Merge staging-next into staging

This commit is contained in:
Frederik Rietdijk 2020-01-28 10:48:36 +01:00
commit cdff57e1fc
887 changed files with 18829 additions and 16536 deletions

2
.github/CODEOWNERS vendored
View File

@ -14,7 +14,9 @@
/lib @edolstra @nbp @infinisil
/lib/systems @nbp @ericson2314 @matthewbauer
/lib/generators.nix @edolstra @nbp @Profpatsch
/lib/cli.nix @edolstra @nbp @Profpatsch
/lib/debug.nix @edolstra @nbp @Profpatsch
/lib/asserts.nix @edolstra @nbp @Profpatsch
# Nixpkgs Internals
/default.nix @nbp

View File

@ -48,6 +48,15 @@ In addition to writing properly formatted commit messages, it's important to inc
For package version upgrades and such a one-line commit message is usually sufficient.
## Backporting changes
To [backport a change into a release branch](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches):
1. Take note of the commit in which the change was introduced into `master`.
2. Check out the target _release branch_, e.g. `release-19.09`. Do not use a _channel branch_ like `nixos-19.09` or `nixpkgs-19.09`.
3. Use `git cherry-pick -x <original commit>`.
4. Open your backport PR. Make sure to select the release branch (e.g. `release-19.09`) as the target branch of the PR, and link to the PR in which the original change was made to `master`.
## Reviewing contributions
See the nixpkgs manual for more details on how to [Review contributions](https://nixos.org/nixpkgs/manual/#chap-reviewing-contributions).

View File

@ -80,7 +80,7 @@ appimageTools.wrapType2 { # or wrapType1
<varname>src</varname> specifies the AppImage file to extract.
</para>
</callout>
<callout arearefs='ex-appimageTools-wrapping-2'>
<callout arearefs='ex-appimageTools-wrapping-3'>
<para>
<varname>extraPkgs</varname> allows you to pass a function to include additional packages inside the FHS environment your AppImage is going to run in. There are a few ways to learn which dependencies an application needs:
<itemizedlist>

View File

@ -1029,36 +1029,43 @@ If you want to create a Python environment for development, then the recommended
method is to use `nix-shell`, either with or without the `python.buildEnv`
function.
### How to consume python modules using pip in a virtualenv like I am used to on other Operating Systems ?
### How to consume python modules using pip in a virtual environment like I am used to on other Operating Systems?
This is an example of a `default.nix` for a `nix-shell`, which allows to consume a `virtualenv` environment,
While this approach is not very idiomatic from Nix perspective, it can still be useful when dealing with pre-existing
projects or in situations where it's not feasible or desired to write derivations for all required dependencies.
This is an example of a `default.nix` for a `nix-shell`, which allows to consume a virtual environment created by `venv`,
and install python modules through `pip` the traditional way.
Create this `default.nix` file, together with a `requirements.txt` and simply execute `nix-shell`.
```nix
with import <nixpkgs> {};
with import <nixpkgs> { };
let
pythonPackages = python27Packages;
in
stdenv.mkDerivation {
pythonPackages = python3Packages;
in pkgs.mkShell rec {
name = "impurePythonEnv";
src = null;
venvDir = "./.venv";
buildInputs = [
# these packages are required for virtualenv and pip to work:
#
pythonPackages.virtualenv
pythonPackages.pip
# A python interpreter including the 'venv' module is required to bootstrap
# the environment.
pythonPackages.python
# This execute some shell code to initialize a venv in $venvDir before
# dropping into the shell
pythonPackages.venvShellHook
# Those are dependencies that we would like to use from nixpkgs, which will
# add them to PYTHONPATH and thus make them accessible from within the venv.
pythonPackages.numpy
pythonPackages.requests
# the following packages are related to the dependencies of your python
# project.
# In this particular example the python modules listed in the
# requirements.txt require the following packages to be installed locally
# in order to compile any binary extensions they may require.
#
taglib
openssl
git
@ -1068,11 +1075,47 @@ stdenv.mkDerivation {
zlib
];
# Now we can execute any commands within the virtual environment
postShellHook = ''
pip install -r requirements.txt
'';
}
```
In case the supplied venvShellHook is insufficient, or when python 2 support is needed,
you can define your own shell hook and adapt to your needs like in the following example:
```nix
with import <nixpkgs> { };
let
venvDir = "./.venv";
in pkgs.mkShell rec {
name = "impurePythonEnv";
buildInputs = [
python3Packages.python
python3Packages.virtualenv
...
];
# This is very close to how venvShellHook is implemented, but
# adapted to use 'virtualenv'
shellHook = ''
# set SOURCE_DATE_EPOCH so that we can use python wheels
SOURCE_DATE_EPOCH=$(date +%s)
virtualenv --python=${pythonPackages.python.interpreter} --no-setuptools venv
export PATH=$PWD/venv/bin:$PATH
if [ -d "${venvDir}" ]; then
echo "Skipping venv creation, '${venvDir}' already exists"
else
echo "Creating new venv environment in path: '${venvDir}'"
${pythonPackages.python.interpreter} -m venv "${venvDir}"
fi
# Under some circumstances it might be necessary to add your virtual
# environment to PYTHONPATH, which you can do here too;
# PYTHONPATH=$PWD/${venvDir}/${python.sitePackages}/:$PYTHONPATH
source "${venvDir}/bin/activate"
pip install -r requirements.txt
'';
}

View File

@ -16,12 +16,6 @@ cargo
into the `environment.systemPackages` or bring them into
scope with `nix-shell -p rustc cargo`.
> If you are using NixOS and you want to use rust without a nix expression you
> probably want to add the following in your `configuration.nix` to build
> crates with C dependencies.
>
> environment.systemPackages = [binutils gcc gnumake openssl pkgconfig]
For daily builds (beta and nightly) use either rustup from
nixpkgs or use the [Rust nightlies
overlay](#using-the-rust-nightlies-overlay).

View File

@ -60,7 +60,7 @@ rec {
[ { name = head attrPath; value = setAttrByPath (tail attrPath) value; } ];
/* Like `getAttrPath' without a default value. If it doesn't find the
/* Like `attrByPath' without a default value. If it doesn't find the
path it will throw.
Example:

View File

@ -6,50 +6,77 @@ rec {
This helps protect against malformed command lines and also to reduce
boilerplate related to command-line construction for simple use cases.
`toGNUCommandLine` returns a list of nix strings.
`toGNUCommandLineShell` returns an escaped shell string.
Example:
encodeGNUCommandLine
{ }
{ data = builtins.toJSON { id = 0; };
cli.toGNUCommandLine {} {
data = builtins.toJSON { id = 0; };
X = "PUT";
retry = 3;
retry-delay = null;
url = [ "https://example.com/foo" "https://example.com/bar" ];
silent = false;
verbose = true;
}
=> [
"-X" "PUT"
"--data" "{\"id\":0}"
"--retry" "3"
"--url" "https://example.com/foo"
"--url" "https://example.com/bar"
"--verbose"
]
X = "PUT";
retry = 3;
retry-delay = null;
url = [ "https://example.com/foo" "https://example.com/bar" ];
silent = false;
verbose = true;
};
=> "'-X' 'PUT' '--data' '{\"id\":0}' '--retry' '3' '--url' 'https://example.com/foo' '--url' 'https://example.com/bar' '--verbose'"
cli.toGNUCommandLineShell {} {
data = builtins.toJSON { id = 0; };
X = "PUT";
retry = 3;
retry-delay = null;
url = [ "https://example.com/foo" "https://example.com/bar" ];
silent = false;
verbose = true;
}
=> "'-X' 'PUT' '--data' '{\"id\":0}' '--retry' '3' '--url' 'https://example.com/foo' '--url' 'https://example.com/bar' '--verbose'";
*/
encodeGNUCommandLine =
toGNUCommandLineShell =
options: attrs: lib.escapeShellArgs (toGNUCommandLine options attrs);
toGNUCommandLine =
{ renderKey ?
key: if builtins.stringLength key == 1 then "-${key}" else "--${key}"
toGNUCommandLine = {
# how to string-format the option name;
# by default one character is a short option (`-`),
# more than one characters a long option (`--`).
mkOptionName ?
k: if builtins.stringLength k == 1
then "-${k}"
else "--${k}",
, renderOption ?
key: value:
if value == null
then []
else [ (renderKey key) (builtins.toString value) ]
# how to format a boolean value to a command list;
# by default its a flag option
# (only the option name if true, left out completely if false).
mkBool ? k: v: lib.optional v (mkOptionName k),
, renderBool ? key: value: lib.optional value (renderKey key)
# how to format a list value to a command list;
# by default the option name is repeated for each value
# and `mkOption` is applied to the values themselves.
mkList ? k: v: lib.concatMap (mkOption k) v,
, renderList ? key: value: lib.concatMap (renderOption key) value
# how to format any remaining value to a command list;
# on the toplevel, booleans and lists are handled by `mkBool` and `mkList`,
# though they can still appear as values of a list.
# By default, everything is printed verbatim and complex types
# are forbidden (lists, attrsets, functions). `null` values are omitted.
mkOption ?
k: v: if v == null
then []
else [ (mkOptionName k) (lib.generators.mkValueStringDefault {} v) ]
}:
options:
let
render = key: value:
if builtins.isBool value
then renderBool key value
else if builtins.isList value
then renderList key value
else renderOption key value;
render = k: v:
if builtins.isBool v then mkBool k v
else if builtins.isList v then mkList k v
else mkOption k v;
in
builtins.concatLists (lib.mapAttrsToList render options);

View File

@ -37,11 +37,13 @@ let
licenses = callLibs ./licenses.nix;
systems = callLibs ./systems;
# serialization
cli = callLibs ./cli.nix;
generators = callLibs ./generators.nix;
# misc
asserts = callLibs ./asserts.nix;
cli = callLibs ./cli.nix;
debug = callLibs ./debug.nix;
generators = callLibs ./generators.nix;
misc = callLibs ./deprecated.nix;
# domain-specific
@ -101,7 +103,7 @@ let
inherit (sources) pathType pathIsDirectory cleanSourceFilter
cleanSource sourceByRegex sourceFilesBySuffices
commitIdFromGitRepo cleanSourceWith pathHasContext
canCleanSource pathIsRegularFile;
canCleanSource pathIsRegularFile pathIsGitRepo;
inherit (modules) evalModules unifyModuleSyntax
applyIfFunction mergeModules
mergeModules' mergeOptionDecls evalOptionValue mergeDefinitions
@ -121,7 +123,6 @@ let
isOptionType mkOptionType;
inherit (asserts)
assertMsg assertOneOf;
inherit (cli) encodeGNUCommandLine toGNUCommandLine;
inherit (debug) addErrorContextToAttrs traceIf traceVal traceValFn
traceXMLVal traceXMLValMarked traceSeq traceSeqN traceValSeq
traceValSeqFn traceValSeqN traceValSeqNFn traceShowVal

View File

@ -46,7 +46,10 @@ rec {
else if isList v then err "lists" v
# same as for lists, might want to replace
else if isAttrs v then err "attrsets" v
# functions cant be printed of course
else if isFunction v then err "functions" v
# lets not talk about floats. There is no sensible `toString` for them.
else if isFloat v then err "floats" v
else err "this value is" (toString v);

View File

@ -536,11 +536,6 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
fullName = "University of Illinois/NCSA Open Source License";
};
notion_lgpl = {
url = "https://raw.githubusercontent.com/raboof/notion/master/LICENSE";
fullName = "Notion modified LGPL";
};
nposl3 = spdx {
spdxId = "NPOSL-3.0";
fullName = "Non-Profit Open Software License 3.0";

View File

@ -764,12 +764,15 @@ rec {
fromOpt = getAttrFromPath from options;
toOf = attrByPath to
(abort "Renaming error: option `${showOption to}' does not exist.");
toType = let opt = attrByPath to {} options; in opt.type or null;
in
{
options = setAttrByPath from (mkOption {
inherit visible;
description = "Alias of <option>${showOption to}</option>.";
apply = x: use (toOf config);
} // optionalAttrs (toType != null) {
type = toType;
});
config = mkMerge [
{

View File

@ -105,6 +105,7 @@ rec {
in type == "directory" || lib.any (ext: lib.hasSuffix ext base) exts;
in cleanSourceWith { inherit filter; src = path; };
pathIsGitRepo = path: (builtins.tryEval (commitIdFromGitRepo path)).success;
# Get the commit id of a git repo
# Example: commitIdFromGitRepo <nixpkgs/.git>
@ -113,6 +114,10 @@ rec {
with builtins;
let fileName = toString path + "/" + file;
packedRefsName = toString path + "/packed-refs";
absolutePath = base: path:
if lib.hasPrefix "/" path
then path
else toString (/. + "${base}/${path}");
in if pathIsRegularFile path
# Resolve git worktrees. See gitrepository-layout(5)
then
@ -120,13 +125,11 @@ rec {
in if m == null
then throw ("File contains no gitdir reference: " + path)
else
let gitDir = lib.head m;
let gitDir = absolutePath (dirOf path) (lib.head m);
commonDir' = if pathIsRegularFile "${gitDir}/commondir"
then lib.fileContents "${gitDir}/commondir"
else gitDir;
commonDir = if lib.hasPrefix "/" commonDir'
then commonDir'
else toString (/. + "${gitDir}/${commonDir'}");
commonDir = absolutePath gitDir commonDir';
refFile = lib.removePrefix "${commonDir}/" "${gitDir}/${file}";
in readCommitFromFile refFile commonDir

View File

@ -441,24 +441,40 @@ runTests {
expected = "«foo»";
};
testRenderOptions = {
expr =
encodeGNUCommandLine
{ }
{ data = builtins.toJSON { id = 0; };
X = "PUT";
# CLI
retry = 3;
testToGNUCommandLine = {
expr = cli.toGNUCommandLine {} {
data = builtins.toJSON { id = 0; };
X = "PUT";
retry = 3;
retry-delay = null;
url = [ "https://example.com/foo" "https://example.com/bar" ];
silent = false;
verbose = true;
};
retry-delay = null;
expected = [
"-X" "PUT"
"--data" "{\"id\":0}"
"--retry" "3"
"--url" "https://example.com/foo"
"--url" "https://example.com/bar"
"--verbose"
];
};
url = [ "https://example.com/foo" "https://example.com/bar" ];
silent = false;
verbose = true;
};
testToGNUCommandLineShell = {
expr = cli.toGNUCommandLineShell {} {
data = builtins.toJSON { id = 0; };
X = "PUT";
retry = 3;
retry-delay = null;
url = [ "https://example.com/foo" "https://example.com/bar" ];
silent = false;
verbose = true;
};
expected = "'-X' 'PUT' '--data' '{\"id\":0}' '--retry' '3' '--url' 'https://example.com/foo' '--url' 'https://example.com/bar' '--verbose'";
};

View File

@ -191,7 +191,7 @@ rec {
let
revisionFile = "${toString ./..}/.git-revision";
gitRepo = "${toString ./..}/.git";
in if builtins.pathExists gitRepo
in if lib.pathIsGitRepo gitRepo
then lib.commitIdFromGitRepo gitRepo
else if lib.pathExists revisionFile then lib.fileContents revisionFile
else default;

View File

@ -406,7 +406,7 @@ rec {
In file ${def.file}
a list is being assigned to the option config.${option}.
This will soon be an error as type loaOf is deprecated.
See https://git.io/fj2zm for more information.
See https://github.com/NixOS/nixpkgs/pull/63103 for more information.
Do
${option} =
{ ${set}${more}}

View File

@ -40,12 +40,6 @@
See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data.
*/
{
"00-matt" = {
name = "Matt Smith";
email = "matt@offtopica.uk";
github = "00-matt";
githubId = 48835712;
};
"0x4A6F" = {
email = "0x4A6F@shackspace.de";
name = "Joachim Ernst";
@ -517,6 +511,12 @@
githubId = 5327697;
name = "Anatolii Prylutskyi";
};
antoinerg = {
email = "roygobeil.antoine@gmail.com";
github = "antoinerg";
githubId = 301546;
name = "Antoine Roy-Gobeil";
};
anton-dessiatov = {
email = "anton.dessiatov@gmail.com";
github = "anton-dessiatov";
@ -594,6 +594,12 @@
githubId = 1296771;
name = "Anders Riutta";
};
arnoldfarkas = {
email = "arnold.farkas@gmail.com";
github = "arnoldfarkas";
githubId = 59696216;
name = "Arnold Farkas";
};
arobyn = {
email = "shados@shados.net";
github = "shados";
@ -951,6 +957,12 @@
githubId = 5718007;
name = "Bastian Köcher";
};
blanky0230 = {
email = "blanky0230@gmail.com";
github = "blanky0230";
githubId = 5700358;
name = "Thomas Blank";
};
blitz = {
email = "js@alien8.de";
github = "blitz";
@ -1919,6 +1931,12 @@
fingerprint = "5DD7 C6F6 0630 F08E DAE7 4711 1525 585D 1B43 C62A";
}];
};
dwarfmaster = {
email = "nixpkgs@dwarfmaster.net";
github = "dwarfmaster";
githubId = 2025623;
name = "Luc Chabassier";
};
dxf = {
email = "dingxiangfei2009@gmail.com";
github = "dingxiangfei2009";
@ -2393,6 +2411,12 @@
githubId = 415760;
name = "Jonas Höglund";
};
fishi0x01 = {
email = "fishi0x01@gmail.com";
github = "fishi0x01";
githubId = 10799507;
name = "Karl Fischer";
};
Flakebi = {
email = "flakebi@t-online.de";
github = "Flakebi";
@ -3480,6 +3504,12 @@
github = "jorsn";
githubId = 4646725;
};
jpas = {
name = "Jarrod Pas";
email = "jarrod@jarrodpas.com";
github = "jpas";
githubId = 5689724;
};
jpdoyle = {
email = "joethedoyle@gmail.com";
github = "jpdoyle";
@ -3510,6 +3540,16 @@
githubId = 4611077;
name = "Raymond Gauthier";
};
jtcoolen = {
email = "jtcoolen@pm.me";
name = "Julien Coolen";
github = "jtcoolen";
githubId = 54635632;
keys = [{
longkeyid = "rsa4096/0x19642151C218F6F5";
fingerprint = "4C68 56EE DFDA 20FB 77E8 9169 1964 2151 C218 F6F5";
}];
};
jtobin = {
email = "jared@jtobin.io";
github = "jtobin";
@ -3796,6 +3836,12 @@
githubId = 787421;
name = "Kevin Quick";
};
kraem = {
email = "me@kraem.xyz";
github = "kraem";
githubId = 26622971;
name = "Ronnie Ebrin";
};
kragniz = {
email = "louis@kragniz.eu";
github = "kragniz";
@ -3844,6 +3890,12 @@
githubId = 449813;
name = "Roman Kuznetsov";
};
kwohlfahrt = {
email = "kai.wohlfahrt@gmail.com";
github = "kwohlfahrt";
githubId = 2422454;
name = "Kai Wohlfahrt";
};
kylesferrazza = {
name = "Kyle Sferrazza";
email = "kyle.sferrazza@gmail.com";
@ -4153,12 +4205,6 @@
github = "ltavard";
name = "Laure Tavard";
};
lucas8 = {
email = "luc.linux@mailoo.org";
github = "lucas8";
githubId = 2025623;
name = "Luc Chabassier";
};
lucus16 = {
email = "lars.jellema@gmail.com";
github = "Lucus16";
@ -5409,6 +5455,12 @@
githubId = 3250809;
name = "Milan Pässler";
};
petercommand = {
email = "petercommand@gmail.com";
github = "petercommand";
githubId = 1260660;
name = "petercommand";
};
peterhoeg = {
email = "peter@hoeg.com";
github = "peterhoeg";
@ -6153,6 +6205,16 @@
githubId = 6022042;
name = "Sam Parkinson";
};
samlich = {
email = "nixos@samli.ch";
github = "samlich";
githubId = 1349989;
name = "samlich";
keys = [{
longkeyid = "rsa4096/B1568953B1939F1C";
fingerprint = "AE8C 0836 FDF6 3FFC 9580 C588 B156 8953 B193 9F1C";
}];
};
samrose = {
email = "samuel.rose@gmail.com";
github = "samrose";
@ -6260,6 +6322,12 @@
github = "scubed2";
name = "Sterling Stein";
};
sdier = {
email = "scott@dier.name";
github = "sdier";
githubId = 11613056;
name = "Scott Dier";
};
sdll = {
email = "sasha.delly@gmail.com";
github = "sdll";
@ -7834,6 +7902,12 @@
githubId = 1069303;
name = "Kim Simmons";
};
zowoq = {
email = "59103226+zowoq@users.noreply.github.com";
github = "zowoq";
githubId = 59103226;
name = "zowoq";
};
zraexy = {
email = "zraexy@gmail.com";
github = "zraexy";

View File

@ -11,13 +11,14 @@ compat53,,,,,vcunat
coxpcall,,,1.17.0-1,,
cqueues,,,,,vcunat
cyrussasl,,,,,vcunat
digestif,,http://luarocks.org/dev,,lua5_3,
digestif,,,,lua5_3,
dkjson,,,,,
fifo,,,,,
http,,,,,vcunat
inspect,,,,,
ldoc,,,,,
lgi,,,,,
linenoise,,,,,
ljsyscall,,,,lua5_1,lblasc
lpeg,,,,,vyp
lpeg_patterns,,,,,
@ -43,6 +44,7 @@ luadbi-mysql,,,,,
luadbi-postgresql,,,,,
luadbi-sqlite3,,,,,
luadoc,,,,,
luaepnf,,,,,
luaevent,,,,,
luaexpat,,,1.3.0-1,,arobyn flosse
luaffi,,http://luarocks.org/dev,,,
@ -50,6 +52,7 @@ luafilesystem,,,1.7.0-2,,flosse vcunat
lualogging,,,,,
luaossl,,,,lua5_1,vcunat
luaposix,,,,,vyp lblasc
luarepl,,,,,
luasec,,,,,flosse
luasocket,,,,,
luasql-sqlite3,,,,,vyp
@ -72,3 +75,4 @@ std__debug,std._debug,,,,
std_normalize,std.normalize,,,,
stdlib,,,,,vyp
pulseaudio,,,,,doronbehar
vstruct,,,,,

1 # nix name luarocks name server version luaversion maintainers
11 coxpcall 1.17.0-1
12 cqueues vcunat
13 cyrussasl vcunat
14 digestif http://luarocks.org/dev lua5_3
15 dkjson
16 fifo
17 http vcunat
18 inspect
19 ldoc
20 lgi
21 linenoise
22 ljsyscall lua5_1 lblasc
23 lpeg vyp
24 lpeg_patterns
44 luadbi-postgresql
45 luadbi-sqlite3
46 luadoc
47 luaepnf
48 luaevent
49 luaexpat 1.3.0-1 arobyn flosse
50 luaffi http://luarocks.org/dev
52 lualogging
53 luaossl lua5_1 vcunat
54 luaposix vyp lblasc
55 luarepl
56 luasec flosse
57 luasocket
58 luasql-sqlite3 vyp
75 std_normalize std.normalize
76 stdlib vyp
77 pulseaudio doronbehar
78 vstruct

View File

@ -19,7 +19,7 @@ export LUAROCKS_CONFIG="$NIXPKGS_PATH/maintainers/scripts/luarocks-config.lua"
# 10 is a pretty arbitrary number of simultaneous jobs, but it is generally
# impolite to hit a webserver with *too* many simultaneous connections :)
PARALLEL_JOBS=10
PARALLEL_JOBS=1
exit_trap() {
local lc="$BASH_COMMAND" rc=$?

View File

@ -19,6 +19,12 @@
<command>nixos-rebuild switch</command>.
</para>
<note>
<para>
Some packages require additional global configuration such as D-Bus or systemd service registration so adding them to <xref linkend="opt-environment.systemPackages"/> might not be sufficient. You are advised to check the <link xlink:href="#ch-options">list of options</link> whether a NixOS module for the package does not exist.
</para>
</note>
<para>
You can get a list of the available packages as follows:
<screen>

View File

@ -37,4 +37,38 @@ Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
on an encrypted partition, it is necessary to add the following grub option:
<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>
</para>
<section xml:id="sec-luks-file-systems-fido2">
<title>FIDO2</title>
<para>
NixOS also supports unlocking your LUKS-Encrypted file system using a FIDO2 compatible token. In the following example, we will create a new FIDO2 credential
and add it as a new key to our existing device <filename>/dev/sda2</filename>:
<screen>
# export FIDO2_LABEL="/dev/sda2 @ $HOSTNAME"
# fido2luks credential "$FIDO2_LABEL"
f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
Password:
Password (again):
Old password:
Old password (again):
Added to key to device /dev/sda2, slot: 2
</screen>
To ensure that this file system is decrypted using the FIDO2 compatible key, add the following to <filename>configuration.nix</filename>:
<programlisting>
<link linkend="opt-boot.initrd.luks.fido2Support">boot.initrd.luks.fido2Support</link> = true;
<link linkend="opt-boot.initrd.luks.devices._name__.fido2.credential">boot.initrd.luks.devices."/dev/sda2".fido2.credential</link> = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
</programlisting>
You can also use the FIDO2 passwordless setup, but for security reasons, you might want to enable it only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.
<programlisting>
<link linkend="opt-boot.initrd.luks.devices._name__.fido2.passwordLess">boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess</link> = true;
</programlisting>
</para>
</section>
</section>

View File

@ -236,6 +236,10 @@
introduced to their role, making it easier to pass on knowledge and
experience.
</para>
<para>
Release managers for the current NixOS release are tracked by GitHub team
<link xlink:href="https://github.com/orgs/NixOS/teams/nixos-release-managers/members"><literal>@NixOS/nixos-release-managers</literal></link>.
</para>
<para>
A release manager's role and responsibilities are:
</para>

View File

@ -210,7 +210,7 @@
The closure must be an appropriately configured NixOS system, with boot
loader and partition configuration that fits the target host. Such a
closure is typically obtained with a command such as <command>nix-build
-I nixos-config=./configuration.nix '&lt;nixos&gt;' -A system
-I nixos-config=./configuration.nix '&lt;nixpkgs/nixos&gt;' -A system
--no-out-link</command>
</para>
</listitem>

View File

@ -168,6 +168,12 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
SDDM, GDM, or using the startx module which uses Xinitrc.
</para>
</listitem>
<listitem>
<para>
The Way Cooler wayland compositor has been removed, as the project has been officially canceled.
There are no more <literal>way-cooler</literal> attribute and <literal>programs.way-cooler</literal> options.
</para>
</listitem>
<listitem>
<para>
The BEAM package set has been deleted. You will only find there the different interpreters.
@ -401,6 +407,44 @@ users.users.me =
the type to <literal>either path (submodule ...)</literal>.
</para>
</listitem>
<listitem>
<para>
The <link linkend="opt-services.buildkite-agent.enable">Buildkite Agent</link>
module and corresponding packages have been updated to 3.x.
While doing so, the following options have been changed:
</para>
<itemizedlist>
<listitem>
<para>
<literal>services.buildkite-agent.meta-data</literal> has been renamed to
<link linkend="opt-services.buildkite-agent.tags">services.buildkite-agent.tags</link>,
to match upstreams naming for 3.x.
Its type has also changed - it now accepts an attrset of strings.
</para>
</listitem>
<listitem>
<para>
The<literal>services.buildkite-agent.openssh.publicKeyPath</literal> option
has been removed, as it's not necessary to deploy public keys to clone private
repositories.
</para>
</listitem>
<listitem>
<para>
<literal>services.buildkite-agent.openssh.privateKeyPath</literal>
has been renamed to
<link linkend="opt-services.buildkite-agent.privateSshKeyPath">buildkite-agent.privateSshKeyPath</link>,
as the whole <literal>openssh</literal> now only contained that single option.
</para>
</listitem>
<listitem>
<para>
<link linkend="opt-services.buildkite-agent.shell">services.buildkite-agent.shell</link>
has been introduced, allowing to specify a custom shell to be used.
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</section>
@ -441,6 +485,12 @@ users.users.me =
now uses the short rather than full version string.
</para>
</listitem>
<listitem>
<para>
It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token
via <option>boot.initrd.luks.fido2Support</option>.
</para>
</listitem>
</itemizedlist>
</section>
</section>

View File

@ -84,7 +84,7 @@ CHAR_TO_KEY = {
# Forward references
nr_tests: int
nr_succeeded: int
failed_tests: list
log: "Logger"
machines: "List[Machine]"
@ -221,7 +221,7 @@ class Machine:
return path
self.state_dir = create_dir("vm-state-{}".format(self.name))
self.shared_dir = create_dir("{}/xchg".format(self.state_dir))
self.shared_dir = create_dir("shared-xchg")
self.booted = False
self.connected = False
@ -395,7 +395,7 @@ class Machine:
status_code_pattern = re.compile(r"(.*)\|\!EOF\s+(\d+)")
while True:
chunk = self.shell.recv(4096).decode()
chunk = self.shell.recv(4096).decode(errors="ignore")
match = status_code_pattern.match(chunk)
if match:
output += match[1]
@ -576,7 +576,7 @@ class Machine:
vm_src = pathlib.Path(source)
with tempfile.TemporaryDirectory(dir=self.shared_dir) as shared_td:
shared_temp = pathlib.Path(shared_td)
vm_shared_temp = pathlib.Path("/tmp/xchg") / shared_temp.name
vm_shared_temp = pathlib.Path("/tmp/shared") / shared_temp.name
vm_intermediate = vm_shared_temp / vm_src.name
intermediate = shared_temp / vm_src.name
# Copy the file to the shared directory inside VM
@ -842,23 +842,31 @@ def run_tests() -> None:
machine.execute("sync")
if nr_tests != 0:
nr_succeeded = nr_tests - len(failed_tests)
eprint("{} out of {} tests succeeded".format(nr_succeeded, nr_tests))
if nr_tests > nr_succeeded:
if len(failed_tests) > 0:
eprint(
"The following tests have failed:\n - {}".format(
"\n - ".join(failed_tests)
)
)
sys.exit(1)
@contextmanager
def subtest(name: str) -> Iterator[None]:
global nr_tests
global nr_succeeded
global failed_tests
with log.nested(name):
nr_tests += 1
try:
yield
nr_succeeded += 1
return True
except Exception as e:
failed_tests.append(
'Test "{}" failed with error: "{}"'.format(name, str(e))
)
log.log("error: {}".format(str(e)))
return False
@ -880,7 +888,7 @@ if __name__ == "__main__":
exec("\n".join(machine_eval))
nr_tests = 0
nr_succeeded = 0
failed_tests = []
@atexit.register
def clean_up() -> None:

View File

@ -4,7 +4,7 @@ stdenv.mkDerivation rec {
name = "jquery-ui-1.11.4";
src = fetchurl {
url = "http://jqueryui.com/resources/download/${name}.zip";
url = "https://jqueryui.com/resources/download/${name}.zip";
sha256 = "0ciyaj1acg08g8hpzqx6whayq206fvf4whksz2pjgxlv207lqgjh";
};
@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
'';
meta = {
homepage = http://jqueryui.com/;
homepage = https://jqueryui.com/;
description = "A library of JavaScript widgets and effects";
platforms = stdenv.lib.platforms.all;
};

View File

@ -43,11 +43,11 @@ in
description = ''
Whether to enable OpenGL drivers. This is needed to enable
OpenGL support in X11 systems, as well as for Wayland compositors
like sway, way-cooler and Weston. It is enabled by default
like sway and Weston. It is enabled by default
by the corresponding modules, so you do not usually have to
set it yourself, only if there is no module for your wayland
compositor of choice. See services.xserver.enable,
programs.sway.enable, and programs.way-cooler.enable.
compositor of choice. See services.xserver.enable and
programs.sway.enable.
'';
type = types.bool;
default = false;

View File

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.tuxedo-keyboard;
tuxedo-keyboard = config.boot.kernelPackages.tuxedo-keyboard;
in
{
options.hardware.tuxedo-keyboard = {
enable = mkEnableOption ''
Enables the tuxedo-keyboard driver.
To configure the driver, pass the options to the <option>boot.kernelParams</option> configuration.
There are several parameters you can change. It's best to check at the source code description which options are supported.
You can find all the supported parameters at: <link xlink:href="https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam" />
In order to use the <literal>custom</literal> lighting with the maximumg brightness and a color of <literal>0xff0a0a</literal> one would put pass <option>boot.kernelParams</option> like this:
<programlisting>
boot.kernelParams = [
"tuxedo_keyboard.mode=0"
"tuxedo_keyboard.brightness=255"
"tuxedo_keyboard.color_left=0xff0a0a"
];
</programlisting>
'';
};
config = mkIf cfg.enable
{
boot.kernelModules = ["tuxedo_keyboard"];
boot.extraModulePackages = [ tuxedo-keyboard ];
};
}

View File

@ -1,7 +1,7 @@
{ pkgs, ... }:
{
imports = [ ./installation-cd-graphical-kde.nix ];
imports = [ ./installation-cd-graphical-plasma5.nix ];
boot.kernelPackages = pkgs.linuxPackages_latest;
}

View File

@ -22,7 +22,7 @@ repair=
profile=/nix/var/nix/profiles/system
buildHost=
targetHost=
maybeSudo=
maybeSudo=()
while [ "$#" -gt 0 ]; do
i="$1"; shift 1
@ -92,7 +92,7 @@ while [ "$#" -gt 0 ]; do
;;
--use-remote-sudo)
# note the trailing space
maybeSudo="sudo "
maybeSudo=(sudo --)
shift 1
;;
*)
@ -102,6 +102,10 @@ while [ "$#" -gt 0 ]; do
esac
done
if [ -n "$SUDO_USER" ]; then
maybeSudo=(sudo --)
fi
if [ -z "$buildHost" -a -n "$targetHost" ]; then
buildHost="$targetHost"
fi
@ -116,17 +120,17 @@ buildHostCmd() {
if [ -z "$buildHost" ]; then
"$@"
elif [ -n "$remoteNix" ]; then
ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "$maybeSudo$@"
ssh $SSHOPTS "$buildHost" env PATH="$remoteNix:$PATH" "${maybeSudo[@]}" "$@"
else
ssh $SSHOPTS "$buildHost" "$maybeSudo$@"
ssh $SSHOPTS "$buildHost" "${maybeSudo[@]}" "$@"
fi
}
targetHostCmd() {
if [ -z "$targetHost" ]; then
"$@"
"${maybeSudo[@]}" "$@"
else
ssh $SSHOPTS "$targetHost" "$maybeSudo$@"
ssh $SSHOPTS "$targetHost" "${maybeSudo[@]}" "$@"
fi
}

View File

@ -6,6 +6,7 @@ let
cfg = config.system.nixos;
gitRepo = "${toString pkgs.path}/.git";
gitRepoValid = lib.pathIsGitRepo gitRepo;
gitCommitId = lib.substring 0 7 (commitIdFromGitRepo gitRepo);
in
@ -91,8 +92,8 @@ in
# These defaults are set here rather than up there so that
# changing them would not rebuild the manual
version = mkDefault (cfg.release + cfg.versionSuffix);
revision = mkIf (pathExists gitRepo) (mkDefault gitCommitId);
versionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId));
revision = mkIf gitRepoValid (mkDefault gitCommitId);
versionSuffix = mkIf gitRepoValid (mkDefault (".git." + gitCommitId));
};
# Generate /etc/os-release. See

View File

@ -62,6 +62,7 @@
./hardware/printers.nix
./hardware/raid/hpsa.nix
./hardware/steam-hardware.nix
./hardware/tuxedo-keyboard.nix
./hardware/usb-wwan.nix
./hardware/onlykey.nix
./hardware/video/amdgpu.nix
@ -127,6 +128,7 @@
./programs/java.nix
./programs/kbdlight.nix
./programs/less.nix
./programs/liboping.nix
./programs/light.nix
./programs/mosh.nix
./programs/mininet.nix
@ -152,13 +154,13 @@
./programs/system-config-printer.nix
./programs/thefuck.nix
./programs/tmux.nix
./programs/traceroute.nix
./programs/tsm-client.nix
./programs/udevil.nix
./programs/usbtop.nix
./programs/venus.nix
./programs/vim.nix
./programs/wavemon.nix
./programs/way-cooler.nix
./programs/waybar.nix
./programs/wireshark.nix
./programs/x2goserver.nix
@ -577,6 +579,7 @@
./services/networking/connman.nix
./services/networking/consul.nix
./services/networking/coredns.nix
./services/networking/corerad.nix
./services/networking/coturn.nix
./services/networking/dante.nix
./services/networking/ddclient.nix
@ -803,6 +806,7 @@
./services/web-apps/codimd.nix
./services/web-apps/cryptpad.nix
./services/web-apps/documize.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/frab.nix
./services/web-apps/gotify-server.nix
./services/web-apps/icingaweb2/icingaweb2.nix
@ -870,7 +874,6 @@
./services/x11/display-managers/xpra.nix
./services/x11/fractalart.nix
./services/x11/hardware/libinput.nix
./services/x11/hardware/multitouch.nix
./services/x11/hardware/synaptics.nix
./services/x11/hardware/wacom.nix
./services/x11/hardware/digimend.nix

View File

@ -96,7 +96,7 @@ in
# This overrides the systemd user unit shipped with the gnupg package
systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {
serviceConfig.ExecStart = [ "" ''
${pkgs.gnupg}/bin/gpg-agent --supervised \
${cfg.package}/bin/gpg-agent --supervised \
--pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
'' ];
};

View File

@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.liboping;
in {
options.programs.liboping = {
enable = mkEnableOption "liboping";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ liboping ];
security.wrappers = mkMerge (map (
exec: {
"${exec}" = {
source = "${pkgs.liboping}/bin/${exec}";
capabilities = "cap_net_raw+p";
};
}
) [ "oping" "noping" ]);
};
}

View File

@ -87,7 +87,8 @@ in {
type = with types; listOf package;
default = with pkgs; [
swaylock swayidle
xwayland rxvt_unicode dmenu
xwayland alacritty dmenu
rxvt_unicode # For backward compatibility (old default terminal)
];
defaultText = literalExample ''
with pkgs; [ swaylock swayidle xwayland rxvt_unicode dmenu ];

View File

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.traceroute;
in {
options = {
programs.traceroute = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to configure a setcap wrapper for traceroute.
'';
};
};
};
config = mkIf cfg.enable {
security.wrappers.traceroute = {
source = "${pkgs.traceroute}/bin/traceroute";
capabilities = "cap_net_raw+p";
};
};
}

View File

@ -1,78 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.way-cooler;
way-cooler = pkgs.way-cooler;
wcWrapped = pkgs.writeShellScriptBin "way-cooler" ''
${cfg.extraSessionCommands}
exec ${pkgs.dbus}/bin/dbus-run-session ${way-cooler}/bin/way-cooler
'';
wcJoined = pkgs.symlinkJoin {
name = "way-cooler-wrapped";
paths = [ wcWrapped way-cooler ];
};
configFile = readFile "${way-cooler}/etc/way-cooler/init.lua";
spawnBar = ''
util.program.spawn_at_startup("lemonbar");
'';
in
{
options.programs.way-cooler = {
enable = mkEnableOption "way-cooler";
extraSessionCommands = mkOption {
default = "";
type = types.lines;
example = ''
export XKB_DEFAULT_LAYOUT=us,de
export XKB_DEFAULT_VARIANT=,nodeadkeys
export XKB_DEFAULT_OPTIONS=grp:caps_toggle,
'';
description = ''
Shell commands executed just before way-cooler is started.
'';
};
extraPackages = mkOption {
type = with types; listOf package;
default = with pkgs; [
westonLite xwayland dmenu
];
example = literalExample ''
with pkgs; [
westonLite xwayland dmenu
]
'';
description = ''
Extra packages to be installed system wide.
'';
};
enableBar = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable an unofficial bar.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ wcJoined ] ++ cfg.extraPackages;
security.pam.services.wc-lock = {};
environment.etc."way-cooler/init.lua".text = ''
${configFile}
${optionalString cfg.enableBar spawnBar}
'';
hardware.opengl.enable = mkDefault true;
fonts.enableDefaultFonts = mkDefault true;
programs.dconf.enable = mkDefault true;
};
meta.maintainers = with maintainers; [ gnidorah ];
}

View File

@ -27,6 +27,13 @@ with lib;
(mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed")
(mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed")
(mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
(mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
"https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
(mkRemovedOptionModule [ "services" "xserver" "multitouch" ] ''
services.xserver.multitouch (which uses xf86_input_mtrack) has been removed
as the underlying package isn't being maintained. Working alternatives are
libinput and synaptics.
'')
# Do NOT add any option renames here, see top of the file
];

View File

@ -98,8 +98,8 @@ in {
will be merged into these options by RabbitMQ at runtime to
form the final configuration.
See http://www.rabbitmq.com/configure.html#config-items
For the distinct formats, see http://www.rabbitmq.com/configure.html#config-file-formats
See https://www.rabbitmq.com/configure.html#config-items
For the distinct formats, see https://www.rabbitmq.com/configure.html#config-file-formats
'';
};
@ -116,8 +116,8 @@ in {
The contents of this option will be merged into the <literal>configItems</literal>
by RabbitMQ at runtime to form the final configuration.
See the second table on http://www.rabbitmq.com/configure.html#config-items
For the distinct formats, see http://www.rabbitmq.com/configure.html#config-file-formats
See the second table on https://www.rabbitmq.com/configure.html#config-items
For the distinct formats, see https://www.rabbitmq.com/configure.html#config-file-formats
'';
};
@ -165,7 +165,10 @@ in {
after = [ "network.target" "epmd.socket" ];
wants = [ "network.target" "epmd.socket" ];
path = [ cfg.package pkgs.procps ];
path = [
cfg.package
pkgs.coreutils # mkdir/chown/chmod for preStart
];
environment = {
RABBITMQ_MNESIA_BASE = "${cfg.dataDir}/mnesia";

View File

@ -20,6 +20,7 @@ let
size = 2048;
};
CN = top.masterAddress;
hosts = cfg.cfsslAPIExtraSANs;
});
cfsslAPITokenBaseName = "apitoken.secret";
@ -66,6 +67,15 @@ in
type = bool;
};
cfsslAPIExtraSANs = mkOption {
description = ''
Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.
'';
default = [];
example = [ "subdomain.example.com" ];
type = listOf str;
};
genCfsslAPIToken = mkOption {
description = ''
Whether to automatically generate cfssl API-token secret,

View File

@ -50,8 +50,8 @@ in
};
runtimePackages = mkOption {
default = [ pkgs.bash pkgs.nix ];
defaultText = "[ pkgs.bash pkgs.nix ]";
default = [ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ];
defaultText = "[ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]";
description = "Add programs to the buildkite-agent environment";
type = types.listOf types.package;
};
@ -74,13 +74,12 @@ in
'';
};
meta-data = mkOption {
type = types.str;
default = "";
example = "queue=default,docker=true,ruby2=true";
tags = mkOption {
type = types.attrsOf types.str;
default = {};
example = { queue = "default"; docker = "true"; ruby2 ="true"; };
description = ''
Meta data for the agent. This is a comma-separated list of
<code>key=value</code> pairs.
Tags for the agent.
'';
};
@ -93,26 +92,20 @@ in
'';
};
openssh =
{ privateKeyPath = mkOption {
type = types.path;
description = ''
Private agent key.
privateSshKeyPath = mkOption {
type = types.nullOr types.path;
default = null;
## maximum care is taken so that secrets (ssh keys and the CI token)
## don't end up in the Nix store.
apply = final: if final == null then null else toString final;
A run-time path to the key file, which is supposed to be provisioned
outside of Nix store.
'';
};
publicKeyPath = mkOption {
type = types.path;
description = ''
Public agent key.
description = ''
OpenSSH private key
A run-time path to the key file, which is supposed to be provisioned
outside of Nix store.
'';
};
};
A run-time path to the key file, which is supposed to be provisioned
outside of Nix store.
'';
};
hooks = mkHookOptions [
{ name = "checkout";
@ -181,18 +174,26 @@ in
instead.
'';
};
shell = mkOption {
type = types.str;
default = "${pkgs.bash}/bin/bash -e -c";
description = ''
Command that buildkite-agent 3 will execute when it spawns a shell.
'';
};
};
};
config = mkIf config.services.buildkite-agent.enable {
users.users.buildkite-agent =
{ name = "buildkite-agent";
home = cfg.dataDir;
createHome = true;
description = "Buildkite agent user";
extraGroups = [ "keys" ];
isSystemUser = true;
};
users.users.buildkite-agent = {
name = "buildkite-agent";
home = cfg.dataDir;
createHome = true;
description = "Buildkite agent user";
extraGroups = [ "keys" ];
isSystemUser = true;
};
environment.systemPackages = [ cfg.package ];
@ -210,17 +211,18 @@ in
## don't end up in the Nix store.
preStart = let
sshDir = "${cfg.dataDir}/.ssh";
tagStr = lib.concatStringsSep "," (lib.mapAttrsToList (name: value: "${name}=${value}") cfg.tags);
in
''
optionalString (cfg.privateSshKeyPath != null) ''
mkdir -m 0700 -p "${sshDir}"
cp -f "${toString cfg.openssh.privateKeyPath}" "${sshDir}/id_rsa"
cp -f "${toString cfg.openssh.publicKeyPath}" "${sshDir}/id_rsa.pub"
chmod 600 "${sshDir}"/id_rsa*
cp -f "${toString cfg.privateSshKeyPath}" "${sshDir}/id_rsa"
chmod 600 "${sshDir}"/id_rsa
'' + ''
cat > "${cfg.dataDir}/buildkite-agent.cfg" <<EOF
token="$(cat ${toString cfg.tokenPath})"
name="${cfg.name}"
meta-data="${cfg.meta-data}"
shell="${cfg.shell}"
tags="${tagStr}"
build-path="${cfg.dataDir}/builds"
hooks-path="${cfg.hooksPath}"
${cfg.extraConfig}
@ -228,11 +230,14 @@ in
'';
serviceConfig =
{ ExecStart = "${pkgs.buildkite-agent}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg";
{ ExecStart = "${cfg.package}/bin/buildkite-agent start --config /var/lib/buildkite-agent/buildkite-agent.cfg";
User = "buildkite-agent";
RestartSec = 5;
Restart = "on-failure";
TimeoutSec = 10;
# set a long timeout to give buildkite-agent a chance to finish current builds
TimeoutStopSec = "2 min";
KillMode = "mixed";
};
};
@ -246,8 +251,11 @@ in
];
};
imports = [
(mkRenamedOptionModule [ "services" "buildkite-agent" "token" ] [ "services" "buildkite-agent" "tokenPath" ])
(mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKey" ] [ "services" "buildkite-agent" "openssh" "privateKeyPath" ])
(mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "publicKey" ] [ "services" "buildkite-agent" "openssh" "publicKeyPath" ])
(mkRenamedOptionModule [ "services" "buildkite-agent" "token" ] [ "services" "buildkite-agent" "tokenPath" ])
(mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKey" ] [ "services" "buildkite-agent" "privateSshKeyPath" ])
(mkRenamedOptionModule [ "services" "buildkite-agent" "openssh" "privateKeyPath" ] [ "services" "buildkite-agent" "privateSshKeyPath" ])
(mkRemovedOptionModule [ "services" "buildkite-agent" "openssh" "publicKey" ] "SSH public keys aren't necessary to clone private repos.")
(mkRemovedOptionModule [ "services" "buildkite-agent" "openssh" "publicKeyPath" ] "SSH public keys aren't necessary to clone private repos.")
(mkRenamedOptionModule [ "services" "buildkite-agent" "meta-data"] [ "services" "buildkite-agent" "tags" ])
];
}

View File

@ -167,7 +167,7 @@ in
buildMachinesFiles = mkOption {
type = types.listOf types.path;
default = [ "/etc/nix/machines" ];
default = optional (config.nix.buildMachines != []) "/etc/nix/machines";
example = [ "/etc/nix/machines" "/var/lib/hydra/provisioner/machines" ];
description = "List of files containing build machines.";
};
@ -333,7 +333,7 @@ in
IN_SYSTEMD = "1"; # to get log severity levels
};
serviceConfig =
{ ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${boolToString cfg.useSubstitutes}";
{ ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v";
ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock";
User = "hydra-queue-runner";
Restart = "always";

View File

@ -18,6 +18,9 @@ with lib;
description = ''
Whether to enable at-spi2-core, a service for the Assistive Technologies
available on the GNOME platform.
Enable this if you get the error or warning
<literal>The name org.a11y.Bus was not provided by any .service files</literal>.
'';
};

View File

@ -5,6 +5,8 @@ with lib;
let
cfg = config.services.roundcube;
fpm = config.services.phpfpm.pools.roundcube;
localDB = cfg.database.host == "localhost";
user = cfg.database.username;
in
{
options.services.roundcube = {
@ -44,7 +46,10 @@ in
username = mkOption {
type = types.str;
default = "roundcube";
description = "Username for the postgresql connection";
description = ''
Username for the postgresql connection.
If <literal>database.host</literal> is set to <literal>localhost</literal>, a unix user and group of the same name will be created as well.
'';
};
host = mkOption {
type = types.str;
@ -58,7 +63,12 @@ in
};
password = mkOption {
type = types.str;
description = "Password for the postgresql connection";
description = "Password for the postgresql connection. Do not use: the password will be stored world readable in the store; use <literal>passwordFile</literal> instead.";
default = "";
};
passwordFile = mkOption {
type = types.str;
description = "Password file for the postgresql connection. Must be readable by user <literal>nginx</literal>. Ignored if <literal>database.host</literal> is set to <literal>localhost</literal>, as peer authentication will be used.";
};
dbname = mkOption {
type = types.str;
@ -83,14 +93,22 @@ in
};
config = mkIf cfg.enable {
# backward compatibility: if password is set but not passwordFile, make one.
services.roundcube.database.passwordFile = mkIf (!localDB && cfg.database.password != "") (mkDefault ("${pkgs.writeText "roundcube-password" cfg.database.password}"));
warnings = lib.optional (!localDB && cfg.database.password != "") "services.roundcube.database.password is deprecated and insecure; use services.roundcube.database.passwordFile instead";
environment.etc."roundcube/config.inc.php".text = ''
<?php
${lib.optionalString (!localDB) "$password = file_get_contents('${cfg.database.passwordFile}');"}
$config = array();
$config['db_dsnw'] = 'pgsql://${cfg.database.username}:${cfg.database.password}@${cfg.database.host}/${cfg.database.dbname}';
$config['db_dsnw'] = 'pgsql://${cfg.database.username}${lib.optionalString (!localDB) ":' . $password . '"}@${if localDB then "unix(/run/postgresql)" else cfg.database.host}/${cfg.database.dbname}';
$config['log_driver'] = 'syslog';
$config['max_message_size'] = '25M';
$config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
$config['des_key'] = file_get_contents('/var/lib/roundcube/des_key');
$config['mime_types'] = '${pkgs.nginx}/conf/mime.types';
${cfg.extraConfig}
'';
@ -116,12 +134,26 @@ in
};
};
services.postgresql = mkIf (cfg.database.host == "localhost") {
services.postgresql = mkIf localDB {
enable = true;
ensureDatabases = [ cfg.database.dbname ];
ensureUsers = [ {
name = cfg.database.username;
ensurePermissions = {
"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";
};
} ];
};
users.users.${user} = mkIf localDB {
group = user;
isSystemUser = true;
createHome = false;
};
users.groups.${user} = mkIf localDB {};
services.phpfpm.pools.roundcube = {
user = "nginx";
user = if localDB then user else "nginx";
phpOptions = ''
error_log = 'stderr'
log_errors = on
@ -143,9 +175,7 @@ in
};
systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
systemd.services.roundcube-setup = let
pgSuperUser = config.services.postgresql.superUser;
in mkMerge [
systemd.services.roundcube-setup = mkMerge [
(mkIf (cfg.database.host == "localhost") {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
@ -153,22 +183,31 @@ in
})
{
wantedBy = [ "multi-user.target" ];
script = ''
mkdir -p /var/lib/roundcube
if [ ! -f /var/lib/roundcube/db-created ]; then
if [ "${cfg.database.host}" = "localhost" ]; then
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'";
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}";
fi
PGPASSWORD="${cfg.database.password}" ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \
-f ${cfg.package}/SQL/postgres.initial.sql \
-h ${cfg.database.host} ${cfg.database.dbname}
touch /var/lib/roundcube/db-created
script = let
psql = "${lib.optionalString (!localDB) "PGPASSFILE=${cfg.database.passwordFile}"} ${pkgs.postgresql}/bin/psql ${lib.optionalString (!localDB) "-h ${cfg.database.host} -U ${cfg.database.username} "} ${cfg.database.dbname}";
in
''
version="$(${psql} -t <<< "select value from system where name = 'roundcube-version';" || true)"
if ! (grep -E '[a-zA-Z0-9]' <<< "$version"); then
${psql} -f ${cfg.package}/SQL/postgres.initial.sql
fi
if [ ! -f /var/lib/roundcube/des_key ]; then
base64 /dev/urandom | head -c 24 > /var/lib/roundcube/des_key;
# we need to log out everyone in case change the des_key
# from the default when upgrading from nixos 19.09
${psql} <<< 'TRUNCATE TABLE session;'
fi
${pkgs.php}/bin/php ${cfg.package}/bin/update.sh
'';
serviceConfig.Type = "oneshot";
serviceConfig = {
Type = "oneshot";
StateDirectory = "roundcube";
User = if localDB then user else "nginx";
# so that the des_key is not world readable
StateDirectoryMode = "0700";
};
}
];
};

View File

@ -18,7 +18,7 @@ let
in checkedConfig yml;
cmdlineArgs = cfg.extraFlags ++ [
"--config.file ${alertmanagerYml}"
"--config.file /tmp/alert-manager-substituted.yaml"
"--web.listen-address ${cfg.listenAddress}:${toString cfg.port}"
"--log.level ${cfg.logLevel}"
] ++ (optional (cfg.webExternalUrl != null)
@ -127,6 +127,18 @@ in {
Extra commandline options when launching the Alertmanager.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/root/alertmanager.env";
description = ''
File to load as environment file. Environment variables
from this file will be interpolated into the config file
using envsubst with this syntax:
<literal>$ENVIRONMENT ''${VARIABLE}</literal>
'';
};
};
};
@ -144,9 +156,14 @@ in {
systemd.services.alertmanager = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = ''
${lib.getBin pkgs.envsubst}/bin/envsubst -o "/tmp/alert-manager-substituted.yaml" \
-i "${alertmanagerYml}"
'';
serviceConfig = {
Restart = "always";
DynamicUser = true;
DynamicUser = true; # implies PrivateTmp
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
WorkingDirectory = "/tmp";
ExecStart = "${cfg.package}/bin/alertmanager" +
optionalString (length cmdlineArgs != 0) (" \\\n " +

View File

@ -74,7 +74,7 @@ in
then "--systemd.slice ${cfg.systemd.slice}"
else "--systemd.unit ${cfg.systemd.unit}")
++ optional (cfg.systemd.enable && (cfg.systemd.journalPath != null))
"--systemd.jounal_path ${cfg.systemd.journalPath}"
"--systemd.journal_path ${cfg.systemd.journalPath}"
++ optional (!cfg.systemd.enable) "--postfix.logfile_path ${cfg.logfilePath}")}
'';
};

View File

@ -168,8 +168,7 @@ in
createHome = true;
};
users.groups = singleton {
name = "bitlbee";
users.groups.bitlbee = {
gid = config.ids.gids.bitlbee;
};

View File

@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.corerad;
in {
meta = {
maintainers = with maintainers; [ mdlayher ];
};
options.services.corerad = {
enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon";
configFile = mkOption {
type = types.path;
example = literalExample "\"\${pkgs.corerad}/etc/corerad/corerad.toml\"";
description = "Path to CoreRAD TOML configuration file.";
};
package = mkOption {
default = pkgs.corerad;
defaultText = literalExample "pkgs.corerad";
type = types.package;
description = "CoreRAD package to use.";
};
};
config = mkIf cfg.enable {
systemd.services.corerad = {
description = "CoreRAD IPv6 NDP RA daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
LimitNPROC = 512;
LimitNOFILE = 1048576;
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
NoNewPrivileges = true;
DynamicUser = true;
ExecStart = "${getBin cfg.package}/bin/corerad -c=${cfg.configFile}";
Restart = "on-failure";
};
};
};
}

View File

@ -56,6 +56,7 @@ in {
package = mkOption {
type = types.package;
default = pkgs.knot-dns;
defaultText = "pkgs.knot-dns";
description = ''
Which Knot DNS package to use
'';
@ -92,4 +93,3 @@ in {
environment.systemPackages = [ knot-cli-wrappers ];
};
}

View File

@ -5,12 +5,15 @@ with lib;
let
cfg = config.services.kresd;
package = pkgs.knot-resolver;
configFile = pkgs.writeText "kresd.conf" ''
${optionalString (cfg.listenDoH != []) "modules.load('http')"}
${cfg.extraConfig};
'';
configFile = pkgs.writeText "kresd.conf" cfg.extraConfig;
in
{
package = pkgs.knot-resolver.override {
extraFeatures = cfg.listenDoH != [];
};
in {
meta.maintainers = [ maintainers.vcunat /* upstream developer */ ];
imports = [
@ -67,6 +70,15 @@ in
For detailed syntax see ListenStream in man systemd.socket.
'';
};
listenDoH = mkOption {
type = with types; listOf str;
default = [];
example = [ "198.51.100.1:443" "[2001:db8::1]:443" "443" ];
description = ''
Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 7858).
For detailed syntax see ListenStream in man systemd.socket.
'';
};
# TODO: perhaps options for more common stuff like cache size or forwarding
};
@ -104,6 +116,18 @@ in
};
};
systemd.sockets.kresd-doh = mkIf (cfg.listenDoH != []) rec {
wantedBy = [ "sockets.target" ];
before = wantedBy;
partOf = [ "kresd.socket" ];
listenStreams = cfg.listenDoH;
socketConfig = {
FileDescriptorName = "doh";
FreeBind = true;
Service = "kresd.service";
};
};
systemd.sockets.kresd-control = rec {
wantedBy = [ "sockets.target" ];
before = wantedBy;

View File

@ -111,7 +111,7 @@ in
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.matterbridge.bin}/bin/matterbridge -conf ${matterbridgeConfToml}";
ExecStart = "${pkgs.matterbridge}/bin/matterbridge -conf ${matterbridgeConfToml}";
Restart = "always";
RestartSec = "10";
};

View File

@ -484,6 +484,24 @@ in {
-gui-address=${cfg.guiAddress} \
-home=${cfg.configDir}
'';
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
CapabilityBoundingSet = [
"~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN"
"~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP"
"~CAP_SYS_TIME" "~CAP_KILL"
];
};
};
syncthing-init = mkIf (

View File

@ -38,10 +38,13 @@ in
config = mkIf cfg.enable {
systemd.services.zerotierone = {
description = "ZeroTierOne";
path = [ cfg.package ];
bindsTo = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wants = [ "network-online.target" ];
path = [ cfg.package ];
preStart = ''
mkdir -p /var/lib/zerotier-one/networks.d
chmod 700 /var/lib/zerotier-one
@ -53,6 +56,7 @@ in
ExecStart = "${cfg.package}/bin/zerotier-one -p${toString cfg.port}";
Restart = "always";
KillMode = "process";
TimeoutStopSec = 5;
};
};

View File

@ -13,19 +13,11 @@ in
services.solr = {
enable = mkEnableOption "Solr";
# default to the 8.x series not forcing major version upgrade of those on the 7.x series
package = mkOption {
type = types.package;
default = if versionAtLeast config.system.stateVersion "19.09"
then pkgs.solr_8
else pkgs.solr_7
;
default = pkgs.solr;
defaultText = "pkgs.solr";
description = ''
Which Solr package to use. This defaults to version 7.x if
<literal>system.stateVersion &lt; 19.09</literal> and version 8.x
otherwise.
'';
description = "Which Solr package to use.";
};
port = mkOption {

View File

@ -92,8 +92,11 @@ in {
"-o cat"
"-n1"
] ++ (map (name: "-t ${escapeShellArg name}") cfg.services));
backend = if config.networking.nftables.enable
then "sshg-fw-nft-sets"
else "sshg-fw-ipset";
in ''
BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset"
BACKEND="${pkgs.sshguard}/libexec/${backend}"
LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"
'';
@ -104,7 +107,9 @@ in {
after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service";
path = with pkgs; [ iptables ipset iproute systemd ];
path = with pkgs; if config.networking.nftables.enable
then [ nftables iproute systemd ]
else [ iptables ipset iproute systemd ];
# The sshguard ipsets must exist before we invoke
# iptables. sshguard creates the ipsets after startup if
@ -112,14 +117,14 @@ in {
# the iptables rules because postStart races with the creation
# of the ipsets. So instead, we create both the ipsets and
# firewall rules before sshguard starts.
preStart = ''
preStart = optionalString config.networking.firewall.enable ''
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
'';
postStop = ''
postStop = optionalString config.networking.firewall.enable ''
${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP
${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
${pkgs.ipset}/bin/ipset -quiet destroy sshguard4

View File

@ -135,6 +135,7 @@ in
User = "vault";
Group = "vault";
ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";

View File

@ -0,0 +1,272 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkEnableOption mkForce mkIf mkMerge mkOption optionalAttrs recursiveUpdate types;
cfg = config.services.dokuwiki;
user = config.services.nginx.user;
group = config.services.nginx.group;
dokuwikiAclAuthConfig = pkgs.writeText "acl.auth.php" ''
# acl.auth.php
# <?php exit()?>
#
# Access Control Lists
#
${toString cfg.acl}
'';
dokuwikiLocalConfig = pkgs.writeText "local.php" ''
<?php
$conf['savedir'] = '${cfg.stateDir}';
$conf['superuser'] = '${toString cfg.superUser}';
$conf['useacl'] = '${toString cfg.aclUse}';
${toString cfg.extraConfig}
'';
dokuwikiPluginsLocalConfig = pkgs.writeText "plugins.local.php" ''
<?php
${cfg.pluginsConfig}
'';
in
{
options.services.dokuwiki = {
enable = mkEnableOption "DokuWiki web application.";
hostName = mkOption {
type = types.str;
default = "localhost";
description = "FQDN for the instance.";
};
stateDir = mkOption {
type = types.path;
default = "/var/lib/dokuwiki/data";
description = "Location of the dokuwiki state directory.";
};
acl = mkOption {
type = types.nullOr types.lines;
default = null;
example = "* @ALL 8";
description = ''
Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/>
Mutually exclusive with services.dokuwiki.aclFile
Set this to a value other than null to take precedence over aclFile option.
'';
};
aclFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl
Mutually exclusive with services.dokuwiki.acl which is preferred.
Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions.
Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/>
'';
};
aclUse = mkOption {
type = types.bool;
default = true;
description = ''
Necessary for users to log in into the system.
Also limits anonymous users. When disabled,
everyone is able to create and edit content.
'';
};
pluginsConfig = mkOption {
type = types.lines;
default = ''
$plugins['authad'] = 0;
$plugins['authldap'] = 0;
$plugins['authmysql'] = 0;
$plugins['authpgsql'] = 0;
'';
description = ''
List of the dokuwiki (un)loaded plugins.
'';
};
superUser = mkOption {
type = types.nullOr types.str;
default = "@admin";
description = ''
You can set either a username, a list of usernames (admin1,admin2),
or the name of a group by prepending an @ char to the groupname
Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions.
'';
};
usersFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Location of the dokuwiki users file. List of users. Format:
login:passwordhash:Real Name:email:groups,comma,separated
Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1`
Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/>
'';
};
extraConfig = mkOption {
type = types.nullOr types.lines;
default = null;
example = ''
$conf['title'] = 'My Wiki';
$conf['userewrite'] = 1;
'';
description = ''
DokuWiki configuration. Refer to
<link xlink:href="https://www.dokuwiki.org/config"/>
for details on supported values.
'';
};
poolConfig = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the dokuwiki PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
};
nginx = mkOption {
type = types.submodule (
recursiveUpdate
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
{
# Enable encryption by default,
options.forceSSL.default = true;
options.enableACME.default = true;
}
);
default = {forceSSL = true; enableACME = true;};
example = {
serverAliases = [
"wiki.\${config.networking.domain}"
];
enableACME = false;
};
description = ''
With this option, you can customize the nginx virtualHost which already has sensible defaults for DokuWiki.
'';
};
};
# implementation
config = mkIf cfg.enable {
warnings = mkIf (cfg.superUser == null) ["Not setting services.dokuwiki.superUser will impair your ability to administer DokuWiki"];
assertions = [
{
assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null);
message = "Either services.dokuwiki.acl or services.dokuwiki.aclFile is mandatory when aclUse is true";
}
{
assertion = cfg.usersFile != null -> cfg.aclUse != false;
message = "services.dokuwiki.aclUse must be true when usersFile is not null";
}
];
services.phpfpm.pools.dokuwiki = {
inherit user;
inherit group;
phpEnv = {
DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig}";
DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig}";
} //optionalAttrs (cfg.usersFile != null) {
DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}";
} //optionalAttrs (cfg.aclUse) {
DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig}" else "${toString cfg.aclFile}";
};
settings = {
"listen.mode" = "0660";
"listen.owner" = user;
"listen.group" = group;
} // cfg.poolConfig;
};
services.nginx = {
enable = true;
virtualHosts = {
${cfg.hostName} = mkMerge [ cfg.nginx {
root = mkForce "${pkgs.dokuwiki}/share/dokuwiki/";
extraConfig = "fastcgi_param HTTPS on;";
locations."~ /(conf/|bin/|inc/|install.php)" = {
extraConfig = "deny all;";
};
locations."~ ^/data/" = {
root = "${cfg.stateDir}";
extraConfig = "internal;";
};
locations."~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 365d;";
};
locations."/" = {
priority = 1;
index = "doku.php";
extraConfig = ''try_files $uri $uri/ @dokuwiki;'';
};
locations."@dokuwiki" = {
extraConfig = ''
# rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
'';
};
locations."~ \.php$" = {
extraConfig = ''
try_files $uri $uri/ /doku.php;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:${config.services.phpfpm.pools.dokuwiki.socket};
fastcgi_param HTTPS on;
'';
};
}];
};
};
systemd.tmpfiles.rules = [
"d ${cfg.stateDir}/attic 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/cache 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/index 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/locks 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/media 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/media_attic 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/media_meta 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/meta 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/pages 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/tmp 0750 ${user} ${group} - -"
];
};
}

View File

@ -629,6 +629,9 @@ in
environment.systemPackages = [httpd];
# required for "apachectl configtest"
environment.etc."httpd/httpd.conf".source = httpdConf;
services.httpd.phpOptions =
''
; Needed for PHP's mail() function.

View File

@ -3,8 +3,9 @@
with lib;
let
cfg = config.services.gitweb;
package = pkgs.gitweb.override (optionalAttrs cfg.gitwebTheme {
cfg = config.services.nginx.gitweb;
gitwebConfig = config.services.gitweb;
package = pkgs.gitweb.override (optionalAttrs gitwebConfig.gitwebTheme {
gitwebTheme = true;
});
@ -17,13 +18,45 @@ in
default = false;
type = types.bool;
description = ''
If true, enable gitweb in nginx. Access it at http://yourserver/gitweb
If true, enable gitweb in nginx.
'';
};
location = mkOption {
default = "/gitweb";
type = types.str;
description = ''
Location to serve gitweb on.
'';
};
user = mkOption {
default = "nginx";
type = types.str;
description = ''
Existing user that the CGI process will belong to. (Default almost surely will do.)
'';
};
group = mkOption {
default = "nginx";
type = types.str;
description = ''
Group that the CGI process will belong to. (Set to <literal>config.services.gitolite.group</literal> if you are using gitolite.)
'';
};
virtualHost = mkOption {
default = "_";
type = types.str;
description = ''
VirtualHost to serve gitweb on. Default is catch-all.
'';
};
};
config = mkIf config.services.nginx.gitweb.enable {
config = mkIf cfg.enable {
systemd.services.gitweb = {
description = "GitWeb service";
@ -32,22 +65,22 @@ in
FCGI_SOCKET_PATH = "/run/gitweb/gitweb.sock";
};
serviceConfig = {
User = "nginx";
Group = "nginx";
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = [ "gitweb" ];
};
wantedBy = [ "multi-user.target" ];
};
services.nginx = {
virtualHosts.default = {
locations."/gitweb/static/" = {
virtualHosts.${cfg.virtualHost} = {
locations."${cfg.location}/static/" = {
alias = "${package}/static/";
};
locations."/gitweb/" = {
locations."${cfg.location}/" = {
extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param GITWEB_CONFIG ${cfg.gitwebConfigFile};
fastcgi_param GITWEB_CONFIG ${gitwebConfig.gitwebConfigFile};
fastcgi_pass unix:/run/gitweb/gitweb.sock;
'';
};

View File

@ -111,7 +111,7 @@ in {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
# Security
NoNewPrivileges = true;
# Sanboxing
# Sandboxing
ProtectSystem = "full";
ProtectHome = true;
RuntimeDirectory = "unit";
@ -130,8 +130,10 @@ in {
};
users.users = optionalAttrs (cfg.user == "unit") {
unit.group = cfg.group;
isSystemUser = true;
unit = {
group = cfg.group;
isSystemUser = true;
};
};
users.groups = optionalAttrs (cfg.group == "unit") {

View File

@ -144,7 +144,7 @@ in
services.gnome3.core-shell.enable = true;
services.gnome3.core-utilities.enable = mkDefault true;
services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session ];
services.xserver.displayManager.sessionPackages = [ pkgs.gnome3.gnome-session.sessions ];
environment.extraInit = ''
${concatMapStrings (p: ''
@ -249,11 +249,17 @@ in
services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true));
services.telepathy.enable = mkDefault true;
systemd.packages = with pkgs.gnome3; [ vino gnome-session ];
systemd.packages = with pkgs.gnome3; [
gnome-session
gnome-shell
vino
];
services.avahi.enable = mkDefault true;
xdg.portal.extraPortals = [ pkgs.gnome3.gnome-shell ];
xdg.portal.extraPortals = [
pkgs.gnome3.gnome-shell
];
services.geoclue2.enable = mkDefault true;
services.geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent

View File

@ -127,14 +127,9 @@ in
"/share/gtksourceview-4.0"
];
services.xserver.desktopManager.session = [{
name = "xfce";
bgSupport = true;
start = ''
${pkgs.runtimeShell} ${pkgs.xfce.xfce4-session.xinitrc} &
waitPID=$!
'';
}];
services.xserver.displayManager.sessionPackages = [
pkgs.xfce.xfce4-session
];
services.xserver.updateDbusEnvironment = true;
services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];

View File

@ -174,6 +174,10 @@ in
"f /run/gdm/.config/gnome-initial-setup-done 0711 gdm gdm - yes"
];
# Otherwise GDM will not be able to start correctly and display Wayland sessions
systemd.packages = with pkgs.gnome3; [ gnome-session gnome-shell ];
environment.systemPackages = [ pkgs.gnome3.adwaita-icon-theme ];
systemd.services.display-manager.wants = [
# Because sd_login_monitor_new requires /run/systemd/machines
"systemd-machined.service"

View File

@ -1,94 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.services.xserver.multitouch;
disabledTapConfig = ''
Option "MaxTapTime" "0"
Option "MaxTapMove" "0"
Option "TapButton1" "0"
Option "TapButton2" "0"
Option "TapButton3" "0"
'';
in {
options = {
services.xserver.multitouch = {
enable = mkOption {
default = false;
description = "Whether to enable multitouch touchpad support.";
};
invertScroll = mkOption {
default = false;
type = types.bool;
description = "Whether to invert scrolling direction à la OSX Lion";
};
ignorePalm = mkOption {
default = false;
type = types.bool;
description = "Whether to ignore touches detected as being the palm (i.e when typing)";
};
tapButtons = mkOption {
type = types.bool;
default = true;
description = "Whether to enable tap buttons.";
};
buttonsMap = mkOption {
type = types.listOf types.int;
default = [3 2 0];
example = [1 3 2];
description = "Remap touchpad buttons.";
apply = map toString;
};
additionalOptions = mkOption {
type = types.str;
default = "";
example = ''
Option "ScaleDistance" "50"
Option "RotateDistance" "60"
'';
description = ''
Additional options for mtrack touchpad driver.
'';
};
};
};
config = mkIf cfg.enable {
services.xserver.modules = [ pkgs.xf86_input_mtrack ];
services.xserver.config =
''
# Automatically enable the multitouch driver
Section "InputClass"
MatchIsTouchpad "on"
Identifier "Touchpads"
Driver "mtrack"
Option "IgnorePalm" "${boolToString cfg.ignorePalm}"
Option "ClickFinger1" "${builtins.elemAt cfg.buttonsMap 0}"
Option "ClickFinger2" "${builtins.elemAt cfg.buttonsMap 1}"
Option "ClickFinger3" "${builtins.elemAt cfg.buttonsMap 2}"
${optionalString (!cfg.tapButtons) disabledTapConfig}
${optionalString cfg.invertScroll ''
Option "ScrollUpButton" "5"
Option "ScrollDownButton" "4"
Option "ScrollLeftButton" "7"
Option "ScrollRightButton" "6"
''}
${cfg.additionalOptions}
EndSection
'';
};
}

View File

@ -32,7 +32,7 @@ in {
default = 1;
};
threeshold = mkOption {
threshold = mkOption {
description = "Minimum number of pixels considered cursor movement";
type = types.int;
default = 1;
@ -72,6 +72,11 @@ in {
};
};
imports = [
(mkRenamedOptionModule [ "services" "unclutter" "threeshold" ]
[ "services" "unclutter" "threshold" ])
];
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
}

View File

@ -162,6 +162,16 @@ in
<literal>/usr/bin/env</literal>.
'';
};
environment.ld-linux = mkOption {
default = false;
type = types.bool;
visible = false;
description = ''
Install symlink to ld-linux(8) system-wide to allow running unmodified ELF binaries.
It might be useful to run games or executables distributed inside jar files.
'';
};
};
@ -195,9 +205,30 @@ in
''
else ''
rm -f /usr/bin/env
rmdir --ignore-fail-on-non-empty /usr/bin /usr
rmdir -p /usr/bin || true
'';
system.activationScripts.ld-linux =
concatStrings (
mapAttrsToList
(target: source:
if config.environment.ld-linux then ''
mkdir -m 0755 -p $(dirname ${target})
ln -sfn ${escapeShellArg source} ${target}.tmp
mv -f ${target}.tmp ${target} # atomically replace
'' else ''
rm -f ${target}
rmdir $(dirname ${target}) || true
'')
{
"i686-linux" ."/lib/ld-linux.so.2" = "${pkgs.glibc.out}/lib/ld-linux.so.2";
"x86_64-linux" ."/lib/ld-linux.so.2" = "${pkgs.pkgsi686Linux.glibc.out}/lib/ld-linux.so.2";
"x86_64-linux" ."/lib64/ld-linux-x86-64.so.2" = "${pkgs.glibc.out}/lib64/ld-linux-x86-64.so.2";
"aarch64-linux"."/lib/ld-linux-aarch64.so.1" = "${pkgs.glibc.out}/lib/ld-linux-aarch64.so.1";
"armv7l-linux" ."/lib/ld-linux-armhf.so.3" = "${pkgs.glibc.out}/lib/ld-linux-armhf.so.3";
}.${pkgs.stdenv.system} or {}
);
system.activationScripts.specialfs =
''
specialMount() {

View File

@ -4,6 +4,7 @@ with lib;
let
luks = config.boot.initrd.luks;
kernelPackages = config.boot.kernelPackages;
commonFunctions = ''
die() {
@ -139,7 +140,7 @@ let
umount /crypt-ramfs 2>/dev/null
'';
openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fallbackToPassword, ... }: assert name' == name;
openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, fallbackToPassword, ... }: assert name' == name;
let
csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@ -387,7 +388,31 @@ let
}
''}
${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) then ''
${optionalString (luks.fido2Support && (fido2.credential != null)) ''
open_with_hardware() {
local passsphrase
${if fido2.passwordLess then ''
export passphrase=""
'' else ''
read -rsp "FIDO2 salt for ${device}: " passphrase
echo
''}
${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") ''
echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest."
echo "Please move your mouse to create needed randomness."
''}
echo "Waiting for your FIDO2 device..."
fido2luks -i open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase
if [ $? -ne 0 ]; then
echo "No FIDO2 key found, falling back to normal open procedure"
open_normally
fi
}
''}
${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) then ''
open_with_hardware
'' else ''
open_normally
@ -608,6 +633,31 @@ in
});
};
fido2 = {
credential = mkOption {
default = null;
example = "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2";
type = types.str;
description = "The FIDO2 credential ID.";
};
gracePeriod = mkOption {
default = 10;
type = types.int;
description = "Time in seconds to wait for the FIDO2 key.";
};
passwordLess = mkOption {
default = false;
type = types.bool;
description = ''
Defines whatever to use an empty string as a default salt.
Enable only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.
'';
};
};
yubikey = mkOption {
default = null;
description = ''
@ -706,6 +756,15 @@ in
and a Yubikey to work with this feature.
'';
};
boot.initrd.luks.fido2Support = mkOption {
default = false;
type = types.bool;
description = ''
Enables support for authenticating with FIDO2 devices.
'';
};
};
config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
@ -714,6 +773,14 @@ in
[ { assertion = !(luks.gpgSupport && luks.yubikeySupport);
message = "Yubikey and GPG Card may not be used at the same time.";
}
{ assertion = !(luks.gpgSupport && luks.fido2Support);
message = "FIDO2 and GPG Card may not be used at the same time.";
}
{ assertion = !(luks.fido2Support && luks.yubikeySupport);
message = "FIDO2 and Yubikey may not be used at the same time.";
}
];
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@ -753,6 +820,11 @@ in
chmod +x $out/bin/openssl-wrap
''}
${optionalString luks.fido2Support ''
copy_bin_and_libs ${pkgs.fido2luks}/bin/fido2luks
''}
${optionalString luks.gpgSupport ''
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg
copy_bin_and_libs ${pkgs.gnupg}/bin/gpg-agent
@ -783,6 +855,9 @@ in
$out/bin/gpg-agent --version
$out/bin/scdaemon --version
''}
${optionalString luks.fido2Support ''
$out/bin/fido2luks --version
''}
'';
boot.initrd.preFailCommands = postCommands;

View File

@ -49,7 +49,7 @@ let
(assertValueOneOf "Kind" [
"bond" "bridge" "dummy" "gre" "gretap" "ip6gre" "ip6tnl" "ip6gretap" "ipip"
"ipvlan" "macvlan" "macvtap" "sit" "tap" "tun" "veth" "vlan" "vti" "vti6"
"vxlan" "geneve" "vrf" "vcan" "vxcan" "wireguard" "netdevsim"
"vxlan" "geneve" "vrf" "vcan" "vxcan" "wireguard" "netdevsim" "xfrm"
])
(assertByteFormat "MTUBytes")
(assertMacAddress "MACAddress")
@ -172,6 +172,14 @@ let
(assertValueOneOf "AllSlavesActive" boolValues)
];
checkXfrm = checkUnitConfig "Xfrm" [
(assertOnlyFields [
"InterfaceId" "Independent"
])
(assertRange "InterfaceId" 1 4294967295)
(assertValueOneOf "Independent" boolValues)
];
checkNetwork = checkUnitConfig "Network" [
(assertOnlyFields [
"Description" "DHCP" "DHCPServer" "LinkLocalAddressing" "IPv4LLRoute"
@ -182,7 +190,7 @@ let
"IPv6HopLimit" "IPv4ProxyARP" "IPv6ProxyNDP" "IPv6ProxyNDPAddress"
"IPv6PrefixDelegation" "IPv6MTUBytes" "Bridge" "Bond" "VRF" "VLAN"
"IPVLAN" "MACVLAN" "VXLAN" "Tunnel" "ActiveSlave" "PrimarySlave"
"ConfigureWithoutCarrier"
"ConfigureWithoutCarrier" "Xfrm"
])
# Note: For DHCP the values both, none, v4, v6 are deprecated
(assertValueOneOf "DHCP" ["yes" "no" "ipv4" "ipv6" "both" "none" "v4" "v6"])
@ -477,6 +485,18 @@ let
'';
};
xfrmConfig = mkOption {
default = {};
example = { InterfaceId = 1; };
type = types.addCheck (types.attrsOf unitOption) checkXfrm;
description = ''
Each attribute in this set specifies an option in the
<literal>[Xfrm]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.netdev</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
};
addressOptions = {
@ -712,6 +732,16 @@ let
'';
};
xfrm = mkOption {
default = [ ];
type = types.listOf types.str;
description = ''
A list of xfrm interfaces to be added to the network section of the
unit. See <citerefentry><refentrytitle>systemd.network</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
addresses = mkOption {
default = [ ];
type = with types; listOf (submodule addressOptions);
@ -809,6 +839,11 @@ let
[Bond]
${attrsToSection def.bondConfig}
''}
${optionalString (def.xfrmConfig != { }) ''
[Xfrm]
${attrsToSection def.xfrmConfig}
''}
${optionalString (def.wireguardConfig != { }) ''
[WireGuard]
@ -847,6 +882,7 @@ let
${concatStringsSep "\n" (map (s: "MACVLAN=${s}") def.macvlan)}
${concatStringsSep "\n" (map (s: "VXLAN=${s}") def.vxlan)}
${concatStringsSep "\n" (map (s: "Tunnel=${s}") def.tunnel)}
${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)}
${optionalString (def.dhcpConfig != { }) ''
[DHCP]

View File

@ -147,7 +147,13 @@ in rec {
done
# Symlink all units provided listed in systemd.packages.
for i in ${toString cfg.packages}; do
packages="${toString cfg.packages}"
# Filter duplicate directories
declare -A unique_packages
for k in $packages ; do unique_packages[$k]=1 ; done
for i in ''${!unique_packages[@]}; do
for fn in $i/etc/systemd/${type}/* $i/lib/systemd/${type}/*; do
if ! [[ "$fn" =~ .wants$ ]]; then
if [[ -d "$fn" ]]; then

View File

@ -869,11 +869,15 @@ in
"sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
"sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
"tmpfiles.d/home.conf".source = "${systemd}/example/tmpfiles.d/home.conf";
"tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf";
"tmpfiles.d/portables.conf".source = "${systemd}/example/tmpfiles.d/portables.conf";
"tmpfiles.d/static-nodes-permissions.conf".source = "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf";
"tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
"tmpfiles.d/systemd-nologin.conf".source = "${systemd}/example/tmpfiles.d/systemd-nologin.conf";
"tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/systemd-nspawn.conf";
"tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/systemd-tmp.conf";
"tmpfiles.d/tmp.conf".source = "${systemd}/example/tmpfiles.d/tmp.conf";
"tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf";
"tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";

View File

@ -7,8 +7,8 @@ let
echo "attempting to fetch configuration from EC2 user data..."
export HOME=/root
export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild]}:$PATH
export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels
export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused config.system.build.nixos-rebuild]}:$PATH
export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels
userData=/etc/ec2-metadata/user-data
@ -18,9 +18,9 @@ let
# that as the channel.
if sed '/^\(#\|SSH_HOST_.*\)/d' < "$userData" | grep -q '\S'; then
channels="$(grep '^###' "$userData" | sed 's|###\s*||')"
printf "%s" "$channels" | while read channel; do
while IFS= read -r channel; do
echo "writing channel: $channel"
done
done < <(printf "%s\n" "$channels")
if [[ -n "$channels" ]]; then
printf "%s" "$channels" > /root/.nix-channels
@ -58,4 +58,3 @@ in {
};
};
}

View File

@ -54,7 +54,7 @@ in rec {
(all nixos.dummy)
(all nixos.manual)
nixos.iso_graphical.x86_64-linux or []
nixos.iso_plasma5.x86_64-linux or []
nixos.iso_minimal.aarch64-linux or []
nixos.iso_minimal.i686-linux or []
nixos.iso_minimal.x86_64-linux or []

View File

@ -149,9 +149,9 @@ in rec {
inherit system;
});
iso_graphical = forMatchingSystems [ "x86_64-linux" ] (system: makeIso {
module = ./modules/installer/cd-dvd/installation-cd-graphical-kde.nix;
type = "graphical";
iso_plasma5 = forMatchingSystems [ "x86_64-linux" ] (system: makeIso {
module = ./modules/installer/cd-dvd/installation-cd-graphical-plasma5.nix;
type = "plasma5";
inherit system;
});
@ -209,7 +209,8 @@ in rec {
hydraJob ((import lib/eval-config.nix {
inherit system;
modules =
[ versionModule
[ configuration
versionModule
./maintainers/scripts/ec2/amazon-image.nix
];
}).config.system.build.amazonImage)

View File

@ -33,6 +33,7 @@ in
bind = handleTest ./bind.nix {};
bittorrent = handleTest ./bittorrent.nix {};
#blivet = handleTest ./blivet.nix {}; # broken since 2017-07024
buildkite-agent = handleTest ./buildkite-agent.nix {};
boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64
boot-stage1 = handleTest ./boot-stage1.nix {};
borgbackup = handleTest ./borgbackup.nix {};
@ -61,6 +62,7 @@ in
containers-portforward = handleTest ./containers-portforward.nix {};
containers-restart_networking = handleTest ./containers-restart_networking.nix {};
containers-tmpfs = handleTest ./containers-tmpfs.nix {};
corerad = handleTest ./corerad.nix {};
couchdb = handleTest ./couchdb.nix {};
deluge = handleTest ./deluge.nix {};
dhparams = handleTest ./dhparams.nix {};
@ -73,6 +75,7 @@ in
docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {};
docker-tools-overlay = handleTestOn ["x86_64-linux"] ./docker-tools-overlay.nix {};
documize = handleTest ./documize.nix {};
dokuwiki = handleTest ./dokuwiki.nix {};
dovecot = handleTest ./dovecot.nix {};
# ec2-config doesn't work in a sandbox as the simulated ec2 instance needs network access
#ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};

View File

@ -0,0 +1,36 @@
import ./make-test-python.nix ({ pkgs, ... }:
{
name = "buildkite-agent";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ flokli ];
};
nodes = {
node1 = { pkgs, ... }: {
services.buildkite-agent = {
enable = true;
privateSshKeyPath = (import ./ssh-keys.nix pkgs).snakeOilPrivateKey;
tokenPath = (pkgs.writeText "my-token" "5678");
};
};
# don't configure ssh key, run as a separate user
node2 = { pkgs, ...}: {
services.buildkite-agent = {
enable = true;
tokenPath = (pkgs.writeText "my-token" "1234");
};
};
};
testScript = ''
start_all()
# we can't wait on the unit to start up, as we obviously can't connect to buildkite,
# but we can look whether files are set up correctly
node1.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
node1.wait_for_file("/var/lib/buildkite-agent/.ssh/id_rsa")
node2.wait_for_file("/var/lib/buildkite-agent/buildkite-agent.cfg")
'';
})

View File

@ -9,8 +9,8 @@ let
inherit action;
authority = {
file = {
group = "nobody";
owner = "nobody";
group = "nginx";
owner = "nginx";
path = "/tmp/${host}-ca.pem";
};
label = "www_ca";
@ -18,14 +18,14 @@ let
remote = "localhost:8888";
};
certificate = {
group = "nobody";
owner = "nobody";
group = "nginx";
owner = "nginx";
path = "/tmp/${host}-cert.pem";
};
private_key = {
group = "nobody";
group = "nginx";
mode = "0600";
owner = "nobody";
owner = "nginx";
path = "/tmp/${host}-key.pem";
};
request = {

View File

@ -25,7 +25,7 @@ with pkgs.lib;
my $imageDir = ($ENV{'TMPDIR'} // "/tmp") . "/vm-state-machine";
mkdir $imageDir, 0700;
my $diskImage = "$imageDir/machine.qcow2";
system("qemu-img create -f qcow2 -o backing_file=${image}/nixos.qcow2 $diskImage") == 0 or die;
system("qemu-img create -f qcow2 -o backing_file=${image} $diskImage") == 0 or die;
system("qemu-img resize $diskImage 10G") == 0 or die;
# Note: we use net=169.0.0.0/8 rather than
@ -35,7 +35,7 @@ with pkgs.lib;
# again when it deletes link-local addresses.) Ideally we'd
# turn off the DHCP server, but qemu does not have an option
# to do that.
my $startCommand = "qemu-kvm -m 768";
my $startCommand = "qemu-kvm -m 1024";
$startCommand .= " -device virtio-net-pci,netdev=vlan0";
$startCommand .= " -netdev 'user,id=vlan0,net=169.0.0.0/8,guestfwd=tcp:169.254.169.254:80-cmd:${pkgs.micro-httpd}/bin/micro_httpd ${metaData}'";
$startCommand .= " -drive file=$diskImage,if=virtio,werror=report";

70
nixos/tests/corerad.nix Normal file
View File

@ -0,0 +1,70 @@
import ./make-test-python.nix (
{
nodes = {
router = {config, pkgs, ...}: {
config = {
# This machines simulates a router with IPv6 forwarding and a static IPv6 address.
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = true;
};
networking.interfaces.eth1 = {
ipv6.addresses = [ { address = "fd00:dead:beef:dead::1"; prefixLength = 64; } ];
};
services.corerad = {
enable = true;
# Serve router advertisements to the client machine with prefix information matching
# any IPv6 /64 prefixes configured on this interface.
configFile = pkgs.writeText "corerad.toml" ''
[[interfaces]]
name = "eth1"
send_advertisements = true
[[interfaces.prefix]]
prefix = "::/64"
'';
};
};
};
client = {config, pkgs, ...}: {
# Use IPv6 SLAAC from router advertisements, and install rdisc6 so we can
# trigger one immediately.
config = {
boot.kernel.sysctl = {
"net.ipv6.conf.all.autoconf" = true;
};
environment.systemPackages = with pkgs; [
ndisc6
];
};
};
};
testScript = ''
start_all()
with subtest("Wait for CoreRAD and network ready"):
# Ensure networking is online and CoreRAD is ready.
router.wait_for_unit("network-online.target")
client.wait_for_unit("network-online.target")
router.wait_for_unit("corerad.service")
# Ensure the client can reach the router.
client.wait_until_succeeds("ping -c 1 fd00:dead:beef:dead::1")
with subtest("Verify SLAAC on client"):
# Trigger a router solicitation and verify a SLAAC address is assigned from
# the prefix configured on the router.
client.wait_until_succeeds("rdisc6 -1 -r 10 eth1")
client.wait_until_succeeds(
"ip -6 addr show dev eth1 | grep -q 'fd00:dead:beef:dead:'"
)
addrs = client.succeed("ip -6 addr show dev eth1")
assert (
"fd00:dead:beef:dead:" in addrs
), "SLAAC prefix was not found in client addresses after router advertisement"
assert (
"/64 scope global temporary" in addrs
), "SLAAC temporary address was not configured on client after router advertisement"
'';
})

29
nixos/tests/dokuwiki.nix Normal file
View File

@ -0,0 +1,29 @@
import ./make-test-python.nix ({ lib, ... }:
with lib;
{
name = "dokuwiki";
meta.maintainers = with maintainers; [ maintainers."1000101" ];
nodes.machine =
{ pkgs, ... }:
{ services.dokuwiki = {
enable = true;
acl = " ";
superUser = null;
nginx = {
forceSSL = false;
enableACME = false;
};
};
};
testScript = ''
machine.start()
machine.wait_for_unit("phpfpm-dokuwiki.service")
machine.wait_for_unit("nginx.service")
machine.wait_for_open_port(80)
machine.succeed("curl -sSfL http://localhost/ | grep 'DokuWiki'")
'';
})

View File

@ -9,7 +9,7 @@ with pkgs.lib;
with import common/ec2.nix { inherit makeTest pkgs; };
let
image =
imageCfg =
(import ../lib/eval-config.nix {
inherit system;
modules = [
@ -26,20 +26,32 @@ let
'';
# Needed by nixos-rebuild due to the lack of network
# access. Mostly copied from
# modules/profiles/installation-device.nix.
# access. Determined by trial and error.
system.extraDependencies =
with pkgs; [
stdenv busybox perlPackages.ArchiveCpio unionfs-fuse mkinitcpio-nfs-utils
with pkgs; (
[
# Needed for a nixos-rebuild.
busybox
stdenv
stdenvNoCC
mkinitcpio-nfs-utils
unionfs-fuse
cloud-utils
desktop-file-utils
texinfo
libxslt.bin
xorg.lndir
# These are used in the configure-from-userdata tests for EC2. Httpd and valgrind are requested
# directly by the configuration we set, and libxslt.bin is used indirectly as a build dependency
# of the derivation for dbus configuration files.
apacheHttpd valgrind.doc libxslt.bin
];
# These are used in the configure-from-userdata tests
# for EC2. Httpd and valgrind are requested by the
# configuration.
apacheHttpd apacheHttpd.doc apacheHttpd.man valgrind.doc
]
);
}
];
}).config.system.build.amazonImage;
}).config;
image = "${imageCfg.system.build.amazonImage}/${imageCfg.amazonImage.name}.vhd";
sshKeys = import ./ssh-keys.nix pkgs;
snakeOilPrivateKey = sshKeys.snakeOilPrivateKey.text;
@ -110,16 +122,23 @@ in {
text = "whoa";
};
networking.hostName = "ec2-test-vm"; # required by services.httpd
services.httpd = {
enable = true;
adminAddr = "test@example.org";
virtualHosts.localhost.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html";
virtualHosts.localhost.documentRoot = "''${pkgs.valgrind.doc}/share/doc/valgrind/html";
};
networking.firewall.allowedTCPPorts = [ 80 ];
}
'';
script = ''
$machine->start;
# amazon-init must succeed. if it fails, make the test fail
# immediately instead of timing out in waitForFile.
$machine->waitForUnit('amazon-init.service');
$machine->waitForFile("/etc/testFile");
$machine->succeed("cat /etc/testFile | grep -q 'whoa'");

View File

@ -10,8 +10,7 @@ let
esUrl = "http://localhost:9200";
mkElkTest = name : elk :
let elasticsearchGe7 = builtins.compareVersions elk.elasticsearch.version "7" >= 0;
in import ./make-test-python.nix ({
import ./make-test-python.nix ({
inherit name;
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco offline basvandijk ];
@ -91,8 +90,7 @@ let
};
elasticsearch-curator = {
# The current version of curator (5.6) doesn't support elasticsearch >= 7.0.0.
enable = !elasticsearchGe7;
enable = true;
actionYAML = ''
---
actions:
@ -173,7 +171,7 @@ let
one.wait_until_succeeds(
total_hits("Supercalifragilisticexpialidocious") + " | grep -v 0"
)
'' + pkgs.lib.optionalString (!elasticsearchGe7) ''
with subtest("Elasticsearch-curator works"):
one.systemctl("stop logstash")
one.systemctl("start elasticsearch-curator")

View File

@ -1,21 +1,26 @@
import ./make-test.nix ({ pkgs, ... }: {
import ./make-test-python.nix ({ pkgs, ... }: {
name = "limesurvey";
meta.maintainers = [ pkgs.stdenv.lib.maintainers.aanderse ];
machine =
{ ... }:
{ services.limesurvey.enable = true;
services.limesurvey.virtualHost.hostName = "example.local";
services.limesurvey.virtualHost.adminAddr = "root@example.local";
# limesurvey won't work without a dot in the hostname
networking.hosts."127.0.0.1" = [ "example.local" ];
machine = { ... }: {
services.limesurvey = {
enable = true;
virtualHost = {
hostName = "example.local";
adminAddr = "root@example.local";
};
};
testScript = ''
startAll;
# limesurvey won't work without a dot in the hostname
networking.hosts."127.0.0.1" = [ "example.local" ];
};
$machine->waitForUnit('phpfpm-limesurvey.service');
$machine->succeed('curl http://example.local/') =~ /The following surveys are available/ or die;
testScript = ''
start_all()
machine.wait_for_unit("phpfpm-limesurvey.service")
assert "The following surveys are available" in machine.succeed(
"curl http://example.local/"
)
'';
})

View File

@ -17,7 +17,7 @@ let
../modules/testing/test-instrumentation.nix
../modules/profiles/qemu-guest.nix
];
}).config.system.build.openstackImage;
}).config.system.build.openstackImage + "/nixos.qcow2";
sshKeys = import ./ssh-keys.nix pkgs;
snakeOilPrivateKey = sshKeys.snakeOilPrivateKey.text;

View File

@ -1,97 +1,90 @@
import ./make-test.nix ({ pkgs, ...} :
import ./make-test-python.nix ({ pkgs, ...} :
let
backend =
{ pkgs, ... }:
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
services.httpd.virtualHosts.localhost.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html";
networking.firewall.allowedTCPPorts = [ 80 ];
backend = { pkgs, ... }: {
services.httpd = {
enable = true;
adminAddr = "foo@example.org";
virtualHosts.localhost.documentRoot = "${pkgs.valgrind.doc}/share/doc/valgrind/html";
};
in
{
networking.firewall.allowedTCPPorts = [ 80 ];
};
in {
name = "proxy";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco ];
};
nodes =
{ proxy =
{ nodes, ... }:
nodes = {
proxy = { nodes, ... }: {
services.httpd = {
enable = true;
adminAddr = "bar@example.org";
extraModules = [ "proxy_balancer" "lbmethod_byrequests" ];
extraConfig = ''
ExtendedStatus on
'';
virtualHosts.localhost = {
extraConfig = ''
<Location /server-status>
Require all granted
SetHandler server-status
</Location>
{ services.httpd.enable = true;
services.httpd.adminAddr = "bar@example.org";
services.httpd.extraModules = [ "proxy_balancer" "lbmethod_byrequests" ];
services.httpd.extraConfig = ''
ExtendedStatus on
<Proxy balancer://cluster>
Require all granted
BalancerMember http://${nodes.backend1.config.networking.hostName} retry=0
BalancerMember http://${nodes.backend2.config.networking.hostName} retry=0
</Proxy>
ProxyStatus full
ProxyPass /server-status !
ProxyPass / balancer://cluster/
ProxyPassReverse / balancer://cluster/
# For testing; don't want to wait forever for dead backend servers.
ProxyTimeout 5
'';
services.httpd.virtualHosts.localhost = {
extraConfig = ''
<Location /server-status>
Require all granted
SetHandler server-status
</Location>
<Proxy balancer://cluster>
Require all granted
BalancerMember http://${nodes.backend1.config.networking.hostName} retry=0
BalancerMember http://${nodes.backend2.config.networking.hostName} retry=0
</Proxy>
ProxyStatus full
ProxyPass /server-status !
ProxyPass / balancer://cluster/
ProxyPassReverse / balancer://cluster/
# For testing; don't want to wait forever for dead backend servers.
ProxyTimeout 5
'';
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
backend1 = backend;
backend2 = backend;
client = { ... }: { };
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
testScript =
''
startAll;
backend1 = backend;
backend2 = backend;
$proxy->waitForUnit("httpd");
$backend1->waitForUnit("httpd");
$backend2->waitForUnit("httpd");
$client->waitForUnit("network.target");
client = { ... }: { };
};
# With the back-ends up, the proxy should work.
$client->succeed("curl --fail http://proxy/");
testScript = ''
start_all()
$client->succeed("curl --fail http://proxy/server-status");
proxy.wait_for_unit("httpd")
backend1.wait_for_unit("httpd")
backend2.wait_for_unit("httpd")
client.wait_for_unit("network.target")
# Block the first back-end.
$backend1->block;
# With the back-ends up, the proxy should work.
client.succeed("curl --fail http://proxy/")
# The proxy should still work.
$client->succeed("curl --fail http://proxy/");
client.succeed("curl --fail http://proxy/server-status")
$client->succeed("curl --fail http://proxy/");
# Block the first back-end.
backend1.block()
# Block the second back-end.
$backend2->block;
# The proxy should still work.
client.succeed("curl --fail http://proxy/")
client.succeed("curl --fail http://proxy/")
# Now the proxy should fail as well.
$client->fail("curl --fail http://proxy/");
# Block the second back-end.
backend2.block()
# But if the second back-end comes back, the proxy should start
# working again.
$backend2->unblock;
$client->succeed("curl --fail http://proxy/");
'';
# Now the proxy should fail as well.
client.fail("curl --fail http://proxy/")
# But if the second back-end comes back, the proxy should start
# working again.
backend2.unblock()
client.succeed("curl --fail http://proxy/")
'';
})

View File

@ -1,65 +1,48 @@
{ system ? builtins.currentSystem,
config ? {},
pkgs ? import ../.. { inherit system config; }
}:
import ./make-test.nix ({ pkgs, ... }:
with import ../lib/testing.nix { inherit system pkgs; };
with pkgs.lib;
let
solrTest = package: makeTest {
machine =
{ config, pkgs, ... }:
{
# Ensure the virtual machine has enough memory for Solr to avoid the following error:
#
# OpenJDK 64-Bit Server VM warning:
# INFO: os::commit_memory(0x00000000e8000000, 402653184, 0)
# failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 402653184 bytes for committing reserved memory.
virtualisation.memorySize = 2000;
services.solr.enable = true;
services.solr.package = package;
};
testScript = ''
startAll;
$machine->waitForUnit('solr.service');
$machine->waitForOpenPort('8983');
$machine->succeed('curl --fail http://localhost:8983/solr/');
# adapted from pkgs.solr/examples/films/README.txt
$machine->succeed('sudo -u solr solr create -c films');
$machine->succeed(q(curl http://localhost:8983/solr/films/schema -X POST -H 'Content-type:application/json' --data-binary '{
"add-field" : {
"name":"name",
"type":"text_general",
"multiValued":false,
"stored":true
},
"add-field" : {
"name":"initial_release_date",
"type":"pdate",
"stored":true
}
}')) =~ /"status":0/ or die;
$machine->succeed('sudo -u solr post -c films ${pkgs.solr}/example/films/films.json');
$machine->succeed('curl http://localhost:8983/solr/films/query?q=name:batman') =~ /"name":"Batman Begins"/ or die;
'';
};
in
{
solr_7 = solrTest pkgs.solr_7 // {
name = "solr_7";
meta.maintainers = [ lib.maintainers.aanderse ];
};
name = "solr";
meta.maintainers = [ pkgs.stdenv.lib.maintainers.aanderse ];
solr_8 = solrTest pkgs.solr_8 // {
name = "solr_8";
meta.maintainers = [ lib.maintainers.aanderse ];
};
}
machine =
{ config, pkgs, ... }:
{
# Ensure the virtual machine has enough memory for Solr to avoid the following error:
#
# OpenJDK 64-Bit Server VM warning:
# INFO: os::commit_memory(0x00000000e8000000, 402653184, 0)
# failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 402653184 bytes for committing reserved memory.
virtualisation.memorySize = 2000;
services.solr.enable = true;
};
testScript = ''
startAll;
$machine->waitForUnit('solr.service');
$machine->waitForOpenPort('8983');
$machine->succeed('curl --fail http://localhost:8983/solr/');
# adapted from pkgs.solr/examples/films/README.txt
$machine->succeed('sudo -u solr solr create -c films');
$machine->succeed(q(curl http://localhost:8983/solr/films/schema -X POST -H 'Content-type:application/json' --data-binary '{
"add-field" : {
"name":"name",
"type":"text_general",
"multiValued":false,
"stored":true
},
"add-field" : {
"name":"initial_release_date",
"type":"pdate",
"stored":true
}
}')) =~ /"status":0/ or die;
$machine->succeed('sudo -u solr post -c films ${pkgs.solr}/example/films/films.json');
$machine->succeed('curl http://localhost:8983/solr/films/query?q=name:batman') =~ /"name":"Batman Begins"/ or die;
'';
})

View File

@ -0,0 +1,55 @@
{ stdenv, lib, fetchFromGitHub
, autoreconfHook, pkgconfig, wrapGAppsHook
, glib, gtk3, expat, gnome-doc-utils, which
, at-spi2-core, dbus
, libxslt, libxml2
, speechSupport ? true, speechd ? null
}:
assert speechSupport -> speechd != null;
stdenv.mkDerivation {
pname = "dasher";
version = "2018-04-03";
src = fetchFromGitHub {
owner = "dasher-project";
repo = "dasher";
rev = "9ab12462e51d17a38c0ddc7f7ffe1cb5fe83b627";
sha256 = "1r9xn966nx3pv2bidd6i3pxmprvlw6insnsb38zabmac609h9d9s";
};
prePatch = ''
# tries to invoke git for something, probably fetching the ref
echo "true" > build-aux/mkversion
'';
configureFlags = lib.optional (!speechSupport) "--disable-speech";
nativeBuildInputs = [
autoreconfHook
wrapGAppsHook
pkgconfig
# doc generation
gnome-doc-utils
which
libxslt libxml2
];
buildInputs = [
glib
gtk3
expat
# at-spi2 needs dbus to be recognized by pkg-config
at-spi2-core dbus
] ++ lib.optional speechSupport speechd;
meta = {
homepage = http://www.inference.org.uk/dasher/;
description = "Information-efficient text-entry interface, driven by natural continuous pointing gestures";
license = lib.licenses.gpl2;
maintainers = [ lib.maintainers.Profpatsch ];
platforms = lib.platforms.all;
};
}

View File

@ -2,18 +2,16 @@
bitwig-studio1.overrideAttrs (oldAttrs: rec {
name = "bitwig-studio-${version}";
version = "3.1.1";
version = "3.1.2";
src = fetchurl {
url = "https://downloads.bitwig.com/stable/${version}/bitwig-studio-${version}.deb";
sha256 = "1mgyyl1mr8hmzn3qdmg77km6sk58hyd0gsqr9jksh0a8p6hj24pk";
sha256 = "07djn52lz43ls6fa4k1ncz3m1nc5zv2j93hwyavnr66r0hlqy7l9";
};
buildInputs = oldAttrs.buildInputs ++ [ xorg.libXtst ];
runtimeDependencies = [
pulseaudio
];
runtimeDependencies = [ pulseaudio ];
installPhase = ''
${oldAttrs.installPhase}

View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "BShapr";
version = "0.6";
version = "0.7";
src = fetchFromGitHub {
owner = "sjaehn";
repo = pname;
rev = "v${version}";
sha256 = "0mi8f0svq1h9cmmxyskcazr5x2q4dls3j9jc6ahi5rlk7i0bpa74";
sha256 = "1422xay28jkmqlj5y4vhb57kljy6ysvxh20cxpfxm980m8n54gq5";
};
nativeBuildInputs = [ pkgconfig ];

View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "BSlizr";
version = "1.2.2";
version = "1.2.4";
src = fetchFromGitHub {
owner = "sjaehn";
repo = pname;
rev = "${version}";
sha256 = "0q92ygz17iiriwzqylmaxd5ml2bhqy3n6c3f7g71n4hn9z3bl3s1";
sha256 = "0gyczxhd1jch7lwz3y1nrbpc0dycw9cc5i144rpif6b9gd2y1h1j";
};
nativeBuildInputs = [ pkgconfig ];

View File

@ -9,13 +9,13 @@ let
else "linux";
in stdenv.mkDerivation rec {
pname = "distrho-ports";
version = "2018-04-16";
version = "unstable-2019-10-09";
src = fetchFromGitHub {
owner = "DISTRHO";
repo = "DISTRHO-Ports";
rev = version;
sha256 = "0l4zwl4mli8jzch32a1fh7c88r9q17xnkxsdw17ds5hadnxlk12v";
rev = "7e62235e809e59770d0d91d2c48c3f50ce7c027a";
sha256 = "10hpsjcmk0cgcsic9r1wxyja9x6q9wb8w8254dlrnzyswl54r1f8";
};
configurePhase = ''

View File

@ -15,11 +15,11 @@
stdenv.mkDerivation rec {
pname = "ecasound";
version = "2.9.2";
version = "2.9.3";
src = fetchurl {
url = "https://ecasound.seul.org/download/ecasound-${version}.tar.gz";
sha256 = "15rcs28fq2wfvfs66p5na7adq88b55qszbhshpizgdbyqzgr2jf1";
sha256 = "1m7njfjdb7sqf0lhgc4swihgdr4snkg8v02wcly08wb5ar2fr2s6";
};
buildInputs = [ alsaLib audiofile libjack2 liblo liboil libsamplerate libsndfile lilv lv2 ];

View File

@ -5,13 +5,13 @@
stdenv.mkDerivation rec {
pname = "giada";
version = "0.16.0";
version = "0.16.1";
src = fetchFromGitHub {
owner = "monocasual";
repo = pname;
rev = "v${version}";
sha256 = "1lbxqa4kwzjdd79whrjgh8li453z4ckkjx4s4qzmrv7aqa2xmfsf";
sha256 = "0b3lhjs6myml5r5saky15523sbc3qr43r9rh047vhsiafmqdvfq1";
};
configureFlags = [ "--target=linux" ];

View File

@ -12,11 +12,11 @@ in
stdenv.mkDerivation rec {
pname = "guitarix";
version = "0.38.1";
version = "0.39.0";
src = fetchurl {
url = "mirror://sourceforge/guitarix/guitarix2-${version}.tar.xz";
sha256 = "0bw7xnrx062nwb1bfj9x660h7069ncmz77szcs8icpqxrvhs7z80";
sha256 = "1nn80m1qagfhvv69za60f0w6ck87vmk77qmqarj7fbr8avwg63s9";
};
nativeBuildInputs = [ gettext intltool wrapGAppsHook pkgconfig python2 wafHook ];

View File

@ -1,23 +1,24 @@
{ stdenv, fetchgit, boost, ganv, glibmm, gtkmm2, libjack2, lilv
, lv2Unstable, makeWrapper, pkgconfig, python, raul, rdflib, serd, sord, sratom
, lv2, makeWrapper, pkgconfig, python, raul, rdflib, serd, sord, sratom
, wafHook
, suil
}:
stdenv.mkDerivation rec {
name = "ingen-unstable-${rev}";
rev = "2017-07-22";
pname = "ingen";
version = "unstable-2019-12-09";
name = "${pname}-${version}";
src = fetchgit {
url = "https://git.drobilla.net/cgit.cgi/ingen.git";
rev = "cc4a4db33f4d126a07a4a498e053c5fb9a883be3";
sha256 = "1gmwmml486r9zq4w65v91mfaz36af9zzyjkmi74m8qmh67ffqn3w";
url = "https://gitlab.com/drobilla/ingen.git";
rev = "e32f32a360f2bf8f017ea347b6d1e568c0beaf68";
sha256 = "0wjn2i3j7jb0bmxymg079xpk4iplb91q0xqqnvnpvyldrr7gawlb";
deepClone = true;
};
nativeBuildInputs = [ pkgconfig wafHook ];
buildInputs = [
boost ganv glibmm gtkmm2 libjack2 lilv lv2Unstable makeWrapper
boost ganv glibmm gtkmm2 libjack2 lilv lv2 makeWrapper
python raul serd sord sratom suil
];
@ -38,7 +39,7 @@ stdenv.mkDerivation rec {
meta = with stdenv.lib; {
description = "A modular audio processing system using JACK and LV2 or LADSPA plugins";
homepage = http://drobilla.net/software/ingen;
license = licenses.gpl3;
license = licenses.agpl3Plus;
maintainers = [ maintainers.goibhniu ];
platforms = platforms.linux;
};

View File

@ -1,18 +1,18 @@
{ stdenv, fetchurl, gtk2, libjack2, lilv, lv2, pkgconfig, python
{ stdenv, fetchurl, gtk3, libjack2, lilv, lv2, pkgconfig, python
, serd, sord , sratom, suil, wafHook }:
stdenv.mkDerivation rec {
pname = "jalv";
version = "1.6.2";
version = "1.6.4";
src = fetchurl {
url = "https://download.drobilla.net/${pname}-${version}.tar.bz2";
sha256 = "13al2hb9s3m7jgbg051x704bmzmcg4wb56cfh8z588kiyh0mxpaa";
sha256 = "1wwfn7yzbs37s2rdlfjgks63svd5g14yyzd2gdl7h0z12qncwsy2";
};
nativeBuildInputs = [ pkgconfig wafHook ];
buildInputs = [
gtk2 libjack2 lilv lv2 python serd sord sratom suil
gtk3 libjack2 lilv lv2 python serd sord sratom suil
];
meta = with stdenv.lib; {

View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "noise-repellent";
version = "unstable-2018-12-29";
version = "0.1.5";
src = fetchFromGitHub {
owner = "lucianodato";
repo = pname;
rev = "9efdd0b41ec184a792087c87cbf5382f455e33ec";
sha256 = "0pn9cxapfvb5l62q86bchyfll1290vi0rhrzarb1jpc4ix7kz53c";
rev = version;
sha256 = "0hb89x9i2knzan46q4nwscf5zmnb2nwf4w13xl2c0y1mx1ls1mwl";
fetchSubmodules = true;
};

View File

@ -29,11 +29,11 @@
# handle that.
mkDerivation rec {
name = "qmmp-1.3.5";
name = "qmmp-1.3.6";
src = fetchurl {
url = "http://qmmp.ylsoftware.com/files/${name}.tar.bz2";
sha256 = "0h7kcqzhfvk610937pwrhizcdgd4n7ncl1vayv6sj3va1x7pv6xm";
sha256 = "0dihy6v6j1cfx4qgwgajdn8rx6nf8x5srk8yjki9xh1mlcaanhp8";
};
nativeBuildInputs = [ cmake pkgconfig ];

View File

@ -2,16 +2,16 @@
python3Packages.buildPythonApplication rec {
pname = "rofi-mpd";
version = "1.1.0";
version = "2.0.1";
src = fetchFromGitHub {
owner = "JakeStanger";
repo = "Rofi_MPD";
rev = "v${version}";
sha256 = "0pdra1idgas3yl9z9v7b002igwg2c1mv0yw2ffb8rsbx88x4gbai";
sha256 = "12zzx0m2nwyzxzzqgzq30a27k015kcw4ylvs7cyalf5gf6sg27kl";
};
propagatedBuildInputs = with python3Packages; [ mutagen mpd2 ];
propagatedBuildInputs = with python3Packages; [ mutagen mpd2 toml appdirs ];
# upstream doesn't contain a test suite
doCheck = false;

View File

@ -1,14 +1,14 @@
{ stdenv, fetchurl, cmake, makedepend, perl, pkgconfig, qttools, wrapQtAppsHook
, dssi, fftwSinglePrec, ladspaH, ladspaPlugins, libjack2
, dssi, fftwSinglePrec, ladspaH, ladspaPlugins, libjack2, alsaLib
, liblo, liblrdf, libsamplerate, libsndfile, lirc ? null, qtbase }:
stdenv.mkDerivation (rec {
version = "19.06";
version = "19.12";
pname = "rosegarden";
src = fetchurl {
url = "mirror://sourceforge/rosegarden/${pname}-${version}.tar.bz2";
sha256 = "169qb58v2s8va59hzkih8nqb2aipsqlrbfs8q39ywqa8w5d60gcc";
sha256 = "1qcaxc6hdzva7kwxxhgl95437fagjbxzv4mihsgpr7y9qk08ppw1";
};
patchPhase = ''
@ -30,6 +30,7 @@ stdenv.mkDerivation (rec {
libsndfile
lirc
qtbase
alsaLib
];
enableParallelBuilding = true;

View File

@ -0,0 +1,32 @@
{ stdenv, fetchFromGitHub , cmake, libjack2, libsndfile }:
stdenv.mkDerivation rec {
pname = "sfizz";
version = "unstable-2020-01-24";
src = fetchFromGitHub {
owner = "sfztools";
repo = pname;
rev = "b9c332777853cb35faeeda2ff4bf34ea7121ffb9";
sha256 = "0wzgwpcwal5a7ifrm1hx8y6vx832qixk9ilp8wkjnsdxj6i88p2c";
fetchSubmodules = true;
};
nativeBuildInputs = [ cmake ];
buildInputs = [ libjack2 libsndfile ];
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
"-DSFIZZ_TESTS=ON"
];
meta = with stdenv.lib; {
homepage = "https://github.com/sfztools/sfizz";
description = "SFZ jack client and LV2 plugin";
license = licenses.bsd2;
maintainers = [ maintainers.magnetophon ];
platforms = platforms.all;
badPlatforms = platforms.darwin;
};
}

Some files were not shown because too many files have changed in this diff Show More