Merge branch 'binutils-always-patch' into ios-mini-staging

John Ericson 2018-05-22 13:37:32 -04:00
commit 2e903444d0
1024 changed files with 24173 additions and 17211 deletions


@ -378,7 +378,7 @@
myPackages = pkgs.buildEnv {
name = "my-packages";
paths = [ aspell bc coreutils ffmpeg nixUnstable emscripten jq nox silver-searcher ];
pathsToLink = [ "/share/man" "/share/doc" /bin" ];
pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
extraOutputsToInstall = [ "man" "doc" ];
};
};
@ -416,7 +416,7 @@ cp ${myProfile} $out/etc/profile.d/my-profile.sh
nox
silver-searcher
];
pathsToLink = [ "/share/man" "/share/doc" /bin" "/etc" ];
pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
extraOutputsToInstall = [ "man" "doc" ];
};
};


@ -476,7 +476,7 @@ Additional information.
<para>
It's only for non-breaking mass-rebuild commits. That means it's not to
be used for testing, and changes must have been well tested already.
<link xlink:href="http://comments.gmane.org/gmane.linux.distributions.nixos/13447">Read
<link xlink:href="https://web.archive.org/web/20160528180406/http://comments.gmane.org/gmane.linux.distributions.nixos/13447">Read
policy here</link>.
</para>
</listitem>


@ -51,11 +51,11 @@ let
# back-compat aliases
platforms = systems.forMeta;
inherit (builtins) add addErrorContext attrNames
concatLists deepSeq elem elemAt filter genericClosure genList
getAttr hasAttr head isAttrs isBool isInt isList
isString length lessThan listToAttrs pathExists readFile
replaceStrings seq stringLength sub substring tail;
inherit (builtins) add addErrorContext attrNames concatLists
deepSeq elem elemAt filter genericClosure genList getAttr
hasAttr head isAttrs isBool isInt isList isString length
lessThan listToAttrs pathExists readFile replaceStrings seq
stringLength sub substring tail;
inherit (trivial) id const concat or and boolToString mergeAttrs
flip mapNullable inNixShell min max importJSON warn info
nixpkgsVersion version mod compare splitByAndCompare
@ -74,30 +74,32 @@ let
inherit (lists) singleton foldr fold foldl foldl' imap0 imap1
concatMap flatten remove findSingle findFirst any all count
optional optionals toList range partition zipListsWith zipLists
reverseList listDfs toposort sort naturalSort compareLists take drop sublist
last init crossLists unique intersectLists subtractLists
mutuallyExclusive;
reverseList listDfs toposort sort naturalSort compareLists take
drop sublist last init crossLists unique intersectLists
subtractLists mutuallyExclusive;
inherit (strings) concatStrings concatMapStrings concatImapStrings
intersperse concatStringsSep concatMapStringsSep
concatImapStringsSep makeSearchPath makeSearchPathOutput
makeLibraryPath makeBinPath makePerlPath optionalString
hasPrefix hasSuffix stringToCharacters stringAsChars escape
escapeShellArg escapeShellArgs replaceChars lowerChars upperChars
toLower toUpper addContextFrom splitString removePrefix
removeSuffix versionOlder versionAtLeast getVersion nameFromURL
enableFeature fixedWidthString fixedWidthNumber isStorePath
escapeShellArg escapeShellArgs replaceChars lowerChars
upperChars toLower toUpper addContextFrom splitString
removePrefix removeSuffix versionOlder versionAtLeast getVersion
nameFromURL enableFeature enableFeatureAs withFeature
withFeatureAs fixedWidthString fixedWidthNumber isStorePath
toInt readPathsFromFile fileContents;
inherit (stringsWithDeps) textClosureList textClosureMap
noDepEntry fullDepEntry packEntry stringAfter;
inherit (customisation) overrideDerivation makeOverridable
callPackageWith callPackagesWith extendDerivation
hydraJob makeScope;
callPackageWith callPackagesWith extendDerivation hydraJob
makeScope;
inherit (meta) addMetaAttrs dontDistribute setName updateName
appendToName mapDerivationAttrset lowPrio lowPrioSet hiPrio
hiPrioSet;
inherit (sources) pathType pathIsDirectory cleanSourceFilter
cleanSource sourceByRegex sourceFilesBySuffices
commitIdFromGitRepo cleanSourceWith pathHasContext canCleanSource;
commitIdFromGitRepo cleanSourceWith pathHasContext
canCleanSource;
inherit (modules) evalModules closeModules unifyModuleSyntax
applyIfFunction unpackSubmodule packSubmodule mergeModules
mergeModules' mergeOptionDecls evalOptionValue mergeDefinitions
@ -119,8 +121,7 @@ let
traceXMLVal traceXMLValMarked traceSeq traceSeqN traceValSeq
traceValSeqFn traceValSeqN traceValSeqNFn traceShowVal
traceShowValMarked showVal traceCall traceCall2 traceCall3
traceValIfNot runTests testAllTrue traceCallXml
attrNamesToStr;
traceValIfNot runTests testAllTrue traceCallXml attrNamesToStr;
inherit (misc) maybeEnv defaultMergeArg defaultMerge foldArgs
defaultOverridableDelayableArgs composedArgsAndFun
maybeAttrNullable maybeAttr ifEnable checkFlag getValue
@ -129,7 +130,7 @@ let
closePropagation mapAttrsFlatten nvs setAttr setAttrMerge
mergeAttrsWithFunc mergeAttrsConcatenateValues
mergeAttrsNoOverride mergeAttrByFunc mergeAttrsByFuncDefaults
mergeAttrsByFuncDefaultsClean mergeAttrBy
prepareDerivationArgs nixType imap overridableDelayableArgs;
mergeAttrsByFuncDefaultsClean mergeAttrBy prepareDerivationArgs
nixType imap overridableDelayableArgs;
});
in lib


@ -86,6 +86,4 @@ rec {
then { system = elem; }
else { parsed = elem; };
in lib.matchAttrs pattern platform;
enableIfAvailable = p: if p.meta.available or true then [ p ] else [];
}


@ -310,6 +310,7 @@ rec {
in opt //
{ value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
inherit (res.defsFinal') highestPrio;
definitions = map (def: def.value) res.defsFinal;
files = map (def: def.file) res.defsFinal;
inherit (res) isDefined;
@ -317,7 +318,7 @@ rec {
# Merge definitions of a value of a given type.
mergeDefinitions = loc: type: defs: rec {
defsFinal =
defsFinal' =
let
# Process mkMerge and mkIf properties.
defs' = concatMap (m:
@ -325,15 +326,20 @@ rec {
) defs;
# Process mkOverride properties.
defs'' = filterOverrides defs';
defs'' = filterOverrides' defs';
# Sort mkOrder properties.
defs''' =
# Avoid sorting if we don't have to.
if any (def: def.value._type or "" == "order") defs''
then sortProperties defs''
else defs'';
in defs''';
if any (def: def.value._type or "" == "order") defs''.values
then sortProperties defs''.values
else defs''.values;
in {
values = defs''';
inherit (defs'') highestPrio;
};
defsFinal = defsFinal'.values;
# Type-check the remaining definitions, and merge them.
mergedValue = foldl' (res: def:
@ -416,13 +422,18 @@ rec {
Note that "z" has the default priority 100.
*/
filterOverrides = defs:
filterOverrides = defs: (filterOverrides' defs).values;
filterOverrides' = defs:
let
defaultPrio = 100;
getPrio = def: if def.value._type or "" == "override" then def.value.priority else defaultPrio;
highestPrio = foldl' (prio: def: min (getPrio def) prio) 9999 defs;
strip = def: if def.value._type or "" == "override" then def // { value = def.value.content; } else def;
in concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
in {
values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
inherit highestPrio;
};
/* Sort a list of properties. The sort priority of a property is
1000 by default, but can be overridden by wrapping the property
@ -664,6 +675,7 @@ rec {
in
{ config, options, ... }:
{ options = setAttrByPath from (mkOption {
inherit visible;
description = "Alias of <option>${showOption to}</option>.";
apply = x: use (toOf config);
});
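Review bot: `filterOverrides'` (L176-L186) now returns `highestPrio` next to `values`, and through `defsFinal'` (L144-L167) and `inherit (res.defsFinal') highestPrio` in the first hunk it becomes a visible attribute of every evaluated option. For an option with no definitions the fold at L180 never runs, so `highestPrio` is the seed 9999, a sentinel that is explained nowhere in the hunk. A comment on the fold would stop consumers from treating it as a real priority, e.g. `# 9999 is only the fold's seed: with no definitions highestPrio stays 9999, above every real priority (the unwrapped default is 100)`. The enclosing `rec { ... }` these hunks edit starts and ends outside the section.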


@ -82,7 +82,7 @@ rec {
=> "//bin"
*/
makeSearchPath = subDir: packages:
concatStringsSep ":" (map (path: path + "/" + subDir) packages);
concatStringsSep ":" (map (path: path + "/" + subDir) (builtins.filter (x: x != null) packages));
/* Construct a Unix-style search path, using given package output.
If no output is found, fallback to `.out` and then to the default.
@ -414,6 +414,39 @@ rec {
*/
enableFeature = enable: feat: "--${if enable then "enable" else "disable"}-${feat}";
/* Create an --{enable-<feat>=<value>,disable-<feat>} string that can be passed to
standard GNU Autoconf scripts.
Example:
enableFeature true "shared" "foo"
=> "--enable-shared=foo"
enableFeature false "shared" (throw "ignored")
=> "--disable-shared"
*/
enableFeatureAs = enable: feat: value: enableFeature enable feat + optionalString enable "=${value}";
/* Create an --{with,without}-<feat> string that can be passed to
standard GNU Autoconf scripts.
Example:
withFeature true "shared"
=> "--with-shared"
withFeature false "shared"
=> "--without-shared"
*/
withFeature = with_: feat: "--${if with_ then "with" else "without"}-${feat}";
/* Create an --{with-<feat>=<value>,without-<feat>} string that can be passed to
standard GNU Autoconf scripts.
Example:
with_Feature true "shared" "foo"
=> "--with-shared=foo"
with_Feature false "shared" (throw "ignored")
=> "--without-shared"
*/
withFeatureAs = with_: feat: value: withFeature with_ feat + optionalString with_ "=${value}";
/* Create a fixed width string with additional prefix to match
required width.
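Review bot: The doc comments of the new `enableFeatureAs` and `withFeatureAs` (L211-L237) give examples that call the wrong function: the two examples under `enableFeatureAs` invoke `enableFeature` with three arguments, and the two under `withFeatureAs` invoke `with_Feature`, which does not exist. They should read `enableFeatureAs true "shared" "foo"` / `enableFeatureAs false "shared" (throw "ignored")` and `withFeatureAs true "shared" "foo"` / `withFeatureAs false "shared" (throw "ignored")`. In the first hunk, `makeSearchPath` (L203-L205) now silently drops `null` entries from `packages`; its doc comment, which ends just above the hunk, should mention it, e.g. `null entries in packages are skipped`.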


@ -29,6 +29,7 @@ rec {
/**/ if final.isDarwin then "libSystem"
else if final.isMinGW then "msvcrt"
else if final.isMusl then "musl"
else if final.isUClibc then "uclibc"
else if final.isAndroid then "bionic"
else if final.isLinux /* default */ then "glibc"
# TODO(@Ericson2314) think more about other operating systems
@ -49,5 +50,12 @@ rec {
} // mapAttrs (n: v: v final.parsed) inspect.predicates
// args;
in assert final.useAndroidPrebuilt -> final.isAndroid;
assert lib.foldl
(pass: { assertion, message }:
if assertion final
then pass
else throw message)
true
(final.parsed.abi.assertions or []);
final;
}


@ -11,36 +11,41 @@ rec {
sheevaplug = rec {
config = "armv5tel-unknown-linux-gnueabi";
arch = "armv5tel";
float = "soft";
platform = platforms.sheevaplug;
};
raspberryPi = rec {
config = "armv6l-unknown-linux-gnueabihf";
arch = "armv6l";
float = "hard";
fpu = "vfp";
platform = platforms.raspberrypi;
};
armv7l-hf-multiplatform = rec {
config = "arm-unknown-linux-gnueabihf";
arch = "armv7-a";
float = "hard";
fpu = "vfpv3-d16";
config = "armv7a-unknown-linux-gnueabihf";
platform = platforms.armv7l-hf-multiplatform;
};
aarch64-multiplatform = rec {
config = "aarch64-unknown-linux-gnu";
arch = "aarch64";
platform = platforms.aarch64-multiplatform;
};
armv5te-android-prebuilt = rec {
config = "armv5tel-unknown-linux-androideabi";
sdkVer = "21";
platform = platforms.armv5te-android;
useAndroidPrebuilt = true;
};
armv7a-android-prebuilt = rec {
config = "armv7a-unknown-linux-androideabi";
sdkVer = "21";
platform = platforms.armv7a-android;
useAndroidPrebuilt = true;
};
aarch64-android-prebuilt = rec {
config = "aarch64-unknown-linux-android";
arch = "aarch64";
sdkVer = "24";
platform = platforms.aarch64-multiplatform;
useAndroidPrebuilt = true;
};
@ -51,16 +56,17 @@ rec {
};
pogoplug4 = rec {
arch = "armv5tel";
config = "armv5tel-unknown-linux-gnueabi";
float = "soft";
platform = platforms.pogoplug4;
};
ben-nanonote = rec {
config = "mipsel-unknown-linux-uclibc";
platform = platforms.ben_nanonote;
};
fuloongminipc = rec {
config = "mipsel-unknown-linux-gnu";
arch = "mips";
float = "hard";
platform = platforms.fuloong2f_n32;
};
@ -128,7 +134,6 @@ rec {
# 32 bit mingw-w64
mingw32 = {
config = "i686-pc-mingw32";
arch = "x86"; # Irrelevant
libc = "msvcrt"; # This distinguishes the mingw (non posix) toolchain
platform = {};
};
@ -137,7 +142,6 @@ rec {
mingwW64 = {
# That's the triplet they use in the mingw-w64 docs.
config = "x86_64-pc-mingw32";
arch = "x86_64"; # Irrelevant
libc = "msvcrt"; # This distinguishes the mingw (non posix) toolchain
platform = {};
};


@ -3,6 +3,9 @@ with import ./parse.nix { inherit lib; };
with lib.attrsets;
with lib.lists;
let abis_ = abis; in
let abis = lib.mapAttrs (_: abi: builtins.removeAttrs abi [ "assertions" ]) abis_; in
rec {
patterns = rec {
isi686 = { cpu = cpuTypes.i686; };
@ -38,6 +41,7 @@ rec {
isAndroid = [ { abi = abis.android; } { abi = abis.androideabi; } ];
isMusl = with abis; map (a: { abi = a; }) [ musl musleabi musleabihf ];
isUClibc = with abis; map (a: { abi = a; }) [ uclibc uclibceabi uclibceabihf ];
isEfi = map (family: { cpu.family = family; })
[ "x86" "arm" "aarch64" ];
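Review bot: L353-L354 rebind `abis` to a copy with `assertions` removed and leave the reason unstated, so a reader seeing the shadowing cannot tell whether dropping that attribute is safe. Presumably the patterns below (`isAndroid` at L359, `isMusl` at L360, `isUClibc` at L361) are compared structurally against a parsed platform, and an abi still carrying its assertion functions would never compare equal; that is inferred from the parse.nix hunk of this commit rather than from this file. A comment such as `# Patterns are compared structurally against parsed platforms; strip the "assertions" functions from each abi so an otherwise-equal abi still matches` would make the intent explicit.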


@ -68,20 +68,31 @@ rec {
cpuTypes = with significantBytes; setTypes types.openCpuType {
arm = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv5tel = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7a = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7l = { bits = 32; significantByte = littleEndian; family = "arm"; };
aarch64 = { bits = 64; significantByte = littleEndian; family = "arm"; };
armv5tel = { bits = 32; significantByte = littleEndian; family = "arm"; version = "5"; };
armv6m = { bits = 32; significantByte = littleEndian; family = "arm"; version = "6"; };
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; version = "6"; };
armv7a = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv7r = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv7m = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv7l = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv8a = { bits = 32; significantByte = littleEndian; family = "arm"; version = "8"; };
armv8r = { bits = 32; significantByte = littleEndian; family = "arm"; version = "8"; };
armv8m = { bits = 32; significantByte = littleEndian; family = "arm"; version = "8"; };
aarch64 = { bits = 64; significantByte = littleEndian; family = "arm"; version = "8"; };
i686 = { bits = 32; significantByte = littleEndian; family = "x86"; };
x86_64 = { bits = 64; significantByte = littleEndian; family = "x86"; };
mips = { bits = 32; significantByte = bigEndian; family = "mips"; };
mipsel = { bits = 32; significantByte = littleEndian; family = "mips"; };
mips64 = { bits = 64; significantByte = bigEndian; family = "mips"; };
mips64el = { bits = 64; significantByte = littleEndian; family = "mips"; };
powerpc = { bits = 32; significantByte = bigEndian; family = "power"; };
riscv32 = { bits = 32; significantByte = littleEndian; family = "riscv"; };
riscv64 = { bits = 64; significantByte = littleEndian; family = "riscv"; };
wasm32 = { bits = 32; significantByte = littleEndian; family = "wasm"; };
wasm64 = { bits = 64; significantByte = littleEndian; family = "wasm"; };
};
@ -184,17 +195,40 @@ rec {
types.abi = enum (attrValues abis);
abis = setTypes types.openAbi {
android = {};
cygnus = {};
gnu = {};
msvc = {};
eabi = {};
androideabi = {};
gnueabi = {};
gnueabihf = {};
musleabi = {};
musleabihf = {};
musl = {};
cygnus = {};
msvc = {};
eabi = {};
androideabi = {};
android = {
assertions = [
{ assertion = platform: !platform.isAarch32;
message = ''
The "android" ABI is not for 32-bit ARM. Use "androideabi" instead.
'';
}
];
};
gnueabi = { float = "soft"; };
gnueabihf = { float = "hard"; };
gnu = {
assertions = [
{ assertion = platform: !platform.isAarch32;
message = ''
The "gnu" ABI is ambiguous on 32-bit ARM. Use "gnueabi" or "gnueabihf" instead.
'';
}
];
};
musleabi = { float = "soft"; };
musleabihf = { float = "hard"; };
musl = {};
uclibceabihf = { float = "soft"; };
uclibceabi = { float = "hard"; };
uclibc = {};
unknown = {};
};
@ -261,7 +295,12 @@ rec {
kernel = getKernel args.kernel;
abi =
/**/ if args ? abi then getAbi args.abi
else if isLinux parsed then abis.gnu
else if isLinux parsed then
if isAarch32 parsed then
if lib.versionAtLeast (parsed.cpu.version or "0") "6"
then abis.gnueabihf
else abis.gnueabi
else abis.gnu
else if isWindows parsed then abis.gnu
else abis.unknown;
};
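Review bot: `uclibceabihf = { float = "soft"; }` and `uclibceabi = { float = "hard"; }` at L439-L440 are swapped: the `hf` suffix denotes hard float, and the `gnueabi`/`gnueabihf` (L425-L426) and `musleabi`/`musleabihf` (L436-L437) pairs directly above assign soft to the plain `eabi` and hard to `eabihf`. Change them to `uclibceabihf = { float = "hard"; };` and `uclibceabi = { float = "soft"; };`. Since the per-target `float` attributes are removed elsewhere in this commit, the abi's `float` appears to be the only remaining source of that setting, so a uclibc hard-float target would otherwise be configured as soft float and vice versa.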


@ -20,12 +20,15 @@ rec {
kernelAutoModules = false;
};
##
## ARM
##
pogoplug4 = {
name = "pogoplug4";
gcc = {
arch = "armv5te";
float = "soft";
};
kernelMajor = "2.6";
@ -158,7 +161,6 @@ rec {
kernelDTB = true; # Beyond 3.10
gcc = {
arch = "armv5te";
float = "soft";
};
};
@ -243,7 +245,6 @@ rec {
gcc = {
arch = "armv6";
fpu = "vfp";
float = "hard";
# TODO(@Ericson2314) what is this and is it a good idea? It was
# used in some cross compilation examples but not others.
#
@ -336,7 +337,6 @@ rec {
gcc = {
cpu = "cortex-a9";
fpu = "vfpv3";
float = "hard";
};
};
@ -363,7 +363,6 @@ rec {
gcc = {
cpu = "cortex-a9";
fpu = "neon";
float = "hard";
};
};
@ -376,6 +375,128 @@ rec {
kernelBaseConfig = "guruplug_defconfig";
};
beaglebone = armv7l-hf-multiplatform // {
name = "beaglebone";
kernelBaseConfig = "bb.org_defconfig";
kernelAutoModules = false;
kernelExtraConfig = ""; # TBD kernel config
kernelTarget = "zImage";
};
# https://developer.android.com/ndk/guides/abis#armeabi
armv5te-android = {
name = "armeabi";
gcc = {
arch = "armv5te";
float = "soft";
float-abi = "soft";
};
};
# https://developer.android.com/ndk/guides/abis#v7a
armv7a-android = {
name = "armeabi-v7a";
gcc = {
arch = "armv7-a";
float = "hard";
float-abi = "softfp";
fpu = "vfpv3-d16";
};
};
armv7l-hf-multiplatform = {
name = "armv7l-hf-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelTarget = "zImage";
kernelExtraConfig = ''
# Serial port for Raspberry Pi 3. Upstream forgot to add it to the ARMv7 defconfig.
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Fix broken sunxi-sid nvmem driver.
TI_CPTS y
# Hangs ODROID-XU4
ARM_BIG_LITTLE_CPUIDLE n
'';
gcc = {
# Some table about fpu flags:
# http://community.arm.com/servlet/JiveServlet/showImage/38-1981-3827/blogentry-103749-004812900+1365712953_thumb.png
# Cortex-A5: -mfpu=neon-fp16
# Cortex-A7 (rpi2): -mfpu=neon-vfpv4
# Cortex-A8 (beaglebone): -mfpu=neon
# Cortex-A9: -mfpu=neon-fp16
# Cortex-A15: -mfpu=neon-vfpv4
# More about FPU:
# https://wiki.debian.org/ArmHardFloatPort/VfpComparison
# vfpv3-d16 is what Debian uses and seems to be the best compromise: NEON is not supported in e.g. Scaleway or Tegra 2,
# and the above page suggests NEON is only an improvement with hand-written assembly.
arch = "armv7-a";
fpu = "vfpv3-d16";
# For Raspberry Pi the 2 the best would be:
# cpu = "cortex-a7";
# fpu = "neon-vfpv4";
};
};
aarch64-multiplatform = {
name = "aarch64-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "defconfig";
kernelArch = "arm64";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelExtraConfig = ''
# Raspberry Pi 3 stuff. Not needed for kernels >= 4.10.
ARCH_BCM2835 y
BCM2835_MBOX y
BCM2835_WDT y
RASPBERRYPI_FIRMWARE y
RASPBERRYPI_POWER y
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Cavium ThunderX stuff.
PCI_HOST_THUNDER_ECAM y
# Nvidia Tegra stuff.
PCI_TEGRA y
# The default (=y) forces us to have the XHCI firmware available in initrd,
# which our initrd builder can't currently do easily.
USB_XHCI_TEGRA m
'';
kernelTarget = "Image";
gcc = {
arch = "armv8-a";
};
};
##
## MIPS
##
ben_nanonote = {
name = "ben_nanonote";
kernelMajor = "2.6";
kernelArch = "mips";
gcc = {
arch = "mips32";
float = "soft";
};
};
fuloong2f_n32 = {
name = "fuloong2f_n32";
kernelMajor = "2.6";
@ -449,97 +570,14 @@ rec {
kernelTarget = "vmlinux";
gcc = {
arch = "loongson2f";
float = "hard";
abi = "n32";
};
};
beaglebone = armv7l-hf-multiplatform // {
name = "beaglebone";
kernelBaseConfig = "bb.org_defconfig";
kernelAutoModules = false;
kernelExtraConfig = ""; # TBD kernel config
kernelTarget = "zImage";
};
armv7l-hf-multiplatform = {
name = "armv7l-hf-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelTarget = "zImage";
kernelExtraConfig = ''
# Serial port for Raspberry Pi 3. Upstream forgot to add it to the ARMv7 defconfig.
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Fix broken sunxi-sid nvmem driver.
TI_CPTS y
# Hangs ODROID-XU4
ARM_BIG_LITTLE_CPUIDLE n
'';
gcc = {
# Some table about fpu flags:
# http://community.arm.com/servlet/JiveServlet/showImage/38-1981-3827/blogentry-103749-004812900+1365712953_thumb.png
# Cortex-A5: -mfpu=neon-fp16
# Cortex-A7 (rpi2): -mfpu=neon-vfpv4
# Cortex-A8 (beaglebone): -mfpu=neon
# Cortex-A9: -mfpu=neon-fp16
# Cortex-A15: -mfpu=neon-vfpv4
# More about FPU:
# https://wiki.debian.org/ArmHardFloatPort/VfpComparison
# vfpv3-d16 is what Debian uses and seems to be the best compromise: NEON is not supported in e.g. Scaleway or Tegra 2,
# and the above page suggests NEON is only an improvement with hand-written assembly.
arch = "armv7-a";
fpu = "vfpv3-d16";
float = "hard";
# For Raspberry Pi the 2 the best would be:
# cpu = "cortex-a7";
# fpu = "neon-vfpv4";
};
};
aarch64-multiplatform = {
name = "aarch64-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "defconfig";
kernelArch = "arm64";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelExtraConfig = ''
# Raspberry Pi 3 stuff. Not needed for kernels >= 4.10.
ARCH_BCM2835 y
BCM2835_MBOX y
BCM2835_WDT y
RASPBERRYPI_FIRMWARE y
RASPBERRYPI_POWER y
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Cavium ThunderX stuff.
PCI_HOST_THUNDER_ECAM y
# Nvidia Tegra stuff.
PCI_TEGRA y
# The default (=y) forces us to have the XHCI firmware available in initrd,
# which our initrd builder can't currently do easily.
USB_XHCI_TEGRA m
'';
kernelTarget = "Image";
gcc = {
arch = "armv8-a";
};
};
##
## Other
##
riscv-multiplatform = bits: {
name = "riscv-multiplatform";
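Review bot: In `armv7a-android` (L523-L531) `float = "hard"` sits next to `float-abi = "softfp"`, which reads as a contradiction and invites a later "fix"; `float-abi` is also a new gcc key that appears only here and in `armv5te-android` (L519), with nothing saying how it differs from `float`. Presumably `float-abi` is the calling convention (gcc's `-mfloat-abi`) and `float` whether FP instructions are used, which matches what the NDK page linked at L522 documents for armeabi-v7a, but that should be confirmed against how the gcc derivation consumes the two keys. A comment on L527-L528 would settle it, e.g. `# armeabi-v7a: VFP instructions (hard) with the softfp calling convention, per the NDK ABI docs`.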


@ -136,7 +136,18 @@ checkConfigOutput "true" "$@" ./define-module-check.nix
# Check coerced value.
checkConfigOutput "\"42\"" config.value ./declare-coerced-value.nix
checkConfigOutput "\"24\"" config.value ./declare-coerced-value.nix ./define-value-string.nix
checkConfigError 'The option value .* in .* is not.*string or signed integer.*' config.value ./declare-coerced-value.nix ./define-value-list.nix
checkConfigError 'The option value .* in .* is not.*string or signed integer convertible to it' config.value ./declare-coerced-value.nix ./define-value-list.nix
# Check coerced value with unsound coercion
checkConfigOutput "12" config.value ./declare-coerced-value-unsound.nix
checkConfigError 'The option value .* in .* is not.*8 bit signed integer.* or string convertible to it' config.value ./declare-coerced-value-unsound.nix ./define-value-string-bigint.nix
checkConfigError 'unrecognised JSON value' config.value ./declare-coerced-value-unsound.nix ./define-value-string-arbitrary.nix
# Check loaOf with long list.
checkConfigOutput "1 2 3 4 5 6 7 8 9 10" config.result ./loaOf-with-long-list.nix
# Check loaOf with many merges of lists.
checkConfigOutput "1 2 3 4 5 6 7 8 9 10" config.result ./loaOf-with-many-list-merges.nix
cat <<EOF
====== module tests ======


@ -0,0 +1,10 @@
{ lib, ... }:
{
options = {
value = lib.mkOption {
default = "12";
type = lib.types.coercedTo lib.types.str lib.toInt lib.types.ints.s8;
};
};
}


@ -0,0 +1,3 @@
{
value = "foobar";
}


@ -0,0 +1,3 @@
{
value = "1000";
}


@ -0,0 +1,19 @@
{ config, lib, ... }:
{
options = {
loaOfInt = lib.mkOption {
type = lib.types.loaOf lib.types.int;
};
result = lib.mkOption {
type = lib.types.str;
};
};
config = {
loaOfInt = [ 1 2 3 4 5 6 7 8 9 10 ];
result = toString (lib.attrValues config.loaOfInt);
};
}


@ -0,0 +1,19 @@
{ config, lib, ... }:
{
options = {
loaOfInt = lib.mkOption {
type = lib.types.loaOf lib.types.int;
};
result = lib.mkOption {
type = lib.types.str;
};
};
config = {
loaOfInt = lib.mkMerge (map lib.singleton [ 1 2 3 4 5 6 7 8 9 10 ]);
result = toString (lib.attrValues config.loaOfInt);
};
}


@ -256,7 +256,7 @@ rec {
functor = (defaultFunctor name) // { wrapped = elemType; };
};
nonEmptyListOf = elemType:
nonEmptyListOf = elemType:
let list = addCheck (types.listOf elemType) (l: l != []);
in list // { description = "non-empty " + list.description; };
@ -280,15 +280,26 @@ rec {
# List or attribute set of ...
loaOf = elemType:
let
convertIfList = defIdx: def:
convertAllLists = defs:
let
padWidth = stringLength (toString (length defs));
unnamedPrefix = i: "unnamed-" + fixedWidthNumber padWidth i + ".";
in
imap1 (i: convertIfList (unnamedPrefix i)) defs;
convertIfList = unnamedPrefix: def:
if isList def.value then
{ inherit (def) file;
value = listToAttrs (
imap1 (elemIdx: elem:
{ name = elem.name or "unnamed-${toString defIdx}.${toString elemIdx}";
value = elem;
}) def.value);
}
let
padWidth = stringLength (toString (length def.value));
unnamed = i: unnamedPrefix + fixedWidthNumber padWidth i;
in
{ inherit (def) file;
value = listToAttrs (
imap1 (elemIdx: elem:
{ name = elem.name or (unnamed elemIdx);
value = elem;
}) def.value);
}
else
def;
listOnly = listOf elemType;
@ -297,7 +308,7 @@ rec {
name = "loaOf";
description = "list or attribute set of ${elemType.description}s";
check = x: isList x || isAttrs x;
merge = loc: defs: attrOnly.merge loc (imap1 convertIfList defs);
merge = loc: defs: attrOnly.merge loc (convertAllLists defs);
getSubOptions = prefix: elemType.getSubOptions (prefix ++ ["<name?>"]);
getSubModules = elemType.getSubModules;
substSubModules = m: loaOf (elemType.substSubModules m);
@ -361,7 +372,13 @@ rec {
# This is mandatory as some option declaration might use the
# "name" attribute given as argument of the submodule and use it
# as the default of option declarations.
args.name = "&lt;name&gt;";
#
# Using lookalike unicode single angle quotation marks because
# of the docbook transformation the options receive. In all uses
# &gt; and &lt; wouldn't be encoded correctly so the encoded values
# would be used, and use of `<` and `>` would break the XML document.
# It shouldn't cause an issue since this is cosmetic for the manual.
args.name = "name";
}).options;
getSubModules = opts';
substSubModules = m: submodule m;
@ -419,16 +436,13 @@ rec {
assert coercedType.getSubModules == null;
mkOptionType rec {
name = "coercedTo";
description = "${finalType.description} or ${coercedType.description}";
check = x: finalType.check x || coercedType.check x;
description = "${finalType.description} or ${coercedType.description} convertible to it";
check = x: finalType.check x || (coercedType.check x && finalType.check (coerceFunc x));
merge = loc: defs:
let
coerceVal = val:
if finalType.check val then val
else let
coerced = coerceFunc val;
in assert finalType.check coerced; coerced;
else coerceFunc val;
in finalType.merge loc (map (def: def // { value = coerceVal def.value; }) defs);
getSubOptions = finalType.getSubOptions;
getSubModules = finalType.getSubModules;
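Review bot: `check` at L865 now applies `coerceFunc x` to any value that passes `coercedType.check`, so a coercion function that fails on such a value turns a type-check failure into coerceFunc's raw evaluation error instead of the "is not ... convertible to it" message built from the description at L864; the modules.sh hunk in this commit appears to pin exactly that with `checkConfigError 'unrecognised JSON value'` for `lib.toInt` on a non-numeric string. If that is intended, state the contract next to `check`, e.g. `# coerceFunc is evaluated during check; it must not throw on a value accepted by coercedType.check, or the caller sees its raw error rather than a type error`. The removal of the `assert finalType.check coerced` in `merge` (L871-L873) relies on the same `check` having run first, which is worth a one-line comment at `coerceVal`. The `coercedTo = coercedType: coerceFunc: finalType:` definition this hunk edits starts before the hunk.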


@ -43,6 +43,11 @@
github = "ChengCat";
name = "Yucheng Zhang";
};
CrazedProgrammer = {
email = "crazedprogrammer@gmail.com";
github = "CrazedProgrammer";
name = "CrazedProgrammer";
};
CrystalGamma = {
email = "nixos@crystalgamma.de";
github = "CrystalGamma";
@ -676,6 +681,11 @@
github = "bramd";
name = "Bram Duvigneau";
};
brian-dawn = {
email = "brian.t.dawn@gmail.com";
github = "brian-dawn";
name = "Brian Dawn";
};
bstrik = {
email = "dutchman55@gmx.com";
github = "bstrik";
@ -979,9 +989,9 @@
name = "Davor Babic";
};
dbohdan = {
email = "danyil.bohdan@gmail.com";
email = "dbohdan@dbohdan.com";
github = "dbohdan";
name = "Danyil Bohdan";
name = "D. Bohdan";
};
dbrock = {
email = "daniel@brockman.se";
@ -998,6 +1008,11 @@
github = "demin-dmitriy";
name = "Dmitriy Demin";
};
demyanrogozhin = {
email = "demyan.rogozhin@gmail.com";
github = "demyanrogozhin";
name = "Demyan Rogozhin";
};
derchris = {
email = "derchris@me.com";
github = "derchrisuk";
@ -1221,6 +1236,11 @@
github = "ElvishJerricco";
name = "Will Fancher";
};
emmanuelrosa = {
email = "emmanuel_rosa@aol.com";
github = "emmanuelrosa";
name = "Emmanuel Rosa";
};
endgame = {
email = "jack@jackkelly.name";
github = "endgame";
@ -1468,6 +1488,11 @@
github = "georgewhewell";
name = "George Whewell";
};
gerschtli = {
email = "tobias.happ@gmx.de";
github = "Gerschtli";
name = "Tobias Happ";
};
gilligan = {
email = "tobias.pflug@gmail.com";
github = "gilligan";
@ -1740,6 +1765,11 @@
github = "jdagilliland";
name = "Jason Gilliland";
};
jD91mZM2 = {
email = "me@krake.one";
github = "jD91mZM2";
name = "jD91mZM2";
};
jefdaj = {
email = "jefdaj@gmail.com";
github = "jefdaj";
@ -1815,6 +1845,11 @@
github = "joamaki";
name = "Jussi Maki";
};
joelburget = {
email = "joelburget@gmail.com";
github = "joelburget";
name = "Joel Burget";
};
joelmo = {
email = "joel.moberg@gmail.com";
github = "joelmo";
@ -1967,6 +2002,11 @@
github = "kini";
name = "Keshav Kini";
};
kirelagin = {
email = "kirelagin@gmail.com";
github = "kirelagin";
name = "Kirill Elagin";
};
kkallio = {
email = "tierpluspluslists@gmail.com";
name = "Karn Kallio";
@ -2011,6 +2051,11 @@
github = "kristoff3r";
name = "Kristoffer Søholm";
};
ktf = {
email = "giulio.eulisse@cern.ch";
github = "ktf";
name = "Giuluo Eulisse";
};
ktosiek = {
email = "tomasz.kontusz@gmail.com";
github = "ktosiek";
@ -2358,6 +2403,11 @@
github = "meditans";
name = "Carlo Nucera";
};
megheaiulian = {
email = "iulian.meghea@gmail.com";
github = "megheaiulian";
name = "Meghea Iulian";
};
mehandes = {
email = "niewskici@gmail.com";
github = "mehandes";
@ -2471,6 +2521,16 @@
github = "mmahut";
name = "Marek Mahut";
};
mmlb = {
email = "me.mmlb@mmlb.me";
github = "mmlb";
name = "Manuel Mendez";
};
mnacamura = {
email = "m.nacamura@gmail.com";
github = "mnacamura";
name = "Mitsuhiro Nakamura";
};
moaxcp = {
email = "moaxcp@gmail.com";
github = "moaxcp";
@ -3006,6 +3066,11 @@
email = "philipp@xndr.de";
name = "Philipp Steinpaß";
};
psyanticy = {
email = "iuns@outlook.fr";
github = "Assassinkin";
name = "Psyanticy";
};
puffnfresh = {
email = "brian@brianmckenna.org";
github = "puffnfresh";
@ -3139,6 +3204,11 @@
github = "rittelle";
name = "Lennart Rittel";
};
rkoe = {
email = "rk@simple-is-better.org";
github = "rkoe";
name = "Roland Koebler";
};
rlupton20 = {
email = "richard.lupton@gmail.com";
github = "rlupton20";
@ -3219,6 +3289,11 @@
github = "rushmorem";
name = "Rushmore Mushambi";
};
ruuda = {
email = "dev+nix@veniogames.com";
github = "ruuda";
name = "Ruud van Asseldonk";
};
rvl = {
email = "dev+nix@rodney.id.au";
github = "rvl";
@ -3731,6 +3806,11 @@
github = "titanous";
name = "Jonathan Rudenberg";
};
tmplt = {
email = "tmplt@dragons.rocks";
github = "tmplt";
name = "Viktor";
};
tnias = {
email = "phil@grmr.de";
github = "tnias";
@ -3825,6 +3905,11 @@
github = "typetetris";
name = "Eric Wolf";
};
udono = {
email = "udono@virtual-things.biz";
github = "udono";
name = "Udo Spallek";
};
unode = {
email = "alves.rjc@gmail.com";
github = "unode";


@ -50,9 +50,9 @@ nixpkgs.config.packageOverrides = pkgs:
<xref linkend="opt-boot.kernelModules"/> = [ "fuse" "kvm-intel" "coretemp" ];
</programlisting>
If the module is required early during the boot (e.g. to mount the root file
system), you can use <xref linkend="opt-boot.initrd.extraKernelModules"/>:
system), you can use <xref linkend="opt-boot.initrd.kernelModules"/>:
<programlisting>
<xref linkend="opt-boot.initrd.extraKernelModules"/> = [ "cifs" ];
<xref linkend="opt-boot.initrd.kernelModules"/> = [ "cifs" ];
</programlisting>
This causes the specified modules and their dependencies to be added to the
initial ramdisk.


@ -21,6 +21,15 @@
</para>
<variablelist>
<varlistentry>
<term><varname>types.attrs</varname>
</term>
<listitem>
<para>
A free-form attribute set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>types.bool</varname>
</term>


@ -70,7 +70,7 @@
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">
Bump the <literal>system.defaultChannel</literal> attribute in
Bump the <literal>system.nixos.defaultChannel</literal> attribute in
<literal>nixos/modules/misc/version.nix</literal> </link>
</para>
</listitem>

@ -47,7 +47,7 @@
Short version:
</para>
<screen>
$ bash &lt;(curl https://nixos.org/nix/install)
$ curl https://nixos.org/nix/install | sh
$ . $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell</screen>
<para>
More details in the

@ -433,9 +433,9 @@ system.autoUpgrade.enable = true;
default. If you have existing systems with such host keys and want to
continue to use them, please set
<programlisting>
system.stateVersion = "14.12";
system.nixos.stateVersion = "14.12";
</programlisting>
The new option <option>system.stateVersion</option> ensures that certain
The new option <option>system.nixos.stateVersion</option> ensures that certain
configuration changes that could break existing systems (such as the
<command>sshd</command> host key setting) will maintain compatibility with
the specified NixOS release. NixOps sets the state version of existing

@ -53,7 +53,10 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
<itemizedlist>
<listitem>
<para></para>
<para>When enabled the <literal>iproute2</literal> will copy the files
expected by ip route (e.g., <filename>rt_tables</filename>) in
<filename>/run/iproute2</filename>. This allows to write aliases for
routing tables for instance.</para>
</listitem>
</itemizedlist>
</section>
@ -101,6 +104,17 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the <varname>docker/distribution</varname> docs</link>.
</para>
</listitem>
<listitem>
<para>
<literal>gnucash</literal> has changed from version 2.4 to 3.x.
If you've been using <literal>gnucash</literal> (version 2.4) instead of
<literal>gnucash26</literal> (version 2.6) you must open your Gnucash
data file(s) with <literal>gnucash26</literal> and then save them to
upgrade the file format. Then you may use your data file(s) with
Gnucash 3.x. See the upgrade <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
Gnucash 2.4 is still available under the attribute <literal>gnucash24</literal>.
</para>
</listitem>
</itemizedlist>
</section>
@ -169,6 +183,64 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
for further reference.
</para>
</listitem>
<listitem>
<para>
The module for <option>security.dhparams</option> has two new options now:
</para>
<variablelist>
<varlistentry>
<term><option>security.dhparams.stateless</option></term>
<listitem><para>
Puts the generated Diffie-Hellman parameters into the Nix store instead
of managing them in a stateful manner in
<filename class="directory">/var/lib/dhparams</filename>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>security.dhparams.defaultBitSize</option></term>
<listitem><para>
The default bit size to use for the generated Diffie-Hellman parameters.
</para></listitem>
</varlistentry>
</variablelist>
<note><para>
The path to the actual generated parameter files should now be queried
using
<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
because it might be either in the Nix store or in a directory configured
by <option>security.dhparams.path</option>.
</para></note>
<note>
<title>For developers:</title>
<para>
Module implementers should not set a specific bit size in order to let
users configure it by themselves if they want to have a different bit
size than the default (2048).
</para>
<para>
An example usage of this would be:
<programlisting>
{ config, ... }:
{
security.dhparams.params.myservice = {};
environment.etc."myservice.conf".text = ''
dhparams = ${config.security.dhparams.params.myservice.path}
'';
}
</programlisting>
</para>
</note>
</listitem>
<listitem>
<para>
<literal>networking.networkmanager.useDnsmasq</literal> has been deprecated. Use
<literal>networking.networkmanager.dns</literal> instead.
</para>
</listitem>
</itemizedlist>
</section>
</section>

@ -14,7 +14,7 @@ in
pkgs.stdenv.mkDerivation {
name = "ext4-fs.img";
nativeBuildInputs = with pkgs; [e2fsprogs libfaketime perl];
nativeBuildInputs = with pkgs; [e2fsprogs.bin libfaketime perl];
buildCommand =
''
@ -83,5 +83,12 @@ pkgs.stdenv.mkDerivation {
echo "--- Failed to create EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks) ---"
return 1
fi
# I have ended up with corrupted images sometimes, I suspect that happens when the build machine's disk gets full during the build.
if ! fsck.ext4 -n -f $out; then
echo "--- Fsck failed for EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks) ---"
cat errorlog
return 1
fi
'';
}
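Review bot: `cat errorlog` in the new fsck branch prints a log file that the `fsck.ext4 -n -f $out` invocation never writes to, so on a corrupted image the fsck diagnostics go only to build stdout while the log shows whatever an earlier step (outside this hunk) left there. Capturing them keeps the failure output together, e.g. `if ! fsck.ext4 -n -f "$out" >> errorlog 2>&1; then`; quoting `$out` is also consistent with the quoted variables elsewhere in the script. The enclosing buildCommand starts outside the hunk.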

@ -8,6 +8,11 @@ in {
imports = [ ../../../modules/virtualisation/amazon-image.nix ];
# Required to provide good EBS experience,
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
# TODO change value to 4294967295 when kernel is updated to 4.15 or later
config.boot.kernelParams = [ "nvme_core.io_timeout=255" ];
options.amazonImage = {
name = mkOption {
type = types.str;

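--- /dev/null
+++ b/nixos/modules/config/iproute2.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.networking.iproute2;
+confDir = "/run/iproute2";
+in
+{
+options.networking.iproute2.enable = mkEnableOption "copy IP route configuration files";
+config = mkMerge [
+({ nixpkgs.config.iproute2.confDir = confDir; })
+(mkIf cfg.enable {
+system.activationScripts.iproute2 = ''
+cp -R ${pkgs.iproute}/etc/iproute2 ${confDir}
+chmod -R 664 ${confDir}
+chmod +x ${confDir}
+'';
+})
+];
+}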
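Review bot: `cp -R ${pkgs.iproute}/etc/iproute2 ${confDir}` copies into a nested `${confDir}/iproute2` on every activation after the first, because confDir already exists by then and the script neither removes nor pre-creates it; stale files from a previous iproute package are also never pruned. `chmod -R 664` followed by `chmod +x` on the top directory leaves the copied files group-writable and any subdirectory non-traversable. A body of `mkdir -p ${confDir}`, `cp -RT ${pkgs.iproute}/etc/iproute2 ${confDir}` and `chmod -R u=rwX,go=rX ${confDir}` gives an idempotent copy with read-only, traversable contents. It would also help to comment why the copy is needed at all, since the option description only says the files are copied.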

@ -31,4 +31,6 @@ with lib;
# Allow the user to log in as root without a password.
users.extraUsers.root.initialHashedPassword = "";
system.nixos.stateVersion = mkDefault "18.03";
}

@ -1,6 +1,6 @@
{
x86_64-linux = "/nix/store/2gk7rk2sx2dkmsjr59gignrfdmya8f6s-nix-2.0.1";
i686-linux = "/nix/store/5160glkphiv13qggnivyidg8r0491pbl-nix-2.0.1";
aarch64-linux = "/nix/store/jk29zz3ns9vdkkclcyzzkpzp8dhv1x3i-nix-2.0.1";
x86_64-darwin = "/nix/store/4a9czmrpd4hf3r80zcmga2c2lm3hbbvv-nix-2.0.1";
x86_64-linux = "/nix/store/z6avpvg24f6d1br2sr6qlphsq3h4d91v-nix-2.0.2";
i686-linux = "/nix/store/cdqjyb9srhwkc4gqbknnap7y31lws4yq-nix-2.0.2";
aarch64-linux = "/nix/store/fbgaa3fb2am30klwv4lls44njwqh487a-nix-2.0.2";
x86_64-darwin = "/nix/store/hs8mxsvdhm95dxgx943d74fws01j2zj3-nix-2.0.2";
}

@ -628,7 +628,7 @@ $bootLoaderConfig
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
system.nixos.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
}
EOF

@ -76,7 +76,7 @@ in
];
system.build = {
inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild nixos-enter;
inherit nixos-install nixos-generate-config nixos-option nixos-rebuild nixos-enter;
};
};

@ -21,4 +21,5 @@ with lib;
services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ];
powerManagement.enable = false;
system.nixos.stateVersion = mkDefault "18.03";
}

@ -75,20 +75,20 @@ let cfg = config.documentation; in
(mkIf cfg.man.enable {
environment.systemPackages = [ pkgs.man-db ];
environment.pathsToLink = [ "/share/man" ];
environment.extraOutputsToInstall = [ "man" ] ++ optional cfg.dev.enable [ "devman" ];
environment.extraOutputsToInstall = [ "man" ] ++ optional cfg.dev.enable "devman";
})
(mkIf cfg.info.enable {
environment.systemPackages = [ pkgs.texinfoInteractive ];
environment.pathsToLink = [ "/share/info" ];
environment.extraOutputsToInstall = [ "info" ] ++ optional cfg.dev.enable [ "devinfo" ];
environment.extraOutputsToInstall = [ "info" ] ++ optional cfg.dev.enable "devinfo";
})
(mkIf cfg.doc.enable {
# TODO(@oxij): put it here and remove from profiles?
# environment.systemPackages = [ pkgs.w3m ]; # w3m-nox?
environment.pathsToLink = [ "/share/doc" ];
environment.extraOutputsToInstall = [ "doc" ] ++ optional cfg.dev.enable [ "devdoc" ];
environment.extraOutputsToInstall = [ "doc" ] ++ optional cfg.dev.enable "devdoc";
})
]);

@ -190,7 +190,7 @@
cadvisor = 167;
nylon = 168;
apache-kafka = 169;
panamax = 170;
#panamax = 170; # unused
exim = 172;
#fleet = 173; # unused
#input = 174; # unused
@ -306,6 +306,7 @@
ceph = 288;
duplicati = 289;
monetdb = 290;
restic = 291;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -473,9 +474,9 @@
#chronos = 164; # unused
gitlab = 165;
nylon = 168;
panamax = 170;
#panamax = 170; # unused
exim = 172;
fleet = 173;
#fleet = 173; # unused
input = 174;
sddm = 175;
tss = 176;
@ -580,6 +581,7 @@
ceph = 288;
duplicati = 289;
monetdb = 290;
restic = 291;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ options, config, lib, pkgs, ... }:
with lib;
@ -12,29 +12,29 @@ in
{
options.system = {
options.system.nixos = {
nixos.version = mkOption {
version = mkOption {
internal = true;
type = types.str;
description = "The full NixOS version (e.g. <literal>16.03.1160.f2d4ee1</literal>).";
};
nixos.release = mkOption {
release = mkOption {
readOnly = true;
type = types.str;
default = trivial.release;
description = "The NixOS release (e.g. <literal>16.03</literal>).";
};
nixos.versionSuffix = mkOption {
versionSuffix = mkOption {
internal = true;
type = types.str;
default = trivial.versionSuffix;
description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>).";
};
nixos.revision = mkOption {
revision = mkOption {
internal = true;
type = types.str;
default = if pathIsDirectory gitRepo then commitIdFromGitRepo gitRepo
@ -43,7 +43,7 @@ in
description = "The Git revision from which this NixOS configuration was built.";
};
nixos.codeName = mkOption {
codeName = mkOption {
readOnly = true;
type = types.str;
description = "The NixOS release code name (e.g. <literal>Emu</literal>).";
@ -76,6 +76,9 @@ in
config = {
warnings = lib.optional (options.system.nixos.stateVersion.highestPrio > 1000)
"You don't have `system.nixos.stateVersion` explicitly set. Expect things to break.";
system.nixos = {
# These defaults are set here rather than up there so that
# changing them would not rebuild the manual

@ -9,6 +9,7 @@
./config/fonts/ghostscript.nix
./config/gnu.nix
./config/i18n.nix
./config/iproute2.nix
./config/krb5/default.nix
./config/ldap.nix
./config/networking.nix
@ -101,6 +102,7 @@
./programs/qt5ct.nix
./programs/rootston.nix
./programs/screen.nix
./programs/sedutil.nix
./programs/slock.nix
./programs/shadow.nix
./programs/shell.nix
@ -120,6 +122,7 @@
./programs/wireshark.nix
./programs/xfs_quota.nix
./programs/xonsh.nix
./programs/xss-lock.nix
./programs/yabar.nix
./programs/zsh/oh-my-zsh.nix
./programs/zsh/zsh.nix
@ -167,14 +170,13 @@
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/restic.nix
./services/backup/restic-rest-server.nix
./services/backup/rsnapshot.nix
./services/backup/tarsnap.nix
./services/backup/znapzend.nix
./services/cluster/fleet.nix
./services/cluster/kubernetes/default.nix
./services/cluster/kubernetes/dns.nix
./services/cluster/kubernetes/dashboard.nix
./services/cluster/panamax.nix
./services/computing/boinc/client.nix
./services/computing/torque/server.nix
./services/computing/torque/mom.nix
@ -215,6 +217,7 @@
./services/desktops/accountsservice.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/at-spi2-core.nix
@ -381,6 +384,7 @@
./services/misc/sundtek.nix
./services/misc/svnserve.nix
./services/misc/synergy.nix
./services/misc/sysprof.nix
./services/misc/taskserver
./services/misc/tzupdate.nix
./services/misc/uhub.nix
@ -514,6 +518,7 @@
./services/networking/murmur.nix
./services/networking/namecoind.nix
./services/networking/nat.nix
./services/networking/ndppd.nix
./services/networking/networkmanager.nix
./services/networking/nftables.nix
./services/networking/ngircd.nix
@ -566,6 +571,7 @@
./services/networking/strongswan.nix
./services/networking/strongswan-swanctl/module.nix
./services/networking/stunnel.nix
./services/networking/stubby.nix
./services/networking/supplicant.nix
./services/networking/supybot.nix
./services/networking/syncthing.nix
@ -649,6 +655,7 @@
./services/web-apps/tt-rss.nix
./services/web-apps/selfoss.nix
./services/web-apps/quassel-webserver.nix
./services/web-apps/youtrack.nix
./services/web-servers/apache-httpd/default.nix
./services/web-servers/caddy.nix
./services/web-servers/fcgiwrap.nix
@ -780,6 +787,7 @@
./virtualisation/hyperv-guest.nix
./virtualisation/openvswitch.nix
./virtualisation/parallels-guest.nix
./virtualisation/qemu-guest-agent.nix
./virtualisation/rkt.nix
./virtualisation/virtualbox-guest.nix
./virtualisation/virtualbox-host.nix

@ -17,6 +17,7 @@
pkgs.ddrescue
pkgs.ccrypt
pkgs.cryptsetup # needed for dm-crypt volumes
pkgs.mkpasswd # for generating password files
# Some networking tools.
pkgs.fuse

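--- /dev/null
+++ b/nixos/modules/programs/sedutil.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.programs.sedutil;
+in {
+options.programs.sedutil.enable = mkEnableOption "sedutil";
+config = mkIf cfg.enable {
+boot.kernelParams = [
+"libata.allow_tpm=1"
+];
+environment.systemPackages = with pkgs; [ sedutil ];
+};
+}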
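Review bot: The kernel parameter `libata.allow_tpm=1` is added without a comment saying why the module needs it, and it is the only non-obvious thing this file does. A line such as `# sedutil manages self-encrypting drives via ATA TRUSTED SEND/RECEIVE; libata rejects those commands unless allow_tpm is set` (my understanding of the parameter — worth confirming against the kernel docs) would spare the next reader the lookup. The option description could likewise say that enabling it changes a system-wide kernel parameter, not just installs the package.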

@ -40,7 +40,7 @@ in
# Subscribe the root user to the NixOS channel by default.
if [ "$USER" = root -a ! -e $HOME/.nix-channels ]; then
echo "${config.system.defaultChannel} nixos" > $HOME/.nix-channels
echo "${config.system.nixos.defaultChannel} nixos" > $HOME/.nix-channels
fi
# Create the per-user garbage collector roots directory.

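--- /dev/null
+++ b/nixos/modules/programs/xss-lock.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+cfg = config.programs.xss-lock;
+in
+{
+options.programs.xss-lock = {
+enable = mkEnableOption "xss-lock";
+lockerCommand = mkOption {
+example = "xlock";
+type = types.string;
+description = "Locker to be used with xsslock";
+};
+};
+config = mkIf cfg.enable {
+systemd.user.services.xss-lock = {
+description = "XSS Lock Daemon";
+wantedBy = [ "graphical-session.target" ];
+partOf = [ "graphical-session.target" ];
+serviceConfig.ExecStart = "${pkgs.xss-lock}/bin/xss-lock ${cfg.lockerCommand}";
+};
+};
+}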
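Review bot: `type = types.string` on lockerCommand should be `type = types.str;` — `types.string` is the deprecated concatenating type, so two modules each defining lockerCommand would (as far as I recall the 18.03 lib) merge into one garbled command line instead of raising a conflict error. The description also misspells the program; `description = "Locker command line to run via xss-lock";` is clearer, and since the value is spliced verbatim into ExecStart it is worth stating that systemd, not a shell, parses it. The option has no default, so enabling the module without setting lockerCommand fails at evaluation; that is fine but deserves a sentence in the description.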

@ -17,6 +17,7 @@ with lib;
(mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ])
(mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
@ -203,6 +204,8 @@ with lib;
(mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ])
(mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ])
(mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ])
(mkRenamedOptionModule [ "system" "stateVersion" ] [ "system" "nixos" "stateVersion" ])
(mkRenamedOptionModule [ "system" "defaultChannel" ] [ "system" "nixos" "defaultChannel" ])
# Users
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])

@ -257,7 +257,7 @@ in
if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
${if data.activationDelay != null then ''
${data.preDelay}
if [ -d '${lpath}' ]; then
@ -266,6 +266,10 @@ in
systemctl --wait start acme-setlive-${cert}.service
fi
'' else data.postRun}
# noop ensuring that the "if" block is non-empty even if
# activationDelay == null and postRun == ""
true
fi
'';
@ -294,7 +298,7 @@ in
chown '${data.user}:${data.group}' '${cpath}'
fi
'';
script =
script =
''
workdir="$(mktemp -d)"

@ -1,107 +1,173 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (lib) mkOption types;
cfg = config.security.dhparams;
in
{
bitType = types.addCheck types.int (b: b >= 16) // {
name = "bits";
description = "integer of at least 16 bits";
};
paramsSubmodule = { name, config, ... }: {
options.bits = mkOption {
type = bitType;
default = cfg.defaultBitSize;
description = ''
The bit size for the prime that is used during a Diffie-Hellman
key exchange.
'';
};
options.path = mkOption {
type = types.path;
readOnly = true;
description = ''
The resulting path of the generated Diffie-Hellman parameters
file for other services to reference. This could be either a
store path or a file inside the directory specified by
<option>security.dhparams.path</option>.
'';
};
config.path = let
generated = pkgs.runCommand "dhparams-${name}.pem" {
nativeBuildInputs = [ pkgs.openssl ];
} "openssl dhparam -out \"$out\" ${toString config.bits}";
in if cfg.stateful then "${cfg.path}/${name}.pem" else generated;
};
in {
options = {
security.dhparams = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to generate new DH params and clean up old DH params.
'';
};
params = mkOption {
description =
''
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The
generated DH params path can be found in
<filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>.
Note: The name of the DH params is taken as being the name of the
service it serves: the params will be generated before the said
service is started.
Warning: If you are removing all dhparams from this list, you have
to leave security.dhparams.enable for at least one activation in
order to have them be cleaned up. This also means if you rollback to
a version without any dhparams the existing ones won't be cleaned
up.
'';
type = with types; attrsOf int;
type = with types; let
coerce = bits: { inherit bits; };
in attrsOf (coercedTo int coerce (submodule paramsSubmodule));
default = {};
example = { nginx = 3072; };
example = lib.literalExample "{ nginx.bits = 3072; }";
description = ''
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The
generated DH params path can be found in
<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>.
<note><para>The name of the DH params is taken as being the name of
the service it serves and the params will be generated before the
said service is started.</para></note>
<warning><para>If you are removing all dhparams from this list, you
have to leave <option>security.dhparams.enable</option> for at
least one activation in order to have them be cleaned up. This also
means if you rollback to a version without any dhparams the
existing ones won't be cleaned up. Of course this only applies if
<option>security.dhparams.stateful</option> is
<literal>true</literal>.</para></warning>
<note><title>For module implementers:</title><para>It's recommended
to not set a specific bit size here, so that users can easily
override this by setting
<option>security.dhparams.defaultBitSize</option>.</para></note>
'';
};
stateful = mkOption {
type = types.bool;
default = true;
description = ''
Whether generation of Diffie-Hellman parameters should be stateful or
not. If this is enabled, PEM-encoded files for Diffie-Hellman
parameters are placed in the directory specified by
<option>security.dhparams.path</option>. Otherwise the files are
created within the Nix store.
<note><para>If this is <literal>false</literal> the resulting store
path will be non-deterministic and will be rebuilt every time the
<package>openssl</package> package changes.</para></note>
'';
};
defaultBitSize = mkOption {
type = bitType;
default = 2048;
description = ''
This allows to override the default bit size for all of the
Diffie-Hellman parameters set in
<option>security.dhparams.params</option>.
'';
};
path = mkOption {
description =
''
Path to the directory in which Diffie-Hellman parameters will be
stored.
'';
type = types.str;
default = "/var/lib/dhparams";
};
enable = mkOption {
description =
''
Whether to generate new DH params and clean up old DH params.
'';
default = false;
type = types.bool;
description = ''
Path to the directory in which Diffie-Hellman parameters will be
stored. This only is relevant if
<option>security.dhparams.stateful</option> is
<literal>true</literal>.
'';
};
};
};
config = mkIf cfg.enable {
config = lib.mkIf (cfg.enable && cfg.stateful) {
systemd.services = {
dhparams-init = {
description = "Cleanup old Diffie-Hellman parameters";
wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
serviceConfig.Type = "oneshot";
script =
# Create directory
''
if [ ! -d ${cfg.path} ]; then
mkdir -p ${cfg.path}
fi
'' +
# Remove old dhparams
''
for file in ${cfg.path}/*; do
if [ ! -f "$file" ]; then
continue
fi
'' + concatStrings (mapAttrsToList (name: value:
''
if [ "$file" == "${cfg.path}/${name}.pem" ] && \
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
continue
fi
''
) cfg.params) +
''
rm $file
done
description = "Clean Up Old Diffie-Hellman Parameters";
# TODO: Ideally this would be removing the *former* cfg.path, though this
# does not seem really important as changes to it are quite unlikely
rmdir --ignore-fail-on-non-empty ${cfg.path}
'';
};
} //
mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
after = [ "dhparams-init.service" ];
before = [ "${name}.service" ];
# Clean up even when no DH params is set
wantedBy = [ "multi-user.target" ];
serviceConfig.RemainAfterExit = true;
serviceConfig.Type = "oneshot";
script =
''
script = ''
if [ ! -d ${cfg.path} ]; then
mkdir -p ${cfg.path}
if [ ! -f ${cfg.path}/${name}.pem ]; then
${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
fi
# Remove old dhparams
for file in ${cfg.path}/*; do
if [ ! -f "$file" ]; then
continue
fi
'';
}) cfg.params;
${lib.concatStrings (lib.mapAttrsToList (name: { bits, path, ... }: ''
if [ "$file" = ${lib.escapeShellArg path} ] && \
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text \
| head -n 1 | grep "(${toString bits} bit)" > /dev/null; then
continue
fi
'') cfg.params)}
rm $file
done
# TODO: Ideally this would be removing the *former* cfg.path, though
# this does not seem really important as changes to it are quite
# unlikely
rmdir --ignore-fail-on-non-empty ${cfg.path}
'';
};
} // lib.mapAttrs' (name: { bits, path, ... }: lib.nameValuePair "dhparams-gen-${name}" {
description = "Generate Diffie-Hellman Parameters for ${name}";
after = [ "dhparams-init.service" ];
before = [ "${name}.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig.ConditionPathExists = "!${path}";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p ${lib.escapeShellArg cfg.path}
${pkgs.openssl}/bin/openssl dhparam -out ${lib.escapeShellArg path} \
${toString bits}
'';
}) cfg.params;
};
}
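Review bot: In the rewritten dhparams-init script, `for file in ${cfg.path}/*` and `rm $file` interpolate cfg.path and expand `$file` unquoted, while the comparison right above uses `lib.escapeShellArg path` and the gen service wraps cfg.path in `lib.escapeShellArg`; a directory name containing whitespace or glob characters is therefore mishandled by the cleanup loop alone. Changing those lines to `for file in ${lib.escapeShellArg cfg.path}/*; do` and `rm -- "$file"` (and escaping the `rmdir` argument the same way) makes the quoting consistent. The description of `params` could also state what the loop implements: a file whose bit size no longer matches is deleted by dhparams-init and regenerated by dhparams-gen-<name>, so changing `bits` costs a new parameter generation at the next boot.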

@ -449,6 +449,10 @@ in
<varname>item</varname>, and <varname>value</varname>
attribute. The syntax and semantics of these attributes
must be that described in the limits.conf(5) man page.
Note that these limits do not apply to systemd services,
whose limits can be changed via <option>systemd.extraConfig</option>
instead.
'';
};

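--- /dev/null
+++ b/nixos/modules/services/backup/restic-rest-server.nix
@@ -0,0 +1,107 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.restic.server;
+in
+{
+meta.maintainers = [ maintainers.bachp ];
+options.services.restic.server = {
+enable = mkEnableOption "Restic REST Server";
+listenAddress = mkOption {
+default = ":8000";
+example = "127.0.0.1:8080";
+type = types.str;
+description = "Listen on a specific IP address and port.";
+};
+dataDir = mkOption {
+default = "/var/lib/restic";
+type = types.path;
+description = "The directory for storing the restic repository.";
+};
+appendOnly = mkOption {
+default = false;
+type = types.bool;
+description = ''
+Enable append only mode.
+This mode allows creation of new backups but prevents deletion and modification of existing backups.
+This can be useful when backing up systems that have a potential of being hacked.
+'';
+};
+privateRepos = mkOption {
+default = false;
+type = types.bool;
+description = ''
+Enable private repos.
+Grants access only when a subdirectory with the same name as the user is specified in the repository URL.
+'';
+};
+prometheus = mkOption {
+default = false;
+type = types.bool;
+description = "Enable Prometheus metrics at /metrics.";
+};
+extraFlags = mkOption {
+type = types.listOf types.str;
+default = [];
+description = ''
+Extra commandline options to pass to Restic REST server.
+'';
+};
+package = mkOption {
+default = pkgs.restic-rest-server;
+defaultText = "pkgs.restic-rest-server";
+type = types.package;
+description = "Restic REST server package to use.";
+};
+};
+config = mkIf cfg.enable {
+systemd.services.restic-rest-server = {
+description = "Restic REST Server";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+ExecStart = ''
+${cfg.package}/bin/rest-server \
+--listen ${cfg.listenAddress} \
+--path ${cfg.dataDir} \
+${optionalString cfg.appendOnly "--append-only"} \
+${optionalString cfg.privateRepos "--private-repos"} \
+${optionalString cfg.prometheus "--prometheus"} \
+${escapeShellArgs cfg.extraFlags} \
+'';
+Type = "simple";
+User = "restic";
+Group = "restic";
+# Security hardening
+ReadWritePaths = [ cfg.dataDir ];
+PrivateTmp = true;
+ProtectSystem = "strict";
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectControlGroups = true;
+PrivateDevices = true;
+};
+};
+users.extraUsers.restic = {
+group = "restic";
+home = cfg.dataDir;
+createHome = true;
+uid = config.ids.uids.restic;
+};
+users.extraGroups.restic.gid = config.ids.uids.restic;
+};
+}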
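Review bot: `users.extraGroups.restic.gid = config.ids.uids.restic` takes the group id from the uid table; the ids.nix hunk in this same commit adds `restic = 291` to both tables, so it should read `users.extraGroups.restic.gid = config.ids.gids.restic;` and only works today because the two numbers coincide. The ExecStart string ends in a backslash-newline after `${escapeShellArgs cfg.extraFlags}`; if the unit generator writes the value as-is, systemd treats that as a line continuation onto whatever key follows, so the final ` \` should go (or the arguments be joined with concatStringsSep). Separately, the default listenAddress `:8000` binds every interface while the description promises "a specific IP address and port", and nothing in the module configures authentication; the description should say the default is all interfaces so users know to narrow it or front it with something that authenticates.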

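--- a/nixos/modules/services/cluster/fleet.nix
+++ /dev/null
@@ -1,150 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib;
-let
-cfg = config.services.fleet;
-in {
-##### Interface
-options.services.fleet = {
-enable = mkOption {
-type = types.bool;
-default = false;
-description = ''
-Whether to enable fleet service.
-'';
-};
-listen = mkOption {
-type = types.listOf types.str;
-default = [ "/var/run/fleet.sock" ];
-example = [ "/var/run/fleet.sock" "127.0.0.1:49153" ];
-description = ''
-Fleet listening addresses.
-'';
-};
-etcdServers = mkOption {
-type = types.listOf types.str;
-default = [ "http://127.0.0.1:2379" ];
-description = ''
-Fleet list of etcd endpoints to use.
-'';
-};
-publicIp = mkOption {
-type = types.nullOr types.str;
-default = "";
-description = ''
-Fleet IP address that should be published with the local Machine's
-state and any socket information. If not set, fleetd will attempt
-to detect the IP it should publish based on the machine's IP
-routing information.
-'';
-};
-etcdCafile = mkOption {
-type = types.nullOr types.path;
-default = null;
-description = ''
-Fleet TLS ca file when SSL certificate authentication is enabled
-in etcd endpoints.
-'';
-};
-etcdKeyfile = mkOption {
-type = types.nullOr types.path;
-default = null;
-description = ''
-Fleet TLS key file when SSL certificate authentication is enabled
-in etcd endpoints.
-'';
-};
-etcdCertfile = mkOption {
-type = types.nullOr types.path;
-default = null;
-description = ''
-Fleet TLS cert file when SSL certificate authentication is enabled
-in etcd endpoints.
-'';
-};
-metadata = mkOption {
-type = types.attrsOf types.str;
-default = {};
-apply = attrs: concatMapStringsSep "," (n: "${n}=${attrs."${n}"}") (attrNames attrs);
-example = literalExample ''
-{
-region = "us-west";
-az = "us-west-1";
-}
-'';
-description = ''
-Key/value pairs that are published with the local to the fleet registry.
-This data can be used directly by a client of fleet to make scheduling decisions.
-'';
-};
-extraConfig = mkOption {
-type = types.attrsOf types.str;
-apply = mapAttrs' (n: v: nameValuePair ("FLEET_" + n) v);
-default = {};
-example = literalExample ''
-{
-VERBOSITY = 1;
-ETCD_REQUEST_TIMEOUT = "2.0";
-AGENT_TTL = "40s";
-}
-'';
-description = ''
-Fleet extra config. See
-<link xlink:href="https://github.com/coreos/fleet/blob/master/Documentation/deployment-and-configuration.md"/>
-for configuration options.
-'';
-};
-};
-##### Implementation
-config = mkIf cfg.enable {
-systemd.services.fleet = {
-description = "Fleet Init System Daemon";
-wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "fleet.socket" "etcd.service" "docker.service" ];
-requires = [ "fleet.socket" ];
-environment = {
-FLEET_ETCD_SERVERS = concatStringsSep "," cfg.etcdServers;
-FLEET_PUBLIC_IP = cfg.publicIp;
-FLEET_ETCD_CAFILE = cfg.etcdCafile;
-FLEET_ETCD_KEYFILE = cfg.etcdKeyfile;
-FLEET_ETCD_CERTFILE = cfg.etcdCertfile;
-FLEET_METADATA = cfg.metadata;
-} // cfg.extraConfig;
-serviceConfig = {
-ExecStart = "${pkgs.fleet}/bin/fleetd";
-Group = "fleet";
-};
-};
-systemd.sockets.fleet = {
-description = "Fleet Socket for the API";
-wantedBy = [ "sockets.target" ];
-listenStreams = cfg.listen;
-socketConfig = {
-ListenStream = "/var/run/fleet.sock";
-SocketMode = "0660";
-SocketUser = "root";
-SocketGroup = "fleet";
-};
-};
-services.etcd.enable = mkDefault true;
-virtualisation.docker.enable = mkDefault true;
-environment.systemPackages = [ pkgs.fleet ];
-users.extraGroups.fleet.gid = config.ids.gids.fleet;
-};
-}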

@ -1,156 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.panamax;
panamax_api = pkgs.panamax_api.override { dataDir = cfg.dataDir + "/api"; };
panamax_ui = pkgs.panamax_ui.override { dataDir = cfg.dataDir + "/ui"; };
in {
##### Interface
options.services.panamax = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable Panamax service.
'';
};
UIPort = mkOption {
type = types.int;
default = 8888;
description = ''
Panamax UI listening port.
'';
};
APIPort = mkOption {
type = types.int;
default = 3000;
description = ''
Panamax UI listening port.
'';
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/panamax";
description = ''
Data dir for Panamax.
'';
};
fleetctlEndpoint = mkOption {
type = types.str;
default = "http://127.0.0.1:2379";
description = ''
Panamax fleetctl endpoint.
'';
};
journalEndpoint = mkOption {
type = types.str;
default = "http://127.0.0.1:19531";
description = ''
Panamax journal endpoint.
'';
};
secretKey = mkOption {
type = types.str;
default = "SomethingVeryLong.";
description = ''
Panamax secret key (do change this).
'';
};
};
##### Implementation
config = mkIf cfg.enable {
systemd.services.panamax-api = {
description = "Panamax API";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "fleet.service" "etcd.service" "docker.service" ];
path = [ panamax_api ];
environment = {
RAILS_ENV = "production";
JOURNAL_ENDPOINT = cfg.journalEndpoint;
FLEETCTL_ENDPOINT = cfg.fleetctlEndpoint;
PANAMAX_DATABASE_PATH = "${cfg.dataDir}/api/db/mnt/db.sqlite3";
};
preStart = ''
rm -rf ${cfg.dataDir}/state/tmp
mkdir -p ${cfg.dataDir}/api/{db/mnt,state/log,state/tmp}
ln -sf ${panamax_api}/share/panamax-api/_db/{schema.rb,seeds.rb,migrate} ${cfg.dataDir}/api/db/
if [ ! -f ${cfg.dataDir}/.created ]; then
bundle exec rake db:setup
bundle exec rake db:seed
bundle exec rake panamax:templates:load || true
touch ${cfg.dataDir}/.created
else
bundle exec rake db:migrate
fi
'';
serviceConfig = {
ExecStart = "${panamax_api}/bin/bundle exec rails server --binding 127.0.0.1 --port ${toString cfg.APIPort}";
User = "panamax";
Group = "panamax";
};
};
systemd.services.panamax-ui = {
description = "Panamax UI";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "panamax_api.service" ];
path = [ panamax_ui ];
environment = {
RAILS_ENV = "production";
JOURNAL_ENDPOINT = cfg.journalEndpoint;
PMX_API_PORT_3000_TCP_ADDR = "localhost";
PMX_API_PORT_3000_TCP_PORT = toString cfg.APIPort;
SECRET_KEY_BASE = cfg.secretKey;
};
preStart = ''
mkdir -p ${cfg.dataDir}/ui/state/{log,tmp}
chown -R panamax:panamax ${cfg.dataDir}
'';
serviceConfig = {
ExecStart = "${panamax_ui}/bin/bundle exec rails server --binding 127.0.0.1 --port ${toString cfg.UIPort}";
User = "panamax";
Group = "panamax";
PermissionsStartOnly = true;
};
};
users.extraUsers.panamax =
{ uid = config.ids.uids.panamax;
description = "Panamax user";
createHome = true;
home = cfg.dataDir;
extraGroups = [ "docker" ];
};
services.journald.enableHttpGateway = mkDefault true;
services.fleet.enable = mkDefault true;
services.cadvisor.enable = mkDefault true;
services.cadvisor.port = mkDefault 3002;
virtualisation.docker.enable = mkDefault true;
environment.systemPackages = [ panamax_api panamax_ui ];
users.extraGroups.panamax.gid = config.ids.gids.panamax;
};
}


@ -218,7 +218,7 @@ in
config = mkIf config.services.mysql.enable {
services.mysql.dataDir =
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/mysql"
mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then "/var/lib/mysql"
else "/var/mysql");
users.extraUsers.mysql = {


@ -147,7 +147,7 @@ in
};
superUser = mkOption {
type = types.str;
default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
default= if versionAtLeast config.system.nixos.stateVersion "17.09" then "postgres" else "root";
internal = true;
description = ''
NixOS traditionally used 'root' as superuser, most other distros use 'postgres'.
@ -166,14 +166,14 @@ in
services.postgresql.package =
# Note: when changing the default, make it conditional on
# system.stateVersion to maintain compatibility with existing
# system.nixos.stateVersion to maintain compatibility with existing
# systems!
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql96
else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql95
mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then pkgs.postgresql96
else if versionAtLeast config.system.nixos.stateVersion "16.03" then pkgs.postgresql95
else pkgs.postgresql94);
services.postgresql.dataDir =
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
else "/var/db/postgresql");
services.postgresql.authentication = mkAfter


@ -0,0 +1,52 @@
# flatpak service.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.flatpak;
in {
meta = {
doc = ./flatpak.xml;
maintainers = pkgs.flatpak.meta.maintainers;
};
###### interface
options = {
services.flatpak = {
enable = mkEnableOption "flatpak";
extraPortals = mkOption {
type = types.listOf types.package;
default = [];
description = ''
List of additional portals to add to path. Portals allow interaction
with system, like choosing files or taking screenshots. At minimum,
a desktop portal implementation should be listed. GNOME already
adds <package>xdg-desktop-portal-gtk</package>; for KDE, there
is <package>xdg-desktop-portal-kde</package>. Other desktop
environments will probably want to do the same.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.flatpak ];
services.dbus.packages = [ pkgs.flatpak pkgs.xdg-desktop-portal ] ++ cfg.extraPortals;
systemd.packages = [ pkgs.flatpak pkgs.xdg-desktop-portal ] ++ cfg.extraPortals;
environment.variables = {
PATH = [
"$HOME/.local/share/flatpak/exports/bin"
"/var/lib/flatpak/exports/bin"
];
XDG_DESKTOP_PORTAL_PATH = map (p: "${p}/share/xdg-desktop-portal/portals") cfg.extraPortals;
};
};
}
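Review bot: The PATH entry `"$HOME/.local/share/flatpak/exports/bin"` in `environment.variables` is a literal string containing `$HOME`; whether it expands depends on how the variables file is emitted and sourced, and any consumer that receives the environment without a shell (systemd user units, for instance) sees the literal text. A comment beside it would set expectations, e.g. `# relies on shell expansion of $HOME when the environment file is sourced; non-shell consumers get the literal string`, or `environment.profileRelativeEnvVars` could be checked as the intended mechanism. `XDG_DESKTOP_PORTAL_PATH` is built from `cfg.extraPortals` by a `map`, so with the default empty list the variable is set but empty — presumably the portal then falls back to its built-in search path, which a one-line comment should state once confirmed.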


@ -0,0 +1,53 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="module-services-flatpak">
<title>Flatpak</title>
<para><emphasis>Source:</emphasis> <filename>modules/services/desktop/flatpak.nix</filename></para>
<para><emphasis>Upstream documentation:</emphasis> <link xlink:href="https://github.com/flatpak/flatpak/wiki"/></para>
<para>Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.</para>
<para>
To enable Flatpak, add the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.flatpak.enable"/> = true;
</programlisting>
</para>
<para>
For the sandboxed apps to work correctly, desktop integration portals need to be installed. If you run GNOME, this will be handled automatically for you; in other cases, you will need to add something like the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.flatpak.extraPortals"/> = [ pkgs.xdg-desktop-portal-gtk ];
</programlisting>
</para>
<para>
Then, you will need to add a repository, for example, <link xlink:href="https://github.com/flatpak/flatpak/wiki">Flathub</link>, either using the following commands:
<programlisting>
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak update
</programlisting>
or by opening the <link xlink:href="https://flathub.org/repo/flathub.flatpakrepo">repository file</link> in GNOME Software.
</para>
<para>
Finally, you can search and install programs:
<programlisting>
flatpak search bustle
flatpak install flathub org.freedesktop.Bustle
flatpak run org.freedesktop.Bustle
</programlisting>
Again, GNOME Software offers graphical interface for these tasks.
</para>
</chapter>


@ -25,6 +25,7 @@ let
ssl_cert = <${cfg.sslServerCert}
ssl_key = <${cfg.sslServerKey}
${optionalString (!(isNull cfg.sslCACert)) ("ssl_ca = <" + cfg.sslCACert)}
ssl_dh = <${config.security.dhparams.params.dovecot2.path}
disable_plaintext_auth = yes
'')
@ -297,10 +298,13 @@ in
config = mkIf cfg.enable {
security.pam.services.dovecot2 = mkIf cfg.enablePAM {};
services.dovecot2.protocols =
security.dhparams = mkIf (! isNull cfg.sslServerCert) {
enable = true;
params.dovecot2 = {};
};
services.dovecot2.protocols =
optional cfg.enableImap "imap"
++ optional cfg.enablePop3 "pop3"
++ optional cfg.enableLmtp "lmtp";
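Review bot: `security.dhparams.params.dovecot2 = {}` registers the parameter set with the dhparams module's default size, and the first hunk points `ssl_dh` at `config.security.dhparams.params.dovecot2.path`; if the dhparams module generates that file in its own unit at boot (stateful mode), dovecot2.service needs to be ordered after it, e.g. `after = [ "dhparams-gen-dovecot2.service" ]`, or the first start races the generation — worth confirming against the dhparams module. The `ssl_dh` line sits inside a string whose opening is outside the hunk, so the condition guarding the `ssl_*` block is not visible here; it should match the `! isNull cfg.sslServerCert` test used to enable dhparams, otherwise dovecot can be handed a path to a file that is never generated.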


@ -4,6 +4,7 @@ with lib;
let
cfg = config.services.gitea;
gitea = cfg.package;
pg = config.services.postgresql;
usePostgresql = cfg.database.type == "postgres";
configFile = pkgs.writeText "app.ini" ''
@ -57,6 +58,13 @@ in
description = "Enable Gitea Service.";
};
package = mkOption {
default = pkgs.gitea;
type = types.package;
defaultText = "pkgs.gitea";
description = "gitea derivation to use";
};
useWizard = mkOption {
default = false;
type = types.bool;
@ -156,6 +164,30 @@ in
};
};
dump = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable a timer that runs gitea dump to generate backup-files of the
current gitea database and repositories.
'';
};
interval = mkOption {
type = types.str;
default = "04:31";
example = "hourly";
description = ''
Run a gitea dump at this interval. Runs by default at 04:31 every day.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
'';
};
};
appName = mkOption {
type = types.str;
default = "gitea: Gitea Service";
@ -203,7 +235,7 @@ in
staticRootPath = mkOption {
type = types.str;
default = "${pkgs.gitea.data}";
default = "${gitea.data}";
example = "/var/lib/gitea/data";
description = "Upper level of template and static files path.";
};
@ -223,7 +255,7 @@ in
description = "gitea";
after = [ "network.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.gitea.bin ];
path = [ gitea.bin ];
preStart = let
runConfig = "${cfg.stateDir}/custom/conf/app.ini";
@ -253,7 +285,7 @@ in
HOOKS=$(find ${cfg.repositoryRoot} -mindepth 4 -maxdepth 4 -type f -wholename "*git/hooks/*")
if [ "$HOOKS" ]
then
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${pkgs.gitea.bin}/bin/gitea,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/gitea,${gitea.bin}/bin/gitea,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/env,${pkgs.coreutils}/bin/env,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/bash,${pkgs.bash}/bin/bash,g' $HOOKS
sed -ri 's,/nix/store/[a-z0-9.-]+/bin/perl,${pkgs.perl}/bin/perl,g' $HOOKS
@ -261,7 +293,7 @@ in
if [ ! -d ${cfg.stateDir}/conf/locale ]
then
mkdir -p ${cfg.stateDir}/conf
cp -r ${pkgs.gitea.out}/locale ${cfg.stateDir}/conf/locale
cp -r ${gitea.out}/locale ${cfg.stateDir}/conf/locale
fi
'' + optionalString (usePostgresql && cfg.database.createDatabase) ''
if ! test -e "${cfg.stateDir}/db-created"; then
@ -288,7 +320,7 @@ in
User = cfg.user;
WorkingDirectory = cfg.stateDir;
PermissionsStartOnly = true;
ExecStart = "${pkgs.gitea.bin}/bin/gitea web";
ExecStart = "${gitea.bin}/bin/gitea web";
Restart = "always";
};
@ -318,5 +350,32 @@ in
name = "gitea-database-password";
text = cfg.database.password;
})));
systemd.services.gitea-dump = {
description = "gitea dump";
after = [ "gitea.service" ];
wantedBy = [ "default.target" ];
path = [ gitea.bin ];
environment = {
USER = cfg.user;
HOME = cfg.stateDir;
GITEA_WORK_DIR = cfg.stateDir;
};
serviceConfig = {
Type = "oneshot";
User = cfg.user;
ExecStart = "${gitea.bin}/bin/gitea dump";
WorkingDirectory = cfg.stateDir;
};
};
systemd.timers.gitea-dump = {
description = "Update timer for gitea-dump";
partOf = [ "gitea-dump.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.dump.interval;
};
};
}
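Review bot: The gitea-dump service and timer in the last hunk are not gated on the new `services.gitea.dump.enable` option, so the timer (and the backup archives it writes into `cfg.stateDir`) is active on every gitea host regardless of that option; wrap both in the flag, `systemd.services.gitea-dump = mkIf cfg.dump.enable {` and `systemd.timers.gitea-dump = mkIf cfg.dump.enable {`. The service's own `wantedBy = [ "default.target" ];` additionally runs the oneshot at boot independently of the timer; dropping that line leaves `cfg.dump.interval` as the only trigger, which is what the option description promises. The enclosing `config = mkIf cfg.enable` block starts outside the hunk, so the gating could alternatively be applied there.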


@ -342,7 +342,7 @@ in {
};
database_type = mkOption {
type = types.enum [ "sqlite3" "psycopg2" ];
default = if versionAtLeast config.system.stateVersion "18.03"
default = if versionAtLeast config.system.nixos.stateVersion "18.03"
then "psycopg2"
else "sqlite3";
description = ''
@ -395,7 +395,14 @@ in {
};
url_preview_ip_range_blacklist = mkOption {
type = types.listOf types.str;
default = [];
default = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"169.254.0.0/16"
];
description = ''
List of IP address CIDR ranges that the URL preview spider is denied
from accessing.
@ -412,14 +419,7 @@ in {
};
url_preview_url_blacklist = mkOption {
type = types.listOf types.str;
default = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"169.254.0.0/16"
];
default = [];
description = ''
Optional list of URL matches that the URL preview spider is
denied from accessing.
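Review bot: The new `url_preview_ip_range_blacklist` default now carries the private and loopback IPv4 ranges (previously misplaced under `url_preview_url_blacklist`), but it contains no IPv6 entries, so with the default configuration the preview spider is still allowed to fetch from `::1` or a link-local/ULA address; consider adding `"::1/128"`, `"fe80::/64"` and `"fc00::/7"`, which I believe upstream's sample config also lists — verify against the packaged synapse version. The option description could also say outright that this list is what keeps the preview fetcher away from internal services, so nobody empties it for convenience.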


@ -187,7 +187,7 @@ in {
systemd.services.mesos-slave = {
description = "Mesos Slave";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
after = [ "network.target" ] ++ optionals cfg.withDocker [ "docker.service" ] ;
path = [ pkgs.runtimeShellPackage ];
serviceConfig = {
ExecStart = ''


@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
{
options = {
services.sysprof = {
enable = lib.mkEnableOption "sysprof profiling daemon";
};
};
config = lib.mkIf config.services.sysprof.enable {
environment.systemPackages = [ pkgs.sysprof ];
services.dbus.packages = [ pkgs.sysprof ];
systemd.packages = [ pkgs.sysprof ];
};
meta.maintainers = pkgs.sysprof.meta.maintainers;
}
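Review bot: The new sysprof module has no header comment and no option documentation beyond the one-line `mkEnableOption`; registering `pkgs.sysprof` in `services.dbus.packages` and `systemd.packages` makes the profiler's system-wide D-Bus service activatable, which a reader of `services.sysprof.enable` should be told. Suggest a comment above `config`: `# Installs sysprof's system D-Bus service and units; its profiling helper is started on demand over D-Bus — check how access to it is gated.`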


@ -14,7 +14,7 @@ let
(optionalString (cfg.defaultMode == "norouting") "--routing=none")
] ++ cfg.extraFlags);
defaultDataDir = if versionAtLeast config.system.stateVersion "17.09" then
defaultDataDir = if versionAtLeast config.system.nixos.stateVersion "17.09" then
"/var/lib/ipfs" else
"/var/lib/ipfs/.ipfs";


@ -260,7 +260,8 @@ in
RestartSec = 1;
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";
ProtectSystem = true;
MemoryDenyWriteExecute = true;
# Doesn't work on i686, causing service to fail
MemoryDenyWriteExecute = !pkgs.stdenv.isi686;
ProtectHome = true;
PrivateTmp = true;
};


@ -192,6 +192,7 @@ in
security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy {
/dev/null rw,
/dev/random r,
/dev/urandom r,
/etc/passwd r,
@ -211,6 +212,9 @@ in
${getLib pkgs.gcc.cc}/lib/libssp.so.* mr,
${getLib pkgs.libsodium}/lib/libsodium.so.* mr,
${getLib pkgs.systemd}/lib/libsystemd.so.* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so.* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so.* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so.* mr,
${getLib pkgs.xz}/lib/liblzma.so.* mr,
${getLib pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr,


@ -242,6 +242,9 @@ let
# Don't allow traffic to leak out until the script has completed
ip46tables -A INPUT -j nixos-drop
${cfg.extraStopCommands}
if ${startScript}; then
ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
else


@ -102,6 +102,14 @@ in
};
};
package = mkOption {
type = types.package;
default = pkgs.gnunet;
defaultText = "pkgs.gnunet";
description = "Overridable attribute of the gnunet package to use.";
example = literalExample "pkgs.gnunet_git";
};
extraOptions = mkOption {
default = "";
description = ''
@ -130,16 +138,16 @@ in
# The user tools that talk to `gnunetd' should come from the same source,
# so install them globally.
environment.systemPackages = [ pkgs.gnunet ];
environment.systemPackages = [ cfg.package ];
systemd.services.gnunet = {
description = "GNUnet";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.gnunet pkgs.miniupnpc ];
path = [ cfg.package pkgs.miniupnpc ];
environment.TMPDIR = "/tmp";
serviceConfig.PrivateTemp = true;
serviceConfig.ExecStart = "${pkgs.gnunet}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";
serviceConfig.ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";
serviceConfig.User = "gnunet";
serviceConfig.UMask = "0007";
serviceConfig.WorkingDirectory = homeDir;


@ -151,11 +151,6 @@ in
config = mkIf cfg.enable {
assertions = [
{ assertion = (cfg.channel >= 1 && cfg.channel <= 13);
message = "channel must be between 1 and 13";
}];
environment.systemPackages = [ pkgs.hostapd ];
systemd.services.hostapd =


@ -8,10 +8,12 @@ let
keepalivedConf = pkgs.writeText "keepalived.conf" ''
global_defs {
${optionalString cfg.enableScriptSecurity "enable_script_security"}
${snmpGlobalDefs}
${cfg.extraGlobalDefs}
}
${vrrpScriptStr}
${vrrpInstancesStr}
${cfg.extraConfig}
'';
@ -26,6 +28,22 @@ let
+ optionalString enableTraps "enable_traps"
);
vrrpScriptStr = concatStringsSep "\n" (map (s:
''
vrrp_script ${s.name} {
script "${s.script}"
interval ${toString s.interval}
fall ${toString s.fall}
rise ${toString s.rise}
timeout ${toString s.timeout}
weight ${toString s.weight}
user ${s.user} ${optionalString (s.group != null) s.group}
${s.extraConfig}
}
''
) vrrpScripts);
vrrpInstancesStr = concatStringsSep "\n" (map (i:
''
vrrp_instance ${i.name} {
@ -49,6 +67,18 @@ let
${concatMapStringsSep "\n" virtualIpLine i.virtualIps}
}
${optionalString (builtins.length i.trackScripts > 0) ''
track_script {
${concatStringsSep "\n" i.trackScripts}
}
''}
${optionalString (builtins.length i.trackInterfaces > 0) ''
track_interface {
${concatStringsSep "\n" i.trackInterfaces}
}
''}
${i.extraConfig}
}
''
@ -64,6 +94,12 @@ let
notNullOrEmpty = s: !(s == null || s == "");
vrrpScripts = mapAttrsToList (name: config:
{
inherit name;
} // config
) cfg.vrrpScripts;
vrrpInstances = mapAttrsToList (iName: iConfig:
{
name = iName;
@ -86,7 +122,8 @@ let
{ assertion = !i.vmacXmitBase || i.useVmac;
message = "services.keepalived.vrrpInstances.${i.name}.vmacXmitBase has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set.";
}
] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps);
] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps)
++ flatten (map (vrrpScriptAssertion i.name) i.trackScripts);
virtualIpAssertions = vrrpName: ip: [
{ assertion = ip.addr != "";
@ -94,6 +131,11 @@ let
}
];
vrrpScriptAssertion = vrrpName: scriptName: {
assertion = builtins.hasAttr scriptName cfg.vrrpScripts;
message = "services.keepalived.vrrpInstances.${vrrpName} trackscript ${scriptName} is not defined in services.keepalived.vrrpScripts.";
};
pidFile = "/run/keepalived.pid";
in
@ -110,6 +152,14 @@ in
'';
};
enableScriptSecurity = mkOption {
type = types.bool;
default = false;
description = ''
Don't run scripts configured to be run as root if any part of the path is writable by a non-root user.
'';
};
snmp = {
enable = mkOption {
@ -181,8 +231,16 @@ in
};
vrrpScripts = mkOption {
type = types.attrsOf (types.submodule (import ./vrrp-script-options.nix {
inherit lib;
}));
default = {};
description = "Declarative vrrp script config";
};
vrrpInstances = mkOption {
type = types.attrsOf (types.submodule (import ./vrrp-options.nix {
type = types.attrsOf (types.submodule (import ./vrrp-instance-options.nix {
inherit lib;
}));
default = {};
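Review bot: `vrrpScripts = mapAttrsToList (name: config:` binds a lambda parameter named `config`, shadowing the module's `config` argument inside that body in a file that reads `config.services.keepalived` elsewhere; renaming it, e.g. `vrrpScripts = mapAttrsToList (name: scriptCfg:`, avoids the trap. The generated `script "${s.script}"` line wraps the command in double quotes without escaping, so a command containing `"` yields a broken keepalived.conf — either escape the value or state the restriction in the option description. The default script user `keepalived_script` from vrrp-script-options.nix is not created in any visible hunk; if keepalived rejects an unknown `user`, the defaults are unusable until a `users.extraUsers` entry exists, which is worth checking.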


@ -108,6 +108,20 @@ with lib;
description = "Declarative vhost config";
};
trackScripts = mkOption {
type = types.listOf types.str;
default = [];
example = [ "chk_cmd1" "chk_cmd2" ];
description = "List of script names to invoke for health tracking.";
};
trackInterfaces = mkOption {
type = types.listOf types.str;
default = [];
example = [ "eth0" "eth1" ];
description = "List of network interfaces to monitor for health tracking.";
};
extraConfig = mkOption {
type = types.lines;
default = "";


@ -0,0 +1,64 @@
{ lib } :
with lib;
with lib.types;
{
options = {
script = mkOption {
type = str;
example = "\${pkgs.curl} -f http://localhost:80";
description = "(Path of) Script command to execute followed by args, i.e. cmd [args]...";
};
interval = mkOption {
type = int;
default = 1;
description = "Seconds between script invocations.";
};
timeout = mkOption {
type = int;
default = 5;
description = "Seconds after which script is considered to have failed.";
};
weight = mkOption {
type = int;
default = 0;
description = "Following a failure, adjust the priority by this weight.";
};
rise = mkOption {
type = int;
default = 5;
description = "Required number of successes for OK transition.";
};
fall = mkOption {
type = int;
default = 3;
description = "Required number of failures for KO transition.";
};
user = mkOption {
type = str;
default = "keepalived_script";
description = "Name of user to run the script under.";
};
group = mkOption {
type = nullOr str;
default = null;
description = "Name of group to run the script under. Defaults to user group.";
};
extraConfig = mkOption {
type = lines;
default = "";
description = "Extra lines to be added verbatim to the vrrp_script section.";
};
};
}
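Review bot: The `script` option's example `\${pkgs.curl} -f http://localhost:80` expands to a store directory rather than an executable, so copying it verbatim gives a script keepalived cannot run; it should read `example = "\${pkgs.curl}/bin/curl -f http://localhost:80";`. Since `script` is the one option here without a default, the description could also note that it is required.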


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ options, config, pkgs, lib, ... }:
with lib;
@ -6,7 +6,11 @@ let
cfg = config.services.matterbridge;
matterbridgeConfToml = pkgs.writeText "matterbridge.toml" (cfg.configFile);
matterbridgeConfToml =
if cfg.configPath == null then
pkgs.writeText "matterbridge.toml" (cfg.configFile)
else
cfg.configPath;
in
@ -15,17 +19,32 @@ in
services.matterbridge = {
enable = mkEnableOption "Matterbridge chat platform bridge";
configPath = mkOption {
type = with types; nullOr str;
default = null;
example = "/etc/nixos/matterbridge.toml";
description = ''
The path to the matterbridge configuration file.
'';
};
configFile = mkOption {
type = types.str;
example = ''
#WARNING: as this file contains credentials, be sure to set correct file permissions [irc]
# WARNING: as this file contains credentials, do not use this option!
# It is kept only for backwards compatibility, and would cause your
# credentials to be in the nix-store, thus with the world-readable
# permission bits.
# Use services.matterbridge.configPath instead.
[irc]
[irc.freenode]
Server="irc.freenode.net:6667"
Nick="matterbot"
[mattermost]
[mattermost.work]
#do not prefix it wit http:// or https://
# Do not prefix it with http:// or https://
Server="yourmattermostserver.domain"
Team="yourteam"
Login="yourlogin"
@ -44,6 +63,10 @@ in
channel="off-topic"
'';
description = ''
WARNING: THIS IS INSECURE, as your password will end up in
<filename>/nix/store</filename>, thus publicly readable. Use
<literal>services.matterbridge.configPath</literal> instead.
The matterbridge configuration file in the TOML file format.
'';
};
@ -65,32 +88,31 @@ in
};
};
config = mkMerge [
(mkIf cfg.enable {
config = mkIf cfg.enable {
warnings = optional options.services.matterbridge.configFile.isDefined
"The option services.matterbridge.configFile is insecure and should be replaced with services.matterbridge.configPath";
users.extraUsers = mkIf (cfg.user == "matterbridge") [
{ name = "matterbridge";
group = "matterbridge";
} ];
users.extraGroups = mkIf (cfg.group == "matterbridge") [
{ name = "matterbridge";
} ];
systemd.services.matterbridge = {
description = "Matterbridge chat platform bridge";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.matterbridge.bin}/bin/matterbridge -conf ${matterbridgeConfToml}";
Restart = "always";
RestartSec = "10";
};
users.extraUsers = optional (cfg.user == "matterbridge")
{ name = "matterbridge";
group = "matterbridge";
};
})
];
}
users.extraGroups = optional (cfg.group == "matterbridge")
{ name = "matterbridge";
};
systemd.services.matterbridge = {
description = "Matterbridge chat platform bridge";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.matterbridge.bin}/bin/matterbridge -conf ${matterbridgeConfToml}";
Restart = "always";
RestartSec = "10";
};
};
};
}
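Review bot: The new `configPath` option's description should say how the file is consumed: matterbridge reads it at service start as `cfg.user`, so it has to be readable by that user while — as it holds credentials — not world-readable, e.g. add to the description `Must be readable by services.matterbridge.user (e.g. mode 0640) and must not live in the Nix store.` Typing it `nullOr str` instead of `path` is the right choice, because a string is not copied into the store; a sentence saying so stops a later "cleanup" to `types.path`. The `warnings` entry is why `options` was added to the module arguments, which deserves a one-line comment at the top of the file.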


@ -1,23 +1,16 @@
# Module for MiniDLNA, a simple DLNA server.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.minidlna;
port = 8200;
in
{
###### interface
options = {
services.minidlna.enable = mkOption {
type = types.bool;
default = false;
@ -43,24 +36,48 @@ in
'';
};
services.minidlna.loglevel = mkOption {
type = types.str;
default = "warn";
example = "general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn";
description =
''
Defines the type of messages that should be logged, and down to
which level of importance they should be considered.
The possible types are artwork, database, general, http,
inotify, metadata, scanner, ssdp and tivo.
The levels are off, fatal, error, warn, info and
debug, listed here in order of decreasing importance. off
turns off logging messages entirely, fatal logs the most
critical messages only, and so on down to debug that logs every
single messages.
The types are comma-separated, followed by an equal sign (=),
followed by a level that applies to the preceding types. This can
be repeated, separating each of these constructs with a comma.
Defaults to general,artwork,database,inotify,scanner,metadata,
http,ssdp,tivo=warn which logs every type of message at the
warn level.
'';
};
services.minidlna.config = mkOption {
type = types.lines;
description = "The contents of MiniDLNA's configuration file.";
};
};
###### implementation
config = mkIf cfg.enable {
services.minidlna.config =
''
port=${toString port}
friendly_name=${config.networking.hostName} MiniDLNA
db_dir=/var/cache/minidlna
log_level=warn
log_level=${cfg.loglevel}
inotify=yes
${concatMapStrings (dir: ''
media_dir=${dir}
@ -98,7 +115,5 @@ in
" -f ${pkgs.writeText "minidlna.conf" cfg.config}";
};
};
};
}
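Review bot: The `services.minidlna.loglevel` description ends by saying it defaults to `general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn`, but the option's `default` is the bare string `"warn"`; make the two agree, either with `default = "general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn";` or by rewording the description to say that a bare level applies to every type. The value is interpolated verbatim into `log_level=${cfg.loglevel}`, so a malformed string is only diagnosed by minidlna at runtime — a note to that effect in the description would help.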


@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.ndppd;
configFile = pkgs.runCommand "ndppd.conf" {} ''
substitute ${pkgs.ndppd}/etc/ndppd.conf $out \
--replace eth0 ${cfg.interface} \
--replace 1111:: ${cfg.network}
'';
in {
options = {
services.ndppd = {
enable = mkEnableOption "daemon that proxies NDP (Neighbor Discovery Protocol) messages between interfaces";
interface = mkOption {
type = types.string;
default = "eth0";
example = "ens3";
description = "Interface which is on link-level with router.";
};
network = mkOption {
type = types.string;
default = "1111::";
example = "2001:DB8::/32";
description = "Network that we proxy.";
};
configFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to configuration file.";
};
};
};
config = mkIf cfg.enable {
systemd.packages = [ pkgs.ndppd ];
environment.etc."ndppd.conf".source = if (cfg.configFile != null) then cfg.configFile else configFile;
systemd.services.ndppd = {
serviceConfig.RuntimeDirectory = [ "ndppd" ];
wantedBy = [ "multi-user.target" ];
};
};
meta.maintainers = with maintainers; [ gnidorah ];
}
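Review bot: `types.string` on the `interface` and `network` options is the deprecated string type that silently concatenates multiple definitions; use `type = types.str;` on both. The `configFile` derivation interpolates `cfg.interface` and `cfg.network` unquoted into the `substitute` shell command, so operator-supplied values with shell metacharacters break the build; `--replace eth0 ${escapeShellArg cfg.interface}` and `--replace 1111:: ${escapeShellArg cfg.network}` avoid that. Deriving the config by literal `eth0`/`1111::` replacement in the upstream example file is fragile across ndppd releases, which a comment on `configFile` should record.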


@ -10,7 +10,8 @@ let
stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc";
dns =
if cfg.useDnsmasq then "dnsmasq"
if cfg.dns == "none" then "none"
else if cfg.dns == "dnsmasq" then "dnsmasq"
else if config.services.resolved.enable then "systemd-resolved"
else if config.services.unbound.enable then "unbound"
else "default";
@ -205,14 +206,20 @@ in {
};
};
useDnsmasq = mkOption {
type = types.bool;
default = false;
dns = mkOption {
type = types.enum [ "auto" "dnsmasq" "none" ];
default = "auto";
description = ''
Enable NetworkManager's dnsmasq integration. NetworkManager will run
dnsmasq as a local caching nameserver, using a "split DNS"
configuration if you are connected to a VPN, and then update
resolv.conf to point to the local nameserver.
Options:
- auto: Check for systemd-resolved, unbound, or use default.
- dnsmasq:
Enable NetworkManager's dnsmasq integration. NetworkManager will run
dnsmasq as a local caching nameserver, using a "split DNS"
configuration if you are connected to a VPN, and then update
resolv.conf to point to the local nameserver.
- none:
Disable NetworkManager's DNS integration completely.
It will not touch your /etc/resolv.conf.
'';
};
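Review bot: The `useDnsmasq` option is removed in favour of the `dns` enum, but nothing in these hunks migrates it, so existing configurations setting `useDnsmasq = true` fail evaluation unless an `imports` entry with `mkRenamedOptionModule`/`mkChangedOptionModule` exists elsewhere in the file. A plain rename would carry a boolean into an enum option and fail its type check, so the migration must convert the value (`true` to `"dnsmasq"`, `false` to `"auto"`). The `"none"` branch leaves `/etc/resolv.conf` untouched, as the description says; a comment on the `dns` let-binding stating that `"auto"` is resolved at evaluation time from `services.resolved.enable`/`services.unbound.enable` would make the fallback order visible to readers of the option.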


@ -20,6 +20,7 @@ let
zoneStats = length (collect (x: (x.zoneStats or null) != null) cfg.zones) > 0;
};
mkZoneFileName = name: if name == "." then "root" else name;
nsdEnv = pkgs.buildEnv {
name = "nsd-env";
@ -50,8 +51,9 @@ let
};
writeZoneData = name: text: pkgs.writeTextFile {
inherit name text;
destination = "/zones/${name}";
name = "nsd-zone-${mkZoneFileName name}";
inherit text;
destination = "/zones/${mkZoneFileName name}";
};
@ -146,7 +148,7 @@ let
zoneConfigFile = name: zone: ''
zone:
name: "${name}"
zonefile: "${stateDir}/zones/${name}"
zonefile: "${stateDir}/zones/${mkZoneFileName name}"
${maybeString "outgoing-interface: " zone.outgoingInterface}
${forEach " rrl-whitelist: " zone.rrlWhitelist}
${maybeString "zonestats: " zone.zoneStats}
@ -887,6 +889,12 @@ in
config = mkIf cfg.enable {
assertions = singleton {
assertion = zoneConfigs ? "." -> cfg.rootServer;
message = "You have a root zone configured. If this is really what you "
+ "want, please enable 'services.nsd.rootServer'.";
};
environment.systemPackages = [ nsdPkg ];
users.extraGroups = singleton {


@ -9,7 +9,7 @@ let
confFile = pkgs.writeText "radicale.conf" cfg.config;
# This enables us to default to version 2 while still not breaking configurations of people with version 1
defaultPackage = if versionAtLeast config.system.stateVersion "17.09" then {
defaultPackage = if versionAtLeast config.system.nixos.stateVersion "17.09" then {
pkg = pkgs.radicale2;
text = "pkgs.radicale2";
} else {
@ -35,7 +35,7 @@ in
defaultText = defaultPackage.text;
description = ''
Radicale package to use. This defaults to version 1.x if
<literal>system.stateVersion &lt; 17.09</literal> and version 2.x
<literal>system.nixos.stateVersion &lt; 17.09</literal> and version 2.x
otherwise.
'';
};


@ -0,0 +1,214 @@
{ config, lib, pkgs, ...}:
with lib;
let
cfg = config.services.stubby;
fallbacks = concatMapStringsSep "\n " (x: "- ${x}") cfg.fallbackProtocols;
listeners = concatMapStringsSep "\n " (x: "- ${x}") cfg.listenAddresses;
# By default, the recursive resolvers maintained by the getdns
# project itself are enabled. More information about both getdns's servers,
# as well as third party options for upstream resolvers, can be found here:
# https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
#
# You can override these values by supplying a yaml-formatted array of your
# preferred upstream resolvers in the following format:
#
# 106 # - address_data: IPv4 or IPv6 address of the upstream
# port: Port for UDP/TCP (default is 53)
# tls_auth_name: Authentication domain name checked against the server
# certificate
# tls_pubkey_pinset: An SPKI pinset verified against the keys in the server
# certificate
# - digest: Only "sha256" is currently supported
# value: Base64 encoded value of the sha256 fingerprint of the public
# key
# tls_port: Port for TLS (default is 853)
defaultUpstream = ''
- address_data: 145.100.185.15
tls_auth_name: "dnsovertls.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- address_data: 145.100.185.16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- address_data: 185.49.141.37
tls_auth_name: "getdnsapi.net"
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
- address_data: 2001:610:1:40ba:145:100:185:15
tls_auth_name: "dnsovertls.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
- address_data: 2001:610:1:40ba:145:100:185:16
tls_auth_name: "dnsovertls1.sinodun.com"
tls_pubkey_pinset:
- digest: "sha256"
value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
- address_data: 2a04:b900:0:100::38
tls_auth_name: "getdnsapi.net"
tls_pubkey_pinset:
- digest: "sha256"
value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
'';
# Resolution type is not changeable here because it is required per the
# stubby documentation:
#
# "resolution_type: Work in stub mode only (not recursive mode) - required for Stubby
# operation."
#
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
confFile = pkgs.writeText "stubby.yml" ''
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
${fallbacks}
tls_authentication: ${cfg.authenticationMode}
tls_query_padding_blocksize: ${toString cfg.queryPaddingBlocksize}
edns_client_subnet_private: ${if cfg.subnetPrivate then "1" else "0"}
idle_timeout: ${toString cfg.idleTimeout}
listen_addresses:
${listeners}
round_robin_upstreams: ${if cfg.roundRobinUpstreams then "1" else "0"}
${cfg.extraConfig}
upstream_recursive_servers:
${cfg.upstreamServers}
'';
in
{
options = {
services.stubby = {
enable = mkEnableOption "Stubby DNS resolver";
fallbackProtocols = mkOption {
default = [ "GETDNS_TRANSPORT_TLS" ];
type = with types; listOf (enum [
"GETDNS_TRANSPORT_TLS"
"GETDNS_TRANSPORT_TCP"
"GETDNS_TRANSPORT_UDP"
]);
description = ''
Ordered list composed of one or more transport protocols.
Strict mode should only use <literal>GETDNS_TRANSPORT_TLS</literal>.
Other options are <literal>GETDNS_TRANSPORT_UDP</literal> and
<literal>GETDNS_TRANSPORT_TCP</literal>.
'';
};
authenticationMode = mkOption {
default = "GETDNS_AUTHENTICATION_REQUIRED";
type = types.enum [
"GETDNS_AUTHENTICATION_REQUIRED"
"GETDNS_AUTHENTICATION_NONE"
];
description = ''
Selects the Strict or Opportunistic usage profile.
For strict, set to <literal>GETDNS_AUTHENTICATION_REQUIRED</literal>.
for opportunistic, use <literal>GETDNS_AUTHENTICATION_NONE</literal>.
'';
};
queryPaddingBlocksize = mkOption {
default = 128;
type = types.int;
description = ''
EDNS0 option to pad the size of the DNS query to the given blocksize.
'';
};
subnetPrivate = mkOption {
default = true;
type = types.bool;
description = ''
EDNS0 option for ECS client privacy. Default is
<literal>true</literal>. If set, this option prevents the client
subnet from being sent to authoritative nameservers.
'';
};
idleTimeout = mkOption {
default = 10000;
type = types.int;
description = "EDNS0 option for keepalive idle timeout expressed in
milliseconds.";
};
listenAddresses = mkOption {
default = [ "127.0.0.1" "0::1" ];
type = with types; listOf str;
description = ''
Sets the listen address for the stubby daemon.
Uses port 53 by default.
Ise IP@port to specify a different port.
'';
};
roundRobinUpstreams = mkOption {
default = true;
type = types.bool;
description = ''
Instructs stubby to distribute queries across all available name
servers. Default is <literal>true</literal>. Set to
<literal>false</literal> in order to use the first available.
'';
};
upstreamServers = mkOption {
default = defaultUpstream;
type = types.lines;
description = ''
Add additional upstreams. See <citerefentry><refentrytitle>stubby
</refentrytitle><manvolnum>1</manvolnum></citerefentry> for an
example of the entry formatting. In Strict mode, at least one of the
following settings must be supplied for each nameserver:
<literal>tls_auth_name</literal> or
<literal>tls_pubkey_pinset</literal>.
'';
};
debugLogging = mkOption {
default = false;
type = types.bool;
description = "Enable or disable debug level logging.";
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
Add additional configuration options. see <citerefentry>
<refentrytitle>stubby</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>for more options.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.stubby ];
systemd.services.stubby = {
description = "Stubby local DNS resolver";
after = [ "network.target" ];
before = [ "nss-lookup.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
DynamicUser = true;
};
};
};
}


@ -193,7 +193,7 @@ let
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.DEVICE = name;
path = with pkgs; [ kmod iproute wireguard ];
path = with pkgs; [ kmod iproute wireguard-tools ];
serviceConfig = {
Type = "oneshot";
@ -279,7 +279,7 @@ in
config = mkIf (cfg.interfaces != {}) {
boot.extraModulePackages = [ kernel.wireguard ];
environment.systemPackages = [ pkgs.wireguard ];
environment.systemPackages = [ pkgs.wireguard-tools ];
systemd.services = mapAttrs' generateUnit cfg.interfaces;


@ -133,6 +133,7 @@ in {
ReadOnlyDirectories = "/";
ReadWriteDirectories = "/run/sshguard /var/lib/sshguard";
RuntimeDirectory = "sshguard";
StateDirectory = "sshguard";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
};
};
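Review bot: `StateDirectory = "sshguard"` makes systemd create `/var/lib/sshguard` for the unit, the same path the unit already lists in `ReadWriteDirectories`, so the two now overlap and the older spelling is the odd one out. systemd documents `ReadOnlyDirectories=`/`ReadWriteDirectories=` as legacy aliases of `ReadOnlyPaths=`/`ReadWritePaths=`; since the unit is being touched anyway, migrate them in the same change: `ReadOnlyPaths = "/";` and `ReadWritePaths = "/run/sshguard /var/lib/sshguard";`. The enclosing `serviceConfig` block starts outside the section.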


@ -42,6 +42,34 @@ in
default = 8081;
description = "Port to listen on.";
};
jvmOpts = mkOption {
type = types.lines;
default = ''
-Xms1200M
-Xmx1200M
-XX:MaxDirectMemorySize=2G
-XX:+UnlockDiagnosticVMOptions
-XX:+UnsyncloadClass
-XX:+LogVMOutput
-XX:LogFile=${cfg.home}/nexus3/log/jvm.log
-XX:-OmitStackTraceInFastThrow
-Djava.net.preferIPv4Stack=true
-Dkaraf.home=${pkgs.nexus}
-Dkaraf.base=${pkgs.nexus}
-Dkaraf.etc=${pkgs.nexus}/etc/karaf
-Djava.util.logging.config.file=${pkgs.nexus}/etc/karaf/java.util.logging.properties
-Dkaraf.data=${cfg.home}/nexus3
-Djava.io.tmpdir=${cfg.home}/nexus3/tmp
-Dkaraf.startLocalConsole=false
'';
description = ''
Options for the JVM written to `nexus.jvmopts`.
Please refer to the docs (https://help.sonatype.com/repomanager3/installation/configuring-the-runtime-environment)
for further information.
'';
};
};
};
@ -63,13 +91,13 @@ in
environment = {
NEXUS_USER = cfg.user;
NEXUS_HOME = cfg.home;
VM_OPTS_FILE = pkgs.writeText "nexus.vmoptions" cfg.jvmOpts;
};
preStart = ''
mkdir -p ${cfg.home}/nexus3/etc
ln -sf ${cfg.home} /run/sonatype-work
chown -R ${cfg.user}:${cfg.group} ${cfg.home}
if [ ! -f ${cfg.home}/nexus3/etc/nexus.properties ]; then
@ -77,10 +105,10 @@ in
echo "application-port=${toString cfg.listenPort}" >> ${cfg.home}/nexus3/etc/nexus.properties
echo "application-host=${toString cfg.listenAddress}" >> ${cfg.home}/nexus3/etc/nexus.properties
else
sed 's/^application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
fi
'';
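Review bot: The `jvmOpts` description says the options are written to `nexus.jvmopts`, but the environment block writes them with `pkgs.writeText "nexus.vmoptions"` and hands that path over as `VM_OPTS_FILE`, so the description should name `nexus.vmoptions`. Because the default is a single `types.lines` string, anyone who sets `jvmOpts` replaces every default line, including the `-Dkaraf.*`, `-Djava.util.logging.config.file` and `-Djava.io.tmpdir` paths; say so in the description, e.g. `Setting this option replaces the whole default list, so keep the -Dkaraf.* and -Djava.* entries unless you intend to change them.` As far as the section shows, `preStart` only creates `${cfg.home}/nexus3/etc`, while `-XX:LogFile` points into `${cfg.home}/nexus3/log/`, so the JVM log may fail to open on first start unless Nexus creates that directory itself — worth confirming or adding a `mkdir -p`. Separately, `-XX:+UnsyncloadClass` is, as far as I recall, deprecated and later removed in newer JDKs; check it against the JDK `pkgs.nexus` runs on. The `options` and `preStart` blocks both extend beyond the section.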


@ -66,7 +66,7 @@ in {
description = "Caddy web server";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment = mkIf (versionAtLeast config.system.stateVersion "17.09")
environment = mkIf (versionAtLeast config.system.nixos.stateVersion "17.09")
{ CADDYPATH = cfg.dataDir; };
serviceConfig = {
ExecStart = ''


@ -38,6 +38,7 @@ let
${toString (flip mapAttrsToList upstream.servers (name: server: ''
server ${name} ${optionalString server.backup "backup"};
''))}
${upstream.extraConfig}
}
''));
@ -492,6 +493,13 @@ in
'';
default = {};
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
These lines go to the end of the upstream verbatim.
'';
};
};
});
description = ''


@ -62,6 +62,7 @@ with lib;
This is useful if you have many subdomains and want to avoid hitting the
<link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>.
Alternately, you can generate a certificate through <option>enableACME</option>.
<emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones you will need to create them manually using <xref linkend="opt-security.acme.certs"/>.</emphasis>
'';
};
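Review bot: The new emphasised sentence runs two clauses together and has the verb order wrong (`nor it does add subdomains to existing ones you will need to create them manually`), which makes a warning the user actually needs hard to parse. Suggest `Note that this option does not create any certificates, nor does it add subdomains to existing ones; you will need to create them manually using <xref linkend="opt-security.acme.certs"/>.` The option definition itself starts outside the section.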


@ -120,6 +120,7 @@ in {
services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
services.udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
systemd.packages = [ pkgs.gnome3.vino ];
services.flatpak.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
# If gnome3 is installed, build vim for gtk3 too.
nixpkgs.config.vim.gui = "gtk3";


@ -12,6 +12,7 @@ in
options = {
services.xserver.desktopManager.xterm.enable = mkOption {
type = types.bool;
default = true;
description = "Enable a xterm terminal as a desktop manager.";
};


@ -135,6 +135,9 @@ in
systemd.services.display-manager.path = [ pkgs.gnome3.gnome-session ];
# Allow choosing an user account
services.accounts-daemon.enable = true;
services.dbus.packages = [ gdm ];
systemd.user.services.dbus.wantedBy = [ "default.target" ];


@ -15,10 +15,10 @@ in
services.xserver.windowManager.session = singleton {
name = "stumpwm";
start = ''
${pkgs.stumpwm}/bin/stumpwm &
${pkgs.lispPackages.stumpwm}/bin/stumpwm &
waitPID=$!
'';
};
environment.systemPackages = [ pkgs.stumpwm ];
environment.systemPackages = [ pkgs.lispPackages.stumpwm ];
};
}


@ -4,6 +4,7 @@ use strict;
use warnings;
use File::Basename;
use File::Slurp;
use Net::DBus;
use Sys::Syslog qw(:standard :macros);
use Cwd 'abs_path';
@ -67,17 +68,15 @@ EOF
$SIG{PIPE} = "IGNORE";
sub getActiveUnits {
# FIXME: use D-Bus or whatever to query this, since parsing the
# output of list-units is likely to break.
# Use current version of systemctl binary before daemon is reexeced.
my $lines = `LANG= /run/current-system/sw/bin/systemctl list-units --full --no-legend`;
my $mgr = Net::DBus->system->get_service("org.freedesktop.systemd1")->get_object("/org/freedesktop/systemd1");
my $units = $mgr->ListUnitsByPatterns([], []);
my $res = {};
foreach my $line (split '\n', $lines) {
chomp $line;
last if $line eq "";
$line =~ /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s/ or next;
next if $1 eq "UNIT";
$res->{$1} = { load => $2, state => $3, substate => $4 };
for my $item (@$units) {
my ($id, $description, $load_state, $active_state, $sub_state,
$following, $unit_path, $job_id, $job_type, $job_path) = @$item;
next unless $following eq '';
next if $job_id == 0 and $active_state eq 'inactive';
$res->{$id} = { load => $load_state, state => $active_state, substate => $sub_state };
}
return $res;
}
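Review bot: `next if $job_id == 0 and $active_state eq 'inactive';` silently encodes what the old `systemctl list-units` call did implicitly (without `--all`, inactive units with no pending job are not listed), and that intent is lost without a comment; suggest `# Mirror 'systemctl list-units' (no --all): skip inactive units with no pending job.` on that line, and similarly `# Units that merely follow another unit's state are not reported separately.` above `next unless $following eq '';`. As far as I know `Net::DBus->system` dies when the system bus cannot be reached, whereas the old backtick invocation would have produced an empty result; if the callers of `getActiveUnits` cannot handle an exception at that point, wrap the lookup in `eval` and return `{}` on failure. The callers are outside the section.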


@ -127,7 +127,8 @@ let
configurationName = config.boot.loader.grub.configurationName;
# Needed by switch-to-configuration.
perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl";
perl = "${pkgs.perl}/bin/perl " + (concatMapStringsSep " " (lib: "-I${lib}/${pkgs.perl.libPrefix}") (with pkgs.perlPackages; [ FileSlurp NetDBus XMLParser XMLTwig ]));
} else throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failed)}");
# Replace runtime dependencies


@ -15,8 +15,11 @@ with lib;
Enables storing core dumps in systemd.
Note that this alone is not enough to enable core dumps. The maximum
file size for core dumps must be specified in limits.conf as well. See
<option>security.pam.loginLimits</option> as well as the limits.conf(5)
man page.
<option>security.pam.loginLimits</option> and the limits.conf(5)
man page (these specify the core dump limits for user login sessions)
and <option>systemd.extraConfig</option> (where e.g.
<literal>DefaultLimitCORE=1000000</literal> can be specified to set
the core dump limit for systemd system-level services).
'';
};
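Review bot: The expanded description now explains how to raise the size limit but still says nothing about what a core dump is: a (possibly truncated) copy of the crashed process's memory written to disk, which for system services means cached credentials, private keys and session tokens. Suggest appending a sentence such as `Core dumps contain the memory of the crashed process, including any secrets it held; restrict access to systemd-coredump's storage directory and think twice before enabling this on systems that handle sensitive data.` The option definition continues outside the section.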


@ -30,7 +30,7 @@ with lib;
boot.initrd.postDeviceCommands = ''
rootDevice="${config.fileSystems."/".device}"
if [ -e "$rootDevice" ]; then
if waitDevice "$rootDevice"; then
rootDevice="$(readlink -f "$rootDevice")"
parentDevice="$rootDevice"
while [ "''${parentDevice%[0-9]}" != "''${parentDevice}" ]; do


@ -454,7 +454,6 @@ in
["firewire_ohci" "firewire_core" "firewire_sbp2"];
# Some modules that may be needed for mounting anything ciphered
# Also load input_leds to get caps lock light working (#12456)
boot.initrd.availableKernelModules = [ "dm_mod" "dm_crypt" "cryptd" "input_leds" ]
++ luks.cryptoModules
# workaround until https://marc.info/?l=linux-crypto-vger&m=148783562211457&w=4 is merged


@ -87,9 +87,10 @@ in
systemd.services.plymouth-kexec.wantedBy = [ "kexec.target" ];
systemd.services.plymouth-halt.wantedBy = [ "halt.target" ];
systemd.services.plymouth-quit-wait.wantedBy = [ "multi-user.target" ];
systemd.services.plymouth-quit = {
wantedBy = [ "multi-user.target" ];
after = [ "display-manager.service" "multi-user.target" ];
after = [ "display-manager.service" ];
};
systemd.services.plymouth-poweroff.wantedBy = [ "poweroff.target" ];
systemd.services.plymouth-reboot.wantedBy = [ "reboot.target" ];


@ -74,6 +74,32 @@ ln -s /proc/mounts /etc/mtab # to shut up mke2fs
touch /etc/udev/hwdb.bin # to shut up udev
touch /etc/initrd-release
# Function for waiting a device to appear.
waitDevice() {
local device="$1"
# USB storage devices tend to appear with some delay. It would be
# great if we had a way to synchronously wait for them, but
# alas... So just wait for a few seconds for the device to
# appear.
if test ! -e $device; then
echo -n "waiting for device $device to appear..."
try=20
while [ $try -gt 0 ]; do
sleep 1
# also re-try lvm activation now that new block devices might have appeared
lvm vgchange -ay
# and tell udev to create nodes for the new LVs
udevadm trigger --action=add
if test -e $device; then break; fi
echo -n "."
try=$((try - 1))
done
echo
[ $try -ne 0 ]
fi
}
# Mount special file systems.
specialMount() {
local device="$1"
@ -377,40 +403,7 @@ lustrateRoot () {
exec 4>&-
}
# Function for waiting a device to appear.
waitDevice() {
local device="$1"
# USB storage devices tend to appear with some delay. It would be
# great if we had a way to synchronously wait for them, but
# alas... So just wait for a few seconds for the device to
# appear.
if test ! -e $device; then
echo -n "waiting for device $device to appear..."
try=20
while [ $try -gt 0 ]; do
sleep 1
# also re-try lvm activation now that new block devices might have appeared
lvm vgchange -ay
# and tell udev to create nodes for the new LVs
udevadm trigger --action=add
if test -e $device; then break; fi
echo -n "."
try=$((try - 1))
done
echo
[ $try -ne 0 ]
fi
}
# Try to resume - all modules are loaded now.
if test -e /sys/power/tuxonice/resume; then
if test -n "$(cat /sys/power/tuxonice/resume)"; then
echo 0 > /sys/power/tuxonice/user_interface/enabled
echo 1 > /sys/power/tuxonice/do_resume || echo "failed to resume..."
fi
fi
if test -e /sys/power/resume -a -e /sys/power/disk; then
if test -n "@resumeDevice@" && waitDevice "@resumeDevice@"; then
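Review bot: In the relocated `waitDevice`, `$device` is still unquoted in `test ! -e $device` and `test -e $device`, so a path containing whitespace or a glob character is word-split before the test; since the function is being moved anyway, quote it now: `if test ! -e "$device"; then` and `if test -e "$device"; then break; fi`. The function also does more than wait — every retry runs `lvm vgchange -ay` and `udevadm trigger --action=add` — and moving it up makes those side effects available to every earlier caller, which presumably is the intent; a comment above the function saying so (`# NOTE: each retry also re-activates LVM volumes and re-triggers udev add events.`) would stop the next reader from treating it as a pure poll. The call sites of `waitDevice` are outside the section.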


@ -2,9 +2,10 @@
with lib;
let cfg = config.systemd; in
rec {
let
cfg = config.systemd;
lndir = "${pkgs.xorg.lndir}/bin/lndir";
in rec {
shellEscape = s: (replaceChars [ "\\" ] [ "\\\\" ] s);
@ -136,7 +137,13 @@ rec {
for i in ${toString cfg.packages}; do
for fn in $i/etc/systemd/${type}/* $i/lib/systemd/${type}/*; do
if ! [[ "$fn" =~ .wants$ ]]; then
ln -s $fn $out/
if [[ -d "$fn" ]]; then
targetDir="$out/$(basename "$fn")"
mkdir -p "$targetDir"
${lndir} "$fn" "$targetDir"
else
ln -s $fn $out/
fi
fi
done
done
@ -151,7 +158,7 @@ rec {
if [ "$(readlink -f $i/$fn)" = /dev/null ]; then
ln -sfn /dev/null $out/$fn
else
mkdir $out/$fn.d
mkdir -p $out/$fn.d
ln -s $i/$fn $out/$fn.d/overrides.conf
fi
else
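Review bot: The new directory branch quotes its expansions (`"$fn"`, `"$targetDir"`) while the retained `ln -s $fn $out/` on the else path does not; for consistency, and because `$fn` comes from a glob over store paths, use `ln -s "$fn" "$out/"` there too. `${lndir} "$fn" "$targetDir"` merges contents when several packages ship a directory of the same name, which I take to be the point of the change; a comment such as `# merge drop-in directories from several packages instead of linking only the first` would make that explicit. In the second hunk, `mkdir -p $out/$fn.d` now tolerates a directory created by that lndir step, but `ln -s $i/$fn $out/$fn.d/overrides.conf` will still fail if an `overrides.conf` already exists there — I cannot see from the section whether that case can occur. Both hunks sit inside a shell string whose enclosing definition starts outside the section.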


@ -217,7 +217,7 @@ in rec {
environment = mkOption {
default = {};
type = with types; attrsOf (nullOr (either str package));
type = with types; attrsOf (nullOr (either str (either path package)));
example = { PATH = "/foo/bar/bin"; LANG = "nl_NL.UTF-8"; };
description = "Environment variables passed to the service's processes.";
};


@ -58,6 +58,9 @@ in
systemd.services."serial-getty@${qemuSerialDevice}".enable = false;
systemd.services."serial-getty@hvc0".enable = false;
# Only use a serial console, no TTY.
virtualisation.qemu.consoles = [ qemuSerialDevice ];
boot.initrd.preDeviceCommands =
''
echo 600 > /proc/sys/kernel/hung_task_timeout_secs
@ -126,6 +129,9 @@ in
users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
services.xserver.displayManager.job.logToJournal = true;
# set default stateVersion to avoid warnings during eval
system.nixos.stateVersion = mkDefault "18.03";
};
}


@ -48,13 +48,6 @@ let cfg = config.ec2; in
boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)";
boot.loader.timeout = 0;
boot.initrd.postDeviceCommands =
''
# Force udev to exit to prevent random "Device or resource busy
# while trying to open /dev/xvda" errors from fsck.
udevadm control --exit || true
'';
boot.initrd.network.enable = true;
# Mount all formatted ephemeral disks and activate all swap devices.


@ -3,7 +3,7 @@
options = {
ec2 = {
hvm = lib.mkOption {
default = lib.versionAtLeast config.system.stateVersion "17.03";
default = lib.versionAtLeast config.system.nixos.stateVersion "17.03";
internal = true;
description = ''
Whether the EC2 instance is a HVM instance.


@ -606,8 +606,8 @@ in
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql96;
system.stateVersion = "17.03";
system.nixos.stateVersion = "17.03";
};
};
}


@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.qemuGuest;
in {
options.services.qemuGuest = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the qemu guest agent.";
};
};
config = mkIf cfg.enable (
mkMerge [
{
services.udev.extraRules = ''
SUBSYSTEM=="virtio-ports", ATTR{name}=="org.qemu.guest_agent.0", TAG+="systemd" ENV{SYSTEMD_WANTS}="qemu-guest-agent.service"
'';
systemd.services.qemu-guest-agent = {
description = "Run the QEMU Guest Agent";
serviceConfig = {
ExecStart = "${pkgs.kvm.ga}/bin/qemu-ga";
Restart = "always";
RestartSec = 0;
};
};
}
]
);
}
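Review bot: The `enable` description (`Whether to enable the qemu guest agent.`) says nothing about what enabling it grants: `serviceConfig` runs `qemu-ga` as root with no `User` or sandboxing, and unless commands are blacklisted with `-b`, qemu-ga's default command set includes `guest-exec` and `guest-file-*`, so whoever controls the hypervisor side of the agent channel can run commands and read or write files as root inside the guest. Suggest `Whether to enable the QEMU guest agent. It runs as root and lets the host execute commands and access files inside the guest over the virtio-serial channel, so enable it only on hypervisors you trust.` `Restart = "always"` with `RestartSec = 0` will spin if `qemu-ga` exits immediately, for example when the channel device disappears, so a small `RestartSec` or a `ConditionPathExists` on the device would be gentler. The udev rule omits the comma between `TAG+="systemd"` and `ENV{SYSTEMD_WANTS}=…`; udev appears to accept a bare space, but `TAG+="systemd", ENV{SYSTEMD_WANTS}="qemu-guest-agent.service"` is the documented form. The single-element `mkMerge [ { … } ]` can be collapsed to the attribute set itself.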


@ -23,9 +23,9 @@ let
cfg = config.virtualisation;
qemuGraphics = if cfg.graphics then "" else "-nographic";
kernelConsole = if cfg.graphics then "" else "console=${qemuSerialDevice}";
ttys = [ "tty1" "tty2" "tty3" "tty4" "tty5" "tty6" ];
qemuGraphics = lib.optionalString (!cfg.graphics) "-nographic";
consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles;
# XXX: This is very ugly and in the future we really should use attribute
# sets to build ALL of the QEMU flags instead of this mixed mess of Nix
@ -108,7 +108,7 @@ let
${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \
-kernel ${config.system.build.toplevel}/kernel \
-initrd ${config.system.build.toplevel}/initrd \
-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${kernelConsole} $QEMU_KERNEL_PARAMS" \
-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS" \
''} \
$extraDisks \
${qemuGraphics} \
@ -248,9 +248,10 @@ in
default = true;
description =
''
Whether to run QEMU with a graphics window, or access
the guest computer serial port through the host tty.
'';
Whether to run QEMU with a graphics window, or in nographic mode.
Serial console will be enabled on both settings, but this will
change the preferred console.
'';
};
virtualisation.cores =
@ -332,6 +333,23 @@ in
description = "Options passed to QEMU.";
};
consoles = mkOption {
type = types.listOf types.str;
default = let
consoles = [ "${qemuSerialDevice},115200n8" "tty0" ];
in if cfg.graphics then consoles else reverseList consoles;
example = [ "console=tty1" ];
description = ''
The output console devices to pass to the kernel command line via the
<literal>console</literal> parameter, the primary console is the last
item of this list.
By default it enables both serial console and
<literal>tty0</literal>. The preferred console (last one) is based on
the value of <option>virtualisation.graphics</option>.
'';
};
networkingOptions =
mkOption {
default = [
@ -356,6 +374,15 @@ in
type = types.enum [ "virtio" "scsi" "ide" ];
description = "The interface used for the virtual hard disks.";
};
guestAgent.enable =
mkOption {
default = true;
type = types.bool;
description = ''
Enable the Qemu guest agent.
'';
};
};
virtualisation.useBootLoader =
@ -507,6 +534,8 @@ in
# Don't run ntpd in the guest. It should get the correct time from KVM.
services.timesyncd.enable = false;
services.qemuGuest.enable = cfg.qemu.guestAgent.enable;
system.build.vm = pkgs.runCommand "nixos-vm" { preferLocalBuild = true; }
''
mkdir -p $out/bin
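Review bot: The `example` for `virtualisation.qemu.consoles` is wrong: the option holds device names and the module prefixes each with `console=` (`concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles`), so `example = [ "console=tty1" ];` would put `console=console=tty1` on the kernel command line; it should read `example = [ "tty1" ];`. `guestAgent.enable` defaults to `true` and is wired straight into `services.qemuGuest.enable`, and because the agent service added in this commit runs `qemu-ga` as root, that default hands the hypervisor side root command and file access in every VM built from this module; the description should say this is meant for test and development VMs, e.g. `Enable the QEMU guest agent. It gives the host root-level command and file access inside the VM, which is fine for test VMs but should be reconsidered elsewhere.` The `qemuGraphics`/`consoles` bindings are inside a `let` that starts before the section.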


@ -58,6 +58,8 @@ in rec {
nixos.ova.x86_64-linux or []
#(all nixos.tests.containers)
(all nixos.tests.containers-imperative)
(all nixos.tests.containers-ipv4)
nixos.tests.chromium.x86_64-linux or []
(all nixos.tests.firefox)
(all nixos.tests.firewall)
@ -98,6 +100,7 @@ in rec {
(all nixos.tests.misc)
(all nixos.tests.mutableUsers)
(all nixos.tests.nat.firewall)
(all nixos.tests.nat.firewall-conntrack)
(all nixos.tests.nat.standalone)
(all nixos.tests.networking.scripted.loopback)
(all nixos.tests.networking.scripted.static)
@ -112,6 +115,10 @@ in rec {
(all nixos.tests.nfs4)
(all nixos.tests.openssh)
(all nixos.tests.php-pcre)
(all nixos.tests.predictable-interface-names.predictable)
(all nixos.tests.predictable-interface-names.unpredictable)
(all nixos.tests.predictable-interface-names.predictableNetworkd)
(all nixos.tests.predictable-interface-names.unpredictableNetworkd)
(all nixos.tests.printing)
(all nixos.tests.proxy)
(all nixos.tests.sddm.default)


@ -198,6 +198,7 @@ in rec {
modules = singleton ({ config, pkgs, ... }:
{ fileSystems."/".device = mkDefault "/dev/sda1";
boot.loader.grub.device = mkDefault "/dev/sda";
system.nixos.stateVersion = mkDefault "18.03";
});
}).config.system.build.toplevel;
preferLocalBuild = true;
@ -269,6 +270,7 @@ in rec {
tests.containers-macvlans = callTest tests/containers-macvlans.nix {};
tests.couchdb = callTest tests/couchdb.nix {};
tests.deluge = callTest tests/deluge.nix {};
tests.dhparams = callTest tests/dhparams.nix {};
tests.docker = callTestOnMatchingSystems ["x86_64-linux"] tests/docker.nix {};
tests.docker-tools = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools.nix {};
tests.docker-tools-overlay = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools-overlay.nix {};
@ -283,8 +285,8 @@ in rec {
tests.env = callTest tests/env.nix {};
tests.ferm = callTest tests/ferm.nix {};
tests.firefox = callTest tests/firefox.nix {};
tests.flatpak = callTest tests/flatpak.nix {};
tests.firewall = callTest tests/firewall.nix {};
tests.fleet = callTestOnMatchingSystems ["x86_64-linux"] tests/fleet.nix {};
tests.fwupd = callTest tests/fwupd.nix {};
#tests.gitlab = callTest tests/gitlab.nix {};
tests.gitolite = callTest tests/gitolite.nix {};
@ -313,10 +315,7 @@ in rec {
tests.plotinus = callTest tests/plotinus.nix {};
tests.keymap = callSubTests tests/keymap.nix {};
tests.initrdNetwork = callTest tests/initrd-network.nix {};
tests.kafka_0_9 = callTest tests/kafka_0_9.nix {};
tests.kafka_0_10 = callTest tests/kafka_0_10.nix {};
tests.kafka_0_11 = callTest tests/kafka_0_11.nix {};
tests.kafka_1_0 = callTest tests/kafka_1_0.nix {};
tests.kafka = callSubTests tests/kafka.nix {};
tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {};
tests.kernel-latest = callTest tests/kernel-latest.nix {};
tests.kernel-lts = callTest tests/kernel-lts.nix {};
@ -348,6 +347,7 @@ in rec {
tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };
# TODO: put in networking.nix after the test becomes more complete
tests.networkingProxy = callTest tests/networking-proxy.nix {};
tests.nexus = callTest tests/nexus.nix { };
tests.nfs3 = callTest tests/nfs.nix { version = 3; };
tests.nfs4 = callTest tests/nfs.nix { version = 4; };
tests.nginx = callTest tests/nginx.nix { };
@ -360,7 +360,6 @@ in rec {
tests.openldap = callTest tests/openldap.nix {};
tests.owncloud = callTest tests/owncloud.nix {};
tests.pam-oath-login = callTest tests/pam-oath-login.nix {};
#tests.panamax = callTestOnMatchingSystems ["x86_64-linux"] tests/panamax.nix {};
tests.peerflix = callTest tests/peerflix.nix {};
tests.php-pcre = callTest tests/php-pcre.nix {};
tests.postgresql = callSubTests tests/postgresql.nix {};
@ -399,9 +398,11 @@ in rec {
tests.virtualbox = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/virtualbox.nix {};
tests.wordpress = callTest tests/wordpress.nix {};
tests.xautolock = callTest tests/xautolock.nix {};
tests.xdg-desktop-portal = callTest tests/xdg-desktop-portal.nix {};
tests.xfce = callTest tests/xfce.nix {};
tests.xmonad = callTest tests/xmonad.nix {};
tests.xrdp = callTest tests/xrdp.nix {};
tests.xss-lock = callTest tests/xss-lock.nix {};
tests.yabar = callTest tests/yabar.nix {};
tests.zookeeper = callTest tests/zookeeper.nix {};
