Merge remote-tracking branch 'upstream/master' into openssl-1.1

This commit is contained in:
Robin Gloster 2019-08-21 14:25:13 +02:00
commit f4fc845e5b
No known key found for this signature in database
GPG Key ID: D5C458DF6DD97EDF
1739 changed files with 138825 additions and 193125 deletions

View File

@ -312,7 +312,23 @@ hello latest de2bf4786de6 About a minute ago 25.2MB
Maximum number of layers to create.
</para>
<para>
<emphasis>Default:</emphasis> <literal>24</literal>
<emphasis>Default:</emphasis> <literal>100</literal>
</para>
<para>
<emphasis>Maximum:</emphasis> <literal>125</literal>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>extraCommands</varname> <emphasis>optional</emphasis>
</term>
<listitem>
<para>
Shell commands to run while building the final layer, without access
to most of the layer contents. Changes to this layer are "on top"
of all the other layers, so can create additional directories
and files.
</para>
</listitem>
</varlistentry>
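Review bot: the new `extraCommands` entry says the commands run "without access to most of the layer contents", which leaves the reader guessing which paths are and are not visible; state precisely what is present in the working directory when `extraCommands` runs, since people use this hook to chmod or symlink into earlier layers. Now that a Maximum of 125 is documented next to the new default of 100, also say what happens when `maxLayers` exceeds 125 (evaluation error or silent clamp) so users do not discover it at build time.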

View File

@ -185,10 +185,9 @@ with import <nixpkgs> {};
androidenv.emulateApp {
name = "emulate-MyAndroidApp";
platformVersion = "24";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
systemImageType = "default";
useGoogleAPIs = false;
platformVersion = "28";
abiVersion = "x86_64"; # armeabi-v7a, mips, x86
systemImageType = "google_apis_playstore";
}
```
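Review bot: the first example drops `useGoogleAPIs = false;` while the second example a few lines below still passes it, so the two examples now disagree on whether that argument is still accepted by `androidenv.emulateApp`; either remove it from both or keep it in both and say when it is needed. The switch to `systemImageType = "google_apis_playstore";` also deserves one sentence on what that image provides compared with `"default"`, since the only comment on these lines lists ABI alternatives.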
@ -201,7 +200,7 @@ with import <nixpkgs> {};
androidenv.emulateApp {
name = "emulate-MyAndroidApp";
platformVersion = "24";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
abiVersion = "armeabi-v7a"; # mips, x86, x86_64
systemImageType = "default";
useGoogleAPIs = false;
app = ./MyApp.apk;

View File

@ -124,3 +124,21 @@ in another file (say `default.nix`) to be able to build it with
```
$ nix-build -A yaml
```
## Passing options to `idris` commands
The `build-idris-package` function provides also optional input values to set additional options for the used `idris` commands.
Specifically, you can set `idrisBuildOptions`, `idrisTestOptions`, `idrisInstallOptions` and `idrisDocOptions` to provide additional options to the `idris` command respectively when building, testing, installing and generating docs for your package.
For example you could set
```
build-idris-package {
idrisBuildOptions = [ "--log" "1" "--verbose" ]
...
}
```
to require verbose output during `idris` build phase.
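Review bot: the example `idrisBuildOptions = [ "--log" "1" "--verbose" ]` is missing the terminating semicolon, so it is not valid Nix as written; it should read `idrisBuildOptions = [ "--log" "1" "--verbose" ];`. The sentence "provides also optional input values" reads better as "also provides optional arguments", and "to require verbose output during `idris` build phase" should be "during the `idris` build phase".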

View File

@ -75,7 +75,8 @@ foo = import ../path/to/foo.nix {
It adds the contents of the <envar>PERL5LIB</envar> environment variable
to <literal>#! .../bin/perl</literal> line of Perl scripts as
<literal>-I<replaceable>dir</replaceable></literal> flags. This ensures
that a script can find its dependencies.
that a script can find its dependencies. (This can cause this shebang line
to become too long for Darwin to handle; see the note below.)
</para>
</listitem>
<listitem>
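Review bot: the added parenthetical "This can cause this shebang line to become too long for Darwin to handle" would help more if it named the symptom the reader will see (the script failing to execute with a shebang-length error) rather than "too long to handle"; the note below says only "it will not run", so neither place tells the user which failure to recognise.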
@ -137,6 +138,36 @@ ClassC3Componentised = buildPerlPackage rec {
</programlisting>
</para>
<para>
On Darwin, if a script has too many
<literal>-I<replaceable>dir</replaceable></literal> flags in its first line
(its “shebang line”), it will not run. This can be worked around by calling
the <literal>shortenPerlShebang</literal> function from the
<literal>postInstall</literal> phase:
<programlisting>
{ stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:
ImageExifTool = buildPerlPackage {
pname = "Image-ExifTool";
version = "11.50";
src = fetchurl {
url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
};
buildInputs = stdenv.lib.optional stdenv.isDarwin shortenPerlShebang;
postInstall = stdenv.lib.optional stdenv.isDarwin ''
shortenPerlShebang $out/bin/exiftool
'';
};
</programlisting>
This will remove the <literal>-I</literal> flags from the shebang line,
rewrite them in the <literal>use lib</literal> form, and put them on the next
line instead. This function can be given any number of Perl scripts as
arguments; it will modify them in-place.
</para>
<section xml:id="ssec-generation-from-CPAN">
<title>Generation from CPAN</title>
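Review bot: in the ImageExifTool example, `buildInputs = stdenv.lib.optional stdenv.isDarwin shortenPerlShebang;` places a build-time tool in `buildInputs`; since `shortenPerlShebang` runs on the build machine during `postInstall` it belongs in `nativeBuildInputs`, which also matters for cross builds. `postInstall = stdenv.lib.optional stdenv.isDarwin ''...''` yields a one-element list rather than a string; `stdenv.lib.optionalString stdenv.isDarwin ''...''` is the idiomatic form and does not rely on list-to-string coercion in the derivation attributes.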

View File

@ -113,6 +113,15 @@ mkDerivation {
</programlisting>
</para>
<note>
<para>
<literal>wrapQtAppsHook</literal> ignores files that are non-ELF executables.
This means that scripts won't be automatically wrapped so you'll need to manually
wrap them as previously mentioned. An example of when you'd always need to do this
is with Python applications that use PyQT.
</para>
</note>
<para>
Libraries are built with every available version of Qt. Use the <literal>meta.broken</literal>
attribute to disable the package for unsupported Qt versions:
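Review bot: the new note tells the reader to wrap scripts manually "as previously mentioned" without saying where; a `<note>` should stand on its own, so reference the wrapping instructions directly or restate the one-line wrapping command. "PyQT" should be spelled "PyQt".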

View File

@ -21,7 +21,7 @@ At the moment we support three different methods for managing plugins:
Adding custom .vimrc lines can be done using the following code:
```
```nix
vim_configurable.customize {
# `name` specifies the name of the executable and package
name = "vim-with-plugins";
@ -32,11 +32,11 @@ vim_configurable.customize {
}
```
This configuration is used when vim is invoked with the command specified as name, in this case `vim-with-plugins`.
This configuration is used when Vim is invoked with the command specified as name, in this case `vim-with-plugins`.
For Neovim the `configure` argument can be overridden to achieve the same:
```
```nix
neovim.override {
configure = {
customRC = ''
@ -46,10 +46,10 @@ neovim.override {
}
```
If you want to use `neovim-qt` as a graphical editor, you can configure it by overriding neovim in an overlay
or passing it an overridden neovimn:
If you want to use `neovim-qt` as a graphical editor, you can configure it by overriding Neovim in an overlay
or passing it an overridden Neovimn:
```
```nix
neovim-qt.override {
neovim = neovim.override {
configure = {
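Review bot: "Neovimn" at the end of the second changed line is a typo that survived the capitalization pass; it should read "Neovim". The line is being edited anyway, so fix the typo in the same change rather than leaving it for another pass.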
@ -63,16 +63,16 @@ neovim-qt.override {
## Managing plugins with Vim packages
To store you plugins in Vim packages (the native vim plugin manager, see `:help packages`) the following example can be used:
To store you plugins in Vim packages (the native Vim plugin manager, see `:help packages`) the following example can be used:
```
```nix
vim_configurable.customize {
vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
start = [ youcompleteme fugitive ];
# manually loadable by calling `:packadd $plugin-name`
# however, if a vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
# however, if a Vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
opt = [ phpCompletion elm-vim ];
# To automatically load a plugin when opening a filetype, add vimrc lines like:
# autocmd FileType php :packadd phpCompletion
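Review bot: "To store you plugins in Vim packages" should be "To store your plugins in Vim packages"; the line is already being rewritten for the Vim capitalization, so fold the typo fix in here.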
@ -83,7 +83,7 @@ vim_configurable.customize {
`myVimPackage` is an arbitrary name for the generated package. You can choose any name you like.
For Neovim the syntax is:
```
```nix
neovim.override {
configure = {
customRC = ''
@ -92,7 +92,7 @@ neovim.override {
packages.myVimPackage = with pkgs.vimPlugins; {
# see examples below how to use custom packages
start = [ ];
# If a vim plugin has a dependency that is not explicitly listed in
# If a Vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
opt = [ ];
};
@ -102,7 +102,7 @@ neovim.override {
The resulting package can be added to `packageOverrides` in `~/.nixpkgs/config.nix` to make it installable:
```
```nix
{
packageOverrides = pkgs: with pkgs; {
myVim = vim_configurable.customize {
@ -126,7 +126,7 @@ After that you can install your special grafted `myVim` or `myNeovim` packages.
To use [vim-plug](https://github.com/junegunn/vim-plug) to manage your Vim
plugins the following example can be used:
```
```nix
vim_configurable.customize {
vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
# loaded on launch
@ -137,7 +137,7 @@ vim_configurable.customize {
For Neovim the syntax is:
```
```nix
neovim.override {
configure = {
customRC = ''
@ -161,89 +161,112 @@ assuming that "using latest version" is ok most of the time.
First create a vim-scripts file having one plugin name per line. Example:
"tlib"
{'name': 'vim-addon-sql'}
{'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
```
"tlib"
{'name': 'vim-addon-sql'}
{'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
```
Such vim-scripts file can be read by VAM as well like this:
call vam#Scripts(expand('~/.vim-scripts'), {})
```vim
call vam#Scripts(expand('~/.vim-scripts'), {})
```
Create a default.nix file:
{ nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
```nix
{ nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
```
Create a generate.vim file:
ActivateAddons vim-addon-vim2nix
let vim_scripts = "vim-scripts"
call nix#ExportPluginsForNix({
\ 'path_to_nixpkgs': eval('{"'.substitute(substitute(substitute($NIX_PATH, ':', ',', 'g'), '=',':', 'g'), '\([:,]\)', '"\1"',"g").'"}')["nixpkgs"],
\ 'cache_file': '/tmp/vim2nix-cache',
\ 'try_catch': 0,
\ 'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
\ })
```vim
ActivateAddons vim-addon-vim2nix
let vim_scripts = "vim-scripts"
call nix#ExportPluginsForNix({
\ 'path_to_nixpkgs': eval('{"'.substitute(substitute(substitute($NIX_PATH, ':', ',', 'g'), '=',':', 'g'), '\([:,]\)', '"\1"',"g").'"}')["nixpkgs"],
\ 'cache_file': '/tmp/vim2nix-cache',
\ 'try_catch': 0,
\ 'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
\ })
```
Then run
nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
```bash
nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
```
You should get a Vim buffer with the nix derivations (output1) and vam.pluginDictionaries (output2).
You can add your vim to your system's configuration file like this and start it by "vim-my":
You can add your Vim to your system's configuration file like this and start it by "vim-my":
my-vim =
let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
copy paste output1 here
}; in vim_configurable.customize {
name = "vim-my";
```
my-vim =
let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
copy paste output1 here
}; in vim_configurable.customize {
name = "vim-my";
vimrcConfig.vam.knownPlugins = plugins; # optional
vimrcConfig.vam.pluginDictionaries = [
copy paste output2 here
];
# Pathogen would be
# vimrcConfig.pathogen.knownPlugins = plugins; # plugins
# vimrcConfig.pathogen.pluginNames = ["tlib"];
};
vimrcConfig.vam.knownPlugins = plugins; # optional
vimrcConfig.vam.pluginDictionaries = [
copy paste output2 here
];
# Pathogen would be
# vimrcConfig.pathogen.knownPlugins = plugins; # plugins
# vimrcConfig.pathogen.pluginNames = ["tlib"];
};
```
Sample output1:
"reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
name = "reload";
src = fetchgit {
url = "git://github.com/xolox/vim-reload";
rev = "0a601a668727f5b675cb1ddc19f6861f3f7ab9e1";
sha256 = "0vb832l9yxj919f5hfg6qj6bn9ni57gnjd3bj7zpq7d4iv2s4wdh";
};
dependencies = ["nim-misc"];
```
"reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
name = "reload";
src = fetchgit {
url = "git://github.com/xolox/vim-reload";
rev = "0a601a668727f5b675cb1ddc19f6861f3f7ab9e1";
sha256 = "0vb832l9yxj919f5hfg6qj6bn9ni57gnjd3bj7zpq7d4iv2s4wdh";
};
dependencies = ["nim-misc"];
};
[...]
};
[...]
```
Sample output2:
[
''vim-addon-manager''
''tlib''
{ "name" = ''vim-addon-sql''; }
{ "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
]
```nix
[
''vim-addon-manager''
''tlib''
{ "name" = ''vim-addon-sql''; }
{ "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
]
```
## Adding new plugins to nixpkgs
In `pkgs/misc/vim-plugins/vim-plugin-names` we store the plugin names
for all vim plugins we automatically generate plugins for.
The format of this file `github username/github repository`:
For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
After adding your plugin to this file run the `./update.py` in the same folder.
This will updated a file called `generated.nix` and make your plugin accessible in the
`vimPlugins` attribute set (`vimPlugins.nerdtree` in our example).
If additional steps to the build process of the plugin are required, add an
override to the `pkgs/misc/vim-plugins/default.nix` in the same directory.
Nix expressions for Vim plugins are stored in [pkgs/misc/vim-plugins](/pkgs/misc/vim-plugins). For the vast majority of plugins, Nix expressions are automatically generated by running [`./update.py`](/pkgs/misc/vim-plugins/update.py). This creates a [generated.nix](/pkgs/misc/vim-plugins/generated.nix) file based on the plugins listed in [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names). Plugins are listed in alphabetical order in `vim-plugin-names` using the format `[github username]/[repository]`. For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
Some plugins require overrides in order to function properly. Overrides are placed in [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix). Overrides are most often required when a plugin requires some dependencies, or extra steps are required during the build process. For example `deoplete-fish` requires both `deoplete-nvim` and `vim-fish`, and so the following override was added:
```
deoplete-fish = super.deoplete-fish.overrideAttrs(old: {
dependencies = with super; [ deoplete-nvim vim-fish ];
});
```
Sometimes plugins require an override that must be changed when the plugin is updated. This can cause issues when Vim plugins are auto-updated but the associated override isn't updated. For these plugins, the override should be written so that it specifies all information required to install the plugin, and running `./update.py` doesn't change the derivation for the plugin. Manually updating the override is required to update these types of plugins. An example of such a plugin is `LanguageClient-neovim`.
To add a new plugin:
1. run `./update.py` and create a commit named "vimPlugins: Update",
2. add the new plugin to [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names) and add overrides if required to [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix),
3. run `./update.py` again and create a commit named "vimPlugins.[name]: init at [version]" (where `name` and `version` can be found in [generated.nix](/pkgs/misc/vim-plugins/generated.nix)), and
4. create a pull request.
## Important repositories
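Review bot: sample output1 shows vim2nix emitting `url = "git://github.com/xolox/vim-reload";`, which is an unauthenticated, unencrypted transport. The fixed-output `sha256` still pins what ends up in the store, but the pinned hash was computed from whatever that first unauthenticated fetch returned, so the generated expressions should use the https URL and the sample should reflect that. In generate.vim, `'cache_file': '/tmp/vim2nix-cache'` is a predictable path in a world-writable directory that another local user can pre-create or replace; point it under the user's home or cache directory instead. The default.nix snippet also takes a `compiler ? "ghc7102"` argument that nothing uses and can be dropped. Finally, since step 1 of "To add a new plugin" tells a contributor to run `./update.py` first, which re-pins every listed plugin to its latest revision, the text should ask them to review the resulting diff of `generated.nix` (revisions and hashes) rather than commit it unseen, because that "vimPlugins: Update" commit is what fixes all plugin sources for everyone.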
@ -252,4 +275,3 @@ override to the `pkgs/misc/vim-plugins/default.nix` in the same directory.
- [vim2nix](https://github.com/MarcWeber/vim-addon-vim2nix) which generates the
.nix code

View File

@ -210,8 +210,12 @@
</listitem>
<listitem>
<para>
Optionally commit the new package and open a pull request, or send a patch
to <literal>https://groups.google.com/forum/#!forum/nix-devel</literal>.
Optionally commit the new package and open a pull request <link
xlink:href="https://github.com/NixOS/nixpkgs/pulls">to nixpkgs</link>, or
use <link
xlink:href="https://discourse.nixos.org/t/about-the-patches-category/477">
the Patches category</link> on Discourse for sending a patch without a
GitHub account.
</para>
</listitem>
</orderedlist>

View File

@ -1599,6 +1599,16 @@ installTargets = "install-bin install-doc";</programlisting>
<variablelist>
<title>Variables controlling the fixup phase</title>
<varlistentry>
<term>
<varname>dontFixup</varname>
</term>
<listitem>
<para>
Set to true to skip the fixup phase.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>dontStrip</varname>
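Review bot: `dontFixup` disables the entire fixup phase, so the entry should say what is lost beyond what the per-hook variables that follow in this list (`dontStrip` being the first) control: binaries are no longer stripped and none of the other fixup hooks run either. "Set to true to skip the fixup phase" is accurate but gives the reader no way to judge the consequences of setting it.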

View File

@ -71,7 +71,7 @@ let
zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil
recursiveUpdate matchAttrs overrideExisting getOutput getBin
getLib getDev chooseDevOutputs zipWithNames zip;
inherit (lists) singleton foldr fold foldl foldl' imap0 imap1
inherit (lists) singleton forEach foldr fold foldl foldl' imap0 imap1
concatMap flatten remove findSingle findFirst any all count
optional optionals toList range partition zipListsWith zipLists
reverseList listDfs toposort sort naturalSort compareLists take

View File

@ -21,6 +21,19 @@ rec {
*/
singleton = x: [x];
/* Apply the function to each element in the list. Same as `map`, but arguments
flipped.
Type: forEach :: [a] -> (a -> b) -> [b]
Example:
forEach [ 1 2 ] (x:
toString x
)
=> [ "1" "2" ]
*/
forEach = xs: f: map f xs;
/* right fold a binary function `op` between successive elements of
`list` with `nul' as the starting value, i.e.,
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.

View File

@ -71,6 +71,15 @@ checkConfigError 'The option value .* in .* is not of type.*positive integer.*'
checkConfigOutput "42" config.value ./declare-int-between-value.nix ./define-value-int-positive.nix
checkConfigError 'The option value .* in .* is not of type.*between.*-21 and 43.*inclusive.*' config.value ./declare-int-between-value.nix ./define-value-int-negative.nix
# Check either types
# types.either
checkConfigOutput "42" config.value ./declare-either.nix ./define-value-int-positive.nix
checkConfigOutput "\"24\"" config.value ./declare-either.nix ./define-value-string.nix
# types.oneOf
checkConfigOutput "42" config.value ./declare-oneOf.nix ./define-value-int-positive.nix
checkConfigOutput "[ ]" config.value ./declare-oneOf.nix ./define-value-list.nix
checkConfigOutput "\"24\"" config.value ./declare-oneOf.nix ./define-value-string.nix
# Check mkForce without submodules.
set -- config.enable ./declare-enable.nix ./define-enable.nix
checkConfigOutput "true" "$@"
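Review bot: the new `types.oneOf` cases only cover values that match one of the listed types; add a `checkConfigError` case with a definition that matches none of them (a boolean against `oneOf [ int (listOf int) str ]`, for instance) so the combined error message produced by the nested `either` is exercised, in the same way the positive-integer and between cases above check the failure path. A case with a single-element list would also pin down the `head'` path of the implementation.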

View File

@ -0,0 +1,5 @@
{ lib, ... }: {
options.value = lib.mkOption {
type = lib.types.either lib.types.int lib.types.str;
};
}

View File

@ -0,0 +1,9 @@
{ lib, ... }: {
options.value = lib.mkOption {
type = lib.types.oneOf [
lib.types.int
(lib.types.listOf lib.types.int)
lib.types.str
];
};
}

View File

@ -443,6 +443,13 @@ rec {
functor = (defaultFunctor name) // { wrapped = [ t1 t2 ]; };
};
# Any of the types in the given list
oneOf = ts:
let
head' = if ts == [] then throw "types.oneOf needs to get at least one type in its argument" else head ts;
tail' = tail ts;
in foldl' either head' tail';
# Either value of type `finalType` or `coercedType`, the latter is
# converted to `finalType` using `coerceFunc`.
coercedTo = coercedType: coerceFunc: finalType:
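Review bot: because `oneOf` is a left fold of `either`, the resulting type's `functor.wrapped` (see the `wrapped = [ t1 t2 ]` line in the context above) records nested pairs rather than the original list, and its description is the nested "a or b or c" string; a comment saying so, and that multiple definitions cannot be merged (as the manual entry for `types.oneOf` in this same commit states), would save the next reader from reverse-engineering the fold.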

File diff suppressed because it is too large

View File

@ -5,55 +5,6 @@ with pkgs;
let
lib = pkgs.lib;
# Remove invisible and internal options.
optionsListVisible = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
# Replace functions by the string <function>
substFunction = x:
if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
else if builtins.isList x then map substFunction x
else if lib.isFunction x then "<function>"
else x;
# Generate DocBook documentation for a list of packages. This is
# what `relatedPackages` option of `mkOption` from
# ../../../lib/options.nix influences.
#
# Each element of `relatedPackages` can be either
# - a string: that will be interpreted as an attribute name from `pkgs`,
# - a list: that will be interpreted as an attribute path from `pkgs`,
# - an attrset: that can specify `name`, `path`, `package`, `comment`
# (either of `name`, `path` is required, the rest are optional).
genRelatedPackages = packages:
let
unpack = p: if lib.isString p then { name = p; }
else if lib.isList p then { path = p; }
else p;
describe = args:
let
title = args.title or null;
name = args.name or (lib.concatStringsSep "." args.path);
path = args.path or [ args.name ];
package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs);
in "<listitem>"
+ "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>"
+ lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>"
+ ": ${package.meta.description or "???"}.</para>"
+ lib.optionalString (args ? comment) "\n<para>${args.comment}</para>"
# Lots of `longDescription's break DocBook, so we just wrap them into <programlisting>
+ lib.optionalString (package.meta ? longDescription) "\n<programlisting>${package.meta.longDescription}</programlisting>"
+ "</listitem>";
in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>";
optionsListDesc = lib.flip map optionsListVisible (opt: opt // {
# Clean up declaration sites to not refer to the NixOS source tree.
declarations = map stripAnyPrefixes opt.declarations;
}
// lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
// lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
// lib.optionalAttrs (opt ? type) { type = substFunction opt.type; }
// lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; });
# We need to strip references to /nix/store/* from options,
# including any `extraSources` if some modules came from elsewhere,
# or else the build will fail.
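Review bot: the removed block handled three things that the replacement `nixosOptionsDoc` call only partly covers, as far as this hunk shows: filtering invisible and internal options, `substFunction` (replacing functions in `example`, `default` and `type` with `<function>` so they serialize), and `genRelatedPackages` for the `relatedPackages` option attribute. The new `transformOptions` at the end of this file only strips declaration prefixes, so confirm in the commit that `nixosOptionsDoc` performs the other three; otherwise the manual silently loses related-package listings and option examples containing functions would fail to serialize.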
@ -63,37 +14,13 @@ let
prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) prefixesToStrip;
# Custom "less" that pushes up all the things ending in ".enable*"
# and ".package*"
optionLess = a: b:
let
ise = lib.hasPrefix "enable";
isp = lib.hasPrefix "package";
cmp = lib.splitByAndCompare ise lib.compare
(lib.splitByAndCompare isp lib.compare lib.compare);
in lib.compareLists cmp a.loc b.loc < 0;
# Customly sort option list for the man page.
optionsList = lib.sort optionLess optionsListDesc;
# Convert the list of options into an XML file.
optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
optionsDocBook = runCommand "options-db.xml" {} ''
optionsXML=${optionsXML}
if grep /nixpkgs/nixos/modules $optionsXML; then
echo "The manual appears to depend on the location of Nixpkgs, which is bad"
echo "since this prevents sharing via the NixOS channel. This is typically"
echo "caused by an option default that refers to a relative path (see above"
echo "for hints about the offending path)."
exit 1
fi
${buildPackages.libxslt.bin}/bin/xsltproc \
--stringparam revision '${revision}' \
-o intermediate.xml ${./options-to-docbook.xsl} $optionsXML
${buildPackages.libxslt.bin}/bin/xsltproc \
-o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml
'';
optionsDoc = buildPackages.nixosOptionsDoc {
inherit options revision;
transformOptions = opt: opt // {
# Clean up declaration sites to not refer to the NixOS source tree.
declarations = map stripAnyPrefixes opt.declarations;
};
};
sources = lib.sourceFilesBySuffices ./. [".xml"];
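Review bot: the deleted `optionsDocBook` derivation contained a guard (`if grep /nixpkgs/nixos/modules $optionsXML; then ... exit 1`) that fails the manual build when an option default leaks the nixpkgs source location into the documentation, plus the custom `optionLess` sort that moves `.enable*` and `.package*` options to the top of each group. Neither is visible in the replacement; if `nixosOptionsDoc` does not reproduce the grep check, the channel-sharing regression it was protecting against can come back without any build failure, so either keep the check here or point to where it now lives.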
@ -108,7 +35,7 @@ let
generatedSources = runCommand "generated-docbook" {} ''
mkdir $out
ln -s ${modulesDoc} $out/modules.xml
ln -s ${optionsDocBook} $out/options-db.xml
ln -s ${optionsDoc.optionsDocBook} $out/options-db.xml
printf "%s" "${version}" > $out/version
'';
@ -234,22 +161,7 @@ let
in rec {
inherit generatedSources;
# The NixOS options in JSON format.
optionsJSON = runCommand "options-json"
{ meta.description = "List of NixOS options in JSON format";
}
''
# Export list of options in different format.
dst=$out/share/doc/nixos
mkdir -p $dst
cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
(builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList))))
} $dst/options.json
mkdir -p $out/nix-support
echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
''; # */
inherit (optionsDoc) optionsJSON optionsXML optionsDocBook;
# Generate the NixOS manual.
manualHTML = runCommand "nixos-manual-html"

View File

@ -346,6 +346,18 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.oneOf</varname> [ <replaceable>t1</replaceable> <replaceable>t2</replaceable> ... ]
</term>
<listitem>
<para>
Type <replaceable>t1</replaceable> or type <replaceable>t2</replaceable> and so forth,
e.g. <literal>with types; oneOf [ int str bool ]</literal>. Multiple definitions
cannot be merged.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>types.coercedTo</varname> <replaceable>from</replaceable> <replaceable>f</replaceable> <replaceable>to</replaceable>

View File

@ -98,6 +98,16 @@
<literal>stableBranch</literal> set to false.
</para>
</listitem>
<listitem>
<para>
Remove attributes that we know we will not be able to support,
especially if there is a stable alternative. E.g. Check that our
Linux kernels'
<link xlink:href="https://www.kernel.org/category/releases.html">
projected end-of-life</link> are after our release projected
end-of-life
</para>
</listitem>
<listitem>
<para>
Edit changelog at

View File

@ -14,6 +14,13 @@
to build the new configuration, make it the default configuration for
booting, and try to realise the configuration in the running system (e.g., by
restarting system services).
<warning>
<para>
This command doesn't start/stop <link linkend="opt-systemd.user.services">user
services</link> automatically. <command>nixos-rebuild</command> only runs a
<literal>daemon-reload</literal> for each user with running user services.
</para>
</warning>
</para>
<warning>
<para>

View File

@ -29,13 +29,14 @@
</para>
<para>
You are logged-in automatically as <literal>root</literal>. (The
<literal>root</literal> user account has an empty password.)
You are logged-in automatically as <literal>nixos</literal>.
The <literal>nixos</literal> user account has an empty password so you
can use <command>sudo</command> without a password.
</para>
<para>
If you downloaded the graphical ISO image, you can run <command>systemctl
start display-manager</command> to start KDE. If you want to continue on the
start display-manager</command> to start the desktop environment. If you want to continue on the
terminal, you can use <command>loadkeys</command> to switch to your
preferred keyboard layout. (We even provide neo2 via <command>loadkeys de
neo</command>!)
@ -65,9 +66,9 @@
<para>
If you would like to continue the installation from a different machine you
need to activate the SSH daemon via <literal>systemctl start
sshd</literal>. In order to be able to login you also need to set a
password for <literal>root</literal> using <literal>passwd</literal>.
need to activate the SSH daemon via <command>systemctl start
sshd</command>. You then must set a password for either <literal>root</literal> or
<literal>nixos</literal> with <command>passwd></command> to be able to login.
</para>
</section>
</section>
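Review bot: `<command>passwd></command>` has a stray `>` inside the command, so the rendered text will show "passwd>"; it should be `<command>passwd</command>`. Since the live system now runs as `nixos` with passwordless `sudo` (see the earlier hunk), setting a password on `nixos` for SSH login hands the remote party root-equivalent access; a sentence telling the reader to pick a strong one-off password while `sshd` is up during installation would be appropriate here.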
@ -334,7 +335,7 @@
If youre using the graphical ISO image, other editors may be available
(such as <command>vim</command>). If you have network access, you can also
install other editors — for instance, you can install Emacs by running
<literal>nix-env -i emacs</literal>.
<literal>nix-env -f '&lt;nixpkgs&gt;' -iA emacs</literal>.
</para>
<variablelist>
<varlistentry>
@ -466,10 +467,10 @@ Retype new UNIX password: ***</screen>
<para>
You may also want to install some software. For instance,
<screen>
<prompt>$ </prompt>nix-env -qa \*</screen>
<prompt>$ </prompt>nix-env -qaP \*</screen>
shows what packages are available, and
<screen>
<prompt>$ </prompt>nix-env -i w3m</screen>
<prompt>$ </prompt>nix-env -f '&lt;nixpkgs&gt;' -iA w3m</screen>
install the <literal>w3m</literal> browser.
</para>
</listitem>

View File

@ -34,6 +34,12 @@
</arg>
<replaceable>shell-command</replaceable>
</arg>
<arg>
<arg choice='plain'>
<option>--silent</option>
</arg>
</arg>
<arg>
<arg choice='plain'>
@ -100,6 +106,16 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--silent</option>
</term>
<listitem>
<para>
Suppresses all output from the activation script of the target system.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--</option>
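Review bot: "Suppresses all output from the activation script of the target system" should say whether failures are still reported; an administrator using `--silent` in automation needs to know that a non-zero exit of the activation script still surfaces, and whether "all output" includes stderr.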

View File

@ -90,6 +90,35 @@
<arg>
<option>--show-trace</option>
</arg>
<arg>
<option>-I</option>
<replaceable>path</replaceable>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--verbose</option></arg>
<arg choice='plain'><option>-v</option></arg>
</group>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--max-jobs</option></arg>
<arg choice='plain'><option>-j</option></arg>
</group>
<replaceable>number</replaceable>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--keep-failed</option></arg>
<arg choice='plain'><option>-K</option></arg>
</group>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--keep-going</option></arg>
<arg choice='plain'><option>-k</option></arg>
</group>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
@ -101,7 +130,8 @@
NixOS module, you must run <command>nixos-rebuild</command> to make the
changes take effect. It builds the new system in
<filename>/nix/store</filename>, runs its activation script, and stop and
(re)starts any system services if needed.
(re)starts any system services if needed. Please note that user services need
to be started manually as they aren't detected by the activation script at the moment.
</para>
<para>
This command has one required argument, which specifies the desired
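Review bot: the synopsis now advertises `-I path`, `--verbose`/`-v`, `--max-jobs`/`-j`, `--keep-failed`/`-K` and `--keep-going`/`-k`, but this part of the diff adds no matching `<varlistentry>` descriptions; make sure each one is documented in the Options section (in particular that they are forwarded to the underlying `nix-build`) so the synopsis and the option list stay in step. In the description paragraph, "stop and (re)starts" should be "stops and (re)starts", and "aren't detected by the activation script at the moment" restates the warning added to the nixos-rebuild chapter in this same commit; one of the two could reference the other.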

View File

@ -6,7 +6,7 @@
<author><personname><firstname>Eelco</firstname><surname>Dolstra</surname></personname>
<contrib>Author</contrib>
</author>
<copyright><year>2007-2018</year><holder>Eelco Dolstra</holder>
<copyright><year>2007-2019</year><holder>Eelco Dolstra</holder>
</copyright>
</info>
<xi:include href="man-configuration.xml" />

View File

@ -33,6 +33,21 @@
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
</para>
</listitem>
<listitem>
<para>
The binfmt module is now easier to use. Additional systems can
be added through <option>boot.binfmt.emulatedSystems</option>.
For instance, <literal>boot.binfmt.emulatedSystems = [
"wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal> will
set up binfmt interpreters for each of those listed systems.
</para>
</listitem>
<listitem>
<para>
The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root.
To gain root privileges use <literal>sudo -i</literal> without a password.
</para>
</listitem>
</itemizedlist>
</section>
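Review bot: the installer item should state that the `nixos` account and its passwordless `sudo -i` apply to the live installation medium only and not to the installed system, otherwise readers may expect (or fear) a passwordless-sudo user after `nixos-install`; the installation chapter changes in this same commit make that distinction only implicitly, and the release note is where people will look for it.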
@ -47,6 +62,13 @@
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>./programs/dwm-status.nix</literal>
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
@ -225,6 +247,38 @@
Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
</para>
</listitem>
<listitem>
<para>
By default, prometheus exporters are now run with <literal>DynamicUser</literal> enabled.
Exporters that need a real user, now run under a seperate user and group which follow the pattern <literal>&lt;exporter-name&gt;-exporter</literal>, instead of the previous default <literal>nobody</literal> and <literal>nogroup</literal>.
Only some exporters are affected by the latter, namely the exporters <literal>dovecot</literal>, <literal>node</literal>, <literal>postfix</literal> and <literal>varnish</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>ibus-qt</literal> package is not installed by default anymore when <xref linkend="opt-i18n.inputMethod.enabled" /> is set to <literal>ibus</literal>.
If IBus support in Qt 4.x applications is required, add the <literal>ibus-qt</literal> package to your <xref linkend="opt-environment.systemPackages" /> manually.
</para>
</listitem>
<listitem>
<para>
The CUPS Printing service now uses socket-based activation by
default, only starting when needed. The previous behavior can
be restored by setting
<option>services.cups.startWhenNeeded</option> to
<literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
</itemizedlist>
</section>
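Review bot: typo in the prometheus entry, "seperate" should be "separate". The sentence also reads better without the comma after "user": "Exporters that need a real user now run under a separate user and group that follow the pattern `<exporter-name>-exporter`".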
@ -386,6 +440,67 @@
installer after creating <literal>/var/lib/nextcloud</literal>.
</para>
</listitem>
<listitem>
<para>
There exists now <literal>lib.forEach</literal>, which is like <literal>map</literal>, but with
arguments flipped. When mapping function body spans many lines (or has nested
<literal>map</literal>s), it is often hard to follow which list is modified.
</para>
<para>
Previous solution to this problem was either to use <literal>lib.flip map</literal>
idiom or extract that anonymous mapping function to a named one. Both can still be used
but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
</para>
<para>
The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
<link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
<literal>/etc/sysctl.d/60-nixos.conf</literal>, as
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
two-digit number and a dash to simplify the ordering of the files.
</para>
</listitem>
<listitem>
<para>
We now install the sysctl snippets shipped with systemd.
<itemizedlist>
<para>This enables:</para>
<listitem>
<para>Loose reverse path filtering</para>
</listitem>
<listitem>
<para>Source route filtering</para>
</listitem>
<listitem>
<para>
<literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
</para>
</listitem>
</itemizedlist>
This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
(which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
</para>
</listitem>
<listitem>
<para>
Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
<literal>systemd-coredump</literal> behaviour can still be modified via
<option>systemd.coredump.extraConfig</option>.
To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
in the working directory), without piping it through <literal>systemd-coredump</literal>, set
<option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>systemd.packages</literal> option now also supports generators and
shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
been removed.
</para>
</listitem>
</itemizedlist>
</section>
</section>
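Review bot: the "This enables:" list is incomplete with respect to the rest of this commit: `sysctl.nix` drops the NixOS-set `fs.protected_hardlinks` and `fs.protected_symlinks`, which now come from systemd's `50-*.conf` snippet, so add an item for the hardlink/symlink restrictions, otherwise readers who grep for those keys will conclude the protection was removed. It is also worth saying that "loose" reverse path filtering (`rp_filter=2`) is weaker than the strict mode (`1`) the hardened profile sets, so hardened-profile users keep their setting via the `60-nixos.conf` override. Minor grammar in the `lib.forEach` entry: "When the mapping function's body spans many lines" and "The previous solution to this problem was".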

View File

@ -54,11 +54,11 @@ rec {
machinesNumbered = zipLists machines (range 1 254);
nodes_ = flip map machinesNumbered (m: nameValuePair m.fst
nodes_ = forEach machinesNumbered (m: nameValuePair m.fst
[ ( { config, nodes, ... }:
let
interfacesNumbered = zipLists config.virtualisation.vlans (range 1 255);
interfaces = flip map interfacesNumbered ({ fst, snd }:
interfaces = forEach interfacesNumbered ({ fst, snd }:
nameValuePair "eth${toString snd}" { ipv4.addresses =
[ { address = "192.168.${toString fst}.${toString m.snd}";
prefixLength = 24;
@ -67,7 +67,7 @@ rec {
in
{ key = "ip-address";
config =
{ networking.hostName = m.fst;
{ networking.hostName = mkDefault m.fst;
networking.interfaces = listToAttrs interfaces;
@ -88,7 +88,7 @@ rec {
"${config.networking.hostName}\n"));
virtualisation.qemu.options =
flip map interfacesNumbered
forEach interfacesNumbered
({ fst, snd }: qemuNICFlags snd fst m.snd);
};
}

View File

@ -0,0 +1,164 @@
/* Generate JSON, XML and DocBook documentation for given NixOS options.
Minimal example:
{ pkgs, }:
let
eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {
baseModules = [
../module.nix
];
modules = [];
};
in pkgs.nixosOptionsDoc {
options = eval.options;
}
*/
{ pkgs
, lib
, options
, transformOptions ? lib.id # function for additional tranformations of the options
, revision ? "" # Specify revision for the options
}:
let
# Replace functions by the string <function>
substFunction = x:
if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
else if builtins.isList x then map substFunction x
else if lib.isFunction x then "<function>"
else x;
optionsListDesc = lib.flip map optionsListVisible
(opt: transformOptions opt
// lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
// lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
// lib.optionalAttrs (opt ? type) { type = substFunction opt.type; }
// lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; }
);
# Generate DocBook documentation for a list of packages. This is
# what `relatedPackages` option of `mkOption` from
# ../../../lib/options.nix influences.
#
# Each element of `relatedPackages` can be either
# - a string: that will be interpreted as an attribute name from `pkgs`,
# - a list: that will be interpreted as an attribute path from `pkgs`,
# - an attrset: that can specify `name`, `path`, `package`, `comment`
# (either of `name`, `path` is required, the rest are optional).
genRelatedPackages = packages:
let
unpack = p: if lib.isString p then { name = p; }
else if lib.isList p then { path = p; }
else p;
describe = args:
let
title = args.title or null;
name = args.name or (lib.concatStringsSep "." args.path);
path = args.path or [ args.name ];
package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs);
in "<listitem>"
+ "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>"
+ lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>"
+ ": ${package.meta.description or "???"}.</para>"
+ lib.optionalString (args ? comment) "\n<para>${args.comment}</para>"
# Lots of `longDescription's break DocBook, so we just wrap them into <programlisting>
+ lib.optionalString (package.meta ? longDescription) "\n<programlisting>${package.meta.longDescription}</programlisting>"
+ "</listitem>";
in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>";
# Custom "less" that pushes up all the things ending in ".enable*"
# and ".package*"
optionLess = a: b:
let
ise = lib.hasPrefix "enable";
isp = lib.hasPrefix "package";
cmp = lib.splitByAndCompare ise lib.compare
(lib.splitByAndCompare isp lib.compare lib.compare);
in lib.compareLists cmp a.loc b.loc < 0;
# Remove invisible and internal options.
optionsListVisible = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
# Customly sort option list for the man page.
optionsList = lib.sort optionLess optionsListDesc;
# Convert the list of options into an XML file.
optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList);
# TODO: declarations: link to github
singleAsciiDoc = name: value: ''
== ${name}
${value.description}
[discrete]
=== details
Type:: ${value.type}
${ if lib.hasAttr "default" value
then ''
Default::
+
----
${builtins.toJSON value.default}
----
''
else "No Default:: {blank}"
}
${ if value.readOnly
then "Read Only:: {blank}"
else ""
}
${ if lib.hasAttr "example" value
then ''
Example::
+
----
${builtins.toJSON value.example}
----
''
else "No Example:: {blank}"
}
'';
in rec {
inherit optionsNix;
optionsAsciiDoc = lib.concatStringsSep "\n" (lib.mapAttrsToList singleAsciiDoc optionsNix);
optionsJSON = pkgs.runCommand "options.json"
{ meta.description = "List of NixOS options in JSON format";
}
''
# Export list of options in different format.
dst=$out/share/doc/nixos
mkdir -p $dst
cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
mkdir -p $out/nix-support
echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
''; # */
optionsDocBook = pkgs.runCommand "options-docbook.xml" {} ''
optionsXML=${optionsXML}
if grep /nixpkgs/nixos/modules $optionsXML; then
echo "The manual appears to depend on the location of Nixpkgs, which is bad"
echo "since this prevents sharing via the NixOS channel. This is typically"
echo "caused by an option default that refers to a relative path (see above"
echo "for hints about the offending path)."
exit 1
fi
${pkgs.libxslt.bin}/bin/xsltproc \
--stringparam revision '${revision}' \
-o intermediate.xml ${./options-to-docbook.xsl} $optionsXML
${pkgs.libxslt.bin}/bin/xsltproc \
-o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml
'';
}
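Review bot: `genRelatedPackages` (the `describe` function) splices `package.meta.name`, `package.meta.description`, `args.comment` and `package.meta.longDescription` into DocBook without XML escaping, so a `<` or `&` in any of them produces malformed `options-docbook.xml`; wrapping `longDescription` in `<programlisting>` does not help, because that element still requires well-formed content. Run the strings through an escaping helper (replace `&`, `<`, `>`) before concatenation, or emit them as CDATA. Separately, the nixpkgs-location check (`if grep /nixpkgs/nixos/modules $optionsXML`) only covers the XML; `options.json` is built from the same `optionsNix` through `builtins.unsafeDiscardStringContext`, so a relative-path default would ship in the JSON product with its store-path context silently stripped, and the same grep should run over `$dst/options.json`. Also "tranformations" in the `transformOptions` comment, and the stray `# */` after `optionsJSON`.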

View File

@ -102,7 +102,7 @@ let
# builtins multiply by 4 the memory usage and the time used to compute
# each options.
tryCollectOptions = moduleResult:
flip map (excludeOptions (collect isOption moduleResult)) (opt:
forEach (excludeOptions (collect isOption moduleResult)) (opt:
{ name = showOption opt.loc; } // builtins.tryEval (strict opt.value));
in
keepNames (

View File

@ -9,6 +9,8 @@ let
timezone = types.nullOr (types.addCheck types.str nospace)
// { description = "null or string without spaces"; };
lcfg = config.location;
in
{
@ -37,12 +39,45 @@ in
};
};
location = {
latitude = mkOption {
type = types.float;
description = ''
Your current latitude, between
<literal>-90.0</literal> and <literal>90.0</literal>. Must be provided
along with longitude.
'';
};
longitude = mkOption {
type = types.float;
description = ''
Your current longitude, between
between <literal>-180.0</literal> and <literal>180.0</literal>. Must be
provided along with latitude.
'';
};
provider = mkOption {
type = types.enum [ "manual" "geoclue2" ];
default = "manual";
description = ''
The location provider to use for determining your location. If set to
<literal>manual</literal> you must also provide latitude/longitude.
'';
};
};
};
config = {
environment.sessionVariables.TZDIR = "/etc/zoneinfo";
services.geoclue2.enable = mkIf (lcfg.provider == "geoclue2") true;
# This way services are restarted when tzdata changes.
systemd.globalEnvironment.TZDIR = tzdir;
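Review bot: `latitude` and `longitude` document a valid range but `types.float` does not enforce it, and "Must be provided along with longitude/latitude" is not checked either; this file already uses `types.addCheck` for `timezone`, so do the same here, e.g. `type = types.addCheck types.float (x: x >= -90.0 && x <= 90.0);`, and add an `assertions` entry that both are set when `provider == "manual"`. Also "between between" is duplicated in the longitude description.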

View File

@ -0,0 +1,102 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.qt5;
isQGnome = cfg.platformTheme == "gnome" && cfg.style == "adwaita";
isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita";
packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
else if isQtStyle then [ pkgs.qtstyleplugins ]
else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
in
{
options = {
qt5 = {
enable = mkEnableOption "Qt5 theming configuration";
platformTheme = mkOption {
type = types.enum [
"gtk2"
"gnome"
];
example = "gnome";
relatedPackages = [
"qgnomeplatform"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the platform theme to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>gtk</literal></term>
<listitem><para>Use GTK theme with
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>gnome</literal></term>
<listitem><para>Use GNOME theme with
<link xlink:href="https://github.com/FedoraQt/QGnomePlatform">qgnomeplatform</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
style = mkOption {
type = types.enum [
"adwaita"
"cleanlooks"
"gtk2"
"motif"
"plastique"
];
example = "adwaita";
relatedPackages = [
"adwaita-qt"
["libsForQt5" "qtstyleplugins"]
];
description = ''
Selects the style to use for Qt5 applications.</para>
<para>The options are
<variablelist>
<varlistentry>
<term><literal>adwaita</literal></term>
<listitem><para>Use Adwaita Qt style with
<link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>cleanlooks</literal></term>
<term><literal>gtk2</literal></term>
<term><literal>motif</literal></term>
<term><literal>plastique</literal></term>
<listitem><para>Use styles from
<link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
</para></listitem>
</varlistentry>
</variablelist>
'';
};
};
};
config = mkIf cfg.enable {
environment.variables.QT_QPA_PLATFORMTHEME = cfg.platformTheme;
environment.variables.QT_STYLE_OVERRIDE = cfg.style;
environment.systemPackages = packages;
};
}
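Review bot: the `platformTheme` documentation lists `<term><literal>gtk</literal></term>` but the enum value is `gtk2`, so the docs describe a value that fails type-checking. `packages` also reports an unsupported `platformTheme`/`style` combination with a bare `throw`; the module system's `assertions` list would surface it through the usual "Failed assertions" path instead of a raw evaluation error, e.g. `assertions = [ { assertion = isQGnome || isQtStyle; message = "qt5.platformTheme and qt5.style are not compatible"; } ];`. Neither option has a `default`, so `qt5.enable = true` on its own fails evaluation; either give both a default or say in the descriptions that both must be set.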

View File

@ -42,22 +42,16 @@ in
config = {
environment.etc."sysctl.d/nixos.conf".text =
environment.etc."sysctl.d/60-nixos.conf".text =
concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl =
{ wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
};
# Enable hardlink and symlink restrictions. See
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
# for details.
boot.kernel.sysctl."fs.protected_hardlinks" = true;
boot.kernel.sysctl."fs.protected_symlinks" = true;
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = 1;
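Review bot: dropping `fs.protected_hardlinks` and `fs.protected_symlinks` here makes the hardlink/symlink restrictions depend entirely on systemd's `50-*.conf` snippet being installed (see the release notes in this commit); if that snippet is ever made optional or filtered, the protection silently disappears. Either keep these two lines (they are harmless duplicates of the snippet) or add a test that asserts the values are active after boot. The rename to `60-nixos.conf` is correct for precedence: it sorts after `50-*`, so `boot.kernel.sysctl` still wins.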

View File

@ -564,7 +564,10 @@ in {
};
}) (filterAttrs (_: u: u.packages != []) cfg.users));
environment.profiles = [ "/etc/profiles/per-user/$USER" ];
environment.profiles = [
"$HOME/.nix-profile"
"/etc/profiles/per-user/$USER"
];
assertions = [
{ assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);

View File

@ -0,0 +1,56 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.deviceTree;
in {
options = {
hardware.deviceTree = {
enable = mkOption {
default = pkgs.stdenv.hostPlatform.platform.kernelDTB or false;
type = types.bool;
description = ''
Build device tree files. These are used to describe the
non-discoverable hardware of a system.
'';
};
base = mkOption {
default = "${config.boot.kernelPackages.kernel}/dtbs";
defaultText = "\${config.boot.kernelPackages.kernel}/dtbs";
example = literalExample "pkgs.deviceTree_rpi";
type = types.path;
description = ''
The package containing the base device-tree (.dtb) to boot. Contains
device trees bundled with the Linux kernel by default.
'';
};
overlays = mkOption {
default = [];
example = literalExample
"[\"\${pkgs.deviceTree_rpi.overlays}/w1-gpio.dtbo\"]";
type = types.listOf types.path;
description = ''
A path containing device tree overlays (.dtbo) to be applied to all
base device-trees.
'';
};
package = mkOption {
default = null;
type = types.nullOr types.path;
internal = true;
description = ''
A path containing the result of applying `overlays` to `base`.
'';
};
};
};
config = mkIf (cfg.enable) {
hardware.deviceTree.package = if (cfg.overlays != [])
then pkgs.deviceTree.applyOverlays cfg.base cfg.overlays else cfg.base;
};
}
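Review bot: the `overlays` description ("A path containing device tree overlays") does not match the type `types.listOf types.path` or the example, which is a list of individual `.dtbo` files; reword to "List of device tree overlay files (.dtbo) to apply to every base device tree". `base` is declared `types.path` but defaults to a derivation output; that works because derivations coerce to their store path, but `types.package` would express the intent better.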

View File

@ -55,7 +55,7 @@ in
# Without dconf enabled it is impossible to use IBus
environment.systemPackages = with pkgs; [
ibus-qt gnome3.dconf ibusAutostart
gnome3.dconf ibusAutostart
];
environment.variables = {

View File

@ -8,16 +8,30 @@ with lib;
{
imports = [ ./installation-cd-base.nix ];
# Whitelist wheel users to do anything
# This is useful for things like pkexec
#
# WARNING: this is dangerous for systems
# outside the installation-cd and shouldn't
# be used anywhere else.
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
});
'';
services.xserver = {
enable = true;
# Don't start the X server by default.
autorun = mkForce false;
# Automatically login as root.
# Automatically login as nixos.
displayManager.slim = {
enable = true;
defaultUser = "root";
defaultUser = "nixos";
autoLogin = true;
};
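Review bot: the polkit rule returns `polkit.Result.YES` for every action to any `wheel` member, and the WARNING comment is the only guard against reuse; since this commit also puts the passwordless `nixos` user in `wheel`, the rule is root-equivalent for everything polkit mediates. Consider narrowing it to the action prefixes the live session actually needs, e.g. `if (subject.isInGroup("wheel") && action.id.indexOf("org.freedesktop.login1.") == 0)`, and cross-reference it from the release note on the `nixos` user so the scope of the installer's privileges is documented in one place.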
@ -33,7 +47,6 @@ with lib;
# Enable sound in graphical iso's.
hardware.pulseaudio.enable = true;
hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root.
environment.systemPackages = [
# Include gparted for partitioning disks.

View File

@ -1,5 +1,5 @@
# This module defines a NixOS installation CD that contains X11 and
# Plasma5.
# Plasma 5.
{ config, lib, pkgs, ... }:
@ -30,15 +30,20 @@ with lib;
Version=1.0
Type=Application
Name=NixOS Manual
Exec=firefox ${config.system.build.manual.manualHTMLIndex}
Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html
Icon=text-html
'';
homeDir = "/home/nixos/";
desktopDir = homeDir + "Desktop/";
in ''
mkdir -p /root/Desktop
ln -sfT ${manualDesktopFile} /root/Desktop/nixos-manual.desktop
ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
mkdir -p ${desktopDir}
chown nixos ${homeDir} ${desktopDir}
ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"}
ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"}
ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"}
'';
}
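Review bot: `chown nixos ${homeDir} ${desktopDir}` changes only the owner, so both directories keep the group of the creating process (root); use `chown nixos:users` (or whatever primary group `isNormalUser` assigns) so the home directory's group matches what `users-groups.nix` would have created. The `.desktop` symlinks themselves stay root-owned, which is harmless since their targets are read-only store paths.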

View File

@ -73,8 +73,8 @@ in
firmwareSize = mkOption {
type = types.int;
# As of 2019-05-31 the Raspberry pi firmware + u-bot takes ~13MiB
default = 20;
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 30;
description = ''
Size of the /boot/firmware partition, in megabytes.
'';

View File

@ -16,7 +16,8 @@ fi
mountPoint=/mnt
system=/nix/var/nix/profiles/system
command=($system/sw/bin/bash "--login")
command=("$system/sw/bin/bash" "--login")
silent=0
while [ "$#" -gt 0 ]; do
i="$1"; shift 1
@ -32,9 +33,12 @@ while [ "$#" -gt 0 ]; do
exit 1
;;
--command|-c)
command=($system/sw/bin/bash "-c" "$1")
command=("$system/sw/bin/bash" "-c" "$1")
shift 1
;;
--silent)
silent=1
;;
--)
command=("$@")
break
@ -51,11 +55,20 @@ if [[ ! -e $mountPoint/etc/NIXOS ]]; then
exit 126
fi
mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/sys"
mkdir -p "$mountPoint/dev" "$mountPoint/sys"
chmod 0755 "$mountPoint/dev" "$mountPoint/sys"
mount --rbind /dev "$mountPoint/dev"
mount --rbind /sys "$mountPoint/sys"
# If silent, write both stdout and stderr of activation script to /dev/null
# otherwise, write both streams to stderr of this process
if [ "$silent" -eq 0 ]; then
PIPE_TARGET="/dev/stderr"
else
PIPE_TARGET="/dev/null"
fi
# Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings.
LOCALE_ARCHIVE=$system/sw/lib/locale/locale-archive chroot "$mountPoint" "$system/activate" >&2 || true
LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" chroot "$mountPoint" "$system/activate" >>$PIPE_TARGET 2>&1 || true
exec chroot "$mountPoint" "${command[@]}"
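Review bot: `>>$PIPE_TARGET 2>&1` reopens `/dev/stderr` as a new file description instead of duplicating fd 2; that fails when stderr is a socket or `/dev/stderr` is not reachable (some sandboxes and `sudo` setups), and the unquoted `$PIPE_TARGET` is inconsistent with the quoting this hunk adds elsewhere. Duplicate the descriptor instead: `if [ "$silent" -eq 0 ]; then exec 3>&2; else exec 3>/dev/null; fi` and then run the activation script with `>&3 2>&3 || true`. Also, `chmod 0755` now runs on pre-existing `$mountPoint/dev` and `$mountPoint/sys`, whereas `mkdir -m 0755 -p` only affected newly created directories; that is probably intended, but deserves a comment.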

View File

@ -607,90 +607,7 @@ EOF
}
write_file($fn, <<EOF);
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
$bootLoaderConfig
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password\@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# \$ nix search wget
# environment.systemPackages = with pkgs; [
# wget vim
# ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
# services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
}
@configuration@
EOF
} else {
print STDERR "warning: not overwriting existing $fn\n";

View File

@ -38,7 +38,7 @@ let
src = ./nixos-generate-config.pl;
path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ];
perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/${pkgs.perl.libPrefix}";
inherit (config.system.nixos) release;
inherit (config.system.nixos-generate-config) configuration;
};
nixos-option = makeProg {
@ -61,8 +61,111 @@ in
{
options.system.nixos-generate-config.configuration = mkOption {
internal = true;
type = types.str;
description = ''
The NixOS module that <literal>nixos-generate-config</literal>
saves to <literal>/etc/nixos/configuration.nix</literal>.
This is an internal option. No backward compatibility is guaranteed.
Use at your own risk!
Note that this string gets spliced into a Perl script. The perl
variable <literal>$bootLoaderConfig</literal> can be used to
splice in the boot loader configuration.
'';
};
config = {
system.nixos-generate-config.configuration = mkDefault ''
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
$bootLoaderConfig
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password\@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "us";
# defaultLocale = "en_US.UTF-8";
# };
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# \$ nix search wget
# environment.systemPackages = with pkgs; [
# wget vim
# ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# sound.enable = true;
# hardware.pulseaudio.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
# services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# };
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "${config.system.nixos.release}"; # Did you read the comment?
}
'';
environment.systemPackages =
[ nixos-build-vms
nixos-install
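Review bot: the description of `system.nixos-generate-config.configuration` warns that the string is spliced into a Perl script and mentions `$bootLoaderConfig`, but the target is an interpolating `<<EOF` heredoc in `nixos-generate-config.pl`, so a literal `@` (an e-mail address in a comment, say) or `$` in a user-supplied value is interpolated by Perl rather than copied literally. Document that `$` and `@` must be escaped as `\$` and `\@` (the default already does this for `\$ nix search wget` and `user:password\@proxy`), or better, switch the script to a non-interpolating `<<'EOF'` heredoc and substitute `$bootLoaderConfig` explicitly.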

View File

@ -58,7 +58,6 @@ in
"crashkernel=${crashdump.reservedMemory}"
"nmi_watchdog=panic"
"softlockup_panic=1"
"idle=poll"
];
kernelPatches = [ {
name = "crashdump-config";

View File

@ -19,7 +19,7 @@ let
lhs = optCall lhs_ { inherit pkgs; };
rhs = optCall rhs_ { inherit pkgs; };
in
lhs // rhs //
recursiveUpdate lhs rhs //
optionalAttrs (lhs ? packageOverrides) {
packageOverrides = pkgs:
optCall lhs.packageOverrides pkgs //
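Review bot: switching from `lhs // rhs` to `recursiveUpdate lhs rhs` changes semantics only for attribute-set values, which are now merged key by key; list-valued settings such as `permittedInsecurePackages` are still replaced wholesale by the right-hand side. Worth a comment here and a release-note entry, since a user who sets the same nested key in two places now gets a merge instead of an override.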

View File

@ -20,12 +20,14 @@
./config/iproute2.nix
./config/krb5/default.nix
./config/ldap.nix
./config/locale.nix
./config/malloc.nix
./config/networking.nix
./config/no-x-libs.nix
./config/nsswitch.nix
./config/power-management.nix
./config/pulseaudio.nix
./config/qt5.nix
./config/resolvconf.nix
./config/shells-environment.nix
./config/swap.nix
@ -33,7 +35,6 @@
./config/system-environment.nix
./config/system-path.nix
./config/terminfo.nix
./config/timezone.nix
./config/unix-odbc-drivers.nix
./config/users-groups.nix
./config/vpnc.nix
@ -46,6 +47,7 @@
./hardware/cpu/amd-microcode.nix
./hardware/cpu/intel-microcode.nix
./hardware/digitalbitbox.nix
./hardware/device-tree.nix
./hardware/sensor/iio.nix
./hardware/ksm.nix
./hardware/ledger.nix
@ -106,9 +108,15 @@
./programs/digitalbitbox/default.nix
./programs/dmrconfig.nix
./programs/environment.nix
./programs/evince.nix
./programs/file-roller.nix
./programs/firejail.nix
./programs/fish.nix
./programs/freetds.nix
./programs/fuse.nix
./programs/gnome-disks.nix
./programs/gnome-documents.nix
./programs/gpaste.nix
./programs/gnupg.nix
./programs/gphoto2.nix
./programs/iftop.nix
@ -209,6 +217,7 @@
./services/backup/duplicity.nix
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/postgresql-wal-receiver.nix
./services/backup/restic.nix
./services/backup/restic-rest-server.nix
./services/backup/rsnapshot.nix
@ -277,15 +286,12 @@
./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix
./services/desktops/gsignond.nix
./services/desktops/gvfs.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
./services/desktops/gnome3/evince.nix
./services/desktops/gnome3/evolution-data-server.nix
./services/desktops/gnome3/file-roller.nix
./services/desktops/gnome3/glib-networking.nix
./services/desktops/gnome3/gnome-disks.nix
./services/desktops/gnome3/gnome-documents.nix
./services/desktops/gnome3/gnome-keyring.nix
./services/desktops/gnome3/gnome-online-accounts.nix
./services/desktops/gnome3/gnome-remote-desktop.nix
@ -293,8 +299,6 @@
./services/desktops/gnome3/gnome-settings-daemon.nix
./services/desktops/gnome3/gnome-terminal-server.nix
./services/desktops/gnome3/gnome-user-share.nix
./services/desktops/gnome3/gpaste.nix
./services/desktops/gnome3/gvfs.nix
./services/desktops/gnome3/rygel.nix
./services/desktops/gnome3/seahorse.nix
./services/desktops/gnome3/sushi.nix
@ -402,6 +406,7 @@
./services/misc/couchpotato.nix
./services/misc/devmon.nix
./services/misc/dictd.nix
./services/misc/dwm-status.nix
./services/misc/dysnomia.nix
./services/misc/disnix.nix
./services/misc/docker-registry.nix
@ -432,13 +437,13 @@
./services/misc/logkeys.nix
./services/misc/leaps.nix
./services/misc/lidarr.nix
./services/misc/mantisbt.nix
./services/misc/mathics.nix
./services/misc/matrix-synapse.nix
./services/misc/mbpfan.nix
./services/misc/mediatomb.nix
./services/misc/mesos-master.nix
./services/misc/mesos-slave.nix
./services/misc/metabase.nix
./services/misc/mwlib.nix
./services/misc/nix-daemon.nix
./services/misc/nix-gc.nix
@ -516,7 +521,6 @@
./services/monitoring/scollector.nix
./services/monitoring/smartd.nix
./services/monitoring/sysstat.nix
./services/monitoring/systemhealth.nix
./services/monitoring/teamviewer.nix
./services/monitoring/telegraf.nix
./services/monitoring/thanos.nix
@ -818,6 +822,7 @@
./services/web-servers/varnish/default.nix
./services/web-servers/zope2.nix
./services/x11/extra-layouts.nix
./services/x11/clight.nix
./services/x11/colord.nix
./services/x11/compton.nix
./services/x11/unclutter.nix
@ -857,7 +862,6 @@
./system/activation/activation-script.nix
./system/activation/top-level.nix
./system/boot/binfmt.nix
./system/boot/coredump.nix
./system/boot/emergency-mode.nix
./system/boot/grow-partition.nix
./system/boot/initrd-network.nix

View File

@ -14,8 +14,6 @@ with lib;
nix.allowedUsers = mkDefault [ "@users" ];
environment.memoryAllocator.provider = mkDefault "graphene-hardened";
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
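Review bot: dropping `environment.memoryAllocator.provider = mkDefault "graphene-hardened"` silently weakens the hardened profile (heap allocations fall back to the default malloc); the hunk gives no rationale and the release notes in this commit do not mention it. Add a comment explaining why, and a release-note entry telling hardened-profile users to set the option explicitly if they want to keep the hardened allocator.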
@ -44,6 +42,9 @@ with lib;
# Disable legacy virtual syscalls
"vsyscall=none"
# Enable page allocator randomization
"page_alloc.shuffle=1"
];
boot.blacklistedKernelModules = [
@ -92,23 +93,17 @@ with lib;
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
# Enable reverse path filtering (that is, do not attempt to route packets
# that "obviously" do not belong to the iface's network; dropped packets are
# logged as martians).
# Enable strict reverse path filtering (that is, do not attempt to route
# packets that "obviously" do not belong to the iface's network; dropped
# packets are logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
# Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
# Ignore route information from sender
boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
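Review bot: changing `rp_filter` from `mkDefault true` to `mkDefault "1"` is a no-op for the rendered value (`sysctl.nix` turns `true` into `1`), but it is the right change now that systemd's snippet sets loose mode (`2`): the explicit string makes the strict/loose distinction visible. The removed `net.ipv6.conf.*.accept_source_route` entries, however, are not covered by systemd's `50-default.conf`, which only disables IPv4 source routing; keep the two IPv6 lines here unless relying on the kernel default is intended, and say so in a comment.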
@ -121,4 +116,7 @@ with lib;
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
# Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
}
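Review bot: `vm.unprivileged_userfaultfd` exists only from Linux 5.2; on older kernels systemd-sysctl logs a failure for this key and the restriction is simply absent. Limiting userfaultfd to processes with CAP_SYS_PTRACE is a sound default for the hardened profile, since the syscall is rarely needed outside VM and checkpoint/restore tooling, but the comment should state the kernel requirement so the gap on older kernels is not a surprise.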

View File

@ -32,19 +32,35 @@ with lib;
#services.rogue.enable = true;
# Disable some other stuff we don't need.
security.sudo.enable = mkDefault false;
services.udisks2.enable = mkDefault false;
# Use less privileged nixos user
users.users.nixos = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "video" ];
# Allow the graphical user to login without password
initialHashedPassword = "";
};
# Allow the user to log in as root without a password.
users.users.root.initialHashedPassword = "";
# Allow passwordless sudo from nixos user
security.sudo = {
enable = mkDefault true;
wheelNeedsPassword = mkForce false;
};
# Automatically log in at the virtual consoles.
services.mingetty.autologinUser = "root";
services.mingetty.autologinUser = "nixos";
# Some more help text.
services.mingetty.helpLine =
''
The "root" account has an empty password. ${
The "nixos" and "root" account have empty passwords. ${
optionalString config.services.xserver.enable
"Type `systemctl start display-manager' to\nstart the graphical user interface."}
"Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
'';
# Allow sshd to be started manually through "systemctl start sshd".
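Review bot: `wheelNeedsPassword = mkForce false;` cannot be overridden by images built on top of this profile; `mkDefault false` (consistent with `enable = mkDefault true;` just above it) keeps passwordless sudo for the installer while letting a hardened derivative re-enable the prompt. Note also that `users.users.root.initialHashedPassword = "";` is kept, so root remains directly loggable with an empty password in addition to the new `nixos` user; if that is intended for the console only, the help text should say so. Minor: the new help line reads "account have empty passwords", which should be "accounts have empty passwords".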
@ -86,8 +102,5 @@ with lib;
# because we have the firewall enabled. This makes installs from the
# console less cumbersome if the machine has a public IP.
networking.firewall.logRefusedConnections = mkDefault false;
# Allow the user to log in as root without a password.
users.users.root.initialHashedPassword = "";
};
}

View File

@ -34,11 +34,11 @@ in
services.dbus.packages = [ pkgs.gnome3.dconf ];
environment.variables.GIO_EXTRA_MODULES = optional cfg.enable
"${pkgs.gnome3.dconf.lib}/lib/gio/modules";
# https://github.com/NixOS/nixpkgs/pull/31891
#environment.variables.XDG_DATA_DIRS = optional cfg.enable
# "$(echo ${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)";
# For dconf executable
environment.systemPackages = [ pkgs.gnome3.dconf ];
# Needed for unwrapped applications
environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ];
};
}
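Review bot: `environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ ... ]` is gated on `cfg.enable` while the neighbouring `environment.systemPackages = [ pkgs.gnome3.dconf ];` and `services.dbus.packages = [ pkgs.gnome3.dconf ];` are not. If these lines already sit inside a `mkIf cfg.enable` block, the inner `mkIf` is redundant and can go; if they do not, installing dconf and its D-Bus service unconditionally is the surprising behaviour and all three should be gated the same way.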

View File

@ -23,9 +23,8 @@ in
XCURSOR_PATH = [ "$HOME/.icons" ];
};
environment.profiles =
[ "$HOME/.nix-profile"
"/nix/var/nix/profiles/default"
environment.profiles = mkAfter
[ "/nix/var/nix/profiles/default"
"/run/current-system/sw"
];
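Review bot: this hunk drops `"$HOME/.nix-profile"` from `environment.profiles` and wraps the remaining entries in `mkAfter`, but nothing in the hunk shows where the per-user profile is now added. If it moved to another module, a one-line comment here pointing at it would stop readers (and future bisects) from concluding that user profiles were removed from PATH; if the drop is deliberate, the commit message should say so.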

View File

@ -6,14 +6,21 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "evince" "enable" ]
[ "programs" "evince" "enable" ])
];
###### interface
options = {
services.gnome3.evince = {
programs.evince = {
enable = mkEnableOption
"systemd and dbus services for Evince, the GNOME document viewer";
"Evince, the GNOME document viewer";
};
@ -22,7 +29,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.evince.enable {
config = mkIf config.programs.evince.enable {
environment.systemPackages = [ pkgs.evince ];

View File

@ -6,11 +6,18 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "file-roller" "enable" ]
[ "programs" "file-roller" "enable" ])
];
###### interface
options = {
services.gnome3.file-roller = {
programs.file-roller = {
enable = mkEnableOption "File Roller, an archive manager for GNOME";
@ -21,7 +28,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.file-roller.enable {
config = mkIf config.programs.file-roller.enable {
environment.systemPackages = [ pkgs.gnome3.file-roller ];

View File

@ -0,0 +1,37 @@
{ config, lib, ... }:
with lib;
let
cfg = config.programs.fuse;
in {
meta.maintainers = with maintainers; [ primeos ];
options.programs.fuse = {
mountMax = mkOption {
# In the C code it's an "int" (i.e. signed and at least 16 bit), but
# negative numbers obviously make no sense:
type = types.ints.between 0 32767; # 2^15 - 1
default = 1000;
description = ''
Set the maximum number of FUSE mounts allowed to non-root users.
'';
};
userAllowOther = mkOption {
type = types.bool;
default = false;
description = ''
Allow non-root users to specify the allow_other or allow_root mount
options, see mount.fuse3(8).
'';
};
};
config = {
environment.etc."fuse.conf".text = ''
${optionalString (!cfg.userAllowOther) "#"}user_allow_other
mount_max = ${toString cfg.mountMax}
'';
};
}
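Review bot: the `userAllowOther` description should spell out the trust-boundary change: with `user_allow_other` present in `/etc/fuse.conf`, an unprivileged user can mount a filesystem that other users, including root, will traverse, which is why it defaults to off. A sentence such as "Enabling this lets any local user expose a FUSE filesystem to all other users; leave it disabled unless required" would make the default self-explanatory. The `${optionalString (!cfg.userAllowOther) "#"}user_allow_other` trick works but is easy to misread; emitting the line only when enabled (`optionalString cfg.userAllowOther "user_allow_other"`) reads more clearly.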

View File

@ -1,4 +1,4 @@
# GNOME Disks daemon.
# GNOME Disks.
{ config, pkgs, lib, ... }:
@ -6,17 +6,24 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gnome-disks" "enable" ]
[ "programs" "gnome-disks" "enable" ])
];
###### interface
options = {
services.gnome3.gnome-disks = {
programs.gnome-disks = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GNOME Disks daemon, a service designed to
Whether to enable GNOME Disks daemon, a program designed to
be a UDisks2 graphical front-end.
'';
};
@ -28,7 +35,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.gnome-disks.enable {
config = mkIf config.programs.gnome-disks.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-disk-utility ];

View File

@ -1,4 +1,4 @@
# GNOME Documents daemon.
# GNOME Documents.
{ config, pkgs, lib, ... }:
@ -6,17 +6,24 @@ with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gnome-documents" "enable" ]
[ "programs" "gnome-documents" "enable" ])
];
###### interface
options = {
services.gnome3.gnome-documents = {
programs.gnome-documents = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GNOME Documents services, a document
Whether to enable GNOME Documents, a document
manager application for GNOME.
'';
};
@ -28,7 +35,7 @@ with lib;
###### implementation
config = mkIf config.services.gnome3.gnome-documents.enable {
config = mkIf config.programs.gnome-documents.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-documents ];

View File

@ -1,12 +1,20 @@
# GPaste daemon.
# GPaste.
{ config, lib, pkgs, ... }:
with lib;
{
# Added 2019-08-09
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gpaste" "enable" ]
[ "programs" "gpaste" "enable" ])
];
###### interface
options = {
services.gnome3.gpaste = {
programs.gpaste = {
enable = mkOption {
type = types.bool;
default = false;
@ -18,10 +26,9 @@ with lib;
};
###### implementation
config = mkIf config.services.gnome3.gpaste.enable {
config = mkIf config.programs.gpaste.enable {
environment.systemPackages = [ pkgs.gnome3.gpaste ];
services.dbus.packages = [ pkgs.gnome3.gpaste ];
services.xserver.desktopManager.gnome3.sessionPath = [ pkgs.gnome3.gpaste ];
systemd.packages = [ pkgs.gnome3.gpaste ];
};
}

View File

@ -1,36 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.nylas-mail;
in {
###### interface
options = {
services.nylas-mail = {
enable = mkEnableOption ''
nylas-mail - Open-source mail client built on the modern web with Electron, React, and Flux
'';
gnome3-keyring = mkOption {
type = types.bool;
default = true;
description = "Enable gnome3 keyring for nylas-mail.";
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.nylas-mail-bin ];
services.gnome3.gnome-keyring = mkIf cfg.gnome3-keyring {
enable = true;
};
};
}
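Review bot: removing the `services.nylas-mail` module without a matching `mkRemovedOptionModule [ "services" "nylas-mail" "enable" ]` entry means existing configurations will fail with a generic "option does not exist" error instead of a message saying the service was removed; the `rename.nix` hunks elsewhere in this commit add entries for other removals but none for `nylas-mail`.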

View File

@ -70,7 +70,7 @@ in
promptInit = mkOption {
default = ''
if [ "$TERM" != dumb ]; then
autoload -U promptinit && promptinit && prompt walters
autoload -U promptinit && promptinit && prompt walters && setopt prompt_sp
fi
'';
description = ''

View File

@ -51,6 +51,10 @@ with lib;
(mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.")
(mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.")
(mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.")
(mkRemovedOptionModule [ "services" "prometheus2" "alertmanagerURL" ] ''
Due to incompatibility, the alertmanagerURL option has been removed,
please use 'services.prometheus2.alertmanagers' instead.
'')
(mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
(mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ])
(mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
@ -221,6 +225,8 @@ with lib;
(mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd")
(mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
(mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
(mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
(mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
# ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
@ -257,7 +263,21 @@ with lib;
(mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ])
(mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ])
] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
# Redshift
(mkChangedOptionModule [ "services" "redshift" "latitude" ] [ "location" "latitude" ]
(config:
let value = getAttrFromPath [ "services" "redshift" "latitude" ] config;
in if value == null then
throw "services.redshift.latitude is set to null, you can remove this"
else builtins.fromJSON value))
(mkChangedOptionModule [ "services" "redshift" "longitude" ] [ "location" "longitude" ]
(config:
let value = getAttrFromPath [ "services" "redshift" "longitude" ] config;
in if value == null then
throw "services.redshift.longitude is set to null, you can remove this"
else builtins.fromJSON value))
] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
"jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
"snmpExporter" "unifiExporter" "varnishExporter" ]
(opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] ''
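Review bot: the redshift migration uses `builtins.fromJSON value` as a string-to-number parser, so a value that is not valid JSON (for example "52,5" or a value with surrounding whitespace) aborts evaluation with a JSON parse error that never names `services.redshift.latitude` or `longitude`. Guarding the conversion so that a malformed value produces a `throw` naming the option and the offending string would match the quality of the `null` message just above it. Minor: "you can remove this" would read better as "you can remove this option".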

View File

@ -97,8 +97,8 @@ in
preStart = ''
mkdir -p ${cfg.dataDir}/.config/oxidized
cp -v ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db
cp -v ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config
ln -f -s ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db
ln -f -s ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config
'';
serviceConfig = {

View File

@ -19,6 +19,20 @@ in {
TCP: 9100 - 9200
'';
};
user = mkOption {
type = types.str;
default = "roon-server";
description = ''
User to run the Roon Server as.
'';
};
group = mkOption {
type = types.str;
default = "roon-server";
description = ''
Group to run the Roon Server as.
'';
};
};
};
@ -33,8 +47,8 @@ in {
serviceConfig = {
ExecStart = "${pkgs.roon-server}/opt/start.sh";
LimitNOFILE = 8192;
DynamicUser = true;
SupplementaryGroups = "audio";
User = cfg.user;
Group = cfg.group;
StateDirectory = name;
};
};
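Review bot: replacing `DynamicUser = true;` with `User = cfg.user; Group = cfg.group;` silently drops the hardening that DynamicUser implies (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges). If a static user is required for the audio group membership, those directives should be re-added explicitly in `serviceConfig` so the change does not weaken the unit; `StateDirectory = name;` already covers the writable path it needs.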
@ -45,5 +59,15 @@ in {
];
allowedUDPPorts = [ 9003 ];
};
users.groups."${cfg.group}" = {};
users.users."${cfg.user}" =
if cfg.user == "roon-server" then {
isSystemUser = true;
description = "Roon Server user";
groups = [ cfg.group "audio" ];
}
else {};
};
}
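Review bot: `groups = [ cfg.group "audio" ];` is not a `users.users.<name>` option; NixOS has `group` (primary group) and `extraGroups`, so this definition fails evaluation as soon as the default user is used. It should read `group = cfg.group; extraGroups = [ "audio" ];`. Also, the `if cfg.user == "roon-server" then { ... } else {}` branch means a custom user name is expected to exist already, which the option description should state, and `users.groups."${cfg.group}" = {};` is created unconditionally even in that case.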

View File

@ -41,7 +41,7 @@ in
};
config = mkOption {
type = with types; attrsOf (either (either str (either int bool)) (listOf str));
type = with types; attrsOf (oneOf [ str int bool (listOf str) ]);
default = {};
description = ''
automysqlbackup configuration. Refer to

View File

@ -0,0 +1,203 @@
{ config, lib, pkgs, ... }:
with lib;
let
receiverSubmodule = {
options = {
postgresqlPackage = mkOption {
type = types.package;
example = literalExample "pkgs.postgresql_11";
description = ''
PostgreSQL package to use.
'';
};
directory = mkOption {
type = types.path;
example = literalExample "/mnt/pg_wal/main/";
description = ''
Directory to write the output to.
'';
};
statusInterval = mkOption {
type = types.int;
default = 10;
description = ''
Specifies the number of seconds between status packets sent back to the server.
This allows for easier monitoring of the progress from server.
A value of zero disables the periodic status updates completely,
although an update will still be sent when requested by the server, to avoid timeout disconnect.
'';
};
slot = mkOption {
type = types.str;
default = "";
example = "some_slot_name";
description = ''
Require <command>pg_receivewal</command> to use an existing replication slot (see
<link xlink:href="https://www.postgresql.org/docs/current/warm-standby.html#STREAMING-REPLICATION-SLOTS">Section 26.2.6 of the PostgreSQL manual</link>).
When this option is used, <command>pg_receivewal</command> will report a flush position to the server,
indicating when each segment has been synchronized to disk so that the server can remove that segment if it is not otherwise needed.
When the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby,
then using a replication slot will report the flush position to the server, but only when a WAL file is closed.
Therefore, that configuration will cause transactions on the primary to wait for a long time and effectively not work satisfactorily.
The option <option>synchronous</option> must be specified in addition to make this work correctly.
'';
};
synchronous = mkOption {
type = types.bool;
default = false;
description = ''
Flush the WAL data to disk immediately after it has been received.
Also send a status packet back to the server immediately after flushing, regardless of <option>statusInterval</option>.
This option should be specified if the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby,
to ensure that timely feedback is sent to the server.
'';
};
compress = mkOption {
type = types.ints.between 0 9;
default = 0;
description = ''
Enables gzip compression of write-ahead logs, and specifies the compression level
(<literal>0</literal> through <literal>9</literal>, <literal>0</literal> being no compression and <literal>9</literal> being best compression).
The suffix <literal>.gz</literal> will automatically be added to all filenames.
This option requires PostgreSQL >= 10.
'';
};
connection = mkOption {
type = types.str;
example = "postgresql://user@somehost";
description = ''
Specifies parameters used to connect to the server, as a connection string.
See <link xlink:href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">Section 34.1.1 of the PostgreSQL manual</link> for more information.
Because <command>pg_receivewal</command> doesn't connect to any particular database in the cluster,
database name in the connection string will be ignored.
'';
};
extraArgs = mkOption {
type = with types; listOf str;
default = [ ];
example = literalExample ''
[
"--no-sync"
]
'';
description = ''
A list of extra arguments to pass to the <command>pg_receivewal</command> command.
'';
};
environment = mkOption {
type = with types; attrsOf str;
default = { };
example = literalExample ''
{
PGPASSFILE = "/private/passfile";
PGSSLMODE = "require";
}
'';
description = ''
Environment variables passed to the service.
Usable parameters are listed in <link xlink:href="https://www.postgresql.org/docs/current/libpq-envars.html">Section 34.14 of the PostgreSQL manual</link>.
'';
};
};
};
in {
options = {
services.postgresqlWalReceiver = {
receivers = mkOption {
type = with types; attrsOf (submodule receiverSubmodule);
default = { };
example = literalExample ''
{
main = {
postgresqlPackage = pkgs.postgresql_11;
directory = /mnt/pg_wal/main/;
slot = "main_wal_receiver";
connection = "postgresql://user@somehost";
};
}
'';
description = ''
PostgreSQL WAL receivers.
Stream write-ahead logs from a PostgreSQL server using <command>pg_receivewal</command> (formerly <command>pg_receivexlog</command>).
See <link xlink:href="https://www.postgresql.org/docs/current/app-pgreceivewal.html">the man page</link> for more information.
'';
};
};
};
config = let
receivers = config.services.postgresqlWalReceiver.receivers;
in mkIf (receivers != { }) {
users = {
users.postgres = {
uid = config.ids.uids.postgres;
group = "postgres";
description = "PostgreSQL server user";
};
groups.postgres = {
gid = config.ids.gids.postgres;
};
};
assertions = concatLists (attrsets.mapAttrsToList (name: config: [
{
assertion = config.compress > 0 -> versionAtLeast config.postgresqlPackage.version "10";
message = "Invalid configuration for WAL receiver \"${name}\": compress requires PostgreSQL version >= 10.";
}
]) receivers);
systemd.tmpfiles.rules = mapAttrsToList (name: config: ''
d ${escapeShellArg config.directory} 0750 postgres postgres - -
'') receivers;
systemd.services = with attrsets; mapAttrs' (name: config: nameValuePair "postgresql-wal-receiver-${name}" {
description = "PostgreSQL WAL receiver (${name})";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "postgres";
Group = "postgres";
KillSignal = "SIGINT";
Restart = "always";
RestartSec = 30;
};
inherit (config) environment;
script = let
receiverCommand = postgresqlPackage:
if (versionAtLeast postgresqlPackage.version "10")
then "${postgresqlPackage}/bin/pg_receivewal"
else "${postgresqlPackage}/bin/pg_receivexlog";
in ''
${receiverCommand config.postgresqlPackage} \
--no-password \
--directory=${escapeShellArg config.directory} \
--status-interval=${toString config.statusInterval} \
--dbname=${escapeShellArg config.connection} \
${optionalString (config.compress > 0) "--compress=${toString config.compress}"} \
${optionalString (config.slot != "") "--slot=${escapeShellArg config.slot}"} \
${optionalString config.synchronous "--synchronous"} \
${concatStringsSep " " config.extraArgs}
'';
}) receivers;
};
meta.maintainers = with maintainers; [ pacien ];
}
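Review bot: `connection` is a plain `types.str` passed as `--dbname=`, so a password embedded in the connection string ends up in the world-readable Nix store and in the process command line; the description should direct users to supply credentials through the `environment` option with `PGPASSFILE`, as the example already does, and note that the file must be readable by the `postgres` user the unit runs as. `--no-password` is the right choice here because it keeps the receiver from blocking on a prompt. Style: the lambdas in `assertions`, `systemd.tmpfiles.rules` and `systemd.services` all name their parameter `config`, shadowing the module's `config` argument; calling it `receiver` avoids confusion when someone later needs the outer `config` inside those bodies.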

View File

@ -0,0 +1,90 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.services.zfs.autoReplication;
recursive = optionalString cfg.recursive " --recursive";
followDelete = optionalString cfg.followDelete " --follow-delete";
in {
options = {
services.zfs.autoReplication = {
enable = mkEnableOption "ZFS snapshot replication.";
followDelete = mkOption {
description = "Remove remote snapshots that don't have a local correspondant.";
default = true;
type = types.bool;
};
host = mkOption {
description = "Remote host where snapshots should be sent.";
example = "example.com";
type = types.str;
};
identityFilePath = mkOption {
description = "Path to SSH key used to login to host.";
example = "/home/username/.ssh/id_rsa";
type = types.path;
};
localFilesystem = mkOption {
description = "Local ZFS fileystem from which snapshots should be sent. Defaults to the attribute name.";
example = "pool/file/path";
type = types.str;
};
remoteFilesystem = mkOption {
description = "Remote ZFS filesystem where snapshots should be sent.";
example = "pool/file/path";
type = types.str;
};
recursive = mkOption {
description = "Recursively discover snapshots to send.";
default = true;
type = types.bool;
};
username = mkOption {
description = "Username used by SSH to login to remote host.";
example = "username";
type = types.str;
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [
pkgs.lz4
];
systemd.services."zfs-replication" = {
after = [
"zfs-snapshot-daily.service"
"zfs-snapshot-frequent.service"
"zfs-snapshot-hourly.service"
"zfs-snapshot-monthly.service"
"zfs-snapshot-weekly.service"
];
description = "ZFS Snapshot Replication";
documentation = [
"https://github.com/alunduil/zfs-replicate"
];
restartIfChanged = false;
serviceConfig.ExecStart = "${pkgs.zfs-replicate}/bin/zfs-replicate${recursive} -l ${escapeShellArg cfg.username} -i ${escapeShellArg cfg.identityFilePath}${followDelete} ${escapeShellArg cfg.host} ${escapeShellArg cfg.remoteFilesystem} ${escapeShellArg cfg.localFilesystem}";
wantedBy = [
"zfs-snapshot-daily.service"
"zfs-snapshot-frequent.service"
"zfs-snapshot-hourly.service"
"zfs-snapshot-monthly.service"
"zfs-snapshot-weekly.service"
];
};
};
meta = {
maintainers = with lib.maintainers; [ alunduil ];
};
}
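Review bot: `identityFilePath` is `types.path`, so a user who writes `identityFilePath = ./id_rsa;` gets the private key copied into the world-readable Nix store; the description should say to pass an absolute string path (as the example does), or the type should be `types.str`. The example `/home/username/.ssh/id_rsa` is also misleading: the unit sets no `User=`, so it runs as root and should use a dedicated replication key rather than a person's key. The `localFilesystem` description says "Defaults to the attribute name", but this is not a submodule and the option has no default, so that sentence is wrong. `pkgs.lz4` is added to `environment.systemPackages`, which does not put it on the service's PATH; if `zfs-replicate` shells out to `lz4`, use `path = [ pkgs.lz4 ];` on the unit instead. Typos: "fileystem", "correspondant".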

View File

@ -160,7 +160,7 @@ in {
systemd.tmpfiles.rules = [
"d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -"
"d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
"f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.databaseDir}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.viewIndexDir}' - ${cfg.user} ${cfg.group} - -"
];
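Review bot: the new rule `"f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -"` creates the log file with tmpfiles' default mode (0644), so every local user can read it; since CouchDB logs can include request paths and user names, an explicit 0640 here (and 0750 on the log directory rule above) is the safer choice. This rule replaces the `touch -a ${cfg.logFile}` removed from `preStart` in the next hunk, so ownership and mode are now decided entirely here.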
@ -169,11 +169,9 @@ in {
description = "CouchDB Server";
wantedBy = [ "multi-user.target" ];
preStart =
''
preStart = ''
touch ${cfg.configFile}
touch -a ${cfg.logFile}
'';
'';
environment = mkIf useVersion2 {
# we are actually specifying 4 configuration files:

View File

@ -86,7 +86,25 @@ in
in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
User = cfg.user;
# Filesystem access
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RuntimeDirectory = "memcached";
# Caps
CapabilityBoundingSet = "";
NoNewPrivileges = true;
# Misc.
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
PrivateUsers = true;
MemoryDenyWriteExecute = true;
};
};
};
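Review bot: good hardening set. Two additions round it out: `RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";` and `RestrictNamespaces = true;` together with `SystemCallArchitectures = "native";`. One caveat worth a comment: with `ProtectSystem = "strict"` the only writable locations are `RuntimeDirectory` (`/run/memcached`) and the private `/tmp`, so a UNIX socket configured through the `networking` flags on the `ExecStart` line must live under `/run/memcached` or the service will fail to start.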

View File

@ -251,6 +251,10 @@ in
environment.systemPackages = [ postgresql ];
environment.pathsToLink = [
"/share/postgresql"
];
systemd.services.postgresql =
{ description = "PostgreSQL Server";
@ -326,13 +330,13 @@ in
fi
'' + optionalString (cfg.ensureDatabases != []) ''
${concatMapStrings (database: ''
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE ${database}"
$PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
'') cfg.ensureDatabases}
'' + ''
${concatMapStrings (user: ''
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}"
${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
$PSQL -tAc "GRANT ${permission} ON ${database} TO ${user.name}"
$PSQL -tAc 'GRANT ${permission} ON ${database} TO ${user.name}'
'') user.ensurePermissions)}
'') cfg.ensureUsers}
'';
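Review bot: identifier quoting is now inconsistent across the three statements: `CREATE DATABASE "${database}"` correctly double-quotes the name, but `CREATE USER ${user.name}` and `GRANT ${permission} ON ${database} TO ${user.name}` still interpolate unquoted, so a database created with a mixed-case or hyphenated name will be folded or rejected in the later statements. The `GRANT` line only swapped its outer shell quotes from double to single, which additionally means a name containing `'` now breaks the shell command. Quoting `"${user.name}"` in both `CREATE USER` and `GRANT` would make the trio consistent; the `ON ${database}` clause may carry an object-type keyword as well as a name, so it cannot be wrapped as a single identifier and should be documented as already-quoted input.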

View File

@ -38,5 +38,16 @@ in {
"$HOME/.local/share/flatpak/exports"
"/var/lib/flatpak/exports"
];
# It has been possible since https://github.com/flatpak/flatpak/releases/tag/1.3.2
# to build a SELinux policy module.
users.users.flatpak = {
description = "Flatpak system helper";
group = "flatpak";
isSystemUser = true;
};
users.groups.flatpak = { };
};
}

View File

@ -1,43 +0,0 @@
# gvfs backends
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
services.gnome3.gvfs = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable gvfs backends, userspace virtual filesystem used
by GNOME components via D-Bus.
'';
};
};
};
###### implementation
config = mkIf config.services.gnome3.gvfs.enable {
environment.systemPackages = [ pkgs.gnome3.gvfs ];
services.dbus.packages = [ pkgs.gnome3.gvfs ];
systemd.packages = [ pkgs.gnome3.gvfs ];
services.udev.packages = [ pkgs.libmtp.bin ];
};
}

View File

@ -0,0 +1,59 @@
# GVfs
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gvfs;
in
{
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
[ "services" "gnome3" "gvfs" "enable" ]
[ "services" "gvfs" "enable" ])
];
###### interface
options = {
services.gvfs = {
enable = mkEnableOption "GVfs, a userspace virtual filesystem";
# gvfs can be built with multiple configurations
package = mkOption {
type = types.package;
default = pkgs.gnome3.gvfs;
description = "Which GVfs package to use.";
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
services.dbus.packages = [ cfg.package ];
systemd.packages = [ cfg.package ];
services.udev.packages = [ pkgs.libmtp.bin ];
# Needed for unwrapped applications
environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
};
}
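Review bot: both this module and the dconf module in this commit now define `environment.variables.GIO_EXTRA_MODULES` as a list, which NixOS merges into one colon-separated value; that is fine as long as no other module sets the variable as a plain string, because the `either str (listOf str)` type cannot merge a string with a list. A comment on the `# Needed for unwrapped applications` line noting that it must stay a list would prevent a future conflicting-definition error.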

View File

@ -9,6 +9,20 @@ let
in {
options.services.bloop = {
extraOptions = mkOption {
type = types.listOf types.str;
default = [ ];
example = [
"-J-Xmx2G"
"-J-XX:MaxInlineLevel=20"
"-J-XX:+UseParallelGC"
];
description = ''
Specifies additional command line argument to pass to bloop
java process.
'';
};
install = mkOption {
type = types.bool;
default = false;
@ -25,10 +39,13 @@ in {
systemd.user.services.bloop = {
description = "Bloop Scala build server";
environment = {
PATH = mkForce "${makeBinPath [ config.programs.java.package ]}";
};
serviceConfig = {
Type = "simple";
ExecStart = ''${pkgs.bloop}/bin/blp-server'';
Restart = "always";
Type = "simple";
ExecStart = ''${pkgs.bloop}/bin/bloop server'';
Restart = "always";
};
};
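Review bot: `extraOptions` is declared in the previous hunk with a description promising to pass arguments to the bloop Java process, but the new `ExecStart = ''${pkgs.bloop}/bin/bloop server''` does not reference it, so as far as these lines show the option is a no-op; append the list via `concatStringsSep " "` to `ExecStart` (or wherever the launcher expects them). `PATH = mkForce "${makeBinPath [ config.programs.java.package ]}"` also strips coreutils and friends from the user unit's PATH; if the `bloop` launcher is a shell script it will lose them. Minor: "additional command line argument" should be "arguments".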

View File

@ -552,7 +552,7 @@ emacsclient --create-frame --tty # opens a new frame on the current terminal
<xref linkend="opt-environment.systemPackages"/>
(<link
linkend="sec-declarative-package-mgmt">NixOS</link>), or run
<literal>nix-env -i pkgs.docbook5</literal>
<literal>nix-env -f '&lt;nixpkgs&gt;' -iA docbook5</literal>
(<link linkend="sec-ad-hoc-packages">Nix</link>).
</para>

View File

@ -118,7 +118,7 @@ in {
};
serverProperties = mkOption {
type = with types; attrsOf (either bool (either int str));
type = with types; attrsOf (oneOf [ bool int str ]);
default = {};
example = literalExample ''
{

View File

@ -8,6 +8,12 @@ in {
options = {
services.throttled = {
enable = mkEnableOption "fix for Intel CPU throttling";
extraConfig = mkOption {
type = types.str;
default = "";
description = "Alternative configuration";
};
};
};
@ -16,6 +22,9 @@ in {
# The upstream package has this in Install, but that's not enough, see the NixOS manual
systemd.services."lenovo_fix".wantedBy = [ "multi-user.target" ];
environment.etc."lenovo_fix.conf".source = "${pkgs.throttled}/etc/lenovo_fix.conf";
environment.etc."lenovo_fix.conf".source =
if cfg.extraConfig != ""
then pkgs.writeText "lenovo_fix.conf" cfg.extraConfig
else "${pkgs.throttled}/etc/lenovo_fix.conf";
};
}
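Review bot: the option is named `extraConfig` but behaves as a full replacement, since `environment.etc."lenovo_fix.conf".source` switches to `pkgs.writeText "lenovo_fix.conf" cfg.extraConfig` whenever the value is non-empty and the packaged defaults are discarded; the description "Alternative configuration" hints at this but the name does not. Either rename it (for example `config`) or state clearly in the description that setting it replaces `${pkgs.throttled}/etc/lenovo_fix.conf` entirely, so users do not assume their snippet is appended.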

View File

@ -4,6 +4,12 @@ with lib;
let
cfg = config.services.trezord;
in {
### docs
meta = {
doc = ./trezord.xml;
};
### interface

View File

@ -0,0 +1,26 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="trezor">
<title>Trezor</title>
<para>
Trezor is an open-source cryptocurrency hardware wallet and security token
allowing secure storage of private keys.
</para>
<para>
It offers advanced features such U2F two-factor authorization, SSH login
through
<link xlink:href="https://wiki.trezor.io/Apps:SSH_agent">Trezor SSH agent</link>,
<link xlink:href="https://wiki.trezor.io/GPG">GPG</link> and a
<link xlink:href="https://wiki.trezor.io/Trezor_Password_Manager">password manager</link>.
For more information, guides and documentation, see <link xlink:href="https://wiki.trezor.io"/>.
</para>
<para>
To enable Trezor support, add the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.trezord.enable"/> = true;
</programlisting>
This will add all necessary udev rules and start Trezor Bridge.
</para>
</chapter>
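Review bot: "such U2F two-factor authorization" should read "such as U2F two-factor authentication" (U2F is an authentication factor, not an authorization mechanism). The rest of the chapter is fine; `<xref linkend="opt-services.trezord.enable"/>` is the correct form for linking the option.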

View File

@ -4,6 +4,7 @@ with lib;
let
cfg = config.services.awstats;
httpd = config.services.httpd;
package = pkgs.awstats;
in
@ -67,50 +68,43 @@ in
environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf"
{ preferLocalBuild = true; }
( let
cfg-httpd = config.services.httpd;
logFormat =
if cfg-httpd.logFormat == "combined" then "1" else
if cfg-httpd.logFormat == "common" then "4" else
throw "awstats service doesn't support Apache log format `${cfg-httpd.logFormat}`";
if httpd.logFormat == "combined" then "1" else
if httpd.logFormat == "common" then "4" else
throw "awstats service doesn't support Apache log format `${httpd.logFormat}`";
in
''
sed \
-e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \
-e 's|^\(DirIcons\)=.*$|\1="icons"|' \
-e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \
-e 's|^\(SiteDomain\)=.*$|\1="${cfg-httpd.hostName}"|' \
-e 's|^\(LogFile\)=.*$|\1="${cfg-httpd.logDir}/access_log"|' \
-e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \
-e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \
-e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \
< '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out"
echo '${cfg.extraConfig}' >> "$out"
'');
# The httpd sub-service showing awstats.
services.httpd.enable = mkIf cfg.service.enable true;
services.httpd.extraSubservices = mkIf cfg.service.enable [ { function = { serverInfo, ... }: {
extraConfig =
''
Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/"
systemd.tmpfiles.rules = optionals cfg.service.enable [
"d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
"Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
];
<Directory "${package.out}/wwwroot">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
'';
startupScript =
let
inherit (serverInfo.serverConfig) user group;
in pkgs.writeScript "awstats_startup.sh"
''
mkdir -p '${cfg.vardir}'
chown '${user}:${group}' '${cfg.vardir}'
'';
};}];
# The httpd sub-service showing awstats.
services.httpd = optionalAttrs cfg.service.enable {
enable = true;
extraConfig = ''
Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/"
<Directory "${package.out}/wwwroot">
Options None
Require all granted
</Directory>
'';
};
systemd.services.awstats-update = mkIf (cfg.updateAt != null) {
description = "awstats log collector";
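Review bot: `Require all granted` is the correct Apache 2.4 replacement for the removed `Order allow,deny` / `Allow from all` pair, but it publishes the awstats CGI and its visitor statistics to everyone who can reach the vhost. Since those reports expose visitor IPs and request paths, the module should either narrow the `<Directory>` block by default or document under `cfg.service` how to add an access restriction. Two smaller points: `echo '${cfg.extraConfig}' >> "$out"` (context line) breaks as soon as `extraConfig` contains a single quote, and the new `Z '${cfg.vardir}'` rule re-chowns the whole data tree to the httpd user on every boot, which is intended but worth a comment.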

View File

@ -7,7 +7,7 @@ let
cfg = config.services.davmail;
configType = with types;
either (either (attrsOf configType) str) (either int bool) // {
oneOf [ (attrsOf configType) str int bool ] // {
description = "davmail config type (str, int, bool or attribute set thereof)";
};

View File

@ -447,7 +447,7 @@ in
};
config = mkOption {
type = with types; attrsOf (either bool (either str (listOf str)));
type = with types; attrsOf (oneOf [ bool str (listOf str) ]);
description = ''
The main.cf configuration file as key value set.
'';

View File

@ -331,7 +331,7 @@ in
};
config = mkOption {
type = with types; attrsOf (either bool (either str (listOf str)));
type = with types; attrsOf (oneOf [ bool str (listOf str) ]);
description = ''
Addon to postfix configuration
'';

View File

@ -30,7 +30,7 @@ in {
};
config = mkOption {
type = with types; attrsOf (either str (either int bool));
type = with types; attrsOf (oneOf [ str int bool ]);
default = {};
description = ''
The configuration to give rss2email.

View File

@ -0,0 +1,73 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dwm-status;
order = concatMapStringsSep "," (feature: ''"${feature}"'') cfg.order;
configFile = pkgs.writeText "dwm-status.toml" ''
order = [${order}]
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.dwm-status = {
enable = mkEnableOption "dwm-status user service";
package = mkOption {
type = types.package;
default = pkgs.dwm-status;
defaultText = "pkgs.dwm-status";
example = "pkgs.dwm-status.override { enableAlsaUtils = false; }";
description = ''
Which dwm-status package to use.
'';
};
order = mkOption {
type = types.listOf (types.enum [ "audio" "backlight" "battery" "cpu_load" "network" "time" ]);
description = ''
List of enabled features in order.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra config in TOML format.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
services.upower.enable = elem "battery" cfg.order;
systemd.user.services.dwm-status = {
description = "Highly performant and configurable DWM status service";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig.ExecStart = "${cfg.package}/bin/dwm-status ${configFile}";
};
};
}
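Review bot: `services.upower.enable = elem "battery" cfg.order;` defines the option as `false` whenever "battery" is not in the list, and `types.bool` definitions must agree, so this conflicts with any other module or user configuration that enables upower. Write it as `services.upower.enable = mkIf (elem "battery" cfg.order) true;` so the module only ever adds a definition. Also, `order` has neither `default` nor `example`, so `services.dwm-status.enable = true;` on its own fails evaluation with "option used but not defined"; a default such as `[ "time" ]` or at least an `example` would help.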

View File

@ -502,7 +502,7 @@ in {
"d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
"D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -"
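Review bot: changing `config/initializers` from `d` to `D` means its contents are deleted every time `systemd-tmpfiles --remove` runs, which on NixOS includes every boot via `systemd-tmpfiles-setup.service`; a comment next to the rule stating why (presumably to drop initializers left behind by a previous GitLab version) would keep the next reader from reverting it as a typo.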
@ -659,7 +659,7 @@ in {
fi
# We remove potentially broken links to old gitlab-shell versions
rm -f ${cfg.statePath}/repositories/**/*.git/hooks
rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks
${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input"
'';
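Review bot: `rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks` relies on `**` matching across directory levels, which bash only does with `shopt -s globstar`; without it `**` is an ordinary `*`, so hooks in repositories nested deeper than one level (group subpaths) are left untouched. Adding `-R` also widens the effect from removing links to removing any real `hooks` directory, including locally installed custom hooks. If the intent is still what the comment says, "remove potentially broken links", `find ${cfg.statePath}/repositories -name hooks -xtype l -delete` states that precisely (`-xtype l` matches only dangling links) and does not depend on globstar.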

View File

@ -143,21 +143,37 @@ in
users.users.${cfg.user} = {
description = "Gitolite user";
home = cfg.dataDir;
createHome = true;
uid = config.ids.uids.gitolite;
group = cfg.group;
useDefaultShell = true;
};
users.groups."${cfg.group}".gid = config.ids.gids.gitolite;
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}'/.gitolite - ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}'/.gitolite/logs - ${cfg.user} ${cfg.group} - -"
"Z ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -"
];
systemd.services."gitolite-init" = {
description = "Gitolite initialization";
wantedBy = [ "multi-user.target" ];
unitConfig.RequiresMountsFor = cfg.dataDir;
serviceConfig.User = "${cfg.user}";
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
environment = {
GITOLITE_RC = ".gitolite.rc";
GITOLITE_RC_DEFAULT = "${rcDir}/gitolite.rc.default";
};
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = "~";
RemainAfterExit = true;
};
path = [ pkgs.gitolite pkgs.git pkgs.perl pkgs.bash pkgs.diffutils config.programs.ssh.package ];
script =
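Review bot: `"Z ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -"` applies the mode recursively to regular files as well as directories, so every file under the data directory (repository objects, `.ssh/authorized_keys`, logs) is set to 0750 on each tmpfiles run, and the whole tree is walked at every boot. If the goal is only to fix ownership after moving away from `createHome`, use `-` for the mode (`Z ${cfg.dataDir} - ${cfg.user} ${cfg.group} - -`) or the masked form `~0750`. The path should also be quoted as the three `d` rules above do, so a `dataDir` containing spaces behaves the same in all four rules.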
@ -187,11 +203,6 @@ in
'';
in
''
cd ${cfg.dataDir}
mkdir -p .gitolite/logs
GITOLITE_RC=.gitolite.rc
GITOLITE_RC_DEFAULT=${rcDir}/gitolite.rc.default
if ( [[ ! -e "$GITOLITE_RC" ]] && [[ ! -L "$GITOLITE_RC" ]] ) ||
( [[ -f "$GITOLITE_RC" ]] && diff -q "$GITOLITE_RC" "$GITOLITE_RC_DEFAULT" >/dev/null ) ||
( [[ -L "$GITOLITE_RC" ]] && [[ "$(readlink "$GITOLITE_RC")" =~ ^/nix/store/ ]] )
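Review bot: `GITOLITE_RC = ".gitolite.rc"` is now a relative path that is correct only because `WorkingDirectory = "~"` resolves, through `users.users.${cfg.user}.home`, to `cfg.dataDir`; the `diff -q` and `readlink` checks that follow inherit that assumption silently. Setting `GITOLITE_RC = "${cfg.dataDir}/.gitolite.rc"` keeps the script correct regardless of the working directory and makes the dependency explicit.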

View File

@ -1,68 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.mantisbt;
freshInstall = cfg.extraConfig == "";
# combined code+config directory
mantisbt = let
config_inc = pkgs.writeText "config_inc.php" ("<?php\n" + cfg.extraConfig);
src = pkgs.fetchurl {
url = "mirror://sourceforge/mantisbt/${name}.tar.gz";
sha256 = "1pl6xn793p3mxc6ibpr2bhg85vkdlcf57yk7pfc399g47l8x4508";
};
name = "mantisbt-1.2.19";
in
# We have to copy every time; otherwise config won't be found.
pkgs.runCommand name
{ preferLocalBuild = true; allowSubstitutes = false; }
(''
mkdir -p "$out"
cd "$out"
tar -xf '${src}' --strip-components=1
ln -s '${config_inc}' config_inc.php
''
+ lib.optionalString (!freshInstall) "rm -r admin/"
);
in
{
options.services.mantisbt = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the mantisbt web service.
This switches on httpd with PHP and database.
'';
};
urlPrefix = mkOption {
type = types.string;
default = "/mantisbt";
description = "The URL prefix under which the mantisbt service appears.";
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
The contents of config_inc.php, without leading &lt;?php.
If left empty, the admin directory will be accessible.
'';
};
};
config = mkIf cfg.enable {
services.mysql.enable = true;
services.httpd.enable = true;
services.httpd.enablePHP = true;
# The httpd sub-service showing mantisbt.
services.httpd.extraSubservices = [ { function = { ... }: {
extraConfig =
''
Alias ${cfg.urlPrefix} "${mantisbt}"
'';
};}];
};
}
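Review bot: removing the module without a matching `mkRemovedOptionModule [ "services" "mantisbt" ] "..."` entry leaves existing users with only the generic "option does not exist" error on their next rebuild; a removal stub that names the reason or the replacement is the usual nixpkgs convention for dropped service modules and is worth adding in the same change.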

View File

@ -684,7 +684,7 @@ in {
fi
'';
serviceConfig = {
Type = "simple";
Type = "notify";
User = "matrix-synapse";
Group = "matrix-synapse";
WorkingDirectory = cfg.dataDir;
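Review bot: `Type = "notify"` makes systemd wait for `READY=1` on `$NOTIFY_SOCKET` before the unit counts as started; if the packaged synapse does not implement sd_notify, the unit sits in `activating` until `TimeoutStartSec` expires and is killed, and anything ordered `After=` it never starts. Stating in the commit message or a comment which synapse version introduced the readiness notification would make the dependency on the package version clear.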

View File

@ -0,0 +1,103 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.metabase;
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib) optional optionalAttrs types;
dataDir = "/var/lib/metabase";
in {
options = {
services.metabase = {
enable = mkEnableOption "Metabase service";
listen = {
ip = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
IP address that Metabase should listen on.
'';
};
port = mkOption {
type = types.port;
default = 3000;
description = ''
Listen port for Metabase.
'';
};
};
ssl = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable SSL (https) support.
'';
};
port = mkOption {
type = types.port;
default = 8443;
description = ''
Listen port over SSL (https) for Metabase.
'';
};
keystore = mkOption {
type = types.nullOr types.path;
default = "${dataDir}/metabase.jks";
example = "/etc/secrets/keystore.jks";
description = ''
<link xlink:href="https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores">Java KeyStore</link> file containing the certificates.
'';
};
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open ports in the firewall for Metabase.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.metabase = {
description = "Metabase server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
environment = {
MB_PLUGINS_DIR = "${dataDir}/plugins";
MB_DB_FILE = "${dataDir}/metabase.db";
MB_JETTY_HOST = cfg.listen.ip;
MB_JETTY_PORT = toString cfg.listen.port;
} // optionalAttrs (cfg.ssl.enable) {
MB_JETTY_SSL = true;
MB_JETTY_SSL_PORT = toString cfg.ssl.port;
MB_JETTY_SSL_KEYSTORE = cfg.ssl.keystore;
};
serviceConfig = {
DynamicUser = true;
StateDirectory = baseNameOf dataDir;
ExecStart = "${pkgs.metabase}/bin/metabase";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.listen.port ] ++ optional cfg.ssl.enable cfg.ssl.port;
};
};
}
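Review bot: `MB_JETTY_SSL = true;` is a Nix boolean, but `systemd.services.<name>.environment` only accepts strings, paths and packages, so turning on `ssl.enable` fails at evaluation time; it should be `"true"`. Two smaller points: `listen.ip` defaults to `0.0.0.0`, which exposes the first-run setup wizard on every interface before an admin account exists, whereas NixOS service modules commonly default to `127.0.0.1` and let `openFirewall` or an explicit address widen it; and `keystore` is `types.path`, so a user who writes `/etc/secrets/keystore.jks` as a path literal rather than a string copies the keystore into the world-readable Nix store, which the option description should warn about.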

View File

@ -84,6 +84,16 @@ in {
type = types.bool;
description = "Cadvisor storage driver, enable secure communication.";
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Additional cadvisor options.
See <link xlink:href='https://github.com/google/cadvisor/blob/master/docs/runtime_options.md'/> for available options.
'';
};
};
};
@ -112,6 +122,7 @@ in {
-logtostderr=true \
-listen_ip="${cfg.listenAddress}" \
-port="${toString cfg.port}" \
${escapeShellArgs cfg.extraOptions} \
${optionalString (cfg.storageDriver != null) ''
-storage_driver "${cfg.storageDriver}" \
-storage_driver_user "${cfg.storageDriverHost}" \

View File

@ -42,9 +42,9 @@ let
# Apply the configured extraIntegrations to the provided agent
# package. See the documentation of `dd-agent/integrations-core.nix`
# for detailed information on this.
datadogPkg = cfg.package.overrideAttrs(_: {
python = (pkgs.datadog-integrations-core cfg.extraIntegrations).python;
});
datadogPkg = cfg.package.override {
pythonPackages = pkgs.datadog-integrations-core cfg.extraIntegrations;
};
in {
options.services.datadog-agent = {
enable = mkOption {
@ -60,7 +60,7 @@ in {
defaultText = "pkgs.datadog-agent";
description = ''
Which DataDog v6 agent package to use. Note that the provided
package is expected to have an overridable `python`-attribute
package is expected to have an overridable `pythonPackages`-attribute
which configures the Python environment with the Datadog
checks.
'';
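Review bot: the description now says the package must have an "overridable `pythonPackages`-attribute", but the code passes it through `cfg.package.override { pythonPackages = ...; }`, which requires `pythonPackages` to be a function argument of the package, not an attribute; "accept a `pythonPackages` argument via `override`" matches what the module actually does and tells users what an alternative package must provide.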

View File

@ -503,12 +503,12 @@ in {
message = "Cannot set both adminPassword and adminPasswordFile";
}
{
assertion = cfg.security.secretKeyFile != opt.security.secretKeyFile.default -> cfg.security.secretKeyFile == null;
assertion = cfg.security.secretKey != opt.security.secretKey.default -> cfg.security.secretKeyFile == null;
message = "Cannot set both secretKey and secretKeyFile";
}
{
assertion = cfg.smtp.password != opt.smtp.password.default -> cfg.smtp.passwordFile == null;
message = "Cannot set both password and secretKeyFile";
message = "Cannot set both password and passwordFile";
}
];

View File

@ -103,7 +103,7 @@ in {
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "full";
DecvicePolicy = "closed";
DevicePolicy = "closed";
NoNewPrivileges = true;
WorkingDirectory = cfg.dataDir;
};
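Review bot: good catch on `DecvicePolicy`, and worth noting what it implies: systemd only warns about unknown directives and otherwise ignores them, so `DevicePolicy=closed` was silently not applied until now. Running `systemd-analyze verify` over the generated units in the module's test (it reports unknown lvalues) would catch this class of typo before merge.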

View File

@ -79,12 +79,8 @@ let
(pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg2.rules))
]);
scrape_configs = filterValidPrometheus cfg2.scrapeConfigs;
alerting = optionalAttrs (cfg2.alertmanagerURL != []) {
alertmanagers = [{
static_configs = [{
targets = cfg2.alertmanagerURL;
}];
}];
alerting = {
inherit (cfg2) alertmanagers;
};
};
@ -738,11 +734,23 @@ in {
'';
};
alertmanagerURL = mkOption {
type = types.listOf types.str;
alertmanagers = mkOption {
type = types.listOf types.attrs;
example = literalExample ''
[ {
scheme = "https";
path_prefix = "/alertmanager";
static_configs = [ {
targets = [
"prometheus.domain.tld"
];
} ];
} ]
'';
default = [];
description = ''
List of Alertmanager URLs to send notifications to.
A list of alertmanagers to send alerts to.
See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information.
'';
};
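Review bot: `alertmanagerURL` is dropped without a `mkRemovedOptionModule` or `mkRenamedOptionModule`, so existing configurations fail with only the generic "option does not exist" message; since the old value maps directly onto `alertmanagers = [ { static_configs = [ { targets = cfg.alertmanagerURL; } ]; } ]`, a `mkChangedOptionModule` could migrate it automatically. `types.listOf types.attrs` also means nothing validates the entries the way `filterValidPrometheus` does for `scrapeConfigs`, so a misspelled key only surfaces when prometheus rejects the generated config at start.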

View File

@ -33,6 +33,7 @@ let
"nginx"
"node"
"postfix"
"postgres"
"snmp"
"surfboard"
"tor"
@ -87,7 +88,7 @@ let
};
user = mkOption {
type = types.str;
default = "nobody";
default = "${name}-exporter";
description = ''
User name under which the ${name} exporter shall be run.
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
@ -95,7 +96,7 @@ let
};
group = mkOption {
type = types.str;
default = "nobody";
default = "${name}-exporter";
description = ''
Group under which the ${name} exporter shall be run.
Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
@ -126,8 +127,23 @@ let
);
mkExporterConf = { name, conf, serviceOpts }:
let
enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
in
mkIf conf.enable {
warnings = conf.warnings or [];
users.users = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) {
"${name}-exporter" = {
description = ''
Prometheus ${name} exporter service user
'';
isSystemUser = true;
inherit (conf) group;
};
});
users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
"${name}-exporter" = {};
});
networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
"ip46tables -A nixos-fw ${conf.firewallFilter} "
"-m comment --comment ${name}-exporter -j nixos-fw-accept"
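Review bot: the static user and group are only created when `conf.user` and `conf.group` still equal the `${name}-exporter` default, so someone who sets `DynamicUser = false` together with a custom `user` has to create that account elsewhere or the unit fails at start with a user lookup error; the `user` and `group` option descriptions should say this. `isSystemUser = true` with `inherit (conf) group` has the same edge: a custom `group` that is declared nowhere is not created here either.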
@ -138,7 +154,8 @@ let
serviceConfig.Restart = mkDefault "always";
serviceConfig.PrivateTmp = mkDefault true;
serviceConfig.WorkingDirectory = mkDefault /tmp;
} serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) {
serviceConfig.DynamicUser = mkDefault enableDynamicUser;
} serviceOpts ] ++ optional (!enableDynamicUser) {
serviceConfig.User = conf.user;
serviceConfig.Group = conf.group;
});

View File

@ -159,8 +159,10 @@ in
# `serviceOpts.script` and `serviceOpts.serviceConfig.ExecStart`
# has to be specified here. This will be merged with the default
# service confiuration.
# Note that by default 'DynamicUser' is 'true'.
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
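Review bot: `DynamicUser = false;` reverses the new default for this exporter only; the comment above explains the default but not why postfix needs a static account (access to postfix's spool and the showq socket through group membership, presumably), so a one-line reason next to the setting would stop someone from "simplifying" it away later.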

View File

@ -39,7 +39,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-bind-exporter}/bin/bind_exporter \
-web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -4,6 +4,13 @@ with lib;
let
cfg = config.services.prometheus.exporters.blackbox;
checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
preferLocalBuild = true;
buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
ln -s ${file} $out
blackbox_exporter --config.check --config.file $out
'';
in
{
port = 9115;
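Review bot: `checkConfig` executes `blackbox_exporter` at build time, so the exporter belongs in `nativeBuildInputs`, not `buildInputs`; with `nativeBuildInputs` the explicit `pkgs.buildPackages` is also unnecessary, because splicing already selects the build-platform package. Validating the config at build time is a good improvement otherwise, since a broken module file now fails `nixos-rebuild` instead of the service at start.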
@ -18,11 +25,10 @@ in
serviceOpts = {
serviceConfig = {
AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--config.file ${cfg.configFile} \
--config.file ${checkConfig cfg.configFile} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

View File

@ -64,7 +64,6 @@ in
'' else "";
in {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \
-log.format ${cfg.logFormat} \

View File

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-dnsmasq-exporter}/bin/dnsmasq_exporter \
--listen ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -39,8 +39,8 @@ in
mail_plugins = $mail_plugins old_stats
service old-stats {
unix_listener old-stats {
user = nobody
group = nobody
user = dovecot-exporter
group = dovecot-exporter
}
}
''';
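Review bot: the example dovecot `old-stats` listener now assumes a static `dovecot-exporter` account, which the generic exporter code only creates when `DynamicUser = false` and `user` is left at its default; the surrounding text should mention that a custom `user` must be mirrored here so the socket ownership and the service user keep matching.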
@ -59,6 +59,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -26,7 +26,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-fritzbox-exporter}/bin/exporter \
-listen-address ${cfg.listenAddress}:${toString cfg.port} \

View File

@ -24,7 +24,6 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = true;
ExecStart = ''
${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \
--port ${toString cfg.port} \

View File

@ -143,6 +143,7 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = false;
ExecStart = ''
${pkgs.prometheus-mail-exporter}/bin/mailexporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \

Some files were not shown because too many files have changed in this diff