Merge master into staging-next
This commit is contained in:
commit
c9d8f5235b
@ -21,6 +21,7 @@ rec {
|
||||
isSparc = { cpu = { family = "sparc"; }; };
|
||||
isWasm = { cpu = { family = "wasm"; }; };
|
||||
isAvr = { cpu = { family = "avr"; }; };
|
||||
isAlpha = { cpu = { family = "alpha"; }; };
|
||||
|
||||
is32bit = { cpu = { bits = 32; }; };
|
||||
is64bit = { cpu = { bits = 64; }; };
|
||||
|
@ -752,6 +752,11 @@
|
||||
github = "calbrecht";
|
||||
name = "Christian Albrecht";
|
||||
};
|
||||
callahad = {
|
||||
email = "dan.callahan@gmail.com";
|
||||
github = "callahad";
|
||||
name = "Dan Callahan";
|
||||
};
|
||||
calvertvl = {
|
||||
email = "calvertvl@gmail.com";
|
||||
github = "calvertvl";
|
||||
|
@ -23,5 +23,6 @@
|
||||
<xi:include href="linux-kernel.xml" />
|
||||
<xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
|
||||
<xi:include href="profiles.xml" />
|
||||
<xi:include href="kubernetes.xml" />
|
||||
<!-- Apache; libvirtd virtualisation -->
|
||||
</part>
|
||||
|
127
nixos/doc/manual/configuration/kubernetes.xml
Normal file
127
nixos/doc/manual/configuration/kubernetes.xml
Normal file
@ -0,0 +1,127 @@
|
||||
<chapter xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
version="5.0"
|
||||
xml:id="sec-kubernetes">
|
||||
<title>Kubernetes</title>
|
||||
|
||||
<para>
|
||||
The NixOS Kubernetes module is a collective term for a handful of
|
||||
individual submodules implementing the Kubernetes cluster components.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
There are generally two ways of enabling Kubernetes on NixOS.
|
||||
One way is to enable and configure cluster components appropriately by hand:
|
||||
<programlisting>
|
||||
services.kubernetes = {
|
||||
apiserver.enable = true;
|
||||
controllerManager.enable = true;
|
||||
scheduler.enable = true;
|
||||
addonManager.enable = true;
|
||||
proxy.enable = true;
|
||||
flannel.enable = true;
|
||||
};
|
||||
</programlisting>
|
||||
Another way is to assign cluster roles ("master" and/or "node") to the host.
|
||||
This enables apiserver, controllerManager, scheduler, addonManager,
|
||||
kube-proxy and etcd:
|
||||
<programlisting>
|
||||
<xref linkend="opt-services.kubernetes.roles"/> = [ "master" ];
|
||||
</programlisting>
|
||||
While this will enable the kubelet and kube-proxy only:
|
||||
<programlisting>
|
||||
<xref linkend="opt-services.kubernetes.roles"/> = [ "node" ];
|
||||
</programlisting>
|
||||
Assigning both the master and node roles is usable if you want a single
|
||||
node Kubernetes cluster for dev or testing purposes:
|
||||
<programlisting>
|
||||
<xref linkend="opt-services.kubernetes.roles"/> = [ "master" "node" ];
|
||||
</programlisting>
|
||||
Note: Assigning either role will also default both
|
||||
<xref linkend="opt-services.kubernetes.flannel.enable"/> and
|
||||
<xref linkend="opt-services.kubernetes.easyCerts"/> to true.
|
||||
This sets up flannel as CNI and activates automatic PKI bootstrapping.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
As of kubernetes 1.10.X it has been deprecated to open
|
||||
non-tls-enabled ports on kubernetes components. Thus, from NixOS 19.03 all
|
||||
plain HTTP ports have been disabled by default.
|
||||
While opening insecure ports is still possible, it is recommended not to
|
||||
bind these to other interfaces than loopback.
|
||||
|
||||
To re-enable the insecure port on the apiserver, see options:
|
||||
<xref linkend="opt-services.kubernetes.apiserver.insecurePort"/>
|
||||
and
|
||||
<xref linkend="opt-services.kubernetes.apiserver.insecureBindAddress"/>
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
As of NixOS 19.03, it is mandatory to configure:
|
||||
<xref linkend="opt-services.kubernetes.masterAddress"/>.
|
||||
The masterAddress must be resolveable and routeable by all cluster nodes.
|
||||
In single node clusters, this can be set to <literal>localhost</literal>.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
Role-based access control (RBAC) authorization mode is enabled by default.
|
||||
This means that anonymous requests to the apiserver secure port will
|
||||
expectedly cause a permission denied error. All cluster components must
|
||||
therefore be configured with x509 certificates for two-way tls communication.
|
||||
The x509 certificate subject section determines the roles and permissions
|
||||
granted by the apiserver to perform clusterwide or namespaced operations.
|
||||
See also:
|
||||
<link
|
||||
xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">
|
||||
Using RBAC Authorization</link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The NixOS kubernetes module provides an option for automatic certificate
|
||||
bootstrapping and configuration,
|
||||
<xref linkend="opt-services.kubernetes.easyCerts"/>.
|
||||
The PKI bootstrapping process involves setting up a certificate authority
|
||||
(CA) daemon (cfssl) on the kubernetes master node. cfssl generates a CA-cert
|
||||
for the cluster, and uses the CA-cert for signing subordinate certs issued to
|
||||
each of the cluster components. Subsequently, the certmgr daemon monitors
|
||||
active certificates and renews them when needed. For single node Kubernetes
|
||||
clusters, setting <xref linkend="opt-services.kubernetes.easyCerts"/> = true
|
||||
is sufficient and no further action is required. For joining extra node
|
||||
machines to an existing cluster on the other hand, establishing initial trust
|
||||
is mandatory.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To add new nodes to the cluster:
|
||||
On any (non-master) cluster node where
|
||||
<xref linkend="opt-services.kubernetes.easyCerts"/> is enabled, the helper
|
||||
script <literal>nixos-kubernetes-node-join</literal> is available on PATH.
|
||||
Given a token on stdin, it will copy the token to the kubernetes
|
||||
secrets directory and restart the certmgr service. As requested
|
||||
certificates are issued, the script will restart kubernetes cluster
|
||||
components as needed for them to pick up new keypairs.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
Multi-master (HA) clusters are not supported by the easyCerts module.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
In order to interact with an RBAC-enabled cluster as an administrator, one
|
||||
needs to have cluster-admin privileges. By default, when easyCerts is
|
||||
enabled, a cluster-admin kubeconfig file is generated and linked into
|
||||
<literal>/etc/kubernetes/cluster-admin.kubeconfig</literal> as determined by
|
||||
<xref linkend="opt-services.kubernetes.pki.etcClusterAdminKubeconfig"/>.
|
||||
<literal>export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig</literal>
|
||||
will make kubectl use this kubeconfig to access and authenticate the cluster.
|
||||
The cluster-admin kubeconfig references an auto-generated keypair owned by
|
||||
root. Thus, only root on the kubernetes master may obtain cluster-admin
|
||||
rights by means of this file.
|
||||
</para>
|
||||
|
||||
</chapter>
|
@ -54,6 +54,13 @@
|
||||
</itemizedlist>
|
||||
<para>to <literal>false</literal> and enable your preferred display manager.</para>
|
||||
</note>
|
||||
<para>
|
||||
A major refactoring of the Kubernetes module has been completed.
|
||||
Refactorings primarily focus on decoupling components and enhancing
|
||||
security. Two-way TLS and RBAC has been enabled by default for all
|
||||
components, which slightly changes the way the module is configured.
|
||||
See: <xref linkend="sec-kubernetes"/> for details.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
@ -564,6 +571,40 @@
|
||||
provisioning.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The use of insecure ports on kubernetes has been deprecated.
|
||||
Thus options:
|
||||
<varname>services.kubernetes.apiserver.port</varname> and
|
||||
<varname>services.kubernetes.controllerManager.port</varname>
|
||||
has been renamed to <varname>.insecurePort</varname>,
|
||||
and default of both options has changed to 0 (disabled).
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Note that the default value of
|
||||
<varname>services.kubernetes.apiserver.bindAddress</varname>
|
||||
has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be
|
||||
accessible from outside the master node itself.
|
||||
If the apiserver insecurePort is enabled,
|
||||
it is strongly recommended to only bind on the loopback interface. See:
|
||||
<varname>services.kubernetes.apiserver.insecurebindAddress</varname>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The option <varname>services.kubernetes.apiserver.allowPrivileged</varname>
|
||||
and <varname>services.kubernetes.kubelet.allowPrivileged</varname> now
|
||||
defaults to false. Disallowing privileged containers on the cluster.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The kubernetes module does no longer add the kubernetes package to
|
||||
<varname>environment.systemPackages</varname> implicitly.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
@ -82,6 +82,7 @@
|
||||
./misc/version.nix
|
||||
./programs/adb.nix
|
||||
./programs/atop.nix
|
||||
./programs/autojump.nix
|
||||
./programs/bash/bash.nix
|
||||
./programs/bcc.nix
|
||||
./programs/blcr.nix
|
||||
@ -195,9 +196,17 @@
|
||||
./services/backup/tarsnap.nix
|
||||
./services/backup/znapzend.nix
|
||||
./services/cluster/hadoop/default.nix
|
||||
./services/cluster/kubernetes/addons/dns.nix
|
||||
./services/cluster/kubernetes/addons/dashboard.nix
|
||||
./services/cluster/kubernetes/addon-manager.nix
|
||||
./services/cluster/kubernetes/apiserver.nix
|
||||
./services/cluster/kubernetes/controller-manager.nix
|
||||
./services/cluster/kubernetes/default.nix
|
||||
./services/cluster/kubernetes/dns.nix
|
||||
./services/cluster/kubernetes/dashboard.nix
|
||||
./services/cluster/kubernetes/flannel.nix
|
||||
./services/cluster/kubernetes/kubelet.nix
|
||||
./services/cluster/kubernetes/pki.nix
|
||||
./services/cluster/kubernetes/proxy.nix
|
||||
./services/cluster/kubernetes/scheduler.nix
|
||||
./services/computing/boinc/client.nix
|
||||
./services/computing/torque/server.nix
|
||||
./services/computing/torque/mom.nix
|
||||
@ -283,6 +292,7 @@
|
||||
./services/hardware/acpid.nix
|
||||
./services/hardware/actkbd.nix
|
||||
./services/hardware/bluetooth.nix
|
||||
./services/hardware/bolt.nix
|
||||
./services/hardware/brltty.nix
|
||||
./services/hardware/freefall.nix
|
||||
./services/hardware/fwupd.nix
|
||||
|
33
nixos/modules/programs/autojump.nix
Normal file
33
nixos/modules/programs/autojump.nix
Normal file
@ -0,0 +1,33 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.programs.autojump;
|
||||
prg = config.programs;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
programs.autojump = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable autojump.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.pathsToLink = [ "/share/autojump" ];
|
||||
environment.systemPackages = [ pkgs.autojump ];
|
||||
|
||||
programs.bash.interactiveShellInit = "source ${pkgs.autojump}/share/autojump/autojump.bash";
|
||||
programs.zsh.interactiveShellInit = mkIf prg.zsh.enable "source ${pkgs.autojump}/share/autojump/autojump.zsh";
|
||||
programs.fish.interactiveShellInit = mkIf prg.fish.enable "source ${pkgs.autojump}/share/autojump/autojump.fish";
|
||||
};
|
||||
}
|
@ -40,9 +40,19 @@ with lib;
|
||||
(mkRenamedOptionModule [ "services" "kibana" "host" ] [ "services" "kibana" "listenAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"])
|
||||
(mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "")
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ])
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ])
|
||||
(mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "")
|
||||
(mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "")
|
||||
(mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"])
|
||||
(mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "")
|
||||
(mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ])
|
||||
@ -59,6 +69,7 @@ with lib;
|
||||
(mkRenamedOptionModule [ "services" "statsd" "host" ] [ "services" "statsd" "listenAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "subsonic" "host" ] [ "services" "subsonic" "listenAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
|
||||
(mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ])
|
||||
(mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
|
||||
|
||||
(mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
|
||||
|
167
nixos/modules/services/cluster/kubernetes/addon-manager.nix
Normal file
167
nixos/modules/services/cluster/kubernetes/addon-manager.nix
Normal file
@ -0,0 +1,167 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.addonManager;
|
||||
|
||||
isRBACEnabled = elem "RBAC" top.apiserver.authorizationMode;
|
||||
|
||||
addons = pkgs.runCommand "kubernetes-addons" { } ''
|
||||
mkdir -p $out
|
||||
# since we are mounting the addons to the addon manager, they need to be copied
|
||||
${concatMapStringsSep ";" (a: "cp -v ${a}/* $out/") (mapAttrsToList (name: addon:
|
||||
pkgs.writeTextDir "${name}.json" (builtins.toJSON addon)
|
||||
) (cfg.addons))}
|
||||
'';
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options.services.kubernetes.addonManager = with lib.types; {
|
||||
|
||||
bootstrapAddons = mkOption {
|
||||
description = ''
|
||||
Bootstrap addons are like regular addons, but they are applied with cluster-admin rigths.
|
||||
They are applied at addon-manager startup only.
|
||||
'';
|
||||
default = { };
|
||||
type = attrsOf attrs;
|
||||
example = literalExample ''
|
||||
{
|
||||
"my-service" = {
|
||||
"apiVersion" = "v1";
|
||||
"kind" = "Service";
|
||||
"metadata" = {
|
||||
"name" = "my-service";
|
||||
"namespace" = "default";
|
||||
};
|
||||
"spec" = { ... };
|
||||
};
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
addons = mkOption {
|
||||
description = "Kubernetes addons (any kind of Kubernetes resource can be an addon).";
|
||||
default = { };
|
||||
type = attrsOf (either attrs (listOf attrs));
|
||||
example = literalExample ''
|
||||
{
|
||||
"my-service" = {
|
||||
"apiVersion" = "v1";
|
||||
"kind" = "Service";
|
||||
"metadata" = {
|
||||
"name" = "my-service";
|
||||
"namespace" = "default";
|
||||
};
|
||||
"spec" = { ... };
|
||||
};
|
||||
}
|
||||
// import <nixpkgs/nixos/modules/services/cluster/kubernetes/dashboard.nix> { cfg = config.services.kubernetes; };
|
||||
'';
|
||||
};
|
||||
|
||||
enable = mkEnableOption "Whether to enable Kubernetes addon manager.";
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable {
|
||||
environment.etc."kubernetes/addons".source = "${addons}/";
|
||||
|
||||
systemd.services.kube-addon-manager = {
|
||||
description = "Kubernetes addon manager";
|
||||
wantedBy = [ "kubernetes.target" ];
|
||||
after = [ "kube-apiserver.service" ];
|
||||
environment.ADDON_PATH = "/etc/kubernetes/addons/";
|
||||
path = [ pkgs.gawk ];
|
||||
serviceConfig = {
|
||||
Slice = "kubernetes.slice";
|
||||
ExecStart = "${top.package}/bin/kube-addons";
|
||||
WorkingDirectory = top.dataDir;
|
||||
User = "kubernetes";
|
||||
Group = "kubernetes";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 10;
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled
|
||||
(let
|
||||
name = system:kube-addon-manager;
|
||||
namespace = "kube-system";
|
||||
in
|
||||
{
|
||||
|
||||
kube-addon-manager-r = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "Role";
|
||||
metadata = {
|
||||
inherit name namespace;
|
||||
};
|
||||
rules = [{
|
||||
apiGroups = ["*"];
|
||||
resources = ["*"];
|
||||
verbs = ["*"];
|
||||
}];
|
||||
};
|
||||
|
||||
kube-addon-manager-rb = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "RoleBinding";
|
||||
metadata = {
|
||||
inherit name namespace;
|
||||
};
|
||||
roleRef = {
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "Role";
|
||||
inherit name;
|
||||
};
|
||||
subjects = [{
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "User";
|
||||
inherit name;
|
||||
}];
|
||||
};
|
||||
|
||||
kube-addon-manager-cluster-lister-cr = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "ClusterRole";
|
||||
metadata = {
|
||||
name = "${name}:cluster-lister";
|
||||
};
|
||||
rules = [{
|
||||
apiGroups = ["*"];
|
||||
resources = ["*"];
|
||||
verbs = ["list"];
|
||||
}];
|
||||
};
|
||||
|
||||
kube-addon-manager-cluster-lister-crb = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "ClusterRoleBinding";
|
||||
metadata = {
|
||||
name = "${name}:cluster-lister";
|
||||
};
|
||||
roleRef = {
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "ClusterRole";
|
||||
name = "${name}:cluster-lister";
|
||||
};
|
||||
subjects = [{
|
||||
kind = "User";
|
||||
inherit name;
|
||||
}];
|
||||
};
|
||||
});
|
||||
|
||||
services.kubernetes.pki.certs = {
|
||||
addonManager = top.lib.mkCert {
|
||||
name = "kube-addon-manager";
|
||||
CN = "system:kube-addon-manager";
|
||||
action = "systemctl restart kube-addon-manager.service";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
@ -8,6 +8,13 @@ in {
|
||||
options.services.kubernetes.addons.dashboard = {
|
||||
enable = mkEnableOption "kubernetes dashboard addon";
|
||||
|
||||
extraArgs = mkOption {
|
||||
description = "Extra arguments to append to the dashboard cmdline";
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = ["--enable-skip-login"];
|
||||
};
|
||||
|
||||
rbac = mkOption {
|
||||
description = "Role-based access control (RBAC) options";
|
||||
default = {};
|
||||
@ -31,7 +38,7 @@ in {
|
||||
version = mkOption {
|
||||
description = "Which version of the kubernetes dashboard to deploy";
|
||||
type = types.str;
|
||||
default = "v1.8.3";
|
||||
default = "v1.10.1";
|
||||
};
|
||||
|
||||
image = mkOption {
|
||||
@ -39,9 +46,9 @@ in {
|
||||
type = types.attrs;
|
||||
default = {
|
||||
imageName = "k8s.gcr.io/kubernetes-dashboard-amd64";
|
||||
imageDigest = "sha256:dc4026c1b595435ef5527ca598e1e9c4343076926d7d62b365c44831395adbd0";
|
||||
imageDigest = "sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747";
|
||||
finalImageTag = cfg.version;
|
||||
sha256 = "18ajcg0q1vignfjk2sm4xj4wzphfz8wah69ps8dklqfvv0164mc8";
|
||||
sha256 = "01xrr4pwgr2hcjrjsi3d14ifpzdfbxzqpzxbk2fkbjb9zkv38zxy";
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -99,7 +106,7 @@ in {
|
||||
memory = "100Mi";
|
||||
};
|
||||
};
|
||||
args = ["--auto-generate-certificates"];
|
||||
args = ["--auto-generate-certificates"] ++ cfg.extraArgs;
|
||||
volumeMounts = [{
|
||||
name = "tmp-volume";
|
||||
mountPath = "/tmp";
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
version = "1.2.5";
|
||||
version = "1.3.1";
|
||||
cfg = config.services.kubernetes.addons.dns;
|
||||
ports = {
|
||||
dns = 10053;
|
||||
@ -43,9 +43,9 @@ in {
|
||||
type = types.attrs;
|
||||
default = {
|
||||
imageName = "coredns/coredns";
|
||||
imageDigest = "sha256:33c8da20b887ae12433ec5c40bfddefbbfa233d5ce11fb067122e68af30291d6";
|
||||
imageDigest = "sha256:02382353821b12c21b062c59184e227e001079bb13ebd01f9d3270ba0fcbf1e4";
|
||||
finalImageTag = version;
|
||||
sha256 = "13q19rgwapv27xcs664dw502254yw4zw63insf6g2danidv2mg6i";
|
||||
sha256 = "0vbylgyxv2jm2mnzk6f28jbsj305zsxmx3jr6ngjq461czcl5fi5";
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -54,21 +54,7 @@ in {
|
||||
services.kubernetes.kubelet.seedDockerImages =
|
||||
singleton (pkgs.dockerTools.pullImage cfg.coredns);
|
||||
|
||||
services.kubernetes.addonManager.addons = {
|
||||
coredns-sa = {
|
||||
apiVersion = "v1";
|
||||
kind = "ServiceAccount";
|
||||
metadata = {
|
||||
labels = {
|
||||
"addonmanager.kubernetes.io/mode" = "Reconcile";
|
||||
"k8s-app" = "kube-dns";
|
||||
"kubernetes.io/cluster-service" = "true";
|
||||
};
|
||||
name = "coredns";
|
||||
namespace = "kube-system";
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.addonManager.bootstrapAddons = {
|
||||
coredns-cr = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1beta1";
|
||||
kind = "ClusterRole";
|
||||
@ -123,6 +109,22 @@ in {
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.addonManager.addons = {
|
||||
coredns-sa = {
|
||||
apiVersion = "v1";
|
||||
kind = "ServiceAccount";
|
||||
metadata = {
|
||||
labels = {
|
||||
"addonmanager.kubernetes.io/mode" = "Reconcile";
|
||||
"k8s-app" = "kube-dns";
|
||||
"kubernetes.io/cluster-service" = "true";
|
||||
};
|
||||
name = "coredns";
|
||||
namespace = "kube-system";
|
||||
};
|
||||
};
|
||||
|
||||
coredns-cm = {
|
||||
apiVersion = "v1";
|
428
nixos/modules/services/cluster/kubernetes/apiserver.nix
Normal file
428
nixos/modules/services/cluster/kubernetes/apiserver.nix
Normal file
@ -0,0 +1,428 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.apiserver;
|
||||
|
||||
isRBACEnabled = elem "RBAC" cfg.authorizationMode;
|
||||
|
||||
apiserverServiceIP = (concatStringsSep "." (
|
||||
take 3 (splitString "." cfg.serviceClusterIpRange
|
||||
)) + ".1");
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options.services.kubernetes.apiserver = with lib.types; {
|
||||
|
||||
advertiseAddress = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver IP address on which to advertise the apiserver
|
||||
to members of the cluster. This address must be reachable by the rest
|
||||
of the cluster.
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr str;
|
||||
};
|
||||
|
||||
allowPrivileged = mkOption {
|
||||
description = "Whether to allow privileged containers on Kubernetes.";
|
||||
default = false;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
authorizationMode = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See
|
||||
<link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/>
|
||||
'';
|
||||
default = ["RBAC" "Node"]; # Enabling RBAC by default, although kubernetes default is AllowAllow
|
||||
type = listOf (enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]);
|
||||
};
|
||||
|
||||
authorizationPolicy = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver authorization policy file. See
|
||||
<link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authorization/"/>
|
||||
'';
|
||||
default = [];
|
||||
type = listOf attrs;
|
||||
};
|
||||
|
||||
basicAuthFile = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver basic authentication file. See
|
||||
<link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authentication"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
bindAddress = mkOption {
|
||||
description = ''
|
||||
The IP address on which to listen for the --secure-port port.
|
||||
The associated interface(s) must be reachable by the rest
|
||||
of the cluster, and by CLI/web clients.
|
||||
'';
|
||||
default = "0.0.0.0";
|
||||
type = str;
|
||||
};
|
||||
|
||||
clientCaFile = mkOption {
|
||||
description = "Kubernetes apiserver CA file for client auth.";
|
||||
default = top.caFile;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
disableAdmissionPlugins = mkOption {
|
||||
description = ''
|
||||
Kubernetes admission control plugins to disable. See
|
||||
<link xlink:href="https://kubernetes.io/docs/admin/admission-controllers/"/>
|
||||
'';
|
||||
default = [];
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
enable = mkEnableOption "Kubernetes apiserver";
|
||||
|
||||
enableAdmissionPlugins = mkOption {
|
||||
description = ''
|
||||
Kubernetes admission control plugins to enable. See
|
||||
<link xlink:href="https://kubernetes.io/docs/admin/admission-controllers/"/>
|
||||
'';
|
||||
default = [
|
||||
"NamespaceLifecycle" "LimitRanger" "ServiceAccount"
|
||||
"ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"
|
||||
"NodeRestriction"
|
||||
];
|
||||
example = [
|
||||
"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
|
||||
"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
|
||||
"PodSecurityPolicy" "NodeRestriction" "DefaultStorageClass"
|
||||
];
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
etcd = {
|
||||
servers = mkOption {
|
||||
description = "List of etcd servers.";
|
||||
default = ["http://127.0.0.1:2379"];
|
||||
type = types.listOf types.str;
|
||||
};
|
||||
|
||||
keyFile = mkOption {
|
||||
description = "Etcd key file.";
|
||||
default = null;
|
||||
type = types.nullOr types.path;
|
||||
};
|
||||
|
||||
certFile = mkOption {
|
||||
description = "Etcd cert file.";
|
||||
default = null;
|
||||
type = types.nullOr types.path;
|
||||
};
|
||||
|
||||
caFile = mkOption {
|
||||
description = "Etcd ca file.";
|
||||
default = top.caFile;
|
||||
type = types.nullOr types.path;
|
||||
};
|
||||
};
|
||||
|
||||
extraOpts = mkOption {
|
||||
description = "Kubernetes apiserver extra command line options.";
|
||||
default = "";
|
||||
type = str;
|
||||
};
|
||||
|
||||
extraSANs = mkOption {
|
||||
description = "Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.";
|
||||
default = [];
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
featureGates = mkOption {
|
||||
description = "List set of feature gates";
|
||||
default = top.featureGates;
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
insecureBindAddress = mkOption {
|
||||
description = "The IP address on which to serve the --insecure-port.";
|
||||
default = "127.0.0.1";
|
||||
type = str;
|
||||
};
|
||||
|
||||
insecurePort = mkOption {
|
||||
description = "Kubernetes apiserver insecure listening port. (0 = disabled)";
|
||||
default = 0;
|
||||
type = int;
|
||||
};
|
||||
|
||||
kubeletClientCaFile = mkOption {
|
||||
description = "Path to a cert file for connecting to kubelet.";
|
||||
default = top.caFile;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
kubeletClientCertFile = mkOption {
|
||||
description = "Client certificate to use for connections to kubelet.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
kubeletClientKeyFile = mkOption {
|
||||
description = "Key to use for connections to kubelet.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
kubeletHttps = mkOption {
|
||||
description = "Whether to use https for connections to kubelet.";
|
||||
default = true;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
runtimeConfig = mkOption {
|
||||
description = ''
|
||||
Api runtime configuration. See
|
||||
<link xlink:href="https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/"/>
|
||||
'';
|
||||
default = "authentication.k8s.io/v1beta1=true";
|
||||
example = "api/all=false,api/v1=true";
|
||||
type = str;
|
||||
};
|
||||
|
||||
storageBackend = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver storage backend.
|
||||
'';
|
||||
default = "etcd3";
|
||||
type = enum ["etcd2" "etcd3"];
|
||||
};
|
||||
|
||||
securePort = mkOption {
|
||||
description = "Kubernetes apiserver secure port.";
|
||||
default = 6443;
|
||||
type = int;
|
||||
};
|
||||
|
||||
serviceAccountKeyFile = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
|
||||
used to verify ServiceAccount tokens. By default tls private key file
|
||||
is used.
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
serviceClusterIpRange = mkOption {
|
||||
description = ''
|
||||
A CIDR notation IP range from which to assign service cluster IPs.
|
||||
This must not overlap with any IP ranges assigned to nodes for pods.
|
||||
'';
|
||||
default = "10.0.0.0/24";
|
||||
type = str;
|
||||
};
|
||||
|
||||
tlsCertFile = mkOption {
|
||||
description = "Kubernetes apiserver certificate file.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
tlsKeyFile = mkOption {
|
||||
description = "Kubernetes apiserver private key file.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
tokenAuthFile = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver token authentication file. See
|
||||
<link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/authentication"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
verbosity = mkOption {
|
||||
description = ''
|
||||
Optional glog verbosity level for logging statements. See
|
||||
<link xlink:href="https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr int;
|
||||
};
|
||||
|
||||
webhookConfig = mkOption {
|
||||
description = ''
|
||||
Kubernetes apiserver Webhook config file. It uses the kubeconfig file format.
|
||||
See <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/webhook/"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
config = mkMerge [
|
||||
|
||||
(mkIf cfg.enable {
|
||||
systemd.services.kube-apiserver = {
|
||||
description = "Kubernetes APIServer Service";
|
||||
wantedBy = [ "kubernetes.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Slice = "kubernetes.slice";
|
||||
ExecStart = ''${top.package}/bin/kube-apiserver \
|
||||
--allow-privileged=${boolToString cfg.allowPrivileged} \
|
||||
--authorization-mode=${concatStringsSep "," cfg.authorizationMode} \
|
||||
${optionalString (elem "ABAC" cfg.authorizationMode)
|
||||
"--authorization-policy-file=${
|
||||
pkgs.writeText "kube-auth-policy.jsonl"
|
||||
(concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.authorizationPolicy)
|
||||
}"
|
||||
} \
|
||||
${optionalString (elem "Webhook" cfg.authorizationMode)
|
||||
"--authorization-webhook-config-file=${cfg.webhookConfig}"
|
||||
} \
|
||||
--bind-address=${cfg.bindAddress} \
|
||||
${optionalString (cfg.advertiseAddress != null)
|
||||
"--advertise-address=${cfg.advertiseAddress}"} \
|
||||
${optionalString (cfg.clientCaFile != null)
|
||||
"--client-ca-file=${cfg.clientCaFile}"} \
|
||||
--disable-admission-plugins=${concatStringsSep "," cfg.disableAdmissionPlugins} \
|
||||
--enable-admission-plugins=${concatStringsSep "," cfg.enableAdmissionPlugins} \
|
||||
--etcd-servers=${concatStringsSep "," cfg.etcd.servers} \
|
||||
${optionalString (cfg.etcd.caFile != null)
|
||||
"--etcd-cafile=${cfg.etcd.caFile}"} \
|
||||
${optionalString (cfg.etcd.certFile != null)
|
||||
"--etcd-certfile=${cfg.etcd.certFile}"} \
|
||||
${optionalString (cfg.etcd.keyFile != null)
|
||||
"--etcd-keyfile=${cfg.etcd.keyFile}"} \
|
||||
${optionalString (cfg.featureGates != [])
|
||||
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
|
||||
${optionalString (cfg.basicAuthFile != null)
|
||||
"--basic-auth-file=${cfg.basicAuthFile}"} \
|
||||
--kubelet-https=${boolToString cfg.kubeletHttps} \
|
||||
${optionalString (cfg.kubeletClientCaFile != null)
|
||||
"--kubelet-certificate-authority=${cfg.kubeletClientCaFile}"} \
|
||||
${optionalString (cfg.kubeletClientCertFile != null)
|
||||
"--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \
|
||||
${optionalString (cfg.kubeletClientKeyFile != null)
|
||||
"--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \
|
||||
--insecure-bind-address=${cfg.insecureBindAddress} \
|
||||
--insecure-port=${toString cfg.insecurePort} \
|
||||
${optionalString (cfg.runtimeConfig != "")
|
||||
"--runtime-config=${cfg.runtimeConfig}"} \
|
||||
--secure-port=${toString cfg.securePort} \
|
||||
${optionalString (cfg.serviceAccountKeyFile!=null)
|
||||
"--service-account-key-file=${cfg.serviceAccountKeyFile}"} \
|
||||
--service-cluster-ip-range=${cfg.serviceClusterIpRange} \
|
||||
--storage-backend=${cfg.storageBackend} \
|
||||
${optionalString (cfg.tlsCertFile != null)
|
||||
"--tls-cert-file=${cfg.tlsCertFile}"} \
|
||||
${optionalString (cfg.tlsKeyFile != null)
|
||||
"--tls-private-key-file=${cfg.tlsKeyFile}"} \
|
||||
${optionalString (cfg.tokenAuthFile != null)
|
||||
"--token-auth-file=${cfg.tokenAuthFile}"} \
|
||||
${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
|
||||
${cfg.extraOpts}
|
||||
'';
|
||||
WorkingDirectory = top.dataDir;
|
||||
User = "kubernetes";
|
||||
Group = "kubernetes";
|
||||
AmbientCapabilities = "cap_net_bind_service";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
};
|
||||
};
|
||||
|
||||
services.etcd = {
|
||||
clientCertAuth = mkDefault true;
|
||||
peerClientCertAuth = mkDefault true;
|
||||
listenClientUrls = mkDefault ["https://0.0.0.0:2379"];
|
||||
listenPeerUrls = mkDefault ["https://0.0.0.0:2380"];
|
||||
advertiseClientUrls = mkDefault ["https://${top.masterAddress}:2379"];
|
||||
initialCluster = mkDefault ["${top.masterAddress}=https://${top.masterAddress}:2380"];
|
||||
name = top.masterAddress;
|
||||
initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"];
|
||||
};
|
||||
|
||||
services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled {
|
||||
|
||||
apiserver-kubelet-api-admin-crb = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1";
|
||||
kind = "ClusterRoleBinding";
|
||||
metadata = {
|
||||
name = "system:kube-apiserver:kubelet-api-admin";
|
||||
};
|
||||
roleRef = {
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "ClusterRole";
|
||||
name = "system:kubelet-api-admin";
|
||||
};
|
||||
subjects = [{
|
||||
kind = "User";
|
||||
name = "system:kube-apiserver";
|
||||
}];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
services.kubernetes.pki.certs = with top.lib; {
|
||||
apiServer = mkCert {
|
||||
name = "kube-apiserver";
|
||||
CN = "kubernetes";
|
||||
hosts = [
|
||||
"kubernetes.default.svc"
|
||||
"kubernetes.default.svc.${top.addons.dns.clusterDomain}"
|
||||
cfg.advertiseAddress
|
||||
top.masterAddress
|
||||
apiserverServiceIP
|
||||
"127.0.0.1"
|
||||
] ++ cfg.extraSANs;
|
||||
action = "systemctl restart kube-apiserver.service";
|
||||
};
|
||||
apiserverKubeletClient = mkCert {
|
||||
name = "kube-apiserver-kubelet-client";
|
||||
CN = "system:kube-apiserver";
|
||||
action = "systemctl restart kube-apiserver.service";
|
||||
};
|
||||
apiserverEtcdClient = mkCert {
|
||||
name = "kube-apiserver-etcd-client";
|
||||
CN = "etcd-client";
|
||||
action = "systemctl restart kube-apiserver.service";
|
||||
};
|
||||
clusterAdmin = mkCert {
|
||||
name = "cluster-admin";
|
||||
CN = "cluster-admin";
|
||||
fields = {
|
||||
O = "system:masters";
|
||||
};
|
||||
privateKeyOwner = "root";
|
||||
};
|
||||
etcd = mkCert {
|
||||
name = "etcd";
|
||||
CN = top.masterAddress;
|
||||
hosts = [
|
||||
"etcd.local"
|
||||
"etcd.${top.addons.dns.clusterDomain}"
|
||||
top.masterAddress
|
||||
cfg.advertiseAddress
|
||||
];
|
||||
privateKeyOwner = "etcd";
|
||||
action = "systemctl restart etcd.service";
|
||||
};
|
||||
};
|
||||
|
||||
})
|
||||
|
||||
];
|
||||
|
||||
}
|
162
nixos/modules/services/cluster/kubernetes/controller-manager.nix
Normal file
162
nixos/modules/services/cluster/kubernetes/controller-manager.nix
Normal file
@ -0,0 +1,162 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.controllerManager;
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options.services.kubernetes.controllerManager = with lib.types; {
|
||||
|
||||
allocateNodeCIDRs = mkOption {
|
||||
description = "Whether to automatically allocate CIDR ranges for cluster nodes.";
|
||||
default = true;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
bindAddress = mkOption {
|
||||
description = "Kubernetes controller manager listening address.";
|
||||
default = "127.0.0.1";
|
||||
type = str;
|
||||
};
|
||||
|
||||
clusterCidr = mkOption {
|
||||
description = "Kubernetes CIDR Range for Pods in cluster.";
|
||||
default = top.clusterCidr;
|
||||
type = str;
|
||||
};
|
||||
|
||||
enable = mkEnableOption "Kubernetes controller manager.";
|
||||
|
||||
extraOpts = mkOption {
|
||||
description = "Kubernetes controller manager extra command line options.";
|
||||
default = "";
|
||||
type = str;
|
||||
};
|
||||
|
||||
featureGates = mkOption {
|
||||
description = "List set of feature gates";
|
||||
default = top.featureGates;
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
insecurePort = mkOption {
|
||||
description = "Kubernetes controller manager insecure listening port.";
|
||||
default = 0;
|
||||
type = int;
|
||||
};
|
||||
|
||||
kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager";
|
||||
|
||||
leaderElect = mkOption {
|
||||
description = "Whether to start leader election before executing main loop.";
|
||||
type = bool;
|
||||
default = true;
|
||||
};
|
||||
|
||||
rootCaFile = mkOption {
|
||||
description = ''
|
||||
Kubernetes controller manager certificate authority file included in
|
||||
service account's token secret.
|
||||
'';
|
||||
default = top.caFile;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
securePort = mkOption {
|
||||
description = "Kubernetes controller manager secure listening port.";
|
||||
default = 10252;
|
||||
type = int;
|
||||
};
|
||||
|
||||
serviceAccountKeyFile = mkOption {
|
||||
description = ''
|
||||
Kubernetes controller manager PEM-encoded private RSA key file used to
|
||||
sign service account tokens
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
tlsCertFile = mkOption {
|
||||
description = "Kubernetes controller-manager certificate file.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
tlsKeyFile = mkOption {
|
||||
description = "Kubernetes controller-manager private key file.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
verbosity = mkOption {
|
||||
description = ''
|
||||
Optional glog verbosity level for logging statements. See
|
||||
<link xlink:href="https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr int;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.kube-controller-manager = {
|
||||
description = "Kubernetes Controller Manager Service";
|
||||
wantedBy = [ "kubernetes.target" ];
|
||||
after = [ "kube-apiserver.service" ];
|
||||
serviceConfig = {
|
||||
RestartSec = "30s";
|
||||
Restart = "on-failure";
|
||||
Slice = "kubernetes.slice";
|
||||
ExecStart = ''${top.package}/bin/kube-controller-manager \
|
||||
--allocate-node-cidrs=${boolToString cfg.allocateNodeCIDRs} \
|
||||
--bind-address=${cfg.bindAddress} \
|
||||
${optionalString (cfg.clusterCidr!=null)
|
||||
"--cluster-cidr=${cfg.clusterCidr}"} \
|
||||
${optionalString (cfg.featureGates != [])
|
||||
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
|
||||
--kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \
|
||||
--leader-elect=${boolToString cfg.leaderElect} \
|
||||
${optionalString (cfg.rootCaFile!=null)
|
||||
"--root-ca-file=${cfg.rootCaFile}"} \
|
||||
--port=${toString cfg.insecurePort} \
|
||||
--secure-port=${toString cfg.securePort} \
|
||||
${optionalString (cfg.serviceAccountKeyFile!=null)
|
||||
"--service-account-private-key-file=${cfg.serviceAccountKeyFile}"} \
|
||||
${optionalString (cfg.tlsCertFile!=null)
|
||||
"--tls-cert-file=${cfg.tlsCertFile}"} \
|
||||
${optionalString (cfg.tlsKeyFile!=null)
|
||||
"--tls-key-file=${cfg.tlsKeyFile}"} \
|
||||
${optionalString (elem "RBAC" top.apiserver.authorizationMode)
|
||||
"--use-service-account-credentials"} \
|
||||
${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
|
||||
${cfg.extraOpts}
|
||||
'';
|
||||
WorkingDirectory = top.dataDir;
|
||||
User = "kubernetes";
|
||||
Group = "kubernetes";
|
||||
};
|
||||
path = top.path;
|
||||
};
|
||||
|
||||
services.kubernetes.pki.certs = with top.lib; {
|
||||
controllerManager = mkCert {
|
||||
name = "kube-controller-manager";
|
||||
CN = "kube-controller-manager";
|
||||
action = "systemctl restart kube-controller-manager.service";
|
||||
};
|
||||
controllerManagerClient = mkCert {
|
||||
name = "kube-controller-manager-client";
|
||||
CN = "system:kube-controller-manager";
|
||||
action = "systemctl restart kube-controller-manager.service";
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.controllerManager.kubeconfig.server = mkDefault top.apiserverAddress;
|
||||
};
|
||||
}
|
File diff suppressed because it is too large
Load Diff
134
nixos/modules/services/cluster/kubernetes/flannel.nix
Normal file
134
nixos/modules/services/cluster/kubernetes/flannel.nix
Normal file
@ -0,0 +1,134 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.flannel;
|
||||
|
||||
# we want flannel to use kubernetes itself as configuration backend, not direct etcd
|
||||
storageBackend = "kubernetes";
|
||||
|
||||
# needed for flannel to pass options to docker
|
||||
mkDockerOpts = pkgs.runCommand "mk-docker-opts" {
|
||||
buildInputs = [ pkgs.makeWrapper ];
|
||||
} ''
|
||||
mkdir -p $out
|
||||
cp ${pkgs.kubernetes.src}/cluster/centos/node/bin/mk-docker-opts.sh $out/mk-docker-opts.sh
|
||||
|
||||
# bashInteractive needed for `compgen`
|
||||
makeWrapper ${pkgs.bashInteractive}/bin/bash $out/mk-docker-opts --add-flags "$out/mk-docker-opts.sh"
|
||||
'';
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options.services.kubernetes.flannel = {
|
||||
enable = mkEnableOption "enable flannel networking";
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable {
|
||||
services.flannel = {
|
||||
|
||||
enable = mkDefault true;
|
||||
network = mkDefault top.clusterCidr;
|
||||
inherit storageBackend;
|
||||
nodeName = config.services.kubernetes.kubelet.hostname;
|
||||
};
|
||||
|
||||
services.kubernetes.kubelet = {
|
||||
networkPlugin = mkDefault "cni";
|
||||
cni.config = mkDefault [{
|
||||
name = "mynet";
|
||||
type = "flannel";
|
||||
delegate = {
|
||||
isDefaultGateway = true;
|
||||
bridge = "docker0";
|
||||
};
|
||||
}];
|
||||
};
|
||||
|
||||
systemd.services."mk-docker-opts" = {
|
||||
description = "Pre-Docker Actions";
|
||||
path = with pkgs; [ gawk gnugrep ];
|
||||
script = ''
|
||||
${mkDockerOpts}/mk-docker-opts -d /run/flannel/docker
|
||||
systemctl restart docker
|
||||
'';
|
||||
serviceConfig.Type = "oneshot";
|
||||
};
|
||||
|
||||
systemd.paths."flannel-subnet-env" = {
|
||||
wantedBy = [ "flannel.service" ];
|
||||
pathConfig = {
|
||||
PathModified = "/run/flannel/subnet.env";
|
||||
Unit = "mk-docker-opts.service";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.docker = {
|
||||
environment.DOCKER_OPTS = "-b none";
|
||||
serviceConfig.EnvironmentFile = "-/run/flannel/docker";
|
||||
};
|
||||
|
||||
# read environment variables generated by mk-docker-opts
|
||||
virtualisation.docker.extraOptions = "$DOCKER_OPTS";
|
||||
|
||||
networking = {
|
||||
firewall.allowedUDPPorts = [
|
||||
8285 # flannel udp
|
||||
8472 # flannel vxlan
|
||||
];
|
||||
dhcpcd.denyInterfaces = [ "docker*" "flannel*" ];
|
||||
};
|
||||
|
||||
services.kubernetes.pki.certs = {
|
||||
flannelClient = top.lib.mkCert {
|
||||
name = "flannel-client";
|
||||
CN = "flannel-client";
|
||||
action = "systemctl restart flannel.service";
|
||||
};
|
||||
};
|
||||
|
||||
# give flannel som kubernetes rbac permissions if applicable
|
||||
services.kubernetes.addonManager.bootstrapAddons = mkIf ((storageBackend == "kubernetes") && (elem "RBAC" top.apiserver.authorizationMode)) {
|
||||
|
||||
flannel-cr = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1beta1";
|
||||
kind = "ClusterRole";
|
||||
metadata = { name = "flannel"; };
|
||||
rules = [{
|
||||
apiGroups = [ "" ];
|
||||
resources = [ "pods" ];
|
||||
verbs = [ "get" ];
|
||||
}
|
||||
{
|
||||
apiGroups = [ "" ];
|
||||
resources = [ "nodes" ];
|
||||
verbs = [ "list" "watch" ];
|
||||
}
|
||||
{
|
||||
apiGroups = [ "" ];
|
||||
resources = [ "nodes/status" ];
|
||||
verbs = [ "patch" ];
|
||||
}];
|
||||
};
|
||||
|
||||
flannel-crb = {
|
||||
apiVersion = "rbac.authorization.k8s.io/v1beta1";
|
||||
kind = "ClusterRoleBinding";
|
||||
metadata = { name = "flannel"; };
|
||||
roleRef = {
|
||||
apiGroup = "rbac.authorization.k8s.io";
|
||||
kind = "ClusterRole";
|
||||
name = "flannel";
|
||||
};
|
||||
subjects = [{
|
||||
kind = "User";
|
||||
name = "flannel-client";
|
||||
}];
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
}
|
358
nixos/modules/services/cluster/kubernetes/kubelet.nix
Normal file
358
nixos/modules/services/cluster/kubernetes/kubelet.nix
Normal file
@ -0,0 +1,358 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.kubelet;
|
||||
|
||||
cniConfig =
|
||||
if cfg.cni.config != [] && !(isNull cfg.cni.configDir) then
|
||||
throw "Verbatim CNI-config and CNI configDir cannot both be set."
|
||||
else if !(isNull cfg.cni.configDir) then
|
||||
cfg.cni.configDir
|
||||
else
|
||||
(pkgs.buildEnv {
|
||||
name = "kubernetes-cni-config";
|
||||
paths = imap (i: entry:
|
||||
pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry)
|
||||
) cfg.cni.config;
|
||||
});
|
||||
|
||||
infraContainer = pkgs.dockerTools.buildImage {
|
||||
name = "pause";
|
||||
tag = "latest";
|
||||
contents = top.package.pause;
|
||||
config.Cmd = "/bin/pause";
|
||||
};
|
||||
|
||||
kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig;
|
||||
|
||||
manifests = pkgs.buildEnv {
|
||||
name = "kubernetes-manifests";
|
||||
paths = mapAttrsToList (name: manifest:
|
||||
pkgs.writeTextDir "${name}.json" (builtins.toJSON manifest)
|
||||
) cfg.manifests;
|
||||
};
|
||||
|
||||
manifestPath = "kubernetes/manifests";
|
||||
|
||||
taintOptions = with lib.types; { name, ... }: {
|
||||
options = {
|
||||
key = mkOption {
|
||||
description = "Key of taint.";
|
||||
default = name;
|
||||
type = str;
|
||||
};
|
||||
value = mkOption {
|
||||
description = "Value of taint.";
|
||||
type = str;
|
||||
};
|
||||
effect = mkOption {
|
||||
description = "Effect of taint.";
|
||||
example = "NoSchedule";
|
||||
type = enum ["NoSchedule" "PreferNoSchedule" "NoExecute"];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
taints = concatMapStringsSep "," (v: "${v.key}=${v.value}:${v.effect}") (mapAttrsToList (n: v: v) cfg.taints);
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options.services.kubernetes.kubelet = with lib.types; {
|
||||
|
||||
address = mkOption {
|
||||
description = "Kubernetes kubelet info server listening address.";
|
||||
default = "0.0.0.0";
|
||||
type = str;
|
||||
};
|
||||
|
||||
allowPrivileged = mkOption {
|
||||
description = "Whether to allow Kubernetes containers to request privileged mode.";
|
||||
default = false;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
clusterDns = mkOption {
|
||||
description = "Use alternative DNS.";
|
||||
default = "10.1.0.1";
|
||||
type = str;
|
||||
};
|
||||
|
||||
clusterDomain = mkOption {
|
||||
description = "Use alternative domain.";
|
||||
default = config.services.kubernetes.addons.dns.clusterDomain;
|
||||
type = str;
|
||||
};
|
||||
|
||||
clientCaFile = mkOption {
|
||||
description = "Kubernetes apiserver CA file for client authentication.";
|
||||
default = top.caFile;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
cni = {
|
||||
packages = mkOption {
|
||||
description = "List of network plugin packages to install.";
|
||||
type = listOf package;
|
||||
default = [];
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
description = "Kubernetes CNI configuration.";
|
||||
type = listOf attrs;
|
||||
default = [];
|
||||
example = literalExample ''
|
||||
[{
|
||||
"cniVersion": "0.2.0",
|
||||
"name": "mynet",
|
||||
"type": "bridge",
|
||||
"bridge": "cni0",
|
||||
"isGateway": true,
|
||||
"ipMasq": true,
|
||||
"ipam": {
|
||||
"type": "host-local",
|
||||
"subnet": "10.22.0.0/16",
|
||||
"routes": [
|
||||
{ "dst": "0.0.0.0/0" }
|
||||
]
|
||||
}
|
||||
} {
|
||||
"cniVersion": "0.2.0",
|
||||
"type": "loopback"
|
||||
}]
|
||||
'';
|
||||
};
|
||||
|
||||
configDir = mkOption {
|
||||
description = "Path to Kubernetes CNI configuration directory.";
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
|
||||
enable = mkEnableOption "Kubernetes kubelet.";
|
||||
|
||||
extraOpts = mkOption {
|
||||
description = "Kubernetes kubelet extra command line options.";
|
||||
default = "";
|
||||
type = str;
|
||||
};
|
||||
|
||||
featureGates = mkOption {
|
||||
description = "List set of feature gates";
|
||||
default = top.featureGates;
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
healthz = {
|
||||
bind = mkOption {
|
||||
description = "Kubernetes kubelet healthz listening address.";
|
||||
default = "127.0.0.1";
|
||||
type = str;
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
description = "Kubernetes kubelet healthz port.";
|
||||
default = 10248;
|
||||
type = int;
|
||||
};
|
||||
};
|
||||
|
||||
hostname = mkOption {
|
||||
description = "Kubernetes kubelet hostname override.";
|
||||
default = config.networking.hostName;
|
||||
type = str;
|
||||
};
|
||||
|
||||
kubeconfig = top.lib.mkKubeConfigOptions "Kubelet";
|
||||
|
||||
manifests = mkOption {
|
||||
description = "List of manifests to bootstrap with kubelet (only pods can be created as manifest entry)";
|
||||
type = attrsOf attrs;
|
||||
default = {};
|
||||
};
|
||||
|
||||
networkPlugin = mkOption {
|
||||
description = "Network plugin to use by Kubernetes.";
|
||||
type = nullOr (enum ["cni" "kubenet"]);
|
||||
default = "kubenet";
|
||||
};
|
||||
|
||||
nodeIp = mkOption {
|
||||
description = "IP address of the node. If set, kubelet will use this IP address for the node.";
|
||||
default = null;
|
||||
type = nullOr str;
|
||||
};
|
||||
|
||||
registerNode = mkOption {
|
||||
description = "Whether to auto register kubelet with API server.";
|
||||
default = true;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
description = "Kubernetes kubelet info server listening port.";
|
||||
default = 10250;
|
||||
type = int;
|
||||
};
|
||||
|
||||
seedDockerImages = mkOption {
|
||||
description = "List of docker images to preload on system";
|
||||
default = [];
|
||||
type = listOf package;
|
||||
};
|
||||
|
||||
taints = mkOption {
|
||||
description = "Node taints (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/).";
|
||||
default = {};
|
||||
type = attrsOf (submodule [ taintOptions ]);
|
||||
};
|
||||
|
||||
tlsCertFile = mkOption {
|
||||
description = "File containing x509 Certificate for HTTPS.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
tlsKeyFile = mkOption {
|
||||
description = "File containing x509 private key matching tlsCertFile.";
|
||||
default = null;
|
||||
type = nullOr path;
|
||||
};
|
||||
|
||||
unschedulable = mkOption {
|
||||
description = "Whether to set node taint to unschedulable=true as it is the case of node that has only master role.";
|
||||
default = false;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
verbosity = mkOption {
|
||||
description = ''
|
||||
Optional glog verbosity level for logging statements. See
|
||||
<link xlink:href="https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr int;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkMerge [
|
||||
(mkIf cfg.enable {
|
||||
services.kubernetes.kubelet.seedDockerImages = [infraContainer];
|
||||
|
||||
systemd.services.kubelet = {
|
||||
description = "Kubernetes Kubelet Service";
|
||||
wantedBy = [ "kubernetes.target" ];
|
||||
after = [ "network.target" "docker.service" "kube-apiserver.service" ];
|
||||
path = with pkgs; [ gitMinimal openssh docker utillinux iproute ethtool thin-provisioning-tools iptables socat ] ++ top.path;
|
||||
preStart = ''
|
||||
${concatMapStrings (img: ''
|
||||
echo "Seeding docker image: ${img}"
|
||||
docker load <${img}
|
||||
'') cfg.seedDockerImages}
|
||||
|
||||
rm /opt/cni/bin/* || true
|
||||
${concatMapStrings (package: ''
|
||||
echo "Linking cni package: ${package}"
|
||||
ln -fs ${package}/bin/* /opt/cni/bin
|
||||
'') cfg.cni.packages}
|
||||
'';
|
||||
serviceConfig = {
|
||||
Slice = "kubernetes.slice";
|
||||
CPUAccounting = true;
|
||||
MemoryAccounting = true;
|
||||
Restart = "on-failure";
|
||||
RestartSec = "1000ms";
|
||||
ExecStart = ''${top.package}/bin/kubelet \
|
||||
--address=${cfg.address} \
|
||||
--allow-privileged=${boolToString cfg.allowPrivileged} \
|
||||
--authentication-token-webhook \
|
||||
--authentication-token-webhook-cache-ttl="10s" \
|
||||
--authorization-mode=Webhook \
|
||||
${optionalString (cfg.clientCaFile != null)
|
||||
"--client-ca-file=${cfg.clientCaFile}"} \
|
||||
${optionalString (cfg.clusterDns != "")
|
||||
"--cluster-dns=${cfg.clusterDns}"} \
|
||||
${optionalString (cfg.clusterDomain != "")
|
||||
"--cluster-domain=${cfg.clusterDomain}"} \
|
||||
--cni-conf-dir=${cniConfig} \
|
||||
${optionalString (cfg.featureGates != [])
|
||||
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
|
||||
--hairpin-mode=hairpin-veth \
|
||||
--healthz-bind-address=${cfg.healthz.bind} \
|
||||
--healthz-port=${toString cfg.healthz.port} \
|
||||
--hostname-override=${cfg.hostname} \
|
||||
--kubeconfig=${kubeconfig} \
|
||||
${optionalString (cfg.networkPlugin != null)
|
||||
"--network-plugin=${cfg.networkPlugin}"} \
|
||||
${optionalString (cfg.nodeIp != null)
|
||||
"--node-ip=${cfg.nodeIp}"} \
|
||||
--pod-infra-container-image=pause \
|
||||
${optionalString (cfg.manifests != {})
|
||||
"--pod-manifest-path=/etc/${manifestPath}"} \
|
||||
--port=${toString cfg.port} \
|
||||
--register-node=${boolToString cfg.registerNode} \
|
||||
${optionalString (taints != "")
|
||||
"--register-with-taints=${taints}"} \
|
||||
--root-dir=${top.dataDir} \
|
||||
${optionalString (cfg.tlsCertFile != null)
|
||||
"--tls-cert-file=${cfg.tlsCertFile}"} \
|
||||
${optionalString (cfg.tlsKeyFile != null)
|
||||
"--tls-private-key-file=${cfg.tlsKeyFile}"} \
|
||||
${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
|
||||
${cfg.extraOpts}
|
||||
'';
|
||||
WorkingDirectory = top.dataDir;
|
||||
};
|
||||
};
|
||||
|
||||
# Allways include cni plugins
|
||||
services.kubernetes.kubelet.cni.packages = [pkgs.cni-plugins];
|
||||
|
||||
boot.kernelModules = ["br_netfilter"];
|
||||
|
||||
services.kubernetes.kubelet.hostname = with config.networking;
|
||||
mkDefault (hostName + optionalString (!isNull domain) ".${domain}");
|
||||
|
||||
services.kubernetes.pki.certs = with top.lib; {
|
||||
kubelet = mkCert {
|
||||
name = "kubelet";
|
||||
CN = top.kubelet.hostname;
|
||||
action = "systemctl restart kubelet.service";
|
||||
|
||||
};
|
||||
kubeletClient = mkCert {
|
||||
name = "kubelet-client";
|
||||
CN = "system:node:${top.kubelet.hostname}";
|
||||
fields = {
|
||||
O = "system:nodes";
|
||||
};
|
||||
action = "systemctl restart kubelet.service";
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.kubelet.kubeconfig.server = mkDefault top.apiserverAddress;
|
||||
})
|
||||
|
||||
(mkIf (cfg.enable && cfg.manifests != {}) {
|
||||
environment.etc = mapAttrs' (name: manifest:
|
||||
nameValuePair "${manifestPath}/${name}.json" {
|
||||
text = builtins.toJSON manifest;
|
||||
mode = "0755";
|
||||
}
|
||||
) cfg.manifests;
|
||||
})
|
||||
|
||||
(mkIf (cfg.unschedulable && cfg.enable) {
|
||||
services.kubernetes.kubelet.taints.unschedulable = {
|
||||
value = "true";
|
||||
effect = "NoSchedule";
|
||||
};
|
||||
})
|
||||
|
||||
];
|
||||
}
|
388
nixos/modules/services/cluster/kubernetes/pki.nix
Normal file
388
nixos/modules/services/cluster/kubernetes/pki.nix
Normal file
@ -0,0 +1,388 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.pki;
|
||||
|
||||
csrCA = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON {
|
||||
key = {
|
||||
algo = "rsa";
|
||||
size = 2048;
|
||||
};
|
||||
names = singleton cfg.caSpec;
|
||||
});
|
||||
|
||||
csrCfssl = pkgs.writeText "kube-pki-cfssl-csr.json" (builtins.toJSON {
|
||||
key = {
|
||||
algo = "rsa";
|
||||
size = 2048;
|
||||
};
|
||||
CN = top.masterAddress;
|
||||
});
|
||||
|
||||
cfsslAPITokenBaseName = "apitoken.secret";
|
||||
cfsslAPITokenPath = "${config.services.cfssl.dataDir}/${cfsslAPITokenBaseName}";
|
||||
certmgrAPITokenPath = "${top.secretsPath}/${cfsslAPITokenBaseName}";
|
||||
cfsslAPITokenLength = 32;
|
||||
|
||||
clusterAdminKubeconfig = with cfg.certs.clusterAdmin;
|
||||
top.lib.mkKubeConfig "cluster-admin" {
|
||||
server = top.apiserverAddress;
|
||||
certFile = cert;
|
||||
keyFile = key;
|
||||
};
|
||||
|
||||
remote = with config.services; "https://${kubernetes.masterAddress}:${toString cfssl.port}";
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options.services.kubernetes.pki = with lib.types; {
|
||||
|
||||
enable = mkEnableOption "Whether to enable easyCert issuer service.";
|
||||
|
||||
certs = mkOption {
|
||||
description = "List of certificate specs to feed to cert generator.";
|
||||
default = {};
|
||||
type = attrs;
|
||||
};
|
||||
|
||||
genCfsslCACert = mkOption {
|
||||
description = ''
|
||||
Whether to automatically generate cfssl CA certificate and key,
|
||||
if they don't exist.
|
||||
'';
|
||||
default = true;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
genCfsslAPICerts = mkOption {
|
||||
description = ''
|
||||
Whether to automatically generate cfssl API webserver TLS cert and key,
|
||||
if they don't exist.
|
||||
'';
|
||||
default = true;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
genCfsslAPIToken = mkOption {
|
||||
description = ''
|
||||
Whether to automatically generate cfssl API-token secret,
|
||||
if they doesn't exist.
|
||||
'';
|
||||
default = true;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
pkiTrustOnBootstrap = mkOption {
|
||||
description = "Whether to always trust remote cfssl server upon initial PKI bootstrap.";
|
||||
default = true;
|
||||
type = bool;
|
||||
};
|
||||
|
||||
caCertPathPrefix = mkOption {
|
||||
description = ''
|
||||
Path-prefrix for the CA-certificate to be used for cfssl signing.
|
||||
Suffixes ".pem" and "-key.pem" will be automatically appended for
|
||||
the public and private keys respectively.
|
||||
'';
|
||||
default = "${config.services.cfssl.dataDir}/ca";
|
||||
type = str;
|
||||
};
|
||||
|
||||
caSpec = mkOption {
|
||||
description = "Certificate specification for the auto-generated CAcert.";
|
||||
default = {
|
||||
CN = "kubernetes-cluster-ca";
|
||||
O = "NixOS";
|
||||
OU = "services.kubernetes.pki.caSpec";
|
||||
L = "auto-generated";
|
||||
};
|
||||
type = attrs;
|
||||
};
|
||||
|
||||
etcClusterAdminKubeconfig = mkOption {
|
||||
description = ''
|
||||
Symlink a kubeconfig with cluster-admin privileges to environment path
|
||||
(/etc/<path>).
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr str;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable
|
||||
(let
|
||||
cfsslCertPathPrefix = "${config.services.cfssl.dataDir}/cfssl";
|
||||
cfsslCert = "${cfsslCertPathPrefix}.pem";
|
||||
cfsslKey = "${cfsslCertPathPrefix}-key.pem";
|
||||
in
|
||||
{
|
||||
|
||||
services.cfssl = mkIf (top.apiserver.enable) {
|
||||
enable = true;
|
||||
address = "0.0.0.0";
|
||||
tlsCert = cfsslCert;
|
||||
tlsKey = cfsslKey;
|
||||
configFile = toString (pkgs.writeText "cfssl-config.json" (builtins.toJSON {
|
||||
signing = {
|
||||
profiles = {
|
||||
default = {
|
||||
usages = ["digital signature"];
|
||||
auth_key = "default";
|
||||
expiry = "720h";
|
||||
};
|
||||
};
|
||||
};
|
||||
auth_keys = {
|
||||
default = {
|
||||
type = "standard";
|
||||
key = "file:${cfsslAPITokenPath}";
|
||||
};
|
||||
};
|
||||
}));
|
||||
};
|
||||
|
||||
systemd.services.cfssl.preStart = with pkgs; with config.services.cfssl; mkIf (top.apiserver.enable)
|
||||
(concatStringsSep "\n" [
|
||||
"set -e"
|
||||
(optionalString cfg.genCfsslCACert ''
|
||||
if [ ! -f "${cfg.caCertPathPrefix}.pem" ]; then
|
||||
${cfssl}/bin/cfssl genkey -initca ${csrCA} | \
|
||||
${cfssl}/bin/cfssljson -bare ${cfg.caCertPathPrefix}
|
||||
fi
|
||||
'')
|
||||
(optionalString cfg.genCfsslAPICerts ''
|
||||
if [ ! -f "${dataDir}/cfssl.pem" ]; then
|
||||
${cfssl}/bin/cfssl gencert -ca "${cfg.caCertPathPrefix}.pem" -ca-key "${cfg.caCertPathPrefix}-key.pem" ${csrCfssl} | \
|
||||
${cfssl}/bin/cfssljson -bare ${cfsslCertPathPrefix}
|
||||
fi
|
||||
'')
|
||||
(optionalString cfg.genCfsslAPIToken ''
|
||||
if [ ! -f "${cfsslAPITokenPath}" ]; then
|
||||
head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ' >"${cfsslAPITokenPath}"
|
||||
fi
|
||||
chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}"
|
||||
'')]);
|
||||
|
||||
systemd.services.kube-certmgr-bootstrap = {
|
||||
description = "Kubernetes certmgr bootstrapper";
|
||||
wantedBy = [ "certmgr.service" ];
|
||||
after = [ "cfssl.target" ];
|
||||
script = concatStringsSep "\n" [''
|
||||
set -e
|
||||
|
||||
# If there's a cfssl (cert issuer) running locally, then don't rely on user to
|
||||
# manually paste it in place. Just symlink.
|
||||
# otherwise, create the target file, ready for users to insert the token
|
||||
|
||||
if [ -f "${cfsslAPITokenPath}" ]; then
|
||||
ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}"
|
||||
else
|
||||
touch "${certmgrAPITokenPath}" && chmod 600 "${certmgrAPITokenPath}"
|
||||
fi
|
||||
''
|
||||
(optionalString (cfg.pkiTrustOnBootstrap) ''
|
||||
if [ ! -f "${top.caFile}" ] || [ $(cat "${top.caFile}" | wc -c) -lt 1 ]; then
|
||||
${pkgs.curl}/bin/curl --fail-early -f -kd '{}' ${remote}/api/v1/cfssl/info | \
|
||||
${pkgs.cfssl}/bin/cfssljson -stdout >${top.caFile}
|
||||
fi
|
||||
'')
|
||||
];
|
||||
serviceConfig = {
|
||||
RestartSec = "10s";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
|
||||
services.certmgr = {
|
||||
enable = true;
|
||||
package = pkgs.certmgr-selfsigned;
|
||||
svcManager = "command";
|
||||
specs =
|
||||
let
|
||||
mkSpec = _: cert: {
|
||||
inherit (cert) action;
|
||||
authority = {
|
||||
inherit remote;
|
||||
file.path = cert.caCert;
|
||||
root_ca = cert.caCert;
|
||||
profile = "default";
|
||||
auth_key_file = certmgrAPITokenPath;
|
||||
};
|
||||
certificate = {
|
||||
path = cert.cert;
|
||||
};
|
||||
private_key = cert.privateKeyOptions;
|
||||
request = {
|
||||
inherit (cert) CN hosts;
|
||||
key = {
|
||||
algo = "rsa";
|
||||
size = 2048;
|
||||
};
|
||||
names = [ cert.fields ];
|
||||
};
|
||||
};
|
||||
in
|
||||
mapAttrs mkSpec cfg.certs;
|
||||
};
|
||||
|
||||
#TODO: Get rid of kube-addon-manager in the future for the following reasons
|
||||
# - it is basically just a shell script wrapped around kubectl
|
||||
# - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount
|
||||
# - it is designed to be used with k8s system components only
|
||||
# - it would be better with a more Nix-oriented way of managing addons
|
||||
systemd.services.kube-addon-manager = mkIf top.addonManager.enable (mkMerge [{
|
||||
environment.KUBECONFIG = with cfg.certs.addonManager;
|
||||
top.lib.mkKubeConfig "addon-manager" {
|
||||
server = top.apiserverAddress;
|
||||
certFile = cert;
|
||||
keyFile = key;
|
||||
};
|
||||
}
|
||||
|
||||
(optionalAttrs (top.addonManager.bootstrapAddons != {}) {
|
||||
serviceConfig.PermissionsStartOnly = true;
|
||||
preStart = with pkgs;
|
||||
let
|
||||
files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v))
|
||||
top.addonManager.bootstrapAddons;
|
||||
in
|
||||
''
|
||||
export KUBECONFIG=${clusterAdminKubeconfig}
|
||||
${kubectl}/bin/kubectl apply -f ${concatStringsSep " \\\n -f " files}
|
||||
'';
|
||||
})]);
|
||||
|
||||
environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig)
|
||||
clusterAdminKubeconfig;
|
||||
|
||||
environment.systemPackages = mkIf (top.kubelet.enable || top.proxy.enable) [
|
||||
(pkgs.writeScriptBin "nixos-kubernetes-node-join" ''
|
||||
set -e
|
||||
exec 1>&2
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
echo "Usage: $(basename $0)"
|
||||
echo ""
|
||||
echo "No args. Apitoken must be provided on stdin."
|
||||
echo "To get the apitoken, execute: 'sudo cat ${certmgrAPITokenPath}' on the master node."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $(id -u) != 0 ]; then
|
||||
echo "Run as root please."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
read -r token
|
||||
if [ ''${#token} != ${toString cfsslAPITokenLength} ]; then
|
||||
echo "Token must be of length ${toString cfsslAPITokenLength}."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo $token > ${certmgrAPITokenPath}
|
||||
chmod 600 ${certmgrAPITokenPath}
|
||||
|
||||
echo "Restarting certmgr..." >&1
|
||||
systemctl restart certmgr
|
||||
|
||||
echo "Waiting for certs to appear..." >&1
|
||||
|
||||
${optionalString top.kubelet.enable ''
|
||||
while [ ! -f ${cfg.certs.kubelet.cert} ]; do sleep 1; done
|
||||
echo "Restarting kubelet..." >&1
|
||||
systemctl restart kubelet
|
||||
''}
|
||||
|
||||
${optionalString top.proxy.enable ''
|
||||
while [ ! -f ${cfg.certs.kubeProxyClient.cert} ]; do sleep 1; done
|
||||
echo "Restarting kube-proxy..." >&1
|
||||
systemctl restart kube-proxy
|
||||
''}
|
||||
|
||||
${optionalString top.flannel.enable ''
|
||||
while [ ! -f ${cfg.certs.flannelClient.cert} ]; do sleep 1; done
|
||||
echo "Restarting flannel..." >&1
|
||||
systemctl restart flannel
|
||||
''}
|
||||
|
||||
echo "Node joined succesfully"
|
||||
'')];
|
||||
|
||||
# isolate etcd on loopback at the master node
|
||||
# easyCerts doesn't support multimaster clusters anyway atm.
|
||||
services.etcd = with cfg.certs.etcd; {
|
||||
listenClientUrls = ["https://127.0.0.1:2379"];
|
||||
listenPeerUrls = ["https://127.0.0.1:2380"];
|
||||
advertiseClientUrls = ["https://etcd.local:2379"];
|
||||
initialCluster = ["${top.masterAddress}=https://etcd.local:2380"];
|
||||
initialAdvertisePeerUrls = ["https://etcd.local:2380"];
|
||||
certFile = mkDefault cert;
|
||||
keyFile = mkDefault key;
|
||||
trustedCaFile = mkDefault caCert;
|
||||
};
|
||||
networking.extraHosts = mkIf (config.services.etcd.enable) ''
|
||||
127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
|
||||
'';
|
||||
|
||||
services.flannel = with cfg.certs.flannelClient; {
|
||||
kubeconfig = top.lib.mkKubeConfig "flannel" {
|
||||
server = top.apiserverAddress;
|
||||
certFile = cert;
|
||||
keyFile = key;
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes = {
|
||||
|
||||
apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; {
|
||||
etcd = with cfg.certs.apiserverEtcdClient; {
|
||||
servers = ["https://etcd.local:2379"];
|
||||
certFile = mkDefault cert;
|
||||
keyFile = mkDefault key;
|
||||
caFile = mkDefault caCert;
|
||||
};
|
||||
clientCaFile = mkDefault caCert;
|
||||
tlsCertFile = mkDefault cert;
|
||||
tlsKeyFile = mkDefault key;
|
||||
serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.cert;
|
||||
kubeletClientCaFile = mkDefault caCert;
|
||||
kubeletClientCertFile = mkDefault cfg.certs.apiserverKubeletClient.cert;
|
||||
kubeletClientKeyFile = mkDefault cfg.certs.apiserverKubeletClient.key;
|
||||
});
|
||||
controllerManager = mkIf top.controllerManager.enable {
|
||||
serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.key;
|
||||
rootCaFile = cfg.certs.controllerManagerClient.caCert;
|
||||
kubeconfig = with cfg.certs.controllerManagerClient; {
|
||||
certFile = mkDefault cert;
|
||||
keyFile = mkDefault key;
|
||||
};
|
||||
};
|
||||
scheduler = mkIf top.scheduler.enable {
|
||||
kubeconfig = with cfg.certs.schedulerClient; {
|
||||
certFile = mkDefault cert;
|
||||
keyFile = mkDefault key;
|
||||
};
|
||||
};
|
||||
kubelet = mkIf top.kubelet.enable {
|
||||
clientCaFile = mkDefault cfg.certs.kubelet.caCert;
|
||||
tlsCertFile = mkDefault cfg.certs.kubelet.cert;
|
||||
tlsKeyFile = mkDefault cfg.certs.kubelet.key;
|
||||
kubeconfig = with cfg.certs.kubeletClient; {
|
||||
certFile = mkDefault cert;
|
||||
keyFile = mkDefault key;
|
||||
};
|
||||
};
|
||||
proxy = mkIf top.proxy.enable {
|
||||
kubeconfig = with cfg.certs.kubeProxyClient; {
|
||||
certFile = mkDefault cert;
|
||||
keyFile = mkDefault key;
|
||||
};
|
||||
};
|
||||
};
|
||||
});
|
||||
}
|
80
nixos/modules/services/cluster/kubernetes/proxy.nix
Normal file
80
nixos/modules/services/cluster/kubernetes/proxy.nix
Normal file
@ -0,0 +1,80 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.proxy;
|
||||
in
|
||||
{
|
||||
|
||||
###### interface
|
||||
options.services.kubernetes.proxy = with lib.types; {
|
||||
|
||||
bindAddress = mkOption {
|
||||
description = "Kubernetes proxy listening address.";
|
||||
default = "0.0.0.0";
|
||||
type = str;
|
||||
};
|
||||
|
||||
enable = mkEnableOption "Whether to enable Kubernetes proxy.";
|
||||
|
||||
extraOpts = mkOption {
|
||||
description = "Kubernetes proxy extra command line options.";
|
||||
default = "";
|
||||
type = str;
|
||||
};
|
||||
|
||||
featureGates = mkOption {
|
||||
description = "List set of feature gates";
|
||||
default = top.featureGates;
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy";
|
||||
|
||||
verbosity = mkOption {
|
||||
description = ''
|
||||
Optional glog verbosity level for logging statements. See
|
||||
<link xlink:href="https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr int;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.kube-proxy = {
|
||||
description = "Kubernetes Proxy Service";
|
||||
wantedBy = [ "kubernetes.target" ];
|
||||
after = [ "kube-apiserver.service" ];
|
||||
path = with pkgs; [ iptables conntrack_tools ];
|
||||
serviceConfig = {
|
||||
Slice = "kubernetes.slice";
|
||||
ExecStart = ''${top.package}/bin/kube-proxy \
|
||||
--bind-address=${cfg.bindAddress} \
|
||||
${optionalString (top.clusterCidr!=null)
|
||||
"--cluster-cidr=${top.clusterCidr}"} \
|
||||
${optionalString (cfg.featureGates != [])
|
||||
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
|
||||
--kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \
|
||||
${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
|
||||
${cfg.extraOpts}
|
||||
'';
|
||||
WorkingDirectory = top.dataDir;
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.pki.certs = {
|
||||
kubeProxyClient = top.lib.mkCert {
|
||||
name = "kube-proxy-client";
|
||||
CN = "system:kube-proxy";
|
||||
action = "systemctl restart kube-proxy.service";
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.proxy.kubeconfig.server = mkDefault top.apiserverAddress;
|
||||
};
|
||||
}
|
92
nixos/modules/services/cluster/kubernetes/scheduler.nix
Normal file
92
nixos/modules/services/cluster/kubernetes/scheduler.nix
Normal file
@ -0,0 +1,92 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
top = config.services.kubernetes;
|
||||
cfg = top.scheduler;
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options.services.kubernetes.scheduler = with lib.types; {
|
||||
|
||||
address = mkOption {
|
||||
description = "Kubernetes scheduler listening address.";
|
||||
default = "127.0.0.1";
|
||||
type = str;
|
||||
};
|
||||
|
||||
enable = mkEnableOption "Whether to enable Kubernetes scheduler.";
|
||||
|
||||
extraOpts = mkOption {
|
||||
description = "Kubernetes scheduler extra command line options.";
|
||||
default = "";
|
||||
type = str;
|
||||
};
|
||||
|
||||
featureGates = mkOption {
|
||||
description = "List set of feature gates";
|
||||
default = top.featureGates;
|
||||
type = listOf str;
|
||||
};
|
||||
|
||||
kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes scheduler";
|
||||
|
||||
leaderElect = mkOption {
|
||||
description = "Whether to start leader election before executing main loop.";
|
||||
type = bool;
|
||||
default = true;
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
description = "Kubernetes scheduler listening port.";
|
||||
default = 10251;
|
||||
type = int;
|
||||
};
|
||||
|
||||
verbosity = mkOption {
|
||||
description = ''
|
||||
Optional glog verbosity level for logging statements. See
|
||||
<link xlink:href="https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md"/>
|
||||
'';
|
||||
default = null;
|
||||
type = nullOr int;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.kube-scheduler = {
|
||||
description = "Kubernetes Scheduler Service";
|
||||
wantedBy = [ "kubernetes.target" ];
|
||||
after = [ "kube-apiserver.service" ];
|
||||
serviceConfig = {
|
||||
Slice = "kubernetes.slice";
|
||||
ExecStart = ''${top.package}/bin/kube-scheduler \
|
||||
--address=${cfg.address} \
|
||||
${optionalString (cfg.featureGates != [])
|
||||
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
|
||||
--kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \
|
||||
--leader-elect=${boolToString cfg.leaderElect} \
|
||||
--port=${toString cfg.port} \
|
||||
${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
|
||||
${cfg.extraOpts}
|
||||
'';
|
||||
WorkingDirectory = top.dataDir;
|
||||
User = "kubernetes";
|
||||
Group = "kubernetes";
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.pki.certs = {
|
||||
schedulerClient = top.lib.mkCert {
|
||||
name = "kube-scheduler-client";
|
||||
CN = "system:kube-scheduler";
|
||||
action = "systemctl restart kube-scheduler.service";
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes.scheduler.kubeconfig.server = mkDefault top.apiserverAddress;
|
||||
};
|
||||
}
|
34
nixos/modules/services/hardware/bolt.nix
Normal file
34
nixos/modules/services/hardware/bolt.nix
Normal file
@ -0,0 +1,34 @@
|
||||
# Thunderbolt 3 device manager
|
||||
|
||||
{ config, lib, pkgs, ...}:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
options = {
|
||||
|
||||
services.hardware.bolt = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable Bolt, a userspace daemon to enable
|
||||
security levels for Thunderbolt 3 on GNU/Linux.
|
||||
|
||||
Bolt is used by GNOME 3 to handle Thunderbolt settings.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf config.services.hardware.bolt.enable {
|
||||
|
||||
environment.systemPackages = [ pkgs.bolt ];
|
||||
services.udev.packages = [ pkgs.bolt ];
|
||||
systemd.packages = [ pkgs.bolt ];
|
||||
|
||||
};
|
||||
}
|
@ -22,7 +22,8 @@ let
|
||||
password = cfg.databasePassword;
|
||||
username = cfg.databaseUsername;
|
||||
encoding = "utf8";
|
||||
};
|
||||
pool = cfg.databasePool;
|
||||
} // cfg.extraDatabaseConfig;
|
||||
};
|
||||
|
||||
gitalyToml = pkgs.writeText "gitaly.toml" ''
|
||||
@ -253,6 +254,18 @@ in {
|
||||
description = "Gitlab database user.";
|
||||
};
|
||||
|
||||
databasePool = mkOption {
|
||||
type = types.int;
|
||||
default = 5;
|
||||
description = "Database connection pool size.";
|
||||
};
|
||||
|
||||
extraDatabaseConfig = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
description = "Extra configuration in config/database.yml.";
|
||||
};
|
||||
|
||||
host = mkOption {
|
||||
type = types.str;
|
||||
default = config.networking.hostName;
|
||||
|
@ -4,11 +4,36 @@ with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.jackett;
|
||||
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.jackett = {
|
||||
enable = mkEnableOption "Jackett";
|
||||
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/jackett/.config/Jackett";
|
||||
description = "The directory where Jackett stores its data files.";
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Open ports in the firewall for the Jackett web interface.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "jackett";
|
||||
description = "User account under which Jackett runs.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "jackett";
|
||||
description = "Group under which Jackett runs.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -18,30 +43,38 @@ in
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
test -d /var/lib/jackett/ || {
|
||||
echo "Creating jackett data directory in /var/lib/jackett/"
|
||||
mkdir -p /var/lib/jackett/
|
||||
test -d ${cfg.dataDir} || {
|
||||
echo "Creating jackett data directory in ${cfg.dataDir}"
|
||||
mkdir -p ${cfg.dataDir}
|
||||
}
|
||||
chown -R jackett:jackett /var/lib/jackett/
|
||||
chmod 0700 /var/lib/jackett/
|
||||
chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
|
||||
chmod 0700 ${cfg.dataDir}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "jackett";
|
||||
Group = "jackett";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = "${pkgs.jackett}/bin/Jackett";
|
||||
ExecStart = "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder '${cfg.dataDir}'";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.jackett = {
|
||||
uid = config.ids.uids.jackett;
|
||||
home = "/var/lib/jackett";
|
||||
group = "jackett";
|
||||
networking.firewall = mkIf cfg.openFirewall {
|
||||
allowedTCPPorts = [ 9117 ];
|
||||
};
|
||||
users.groups.jackett.gid = config.ids.gids.jackett;
|
||||
|
||||
users.users = mkIf (cfg.user == "jackett") {
|
||||
jackett = {
|
||||
group = cfg.group;
|
||||
home = cfg.dataDir;
|
||||
uid = config.ids.uids.jackett;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = mkIf (cfg.group == "jackett") {
|
||||
jackett.gid = config.ids.gids.jackett;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -4,11 +4,36 @@ with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.radarr;
|
||||
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.radarr = {
|
||||
enable = mkEnableOption "Radarr";
|
||||
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/radarr/.config/Radarr";
|
||||
description = "The directory where Radarr stores its data files.";
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Open ports in the firewall for the Radarr web interface.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "radarr";
|
||||
description = "User account under which Radarr runs.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "radarr";
|
||||
description = "Group under which Radarr runs.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -18,30 +43,38 @@ in
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
test -d /var/lib/radarr/ || {
|
||||
echo "Creating radarr data directory in /var/lib/radarr/"
|
||||
mkdir -p /var/lib/radarr/
|
||||
test -d ${cfg.dataDir} || {
|
||||
echo "Creating radarr data directory in ${cfg.dataDir}"
|
||||
mkdir -p ${cfg.dataDir}
|
||||
}
|
||||
chown -R radarr:radarr /var/lib/radarr/
|
||||
chmod 0700 /var/lib/radarr/
|
||||
chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
|
||||
chmod 0700 ${cfg.dataDir}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "radarr";
|
||||
Group = "radarr";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
PermissionsStartOnly = "true";
|
||||
ExecStart = "${pkgs.radarr}/bin/Radarr";
|
||||
ExecStart = "${pkgs.radarr}/bin/Radarr -nobrowser -data='${cfg.dataDir}'";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.radarr = {
|
||||
uid = config.ids.uids.radarr;
|
||||
home = "/var/lib/radarr";
|
||||
group = "radarr";
|
||||
networking.firewall = mkIf cfg.openFirewall {
|
||||
allowedTCPPorts = [ 7878 ];
|
||||
};
|
||||
users.groups.radarr.gid = config.ids.gids.radarr;
|
||||
|
||||
users.users = mkIf (cfg.user == "radarr") {
|
||||
radarr = {
|
||||
group = cfg.group;
|
||||
home = cfg.dataDir;
|
||||
uid = config.ids.uids.radarr;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = mkIf (cfg.group == "radarr") {
|
||||
radarr.gid = config.ids.gids.radarr;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -161,7 +161,10 @@ in {
|
||||
FLANNELD_KUBECONFIG_FILE = cfg.kubeconfig;
|
||||
NODE_NAME = cfg.nodeName;
|
||||
};
|
||||
preStart = mkIf (cfg.storageBackend == "etcd") ''
|
||||
preStart = ''
|
||||
mkdir -p /run/flannel
|
||||
touch /run/flannel/docker
|
||||
'' + optionalString (cfg.storageBackend == "etcd") ''
|
||||
echo "setting network configuration"
|
||||
until ${pkgs.etcdctl.bin}/bin/etcdctl set /coreos.com/network/config '${builtins.toJSON networkConfig}'
|
||||
do
|
||||
@ -169,13 +172,11 @@ in {
|
||||
sleep 1
|
||||
done
|
||||
'';
|
||||
postStart = ''
|
||||
while [ ! -f /run/flannel/subnet.env ]
|
||||
do
|
||||
sleep 1
|
||||
done
|
||||
'';
|
||||
serviceConfig.ExecStart = "${cfg.package}/bin/flannel";
|
||||
serviceConfig = {
|
||||
ExecStart = "${cfg.package}/bin/flannel";
|
||||
Restart = "always";
|
||||
RestartSec = "10s";
|
||||
};
|
||||
};
|
||||
|
||||
services.etcd.enable = mkDefault (cfg.storageBackend == "etcd" && cfg.etcd.endpoints == ["http://127.0.0.1:2379"]);
|
||||
|
@ -40,7 +40,7 @@ let
|
||||
else if (cfg.database.passwordFile != null) then
|
||||
"file_get_contents('${cfg.database.passwordFile}')"
|
||||
else
|
||||
""
|
||||
"''"
|
||||
});
|
||||
define('DB_PORT', '${toString dbPort}');
|
||||
|
||||
|
@ -497,8 +497,8 @@ in
|
||||
default = false;
|
||||
description = ''
|
||||
If enabled, each virtual host gets its own
|
||||
<filename>access_log</filename> and
|
||||
<filename>error_log</filename>, namely suffixed by the
|
||||
<filename>access.log</filename> and
|
||||
<filename>error.log</filename>, namely suffixed by the
|
||||
<option>hostName</option> of the virtual host.
|
||||
'';
|
||||
};
|
||||
|
@ -151,6 +151,7 @@ in {
|
||||
services.colord.enable = mkDefault true;
|
||||
services.packagekit.enable = mkDefault true;
|
||||
hardware.bluetooth.enable = mkDefault true;
|
||||
services.hardware.bolt.enable = mkDefault true;
|
||||
services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
|
||||
services.udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
|
||||
systemd.packages = [ pkgs.gnome3.vino ];
|
||||
|
@ -3,19 +3,17 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.vmwareGuest;
|
||||
cfg = config.virtualisation.vmware.guest;
|
||||
open-vm-tools = if cfg.headless then pkgs.open-vm-tools-headless else pkgs.open-vm-tools;
|
||||
xf86inputvmmouse = pkgs.xorg.xf86inputvmmouse;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.vmwareGuest = {
|
||||
enable = mkEnableOption "VMWare Guest Support";
|
||||
headless = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to disable X11-related features.";
|
||||
};
|
||||
options.virtualisation.vmware.guest = {
|
||||
enable = mkEnableOption "VMWare Guest Support";
|
||||
headless = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to disable X11-related features.";
|
||||
};
|
||||
};
|
||||
|
||||
@ -25,6 +23,8 @@ in
|
||||
message = "VMWare guest is not currently supported on ${pkgs.stdenv.hostPlatform.system}";
|
||||
} ];
|
||||
|
||||
boot.initrd.kernelModules = [ "vmw_pvscsi" ];
|
||||
|
||||
environment.systemPackages = [ open-vm-tools ];
|
||||
|
||||
systemd.services.vmware =
|
||||
|
@ -10,7 +10,6 @@ let
|
||||
mkKubernetesBaseTest =
|
||||
{ name, domain ? "my.zyx", test, machines
|
||||
, pkgs ? import <nixpkgs> { inherit system; }
|
||||
, certs ? import ./certs.nix { inherit pkgs; externalDomain = domain; kubelets = attrNames machines; }
|
||||
, extraConfiguration ? null }:
|
||||
let
|
||||
masterName = head (filter (machineName: any (role: role == "master") machines.${machineName}.roles) (attrNames machines));
|
||||
@ -20,6 +19,10 @@ let
|
||||
${master.ip} api.${domain}
|
||||
${concatMapStringsSep "\n" (machineName: "${machines.${machineName}.ip} ${machineName}.${domain}") (attrNames machines)}
|
||||
'';
|
||||
kubectl = with pkgs; runCommand "wrap-kubectl" { buildInputs = [ makeWrapper ]; } ''
|
||||
mkdir -p $out/bin
|
||||
makeWrapper ${pkgs.kubernetes}/bin/kubectl $out/bin/kubectl --set KUBECONFIG "/etc/kubernetes/cluster-admin.kubeconfig"
|
||||
'';
|
||||
in makeTest {
|
||||
inherit name;
|
||||
|
||||
@ -27,6 +30,7 @@ let
|
||||
{ config, pkgs, lib, nodes, ... }:
|
||||
mkMerge [
|
||||
{
|
||||
boot.postBootCommands = "rm -fr /var/lib/kubernetes/secrets /tmp/shared/*";
|
||||
virtualisation.memorySize = mkDefault 1536;
|
||||
virtualisation.diskSize = mkDefault 4096;
|
||||
networking = {
|
||||
@ -45,34 +49,25 @@ let
|
||||
};
|
||||
};
|
||||
programs.bash.enableCompletion = true;
|
||||
environment.variables = {
|
||||
ETCDCTL_CERT_FILE = "${certs.worker}/etcd-client.pem";
|
||||
ETCDCTL_KEY_FILE = "${certs.worker}/etcd-client-key.pem";
|
||||
ETCDCTL_CA_FILE = "${certs.worker}/ca.pem";
|
||||
ETCDCTL_PEERS = "https://etcd.${domain}:2379";
|
||||
};
|
||||
environment.systemPackages = [ kubectl ];
|
||||
services.flannel.iface = "eth1";
|
||||
services.kubernetes.apiserver.advertiseAddress = master.ip;
|
||||
services.kubernetes = {
|
||||
addons.dashboard.enable = true;
|
||||
|
||||
easyCerts = true;
|
||||
inherit (machine) roles;
|
||||
apiserver = {
|
||||
securePort = 443;
|
||||
advertiseAddress = master.ip;
|
||||
};
|
||||
masterAddress = "${masterName}.${config.networking.domain}";
|
||||
};
|
||||
}
|
||||
(optionalAttrs (any (role: role == "master") machine.roles) {
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
2379 2380 # etcd
|
||||
443 # kubernetes apiserver
|
||||
];
|
||||
services.etcd = {
|
||||
enable = true;
|
||||
certFile = "${certs.master}/etcd.pem";
|
||||
keyFile = "${certs.master}/etcd-key.pem";
|
||||
trustedCaFile = "${certs.master}/ca.pem";
|
||||
peerClientCertAuth = true;
|
||||
listenClientUrls = ["https://0.0.0.0:2379"];
|
||||
listenPeerUrls = ["https://0.0.0.0:2380"];
|
||||
advertiseClientUrls = ["https://etcd.${config.networking.domain}:2379"];
|
||||
initialCluster = ["${masterName}=https://etcd.${config.networking.domain}:2380"];
|
||||
initialAdvertisePeerUrls = ["https://etcd.${config.networking.domain}:2380"];
|
||||
};
|
||||
})
|
||||
(import ./kubernetes-common.nix { inherit (machine) roles; inherit pkgs config certs; })
|
||||
(optionalAttrs (machine ? "extraConfiguration") (machine.extraConfiguration { inherit config pkgs lib nodes; }))
|
||||
(optionalAttrs (extraConfiguration != null) (extraConfiguration { inherit config pkgs lib nodes; }))
|
||||
]
|
||||
|
@ -1,219 +0,0 @@
|
||||
{
|
||||
pkgs ? import <nixpkgs> {},
|
||||
externalDomain ? "myawesomecluster.cluster.yourdomain.net",
|
||||
serviceClusterIp ? "10.0.0.1",
|
||||
kubelets,
|
||||
...
|
||||
}:
|
||||
let
|
||||
runWithCFSSL = name: cmd:
|
||||
let secrets = pkgs.runCommand "${name}-cfss.json" {
|
||||
buildInputs = [ pkgs.cfssl pkgs.jq ];
|
||||
outputs = [ "out" "cert" "key" "csr" ];
|
||||
}
|
||||
''
|
||||
(
|
||||
echo "${cmd}"
|
||||
cfssl ${cmd} > tmp
|
||||
cat tmp | jq -r .key > $key
|
||||
cat tmp | jq -r .cert > $cert
|
||||
cat tmp | jq -r .csr > $csr
|
||||
|
||||
touch $out
|
||||
) 2>&1 | fold -w 80 -s
|
||||
'';
|
||||
in {
|
||||
key = secrets.key;
|
||||
cert = secrets.cert;
|
||||
csr = secrets.csr;
|
||||
};
|
||||
|
||||
writeCFSSL = content:
|
||||
pkgs.runCommand content.name {
|
||||
buildInputs = [ pkgs.cfssl pkgs.jq ];
|
||||
} ''
|
||||
mkdir -p $out
|
||||
cd $out
|
||||
|
||||
json=${pkgs.lib.escapeShellArg (builtins.toJSON content)}
|
||||
|
||||
# for a given $field in the $json, treat the associated value as a
|
||||
# file path and substitute the contents thereof into the $json
|
||||
# object.
|
||||
expandFileField() {
|
||||
local field=$1
|
||||
if jq -e --arg field "$field" 'has($field)'; then
|
||||
local path="$(echo "$json" | jq -r ".$field")"
|
||||
json="$(echo "$json" | jq --arg val "$(cat "$path")" ".$field = \$val")"
|
||||
fi
|
||||
}
|
||||
|
||||
expandFileField key
|
||||
expandFileField ca
|
||||
expandFileField cert
|
||||
|
||||
echo "$json" | cfssljson -bare ${content.name}
|
||||
'';
|
||||
|
||||
noCSR = content: pkgs.lib.filterAttrs (n: v: n != "csr") content;
|
||||
noKey = content: pkgs.lib.filterAttrs (n: v: n != "key") content;
|
||||
|
||||
writeFile = content:
|
||||
if pkgs.lib.isDerivation content
|
||||
then content
|
||||
else pkgs.writeText "content" (builtins.toJSON content);
|
||||
|
||||
createServingCertKey = { ca, cn, hosts? [], size ? 2048, name ? cn }:
|
||||
noCSR (
|
||||
(runWithCFSSL name "gencert -ca=${writeFile ca.cert} -ca-key=${writeFile ca.key} -profile=server -config=${writeFile ca.config} ${writeFile {
|
||||
CN = cn;
|
||||
hosts = hosts;
|
||||
key = { algo = "rsa"; inherit size; };
|
||||
}}") // { inherit name; }
|
||||
);
|
||||
|
||||
createClientCertKey = { ca, cn, groups ? [], size ? 2048, name ? cn }:
|
||||
noCSR (
|
||||
(runWithCFSSL name "gencert -ca=${writeFile ca.cert} -ca-key=${writeFile ca.key} -profile=client -config=${writeFile ca.config} ${writeFile {
|
||||
CN = cn;
|
||||
names = map (group: {O = group;}) groups;
|
||||
hosts = [""];
|
||||
key = { algo = "rsa"; inherit size; };
|
||||
}}") // { inherit name; }
|
||||
);
|
||||
|
||||
createSigningCertKey = { C ? "xx", ST ? "x", L ? "x", O ? "x", OU ? "x", CN ? "ca", emailAddress ? "x", expiry ? "43800h", size ? 2048, name ? CN }:
|
||||
(noCSR (runWithCFSSL CN "genkey -initca ${writeFile {
|
||||
key = { algo = "rsa"; inherit size; };
|
||||
names = [{ inherit C ST L O OU CN emailAddress; }];
|
||||
}}")) // {
|
||||
inherit name;
|
||||
config.signing = {
|
||||
default.expiry = expiry;
|
||||
profiles = {
|
||||
server = {
|
||||
inherit expiry;
|
||||
usages = [
|
||||
"signing"
|
||||
"key encipherment"
|
||||
"server auth"
|
||||
];
|
||||
};
|
||||
client = {
|
||||
inherit expiry;
|
||||
usages = [
|
||||
"signing"
|
||||
"key encipherment"
|
||||
"client auth"
|
||||
];
|
||||
};
|
||||
peer = {
|
||||
inherit expiry;
|
||||
usages = [
|
||||
"signing"
|
||||
"key encipherment"
|
||||
"server auth"
|
||||
"client auth"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
ca = createSigningCertKey {};
|
||||
|
||||
kube-apiserver = createServingCertKey {
|
||||
inherit ca;
|
||||
cn = "kube-apiserver";
|
||||
hosts = ["kubernetes.default" "kubernetes.default.svc" "localhost" "api.${externalDomain}" serviceClusterIp];
|
||||
};
|
||||
|
||||
kubelet = createServingCertKey {
|
||||
inherit ca;
|
||||
cn = "kubelet";
|
||||
hosts = ["*.${externalDomain}"];
|
||||
};
|
||||
|
||||
service-accounts = createServingCertKey {
|
||||
inherit ca;
|
||||
cn = "kube-service-accounts";
|
||||
};
|
||||
|
||||
etcd = createServingCertKey {
|
||||
inherit ca;
|
||||
cn = "etcd";
|
||||
hosts = ["etcd.${externalDomain}"];
|
||||
};
|
||||
|
||||
etcd-client = createClientCertKey {
|
||||
inherit ca;
|
||||
cn = "etcd-client";
|
||||
};
|
||||
|
||||
kubelet-client = createClientCertKey {
|
||||
inherit ca;
|
||||
cn = "kubelet-client";
|
||||
groups = ["system:masters"];
|
||||
};
|
||||
|
||||
apiserver-client = {
|
||||
kubelet = hostname: createClientCertKey {
|
||||
inherit ca;
|
||||
name = "apiserver-client-kubelet-${hostname}";
|
||||
cn = "system:node:${hostname}.${externalDomain}";
|
||||
groups = ["system:nodes"];
|
||||
};
|
||||
|
||||
kube-proxy = createClientCertKey {
|
||||
inherit ca;
|
||||
name = "apiserver-client-kube-proxy";
|
||||
cn = "system:kube-proxy";
|
||||
groups = ["system:kube-proxy" "system:nodes"];
|
||||
};
|
||||
|
||||
kube-controller-manager = createClientCertKey {
|
||||
inherit ca;
|
||||
name = "apiserver-client-kube-controller-manager";
|
||||
cn = "system:kube-controller-manager";
|
||||
groups = ["system:masters"];
|
||||
};
|
||||
|
||||
kube-scheduler = createClientCertKey {
|
||||
inherit ca;
|
||||
name = "apiserver-client-kube-scheduler";
|
||||
cn = "system:kube-scheduler";
|
||||
groups = ["system:kube-scheduler"];
|
||||
};
|
||||
|
||||
admin = createClientCertKey {
|
||||
inherit ca;
|
||||
cn = "admin";
|
||||
groups = ["system:masters"];
|
||||
};
|
||||
};
|
||||
in {
|
||||
master = pkgs.buildEnv {
|
||||
name = "master-keys";
|
||||
paths = [
|
||||
(writeCFSSL (noKey ca))
|
||||
(writeCFSSL kube-apiserver)
|
||||
(writeCFSSL kubelet-client)
|
||||
(writeCFSSL apiserver-client.kube-controller-manager)
|
||||
(writeCFSSL apiserver-client.kube-scheduler)
|
||||
(writeCFSSL service-accounts)
|
||||
(writeCFSSL etcd)
|
||||
];
|
||||
};
|
||||
|
||||
worker = pkgs.buildEnv {
|
||||
name = "worker-keys";
|
||||
paths = [
|
||||
(writeCFSSL (noKey ca))
|
||||
(writeCFSSL kubelet)
|
||||
(writeCFSSL apiserver-client.kube-proxy)
|
||||
(writeCFSSL etcd-client)
|
||||
] ++ map (hostname: writeCFSSL (apiserver-client.kubelet hostname)) kubelets;
|
||||
};
|
||||
|
||||
admin = writeCFSSL apiserver-client.admin;
|
||||
}
|
@ -71,17 +71,17 @@ let
|
||||
|
||||
base = {
|
||||
name = "dns";
|
||||
inherit domain certs extraConfiguration;
|
||||
inherit domain extraConfiguration;
|
||||
};
|
||||
|
||||
singleNodeTest = {
|
||||
test = ''
|
||||
# prepare machine1 for test
|
||||
$machine1->waitUntilSucceeds("kubectl get node machine1.${domain} | grep -w Ready");
|
||||
$machine1->execute("docker load < ${redisImage}");
|
||||
$machine1->waitUntilSucceeds("docker load < ${redisImage}");
|
||||
$machine1->waitUntilSucceeds("kubectl create -f ${redisPod}");
|
||||
$machine1->waitUntilSucceeds("kubectl create -f ${redisService}");
|
||||
$machine1->execute("docker load < ${probeImage}");
|
||||
$machine1->waitUntilSucceeds("docker load < ${probeImage}");
|
||||
$machine1->waitUntilSucceeds("kubectl create -f ${probePod}");
|
||||
|
||||
# check if pods are running
|
||||
@ -99,13 +99,16 @@ let
|
||||
|
||||
multiNodeTest = {
|
||||
test = ''
|
||||
# Node token exchange
|
||||
$machine1->waitUntilSucceeds("cp -f /var/lib/cfssl/apitoken.secret /tmp/shared/apitoken.secret");
|
||||
$machine2->waitUntilSucceeds("cat /tmp/shared/apitoken.secret | nixos-kubernetes-node-join");
|
||||
|
||||
# prepare machines for test
|
||||
$machine1->waitUntilSucceeds("kubectl get node machine1.${domain} | grep -w Ready");
|
||||
$machine1->waitUntilSucceeds("kubectl get node machine2.${domain} | grep -w Ready");
|
||||
$machine2->execute("docker load < ${redisImage}");
|
||||
$machine2->waitUntilSucceeds("docker load < ${redisImage}");
|
||||
$machine1->waitUntilSucceeds("kubectl create -f ${redisPod}");
|
||||
$machine1->waitUntilSucceeds("kubectl create -f ${redisService}");
|
||||
$machine2->execute("docker load < ${probeImage}");
|
||||
$machine2->waitUntilSucceeds("docker load < ${probeImage}");
|
||||
$machine1->waitUntilSucceeds("kubectl create -f ${probePod}");
|
||||
|
||||
# check if pods are running
|
||||
|
@ -1,57 +0,0 @@
|
||||
{ roles, config, pkgs, certs }:
|
||||
with pkgs.lib;
|
||||
let
|
||||
base = {
|
||||
inherit roles;
|
||||
flannel.enable = true;
|
||||
addons.dashboard.enable = true;
|
||||
|
||||
caFile = "${certs.master}/ca.pem";
|
||||
apiserver = {
|
||||
tlsCertFile = "${certs.master}/kube-apiserver.pem";
|
||||
tlsKeyFile = "${certs.master}/kube-apiserver-key.pem";
|
||||
kubeletClientCertFile = "${certs.master}/kubelet-client.pem";
|
||||
kubeletClientKeyFile = "${certs.master}/kubelet-client-key.pem";
|
||||
serviceAccountKeyFile = "${certs.master}/kube-service-accounts.pem";
|
||||
};
|
||||
etcd = {
|
||||
servers = ["https://etcd.${config.networking.domain}:2379"];
|
||||
certFile = "${certs.worker}/etcd-client.pem";
|
||||
keyFile = "${certs.worker}/etcd-client-key.pem";
|
||||
};
|
||||
kubeconfig = {
|
||||
server = "https://api.${config.networking.domain}";
|
||||
};
|
||||
kubelet = {
|
||||
tlsCertFile = "${certs.worker}/kubelet.pem";
|
||||
tlsKeyFile = "${certs.worker}/kubelet-key.pem";
|
||||
hostname = "${config.networking.hostName}.${config.networking.domain}";
|
||||
kubeconfig = {
|
||||
certFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}.pem";
|
||||
keyFile = "${certs.worker}/apiserver-client-kubelet-${config.networking.hostName}-key.pem";
|
||||
};
|
||||
};
|
||||
controllerManager = {
|
||||
serviceAccountKeyFile = "${certs.master}/kube-service-accounts-key.pem";
|
||||
kubeconfig = {
|
||||
certFile = "${certs.master}/apiserver-client-kube-controller-manager.pem";
|
||||
keyFile = "${certs.master}/apiserver-client-kube-controller-manager-key.pem";
|
||||
};
|
||||
};
|
||||
scheduler = {
|
||||
kubeconfig = {
|
||||
certFile = "${certs.master}/apiserver-client-kube-scheduler.pem";
|
||||
keyFile = "${certs.master}/apiserver-client-kube-scheduler-key.pem";
|
||||
};
|
||||
};
|
||||
proxy = {
|
||||
kubeconfig = {
|
||||
certFile = "${certs.worker}/apiserver-client-kube-proxy.pem";
|
||||
keyFile = "${certs.worker}//apiserver-client-kube-proxy-key.pem";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
in {
|
||||
services.kubernetes = base;
|
||||
}
|
@ -96,7 +96,7 @@ let
|
||||
test = ''
|
||||
$machine1->waitUntilSucceeds("kubectl get node machine1.my.zyx | grep -w Ready");
|
||||
|
||||
$machine1->execute("docker load < ${kubectlImage}");
|
||||
$machine1->waitUntilSucceeds("docker load < ${kubectlImage}");
|
||||
|
||||
$machine1->waitUntilSucceeds("kubectl apply -f ${roServiceAccount}");
|
||||
$machine1->waitUntilSucceeds("kubectl apply -f ${roRole}");
|
||||
@ -105,7 +105,7 @@ let
|
||||
|
||||
$machine1->waitUntilSucceeds("kubectl get pod kubectl | grep Running");
|
||||
|
||||
$machine1->succeed("kubectl exec -ti kubectl -- kubectl get pods");
|
||||
$machine1->waitUntilSucceeds("kubectl exec -ti kubectl -- kubectl get pods");
|
||||
$machine1->fail("kubectl exec -ti kubectl -- kubectl create -f /kubectl-pod-2.json");
|
||||
$machine1->fail("kubectl exec -ti kubectl -- kubectl delete pods -l name=kubectl");
|
||||
'';
|
||||
@ -113,10 +113,13 @@ let
|
||||
|
||||
multinode = base // {
|
||||
test = ''
|
||||
$machine1->waitUntilSucceeds("kubectl get node machine1.my.zyx | grep -w Ready");
|
||||
# Node token exchange
|
||||
$machine1->waitUntilSucceeds("cp -f /var/lib/cfssl/apitoken.secret /tmp/shared/apitoken.secret");
|
||||
$machine2->waitUntilSucceeds("cat /tmp/shared/apitoken.secret | nixos-kubernetes-node-join");
|
||||
|
||||
$machine1->waitUntilSucceeds("kubectl get node machine2.my.zyx | grep -w Ready");
|
||||
|
||||
$machine2->execute("docker load < ${kubectlImage}");
|
||||
$machine2->waitUntilSucceeds("docker load < ${kubectlImage}");
|
||||
|
||||
$machine1->waitUntilSucceeds("kubectl apply -f ${roServiceAccount}");
|
||||
$machine1->waitUntilSucceeds("kubectl apply -f ${roRole}");
|
||||
@ -125,7 +128,7 @@ let
|
||||
|
||||
$machine1->waitUntilSucceeds("kubectl get pod kubectl | grep Running");
|
||||
|
||||
$machine1->succeed("kubectl exec -ti kubectl -- kubectl get pods");
|
||||
$machine1->waitUntilSucceeds("kubectl exec -ti kubectl -- kubectl get pods");
|
||||
$machine1->fail("kubectl exec -ti kubectl -- kubectl create -f /kubectl-pod-2.json");
|
||||
$machine1->fail("kubectl exec -ti kubectl -- kubectl delete pods -l name=kubectl");
|
||||
'';
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
buildGoPackage rec {
|
||||
name = "go-ethereum-${version}";
|
||||
version = "1.8.21";
|
||||
version = "1.8.22";
|
||||
goPackagePath = "github.com/ethereum/go-ethereum";
|
||||
|
||||
# Fix for usb-related segmentation faults on darwin
|
||||
@ -16,13 +16,13 @@ buildGoPackage rec {
|
||||
owner = "ethereum";
|
||||
repo = "go-ethereum";
|
||||
rev = "v${version}";
|
||||
sha256 = "1p4qfxa90l26s9q4hddyb93gdf7vb0sb46z9n26ijiqlxdq3z7v2";
|
||||
sha256 = "0ag9qxrf7n0qkccaf6v4jaysivpxvsy5zfzar3mcm65223pqy375";
|
||||
};
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
homepage = https://ethereum.github.io/go-ethereum/;
|
||||
description = "Official golang implementation of the Ethereum protocol";
|
||||
license = with licenses; [ lgpl3 gpl3 ];
|
||||
maintainers = [ maintainers.adisbladis maintainers.lionello ];
|
||||
maintainers = with maintainers; [ adisbladis asymmetric lionello ];
|
||||
};
|
||||
}
|
||||
|
@ -2,11 +2,11 @@
|
||||
|
||||
pythonPackages.buildPythonApplication rec {
|
||||
pname = "Mopidy-Iris";
|
||||
version = "3.32.4";
|
||||
version = "3.32.5";
|
||||
|
||||
src = pythonPackages.fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "16b3dkxland4mjzjs2rz5gbqjapzzmap4d1mfhbrj2ch3plmdy7g";
|
||||
sha256 = "0vs8x26zcakk6c31sc774h2lcdw3syp236vyymmx1jnfsh1jaqpn";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [
|
||||
|
@ -1,8 +1,8 @@
|
||||
{ stdenv, fetchurl, boost, mpd_clientlib, ncurses, pkgconfig, readline
|
||||
, libiconv, icu, curl
|
||||
, outputsSupport ? false # outputs screen
|
||||
, outputsSupport ? true # outputs screen
|
||||
, visualizerSupport ? false, fftw ? null # visualizer screen
|
||||
, clockSupport ? false # clock screen
|
||||
, clockSupport ? true # clock screen
|
||||
, taglibSupport ? true, taglib ? null # tag editor
|
||||
}:
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
{ stdenv, fetchurl, zlib, pkgconfig, mpg123, libogg, libvorbis, portaudio, libsndfile, flac
|
||||
, usePulseAudio ? false, libpulseaudio }:
|
||||
{ config, stdenv, fetchurl, zlib, pkgconfig, mpg123, libogg, libvorbis, portaudio, libsndfile, flac
|
||||
, usePulseAudio ? config.pulseaudio or false, libpulseaudio }:
|
||||
|
||||
let
|
||||
version = "0.4.1";
|
||||
|
@ -55,6 +55,7 @@ stdenv.mkDerivation rec {
|
||||
meta = {
|
||||
homepage = http://www.eclipse.org/;
|
||||
inherit description;
|
||||
platforms = [ "x86_64-linux" ];
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -11,7 +11,14 @@ assert stdenv ? glibc;
|
||||
# http://download.eclipse.org/eclipse/downloads/ is the main place to
|
||||
# find the downloads needed for new versions
|
||||
|
||||
rec {
|
||||
let
|
||||
platform_major = "4";
|
||||
platform_minor = "10";
|
||||
year = "2018";
|
||||
month = "12";
|
||||
timestamp = "201812060815";
|
||||
|
||||
in rec {
|
||||
|
||||
buildEclipse = import ./build-eclipse.nix {
|
||||
inherit stdenv makeDesktopItem freetype fontconfig libX11 libXrender zlib
|
||||
@ -21,133 +28,43 @@ rec {
|
||||
|
||||
### Eclipse CPP
|
||||
|
||||
eclipse-cpp = eclipse-cpp-47; # always point to latest
|
||||
|
||||
eclipse-cpp-47 = buildEclipse {
|
||||
name = "eclipse-cpp-4.7.0";
|
||||
eclipse-cpp = buildEclipse {
|
||||
name = "eclipse-cpp-${platform_major}.${platform_minor}";
|
||||
description = "Eclipse IDE for C/C++ Developers, Oxygen release";
|
||||
src =
|
||||
if stdenv.hostPlatform.system == "x86_64-linux" then
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/oxygen/R/eclipse-cpp-oxygen-R-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "813c791e739d7d0e2ab242a5bacadca135bbeee20ef97aa830353cd90f63fa6e9c89cfcc6aadf635c742befe035bd6e3f15103013f63c419f6144e86ebde3ed1";
|
||||
}
|
||||
else if stdenv.hostPlatform.system == "i686-linux" then
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/oxygen/R/eclipse-cpp-oxygen-R-linux-gtk.tar.gz;
|
||||
sha512 = "2b50f4a00306a89cda1aaaa606e62285cacbf93464a9dd3f3319dca3e2c578b802e685de6f78e5e617d269e21271188effe73d41f491a6de946e28795d82db8a";
|
||||
}
|
||||
else throw "Unsupported system: ${stdenv.hostPlatform.system}";
|
||||
fetchurl {
|
||||
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-cpp-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
|
||||
sha512 = "1f5yr7cydz4iw8c14yn713d44f1g1wkiqiwmb4ikdfx4l70rc5xxsdxv9b4mhm89b02cqnxdh9p5hivkssmnzg0km3ab5bx9mvzgzx7";
|
||||
};
|
||||
};
|
||||
|
||||
eclipse-cpp-37 = buildEclipse {
|
||||
name = "eclipse-cpp-3.7";
|
||||
description = "Eclipse IDE for C/C++ Developers";
|
||||
src =
|
||||
if stdenv.hostPlatform.system == "x86_64-linux" then
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/indigo/R/eclipse-cpp-indigo-incubation-linux-gtk-x86_64.tar.gz;
|
||||
sha256 = "14ppc9g9igzvj1pq7jl01vwhzb66nmzbl9wsdl1sf3xnwa9wnqk3";
|
||||
}
|
||||
else
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/indigo/R/eclipse-cpp-indigo-incubation-linux-gtk.tar.gz;
|
||||
sha256 = "1cvg1vgyazrkinwzlvlf0dpl197p4784752srqybqylyj5psdi3b";
|
||||
};
|
||||
};
|
||||
eclipse_cpp_37 = eclipse-cpp-37; # backward compatibility, added 2016-01-30
|
||||
|
||||
### Eclipse Modeling
|
||||
|
||||
eclipse-modeling = eclipse-modeling-47; # always point to latest
|
||||
|
||||
eclipse-modeling-47 = buildEclipse {
|
||||
name = "eclipse-modeling-4.7";
|
||||
eclipse-modeling = buildEclipse {
|
||||
name = "eclipse-modeling-${platform_major}.${platform_minor}";
|
||||
description = "Eclipse Modeling Tools";
|
||||
src =
|
||||
if stdenv.hostPlatform.system == "x86_64-linux" then
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/oxygen/R/eclipse-modeling-oxygen-R-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "3b9a7ad4b5d6b77fbdd64e8d323e0adb6c2904763ad042b374b4d87cef8607408cb407e395870fc755d58c0c800e20818adcf456ebe193d76cede16c5fe12271";
|
||||
}
|
||||
else
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/oxygen/R/eclipse-modeling-oxygen-R-linux-gtk.tar.gz;
|
||||
sha512 = "b8597c1dec117e69c72a5e1a53e09b1f81a7c9de86ed7e71a9d007664603202df301745f186ded02b2e76410345863e80a2ba40867d6848e5375601289999206";
|
||||
};
|
||||
fetchurl {
|
||||
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-modeling-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
|
||||
sha512 = "18psh1lgqg21dmndyc0yr6rz7piqyk861j9mlhgv9xaq8nz11fb6lil594sk64yyv0qbgi98vp03f1p06zvhgs37k9rjkfjmzl7n97k";
|
||||
};
|
||||
};
|
||||
|
||||
eclipse-modeling-36 = buildEclipse {
|
||||
name = "eclipse-modeling-3.6.2";
|
||||
description = "Eclipse Modeling Tools (includes Incubating components)";
|
||||
src =
|
||||
if stdenv.hostPlatform.system == "x86_64-linux" then
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/helios/SR2/eclipse-modeling-helios-SR2-incubation-linux-gtk-x86_64.tar.gz;
|
||||
sha1 = "e96f5f006298f68476f4a15a2be8589158d5cc61";
|
||||
}
|
||||
else
|
||||
fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/helios/SR2/eclipse-modeling-helios-SR2-incubation-linux-gtk.tar.gz;
|
||||
sha1 = "696377895bb26445de39d82a916b7e69edb1d939";
|
||||
};
|
||||
};
|
||||
eclipse_modeling_36 = eclipse-modeling-36; # backward compatibility, added 2016-01-30
|
||||
|
||||
### Eclipse Platform
|
||||
|
||||
eclipse-platform = eclipse-platform-49; # always point to latest
|
||||
|
||||
eclipse-platform-47 = buildEclipse {
|
||||
name = "eclipse-platform-4.7.3a";
|
||||
description = "Eclipse Platform Oxygen";
|
||||
sources = {
|
||||
"x86_64-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.7.3a-201803300640/eclipse-platform-4.7.3a-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "caf86cd6efaf66258c75434f1adf552587a7395d57dba4cfd20f86196308cf942866d931f4b352f9d39a6fbf14444fcd2167e6bfd146a28c96c229bb9988156a";
|
||||
};
|
||||
"i686-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.7.3a-201803300640/eclipse-platform-4.7.3a-linux-gtk.tar.gz;
|
||||
sha512 = "c633da467774e4ab40f8d51d07b8e7d8403f26f23365c3c3ceeaeec1039b8c23c7508cee1f786bf52db64c7b84e0f91cb31a2848a74ac8271f8504934407bd5c";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
eclipse-platform-48 = buildEclipse {
|
||||
name = "eclipse-platform-4.8";
|
||||
description = "Eclipse Platform Photon";
|
||||
sources = {
|
||||
"x86_64-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.8-201806110500/eclipse-platform-4.8-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "ccce2b954938479e42ef3f9b78f74b24ae4cae7499546fa4f9a55ec1849e1acfd06315d4529b11474a8b3d1142c9409c581edfa571baaf1342ab062f02467af2";
|
||||
};
|
||||
"i686-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.8-201806110500/eclipse-platform-4.8-linux-gtk.tar.gz;
|
||||
sha512 = "f5f407727e22b848931cf38f71b1a0c30a9778aa227c3df137dcceec2fba2ecc309cbfa8b4a660b814d2edb60f65110381497b4325781cab4d6402784139e32b";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
eclipse-platform-49 = buildEclipse {
|
||||
name = "eclipse-platform-4.9";
|
||||
description = "Eclipse Platform 2018-09";
|
||||
sources = {
|
||||
"x86_64-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.9-201809060745/eclipse-platform-4.9-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "875714bb411145c917fccedf2f7c4fd2757640b2debf4a18f775604233abd6f0da893b350cc03da44413d7ec6fae3f773ef08634e632058e4b705e6cda2893eb";
|
||||
};
|
||||
"i686-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.9-201809060745/eclipse-platform-4.9-linux-gtk.tar.gz;
|
||||
sha512 = "758bc0de30fa5c4b76b343ea0325611d87b6928ef5002244f2f1ba2a9fa937de89b2a94ce2c8d33d79344fd574d6e8a72c5d127fe416d785f48600e9e85fce86";
|
||||
};
|
||||
};
|
||||
eclipse-platform = buildEclipse {
|
||||
name = "eclipse-platform-${platform_major}.${platform_minor}";
|
||||
description = "Eclipse Platform ${year}-${month}";
|
||||
src =
|
||||
fetchurl {
|
||||
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops${platform_major}/R-${platform_major}.${platform_minor}-${timestamp}/eclipse-platform-${platform_major}.${platform_minor}-linux-gtk-x86_64.tar.gz";
|
||||
sha512 = "2zdvbjk05a00lbcad9v30rcr93j03d2pycdhpwrvrakr8z4yrxs6svamq9s294ry1w3lw04pgsnqklw6zjx6iil1kp51f374lkfpxn7";
|
||||
};
|
||||
};
|
||||
|
||||
### Eclipse Scala SDK
|
||||
|
||||
eclipse-scala-sdk = eclipse-scala-sdk-441; # always point to latest
|
||||
|
||||
eclipse-scala-sdk-441 = buildEclipse {
|
||||
eclipse-scala-sdk = buildEclipse {
|
||||
name = "eclipse-scala-sdk-4.4.1";
|
||||
description = "Eclipse IDE for Scala Developers";
|
||||
src =
|
||||
@ -165,88 +82,26 @@ rec {
|
||||
|
||||
### Eclipse SDK
|
||||
|
||||
eclipse-sdk = eclipse-sdk-49; # always point to latest
|
||||
|
||||
eclipse-sdk-47 = buildEclipse {
|
||||
name = "eclipse-sdk-4.7.3a";
|
||||
description = "Eclipse Oxygen Classic";
|
||||
sources = {
|
||||
"x86_64-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.7.3a-201803300640/eclipse-SDK-4.7.3a-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "d77e42aca16d26526cef32e363d038258bb8a4616d9dbe6e76dd3656dc2217369436390a82555bde4566bbbdb631813bbaca08602f7bb885cb30e8a26a14873f";
|
||||
};
|
||||
"i686-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.7.3a-201803300640/eclipse-SDK-4.7.3a-linux-gtk.tar.gz;
|
||||
sha512 = "b0b936fd4142ae86ec5c30535cd5e4caf6fe313d814ae5b16f300635e4163a79b748b1eee11792a135114f2265678a74821ec80c2bfd69872769b6d0ccbcde3a";
|
||||
};
|
||||
};
|
||||
eclipse-sdk = buildEclipse {
|
||||
name = "eclipse-sdk-${platform_major}.${platform_minor}";
|
||||
description = "Eclipse ${year}-${month} Classic";
|
||||
src =
|
||||
fetchurl {
|
||||
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops${platform_major}/R-${platform_major}.${platform_minor}-${timestamp}/eclipse-SDK-${platform_major}.${platform_minor}-linux-gtk-x86_64.tar.gz";
|
||||
sha512 = "1kq14vhzcngfhl8kjs722rshny81gxv6wcgln46x7lnpg2274sb9dprhns62fpq97l0355cmg8mnny6fsd1nqibrw09xq932v86cfm8";
|
||||
};
|
||||
};
|
||||
|
||||
eclipse-sdk-48 = buildEclipse {
|
||||
name = "eclipse-sdk-4.8";
|
||||
description = "Eclipse Photon Classic";
|
||||
sources = {
|
||||
"x86_64-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.8-201806110500/eclipse-SDK-4.8-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "357ea9e7f426c68ced693f1c7b76eae23f9e3c7893de1f12d17994ec17b447896b5daa7292d5fbf6d9c4e5b7fd637ca5b2a6ba8ce40a2a7c2fe06f2124d31b75";
|
||||
};
|
||||
"i686-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.8-201806110500/eclipse-SDK-4.8-linux-gtk.tar.gz;
|
||||
sha512 = "c7cae7baa3978d48477090bb9941e85b4c7484021ece9c5c77a7e859e57e5c1f13556262f92b561cfb11f828b934bad7a6018be7b8fd9454e3991e8d5cae9917";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
eclipse-sdk-49 = buildEclipse {
|
||||
name = "eclipse-sdk-4.9";
|
||||
description = "Eclipse 2018-09 Classic";
|
||||
sources = {
|
||||
"x86_64-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.9-201809060745/eclipse-SDK-4.9-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "5e74a0411f56b3973b7c6d8c3727392297d55ad458a814b4cc3f2f6a57dbeebc64852d1a6a958db5c3b08c620093bfb5bcc0d2c6a400f5594b82c2ef5d5fa9fb";
|
||||
};
|
||||
"i686-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.9-201809060745/eclipse-SDK-4.9-linux-gtk.tar.gz;
|
||||
sha512 = "b1861bd99c8e43f1d04247226584246aa7844af5e2da820fe98a51018dbe8ff4c25dbb9fa655f56e103f95c0696f40a65dcce13430c63aa080f786738e70eb8b";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
eclipse-sdk-37 = buildEclipse {
|
||||
name = "eclipse-sdk-3.7";
|
||||
description = "Eclipse Classic";
|
||||
sources = {
|
||||
"x86_64-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops/R-3.7.2-201202080800/eclipse-SDK-3.7.2-linux-gtk-x86_64.tar.gz;
|
||||
sha256 = "0nf4nv7awhp1k8b1hjb7chpjyjrqnyszsjbc4dlk9phpjv3j4wg5";
|
||||
};
|
||||
"i686-linux" = fetchurl {
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops/R-3.7.2-201202080800/eclipse-SDK-3.7.2-linux-gtk.tar.gz;
|
||||
sha256 = "1isn7i45l9kyn2yx6vm88jl1gnxph8ynank0aaa218cg8kdygk7j";
|
||||
};
|
||||
};
|
||||
};
|
||||
eclipse_sdk_37 = eclipse-sdk-37; # backward compatibility, added 2016-01-30
|
||||
|
||||
### Eclipse Java
|
||||
|
||||
eclipse-java = eclipse-java-49;
|
||||
|
||||
eclipse-java-49 = buildEclipse {
|
||||
name = "eclipse-java-4.9.0";
|
||||
eclipse-java = buildEclipse {
|
||||
name = "eclipse-java-${platform_major}.${platform_minor}";
|
||||
description = "Eclipse IDE for Java Developers";
|
||||
src =
|
||||
if stdenv.system == "x86_64-linux" then
|
||||
fetchurl {
|
||||
url = http://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/2018-09/R/eclipse-java-2018-09-linux-gtk-x86_64.tar.gz;
|
||||
sha512 = "9dac5d040cdabf779de3996de87290e352130c7e860c1d0a98772f41da828ad45f90748b68e0a8a4f8d1ebbbbe5fdfe6401b7d871b93af34103d4a81a041c6a5";
|
||||
}
|
||||
else if stdenv.system == "i686-linux" then
|
||||
fetchurl {
|
||||
url = http://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/2018-09/R/eclipse-java-2018-09-linux-gtk.tar.gz;
|
||||
sha512 = "24208e95b972e848d6b65ed8108d9e81584cf051397f2f43fb6269f5a625b8d7552ad77c7980a1a5653c87f06776e2926fd85607aae44e44657b4f6cc9b3e2e3";
|
||||
}
|
||||
else throw "Unsupported system: ${stdenv.system}";
|
||||
fetchurl {
|
||||
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-java-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
|
||||
sha512 = "2xd5q7kg3aly7jnz2fijn06ljmnnd7ggwwzmndfhqwfzxpyjg1lnlln76pcd6chx7gnwdrl7khg0fs566ddabfjv17c46dj5fpw9y6j";
|
||||
};
|
||||
};
|
||||
|
||||
### Environments
|
||||
|
@ -254,12 +254,12 @@ rec {
|
||||
|
||||
cdt = buildEclipseUpdateSite rec {
|
||||
name = "cdt-${version}";
|
||||
version = "9.0.1";
|
||||
version = "9.6.0";
|
||||
|
||||
src = fetchzip {
|
||||
stripRoot = false;
|
||||
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/tools/cdt/releases/9.0/${name}.zip";
|
||||
sha256 = "0vdx0j9ci533wnk7y17qjvjyqx38hlrdw67z6pi05vfv3r6ys39x";
|
||||
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/tools/cdt/releases/9.6/${name}/${name}.zip";
|
||||
sha256 = "08rk3b1va57jcy4s161fx0xmb8dn47akhhxd2f28hspq6i2jqicm";
|
||||
};
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
@ -497,12 +497,12 @@ rec {
|
||||
|
||||
jdt = buildEclipseUpdateSite rec {
|
||||
name = "jdt-${version}";
|
||||
version = "4.9";
|
||||
version = "4.10";
|
||||
|
||||
src = fetchzip {
|
||||
stripRoot = false;
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.9-201809060745/org.eclipse.jdt-4.9.zip;
|
||||
sha256 = "144rqrw0crxd2v862dqxm2p5y60n4pbzdryv709xnhcw54rycm7n";
|
||||
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.10-201812060815/org.eclipse.jdt-4.10.zip;
|
||||
sha256 = "1h11w3zd6xy5w4sk6xnyb2a27wxwhp83qfx67ji7bzdrwbvljqkz";
|
||||
};
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ stdenv, lib, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d
|
||||
{ stdenv, lib, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d, libXcursor
|
||||
, pkgconfig, gettext, libXft, dbus, libpng, libjpeg, libungif
|
||||
, libtiff, librsvg, gconf, libxml2, imagemagick, gnutls, libselinux
|
||||
, alsaLib, cairo, acl, gpm, cf-private, AppKit, GSS, ImageIO, m17n_lib, libotf
|
||||
@ -118,6 +118,17 @@ stdenv.mkDerivation rec {
|
||||
mv nextstep/Emacs.app $out/Applications
|
||||
'';
|
||||
|
||||
postFixup =
|
||||
let libPath = lib.makeLibraryPath [
|
||||
libXcursor
|
||||
];
|
||||
in lib.optionalString (withX && toolkit == "lucid") ''
|
||||
patchelf --set-rpath \
|
||||
"$(patchelf --print-rpath "$out/bin/emacs"):${libPath}" \
|
||||
"$out/bin/emacs"
|
||||
patchelf --add-needed "libXcursor.so.1" "$out/bin/emacs"
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "The extensible, customizable GNU text editor";
|
||||
homepage = https://www.gnu.org/software/emacs/;
|
||||
|
29
pkgs/applications/editors/kdevelop5/kdev-php.nix
Normal file
29
pkgs/applications/editors/kdevelop5/kdev-php.nix
Normal file
@ -0,0 +1,29 @@
|
||||
{ stdenv, lib, fetchurl, cmake, extra-cmake-modules, threadweaver, ktexteditor, kdevelop-unwrapped, kdevelop-pg-qt }:
|
||||
|
||||
let
|
||||
pname = "kdev-php";
|
||||
version = "5.3.1";
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
name = "${pname}-${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/KDE/${pname}/archive/v${version}.tar.gz";
|
||||
sha256 = "1xiz4v6w30dsa7l4nk3jw3hxpkx71b0yaaj2k8s7xzgjif824bgl";
|
||||
};
|
||||
|
||||
cmakeFlags = [
|
||||
"-DBUILD_TESTING=OFF"
|
||||
];
|
||||
|
||||
nativeBuildInputs = [ cmake extra-cmake-modules ];
|
||||
buildInputs = [ kdevelop-pg-qt threadweaver ktexteditor kdevelop-unwrapped ];
|
||||
|
||||
meta = with lib; {
|
||||
maintainers = [ maintainers.aanderse ];
|
||||
platforms = platforms.linux;
|
||||
description = "PHP support for KDevelop";
|
||||
homepage = https://www.kdevelop.org;
|
||||
license = [ licenses.gpl2 ];
|
||||
};
|
||||
}
|
30
pkgs/applications/editors/kdevelop5/kdev-python.nix
Normal file
30
pkgs/applications/editors/kdevelop5/kdev-python.nix
Normal file
@ -0,0 +1,30 @@
|
||||
{ stdenv, lib, fetchurl, cmake, extra-cmake-modules, threadweaver, ktexteditor, kdevelop-unwrapped, python }:
|
||||
|
||||
let
|
||||
pname = "kdev-python";
|
||||
version = "5.3.1";
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
name = "${pname}-${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/KDE/${pname}/archive/v${version}.tar.gz";
|
||||
sha256 = "11hf8n6vrlaz31c0p3xbnf0df2q5j6ykgc9ip0l5g33kadwn5b9j";
|
||||
};
|
||||
|
||||
cmakeFlags = [
|
||||
"-DBUILD_TESTING=OFF"
|
||||
"-DPYTHON_EXECUTABLE=${python}/bin/python"
|
||||
];
|
||||
|
||||
nativeBuildInputs = [ cmake extra-cmake-modules ];
|
||||
buildInputs = [ threadweaver ktexteditor kdevelop-unwrapped ];
|
||||
|
||||
meta = with lib; {
|
||||
maintainers = [ maintainers.aanderse ];
|
||||
platforms = platforms.linux;
|
||||
description = "Python support for KDevelop";
|
||||
homepage = https://www.kdevelop.org;
|
||||
license = [ licenses.gpl2 ];
|
||||
};
|
||||
}
|
@ -43,6 +43,13 @@ mkDerivation rec {
|
||||
"-DCLANG_BUILTIN_DIR=${llvmPackages.clang-unwrapped}/lib/clang/${(builtins.parseDrvName llvmPackages.clang.name).version}/include"
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
# FIXME: temporary until https://invent.kde.org/kde/kdevelop/merge_requests/8 is merged
|
||||
substituteInPlace kdevplatform/language/backgroundparser/parsejob.cpp --replace \
|
||||
'if (internalFilePath.startsWith(dataPath.canonicalPath() + QStringLiteral("/kdev"))) {' \
|
||||
'if (internalFilePath.startsWith(dataPath.canonicalPath() + QStringLiteral("/kdev")) || localFile.startsWith(path + QStringLiteral("/kdev"))) {'
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
# The kdevelop! script (shell environment) needs qdbus and kioclient5 in PATH.
|
||||
wrapProgram "$out/bin/kdevelop!" \
|
||||
|
7
pkgs/applications/editors/kdevelop5/wrapper.nix
Normal file
7
pkgs/applications/editors/kdevelop5/wrapper.nix
Normal file
@ -0,0 +1,7 @@
|
||||
{ symlinkJoin, kdevelop-unwrapped, plugins ? null }:
|
||||
|
||||
symlinkJoin {
|
||||
name = "kdevelop-with-plugins";
|
||||
|
||||
paths = [ kdevelop-unwrapped ] ++ (if plugins != null then plugins else []);
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
{ stdenv, fetchFromGitHub, pkgconfig, libconfig,
|
||||
gtkmm2, glibmm, libxml2, libsecret, curl, libzip,
|
||||
librsvg, gst_all_1, autoreconfHook, makeWrapper,
|
||||
useUnrar ? false, unrar
|
||||
{ config, stdenv, fetchFromGitHub, pkgconfig, libconfig
|
||||
, gtkmm2, glibmm, libxml2, libsecret, curl, libzip
|
||||
, librsvg, gst_all_1, autoreconfHook, makeWrapper
|
||||
, useUnrar ? config.ahoviewer.useUnrar or false, unrar
|
||||
}:
|
||||
|
||||
assert useUnrar -> unrar != null;
|
||||
|
@ -28,6 +28,9 @@ stdenv.mkDerivation rec {
|
||||
|
||||
qmakeFlags = [ "VERSION=${version}" ];
|
||||
|
||||
# src/lexer.l:36:10: fatal error: parser.hxx: No such file or directory
|
||||
enableParallelBuilding = false; # true by default due to qmake
|
||||
|
||||
doCheck = false;
|
||||
|
||||
meta = {
|
||||
|
@ -6,7 +6,7 @@ stdenv, fetchFromGitHub, cmake, makeWrapper
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "paraview-${version}";
|
||||
version = "5.5.2";
|
||||
version = "5.6.0";
|
||||
|
||||
# fetching from GitHub instead of taking an "official" source
|
||||
# tarball because of missing submodules there
|
||||
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
|
||||
owner = "Kitware";
|
||||
repo = "ParaView";
|
||||
rev = "v${version}";
|
||||
sha256 = "1jivph7lppnflmjsiirhgv0mnh8mxx41i1vzkk78ynn00rzacx3j";
|
||||
sha256 = "1j13yfdgcv4yzfr449i4c8r4rs1c9zr6qd3igr4vv3ani8zixkzi";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
{ lib, stdenv, fetchurl
|
||||
{ config, lib, stdenv, fetchurl
|
||||
, enableAlsa ? true, alsaLib ? null
|
||||
, enableLibao ? true, libao ? null
|
||||
, enableLame ? false, lame ? null
|
||||
, enableLame ? config.sox.enableLame or false, lame ? null
|
||||
, enableLibmad ? true, libmad ? null
|
||||
, enableLibogg ? true, libogg ? null, libvorbis ? null
|
||||
, enableFLAC ? true, flac ? null
|
||||
|
@ -1,10 +1,10 @@
|
||||
{ stdenv, lib, fetchurl, boost, cmake, ffmpeg, gettext, glew
|
||||
{ config, stdenv, lib, fetchurl, boost, cmake, ffmpeg, gettext, glew
|
||||
, ilmbase, libXi, libX11, libXext, libXrender
|
||||
, libjpeg, libpng, libsamplerate, libsndfile
|
||||
, libtiff, libGLU_combined, openal, opencolorio, openexr, openimageio, openjpeg_1, pythonPackages
|
||||
, zlib, fftw, opensubdiv, freetype, jemalloc, ocl-icd
|
||||
, jackaudioSupport ? false, libjack2
|
||||
, cudaSupport ? false, cudatoolkit
|
||||
, cudaSupport ? config.cudaSupport or false, cudatoolkit
|
||||
, colladaSupport ? true, opencollada
|
||||
, enableNumpy ? false, makeWrapper
|
||||
}:
|
||||
|
@ -69,7 +69,7 @@ with python3.pkgs; buildPythonApplication rec {
|
||||
homepage = https://github.com/jarun/Buku;
|
||||
license = licenses.gpl3;
|
||||
platforms = platforms.linux;
|
||||
maintainers = with maintainers; [ infinisil ];
|
||||
maintainers = with maintainers; [ matthiasbeyer infinisil ];
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = http://cgg.bzatek.net/;
|
||||
description = "a simple static web photo gallery, designed to be clean and easily usable";
|
||||
license = stdenv.lib.licenses.gpl2;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = [ stdenv.lib.maintainers.matthiasbeyer ];
|
||||
platforms = with stdenv.lib.platforms; linux ++ darwin;
|
||||
};
|
||||
}
|
||||
|
@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = https://github.com/dpayne/cli-visualizer;
|
||||
description = "CLI based audio visualizer";
|
||||
license = stdenv.lib.licenses.mit;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = [ stdenv.lib.maintainers.matthiasbeyer ];
|
||||
platforms = with stdenv.lib.platforms; linux;
|
||||
};
|
||||
}
|
||||
|
@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = http://ctodo.apakoh.dk/;
|
||||
description = "A simple ncurses-based task list manager";
|
||||
license = stdenv.lib.licenses.mit;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = [ stdenv.lib.maintainers.matthiasbeyer ];
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
};
|
||||
}
|
||||
|
@ -14,13 +14,13 @@ in
|
||||
|
||||
python3Packages.buildPythonApplication rec {
|
||||
pname = "electrum";
|
||||
version = "3.3.2";
|
||||
version = "3.3.4";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "spesmilo";
|
||||
repo = "electrum";
|
||||
rev = version;
|
||||
sha256 = "1jsn02azdydpq4plr2552s7ijyqgw6zqm2zx8skwsalgbwmhx12i";
|
||||
sha256 = "0yxdpc602jnd14xz3px85ka0b6db98zwbgfi9a3vj8p1k3mmiwaj";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = with python3Packages; [
|
||||
@ -53,9 +53,6 @@ python3Packages.buildPythonApplication rec {
|
||||
|
||||
preBuild = ''
|
||||
sed -i 's,usr_share = .*,usr_share = "'$out'/share",g' setup.py
|
||||
pyrcc5 icons.qrc -o electrum/gui/qt/icons_rc.py
|
||||
# Recording the creation timestamps introduces indeterminism to the build
|
||||
sed -i '/Created: .*/d' electrum/gui/qt/icons_rc.py
|
||||
sed -i "s|name = 'libzbar.*'|name='${zbar}/lib/libzbar.so'|" electrum/qrscanner.py
|
||||
substituteInPlace ./electrum/ecc_fast.py --replace libsecp256k1.so.0 ${secp256k1}/lib/libsecp256k1.so.0
|
||||
'';
|
||||
|
@ -38,7 +38,7 @@ buildPythonApplication rec {
|
||||
homepage = https://github.com/donnemartin/haxor-news;
|
||||
description = "Browse Hacker News like a haxor";
|
||||
license = licenses.asl20;
|
||||
maintainers = with maintainers; [ ];
|
||||
maintainers = with maintainers; [ matthiasbeyer ];
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = https://github.com/LuRsT/hr;
|
||||
description = "A horizontal bar for your terminal";
|
||||
license = licenses.mit;
|
||||
maintainers = [ ];
|
||||
maintainers = [ maintainers.matthiasbeyer ];
|
||||
platforms = platforms.unix;
|
||||
};
|
||||
}
|
||||
|
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = https://github.com/dvorka/hstr;
|
||||
description = "Shell history suggest box - easily view, navigate, search and use your command history";
|
||||
license = stdenv.lib.licenses.asl20;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = [ stdenv.lib.maintainers.matthiasbeyer ];
|
||||
platforms = with stdenv.lib.platforms; linux; # Cannot test others
|
||||
};
|
||||
|
||||
|
@ -50,6 +50,6 @@ in with python.pkgs; buildPythonApplication rec {
|
||||
homepage = https://github.com/scheibler/khard;
|
||||
description = "Console carddav client";
|
||||
license = stdenv.lib.licenses.gpl3;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = with stdenv.lib.maintainers; [ matthiasbeyer ];
|
||||
};
|
||||
}
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
|
||||
meta = with stdenv.lib; {
|
||||
homepage = https://github.com/visit1985/mdp;
|
||||
description = "A command-line based markdown presentation tool";
|
||||
maintainers = with maintainers; [ vrthra ];
|
||||
maintainers = with maintainers; [ matthiasbeyer vrthra ];
|
||||
license = licenses.gpl3;
|
||||
platforms = with platforms; unix;
|
||||
};
|
||||
|
@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = http://jwilk.net/software/mwic;
|
||||
description = "spell-checker that groups possible misspellings and shows them in their contexts";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ ];
|
||||
maintainers = with maintainers; [ matthiasbeyer ];
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -41,6 +41,6 @@ buildPythonApplication rec {
|
||||
homepage = https://github.com/michael-lazar/rtv;
|
||||
description = "Browse Reddit from your Terminal";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ jgeerds wedens ];
|
||||
maintainers = with maintainers; [ matthiasbeyer jgeerds wedens ];
|
||||
};
|
||||
}
|
||||
|
@ -29,6 +29,6 @@ python3Packages.buildPythonApplication rec {
|
||||
description = "Yet another simple static gallery generator";
|
||||
homepage = http://sigal.saimon.org/en/latest/index.html;
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ domenkozar ];
|
||||
maintainers = with maintainers; [ domenkozar matthiasbeyer ];
|
||||
};
|
||||
}
|
||||
|
@ -19,7 +19,7 @@ stdenv.mkDerivation {
|
||||
homepage = https://github.com/seenaburns/stag;
|
||||
description = "Terminal streaming bar graph passed through stdin";
|
||||
license = stdenv.lib.licenses.bsdOriginal;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = [ stdenv.lib.maintainers.matthiasbeyer ];
|
||||
platforms = stdenv.lib.platforms.unix;
|
||||
};
|
||||
}
|
||||
|
@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
|
||||
meta = with stdenv.lib; {
|
||||
homepage = https://github.com/lharding/tasknc;
|
||||
description = "A ncurses wrapper around taskwarrior";
|
||||
maintainers = with maintainers; [ infinisil ];
|
||||
maintainers = with maintainers; [ matthiasbeyer infinisil ];
|
||||
platforms = platforms.linux; # Cannot test others
|
||||
license = licenses.mit;
|
||||
};
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
|
||||
description = "REPL for taskwarrior";
|
||||
homepage = http://tasktools.org;
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ ];
|
||||
maintainers = with maintainers; [ matthiasbeyer ];
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
|
||||
|
@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
|
||||
description = "A command-line time tracker";
|
||||
homepage = https://taskwarrior.org/docs/timewarrior;
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ mrVanDalo ];
|
||||
maintainers = with maintainers; [ matthiasbeyer mrVanDalo ];
|
||||
platforms = platforms.linux ++ platforms.darwin;
|
||||
};
|
||||
}
|
||||
|
@ -24,7 +24,7 @@ python3Packages.buildPythonApplication rec {
|
||||
description = "Mastodon CLI interface";
|
||||
homepage = "https://github.com/ihabunek/toot";
|
||||
license = licenses.mit;
|
||||
maintainers = [ ];
|
||||
maintainers = [ maintainers.matthiasbeyer ];
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -35,7 +35,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = http://fungi.yuggoth.org/weather;
|
||||
description = "Quick access to current weather conditions and forecasts";
|
||||
license = stdenv.lib.licenses.isc;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = [ stdenv.lib.maintainers.matthiasbeyer ];
|
||||
platforms = with stdenv.lib.platforms; linux; # my only platform
|
||||
};
|
||||
}
|
||||
|
@ -12,13 +12,13 @@ in
|
||||
|
||||
stdenv'.mkDerivation rec {
|
||||
name = "xmr-stak-${version}";
|
||||
version = "2.7.1";
|
||||
version = "2.8.2";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "fireice-uk";
|
||||
repo = "xmr-stak";
|
||||
rev = "${version}";
|
||||
sha256 = "1mlli8sx1f3922ygnwakmi2h3swccz62njxbzxfzbi4hlmvsaz0y";
|
||||
sha256 = "0z0fdh5fmiisx5dgfyyin3ddl8g28fpd64gn8nl8dd6sf3iw8z7p";
|
||||
};
|
||||
|
||||
NIX_CFLAGS_COMPILE = "-O3";
|
||||
|
@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
|
||||
homepage = https://github.com/uobikiemukot/yaft;
|
||||
description = "Yet another framebuffer terminal";
|
||||
license = stdenv.lib.licenses.mit;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = [ stdenv.lib.maintainers.matthiasbeyer ];
|
||||
platforms = with stdenv.lib.platforms; linux;
|
||||
};
|
||||
}
|
||||
|
@ -1,4 +1,6 @@
|
||||
{ pkgs, useMupdf ? true, synctexSupport ? true }:
|
||||
{ config, pkgs
|
||||
, useMupdf ? config.zathura.useMupdf or true
|
||||
, synctexSupport ? true }:
|
||||
|
||||
let
|
||||
callPackage = pkgs.newScope self;
|
||||
|
@ -2,16 +2,16 @@
|
||||
|
||||
rustPlatform.buildRustPackage rec {
|
||||
name = "zola-${version}";
|
||||
version = "0.5.0";
|
||||
version = "0.5.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "getzola";
|
||||
repo = "zola";
|
||||
rev = "v${version}";
|
||||
sha256 = "0as8nrzw9zz10w4xxiibgz8ylghc879b2pwaxnw8sjbji2d9qv63";
|
||||
sha256 = "1jj6yfb3qkfq3nwcxfrc7k1gqyls873imxgpifbwjx9slg6ssis9";
|
||||
};
|
||||
|
||||
cargoSha256 = "0a14hq8d3xjr6yfg5qn5r7npqivm816f1p53bbm826igvpc9hsxa";
|
||||
cargoSha256 = "1hn2l25fariidgdr32mfx2yqb3g8xk4qafs614bdjiyvfrb7j752";
|
||||
|
||||
nativeBuildInputs = [ cmake pkgconfig openssl ];
|
||||
buildInputs = stdenv.lib.optionals stdenv.isDarwin [ CoreServices cf-private ];
|
||||
|
@ -13,11 +13,11 @@
|
||||
stdenv.mkDerivation rec {
|
||||
name = "${product}-${version}";
|
||||
product = "vivaldi";
|
||||
version = "2.3.1440.41-1";
|
||||
version = "2.3.1440.48-1";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://downloads.vivaldi.com/stable/${product}-stable_${version}_amd64.deb";
|
||||
sha256 = "0wrq7c0sw1b41bshwgzji4pwl0raj0l5h2r7gkcg952rcn0wl9bs";
|
||||
sha256 = "0zc9080np82qqqrfavg78vbjfl7w1b4p7f3s6h5wga9f6w1m078c";
|
||||
};
|
||||
|
||||
unpackPhase = ''
|
||||
|
@ -6,11 +6,11 @@
|
||||
stdenv.mkDerivation rec {
|
||||
name = "${product}-${version}";
|
||||
product = "vivaldi-ffmpeg-codecs";
|
||||
version = "72.0.3626.96";
|
||||
version = "72.0.3626.109";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
|
||||
sha512 = "2hawkyydcd0b6ipfigkf5n6c1ha1vknaqd4mgw381pi0ayq8skxbjazqabfcg9gcj84cnksi8j4dylfcrbgrmlnmc479fix0m0xx7cl";
|
||||
sha512 = "0ffpzvamrzw71vfi12sdwqrxc42bhraai21zzx8rp5n12794rr687dzw9hn3735sc0h2bq7c59zc4hcx3ighr2i93iplz35hp883dhy";
|
||||
};
|
||||
|
||||
buildInputs = [ ];
|
||||
|
@ -4,7 +4,7 @@
|
||||
}:
|
||||
|
||||
let
|
||||
version = "1.30.0";
|
||||
version = "1.31.0";
|
||||
|
||||
# Update these on version bumps according to Makefile
|
||||
centOsIsoVersion = "v1.14.0";
|
||||
@ -18,7 +18,7 @@ in buildGoPackage rec {
|
||||
owner = "minishift";
|
||||
repo = "minishift";
|
||||
rev = "v${version}";
|
||||
sha256 = "0p7g7r4m3brssy2znw7pd60aph6m6absqy23x88c07n5n4mv9wj8";
|
||||
sha256 = "0v5hngfz393yi3x4c328g5bjazw02jr59ljqh6ws0j6wzxzm8jxf";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ pkgconfig go-bindata makeWrapper ];
|
||||
@ -28,9 +28,6 @@ in buildGoPackage rec {
|
||||
subPackages = [ "cmd/minishift" ];
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace vendor/github.com/containers/image/storage/storage_image.go \
|
||||
--replace 'nil, diff' 'diff'
|
||||
|
||||
# minishift downloads openshift if not found therefore set the cache to /nix/store/...
|
||||
substituteInPlace pkg/minishift/cache/oc_caching.go \
|
||||
--replace 'filepath.Join(oc.MinishiftCacheDir, OC_CACHE_DIR, oc.OpenShiftVersion, runtime.GOOS)' '"${openshift}/bin"' \
|
||||
|
@ -10,6 +10,7 @@
|
||||
, rubySupport ? true, ruby
|
||||
, tclSupport ? true, tcl
|
||||
, extraBuildInputs ? []
|
||||
, fetchpatch
|
||||
}:
|
||||
|
||||
let
|
||||
@ -27,14 +28,22 @@ let
|
||||
in
|
||||
assert lib.all (p: p.enabled -> ! (builtins.elem null p.buildInputs)) plugins;
|
||||
stdenv.mkDerivation rec {
|
||||
version = "2.3";
|
||||
version = "2.4";
|
||||
name = "weechat-${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://weechat.org/files/src/weechat-${version}.tar.bz2";
|
||||
sha256 = "0mi4pfnyny0vqc35r0scn6yy21y790a5iwq8ms7kch7b7z11jn9w";
|
||||
sha256 = "1z80y5fbrb56wdcx9njrf203r8282wnn3piw3yffk5lvhklsz9k1";
|
||||
};
|
||||
|
||||
patches = [
|
||||
(fetchpatch {
|
||||
url = https://github.com/weechat/weechat/commit/6a9937f08ad2c14aeb0a847ffb99e652d47d8251.patch;
|
||||
sha256 = "1blhgxwqs65dvpw3ppxszxrsg02rx7qck1w71h61ljinyjzri3bp";
|
||||
excludes = [ "ChangeLog.adoc" ];
|
||||
})
|
||||
];
|
||||
|
||||
outputs = [ "out" "man" ] ++ map (p: p.name) enabledPlugins;
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ fetchurl, stdenv, wrapGAppsHook, autoreconfHook
|
||||
{ config, fetchurl, stdenv, wrapGAppsHook, autoreconfHook
|
||||
, curl, dbus, dbus-glib, enchant, gtk2, gnutls, gnupg, gpgme, hicolor-icon-theme
|
||||
, libarchive, libcanberra-gtk2, libetpan, libnotify, libsoup, libxml2, networkmanager
|
||||
, openldap, perl, pkgconfig, poppler, python, shared-mime-info, webkitgtk24x-gtk2
|
||||
@ -10,7 +10,7 @@
|
||||
# gdata requires libgdata
|
||||
# geolocation requires libchamplain
|
||||
, enableLdap ? false
|
||||
, enableNetworkManager ? false
|
||||
, enableNetworkManager ? config.networking.networkmanager.enable or false
|
||||
, enablePgp ? true
|
||||
, enablePluginArchive ? false
|
||||
, enablePluginFancy ? false
|
||||
|
@ -12,7 +12,7 @@
|
||||
with stdenv.lib;
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
version = "0.28.1";
|
||||
version = "0.28.2";
|
||||
name = "notmuch-${version}";
|
||||
|
||||
passthru = {
|
||||
@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://notmuchmail.org/releases/${name}.tar.gz";
|
||||
sha256 = "0mcsfkrp6mpy374m5rwwgm9md8qzvwa3s4rbzid4cnkx2cwfj4fi";
|
||||
sha256 = "0cg9ff7h7mklgbqqknxigxxx1j3p3s2a9cxvrs5ih7j56f04k9l5";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ pkgconfig ];
|
||||
|
@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
|
||||
# The (only) source file states:
|
||||
# License: "Do what you feel is right, but don't be a jerk" public license.
|
||||
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = with stdenv.lib.maintainers; [ matthiasbeyer ];
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -32,6 +32,6 @@ buildPythonApplication rec {
|
||||
homepage = https://beancount.github.io/fava;
|
||||
description = "Web interface for beancount";
|
||||
license = stdenv.lib.licenses.mit;
|
||||
maintainers = with stdenv.lib.maintainers; [ ];
|
||||
maintainers = with stdenv.lib.maintainers; [ matthiasbeyer ];
|
||||
};
|
||||
}
|
||||
|
@ -49,7 +49,7 @@ stdenv.mkDerivation rec {
|
||||
description = "Text-based word processor";
|
||||
homepage = https://cowlark.com/wordgrinder;
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ ];
|
||||
maintainers = with maintainers; [ matthiasbeyer ];
|
||||
platforms = with stdenv.lib.platforms; linux ++ darwin;
|
||||
};
|
||||
}
|
||||
|
@ -1,17 +1,20 @@
|
||||
{ fetchurl, stdenv, ocamlPackages }:
|
||||
{ fetchurl, stdenv, which, dune, ocamlPackages }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "alt-ergo-${version}";
|
||||
version = "2.2.0";
|
||||
version = "2.3.0";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://alt-ergo.ocamlpro.com/download_manager.php?target=${name}.tar.gz";
|
||||
name = "${name}.tar.gz";
|
||||
sha256 = "106zfgisq6qxr7dlk8z7gi68ly7qff4frn8wab2g8z2nkkwla92w";
|
||||
sha256 = "1ycr3ff0gacq1aqzs16n6swgfniwpim0m7rvhcam64kj0a80c6bz";
|
||||
};
|
||||
|
||||
buildInputs = with ocamlPackages;
|
||||
[ ocaml findlib camlzip ocamlgraph zarith lablgtk ocplib-simplex psmt2-frontend menhir num ];
|
||||
buildInputs = [ dune which ] ++ (with ocamlPackages; [
|
||||
ocaml findlib camlzip lablgtk menhir num ocplib-simplex psmt2-frontend seq zarith
|
||||
]);
|
||||
|
||||
preConfigure = "patchShebangs ./configure";
|
||||
|
||||
meta = {
|
||||
description = "High-performance theorem prover and SMT solver";
|
||||
|
@ -1,9 +1,9 @@
|
||||
{ stdenv
|
||||
{ config, stdenv
|
||||
, callPackage
|
||||
, lib
|
||||
, fetchurl
|
||||
, unzip
|
||||
, licenseAccepted ? false
|
||||
, licenseAccepted ? config.sc2-headless.accept_license or false
|
||||
}:
|
||||
|
||||
if !licenseAccepted then throw ''
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ stdenv, lib, runCommand
|
||||
{ config, stdenv, lib, runCommand
|
||||
, fetchFromGitHub
|
||||
, fetchurl
|
||||
, cmake
|
||||
@ -13,8 +13,8 @@
|
||||
, Accelerate, CoreGraphics, CoreVideo
|
||||
, lmdbSupport ? true, lmdb
|
||||
, leveldbSupport ? true, leveldb, snappy
|
||||
, cudaSupport ? stdenv.isLinux, cudatoolkit
|
||||
, cudnnSupport ? false, cudnn ? null
|
||||
, cudaSupport ? config.cudaSupport or false, cudatoolkit
|
||||
, cudnnSupport ? cudaSupport, cudnn ? null
|
||||
, ncclSupport ? false, nccl ? null
|
||||
, pythonSupport ? false, python ? null, numpy ? null
|
||||
, substituteAll
|
||||
|
@ -1,8 +1,8 @@
|
||||
{ lib, stdenv, fetchgit, fetchFromGitHub, cmake
|
||||
{ config, lib, stdenv, fetchgit, fetchFromGitHub, cmake
|
||||
, openblas, opencv3, libzip, boost, protobuf, openmpi
|
||||
, onebitSGDSupport ? false
|
||||
, cudaSupport ? false, cudatoolkit, nvidia_x11
|
||||
, cudnnSupport ? false, cudnn
|
||||
, cudaSupport ? config.cudaSupport or false, cudatoolkit, nvidia_x11
|
||||
, cudnnSupport ? cudaSupport, cudnn
|
||||
}:
|
||||
|
||||
assert cudnnSupport -> cudaSupport;
|
||||
|
@ -1,7 +1,7 @@
|
||||
{ stdenv, lib, fetchurl, bash, cmake
|
||||
{ config, stdenv, lib, fetchurl, bash, cmake
|
||||
, opencv, gtest, openblas, liblapack, perl
|
||||
, cudaSupport ? false, cudatoolkit, nvidia_x11
|
||||
, cudnnSupport ? false, cudnn
|
||||
, cudaSupport ? config.cudaSupport or false, cudatoolkit, nvidia_x11
|
||||
, cudnnSupport ? cudaSupport, cudnn
|
||||
}:
|
||||
|
||||
assert cudnnSupport -> cudaSupport;
|
||||
|
@ -28,7 +28,7 @@ pythonPackages.buildPythonApplication rec {
|
||||
homepage = http://www.bugseverywhere.org/;
|
||||
license = licenses.gpl2Plus;
|
||||
platforms = platforms.all;
|
||||
maintainers = [ ];
|
||||
maintainers = [ maintainers.matthiasbeyer ];
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -49,6 +49,6 @@ buildRustPackage rec {
|
||||
inherit (src.meta) homepage;
|
||||
description = "Decentralized Issue Tracking for git";
|
||||
license = licenses.gpl2;
|
||||
maintainers = with maintainers; [ Profpatsch ];
|
||||
maintainers = with maintainers; [ Profpatsch matthiasbeyer ];
|
||||
};
|
||||
}
|
||||
|
@ -1,32 +1,32 @@
|
||||
{
|
||||
"ce": {
|
||||
"version": "11.7.4",
|
||||
"repo_hash": "0qq9snykdlpkpbznwpkv0n7bz1rsgz4z7lcjl4xkjxkf2gkf8pxp",
|
||||
"deb_hash": "1j76jya0ydyg7v3vcdfjmcr5ir23yzdwmg9fxlirvgh74py7q85c",
|
||||
"deb_url": "https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/stretch/gitlab-ce_11.7.4-ce.0_amd64.deb/download.deb",
|
||||
"version": "11.7.5",
|
||||
"repo_hash": "0bbyx9zmscf9273fgypb82gw166psy7d3p7dnwb6f5r9yz7rmhbn",
|
||||
"deb_hash": "1m6hdvrz467q33z626l9f3d5pssl0bbj2hkqy5g0b05wvdznmldy",
|
||||
"deb_url": "https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/stretch/gitlab-ce_11.7.5-ce.0_amd64.deb/download.deb",
|
||||
"owner": "gitlab-org",
|
||||
"repo": "gitlab-ce",
|
||||
"rev": "v11.7.4",
|
||||
"rev": "v11.7.5",
|
||||
"passthru": {
|
||||
"GITALY_SERVER_VERSION": "1.12.2",
|
||||
"GITLAB_PAGES_VERSION": "1.3.1",
|
||||
"GITLAB_SHELL_VERSION": "8.4.4",
|
||||
"GITLAB_WORKHORSE_VERSION": "8.0.1"
|
||||
"GITLAB_WORKHORSE_VERSION": "8.0.2"
|
||||
}
|
||||
},
|
||||
"ee": {
|
||||
"version": "11.7.4",
|
||||
"repo_hash": "0riqww094ylbbwb9mhjpsqhrdpxlcf6rc5p796p7x7f46p31mcjb",
|
||||
"deb_hash": "02hnhhyrm4a3lgwnl399byka2dr5q3pjirki447373270ca93h5i",
|
||||
"deb_url": "https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/stretch/gitlab-ee_11.7.4-ee.0_amd64.deb/download.deb",
|
||||
"version": "11.7.5",
|
||||
"repo_hash": "05dzvqrdgxbzsrf9rbis5m3iic04midx2arxgg3g4f78qfjxzylm",
|
||||
"deb_hash": "1nfd68vzy3zc6a3xn5lhr83kqv9d7aaxvzv4ca9awcz4va5b33kc",
|
||||
"deb_url": "https://packages.gitlab.com/gitlab/gitlab-ee/packages/debian/stretch/gitlab-ee_11.7.5-ee.0_amd64.deb/download.deb",
|
||||
"owner": "gitlab-org",
|
||||
"repo": "gitlab-ee",
|
||||
"rev": "v11.7.4-ee",
|
||||
"rev": "v11.7.5-ee",
|
||||
"passthru": {
|
||||
"GITALY_SERVER_VERSION": "1.12.2",
|
||||
"GITLAB_PAGES_VERSION": "1.3.1",
|
||||
"GITLAB_SHELL_VERSION": "8.4.4",
|
||||
"GITLAB_WORKHORSE_VERSION": "8.0.1"
|
||||
"GITLAB_WORKHORSE_VERSION": "8.0.2"
|
||||
}
|
||||
}
|
||||
}
|
@ -3,13 +3,13 @@
|
||||
stdenv.mkDerivation rec {
|
||||
name = "gitlab-workhorse-${version}";
|
||||
|
||||
version = "8.0.1";
|
||||
version = "8.0.2";
|
||||
|
||||
src = fetchFromGitLab {
|
||||
owner = "gitlab-org";
|
||||
repo = "gitlab-workhorse";
|
||||
rev = "v${version}";
|
||||
sha256 = "1aslcadag1q2rdirf9m0dl5vfaz8v3yy1232mvyjyvy1wb51pf4q";
|
||||
sha256 = "12xwr9yl59i58gnf0yn5yjp7zwz3s46042lk7rihvvzsa0kax690";
|
||||
};
|
||||
|
||||
buildInputs = [ git go ];
|
||||
|
@ -29,12 +29,12 @@
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
version = "1.2.0";
|
||||
name = "handbrake-${version}";
|
||||
pname = "handbrake";
|
||||
version = "1.2.1";
|
||||
|
||||
src = fetchurl {
|
||||
url = ''https://download2.handbrake.fr/${version}/HandBrake-${version}-source.tar.bz2'';
|
||||
sha256 = "03clkknaq3mz84p85cvr21gsy9b8vv2g4vvyfz44hz8la253jfqi";
|
||||
sha256 = "0gbqzar49c8ygz6chnsz65xgsdcwr60lbc8ivnw8i6xjggn6wc80";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [
|
||||
|
@ -1,9 +1,9 @@
|
||||
{ stdenv, fetchurl, fetchFromGitHub, makeWrapper
|
||||
{ config, stdenv, fetchurl, fetchFromGitHub, makeWrapper
|
||||
, docutils, perl, pkgconfig, python3, which, ffmpeg_4
|
||||
, freefont_ttf, freetype, libass, libpthreadstubs, mujs
|
||||
, lua, libuchardet, libiconv ? null, darwin
|
||||
|
||||
, waylandSupport ? false
|
||||
, waylandSupport ? stdenv.isLinux
|
||||
, wayland ? null
|
||||
, wayland-protocols ? null
|
||||
, libxkbcommon ? null
|
||||
@ -24,30 +24,30 @@
|
||||
, vulkan-headers ? null
|
||||
, vulkan-loader ? null
|
||||
|
||||
, alsaSupport ? true, alsaLib ? null
|
||||
, bluraySupport ? true, libbluray ? null
|
||||
, bs2bSupport ? true, libbs2b ? null
|
||||
, cacaSupport ? true, libcaca ? null
|
||||
, cmsSupport ? true, lcms2 ? null
|
||||
, drmSupport ? true, libdrm ? null
|
||||
, dvdnavSupport ? true, libdvdnav ? null
|
||||
, dvdreadSupport ? true, libdvdread ? null
|
||||
, libpngSupport ? true, libpng ? null
|
||||
, pulseSupport ? true, libpulseaudio ? null
|
||||
, rubberbandSupport ? true, rubberband ? null
|
||||
, screenSaverSupport ? true, libXScrnSaver ? null
|
||||
, sdl2Support ? true, SDL2 ? null
|
||||
, speexSupport ? true, speex ? null
|
||||
, theoraSupport ? true, libtheora ? null
|
||||
, vaapiSupport ? true, libva ? null
|
||||
, vdpauSupport ? true, libvdpau ? null
|
||||
, xineramaSupport ? true, libXinerama ? null
|
||||
, xvSupport ? true, libXv ? null
|
||||
, youtubeSupport ? true, youtube-dl ? null
|
||||
, archiveSupport ? false, libarchive ? null
|
||||
, jackaudioSupport ? false, libjack2 ? null
|
||||
, openalSupport ? false, openalSoft ? null
|
||||
, vapoursynthSupport ? false, vapoursynth ? null
|
||||
, alsaSupport ? stdenv.isLinux, alsaLib ? null
|
||||
, bluraySupport ? true, libbluray ? null
|
||||
, bs2bSupport ? true, libbs2b ? null
|
||||
, cacaSupport ? true, libcaca ? null
|
||||
, cmsSupport ? true, lcms2 ? null
|
||||
, drmSupport ? stdenv.isLinux, libdrm ? null
|
||||
, dvdnavSupport ? stdenv.isLinux, libdvdnav ? null
|
||||
, dvdreadSupport ? stdenv.isLinux, libdvdread ? null
|
||||
, libpngSupport ? true, libpng ? null
|
||||
, pulseSupport ? config.pulseaudio or stdenv.isLinux, libpulseaudio ? null
|
||||
, rubberbandSupport ? stdenv.isLinux, rubberband ? null
|
||||
, screenSaverSupport ? true, libXScrnSaver ? null
|
||||
, sdl2Support ? true, SDL2 ? null
|
||||
, speexSupport ? true, speex ? null
|
||||
, theoraSupport ? true, libtheora ? null
|
||||
, vaapiSupport ? stdenv.isLinux, libva ? null
|
||||
, vdpauSupport ? true, libvdpau ? null
|
||||
, xineramaSupport ? stdenv.isLinux, libXinerama ? null
|
||||
, xvSupport ? stdenv.isLinux, libXv ? null
|
||||
, youtubeSupport ? true, youtube-dl ? null
|
||||
, archiveSupport ? false, libarchive ? null
|
||||
, jackaudioSupport ? false, libjack2 ? null
|
||||
, openalSupport ? false, openalSoft ? null
|
||||
, vapoursynthSupport ? false, vapoursynth ? null
|
||||
}:
|
||||
|
||||
with stdenv.lib;
|
||||
@ -92,7 +92,7 @@ let
|
||||
"http://www.freehackers.org/~tnagy/release/waf-${wafVersion}" ];
|
||||
sha256 = "0j7sbn3w6bgslvwwh5v9527w3gi2sd08kskrgxamx693y0b0i3ia";
|
||||
};
|
||||
luaEnv = lua.withPackages(ps: with ps; [ luasocket]);
|
||||
luaEnv = lua.withPackages(ps: with ps; [ luasocket ]);
|
||||
|
||||
in stdenv.mkDerivation rec {
|
||||
name = "mpv-${version}";
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ stdenv
|
||||
{ config, stdenv
|
||||
, fetchFromGitHub
|
||||
, fetchpatch
|
||||
, cmake
|
||||
@ -26,9 +26,9 @@
|
||||
, swig
|
||||
, python3
|
||||
|
||||
, alsaSupport ? false
|
||||
, alsaSupport ? stdenv.isLinux
|
||||
, alsaLib
|
||||
, pulseaudioSupport ? false
|
||||
, pulseaudioSupport ? config.pulseaudio or stdenv.isLinux
|
||||
, libpulseaudio
|
||||
}:
|
||||
|
||||
|
@ -3,13 +3,13 @@
|
||||
stdenv.mkDerivation rec {
|
||||
name = "${pname}-${version}";
|
||||
pname = "dynamips";
|
||||
version = "0.2.19";
|
||||
version = "0.2.20";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "GNS3";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
sha256 = "0x63m37vjyp57900x09gfvw02cwg85b33918x7fjj9x37wgmi5qf";
|
||||
sha256 = "1841h0m0k0p3c3ify4imafjk7jigcj2zlr8rn3iyp7jnafkxqik7";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ cmake ];
|
||||
|
@ -1,7 +1,7 @@
|
||||
{ fetchurl, stdenv }:
|
||||
|
||||
let
|
||||
version = "0.13.0";
|
||||
version = "0.14.0";
|
||||
baseurl = "https://github.com/firecracker-microvm/firecracker/releases/download";
|
||||
|
||||
fetchbin = name: sha256: fetchurl {
|
||||
@ -9,8 +9,8 @@ let
|
||||
inherit sha256;
|
||||
};
|
||||
|
||||
firecracker-bin = fetchbin "firecracker" "1wdcy4vmnx216jnza7bz6czlqpsjrnpqfsb5d322ld4gzbylm718";
|
||||
jailer-bin = fetchbin "jailer" "0k0sc5138bh35ciim2l78ma9g5x18dw098f2ar5y31ybr8i4q60y";
|
||||
firecracker-bin = fetchbin "firecracker" "02d7s2hzhl13k5linlav7yc4kg9v70sccc3ysfgaqq8hz7zfqywg";
|
||||
jailer-bin = fetchbin "jailer" "120n14zjnm21s39dza99p003bn5n0n5fzcyaw4l6laq336r24gvi";
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
name = "firecracker-${version}";
|
||||
|
@ -1,5 +1,5 @@
|
||||
{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, glib, dbus-glib
|
||||
, desktopSupport, xorg
|
||||
, desktopSupport ? "gnomeflashback", xorg
|
||||
, gtk2
|
||||
, gtk3, gnome3, mate
|
||||
, libxfce4util, xfce4-panel
|
||||
|
@ -187,6 +187,7 @@ stdenv.mkDerivation {
|
||||
else if targetPlatform.isPower then if targetPlatform.isBigEndian then "ppc" else "lppc"
|
||||
else if targetPlatform.isSparc then "sparc"
|
||||
else if targetPlatform.isAvr then "avr"
|
||||
else if targetPlatform.isAlpha then "alpha"
|
||||
else throw "unknown emulation for platform: " + targetPlatform.config;
|
||||
in targetPlatform.platform.bfdEmulation or (fmt + sep + arch);
|
||||
|
||||
|
@ -33,7 +33,9 @@ in stdenv.mkDerivation (fBuildAttrs // {
|
||||
# sandbox enabled. Code here
|
||||
# https://github.com/bazelbuild/bazel/blob/9323c57607d37f9c949b60e293b573584906da46/src/main/cpp/startup_options.cc#L123-L124
|
||||
#
|
||||
USER=homeless-shelter bazel --output_base="$bazelOut" --output_user_root="$bazelUserRoot" fetch $bazelFlags $bazelTarget
|
||||
# On macOS Bazel will use the system installed Xcode or CLT toolchain instead of the one in the PATH unless we pass BAZEL_USE_CPP_ONLY_TOOLCHAIN
|
||||
#
|
||||
BAZEL_USE_CPP_ONLY_TOOLCHAIN=1 USER=homeless-shelter bazel --output_base="$bazelOut" --output_user_root="$bazelUserRoot" fetch $bazelFlags $bazelTarget
|
||||
|
||||
runHook postBuild
|
||||
'';
|
||||
@ -90,7 +92,42 @@ in stdenv.mkDerivation (fBuildAttrs // {
|
||||
buildPhase = fBuildAttrs.buildPhase or ''
|
||||
runHook preBuild
|
||||
|
||||
bazel --output_base="$bazelOut" --output_user_root="$bazelUserRoot" build -j $NIX_BUILD_CORES $bazelFlags $bazelTarget
|
||||
# Bazel sandboxes the execution of the tools it invokes, so even though we are
|
||||
# calling the correct nix wrappers, the values of the environment variables
|
||||
# the wrappers are expecting will not be set. So instead of relying on the
|
||||
# wrappers picking them up, pass them in explicitly via `--copt`, `--linkopt`
|
||||
# and related flags.
|
||||
#
|
||||
copts=()
|
||||
host_copts=()
|
||||
for flag in $NIX_CFLAGS_COMPILE; do
|
||||
copts+=( "--copt=$flag" )
|
||||
host_copts+=( "--host_copt=$flag" )
|
||||
done
|
||||
for flag in $NIX_CXXSTDLIB_COMPILE; do
|
||||
copts+=( "--copt=$flag" )
|
||||
host_copts+=( "--host_copt=$flag" )
|
||||
done
|
||||
linkopts=()
|
||||
host_linkopts=()
|
||||
for flag in $NIX_LD_FLAGS; do
|
||||
linkopts+=( "--linkopt=$flag" )
|
||||
host_linkopts+=( "--host_linkopt=$flag" )
|
||||
done
|
||||
|
||||
BAZEL_USE_CPP_ONLY_TOOLCHAIN=1 \
|
||||
USER=homeless-shelter \
|
||||
bazel \
|
||||
--output_base="$bazelOut" \
|
||||
--output_user_root="$bazelUserRoot" \
|
||||
build \
|
||||
-j $NIX_BUILD_CORES \
|
||||
"''${copts[@]}" \
|
||||
"''${host_copts[@]}" \
|
||||
"''${linkopts[@]}" \
|
||||
"''${host_linkopts[@]}" \
|
||||
$bazelFlags \
|
||||
$bazelTarget
|
||||
|
||||
runHook postBuild
|
||||
'';
|
||||
|
@ -1,4 +1,4 @@
|
||||
{stdenvNoCC, subversion, glibcLocales, sshSupport ? false, openssh ? null}:
|
||||
{stdenvNoCC, subversion, glibcLocales, sshSupport ? true, openssh ? null}:
|
||||
{url, rev ? "HEAD", md5 ? "", sha256 ? ""
|
||||
, ignoreExternals ? false, ignoreKeywords ? false, name ? null
|
||||
, preferLocalBuild ? true }:
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user