JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into improved-make-overridable

Browse Source
This commit is contained in:
Will Fancher 2017-09-12 17:30:35 -04:00
commit dbd5009376
1921 changed files with 38401 additions and 26547 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
.github/CODEOWNERS vendored
View File

@ -7,17 +7,43 @@
# For documentation on this file, see https://help.github.com/articles/about-codeowners/
# Mentioned users will get code review requests.
# Python-related code and docs
pkgs/top-level/python-packages.nix @FRidh
pkgs/development/interpreters/python/* @FRidh
pkgs/development/python-modules/* @FRidh
doc/languages-frameworks/python.md @FRidh
# This file
.github/CODEOWNERS @edolstra
# Boostraping and core infra
pkgs/stdenv/ @Ericson2314
pkgs/build-support/cc-wrapper/ @Ericson2314
pkgs/stdenv/ @edolstra
pkgs/build-support/cc-wrapper/ @edolstra
# Libraries
lib/ @edolstra
# Python-related code and docs
pkgs/top-level/python-packages.nix @FRidh
pkgs/development/interpreters/python/* @FRidh
pkgs/development/python-modules/* @FRidh
doc/languages-frameworks/python.md @FRidh
# Haskell
pkgs/development/compilers/ghc @peti
pkgs/development/haskell-modules @peti
pkgs/development/haskell-modules/default.nix @Profpatsch @peti
pkgs/development/haskell-modules/generic-builder.nix @Profpatsch @peti
pkgs/development/haskell-modules/hoogle.nix @Profpatsch @peti
# R
pkgs/applications/science/math/R @peti
pkgs/development/r-modules @peti
# Darwin-related
pkgs/stdenv/darwin/* @copumpkin @LnL7
pkgs/os-specific/darwin/* @LnL7
pkgs/os-specific/darwin/apple-source-releases/* @copumpkin
pkgs/stdenv/darwin/* @copumpkin @LnL7
pkgs/os-specific/darwin/* @LnL7
pkgs/os-specific/darwin/apple-source-releases/* @copumpkin
# Beam-related (Erlang, Elixir, LFE, etc)
pkgs/development/beam-modules/* @gleber
pkgs/development/interpreters/erlang/* @gleber
pkgs/development/interpreters/lfe/* @gleber
pkgs/development/interpreters/elixir/* @gleber
pkgs/development/tools/build-managers/rebar/* @gleber
pkgs/development/tools/build-managers/rebar3/* @gleber
pkgs/development/tools/erlang/* @gleber

2
.github/CONTRIBUTING.md vendored
View File

@ -23,7 +23,7 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
Examples:
* nginx: init at 2.0.1
* firefox: 3.0 -> 3.1.1
* firefox: 54.0.1 -> 55.0
* nixos/hydra: add bazBaz option
Dual baz behavior is needed to do foo.

5
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@ -5,10 +5,7 @@
<!-- Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers. -->
- [ ] Tested using sandboxing
([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS,
or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
on non-NixOS)
- [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS)
- Built on platform(s)
- [ ] NixOS
- [ ] macOS

2
.version
View File

@ -1 +1 @@
17.09
18.03

12
doc/coding-conventions.xml
View File

@ -254,7 +254,7 @@ bound to the variable name <varname>e2fsprogs</varname> in
dash) — e.g., <literal>"hello-0.3.1rc2"</literal>.</para></listitem>
<listitem><para>If a package is not a release but a commit from a repository, then
the version part of the name <emphasis>must</emphasis> be the date of that
the version part of the name <emphasis>must</emphasis> be the date of that
(fetched) commit. The date must be in <literal>"YYYY-MM-DD"</literal> format.
Also append <literal>"unstable"</literal> to the name - e.g.,
<literal>"pkgname-unstable-2014-09-23"</literal>.</para></listitem>
@ -365,7 +365,7 @@ splitting up an existing category.</para>
<varlistentry>
<term>If its a (set of) <emphasis>tool(s)</emphasis>:</term>
<listitem>
<para>(A tool is a relatively small program, especially one intented
<para>(A tool is a relatively small program, especially one intended
to be used non-interactively.)</para>
<variablelist>
<varlistentry>
@ -456,7 +456,7 @@ splitting up an existing category.</para>
<varlistentry>
<term>If its a <emphasis>window manager</emphasis>:</term>
<listitem>
<para><filename>applications/window-managers</filename> (e.g. <filename>awesome</filename>, <filename>compiz</filename>, <filename>stumpwm</filename>)</para>
<para><filename>applications/window-managers</filename> (e.g. <filename>awesome</filename>, <filename>stumpwm</filename>)</para>
</listitem>
</varlistentry>
<varlistentry>
@ -608,7 +608,7 @@ evaluate correctly.</para>
</section>
<section xml:id="sec-sources"><title>Fetching Sources</title>
<para>There are multiple ways to fetch a package source in nixpkgs. The
general guidline is that you should package sources with a high degree of
general guideline is that you should package sources with a high degree of
availability. Right now there is only one fetcher which has mirroring
support and that is <literal>fetchurl</literal>. Note that you should also
prefer protocols which have a corresponding proxy environment variable.
@ -661,9 +661,9 @@ src = fetchFromGitHub {
</section>
<section xml:id="sec-patches"><title>Patches</title>
<para>Only patches that are unique to <literal>nixpkgs</literal> should be
<para>Only patches that are unique to <literal>nixpkgs</literal> should be
included in <literal>nixpkgs</literal> source.</para>
<para>Patches available online should be retrieved using
<para>Patches available online should be retrieved using
<literal>fetchpatch</literal>.</para>
<para>
<programlisting>

61
doc/languages-frameworks/haskell.md
View File

@ -867,6 +867,67 @@ use the following to get the `scientific` package build with `integer-simple`:
nix-build -A haskell.packages.integer-simple.ghc802.scientific
```
### Quality assurance
The `haskell.lib` library includes a number of functions for checking for
various imperfections in Haskell packages. It's useful to apply these functions
to your own Haskell packages and integrate that in a Continuous Integration
server like [hydra](https://nixos.org/hydra/) to assure your packages maintain a
minimum level of quality. This section discusses some of these functions.
#### failOnAllWarnings
Applying `haskell.lib.failOnAllWarnings` to a Haskell package enables the
`-Wall` and `-Werror` GHC options to turn all warnings into build failures.
#### buildStrictly
Applying `haskell.lib.buildStrictly` to a Haskell package calls
`failOnAllWarnings` on the given package to turn all warnings into build
failures. Additionally the source of your package is gotten from first invoking
`cabal sdist` to ensure all needed files are listed in the Cabal file.
#### checkUnusedPackages
Applying `haskell.lib.checkUnusedPackages` to a Haskell package invokes
the [packunused](http://hackage.haskell.org/package/packunused) tool on the
package. `packunused` complains when it finds packages listed as build-depends
in the Cabal file which are redundant. For example:
```
$ nix-build -E 'let pkgs = import <nixpkgs> {}; in pkgs.haskell.lib.checkUnusedPackages {} pkgs.haskellPackages.scientific'
these derivations will be built:
/nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv
...
detected package components
~~~~~~~~~~~~~~~~~~~~~~~~~~~
- library
- testsuite(s): test-scientific
- benchmark(s): bench-scientific*
(component names suffixed with '*' are not configured to be built)
library
~~~~~~~
The following package dependencies seem redundant:
- ghc-prim-0.5.0.0
testsuite(test-scientific)
~~~~~~~~~~~~~~~~~~~~~~~~~~
no redundant packages dependencies found
builder for /nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv failed with exit code 1
error: build of /nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv failed
```
As you can see, `packunused` finds out that although the testsuite component has
no redundant dependencies the library component of `scientific-0.3.5.1` depends
on `ghc-prim` which is unused in the library.
## Other resources
- The Youtube video [Nix Loves Haskell](https://www.youtube.com/watch?v=BsBhi_r-OeE)

22
doc/languages-frameworks/python.md
View File

@ -590,7 +590,7 @@ By default tests are run because `doCheck = true`. Test dependencies, like
e.g. the test runner, should be added to `buildInputs`.
By default `meta.platforms` is set to the same value
as the interpreter unless overriden otherwise.
as the interpreter unless overridden otherwise.
##### `buildPythonPackage` parameters
@ -774,6 +774,21 @@ The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
Both are also exported in `nix-shell`.
### Automatic tests
It is recommended to test packages as part of the build process.
Source distributions (`sdist`) often include test files, but not always.
By default the command `python setup.py test` is run as part of the
`checkPhase`, but often it is necessary to pass a custom `checkPhase`. An
example of such a situation is when `py.test` is used.
#### Common issues
- Non-working tests can often be deselected. In the case of `py.test`: `py.test -k 'not function_name and not other_function'`.
- Unicode issues can typically be fixed by including `glibcLocales` in `buildInputs` and exporting `LC_ALL=en_US.utf-8`.
- Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
## FAQ
### How to solve circular dependencies?
@ -985,8 +1000,9 @@ rec {
Following rules are desired to be respected:
* Python libraries are supposed to be called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
* Python libraries are called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
* Python applications live outside of `python-packages.nix` and are packaged with `buildPythonApplication`.
* Make sure libraries build for all Python interpreters.
* By default we enable tests. Make sure the tests are found and, in the case of libraries, are passing for all interpreters. If certain tests fail they can be disabled individually. Try to avoid disabling the tests altogether. In any case, when you disable tests, leave a comment explaining why.
* Commit names of Python libraries should include `pythonPackages`, for example `pythonPackages.numpy: 1.11 -> 1.12`.
* Commit names of Python libraries should reflect that they are Python libraries, so write for example `pythonPackages.numpy: 1.11 -> 1.12`.

2
doc/languages-frameworks/rust.md
View File

@ -17,7 +17,7 @@ into the `environment.systemPackages` or bring them into scope with
`nix-shell -p rustStable.rustc -p rustStable.cargo`.
There are also `rustBeta` and `rustNightly` package sets available.
These are not updated very regulary. For daily builds use either rustup from
These are not updated very regularly. For daily builds use either rustup from
nixpkgs or use the [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
## Packaging Rust applications

58
doc/package-notes.xml
View File

@ -101,7 +101,7 @@ modulesTree = [kernel]
$ nix-env -i ncurses
$ export NIX_CFLAGS_LINK=-lncurses
$ make menuconfig ARCH=<replaceable>arch</replaceable></screen>
</para>
</listitem>
@ -111,9 +111,9 @@ $ make menuconfig ARCH=<replaceable>arch</replaceable></screen>
</listitem>
</orderedlist>
</para>
</listitem>
<listitem>
@ -409,24 +409,24 @@ it. Place the resulting <filename>package.nix</filename> file into
<title>Steam in Nix</title>
<para>
Steam is distributed as a <filename>.deb</filename> file, for now only
as an i686 package (the amd64 package only has documentation).
When unpacked, it has a script called <filename>steam</filename> that
Steam is distributed as a <filename>.deb</filename> file, for now only
as an i686 package (the amd64 package only has documentation).
When unpacked, it has a script called <filename>steam</filename> that
in ubuntu (their target distro) would go to <filename>/usr/bin
</filename>. When run for the first time, this script copies some
files to the user's home, which include another script that is the
ultimate responsible for launching the steam binary, which is also
</filename>. When run for the first time, this script copies some
files to the user's home, which include another script that is the
ultimate responsible for launching the steam binary, which is also
in $HOME.
</para>
<para>
Nix problems and constraints:
<itemizedlist>
<listitem><para>We don't have <filename>/bin/bash</filename> and many
<listitem><para>We don't have <filename>/bin/bash</filename> and many
scripts point there. Similarly for <filename>/usr/bin/python</filename>
.</para></listitem>
<listitem><para>We don't have the dynamic loader in <filename>/lib
</filename>.</para></listitem>
<listitem><para>The <filename>steam.sh</filename> script in $HOME can
<listitem><para>The <filename>steam.sh</filename> script in $HOME can
not be patched, as it is checked and rewritten by steam.</para></listitem>
<listitem><para>The steam binary cannot be patched, it's also checked.</para></listitem>
</itemizedlist>
@ -446,10 +446,10 @@ it. Place the resulting <filename>package.nix</filename> file into
<title>How to play</title>
<para>
For 64-bit systems it's important to have
<programlisting>hardware.opengl.driSupport32Bit = true;</programlisting>
in your <filename>/etc/nixos/configuration.nix</filename>. You'll also need
<programlisting>hardware.pulseaudio.support32Bit = true;</programlisting>
For 64-bit systems it's important to have
<programlisting>hardware.opengl.driSupport32Bit = true;</programlisting>
in your <filename>/etc/nixos/configuration.nix</filename>. You'll also need
<programlisting>hardware.pulseaudio.support32Bit = true;</programlisting>
if you are using PulseAudio - this will enable 32bit ALSA apps integration.
To use the Steam controller, you need to add
<programlisting>services.udev.extraRules = ''
@ -470,23 +470,31 @@ it. Place the resulting <filename>package.nix</filename> file into
<varlistentry>
<term>Steam fails to start. What do I do?</term>
<listitem><para>Try to run
<listitem><para>Try to run
<programlisting>strace steam</programlisting>
to see what is causing steam to fail.</para></listitem>
</varlistentry>
<varlistentry>
<term>Using the FOSS Radeon drivers</term>
<term>Using the FOSS Radeon or nouveau (nvidia) drivers</term>
<listitem><itemizedlist><listitem><para>
The open source radeon drivers need a newer libc++ than is provided
by the default runtime, which leads to a crash on launch. Use
<programlisting>environment.systemPackages = [(pkgs.steam.override { newStdcpp = true; })];</programlisting>
in your config if you get an error like
Both the open source radeon drivers as well as the nouveau drivers (nvidia)
need a newer libc++ than is provided by the default runtime, which leads to a
crash on launch. Use <programlisting>environment.systemPackages =
[(pkgs.steam.override { newStdcpp = true; })];</programlisting> in your config
if you get an error like
<programlisting>
libGL error: unable to load driver: radeonsi_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast</programlisting>
or
<programlisting>
libGL error: unable to load driver: nouveau_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: nouveau
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast</programlisting></para></listitem>
<listitem><para>
Steam ships statically linked with a version of libcrypto that
@ -504,7 +512,7 @@ libGL error: failed to load driver: swrast</programlisting></para></listitem>
<listitem><para>
There is no java in steam chrootenv by default. If you get a message like
<programlisting>/home/foo/.local/share/Steam/SteamApps/common/towns/towns.sh: line 1: java: command not found</programlisting>
You need to add
You need to add
<programlisting> steam.override { withJava = true; };</programlisting>
to your configuration.
</para></listitem>
@ -519,14 +527,14 @@ libGL error: failed to load driver: swrast</programlisting></para></listitem>
<title>steam-run</title>
<para>
The FHS-compatible chroot used for steam can also be used to run
The FHS-compatible chroot used for steam can also be used to run
other linux games that expect a FHS environment.
To do it, add
To do it, add
<programlisting>pkgs.(steam.override {
nativeOnly = true;
newStdcpp = true;
}).run</programlisting>
to your configuration, rebuild, and run the game with
to your configuration, rebuild, and run the game with
<programlisting>steam-run ./foo</programlisting>
</para>

129
doc/submitting-changes.xml
View File

@ -78,7 +78,7 @@ Additional information.
<listitem>
<para>
<command>firefox: 3.0 -> 3.1.1</command>
<command>firefox: 54.0.1 -> 55.0</command>
</para>
</listitem>
@ -223,6 +223,133 @@ Additional information.
</itemizedlist>
</section>
<section>
<title>Pull Request Template</title>
<para>
The pull request template helps determine what steps have been made for a
contribution so far, and will help guide maintainers on the status of a
change. The motivation section of the PR should include any extra details
the title does not address and link any existing issues related to the pull
request.
</para>
<para>When a PR is created, it will be pre-populated with some checkboxes detailed below:
</para>
<section>
<title>Tested using sandboxing</title>
<para>
When sandbox builds are enabled, Nix will setup an isolated environment
for each build process. It is used to remove further hidden dependencies
set by the build environment to improve reproducibility. This includes
access to the network during the build outside of
<function>fetch*</function> functions and files outside the Nix store.
Depending on the operating system access to other resources are blocked
as well (ex. inter process communication is isolated on Linux); see <link
xlink:href="https://nixos.org/nix/manual/#description-45">build-use-sandbox</link>
in Nix manual for details.
</para>
<para>
Sandboxing is not enabled by default in Nix due to a small performance
hit on each build. In pull requests for <link
xlink:href="https://github.com/NixOS/nixpkgs/">nixpkgs</link> people
are asked to test builds with sandboxing enabled (see <literal>Tested
using sandboxing</literal> in the pull request template) because
in<link
xlink:href="https://nixos.org/hydra/">https://nixos.org/hydra/</link>
sandboxing is also used.
</para>
<para>
Depending if you use NixOS or other platforms you can use one of the
following methods to enable sandboxing <emphasis role="bold">before</emphasis> building the package:
<itemizedlist>
<listitem>
<para>
<emphasis role="bold">Globally enable sandboxing on NixOS</emphasis>:
add the following to
<filename>configuration.nix</filename>
<screen>nix.useSandbox = true;</screen>
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Globally enable sandboxing on non-NixOS platforms</emphasis>:
add the following to: <filename>/etc/nix/nix.conf</filename>
<screen>build-use-sandbox = true</screen>
</para>
</listitem>
</itemizedlist>
</para>
</section>
<section>
<title>Built on platform(s)</title>
<para>
Many Nix packages are designed to run on multiple
platforms. As such, it's important to let the maintainer know which
platforms your changes have been tested on. It's not always practical to
test a change on all platforms, and is not required for a pull request to
be merged. Only check the systems you tested the build on in this
section.
</para>
</section>
<section>
<title>Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)</title>
<para>
Packages with automated tests are much more likely to be merged in a
timely fashion because it doesn't require as much manual testing by the
maintainer to verify the functionality of the package. If there are
existing tests for the package, they should be run to verify your changes
do not break the tests. Tests only apply to packages with NixOS modules
defined and can only be run on Linux. For more details on writing and
running tests, see the <link
xlink:href="https://nixos.org/nixos/manual/index.html#sec-nixos-tests">section
in the NixOS manual</link>.
</para>
</section>
<section>
<title>Tested compilation of all pkgs that depend on this change using <command>nox-review</command></title>
<para>
If you are updating a package's version, you can use nox to make sure all
packages that depend on the updated package still compile correctly. This
can be done using the nox utility. The <command>nox-review</command>
utility can look for and build all dependencies either based on
uncommited changes with the <literal>wip</literal> option or specifying a
github pull request number.
</para>
<para>
review uncommitted changes:
<screen>nix-shell -p nox --run nox-review wip</screen>
</para>
<para>
review changes from pull request number 12345:
<screen>nix-shell -p nox --run nox-review pr 12345</screen>
</para>
</section>
<section>
<title>Tested execution of all binary files (usually in <filename>./result/bin/</filename>)</title>
<para>
It's important to test any executables generated by a build when you
change or create a package in nixpkgs. This can be done by looking in
<filename>./result/bin</filename> and running any files in there, or at a
minimum, the main executable for the package. For example, if you make a change
to <package>texlive</package>, you probably would only check the binaries
associated with the change you made rather than testing all of them.
</para>
</section>
<section>
<title>Meets nixpkgs contribution standards</title>
<para>
The last checkbox is fits <link
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md">CONTRIBUTING.md</link>.
The contributing document has detailed information on standards the Nix
community has for commit messages, reviews, licensing of contributions
you make to the project, etc... Everyone should read and understand the
standards the community has for contributing before submitting a pull
request.
</para>
</section>
</section>
<section>
<title>Hotfixing pull requests</title>

4
lib/licenses.nix
View File

@ -198,7 +198,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
eupl11 = spdx {
spdxId = "EUPL-1.1";
fullname = "European Union Public License 1.1";
fullName = "European Union Public License 1.1";
};
fdl12 = spdx {
@ -363,7 +363,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
};
miros = {
fullname = "MirOS License";
fullName = "MirOS License";
url = https://opensource.org/licenses/MirOS;
};

7
lib/maintainers.nix
View File

@ -97,6 +97,7 @@
canndrew = "Andrew Cann <shum@canndrew.org>";
carlsverre = "Carl Sverre <accounts@carlsverre.com>";
casey = "Casey Rodarmor <casey@rodarmor.net>";
caugner = "Claas Augner <nixos@caugner.de>";
cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
changlinli = "Changlin Li <mail@changlinli.com>";
@ -112,6 +113,7 @@
cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
cmfwyp = "cmfwyp <cmfwyp@riseup.net>";
cobbal = "Andrew Cobb <andrew.cobb@gmail.com>";
coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
codsl = "codsl <codsl@riseup.net>";
codyopel = "Cody Opel <codyopel@gmail.com>";
@ -210,6 +212,7 @@
fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
fuzzy-id = "Thomas Bach <hacking+nixos@babibo.de>";
fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
gabesoft = "Gabriel Adomnicai <gabesoft@gmail.com>";
gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
garbas = "Rok Garbas <rok@garbas.si>";
garrison = "Jim Garrison <jim@garrison.cc>";
@ -250,6 +253,7 @@
igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
infinisil = "Silvan Mosberger <infinisil@icloud.com>";
ironpinguin = "Michele Catalano <michele@catalano.de>";
ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
@ -546,6 +550,7 @@
smironov = "Sergey Mironov <grrwlf@gmail.com>";
snyh = "Xia Bin <snyh@snyh.org>";
solson = "Scott Olson <scott@solson.me>";
sorpaas = "Wei Tang <hi@that.world>";
spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
@ -570,7 +575,9 @@
taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
tari = "Peter Marheine <peter@taricorp.net>";
tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
ltavard = "Laure Tavard <laure.tavard@univ-grenoble-alpes.fr>";
teh = "Tom Hunger <tehunger@gmail.com>";
teto = "Matthieu Coudron <mcoudron@hotmail.com>";
telotortium = "Robert Irelan <rirelan@gmail.com>";
thall = "Niclas Thall <niclas.thall@gmail.com>";
thammers = "Tobias Hammerschmidt <jawr@gmx.de>";

5
lib/sources.nix
View File

@ -15,8 +15,11 @@ rec {
cleanSourceFilter = name: type: let baseName = baseNameOf (toString name); in ! (
# Filter out Subversion and CVS directories.
(type == "directory" && (baseName == ".git" || baseName == ".svn" || baseName == "CVS" || baseName == ".hg")) ||
# Filter out backup files.
# Filter out editor backup / swap files.
lib.hasSuffix "~" baseName ||
builtins.match "^\\.sw[a-z]$" baseName != null ||
builtins.match "^\\..*\\.sw[a-z]$" baseName != null ||
# Filter out generates files.
lib.hasSuffix ".o" baseName ||
lib.hasSuffix ".so" baseName ||

2
lib/systems/doubles.nix
View File

@ -26,7 +26,7 @@ in rec {
allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
none = [];
arm = filterDoubles predicates.isArm32;
arm = filterDoubles predicates.isArm;
i686 = filterDoubles predicates.isi686;
mips = filterDoubles predicates.isMips;
x86_64 = filterDoubles predicates.isx86_64;

4
lib/systems/inspect.nix
View File

@ -11,6 +11,7 @@ rec {
PowerPC = { cpu = cpuTypes.powerpc; };
x86 = { cpu = { family = "x86"; }; };
Arm = { cpu = { family = "arm"; }; };
Aarch64 = { cpu = { family = "aarch64"; }; };
Mips = { cpu = { family = "mips"; }; };
BigEndian = { cpu = { significantByte = significantBytes.bigEndian; }; };
LittleEndian = { cpu = { significantByte = significantBytes.littleEndian; }; };
@ -28,9 +29,6 @@ rec {
Windows = { kernel = kernels.windows; };
Cygwin = { kernel = kernels.windows; abi = abis.cygnus; };
MinGW = { kernel = kernels.windows; abi = abis.gnu; };
Arm32 = recursiveUpdate Arm patterns."32bit";
Arm64 = recursiveUpdate Arm patterns."64bit";
};
matchAnyAttrs = patterns:

2
lib/systems/parse.nix
View File

@ -40,7 +40,7 @@ rec {
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7a = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7l = { bits = 32; significantByte = littleEndian; family = "arm"; };
aarch64 = { bits = 64; significantByte = littleEndian; family = "arm"; };
aarch64 = { bits = 64; significantByte = littleEndian; family = "aarch64"; };
i686 = { bits = 32; significantByte = littleEndian; family = "x86"; };
x86_64 = { bits = 64; significantByte = littleEndian; family = "x86"; };
mips64el = { bits = 32; significantByte = littleEndian; family = "mips"; };

10
lib/trivial.nix
View File

@ -70,6 +70,16 @@ rec {
min = x: y: if x < y then x else y;
max = x: y: if x > y then x else y;
/* Integer modulus
Example:
mod 11 10
=> 1
mod 1 10
=> 1
*/
mod = base: int: base - (int * (builtins.div base int));
/* Reads a JSON file. */
importJSON = path:
builtins.fromJSON (builtins.readFile path);

27
maintainers/scripts/hydra-eval-failures.py
View File

@ -31,18 +31,21 @@ EVAL_FILE = {
def get_maintainers(attr_name):
nixname = attr_name.split('.')
meta_json = subprocess.check_output([
'nix-instantiate',
'--eval',
'--strict',
'-A',
'.'.join(nixname[1:]) + '.meta',
EVAL_FILE[nixname[0]],
'--json'])
meta = json.loads(meta_json)
if meta.get('maintainers'):
return [MAINTAINERS[name] for name in meta['maintainers'] if MAINTAINERS.get(name)]
try:
nixname = attr_name.split('.')
meta_json = subprocess.check_output([
'nix-instantiate',
'--eval',
'--strict',
'-A',
'.'.join(nixname[1:]) + '.meta',
EVAL_FILE[nixname[0]],
'--json'])
meta = json.loads(meta_json)
if meta.get('maintainers'):
return [MAINTAINERS[name] for name in meta['maintainers'] if MAINTAINERS.get(name)]
except:
return []
@click.command()

2
nixos/doc/manual/administration/declarative-containers.xml
View File

@ -16,7 +16,7 @@ containers.database =
{ config =
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql92;
services.postgresql.package = pkgs.postgresql96;
};
};
</programlisting>

3
nixos/doc/manual/configuration/summary.xml
View File

@ -113,7 +113,8 @@ manual</link> for the rest.</para>
</row>
<row>
<entry><literal>assert 1 + 1 == 2; "yes!"</literal></entry>
<entry>Assertion check (evaluates to <literal>"yes!"</literal>)</entry>
<entry>Assertion check (evaluates to <literal>"yes!"</literal>). See <xref
linkend="sec-assertions"/> for using assertions in modules</entry>
</row>
<row>
<entry><literal>let x = "foo"; y = "bar"; in x + y</literal></entry>

80
nixos/doc/manual/development/assertions.xml Normal file
View File

@ -0,0 +1,80 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-assertions">
<title>Warnings and Assertions</title>
<para>
When configuration problems are detectable in a module, it is a good
idea to write an assertion or warning. Doing so provides clear
feedback to the user and prevents errors after the build.
</para>
<para>
Although Nix has the <literal>abort</literal> and
<literal>builtins.trace</literal> <link xlink:href="https://nixos.org/nix/manual/#ssec-builtins">functions</link> to perform such tasks,
they are not ideally suited for NixOS modules. Instead of these
functions, you can declare your warnings and assertions using the
NixOS module system.
</para>
<section>
<title>Warnings</title>
<para>
This is an example of using <literal>warnings</literal>.
</para>
<programlisting>
<![CDATA[
{ config, lib, ... }:
{
config = lib.mkIf config.services.foo.enable {
warnings =
if config.services.foo.bar
then [ ''You have enabled the bar feature of the foo service.
This is known to cause some specific problems in certain situations.
'' ]
else [];
}
}
]]>
</programlisting>
</section>
<section>
<title>Assertions</title>
<para>
This example, extracted from the
<link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-17.09/nixos/modules/services/logging/syslogd.nix">
<literal>syslogd</literal> module
</link> shows how to use <literal>assertions</literal>. Since there
can only be one active syslog daemon at a time, an assertion is useful to
prevent such a broken system from being built.
</para>
<programlisting>
<![CDATA[
{ config, lib, ... }:
{
config = lib.mkIf config.services.syslogd.enable {
assertions =
[ { assertion = !config.services.rsyslogd.enable;
message = "rsyslogd conflicts with syslogd";
}
];
}
}
]]>
</programlisting>
</section>
</section>

4
nixos/doc/manual/development/option-declarations.xml
View File

@ -137,8 +137,8 @@ services.xserver.displayManager.enable = mkOption {
};</screen></example>
<example xml:id='ex-option-declaration-eot-backend-sddm'><title>Extending
<literal>services.foo.backend</literal> in the <literal>sddm</literal>
module</title>
<literal>services.xserver.displayManager.enable</literal> in the
<literal>sddm</literal> module</title>
<screen>
services.xserver.displayManager.enable = mkOption {
type = with types; nullOr (enum [ "sddm" ]);

60
nixos/doc/manual/development/option-types.xml
View File

@ -157,27 +157,26 @@
<section xml:id='section-option-types-submodule'><title>Submodule</title>
<para>Submodule is a very powerful type that defines a set of sub-options that
are handled like a separate module.
It is especially interesting when used with composed types like
<literal>attrsOf</literal> or <literal>listOf</literal>.</para>
<para><literal>submodule</literal> is a very powerful type that defines a set
of sub-options that are handled like a separate module.</para>
<para>The submodule type take a parameter <replaceable>o</replaceable>, that
should be a set, or a function returning a set with an
<literal>options</literal> key defining the sub-options.
The option set can be defined directly (<xref linkend='ex-submodule-direct'
/>) or as reference (<xref linkend='ex-submodule-reference' />).</para>
<para>It takes a parameter <replaceable>o</replaceable>, that should be a set,
or a function returning a set with an <literal>options</literal> key
defining the sub-options.
Submodule option definitions are type-checked accordingly to the
<literal>options</literal> declarations.
Of course, you can nest submodule option definitons for even higher
modularity.</para>
<para>Submodule option definitions are type-checked accordingly to the options
declarations. It is possible to declare submodule options inside a submodule
sub-options for even higher modularity.</para>
<para>The option set can be defined directly
(<xref linkend='ex-submodule-direct' />) or as reference
(<xref linkend='ex-submodule-reference' />).</para>
<example xml:id='ex-submodule-direct'><title>Directly defined submodule</title>
<screen>
options.mod = mkOption {
name = "mod";
description = "submodule example";
type = with types; listOf (submodule {
type = with types; submodule {
options = {
foo = mkOption {
type = int;
@ -186,10 +185,10 @@ options.mod = mkOption {
type = str;
};
};
});
};
};</screen></example>
<example xml:id='ex-submodule-reference'><title>Submodule defined as a
<example xml:id='ex-submodule-reference'><title>Submodule defined as a
reference</title>
<screen>
let
@ -206,16 +205,20 @@ let
in
options.mod = mkOption {
description = "submodule example";
type = with types; listOf (submodule modOptions);
type = with types; submodule modOptions;
};</screen></example>
<section><title>Composed with <literal>listOf</literal></title>
<para>When composed with <literal>listOf</literal>, submodule allows multiple
definitions of the submodule option set.</para>
<para>The <literal>submodule</literal> type is especially interesting when
used with composed types like <literal>attrsOf</literal> or
<literal>listOf</literal>.
When composed with <literal>listOf</literal>
(<xref linkend='ex-submodule-listof-declaration' />),
<literal>submodule</literal> allows multiple definitions of the submodule
option set (<xref linkend='ex-submodule-listof-definition' />).</para>
<example xml:id='ex-submodule-listof-declaration'><title>Declaration of a list
of submodules</title>
nof submodules</title>
<screen>
options.mod = mkOption {
description = "submodule example";
@ -239,13 +242,11 @@ config.mod = [
{ foo = 2; bar = "two"; }
];</screen></example>
</section>
<section><title>Composed with <literal>attrsOf</literal></title>
<para>When composed with <literal>attrsOf</literal>, submodule allows multiple
named definitions of the submodule option set.</para>
<para>When composed with <literal>attrsOf</literal>
(<xref linkend='ex-submodule-attrsof-declaration' />),
<literal>submodule</literal> allows multiple named definitions of the
submodule option set (<xref linkend='ex-submodule-attrsof-definition' />).
</para>
<example xml:id='ex-submodule-attrsof-declaration'><title>Declaration of
attribute sets of submodules</title>
@ -270,7 +271,6 @@ options.mod = mkOption {
config.mod.one = { foo = 1; bar = "one"; };
config.mod.two = { foo = 2; bar = "two"; };</screen></example>
</section>
</section>
<section><title>Extending types</title>

145
nixos/doc/manual/development/releases.xml
View File

@ -10,7 +10,7 @@
<title>Release process</title>
<para>
Going through an example of releasing NixOS 15.09:
Going through an example of releasing NixOS 17.09:
</para>
<section xml:id="one-month-before-the-beta">
@ -18,13 +18,13 @@
<itemizedlist spacing="compact">
<listitem>
<para>
Send an email to nix-dev mailinglist as a warning about upcoming beta "feature freeze" in a month.
Send an email to the nix-devel mailinglist as a warning about upcoming beta "feature freeze" in a month.
</para>
</listitem>
<listitem>
<para>
Discuss with Eelco Dolstra and the community (via IRC, ML) about what will reach the deadline.
Any issue or Pull Request targeting the release should have assigned milestone.
Any issue or Pull Request targeting the release should be included in the release milestone.
</para>
</listitem>
</itemizedlist>
@ -32,64 +32,6 @@
<section xml:id="at-beta-release-time">
<title>At beta release time</title>
<itemizedlist spacing="compact">
<listitem>
<para>
Rename <literal>rl-unstable.xml</literal> -&gt;
<literal>rl-1509.xml</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>git tag -a -m &quot;Release 15.09-beta&quot; 15.09-beta &amp;&amp; git push --tags</literal>
</para>
</listitem>
<listitem>
<para>
From the master branch run <literal>git checkout -B release-15.09</literal>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
Make sure channel is created at http://nixos.org/channels/.
</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches">
Lock the branch on github (so developers cant force push)
</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">bump
<literal>system.defaultChannel</literal> attribute in
<literal>nixos/modules/misc/version.nix</literal></link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">update
<literal>versionSuffix</literal> in
<literal>nixos/release.nix</literal></link>, use
<literal>git log --format=%an|wc -l</literal> to get commit
count
</para>
</listitem>
<listitem>
<para>
<literal>echo -n &quot;16.03&quot; &gt; .version</literal> in
master.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842">pick
a new name for unstable branch.</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/13559">Create
@ -99,26 +41,81 @@
</listitem>
<listitem>
<para>
Use https://lwn.net/Vulnerabilities/ and
<link xlink:href="https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&amp;q=vulnerabilities&amp;type=Issues">triage vulnerabilities in an issue</link>.
<literal>git tag -a -s -m &quot;Release 17.09-beta&quot; 17.09-beta &amp;&amp; git push --tags</literal>
</para>
</listitem>
<listitem>
<para>
Create two Hydra jobsets: release-15.09 and release-15.09-small with <literal>stableBranch</literal> set to false
From the master branch run <literal>git checkout -B release-17.09</literal>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
Make sure a channel is created at http://nixos.org/channels/.
</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches">
Let a GitHub nixpkgs admin lock the branch on github for you.
(so developers cant force push)
</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">
Bump the <literal>system.defaultChannel</literal> attribute in
<literal>nixos/modules/misc/version.nix</literal>
</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">
Update <literal>versionSuffix</literal> in
<literal>nixos/release.nix</literal></link>, use
<literal>git log --format=%an|wc -l</literal> to get the commit
count
</para>
</listitem>
<listitem>
<para>
<literal>echo -n &quot;18.03&quot; &gt; .version</literal> on
master.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842">
Pick a new name for the unstable branch.
</link>
</para>
</listitem>
<listitem>
<para>
Create a new release notes file for the upcoming release + 1, in this
case <literal>rl-1803.xml</literal>.
</para>
</listitem>
<listitem>
<para>
Create two Hydra jobsets: release-17.09 and release-17.09-small with <literal>stableBranch</literal> set to false.
</para>
</listitem>
<listitem>
<para>
Edit changelog at
<literal>nixos/doc/manual/release-notes/rl-1509.xml</literal>
<literal>nixos/doc/manual/release-notes/rl-1709.xml</literal>
(double check desktop versions are noted)
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
Get all new NixOS modules
<literal>git diff release-14.12..release-15.09 nixos/modules/module-list.nix|grep ^+</literal>
<literal>git diff release-17.03..release-17.09 nixos/modules/module-list.nix|grep ^+</literal>
</para>
</listitem>
<listitem>
@ -130,9 +127,25 @@
</listitem>
</itemizedlist>
</section>
<section xml:id="during-beta">
<title>During Beta</title>
<itemizedlist spacing="compact">
<listitem>
<para>
Monitor the master branch for bugfixes and minor updates
and cherry-pick them to the release branch.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="before-the-final-release">
<title>Before the final release</title>
<itemizedlist spacing="compact">
<listitem>
<para>
Re-check that the release notes are complete.
</para>
</listitem>
<listitem>
<para>
Release Nix (currently only Eelco Dolstra can do that).

1
nixos/doc/manual/development/writing-modules.xml
View File

@ -178,6 +178,7 @@ in {
<xi:include href="option-declarations.xml" />
<xi:include href="option-types.xml" />
<xi:include href="option-def.xml" />
<xi:include href="assertions.xml" />
<xi:include href="meta-attributes.xml" />
<xi:include href="replace-modules.xml" />

2
nixos/doc/manual/release-notes/rl-1609.xml
View File

@ -176,7 +176,7 @@ following incompatible changes:</para>
streamlined. Desktop users should be able to simply set
<programlisting>security.grsecurity.enable = true</programlisting> to get
a reasonably secure system without having to sacrifice too much
functionality. See <xref linkend="sec-grsecurity" /> for documentation
functionality.
</para></listitem>
<listitem><para>Special filesystems, like <literal>/proc</literal>,

42
nixos/doc/manual/release-notes/rl-1709.xml
View File

@ -10,6 +10,11 @@
has the following highlights: </para>
<itemizedlist>
<listitem>
<para>
The GNOME version is now 3.24.
</para>
</listitem>
<listitem>
<para>
The user handling now keeps track of deallocated UIDs/GIDs. When a user
@ -101,6 +106,9 @@ rmdir /var/lib/ipfs/.ipfs
<para>
The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
</para>
<para>
Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher.
</para>
</listitem>
<listitem>
<para>
@ -162,6 +170,38 @@ rmdir /var/lib/ipfs/.ipfs
Refer to the description of the options for more details.
</para>
</listitem>
<listitem>
<para>
The <literal>compiz</literal> window manager and package was
removed. The system support had been broken for several years.
</para>
</listitem>
<listitem>
<para>
Touchpad support should now be enabled through
<literal>libinput</literal> as <literal>synaptics</literal> is
now deprecated. See the option
<literal>services.xserver.libinput.enable</literal>.
</para>
</listitem>
<listitem>
<para>
grsecurity/PaX support has been dropped, following upstream's
decision to cease free support. See
<link xlink:href="https://grsecurity.net/passing_the_baton.php">
upstream's announcement</link> for more information.
No complete replacement for grsecurity/PaX is available presently.
</para>
</listitem>
<listitem>
<para>
The <literal>gnupg</literal> package used to suffix its programs
with <literal>2</literal>, like <command>gpg2</command> and
<command>gpgv2</command>. This suffix has since been dropped,
and the programs are now simply <command>gpg</command>,
<command>gpgv</command>, etc.
</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
@ -207,7 +247,7 @@ rmdir /var/lib/ipfs/.ipfs
<listitem>
<para>
Nixpkgs overlays may now be specified with a file as well as a directory. The
value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
<filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the
<filename>~/.config/nixpkgs/overalys</filename> directory.
</para>

46
nixos/doc/manual/release-notes/rl-1803.xml Normal file
View File

@ -0,0 +1,46 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.03">
<title>Release 18.03 (“Impala”, 2018/03/??)</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
<itemizedlist>
<listitem>
<para>
</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem>
<para></para>
</listitem>
</itemizedlist>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem>
<para>
</para>
</listitem>
</itemizedlist>
</section>

14
nixos/lib/make-disk-image.nix
View File

@ -45,19 +45,7 @@ let
raw = "img";
};
# Copied from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/cd-dvd/channel.nix
# TODO: factor out more cleanly
# Do not include these things:
# - The '.git' directory
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
filterFn = path: type: let basename = baseNameOf (toString path); in
if type == "directory" then basename != ".git"
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
nixpkgs = builtins.filterSource filterFn pkgs.path;
nixpkgs = lib.cleanSource pkgs.path;
channelSources = pkgs.runCommand "nixos-${config.system.nixosVersion}" {} ''
mkdir -p $out

2
nixos/maintainers/scripts/openstack/nova-image.nix
View File

@ -1,3 +1,5 @@
# nix-build '<nixpkgs/nixos>' -A config.system.build.novaImage --arg configuration "{ imports = [ ./nixos/maintainers/scripts/openstack/nova-image.nix ]; }"
{ config, lib, pkgs, ... }:
with lib;

2
nixos/modules/config/fonts/fontconfig-ultimate.nix
View File

@ -53,7 +53,7 @@ in
};
substitutions = mkOption {
type = types.nullOr (types.enum ["free" "combi" "ms"]);
type = types.enum ["free" "combi" "ms" "none"];
default = "free";
description = ''
Font substitutions to replace common Type 1 fonts with nicer

2
nixos/modules/config/i18n.nix
View File

@ -43,7 +43,7 @@ with lib;
<literal>"all"</literal> means that all locales supported by
Glibc will be installed. A full list of supported locales
can be found at <link
xlink:href="http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc"/>.
xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>.
'';
};

1
nixos/modules/config/no-x-libs.nix
View File

@ -34,6 +34,7 @@ with lib;
networkmanager_openvpn = pkgs.networkmanager_openvpn.override { withGnome = false; };
networkmanager_pptp = pkgs.networkmanager_pptp.override { withGnome = false; };
networkmanager_vpnc = pkgs.networkmanager_vpnc.override { withGnome = false; };
networkmanager_iodine = pkgs.networkmanager_iodine.override { withGnome = false; };
pinentry = pkgs.pinentry.override { gtk2 = null; qt4 = null; };
};
};

61
nixos/modules/hardware/raid/hpsa.nix Normal file
View File

@ -0,0 +1,61 @@
{ config, lib, pkgs, ... }:
with lib;
let
hpssacli = pkgs.stdenv.mkDerivation rec {
name = "hpssacli-${version}";
version = "2.40-13.0";
src = pkgs.fetchurl {
url = "http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${name}_amd64.deb";
sha256 = "11w7fwk93lmfw0yya4jpjwdmgjimqxx6412sqa166g1pz4jil4sw";
};
nativeBuildInputs = [ pkgs.dpkg ];
unpackPhase = "dpkg -x $src ./";
installPhase = ''
mkdir -p $out/bin $out/share/doc $out/share/man
mv opt/hp/hpssacli/bld/{hpssascripting,hprmstr,hpssacli} $out/bin/
mv opt/hp/hpssacli/bld/*.{license,txt} $out/share/doc/
mv usr/man $out/share/
for file in $out/bin/*; do
chmod +w $file
patchelf --set-interpreter "$(cat $NIX_BINUTILS/nix-support/dynamic-linker)" \
--set-rpath ${lib.makeLibraryPath [ pkgs.stdenv.cc.cc ]} \
$file
done
'';
dontStrip = true;
meta = with lib; {
description = "HP Smart Array CLI";
homepage = http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/;
license = licenses.unfreeRedistributable;
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ volth ];
};
};
in {
###### interface
options = {
hardware.raid.HPSmartArray = {
enable = mkEnableOption "HP Smart Array kernel modules and CLI utility";
};
};
###### implementation
config = mkIf config.hardware.raid.HPSmartArray.enable {
boot.initrd.kernelModules = [ "sg" ]; /* hpssacli wants it */
boot.initrd.availableKernelModules = [ "hpsa" ];
environment.systemPackages = [ hpssacli ];
};
}

11
nixos/modules/installer/cd-dvd/channel.nix
View File

@ -6,16 +6,7 @@
with lib;
let
# Do not include these things:
# - The '.git' directory
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
filterFn = path: type: let basename = baseNameOf (toString path); in
if type == "directory" then basename != ".git"
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
nixpkgs = builtins.filterSource filterFn pkgs.path;
nixpkgs = lib.cleanSource pkgs.path;
# We need a copy of the Nix expressions for Nixpkgs and NixOS on the
# CD. These are installed into the "nixos" channel of the root

2
nixos/modules/installer/tools/auto-upgrade.nix
View File

@ -76,7 +76,7 @@ let cfg = config.system.autoUpgrade; in
environment = config.nix.envVars //
{ inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root";
};
} // config.networking.proxy.envVars;
path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ];

6
nixos/modules/installer/tools/nix-fallback-paths.nix
View File

@ -1,5 +1,5 @@
{
x86_64-linux = "/nix/store/avwiw7hb1qckag864sc6ixfxr8qmf94w-nix-1.11.13";
i686-linux = "/nix/store/8wv3ms0afw95hzsz4lxzv0nj4w3614z9-nix-1.11.13";
x86_64-darwin = "/nix/store/z21lvakv1l7lhasmv5fvaz8mlzxia8k9-nix-1.11.13";
x86_64-linux = "/nix/store/xrqssm90gsrnqdn79rpfcs6dwx8597d2-nix-1.11.14";
i686-linux = "/nix/store/3vjphivqs2iy6m9yb3bd80nd3518510k-nix-1.11.14";
x86_64-darwin = "/nix/store/4j9jacx8mjd4jlj53wvymyhxq7dqyj5d-nix-1.11.14";
}

10
nixos/modules/installer/tools/nixos-generate-config.pl
View File

@ -605,6 +605,9 @@ $bootLoaderConfig
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
# services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
@ -615,8 +618,11 @@ $bootLoaderConfig
# uid = 1000;
# };
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "${\(qw(@nixosRelease@))}";
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "${\(qw(@nixosRelease@))}"; # Did you read the comment?
}
EOF

2
nixos/modules/misc/ids.nix
View File

@ -254,7 +254,6 @@
hydra-queue-runner = 235;
hydra-www = 236;
syncthing = 237;
mfi = 238;
caddy = 239;
taskd = 240;
factorio = 241;
@ -522,7 +521,6 @@
octoprint = 230;
radicale = 234;
syncthing = 237;
#mfi = 238; # unused
caddy = 239;
taskd = 240;
factorio = 241;

2
nixos/modules/misc/version.nix
View File

@ -95,7 +95,7 @@ in
nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
# Note: code names must only increase in alphabetical order.
nixosCodeName = "Hummingbird";
nixosCodeName = "Impala";
};
# Generate /etc/os-release. See

10
nixos/modules/module-list.nix
View File

@ -43,6 +43,7 @@
./hardware/nitrokey.nix
./hardware/opengl.nix
./hardware/pcmcia.nix
./hardware/raid/hpsa.nix
./hardware/usb-wwan.nix
./hardware/video/amdgpu.nix
./hardware/video/amdgpu-pro.nix
@ -120,7 +121,6 @@
./security/chromium-suid-sandbox.nix
./security/dhparams.nix
./security/duosec.nix
./security/grsecurity.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix
./security/oath.nix
@ -204,6 +204,7 @@
./services/desktops/gnome3/gnome-online-miners.nix
./services/desktops/gnome3/gnome-terminal-server.nix
./services/desktops/gnome3/gnome-user-share.nix
./services/desktops/gnome3/gpaste.nix
./services/desktops/gnome3/gvfs.nix
./services/desktops/gnome3/seahorse.nix
./services/desktops/gnome3/sushi.nix
@ -225,6 +226,7 @@
./services/hardware/brltty.nix
./services/hardware/freefall.nix
./services/hardware/illum.nix
./services/hardware/interception-tools.nix
./services/hardware/irqbalance.nix
./services/hardware/nvidia-optimus.nix
./services/hardware/pcscd.nix
@ -361,6 +363,7 @@
./services/monitoring/prometheus/default.nix
./services/monitoring/prometheus/alertmanager.nix
./services/monitoring/prometheus/blackbox-exporter.nix
./services/monitoring/prometheus/collectd-exporter.nix
./services/monitoring/prometheus/fritzbox-exporter.nix
./services/monitoring/prometheus/json-exporter.nix
./services/monitoring/prometheus/nginx-exporter.nix
@ -456,7 +459,6 @@
./services/networking/lldpd.nix
./services/networking/logmein-hamachi.nix
./services/networking/mailpile.nix
./services/networking/mfi.nix
./services/networking/mjpg-streamer.nix
./services/networking/minidlna.nix
./services/networking/miniupnpd.nix
@ -549,7 +551,6 @@
./services/security/fail2ban.nix
./services/security/fprintd.nix
./services/security/fprot.nix
./services/security/frandom.nix
./services/security/haka.nix
./services/security/haveged.nix
./services/security/hologram-server.nix
@ -587,6 +588,7 @@
./services/web-apps/frab.nix
./services/web-apps/mattermost.nix
./services/web-apps/nixbot.nix
./services/web-apps/nexus.nix
./services/web-apps/pgpkeyserver-lite.nix
./services/web-apps/piwik.nix
./services/web-apps/pump.io.nix
@ -630,7 +632,6 @@
./services/x11/redshift.nix
./services/x11/urxvtd.nix
./services/x11/window-managers/awesome.nix
#./services/x11/window-managers/compiz.nix
./services/x11/window-managers/default.nix
./services/x11/window-managers/fluxbox.nix
./services/x11/window-managers/icewm.nix
@ -680,6 +681,7 @@
./tasks/cpu-freq.nix
./tasks/encrypted-devices.nix
./tasks/filesystems.nix
./tasks/filesystems/bcachefs.nix
./tasks/filesystems/btrfs.nix
./tasks/filesystems/cifs.nix
./tasks/filesystems/exfat.nix

2
nixos/modules/profiles/graphical.nix
View File

@ -8,7 +8,7 @@
enable = true;
displayManager.sddm.enable = true;
desktopManager.plasma5.enable = true;
synaptics.enable = true; # for touchpad support on many laptops
libinput.enable = true; # for touchpad support on many laptops
};
environment.systemPackages = [ pkgs.glxinfo ];

17
nixos/modules/profiles/hardened.nix
View File

@ -25,6 +25,13 @@ with lib;
"nohibernate"
];
boot.blacklistedKernelModules = [
# Obscure network protocols
"ax25"
"netrom"
"rose"
];
# Restrict ptrace() usage to processes with a pre-defined relationship
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
@ -65,4 +72,14 @@ with lib;
# Note: mmap_rnd_compat_bits may not exist on 64bit.
boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
# Allowing users to mmap() memory starting at virtual address 0 can turn a
# NULL dereference bug in the kernel into code execution with elevated
# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
# space. This breaks applications that require mapping the 0 page, such as
# dosemu or running 16bit applications under wine. It also breaks older
# versions of qemu.
#
# The value is taken from the KSPP recommendations (Debian uses 4096).
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
}

2
nixos/modules/profiles/installation-device.nix
View File

@ -28,7 +28,7 @@ with lib;
services.nixosManual.showManual = true;
# Let the user play Rogue on TTY 8 during the installation.
services.rogue.enable = true;
#services.rogue.enable = true;
# Disable some other stuff we don't need.
security.sudo.enable = false;

4
nixos/modules/programs/zsh/zsh.nix
View File

@ -169,12 +169,12 @@ in
"source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh"
}
${zshAliases}
${cfge.interactiveShellInit}
${cfg.interactiveShellInit}
${zshAliases}
${cfg.promptInit}
# Read system-wide modifications.

26
nixos/modules/rename.nix
View File

@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, pkgs, ... }:
with lib;
@ -14,6 +14,10 @@ with lib;
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
(mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
(config:
let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config;
in if enabled then [ pkgs.gutenprint ] else [ ]))
(mkRenamedOptionModule [ "services" "elasticsearch" "host" ] [ "services" "elasticsearch" "listenAddress" ])
(mkRenamedOptionModule [ "services" "graphite" "api" "host" ] [ "services" "graphite" "api" "listenAddress" ])
(mkRenamedOptionModule [ "services" "graphite" "web" "host" ] [ "services" "graphite" "web" "listenAddress" ])
@ -120,26 +124,6 @@ with lib;
(mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
(mkRemovedOptionModule [ "services" "iodined" "client" ] "")
# Grsecurity
(mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
# Unity3D
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])

3
nixos/modules/security/chromium-suid-sandbox.nix
View File

@ -19,9 +19,6 @@ in
Also, if the URL chrome://sandbox tells you that "You are not adequately
sandboxed!", turning this on might resolve the issue.
Finally, if you have <option>security.grsecurity</option> enabled and you
use Chromium, you probably need this.
'';
};

169
nixos/modules/security/grsecurity.nix
View File

@ -1,169 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.security.grsecurity;
grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
# Ascertain whether NixOS container support is required
containerSupportRequired =
config.boot.enableContainers && config.containers != {};
in
{
meta = {
maintainers = with maintainers; [ ];
doc = ./grsecurity.xml;
};
options.security.grsecurity = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable grsecurity/PaX.
'';
};
lockTunables = mkOption {
type = types.bool;
default = true;
description = ''
Whether to automatically lock grsecurity tunables
(<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable
this to allow runtime configuration of grsecurity features. Activate
the <literal>grsec-lock</literal> service unit to prevent further
configuration until the next reboot.
'';
};
disableEfiRuntimeServices = mkOption {
type = types.bool;
default = true;
description = ''
Whether to disable access to EFI runtime services. Enabling EFI runtime
services creates a venue for code injection attacks on the kernel and
should be disabled if at all possible. Changing this option enters into
effect upon reboot.
'';
};
};
config = mkIf cfg.enable {
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
++ optional cfg.disableEfiRuntimeServices "noefi";
nixpkgs.config.grsecurity = true;
# Install PaX related utillities into the system profile.
environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
# Install rules for the grsec device node
services.udev.packages = [ pkgs.gradm ];
# This service unit is responsible for locking the grsecurity tunables. The
# unit is always defined, but only activated on bootup if lockTunables is
# toggled. When lockTunables is toggled, failure to activate the unit will
# enter emergency mode. The intent is to make it difficult to silently
# enter multi-user mode without having locked the tunables. Some effort is
# made to ensure that starting the unit is an idempotent operation.
systemd.services.grsec-lock = {
description = "Lock grsecurity tunables";
wantedBy = optional cfg.lockTunables "multi-user.target";
wants = [ "local-fs.target" "systemd-sysctl.service" ];
after = [ "local-fs.target" "systemd-sysctl.service" ];
conflicts = [ "shutdown.target" ];
restartIfChanged = false;
script = ''
if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
echo -n 1 > ${grsecLockPath}
fi
'';
unitConfig = {
ConditionPathIsReadWrite = grsecLockPath;
DefaultDependencies = false;
} // optionalAttrs cfg.lockTunables {
OnFailure = "emergency.target";
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};
# Configure system tunables
boot.kernel.sysctl = {
# Read-only under grsecurity
"kernel.kptr_restrict" = mkForce null;
# All grsec tunables default to off, those not enabled below are
# *disabled*. We use mkDefault to allow expert users to override
# our choices, but use mkForce where tunables would outright
# conflict with other settings.
# Enable all chroot restrictions by default (overwritten as
# necessary below)
"kernel.grsecurity.chroot_caps" = mkDefault 1;
"kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
"kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
"kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
"kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
"kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
"kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
"kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
"kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
"kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
"kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
"kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
"kernel.grsecurity.chroot_findtask" = mkDefault 1;
"kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
# Enable various grsec protections
"kernel.grsecurity.consistent_setxid" = mkDefault 1;
"kernel.grsecurity.deter_bruteforce" = mkDefault 1;
"kernel.grsecurity.fifo_restrictions" = mkDefault 1;
"kernel.grsecurity.harden_ipc" = mkDefault 1;
"kernel.grsecurity.harden_ptrace" = mkDefault 1;
"kernel.grsecurity.harden_tty" = mkDefault 1;
"kernel.grsecurity.ip_blackhole" = mkDefault 1;
"kernel.grsecurity.linking_restrictions" = mkDefault 1;
"kernel.grsecurity.ptrace_readexec" = mkDefault 1;
# Enable auditing
"kernel.grsecurity.audit_ptrace" = mkDefault 1;
"kernel.grsecurity.forkfail_logging" = mkDefault 1;
"kernel.grsecurity.rwxmap_logging" = mkDefault 1;
"kernel.grsecurity.signal_logging" = mkDefault 1;
"kernel.grsecurity.timechange_logging" = mkDefault 1;
} // optionalAttrs config.nix.useSandbox {
# chroot(2) restrictions that conflict with sandboxed Nix builds
"kernel.grsecurity.chroot_caps" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
} // optionalAttrs containerSupportRequired {
# chroot(2) restrictions that conflict with NixOS lightweight containers
"kernel.grsecurity.chroot_caps" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
# Disable privileged IO by default, unless X is enabled
} // optionalAttrs (!config.services.xserver.enable) {
"kernel.grsecurity.disable_priv_io" = mkDefault 1;
};
};
}

385
nixos/modules/security/grsecurity.xml
View File

@ -1,385 +0,0 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-grsecurity">
<title>Grsecurity/PaX</title>
<para>
Grsecurity/PaX is a set of patches against the Linux kernel that
implements an extensive suite of
<link xlink:href="https://grsecurity.net/features.php">features</link>
designed to increase the difficulty of exploiting kernel and
application bugs.
</para>
<para>
The NixOS grsecurity/PaX module is designed with casual users in mind and is
intended to be compatible with normal desktop usage, without
<emphasis>unnecessarily</emphasis> compromising security. The
following sections describe the configuration and administration of
a grsecurity/PaX enabled NixOS system. For more comprehensive
coverage, please refer to the
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
and the
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
Linux wiki page on grsecurity</link>.
<warning><para>Upstream has ceased free support for grsecurity/PaX. See
<link xlink:href="https://grsecurity.net/passing_the_baton.php">
the announcement</link> for more information. Consequently, NixOS
support for grsecurity/PaX also must cease. Enabling this module will
result in a build error.</para></warning>
<note><para>We standardise on a desktop oriented configuration primarily due
to lack of resources. The grsecurity/PaX configuration state space is huge
and each configuration requires quite a bit of testing to ensure that the
resulting packages work as advertised. Defining additional package sets
would likely result in a large number of functionally broken packages, to
nobody's benefit.</para></note>
</para>
<sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
<para>
To make use of grsecurity/PaX on NixOS, add the following to your
<filename>configuration.nix</filename>:
<programlisting>
security.grsecurity.enable = true;
</programlisting>
followed by
<programlisting>
# nixos-rebuild boot
# reboot
</programlisting>
<note><para>
Enabling the grsecurity module overrides
<option>boot.kernelPackages</option>, to reduce the risk of
misconfiguration. <xref linkend="sec-grsec-custom-kernel" />
describes how to use a custom kernel package set.
</para></note>
For most users, further configuration should be unnecessary. All users
are encouraged to look over <xref linkend="sec-grsec-security" /> before
using the system, however. If you experience problems, please refer to
<xref linkend="sec-grsec-issues" />.
</para>
<para>
Once booted into the new system, you can optionally use
<command>paxtest</command> to exercise various PaX features:
<screen><![CDATA[
# nix-shell -p paxtest --command 'paxtest blackhat'
Executable anonymous mapping : Killed
Executable bss : Killed
# ... remaining output truncated for brevity
]]></screen>
</para>
</sect1>
<sect1 xml:id="sec-grsec-declarative-tuning"><title>Declarative tuning</title>
<para>
The default configuration mode is strictly declarative. Some features
simply cannot be changed at all after boot, while others are locked once the
system is up and running. Moreover, changes to the configuration enter
into effect only upon booting into the new system.
</para>
<para>
The NixOS module exposes a limited number of options for tuning the behavior
of grsecurity/PaX. These are options thought to be of particular interest
to most users. For experts, further tuning is possible via
<option>boot.kernelParams</option> (see
<xref linkend="sec-grsec-kernel-params" />) and
<option>boot.kernel.sysctl."kernel.grsecurity.*"</option> (the wikibook
contains an <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options">
exhaustive listing of grsecurity sysctl tunables</link>).
</para>
</sect1>
<sect1 xml:id="sec-grsec-manual-tuning"><title>Manual tuning</title>
<para>
To permit manual tuning of grsecurity runtime parameters, set:
<programlisting>
security.grsecurity.lockTunables = false;
</programlisting>
Once booted into this system, grsecurity features that have a corresponding
sysctl tunable can be changed without rebooting, either by switching into
a new system profile or via the <command>sysctl</command> utility.
</para>
<para>
To lock all grsecurity tunables until the next boot, do:
<screen>
# systemctl start grsec-lock
</screen>
</para>
</sect1>
<sect1 xml:id="sec-grsec-security"><title>Security considerations</title>
<para>
The NixOS kernel is built using upstream's recommended settings for a
desktop deployment that generally favours security over performance. This
section details deviations from upstream's recommendations that may
compromise security.
<warning><para>There may be additional problems not covered here!</para>
</warning>
</para>
<itemizedlist>
<listitem><para>
The following hardening features are disabled in the NixOS kernel:
<itemizedlist>
<listitem><para>Kernel symbol hiding: rendered useless by redistributing
kernel objects.</para></listitem>
<listitem><para>Randomization of kernel structures: rendered useless by
redistributing kernel objects.</para></listitem>
<listitem><para>TCP simultaneous OPEN connection is permitted: breaking
strict TCP conformance is inappropriate for a general purpose kernel.
The trade-off is that an attacker may be able to deny outgoing
connections if they are able to guess the source port allocated by your
OS for that connection <emphasis>and</emphasis> also manage to initiate
a TCP simultaneous OPEN on that port before the connection is actually
established.</para></listitem>
<listitem><para>Trusted path execution: a desirable feature, but
requires some more work to operate smoothly on NixOS.</para></listitem>
</itemizedlist>
</para></listitem>
<listitem><para>
The NixOS module conditionally weakens <command>chroot</command>
restrictions to accommodate NixOS lightweight containers and sandboxed Nix
builds. This can be problematic if the deployment also runs privileged
network facing processes that <emphasis>rely</emphasis> on
<command>chroot</command> for isolation.
</para></listitem>
<listitem><para>
The NixOS kernel is patched to allow usermode helpers from anywhere in the
Nix store. A usermode helper is an executable called by the kernel in
certain circumstances, e.g., <command>modprobe</command>. Vanilla
grsecurity only allows usermode helpers from paths typically owned by the
super user. The NixOS kernel allows an attacker to inject malicious code
into the Nix store which could then be executed by the kernel as a
usermode helper.
</para></listitem>
<listitem><para>
The following features are disabled because they overlap with
vanilla kernel mechanisms:
<itemizedlist>
<listitem><para><filename class="directory">/proc</filename> hardening:
use <option>security.hideProcessInformation</option> instead. This
trades weaker protection for greater compatibility.
</para></listitem>
<listitem><para><command>dmesg</command> restrictions:
use <option>boot.kernel.sysctl."kernel.dmesg_restrict"</option> instead
</para></listitem>
</itemizedlist>
</para></listitem>
</itemizedlist>
</sect1>
<sect1 xml:id="sec-grsec-custom-kernel"><title>Using a custom grsecurity/PaX kernel</title>
<para>
The NixOS kernel is likely to be either too permissive or too restrictive
for many deployment scenarios. In addition to producing a kernel more
suitable for a particular deployment, a custom kernel may improve security
by depriving an attacker the ability to study the kernel object code, adding
yet more guesswork to successfully carry out certain exploits.
</para>
<para>
To build a custom kernel using upstream's recommended settings for server
deployments, while still using the NixOS module:
<programlisting>
nixpkgs.config.packageOverrides = super: {
linux_grsec_nixos = super.linux_grsec_nixos.override {
extraConfig = ''
GRKERNSEC_CONFIG_AUTO y
GRKERNSEC_CONFIG_SERVER y
GRKERNSEC_CONFIG_SECURITY y
'';
};
};
</programlisting>
</para>
<para>
The grsecurity/PaX wikibook provides an exhaustive listing of
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
</para>
<para>
The NixOS module makes several assumptions about the kernel and so
may be incompatible with your customised kernel. Currently, the only way
to work around these incompatibilities is to eschew the NixOS
module.
</para>
<para>
If not using the NixOS module, a custom grsecurity package set can
be specified inline instead, as in
<programlisting>
boot.kernelPackages =
let
kernel = pkgs.linux_grsec_nixos.override {
extraConfig = /* as above */;
};
self = pkgs.linuxPackagesFor kernel self;
in self;
</programlisting>
</para>
</sect1>
<sect1 xml:id="sec-grsec-pax-flags"><title>Per-executable PaX flags</title>
<para>
Manual tuning of per-file PaX flags for executables in the Nix store is
impossible on a properly configured system. If a package in Nixpkgs fails
due to PaX, that is a bug in the package recipe and should be reported to
the maintainer (including relevant <command>dmesg</command> output).
</para>
<para>
For executables installed outside of the Nix store, PaX flags can be set
using the <command>paxctl</command> utility:
<programlisting>
paxctl -czem <replaceable>foo</replaceable>
</programlisting>
<warning>
<para><command>paxctl</command> overwrites files in-place.</para>
</warning>
Equivalently, on file systems that support extended attributes:
<programlisting>
setfattr -n user.pax.flags -v em <replaceable>foo</replaceable>
</programlisting>
<!-- TODO: PaX flags via RBAC policy -->
</para>
</sect1>
<sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
<itemizedlist>
<listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
consequently, unprivileged namespaces are unsupported. Applications that
rely on namespaces for sandboxing must use a privileged helper. For chromium
there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem>
<listitem><para>Access to EFI runtime services is disabled by default:
this plugs a potential code injection attack vector; use
<option>security.grsecurity.disableEfiRuntimeServices</option> to override
this behavior.</para></listitem>
<listitem><para>User initiated autoloading of modules (e.g., when
using fuse or loop devices) is disallowed; either load requisite modules
as root or add them to <option>boot.kernelModules</option>.</para></listitem>
<listitem><para>Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are
<emphasis>unsupported</emphasis> and most likely require a custom kernel.
</para></listitem>
<listitem><para>
Attaching <command>gdb</command> to a running process is disallowed by
default: unprivileged users can only ptrace processes that are children of
the ptracing process. To relax this restriction, set
<programlisting>
boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;
</programlisting>
</para></listitem>
<listitem><para>
Overflows in boot critical code (e.g., the root filesystem module) can
render the system unbootable. Work around by setting
<programlisting>
boot.kernelParams = [ "pax_size_overflow_report_only" ];
</programlisting>
</para></listitem>
<listitem><para>
The <citerefentry><refentrytitle>modify_ldt
</refentrytitle><manvolnum>2</manvolnum></citerefentry> syscall is disabled
by default. This restriction can interfere with programs designed to run
legacy 16-bit or segmented 32-bit code. To support applications that rely
on this syscall, set
<programlisting>
boot.kernel.sysctl."kernel.modify_ldt" = 1;
</programlisting>
</para></listitem>
<listitem><para>
The gitlab service (<xref linkend="module-services-gitlab" />)
requires a variant of the <literal>ruby</literal> interpreter
built without `mprotect()` hardening, as in
<programlisting>
services.gitlab.packages.gitlab = pkgs.gitlab.override {
ruby = pkgs.ruby.overrideAttrs (attrs: {
postFixup = "paxmark m $out/bin/ruby";
});
};
</programlisting>
</para></listitem>
</itemizedlist>
</sect1>
<sect1 xml:id="sec-grsec-kernel-params"><title>Grsecurity/PaX kernel parameters</title>
<para>
The NixOS kernel supports the following kernel command line parameters:
<itemizedlist>
<listitem><para>
<literal>pax_nouderef</literal>: disable UDEREF (separate kernel and
user address spaces).
</para></listitem>
<listitem><para>
<literal>pax_weakuderef</literal>: enable a faster but
weaker variant of UDEREF on 64-bit processors with PCID support
(check <code>grep pcid /proc/cpuinfo</code>).
</para></listitem>
<listitem><para>
<literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel
slab object sanitization. Defaults to <literal>fast</literal>
</para></listitem>
<listitem><para>
<literal>pax_size_overflow_report_only</literal>: log size overflow
violations but leave the violating task running
</para></listitem>
<listitem><para>
<literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
restrictions. The NixOS module sets this to <literal>0</literal>
for systemd compatibility
</para></listitem>
</itemizedlist>
</para>
</sect1>
</chapter>

10
nixos/modules/services/backup/znapzend.nix
View File

@ -27,7 +27,13 @@ in
noDestroy = mkOption {
type = types.bool;
default = false;
description = "Does all changes to the filesystem except destroy";
description = "Does all changes to the filesystem except destroy.";
};
autoCreation = mkOption {
type = types.bool;
default = false;
description = "Automatically create the dataset on dest if it does not exists.";
};
};
};
@ -44,7 +50,7 @@ in
path = with pkgs; [ zfs mbuffer openssh ];
serviceConfig = {
ExecStart = "${pkgs.znapzend}/bin/znapzend --logto=${cfg.logTo} --loglevel=${cfg.logLevel} ${optionalString cfg.noDestroy "--nodestroy"}";
ExecStart = "${pkgs.znapzend}/bin/znapzend --logto=${cfg.logTo} --loglevel=${cfg.logLevel} ${optionalString cfg.noDestroy "--nodestroy"} ${optionalString cfg.autoCreation "--autoCreation"}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
};

11
nixos/modules/services/continuous-integration/gitlab-runner.nix
View File

@ -96,10 +96,21 @@ in
example = literalExample "pkgs.gitlab-runner_1_11";
};
packages = mkOption {
default = [ pkgs.bash pkgs.docker-machine ];
defaultText = "[ pkgs.bash pkgs.docker-machine ]";
type = types.listOf types.package;
description = ''
Packages to add to PATH for the gitlab-runner process.
'';
};
};
config = mkIf cfg.enable {
systemd.services.gitlab-runner = {
path = cfg.packages;
environment = config.networking.proxy.envVars;
description = "Gitlab Runner";
after = [ "network.target" ]
++ optional hasDocker "docker.service";

4
nixos/modules/services/continuous-integration/hydra/default.nix
View File

@ -270,8 +270,8 @@ in
${optionalString haveLocalDB ''
if ! [ -e ${baseDir}/.db-created ]; then
${config.services.postgresql.package}/bin/createuser hydra
${config.services.postgresql.package}/bin/createdb -O hydra hydra
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser hydra
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra
touch ${baseDir}/.db-created
fi
''}

10
nixos/modules/services/databases/mysql.nix
View File

@ -108,10 +108,13 @@ in
initialDatabases = mkOption {
default = [];
description = "List of database names and their initial schemas that should be used to create databases on the first startup of MySQL";
description = ''
List of database names and their initial schemas that should be used to create databases on the first startup
of MySQL. The schema attribute is optional: If not specified, an empty database is created.
'';
example = [
{ name = "foodatabase"; schema = literalExample "./foodatabase.sql"; }
{ name = "bardatabase"; schema = literalExample "./bardatabase.sql"; }
{ name = "bardatabase"; }
];
};
@ -247,6 +250,8 @@ in
if ! test -e "${cfg.dataDir}/${database.name}"; then
echo "Creating initial database: ${database.name}"
( echo "create database ${database.name};"
${optionalString (database ? "schema") ''
echo "use ${database.name};"
if [ -f "${database.schema}" ]
@ -256,6 +261,7 @@ in
then
cat ${database.schema}/mysql-databases/*.sql
fi
''}
) | ${mysql}/bin/mysql -u root -N
fi
'') cfg.initialDatabases}

21
nixos/modules/services/databases/postgresql.nix
View File

@ -38,9 +38,6 @@ let
pre84 = versionOlder (builtins.parseDrvName postgresql.name).version "8.4";
# NixOS traditionally used `root` as superuser, most other distros use `postgres`. From 17.09
# we also try to follow this standard
superuser = (if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root");
in
@ -62,7 +59,7 @@ in
package = mkOption {
type = types.package;
example = literalExample "pkgs.postgresql92";
example = literalExample "pkgs.postgresql96";
description = ''
PostgreSQL package to use.
'';
@ -151,6 +148,16 @@ in
Contents of the <filename>recovery.conf</filename> file.
'';
};
superUser = mkOption {
type = types.str;
default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
internal = true;
description = ''
NixOS traditionally used `root` as superuser, most other distros use `postgres`.
From 17.09 we also try to follow this standard. Internal since changing this value
would lead to breakage while setting up databases.
'';
};
};
};
@ -215,7 +222,7 @@ in
''
# Initialise the database.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
initdb -U ${superuser}
initdb -U ${cfg.superUser}
# See postStart!
touch "${cfg.dataDir}/.first_startup"
fi
@ -247,14 +254,14 @@ in
# Wait for PostgreSQL to be ready to accept connections.
postStart =
''
while ! ${pkgs.sudo}/bin/sudo -u ${superuser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
while ! ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
if ! kill -0 "$MAINPID"; then exit 1; fi
sleep 0.1
done
if test -e "${cfg.dataDir}/.first_startup"; then
${optionalString (cfg.initialScript != null) ''
${pkgs.sudo}/bin/sudo -u ${superuser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
''}
rm -f "${cfg.dataDir}/.first_startup"
fi

30
nixos/modules/services/desktops/gnome3/gpaste.nix Normal file
View File

@ -0,0 +1,30 @@
# GPaste daemon.
{ config, lib, ... }:
with lib;
let
gnome3 = config.environment.gnome3.packageSet;
in
{
###### interface
options = {
services.gnome3.gpaste = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GPaste, a clipboard manager.
'';
};
};
};
###### implementation
config = mkIf config.services.gnome3.gpaste.enable {
environment.systemPackages = [ gnome3.gpaste ];
services.dbus.packages = [ gnome3.gpaste ];
services.xserver.desktopManager.gnome3.sessionPath = [ gnome3.gpaste ];
systemd.packages = [ gnome3.gpaste ];
};
}

61
nixos/modules/services/hardware/interception-tools.nix Normal file
View File

@ -0,0 +1,61 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.interception-tools;
in {
options.services.interception-tools = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the interception tools service.";
};
plugins = mkOption {
type = types.listOf types.package;
default = [ pkgs.interception-tools-plugins.caps2esc ];
description = ''
A list of interception tools plugins that will be made available to use
inside the udevmon configuration.
'';
};
udevmonConfig = mkOption {
type = types.either types.str types.path;
default = ''
- JOB: "intercept -g $DEVNODE | caps2esc | uinput -d $DEVNODE"
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
'';
example = ''
- JOB: "intercept -g $DEVNODE | y2z | x2y | uinput -d $DEVNODE"
DEVICE:
EVENTS:
EV_KEY: [KEY_X, KEY_Y]
'';
description = ''
String of udevmon YAML configuration, or path to a udevmon YAML
configuration file.
'';
};
};
config = mkIf cfg.enable {
systemd.services.interception-tools = {
description = "Interception tools";
path = [ pkgs.bash pkgs.interception-tools ] ++ cfg.plugins;
serviceConfig = {
ExecStart = ''
${pkgs.interception-tools}/bin/udevmon -c \
${if builtins.typeOf cfg.udevmonConfig == "path"
then cfg.udevmonConfig
else pkgs.writeText "udevmon.yaml" cfg.udevmonConfig}
'';
Nice = -20;
};
wantedBy = [ "multi-user.target" ];
};
};
}

6
nixos/modules/services/mail/postfix.nix
View File

@ -836,11 +836,5 @@ in
(mkIf (cfg.dnsBlacklists != []) {
services.postfix.mapFiles."client_access" = checkClientAccessFile;
})
(mkIf (cfg.extraConfig != "") {
warnings = [ "The services.postfix.extraConfig option was deprecated. Please use services.postfix.config instead." ];
})
(mkIf (cfg.extraMasterConf != "") {
warnings = [ "The services.postfix.extraMasterConf option was deprecated. Please use services.postfix.masterConfig instead." ];
})
]);
}

2
nixos/modules/services/misc/bepasty.nix
View File

@ -3,7 +3,7 @@
with lib;
let
gunicorn = pkgs.pythonPackages.gunicorn;
bepasty = pkgs.pythonPackages.bepasty-server;
bepasty = pkgs.bepasty;
gevent = pkgs.pythonPackages.gevent;
python = pkgs.pythonPackages.python;
cfg = config.services.bepasty;

2
nixos/modules/services/misc/calibre-server.nix
View File

@ -42,7 +42,7 @@ in
serviceConfig = {
User = "calibre-server";
Restart = "always";
ExecStart = "${pkgs.calibre}/bin/calibre-server --with-library=${cfg.libraryDir}";
ExecStart = "${pkgs.calibre}/bin/calibre-server ${cfg.libraryDir}";
};
};

118
nixos/modules/services/misc/gitlab.nix
View File

@ -10,10 +10,12 @@ let
ruby = cfg.packages.gitlab.ruby;
bundler = pkgs.bundler;
gemHome = "${cfg.packages.gitlab.env}/${ruby.gemPath}";
gemHome = "${cfg.packages.gitlab.rubyEnv}/${ruby.gemPath}";
gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
pgSuperUser = config.services.postgresql.superUser;
databaseYml = ''
production:
@ -25,6 +27,23 @@ let
encoding: utf8
'';
gitalyToml = pkgs.writeText "gitaly.toml" ''
socket_path = "${lib.escape ["\""] gitalySocket}"
prometheus_listen_addr = "localhost:9236"
[gitaly-ruby]
dir = "${cfg.packages.gitaly.ruby}"
[gitlab-shell]
dir = "${cfg.packages.gitlab-shell}"
${concatStringsSep "\n" (attrValues (mapAttrs (k: v: ''
[[storage]]
name = "${lib.escape ["\""] k}"
path = "${lib.escape ["\""] v.path}"
'') gitlabConfig.production.repositories.storages))}
'';
gitlabShellYml = ''
user: ${cfg.user}
gitlab_url: "http+unix://${pathUrlQuote gitlabSocket}"
@ -41,11 +60,17 @@ let
namespace: resque:gitlab
'';
redisYml = ''
production:
url: redis://localhost:6379/
'';
secretsYml = ''
production:
secret_key_base: ${cfg.secrets.secret}
otp_key_base: ${cfg.secrets.otp}
db_key_base: ${cfg.secrets.db}
jws_private_key: ${builtins.toJSON cfg.secrets.jws}
'';
gitlabConfig = {
@ -69,7 +94,8 @@ let
container_registry = true;
};
};
repositories.storages.default = "${cfg.statePath}/repositories";
repositories.storages.default.path = "${cfg.statePath}/repositories";
repositories.storages.default.gitaly_address = "unix:${gitalySocket}";
artifacts.enabled = true;
lfs.enabled = true;
gravatar.enabled = true;
@ -86,11 +112,22 @@ let
upload_pack = true;
receive_pack = true;
};
workhorse = {
secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
};
git = {
bin_path = "git";
max_size = 20971520; # 20MB
timeout = 10;
};
monitoring = {
ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
sidekiq_exporter = {
enable = true;
address = "localhost";
port = 3807;
};
};
extra = {};
};
};
@ -105,9 +142,11 @@ let
GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads";
GITLAB_LOG_PATH = "${cfg.statePath}/log";
GITLAB_SHELL_PATH = "${cfg.packages.gitlab-shell}";
GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/shell/config.yml";
GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/home/config.yml";
GITLAB_SHELL_SECRET_PATH = "${cfg.statePath}/config/gitlab_shell_secret";
GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/shell/hooks";
GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/home/hooks";
GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "gitlab-redis.yml" redisYml;
prometheus_multiproc_dir = "/run/gitlab";
RAILS_ENV = "production";
};
@ -115,15 +154,15 @@ let
gitlab-rake = pkgs.stdenv.mkDerivation rec {
name = "gitlab-rake";
buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.env pkgs.makeWrapper ];
buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.rubyEnv pkgs.makeWrapper ];
phases = "installPhase fixupPhase";
buildPhase = "";
installPhase = ''
mkdir -p $out/bin
makeWrapper ${cfg.packages.gitlab.env}/bin/bundle $out/bin/gitlab-bundle \
makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/bundle $out/bin/gitlab-bundle \
${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
--set GITLAB_CONFIG_PATH '${cfg.statePath}/config' \
--set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip config.services.postgresql.package ]}:$PATH' \
--set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package ]}:$PATH' \
--set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \
--run 'cd ${cfg.packages.gitlab}/share/gitlab'
makeWrapper $out/bin/gitlab-bundle $out/bin/gitlab-rake \
@ -182,6 +221,13 @@ in {
description = "Reference to the gitlab-workhorse package";
};
packages.gitaly = mkOption {
type = types.package;
default = pkgs.gitaly;
defaultText = "pkgs.gitaly";
description = "Reference to the gitaly package";
};
statePath = mkOption {
type = types.str;
default = "/var/gitlab/state";
@ -359,6 +405,19 @@ in {
'';
};
secrets.jws = mkOption {
type = types.str;
description = ''
The secret is used to encrypt session keys. If you change or lose
this key, users will be disconnected.
Make sure the secret is an RSA private key in PEM format. You can
generate one with
openssl genrsa 2048openssl genpkey -algorithm RSA -out - -pkeyopt rsa_keygen_bits:2048
'';
};
extraConfig = mkOption {
type = types.attrs;
default = {};
@ -420,6 +479,7 @@ in {
ruby
openssh
nodejs
gnupg
];
serviceConfig = {
Type = "simple";
@ -428,7 +488,24 @@ in {
TimeoutSec = "300";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
};
};
systemd.services.gitaly = {
after = [ "network.target" "gitlab.service" ];
wantedBy = [ "multi-user.target" ];
environment.HOME = gitlabEnv.HOME;
path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv ];
serviceConfig = {
#PermissionsStartOnly = true; # preStart must be run as root
Type = "simple";
User = cfg.user;
Group = cfg.group;
TimeoutSec = "300";
Restart = "on-failure";
WorkingDirectory = gitlabEnv.HOME;
ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}";
};
};
@ -463,7 +540,7 @@ in {
+ "-listenAddr /run/gitlab/gitlab-workhorse.socket "
+ "-authSocket ${gitlabSocket} "
+ "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public "
+ "-secretPath ${cfg.packages.gitlab}/share/gitlab/.gitlab_workhorse_secret";
+ "-secretPath ${cfg.statePath}/.gitlab_workhorse_secret";
};
};
@ -477,6 +554,7 @@ in {
gitAndTools.git
openssh
nodejs
procps
];
preStart = ''
mkdir -p ${cfg.backupPath}
@ -486,12 +564,11 @@ in {
mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
mkdir -p ${gitlabConfig.production.shared.path}/pages
mkdir -p ${cfg.statePath}/log
mkdir -p ${cfg.statePath}/shell
mkdir -p ${cfg.statePath}/tmp/pids
mkdir -p ${cfg.statePath}/tmp/sockets
rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks
mkdir -p ${cfg.statePath}/config ${cfg.statePath}/shell
rm -rf ${cfg.statePath}/config ${cfg.statePath}/home/hooks
mkdir -p ${cfg.statePath}/config
tr -dc A-Za-z0-9 < /dev/urandom | head -c 32 > ${cfg.statePath}/config/gitlab_shell_secret
@ -499,7 +576,8 @@ in {
# symlinked in the gitlab package to /run/gitlab/uploads to make it
# configurable
mkdir -p /run/gitlab
mkdir -p ${cfg.statePath}/uploads
mkdir -p ${cfg.statePath}/{log,uploads}
ln -sf ${cfg.statePath}/log /run/gitlab/log
ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
chown -R ${cfg.user}:${cfg.group} /run/gitlab
@ -507,7 +585,6 @@ in {
mkdir -p ${gitlabEnv.HOME}/.ssh
touch ${gitlabEnv.HOME}/.ssh/authorized_keys
chown -R ${cfg.user}:${cfg.group} ${gitlabEnv.HOME}/
chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}/
cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
${optionalString cfg.smtp.enable ''
@ -532,14 +609,14 @@ in {
if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
if ! test -e "${cfg.statePath}/db-created"; then
psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} || true
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.databasePassword}'"
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName}
touch "${cfg.statePath}/db-created"
fi
fi
# enable required pg_trgm extension for gitlab
psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
# Always do the db migrations just to be sure the database is up-to-date
${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production
@ -548,14 +625,15 @@ in {
# up the initial database
if ! test -e "${cfg.statePath}/db-seeded"; then
${gitlab-rake}/bin/gitlab-rake db:seed_fu RAILS_ENV=production \
GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}"
GITLAB_ROOT_PASSWORD='${cfg.initialRootPassword}' GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}'
touch "${cfg.statePath}/db-seeded"
fi
# Change permissions in the last step because some of the
# intermediary scripts like to create directories as root.
chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}
chmod -R u+rwX,go-rwx+X ${cfg.statePath}
chmod -R ug+rwX,o-rwx+X ${cfg.statePath}
chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}
'';
serviceConfig = {
@ -566,7 +644,7 @@ in {
TimeoutSec = "300";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
ExecStart = "${cfg.packages.gitlab.env}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
};
};

4
nixos/modules/services/misc/gitolite.nix
View File

@ -4,7 +4,8 @@ with lib;
let
cfg = config.services.gitolite;
pubkeyFile = pkgs.writeText "gitolite-admin.pub" cfg.adminPubkey;
# Use writeTextDir to not leak Nix store hash into file name
pubkeyFile = (pkgs.writeTextDir "gitolite-admin.pub" cfg.adminPubkey) + "/gitolite-admin.pub";
hooks = lib.concatMapStrings (hook: "${hook} ") cfg.commonHooks;
in
{
@ -70,6 +71,7 @@ in
systemd.services."gitolite-init" = {
description = "Gitolite initialization";
wantedBy = [ "multi-user.target" ];
unitConfig.RequiresMountsFor = cfg.dataDir;
serviceConfig.User = "${cfg.user}";
serviceConfig.Type = "oneshot";

128
nixos/modules/services/monitoring/prometheus/collectd-exporter.nix Normal file
View File

@ -0,0 +1,128 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.prometheus.collectdExporter;
collectSettingsArgs = if (cfg.collectdBinary.enable) then ''
-collectd.listen-address ${optionalString (cfg.collectdBinary.listenAddress != null) cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \
-collectd.security-level ${cfg.collectdBinary.securityLevel} \
'' else "";
in {
options = {
services.prometheus.collectdExporter = {
enable = mkEnableOption "prometheus collectd exporter";
port = mkOption {
type = types.int;
default = 9103;
description = ''
Port to listen on.
This is used for scraping as well as the to receive collectd data via the write_http plugin.
'';
};
listenAddress = mkOption {
type = types.nullOr types.str;
default = null;
example = "0.0.0.0";
description = ''
Address to listen on for web interface, telemetry and collectd JSON data.
'';
};
collectdBinary = {
enable = mkEnableOption "collectd binary protocol receiver";
authFile = mkOption {
default = null;
type = types.nullOr types.path;
description = "File mapping user names to pre-shared keys (passwords).";
};
port = mkOption {
type = types.int;
default = 25826;
description = ''Network address on which to accept collectd binary network packets.'';
};
listenAddress = mkOption {
type = types.nullOr types.str;
default = null;
example = "0.0.0.0";
description = ''
Address to listen on for binary network packets.
'';
};
securityLevel = mkOption {
type = types.enum ["None" "Sign" "Encrypt"];
default = "None";
description = ''
Minimum required security level for accepted packets.
'';
};
};
extraFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra commandline options when launching the collectd exporter.
'';
};
logFormat = mkOption {
type = types.str;
default = "logger:stderr";
example = "logger:syslog?appname=bob&local=7 or logger:stdout?json=true";
description = ''
Set the log target and format.
'';
};
logLevel = mkOption {
type = types.enum ["debug" "info" "warn" "error" "fatal"];
default = "info";
description = ''
Only log messages with the given severity or above.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open port in firewall for incoming connections.
'';
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = (optional cfg.openFirewall cfg.port) ++
(optional (cfg.openFirewall && cfg.collectdBinary.enable) cfg.collectdBinary.port);
systemd.services.prometheus-collectd-exporter = {
description = "Prometheus exporter for Collectd metrics";
unitConfig.Documentation = "https://github.com/prometheus/collectd_exporter";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
Restart = "always";
PrivateTmp = true;
WorkingDirectory = /tmp;
ExecStart = ''
${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \
-log.format ${cfg.logFormat} \
-log.level ${cfg.logLevel} \
-web.listen-address ${optionalString (cfg.listenAddress != null) cfg.listenAddress}:${toString cfg.port} \
${collectSettingsArgs} \
${concatStringsSep " " cfg.extraFlags}
'';
};
};
};
}

10
nixos/modules/services/network-filesystems/glusterfs.nix
View File

@ -50,11 +50,19 @@ in
after = [ "rpcbind.service" "network.target" "local-fs.target" ];
before = [ "network-online.target" ];
# The copying of hooks is due to upstream bug https://bugzilla.redhat.com/show_bug.cgi?id=1452761
preStart = ''
install -m 0755 -d /var/log/glusterfs
''
# The copying of hooks is due to upstream bug https://bugzilla.redhat.com/show_bug.cgi?id=1452761
+ ''
mkdir -p /var/lib/glusterd/hooks/
${rsync}/bin/rsync -a ${glusterfs}/var/lib/glusterd/hooks/ /var/lib/glusterd/hooks/
''
# `glusterfind` needs dirs that upstream installs at `make install` phase
# https://github.com/gluster/glusterfs/blob/v3.10.2/tools/glusterfind/Makefile.am#L16-L17
+ ''
mkdir -p /var/lib/glusterd/glusterfind/.keys
mkdir -p /var/lib/glusterd/hooks/1/delete/post/
'';
serviceConfig = {

181
nixos/modules/services/network-filesystems/ipfs.nix
View File

@ -1,15 +1,19 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) ipfs runCommand makeWrapper;
cfg = config.services.ipfs;
ipfsFlags = ''${if cfg.autoMigrate then "--migrate" else ""} ${if cfg.enableGC then "--enable-gc" else ""} ${toString cfg.extraFlags}'';
ipfsFlags = toString ([
#(optionalString cfg.autoMount "--mount")
(optionalString cfg.autoMigrate "--migrate")
(optionalString cfg.enableGC "--enable-gc")
(optionalString (cfg.serviceFdlimit != null) "--manage-fdlimit=false")
(optionalString (cfg.defaultMode == "offline") "--offline")
(optionalString (cfg.defaultMode == "norouting") "--routing=none")
] ++ cfg.extraFlags);
# Before Version 17.09, ipfs would always use "/var/lib/ipfs/.ipfs" as it's dataDir
defaultDataDir = if versionAtLeast config.system.stateVersion "17.09" then
"/var/lib/ipfs" else
"/var/lib/ipfs/.ipfs";
@ -17,11 +21,48 @@ let
# Wrapping the ipfs binary with the environment variable IPFS_PATH set to dataDir because we can't set it in the user environment
wrapped = runCommand "ipfs" { buildInputs = [ makeWrapper ]; } ''
mkdir -p "$out/bin"
makeWrapper "${ipfs}/bin/ipfs" "$out/bin/ipfs" --set IPFS_PATH ${cfg.dataDir}
makeWrapper "${ipfs}/bin/ipfs" "$out/bin/ipfs" \
--set IPFS_PATH ${cfg.dataDir} \
--prefix PATH : /run/wrappers/bin
'';
in
{
commonEnv = {
environment.IPFS_PATH = cfg.dataDir;
path = [ wrapped ];
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
};
baseService = recursiveUpdate commonEnv {
wants = [ "ipfs-init.service" ];
preStart = ''
ipfs --local config Addresses.API ${cfg.apiAddress}
ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}
'' + optionalString false/*cfg.autoMount*/ ''
ipfs --local config Mounts.FuseAllowOther --json true
ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir}
ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir}
'' + concatStringsSep "\n" (collect
isString
(mapAttrsRecursive
(path: value:
# Using heredoc below so that the value is never improperly quoted
''
read value <<EOF
${builtins.toJSON value}
EOF
ipfs --local config --json "${concatStringsSep "." path}" "$value"
'')
cfg.extraConfig)
);
serviceConfig = {
ExecStart = "${wrapped}/bin/ipfs daemon ${ipfsFlags}";
Restart = "on-failure";
RestartSec = 1;
} // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
};
in {
###### interface
@ -63,6 +104,24 @@ in
'';
};
#autoMount = mkOption {
# type = types.bool;
# default = false;
# description = "Whether IPFS should try to mount /ipfs and /ipns at startup.";
#};
ipfsMountDir = mkOption {
type = types.str;
default = "/ipfs";
description = "Where to mount the IPFS namespace to";
};
ipnsMountDir = mkOption {
type = types.str;
default = "/ipns";
description = "Where to mount the IPNS namespace to";
};
gatewayAddress = mkOption {
type = types.str;
default = "/ip4/127.0.0.1/tcp/8080";
@ -91,11 +150,41 @@ in
'';
};
extraConfig = mkOption {
type = types.attrs;
description = toString [
"Attrset of daemon configuration to set using `ipfs config`, every time the daemon starts."
"These are applied last, so may override configuration set by other options in this module."
"Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default!"
];
default = {};
example = {
Datastore.StorageMax = "100GB";
Discovery.MDNS.Enabled = false;
Bootstrap = [
"/ip4/128.199.219.111/tcp/4001/ipfs/QmSoLSafTMBsPKadTEgaXctDQVcqN88CNLHXMkTNwMKPnu"
"/ip4/162.243.248.213/tcp/4001/ipfs/QmSoLueR4xBeUbY9WZ9xGUUxunbKWcrNFTDAadQJmocnWm"
];
Swarm.AddrFilters = null;
};
};
extraFlags = mkOption {
type = types.listOf types.str;
description = "Extra flags passed to the IPFS daemon";
default = [];
};
serviceFdlimit = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
The fdlimit for the IPFS systemd unit or `null` to have the daemon attempt to manage it.
'';
example = 256*1024;
};
};
};
@ -115,108 +204,56 @@ in
};
users.extraGroups = mkIf (cfg.group == "ipfs") {
ipfs = {
gid = config.ids.gids.ipfs;
};
ipfs.gid = config.ids.gids.ipfs;
};
systemd.services.ipfs-init = {
systemd.services.ipfs-init = recursiveUpdate commonEnv {
description = "IPFS Initializer";
after = [ "local-fs.target" ];
before = [ "ipfs.service" "ipfs-offline.service" ];
environment.IPFS_PATH = cfg.dataDir;
path = [ pkgs.ipfs pkgs.su pkgs.bash ];
preStart = ''
install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}
'' + optionalString false/*cfg.autoMount*/ ''
install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipfsMountDir}
install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipnsMountDir}
'';
script = ''
script = ''
if [[ ! -f ${cfg.dataDir}/config ]]; then
${ipfs}/bin/ipfs init ${optionalString cfg.emptyRepo "-e"}
ipfs init ${optionalString cfg.emptyRepo "-e"}
fi
${ipfs}/bin/ipfs --local config Addresses.API ${cfg.apiAddress}
${ipfs}/bin/ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}
'';
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "oneshot";
RemainAfterExit = true;
PermissionsStartOnly = true;
};
};
systemd.services.ipfs = {
# TODO These 3 definitions possibly be further abstracted through use of a function
# like: mutexServices "ipfs" [ "", "offline", "norouting" ] { ... shared conf here ... }
systemd.services.ipfs = recursiveUpdate baseService {
description = "IPFS Daemon";
wantedBy = mkIf (cfg.defaultMode == "online") [ "multi-user.target" ];
after = [ "network.target" "local-fs.target" "ipfs-init.service" ];
conflicts = [ "ipfs-offline.service" "ipfs-norouting.service"];
wants = [ "ipfs-init.service" ];
environment.IPFS_PATH = cfg.dataDir;
path = [ pkgs.ipfs ];
serviceConfig = {
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags}";
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
RestartSec = 1;
};
};
systemd.services.ipfs-offline = {
systemd.services.ipfs-offline = recursiveUpdate baseService {
description = "IPFS Daemon (offline mode)";
wantedBy = mkIf (cfg.defaultMode == "offline") [ "multi-user.target" ];
after = [ "local-fs.target" "ipfs-init.service" ];
conflicts = [ "ipfs.service" "ipfs-norouting.service"];
wants = [ "ipfs-init.service" ];
environment.IPFS_PATH = cfg.dataDir;
path = [ pkgs.ipfs ];
serviceConfig = {
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags} --offline";
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
RestartSec = 1;
};
};
systemd.services.ipfs-norouting = {
systemd.services.ipfs-norouting = recursiveUpdate baseService {
description = "IPFS Daemon (no routing mode)";
wantedBy = mkIf (cfg.defaultMode == "norouting") [ "multi-user.target" ];
after = [ "local-fs.target" "ipfs-init.service" ];
conflicts = [ "ipfs.service" "ipfs-offline.service"];
wants = [ "ipfs-init.service" ];
environment.IPFS_PATH = cfg.dataDir;
path = [ pkgs.ipfs ];
serviceConfig = {
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags} --routing=none";
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
RestartSec = 1;
};
};
};

4
nixos/modules/services/network-filesystems/openafs-client/default.nix
View File

@ -6,8 +6,8 @@ let
cfg = config.services.openafsClient;
cellServDB = pkgs.fetchurl {
url = http://dl.central.org/dl/cellservdb/CellServDB.2009-06-29;
sha256 = "be566f850e88130333ab8bc3462872ad90c9482e025c60a92f728b5bac1b4fa9";
url = http://dl.central.org/dl/cellservdb/CellServDB.2017-03-14;
sha256 = "1197z6c5xrijgf66rhaymnm5cvyg2yiy1i20y4ah4mrzmjx0m7sc";
};
afsConfig = pkgs.runCommand "afsconfig" {} ''

2
nixos/modules/services/network-filesystems/samba.nix
View File

@ -28,7 +28,7 @@ let
configFile = pkgs.writeText "smb.conf"
(if cfg.configText != null then cfg.configText else
''
[ global ]
[global]
security = ${cfg.securityType}
passwd program = /run/wrappers/bin/passwd %u
pam password change = ${smbToString cfg.syncPasswordsByPam}

8
nixos/modules/services/networking/dnscrypt-wrapper.nix
View File

@ -45,7 +45,7 @@ let
rotateKeys = ''
# check if keys are not expired
keyValid() {
fingerprint=$(dnscrypt-wrapper --show-provider-publickey-fingerprint | awk '{print $(NF)}')
fingerprint=$(dnscrypt-wrapper --show-provider-publickey | awk '{print $(NF)}')
dnscrypt-proxy --test=${toString (cfg.keys.checkInterval + 1)} \
--resolver-address=127.0.0.1:${toString cfg.port} \
--provider-name=${cfg.providerName} \
@ -56,9 +56,10 @@ let
# archive old keys and restart the service
if ! keyValid; then
echo "certificate soon to become invalid; backing up old cert"
mkdir -p oldkeys
mv ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
mv ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
systemctl restart dnscrypt-wrapper
fi
'';
@ -169,6 +170,7 @@ in {
path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy gawk ];
script = rotateKeys;
serviceConfig.User = "dnscrypt-wrapper";
};

8
nixos/modules/services/networking/i2pd.nix
View File

@ -256,6 +256,14 @@ in
'';
};
nat = mkOption {
type = types.bool;
default = true;
description = ''
Assume router is NATed. Enabled by default.
'';
};
upnp = {
enable = mkOption {
type = types.bool;

9
nixos/modules/services/networking/lldpd.nix
View File

@ -28,16 +28,11 @@ in
users.extraGroups._lldpd = {};
environment.systemPackages = [ pkgs.lldpd ];
systemd.packages = [ pkgs.lldpd ];
systemd.services.lldpd = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
requires = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.lldpd}/bin/lldpd -d ${concatStringsSep " " cfg.extraArgs}";
PrivateTmp = true;
PrivateDevices = true;
};
environment.LLDPD_OPTIONS = concatStringsSep " " cfg.extraArgs;
};
};
}

100
nixos/modules/services/networking/mfi.nix
View File

@ -1,100 +0,0 @@
{ config, lib, pkgs, utils, ... }:
with lib;
let
name = "Ubiquiti mFi Controller";
cfg = config.services.mfi;
stateDir = "/var/lib/mfi";
# XXX 2 runtime exceptions using jre8: JSPException on GET / ; can't initialize ./data/keystore on first run.
cmd = "@${pkgs.jre7}/bin/java java -jar ${stateDir}/lib/ace.jar";
mountPoints = [
{ what = "${pkgs.mfi}/dl"; where = "${stateDir}/dl"; }
{ what = "${pkgs.mfi}/lib"; where = "${stateDir}/lib"; }
{ what = "${pkgs.mongodb248}/bin"; where = "${stateDir}/bin"; }
{ what = "${cfg.dataDir}"; where = "${stateDir}/data"; }
];
systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints;
ports = [ 6080 6880 6443 6843 ];
in
{
options = {
services.mfi = {
enable = mkEnableOption name;
openPorts = mkOption {
type = types.bool;
default = true;
description = "Whether to open TCP ports ${concatMapStrings (a: "${toString a} ") ports}for the services.";
};
dataDir = mkOption {
type = types.str;
default = "${stateDir}/data";
description = ''
Where to store the database and other data.
This directory will be bind-mounted to ${stateDir}/data as part of the service startup.
'';
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf config.services.mfi.openPorts ports;
users.users.mfi = {
uid = config.ids.uids.mfi;
description = "mFi controller daemon user";
home = "${stateDir}";
};
# We must create the binary directories as bind mounts instead of symlinks
# This is because the controller resolves all symlinks to absolute paths
# to be used as the working directory.
systemd.mounts = map ({ what, where }: {
bindsTo = [ "mfi.service" ];
partOf = [ "mfi.service" ];
unitConfig.RequiresMountsFor = stateDir;
options = "bind";
what = what;
where = where;
}) mountPoints;
systemd.services.mfi = {
description = "mFi controller daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ] ++ systemdMountPoints;
partOf = systemdMountPoints;
bindsTo = systemdMountPoints;
unitConfig.RequiresMountsFor = stateDir;
preStart = ''
# Clear ./webapps each run.
rm -rf "${stateDir}/webapps"
mkdir -p "${stateDir}/webapps"
ln -s "${pkgs.mfi}/webapps/ROOT.war" "${stateDir}/webapps"
# Copy initial config only once.
test -e "${stateDir}/conf" || cp -ar "${pkgs.mfi}/conf" "${stateDir}/conf"
test -e "${stateDir}/data" || cp -ar "${pkgs.mfi}/data" "${stateDir}/data"
# Fix Permissions.
# (Bind-mounts cause errors; ignore exit codes)
chown -fR mfi: "${stateDir}" || true
chmod -fR u=rwX,go= "${stateDir}" || true
'';
postStop = ''
rm -rf "${stateDir}/webapps"
'';
serviceConfig = {
Type = "simple";
ExecStart = "${cmd} start";
ExecStop = "${cmd} stop";
User = "mfi";
PermissionsStartOnly = true;
UMask = "0077";
WorkingDirectory = "${stateDir}";
};
};
};
}

11
nixos/modules/services/networking/networkmanager.nix
View File

@ -130,7 +130,8 @@ in {
default = { inherit networkmanager modemmanager wpa_supplicant
networkmanager_openvpn networkmanager_vpnc
networkmanager_openconnect networkmanager_fortisslvpn
networkmanager_pptp networkmanager_l2tp; };
networkmanager_pptp networkmanager_l2tp
networkmanager_iodine; };
internal = true;
};
@ -255,6 +256,9 @@ in {
{ source = "${networkmanager_strongswan}/etc/NetworkManager/VPN/nm-strongswan-service.name";
target = "NetworkManager/VPN/nm-strongswan-service.name";
}
{ source = "${networkmanager_iodine}/etc/NetworkManager/VPN/nm-iodine-service.name";
target = "NetworkManager/VPN/nm-iodine-service.name";
}
] ++ optional (cfg.appendNameservers == [] || cfg.insertNameservers == [])
{ source = overrideNameserversScript;
target = "NetworkManager/dispatcher.d/02overridedns";
@ -278,6 +282,11 @@ in {
name = "nm-openvpn";
uid = config.ids.uids.nm-openvpn;
extraGroups = [ "networkmanager" ];
}
{
name = "nm-iodine";
isSystemUser = true;
group = "networkmanager";
}];
systemd.packages = cfg.packages;

40
nixos/modules/services/networking/radicale.nix
View File

@ -1,4 +1,4 @@
{config, lib, pkgs, ...}:
{ config, lib, pkgs, ... }:
with lib;
@ -8,17 +8,35 @@ let
confFile = pkgs.writeText "radicale.conf" cfg.config;
# This enables us to default to version 2 while still not breaking configurations of people with version 1
defaultPackage = if versionAtLeast "17.09" config.system.stateVersion then {
pkg = pkgs.radicale2;
text = "pkgs.radicale2";
} else {
pkg = pkgs.radicale1;
text = "pkgs.radicale1";
};
in
{
options = {
services.radicale.enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable Radicale CalDAV and CardDAV server
Enable Radicale CalDAV and CardDAV server.
'';
};
services.radicale.package = mkOption {
type = types.package;
default = defaultPackage.pkg;
defaultText = defaultPackage.text;
description = ''
Radicale package to use. This defaults to version 1.x if
<literal>system.stateVersion &lt; 17.09</literal> and version 2.x
otherwise.
'';
};
@ -27,13 +45,13 @@ in
default = "";
description = ''
Radicale configuration, this will set the service
configuration file
configuration file.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.radicale ];
environment.systemPackages = [ cfg.package ];
users.extraUsers = singleton
{ name = "radicale";
@ -52,11 +70,13 @@ in
description = "A Simple Calendar and Contact Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.radicale}/bin/radicale -C ${confFile} -f";
serviceConfig.User = "radicale";
serviceConfig.Group = "radicale";
serviceConfig = {
ExecStart = "${cfg.package}/bin/radicale -C ${confFile} -f";
User = "radicale";
Group = "radicale";
};
};
};
meta.maintainers = with lib.maintainers; [ aneeshusa ];
meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ];
}

14
nixos/modules/services/networking/znc.nix
View File

@ -261,7 +261,7 @@ in
"freenode" = {
server = "chat.freenode.net";
port = 6697;
ssl = true;
useSSL = true;
modules = [ "simple_away" ];
};
};
@ -276,6 +276,14 @@ in
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Whether to open ports in the firewall for ZNC.
'';
};
passBlock = mkOption {
example = defaultPassBlock;
type = types.string;
@ -350,6 +358,10 @@ in
config = mkIf cfg.enable {
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
};
systemd.services.znc = {
description = "ZNC Server";
wantedBy = [ "multi-user.target" ];

32
nixos/modules/services/printing/cupsd.nix
View File

@ -4,7 +4,7 @@ with lib;
let
inherit (pkgs) cups cups-pk-helper cups-filters gutenprint;
inherit (pkgs) cups cups-pk-helper cups-filters;
cfg = config.services.printing;
@ -35,7 +35,6 @@ let
name = "cups-progs";
paths =
[ cups.out additionalBackends cups-filters pkgs.ghostscript ]
++ optional cfg.gutenprint gutenprint
++ cfg.drivers;
pathsToLink = [ "/lib" "/share/cups" "/bin" ];
postBuild = cfg.bindirCmds;
@ -97,12 +96,15 @@ let
(writeConf "client.conf" cfg.clientConf)
(writeConf "snmp.conf" cfg.snmpConf)
] ++ optional avahiEnabled browsedFile
++ optional cfg.gutenprint gutenprint
++ cfg.drivers;
pathsToLink = [ "/etc/cups" ];
ignoreCollisions = true;
};
filterGutenprint = pkgs: filter (pkg: pkg.meta.isGutenprint or false == true) pkgs;
containsGutenprint = pkgs: length (filterGutenprint pkgs) > 0;
getGutenprint = pkgs: head (filterGutenprint pkgs);
in
{
@ -224,23 +226,17 @@ in
'';
};
gutenprint = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable Gutenprint drivers for CUPS. This includes auto-updating
Gutenprint PPD files.
'';
};
drivers = mkOption {
type = types.listOf types.path;
default = [];
example = literalExample "[ pkgs.splix ]";
example = literalExample "[ pkgs.gutenprint pkgs.hplip pkgs.splix ]";
description = ''
CUPS drivers to use. Drivers provided by CUPS, cups-filters, Ghostscript
and Samba are added unconditionally. For adding Gutenprint, see
<literal>gutenprint</literal>.
CUPS drivers to use. Drivers provided by CUPS, cups-filters,
Ghostscript and Samba are added unconditionally. If this list contains
Gutenprint (i.e. a derivation with
<literal>meta.isGutenprint = true</literal>) the PPD files in
<filename>/var/lib/cups/ppd</filename> will be updated automatically
to avoid errors due to incompatible versions.
'';
};
@ -318,9 +314,9 @@ in
[ ! -e /var/lib/cups/path ] && \
ln -s ${bindir} /var/lib/cups/path
${optionalString cfg.gutenprint ''
${optionalString (containsGutenprint cfg.drivers) ''
if [ -d /var/lib/cups/ppd ]; then
${gutenprint}/bin/cups-genppdupdate -p /var/lib/cups/ppd
${getGutenprint cfg.drivers}/bin/cups-genppdupdate -p /var/lib/cups/ppd
fi
''}
'';

2
nixos/modules/services/scheduling/cron.nix
View File

@ -122,7 +122,7 @@ in
fi
'';
restartTriggers = [ config.environment.etc.localtime.source ];
restartTriggers = [ config.time.timeZone ];
serviceConfig.ExecStart = "${cronNixosPkg}/bin/cron -n";
};

31
nixos/modules/services/security/frandom.nix
View File

@ -1,31 +0,0 @@
{lib, config, ...}:
let kernel = config.boot.kernelPackages;
in
{
###### interface
options = {
services.frandom.enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
enable the /dev/frandom device (a very fast random number generator)
'';
};
};
###### implementation
config = lib.mkIf config.services.frandom.enable {
boot.kernelModules = [ "frandom" ];
boot.extraModulePackages = [ kernel.frandom ];
services.udev.packages = [ kernel.frandom ];
};
}

2
nixos/modules/services/security/physlock.nix
View File

@ -99,6 +99,8 @@ in
'';
};
security.pam.services.physlock = {};
};
}

10
nixos/modules/services/torrent/deluge.nix
View File

@ -42,9 +42,9 @@ in {
after = [ "network.target" ];
description = "Deluge BitTorrent Daemon";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.pythonPackages.deluge ];
path = [ pkgs.deluge ];
serviceConfig = {
ExecStart = "${pkgs.pythonPackages.deluge}/bin/deluged -d";
ExecStart = "${pkgs.deluge}/bin/deluged -d";
# To prevent "Quit & shutdown daemon" from working; we want systemd to manage it!
Restart = "on-success";
User = "deluge";
@ -57,13 +57,13 @@ in {
after = [ "network.target" ];
description = "Deluge BitTorrent WebUI";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.pythonPackages.deluge ];
serviceConfig.ExecStart = "${pkgs.pythonPackages.deluge}/bin/deluge --ui web";
path = [ pkgs.deluge ];
serviceConfig.ExecStart = "${pkgs.deluge}/bin/deluge --ui web";
serviceConfig.User = "deluge";
serviceConfig.Group = "deluge";
};
environment.systemPackages = [ pkgs.pythonPackages.deluge ];
environment.systemPackages = [ pkgs.deluge ];
users.extraUsers.deluge = {
group = "deluge";

10
nixos/modules/services/torrent/transmission.nix
View File

@ -6,7 +6,7 @@ let
cfg = config.services.transmission;
apparmor = config.security.apparmor.enable;
homeDir = "/var/lib/transmission";
homeDir = cfg.home;
downloadDir = "${homeDir}/Downloads";
incompleteDir = "${homeDir}/.incomplete";
@ -69,6 +69,14 @@ in
default = 9091;
description = "TCP port number to run the RPC/web interface.";
};
home = mkOption {
type = types.path;
default = "/var/lib/transmission";
description = ''
The directory where transmission will create files.
'';
};
};
};

100
nixos/modules/services/web-apps/nexus.nix Normal file
View File

@ -0,0 +1,100 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.nexus;
in
{
options = {
services.nexus = {
enable = mkEnableOption "SonarType Nexus3 OSS service";
user = mkOption {
type = types.str;
default = "nexus";
description = "User which runs Nexus3.";
};
group = mkOption {
type = types.str;
default = "nexus";
description = "Group which runs Nexus3.";
};
home = mkOption {
type = types.str;
default = "/var/lib/sonatype-work";
description = "Home directory of the Nexus3 instance.";
};
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Address to listen on.";
};
listenPort = mkOption {
type = types.int;
default = 8081;
description = "Port to listen on.";
};
};
};
config = mkIf cfg.enable {
users.extraUsers."${cfg.user}" = {
isSystemUser = true;
group = cfg.group;
};
users.extraGroups."${cfg.group}" = {};
systemd.services.nexus = {
description = "SonarType Nexus3";
wantedBy = [ "multi-user.target" ];
path = [ cfg.home ];
environment = {
NEXUS_USER = cfg.user;
NEXUS_HOME = cfg.home;
};
preStart = ''
mkdir -p ${cfg.home}/nexus3/etc
ln -sf ${cfg.home} /run/sonatype-work
chown -R ${cfg.user}:${cfg.group} ${cfg.home}
if [ ! -f ${cfg.home}/nexus3/etc/nexus.properties ]; then
echo "# Jetty section" > ${cfg.home}/nexus3/etc/nexus.properties
echo "application-port=${toString cfg.listenPort}" >> ${cfg.home}/nexus3/etc/nexus.properties
echo "application-host=${toString cfg.listenAddress}" >> ${cfg.home}/nexus3/etc/nexus.properties
else
sed 's/^application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
fi
'';
script = "${pkgs.nexus}/bin/nexus run";
serviceConfig = {
User = cfg.user;
Group = cfg.group;
PrivateTmp = true;
PermissionsStartOnly = true;
LimitNOFILE = 102642;
};
};
};
meta.maintainers = with stdenv.lib.maintainers; [ ironpinguin ];
}

10
nixos/modules/services/web-apps/piwik-doc.xml
View File

@ -79,16 +79,6 @@
You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
</para>
</listitem>
<listitem>
<para>
Sending mail from piwik, e.g. for the password reset function, might not work out of the box:
There's a problem with using <command>sendmail</command> from <literal>php-fpm</literal> that is
being investigated at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/26611" />.
If you have (or don't have) this problem as well, please report it. You can enable SMTP as method
to send mail in piwik's <quote>General Settings</quote> > <quote>Mail Server Settings</quote> instead.
</para>
</listitem>
</itemizedlist>
</section>

96
nixos/modules/services/web-apps/piwik.nix
View File

@ -24,14 +24,17 @@ in {
default = false;
description = ''
Enable piwik web analytics with php-fpm backend.
Either the nginx option or the webServerUser option is mandatory.
'';
};
webServerUser = mkOption {
type = types.str;
example = "nginx";
type = types.nullOr types.str;
default = null;
example = "lighttpd";
description = ''
Name of the owner of the ${phpSocket} fastcgi socket for piwik.
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx
option is not used. Either this option or the nginx option is mandatory.
If you want to use another webserver than nginx, you need to set this to that server's user
and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
'';
@ -57,47 +60,43 @@ in {
};
nginx = mkOption {
# TODO: for maximum flexibility, it would be nice to use nginx's vhost_options module
# but this only makes sense if we can somehow specify defaults suitable for piwik.
# But users can always copy the piwik nginx config to their configuration.nix and customize it.
type = types.nullOr (types.submodule {
options = {
virtualHost = mkOption {
type = types.str;
default = "piwik.${config.networking.hostName}";
example = "piwik.$\{config.networking.hostName\}";
description = ''
Name of the nginx virtualhost to use and set up.
'';
};
enableSSL = mkOption {
type = types.bool;
default = true;
description = "Whether to enable https.";
};
forceSSL = mkOption {
type = types.bool;
default = true;
description = "Whether to always redirect to https.";
};
enableACME = mkOption {
type = types.bool;
default = true;
description = "Whether to ask Let's Encrypt to sign a certificate for this vhost.";
};
};
});
type = types.nullOr (types.submodule (
recursiveUpdate
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
{
# enable encryption by default,
# as sensitive login and piwik data should not be transmitted in clear text.
options.forceSSL.default = true;
options.enableACME.default = true;
}
)
);
default = null;
example = { virtualHost = "stats.$\{config.networking.hostName\}"; };
example = {
serverName = "stats.$\{config.networking.hostName\}";
enableACME = false;
};
description = ''
The options to use to configure an nginx virtualHost.
If null (the default), no nginx virtualHost will be configured.
With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik.
Either this option or the webServerUser option is mandatory.
Set this to {} to just enable the virtualHost if you don't need any customization.
If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active,
and certificates are acquired via ACME.
If this is set to null (the default), no nginx virtualHost will be configured.
'';
};
};
};
config = mkIf cfg.enable {
warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [
"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed."
];
assertions = [ {
assertion = cfg.nginx != null || cfg.webServerUser != null;
message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory";
}];
users.extraUsers.${user} = {
isSystemUser = true;
@ -153,10 +152,16 @@ in {
serviceConfig.UMask = "0007";
};
services.phpfpm.poolConfigs = {
services.phpfpm.poolConfigs = let
# workaround for when both are null and need to generate a string,
# which is illegal, but as assertions apparently are being triggered *after* config generation,
# we have to avoid already throwing errors at this previous stage.
socketOwner = if (cfg.nginx != null) then config.services.nginx.user
else if (cfg.webServerUser != null) then cfg.webServerUser else "";
in {
${pool} = ''
listen = "${phpSocket}"
listen.owner = ${cfg.webServerUser}
listen.owner = ${socketOwner}
listen.group = root
listen.mode = 0600
user = ${user}
@ -170,12 +175,15 @@ in {
# References:
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
# https://github.com/perusio/piwik-nginx
${cfg.nginx.virtualHost} = {
root = "${pkgs.piwik}/share";
enableSSL = cfg.nginx.enableSSL;
enableACME = cfg.nginx.enableACME;
forceSSL = cfg.nginx.forceSSL;
"${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
# don't allow to override the root easily, as it will almost certainly break piwik.
# disadvantage: not shown as default in docs.
root = mkForce "${pkgs.piwik}/share";
# define locations here instead of as the submodule option's default
# so that they can easily be extended with additional locations if required
# without needing to redefine the piwik ones.
# disadvantage: not shown as default in docs.
locations."/" = {
index = "index.php";
};
@ -208,7 +216,7 @@ in {
locations."= /piwik.js".extraConfig = ''
expires 1M;
'';
};
}];
};
};

142
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -19,6 +19,24 @@ let
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
recommendedProxyConfig = pkgs.writeText "nginx-recommended-proxy-headers.conf" ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Accept-Encoding "";
'';
upstreamConfig = toString (flip mapAttrsToList cfg.upstreams (name: upstream: ''
upstream ${name} {
${toString (flip mapAttrsToList upstream.servers (name: server: ''
server ${name} ${optionalString server.backup "backup"};
''))}
}
''));
configFile = pkgs.writeText "nginx.conf" ''
user ${cfg.user} ${cfg.group};
error_log stderr;
@ -41,6 +59,7 @@ let
${optionalString (cfg.resolver.addresses != []) ''
resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"};
''}
${upstreamConfig}
${optionalString (cfg.recommendedOptimisation) ''
# optimisation
@ -74,21 +93,19 @@ let
''}
${optionalString (cfg.recommendedProxySettings) ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Accept-Encoding "";
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_http_version 1.0;
include ${recommendedProxyConfig};
''}
# $connection_upgrade is used for websocket proxying
map $http_upgrade $connection_upgrade {
default upgrade;
''' close;
}
client_max_body_size ${cfg.clientMaxBodySize};
server_tokens ${if cfg.serverTokens then "on" else "off"};
@ -130,22 +147,23 @@ let
vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
let
ssl = with vhost; addSSL || onlySSL || enableSSL;
onlySSL = vhost.onlySSL || vhost.enableSSL;
hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL;
defaultListen = with vhost;
if listen != [] then listen
else if onlySSL || enableSSL then
singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
else singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
++ optional addSSL { addr = "0.0.0.0"; port = 443; ssl = true; }
++ optional (enableIPv6 && addSSL) { addr = "[::]"; port = 443; ssl = true; };
defaultListen =
if vhost.listen != [] then vhost.listen
else ((optionals hasSSL (
singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
)) ++ optionals (!onlySSL) (
singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
));
hostListen =
if !vhost.forceSSL
then defaultListen
else filter (x: x.ssl) defaultListen;
if vhost.forceSSL
then filter (x: x.ssl) defaultListen
else defaultListen;
listenString = { addr, port, ssl, ... }:
"listen ${addr}:${toString port} "
@ -155,9 +173,6 @@ let
redirectListen = filter (x: !x.ssl) defaultListen;
redirectListenString = { addr, ... }:
"listen ${addr}:80 ${optionalString vhost.default "default_server"};";
acmeLocation = ''
location /.well-known/acme-challenge {
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
@ -175,7 +190,7 @@ let
in ''
${optionalString vhost.forceSSL ''
server {
${concatMapStringsSep "\n" redirectListenString redirectListen}
${concatMapStringsSep "\n" listenString redirectListen}
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString vhost.enableACME acmeLocation}
@ -191,9 +206,9 @@ let
${optionalString vhost.enableACME acmeLocation}
${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) ''
return 301 http${optionalString ssl "s"}://${vhost.globalRedirect}$request_uri;
return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
''}
${optionalString ssl ''
${optionalString hasSSL ''
ssl_certificate ${vhost.sslCertificate};
ssl_certificate_key ${vhost.sslCertificateKey};
''}
@ -208,12 +223,24 @@ let
) virtualHosts);
mkLocations = locations: concatStringsSep "\n" (mapAttrsToList (location: config: ''
location ${location} {
${optionalString (config.proxyPass != null) "proxy_pass ${config.proxyPass};"}
${optionalString (config.proxyPass != null && !cfg.proxyResolveWhileRunning)
"proxy_pass ${config.proxyPass};"
}
${optionalString (config.proxyPass != null && cfg.proxyResolveWhileRunning) ''
set $nix_proxy_target "${config.proxyPass}";
proxy_pass $nix_proxy_target;
''}
${optionalString config.proxyWebsockets ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
''}
${optionalString (config.index != null) "index ${config.index};"}
${optionalString (config.tryFiles != null) "try_files ${config.tryFiles};"}
${optionalString (config.root != null) "root ${config.root};"}
${optionalString (config.alias != null) "alias ${config.alias};"}
${config.extraConfig}
${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"}
}
'') locations);
mkBasicAuth = vhostName: authDef: let
@ -405,6 +432,16 @@ in
description = "Path to DH parameters file.";
};
proxyResolveWhileRunning = mkOption {
type = types.bool;
default = false;
description = ''
Resolves domains of proxyPass targets at runtime
and not only at start, you have to set
services.nginx.resolver, too.
'';
};
resolver = mkOption {
type = types.submodule {
options = {
@ -431,6 +468,35 @@ in
default = {};
};
upstreams = mkOption {
type = types.attrsOf (types.submodule {
options = {
servers = mkOption {
type = types.attrsOf (types.submodule {
options = {
backup = mkOption {
type = types.bool;
default = false;
description = ''
Marks the server as a backup server. It will be passed
requests when the primary servers are unavailable.
'';
};
};
});
description = ''
Defines the address and other parameters of the upstream servers.
'';
default = {};
};
};
});
description = ''
Defines a group of servers to use as proxy target.
'';
default = {};
};
virtualHosts = mkOption {
type = types.attrsOf (types.submodule (import ./vhost-options.nix {
inherit config lib;
@ -441,7 +507,6 @@ in
example = literalExample ''
{
"hydra.example.com" = {
addSSL = true;
forceSSL = true;
enableACME = true;
locations."/" = {
@ -478,18 +543,15 @@ in
}
{
assertion = all (conf: with conf; !(addSSL && (onlySSL || enableSSL))) (attrValues virtualHosts);
assertion = all (conf: with conf;
!(addSSL && (onlySSL || enableSSL)) &&
!(forceSSL && (onlySSL || enableSSL)) &&
!(addSSL && forceSSL)
) (attrValues virtualHosts);
message = ''
Options services.nginx.service.virtualHosts.<name>.addSSL and
services.nginx.virtualHosts.<name>.onlySSL are mutually esclusive
'';
}
{
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
message = ''
Option services.nginx.virtualHosts.<name>.forceSSL requires
services.nginx.virtualHosts.<name>.addSSL set to true.
Options services.nginx.service.virtualHosts.<name>.addSSL,
services.nginx.virtualHosts.<name>.onlySSL and services.nginx.virtualHosts.<name>.forceSSL
are mutually exclusive.
'';
}
];

12
nixos/modules/services/web-servers/nginx/location-options.nix
View File

@ -14,7 +14,17 @@ with lib;
default = null;
example = "http://www.example.org/";
description = ''
Adds proxy_pass directive.
Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
'';
};
proxyWebsockets = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether to supporty proxying websocket connections with HTTP/1.1.
'';
};

5
nixos/modules/services/web-servers/nginx/vhost-options.nix
View File

@ -96,8 +96,9 @@ with lib;
default = false;
description = ''
Whether to add a separate nginx server block that permanently redirects (301)
all plain HTTP traffic to HTTPS. This option needs <literal>addSSL</literal>
to be set to true.
all plain HTTP traffic to HTTPS. This will set defaults for
<literal>listen</literal> to listen on all interfaces on the respective default
ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
'';
};

3
nixos/modules/services/web-servers/phpfpm/default.nix
View File

@ -150,7 +150,8 @@ in {
PrivateDevices = true;
ProtectSystem = "full";
ProtectHome = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
Type = "notify";
ExecStart = "${cfg.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${phpIni}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";

1
nixos/modules/services/x11/desktop-managers/default.nix
View File

@ -20,6 +20,7 @@ in
imports = [
./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix
./mate.nix
];
options = {

3
nixos/modules/services/x11/desktop-managers/gnome3.nix
View File

@ -186,7 +186,8 @@ in {
networking.networkmanager.basePackages =
{ inherit (pkgs) networkmanager modemmanager wpa_supplicant;
inherit (gnome3) networkmanager_openvpn networkmanager_vpnc
networkmanager_openconnect networkmanager_fortisslvpn networkmanager_pptp
networkmanager_openconnect networkmanager_fortisslvpn
networkmanager_pptp networkmanager_iodine
networkmanager_l2tp; };
# Needed for themes and backgrounds

79
nixos/modules/services/x11/desktop-managers/mate.nix Normal file
View File

@ -0,0 +1,79 @@
{ config, lib, pkgs, ... }:
with lib;
let
# Remove packages of ys from xs, based on their names
removePackagesByName = xs: ys:
let
pkgName = drv: (builtins.parseDrvName drv.name).name;
ysNames = map pkgName ys;
in
filter (x: !(builtins.elem (pkgName x) ysNames)) xs;
xcfg = config.services.xserver;
cfg = xcfg.desktopManager.mate;
in
{
options = {
services.xserver.desktopManager.mate.enable = mkOption {
type = types.bool;
default = false;
description = "Enable the MATE desktop environment";
};
environment.mate.excludePackages = mkOption {
default = [];
example = literalExample "[ pkgs.mate.mate-terminal pkgs.mate.pluma ]";
type = types.listOf types.package;
description = "Which MATE packages to exclude from the default environment";
};
};
config = mkIf (xcfg.enable && cfg.enable) {
services.xserver.desktopManager.session = singleton {
name = "mate";
bgSupport = true;
start = ''
# Set GTK_DATA_PREFIX so that GTK+ can find the themes
export GTK_DATA_PREFIX=${config.system.path}
# Find theme engines
export GTK_PATH=${config.system.path}/lib/gtk-3.0:${config.system.path}/lib/gtk-2.0
export XDG_MENU_PREFIX=mate
# Find the mouse
export XCURSOR_PATH=~/.icons:${config.system.path}/share/icons
# Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/
${pkgs.xdg-user-dirs}/bin/xdg-user-dirs-update
${pkgs.mate.mate-session-manager}/bin/mate-session &
waitPID=$!
'';
};
environment.systemPackages =
pkgs.mate.basePackages ++
(removePackagesByName
pkgs.mate.extraPackages
config.environment.mate.excludePackages);
services.dbus.packages = [
pkgs.gnome3.dconf
pkgs.at_spi2_core
];
services.gnome3.gnome-keyring.enable = true;
environment.pathsToLink = [ "/share" ];
};
}

19
nixos/modules/services/x11/display-managers/gdm.nix
View File

@ -103,14 +103,29 @@ in
(filter (arg: arg != "-terminate") cfg.xserverArgs);
GDM_SESSIONS_DIR = "${cfg.session.desktops}";
# Find the mouse
XCURSOR_PATH = "~/.icons:${config.system.path}/share/icons";
XCURSOR_PATH = "~/.icons:${gnome3.adwaita-icon-theme}/share/icons";
};
execCmd = "exec ${gdm}/bin/gdm";
};
# Because sd_login_monitor_new requires /run/systemd/machines
systemd.services.display-manager.wants = [ "systemd-machined.service" ];
systemd.services.display-manager.after = [ "systemd-machined.service" ];
systemd.services.display-manager.after = [
"rc-local.service"
"systemd-machined.service"
"systemd-user-sessions.service"
"getty@tty1.service"
];
systemd.services.display-manager.conflicts = [ "getty@tty1.service" ];
systemd.services.display-manager.serviceConfig = {
# Restart = "always"; - already defined in xserver.nix
KillMode = "mixed";
IgnoreSIGPIPE = "no";
BusName = "org.gnome.DisplayManager";
StandardOutput = "syslog";
StandardError = "inherit";
};
systemd.services.display-manager.path = [ gnome3.gnome_session ];

9
nixos/modules/services/x11/display-managers/xpra.nix
View File

@ -34,6 +34,12 @@ in
};
pulseaudio = mkEnableOption "pulseaudio audio streaming.";
extraOptions = mkOption {
description = "Extra xpra options";
default = [];
type = types.listOf types.str;
};
};
};
@ -233,7 +239,8 @@ in
--socket-dirs=/var/run/xpra \
--xvfb="xpra_Xdummy ${concatStringsSep " " dmcfg.xserverArgs}" \
${optionalString (cfg.bindTcp != null) "--bind-tcp=${cfg.bindTcp}"} \
--auth=${cfg.auth}
--auth=${cfg.auth} \
${concatStringsSep " " cfg.extraOptions}
'';
};

2
nixos/modules/services/x11/hardware/synaptics.nix
View File

@ -29,7 +29,7 @@ in {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable touchpad support.";
description = "Whether to enable touchpad support. Deprecated: Consider services.xserver.libinput.enable.";
};
dev = mkOption {

60
nixos/modules/services/x11/window-managers/compiz.nix
View File

@ -1,60 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.xserver.windowManager.compiz;
xorg = config.services.xserver.package;
in
{
options = {
services.xserver.windowManager.compiz = {
enable = mkEnableOption "compiz";
renderingFlag = mkOption {
default = "";
example = "--indirect-rendering";
description = "Pass the <option>--indirect-rendering</option> flag to Compiz.";
};
};
};
config = mkIf cfg.enable {
services.xserver.windowManager.session = singleton
{ name = "compiz";
start =
''
# Start Compiz using the flat-file configuration backend
# (ccp).
export COMPIZ_PLUGINDIR=${config.system.path}/lib/compiz
export COMPIZ_METADATADIR=${config.system.path}/share/compiz
${pkgs.compiz}/bin/compiz ccp ${cfg.renderingFlag} &
# Start GTK-style window decorator.
${pkgs.compiz}/bin/gtk-window-decorator &
'';
};
environment.systemPackages =
[ pkgs.compiz
pkgs.compiz_ccsm
pkgs.compiz_plugins_main
pkgs.compiz_plugins_extra
pkgs.libcompizconfig # for the "ccp" plugin
];
environment.pathsToLink = [ "/lib/compiz" "/share/compiz" ];
};
}

1
nixos/modules/services/x11/window-managers/default.nix
View File

@ -11,7 +11,6 @@ in
./2bwm.nix
./afterstep.nix
./bspwm.nix
./compiz.nix
./dwm.nix
./exwm.nix
./fluxbox.nix

9
nixos/modules/system/activation/switch-to-configuration.pl
View File

@ -147,11 +147,16 @@ my $activePrev = getActiveUnits;
while (my ($unit, $state) = each %{$activePrev}) {
my $baseUnit = $unit;
# Recognise template instances.
$baseUnit = "$1\@.$2" if $unit =~ /^(.*)@[^\.]*\.(.*)$/;
my $prevUnitFile = "/etc/systemd/system/$baseUnit";
my $newUnitFile = "$out/etc/systemd/system/$baseUnit";
# Detect template instances.
if (!-e $prevUnitFile && !-e $newUnitFile && $unit =~ /^(.*)@[^\.]*\.(.*)$/) {
$baseUnit = "$1\@.$2";
$prevUnitFile = "/etc/systemd/system/$baseUnit";
$newUnitFile = "$out/etc/systemd/system/$baseUnit";
}
my $baseName = $baseUnit;
$baseName =~ s/\.[a-z]*$//;

4
nixos/modules/system/boot/loader/grub/install-grub.pl
View File

@ -121,8 +121,8 @@ sub GetFs {
my $device = $fields[$n + 1];
my @superOptions = split /,/, $fields[$n + 2];
# Skip the read-only bind-mount on /nix/store.
next if $mountPoint eq "/nix/store" && (grep { $_ eq "rw" } @superOptions) && (grep { $_ eq "ro" } @mountOptions);
# Skip the bind-mount on /nix/store.
next if $mountPoint eq "/nix/store" && (grep { $_ eq "rw" } @superOptions);
# Skip mount point generated by systemd-efi-boot-generator?
next if $fsType eq "autofs";

29
nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
View File

@ -12,6 +12,9 @@ import warnings
import ctypes
libc = ctypes.CDLL("libc.so.6")
import re
import datetime
import glob
import os.path
def copy_if_not_exists(source, dest):
if not os.path.exists(dest):
@ -24,7 +27,7 @@ def system_dir(profile, generation):
return "/nix/var/nix/profiles/system-%d-link" % (generation)
BOOT_ENTRY = """title NixOS{profile}
version Generation {generation}
version Generation {generation} {description}
linux {kernel}
initrd {initrd}
options {kernel_params}
@ -54,6 +57,26 @@ def copy_from_profile(profile, generation, name, dry_run=False):
copy_if_not_exists(store_file_path, "@efiSysMountPoint@%s" % (efi_file_path))
return efi_file_path
def describe_generation(generation_dir):
try:
with open("%s/nixos-version" % generation_dir) as f:
nixos_version = f.read()
except IOError:
nixos_version = "Unknown"
kernel_dir = os.path.dirname(os.path.realpath("%s/kernel" % generation_dir))
module_dir = glob.glob("%s/lib/modules/*" % kernel_dir)[0]
kernel_version = os.path.basename(module_dir)
build_time = int(os.path.getctime(generation_dir))
build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F')
description = "NixOS {}, Linux Kernel {}, Built on {}".format(
nixos_version, kernel_version, build_date
)
return description
def write_entry(profile, generation, machine_id):
kernel = copy_from_profile(profile, generation, "kernel")
initrd = copy_from_profile(profile, generation, "initrd")
@ -69,6 +92,7 @@ def write_entry(profile, generation, machine_id):
generation_dir = os.readlink(system_dir(profile, generation))
tmp_path = "%s.tmp" % (entry_file)
kernel_params = "systemConfig=%s init=%s/init " % (generation_dir, generation_dir)
with open("%s/kernel-params" % (generation_dir)) as params_file:
kernel_params = kernel_params + params_file.read()
with open(tmp_path, 'w') as f:
@ -76,7 +100,8 @@ def write_entry(profile, generation, machine_id):
generation=generation,
kernel=kernel,
initrd=initrd,
kernel_params=kernel_params))
kernel_params=kernel_params,
description=describe_generation(generation_dir)))
if machine_id is not None:
f.write("machine-id %s\n" % machine_id)
os.rename(tmp_path, entry_file)

3
nixos/modules/system/boot/stage-1-init.sh
View File

@ -221,6 +221,9 @@ checkFS() {
# Don't check resilient COWs as they validate the fs structures at mount time
if [ "$fsType" = btrfs -o "$fsType" = zfs ]; then return 0; fi
# Skip fsck for bcachefs - not implemented yet.
if [ "$fsType" = bcachefs ]; then return 0; fi
# Skip fsck for inherently readonly filesystems.
if [ "$fsType" = squashfs ]; then return 0; fi

2
nixos/modules/tasks/filesystems.nix
View File

@ -294,7 +294,7 @@ in
"/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
"/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
"/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
"/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
"/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "ptmxmode=0666" "gid=${toString config.ids.gids.tty}" ]; };
# To hold secrets that shouldn't be written to disk (generally used for NixOps, harmless elsewhere)
"/run/keys" = { fsType = "ramfs"; options = [ "nosuid" "nodev" "mode=750" "gid=${toString config.ids.gids.keys}" ]; };

26
nixos/modules/tasks/filesystems/bcachefs.nix Normal file
View File

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
with lib;
let
inInitrd = any (fs: fs == "bcachefs") config.boot.initrd.supportedFilesystems;
in
{
config = mkIf (any (fs: fs == "bcachefs") config.boot.supportedFilesystems) {
system.fsPackages = [ pkgs.bcachefs-tools ];
# use kernel package with bcachefs support until it's in mainline
boot.kernelPackages = pkgs.linuxPackages_testing_bcachefs;
boot.initrd.availableKernelModules = mkIf inInitrd [ "bcachefs" ];
boot.initrd.extraUtilsCommands = mkIf inInitrd
''
copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/fsck.bcachefs
'';
};
}

Some files were not shown because too many files have changed in this diff Show More