JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into staging-next

Browse Source 
There ver very many conflicts, basically all due to
name -> pname+version.  Fortunately, almost everything was auto-resolved
by kdiff3, and for now I just fixed up a couple evaluation problems,
as verified by the tarball job.  There might be some fallback to these
conflicts, but I believe it should be minimal.

Hydra nixpkgs: ?compare=1538299
This commit is contained in:
Vladimír Čunát 2019-08-24 08:19:05 +02:00
commit 2e6bf42a22
No known key found for this signature in database
GPG Key ID: E747DF1F9575A3AA
865 changed files with 29587 additions and 14316 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/languages-frameworks/android.section.md
View File

@ -185,10 +185,9 @@ with import <nixpkgs> {};
androidenv.emulateApp {
name = "emulate-MyAndroidApp";
platformVersion = "24";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
systemImageType = "default";
useGoogleAPIs = false;
platformVersion = "28";
abiVersion = "x86_64"; # armeabi-v7a, mips, x86
systemImageType = "google_apis_playstore";
}
```
@ -201,7 +200,7 @@ with import <nixpkgs> {};
androidenv.emulateApp {
name = "emulate-MyAndroidApp";
platformVersion = "24";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
abiVersion = "armeabi-v7a"; # mips, x86, x86_64
systemImageType = "default";
useGoogleAPIs = false;
app = ./MyApp.apk;

33
doc/languages-frameworks/perl.xml
View File

@ -75,7 +75,8 @@ foo = import ../path/to/foo.nix {
It adds the contents of the <envar>PERL5LIB</envar> environment variable
to <literal>#! .../bin/perl</literal> line of Perl scripts as
<literal>-I<replaceable>dir</replaceable></literal> flags. This ensures
that a script can find its dependencies.
that a script can find its dependencies. (This can cause this shebang line
to become too long for Darwin to handle; see the note below.)
</para>
</listitem>
<listitem>
@ -137,6 +138,36 @@ ClassC3Componentised = buildPerlPackage rec {
</programlisting>
</para>
<para>
On Darwin, if a script has too many
<literal>-I<replaceable>dir</replaceable></literal> flags in its first line
(its “shebang line”), it will not run. This can be worked around by calling
the <literal>shortenPerlShebang</literal> function from the
<literal>postInstall</literal> phase:
<programlisting>
{ stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:
ImageExifTool = buildPerlPackage {
pname = "Image-ExifTool";
version = "11.50";
src = fetchurl {
url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
};
buildInputs = stdenv.lib.optional stdenv.isDarwin shortenPerlShebang;
postInstall = stdenv.lib.optional stdenv.isDarwin ''
shortenPerlShebang $out/bin/exiftool
'';
};
</programlisting>
This will remove the <literal>-I</literal> flags from the shebang line,
rewrite them in the <literal>use lib</literal> form, and put them on the next
line instead. This function can be given any number of Perl scripts as
arguments; it will modify them in-place.
</para>
<section xml:id="ssec-generation-from-CPAN">
<title>Generation from CPAN</title>

2
lib/default.nix
View File

@ -71,7 +71,7 @@ let
zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil
recursiveUpdate matchAttrs overrideExisting getOutput getBin
getLib getDev chooseDevOutputs zipWithNames zip;
inherit (lists) singleton foldr fold foldl foldl' imap0 imap1
inherit (lists) singleton forEach foldr fold foldl foldl' imap0 imap1
concatMap flatten remove findSingle findFirst any all count
optional optionals toList range partition zipListsWith zipLists
reverseList listDfs toposort sort naturalSort compareLists take

13
lib/lists.nix
View File

@ -21,6 +21,19 @@ rec {
*/
singleton = x: [x];
/* Apply the function to each element in the list. Same as `map`, but arguments
flipped.
Type: forEach :: [a] -> (a -> b) -> [b]
Example:
forEach [ 1 2 ] (x:
toString x
)
=> [ "1" "2" ]
*/
forEach = xs: f: map f xs;
/* right fold a binary function `op` between successive elements of
`list` with `nul' as the starting value, i.e.,
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.

38
maintainers/maintainer-list.nix
View File

@ -40,6 +40,12 @@
See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data.
*/
{
"00-matt" = {
name = "Matt Smith";
email = "matt@offtopica.uk";
github = "00-matt";
githubId = 48835712;
};
"0x4A6F" = {
email = "0x4A6F@shackspace.de";
name = "Joachim Ernst";
@ -296,6 +302,11 @@
githubId = 17208985;
name = "Alex Rice";
};
alexbakker = {
email = "ab@alexbakker.me";
github = "alexbakker";
name = "Alexander Bakker";
};
alexchapman = {
email = "alex@farfromthere.net";
github = "AJChapman";
@ -571,6 +582,12 @@
githubId = 816777;
name = "Ashley Gillman";
};
ashkitten = {
email = "ashlea@protonmail.com";
github = "ashkitten";
githubId = 9281956;
name = "ash lea";
};
aske = {
email = "aske@fmap.me";
github = "aske";
@ -2738,6 +2755,11 @@
githubId = 26877687;
name = "Yurii Izorkin";
};
jasoncarr = {
email = "jcarr250@gmail.com";
github = "jasoncarr0";
name = "Jason Carr";
};
j-keck = {
email = "jhyphenkeck@gmail.com";
github = "j-keck";
@ -3218,6 +3240,11 @@
githubId = 6282557;
name = "Kiloreux Emperex";
};
kim0 = {
email = "email.ahmedkamal@googlemail.com";
github = "kim0";
name = "Ahmed Kamal";
};
kimburgess = {
email = "kim@acaprojects.com";
github = "kimburgess";
@ -3236,6 +3263,11 @@
githubId = 451835;
name = "Kirill Elagin";
};
kirikaza = {
email = "k@kirikaza.ru";
github = "kirikaza";
name = "Kirill Kazakov";
};
kisonecat = {
email = "kisonecat@gmail.com";
github = "kisonecat";
@ -5897,6 +5929,12 @@
githubId = 231788;
name = "Stephen Weinberg";
};
sterfield = {
email = "sterfield@gmail.com";
github = "sterfield";
githubId = 5747061;
name = "Guillaume Loetscher";
};
sternenseemann = {
email = "post@lukasepple.de";
github = "sternenseemann";

2
maintainers/scripts/luarocks-packages.csv
View File

@ -1,4 +1,5 @@
# nix name, luarocks name, server, version,luaversion,maintainers
alt-getopt,,,,,arobyn
ansicolors,,,,,
argparse,,,,,
basexx,,,,,
@ -56,6 +57,7 @@ luv,,,,,
markdown,,,,,
mediator_lua,,,,,
mpack,,,,,
moonscript,,,,,arobyn
nvim-client,,,,,
penlight,,,,,
rapidjson,,,,,

1 # nix name luarocks name server version luaversion maintainers
2 alt-getopt arobyn
3 ansicolors
4 argparse
5 basexx
57 markdown
58 mediator_lua
59 mpack
60 moonscript arobyn
61 nvim-client
62 penlight
63 rapidjson

82
nixos/doc/manual/release-notes/rl-1909.xml
View File

@ -237,6 +237,12 @@
</para>
</listitem>
<listitem>
<para>
The <literal>shibboleth-sp</literal> package has been updated to version 3.
It is largely backward compatible, for further information refer to the
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release notes</link>
and <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade guide</link>.
</para>
<para>
Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
</para>
@ -263,6 +269,21 @@
<literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4.
</para>
</listitem>
</itemizedlist>
</section>
@ -424,6 +445,67 @@
installer after creating <literal>/var/lib/nextcloud</literal>.
</para>
</listitem>
<listitem>
<para>
There exists now <literal>lib.forEach</literal>, which is like <literal>map</literal>, but with
arguments flipped. When mapping function body spans many lines (or has nested
<literal>map</literal>s), it is often hard to follow which list is modified.
</para>
<para>
Previous solution to this problem was either to use <literal>lib.flip map</literal>
idiom or extract that anonymous mapping function to a named one. Both can still be used
but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
</para>
<para>
The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
<link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
<literal>/etc/sysctl.d/60-nixos.conf</literal>, as
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
two-digit number and a dash to simplify the ordering of the files.
</para>
</listitem>
<listitem>
<para>
We now install the sysctl snippets shipped with systemd.
<itemizedlist>
<para>This enables:</para>
<listitem>
<para>Loose reverse path filtering</para>
</listitem>
<listitem>
<para>Source route filtering</para>
</listitem>
<listitem>
<para>
<literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
</para>
</listitem>
</itemizedlist>
This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
(which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
</para>
</listitem>
<listitem>
<para>
Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
<literal>systemd-coredump</literal> behaviour can still be modified via
<option>systemd.coredump.extraConfig</option>.
To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
in the working directory), without piping it through <literal>systemd-coredump</literal>, set
<option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>systemd.packages</literal> option now also supports generators and
shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
been removed.
</para>
</listitem>
</itemizedlist>
</section>
</section>

6
nixos/lib/build-vms.nix
View File

@ -54,11 +54,11 @@ rec {
machinesNumbered = zipLists machines (range 1 254);
nodes_ = flip map machinesNumbered (m: nameValuePair m.fst
nodes_ = forEach machinesNumbered (m: nameValuePair m.fst
[ ( { config, nodes, ... }:
let
interfacesNumbered = zipLists config.virtualisation.vlans (range 1 255);
interfaces = flip map interfacesNumbered ({ fst, snd }:
interfaces = forEach interfacesNumbered ({ fst, snd }:
nameValuePair "eth${toString snd}" { ipv4.addresses =
[ { address = "192.168.${toString fst}.${toString m.snd}";
prefixLength = 24;
@ -88,7 +88,7 @@ rec {
"${config.networking.hostName}\n"));
virtualisation.qemu.options =
flip map interfacesNumbered
forEach interfacesNumbered
({ fst, snd }: qemuNICFlags snd fst m.snd);
};
}

2
nixos/maintainers/option-usages.nix
View File

@ -102,7 +102,7 @@ let
# builtins multiply by 4 the memory usage and the time used to compute
# each options.
tryCollectOptions = moduleResult:
flip map (excludeOptions (collect isOption moduleResult)) (opt:
forEach (excludeOptions (collect isOption moduleResult)) (opt:
{ name = showOption opt.loc; } // builtins.tryEval (strict opt.value));
in
keepNames (

168
nixos/modules/config/fonts/fontconfig-penultimate.nix
View File

@ -52,85 +52,11 @@ let
</fontconfig>
'';
# local configuration file
localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
# The configuration to be included in /etc/font/
penultimateConf = pkgs.runCommand "font-penultimate-conf" {
preferLocalBuild = true;
} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/../fonts.conf
# fontconfig-penultimate various configuration files
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
ln -s ${antialiasConf} $support_folder/10-antialias.conf
ln -s ${antialiasConf} $latest_folder/10-antialias.conf
rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
ln -s ${hintingConf} $support_folder/10-hinting.conf
ln -s ${hintingConf} $latest_folder/10-hinting.conf
${optionalString cfg.useEmbeddedBitmaps ''
rm $support_folder/10-no-embedded-bitmaps.conf
rm $latest_folder/10-no-embedded-bitmaps.conf
''}
rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
ln -s ${subpixelConf} $support_folder/10-subpixel.conf
ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
${optionalString (cfg.dpi != 0) ''
ln -s ${dpiConf} $support_folder/11-dpi.conf
ln -s ${dpiConf} $latest_folder/11-dpi.conf
''}
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# 51-local.conf
rm $latest_folder/51-local.conf
substitute \
${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $out/etc/fonts/local.conf
ln -s ${localConf} $out/etc/fonts/${latestVersion}/local.conf
''}
ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
${optionalString cfg.allowBitmaps ''
rm $support_folder/53-no-bitmaps.conf
rm $latest_folder/53-no-bitmaps.conf
''}
${optionalString (!cfg.allowType1) ''
ln -s ${rejectType1} $support_folder/53-no-type1.conf
ln -s ${rejectType1} $latest_folder/53-no-type1.conf
''}
'';
# rendering settings configuration files
# priority 10
hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
@ -199,6 +125,8 @@ let
</fontconfig>
'';
# default fonts configuration file
# priority 52
defaultFontsConf =
let genDefault = fonts: name:
optionalString (fonts != []) ''
@ -228,7 +156,9 @@ let
</fontconfig>
'';
rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
# reject Type 1 fonts
# priority 53
rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
@ -245,6 +175,88 @@ let
</fontconfig>
'';
# The configuration to be included in /etc/font/
penultimateConf = pkgs.runCommand "fontconfig-penultimate-conf" {
preferLocalBuild = true;
} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
# fonts.conf
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/../fonts.conf
# fontconfig-penultimate various configuration files
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
ln -s ${antialiasConf} $support_folder/10-antialias.conf
ln -s ${antialiasConf} $latest_folder/10-antialias.conf
rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
ln -s ${hintingConf} $support_folder/10-hinting.conf
ln -s ${hintingConf} $latest_folder/10-hinting.conf
${optionalString cfg.useEmbeddedBitmaps ''
rm $support_folder/10-no-embedded-bitmaps.conf
rm $latest_folder/10-no-embedded-bitmaps.conf
''}
rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
ln -s ${subpixelConf} $support_folder/10-subpixel.conf
ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
${optionalString (cfg.dpi != 0) ''
ln -s ${dpiConf} $support_folder/11-dpi.conf
ln -s ${dpiConf} $latest_folder/11-dpi.conf
''}
# 50-user.conf
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# 51-local.conf
rm $latest_folder/51-local.conf
substitute \
${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $support_folder/../local.conf
ln -s ${localConf} $latest_folder/../local.conf
''}
# 52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
# 53-no-bitmaps.conf
${optionalString cfg.allowBitmaps ''
rm $support_folder/53-no-bitmaps.conf
rm $latest_folder/53-no-bitmaps.conf
''}
${optionalString (!cfg.allowType1) ''
# 53-nixos-reject-type1.conf
ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
''}
'';
in
{

62
nixos/modules/config/fonts/fontconfig.nix
View File

@ -14,11 +14,12 @@ Low number means high priority.
*/
{ config, lib, pkgs, ... }:
{ config, pkgs, lib, ... }:
with lib;
let cfg = config.fonts.fontconfig;
let
cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (boolToString x) + "</bool>";
@ -108,7 +109,6 @@ let cfg = config.fonts.fontconfig;
'';
# local configuration file
# priority 51
localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
# default fonts configuration file
@ -144,7 +144,7 @@ let cfg = config.fonts.fontconfig;
# bitmap font options
# priority 53
rejectBitmaps = pkgs.writeText "fc-53-nixos-bitmaps.conf" ''
rejectBitmaps = pkgs.writeText "fc-53-no-bitmaps.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
@ -190,64 +190,66 @@ let cfg = config.fonts.fontconfig;
'';
# fontconfig configuration package
confPkg = pkgs.runCommand "fontconfig-conf" { preferLocalBuild = true; } ''
support_folder=$out/etc/fonts
latest_folder=$out/etc/fonts/${latestVersion}
confPkg = pkgs.runCommand "fontconfig-conf" {
preferLocalBuild = true;
} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder/conf.d
mkdir -p $latest_folder/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
# fonts.conf
ln -s ${supportFontsConf} $support_folder/fonts.conf
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/fonts.conf
$latest_folder/../fonts.conf
# fontconfig default config files
ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
$support_folder/conf.d/
$support_folder/
ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \
$latest_folder/conf.d/
$latest_folder/
# update latest 51-local.conf path to look at the latest local.conf
rm $latest_folder/conf.d/51-local.conf
rm $latest_folder/51-local.conf
substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
$latest_folder/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
# 00-nixos-cache.conf
ln -s ${cacheConfSupport} \
$support_folder/conf.d/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/conf.d/00-nixos-cache.conf
$support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
# 10-nixos-rendering.conf
ln -s ${renderConf} $support_folder/conf.d/10-nixos-rendering.conf
ln -s ${renderConf} $latest_folder/conf.d/10-nixos-rendering.conf
ln -s ${renderConf} $support_folder/10-nixos-rendering.conf
ln -s ${renderConf} $latest_folder/10-nixos-rendering.conf
# 50-user.conf
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/conf.d/50-user.conf
rm $latest_folder/conf.d/50-user.conf
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $support_folder/local.conf
ln -s ${localConf} $latest_folder/local.conf
ln -s ${localConf} $support_folder/../local.conf
ln -s ${localConf} $latest_folder/../local.conf
''}
# 52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $support_folder/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-nixos-default-fonts.conf
# 53-nixos-bitmaps.conf
ln -s ${rejectBitmaps} $support_folder/conf.d/53-nixos-bitmaps.conf
ln -s ${rejectBitmaps} $latest_folder/conf.d/53-nixos-bitmaps.conf
# 53-no-bitmaps.conf
ln -s ${rejectBitmaps} $support_folder/53-no-bitmaps.conf
ln -s ${rejectBitmaps} $latest_folder/53-no-bitmaps.conf
${optionalString (!cfg.allowType1) ''
# 53-nixos-reject-type1.conf
ln -s ${rejectType1} $support_folder/conf.d/53-nixos-reject-type1.conf
ln -s ${rejectType1} $latest_folder/conf.d/53-nixos-reject-type1.conf
ln -s ${rejectType1} $support_folder/53-nixos-reject-type1.conf
ln -s ${rejectType1} $latest_folder/53-nixos-reject-type1.conf
''}
'';

102
nixos/modules/config/qt5.nix Normal file
View File

@ -0,0 +1,102 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.qt5;
isQGnome = cfg.platformTheme == "gnome" && cfg.style == "adwaita";
isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita";
packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
else if isQtStyle then [ pkgs.qtstyleplugins ]
else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
in
{
options = {
qt5 = {
enable = mkEnableOption "Qt5 theming configuration";
platformTheme = mkOption {
type = types.enum [
"gtk2"
"gnome"
];
example = "gnome";
relatedPackages = [
"qgnomeplatform"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the platform theme to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>gtk</literal></term>
<listitem><para>Use GTK theme with
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>gnome</literal></term>
<listitem><para>Use GNOME theme with
<link xlink:href="https://github.com/FedoraQt/QGnomePlatform">qgnomeplatform</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
style = mkOption {
type = types.enum [
"adwaita"
"cleanlooks"
"gtk2"
"motif"
"plastique"
];
example = "adwaita";
relatedPackages = [
"adwaita-qt"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the style to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>adwaita</literal></term>
<listitem><para>Use Adwaita Qt style with
<link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>cleanlooks</literal></term>
<term><literal>gtk2</literal></term>
<term><literal>motif</literal></term>
<term><literal>plastique</literal></term>
<listitem><para>Use styles from
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
};
};
config = mkIf cfg.enable {
environment.variables.QT_QPA_PLATFORMTHEME = cfg.platformTheme;
environment.variables.QT_STYLE_OVERRIDE = cfg.style;
environment.systemPackages = packages;
};
}

10
nixos/modules/config/sysctl.nix
View File

@ -42,22 +42,16 @@ in
config = {
environment.etc."sysctl.d/nixos.conf".text =
environment.etc."sysctl.d/60-nixos.conf".text =
concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl =
{ wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
};
# Enable hardlink and symlink restrictions. See
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
# for details.
boot.kernel.sysctl."fs.protected_hardlinks" = true;
boot.kernel.sysctl."fs.protected_symlinks" = true;
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = 1;

52
nixos/modules/config/vte.nix Normal file
View File

@ -0,0 +1,52 @@
# VTE
{ config, pkgs, lib, ... }:
with lib;
let
vteInitSnippet = ''
# Show current working directory in VTE terminals window title.
# Supports both bash and zsh, requires interactive shell.
. ${pkgs.vte}/etc/profile.d/vte.sh
'';
in
{
options = {
programs.bash.vteIntegration = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable Bash integration for VTE terminals.
This allows it to preserve the current directory of the shell
across terminals.
'';
};
programs.zsh.vteIntegration = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable Zsh integration for VTE terminals.
This allows it to preserve the current directory of the shell
across terminals.
'';
};
};
config = mkMerge [
(mkIf config.programs.bash.vteIntegration {
programs.bash.interactiveShellInit = vteInitSnippet;
})
(mkIf config.programs.zsh.vteIntegration {
programs.zsh.interactiveShellInit = vteInitSnippet;
})
];
}

4
nixos/modules/installer/cd-dvd/sd-image.nix
View File

@ -73,8 +73,8 @@ in
firmwareSize = mkOption {
type = types.int;
# As of 2019-05-31 the Raspberry pi firmware + u-bot takes ~13MiB
default = 20;
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 30;
description = ''
Size of the /boot/firmware partition, in megabytes.
'';

11
nixos/modules/module-list.nix
View File

@ -27,6 +27,7 @@
./config/nsswitch.nix
./config/power-management.nix
./config/pulseaudio.nix
./config/qt5.nix
./config/resolvconf.nix
./config/shells-environment.nix
./config/swap.nix
@ -37,6 +38,7 @@
./config/unix-odbc-drivers.nix
./config/users-groups.nix
./config/vpnc.nix
./config/vte.nix
./config/zram.nix
./hardware/acpilight.nix
./hardware/all-firmware.nix
@ -115,6 +117,7 @@
./programs/fuse.nix
./programs/gnome-disks.nix
./programs/gnome-documents.nix
./programs/gnome-terminal.nix
./programs/gpaste.nix
./programs/gnupg.nix
./programs/gphoto2.nix
@ -285,6 +288,7 @@
./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix
./services/desktops/gsignond.nix
./services/desktops/gvfs.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
@ -295,9 +299,7 @@
./services/desktops/gnome3/gnome-remote-desktop.nix
./services/desktops/gnome3/gnome-online-miners.nix
./services/desktops/gnome3/gnome-settings-daemon.nix
./services/desktops/gnome3/gnome-terminal-server.nix
./services/desktops/gnome3/gnome-user-share.nix
./services/desktops/gnome3/gvfs.nix
./services/desktops/gnome3/rygel.nix
./services/desktops/gnome3/seahorse.nix
./services/desktops/gnome3/sushi.nix
@ -436,13 +438,13 @@
./services/misc/logkeys.nix
./services/misc/leaps.nix
./services/misc/lidarr.nix
./services/misc/mantisbt.nix
./services/misc/mathics.nix
./services/misc/matrix-synapse.nix
./services/misc/mbpfan.nix
./services/misc/mediatomb.nix
./services/misc/mesos-master.nix
./services/misc/mesos-slave.nix
./services/misc/metabase.nix
./services/misc/mwlib.nix
./services/misc/nix-daemon.nix
./services/misc/nix-gc.nix
@ -520,7 +522,6 @@
./services/monitoring/scollector.nix
./services/monitoring/smartd.nix
./services/monitoring/sysstat.nix
./services/monitoring/systemhealth.nix
./services/monitoring/teamviewer.nix
./services/monitoring/telegraf.nix
./services/monitoring/thanos.nix
@ -608,6 +609,7 @@
./services/networking/iodine.nix
./services/networking/iperf3.nix
./services/networking/ircd-hybrid/default.nix
./services/networking/jormungandr.nix
./services/networking/iwd.nix
./services/networking/keepalived/default.nix
./services/networking/keybase.nix
@ -862,7 +864,6 @@
./system/activation/activation-script.nix
./system/activation/top-level.nix
./system/boot/binfmt.nix
./system/boot/coredump.nix
./system/boot/emergency-mode.nix
./system/boot/grow-partition.nix
./system/boot/initrd-network.nix

18
nixos/modules/profiles/hardened.nix
View File

@ -14,8 +14,6 @@ with lib;
nix.allowedUsers = mkDefault [ "@users" ];
environment.memoryAllocator.provider = mkDefault "graphene-hardened";
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
@ -95,23 +93,17 @@ with lib;
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
# Enable reverse path filtering (that is, do not attempt to route packets
# that "obviously" do not belong to the iface's network; dropped packets are
# logged as martians).
# Enable strict reverse path filtering (that is, do not attempt to route
# packets that "obviously" do not belong to the iface's network; dropped
# packets are logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
# Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
# Ignore route information from sender
boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;

10
nixos/modules/programs/dconf.nix
View File

@ -34,11 +34,11 @@ in
services.dbus.packages = [ pkgs.gnome3.dconf ];
environment.variables.GIO_EXTRA_MODULES = optional cfg.enable
"${pkgs.gnome3.dconf.lib}/lib/gio/modules";
# https://github.com/NixOS/nixpkgs/pull/31891
#environment.variables.XDG_DATA_DIRS = optional cfg.enable
# "$(echo ${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)";
# For dconf executable
environment.systemPackages = [ pkgs.gnome3.dconf ];
# Needed for unwrapped applications
environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ];
};
}

36
nixos/modules/programs/gnome-terminal.nix Normal file
View File

@ -0,0 +1,36 @@
# GNOME Terminal.
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.gnome-terminal;
in
{
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gnome-terminal-server" "enable" ]
[ "programs" "gnome-terminal" "enable" ])
];
options = {
programs.gnome-terminal.enable = mkEnableOption "GNOME Terminal";
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-terminal ];
services.dbus.packages = [ pkgs.gnome3.gnome-terminal ];
systemd.packages = [ pkgs.gnome3.gnome-terminal ];
programs.bash.vteIntegration = true;
programs.zsh.vteIntegration = true;
};
}

13
nixos/modules/programs/zsh/zsh.nix
View File

@ -69,9 +69,7 @@ in
promptInit = mkOption {
default = ''
if [ "$TERM" != dumb ]; then
autoload -U promptinit && promptinit && prompt walters
fi
autoload -U promptinit && promptinit && prompt walters && setopt prompt_sp
'';
description = ''
Shell script code used to initialise the zsh prompt.
@ -213,6 +211,15 @@ in
${cfg.promptInit}
# Need to disable features to support TRAMP
if [ "$TERM" = dumb ]; then
unsetopt zle prompt_cr prompt_subst
unfunction precmd preexec
unset RPS1 RPROMPT
PS1='$ '
PROMPT='$ '
fi
# Read system-wide modifications.
if test -f /etc/zshrc.local; then
. /etc/zshrc.local

3
nixos/modules/rename.nix
View File

@ -226,6 +226,7 @@ with lib;
(mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
(mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
(mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
(mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
# ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
@ -276,7 +277,7 @@ with lib;
throw "services.redshift.longitude is set to null, you can remove this"
else builtins.fromJSON value))
] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
"jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
"snmpExporter" "unifiExporter" "varnishExporter" ]
(opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] ''

28
nixos/modules/services/audio/roon-server.nix
View File

@ -19,6 +19,20 @@ in {
TCP: 9100 - 9200
'';
};
user = mkOption {
type = types.str;
default = "roon-server";
description = ''
User to run the Roon Server as.
'';
};
group = mkOption {
type = types.str;
default = "roon-server";
description = ''
Group to run the Roon Server as.
'';
};
};
};
@ -33,8 +47,8 @@ in {
serviceConfig = {
ExecStart = "${pkgs.roon-server}/opt/start.sh";
LimitNOFILE = 8192;
DynamicUser = true;
SupplementaryGroups = "audio";
User = cfg.user;
Group = cfg.group;
StateDirectory = name;
};
};
@ -45,5 +59,15 @@ in {
];
allowedUDPPorts = [ 9003 ];
};
users.groups."${cfg.group}" = {};
users.users."${cfg.user}" =
if cfg.user == "roon-server" then {
isSystemUser = true;
description = "Roon Server user";
groups = [ cfg.group "audio" ];
}
else {};
};
}

4
nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
View File

@ -30,9 +30,9 @@ with lib;
config = mkIf config.services.gnome3.gnome-online-accounts.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-online-accounts ];
environment.systemPackages = [ pkgs.gnome-online-accounts ];
services.dbus.packages = [ pkgs.gnome3.gnome-online-accounts ];
services.dbus.packages = [ pkgs.gnome-online-accounts ];
};

41
nixos/modules/services/desktops/gnome3/gnome-terminal-server.nix
View File

@ -1,41 +0,0 @@
# GNOME Documents daemon.
{ config, pkgs, lib, ... }:
with lib;
{
###### interface
options = {
services.gnome3.gnome-terminal-server = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GNOME Terminal server service,
needed for gnome-terminal.
'';
};
};
};
###### implementation
config = mkIf config.services.gnome3.gnome-terminal-server.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-terminal ];
services.dbus.packages = [ pkgs.gnome3.gnome-terminal ];
systemd.packages = [ pkgs.gnome3.gnome-terminal ];
};
}

43
nixos/modules/services/desktops/gnome3/gvfs.nix
View File

@ -1,43 +0,0 @@
# gvfs backends
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
services.gnome3.gvfs = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable gvfs backends, userspace virtual filesystem used
by GNOME components via D-Bus.
'';
};
};
};
###### implementation
config = mkIf config.services.gnome3.gvfs.enable {
environment.systemPackages = [ pkgs.gnome3.gvfs ];
services.dbus.packages = [ pkgs.gnome3.gvfs ];
systemd.packages = [ pkgs.gnome3.gvfs ];
services.udev.packages = [ pkgs.libmtp.bin ];
};
}

6
nixos/modules/services/desktops/gnome3/tracker-miners.nix
View File

@ -30,11 +30,11 @@ with lib;
config = mkIf config.services.gnome3.tracker-miners.enable {
environment.systemPackages = [ pkgs.gnome3.tracker-miners ];
environment.systemPackages = [ pkgs.tracker-miners ];
services.dbus.packages = [ pkgs.gnome3.tracker-miners ];
services.dbus.packages = [ pkgs.tracker-miners ];
systemd.packages = [ pkgs.gnome3.tracker-miners ];
systemd.packages = [ pkgs.tracker-miners ];
};

6
nixos/modules/services/desktops/gnome3/tracker.nix
View File

@ -30,11 +30,11 @@ with lib;
config = mkIf config.services.gnome3.tracker.enable {
environment.systemPackages = [ pkgs.gnome3.tracker ];
environment.systemPackages = [ pkgs.tracker ];
services.dbus.packages = [ pkgs.gnome3.tracker ];
services.dbus.packages = [ pkgs.tracker ];
systemd.packages = [ pkgs.gnome3.tracker ];
systemd.packages = [ pkgs.tracker ];
};

59
nixos/modules/services/desktops/gvfs.nix Normal file
View File

@ -0,0 +1,59 @@
# GVfs
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gvfs;
in
{
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gvfs" "enable" ]
[ "services" "gvfs" "enable" ])
];
###### interface
options = {
services.gvfs = {
enable = mkEnableOption "GVfs, a userspace virtual filesystem";
# gvfs can be built with multiple configurations
package = mkOption {
type = types.package;
default = pkgs.gnome3.gvfs;
description = "Which GVfs package to use.";
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
services.dbus.packages = [ cfg.package ];
systemd.packages = [ cfg.package ];
services.udev.packages = [ pkgs.libmtp.bin ];
# Needed for unwrapped applications
environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
};
}

24
nixos/modules/services/hardware/trezord.nix
View File

@ -5,6 +5,12 @@ let
cfg = config.services.trezord;
in {
### docs
meta = {
doc = ./trezord.xml;
};
### interface
options = {
@ -16,6 +22,22 @@ in {
Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets.
'';
};
emulator.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable Trezor emulator support.
'';
};
emulator.port = mkOption {
type = types.port;
default = 21324;
description = ''
Listening port for the Trezor emulator.
'';
};
};
};
@ -44,7 +66,7 @@ in {
path = [];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.trezord}/bin/trezord-go";
ExecStart = "${pkgs.trezord}/bin/trezord-go ${optionalString cfg.emulator.enable "-e ${builtins.toString cfg.emulator.port}"}";
User = "trezord";
};
};

26
nixos/modules/services/hardware/trezord.xml Normal file
View File

@ -0,0 +1,26 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="trezor">
<title>Trezor</title>
<para>
Trezor is an open-source cryptocurrency hardware wallet and security token
allowing secure storage of private keys.
</para>
<para>
It offers advanced features such U2F two-factor authorization, SSH login
through
<link xlink:href="https://wiki.trezor.io/Apps:SSH_agent">Trezor SSH agent</link>,
<link xlink:href="https://wiki.trezor.io/GPG">GPG</link> and a
<link xlink:href="https://wiki.trezor.io/Trezor_Password_Manager">password manager</link>.
For more information, guides and documentation, see <link xlink:href="https://wiki.trezor.io"/>.
</para>
<para>
To enable Trezor support, add the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.trezord.enable"/> = true;
</programlisting>
This will add all necessary udev rules and start Trezor Bridge.
</para>
</chapter>

38
nixos/modules/services/logging/awstats.nix
View File

@ -4,6 +4,7 @@ with lib;
let
cfg = config.services.awstats;
httpd = config.services.httpd;
package = pkgs.awstats;
in
@ -67,29 +68,32 @@ in
environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf"
{ preferLocalBuild = true; }
( let
cfg-httpd = config.services.httpd;
logFormat =
if cfg-httpd.logFormat == "combined" then "1" else
if cfg-httpd.logFormat == "common" then "4" else
throw "awstats service doesn't support Apache log format `${cfg-httpd.logFormat}`";
if httpd.logFormat == "combined" then "1" else
if httpd.logFormat == "common" then "4" else
throw "awstats service doesn't support Apache log format `${httpd.logFormat}`";
in
''
sed \
-e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \
-e 's|^\(DirIcons\)=.*$|\1="icons"|' \
-e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \
-e 's|^\(SiteDomain\)=.*$|\1="${cfg-httpd.hostName}"|' \
-e 's|^\(LogFile\)=.*$|\1="${cfg-httpd.logDir}/access_log"|' \
-e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \
-e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \
-e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \
< '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out"
echo '${cfg.extraConfig}' >> "$out"
'');
systemd.tmpfiles.rules = optionals cfg.service.enable [
"d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
"Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
];
# The httpd sub-service showing awstats.
services.httpd.enable = mkIf cfg.service.enable true;
services.httpd.extraSubservices = mkIf cfg.service.enable [ { function = { serverInfo, ... }: {
extraConfig =
''
services.httpd = optionalAttrs cfg.service.enable {
enable = true;
extraConfig = ''
Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
@ -97,20 +101,10 @@ in
<Directory "${package.out}/wwwroot">
Options None
AllowOverride None
Order allow,deny
Allow from all
Require all granted
</Directory>
'';
startupScript =
let
inherit (serverInfo.serverConfig) user group;
in pkgs.writeScript "awstats_startup.sh"
''
mkdir -p '${cfg.vardir}'
chown '${user}:${group}' '${cfg.vardir}'
'';
};}];
};
systemd.services.awstats-update = mkIf (cfg.updateAt != null) {
description = "awstats log collector";

2
nixos/modules/services/misc/gitlab.nix
View File

@ -659,7 +659,7 @@ in {
fi
# We remove potentially broken links to old gitlab-shell versions
rm -f ${cfg.statePath}/repositories/**/*.git/hooks
rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks
${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input"
'';

68
nixos/modules/services/misc/mantisbt.nix
View File

@ -1,68 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.mantisbt;
freshInstall = cfg.extraConfig == "";
# combined code+config directory
mantisbt = let
config_inc = pkgs.writeText "config_inc.php" ("<?php\n" + cfg.extraConfig);
src = pkgs.fetchurl {
url = "mirror://sourceforge/mantisbt/${name}.tar.gz";
sha256 = "1pl6xn793p3mxc6ibpr2bhg85vkdlcf57yk7pfc399g47l8x4508";
};
name = "mantisbt-1.2.19";
in
# We have to copy every time; otherwise config won't be found.
pkgs.runCommand name
{ preferLocalBuild = true; allowSubstitutes = false; }
(''
mkdir -p "$out"
cd "$out"
tar -xf '${src}' --strip-components=1
ln -s '${config_inc}' config_inc.php
''
+ lib.optionalString (!freshInstall) "rm -r admin/"
);
in
{
options.services.mantisbt = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the mantisbt web service.
This switches on httpd with PHP and database.
'';
};
urlPrefix = mkOption {
type = types.string;
default = "/mantisbt";
description = "The URL prefix under which the mantisbt service appears.";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
The contents of config_inc.php, without leading &lt;?php.
If left empty, the admin directory will be accessible.
'';
};
};
config = mkIf cfg.enable {
services.mysql.enable = true;
services.httpd.enable = true;
services.httpd.enablePHP = true;
# The httpd sub-service showing mantisbt.
services.httpd.extraSubservices = [ { function = { ... }: {
extraConfig =
''
Alias ${cfg.urlPrefix} "${mantisbt}"
'';
};}];
};
}

2
nixos/modules/services/misc/matrix-synapse.nix
View File

@ -684,7 +684,7 @@ in {
fi
'';
serviceConfig = {
Type = "simple";
Type = "notify";
User = "matrix-synapse";
Group = "matrix-synapse";
WorkingDirectory = cfg.dataDir;

103
nixos/modules/services/misc/metabase.nix Normal file
View File

@ -0,0 +1,103 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.metabase;
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib) optional optionalAttrs types;
dataDir = "/var/lib/metabase";
in {
options = {
services.metabase = {
enable = mkEnableOption "Metabase service";
listen = {
ip = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
IP address that Metabase should listen on.
'';
};
port = mkOption {
type = types.port;
default = 3000;
description = ''
Listen port for Metabase.
'';
};
};
ssl = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable SSL (https) support.
'';
};
port = mkOption {
type = types.port;
default = 8443;
description = ''
Listen port over SSL (https) for Metabase.
'';
};
keystore = mkOption {
type = types.nullOr types.path;
default = "${dataDir}/metabase.jks";
example = "/etc/secrets/keystore.jks";
description = ''
<link xlink:href="https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores">Java KeyStore</link> file containing the certificates.
'';
};
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open ports in the firewall for Metabase.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.metabase = {
description = "Metabase server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
environment = {
MB_PLUGINS_DIR = "${dataDir}/plugins";
MB_DB_FILE = "${dataDir}/metabase.db";
MB_JETTY_HOST = cfg.listen.ip;
MB_JETTY_PORT = toString cfg.listen.port;
} // optionalAttrs (cfg.ssl.enable) {
MB_JETTY_SSL = true;
MB_JETTY_SSL_PORT = toString cfg.ssl.port;
MB_JETTY_SSL_KEYSTORE = cfg.ssl.keystore;
};
serviceConfig = {
DynamicUser = true;
StateDirectory = baseNameOf dataDir;
ExecStart = "${pkgs.metabase}/bin/metabase";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.listen.port ] ++ optional cfg.ssl.enable cfg.ssl.port;
};
};
}

11
nixos/modules/services/monitoring/cadvisor.nix
View File

@ -84,6 +84,16 @@ in {
type = types.bool;
description = "Cadvisor storage driver, enable secure communication.";
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional cadvisor options.
See <link xlink:href='https://github.com/google/cadvisor/blob/master/docs/runtime_options.md'/> for available options.
'';
};
};
};
@ -112,6 +122,7 @@ in {
-logtostderr=true \
-listen_ip="${cfg.listenAddress}" \
-port="${toString cfg.port}" \
${escapeShellArgs cfg.extraOptions} \
${optionalString (cfg.storageDriver != null) ''
-storage_driver "${cfg.storageDriver}" \
-storage_driver_user "${cfg.storageDriverHost}" \

12
nixos/modules/services/monitoring/riemann-tools.nix
View File

@ -11,7 +11,7 @@ let
healthLauncher = writeScriptBin "riemann-health" ''
#!/bin/sh
exec ${pkgs.riemann-tools}/bin/riemann-health --host ${riemannHost}
exec ${pkgs.riemann-tools}/bin/riemann-health ${builtins.concatStringsSep " " cfg.extraArgs} --host ${riemannHost}
'';
@ -34,8 +34,16 @@ in {
Address of the host riemann node. Defaults to localhost.
'';
};
extraArgs = mkOption {
type = types.listOf types.string;
default = [];
description = ''
A list of commandline-switches forwarded to a riemann-tool.
See for example `riemann-health --help` for available options.
'';
example = ["-p 5555" "--timeout=30" "--attribute=myattribute=42"];
};
};
};
config = mkIf cfg.enableHealth {

133
nixos/modules/services/monitoring/systemhealth.nix
View File

@ -1,133 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.systemhealth;
systemhealth = with pkgs; stdenv.mkDerivation {
name = "systemhealth-1.0";
src = fetchurl {
url = "https://www.brianlane.com/downloads/systemhealth/systemhealth-1.0.tar.bz2";
sha256 = "1q69lz7hmpbdpbz36zb06nzfkj651413n9icx0njmyr3xzq1j9qy";
};
buildInputs = [ python ];
installPhase = ''
mkdir -p $out/bin
# Make it work for kernels 3.x, not so different than 2.6
sed -i 's/2\.6/4.0/' system_health.py
cp system_health.py $out/bin
'';
};
rrdDir = "/var/lib/health/rrd";
htmlDir = "/var/lib/health/html";
configFile = rrdDir + "/.syshealthrc";
# The program will try to read $HOME/.syshealthrc, so we set the proper home.
command = "HOME=${rrdDir} ${systemhealth}/bin/system_health.py";
cronJob = ''
*/5 * * * * wwwrun ${command} --log
5 * * * * wwwrun ${command} --graph
'';
nameEqualName = s: "${s} = ${s}";
interfacesSection = concatStringsSep "\n" (map nameEqualName cfg.interfaces);
driveLine = d: "${d.path} = ${d.name}";
drivesSection = concatStringsSep "\n" (map driveLine cfg.drives);
in
{
options = {
services.systemhealth = {
enable = mkOption {
default = false;
description = ''
Enable the system health monitor and its generation of graphs.
'';
};
urlPrefix = mkOption {
default = "/health";
description = ''
The URL prefix under which the System Health web pages appear in httpd.
'';
};
interfaces = mkOption {
default = [ "lo" ];
example = [ "lo" "eth0" "eth1" ];
description = ''
Interfaces to monitor (minimum one).
'';
};
drives = mkOption {
default = [ ];
example = [ { name = "root"; path = "/"; } ];
description = ''
Drives to monitor.
'';
};
};
};
config = mkIf cfg.enable {
services.cron.systemCronJobs = [ cronJob ];
system.activationScripts.systemhealth = stringAfter [ "var" ]
''
mkdir -p ${rrdDir} ${htmlDir}
chown wwwrun:wwwrun ${rrdDir} ${htmlDir}
cat >${configFile} << EOF
[paths]
rrdtool = ${pkgs.rrdtool}/bin/rrdtool
loadavg_rrd = loadavg
ps = /run/current-system/sw/bin/ps
df = /run/current-system/sw/bin/df
meminfo_rrd = meminfo
uptime_rrd = uptime
rrd_path = ${rrdDir}
png_path = ${htmlDir}
[processes]
[interfaces]
${interfacesSection}
[drives]
${drivesSection}
[graphs]
width = 400
time = ['-3hours', '-32hours', '-8days', '-5weeks', '-13months']
height = 100
[external]
EOF
chown wwwrun:wwwrun ${configFile}
${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --check" wwwrun
${pkgs.su}/bin/su -s "/bin/sh" -c "${command} --html" wwwrun
'';
services.httpd.extraSubservices = [
{ function = f: {
extraConfig = ''
Alias ${cfg.urlPrefix} ${htmlDir}
<Directory ${htmlDir}>
Order allow,deny
Allow from all
</Directory>
'';
};
}
];
};
}

2
nixos/modules/services/monitoring/ups.nix
View File

@ -225,7 +225,7 @@ in
''
maxstartdelay = ${toString cfg.maxStartDelay}
${flip concatStringsSep (flip map (attrValues cfg.ups) (ups: ups.summary)) "
${flip concatStringsSep (forEach (attrValues cfg.ups) (ups: ups.summary)) "
"}
'';

1
nixos/modules/services/network-filesystems/u9fs.nix
View File

@ -55,6 +55,7 @@ in
sockets.u9fs = {
description = "U9fs Listening Socket";
wantedBy = [ "sockets.target" ];
after = [ "network.target" ];
inherit (cfg) listenStreams;
socketConfig.Accept = "yes";
};

21
nixos/modules/services/networking/cjdns.nix
View File

@ -44,9 +44,7 @@ let
parseModules = x:
x // { connectTo = mapAttrs (name: value: { inherit (value) password publicKey; }) x.connectTo; };
# would be nice to merge 'cfg' with a //,
# but the json nesting is wacky.
cjdrouteConf = builtins.toJSON ( {
cjdrouteConf = builtins.toJSON ( recursiveUpdate {
admin = {
bind = cfg.admin.bind;
password = "@CJDNS_ADMIN_PASSWORD@";
@ -71,7 +69,7 @@ let
security = [ { exemptAngel = 1; setuser = "nobody"; } ];
});
} cfg.extraConfig);
in
@ -91,6 +89,16 @@ in
'';
};
extraConfig = mkOption {
type = types.attrs;
default = {};
example = { router.interface.tunDevice = "tun10"; };
description = ''
Extra configuration, given as attrs, that will be merged recursively
with the rest of the JSON generated by this module, at the root node.
'';
};
confFile = mkOption {
type = types.nullOr types.path;
default = null;
@ -246,7 +254,10 @@ in
if cfg.confFile != null then "${pkg}/bin/cjdroute < ${cfg.confFile}" else
''
source /etc/cjdns.keys
echo '${cjdrouteConf}' | sed \
(cat <<'EOF'
${cjdrouteConf}
EOF
) | sed \
-e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \
-e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \
| ${pkg}/bin/cjdroute

2
nixos/modules/services/networking/consul.nix
View File

@ -15,7 +15,7 @@ let
++ cfg.extraConfigFiles;
devices = attrValues (filterAttrs (_: i: i != null) cfg.interface);
systemdDevices = flip map devices
systemdDevices = forEach devices
(i: "sys-subsystem-net-devices-${utils.escapeSystemdPath i}.device");
in
{

2
nixos/modules/services/networking/hylafax/systemd.nix
View File

@ -7,7 +7,7 @@ let
inherit (lib) concatStringsSep optionalString;
cfg = config.services.hylafax;
mapModems = lib.flip map (lib.attrValues cfg.modems);
mapModems = lib.forEach (lib.attrValues cfg.modems);
mkConfigFile = name: conf:
# creates hylafax config file,

97
nixos/modules/services/networking/jormungandr.nix Normal file
View File

@ -0,0 +1,97 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.jormungandr;
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib) optionalString types;
dataDir = "/var/lib/jormungandr";
# Default settings so far, as the service matures we will
# move these out as separate settings
configSettings = {
storage = dataDir;
p2p = {
public_address = "/ip4/127.0.0.1/tcp/8606";
messages = "high";
blocks = "high";
};
rest = {
listen = "127.0.0.1:8607";
};
};
configFile = if cfg.configFile == null then
pkgs.writeText "jormungandr.yaml" (builtins.toJSON configSettings)
else cfg.configFile;
in {
options = {
services.jormungandr = {
enable = mkEnableOption "jormungandr service";
configFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/jormungandr/node.yaml";
description = ''
The path of the jormungandr blockchain configuration file in YAML format.
If no file is specified, a file is generated using the other options.
'';
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/etc/secret/jormungandr.yaml";
description = ''
The path of the jormungandr blockchain secret node configuration file in
YAML format. Do not store this in nix store!
'';
};
genesisBlockHash = mkOption {
type = types.nullOr types.string;
default = null;
example = "d70495af81ae8600aca3e642b2427327cb6001ec4d7a0037e96a00dabed163f9";
description = ''
Set the genesis block hash (the hash of the block0) so we can retrieve
the genesis block (and the blockchain configuration) from the existing
storage or from the network.
'';
};
genesisBlockFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/jormungandr/block-0.bin";
description = ''
The path of the genesis block file if we are hosting it locally.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.jormungandr = {
description = "jormungandr server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
DynamicUser = true;
StateDirectory = baseNameOf dataDir;
ExecStart = ''
${pkgs.jormungandr}/bin/jormungandr --config ${configFile} \
${optionalString (cfg.secretFile != null) " --secret ${cfg.secretFile}"} \
${optionalString (cfg.genesisBlockHash != null) " --genesis-block-hash ${cfg.genesisBlockHash}"} \
${optionalString (cfg.genesisBlockFile != null) " --genesis-block ${cfg.genesisBlockFile}"}
'';
};
};
};
}

6
nixos/modules/services/networking/shadowsocks.nix
View File

@ -35,10 +35,10 @@ in
};
localAddress = mkOption {
type = types.str;
default = "0.0.0.0";
type = types.coercedTo types.str singleton (types.listOf types.str);
default = [ "[::0]" "0.0.0.0" ];
description = ''
Local address to which the server binds.
Local addresses to which the server binds.
'';
};

2
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -502,7 +502,7 @@ in
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
message = "cannot enable X11 forwarding without setting xauth location";}]
++ flip map cfg.listenAddresses ({ addr, ... }: {
++ forEach cfg.listenAddresses ({ addr, ... }: {
assertion = addr != null;
message = "addr must be specified in each listenAddresses entry";
});

2
nixos/modules/services/networking/stubby.nix
View File

@ -168,7 +168,7 @@ in
default = defaultUpstream;
type = types.lines;
description = ''
Add additional upstreams. See <citerefentry><refentrytitle>stubby
Replace default upstreams. See <citerefentry><refentrytitle>stubby
</refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
example of the entry formatting. In Strict mode, at least one of the
following settings must be supplied for each nameserver:

1
nixos/modules/services/search/elasticsearch.nix
View File

@ -131,6 +131,7 @@ in {
description = "Extra elasticsearch plugins";
default = [];
type = types.listOf types.package;
example = lib.literalExample "[ pkgs.elasticsearchPlugins.discovery-ec2 ]";
};
};

14
nixos/modules/services/security/sshguard.nix
View File

@ -106,14 +106,24 @@ in {
path = with pkgs; [ iptables ipset iproute systemd ];
postStart = ''
# The sshguard ipsets must exist before we invoke
# iptables. sshguard creates the ipsets after startup if
# necessary, but if we let sshguard do it, we can't reliably add
# the iptables rules because postStart races with the creation
# of the ipsets. So instead, we create both the ipsets and
# firewall rules before sshguard starts.
preStart = ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
'';
preStop = ''
postStop = ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
'';
unitConfig.Documentation = "man:sshguard(8)";

14
nixos/modules/services/security/usbguard.nix
View File

@ -39,6 +39,16 @@ in {
services.usbguard = {
enable = mkEnableOption "USBGuard daemon";
package = mkOption {
type = types.package;
default = pkgs.usbguard;
defaultText = "pkgs.usbguard";
description = ''
The usbguard package to use. If you do not need the Qt GUI, use
<literal>pkgs.usbguard-nox</literal> to save disk space.
'';
};
ruleFile = mkOption {
type = types.path;
default = "/var/lib/usbguard/rules.conf";
@ -179,7 +189,7 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.usbguard ];
environment.systemPackages = [ cfg.package ];
systemd.services.usbguard = {
description = "USBGuard daemon";
@ -195,7 +205,7 @@ in {
serviceConfig = {
Type = "simple";
ExecStart = ''${pkgs.usbguard}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
ExecStart = ''${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
Restart = "on-failure";
};
};

4
nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
View File

@ -5,10 +5,12 @@
defaultConfig = {
global = {
module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}";
module_path = "${pkgs.icingaweb2}/modules";
};
};
in {
meta.maintainers = with maintainers; [ das_j ];
options.services.icingaweb2 = with types; {
enable = mkEnableOption "the icingaweb2 web interface";

2
nixos/modules/services/web-servers/caddy.nix
View File

@ -70,7 +70,7 @@ in {
{ CADDYPATH = cfg.dataDir; };
serviceConfig = {
ExecStart = ''
${cfg.package.bin}/bin/caddy -root=/var/tmp -conf=${configFile} \
${cfg.package}/bin/caddy -root=/var/tmp -conf=${configFile} \
-ca=${cfg.ca} -email=${cfg.email} ${optionalString cfg.agree "-agree"}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

33
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -162,6 +162,10 @@ let
${cfg.appendConfig}
'';
configPath = if cfg.enableReload
then "/etc/nginx/nginx.conf"
else configFile;
vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
let
onlySSL = vhost.onlySSL || vhost.enableSSL;
@ -431,6 +435,16 @@ in
";
};
enableReload = mkOption {
default = false;
type = types.bool;
description = ''
Reload nginx when configuration file changes (instead of restart).
The configuration file is exposed at <filename>/etc/nginx/nginx.conf</filename>.
See also <literal>systemd.services.*.restartIfChanged</literal>.
'';
};
stateDir = mkOption {
default = "/var/spool/nginx";
description = "
@ -638,10 +652,10 @@ in
preStart =
''
${cfg.preStart}
${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir} -t
${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir} -t
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/nginx -c ${configFile} -p ${cfg.stateDir}";
ExecStart = "${cfg.package}/bin/nginx -c ${configPath} -p ${cfg.stateDir}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "10s";
@ -649,6 +663,21 @@ in
};
};
environment.etc."nginx/nginx.conf" = mkIf cfg.enableReload {
source = configFile;
};
systemd.services.nginx-config-reload = mkIf cfg.enableReload {
wantedBy = [ "nginx.service" ];
restartTriggers = [ configFile ];
script = ''
if ${pkgs.systemd}/bin/systemctl -q is-active nginx.service ; then
${pkgs.systemd}/bin/systemctl reload nginx.service
fi
'';
serviceConfig.RemainAfterExit = true;
};
security.acme.certs = filterAttrs (n: v: v != {}) (
let
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;

7
nixos/modules/services/x11/desktop-managers/gnome3.nix
View File

@ -136,9 +136,8 @@ in {
services.gnome3.gnome-online-accounts.enable = mkDefault true;
services.gnome3.gnome-remote-desktop.enable = mkDefault true;
services.gnome3.gnome-settings-daemon.enable = true;
services.gnome3.gnome-terminal-server.enable = mkDefault true;
services.gnome3.gnome-user-share.enable = mkDefault true;
services.gnome3.gvfs.enable = true;
services.gvfs.enable = true;
services.gnome3.rygel.enable = mkDefault true;
services.gnome3.seahorse.enable = mkDefault true;
services.gnome3.sushi.enable = mkDefault true;
@ -161,10 +160,12 @@ in {
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
# Enable default programs
programs.dconf.enable = true;
programs.evince.enable = mkDefault true;
programs.file-roller.enable = mkDefault true;
programs.gnome-disks.enable = mkDefault true;
programs.gnome-documents.enable = mkDefault true;
programs.gnome-terminal.enable = mkDefault true;
# If gnome3 is installed, build vim for gtk3 too.
nixpkgs.config.vim.gui = "gtk3";
@ -230,8 +231,6 @@ in {
services.xserver.updateDbusEnvironment = true;
environment.variables.GIO_EXTRA_MODULES = [ "${lib.getLib pkgs.gnome3.dconf}/lib/gio/modules"
"${pkgs.gnome3.gvfs}/lib/gio/modules" ];
environment.systemPackages = pkgs.gnome3.corePackages ++ cfg.sessionPath
++ (pkgs.gnome3.removePackagesByName pkgs.gnome3.optionalPackages config.environment.gnome3.excludePackages) ++ [
pkgs.xdg-user-dirs # Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/

3
nixos/modules/services/x11/desktop-managers/lxqt.nix
View File

@ -58,7 +58,8 @@ in
# Link some extra directories in /run/current-system/software/share
environment.pathsToLink = [ "/share" ];
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ];
services.gvfs.enable = true;
services.gvfs.package = pkgs.gvfs;
services.upower.enable = config.powerManagement.enable;
};

8
nixos/modules/services/x11/desktop-managers/mate.nix
View File

@ -94,17 +94,19 @@ in
];
programs.dconf.enable = true;
# Shell integration for VTE terminals
programs.bash.vteIntegration = mkDefault true;
programs.zsh.vteIntegration = mkDefault true;
services.gnome3.at-spi2-core.enable = true;
services.gnome3.gnome-keyring.enable = true;
services.gnome3.gnome-settings-daemon.enable = true;
services.gnome3.gnome-settings-daemon.package = pkgs.mate.mate-settings-daemon;
services.gnome3.gvfs.enable = true;
services.gvfs.enable = true;
services.upower.enable = config.powerManagement.enable;
security.pam.services."mate-screensaver".unixAuth = true;
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gnome3.gvfs}/lib/gio/modules" ];
environment.pathsToLink = [ "/share" ];
};

22
nixos/modules/services/x11/desktop-managers/pantheon.nix
View File

@ -99,10 +99,6 @@ in
fi
'') cfg.sessionPath}
# Makes qt applications look less alien
export QT_QPA_PLATFORMTHEME=gtk3
export QT_STYLE_OVERRIDE=adwaita
# Settings from elementary-default-settings
export GTK_CSD=1
export GTK_MODULES=$GTK_MODULES:pantheon-filechooser-module
@ -129,7 +125,7 @@ in
services.gnome3.gnome-keyring.enable = true;
services.gnome3.gnome-settings-daemon.enable = true;
services.gnome3.gnome-settings-daemon.package = pkgs.pantheon.elementary-settings-daemon;
services.gnome3.gvfs.enable = true;
services.gvfs.enable = true;
services.gnome3.rygel.enable = mkDefault true;
services.gsignond.enable = mkDefault true;
services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ];
@ -146,9 +142,19 @@ in
isSystem = true;
};
programs.dconf.enable = true;
programs.evince.enable = mkDefault true;
programs.file-roller.enable = mkDefault true;
# Shell integration for VTE terminals
programs.bash.vteIntegration = mkDefault true;
programs.zsh.vteIntegration = mkDefault true;
# Harmonize Qt5 applications under Pantheon
qt5.enable = true;
qt5.platformTheme = "gnome";
qt5.style = "adwaita";
networking.networkmanager.enable = mkDefault true;
networking.networkmanager.basePackages =
{ inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
@ -161,11 +167,6 @@ in
environment.variables.GNOME_SESSION_DEBUG = optionalString cfg.debug "1";
environment.variables.GIO_EXTRA_MODULES = [
"${lib.getLib pkgs.gnome3.dconf}/lib/gio/modules"
"${pkgs.gnome3.gvfs}/lib/gio/modules"
];
environment.pathsToLink = [
# FIXME: modules should link subdirs of `/share` rather than relying on this
"/share"
@ -187,7 +188,6 @@ in
glib-networking
gnome-menus
gnome3.adwaita-icon-theme
gnome3.dconf
gtk3.out
hicolor-icon-theme
lightlocker

7
nixos/modules/services/x11/desktop-managers/xfce.nix
View File

@ -66,7 +66,6 @@ in
exo
garcon
gtk-xfce-engine
gvfs
libxfce4ui
tumbler
xfconf
@ -100,10 +99,6 @@ in
"/share/gtksourceview-2.0"
];
environment.variables = {
GIO_EXTRA_MODULES = [ "${pkgs.xfce.gvfs}/lib/gio/modules" ];
};
services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
services.xserver.desktopManager.session = [{
@ -128,5 +123,7 @@ in
# Enable helpful DBus services.
services.udisks2.enable = true;
services.upower.enable = config.powerManagement.enable;
services.gvfs.enable = true;
services.gvfs.package = pkgs.xfce.gvfs;
};
}

2
nixos/modules/services/x11/xautolock.nix
View File

@ -129,7 +129,7 @@ in
assertion = cfg.killer != null -> cfg.killtime >= 10;
message = "killtime has to be at least 10 minutes according to `man xautolock`";
}
] ++ (lib.flip map [ "locker" "notifier" "nowlocker" "killer" ]
] ++ (lib.forEach [ "locker" "notifier" "nowlocker" "killer" ]
(option:
{
assertion = cfg."${option}" != null -> builtins.substring 0 1 cfg."${option}" == "/";

2
nixos/modules/services/x11/xserver.nix
View File

@ -78,7 +78,7 @@ let
in imap1 mkHead cfg.xrandrHeads;
xrandrDeviceSection = let
monitors = flip map xrandrHeads (h: ''
monitors = forEach xrandrHeads (h: ''
Option "monitor-${h.config.output}" "${h.name}"
'');
# First option is indented through the space in the config but any

66
nixos/modules/system/boot/coredump.nix
View File

@ -1,66 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
options = {
systemd.coredump = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables storing core dumps in systemd.
Note that this alone is not enough to enable core dumps. The maximum
file size for core dumps must be specified in limits.conf as well. See
<option>security.pam.loginLimits</option> and the limits.conf(5)
man page (these specify the core dump limits for user login sessions)
and <option>systemd.extraConfig</option> (where e.g.
<literal>DefaultLimitCORE=1000000</literal> can be specified to set
the core dump limit for systemd system-level services).
'';
};
extraConfig = mkOption {
default = "";
type = types.lines;
example = "Storage=journal";
description = ''
Extra config options for systemd-coredump. See coredump.conf(5) man page
for available options.
'';
};
};
};
config = mkMerge [
(mkIf config.systemd.coredump.enable {
systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
environment.etc."systemd/coredump.conf".text =
''
[Coredump]
${config.systemd.coredump.extraConfig}
'';
# Have the kernel pass core dumps to systemd's coredump helper binary.
# From systemd's 50-coredump.conf file. See:
# <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in>
boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
})
(mkIf (!config.systemd.coredump.enable) {
boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
systemd.extraConfig =
''
DefaultLimitCORE=0:infinity
'';
})
];
}

1
nixos/modules/system/boot/kernel.nix
View File

@ -36,6 +36,7 @@ in
boot.kernelPackages = mkOption {
default = pkgs.linuxPackages;
type = types.unspecified // { merge = mergeEqualOption; };
apply = kernelPackages: kernelPackages.extend (self: super: {
kernel = super.kernel.override {
inherit randstructSeed;

2
nixos/modules/system/boot/loader/grub/grub.nix
View File

@ -684,7 +684,7 @@ in
assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint;
message = "EFI paths must be absolute, not ${args.efiSysMountPoint}";
}
] ++ flip map args.devices (device: {
] ++ forEach args.devices (device: {
assertion = device == "nodev" || hasPrefix "/" device;
message = "GRUB devices must be absolute paths, not ${device} in ${args.path}";
}));

88
nixos/modules/system/boot/networkd.nix
View File

@ -55,6 +55,27 @@ let
(assertMacAddress "MACAddress")
];
# NOTE The PrivateKey directive is missing on purpose here, please
# do not add it to this list. The nix store is world-readable let's
# refrain ourselves from providing a footgun.
checkWireGuard = checkUnitConfig "WireGuard" [
(assertOnlyFields [
"PrivateKeyFile" "ListenPort" "FwMark"
])
(assertRange "FwMark" 1 4294967295)
];
# NOTE The PresharedKey directive is missing on purpose here, please
# do not add it to this list. The nix store is world-readable,let's
# refrain ourselves from providing a footgun.
checkWireGuardPeer = checkUnitConfig "WireGuardPeer" [
(assertOnlyFields [
"PublicKey" "PresharedKeyFile" "AllowedIPs"
"Endpoint" "PersistentKeepalive"
])
(assertRange "PersistentKeepalive" 1 65535)
];
checkVlan = checkUnitConfig "VLAN" [
(assertOnlyFields ["Id" "GVRP" "MVRP" "LooseBinding" "ReorderHeader"])
(assertRange "Id" 0 4094)
@ -320,6 +341,46 @@ let
'';
};
wireguardConfig = mkOption {
default = {};
example = {
PrivateKeyFile = "/etc/wireguard/secret.key";
ListenPort = 51820;
FwMark = 42;
};
type = types.addCheck (types.attrsOf unitOption) checkWireGuard;
description = ''
Each attribute in this set specifies an option in the
<literal>[WireGuard]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.netdev</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
Use <literal>PrivateKeyFile</literal> instead of
<literal>PrivateKey</literal>: the nix store is
world-readable.
'';
};
wireguardPeers = mkOption {
default = [];
example = [ { wireguardPeerConfig={
Endpoint = "192.168.1.1:51820";
PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
PresharedKeyFile = "/etc/wireguard/psk.key";
AllowedIPs = [ "10.0.0.1/32" ];
PersistentKeepalive = 15;
};}];
type = with types; listOf (submodule wireguardPeerOptions);
description = ''
Each item in this array specifies an option in the
<literal>[WireGuardPeer]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.netdev</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
Use <literal>PresharedKeyFile</literal> instead of
<literal>PresharedKey</literal>: the nix store is
world-readable.
'';
};
vlanConfig = mkOption {
default = {};
example = { Id = "4"; };
@ -450,6 +511,23 @@ let
};
};
wireguardPeerOptions = {
options = {
wireguardPeerConfig = mkOption {
default = {};
example = { };
type = types.addCheck (types.attrsOf unitOption) checkWireGuardPeer;
description = ''
Each attribute in this set specifies an option in the
<literal>[WireGuardPeer]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.network</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
};
};
networkOptions = commonNetworkOptions // {
networkConfig = mkOption {
@ -732,6 +810,16 @@ let
${attrsToSection def.bondConfig}
''}
${optionalString (def.wireguardConfig != { }) ''
[WireGuard]
${attrsToSection def.wireguardConfig}
''}
${flip concatMapStrings def.wireguardPeers (x: ''
[WireGuardPeer]
${attrsToSection x.wireguardPeerConfig}
'')}
${def.extraConfig}
'';
};

4
nixos/modules/system/boot/stage-1-init.sh
View File

@ -44,13 +44,13 @@ EOF
*) to ignore the error and continue
EOF
read reply
read -n 1 reply
if [ -n "$allowShell" -a "$reply" = f ]; then
exec setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console"
elif [ -n "$allowShell" -a "$reply" = i ]; then
echo "Starting interactive shell..."
setsid @shell@ -c "@shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
setsid @shell@ -c "exec @shell@ < /dev/$console >/dev/$console 2>/dev/$console" || fail
elif [ "$reply" = r ]; then
echo "Rebooting..."
reboot -f

25
nixos/modules/system/boot/systemd.nix
View File

@ -76,6 +76,10 @@ let
"systemd-journald-dev-log.socket"
"syslog.socket"
# Coredumps.
"systemd-coredump.socket"
"systemd-coredump@.service"
# SysV init compatibility.
"systemd-initctl.socket"
"systemd-initctl.service"
@ -540,6 +544,16 @@ in
'';
};
systemd.coredump.extraConfig = mkOption {
default = "";
type = types.lines;
example = "Storage=journal";
description = ''
Extra config options for systemd-coredump. See coredump.conf(5) man page
for available options.
'';
};
systemd.extraConfig = mkOption {
default = "";
type = types.lines;
@ -795,6 +809,7 @@ in
DefaultMemoryAccounting=yes
DefaultTasksAccounting=yes
''}
DefaultLimitCORE=infinity
${config.systemd.extraConfig}
'';
@ -818,6 +833,12 @@ in
${config.services.journald.extraConfig}
'';
"systemd/coredump.conf".text =
''
[Coredump]
${config.systemd.coredump.extraConfig}
'';
"systemd/logind.conf".text = ''
[Login]
KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@ -831,6 +852,10 @@ in
[Sleep]
'';
# install provided sysctl snippets
"sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
"sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
"tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
"tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";

8
nixos/modules/tasks/network-interfaces-systemd.nix
View File

@ -74,7 +74,7 @@ in
enable = true;
networks."99-main" = genericNetwork mkDefault;
}
(mkMerge (flip map interfaces (i: {
(mkMerge (forEach interfaces (i: {
netdevs = mkIf i.virtual ({
"40-${i.name}" = {
netdevConfig = {
@ -90,7 +90,7 @@ in
name = mkDefault i.name;
DHCP = mkForce (dhcpStr
(if i.useDHCP != null then i.useDHCP else cfg.useDHCP && interfaceIps i == [ ]));
address = flip map (interfaceIps i)
address = forEach (interfaceIps i)
(ip: "${ip.address}/${toString ip.prefixLength}");
networkConfig.IPv6PrivacyExtensions = "kernel";
} ];
@ -102,7 +102,7 @@ in
Kind = "bridge";
};
};
networks = listToAttrs (flip map bridge.interfaces (bi:
networks = listToAttrs (forEach bridge.interfaces (bi:
nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
DHCP = mkOverride 0 (dhcpStr false);
networkConfig.Bridge = name;
@ -173,7 +173,7 @@ in
};
networks = listToAttrs (flip map bond.interfaces (bi:
networks = listToAttrs (forEach bond.interfaces (bi:
nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
DHCP = mkOverride 0 (dhcpStr false);
networkConfig.Bond = name;

12
nixos/modules/tasks/network-interfaces.nix
View File

@ -926,7 +926,7 @@ in
warnings = concatMap (i: i.warnings) interfaces;
assertions =
(flip map interfaces (i: {
(forEach interfaces (i: {
# With the linux kernel, interface name length is limited by IFNAMSIZ
# to 16 bytes, including the trailing null byte.
# See include/linux/if.h in the kernel sources
@ -934,12 +934,12 @@ in
message = ''
The name of networking.interfaces."${i.name}" is too long, it needs to be less than 16 characters.
'';
})) ++ (flip map slaveIfs (i: {
})) ++ (forEach slaveIfs (i: {
assertion = i.ipv4.addresses == [ ] && i.ipv6.addresses == [ ];
message = ''
The networking.interfaces."${i.name}" must not have any defined ips when it is a slave.
'';
})) ++ (flip map interfaces (i: {
})) ++ (forEach interfaces (i: {
assertion = i.preferTempAddress -> cfg.enableIPv6;
message = ''
Temporary addresses are only needed when IPv6 is enabled.
@ -967,8 +967,8 @@ in
"net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6);
"net.ipv6.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
} // listToAttrs (flip concatMap (filter (i: i.proxyARP) interfaces)
(i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)))
// listToAttrs (flip map (filter (i: i.preferTempAddress) interfaces)
(i: forEach [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true)))
// listToAttrs (forEach (filter (i: i.preferTempAddress) interfaces)
(i: nameValuePair "net.ipv6.conf.${i.name}.use_tempaddr" 2));
# Capabilities won't work unless we have at-least a 4.3 Linux
@ -1050,7 +1050,7 @@ in
${cfg.localCommands}
'';
};
} // (listToAttrs (flip map interfaces (i:
} // (listToAttrs (forEach interfaces (i:
let
deviceDependency = if (config.boot.isContainer || i.name == "lo")
then []

38
nixos/modules/virtualisation/containers.nix
View File

@ -138,7 +138,7 @@ let
--bind-ro=/nix/var/nix/daemon-socket \
--bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
--bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
--link-journal=try-guest \
${optionalString (!cfg.ephemeral) "--link-journal=try-guest"} \
--setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
--setenv HOST_BRIDGE="$HOST_BRIDGE" \
--setenv HOST_ADDRESS="$HOST_ADDRESS" \
@ -147,6 +147,7 @@ let
--setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
--setenv HOST_PORT="$HOST_PORT" \
--setenv PATH="$PATH" \
${optionalString cfg.ephemeral "--ephemeral"} \
${if cfg.additionalCapabilities != null && cfg.additionalCapabilities != [] then
''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else ""
} \
@ -247,6 +248,8 @@ let
Type = "notify";
RuntimeDirectory = lib.optional cfg.ephemeral "containers/%i";
# Note that on reboot, systemd-nspawn returns 133, so this
# unit will be restarted. On poweroff, it returns 0, so the
# unit won't be restarted.
@ -419,6 +422,7 @@ let
{
extraVeths = {};
additionalCapabilities = [];
ephemeral = false;
allowedDevices = [];
hostAddress = null;
hostAddress6 = null;
@ -511,6 +515,26 @@ in
information.
'';
};
ephemeral = mkOption {
type = types.bool;
default = false;
description = ''
Runs container in ephemeral mode with the empty root filesystem at boot.
This way container will be bootstrapped from scratch on each boot
and will be cleaned up on shutdown leaving no traces behind.
Useful for completely stateless, reproducible containers.
Note that this option might require to do some adjustments to the container configuration,
e.g. you might want to set
<varname>systemd.network.networks.$interface.dhcpConfig.ClientIdentifier</varname> to "mac"
if you use <varname>macvlans</varname> option.
This way dhcp client identifier will be stable between the container restarts.
Note that the container journal will not be linked to the host if this option is enabled.
'';
};
enableTun = mkOption {
type = types.bool;
default = false;
@ -659,12 +683,14 @@ in
unit = {
description = "Container '%i'";
unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ];
unitConfig.RequiresMountsFor = "/var/lib/containers/%i";
path = [ pkgs.iproute ];
environment.INSTANCE = "%i";
environment.root = "/var/lib/containers/%i";
environment = {
root = "/var/lib/containers/%i";
INSTANCE = "%i";
};
preStart = preStartScript dummyConfig;
@ -703,11 +729,13 @@ in
}
else {});
in
unit // {
recursiveUpdate unit {
preStart = preStartScript containerConfig;
script = startScript containerConfig;
postStart = postStartScript containerConfig;
serviceConfig = serviceDirectives containerConfig;
unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "/var/lib/containers/%i";
environment.root = if containerConfig.ephemeral then "/run/containers/%i" else "/var/lib/containers/%i";
} // (
if containerConfig.autoStart then
{

10
nixos/modules/virtualisation/google-compute-config.nix
View File

@ -159,12 +159,6 @@ in
# functionality/features (e.g. TCP Window scaling).
"net.ipv4.tcp_syncookies" = mkDefault "1";
# ignores source-routed packets
"net.ipv4.conf.all.accept_source_route" = mkDefault "0";
# ignores source-routed packets
"net.ipv4.conf.default.accept_source_route" = mkDefault "0";
# ignores ICMP redirects
"net.ipv4.conf.all.accept_redirects" = mkDefault "0";
@ -186,10 +180,10 @@ in
# don't allow traffic between networks or act as a router
"net.ipv4.conf.default.send_redirects" = mkDefault "0";
# reverse path filtering - IP spoofing protection
# strict reverse path filtering - IP spoofing protection
"net.ipv4.conf.all.rp_filter" = mkDefault "1";
# reverse path filtering - IP spoofing protection
# strict path filtering - IP spoofing protection
"net.ipv4.conf.default.rp_filter" = mkDefault "1";
# ignores ICMP broadcasts to avoid participating in Smurf attacks

14
nixos/tests/all-tests.nix
View File

@ -47,6 +47,7 @@ in
codimd = handleTest ./codimd.nix {};
colord = handleTest ./colord.nix {};
containers-bridge = handleTest ./containers-bridge.nix {};
containers-ephemeral = handleTest ./containers-ephemeral.nix {};
containers-extra_veth = handleTest ./containers-extra_veth.nix {};
containers-hosts = handleTest ./containers-hosts.nix {};
containers-imperative = handleTest ./containers-imperative.nix {};
@ -73,7 +74,7 @@ in
#ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
ecryptfs = handleTest ./ecryptfs.nix {};
ejabberd = handleTest ./ejabberd.nix {};
ejabberd = handleTest ./xmpp/ejabberd.nix {};
elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
env = handleTest ./env.nix {};
etcd = handleTestOn ["x86_64-linux"] ./etcd.nix {};
@ -93,8 +94,10 @@ in
gitlab = handleTest ./gitlab.nix {};
gitolite = handleTest ./gitolite.nix {};
gjs = handleTest ./gjs.nix {};
glusterfs = handleTest ./glusterfs.nix {};
gnome3-xorg = handleTest ./gnome3-xorg.nix {};
gnome3 = handleTest ./gnome3.nix {};
gnome-photos = handleTest ./gnome-photos.nix {};
gocd-agent = handleTest ./gocd-agent.nix {};
gocd-server = handleTest ./gocd-server.nix {};
google-oslogin = handleTest ./google-oslogin {};
@ -114,6 +117,7 @@ in
hound = handleTest ./hound.nix {};
hydra = handleTest ./hydra {};
i3wm = handleTest ./i3wm.nix {};
icingaweb2 = handleTest ./icingaweb2.nix {};
iftop = handleTest ./iftop.nix {};
incron = handleTest ./incron.nix {};
influxdb = handleTest ./influxdb.nix {};
@ -124,6 +128,7 @@ in
jackett = handleTest ./jackett.nix {};
jellyfin = handleTest ./jellyfin.nix {};
jenkins = handleTest ./jenkins.nix {};
jormungandr = handleTest ./jormungandr.nix {};
kafka = handleTest ./kafka.nix {};
kerberos = handleTest ./kerberos/default.nix {};
kernel-latest = handleTest ./kernel-latest.nix {};
@ -138,6 +143,7 @@ in
latestKernel.login = handleTest ./login.nix { latestKernel = true; };
ldap = handleTest ./ldap.nix {};
leaps = handleTest ./leaps.nix {};
libxmlb = handleTest ./libxmlb.nix {};
lidarr = handleTest ./lidarr.nix {};
lightdm = handleTest ./lightdm.nix {};
limesurvey = handleTest ./limesurvey.nix {};
@ -150,6 +156,7 @@ in
mediawiki = handleTest ./mediawiki.nix {};
memcached = handleTest ./memcached.nix {};
mesos = handleTest ./mesos.nix {};
metabase = handleTest ./metabase.nix {};
miniflux = handleTest ./miniflux.nix {};
minio = handleTest ./minio.nix {};
misc = handleTest ./misc.nix {};
@ -217,7 +224,8 @@ in
prometheus = handleTest ./prometheus.nix {};
prometheus2 = handleTest ./prometheus-2.nix {};
prometheus-exporters = handleTest ./prometheus-exporters.nix {};
prosody = handleTest ./prosody.nix {};
prosody = handleTest ./xmpp/prosody.nix {};
prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {};
proxy = handleTest ./proxy.nix {};
quagga = handleTest ./quagga.nix {};
quake3 = handleTest ./quake3.nix {};
@ -249,6 +257,7 @@ in
systemd = handleTest ./systemd.nix {};
systemd-confinement = handleTest ./systemd-confinement.nix {};
systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
pdns-recursor = handleTest ./pdns-recursor.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
@ -256,6 +265,7 @@ in
tinydns = handleTest ./tinydns.nix {};
tor = handleTest ./tor.nix {};
transmission = handleTest ./transmission.nix {};
trezord = handleTest ./trezord.nix {};
udisks2 = handleTest ./udisks2.nix {};
upnp = handleTest ./upnp.nix {};
uwsgi = handleTest ./uwsgi.nix {};

56
nixos/tests/containers-ephemeral.nix Normal file
View File

@ -0,0 +1,56 @@
# Test for NixOS' container support.
import ./make-test.nix ({ pkgs, ...} : {
name = "containers-ephemeral";
machine = { pkgs, ... }: {
virtualisation.memorySize = 768;
virtualisation.writableStore = true;
containers.webserver = {
ephemeral = true;
privateNetwork = true;
hostAddress = "10.231.136.1";
localAddress = "10.231.136.2";
config = {
services.nginx = {
enable = true;
virtualHosts.localhost = {
root = (pkgs.runCommand "localhost" {} ''
mkdir "$out"
echo hello world > "$out/index.html"
'');
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
};
};
testScript = ''
$machine->succeed("nixos-container list") =~ /webserver/ or die;
# Start the webserver container.
$machine->succeed("nixos-container start webserver");
# Check that container got its own root folder
$machine->succeed("ls /run/containers/webserver");
# Check that container persistent directory is not created
$machine->fail("ls /var/lib/containers/webserver");
# Since "start" returns after the container has reached
# multi-user.target, we should now be able to access it.
my $ip = $machine->succeed("nixos-container show-ip webserver");
chomp $ip;
$machine->succeed("ping -n -c1 $ip");
$machine->succeed("curl --fail http://$ip/ > /dev/null");
# Stop the container.
$machine->succeed("nixos-container stop webserver");
$machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
# Check that container's root folder was removed
$machine->fail("ls /run/containers/webserver");
'';
})

65
nixos/tests/glusterfs.nix Normal file
View File

@ -0,0 +1,65 @@
import ./make-test.nix ({ ... } :
let
client = { pkgs, ... } : {
environment.systemPackages = [ pkgs.glusterfs ];
fileSystems = pkgs.lib.mkVMOverride
[ { mountPoint = "/gluster";
fsType = "glusterfs";
device = "server1:/gv0";
} ];
};
server = { pkgs, ... } : {
networking.firewall.enable = false;
services.glusterfs.enable = true;
# create a mount point for the volume
boot.initrd.postDeviceCommands = ''
${pkgs.e2fsprogs}/bin/mkfs.ext4 -L data /dev/vdb
'';
virtualisation.emptyDiskImages = [ 1024 ];
fileSystems = pkgs.lib.mkVMOverride
[ { mountPoint = "/data";
device = "/dev/disk/by-label/data";
fsType = "ext4";
}
];
};
in {
name = "glusterfs";
nodes = {
server1 = server;
server2 = server;
client1 = client;
client2 = client;
};
testScript = ''
$server1->waitForUnit("glusterd.service");
$server2->waitForUnit("glusterd.service");
# establish initial contact
$server1->succeed("sleep 2");
$server1->succeed("gluster peer probe server2");
$server1->succeed("gluster peer probe server1");
$server1->succeed("gluster peer status | grep Connected");
# create volumes
$server1->succeed("mkdir -p /data/vg0");
$server2->succeed("mkdir -p /data/vg0");
$server1->succeed("gluster volume create gv0 server1:/data/vg0 server2:/data/vg0");
$server1->succeed("gluster volume start gv0");
# test clients
$client1->waitForUnit("gluster.mount");
$client2->waitForUnit("gluster.mount");
$client1->succeed("echo test > /gluster/file1");
$client2->succeed("grep test /gluster/file1");
'';
})

42
nixos/tests/gnome-photos.nix Normal file
View File

@ -0,0 +1,42 @@
# run installed tests
import ./make-test.nix ({ pkgs, lib, ... }:
let
# gsettings tool with access to gsettings-desktop-schemas
desktop-gsettings = with pkgs; stdenv.mkDerivation {
name = "desktop-gsettings";
dontUnpack = true;
nativeBuildInputs = [ glib wrapGAppsHook ];
buildInputs = [ gsettings-desktop-schemas ];
installPhase = ''
runHook preInstall
mkdir -p $out/bin
ln -s ${glib.bin}/bin/gsettings $out/bin/desktop-gsettings
runHook postInstall
'';
};
in
{
name = "gnome-photos";
meta = {
maintainers = pkgs.gnome-photos.meta.maintainers;
};
machine = { pkgs, ... }: {
imports = [ ./common/x11.nix ];
programs.dconf.enable = true;
services.gnome3.at-spi2-core.enable = true; # needed for dogtail
environment.systemPackages = with pkgs; [ gnome-desktop-testing desktop-gsettings ];
services.dbus.packages = with pkgs; [ gnome-photos ];
};
testScript = ''
$machine->waitForX;
# dogtail needs accessibility enabled
$machine->succeed("desktop-gsettings set org.gnome.desktop.interface toolkit-accessibility true 2>&1");
$machine->succeed("gnome-desktop-testing-runner -d '${pkgs.gnome-photos.installedTests}/share' 2>&1");
'';
})

71
nixos/tests/icingaweb2.nix Normal file
View File

@ -0,0 +1,71 @@
import ./make-test.nix ({ pkgs, ... }: {
name = "icingaweb2";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ das_j ];
};
nodes = {
icingaweb2 = { config, pkgs, ... }: {
services.icingaweb2 = {
enable = true;
modulePackages = with pkgs.icingaweb2Modules; {
particles = theme-particles;
spring = theme-spring;
};
modules = {
doc.enable = true;
migrate.enable = true;
setup.enable = true;
test.enable = true;
translation.enable = true;
};
generalConfig = {
global = {
module_path = "${pkgs.icingaweb2}/modules";
};
};
authentications = {
icingaweb = {
backend = "external";
};
};
groupBackends = {
icingaweb = {
backend = "db";
resource = "icingaweb_db";
};
};
resources = {
# Not used, so no DB server needed
icingaweb_db = {
type = "db";
db = "mysql";
host = "localhost";
username = "icingaweb2";
password = "icingaweb2";
dbname = "icingaweb2";
};
};
roles = {
Administrators = {
users = "*";
permissions = "*";
};
};
};
};
};
testScript = ''
startAll();
$icingaweb2->waitForUnit("multi-user.target");
$icingaweb2->succeed("curl -sSf http://icingaweb2/authentication/login");
'';
})

49
nixos/tests/jormungandr.nix Normal file
View File

@ -0,0 +1,49 @@
import ./make-test.nix ({ pkgs, ... }: {
name = "jormungandr";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mmahut ];
};
nodes = {
bft = { ... }: {
environment.systemPackages = [ pkgs.jormungandr ];
services.jormungandr.enable = true;
services.jormungandr.genesisBlockFile = "/var/lib/jormungandr/block-0.bin";
services.jormungandr.secretFile = "/etc/secrets/jormungandr.yaml";
};
};
testScript = ''
startAll;
# Let's wait for the StateDirectory
$bft->waitForFile("/var/lib/jormungandr/");
# First, we generate the genesis file for our new blockchain
$bft->succeed("jcli genesis init > /root/genesis.yaml");
# We need to generate our secret key
$bft->succeed("jcli key generate --type=Ed25519 > /root/key.prv");
# We include the secret key into our services.jormungandr.secretFile
$bft->succeed("mkdir -p /etc/secrets");
$bft->succeed("echo -e \"bft:\\n signing_key:\" \$(cat /root/key.prv) > /etc/secrets/jormungandr.yaml");
# After that, we generate our public key from it
$bft->succeed("cat /root/key.prv | jcli key to-public > /root/key.pub");
# We add our public key as a consensus leader in the genesis configration file
$bft->succeed("sed -ie \"s/ed25519_pk1vvwp2s0n5jl5f4xcjurp2e92sj2awehkrydrlas4vgqr7xzt33jsadha32/\$(cat /root/key.pub)/\" /root/genesis.yaml");
# Now we can generate the genesis block from it
$bft->succeed("jcli genesis encode --input /root/genesis.yaml --output /var/lib/jormungandr/block-0.bin");
# We should have everything to start the service now
$bft->succeed("systemctl restart jormungandr");
$bft->waitForUnit("jormungandr.service");
# Now we can test if we are able to reach the REST API
$bft->waitUntilSucceeds("curl -L http://localhost:8607/api/v0/node/stats | grep uptime");
'';
})

17
nixos/tests/libxmlb.nix Normal file
View File

@ -0,0 +1,17 @@
# run installed tests
import ./make-test.nix ({ pkgs, ... }:
{
name = "libxmlb";
meta = {
maintainers = pkgs.libxmlb.meta.maintainers;
};
machine = { pkgs, ... }: {
environment.systemPackages = with pkgs; [ gnome-desktop-testing ];
};
testScript = ''
$machine->succeed("gnome-desktop-testing-runner -d '${pkgs.libxmlb.installedTests}/share'");
'';
})

20
nixos/tests/metabase.nix Normal file
View File

@ -0,0 +1,20 @@
import ./make-test.nix ({ pkgs, ... }: {
name = "metabase";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mmahut ];
};
nodes = {
machine = { ... }: {
services.metabase.enable = true;
virtualisation.memorySize = 1024;
};
};
testScript = ''
startAll;
$machine->waitForUnit("metabase.service");
$machine->waitForOpenPort(3000);
$machine->waitUntilSucceeds("curl -L http://localhost:3000/setup | grep Metabase");
'';
})

2
nixos/tests/networking.nix
View File

@ -21,7 +21,7 @@ let
useNetworkd = networkd;
firewall.checkReversePath = true;
firewall.allowedUDPPorts = [ 547 ];
interfaces = mkOverride 0 (listToAttrs (flip map vlanIfs (n:
interfaces = mkOverride 0 (listToAttrs (forEach vlanIfs (n:
nameValuePair "eth${toString n}" {
ipv4.addresses = [ { address = "192.168.${toString n}.1"; prefixLength = 24; } ];
ipv6.addresses = [ { address = "fd00:1234:5678:${toString n}::1"; prefixLength = 64; } ];

50
nixos/tests/nginx.nix
View File

@ -3,15 +3,15 @@
# generated virtual hosts config.
# 2. whether the ETag header is properly generated whenever we're serving
# files in Nix store paths
# 3. nginx doesn't restart on configuration changes (only reloads)
import ./make-test.nix ({ pkgs, ... }: {
name = "nginx";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mbbx6spp ];
};
nodes = let
commonConfig = { pkgs, ... }: {
nodes = {
webserver = { pkgs, lib, ... }: {
services.nginx.enable = true;
services.nginx.commonHttpConfig = ''
log_format ceeformat '@cee: {"status":"$status",'
@ -32,30 +32,42 @@ import ./make-test.nix ({ pkgs, ... }: {
location /favicon.ico { allow all; access_log off; log_not_found off; }
'';
};
services.nginx.virtualHosts.localhost = {
root = pkgs.runCommand "testdir" {} ''
mkdir "$out"
echo hello world > "$out/index.html"
'';
};
};
in {
webserver = commonConfig;
newwebserver = { pkgs, lib, ... }: {
imports = [ commonConfig ];
services.nginx.enableReload = true;
nesting.clone = [
{
services.nginx.virtualHosts.localhost = {
root = lib.mkForce (pkgs.runCommand "testdir2" {} ''
mkdir "$out"
echo hello world > "$out/index.html"
echo content changed > "$out/index.html"
'');
};
}
{
services.nginx.virtualHosts."1.my.test".listen = [ { addr = "127.0.0.1"; port = 8080; }];
}
{
services.nginx.package = pkgs.nginxUnstable;
}
];
};
};
testScript = { nodes, ... }: let
newServerSystem = nodes.newwebserver.config.system.build.toplevel;
switch = "${newServerSystem}/bin/switch-to-configuration test";
etagSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-1";
justReloadSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-2";
reloadRestartSystem = "${nodes.webserver.config.system.build.toplevel}/fine-tune/child-3";
in ''
my $url = 'http://localhost/index.html';
@ -77,9 +89,23 @@ import ./make-test.nix ({ pkgs, ... }: {
subtest "check ETag if serving Nix store paths", sub {
my $oldEtag = checkEtag;
$webserver->succeed('${switch}');
$webserver->succeed("${etagSystem}/bin/switch-to-configuration test >&2");
$webserver->sleep(1); # race condition
my $newEtag = checkEtag;
die "Old ETag $oldEtag is the same as $newEtag" if $oldEtag eq $newEtag;
};
subtest "config is reloaded on nixos-rebuild switch", sub {
$webserver->succeed("${justReloadSystem}/bin/switch-to-configuration test >&2");
$webserver->waitForOpenPort("8080");
$webserver->fail("journalctl -u nginx | grep -q -i stopped");
$webserver->succeed("journalctl -u nginx | grep -q -i reloaded");
};
subtest "restart when nginx package changes", sub {
$webserver->succeed("${reloadRestartSystem}/bin/switch-to-configuration test >&2");
$webserver->waitForUnit("nginx");
$webserver->succeed("journalctl -u nginx | grep -q -i stopped");
};
'';
})

5
nixos/tests/php-pcre.nix
View File

@ -8,11 +8,8 @@ import ./make-test.nix ({ ...}: {
services.httpd = {
enable = true;
adminAddr = "please@dont.contact";
extraSubservices = lib.singleton {
function = f: {
enablePHP = true;
phpOptions = "pcre.jit = true";
extraConfig =
let
testRoot = pkgs.writeText "index.php"
@ -32,8 +29,6 @@ import ./make-test.nix ({ ...}: {
'';
};
};
};
};
testScript = { ... }:
''
$machine->waitForUnit('httpd.service');

38
nixos/tests/prosody.nix
View File

@ -1,38 +0,0 @@
import ./make-test.nix {
name = "prosody";
machine = { pkgs, ... }: {
services.prosody = {
enable = true;
# TODO: use a self-signed certificate
c2sRequireEncryption = false;
extraConfig = ''
storage = "sql"
'';
virtualHosts.test = {
domain = "example.com";
enabled = true;
};
};
environment.systemPackages = [
(pkgs.callPackage ./xmpp-sendmessage.nix {})
];
};
testScript = ''
$machine->waitForUnit('prosody.service');
$machine->succeed('prosodyctl status') =~ /Prosody is running/;
# set password to 'nothunter2' (it's asked twice)
$machine->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
# set password to 'y'
$machine->succeed('yes | prosodyctl adduser azurediamond@example.com');
# correct password to 'hunter2'
$machine->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
$machine->succeed("send-message");
$machine->succeed('prosodyctl deluser cthon98@example.com');
$machine->succeed('prosodyctl deluser azurediamond@example.com');
'';
}

121
nixos/tests/subversion.nix
View File

@ -1,121 +0,0 @@
import ./make-test.nix ({ pkgs, ...} :
let
# Build some packages with coverage instrumentation.
overrides = pkgs:
with pkgs.stdenvAdapters;
let
do = pkg: pkg.override (args: {
stdenv = addCoverageInstrumentation args.stdenv;
});
in
rec {
apr = do pkgs.apr;
aprutil = do pkgs.aprutil;
apacheHttpd = do pkgs.apacheHttpd;
mod_python = do pkgs.mod_python;
subversion = do pkgs.subversion;
# To build the kernel with coverage instrumentation, we need a
# special patch to make coverage data available under /proc.
linux = pkgs.linux.override (orig: {
stdenv = overrideInStdenv pkgs.stdenv [ pkgs.keepBuildTree ];
extraConfig =
''
GCOV_KERNEL y
GCOV_PROFILE_ALL y
'';
});
};
in
{
name = "subversion";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco ];
};
nodes =
{ webserver =
{ ... }:
{
services.httpd.enable = true;
services.httpd.adminAddr = "e.dolstra@tudelft.nl";
services.httpd.extraSubservices =
[ { function = import <services/subversion>;
urlPrefix = "";
dataDir = "/data/subversion";
userCreationDomain = "192.168.0.0/16";
}
];
nixpkgs.config.packageOverrides = overrides;
};
client =
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.subversion ];
nixpkgs.config.packageOverrides = overrides;
};
};
testScript =
''
startAll;
$webserver->waitForOpenPort(80);
print STDERR $client->succeed("svn --version");
print STDERR $client->succeed("curl --fail http://webserver/");
# Create a new user through the web interface.
$client->succeed("curl --fail -F username=alice -F fullname='Alice Lastname' -F address=alice\@example.org -F password=foobar -F password_again=foobar http://webserver/repoman/adduser");
# Let Alice create a new repository.
$client->succeed("curl --fail -u alice:foobar --form repo=xyzzy --form description=Xyzzy http://webserver/repoman/create");
$client->succeed("curl --fail http://webserver/") =~ /alice/ or die;
# Let Alice do a checkout.
my $svnFlags = "--non-interactive --username alice --password foobar";
$client->succeed("svn co $svnFlags http://webserver/repos/xyzzy wc");
$client->succeed("echo hello > wc/world");
$client->succeed("svn add wc/world");
$client->succeed("svn ci $svnFlags -m 'Added world.' wc/world");
# Create a new user on the server through the create-user.pl script.
$webserver->execute("svn-server-create-user.pl bob bob\@example.org Bob");
$webserver->succeed("svn-server-resetpw.pl bob fnord");
$client->succeed("curl --fail http://webserver/") =~ /bob/ or die;
# Bob should not have access to the repo.
my $svnFlagsBob = "--non-interactive --username bob --password fnord";
$client->fail("svn co $svnFlagsBob http://webserver/repos/xyzzy wc2");
# Bob should not be able change the ACLs of the repo.
# !!! Repoman should really return a 403 here.
$client->succeed("curl --fail -u bob:fnord -F description=Xyzzy -F readers=alice,bob -F writers=alice -F watchers= -F tardirs= http://webserver/repoman/update/xyzzy")
=~ /not authorised/ or die;
# Give Bob access.
$client->succeed("curl --fail -u alice:foobar -F description=Xyzzy -F readers=alice,bob -F writers=alice -F watchers= -F tardirs= http://webserver/repoman/update/xyzzy");
# So now his checkout should succeed.
$client->succeed("svn co $svnFlagsBob http://webserver/repos/xyzzy wc2");
# Test ViewVC and WebSVN
$client->succeed("curl --fail -u alice:foobar http://webserver/viewvc/xyzzy");
$client->succeed("curl --fail -u alice:foobar http://webserver/websvn/xyzzy");
$client->succeed("curl --fail -u alice:foobar http://webserver/repos-xml/xyzzy");
# Stop Apache to gather all the coverage data.
$webserver->stopJob("httpd");
'';
})

80
nixos/tests/systemd-networkd-wireguard.nix Normal file
View File

@ -0,0 +1,80 @@
let generateNodeConf = { lib, pkgs, config, privkpath, pubk, peerId, nodeId, ...}: {
imports = [ common/user-account.nix ];
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
networking.useNetworkd = true;
networking.firewall.enable = false;
virtualisation.vlans = [ 1 ];
environment.systemPackages = with pkgs; [ wireguard-tools ];
boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
systemd.network = {
enable = true;
netdevs = {
"90-wg0" = {
netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
wireguardConfig = {
PrivateKeyFile = privkpath ;
ListenPort = 51820;
FwMark = 42;
};
wireguardPeers = [ {wireguardPeerConfig={
Endpoint = "192.168.1.${peerId}:51820";
PublicKey = pubk;
PresharedKeyFile = pkgs.writeText "psk.key" "yTL3sCOL33Wzi6yCnf9uZQl/Z8laSE+zwpqOHC4HhFU=";
AllowedIPs = [ "10.0.0.${peerId}/32" ];
PersistentKeepalive = 15;
};}];
};
};
networks = {
"99-nope" = {
matchConfig.Name = "eth*";
linkConfig.Unmanaged = true;
};
"90-wg0" = {
matchConfig = { Name = "wg0"; };
address = [ "10.0.0.${nodeId}/32" ];
routes = [
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
];
};
"90-eth1" = {
matchConfig = { Name = "eth1"; };
address = [ "192.168.1.${nodeId}/24" ];
};
};
};
};
in import ./make-test.nix ({pkgs, ... }: {
name = "networkd-wireguard";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ninjatrappeur ];
};
nodes = {
node1 = { pkgs, ... }@attrs:
let localConf = {
privkpath = pkgs.writeText "priv.key" "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
nodeId = "1";
peerId = "2";
};
in generateNodeConf (attrs // localConf);
node2 = { pkgs, ... }@attrs:
let localConf = {
privkpath = pkgs.writeText "priv.key" "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
nodeId = "2";
peerId = "1";
};
in generateNodeConf (attrs // localConf);
};
testScript = ''
startAll;
$node1->waitForUnit('systemd-networkd-wait-online.service');
$node2->waitForUnit('systemd-networkd-wait-online.service');
$node1->succeed('ping -c 5 10.0.0.2');
$node2->succeed('ping -c 5 10.0.0.1');
# Is the fwmark set?
$node2->succeed('wg | grep -q 42');
'';
})

15
nixos/tests/systemd.nix
View File

@ -78,19 +78,16 @@ import ./make-test.nix ({ pkgs, ... }: {
$machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
};
# Regression test for https://github.com/NixOS/nixpkgs/issues/35268
subtest "file system with x-initrd.mount is not unmounted", sub {
$machine->shutdown;
$machine->waitForUnit('multi-user.target');
# If the file system was unmounted during the shutdown the file system
# has a last mount time, because the file system wasn't checked.
$machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
};
subtest "systemd-shutdown works", sub {
$machine->shutdown;
$machine->waitForUnit('multi-user.target');
$machine->succeed('test -e /tmp/shared/shutdown-test');
};
# Test settings from /etc/sysctl.d/50-default.conf are applied
subtest "systemd sysctl settings are applied", sub {
$machine->waitForUnit('multi-user.target');
$machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"');
};
'';
})

20
nixos/tests/trezord.nix Normal file
View File

@ -0,0 +1,20 @@
import ./make-test.nix ({ pkgs, ... }: {
name = "trezord";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mmahut ];
};
nodes = {
machine = { ... }: {
services.trezord.enable = true;
services.trezord.emulator.enable = true;
};
};
testScript = ''
startAll;
$machine->waitForUnit("trezord.service");
$machine->waitForOpenPort(21325);
$machine->waitUntilSucceeds("curl -L http://localhost:21325/status/ | grep Version");
'';
})

6
nixos/tests/ejabberd.nix → nixos/tests/xmpp/ejabberd.nix
View File

@ -1,4 +1,4 @@
import ./make-test.nix ({ pkgs, ... }: {
import ../make-test.nix ({ pkgs, ... }: {
name = "ejabberd";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ajs124 ];
@ -45,8 +45,7 @@ import ./make-test.nix ({ pkgs, ... }: {
ip: "127.0.0.1"
module: ejabberd_service
access: local
shaper_rule: fast
ip: "127.0.0.1"
shaper: fast
## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
@ -181,7 +180,6 @@ import ./make-test.nix ({ pkgs, ... }: {
mod_client_state: {}
mod_configure: {} # requires mod_adhoc
## mod_delegation: {} # for xep0356
mod_echo: {}
#mod_irc:
# host: "irc.@HOST@"
# default_encoding: "utf-8"

77
nixos/tests/xmpp/prosody-mysql.nix Normal file
View File

@ -0,0 +1,77 @@
import ../make-test.nix {
name = "prosody-mysql";
nodes = {
client = { nodes, pkgs, ... }: {
environment.systemPackages = [
(pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; })
];
};
server = { config, pkgs, ... }: {
nixpkgs.overlays = [
(self: super: {
prosody = super.prosody.override {
withDBI = true;
withExtraLibs = [ pkgs.luaPackages.luadbi-mysql ];
};
})
];
networking.extraHosts = ''
${config.networking.primaryIPAddress} example.com
'';
networking.firewall.enable = false;
services.prosody = {
enable = true;
# TODO: use a self-signed certificate
c2sRequireEncryption = false;
extraConfig = ''
storage = "sql"
sql = {
driver = "MySQL";
database = "prosody";
host = "mysql";
port = 3306;
username = "prosody";
password = "password123";
};
'';
virtualHosts.test = {
domain = "example.com";
enabled = true;
};
};
};
mysql = { config, pkgs, ... }: {
networking.firewall.enable = false;
services.mysql = {
enable = true;
initialScript = pkgs.writeText "mysql_init.sql" ''
CREATE DATABASE prosody;
CREATE USER 'prosody'@'server' IDENTIFIED BY 'password123';
GRANT ALL PRIVILEGES ON prosody.* TO 'prosody'@'server';
FLUSH PRIVILEGES;
'';
package = pkgs.mariadb;
};
};
};
testScript = { nodes, ... }: ''
$mysql->waitForUnit('mysql.service');
$server->waitForUnit('prosody.service');
$server->succeed('prosodyctl status') =~ /Prosody is running/;
# set password to 'nothunter2' (it's asked twice)
$server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
# set password to 'y'
$server->succeed('yes | prosodyctl adduser azurediamond@example.com');
# correct password to 'hunter2'
$server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
$client->succeed("send-message");
$server->succeed('prosodyctl deluser cthon98@example.com');
$server->succeed('prosodyctl deluser azurediamond@example.com');
'';
}

46
nixos/tests/xmpp/prosody.nix Normal file
View File

@ -0,0 +1,46 @@
import ../make-test.nix {
name = "prosody";
nodes = {
client = { nodes, pkgs, ... }: {
environment.systemPackages = [
(pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; })
];
};
server = { config, pkgs, ... }: {
networking.extraHosts = ''
${config.networking.primaryIPAddress} example.com
'';
networking.firewall.enable = false;
services.prosody = {
enable = true;
# TODO: use a self-signed certificate
c2sRequireEncryption = false;
extraConfig = ''
storage = "sql"
'';
virtualHosts.test = {
domain = "example.com";
enabled = true;
};
};
};
};
testScript = { nodes, ... }: ''
$server->waitForUnit('prosody.service');
$server->succeed('prosodyctl status') =~ /Prosody is running/;
# set password to 'nothunter2' (it's asked twice)
$server->succeed('yes nothunter2 | prosodyctl adduser cthon98@example.com');
# set password to 'y'
$server->succeed('yes | prosodyctl adduser azurediamond@example.com');
# correct password to 'hunter2'
$server->succeed('yes hunter2 | prosodyctl passwd azurediamond@example.com');
$client->succeed("send-message");
$server->succeed('prosodyctl deluser cthon98@example.com');
$server->succeed('prosodyctl deluser azurediamond@example.com');
'';
}

0
nixos/tests/xmpp-sendmessage.nix → nixos/tests/xmpp/xmpp-sendmessage.nix
View File

38
pkgs/applications/altcoins/bitcoin-unlimited-const-comparators.patch
View File

@ -1,38 +0,0 @@
--- a/src/txmempool.h
+++ b/src/txmempool.h
@@ -204,7 +204,7 @@
class CompareTxMemPoolEntryByDescendantScore
{
public:
- bool operator()(const CTxMemPoolEntry& a, const CTxMemPoolEntry& b)
+ bool operator()(const CTxMemPoolEntry& a, const CTxMemPoolEntry& b) const
{
bool fUseADescendants = UseDescendantScore(a);
bool fUseBDescendants = UseDescendantScore(b);
@@ -226,7 +226,7 @@
}
// Calculate which score to use for an entry (avoiding division).
- bool UseDescendantScore(const CTxMemPoolEntry &a)
+ bool UseDescendantScore(const CTxMemPoolEntry &a) const
{
double f1 = (double)a.GetModifiedFee() * a.GetSizeWithDescendants();
double f2 = (double)a.GetModFeesWithDescendants() * a.GetTxSize();
@@ -241,7 +241,7 @@
class CompareTxMemPoolEntryByScore
{
public:
- bool operator()(const CTxMemPoolEntry& a, const CTxMemPoolEntry& b)
+ bool operator()(const CTxMemPoolEntry& a, const CTxMemPoolEntry& b) const
{
double f1 = (double)a.GetModifiedFee() * b.GetTxSize();
double f2 = (double)b.GetModifiedFee() * a.GetTxSize();
@@ -255,7 +255,7 @@
class CompareTxMemPoolEntryByEntryTime
{
public:
- bool operator()(const CTxMemPoolEntry& a, const CTxMemPoolEntry& b)
+ bool operator()(const CTxMemPoolEntry& a, const CTxMemPoolEntry& b) const
{
return a.GetTime() < b.GetTime();
}

24
pkgs/applications/altcoins/bitcoin-unlimited.nix
View File

@ -1,34 +1,32 @@
{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, openssl, db48, boost
, zlib, miniupnpc, qt4, utillinux, protobuf, qrencode, libevent
, withGui
, zlib, miniupnpc, utillinux, protobuf, qrencode, libevent, python3
, withGui, wrapQtAppsHook ? null, qtbase ? null, qttools ? null
, Foundation, ApplicationServices, AppKit }:
with stdenv.lib;
stdenv.mkDerivation rec {
name = "bitcoin" + (toString (optional (!withGui) "d")) + "-unlimited-" + version;
version = "1.0.3.0";
version = "1.6.0.1";
src = fetchFromGitHub {
owner = "bitcoinunlimited";
repo = "bitcoinunlimited";
rev = "v${version}";
sha256 = "0l02a7h502msrp4c02wgm7f3159ap8l61k4890vas99gq7ywxkcx";
rev = "bucash${version}";
sha256 = "0f0mnal4jf8xdj7w5m4rdlcqkrkbpxi88c006m5k45lmjmj141zr";
};
nativeBuildInputs = [ pkgconfig autoreconfHook ];
nativeBuildInputs = [ pkgconfig autoreconfHook python3 ]
++ optionals withGui [ wrapQtAppsHook qttools ];
buildInputs = [ openssl db48 boost zlib
miniupnpc utillinux protobuf libevent ]
++ optionals withGui [ qt4 qrencode ]
++ optionals withGui [ qtbase qttools qrencode ]
++ optionals stdenv.isDarwin [ Foundation ApplicationServices AppKit ];
patches = [
./bitcoin-unlimited-const-comparators.patch
];
configureFlags = [ "--with-boost-libdir=${boost.out}/lib" ]
++ optionals withGui [ "--with-gui=qt4" ];
++ optionals withGui [ "--with-gui=qt5"
"--with-qt-bindir=${qtbase.dev}/bin:${qttools.dev}/bin"
];
enableParallelBuilding = true;
meta = {

51
pkgs/applications/altcoins/bitcoin-xt.nix
View File

@ -1,51 +0,0 @@
{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, openssl, db48, boost
, zlib, miniupnpc, qt4, utillinux, protobuf, qrencode, curl, libevent
, withGui
, Foundation, ApplicationServices, AppKit }:
with stdenv.lib;
stdenv.mkDerivation rec{
name = "bitcoin" + (toString (optional (!withGui) "d")) + "-xt-" + version;
version = "0.11H";
src = fetchFromGitHub {
owner = "bitcoinxt";
repo = "bitcoinxt";
rev = "v${version}";
sha256 = "1v43bynmidn2zdpky939km721x3ks91bzyh4200gji61qzsmyg62";
};
nativeBuildInputs = [ pkgconfig autoreconfHook ];
buildInputs = [ openssl db48 boost zlib libevent
miniupnpc utillinux protobuf curl ]
++ optionals withGui [ qt4 qrencode ]
++ optionals stdenv.isDarwin [ Foundation ApplicationServices AppKit ];
configureFlags = [
"--with-boost-libdir=${boost.out}/lib"
"--with-libcurl-headers=${curl.dev}/include"
] ++ optionals withGui [ "--with-gui=qt4" ];
enableParallelBuilding = true;
meta = {
description = "Peer-to-peer electronic cash system (XT client)";
longDescription= ''
Bitcoin is a free open source peer-to-peer electronic cash system that is
completely decentralized, without the need for a central server or trusted
parties. Users hold the crypto keys to their own money and transact directly
with each other, with the help of a P2P network to check for double-spending.
Bitcoin XT is an implementation of a Bitcoin full node, based upon the
source code of Bitcoin Core. It is built by taking the latest stable
Core release, applying a series of patches, and then doing deterministic
builds so anyone can check the downloads correspond to the source code.
'';
homepage = https://bitcoinxt.software/;
maintainers = with maintainers; [ jefdaj ];
license = licenses.mit;
broken = stdenv.isDarwin;
platforms = platforms.unix;
};
}

17
pkgs/applications/altcoins/default.nix
View File

@ -1,4 +1,4 @@
{ callPackage, boost155, boost165, openssl_1_1, darwin, libsForQt5, libsForQt59, miniupnpc_2, python3, buildGo110Package }:
{ callPackage, boost155, boost165, darwin, libsForQt5, libsForQt59, miniupnpc_2, python3, buildGo110Package }:
rec {
@ -11,7 +11,7 @@ rec {
bitcoin-abc = libsForQt5.callPackage ./bitcoin-abc.nix { boost = boost165; withGui = true; };
bitcoind-abc = callPackage ./bitcoin-abc.nix { boost = boost165; withGui = false; };
bitcoin-unlimited = callPackage ./bitcoin-unlimited.nix {
bitcoin-unlimited = libsForQt5.callPackage ./bitcoin-unlimited.nix {
inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
withGui = true;
};
@ -23,15 +23,6 @@ rec {
bitcoin-classic = libsForQt5.callPackage ./bitcoin-classic.nix { boost = boost165; withGui = true; };
bitcoind-classic = callPackage ./bitcoin-classic.nix { boost = boost165; withGui = false; };
bitcoin-xt = callPackage ./bitcoin-xt.nix {
inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
boost = boost165; withGui = true;
};
bitcoind-xt = callPackage ./bitcoin-xt.nix {
inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
boost = boost165; withGui = false;
};
btc1 = callPackage ./btc1.nix {
inherit (darwin.apple_sdk.frameworks) AppKit;
boost = boost165;
@ -69,9 +60,6 @@ rec {
masari = callPackage ./masari.nix { boost = boost165; };
memorycoin = callPackage ./memorycoin.nix { boost = boost165; withGui = true; };
memorycoind = callPackage ./memorycoin.nix { boost = boost165; withGui = false; };
mist = callPackage ./mist.nix { };
namecoin = callPackage ./namecoin.nix { withGui = true; };
@ -90,7 +78,6 @@ rec {
zcash = callPackage ./zcash {
withGui = false;
openssl = openssl_1_1;
};
parity = callPackage ./parity { };

4
pkgs/applications/altcoins/dogecoin.nix
View File

@ -1,8 +1,8 @@
{ stdenv , fetchFromGitHub
, pkgconfig, autoreconfHook
, db5, openssl, boost, zlib, miniupnpc
, db5, openssl, boost, zlib, miniupnpc, libevent
, protobuf, utillinux, qt4, qrencode
, withGui, libevent }:
, withGui }:
with stdenv.lib;
stdenv.mkDerivation rec {

3
pkgs/applications/altcoins/freicoin.nix
View File

@ -34,5 +34,8 @@ stdenv.mkDerivation rec {
license = licenses.mit;
maintainers = [ maintainers.viric ];
platforms = platforms.linux;
# upstream doesn't support newer openssl versions, use 1.0.1 for testing
broken = true;
};
}

13
pkgs/applications/altcoins/jormungandr/default.nix
View File

@ -1,27 +1,28 @@
{ stdenv
, lib
, fetchgit
, rustPlatform
, openssl
, pkgconfig
, protobuf
, rustup
, darwin
}:
rustPlatform.buildRustPackage rec {
pname = "jormungandr";
version = "0.3.1";
version = "0.3.3";
src = fetchgit {
url = "https://github.com/input-output-hk/${pname}";
rev = "v${version}";
sha256 = "0ys8sw73c7binxnl79dqi7sxva62bgifbhgyzvvjvmjjdxgq4kfp";
sha256 = "1fw3cl2rxnw9mww1b1z96x2iapwbpdgyp4ra19dhvfzmlvaiml5j";
fetchSubmodules = true;
};
cargoSha256 = "0fphjzz78ym15qbka01idnq6vkyf4asrnhrhvxngwc3bifmnj937";
cargoSha256 = "1ilp9ffaz3njv38mnqics4b5d7wh52mj4rwi71h5c0wzx4ww3zal";
nativeBuildInputs = [ pkgconfig protobuf rustup ];
buildInputs = [ openssl ];
nativeBuildInputs = [ pkgconfig protobuf ];
buildInputs = [ openssl ] ++ lib.optionals stdenv.isDarwin [ darwin.apple_sdk.frameworks.Security ];
PROTOC = "${protobuf}/bin/protoc";

56
pkgs/applications/altcoins/memorycoin.nix
View File

@ -1,56 +0,0 @@
{ stdenv, fetchurl, pkgconfig, openssl, db48, boost
, zlib, qt4, qmake4Hook, utillinux, protobuf, qrencode
, withGui }:
with stdenv.lib;
stdenv.mkDerivation rec{
name = "memorycoin" + (toString (optional (!withGui) "d")) + "-" + version;
version = "0.8.5";
src = fetchurl {
url = "https://github.com/memorycoin/memorycoin/archive/v${version}.tar.gz";
sha256 = "1iyh6dqrg0mirwci5br5n5qw3ghp2cs23wd8ygr56bh9ml4dr1m8";
};
nativeBuildInputs = [ pkgconfig ];
buildInputs = [ openssl db48 boost zlib utillinux protobuf ]
++ optionals withGui [ qt4 qmake4Hook qrencode ];
qmakeFlags = ["USE_UPNP=-"];
makeFlags = ["USE_UPNP=-"];
configureFlags = [ "--with-boost-libdir=${boost.out}/lib" ]
++ optionals withGui [ "--with-gui=qt4" ];
preBuild = "unset AR;"
+ (toString (optional (!withGui) "cd src; cp makefile.unix Makefile"));
installPhase =
if withGui
then "install -D bitcoin-qt $out/bin/memorycoin-qt"
else "install -D bitcoind $out/bin/memorycoind";
# `make build/version.o`:
# make: *** No rule to make target 'build/build.h', needed by 'build/version.o'. Stop.
enableParallelBuilding = false;
meta = {
description = "Peer-to-peer, CPU-based electronic cash system";
longDescription= ''
Memorycoin is a cryptocurrency that aims to empower the
economically and financially marginalized. It allows individuals
to participate in the internet economy even when they live in
countries where credit card companies and PayPal(R) refuse to
operate. Individuals can store and transfer wealth with just a
memorized pass phrase.
Memorycoin is based on the Bitcoin code, but with some key
differences.
'';
homepage = http://www.bitcoin.org/;
maintainers = with maintainers; [ AndersonTorres ];
license = licenses.mit;
platforms = [ "x86_64-linux" ];
};
}

6
pkgs/applications/altcoins/parity/beta.nix
View File

@ -1,6 +1,6 @@
let
version = "2.6.0";
sha256 = "1v0wc6l09nr42ljlq5lq1dgignm53hq3pmrgp2sld9zfxy3vdy0x";
cargoSha256 = "1bkcvziz0diy76nbcgykajpnp6akva0m7ka7q6w3s9k7awxjxkx3";
version = "2.6.1";
sha256 = "0yvscs2ivy08zla3jhirxhwwaqsn9j5ml4sqbgx6h5rh19c941vh";
cargoSha256 = "1s3c44cggajrmc504klf4cyb1s4l5ny48yihs9c3fc0n8d064017";
in
import ./parity.nix { inherit version sha256 cargoSha256; }

6
pkgs/applications/altcoins/parity/default.nix
View File

@ -1,6 +1,6 @@
let
version = "2.5.5";
sha256 = "193fnrf1pr67wblyxd5gbrg1rgflphnfaxgm3kb4iawjh18br6c6";
cargoSha256 = "1w9p43v76igb62mbjk2rl7fynk13l4hpz25jd4f4hk5b2y2wf3r7";
version = "2.5.6";
sha256 = "1qkrqkkgjvm27babd6bidhf1n6vdp8rac1zy5kf61nfzplxzr2dy";
cargoSha256 = "0aa0nkv3jr7cdzswbxghxxv0y65a59jgs1682ch8vrasi0x17m1x";
in
import ./parity.nix { inherit version sha256 cargoSha256; }

Some files were not shown because too many files have changed in this diff Show More