./hardware/ksm.nix
./hardware/mcelog.nix
./hardware/network/b43.nix
./hardware/network/intel-2100bg.nix
./hardware/network/intel-2200bg.nix
./hardware/network/intel-3945abg.nix
./hardware/network/ralink.nix
./hardware/network/rtl8192c.nix
./hardware/nitrokey.nix
./hardware/opengl.nix
./hardware/pcmcia.nix
@ -73,6 +68,7 @@
./programs/adb.nix
./programs/atop.nix
./programs/bash/bash.nix
./programs/bcc.nix
./programs/blcr.nix
./programs/browserpass.nix
./programs/cdemu.nix
@ -102,6 +98,8 @@
./programs/spacefm.nix
./programs/ssh.nix
./programs/ssmtp.nix
./programs/sysdig.nix
./programs/sway.nix
./programs/thefuck.nix
./programs/tmux.nix
./programs/venus.nix
@ -134,8 +132,6 @@
./security/rtkit.nix
./security/wrappers/default.nix
./security/sudo.nix
./service-managers/docker.nix
./service-managers/trivial.nix
./services/admin/salt/master.nix
./services/admin/salt/minion.nix
./services/amqp/activemq/default.nix
@ -189,7 +185,7 @@
./services/databases/neo4j.nix
./services/databases/openldap.nix
./services/databases/opentsdb.nix
./services/databases/postage.nix
./services/databases/pgmanage.nix
./services/databases/postgresql.nix
./services/databases/redis.nix
./services/databases/riak.nix
@ -267,6 +263,7 @@
./services/mail/offlineimap.nix
./services/mail/opendkim.nix
./services/mail/opensmtpd.nix
./services/mail/pfix-srsd.nix
./services/mail/postfix.nix
./services/mail/postsrsd.nix
./services/mail/postgrey.nix
@ -300,13 +297,14 @@
./services/misc/fstrim.nix
./services/misc/gammu-smsd.nix
./services/misc/geoip-updater.nix
./services/misc/gitea.nix
#./services/misc/gitit.nix
./services/misc/gitlab.nix
./services/misc/gitolite.nix
./services/misc/gogs.nix
./services/misc/gollum.nix
./services/misc/gpsd.nix
#./services/misc/ihaskell.nix
./services/misc/ihaskell.nix
./services/misc/irkerd.nix
./services/misc/jackett.nix
./services/misc/logkeys.nix
@ -330,6 +328,8 @@
./services/misc/parsoid.nix
./services/misc/phd.nix
./services/misc/plex.nix
./services/misc/plexpy.nix
./services/misc/pykms.nix
./services/misc/radarr.nix
./services/misc/redmine.nix
./services/misc/rippled.nix
@ -346,6 +346,7 @@
./services/misc/svnserve.nix
./services/misc/synergy.nix
./services/misc/taskserver
./services/misc/tzupdate.nix
./services/misc/uhub.nix
./services/misc/zookeeper.nix
./services/monitoring/apcupsd.nix
@ -355,6 +356,7 @@
./services/monitoring/collectd.nix
./services/monitoring/das_watchdog.nix
./services/monitoring/dd-agent/dd-agent.nix
./services/monitoring/fusion-inventory.nix
./services/monitoring/grafana.nix
./services/monitoring/graphite.nix
./services/monitoring/hdaps.nix
@ -371,6 +373,7 @@
./services/monitoring/prometheus/collectd-exporter.nix
./services/monitoring/prometheus/fritzbox-exporter.nix
./services/monitoring/prometheus/json-exporter.nix
./services/monitoring/prometheus/minio-exporter.nix
./services/monitoring/prometheus/nginx-exporter.nix
./services/monitoring/prometheus/node-exporter.nix
./services/monitoring/prometheus/snmp-exporter.nix
@ -410,6 +413,7 @@
./services/networking/asterisk.nix
./services/networking/atftpd.nix
./services/networking/avahi-daemon.nix
./services/networking/babeld.nix
./services/networking/bind.nix
./services/networking/autossh.nix
./services/networking/bird.nix
@ -618,6 +622,7 @@
./services/web-servers/phpfpm/default.nix
./services/web-servers/shellinabox.nix
./services/web-servers/tomcat.nix
./services/web-servers/traefik.nix
./services/web-servers/uwsgi.nix
./services/web-servers/varnish/default.nix
./services/web-servers/winstone.nix
@ -693,6 +698,7 @@
./tasks/filesystems/bcachefs.nix
./tasks/filesystems/btrfs.nix
./tasks/filesystems/cifs.nix
./tasks/filesystems/ecryptfs.nix
./tasks/filesystems/exfat.nix
./tasks/filesystems/ext.nix
./tasks/filesystems/f2fs.nix

View File

@ -47,9 +47,6 @@
# Hyper-V support.
"hv_storvsc"
# Keyboards
"usbhid" "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
];
# Include lots of firmware.

View File

@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
options.programs.bcc.enable = lib.mkEnableOption "bcc";
config = lib.mkIf config.programs.bcc.enable {
environment.systemPackages = [ config.boot.kernelPackages.bcc ];
boot.extraModulePackages = [ config.boot.kernelPackages.bcc ];
};
}

View File

@ -25,7 +25,14 @@ in
{
options.programs.command-not-found = {
enable = mkEnableOption "command-not-found hook for interactive shell";
enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether interactive shells should show which Nix package (if
any) provides a missing command.
'';
};
dbPath = mkOption {
default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ;

View File

@ -148,11 +148,11 @@ in
[
{
hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = "./pubkeys/myhost_ssh_host_dsa_key.pub";
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
}
{
hostNames = [ "myhost2" ];
publicKeyFile = "./pubkeys/myhost2_ssh_host_dsa_key.pub";
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
}
]
'';

View File

@ -0,0 +1,69 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.sway;
sway = pkgs.sway;
swayWrapped = pkgs.writeScriptBin "sway" ''
#! ${pkgs.stdenv.shell}
${cfg.extraSessionCommands}
PATH="${sway}/bin:$PATH"
exec ${pkgs.dbus.dbus-launch} --exit-with-session sway-setcap
'';
swayJoined = pkgs.symlinkJoin {
name = "sway-wrapped";
paths = [ swayWrapped sway ];
};
in
{
options.programs.sway = {
enable = mkEnableOption "sway";
extraSessionCommands = mkOption {
default = "";
type = types.lines;
example = ''
export XKB_DEFAULT_LAYOUT=us,de
export XKB_DEFAULT_VARIANT=,nodeadkeys
export XKB_DEFAULT_OPTIONS=grp:alt_shift_toggle,
'';
description = ''
Shell commands executed just before sway is started.
'';
};
extraPackages = mkOption {
type = with types; listOf package;
default = with pkgs; [
i3status xwayland rxvt_unicode dmenu
];
example = literalExample ''
with pkgs; [
i3status xwayland rxvt_unicode dmenu
]
'';
description = ''
Extra packages to be installed system wide.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ swayJoined ] ++ cfg.extraPackages;
security.wrappers.sway = {
program = "sway-setcap";
source = "${sway}/bin/sway";
capabilities = "cap_sys_ptrace,cap_sys_tty_config=eip";
owner = "root";
group = "sway";
permissions = "u+rx,g+rx";
};
users.extraGroups.sway = {};
hardware.opengl.enable = mkDefault true;
fonts.enableDefaultFonts = mkDefault true;
};
}

View File

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.sysdig;
in {
options.programs.sysdig.enable = mkEnableOption "sysdig";
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.sysdig ];
boot.extraModulePackages = [ config.boot.kernelPackages.sysdig ];
};
}

View File

@ -54,25 +54,25 @@ in
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ];
programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
${optionalString (length(cfg.highlighters) > 0)
"ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
}
${let
n = attrNames cfg.patterns;
in
optionalString (length(n) > 0)
(assert(elem "pattern" cfg.highlighters); (foldl (
a: b:
''
${a}
ZSH_HIGHLIGHT_PATTERNS+=('${b}' '${attrByPath [b] "" cfg.patterns}')
''
) "") n)
}
assertions = [
{
assertion = length(attrNames cfg.patterns) > 0 -> elem "pattern" cfg.highlighters;
message = ''
When highlighting patterns, "pattern" needs to be included in the list of highlighters.
'';
}
];
programs.zsh.interactiveShellInit = with pkgs;
lib.concatStringsSep "\n" ([
"source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
] ++ optional (length(cfg.highlighters) > 0)
"ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
++ optionals (length(attrNames cfg.patterns) > 0)
(mapAttrsToList (
pattern: design:
"ZSH_HIGHLIGHT_PATTERNS+=('${pattern}' '${design}')"
) cfg.patterns)
);
};
}

View File

@ -11,7 +11,11 @@ with lib;
(mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
(mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
@ -108,6 +112,9 @@ with lib;
(mkAliasOptionModule [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ])
# opendkim
(mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ])
# XBMC
(mkRenamedOptionModule [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
(mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])

View File

@ -139,6 +139,20 @@ in
'';
};
production = mkOption {
type = types.bool;
default = true;
description = ''
If set to true, use Let's Encrypt's production environment
instead of the staging environment. The main benefit of the
staging environment is to get much higher rate limits.
See
<literal>https://letsencrypt.org/docs/staging-environment</literal>
for more detail.
'';
};
certs = mkOption {
default = { };
type = with types; attrsOf (submodule certOpts);
@ -177,7 +191,9 @@ in
cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)
++ (if cfg.production then []
else ["--server" "https://acme-staging.api.letsencrypt.org/directory"]);
acmeService = {
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];

View File

@ -89,8 +89,5 @@ services.nginx = {
};
}
</programlisting>
<para>At the moment you still have to restart Nginx after the ACME
certs arrive.</para>
</section>
</chapter>

View File

@ -486,8 +486,9 @@ in
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ];
boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
security.wrappers = {
unix_chkpwd = {
@ -495,10 +496,7 @@ in
owner = "root";
setuid = true;
};
} // (if config.security.pam.enableEcryptfs then {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
} else {});
};
environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
@ -521,6 +519,7 @@ in
ftp = {};
i3lock = {};
i3lock-color = {};
swaylock = {};
screen = {};
vlock = {};
xlock = {};

View File

@ -22,7 +22,7 @@ in
description = ''
Enable USB login for all login systems that support it. For
more information, visit <link
xlink:href="http://pamusb.org/doc/quickstart#setting_up" />.
xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users" />.
'';
};

View File

@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.docker-containers;
containerModule = {
script = mkOption {
type = types.lines;
description = "Shell commands executed as the service's main process.";
};
};
toContainer = name: value: pkgs.dockerTools.buildImage {
inherit name;
config = {
Cmd = [ value.script ];
};
};
in {
options.docker-containers = mkOption {
default = {};
type = with types; attrsOf (types.submodule containerModule);
description = "Definition of docker containers";
};
config.system.build.toplevel-docker = lib.mapAttrs toContainer cfg;
}

View File

@ -1,35 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.trivial-services;
serviceModule.options = {
script = mkOption {
type = types.lines;
description = "Shell commands executed as the service's main process.";
};
environment = mkOption {
default = {};
type = types.attrs; # FIXME
example = { PATH = "/foo/bar/bin"; LANG = "nl_NL.UTF-8"; };
description = "Environment variables passed to the service's processes.";
};
};
launcher = name: value: pkgs.writeScript name ''
#!${pkgs.stdenv.shell} -eu
${pkgs.writeScript "${name}-entry" value.script}
'';
in {
options.trivial-services = mkOption {
default = {};
type = with types; attrsOf (types.submodule serviceModule);
description = "Definition of trivial services";
};
config.system.build.toplevel-trivial = lib.mapAttrs launcher cfg;
}

View File

@ -7,9 +7,27 @@ let
inherit (pkgs) mysql gzip;
cfg = config.services.mysqlBackup;
location = cfg.location ;
mysqlBackupCron = db : ''
${cfg.period} ${cfg.user} ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz
defaultUser = "mysqlbackup";
backupScript = ''
set -o pipefail
failed=""
${concatMapStringsSep "\n" backupDatabaseScript cfg.databases}
if [ -n "$failed" ]; then
echo "Backup of database(s) failed:$failed"
exit 1
fi
'';
backupDatabaseScript = db: ''
dest="${cfg.location}/${db}.gz"
if ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > $dest.tmp; then
mv $dest.tmp $dest
echo "Backed up to $dest"
else
echo "Failed to back up to $dest"
rm -f $dest.tmp
failed="$failed ${db}"
fi
'';
in
@ -26,17 +44,16 @@ in
'';
};
period = mkOption {
default = "15 01 * * *";
calendar = mkOption {
type = types.str;
default = "01:15:00";
description = ''
This option defines (in the format used by cron) when the
databases should be dumped.
The default is to update at 01:15 (at night) every day.
Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).
'';
};
user = mkOption {
default = "mysql";
default = defaultUser;
description = ''
User to be used to perform backup.
'';
@ -66,16 +83,49 @@ in
};
config = mkIf config.services.mysqlBackup.enable {
config = mkIf cfg.enable {
users.extraUsers = optionalAttrs (cfg.user == defaultUser) (singleton
{ name = defaultUser;
isSystemUser = true;
createHome = false;
home = cfg.location;
group = "nogroup";
});
services.cron.systemCronJobs = map mysqlBackupCron config.services.mysqlBackup.databases;
services.mysql.ensureUsers = [{
name = cfg.user;
ensurePermissions = with lib;
let
privs = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES";
grant = db: nameValuePair "${db}.*" privs;
in
listToAttrs (map grant cfg.databases);
}];
system.activationScripts.mysqlBackup = stringAfter [ "stdio" "users" ]
''
mkdir -m 0700 -p ${config.services.mysqlBackup.location}
chown ${config.services.mysqlBackup.user} ${config.services.mysqlBackup.location}
systemd = {
timers."mysql-backup" = {
description = "Mysql backup timer";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.calendar;
AccuracySec = "5m";
Unit = "mysql-backup.service";
};
};
services."mysql-backup" = {
description = "Mysql backup service";
enable = true;
serviceConfig = {
User = cfg.user;
PermissionsStartOnly = true;
};
preStart = ''
mkdir -m 0700 -p ${cfg.location}
chown -R ${cfg.user} ${cfg.location}
'';
script = backupScript;
};
};
};
}

View File

@ -11,7 +11,7 @@ let
image = pkgs.dockerTools.pullImage {
imageName = name;
imageTag = version;
sha256 = "0b5v7xa3s91yi9yfsw2b8wijiprnicbb02f5kqa579h4yndb3gfz";
sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
};
in {
options.services.kubernetes.addons.dashboard = {

View File

@ -8,19 +8,19 @@ let
k8s-dns-kube-dns = pkgs.dockerTools.pullImage {
imageName = "gcr.io/google_containers/k8s-dns-kube-dns-amd64";
imageTag = version;
sha256 = "0g64jc2076ng28xl4w3w9svf7hc6s9h8rq9mhvvwpfy2p6lgj6gy";
sha256 = "0q97xfqrigrfjl2a9cxl5in619py0zv44gch09jm8gqjkxl80imp";
};
k8s-dns-dnsmasq-nanny = pkgs.dockerTools.pullImage {
imageName = "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64";
imageTag = version;
sha256 = "0sdpsbj1vismihy7ass1cn96nwmav6sf3r5h6i4k2dxha0y0jsh5";
sha256 = "051w5ca4qb88mwva4hbnh9xzlsvv7k1mbk3wz50lmig2mqrqqx6c";
};
k8s-dns-sidecar = pkgs.dockerTools.pullImage {
imageName = "gcr.io/google_containers/k8s-dns-sidecar-amd64";
imageTag = version;
sha256 = "01zpi189hpy2z62awl38fap908s8rrhc3v5gb6m90y2pycl4ad6q";
sha256 = "1z0d129bcm8i2cqq36x5jhnrv9hirj8c6kjrmdav8vgf7py78vsm";
};
cfg = config.services.kubernetes.addons.dns;

View File

@ -9,9 +9,8 @@ let
token="${cfg.token}"
name="${cfg.name}"
meta-data="${cfg.meta-data}"
hooks-path="${pkgs.buildkite-agent}/share/hooks"
build-path="/var/lib/buildkite-agent/builds"
bootstrap-script="${pkgs.buildkite-agent}/share/bootstrap.sh"
hooks-path="${cfg.package}/share/hooks"
build-path="${cfg.dataDir}"
'';
in
@ -20,6 +19,26 @@ in
services.buildkite-agent = {
enable = mkEnableOption "buildkite-agent";
package = mkOption {
default = pkgs.buildkite-agent;
defaultText = "pkgs.buildkite-agent";
description = "Which buildkite-agent derivation to use";
type = types.package;
};
dataDir = mkOption {
default = "/var/lib/buildkite-agent";
description = "The workdir for the agent";
type = types.str;
};
runtimePackages = mkOption {
default = [ pkgs.bash pkgs.nix ];
defaultText = "[ pkgs.bash pkgs.nix ]";
description = "Add programs to the buildkite-agent environment";
type = types.listOf types.package;
};
token = mkOption {
type = types.str;
description = ''
@ -62,26 +81,30 @@ in
config = mkIf config.services.buildkite-agent.enable {
users.extraUsers.buildkite-agent =
{ name = "buildkite-agent";
home = "/var/lib/buildkite-agent";
home = cfg.dataDir;
createHome = true;
description = "Buildkite agent user";
};
environment.systemPackages = [ pkgs.buildkite-agent ];
environment.systemPackages = [ cfg.package ];
systemd.services.buildkite-agent =
{ description = "Buildkite Agent";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment.HOME = "/var/lib/buildkite-agent";
path = cfg.runtimePackages;
environment = config.networking.proxy.envVars // {
HOME = cfg.dataDir;
NIX_REMOTE = "daemon";
};
preStart = ''
${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/lib/buildkite-agent/.ssh
${pkgs.coreutils}/bin/mkdir -m 0700 -p ${cfg.dataDir}/.ssh
echo "${cfg.openssh.privateKey}" > /var/lib/buildkite-agent/.ssh/id_rsa
${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa
echo "${cfg.openssh.privateKey}" > ${cfg.dataDir}/.ssh/id_rsa
${pkgs.coreutils}/bin/chmod 600 ${cfg.dataDir}/.ssh/id_rsa
echo "${cfg.openssh.publicKey}" > /var/lib/buildkite-agent/.ssh/id_rsa.pub
${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa.pub
echo "${cfg.openssh.publicKey}" > ${cfg.dataDir}/.ssh/id_rsa.pub
${pkgs.coreutils}/bin/chmod 600 ${cfg.dataDir}/.ssh/id_rsa.pub
'';
serviceConfig =

View File

@ -78,6 +78,13 @@ in {
'';
};
package = mkOption {
default = pkgs.jenkins;
defaultText = "pkgs.jenkins";
type = types.package;
description = "Jenkins package to use.";
};
packages = mkOption {
default = [ pkgs.stdenv pkgs.git pkgs.jdk config.programs.ssh.package pkgs.nix ];
defaultText = "[ pkgs.stdenv pkgs.git pkgs.jdk config.programs.ssh.package pkgs.nix ]";
@ -194,7 +201,7 @@ in {
'';
script = ''
${pkgs.jdk}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${pkgs.jenkins}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
${pkgs.jdk}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
--httpPort=${toString cfg.port} \
--prefix=${cfg.prefix} \
${concatStringsSep " " cfg.extraOptions}

View File

@ -67,7 +67,7 @@ in
type = types.nullOr types.str;
default = null;
example = literalExample "0.0.0.0";
description = "Address to bind to. The default it to bind to all addresses";
description = "Address to bind to. The default is to bind to all addresses";
};
port = mkOption {

View File

@ -3,16 +3,16 @@
with lib;
let
cfg = config.services.postage;
cfg = config.services.pgmanage;
confFile = pkgs.writeTextFile {
name = "postage.conf";
name = "pgmanage.conf";
text = ''
connection_file = ${postageConnectionsFile}
connection_file = ${pgmanageConnectionsFile}
allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}
postage_port = ${toString cfg.port}
pgmanage_port = ${toString cfg.port}
super_only = ${builtins.toJSON cfg.superOnly}
@ -20,7 +20,7 @@ let
login_timeout = ${toString cfg.loginTimeout}
web_root = ${cfg.package}/etc/postage/web_root
web_root = ${cfg.package}/etc/pgmanage/web_root
data_root = ${cfg.dataRoot}
@ -33,24 +33,23 @@ let
'';
};
postageConnectionsFile = pkgs.writeTextFile {
name = "postage-connections.conf";
pgmanageConnectionsFile = pkgs.writeTextFile {
name = "pgmanage-connections.conf";
text = concatStringsSep "\n"
(mapAttrsToList (name : conn : "${name}: ${conn}") cfg.connections);
};
postage = "postage";
in {
pgmanage = "pgmanage";
options.services.postage = {
pgmanageOptions = {
enable = mkEnableOption "PostgreSQL Administration for the web";
package = mkOption {
type = types.package;
default = pkgs.postage;
defaultText = "pkgs.postage";
default = pkgs.pgmanage;
defaultText = "pkgs.pgmanage";
description = ''
The postage package to use.
The pgmanage package to use.
'';
};
@ -62,14 +61,14 @@ in {
"mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
};
description = ''
Postage requires at least one PostgreSQL server be defined.
pgmanage requires at least one PostgreSQL server be defined.
</para><para>
Detailed information about PostgreSQL connection strings is available at:
<link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
</para><para>
Note that you should not specify your user name or password. That
information will be entered on the login screen. If you specify a
username or password, it will be removed by Postage before attempting to
username or password, it will be removed by pgmanage before attempting to
connect to a database.
'';
};
@ -78,7 +77,7 @@ in {
type = types.bool;
default = false;
description = ''
This tells Postage whether or not to allow anyone to use a custom
This tells pgmanage whether or not to allow anyone to use a custom
connection from the login screen.
'';
};
@ -87,7 +86,7 @@ in {
type = types.int;
default = 8080;
description = ''
This tells Postage what port to listen on for browser requests.
This tells pgmanage what port to listen on for browser requests.
'';
};
@ -95,7 +94,7 @@ in {
type = types.bool;
default = true;
description = ''
This tells Postage whether or not to set the listening socket to local
This tells pgmanage whether or not to set the listening socket to local
addresses only.
'';
};
@ -104,10 +103,10 @@ in {
type = types.bool;
default = true;
description = ''
This tells Postage whether or not to only allow super users to
This tells pgmanage whether or not to only allow super users to
login. The recommended value is true and will restrict users who are not
super users from logging in to any PostgreSQL instance through
Postage. Note that a connection will be made to PostgreSQL in order to
pgmanage. Note that a connection will be made to PostgreSQL in order to
test if the user is a superuser.
'';
};
@ -116,8 +115,8 @@ in {
type = types.nullOr types.str;
default = null;
description = ''
This tells Postage to only allow users in a certain PostgreSQL group to
login to Postage. Note that a connection will be made to PostgreSQL in
This tells pgmanage to only allow users in a certain PostgreSQL group to
login to pgmanage. Note that a connection will be made to PostgreSQL in
order to test if the user is a member of the login group.
'';
};
@ -133,10 +132,10 @@ in {
dataRoot = mkOption {
type = types.str;
default = "/var/lib/postage";
default = "/var/lib/pgmanage";
description = ''
This tells Postage where to put the SQL file history. All tabs are saved
to this location so that if you get disconnected from Postage you
This tells pgmanage where to put the SQL file history. All tabs are saved
to this location so that if you get disconnected from pgmanage you
don't lose your work.
'';
};
@ -156,15 +155,15 @@ in {
});
default = null;
description = ''
These options tell Postage where the TLS Certificate and Key files
These options tell pgmanage where the TLS Certificate and Key files
reside. If you use these options then you'll only be able to access
Postage through a secure TLS connection. These options are only
necessary if you wish to connect directly to Postage using a secure TLS
connection. As an alternative, you can set up Postage in a reverse proxy
pgmanage through a secure TLS connection. These options are only
necessary if you wish to connect directly to pgmanage using a secure TLS
connection. As an alternative, you can set up pgmanage in a reverse proxy
configuration. This allows your web server to terminate the secure
connection and pass on the request to Postage. You can find help to set
connection and pass on the request to pgmanage. You can find help to set
up this configuration in:
<link xlink:href="https://github.com/workflowproducts/postage/blob/master/INSTALL_NGINX.md"/>
<link xlink:href="https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md"/>
'';
};
@ -177,29 +176,47 @@ in {
};
};
config = mkIf cfg.enable {
systemd.services.postage = {
description = "postage - PostgreSQL Administration for the web";
in {
options.services.pgmanage = pgmanageOptions;
# This is deprecated and should be removed for NixOS-18.03.
options.services.postage = pgmanageOptions;
config = mkMerge [
{ assertions = [
{ assertion = !config.services.postage.enable;
message =
"services.postage is deprecated in favour of pgmanage. " +
"They have the same options so just substitute postage for pgmanage." ;
}
];
}
(mkIf cfg.enable {
systemd.services.pgmanage = {
description = "pgmanage - PostgreSQL Administration for the web";
wants = [ "postgresql.service" ];
after = [ "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = postage;
Group = postage;
ExecStart = "${pkgs.postage}/sbin/postage -c ${confFile}" +
User = pgmanage;
Group = pgmanage;
ExecStart = "${pkgs.pgmanage}/sbin/pgmanage -c ${confFile}" +
optionalString cfg.localOnly " --local-only=true";
};
};
users = {
users."${postage}" = {
name = postage;
group = postage;
users."${pgmanage}" = {
name = pgmanage;
group = pgmanage;
home = cfg.dataRoot;
createHome = true;
};
groups."${postage}" = {
name = postage;
};
groups."${pgmanage}" = {
name = pgmanage;
};
};
})
];
}

View File

@ -34,6 +34,8 @@ with lib;
services.dbus.packages = [ pkgs.at_spi2_core ];
systemd.packages = [ pkgs.at_spi2_core ];
};
}

View File

@ -35,6 +35,18 @@ with lib;
description = "Whether to set the system sendmail to nullmailer's.";
};
remotesFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Path to the <code>remotes</code> control file. This file contains a
list of remote servers to which to send each message.
See <code>man 8 nullmailer-send</code> for syntax and available
options.
'';
};
config = {
adminaddr = mkOption {
type = types.nullOr types.str;
@ -142,7 +154,16 @@ with lib;
type = types.nullOr types.str;
default = null;
description = ''
If set, content will override the envelope sender on all messages.
A list of remote servers to which to send each message. Each line
contains a remote host name or address followed by an optional
protocol string, separated by white space.
See <code>man 8 nullmailer-send</code> for syntax and available
options.
WARNING: This is stored world-readable in the nix store. If you need
to specify any secret credentials here, consider using the
<code>remotesFile</code> option instead.
'';
};
@ -164,13 +185,19 @@ with lib;
cfg = config.services.nullmailer;
in mkIf cfg.enable {
assertions = [
{ assertion = cfg.config.remotes == null || cfg.remotesFile == null;
message = "Only one of `remotesFile` or `config.remotes` may be used at a time.";
}
];
environment = {
systemPackages = [ pkgs.nullmailer ];
etc = let
getval = attr: builtins.getAttr attr cfg.config;
attrs = builtins.attrNames cfg.config;
attrs' = builtins.filter (attr: ! isNull (getval attr)) attrs;
in foldl' (as: attr: as // { "nullmailer/${attr}".text = getval attr; }) {} attrs';
validAttrs = filterAttrs (name: value: value != null) cfg.config;
in
(foldl' (as: name: as // { "nullmailer/${name}".text = validAttrs.${name}; }) {} (attrNames validAttrs))
// optionalAttrs (cfg.remotesFile != null) { "nullmailer/remotes".source = cfg.remotesFile; };
};
users = {
@ -192,7 +219,7 @@ with lib;
preStart = ''
mkdir -p /var/spool/nullmailer/{queue,tmp}
rm -f var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
rm -f /var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
chown ${cfg.user} /var/spool/nullmailer/*
'';

View File

@ -8,10 +8,12 @@ let
defaultSock = "local:/run/opendkim/opendkim.sock";
keyFile = "${cfg.keyPath}/${cfg.selector}.private";
args = [ "-f" "-l"
"-p" cfg.socket
"-d" cfg.domains
"-k" cfg.keyFile
"-k" keyFile
"-s" cfg.selector
] ++ optionals (cfg.configFile != null) [ "-x" cfg.configFile ];
@ -57,9 +59,13 @@ in {
'';
};
keyFile = mkOption {
keyPath = mkOption {
type = types.path;
description = "Secret key file used for signing messages.";
description = ''
The path that opendkim should put its generated private keys into.
The DNS settings will be found in this directory with the name selector.txt.
'';
default = "/var/lib/opendkim/keys";
};
selector = mkOption {
@ -100,11 +106,25 @@ in {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "${cfg.keyPath}"
cd "${cfg.keyPath}"
if ! test -f ${cfg.selector}.private; then
${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key
echo "Generated OpenDKIM key! Please update your DNS settings:\n"
echo "-------------------------------------------------------------"
cat ${cfg.selector}.txt
echo "-------------------------------------------------------------"
fi
chown ${cfg.user}:${cfg.group} ${cfg.selector}.private
'';
serviceConfig = {
ExecStart = "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
PermissionsStartOnly = true;
};
};

View File

@ -0,0 +1,56 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
services.pfix-srsd = {
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to run the postfix sender rewriting scheme daemon.";
};
domain = mkOption {
description = "The domain for which to enable srs";
type = types.str;
example = "example.com";
};
secretsFile = mkOption {
description = ''
The secret data used to encode the SRS address.
to generate, use a command like:
<literal>for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/ -$//' | sed 's/^/ /'; done</literal>
'';
type = types.path;
default = "/var/lib/pfix-srsd/secrets";
};
};
};
###### implementation
config = mkIf config.services.pfix-srsd.enable {
environment = {
systemPackages = [ pkgs.pfixtools ];
};
systemd.services."pfix-srsd" = {
description = "Postfix sender rewriting scheme daemon";
before = [ "postfix.service" ];
#note that we use requires rather than wants because postfix
#is unable to process (almost) all mail without srsd
requiredBy = [ "postfix.service" ];
serviceConfig = {
Type = "forking";
PIDFile = "/var/run/pfix-srsd.pid";
ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /var/run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
};
};
};
}

View File

@ -28,7 +28,7 @@ let
mainCf = let
escape = replaceStrings ["$"] ["$$"];
mkList = items: "\n " + concatMapStringsSep "\n " escape items;
mkList = items: "\n " + concatStringsSep "\n " items;
mkVal = value:
if isList value then mkList value
else " " + (if value == true then "yes"
@ -60,9 +60,11 @@ let
manpage_directory = "${pkgs.postfix}/share/man";
html_directory = "${pkgs.postfix}/share/postfix/doc/html";
shlib_directory = false;
relayhost = if cfg.lookupMX || cfg.relayHost == ""
then cfg.relayHost
else "[${cfg.relayHost}]";
relayhost = if cfg.relayHost == "" then "" else
if cfg.lookupMX
then "${cfg.relayHost}:${toString cfg.relayPort}"
else "[${cfg.relayHost}]:${toString cfg.relayPort}";
mail_spool_directory = "/var/spool/mail/";
setgid_group = setgidGroup;
}
@ -79,6 +81,12 @@ let
// optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; }
// optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; }
// optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; }
// optionalAttrs cfg.useSrs {
sender_canonical_maps = "tcp:127.0.0.1:10001";
sender_canonical_classes = "envelope_sender";
recipient_canonical_maps = "tcp:127.0.0.1:10002";
recipient_canonical_classes= "envelope_recipient";
}
// optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; }
// optionalAttrs (cfg.sslCert != "") {
smtp_tls_CAfile = cfg.sslCACert;
@ -452,6 +460,14 @@ in
";
};
relayPort = mkOption {
type = types.int;
default = 25;
description = "
SMTP port for relay mail relay.
";
};
lookupMX = mkOption {
type = types.bool;
default = false;
@ -626,6 +642,12 @@ in
description = "Maps to be compiled and placed into /var/lib/postfix/conf.";
};
useSrs = mkOption {
type = types.bool;
default = false;
description = "Whether to enable sender rewriting scheme";
};
};
};
@ -646,6 +668,8 @@ in
systemPackages = [ pkgs.postfix ];
};
services.pfix-srsd.enable = config.services.postfix.useSrs;
services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
program = "sendmail";
source = "${pkgs.postfix}/bin/sendmail";

View File

@ -122,7 +122,11 @@ in
config = mkIf cfg.enable {
# Allow users to run 'spamc'.
environment.systemPackages = [ pkgs.spamassassin ];
environment = {
etc = singleton { source = spamdEnv; target = "spamassassin"; };
systemPackages = [ pkgs.spamassassin ];
};
users.extraUsers = singleton {
name = "spamd";
@ -177,11 +181,6 @@ in
# 0 and 1 no error, exitcode > 1 means error:
# https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
preStart = ''
# this abstraction requires no centralized config at all
if [ -d /etc/spamassassin ]; then
echo "This spamassassin does not support global '/etc/spamassassin' folder for configuration as this would be impure. Merge your configs into 'services.spamassassin' and remove the '/etc/spamassassin' folder to make this service work. Also see 'https://github.com/NixOS/nixpkgs/pull/26470'.";
exit 1
fi
echo "Recreating '/var/lib/spamasassin' with creating '3.004001' (or similar) and 'sa-update-keys'"
mkdir -p /var/lib/spamassassin
chown spamd:spamd /var/lib/spamassassin -R

View File

@ -0,0 +1,270 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gitea;
configFile = pkgs.writeText "app.ini" ''
APP_NAME = ${cfg.appName}
RUN_USER = ${cfg.user}
RUN_MODE = prod
[database]
DB_TYPE = ${cfg.database.type}
HOST = ${cfg.database.host}:${toString cfg.database.port}
NAME = ${cfg.database.name}
USER = ${cfg.database.user}
PASSWD = #dbpass#
PATH = ${cfg.database.path}
[repository]
ROOT = ${cfg.repositoryRoot}
[server]
DOMAIN = ${cfg.domain}
HTTP_ADDR = ${cfg.httpAddress}
HTTP_PORT = ${toString cfg.httpPort}
ROOT_URL = ${cfg.rootUrl}
STATIC_ROOT_PATH = ${cfg.staticRootPath}
[session]
COOKIE_NAME = session
COOKIE_SECURE = ${boolToString cfg.cookieSecure}
[security]
SECRET_KEY = #secretkey#
INSTALL_LOCK = true
${cfg.extraConfig}
'';
in
{
options = {
services.gitea = {
enable = mkOption {
default = false;
type = types.bool;
description = "Enable Gitea Service.";
};
useWizard = mkOption {
default = false;
type = types.bool;
description = "Do not generate a configuration and use gitea' installation wizard instead. The first registered user will be administrator.";
};
stateDir = mkOption {
default = "/var/lib/gitea";
type = types.str;
description = "gitea data directory.";
};
user = mkOption {
type = types.str;
default = "gitea";
description = "User account under which gitea runs.";
};
database = {
type = mkOption {
type = types.enum [ "sqlite3" "mysql" "postgres" ];
example = "mysql";
default = "sqlite3";
description = "Database engine to use.";
};
host = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Database host address.";
};
port = mkOption {
type = types.int;
default = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.str;
default = "gitea";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = "gitea";
description = "Database user.";
};
password = mkOption {
type = types.str;
default = "";
description = ''
The password corresponding to <option>database.user</option>.
Warning: this is stored in cleartext in the Nix store!
Use <option>database.passwordFile</option> instead.
'';
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/gitea-dbpassword";
description = ''
A file containing the password corresponding to
<option>database.user</option>.
'';
};
path = mkOption {
type = types.str;
default = "${cfg.stateDir}/data/gitea.db";
description = "Path to the sqlite3 database file.";
};
};
appName = mkOption {
type = types.str;
default = "gitea: Gitea Service";
description = "Application name.";
};
repositoryRoot = mkOption {
type = types.str;
default = "${cfg.stateDir}/repositories";
description = "Path to the git repositories.";
};
domain = mkOption {
type = types.str;
default = "localhost";
description = "Domain name of your server.";
};
rootUrl = mkOption {
type = types.str;
default = "http://localhost:3000/";
description = "Full public URL of gitea server.";
};
httpAddress = mkOption {
type = types.str;
default = "0.0.0.0";
description = "HTTP listen address.";
};
httpPort = mkOption {
type = types.int;
default = 3000;
description = "HTTP listen port.";
};
cookieSecure = mkOption {
type = types.bool;
default = false;
description = ''
Marks session cookies as "secure" as a hint for browsers to only send
them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
'';
};
staticRootPath = mkOption {
type = types.str;
default = "${pkgs.gitea.data}";
example = "/var/lib/gitea/data";
description = "Upper level of template and static files path.";
};
extraConfig = mkOption {
type = types.str;
default = "";
description = "Configuration lines appended to the generated gitea configuration file.";
};
};
};
config = mkIf cfg.enable {
systemd.services.gitea = {
description = "gitea";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.gitea.bin ];
preStart = let
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
secretKey = "${cfg.stateDir}/custom/conf/secret_key";
in ''
mkdir -p ${cfg.stateDir}
# copy custom configuration and generate a random secret key if needed
${optionalString (cfg.useWizard == false) ''
mkdir -p ${cfg.stateDir}/custom/conf
cp -f ${configFile} ${runConfig}
if [ ! -e ${secretKey} ]; then
head -c 16 /dev/urandom | base64 > ${secretKey}
fi
KEY=$(head -n1 ${secretKey})
DBPASS=$(head -n1 ${cfg.database.passwordFile})
sed -e "s,#secretkey#,$KEY,g" \
-e "s,#dbpass#,$DBPASS,g" \
-i ${runConfig}
chmod 640 ${runConfig} ${secretKey}
''}
mkdir -p ${cfg.repositoryRoot}
# update all hooks' binary paths
HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 4 -type f -wholename "*git/hooks/*")
if [ "$HOOKS" ]
then
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${pkgs.gitea.bin}/bin/gitea,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS
fi
if [ ! -d ${cfg.stateDir}/conf/locale ]
then
mkdir -p ${cfg.stateDir}/conf
cp -r ${pkgs.gitea.out}/locale ${cfg.stateDir}/conf/locale
fi
'';
serviceConfig = {
Type = "simple";
User = cfg.user;
WorkingDirectory = cfg.stateDir;
ExecStart = "${pkgs.gitea.bin}/bin/gitea web";
Restart = "always";
};
environment = {
USER = cfg.user;
HOME = cfg.stateDir;
GITEA_WORK_DIR = cfg.stateDir;
};
};
users = mkIf (cfg.user == "gitea") {
extraUsers.gitea = {
description = "Gitea Service";
home = cfg.stateDir;
createHome = true;
};
};
warnings = optional (cfg.database.password != "")
''config.services.gitea.database.password will be stored as plaintext
in the Nix store. Use database.passwordFile instead.'';
# Create database passwordFile default when password is configured.
services.gitea.database.passwordFile =
(mkDefault (toString (pkgs.writeTextFile {
name = "gitea-database-password";
text = cfg.database.password;
})));
};
}

Some files were not shown because too many files have changed in this diff Show More