Merge remote-tracking branch 'upstream/master' into vim-plugins

This commit is contained in:
Tmplt 2019-08-15 11:28:44 +02:00
commit 8294b9bde6
1761 changed files with 171698 additions and 225374 deletions

View File

@ -1,27 +0,0 @@
---
name: Security report
about: Report security issues
title: ''
labels: '1.severity: security'
assignees: ''
---
To privately report a security issue with NixOS, Nix, and its ecosystem,
please email a member of the NixOS Security Team and we will ensure the issue
is handled. Our responses will be signed with our GPG keys:
https://nixos.org/nixos/security.html
**Report**
CVE:
**Metadata**
Maintainer information:
```yaml
# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
```

View File

@ -18,4 +18,6 @@
- [ ] Ensured that relevant documentation is up to date
- [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
---
###### Notify maintainers
cc @

View File

@ -124,3 +124,21 @@ in another file (say `default.nix`) to be able to build it with
```
$ nix-build -A yaml
```
## Passing options to `idris` commands
The `build-idris-package` function provides also optional input values to set additional options for the used `idris` commands.
Specifically, you can set `idrisBuildOptions`, `idrisTestOptions`, `idrisInstallOptions` and `idrisDocOptions` to provide additional options to the `idris` command respectively when building, testing, installing and generating docs for your package.
For example you could set
```
build-idris-package {
idrisBuildOptions = [ "--log" "1" "--verbose" ]
...
}
```
to require verbose output during `idris` build phase.

View File

@ -603,6 +603,7 @@ All parameters from `stdenv.mkDerivation` function are still supported. The foll
* `preShellHook`: Hook to execute commands before `shellHook`.
* `postShellHook`: Hook to execute commands after `shellHook`.
* `removeBinByteCode ? true`: Remove bytecode from `/bin`. Bytecode is only created when the filenames end with `.py`.
* `setupPyGlobalFlags ? []`: List of flags passed to `setup.py` command.
* `setupPyBuildFlags ? []`: List of flags passed to `setup.py build_ext` command.
The `stdenv.mkDerivation` function accepts various parameters for describing build inputs (see "Specifying dependencies"). The following are of special

View File

@ -113,6 +113,15 @@ mkDerivation {
</programlisting>
</para>
<note>
<para>
<literal>wrapQtAppsHook</literal> ignores files that are non-ELF executables.
This means that scripts won't be automatically wrapped so you'll need to manually
wrap them as previously mentioned. An example of when you'd always need to do this
is with Python applications that use PyQT.
</para>
</note>
<para>
Libraries are built with every available version of Qt. Use the <literal>meta.broken</literal>
attribute to disable the package for unsupported Qt versions:

View File

@ -21,7 +21,7 @@ At the moment we support three different methods for managing plugins:
Adding custom .vimrc lines can be done using the following code:
```
```nix
vim_configurable.customize {
# `name` specifies the name of the executable and package
name = "vim-with-plugins";
@ -32,11 +32,11 @@ vim_configurable.customize {
}
```
This configuration is used when vim is invoked with the command specified as name, in this case `vim-with-plugins`.
This configuration is used when Vim is invoked with the command specified as name, in this case `vim-with-plugins`.
For Neovim the `configure` argument can be overridden to achieve the same:
```
```nix
neovim.override {
configure = {
customRC = ''
@ -46,10 +46,10 @@ neovim.override {
}
```
If you want to use `neovim-qt` as a graphical editor, you can configure it by overriding neovim in an overlay
or passing it an overridden neovimn:
If you want to use `neovim-qt` as a graphical editor, you can configure it by overriding Neovim in an overlay
or passing it an overridden Neovimn:
```
```nix
neovim-qt.override {
neovim = neovim.override {
configure = {
@ -63,15 +63,15 @@ neovim-qt.override {
## Managing plugins with Vim packages
To store you plugins in Vim packages (the native vim plugin manager, see `:help packages`) the following example can be used:
To store you plugins in Vim packages (the native Vim plugin manager, see `:help packages`) the following example can be used:
```
```nix
vim_configurable.customize {
vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
start = [ youcompleteme fugitive ];
# manually loadable by calling `:packadd $plugin-name`
# however, if a vim plugin has a dependency that is not explicitly listed in
# however, if a Vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
opt = [ phpCompletion elm-vim ];
# To automatically load a plugin when opening a filetype, add vimrc lines like:
@ -83,7 +83,7 @@ vim_configurable.customize {
`myVimPackage` is an arbitrary name for the generated package. You can choose any name you like.
For Neovim the syntax is:
```
```nix
neovim.override {
configure = {
customRC = ''
@ -92,7 +92,7 @@ neovim.override {
packages.myVimPackage = with pkgs.vimPlugins; {
# see examples below how to use custom packages
start = [ ];
# If a vim plugin has a dependency that is not explicitly listed in
# If a Vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
opt = [ ];
};
@ -102,7 +102,7 @@ neovim.override {
The resulting package can be added to `packageOverrides` in `~/.nixpkgs/config.nix` to make it installable:
```
```nix
{
packageOverrides = pkgs: with pkgs; {
myVim = vim_configurable.customize {
@ -126,7 +126,7 @@ After that you can install your special grafted `myVim` or `myNeovim` packages.
To use [vim-plug](https://github.com/junegunn/vim-plug) to manage your Vim
plugins the following example can be used:
```
```nix
vim_configurable.customize {
vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
@ -137,7 +137,7 @@ vim_configurable.customize {
For Neovim the syntax is:
```
```nix
neovim.override {
configure = {
customRC = ''
@ -161,21 +161,28 @@ assuming that "using latest version" is ok most of the time.
First create a vim-scripts file having one plugin name per line. Example:
```
"tlib"
{'name': 'vim-addon-sql'}
{'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
```
Such vim-scripts file can be read by VAM as well like this:
```vim
call vam#Scripts(expand('~/.vim-scripts'), {})
```
Create a default.nix file:
```nix
{ nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
```
Create a generate.vim file:
```vim
ActivateAddons vim-addon-vim2nix
let vim_scripts = "vim-scripts"
call nix#ExportPluginsForNix({
@ -184,14 +191,18 @@ Create a generate.vim file:
\ 'try_catch': 0,
\ 'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
\ })
```
Then run
```bash
nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
```
You should get a Vim buffer with the nix derivations (output1) and vam.pluginDictionaries (output2).
You can add your vim to your system's configuration file like this and start it by "vim-my":
You can add your Vim to your system's configuration file like this and start it by "vim-my":
```
my-vim =
let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
copy paste output1 here
@ -207,10 +218,11 @@ You can add your vim to your system's configuration file like this and start it
# vimrcConfig.pathogen.knownPlugins = plugins; # plugins
# vimrcConfig.pathogen.pluginNames = ["tlib"];
};
```
Sample output1:
```
"reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
name = "reload";
src = fetchgit {
@ -222,28 +234,39 @@ Sample output1:
};
[...]
```
Sample output2:
```nix
[
''vim-addon-manager''
''tlib''
{ "name" = ''vim-addon-sql''; }
{ "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
]
```
## Adding new plugins to nixpkgs
In `pkgs/misc/vim-plugins/vim-plugin-names` we store the plugin names
for all vim plugins we automatically generate plugins for.
The format of this file `github username/github repository`:
For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
After adding your plugin to this file run the `./update.py` in the same folder.
This will updated a file called `generated.nix` and make your plugin accessible in the
`vimPlugins` attribute set (`vimPlugins.nerdtree` in our example).
If additional steps to the build process of the plugin are required, add an
override to the `pkgs/misc/vim-plugins/default.nix` in the same directory.
Nix expressions for Vim plugins are stored in [pkgs/misc/vim-plugins](/pkgs/misc/vim-plugins). For the vast majority of plugins, Nix expressions are automatically generated by running [`./update.py`](/pkgs/misc/vim-plugins/update.py). This creates a [generated.nix](/pkgs/misc/vim-plugins/generated.nix) file based on the plugins listed in [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names). Plugins are listed in alphabetical order in `vim-plugin-names` using the format `[github username]/[repository]`. For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
Some plugins require overrides in order to function properly. Overrides are placed in [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix). Overrides are most often required when a plugin requires some dependencies, or extra steps are required during the build process. For example `deoplete-fish` requires both `deoplete-nvim` and `vim-fish`, and so the following override was added:
```
deoplete-fish = super.deoplete-fish.overrideAttrs(old: {
dependencies = with super; [ deoplete-nvim vim-fish ];
});
```
Sometimes plugins require an override that must be changed when the plugin is updated. This can cause issues when Vim plugins are auto-updated but the associated override isn't updated. For these plugins, the override should be written so that it specifies all information required to install the plugin, and running `./update.py` doesn't change the derivation for the plugin. Manually updating the override is required to update these types of plugins. An example of such a plugin is `LanguageClient-neovim`.
To add a new plugin:
1. run `./update.py` and create a commit named "vimPlugins: Update",
2. add the new plugin to [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names) and add overrides if required to [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix),
3. run `./update.py` again and create a commit named "vimPlugins.[name]: init at [version]" (where `name` and `version` can be found in [generated.nix](/pkgs/misc/vim-plugins/generated.nix)), and
4. create a pull request.
## Important repositories
@ -252,4 +275,3 @@ override to the `pkgs/misc/vim-plugins/default.nix` in the same directory.
- [vim2nix](https://github.com/MarcWeber/vim-addon-vim2nix) which generates the
.nix code

View File

@ -786,7 +786,7 @@ passthru.updateScript = [ ../../update.sh pname "--requested-release=unstable" ]
set, the default value is used, which is <literal>$prePhases
unpackPhase patchPhase $preConfigurePhases configurePhase
$preBuildPhases buildPhase checkPhase $preInstallPhases installPhase
fixupPhase $preDistPhases distPhase $postPhases</literal>.
fixupPhase installCheckPhase $preDistPhases distPhase $postPhases</literal>.
</para>
<para>
Usually, if you just want to add a few phases, its more convenient
@ -1599,6 +1599,16 @@ installTargets = "install-bin install-doc";</programlisting>
<variablelist>
<title>Variables controlling the fixup phase</title>
<varlistentry>
<term>
<varname>dontFixup</varname>
</term>
<listitem>
<para>
Set to true to skip the fixup phase.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>dontStrip</varname>

View File

@ -53,9 +53,13 @@ rec {
# Filter sources by a list of regular expressions.
#
# E.g. `src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]`
sourceByRegex = src: regexes: cleanSourceWith {
sourceByRegex = src: regexes:
let
isFiltered = src ? _isLibCleanSourceWith;
origSrc = if isFiltered then src.origSrc else src;
in lib.cleanSourceWith {
filter = (path: type:
let relPath = lib.removePrefix (toString src + "/") (toString path);
let relPath = lib.removePrefix (toString origSrc + "/") (toString path);
in lib.any (re: builtins.match re relPath != null) regexes);
inherit src;
};

View File

@ -26,7 +26,7 @@ let
"riscv32-linux" "riscv64-linux"
"aarch64-none" "avr-none" "arm-none" "i686-none" "x86_64-none" "powerpc-none" "msp430-none"
"aarch64-none" "avr-none" "arm-none" "i686-none" "x86_64-none" "powerpc-none" "msp430-none" "riscv64-none" "riscv32-none"
];
allParsed = map parse.mkSystemFromString all;

View File

@ -97,6 +97,18 @@ rec {
riscv64 = riscv "64";
riscv32 = riscv "32";
riscv64-embedded = {
config = "riscv64-none-elf";
libc = "newlib";
platform = platforms.riscv-multiplatform "64";
};
riscv32-embedded = {
config = "riscv32-none-elf";
libc = "newlib";
platform = platforms.riscv-multiplatform "32";
};
msp430 = {
config = "msp430-elf";
libc = "newlib";

View File

@ -71,6 +71,15 @@ checkConfigError 'The option value .* in .* is not of type.*positive integer.*'
checkConfigOutput "42" config.value ./declare-int-between-value.nix ./define-value-int-positive.nix
checkConfigError 'The option value .* in .* is not of type.*between.*-21 and 43.*inclusive.*' config.value ./declare-int-between-value.nix ./define-value-int-negative.nix
# Check either types
# types.either
checkConfigOutput "42" config.value ./declare-either.nix ./define-value-int-positive.nix
checkConfigOutput "\"24\"" config.value ./declare-either.nix ./define-value-string.nix
# types.oneOf
checkConfigOutput "42" config.value ./declare-oneOf.nix ./define-value-int-positive.nix
checkConfigOutput "[ ]" config.value ./declare-oneOf.nix ./define-value-list.nix
checkConfigOutput "\"24\"" config.value ./declare-oneOf.nix ./define-value-string.nix
# Check mkForce without submodules.
set -- config.enable ./declare-enable.nix ./define-enable.nix
checkConfigOutput "true" "$@"

View File

@ -0,0 +1,5 @@
{ lib, ... }: {
options.value = lib.mkOption {
type = lib.types.either lib.types.int lib.types.str;
};
}

View File

@ -0,0 +1,9 @@
{ lib, ... }: {
options.value = lib.mkOption {
type = lib.types.oneOf [
lib.types.int
(lib.types.listOf lib.types.int)
lib.types.str
];
};
}

View File

@ -111,7 +111,7 @@ rec {
name = "int";
description = "signed integer";
check = isInt;
merge = mergeOneOption;
merge = mergeEqualOption;
};
# Specialized subdomains of int
@ -176,14 +176,14 @@ rec {
name = "float";
description = "floating point number";
check = isFloat;
merge = mergeOneOption;
merge = mergeEqualOption;
};
str = mkOptionType {
name = "str";
description = "string";
check = isString;
merge = mergeOneOption;
merge = mergeEqualOption;
};
strMatching = pattern: mkOptionType {
@ -243,7 +243,7 @@ rec {
name = "path";
# Hacky: there is no isPath primop.
check = x: builtins.substring 0 1 (toString x) == "/";
merge = mergeOneOption;
merge = mergeEqualOption;
};
# drop this in the future:
@ -415,7 +415,7 @@ rec {
name = "enum";
description = "one of ${concatMapStringsSep ", " show values}";
check = flip elem values;
merge = mergeOneOption;
merge = mergeEqualOption;
functor = (defaultFunctor name) // { payload = values; binOp = a: b: unique (a ++ b); };
};
@ -443,6 +443,13 @@ rec {
functor = (defaultFunctor name) // { wrapped = [ t1 t2 ]; };
};
# Any of the types in the given list
oneOf = ts:
let
head' = if ts == [] then throw "types.oneOf needs to get at least one type in its argument" else head ts;
tail' = tail ts;
in foldl' either head' tail';
# Either value of type `finalType` or `coercedType`, the latter is
# converted to `finalType` using `coerceFunc`.
coercedTo = coercedType: coerceFunc: finalType:

View File

@ -66,14 +66,6 @@
email = "aaron@ajanse.me";
github = "aaronjanse";
name = "Aaron Janse";
keys = [
{ longkeyid = "rsa2048/0x651BD4B37D75E234"; # Email only
fingerprint = "490F 5009 34E7 20BD 4C53 96C2 651B D4B3 7D75 E234";
}
{ longkeyid = "rsa4096/0xBE6C92145BFF4A34"; # Git, etc
fingerprint = "CED9 6DF4 63D7 B86A 1C4B 1322 BE6C 9214 5BFF 4A34";
}
];
};
aaronschif = {
email = "aaronschif@gmail.com";
@ -85,6 +77,15 @@
github = "baldo";
name = "Andreas Baldeau";
};
abbe = {
email = "ashish.is@lostca.se";
github = "wahjava";
name = "Ashish SHUKLA";
keys = [{
longkeyid = "rsa4096/0xC746CFA9E74FA4B0";
fingerprint = "F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0";
}];
};
abbradar = {
email = "ab@fmap.me";
github = "abbradar";
@ -393,6 +394,11 @@
github = "aneeshusa";
name = "Aneesh Agrawal";
};
angristan = {
email = "angristan@pm.me";
github = "angristan";
name = "Stanislas Lange";
};
ankhers = {
email = "justin.k.wood@gmail.com";
github = "ankhers";
@ -1078,6 +1084,11 @@
github = "codyopel";
name = "Cody Opel";
};
cohencyril = {
email = "cyril.cohen@inria.fr";
github = "CohenCyril";
name = "Cyril Cohen";
};
colemickens = {
email = "cole.mickens@gmail.com";
github = "colemickens";
@ -1508,6 +1519,11 @@
github = "liclac";
name = "embr";
};
emily = {
email = "nixpkgs@emily.moe";
github = "emilazy";
name = "Emily";
};
ederoyd46 = {
email = "matt@ederoyd.co.uk";
github = "ederoyd46";
@ -1693,6 +1709,11 @@
fingerprint = "67FE 98F2 8C44 CF22 1828 E12F D57E FA62 5C9A 925F";
}];
};
evanjs = {
email = "evanjsx@gmail.com";
github = "evanjs";
name = "Evan Stoll";
};
evck = {
email = "eric@evenchick.com";
github = "ericevenchick";
@ -1748,6 +1769,11 @@
github = "fare";
name = "Francois-Rene Rideau";
};
farlion = {
email = "florian.peter@gmx.at";
github = "workflow";
name = "Florian Peter";
};
fdns = {
email = "fdns02@gmail.com";
github = "fdns";
@ -2156,6 +2182,11 @@
github = "hlolli";
name = "Hlodver Sigurdsson";
};
hugoreeves = {
email = "hugolreeves@gmail.com";
github = "hugoreeves";
name = "Hugo Reeves";
};
hodapp = {
email = "hodapp87@gmail.com";
github = "Hodapp87";
@ -2601,6 +2632,11 @@
github = "jraygauthier";
name = "Raymond Gauthier";
};
jtobin = {
email = "jared@jtobin.io";
github = "jtobin";
name = "Jared Tobin";
};
jtojnar = {
email = "jtojnar@gmail.com";
github = "jtojnar";
@ -4204,9 +4240,13 @@
name = "Ben Hamlin";
};
prusnak = {
email = "stick@gk2.sk";
email = "pavol@rusnak.io";
github = "prusnak";
name = "Pavol Rusnak";
keys = [{
longkeyid = "rsa4096/0x91F3B339B9A02A3D";
fingerprint = "86E6 792F C27B FD47 8860 C110 91F3 B339 B9A0 2A3D";
}];
};
pshendry = {
email = "paul@pshendry.com";
@ -4996,6 +5036,15 @@
github = "sternenseemann";
name = "Lukas Epple";
};
steshaw = {
name = "Steven Shaw";
email = "steven@steshaw.org";
github = "steshaw";
keys = [{
longkeyid = "rsa4096/0x1D9A17DFD23DCB91";
fingerprint = "0AFE 77F7 474D 1596 EE55 7A29 1D9A 17DF D23D CB91";
}];
};
stesie = {
email = "stesie@brokenpipe.de";
github = "stesie";
@ -5571,6 +5620,11 @@
github = "viric";
name = "Lluís Batlle i Rossell";
};
virusdave = {
email = "dave.nicponski@gmail.com";
github = "virusdave";
name = "Dave Nicponski";
};
vizanto = {
email = "danny@prime.vc";
github = "vizanto";
@ -5921,4 +5975,9 @@
github = "mattmelling";
name = "Matt Melling";
};
wd15 = {
email = "daniel.wheeler2@gmail.com";
github = "wd15";
name = "Daniel Wheeler";
};
}

View File

@ -95,7 +95,7 @@ in {
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008/_matrix";
proxyPass = "http://[::1]:8008"; # without a trailing /
};
};
};

View File

@ -125,10 +125,12 @@
You will need to reboot after enabling this driver to prevent a clash with
other kernel modules.
</para>
<note>
<para>
Note: for recent AMD GPUs you most likely want to keep either the defaults
For recent AMD GPUs you most likely want to keep either the defaults
or <literal>"amdgpu"</literal> (both free).
</para>
</note>
</simplesect>
<simplesect xml:id="sec-x11-touchpads">
<title>Touchpads</title>
@ -157,4 +159,134 @@
versions.
</para>
</simplesect>
<simplesect xml:id="custom-xkb-layouts">
<title>Custom XKB layouts</title>
<para>
It is possible to install custom
<link xlink:href="https://en.wikipedia.org/wiki/X_keyboard_extension">
XKB
</link>
keyboard layouts using the option
<option>
<link linkend="opt-services.xserver.extraLayouts">
services.xserver.extraLayouts
</link>
</option>.
As a first example, we are going to create a layout based on the basic US
layout, with an additional layer to type some greek symbols by pressing the
right-alt key.
</para>
<para>
To do this we are going to create a <literal>us-greek</literal> file
with a <literal>xkb_symbols</literal> section.
</para>
<programlisting>
xkb_symbols &quot;us-greek&quot;
{
include &quot;us(basic)&quot; // includes the base US keys
include &quot;level3(ralt_switch)&quot; // configures right alt as a third level switch
key &lt;LatA&gt; { [ a, A, Greek_alpha ] };
key &lt;LatB&gt; { [ b, B, Greek_beta ] };
key &lt;LatG&gt; { [ g, G, Greek_gamma ] };
key &lt;LatD&gt; { [ d, D, Greek_delta ] };
key &lt;LatZ&gt; { [ z, Z, Greek_zeta ] };
};
</programlisting>
<para>
To install the layout, the filepath, a description and the list of
languages must be given:
</para>
<programlisting>
<xref linkend="opt-services.xserver.extraLayouts"/>.us-greek = {
description = "US layout with alt-gr greek";
languages = [ "eng" ];
symbolsFile = /path/to/us-greek;
}
</programlisting>
<note>
<para>
The name should match the one given to the
<literal>xkb_symbols</literal> block.
</para>
</note>
<para>
The layout should now be installed and ready to use: try it by
running <literal>setxkbmap us-greek</literal> and type
<literal>&lt;alt&gt;+a</literal>. To change the default the usual
<option>
<link linkend="opt-services.xserver.layout">
services.xserver.layout
</link>
</option>
option can still be used.
</para>
<para>
A layout can have several other components besides
<literal>xkb_symbols</literal>, for example we will define new
keycodes for some multimedia key and bind these to some symbol.
</para>
<para>
Use the <emphasis>xev</emphasis> utility from
<literal>pkgs.xorg.xev</literal> to find the codes of the keys of
interest, then create a <literal>media-key</literal> file to hold
the keycodes definitions
</para>
<programlisting>
xkb_keycodes &quot;media&quot;
{
&lt;volUp&gt; = 123;
&lt;volDown&gt; = 456;
}
</programlisting>
<para>
Now use the newly define keycodes in <literal>media-sym</literal>:
</para>
<programlisting>
xkb_symbols &quot;media&quot;
{
key.type = &quot;ONE_LEVEL&quot;;
key &lt;volUp&gt; { [ XF86AudioLowerVolume ] };
key &lt;volDown&gt; { [ XF86AudioRaiseVolume ] };
}
</programlisting>
<para>
As before, to install the layout do
</para>
<programlisting>
<xref linkend="opt-services.xserver.extraLayouts"/>.media = {
description = "Multimedia keys remapping";
languages = [ "eng" ];
symbolsFile = /path/to/media-key;
keycodesFile = /path/to/media-sym;
};
</programlisting>
<note>
<para>
The function <literal>pkgs.writeText &lt;filename&gt; &lt;content&gt;
</literal> can be useful if you prefer to keep the layout definitions
inside the NixOS configuration.
</para>
</note>
<para>
Unfortunately, the Xorg server does not (currently) support setting a
keymap directly but relies instead on XKB rules to select the matching
components (keycodes, types, ...) of a layout. This means that components
other than symbols won't be loaded by default. As a workaround, you
can set the keymap using <literal>setxkbmap</literal> at the start of the
session with:
</para>
<programlisting>
<xref linkend="opt-services.xserver.displayManager.sessionCommands"/> = "setxkbmap -keycodes media";
</programlisting>
<para>
To learn how to write layouts take a look at the XKB
<link xlink:href="https://www.x.org/releases/current/doc/xorg-docs/input/XKB-Enhancing.html#Defining_New_Layouts">
documentation
</link>. More example layouts can also be found
<link xlink:href="https://wiki.archlinux.org/index.php/X_KeyBoard_extension#Basic_examples">
here
</link>.
</para>
</simplesect>
</chapter>

View File

@ -5,55 +5,6 @@ with pkgs;
let
lib = pkgs.lib;
# Remove invisible and internal options.
optionsListVisible = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
# Replace functions by the string <function>
substFunction = x:
if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
else if builtins.isList x then map substFunction x
else if lib.isFunction x then "<function>"
else x;
# Generate DocBook documentation for a list of packages. This is
# what `relatedPackages` option of `mkOption` from
# ../../../lib/options.nix influences.
#
# Each element of `relatedPackages` can be either
# - a string: that will be interpreted as an attribute name from `pkgs`,
# - a list: that will be interpreted as an attribute path from `pkgs`,
# - an attrset: that can specify `name`, `path`, `package`, `comment`
# (either of `name`, `path` is required, the rest are optional).
genRelatedPackages = packages:
let
unpack = p: if lib.isString p then { name = p; }
else if lib.isList p then { path = p; }
else p;
describe = args:
let
title = args.title or null;
name = args.name or (lib.concatStringsSep "." args.path);
path = args.path or [ args.name ];
package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs);
in "<listitem>"
+ "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>"
+ lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>"
+ ": ${package.meta.description or "???"}.</para>"
+ lib.optionalString (args ? comment) "\n<para>${args.comment}</para>"
# Lots of `longDescription's break DocBook, so we just wrap them into <programlisting>
+ lib.optionalString (package.meta ? longDescription) "\n<programlisting>${package.meta.longDescription}</programlisting>"
+ "</listitem>";
in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>";
optionsListDesc = lib.flip map optionsListVisible (opt: opt // {
# Clean up declaration sites to not refer to the NixOS source tree.
declarations = map stripAnyPrefixes opt.declarations;
}
// lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
// lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
// lib.optionalAttrs (opt ? type) { type = substFunction opt.type; }
// lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; });
# We need to strip references to /nix/store/* from options,
# including any `extraSources` if some modules came from elsewhere,
# or else the build will fail.
@ -63,37 +14,13 @@ let
prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) prefixesToStrip;
# Custom "less" that pushes up all the things ending in ".enable*"
# and ".package*"
optionLess = a: b:
let
ise = lib.hasPrefix "enable";
isp = lib.hasPrefix "package";
cmp = lib.splitByAndCompare ise lib.compare
(lib.splitByAndCompare isp lib.compare lib.compare);
in lib.compareLists cmp a.loc b.loc < 0;
# Customly sort option list for the man page.
optionsList = lib.sort optionLess optionsListDesc;
# Convert the list of options into an XML file.
optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
optionsDocBook = runCommand "options-db.xml" {} ''
optionsXML=${optionsXML}
if grep /nixpkgs/nixos/modules $optionsXML; then
echo "The manual appears to depend on the location of Nixpkgs, which is bad"
echo "since this prevents sharing via the NixOS channel. This is typically"
echo "caused by an option default that refers to a relative path (see above"
echo "for hints about the offending path)."
exit 1
fi
${buildPackages.libxslt.bin}/bin/xsltproc \
--stringparam revision '${revision}' \
-o intermediate.xml ${./options-to-docbook.xsl} $optionsXML
${buildPackages.libxslt.bin}/bin/xsltproc \
-o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml
'';
optionsDoc = buildPackages.nixosOptionsDoc {
inherit options revision;
transformOptions = opt: opt // {
# Clean up declaration sites to not refer to the NixOS source tree.
declarations = map stripAnyPrefixes opt.declarations;
};
};
sources = lib.sourceFilesBySuffices ./. [".xml"];
@ -108,7 +35,7 @@ let
generatedSources = runCommand "generated-docbook" {} ''
mkdir $out
ln -s ${modulesDoc} $out/modules.xml
ln -s ${optionsDocBook} $out/options-db.xml
ln -s ${optionsDoc.optionsDocBook} $out/options-db.xml
printf "%s" "${version}" > $out/version
'';
@ -234,22 +161,7 @@ let
in rec {
inherit generatedSources;
# The NixOS options in JSON format.
optionsJSON = runCommand "options-json"
{ meta.description = "List of NixOS options in JSON format";
}
''
# Export list of options in different format.
dst=$out/share/doc/nixos
mkdir -p $dst
cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
(builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList))))
} $dst/options.json
mkdir -p $out/nix-support
echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
''; # */
inherit (optionsDoc) optionsJSON optionsXML optionsDocBook;
# Generate the NixOS manual.
manualHTML = runCommand "nixos-manual-html"

View File

@ -346,6 +346,18 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.oneOf</varname> [ <replaceable>t1</replaceable> <replaceable>t2</replaceable> ... ]
</term>
<listitem>
<para>
Type <replaceable>t1</replaceable> or type <replaceable>t2</replaceable> and so forth,
e.g. <literal>with types; oneOf [ int str bool ]</literal>. Multiple definitions
cannot be merged.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.coercedTo</varname> <replaceable>from</replaceable> <replaceable>f</replaceable> <replaceable>to</replaceable>

View File

@ -98,6 +98,16 @@
<literal>stableBranch</literal> set to false.
</para>
</listitem>
<listitem>
<para>
Remove attributes that we know we will not be able to support,
especially if there is a stable alternative. E.g. Check that our
Linux kernels'
<link xlink:href="https://www.kernel.org/category/releases.html">
projected end-of-life</link> are after our release projected
end-of-life
</para>
</listitem>
<listitem>
<para>
Edit changelog at

View File

@ -14,6 +14,13 @@
to build the new configuration, make it the default configuration for
booting, and try to realise the configuration in the running system (e.g., by
restarting system services).
<warning>
<para>
This command doesn't start/stop <link linkend="opt-systemd.user.services">user
services</link> automatically. <command>nixos-rebuild</command> only runs a
<literal>daemon-reload</literal> for each user with running user services.
</para>
</warning>
</para>
<warning>
<para>

View File

@ -29,13 +29,14 @@
</para>
<para>
You are logged-in automatically as <literal>root</literal>. (The
<literal>root</literal> user account has an empty password.)
You are logged-in automatically as <literal>nixos</literal>.
The <literal>nixos</literal> user account has an empty password so you
can use <command>sudo</command> without a password.
</para>
<para>
If you downloaded the graphical ISO image, you can run <command>systemctl
start display-manager</command> to start KDE. If you want to continue on the
start display-manager</command> to start the desktop environment. If you want to continue on the
terminal, you can use <command>loadkeys</command> to switch to your
preferred keyboard layout. (We even provide neo2 via <command>loadkeys de
neo</command>!)
@ -65,9 +66,9 @@
<para>
If you would like to continue the installation from a different machine you
need to activate the SSH daemon via <literal>systemctl start
sshd</literal>. In order to be able to login you also need to set a
password for <literal>root</literal> using <literal>passwd</literal>.
need to activate the SSH daemon via <command>systemctl start
sshd</command>. You then must set a password for either <literal>root</literal> or
<literal>nixos</literal> with <command>passwd></command> to be able to login.
</para>
</section>
</section>

View File

@ -35,6 +35,12 @@
<replaceable>shell-command</replaceable>
</arg>
<arg>
<arg choice='plain'>
<option>--silent</option>
</arg>
</arg>
<arg>
<arg choice='plain'>
<option>--help</option>
@ -100,6 +106,16 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--silent</option>
</term>
<listitem>
<para>
Suppresses all output from the activation script of the target system.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--</option>

View File

@ -90,6 +90,35 @@
<arg>
<option>--show-trace</option>
</arg>
<arg>
<option>-I</option>
<replaceable>path</replaceable>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--verbose</option></arg>
<arg choice='plain'><option>-v</option></arg>
</group>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--max-jobs</option></arg>
<arg choice='plain'><option>-j</option></arg>
</group>
<replaceable>number</replaceable>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--keep-failed</option></arg>
<arg choice='plain'><option>-K</option></arg>
</group>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--keep-going</option></arg>
<arg choice='plain'><option>-k</option></arg>
</group>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
@ -101,7 +130,8 @@
NixOS module, you must run <command>nixos-rebuild</command> to make the
changes take effect. It builds the new system in
<filename>/nix/store</filename>, runs its activation script, and stop and
(re)starts any system services if needed.
(re)starts any system services if needed. Please note that user services need
to be started manually as they aren't detected by the activation script at the moment.
</para>
<para>
This command has one required argument, which specifies the desired

View File

@ -6,7 +6,7 @@
<author><personname><firstname>Eelco</firstname><surname>Dolstra</surname></personname>
<contrib>Author</contrib>
</author>
<copyright><year>2007-2018</year><holder>Eelco Dolstra</holder>
<copyright><year>2007-2019</year><holder>Eelco Dolstra</holder>
</copyright>
</info>
<xi:include href="man-configuration.xml" />

View File

@ -33,6 +33,21 @@
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
</para>
</listitem>
<listitem>
<para>
The binfmt module is now easier to use. Additional systems can
be added through <option>boot.binfmt.emulatedSystems</option>.
For instance, <literal>boot.binfmt.emulatedSystems = [
"wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal> will
set up binfmt interpreters for each of those listed systems.
</para>
</listitem>
<listitem>
<para>
The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root.
To gain root privileges use <literal>sudo -i</literal> without a password.
</para>
</listitem>
</itemizedlist>
</section>
@ -47,6 +62,13 @@
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>./programs/dwm-status.nix</literal>
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
@ -163,7 +185,8 @@
Most of the httpd subservices packaged with NixOS have been replaced with
full NixOS modules including LimeSurvey, WordPress, and Zabbix. These
modules can be enabled using the <option>services.limesurvey.enable</option>,
<option>services.wordpress.enable</option>, and <option>services.zabbixWeb.enable</option> options.
<option>services.mediawiki.enable</option>, <option>services.wordpress.enable</option>,
and <option>services.zabbixWeb.enable</option> options.
</para>
</listitem>
<listitem>
@ -213,6 +236,33 @@
have a look at the <link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official repo</link>.
</para>
</listitem>
<listitem>
<para>
Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
</para>
</listitem>
<listitem>
<para>
By default, prometheus exporters are now run with <literal>DynamicUser</literal> enabled.
Exporters that need a real user, now run under a seperate user and group which follow the pattern <literal>&lt;exporter-name&gt;-exporter</literal>, instead of the previous default <literal>nobody</literal> and <literal>nogroup</literal>.
Only some exporters are affected by the latter, namely the exporters <literal>dovecot</literal>, <literal>node</literal>, <literal>postfix</literal> and <literal>varnish</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>ibus-qt</literal> package is not installed by default anymore when <xref linkend="opt-i18n.inputMethod.enabled" /> is set to <literal>ibus</literal>.
If IBus support in Qt 4.x applications is required, add the <literal>ibus-qt</literal> package to your <xref linkend="opt-environment.systemPackages" /> manually.
</para>
</listitem>
<listitem>
<para>
The CUPS Printing service now uses socket-based activation by
default, only starting when needed. The previous behavior can
be restored by setting
<option>services.cups.startWhenNeeded</option> to
<literal>false</literal>.
</para>
</listitem>
</itemizedlist>
</section>

View File

@ -67,7 +67,7 @@ rec {
in
{ key = "ip-address";
config =
{ networking.hostName = m.fst;
{ networking.hostName = mkDefault m.fst;
networking.interfaces = listToAttrs interfaces;

View File

@ -0,0 +1,164 @@
/* Generate JSON, XML and DocBook documentation for given NixOS options.
Minimal example:
{ pkgs, }:
let
eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {
baseModules = [
../module.nix
];
modules = [];
};
in pkgs.nixosOptionsDoc {
options = eval.options;
}
*/
{ pkgs
, lib
, options
, transformOptions ? lib.id # function for additional tranformations of the options
, revision ? "" # Specify revision for the options
}:
let
# Replace functions by the string <function>
substFunction = x:
if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
else if builtins.isList x then map substFunction x
else if lib.isFunction x then "<function>"
else x;
optionsListDesc = lib.flip map optionsListVisible
(opt: transformOptions opt
// lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
// lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
// lib.optionalAttrs (opt ? type) { type = substFunction opt.type; }
// lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; }
);
# Generate DocBook documentation for a list of packages. This is
# what `relatedPackages` option of `mkOption` from
# ../../../lib/options.nix influences.
#
# Each element of `relatedPackages` can be either
# - a string: that will be interpreted as an attribute name from `pkgs`,
# - a list: that will be interpreted as an attribute path from `pkgs`,
# - an attrset: that can specify `name`, `path`, `package`, `comment`
# (either of `name`, `path` is required, the rest are optional).
genRelatedPackages = packages:
let
unpack = p: if lib.isString p then { name = p; }
else if lib.isList p then { path = p; }
else p;
describe = args:
let
title = args.title or null;
name = args.name or (lib.concatStringsSep "." args.path);
path = args.path or [ args.name ];
package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs);
in "<listitem>"
+ "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>"
+ lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>"
+ ": ${package.meta.description or "???"}.</para>"
+ lib.optionalString (args ? comment) "\n<para>${args.comment}</para>"
# Lots of `longDescription's break DocBook, so we just wrap them into <programlisting>
+ lib.optionalString (package.meta ? longDescription) "\n<programlisting>${package.meta.longDescription}</programlisting>"
+ "</listitem>";
in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>";
# Custom "less" that pushes up all the things ending in ".enable*"
# and ".package*"
optionLess = a: b:
let
ise = lib.hasPrefix "enable";
isp = lib.hasPrefix "package";
cmp = lib.splitByAndCompare ise lib.compare
(lib.splitByAndCompare isp lib.compare lib.compare);
in lib.compareLists cmp a.loc b.loc < 0;
# Remove invisible and internal options.
optionsListVisible = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
# Customly sort option list for the man page.
optionsList = lib.sort optionLess optionsListDesc;
# Convert the list of options into an XML file.
optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList);
# TODO: declarations: link to github
singleAsciiDoc = name: value: ''
== ${name}
${value.description}
[discrete]
=== details
Type:: ${value.type}
${ if lib.hasAttr "default" value
then ''
Default::
+
----
${builtins.toJSON value.default}
----
''
else "No Default:: {blank}"
}
${ if value.readOnly
then "Read Only:: {blank}"
else ""
}
${ if lib.hasAttr "example" value
then ''
Example::
+
----
${builtins.toJSON value.example}
----
''
else "No Example:: {blank}"
}
'';
in rec {
inherit optionsNix;
optionsAsciiDoc = lib.concatStringsSep "\n" (lib.mapAttrsToList singleAsciiDoc optionsNix);
optionsJSON = pkgs.runCommand "options.json"
{ meta.description = "List of NixOS options in JSON format";
}
''
# Export list of options in different format.
dst=$out/share/doc/nixos
mkdir -p $dst
cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
mkdir -p $out/nix-support
echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
''; # */
optionsDocBook = pkgs.runCommand "options-docbook.xml" {} ''
optionsXML=${optionsXML}
if grep /nixpkgs/nixos/modules $optionsXML; then
echo "The manual appears to depend on the location of Nixpkgs, which is bad"
echo "since this prevents sharing via the NixOS channel. This is typically"
echo "caused by an option default that refers to a relative path (see above"
echo "for hints about the offending path)."
exit 1
fi
${pkgs.libxslt.bin}/bin/xsltproc \
--stringparam revision '${revision}' \
-o intermediate.xml ${./options-to-docbook.xsl} $optionsXML
${pkgs.libxslt.bin}/bin/xsltproc \
-o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml
'';
}

View File

@ -9,6 +9,8 @@ let
timezone = types.nullOr (types.addCheck types.str nospace)
// { description = "null or string without spaces"; };
lcfg = config.location;
in
{
@ -37,12 +39,45 @@ in
};
};
location = {
latitude = mkOption {
type = types.float;
description = ''
Your current latitude, between
<literal>-90.0</literal> and <literal>90.0</literal>. Must be provided
along with longitude.
'';
};
longitude = mkOption {
type = types.float;
description = ''
Your current longitude, between
between <literal>-180.0</literal> and <literal>180.0</literal>. Must be
provided along with latitude.
'';
};
provider = mkOption {
type = types.enum [ "manual" "geoclue2" ];
default = "manual";
description = ''
The location provider to use for determining your location. If set to
<literal>manual</literal> you must also provide latitude/longitude.
'';
};
};
};
config = {
environment.sessionVariables.TZDIR = "/etc/zoneinfo";
services.geoclue2.enable = mkIf (lcfg.provider == "geoclue2") true;
# This way services are restarted when tzdata changes.
systemd.globalEnvironment.TZDIR = tzdir;

View File

@ -34,7 +34,7 @@ with lib;
networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; };
networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt = null; };
pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt4 = null; qt5 = null; };
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
}));
};

View File

@ -564,7 +564,10 @@ in {
};
}) (filterAttrs (_: u: u.packages != []) cfg.users));
environment.profiles = [ "/etc/profiles/per-user/$USER" ];
environment.profiles = [
"$HOME/.nix-profile"
"/etc/profiles/per-user/$USER"
];
assertions = [
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);

View File

@ -1,10 +1,12 @@
{ config, pkgs ,lib ,... }:
with lib;
{
options.xdg.portal = {
enable =
mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{
default = config.services.xserver.enable;
default = false;
};
extraPortals = mkOption {
@ -19,6 +21,17 @@ with lib;
environments you probably want to add them yourself.
'';
};
gtkUsePortal = mkOption {
type = types.bool;
default = false;
description = ''
Sets environment variable <literal>GTK_USE_PORTAL</literal> to <literal>1</literal>.
This is needed for packages ran outside Flatpak to respect and use XDG Desktop Portals.
For example, you'd need to set this for non-flatpak Firefox to use native filechoosers.
Defaults to <literal>false</literal> to respect its opt-in nature.
'';
};
};
config =
@ -28,10 +41,17 @@ with lib;
in mkIf cfg.enable {
assertions = [
{ assertion = (cfg.gtkUsePortal -> cfg.extraPortals != []);
message = "Setting xdg.portal.gtkUsePortal to true requires a portal implementation in xdg.portal.extraPortals such as xdg-desktop-portal-gtk or xdg-desktop-portal-kde.";
}
];
services.dbus.packages = packages;
systemd.packages = packages;
environment.variables = {
GTK_USE_PORTAL = "1";
GTK_USE_PORTAL = mkIf cfg.gtkUsePortal "1";
XDG_DESKTOP_PORTAL_PATH = map (p: "${p}/share/xdg-desktop-portal/portals") cfg.extraPortals;
};
};

View File

@ -55,7 +55,7 @@ in
# Without dconf enabled it is impossible to use IBus
environment.systemPackages = with pkgs; [
ibus-qt gnome3.dconf ibusAutostart
gnome3.dconf ibusAutostart
];
environment.variables = {

View File

@ -8,16 +8,30 @@ with lib;
{
imports = [ ./installation-cd-base.nix ];
# Whitelist wheel users to do anything
# This is useful for things like pkexec
#
# WARNING: this is dangerous for systems
# outside the installation-cd and shouldn't
# be used anywhere else.
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
'';
services.xserver = {
enable = true;
# Don't start the X server by default.
autorun = mkForce false;
# Automatically login as root.
# Automatically login as nixos.
displayManager.slim = {
enable = true;
defaultUser = "root";
defaultUser = "nixos";
autoLogin = true;
};
@ -33,7 +47,6 @@ with lib;
# Enable sound in graphical iso's.
hardware.pulseaudio.enable = true;
hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root.
environment.systemPackages = [
# Include gparted for partitioning disks.

View File

@ -30,15 +30,20 @@ with lib;
Version=1.0
Type=Application
Name=NixOS Manual
Exec=firefox ${config.system.build.manual.manualHTMLIndex}
Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html
Icon=text-html
'';
homeDir = "/home/nixos/";
desktopDir = homeDir + "Desktop/";
in ''
mkdir -p /root/Desktop
ln -sfT ${manualDesktopFile} /root/Desktop/nixos-manual.desktop
ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
mkdir -p ${desktopDir}
chown nixos ${homeDir} ${desktopDir}
ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"}
ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"}
ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"}
'';
}

View File

@ -16,7 +16,8 @@ fi
mountPoint=/mnt
system=/nix/var/nix/profiles/system
command=($system/sw/bin/bash "--login")
command=("$system/sw/bin/bash" "--login")
silent=0
while [ "$#" -gt 0 ]; do
i="$1"; shift 1
@ -32,9 +33,12 @@ while [ "$#" -gt 0 ]; do
exit 1
;;
--command|-c)
command=($system/sw/bin/bash "-c" "$1")
command=("$system/sw/bin/bash" "-c" "$1")
shift 1
;;
--silent)
silent=1
;;
--)
command=("$@")
break
@ -51,11 +55,20 @@ if [[ ! -e $mountPoint/etc/NIXOS ]]; then
exit 126
fi
mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/sys"
mkdir -p "$mountPoint/dev" "$mountPoint/sys"
chmod 0755 "$mountPoint/dev" "$mountPoint/sys"
mount --rbind /dev "$mountPoint/dev"
mount --rbind /sys "$mountPoint/sys"
# If silent, write both stdout and stderr of activation script to /dev/null
# otherwise, write both streams to stderr of this process
if [ "$silent" -eq 0 ]; then
PIPE_TARGET="/dev/stderr"
else
PIPE_TARGET="/dev/null"
fi
# Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings.
LOCALE_ARCHIVE=$system/sw/lib/locale/locale-archive chroot "$mountPoint" "$system/activate" >&2 || true
LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" chroot "$mountPoint" "$system/activate" >>$PIPE_TARGET 2>&1 || true
exec chroot "$mountPoint" "${command[@]}"

View File

@ -607,90 +607,7 @@ EOF
}
write_file($fn, <<EOF);
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
$bootLoaderConfig
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password\@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# \$ nix search wget
# environment.systemPackages = with pkgs; [
# wget vim
# ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
# services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
}
@configuration@
EOF
} else {
print STDERR "warning: not overwriting existing $fn\n";

View File

@ -38,7 +38,7 @@ let
src = ./nixos-generate-config.pl;
path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ];
perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/${pkgs.perl.libPrefix}";
inherit (config.system.nixos) release;
inherit (config.system.nixos-generate-config) configuration;
};
nixos-option = makeProg {
@ -61,8 +61,111 @@ in
{
options.system.nixos-generate-config.configuration = mkOption {
internal = true;
type = types.str;
description = ''
The NixOS module that <literal>nixos-generate-config</literal>
saves to <literal>/etc/nixos/configuration.nix</literal>.
This is an internal option. No backward compatibility is guaranteed.
Use at your own risk!
Note that this string gets spliced into a Perl script. The perl
variable <literal>$bootLoaderConfig</literal> can be used to
splice in the boot loader configuration.
'';
};
config = {
system.nixos-generate-config.configuration = mkDefault ''
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
$bootLoaderConfig
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password\@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# \$ nix search wget
# environment.systemPackages = with pkgs; [
# wget vim
# ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
# services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "${config.system.nixos.release}"; # Did you read the comment?
}
'';
environment.systemPackages =
[ nixos-build-vms
nixos-install

View File

@ -58,7 +58,6 @@ in
"crashkernel=${crashdump.reservedMemory}"
"nmi_watchdog=panic"
"softlockup_panic=1"
"idle=poll"
];
kernelPatches = [ {
name = "crashdump-config";

View File

@ -19,7 +19,7 @@ let
lhs = optCall lhs_ { inherit pkgs; };
rhs = optCall rhs_ { inherit pkgs; };
in
lhs // rhs //
recursiveUpdate lhs rhs //
optionalAttrs (lhs ? packageOverrides) {
packageOverrides = pkgs:
optCall lhs.packageOverrides pkgs //

View File

@ -20,6 +20,7 @@
./config/iproute2.nix
./config/krb5/default.nix
./config/ldap.nix
./config/locale.nix
./config/malloc.nix
./config/networking.nix
./config/no-x-libs.nix
@ -33,7 +34,6 @@
./config/system-environment.nix
./config/system-path.nix
./config/terminfo.nix
./config/timezone.nix
./config/unix-odbc-drivers.nix
./config/users-groups.nix
./config/vpnc.nix
@ -106,9 +106,15 @@
./programs/digitalbitbox/default.nix
./programs/dmrconfig.nix
./programs/environment.nix
./programs/evince.nix
./programs/file-roller.nix
./programs/firejail.nix
./programs/fish.nix
./programs/freetds.nix
./programs/fuse.nix
./programs/gnome-disks.nix
./programs/gnome-documents.nix
./programs/gpaste.nix
./programs/gnupg.nix
./programs/gphoto2.nix
./programs/iftop.nix
@ -209,6 +215,7 @@
./services/backup/duplicity.nix
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/postgresql-wal-receiver.nix
./services/backup/restic.nix
./services/backup/restic-rest-server.nix
./services/backup/rsnapshot.nix
@ -280,12 +287,8 @@
./services/desktops/pipewire.nix
./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
./services/desktops/gnome3/evince.nix
./services/desktops/gnome3/evolution-data-server.nix
./services/desktops/gnome3/file-roller.nix
./services/desktops/gnome3/glib-networking.nix
./services/desktops/gnome3/gnome-disks.nix
./services/desktops/gnome3/gnome-documents.nix
./services/desktops/gnome3/gnome-keyring.nix
./services/desktops/gnome3/gnome-online-accounts.nix
./services/desktops/gnome3/gnome-remote-desktop.nix
@ -293,7 +296,6 @@
./services/desktops/gnome3/gnome-settings-daemon.nix
./services/desktops/gnome3/gnome-terminal-server.nix
./services/desktops/gnome3/gnome-user-share.nix
./services/desktops/gnome3/gpaste.nix
./services/desktops/gnome3/gvfs.nix
./services/desktops/gnome3/rygel.nix
./services/desktops/gnome3/seahorse.nix
@ -402,6 +404,7 @@
./services/misc/couchpotato.nix
./services/misc/devmon.nix
./services/misc/dictd.nix
./services/misc/dwm-status.nix
./services/misc/dysnomia.nix
./services/misc/disnix.nix
./services/misc/docker-registry.nix
@ -519,6 +522,7 @@
./services/monitoring/systemhealth.nix
./services/monitoring/teamviewer.nix
./services/monitoring/telegraf.nix
./services/monitoring/thanos.nix
./services/monitoring/ups.nix
./services/monitoring/uptime.nix
./services/monitoring/vnstat.nix
@ -780,6 +784,7 @@
./services/web-apps/icingaweb2/module-monitoring.nix
./services/web-apps/limesurvey.nix
./services/web-apps/mattermost.nix
./services/web-apps/mediawiki.nix
./services/web-apps/miniflux.nix
./services/web-apps/nextcloud.nix
./services/web-apps/nexus.nix
@ -815,6 +820,8 @@
./services/web-servers/uwsgi.nix
./services/web-servers/varnish/default.nix
./services/web-servers/zope2.nix
./services/x11/extra-layouts.nix
./services/x11/clight.nix
./services/x11/colord.nix
./services/x11/compton.nix
./services/x11/unclutter.nix

View File

@ -26,6 +26,8 @@ with lib;
security.allowSimultaneousMultithreading = mkDefault false;
security.forcePageTableIsolation = mkDefault true;
security.virtualisation.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true;
@ -42,9 +44,6 @@ with lib;
# Disable legacy virtual syscalls
"vsyscall=none"
# Enable PTI even if CPU claims to be safe from meltdown
"pti=on"
];
boot.blacklistedKernelModules = [

View File

@ -32,19 +32,35 @@ with lib;
#services.rogue.enable = true;
# Disable some other stuff we don't need.
security.sudo.enable = mkDefault false;
services.udisks2.enable = mkDefault false;
# Use less privileged nixos user
users.users.nixos = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "video" ];
# Allow the graphical user to login without password
initialHashedPassword = "";
};
# Allow the user to log in as root without a password.
users.users.root.initialHashedPassword = "";
# Allow passwordless sudo from nixos user
security.sudo = {
enable = mkDefault true;
wheelNeedsPassword = mkForce false;
};
# Automatically log in at the virtual consoles.
services.mingetty.autologinUser = "root";
services.mingetty.autologinUser = "nixos";
# Some more help text.
services.mingetty.helpLine =
''
The "root" account has an empty password. ${
The "nixos" and "root" account have empty passwords. ${
optionalString config.services.xserver.enable
"Type `systemctl start display-manager' to\nstart the graphical user interface."}
"Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
'';
# Allow sshd to be started manually through "systemctl start sshd".
@ -86,8 +102,5 @@ with lib;
# because we have the firewall enabled. This makes installs from the
# console less cumbersome if the machine has a public IP.
networking.firewall.logRefusedConnections = mkDefault false;
# Allow the user to log in as root without a password.
users.users.root.initialHashedPassword = "";
};
}

View File

@ -23,9 +23,8 @@ in
XCURSOR_PATH = [ "$HOME/.icons" ];
};
environment.profiles =
[ "$HOME/.nix-profile"
"/nix/var/nix/profiles/default"
environment.profiles = mkAfter
[ "/nix/var/nix/profiles/default"
"/run/current-system/sw"
];

View File

@ -6,14 +6,21 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "evince" "enable" ]
[ "programs" "evince" "enable" ])
];
###### interface
options = {
services.gnome3.evince = {
programs.evince = {
enable = mkEnableOption
"systemd and dbus services for Evince, the GNOME document viewer";
"Evince, the GNOME document viewer";
};
@ -22,7 +29,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.evince.enable {
config = mkIf config.programs.evince.enable {
environment.systemPackages = [ pkgs.evince ];

View File

@ -6,11 +6,18 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "file-roller" "enable" ]
[ "programs" "file-roller" "enable" ])
];
###### interface
options = {
services.gnome3.file-roller = {
programs.file-roller = {
enable = mkEnableOption "File Roller, an archive manager for GNOME";
@ -21,7 +28,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.file-roller.enable {
config = mkIf config.programs.file-roller.enable {
environment.systemPackages = [ pkgs.gnome3.file-roller ];

View File

@ -0,0 +1,37 @@
{ config, lib, ... }:
with lib;
let
cfg = config.programs.fuse;
in {
meta.maintainers = with maintainers; [ primeos ];
options.programs.fuse = {
mountMax = mkOption {
# In the C code it's an "int" (i.e. signed and at least 16 bit), but
# negative numbers obviously make no sense:
type = types.ints.between 0 32767; # 2^15 - 1
default = 1000;
description = ''
Set the maximum number of FUSE mounts allowed to non-root users.
'';
};
userAllowOther = mkOption {
type = types.bool;
default = false;
description = ''
Allow non-root users to specify the allow_other or allow_root mount
options, see mount.fuse3(8).
'';
};
};
config = {
environment.etc."fuse.conf".text = ''
${optionalString (!cfg.userAllowOther) "#"}user_allow_other
mount_max = ${toString cfg.mountMax}
'';
};
}

View File

@ -1,4 +1,4 @@
# GNOME Disks daemon.
# GNOME Disks.
{ config, pkgs, lib, ... }:
@ -6,17 +6,24 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gnome-disks" "enable" ]
[ "programs" "gnome-disks" "enable" ])
];
###### interface
options = {
services.gnome3.gnome-disks = {
programs.gnome-disks = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GNOME Disks daemon, a service designed to
Whether to enable GNOME Disks daemon, a program designed to
be a UDisks2 graphical front-end.
'';
};
@ -28,7 +35,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.gnome-disks.enable {
config = mkIf config.programs.gnome-disks.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-disk-utility ];

View File

@ -1,4 +1,4 @@
# GNOME Documents daemon.
# GNOME Documents.
{ config, pkgs, lib, ... }:
@ -6,17 +6,24 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gnome-documents" "enable" ]
[ "programs" "gnome-documents" "enable" ])
];
###### interface
options = {
services.gnome3.gnome-documents = {
programs.gnome-documents = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GNOME Documents services, a document
Whether to enable GNOME Documents, a document
manager application for GNOME.
'';
};
@ -28,7 +35,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.gnome-documents.enable {
config = mkIf config.programs.gnome-documents.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-documents ];

View File

@ -1,12 +1,20 @@
# GPaste daemon.
# GPaste.
{ config, lib, pkgs, ... }:
with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gpaste" "enable" ]
[ "programs" "gpaste" "enable" ])
];
###### interface
options = {
services.gnome3.gpaste = {
programs.gpaste = {
enable = mkOption {
type = types.bool;
default = false;
@ -18,10 +26,9 @@ with lib;
};
###### implementation
config = mkIf config.services.gnome3.gpaste.enable {
config = mkIf config.programs.gpaste.enable {
environment.systemPackages = [ pkgs.gnome3.gpaste ];
services.dbus.packages = [ pkgs.gnome3.gpaste ];
services.xserver.desktopManager.gnome3.sessionPath = [ pkgs.gnome3.gpaste ];
systemd.packages = [ pkgs.gnome3.gpaste ];
};
}

View File

@ -1,36 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.nylas-mail;
in {
###### interface
options = {
services.nylas-mail = {
enable = mkEnableOption ''
nylas-mail - Open-source mail client built on the modern web with Electron, React, and Flux
'';
gnome3-keyring = mkOption {
type = types.bool;
default = true;
description = "Enable gnome3 keyring for nylas-mail.";
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.nylas-mail-bin ];
services.gnome3.gnome-keyring = mkIf cfg.gnome3-keyring {
enable = true;
};
};
}

View File

@ -12,7 +12,7 @@ with lib;
''
# Set up the per-user profile.
mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR"
if [ "$(stat --printf '%u' "$NIX_USER_PROFILE_DIR")" != "$(id -u)" ]; then
if [ "$(stat -c '%u' "$NIX_USER_PROFILE_DIR")" != "$(id -u)" ]; then
echo "WARNING: the per-user profile dir $NIX_USER_PROFILE_DIR should belong to user id $(id -u)" >&2
fi
@ -34,7 +34,7 @@ with lib;
# Create the per-user garbage collector roots directory.
NIX_USER_GCROOTS_DIR="/nix/var/nix/gcroots/per-user/$USER"
mkdir -m 0755 -p "$NIX_USER_GCROOTS_DIR"
if [ "$(stat --printf '%u' "$NIX_USER_GCROOTS_DIR")" != "$(id -u)" ]; then
if [ "$(stat -c '%u' "$NIX_USER_GCROOTS_DIR")" != "$(id -u)" ]; then
echo "WARNING: the per-user gcroots dir $NIX_USER_GCROOTS_DIR should belong to user id $(id -u)" >&2
fi

View File

@ -21,7 +21,7 @@ let
knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
(h: assert h.hostNames != [];
concatStringsSep "," h.hostNames + " "
optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
)) + "\n";
@ -128,6 +128,14 @@ in
default = {};
type = types.loaOf (types.submodule ({ name, ... }: {
options = {
certAuthority = mkOption {
type = types.bool;
default = false;
description = ''
This public key is an SSH certificate authority, rather than an
individual host's key.
'';
};
hostNames = mkOption {
type = types.listOf types.str;
default = [];
@ -227,6 +235,7 @@ in
systemd.user.services.ssh-agent = mkIf cfg.startAgent
{ description = "SSH Agent";
wantedBy = [ "default.target" ];
unitConfig.ConditionUser = "!@system";
serviceConfig =
{ ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
ExecStart =

View File

@ -26,6 +26,7 @@ in
package = mkOption {
type = types.package;
default = pkgs.xonsh;
example = literalExample "pkgs.xonsh.override { configFile = \"/path/to/xonshrc\"; }";
description = ''
xonsh package to use.
@ -46,11 +47,11 @@ in
environment.etc."xonshrc".text = cfg.config;
environment.systemPackages = [ pkgs.xonsh ];
environment.systemPackages = [ cfg.package ];
environment.shells =
[ "/run/current-system/sw/bin/xonsh"
"${pkgs.xonsh}/bin/xonsh"
"${cfg.package}/bin/xonsh"
];
};

View File

@ -51,6 +51,10 @@ with lib;
(mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.")
(mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.")
(mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.")
(mkRemovedOptionModule [ "services" "prometheus2" "alertmanagerURL" ] ''
Due to incompatibility, the alertmanagerURL option has been removed,
please use 'services.prometheus2.alertmanagers' instead.
'')
(mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
(mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ])
(mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
@ -257,6 +261,20 @@ with lib;
(mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ])
(mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ])
# Redshift
(mkChangedOptionModule [ "services" "redshift" "latitude" ] [ "location" "latitude" ]
(config:
let value = getAttrFromPath [ "services" "redshift" "latitude" ] config;
in if value == null then
throw "services.redshift.latitude is set to null, you can remove this"
else builtins.fromJSON value))
(mkChangedOptionModule [ "services" "redshift" "longitude" ] [ "location" "longitude" ]
(config:
let value = getAttrFromPath [ "services" "redshift" "longitude" ] config;
in if value == null then
throw "services.redshift.longitude is set to null, you can remove this"
else builtins.fromJSON value))
] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
"jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
"snmpExporter" "unifiExporter" "varnishExporter" ]

View File

@ -54,6 +54,18 @@ with lib;
'';
};
security.forcePageTableIsolation = mkOption {
type = types.bool;
default = false;
description = ''
Whether to force-enable the Page Table Isolation (PTI) Linux kernel
feature even on CPU models that claim to be safe from Meltdown.
This hardening feature is most beneficial to systems that run untrusted
workloads that rely on address space isolation for security.
'';
};
security.virtualisation.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
@ -114,6 +126,10 @@ with lib;
boot.kernelParams = [ "nosmt" ];
})
(mkIf config.security.forcePageTableIsolation {
boot.kernelParams = [ "pti=on" ];
})
(mkIf (config.security.virtualisation.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
})

View File

@ -97,8 +97,8 @@ in
preStart = ''
mkdir -p ${cfg.dataDir}/.config/oxidized
cp -v ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db
cp -v ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config
ln -f -s ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db
ln -f -s ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config
'';
serviceConfig = {

View File

@ -41,7 +41,7 @@ in
};
config = mkOption {
type = with types; attrsOf (either (either str (either int bool)) (listOf str));
type = with types; attrsOf (oneOf [ str int bool (listOf str) ]);
default = {};
description = ''
automysqlbackup configuration. Refer to

View File

@ -0,0 +1,203 @@
{ config, lib, pkgs, ... }:
with lib;
let
receiverSubmodule = {
options = {
postgresqlPackage = mkOption {
type = types.package;
example = literalExample "pkgs.postgresql_11";
description = ''
PostgreSQL package to use.
'';
};
directory = mkOption {
type = types.path;
example = literalExample "/mnt/pg_wal/main/";
description = ''
Directory to write the output to.
'';
};
statusInterval = mkOption {
type = types.int;
default = 10;
description = ''
Specifies the number of seconds between status packets sent back to the server.
This allows for easier monitoring of the progress from server.
A value of zero disables the periodic status updates completely,
although an update will still be sent when requested by the server, to avoid timeout disconnect.
'';
};
slot = mkOption {
type = types.str;
default = "";
example = "some_slot_name";
description = ''
Require <command>pg_receivewal</command> to use an existing replication slot (see
<link xlink:href="https://www.postgresql.org/docs/current/warm-standby.html#STREAMING-REPLICATION-SLOTS">Section 26.2.6 of the PostgreSQL manual</link>).
When this option is used, <command>pg_receivewal</command> will report a flush position to the server,
indicating when each segment has been synchronized to disk so that the server can remove that segment if it is not otherwise needed.
When the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby,
then using a replication slot will report the flush position to the server, but only when a WAL file is closed.
Therefore, that configuration will cause transactions on the primary to wait for a long time and effectively not work satisfactorily.
The option <option>synchronous</option> must be specified in addition to make this work correctly.
'';
};
synchronous = mkOption {
type = types.bool;
default = false;
description = ''
Flush the WAL data to disk immediately after it has been received.
Also send a status packet back to the server immediately after flushing, regardless of <option>statusInterval</option>.
This option should be specified if the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby,
to ensure that timely feedback is sent to the server.
'';
};
compress = mkOption {
type = types.ints.between 0 9;
default = 0;
description = ''
Enables gzip compression of write-ahead logs, and specifies the compression level
(<literal>0</literal> through <literal>9</literal>, <literal>0</literal> being no compression and <literal>9</literal> being best compression).
The suffix <literal>.gz</literal> will automatically be added to all filenames.
This option requires PostgreSQL >= 10.
'';
};
connection = mkOption {
type = types.str;
example = "postgresql://user@somehost";
description = ''
Specifies parameters used to connect to the server, as a connection string.
See <link xlink:href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">Section 34.1.1 of the PostgreSQL manual</link> for more information.
Because <command>pg_receivewal</command> doesn't connect to any particular database in the cluster,
database name in the connection string will be ignored.
'';
};
extraArgs = mkOption {
type = with types; listOf str;
default = [ ];
example = literalExample ''
[
"--no-sync"
]
'';
description = ''
A list of extra arguments to pass to the <command>pg_receivewal</command> command.
'';
};
environment = mkOption {
type = with types; attrsOf str;
default = { };
example = literalExample ''
{
PGPASSFILE = "/private/passfile";
PGSSLMODE = "require";
}
'';
description = ''
Environment variables passed to the service.
Usable parameters are listed in <link xlink:href="https://www.postgresql.org/docs/current/libpq-envars.html">Section 34.14 of the PostgreSQL manual</link>.
'';
};
};
};
in {
options = {
services.postgresqlWalReceiver = {
receivers = mkOption {
type = with types; attrsOf (submodule receiverSubmodule);
default = { };
example = literalExample ''
{
main = {
postgresqlPackage = pkgs.postgresql_11;
directory = /mnt/pg_wal/main/;
slot = "main_wal_receiver";
connection = "postgresql://user@somehost";
};
}
'';
description = ''
PostgreSQL WAL receivers.
Stream write-ahead logs from a PostgreSQL server using <command>pg_receivewal</command> (formerly <command>pg_receivexlog</command>).
See <link xlink:href="https://www.postgresql.org/docs/current/app-pgreceivewal.html">the man page</link> for more information.
'';
};
};
};
config = let
receivers = config.services.postgresqlWalReceiver.receivers;
in mkIf (receivers != { }) {
users = {
users.postgres = {
uid = config.ids.uids.postgres;
group = "postgres";
description = "PostgreSQL server user";
};
groups.postgres = {
gid = config.ids.gids.postgres;
};
};
assertions = concatLists (attrsets.mapAttrsToList (name: config: [
{
assertion = config.compress > 0 -> versionAtLeast config.postgresqlPackage.version "10";
message = "Invalid configuration for WAL receiver \"${name}\": compress requires PostgreSQL version >= 10.";
}
]) receivers);
systemd.tmpfiles.rules = mapAttrsToList (name: config: ''
d ${escapeShellArg config.directory} 0750 postgres postgres - -
'') receivers;
systemd.services = with attrsets; mapAttrs' (name: config: nameValuePair "postgresql-wal-receiver-${name}" {
description = "PostgreSQL WAL receiver (${name})";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "postgres";
Group = "postgres";
KillSignal = "SIGINT";
Restart = "always";
RestartSec = 30;
};
inherit (config) environment;
script = let
receiverCommand = postgresqlPackage:
if (versionAtLeast postgresqlPackage.version "10")
then "${postgresqlPackage}/bin/pg_receivewal"
else "${postgresqlPackage}/bin/pg_receivexlog";
in ''
${receiverCommand config.postgresqlPackage} \
--no-password \
--directory=${escapeShellArg config.directory} \
--status-interval=${toString config.statusInterval} \
--dbname=${escapeShellArg config.connection} \
${optionalString (config.compress > 0) "--compress=${toString config.compress}"} \
${optionalString (config.slot != "") "--slot=${escapeShellArg config.slot}"} \
${optionalString config.synchronous "--synchronous"} \
${concatStringsSep " " config.extraArgs}
'';
}) receivers;
};
meta.maintainers = with maintainers; [ pacien ];
}

View File

@ -0,0 +1,90 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.services.zfs.autoReplication;
recursive = optionalString cfg.recursive " --recursive";
followDelete = optionalString cfg.followDelete " --follow-delete";
in {
options = {
services.zfs.autoReplication = {
enable = mkEnableOption "ZFS snapshot replication.";
followDelete = mkOption {
description = "Remove remote snapshots that don't have a local correspondant.";
default = true;
type = types.bool;
};
host = mkOption {
description = "Remote host where snapshots should be sent.";
example = "example.com";
type = types.str;
};
identityFilePath = mkOption {
description = "Path to SSH key used to login to host.";
example = "/home/username/.ssh/id_rsa";
type = types.path;
};
localFilesystem = mkOption {
description = "Local ZFS fileystem from which snapshots should be sent. Defaults to the attribute name.";
example = "pool/file/path";
type = types.str;
};
remoteFilesystem = mkOption {
description = "Remote ZFS filesystem where snapshots should be sent.";
example = "pool/file/path";
type = types.str;
};
recursive = mkOption {
description = "Recursively discover snapshots to send.";
default = true;
type = types.bool;
};
username = mkOption {
description = "Username used by SSH to login to remote host.";
example = "username";
type = types.str;
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [
pkgs.lz4
];
systemd.services."zfs-replication" = {
after = [
"zfs-snapshot-daily.service"
"zfs-snapshot-frequent.service"
"zfs-snapshot-hourly.service"
"zfs-snapshot-monthly.service"
"zfs-snapshot-weekly.service"
];
description = "ZFS Snapshot Replication";
documentation = [
"https://github.com/alunduil/zfs-replicate"
];
restartIfChanged = false;
serviceConfig.ExecStart = "${pkgs.zfs-replicate}/bin/zfs-replicate${recursive} -l ${escapeShellArg cfg.username} -i ${escapeShellArg cfg.identityFilePath}${followDelete} ${escapeShellArg cfg.host} ${escapeShellArg cfg.remoteFilesystem} ${escapeShellArg cfg.localFilesystem}";
wantedBy = [
"zfs-snapshot-daily.service"
"zfs-snapshot-frequent.service"
"zfs-snapshot-hourly.service"
"zfs-snapshot-monthly.service"
"zfs-snapshot-weekly.service"
];
};
};
meta = {
maintainers = with lib.maintainers; [ alunduil ];
};
}

View File

@ -160,7 +160,7 @@ in {
systemd.tmpfiles.rules = [
"d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -"
"d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
"f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.databaseDir}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.viewIndexDir}' - ${cfg.user} ${cfg.group} - -"
];
@ -169,10 +169,8 @@ in {
description = "CouchDB Server";
wantedBy = [ "multi-user.target" ];
preStart =
''
preStart = ''
touch ${cfg.configFile}
touch -a ${cfg.logFile}
'';
environment = mkIf useVersion2 {

View File

@ -86,7 +86,25 @@ in
in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
User = cfg.user;
# Filesystem access
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RuntimeDirectory = "memcached";
# Caps
CapabilityBoundingSet = "";
NoNewPrivileges = true;
# Misc.
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
PrivateUsers = true;
MemoryDenyWriteExecute = true;
};
};
};

View File

@ -251,6 +251,10 @@ in
environment.systemPackages = [ postgresql ];
environment.pathsToLink = [
"/share/postgresql"
];
systemd.services.postgresql =
{ description = "PostgreSQL Server";
@ -326,13 +330,13 @@ in
fi
'' + optionalString (cfg.ensureDatabases != []) ''
${concatMapStrings (database: ''
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE ${database}"
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
'') cfg.ensureDatabases}
'' + ''
${concatMapStrings (user: ''
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}"
${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
$PSQL -tAc "GRANT ${permission} ON ${database} TO ${user.name}"
$PSQL -tAc 'GRANT ${permission} ON ${database} TO ${user.name}'
'') user.ensurePermissions)}
'') cfg.ensureUsers}
'';

View File

@ -22,6 +22,12 @@ in {
###### implementation
config = mkIf cfg.enable {
assertions = [
{ assertion = (config.xdg.portal.enable == true);
message = "To use Flatpak you must enable XDG Desktop Portals with xdg.portal.enable.";
}
];
environment.systemPackages = [ pkgs.flatpak ];
services.dbus.packages = [ pkgs.flatpak ];

View File

@ -9,6 +9,20 @@ let
in {
options.services.bloop = {
extraOptions = mkOption {
type = types.listOf types.str;
default = [ ];
example = [
"-J-Xmx2G"
"-J-XX:MaxInlineLevel=20"
"-J-XX:+UseParallelGC"
];
description = ''
Specifies additional command line argument to pass to bloop
java process.
'';
};
install = mkOption {
type = types.bool;
default = false;
@ -25,9 +39,12 @@ in {
systemd.user.services.bloop = {
description = "Bloop Scala build server";
environment = {
PATH = mkForce "${makeBinPath [ config.programs.java.package ]}";
};
serviceConfig = {
Type = "simple";
ExecStart = ''${pkgs.bloop}/bin/blp-server'';
ExecStart = ''${pkgs.bloop}/bin/bloop server'';
Restart = "always";
};
};

View File

@ -118,7 +118,7 @@ in {
};
serverProperties = mkOption {
type = with types; attrsOf (either bool (either int str));
type = with types; attrsOf (oneOf [ bool int str ]);
default = {};
example = literalExample ''
{

View File

@ -8,6 +8,12 @@ in {
options = {
services.throttled = {
enable = mkEnableOption "fix for Intel CPU throttling";
extraConfig = mkOption {
type = types.str;
default = "";
description = "Alternative configuration";
};
};
};
@ -16,6 +22,9 @@ in {
# The upstream package has this in Install, but that's not enough, see the NixOS manual
systemd.services."lenovo_fix".wantedBy = [ "multi-user.target" ];
environment.etc."lenovo_fix.conf".source = "${pkgs.throttled}/etc/lenovo_fix.conf";
environment.etc."lenovo_fix.conf".source =
if cfg.extraConfig != ""
then pkgs.writeText "lenovo_fix.conf" cfg.extraConfig
else "${pkgs.throttled}/etc/lenovo_fix.conf";
};
}

View File

@ -7,7 +7,7 @@ let
cfg = config.services.davmail;
configType = with types;
either (either (attrsOf configType) str) (either int bool) // {
oneOf [ (attrsOf configType) str int bool ] // {
description = "davmail config type (str, int, bool or attribute set thereof)";
};

View File

@ -447,7 +447,7 @@ in
};
config = mkOption {
type = with types; attrsOf (either bool (either str (listOf str)));
type = with types; attrsOf (oneOf [ bool str (listOf str) ]);
description = ''
The main.cf configuration file as key value set.
'';

View File

@ -331,7 +331,7 @@ in
};
config = mkOption {
type = with types; attrsOf (either bool (either str (listOf str)));
type = with types; attrsOf (oneOf [ bool str (listOf str) ]);
description = ''
Addon to postfix configuration
'';

View File

@ -30,7 +30,7 @@ in {
};
config = mkOption {
type = with types; attrsOf (either str (either int bool));
type = with types; attrsOf (oneOf [ str int bool ]);
default = {};
description = ''
The configuration to give rss2email.

View File

@ -0,0 +1,73 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dwm-status;
order = concatMapStringsSep "," (feature: ''"${feature}"'') cfg.order;
configFile = pkgs.writeText "dwm-status.toml" ''
order = [${order}]
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.dwm-status = {
enable = mkEnableOption "dwm-status user service";
package = mkOption {
type = types.package;
default = pkgs.dwm-status;
defaultText = "pkgs.dwm-status";
example = "pkgs.dwm-status.override { enableAlsaUtils = false; }";
description = ''
Which dwm-status package to use.
'';
};
order = mkOption {
type = types.listOf (types.enum [ "audio" "backlight" "battery" "cpu_load" "network" "time" ]);
description = ''
List of enabled features in order.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra config in TOML format.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
services.upower.enable = elem "battery" cfg.order;
systemd.user.services.dwm-status = {
description = "Highly performant and configurable DWM status service";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig.ExecStart = "${cfg.package}/bin/dwm-status ${configFile}";
};
};
}

View File

@ -502,6 +502,7 @@ in {
"d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -"
"D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -"

View File

@ -143,21 +143,37 @@ in
users.users.${cfg.user} = {
description = "Gitolite user";
home = cfg.dataDir;
createHome = true;
uid = config.ids.uids.gitolite;
group = cfg.group;
useDefaultShell = true;
};
users.groups."${cfg.group}".gid = config.ids.gids.gitolite;
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}'/.gitolite - ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}'/.gitolite/logs - ${cfg.user} ${cfg.group} - -"
"Z ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -"
];
systemd.services."gitolite-init" = {
description = "Gitolite initialization";
wantedBy = [ "multi-user.target" ];
unitConfig.RequiresMountsFor = cfg.dataDir;
serviceConfig.User = "${cfg.user}";
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
environment = {
GITOLITE_RC = ".gitolite.rc";
GITOLITE_RC_DEFAULT = "${rcDir}/gitolite.rc.default";
};
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = "~";
RemainAfterExit = true;
};
path = [ pkgs.gitolite pkgs.git pkgs.perl pkgs.bash pkgs.diffutils config.programs.ssh.package ];
script =
@ -187,11 +203,6 @@ in
'';
in
''
cd ${cfg.dataDir}
mkdir -p .gitolite/logs
GITOLITE_RC=.gitolite.rc
GITOLITE_RC_DEFAULT=${rcDir}/gitolite.rc.default
if ( [[ ! -e "$GITOLITE_RC" ]] && [[ ! -L "$GITOLITE_RC" ]] ) ||
( [[ -f "$GITOLITE_RC" ]] && diff -q "$GITOLITE_RC" "$GITOLITE_RC_DEFAULT" >/dev/null ) ||
( [[ -L "$GITOLITE_RC" ]] && [[ "$(readlink "$GITOLITE_RC")" =~ ^/nix/store/ ]] )

View File

@ -467,7 +467,7 @@ in
fi
'';
nix.nrBuildUsers = mkDefault (lib.max 32 cfg.maxJobs);
nix.nrBuildUsers = mkDefault (lib.max 32 (if cfg.maxJobs == "auto" then 0 else cfg.maxJobs));
users.users = nixbldUsers;

View File

@ -411,7 +411,7 @@ in {
} else {
cert = "${cfg.pki.manual.server.cert}";
key = "${cfg.pki.manual.server.key}";
crl = "${cfg.pki.manual.server.crl}";
${mapNullable (_: "crl") cfg.pki.manual.server.crl} = "${cfg.pki.manual.server.crl}";
});
ca.cert = if needToCreateCA then "${cfg.dataDir}/keys/ca.cert"

View File

@ -42,9 +42,9 @@ let
# Apply the configured extraIntegrations to the provided agent
# package. See the documentation of `dd-agent/integrations-core.nix`
# for detailed information on this.
datadogPkg = cfg.package.overrideAttrs(_: {
python = (pkgs.datadog-integrations-core cfg.extraIntegrations).python;
});
datadogPkg = cfg.package.override {
pythonPackages = pkgs.datadog-integrations-core cfg.extraIntegrations;
};
in {
options.services.datadog-agent = {
enable = mkOption {
@ -60,7 +60,7 @@ in {
defaultText = "pkgs.datadog-agent";
description = ''
Which DataDog v6 agent package to use. Note that the provided
package is expected to have an overridable `python`-attribute
package is expected to have an overridable `pythonPackages`-attribute
which configures the Python environment with the Datadog
checks.
'';

View File

@ -503,12 +503,12 @@ in {
message = "Cannot set both adminPassword and adminPasswordFile";
}
{
assertion = cfg.security.secretKeyFile != opt.security.secretKeyFile.default -> cfg.security.secretKeyFile == null;
assertion = cfg.security.secretKey != opt.security.secretKey.default -> cfg.security.secretKeyFile == null;
message = "Cannot set both secretKey and secretKeyFile";
}
{
assertion = cfg.smtp.password != opt.smtp.password.default -> cfg.smtp.passwordFile == null;
message = "Cannot set both password and secretKeyFile";
message = "Cannot set both password and passwordFile";
}
];

View File

@ -79,12 +79,8 @@ let
(pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg2.rules))
]);
scrape_configs = filterValidPrometheus cfg2.scrapeConfigs;
alerting = optionalAttrs (cfg2.alertmanagerURL != []) {
alertmanagers = [{
static_configs = [{
targets = cfg2.alertmanagerURL;
}];
}];
alerting = {
inherit (cfg2) alertmanagers;
};
};
@ -738,11 +734,23 @@ in {
'';
};
alertmanagerURL = mkOption {
type = types.listOf types.str;
alertmanagers = mkOption {
type = types.listOf types.attrs;
example = literalExample ''
[ {
scheme = "https";
path_prefix = "/alertmanager";
static_configs = [ {
targets = [
"prometheus.domain.tld"
];
} ];
} ]
'';
default = [];
description = ''
List of Alertmanager URLs to send notifications to.
A list of alertmanagers to send alerts to.
See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information.
'';
};

View File

@ -28,10 +28,12 @@ let
"dovecot"
"fritzbox"
"json"
"mail"
"minio"
"nginx"
"node"
"postfix"
"postgres"
"snmp"
"surfboard"
"tor"
@ -86,7 +88,7 @@ let
};
user = mkOption {
type = types.str;
default = "nobody";
default = "${name}-exporter";
description = ''
User name under which the ${name} exporter shall be run.
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
@ -94,7 +96,7 @@ let
};
group = mkOption {
type = types.str;
default = "nobody";
default = "${name}-exporter";
description = ''
Group under which the ${name} exporter shall be run.
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
@ -125,8 +127,23 @@ let
);
mkExporterConf = { name, conf, serviceOpts }:
let
enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
in
mkIf conf.enable {
warnings = conf.warnings or [];
users.users = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) {
"${name}-exporter" = {
description = ''
Prometheus ${name} exporter service user
'';
isSystemUser = true;
inherit (conf) group;
};
});
users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
"${name}-exporter" = {};
});
networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
"ip46tables -A nixos-fw ${conf.firewallFilter} "
"-m comment --comment ${name}-exporter -j nixos-fw-accept"
@ -137,7 +154,8 @@ let
serviceConfig.Restart = mkDefault "always";
serviceConfig.PrivateTmp = mkDefault true;
serviceConfig.WorkingDirectory = mkDefault /tmp;
} serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) {
serviceConfig.DynamicUser = mkDefault enableDynamicUser;
} serviceOpts ] ++ optional (!enableDynamicUser) {
serviceConfig.User = conf.user;
serviceConfig.Group = conf.group;
});
@ -168,6 +186,12 @@ in
Please ensure you have either `services.prometheus.exporters.snmp.configuration'
or `services.prometheus.exporters.snmp.configurationPath' set!
'';
} {
assertion = (cfg.mail.configFile == null) != (cfg.mail.configuration == {});
message = ''
Please specify either 'services.prometheus.exporters.mail.configuration'
or 'services.prometheus.exporters.mail.configFile'.
'';
} ];
}] ++ [(mkIf config.services.minio.enable {
services.prometheus.exporters.minio.minioAddress = mkDefault "http://localhost:9000";

View File

@ -159,8 +159,10 @@ in
# `serviceOpts.script` and `serviceOpts.serviceConfig.ExecStart`
# has to be specified here. This will be merged with the default
# service confiuration.
# Note that by default 'DynamicUser' is 'true'.
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -39,7 +39,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-bind-exporter}/bin/bind_exporter \
-web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -4,6 +4,13 @@ with lib;
let
cfg = config.services.prometheus.exporters.blackbox;
checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
preferLocalBuild = true;
buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
ln -s ${file} $out
blackbox_exporter --config.check --config.file $out
'';
in
{
port = 9115;
@ -18,11 +25,10 @@ in
serviceOpts = {
serviceConfig = {
AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--config.file ${cfg.configFile} \
--config.file ${checkConfig cfg.configFile} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

View File

@ -64,7 +64,6 @@ in
'' else "";
in {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \
-log.format ${cfg.logFormat} \

View File

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-dnsmasq-exporter}/bin/dnsmasq_exporter \
--listen ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -39,8 +39,8 @@ in
mail_plugins = $mail_plugins old_stats
service old-stats {
unix_listener old-stats {
user = nobody
group = nobody
user = dovecot-exporter
group = dovecot-exporter
}
}
''';
@ -59,6 +59,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-fritzbox-exporter}/bin/exporter \
-listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -24,7 +24,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \
--port ${toString cfg.port} \

View File

@ -0,0 +1,157 @@
{ config, lib, pkgs, options }:
with lib;
let
cfg = config.services.prometheus.exporters.mail;
configurationFile = pkgs.writeText "prometheus-mail-exporter.conf" (builtins.toJSON (
# removes the _module attribute, null values and converts attrNames to lowercase
mapAttrs' (name: value:
if name == "servers"
then nameValuePair (toLower name)
((map (srv: (mapAttrs' (n: v: nameValuePair (toLower n) v)
(filterAttrs (n: v: !(n == "_module" || v == null)) srv)
))) value)
else nameValuePair (toLower name) value
) (filterAttrs (n: _: !(n == "_module")) cfg.configuration)
));
serverOptions.options = {
name = mkOption {
type = types.str;
description = ''
Value for label 'configname' which will be added to all metrics.
'';
};
server = mkOption {
type = types.str;
description = ''
Hostname of the server that should be probed.
'';
};
port = mkOption {
type = types.int;
example = 587;
description = ''
Port to use for SMTP.
'';
};
from = mkOption {
type = types.str;
example = "exporteruser@domain.tld";
description = ''
Content of 'From' Header for probing mails.
'';
};
to = mkOption {
type = types.str;
example = "exporteruser@domain.tld";
description = ''
Content of 'To' Header for probing mails.
'';
};
detectionDir = mkOption {
type = types.path;
example = "/var/spool/mail/exporteruser/new";
description = ''
Directory in which new mails for the exporter user are placed.
Note that this needs to exist when the exporter starts.
'';
};
login = mkOption {
type = types.nullOr types.str;
default = null;
example = "exporteruser@domain.tld";
description = ''
Username to use for SMTP authentication.
'';
};
passphrase = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Password to use for SMTP authentication.
'';
};
};
exporterOptions.options = {
monitoringInterval = mkOption {
type = types.str;
example = "10s";
description = ''
Time interval between two probe attempts.
'';
};
mailCheckTimeout = mkOption {
type = types.str;
description = ''
Timeout until mails are considered "didn't make it".
'';
};
disableFileDelition = mkOption {
type = types.bool;
default = false;
description = ''
Disables the exporter's function to delete probing mails.
'';
};
servers = mkOption {
type = types.listOf (types.submodule serverOptions);
default = [];
example = literalExample ''
[ {
name = "testserver";
server = "smtp.domain.tld";
port = 587;
from = "exporteruser@domain.tld";
to = "exporteruser@domain.tld";
detectionDir = "/path/to/Maildir/new";
} ]
'';
description = ''
List of servers that should be probed.
'';
};
};
in
{
port = 9225;
extraOpts = {
configFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Specify the mailexporter configuration file to use.
'';
};
configuration = mkOption {
type = types.submodule exporterOptions;
default = {};
description = ''
Specify the mailexporter configuration file to use.
'';
};
telemetryPath = mkOption {
type = types.str;
default = "/metrics";
description = ''
Path under which to expose metrics.
'';
};
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-mail-exporter}/bin/mailexporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--config.file ${
if cfg.configuration != {} then configurationFile else cfg.configFile
} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
};
}

View File

@ -50,7 +50,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-minio-exporter}/bin/minio-exporter \
-web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -34,7 +34,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-nginx-exporter}/bin/nginx-prometheus-exporter \
--nginx.scrape-uri '${cfg.scrapeUri}' \

View File

@ -27,6 +27,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
RuntimeDirectory = "prometheus-node-exporter";
ExecStart = ''
${pkgs.prometheus-node-exporter}/bin/node_exporter \

View File

@ -62,6 +62,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -0,0 +1,47 @@
{ config, lib, pkgs, options }:
with lib;
let
cfg = config.services.prometheus.exporters.postgres;
in
{
port = 9187;
extraOpts = {
telemetryPath = mkOption {
type = types.str;
default = "/metrics";
description = ''
Path under which to expose metrics.
'';
};
dataSourceName = mkOption {
type = types.str;
default = "user=postgres database=postgres host=/run/postgresql sslmode=disable";
example = "postgresql://username:password@localhost:5432/postgres?sslmode=disable";
description = ''
Accepts PostgreSQL URI form and key=value form arguments.
'';
};
runAsLocalSuperUser = mkOption {
type = types.bool;
default = false;
description = ''
Whether to run the exporter as the local 'postgres' super user.
'';
};
};
serviceOpts = {
environment.DATA_SOURCE_NAME = cfg.dataSourceName;
serviceConfig = {
DynamicUser = false;
User = mkIf cfg.runAsLocalSuperUser (mkForce "postgres");
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--web.telemetry-path ${cfg.telemetryPath} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
};
}

View File

@ -57,7 +57,6 @@ in
else "${pkgs.writeText "snmp-eporter-conf.yml" (builtins.toJSON cfg.configuration)}";
in {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \
--config.file=${configFile} \

View File

@ -20,7 +20,6 @@ in
description = "Prometheus exporter for surfboard cable modem";
unitConfig.Documentation = "https://github.com/ipstatic/surfboard_exporter";
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-surfboard-exporter}/bin/surfboard_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-tor-exporter}/bin/prometheus-tor-exporter \
-b ${cfg.listenAddress} \

View File

@ -51,7 +51,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \
-telemetry.addr ${cfg.listenAddress}:${toString cfg.port} \

Some files were not shown because too many files have changed in this diff Show More