JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge current master into haskell-updates.

Browse Source
This commit is contained in:
Peter Simons 2021-02-25 21:30:10 +01:00
commit fbbfb1f695
738 changed files with 14172 additions and 5649 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/CODEOWNERS vendored
View File

@ -100,7 +100,7 @@
# Rust
/pkgs/development/compilers/rust @Mic92 @LnL7 @zowoq
/pkgs/build-support/rust @andir @zowoq
/pkgs/build-support/rust @andir @danieldk @zowoq
# Darwin-related
/pkgs/stdenv/darwin @NixOS/darwin-maintainers

4
doc/builders/fetchers.chapter.md
View File

@ -31,6 +31,8 @@ Used with Subversion. Expects `url` to a Subversion directory, `rev`, and `sha25
Used with Git. Expects `url` to a Git repo, `rev`, and `sha256`. `rev` in this case can be full the git commit id (SHA1 hash) or a tag name like `refs/tags/v1.0`.
Additionally the following optional arguments can be given: `fetchSubmodules = true` makes `fetchgit` also fetch the submodules of a repository. If `deepClone` is set to true, the entire repository is cloned as opposing to just creating a shallow clone. `deepClone = true` also implies `leaveDotGit = true` which means that the `.git` directory of the clone won't be removed after checkout.
## `fetchfossil`
Used with Fossil. Expects `url` to a Fossil archive, `rev`, and `sha256`.
@ -49,6 +51,8 @@ A number of fetcher functions wrap part of `fetchurl` and `fetchzip`. They are m
`fetchFromGitHub` expects four arguments. `owner` is a string corresponding to the GitHub user or organization that controls this repository. `repo` corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as `owner`/`repo`. `rev` corresponds to the Git commit hash or tag (e.g `v1.0`) that will be downloaded from Git. Finally, `sha256` corresponds to the hash of the extracted directory. Again, other hash algorithms are also available but `sha256` is currently preferred.
`fetchFromGitHub` uses `fetchzip` to download the source archive generated by GitHub for the specified revision. If `leaveDotGit`, `deepClone` or `fetchSubmodules` are set to `true`, `fetchFromGitHub` will use `fetchgit` instead. Refer to its section for documentation of these options.
## `fetchFromGitLab`
This is used with GitLab repositories. The arguments expected are very similar to fetchFromGitHub above.

27
doc/languages-frameworks/rust.section.md
View File

@ -80,6 +80,33 @@ The fetcher will verify that the `Cargo.lock` file is in sync with the `src`
attribute, and fail the build if not. It will also will compress the vendor
directory into a tar.gz archive.
The tarball with vendored dependencies contains a directory with the
package's `name`, which is normally composed of `pname` and
`version`. This means that the vendored dependencies hash
(`cargoSha256`/`cargoHash`) is dependent on the package name and
version. The `cargoDepsName` attribute can be used to use another name
for the directory of vendored dependencies. For example, the hash can
be made invariant to the version by setting `cargoDepsName` to
`pname`:
```nix
rustPlatform.buildRustPackage rec {
pname = "broot";
version = "1.2.0";
src = fetchCrate {
inherit pname version;
sha256 = "1mqaynrqaas82f5957lx31x80v74zwmwmjxxlbywajb61vh00d38";
};
cargoHash = "sha256-JmBZcDVYJaK1cK05cxx5BrnGWp4t8ca6FLUbvIot67s=";
cargoDepsName = pname;
# ...
}
```
### Cross compilation
By default, Rust packages are compiled for the host platform, just like any

2
doc/manual.xml
View File

@ -19,7 +19,7 @@
<xi:include href="stdenv/meta.xml" />
<xi:include href="stdenv/multiple-output.xml" />
<xi:include href="stdenv/cross-compilation.chapter.xml" />
<xi:include href="stdenv/platform-notes.xml" />
<xi:include href="stdenv/platform-notes.chapter.xml" />
</part>
<part>
<title>Builders</title>

19
doc/stdenv/cross-compilation.chapter.md
View File

@ -16,7 +16,7 @@ Nixpkgs follows the [conventions of GNU autoconf](https://gcc.gnu.org/onlinedocs
In Nixpkgs, these three platforms are defined as attribute sets under the names `buildPlatform`, `hostPlatform`, and `targetPlatform`. They are always defined as attributes in the standard environment. That means one can access them like:
```nix
{ stdenv, fooDep, barDep, .. }: ...stdenv.buildPlatform...
{ stdenv, fooDep, barDep, ... }: ...stdenv.buildPlatform...
```
`buildPlatform`
@ -99,15 +99,26 @@ Some examples will make this table clearer. Suppose there's some package that is
Some frequently encountered problems when packaging for cross-compilation should be answered here. Ideally, the information above is exhaustive, so this section cannot provide any new information, but it is ludicrous and cruel to expect everyone to spend effort working through the interaction of many features just to figure out the same answer to the same common problem. Feel free to add to this list!
#### My package fails to find a binutils command (`cc`/`ar`/`ld` etc.) {#cross-qa-fails-to-find-binutils}
Many packages assume that an unprefixed binutils (`cc`/`ar`/`ld` etc.) is available, but Nix doesn't provide one. It only provides a prefixed one, just as it only does for all the other binutils programs. It may be necessary to patch the package to fix the build system to use a prefix. For instance, instead of `cc`, use `${stdenv.cc.targetPrefix}cc`.
```nix
makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" ];
```
#### How do I avoid compiling a GCC cross-compiler from source? {#cross-qa-avoid-compiling-gcc-cross-compiler}
On less powerful machines, it can be inconvenient to cross-compile a package only to find out that GCC has to be compiled from source, which could take up to several hours. Nixpkgs maintains a limited [cross-related jobset on Hydra](https://hydra.nixos.org/jobset/nixpkgs/cross-trunk), which tests cross-compilation to various platforms from build platforms "x86\_64-darwin", "x86\_64-linux", and "aarch64-linux". See `pkgs/top-level/release-cross.nix` for the full list of target platforms and packages. For instance, the following invocation fetches the pre-built cross-compiled GCC for `armv6l-unknown-linux-gnueabihf` and builds GNU Hello from source.
```ShellSession
$ nix-build '<nixpkgs>' -A pkgsCross.raspberryPi.hello
```
#### What if my package's build system needs to build a C program to be run under the build environment? {#cross-qa-build-c-program-in-build-environment}
Add the following to your `mkDerivation` invocation.
```nix
depsBuildBuild = [ buildPackages.stdenv.cc ];
```
#### My package fails to find `ar`. {#cross-qa-fails-to-find-ar}
Many packages assume that an unprefixed `ar` is available, but Nix doesn't provide one. It only provides a prefixed one, just as it only does for all the other binutils programs. It may be necessary to patch the package to fix the build system to use a prefixed `ar`.
#### My package's testsuite needs to run host platform code. {#cross-testsuite-runs-host-code}
Add the following to your `mkDerivation` invocation.

62
doc/stdenv/platform-notes.chapter.md Normal file
View File

@ -0,0 +1,62 @@
# Platform Notes {#chap-platform-notes}
## Darwin (macOS) {#sec-darwin}
Some common issues when packaging software for Darwin:
- The Darwin `stdenv` uses clang instead of gcc. When referring to the compiler `$CC` or `cc` will work in both cases. Some builds hardcode gcc/g++ in their build scripts, that can usually be fixed with using something like `makeFlags = [ "CC=cc" ];` or by patching the build scripts.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildPhase = ''
$CC -o hello hello.c
'';
}
```
- On Darwin, libraries are linked using absolute paths, libraries are resolved by their `install_name` at link time. Sometimes packages wont set this correctly causing the library lookups to fail at runtime. This can be fixed by adding extra linker flags or by running `install_name_tool -id` during the `fixupPhase`.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
makeFlags = lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
}
```
- Even if the libraries are linked using absolute paths and resolved via their `install_name` correctly, tests can sometimes fail to run binaries. This happens because the `checkPhase` runs before the libraries are installed.
This can usually be solved by running the tests after the `installPhase` or alternatively by using `DYLD_LIBRARY_PATH`. More information about this variable can be found in the *dyld(1)* manpage.
```
dyld: Library not loaded: /nix/store/7hnmbscpayxzxrixrgxvvlifzlxdsdir-jq-1.5-lib/lib/libjq.1.dylib
Referenced from: /private/tmp/nix-build-jq-1.5.drv-0/jq-1.5/tests/../jq
Reason: image not found
./tests/jqtest: line 5: 75779 Abort trap: 6
```
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
doInstallCheck = true;
installCheckTarget = "check";
}
```
- Some packages assume xcode is available and use `xcrun` to resolve build tools like `clang`, etc. This causes errors like `xcode-select: error: no developer tools were found at '/Applications/Xcode.app'` while the build doesnt actually depend on xcode.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
prePatch = ''
substituteInPlace Makefile \
--replace '/usr/bin/xcrun clang' clang
'';
}
```
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.

83
doc/stdenv/platform-notes.xml
View File

@ -1,83 +0,0 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="chap-platform-notes">
<title>Platform Notes</title>
<section xml:id="sec-darwin">
<title>Darwin (macOS)</title>
<para>
Some common issues when packaging software for Darwin:
</para>
<itemizedlist>
<listitem>
<para>
The Darwin <literal>stdenv</literal> uses clang instead of gcc. When referring to the compiler <varname>$CC</varname> or <command>cc</command> will work in both cases. Some builds hardcode gcc/g++ in their build scripts, that can usually be fixed with using something like <literal>makeFlags = [ "CC=cc" ];</literal> or by patching the build scripts.
</para>
<programlisting>
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildPhase = ''
$CC -o hello hello.c
'';
}
</programlisting>
</listitem>
<listitem>
<para>
On Darwin, libraries are linked using absolute paths, libraries are resolved by their <literal>install_name</literal> at link time. Sometimes packages won't set this correctly causing the library lookups to fail at runtime. This can be fixed by adding extra linker flags or by running <command>install_name_tool -id</command> during the <function>fixupPhase</function>.
</para>
<programlisting>
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
makeFlags = lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
}
</programlisting>
</listitem>
<listitem>
<para>
Even if the libraries are linked using absolute paths and resolved via their <literal>install_name</literal> correctly, tests can sometimes fail to run binaries. This happens because the <varname>checkPhase</varname> runs before the libraries are installed.
</para>
<para>
This can usually be solved by running the tests after the <varname>installPhase</varname> or alternatively by using <varname>DYLD_LIBRARY_PATH</varname>. More information about this variable can be found in the <citerefentry>
<refentrytitle>dyld</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> manpage.
</para>
<programlisting>
dyld: Library not loaded: /nix/store/7hnmbscpayxzxrixrgxvvlifzlxdsdir-jq-1.5-lib/lib/libjq.1.dylib
Referenced from: /private/tmp/nix-build-jq-1.5.drv-0/jq-1.5/tests/../jq
Reason: image not found
./tests/jqtest: line 5: 75779 Abort trap: 6
</programlisting>
<programlisting>
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
doInstallCheck = true;
installCheckTarget = "check";
}
</programlisting>
</listitem>
<listitem>
<para>
Some packages assume xcode is available and use <command>xcrun</command> to resolve build tools like <command>clang</command>, etc. This causes errors like <code>xcode-select: error: no developer tools were found at '/Applications/Xcode.app'</code> while the build doesn't actually depend on xcode.
</para>
<programlisting>
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
prePatch = ''
substituteInPlace Makefile \
--replace '/usr/bin/xcrun clang' clang
'';
}
</programlisting>
<para>
The package <literal>xcbuild</literal> can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.
</para>
</listitem>
</itemizedlist>
</section>
</chapter>

12
doc/using/configuration.xml
View File

@ -151,26 +151,26 @@
</listitem>
<listitem>
<para>
It is also possible to whitelist and blacklist licenses that are specifically acceptable or not acceptable, using <literal>whitelistedLicenses</literal> and <literal>blacklistedLicenses</literal>, respectively.
It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using <literal>allowlistedLicenses</literal> and <literal>blocklistedLicenses</literal>, respectively.
</para>
<para>
The following example configuration whitelists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
The following example configuration allowlists the licenses <literal>amd</literal> and <literal>wtfpl</literal>:
<programlisting>
{
whitelistedLicenses = with lib.licenses; [ amd wtfpl ];
allowlistedLicenses = with lib.licenses; [ amd wtfpl ];
}
</programlisting>
</para>
<para>
The following example configuration blacklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
The following example configuration blocklists the <literal>gpl3Only</literal> and <literal>agpl3Only</literal> licenses:
<programlisting>
{
blacklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
blocklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
}
</programlisting>
</para>
<para>
Note that <literal>whitelistedLicenses</literal> only applies to unfree licenses unless <literal>allowUnfree</literal> is enabled. It is not a generic whitelist for all types of licenses. <literal>blacklistedLicenses</literal> applies to all licenses.
Note that <literal>allowlistedLicenses</literal> only applies to unfree licenses unless <literal>allowUnfree</literal> is enabled. It is not a generic allowlist for all types of licenses. <literal>blocklistedLicenses</literal> applies to all licenses.
</para>
</listitem>
</itemizedlist>

46
maintainers/maintainer-list.nix
View File

@ -82,6 +82,12 @@
githubId = 882455;
name = "Elliot Cameron";
};
_414owen = {
email = "owen@owen.cafe";
github = "414owen";
githubId = 1714287;
name = "Owen Shepherd";
};
_6AA4FD = {
email = "f6442954@gmail.com";
github = "6AA4FD";
@ -1597,12 +1603,6 @@
githubId = 89596;
name = "Florian Friesdorf";
};
charvp = {
email = "nixpkgs@cvpetegem.be";
github = "charvp";
githubId = 42220376;
name = "Charlotte Van Petegem";
};
chattered = {
email = "me@philscotted.com";
name = "Phil Scott";
@ -1711,6 +1711,12 @@
githubId = 2245737;
name = "Christopher Mark Poole";
};
chvp = {
email = "nixpkgs@cvpetegem.be";
github = "chvp";
githubId = 42220376;
name = "Charlotte Van Petegem";
};
ciil = {
email = "simon@lackerbauer.com";
github = "ciil";
@ -3291,6 +3297,12 @@
githubId = 10528737;
name = "Severin Fürbringer";
};
fufexan = {
email = "fufexan@protonmail.com";
github = "fufexan";
githubId = 36706276;
name = "Fufezan Mihai";
};
funfunctor = {
email = "eocallaghan@alterapraxis.com";
name = "Edward O'Callaghan";
@ -5890,6 +5902,12 @@
githubId = 22836301;
name = "Mateusz Mazur";
};
mbaeten = {
email = "mbaeten@users.noreply.github.com";
github = "mbaeten";
githubId = 2649304;
name = "M. Baeten";
};
mbakke = {
email = "mbakke@fastmail.com";
github = "mbakke";
@ -7185,6 +7203,12 @@
githubId = 157610;
name = "Piotr Bogdan";
};
pborzenkov = {
email = "pavel@borzenkov.net";
github = "pborzenkov";
githubId = 434254;
name = "Pavel Borzenkov";
};
pblkt = {
email = "pebblekite@gmail.com";
github = "pblkt";
@ -8319,6 +8343,12 @@
githubId = 2320433;
name = "Sam Boosalis";
};
sbruder = {
email = "nixos@sbruder.de";
github = "sbruder";
githubId = 15986681;
name = "Simon Bruder";
};
scalavision = {
email = "scalavision@gmail.com";
github = "scalavision";
@ -8878,7 +8908,7 @@
name = "Guillaume Loetscher";
};
sternenseemann = {
email = "post@lukasepple.de";
email = "sternenseemann@systemli.org";
github = "sternenseemann";
githubId = 3154475;
name = "Lukas Epple";
@ -9324,7 +9354,7 @@
name = "Jan Beinke";
};
thesola10 = {
email = "thesola10@bobile.fr";
email = "me@thesola.io";
github = "thesola10";
githubId = 7287268;
keys = [{

1
nixos/doc/manual/configuration/networking.xml
View File

@ -15,5 +15,6 @@
<xi:include href="firewall.xml" />
<xi:include href="wireless.xml" />
<xi:include href="ad-hoc-network-config.xml" />
<xi:include href="renaming-interfaces.xml" />
<!-- TODO: OpenVPN, NAT -->
</chapter>

2
nixos/doc/manual/configuration/profiles/clone-config.xml
View File

@ -16,6 +16,6 @@
On images where the installation media also becomes an installation target,
copying over <literal>configuration.nix</literal> should be disabled by
setting <literal>installer.cloneConfig</literal> to <literal>false</literal>.
For example, this is done in <literal>sd-image-aarch64.nix</literal>.
For example, this is done in <literal>sd-image-aarch64-installer.nix</literal>.
</para>
</section>

67
nixos/doc/manual/configuration/renaming-interfaces.xml Normal file
View File

@ -0,0 +1,67 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-rename-ifs">
<title>Renaming network interfaces</title>
<para>
NixOS uses the udev
<link xlink:href="https://systemd.io/PREDICTABLE_INTERFACE_NAMES/">predictable naming scheme</link>
to assign names to network interfaces. This means that by default
cards are not given the traditional names like
<literal>eth0</literal> or <literal>eth1</literal>, whose order can
change unpredictably across reboots. Instead, relying on physical
locations and firmware information, the scheme produces names like
<literal>ens1</literal>, <literal>enp2s0</literal>, etc.
</para>
<para>
These names are predictable but less memorable and not necessarily
stable: for example installing new hardware or changing firmware
settings can result in a
<link xlink:href="https://github.com/systemd/systemd/issues/3715#issue-165347602">name change</link>.
If this is undesirable, for example if you have a single ethernet
card, you can revert to the traditional scheme by setting
<xref linkend="opt-networking.usePredictableInterfaceNames"/> to
<literal>false</literal>.
</para>
<section xml:id="sec-custom-ifnames">
<title>Assigning custom names</title>
<para>
In case there are multiple interfaces of the same type, its better to
assign custom names based on the device hardware address. For
example, we assign the name <literal>wan</literal> to the interface
with MAC address <literal>52:54:00:12:01:01</literal> using a
netword link unit:
</para>
<programlisting>
<link linkend="opt-systemd.network.links">systemd.network.links."10-wan"</link> = {
matchConfig.MACAddress = "52:54:00:12:01:01";
linkConfig.Name = "wan";
};
</programlisting>
<para>
Note that links are directly read by udev, <emphasis>not networkd</emphasis>,
and will work even if networkd is disabled.
</para>
<para>
Alternatively, we can use a plain old udev rule:
</para>
<programlisting>
<link linkend="opt-services.udev.initrdRules">services.udev.initrdRules</link> = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \
ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="wan"
'';
</programlisting>
<warning><para>
The rule must be installed in the initrd using
<literal>services.udev.initrdRules</literal>, not the usual
<literal>services.udev.extraRules</literal> option. This is to avoid race
conditions with other programs controlling the interface.
</para></warning>
</section>
</section>

7
nixos/doc/manual/installation/installing-virtualbox-guest.xml
View File

@ -83,17 +83,12 @@
VirtualBox settings (Machine / Settings / Shared Folders, then click on the
"Add" icon). Add the following to the
<literal>/etc/nixos/configuration.nix</literal> to auto-mount them. If you do
not add <literal>"nofail"</literal>, the system will not boot properly. The
same goes for disabling <literal>rngd</literal> which is normally used to get
randomness but this does not work in virtual machines.
not add <literal>"nofail"</literal>, the system will not boot properly.
</para>
<programlisting>
{ config, pkgs, ...} :
{
security.rngd.enable = false; // otherwise vm will not boot
...
fileSystems."/virtualboxshare" = {
fsType = "vboxsf";
device = "nameofthesharedfolder";

30
nixos/doc/manual/release-notes/rl-2105.xml
View File

@ -91,6 +91,27 @@
</para>
<itemizedlist>
<listitem>
<para>
If you are using <option>services.udev.extraRules</option> to assign
custom names to network interfaces, this may stop working due to a change
in the initialisation of dhcpcd and systemd networkd. To avoid this, either
move them to <option>services.udev.initrdRules</option> or see the new
<link linkend="sec-custom-ifnames">Assigning custom names</link> section
of the NixOS manual for an example using networkd links.
</para>
</listitem>
<listitem>
<para>
The <option>security.hideProcessInformation</option> module has been removed.
It was broken since the switch to cgroups-v2.
</para>
</listitem>
<listitem>
<para>
The <literal>systemConfig</literal> kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.
</para>
</listitem>
<listitem>
<para>
<literal>systemd-journal2gelf</literal> no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub issue</link>.
@ -494,6 +515,15 @@ self: super:
<varname>services.flashpolicyd</varname> module.
</para>
</listitem>
<listitem>
<para>
The <literal>security.rngd</literal> module has been removed.
It was disabled by default in 20.09 as it was functionally redundant
with krngd in the linux kernel. It is not necessary for any device that the kernel recognises
as an hardware RNG, as it will automatically run the krngd task to periodically collect random
data from the device and mix it into the kernel's RNG.
</para>
</listitem>
</itemizedlist>
</section>

13
nixos/modules/config/console.nix
View File

@ -144,11 +144,16 @@ in
''}
'';
systemd.services.systemd-vconsole-setup =
{
before = optional config.services.xserver.enable "display-manager.service";
after = [ "systemd-udev-settle.service" ];
systemd.services.reload-systemd-vconsole-setup =
{ description = "Reset console on configuration changes";
wantedBy = [ "multi-user.target" ];
restartTriggers = [ vconsoleConf consoleEnv ];
reloadIfChanged = true;
serviceConfig =
{ RemainAfterExit = true;
ExecStart = "${pkgs.coreutils}/bin/true";
ExecReload = "/run/current-system/systemd/bin/systemctl restart systemd-vconsole-setup";
};
};
}

2
nixos/modules/config/swap.nix
View File

@ -185,8 +185,6 @@ in
{ description = "Initialisation of swap device ${sw.device}";
wantedBy = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" ];
# If swap is encrypted, depending on rngd resolves a possible entropy starvation during boot
after = mkIf (config.security.rngd.enable && sw.randomEncryption.enable) [ "rngd.service" ];
path = [ pkgs.util-linux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
script =

17
nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix
View File

@ -1,7 +1,14 @@
{ pkgs, ... }:
{ config, ... }:
{
imports = [ ./sd-image-aarch64.nix ];
boot.kernelPackages = pkgs.linuxPackages_latest;
imports = [
../sd-card/sd-image-aarch64-new-kernel-installer.nix
];
config = {
warnings = [
''
.../cd-dvd/sd-image-aarch64-new-kernel.nix is deprecated and will eventually be removed.
Please switch to .../sd-card/sd-image-aarch64-new-kernel-installer.nix, instead.
''
];
};
}

84
nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
View File

@ -1,80 +1,14 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/cd-dvd/sd-image-aarch64.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{ config, ... }:
{
imports = [
../../profiles/base.nix
../../profiles/installation-device.nix
./sd-image.nix
../sd-card/sd-image-aarch64-installer.nix
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TX1)
# - ttyAMA0: for QEMU's -machine virt
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
boot.initrd.availableKernelModules = [
# Allows early (earlier) modesetting for the Raspberry Pi
"vc4" "bcm2835_dma" "i2c_bcm2835"
# Allows early (earlier) modesetting for Allwinner SoCs
"sun4i_drm" "sun8i_drm_hdmi" "sun8i_mixer"
];
sdImage = {
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
[pi3]
kernel=u-boot-rpi3.bin
[pi4]
kernel=u-boot-rpi4.bin
enable_gic=1
armstub=armstub8-gic.bin
# Otherwise the resolution will be weird in most cases, compared to
# what the pi3 firmware does by default.
disable_overscan=1
[all]
# Boot in 64-bit mode.
arm_64bit=1
# U-Boot needs this to work, regardless of whether UART is actually used or not.
# Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still
# a requirement in the future.
enable_uart=1
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
# Add the config
cp ${configTxt} firmware/config.txt
# Add pi3 specific files
cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin
# Add pi4 specific files
cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin
cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
config = {
warnings = [
''
.../cd-dvd/sd-image-aarch64.nix is deprecated and will eventually be removed.
Please switch to .../sd-card/sd-image-aarch64-installer.nix, instead.
''
];
};
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

61
nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
View File

@ -1,57 +1,14 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{ config, ... }:
{
imports = [
../../profiles/base.nix
../../profiles/installation-device.nix
./sd-image.nix
../sd-card/sd-image-armv7l-multiplatform-installer.nix
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_latest;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TK1)
# - ttymxc0: for i.MX6 (Wandboard)
# - ttyAMA0: for Allwinner (pcDuino3 Nano) and QEMU's -machine virt
# - ttyO0: for OMAP (BeagleBone Black)
# - ttySAC2: for Exynos (ODROID-XU3)
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
sdImage = {
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
[pi2]
kernel=u-boot-rpi2.bin
[pi3]
kernel=u-boot-rpi3.bin
# U-Boot used to need this to work, regardless of whether UART is actually used or not.
# TODO: check when/if this can be removed.
enable_uart=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
cp ${pkgs.ubootRaspberryPi2}/u-boot.bin firmware/u-boot-rpi2.bin
cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin firmware/u-boot-rpi3.bin
cp ${configTxt} firmware/config.txt
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
config = {
warnings = [
''
.../cd-dvd/sd-image-armv7l-multiplatform.nix is deprecated and will eventually be removed.
Please switch to .../sd-card/sd-image-armv7l-multiplatform-installer.nix, instead.
''
];
};
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

50
nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
View File

@ -1,46 +1,14 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{ config, ... }:
{
imports = [
../../profiles/base.nix
../../profiles/installation-device.nix
./sd-image.nix
../sd-card/sd-image-raspberrypi-installer.nix
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_rpi1;
sdImage = {
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
[pi0]
kernel=u-boot-rpi0.bin
[pi1]
kernel=u-boot-rpi1.bin
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin firmware/u-boot-rpi0.bin
cp ${pkgs.ubootRaspberryPi}/u-boot.bin firmware/u-boot-rpi1.bin
cp ${configTxt} firmware/config.txt
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
config = {
warnings = [
''
.../cd-dvd/sd-image-raspberrypi.nix is deprecated and will eventually be removed.
Please switch to .../sd-card/sd-image-raspberrypi-installer.nix, instead.
''
];
};
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

18
nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix
View File

@ -1,8 +1,14 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/cd-dvd/sd-image-raspberrypi4.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{ config, ... }:
{
imports = [ ./sd-image-aarch64.nix ];
boot.kernelPackages = pkgs.linuxPackages_rpi4;
imports = [
../sd-card/sd-image-raspberrypi4-installer.nix
];
config = {
warnings = [
''
.../cd-dvd/sd-image-raspberrypi4.nix is deprecated and will eventually be removed.
Please switch to .../sd-card/sd-image-raspberrypi4-installer.nix, instead.
''
];
};
}

247
nixos/modules/installer/cd-dvd/sd-image.nix
View File

@ -1,245 +1,14 @@
# This module creates a bootable SD card image containing the given NixOS
# configuration. The generated image is MBR partitioned, with a FAT
# /boot/firmware partition, and ext4 root partition. The generated image
# is sized to fit its contents, and a boot script automatically resizes
# the root partition to fit the device on the first boot.
#
# The firmware partition is built with expectation to hold the Raspberry
# Pi firmware and bootloader, and be removed and replaced with a firmware
# build for the target SoC for other board families.
#
# The derivation for the SD image will be placed in
# config.system.build.sdImage
{ config, lib, pkgs, ... }:
with lib;
let
rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({
inherit (config.sdImage) storePaths;
compressImage = true;
populateImageCommands = config.sdImage.populateRootCommands;
volumeLabel = "NIXOS_SD";
} // optionalAttrs (config.sdImage.rootPartitionUUID != null) {
uuid = config.sdImage.rootPartitionUUID;
});
in
{ config, ... }:
{
imports = [
(mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID.")
(mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 partition. The FAT partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.")
../sd-card/sd-image.nix
];
options.sdImage = {
imageName = mkOption {
default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img";
description = ''
Name of the generated image file.
'';
};
imageBaseName = mkOption {
default = "nixos-sd-image";
description = ''
Prefix of the name of the generated image file.
'';
};
storePaths = mkOption {
type = with types; listOf package;
example = literalExample "[ pkgs.stdenv ]";
description = ''
Derivations to be included in the Nix store in the generated SD image.
'';
};
firmwarePartitionID = mkOption {
type = types.str;
default = "0x2178694e";
description = ''
Volume ID for the /boot/firmware partition on the SD card. This value
must be a 32-bit hexadecimal number.
'';
};
firmwarePartitionName = mkOption {
type = types.str;
default = "FIRMWARE";
description = ''
Name of the filesystem which holds the boot firmware.
'';
};
rootPartitionUUID = mkOption {
type = types.nullOr types.str;
default = null;
example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7";
description = ''
UUID for the filesystem on the main NixOS partition on the SD card.
'';
};
firmwareSize = mkOption {
type = types.int;
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 30;
description = ''
Size of the /boot/firmware partition, in megabytes.
'';
};
populateFirmwareCommands = mkOption {
example = literalExample "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''";
description = ''
Shell commands to populate the ./firmware directory.
All files in that directory are copied to the
/boot/firmware partition on the SD image.
'';
};
populateRootCommands = mkOption {
example = literalExample "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''";
description = ''
Shell commands to populate the ./files directory.
All files in that directory are copied to the
root (/) partition on the SD image. Use this to
populate the ./files/boot (/boot) directory.
'';
};
postBuildCommands = mkOption {
example = literalExample "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''";
default = "";
description = ''
Shell commands to run after the image is built.
Can be used for boards requiring to dd u-boot SPL before actual partitions.
'';
};
compressImage = mkOption {
type = types.bool;
default = true;
description = ''
Whether the SD image should be compressed using
<command>zstd</command>.
'';
};
};
config = {
fileSystems = {
"/boot/firmware" = {
device = "/dev/disk/by-label/${config.sdImage.firmwarePartitionName}";
fsType = "vfat";
# Alternatively, this could be removed from the configuration.
# The filesystem is not needed at runtime, it could be treated
# as an opaque blob instead of a discrete FAT32 filesystem.
options = [ "nofail" "noauto" ];
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
sdImage.storePaths = [ config.system.build.toplevel ];
system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs,
mtools, libfaketime, util-linux, zstd }: stdenv.mkDerivation {
name = config.sdImage.imageName;
nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime util-linux zstd ];
inherit (config.sdImage) compressImage;
buildCommand = ''
mkdir -p $out/nix-support $out/sd-image
export img=$out/sd-image/${config.sdImage.imageName}
echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system
if test -n "$compressImage"; then
echo "file sd-image $img.zst" >> $out/nix-support/hydra-build-products
else
echo "file sd-image $img" >> $out/nix-support/hydra-build-products
fi
echo "Decompressing rootfs image"
zstd -d --no-progress "${rootfsImage}" -o ./root-fs.img
# Gap in front of the first partition, in MiB
gap=8
# Create the image file sized to fit /boot/firmware and /, plus slack for the gap.
rootSizeBlocks=$(du -B 512 --apparent-size ./root-fs.img | awk '{ print $1 }')
firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512))
imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024))
truncate -s $imageSize $img
# type=b is 'W95 FAT32', type=83 is 'Linux'.
# The "bootable" partition is where u-boot will look file for the bootloader
# information (dtbs, extlinux.conf file).
sfdisk $img <<EOF
label: dos
label-id: ${config.sdImage.firmwarePartitionID}
start=''${gap}M, size=$firmwareSizeBlocks, type=b
start=$((gap + ${toString config.sdImage.firmwareSize}))M, type=83, bootable
EOF
# Copy the rootfs into the SD image
eval $(partx $img -o START,SECTORS --nr 2 --pairs)
dd conv=notrunc if=./root-fs.img of=$img seek=$START count=$SECTORS
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
eval $(partx $img -o START,SECTORS --nr 1 --pairs)
truncate -s $((SECTORS * 512)) firmware_part.img
faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
# Populate the files intended for /boot/firmware
mkdir firmware
${config.sdImage.populateFirmwareCommands}
# Copy the populated /boot/firmware into the SD image
(cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::)
# Verify the FAT partition before copying it.
fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
${config.sdImage.postBuildCommands}
if test -n "$compressImage"; then
zstd -T$NIX_BUILD_CORES --rm $img
fi
'';
}) {};
boot.postBootCommands = ''
# On the first boot do some maintenance tasks
if [ -f /nix-path-registration ]; then
set -euo pipefail
set -x
# Figure out device names for the boot device and root filesystem.
rootPart=$(${pkgs.util-linux}/bin/findmnt -n -o SOURCE /)
bootDevice=$(lsblk -npo PKNAME $rootPart)
partNum=$(lsblk -npo MAJ:MIN $rootPart | ${pkgs.gawk}/bin/awk -F: '{print $2}')
# Resize the root partition and the filesystem to fit the disk
echo ",+," | sfdisk -N$partNum --no-reread $bootDevice
${pkgs.parted}/bin/partprobe
${pkgs.e2fsprogs}/bin/resize2fs $rootPart
# Register the contents of the initial Nix store
${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration
# nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
touch /etc/NIXOS
${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
# Prevents this from running on later boots.
rm -f /nix-path-registration
fi
'';
warnings = [
''
.../cd-dvd/sd-image.nix is deprecated and will eventually be removed.
Please switch to .../sd-card/sd-image.nix, instead.
''
];
};
}

2
nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix
View File

@ -26,7 +26,7 @@ let
# A clue for the kernel loading
kernelParams = pkgs.writeText "kernel-params.txt" ''
Kernel Parameters:
init=/boot/init systemConfig=/boot/init ${toString config.boot.kernelParams}
init=/boot/init ${toString config.boot.kernelParams}
'';
# System wide nixpkgs config

4
nixos/modules/installer/cd-dvd/system-tarball-pc.nix
View File

@ -23,13 +23,13 @@ let
label nixos
MENU LABEL ^NixOS using nfsroot
KERNEL bzImage
append ip=dhcp nfsroot=/home/pcroot systemConfig=${config.system.build.toplevel} init=${config.system.build.toplevel}/init rw
append ip=dhcp nfsroot=/home/pcroot init=${config.system.build.toplevel}/init rw
# I don't know how to make this boot with nfsroot (using the initrd)
label nixos_initrd
MENU LABEL NixOS booting the poor ^initrd.
KERNEL bzImage
append initrd=initrd ip=dhcp nfsroot=/home/pcroot systemConfig=${config.system.build.toplevel} init=${config.system.build.toplevel}/init rw
append initrd=initrd ip=dhcp nfsroot=/home/pcroot init=${config.system.build.toplevel}/init rw
label memtest
MENU LABEL ^${pkgs.memtest86.name}

10
nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix Normal file
View File

@ -0,0 +1,10 @@
{
imports = [
../../profiles/installation-device.nix
./sd-image-aarch64.nix
];
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

10
nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel-installer.nix Normal file
View File

@ -0,0 +1,10 @@
{
imports = [
../../profiles/installation-device.nix
./sd-image-aarch64-new-kernel.nix
];
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

7
nixos/modules/installer/sd-card/sd-image-aarch64-new-kernel.nix Normal file
View File

@ -0,0 +1,7 @@
{ pkgs, ... }:
{
imports = [ ./sd-image-aarch64.nix ];
boot.kernelPackages = pkgs.linuxPackages_latest;
}

75
nixos/modules/installer/sd-card/sd-image-aarch64.nix Normal file
View File

@ -0,0 +1,75 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/sd-card/sd-image-aarch64.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{
imports = [
../../profiles/base.nix
./sd-image.nix
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TX1)
# - ttyAMA0: for QEMU's -machine virt
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
boot.initrd.availableKernelModules = [
# Allows early (earlier) modesetting for the Raspberry Pi
"vc4" "bcm2835_dma" "i2c_bcm2835"
# Allows early (earlier) modesetting for Allwinner SoCs
"sun4i_drm" "sun8i_drm_hdmi" "sun8i_mixer"
];
sdImage = {
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
[pi3]
kernel=u-boot-rpi3.bin
[pi4]
kernel=u-boot-rpi4.bin
enable_gic=1
armstub=armstub8-gic.bin
# Otherwise the resolution will be weird in most cases, compared to
# what the pi3 firmware does by default.
disable_overscan=1
[all]
# Boot in 64-bit mode.
arm_64bit=1
# U-Boot needs this to work, regardless of whether UART is actually used or not.
# Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still
# a requirement in the future.
enable_uart=1
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
# Add the config
cp ${configTxt} firmware/config.txt
# Add pi3 specific files
cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin
# Add pi4 specific files
cp ${pkgs.ubootRaspberryPi4_64bit}/u-boot.bin firmware/u-boot-rpi4.bin
cp ${pkgs.raspberrypi-armstubs}/armstub8-gic.bin firmware/armstub8-gic.bin
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/bcm2711-rpi-4-b.dtb firmware/
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}

10
nixos/modules/installer/sd-card/sd-image-armv7l-multiplatform-installer.nix Normal file
View File

@ -0,0 +1,10 @@
{
imports = [
../../profiles/installation-device.nix
./sd-image-armv7l-multiplatform.nix
];
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

52
nixos/modules/installer/sd-card/sd-image-armv7l-multiplatform.nix Normal file
View File

@ -0,0 +1,52 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/sd-card/sd-image-armv7l-multiplatform.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{
imports = [
../../profiles/base.nix
./sd-image.nix
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_latest;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TK1)
# - ttymxc0: for i.MX6 (Wandboard)
# - ttyAMA0: for Allwinner (pcDuino3 Nano) and QEMU's -machine virt
# - ttyO0: for OMAP (BeagleBone Black)
# - ttySAC2: for Exynos (ODROID-XU3)
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
sdImage = {
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
[pi2]
kernel=u-boot-rpi2.bin
[pi3]
kernel=u-boot-rpi3.bin
# U-Boot used to need this to work, regardless of whether UART is actually used or not.
# TODO: check when/if this can be removed.
enable_uart=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
cp ${pkgs.ubootRaspberryPi2}/u-boot.bin firmware/u-boot-rpi2.bin
cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin firmware/u-boot-rpi3.bin
cp ${configTxt} firmware/config.txt
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}

10
nixos/modules/installer/sd-card/sd-image-raspberrypi-installer.nix Normal file
View File

@ -0,0 +1,10 @@
{
imports = [
../../profiles/installation-device.nix
./sd-image-raspberrypi.nix
];
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

41
nixos/modules/installer/sd-card/sd-image-raspberrypi.nix Normal file
View File

@ -0,0 +1,41 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/sd-card/sd-image-raspberrypi.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{
imports = [
../../profiles/base.nix
./sd-image.nix
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_rpi1;
sdImage = {
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
[pi0]
kernel=u-boot-rpi0.bin
[pi1]
kernel=u-boot-rpi1.bin
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin firmware/u-boot-rpi0.bin
cp ${pkgs.ubootRaspberryPi}/u-boot.bin firmware/u-boot-rpi1.bin
cp ${configTxt} firmware/config.txt
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}

10
nixos/modules/installer/sd-card/sd-image-raspberrypi4-installer.nix Normal file
View File

@ -0,0 +1,10 @@
{
imports = [
../../profiles/installation-device.nix
./sd-image-raspberrypi4.nix
];
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
}

8
nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix Normal file
View File

@ -0,0 +1,8 @@
# To build, use:
# nix-build nixos -I nixos-config=nixos/modules/installer/sd-card/sd-image-raspberrypi4.nix -A config.system.build.sdImage
{ config, lib, pkgs, ... }:
{
imports = [ ./sd-image-aarch64.nix ];
boot.kernelPackages = pkgs.linuxPackages_rpi4;
}

245
nixos/modules/installer/sd-card/sd-image.nix Normal file
View File

@ -0,0 +1,245 @@
# This module creates a bootable SD card image containing the given NixOS
# configuration. The generated image is MBR partitioned, with a FAT
# /boot/firmware partition, and ext4 root partition. The generated image
# is sized to fit its contents, and a boot script automatically resizes
# the root partition to fit the device on the first boot.
#
# The firmware partition is built with expectation to hold the Raspberry
# Pi firmware and bootloader, and be removed and replaced with a firmware
# build for the target SoC for other board families.
#
# The derivation for the SD image will be placed in
# config.system.build.sdImage
{ config, lib, pkgs, ... }:
with lib;
let
rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({
inherit (config.sdImage) storePaths;
compressImage = true;
populateImageCommands = config.sdImage.populateRootCommands;
volumeLabel = "NIXOS_SD";
} // optionalAttrs (config.sdImage.rootPartitionUUID != null) {
uuid = config.sdImage.rootPartitionUUID;
});
in
{
imports = [
(mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID.")
(mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 partition. The FAT partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.")
];
options.sdImage = {
imageName = mkOption {
default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img";
description = ''
Name of the generated image file.
'';
};
imageBaseName = mkOption {
default = "nixos-sd-image";
description = ''
Prefix of the name of the generated image file.
'';
};
storePaths = mkOption {
type = with types; listOf package;
example = literalExample "[ pkgs.stdenv ]";
description = ''
Derivations to be included in the Nix store in the generated SD image.
'';
};
firmwarePartitionID = mkOption {
type = types.str;
default = "0x2178694e";
description = ''
Volume ID for the /boot/firmware partition on the SD card. This value
must be a 32-bit hexadecimal number.
'';
};
firmwarePartitionName = mkOption {
type = types.str;
default = "FIRMWARE";
description = ''
Name of the filesystem which holds the boot firmware.
'';
};
rootPartitionUUID = mkOption {
type = types.nullOr types.str;
default = null;
example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7";
description = ''
UUID for the filesystem on the main NixOS partition on the SD card.
'';
};
firmwareSize = mkOption {
type = types.int;
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 30;
description = ''
Size of the /boot/firmware partition, in megabytes.
'';
};
populateFirmwareCommands = mkOption {
example = literalExample "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''";
description = ''
Shell commands to populate the ./firmware directory.
All files in that directory are copied to the
/boot/firmware partition on the SD image.
'';
};
populateRootCommands = mkOption {
example = literalExample "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''";
description = ''
Shell commands to populate the ./files directory.
All files in that directory are copied to the
root (/) partition on the SD image. Use this to
populate the ./files/boot (/boot) directory.
'';
};
postBuildCommands = mkOption {
example = literalExample "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''";
default = "";
description = ''
Shell commands to run after the image is built.
Can be used for boards requiring to dd u-boot SPL before actual partitions.
'';
};
compressImage = mkOption {
type = types.bool;
default = true;
description = ''
Whether the SD image should be compressed using
<command>zstd</command>.
'';
};
};
config = {
fileSystems = {
"/boot/firmware" = {
device = "/dev/disk/by-label/${config.sdImage.firmwarePartitionName}";
fsType = "vfat";
# Alternatively, this could be removed from the configuration.
# The filesystem is not needed at runtime, it could be treated
# as an opaque blob instead of a discrete FAT32 filesystem.
options = [ "nofail" "noauto" ];
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
sdImage.storePaths = [ config.system.build.toplevel ];
system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs,
mtools, libfaketime, util-linux, zstd }: stdenv.mkDerivation {
name = config.sdImage.imageName;
nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime util-linux zstd ];
inherit (config.sdImage) compressImage;
buildCommand = ''
mkdir -p $out/nix-support $out/sd-image
export img=$out/sd-image/${config.sdImage.imageName}
echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system
if test -n "$compressImage"; then
echo "file sd-image $img.zst" >> $out/nix-support/hydra-build-products
else
echo "file sd-image $img" >> $out/nix-support/hydra-build-products
fi
echo "Decompressing rootfs image"
zstd -d --no-progress "${rootfsImage}" -o ./root-fs.img
# Gap in front of the first partition, in MiB
gap=8
# Create the image file sized to fit /boot/firmware and /, plus slack for the gap.
rootSizeBlocks=$(du -B 512 --apparent-size ./root-fs.img | awk '{ print $1 }')
firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512))
imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024))
truncate -s $imageSize $img
# type=b is 'W95 FAT32', type=83 is 'Linux'.
# The "bootable" partition is where u-boot will look file for the bootloader
# information (dtbs, extlinux.conf file).
sfdisk $img <<EOF
label: dos
label-id: ${config.sdImage.firmwarePartitionID}
start=''${gap}M, size=$firmwareSizeBlocks, type=b
start=$((gap + ${toString config.sdImage.firmwareSize}))M, type=83, bootable
EOF
# Copy the rootfs into the SD image
eval $(partx $img -o START,SECTORS --nr 2 --pairs)
dd conv=notrunc if=./root-fs.img of=$img seek=$START count=$SECTORS
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
eval $(partx $img -o START,SECTORS --nr 1 --pairs)
truncate -s $((SECTORS * 512)) firmware_part.img
faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
# Populate the files intended for /boot/firmware
mkdir firmware
${config.sdImage.populateFirmwareCommands}
# Copy the populated /boot/firmware into the SD image
(cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::)
# Verify the FAT partition before copying it.
fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
${config.sdImage.postBuildCommands}
if test -n "$compressImage"; then
zstd -T$NIX_BUILD_CORES --rm $img
fi
'';
}) {};
boot.postBootCommands = ''
# On the first boot do some maintenance tasks
if [ -f /nix-path-registration ]; then
set -euo pipefail
set -x
# Figure out device names for the boot device and root filesystem.
rootPart=$(${pkgs.util-linux}/bin/findmnt -n -o SOURCE /)
bootDevice=$(lsblk -npo PKNAME $rootPart)
partNum=$(lsblk -npo MAJ:MIN $rootPart | ${pkgs.gawk}/bin/awk -F: '{print $2}')
# Resize the root partition and the filesystem to fit the disk
echo ",+," | sfdisk -N$partNum --no-reread $bootDevice
${pkgs.parted}/bin/partprobe
${pkgs.e2fsprogs}/bin/resize2fs $rootPart
# Register the contents of the initial Nix store
${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration
# nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
touch /etc/NIXOS
${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
# Prevents this from running on later boots.
rm -f /nix-path-registration
fi
'';
};
}

2
nixos/modules/misc/crashdump.nix
View File

@ -53,7 +53,7 @@ in
${pkgs.kexectools}/sbin/kexec -p /run/current-system/kernel \
--initrd=/run/current-system/initrd \
--reset-vga --console-vga \
--command-line="systemConfig=$(readlink -f /run/current-system) init=$(readlink -f /run/current-system/init) irqpoll maxcpus=1 reset_devices ${kernelParams}"
--command-line="init=$(readlink -f /run/current-system/init) irqpoll maxcpus=1 reset_devices ${kernelParams}"
'';
kernelParams = [
"crashkernel=${crashdump.reservedMemory}"

4
nixos/modules/module-list.nix
View File

@ -207,7 +207,6 @@
./security/dhparams.nix
./security/duosec.nix
./security/google_oslogin.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix
./security/misc.nix
./security/oath.nix
@ -257,6 +256,8 @@
./services/backup/tsm.nix
./services/backup/zfs-replication.nix
./services/backup/znapzend.nix
./services/blockchain/ethereum/geth.nix
./services/backup/zrepl.nix
./services/cluster/hadoop/default.nix
./services/cluster/k3s/default.nix
./services/cluster/kubernetes/addons/dns.nix
@ -461,6 +462,7 @@
./services/misc/errbot.nix
./services/misc/etcd.nix
./services/misc/etebase-server.nix
./services/misc/etesync-dav.nix
./services/misc/ethminer.nix
./services/misc/exhibitor.nix
./services/misc/felix.nix

2
nixos/modules/profiles/hardened.nix
View File

@ -22,8 +22,6 @@ with lib;
environment.memoryAllocator.provider = mkDefault "scudo";
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
security.protectKernelImage = mkDefault true;

9
nixos/modules/programs/steam.nix
View File

@ -4,6 +4,13 @@ with lib;
let
cfg = config.programs.steam;
steam = pkgs.steam.override {
extraLibraries = pkgs: with config.hardware.opengl;
if pkgs.hostPlatform.is64bit
then [ package ] ++ extraPackages
else [ package32 ] ++ extraPackages32;
};
in {
options.programs.steam.enable = mkEnableOption "steam";
@ -18,7 +25,7 @@ in {
hardware.steam-hardware.enable = true;
environment.systemPackages = [ pkgs.steam ];
environment.systemPackages = [ steam steam.run ];
};
meta.maintainers = with maintainers; [ mkg20001 ];

5
nixos/modules/rename.nix
View File

@ -73,6 +73,11 @@ with lib;
(mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.")
(mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
The hidepid module was removed, since the underlying machinery
is broken when using cgroups-v2.
'')
# Do NOT add any option renames here, see top of the file
];
}

31
nixos/modules/security/hidepid.nix
View File

@ -1,31 +0,0 @@
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = [ maintainers.joachifm ];
doc = ./hidepid.xml;
};
options = {
security.hideProcessInformation = mkOption {
type = types.bool;
default = false;
description = ''
Restrict process information to the owning user.
'';
};
};
config = mkIf config.security.hideProcessInformation {
users.groups.proc.gid = config.ids.gids.proc;
users.groups.proc.members = [ "polkituser" ];
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
# Disable cgroupsv2, which doesn't work with hidepid.
# https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
systemd.enableUnifiedCgroupHierarchy = false;
};
}

28
nixos/modules/security/hidepid.xml
View File

@ -1,28 +0,0 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-hidepid">
<title>Hiding process information</title>
<para>
Setting
<programlisting>
<xref linkend="opt-security.hideProcessInformation"/> = true;
</programlisting>
ensures that access to process information is restricted to the owning user.
This implies, among other things, that command-line arguments remain private.
Unless your deployment relies on unprivileged users being able to inspect the
process information of other users, this option should be safe to enable.
</para>
<para>
Members of the <literal>proc</literal> group are exempt from process
information hiding.
</para>
<para>
To allow a service <replaceable>foo</replaceable> to run without process
information hiding, set
<programlisting>
<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];
</programlisting>
</para>
</chapter>

64
nixos/modules/security/rngd.nix
View File

@ -1,56 +1,16 @@
{ config, lib, pkgs, ... }:
with lib;
{ lib, ... }:
let
cfg = config.security.rngd;
removed = k: lib.mkRemovedOptionModule [ "security" "rngd" k ];
in
{
options = {
security.rngd = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the rng daemon. Devices that the kernel recognises
as entropy sources are handled automatically by krngd.
'';
};
debug = mkOption {
type = types.bool;
default = false;
description = "Whether to enable debug output (-d).";
};
};
};
config = mkIf cfg.enable {
systemd.services.rngd = {
bindsTo = [ "dev-random.device" ];
after = [ "dev-random.device" ];
# Clean shutdown without DefaultDependencies
conflicts = [ "shutdown.target" ];
before = [
"sysinit.target"
"shutdown.target"
];
description = "Hardware RNG Entropy Gatherer Daemon";
# rngd may have to start early to avoid entropy starvation during boot with encrypted swap
unitConfig.DefaultDependencies = false;
serviceConfig = {
ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
+ optionalString cfg.debug " -d";
# PrivateTmp would introduce a circular dependency if /tmp is on tmpfs and swap is encrypted,
# thus depending on rngd before swap, while swap depends on rngd to avoid entropy starvation.
NoNewPrivileges = true;
PrivateNetwork = true;
ProtectSystem = "full";
ProtectHome = true;
};
};
};
imports = [
(removed "enable" ''
rngd is not necessary for any device that the kernel recognises
as an hardware RNG, as it will automatically run the krngd task
to periodically collect random data from the device and mix it
into the kernel's RNG.
'')
(removed "debug"
"The rngd module was removed, so its debug option does nothing.")
];
}

54
nixos/modules/services/backup/zrepl.nix Normal file
View File

@ -0,0 +1,54 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.zrepl;
format = pkgs.formats.yaml { };
configFile = format.generate "zrepl.yml" cfg.settings;
in
{
meta.maintainers = with maintainers; [ cole-h ];
options = {
services.zrepl = {
enable = mkEnableOption "zrepl";
settings = mkOption {
default = { };
description = ''
Configuration for zrepl. See <link
xlink:href="https://zrepl.github.io/configuration.html"/>
for more information.
'';
type = types.submodule {
freeformType = format.type;
};
};
};
};
### Implementation ###
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.zrepl ];
# zrepl looks for its config in this location by default. This
# allows the use of e.g. `zrepl signal wakeup <job>` without having
# to specify the storepath of the config.
environment.etc."zrepl/zrepl.yml".source = configFile;
systemd.packages = [ pkgs.zrepl ];
systemd.services.zrepl = {
requires = [ "local-fs.target" ];
wantedBy = [ "zfs.target" ];
after = [ "zfs.target" ];
path = [ config.boot.zfs.package ];
restartTriggers = [ configFile ];
serviceConfig = {
Restart = "on-failure";
};
};
};
}

178
nixos/modules/services/blockchain/ethereum/geth.nix Normal file
View File

@ -0,0 +1,178 @@
{ config, lib, pkgs, ... }:
with lib;
let
eachGeth = config.services.geth;
gethOpts = { config, lib, name, ...}: {
options = {
enable = lib.mkEnableOption "Go Ethereum Node";
port = mkOption {
type = types.port;
default = 30303;
description = "Port number Go Ethereum will be listening on, both TCP and UDP.";
};
http = {
enable = lib.mkEnableOption "Go Ethereum HTTP API";
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Listen address of Go Ethereum HTTP API.";
};
port = mkOption {
type = types.port;
default = 8545;
description = "Port number of Go Ethereum HTTP API.";
};
apis = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
description = "APIs to enable over WebSocket";
example = ["net" "eth"];
};
};
websocket = {
enable = lib.mkEnableOption "Go Ethereum WebSocket API";
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Listen address of Go Ethereum WebSocket API.";
};
port = mkOption {
type = types.port;
default = 8546;
description = "Port number of Go Ethereum WebSocket API.";
};
apis = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
description = "APIs to enable over WebSocket";
example = ["net" "eth"];
};
};
metrics = {
enable = lib.mkEnableOption "Go Ethereum prometheus metrics";
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Listen address of Go Ethereum metrics service.";
};
port = mkOption {
type = types.port;
default = 6060;
description = "Port number of Go Ethereum metrics service.";
};
};
network = mkOption {
type = types.nullOr (types.enum [ "goerli" "rinkeby" "yolov2" "ropsten" ]);
default = null;
description = "The network to connect to. Mainnet (null) is the default ethereum network.";
};
syncmode = mkOption {
type = types.enum [ "fast" "full" "light" ];
default = "fast";
description = "Blockchain sync mode.";
};
gcmode = mkOption {
type = types.enum [ "full" "archive" ];
default = "full";
description = "Blockchain garbage collection mode.";
};
maxpeers = mkOption {
type = types.int;
default = 50;
description = "Maximum peers to connect to.";
};
extraArgs = mkOption {
type = types.listOf types.str;
description = "Additional arguments passed to Go Ethereum.";
default = [];
};
package = mkOption {
default = pkgs.go-ethereum.geth;
type = types.package;
description = "Package to use as Go Ethereum node.";
};
};
};
in
{
###### interface
options = {
services.geth = mkOption {
type = types.attrsOf (types.submodule gethOpts);
default = {};
description = "Specification of one or more geth instances.";
};
};
###### implementation
config = mkIf (eachGeth != {}) {
environment.systemPackages = flatten (mapAttrsToList (gethName: cfg: [
cfg.package
]) eachGeth);
systemd.services = mapAttrs' (gethName: cfg: (
nameValuePair "geth-${gethName}" (mkIf cfg.enable {
description = "Go Ethereum node (${gethName})";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
DynamicUser = true;
Restart = "always";
StateDirectory = "goethereum/${gethName}/${if (cfg.network == null) then "mainnet" else cfg.network}";
# Hardening measures
PrivateTmp = "true";
ProtectSystem = "full";
NoNewPrivileges = "true";
PrivateDevices = "true";
MemoryDenyWriteExecute = "true";
};
script = ''
${cfg.package}/bin/geth \
--nousb \
--ipcdisable \
${optionalString (cfg.network != null) ''--${cfg.network}''} \
--syncmode ${cfg.syncmode} \
--gcmode ${cfg.gcmode} \
--port ${toString cfg.port} \
--maxpeers ${toString cfg.maxpeers} \
${if cfg.http.enable then ''--http --http.addr ${cfg.http.address} --http.port ${toString cfg.http.port}'' else ""} \
${optionalString (cfg.http.apis != null) ''--http.api ${lib.concatStringsSep "," cfg.http.apis}''} \
${if cfg.websocket.enable then ''--ws --ws.addr ${cfg.websocket.address} --ws.port ${toString cfg.websocket.port}'' else ""} \
${optionalString (cfg.websocket.apis != null) ''--ws.api ${lib.concatStringsSep "," cfg.websocket.apis}''} \
${optionalString cfg.metrics.enable ''--metrics --metrics.addr ${cfg.metrics.address} --metrics.port ${toString cfg.metrics.port}''} \
${lib.escapeShellArgs cfg.extraArgs} \
--datadir /var/lib/goethereum/${gethName}/${if (cfg.network == null) then "mainnet" else cfg.network}
'';
}))) eachGeth;
};
}

15
nixos/modules/services/databases/mysql.nix
View File

@ -375,6 +375,18 @@ in
fi
'';
script = ''
# https://mariadb.com/kb/en/getting-started-with-mariadb-galera-cluster/#systemd-and-galera-recovery
if test -n "''${_WSREP_START_POSITION}"; then
if test -e "${cfg.package}/bin/galera_recovery"; then
VAR=$(cd ${cfg.package}/bin/..; ${cfg.package}/bin/galera_recovery); [[ $? -eq 0 ]] && export _WSREP_START_POSITION=$VAR || exit 1
fi
fi
# The last two environment variables are used for starting Galera clusters
exec ${cfg.package}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION
'';
postStart = let
# The super user account to use on *first* run of MySQL server
superUser = if isMariaDB then cfg.user else "root";
@ -481,8 +493,7 @@ in
Type = if hasNotify then "notify" else "simple";
Restart = "on-abort";
RestartSec = "5s";
# The last two environment variables are used for starting Galera clusters
ExecStart = "${cfg.package}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} $_WSREP_NEW_CLUSTER $_WSREP_START_POSITION";
# User and group
User = cfg.user;
Group = cfg.group;

3
nixos/modules/services/desktops/pipewire/pipewire-media-session.nix
View File

@ -37,7 +37,8 @@ in {
services.pipewire.media-session = {
enable = mkOption {
type = types.bool;
default = true;
default = config.services.pipewire.enable;
defaultText = "config.services.pipewire.enable";
description = "Example pipewire session manager";
};

23
nixos/modules/services/hardware/udev.nix
View File

@ -202,12 +202,26 @@ in
'';
};
extraRules = mkOption {
initrdRules = mkOption {
default = "";
example = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
'';
type = types.lines;
description = ''
<command>udev</command> rules to include in the initrd
<emphasis>only</emphasis>. They'll be written into file
<filename>99-local.rules</filename>. Thus they are read and applied
after the essential initrd rules.
'';
};
extraRules = mkOption {
default = "";
example = ''
ENV{ID_VENDOR_ID}=="046d", ENV{ID_MODEL_ID}=="0825", ENV{PULSE_IGNORE}="1"
'';
type = types.lines;
description = ''
Additional <command>udev</command> rules. They'll be written
into file <filename>99-local.rules</filename>. Thus they are
@ -284,6 +298,13 @@ in
boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ];
boot.initrd.extraUdevRulesCommands = optionalString (cfg.initrdRules != "")
''
cat <<'EOF' > $out/99-local.rules
${cfg.initrdRules}
EOF
'';
environment.etc =
{
"udev/rules.d".source = udevRules;

92
nixos/modules/services/misc/etesync-dav.nix Normal file
View File

@ -0,0 +1,92 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.etesync-dav;
in
{
options.services.etesync-dav = {
enable = mkEnableOption "etesync-dav";
host = mkOption {
type = types.str;
default = "localhost";
description = "The server host address.";
};
port = mkOption {
type = types.port;
default = 37358;
description = "The server host port.";
};
apiUrl = mkOption {
type = types.str;
default = "https://api.etesync.com/";
description = "The url to the etesync API.";
};
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
sslCertificate = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/etesync.crt";
description = ''
Path to server SSL certificate. It will be copied into
etesync-dav's data directory.
'';
};
sslCertificateKey = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/etesync.key";
description = ''
Path to server SSL certificate key. It will be copied into
etesync-dav's data directory.
'';
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
systemd.services.etesync-dav = {
description = "etesync-dav - A CalDAV and CardDAV adapter for EteSync";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.etesync-dav ];
environment = {
ETESYNC_LISTEN_ADDRESS = cfg.host;
ETESYNC_LISTEN_PORT = toString cfg.port;
ETESYNC_URL = cfg.apiUrl;
ETESYNC_DATA_DIR = "/var/lib/etesync-dav";
};
serviceConfig = {
Type = "simple";
DynamicUser = true;
StateDirectory = "etesync-dav";
ExecStart = "${pkgs.etesync-dav}/bin/etesync-dav";
ExecStartPre = mkIf (cfg.sslCertificate != null || cfg.sslCertificateKey != null) (
pkgs.writers.writeBash "etesync-dav-copy-keys" ''
${optionalString (cfg.sslCertificate != null) ''
cp ${toString cfg.sslCertificate} $STATE_DIRECTORY/etesync.crt
''}
${optionalString (cfg.sslCertificateKey != null) ''
cp ${toString cfg.sslCertificateKey} $STATE_DIRECTORY/etesync.key
''}
''
);
Restart = "on-failure";
RestartSec = "30min 1s";
};
};
};
}

3
nixos/modules/services/networking/dhcpcd.nix
View File

@ -191,9 +191,8 @@ in
{ description = "DHCP Client";
wantedBy = [ "multi-user.target" ] ++ optional (!hasDefaultGatewaySet) "network-online.target";
wants = [ "network.target" "systemd-udev-settle.service" ];
wants = [ "network.target" ];
before = [ "network-online.target" ];
after = [ "systemd-udev-settle.service" ];
restartTriggers = [ exitHook ];

1
nixos/modules/services/networking/dnscrypt-proxy2.nix
View File

@ -113,7 +113,6 @@ in
"~@memlock"
"~@resources"
"~@setuid"
"~@sync"
"~@timer"
];
};

65
nixos/modules/services/security/clamav.nix
View File

@ -8,30 +8,19 @@ let
cfg = config.services.clamav;
pkg = pkgs.clamav;
clamdConfigFile = pkgs.writeText "clamd.conf" ''
DatabaseDirectory ${stateDir}
LocalSocket ${runDir}/clamd.ctl
PidFile ${runDir}/clamd.pid
TemporaryDirectory /tmp
User clamav
Foreground yes
toKeyValue = generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault {} " ";
listsAsDuplicateKeys = true;
};
${cfg.daemon.extraConfig}
'';
freshclamConfigFile = pkgs.writeText "freshclam.conf" ''
DatabaseDirectory ${stateDir}
Foreground yes
Checks ${toString cfg.updater.frequency}
${cfg.updater.extraConfig}
DatabaseMirror database.clamav.net
'';
clamdConfigFile = pkgs.writeText "clamd.conf" (toKeyValue cfg.daemon.settings);
freshclamConfigFile = pkgs.writeText "freshclam.conf" (toKeyValue cfg.updater.settings);
in
{
imports = [
(mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])
(mkRemovedOptionModule [ "services" "clamav" "updater" "config" ] "Use services.clamav.updater.settings instead.")
(mkRemovedOptionModule [ "services" "clamav" "updater" "extraConfig" ] "Use services.clamav.updater.settings instead.")
(mkRemovedOptionModule [ "services" "clamav" "daemon" "extraConfig" ] "Use services.clamav.daemon.settings instead.")
];
options = {
@ -39,12 +28,12 @@ in
daemon = {
enable = mkEnableOption "ClamAV clamd daemon";
extraConfig = mkOption {
type = types.lines;
default = "";
settings = mkOption {
type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);
default = {};
description = ''
Extra configuration for clamd. Contents will be added verbatim to the
configuration file.
ClamAV configuration. Refer to <link xlink:href="https://linux.die.net/man/5/clamd.conf"/>,
for details on supported values.
'';
};
};
@ -68,12 +57,12 @@ in
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
settings = mkOption {
type = with types; attrsOf (oneOf [ bool int str (listOf str) ]);
default = {};
description = ''
Extra configuration for freshclam. Contents will be added verbatim to the
configuration file.
freshclam configuration. Refer to <link xlink:href="https://linux.die.net/man/5/freshclam.conf"/>,
for details on supported values.
'';
};
};
@ -93,6 +82,22 @@ in
users.groups.${clamavGroup} =
{ gid = config.ids.gids.clamav; };
services.clamav.daemon.settings = {
DatabaseDirectory = stateDir;
LocalSocket = "${runDir}/clamd.ctl";
PidFile = "${runDir}/clamd.pid";
TemporaryDirectory = "/tmp";
User = "clamav";
Foreground = true;
};
services.clamav.updater.settings = {
DatabaseDirectory = stateDir;
Foreground = true;
Checks = cfg.updater.frequency;
DatabaseMirror = [ "database.clamav.net" ];
};
environment.etc."clamav/freshclam.conf".source = freshclamConfigFile;
environment.etc."clamav/clamd.conf".source = clamdConfigFile;

7
nixos/modules/services/ttys/kmscon.nix
View File

@ -82,11 +82,8 @@ in {
X-RestartIfChanged=false
'';
systemd.units."autovt@.service".unit = pkgs.runCommand "unit" { preferLocalBuild = true; }
''
mkdir -p $out
ln -s ${config.systemd.units."kmsconvt@.service".unit}/kmsconvt@.service $out/autovt@.service
'';
systemd.suppressedSystemUnits = [ "autovt@.service" ];
systemd.units."kmsconvt@.service".aliases = [ "autovt@.service" ];
systemd.services.systemd-vconsole-setup.enable = false;

2
nixos/modules/services/web-apps/miniflux.nix
View File

@ -44,7 +44,7 @@ in
'';
description = ''
Configuration for Miniflux, refer to
<link xlink:href="http://docs.miniflux.app/en/latest/configuration.html"/>
<link xlink:href="https://miniflux.app/docs/configuration.html"/>
for documentation on the supported values.
'';
};

12
nixos/modules/services/x11/display-managers/gdm.nix
View File

@ -183,14 +183,20 @@ in
"systemd-udev-settle.service"
];
systemd.services.display-manager.conflicts = [
"getty@tty${gdm.initialVT}.service"
# TODO: Add "plymouth-quit.service" so GDM can control when plymouth quits.
# Currently this breaks switching configurations while using plymouth.
"getty@tty${gdm.initialVT}.service"
"plymouth-quit.service"
];
systemd.services.display-manager.onFailure = [
"plymouth-quit.service"
];
# Prevent nixos-rebuild switch from bringing down the graphical
# session. (If multi-user.target wants plymouth-quit.service which
# conflicts display-manager.service, then when nixos-rebuild
# switch starts multi-user.target, display-manager.service is
# stopped so plymouth-quit.service can be started.)
systemd.services.plymouth-quit.wantedBy = lib.mkForce [];
systemd.services.display-manager.serviceConfig = {
# Restart = "always"; - already defined in xserver.nix
KillMode = "mixed";

2
nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh
View File

@ -109,7 +109,7 @@ addEntry() {
exit 1
fi
fi
echo " APPEND systemConfig=$path init=$path/init $extraParams"
echo " APPEND init=$path/init $extraParams"
}
tmpFile="$target/extlinux/extlinux.conf.tmp.$$"

207
nixos/modules/system/boot/loader/grub/install-grub.pl
View File

@ -102,10 +102,10 @@ if (stat($bootPath)->dev != stat("/nix/store")->dev) {
# Discover information about the location of the bootPath
struct(Fs => {
device => '$',
type => '$',
mount => '$',
});
device => '$',
type => '$',
mount => '$',
});
sub PathInMount {
my ($path, $mount) = @_;
my @splitMount = split /\//, $mount;
@ -154,16 +154,16 @@ sub GetFs {
return $bestFs;
}
struct (Grub => {
path => '$',
search => '$',
});
path => '$',
search => '$',
});
my $driveid = 1;
sub GrubFs {
my ($dir) = @_;
my $fs = GetFs($dir);
my $path = substr($dir, length($fs->mount));
if (substr($path, 0, 1) ne "/") {
$path = "/$path";
$path = "/$path";
}
my $search = "";
@ -251,8 +251,8 @@ my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n";
if ($grubVersion == 1) {
$conf .= "
default $defaultEntry
timeout $timeout
default $defaultEntry
timeout $timeout
";
if ($splashImage) {
copy $splashImage, "$bootPath/background.xpm.gz" or die "cannot copy $splashImage to $bootPath: $!\n";
@ -302,51 +302,51 @@ else {
if ($copyKernels == 0) {
$conf .= "
" . $grubStore->search;
" . $grubStore->search;
}
# FIXME: should use grub-mkconfig.
$conf .= "
" . $grubBoot->search . "
if [ -s \$prefix/grubenv ]; then
load_env
fi
" . $grubBoot->search . "
if [ -s \$prefix/grubenv ]; then
load_env
fi
# grub-reboot sets a one-time saved entry, which we process here and
# then delete.
if [ \"\${next_entry}\" ]; then
set default=\"\${next_entry}\"
set next_entry=
save_env next_entry
set timeout=1
else
set default=$defaultEntry
set timeout=$timeout
fi
# grub-reboot sets a one-time saved entry, which we process here and
# then delete.
if [ \"\${next_entry}\" ]; then
set default=\"\${next_entry}\"
set next_entry=
save_env next_entry
set timeout=1
else
set default=$defaultEntry
set timeout=$timeout
fi
# Setup the graphics stack for bios and efi systems
if [ \"\${grub_platform}\" = \"efi\" ]; then
insmod efi_gop
insmod efi_uga
else
insmod vbe
fi
# Setup the graphics stack for bios and efi systems
if [ \"\${grub_platform}\" = \"efi\" ]; then
insmod efi_gop
insmod efi_uga
else
insmod vbe
fi
";
if ($font) {
copy $font, "$bootPath/converted-font.pf2" or die "cannot copy $font to $bootPath: $!\n";
$conf .= "
insmod font
if loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/converted-font.pf2; then
insmod gfxterm
if [ \"\${grub_platform}\" = \"efi\" ]; then
set gfxmode=$gfxmodeEfi
set gfxpayload=$gfxpayloadEfi
else
set gfxmode=$gfxmodeBios
set gfxpayload=$gfxpayloadBios
fi
terminal_output gfxterm
fi
insmod font
if loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/converted-font.pf2; then
insmod gfxterm
if [ \"\${grub_platform}\" = \"efi\" ]; then
set gfxmode=$gfxmodeEfi
set gfxpayload=$gfxpayloadEfi
else
set gfxmode=$gfxmodeBios
set gfxpayload=$gfxpayloadBios
fi
terminal_output gfxterm
fi
";
}
if ($splashImage) {
@ -363,14 +363,14 @@ else {
}
copy $splashImage, "$bootPath/background$suffix" or die "cannot copy $splashImage to $bootPath: $!\n";
$conf .= "
insmod " . substr($suffix, 1) . "
if background_image --mode '$splashMode' " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/background$suffix; then
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
insmod " . substr($suffix, 1) . "
if background_image --mode '$splashMode' " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/background$suffix; then
set color_normal=white/black
set color_highlight=black/white
else
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
fi
";
}
@ -380,21 +380,21 @@ else {
# Copy theme
rcopy($theme, "$bootPath/theme") or die "cannot copy $theme to $bootPath\n";
$conf .= "
# Sets theme.
set theme=" . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/theme.txt
export theme
# Load theme fonts, if any
";
# Sets theme.
set theme=" . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/theme.txt
export theme
# Load theme fonts, if any
";
find( { wanted => sub {
if ($_ =~ /\.pf2$/i) {
$font = File::Spec->abs2rel($File::Find::name, $theme);
$conf .= "
loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/$font
";
}
}, no_chdir => 1 }, $theme );
}
find( { wanted => sub {
if ($_ =~ /\.pf2$/i) {
$font = File::Spec->abs2rel($File::Find::name, $theme);
$conf .= "
loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/$font
";
}
}, no_chdir => 1 }, $theme );
}
}
$conf .= "$extraConfig\n";
@ -433,25 +433,25 @@ sub addEntry {
# Include second initrd with secrets
if (-e -x "$path/append-initrd-secrets") {
my $initrdName = basename($initrd);
my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";
my $initrdName = basename($initrd);
my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";
mkpath(dirname($initrdSecretsPath), 0, 0755);
my $oldUmask = umask;
# Make sure initrd is not world readable (won't work if /boot is FAT)
umask 0137;
my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets: $!\n";
# Check whether any secrets were actually added
if (-e $initrdSecretsPathTemp && ! -z _) {
rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place: $!\n";
$copied{$initrdSecretsPath} = 1;
$initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";
} else {
unlink $initrdSecretsPathTemp;
rmdir dirname($initrdSecretsPathTemp);
}
umask $oldUmask;
mkpath(dirname($initrdSecretsPath), 0, 0755);
my $oldUmask = umask;
# Make sure initrd is not world readable (won't work if /boot is FAT)
umask 0137;
my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets: $!\n";
# Check whether any secrets were actually added
if (-e $initrdSecretsPathTemp && ! -z _) {
rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place: $!\n";
$copied{$initrdSecretsPath} = 1;
$initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";
} else {
unlink $initrdSecretsPathTemp;
rmdir dirname($initrdSecretsPathTemp);
}
umask $oldUmask;
}
my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
@ -459,9 +459,8 @@ sub addEntry {
# FIXME: $confName
my $kernelParams =
"systemConfig=" . Cwd::abs_path($path) . " " .
"init=" . Cwd::abs_path("$path/init") . " " .
readFile("$path/kernel-params");
"init=" . Cwd::abs_path("$path/init") . " " .
readFile("$path/kernel-params");
my $xenParams = $xen && -e "$path/xen-params" ? readFile("$path/xen-params") : "";
if ($grubVersion == 1) {
@ -503,9 +502,9 @@ foreach my $link (@links) {
my $date = strftime("%F", localtime(lstat($link)->mtime));
my $version =
-e "$link/nixos-version"
? readFile("$link/nixos-version")
: basename((glob(dirname(Cwd::abs_path("$link/kernel")) . "/lib/modules/*"))[0]);
-e "$link/nixos-version"
? readFile("$link/nixos-version")
: basename((glob(dirname(Cwd::abs_path("$link/kernel")) . "/lib/modules/*"))[0]);
if ($cfgName) {
$entryName = $cfgName;
@ -530,8 +529,8 @@ sub addProfile {
sub nrFromGen { my ($x) = @_; $x =~ /\/\w+-(\d+)-link/; return $1; }
my @links = sort
{ nrFromGen($b) <=> nrFromGen($a) }
(glob "$profile-*-link");
{ nrFromGen($b) <=> nrFromGen($a) }
(glob "$profile-*-link");
my $curEntry = 0;
foreach my $link (@links) {
@ -542,9 +541,9 @@ sub addProfile {
}
my $date = strftime("%F", localtime(lstat($link)->mtime));
my $version =
-e "$link/nixos-version"
? readFile("$link/nixos-version")
: basename((glob(dirname(Cwd::abs_path("$link/kernel")) . "/lib/modules/*"))[0]);
-e "$link/nixos-version"
? readFile("$link/nixos-version")
: basename((glob(dirname(Cwd::abs_path("$link/kernel")) . "/lib/modules/*"))[0]);
addEntry("NixOS - Configuration " . nrFromGen($link) . " ($date - $version)", $link);
}
@ -566,7 +565,7 @@ $extraPrepareConfig =~ s/\@bootPath\@/$bootPath/g;
# Run extraPrepareConfig in sh
if ($extraPrepareConfig ne "") {
system((get("shell"), "-c", $extraPrepareConfig));
system((get("shell"), "-c", $extraPrepareConfig));
}
# write the GRUB config.
@ -627,13 +626,13 @@ foreach my $fn (glob "$bootPath/kernels/*") {
#
struct(GrubState => {
name => '$',
version => '$',
efi => '$',
devices => '$',
efiMountPoint => '$',
extraGrubInstallArgs => '@',
});
name => '$',
version => '$',
efi => '$',
devices => '$',
efiMountPoint => '$',
extraGrubInstallArgs => '@',
});
# If you add something to the state file, only add it to the end
# because it is read line-by-line.
sub readGrubState {

1
nixos/modules/system/boot/loader/init-script/init-script-builder.sh
View File

@ -49,7 +49,6 @@ addEntry() {
echo "#!/bin/sh"
echo "# $name"
echo "# created by init-script-builder.sh"
echo "export systemConfig=$(readlink -f $path)"
echo "exec $stage2"
)"

2
nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
View File

@ -101,7 +101,7 @@ def write_entry(profile, generation, machine_id):
entry_file = "@efiSysMountPoint@/loader/entries/nixos-generation-%d.conf" % (generation)
generation_dir = os.readlink(system_dir(profile, generation))
tmp_path = "%s.tmp" % (entry_file)
kernel_params = "systemConfig=%s init=%s/init " % (generation_dir, generation_dir)
kernel_params = "init=%s/init " % generation_dir
with open("%s/kernel-params" % (generation_dir)) as params_file:
kernel_params = kernel_params + params_file.read()

3
nixos/modules/system/boot/networkd.nix
View File

@ -1553,9 +1553,6 @@ in
wantedBy = [ "multi-user.target" ];
aliases = [ "dbus-org.freedesktop.network1.service" ];
restartTriggers = map (x: x.source) (attrValues unitFiles);
# prevent race condition with interface renaming (#39069)
requires = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" ];
};
systemd.services.systemd-networkd-wait-online = {

22
nixos/modules/system/boot/plymouth.nix
View File

@ -38,6 +38,14 @@ in
enable = mkEnableOption "Plymouth boot splash screen";
font = mkOption {
default = "${pkgs.dejavu_fonts.minimal}/share/fonts/truetype/DejaVuSans.ttf";
type = types.path;
description = ''
Font file made available for displaying text on the splash screen.
'';
};
themePackages = mkOption {
default = [ nixosBreezePlymouth ];
type = types.listOf types.package;
@ -113,7 +121,7 @@ in
mkdir -p $out/lib/plymouth/renderers
# module might come from a theme
cp ${themesEnv}/lib/plymouth/{text,details,$moduleName}.so $out/lib/plymouth
cp ${themesEnv}/lib/plymouth/{text,details,label,$moduleName}.so $out/lib/plymouth
cp ${plymouth}/lib/plymouth/renderers/{drm,frame-buffer}.so $out/lib/plymouth/renderers
mkdir -p $out/share/plymouth/themes
@ -133,6 +141,17 @@ in
cp -r themes/* $out/share/plymouth/themes
cp ${cfg.logo} $out/share/plymouth/logo.png
mkdir -p $out/share/fonts
cp ${cfg.font} $out/share/fonts
mkdir -p $out/etc/fonts
cat > $out/etc/fonts/fonts.conf <<EOF
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
<fontconfig>
<dir>$out/share/fonts</dir>
</fontconfig>
EOF
'';
boot.initrd.extraUtilsCommandsTest = ''
@ -154,6 +173,7 @@ in
ln -s $extraUtils/share/plymouth/logo.png /etc/plymouth/logo.png
ln -s $extraUtils/share/plymouth/themes /etc/plymouth/themes
ln -s $extraUtils/lib/plymouth /etc/plymouth/plugins
ln -s $extraUtils/etc/fonts /etc/fonts
plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session
plymouth show-splash

13
nixos/modules/system/boot/stage-1.nix
View File

@ -205,13 +205,22 @@ let
''; # */
# Networkd link files are used early by udev to set up interfaces early.
# This must be done in stage 1 to avoid race conditions between udev and
# network daemons.
linkUnits = pkgs.runCommand "link-units" {
allowedReferences = [ extraUtils ];
preferLocalBuild = true;
} ''
} (''
mkdir -p $out
cp -v ${udev}/lib/systemd/network/*.link $out/
'';
'' + (
let
links = filterAttrs (n: v: hasSuffix ".link" n) config.systemd.network.units;
files = mapAttrsToList (n: v: "${v.unit}/${n}") links;
in
concatMapStringsSep "\n" (file: "cp -v ${file} $out/") files
));
udevRules = pkgs.runCommand "udev-rules" {
allowedReferences = [ extraUtils ];

36
nixos/modules/virtualisation/fetch-instance-ssh-keys.bash Normal file
View File

@ -0,0 +1,36 @@
#!/usr/bin/env bash
set -euo pipefail
WGET() {
wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@"
}
# When dealing with cryptographic keys, we want to keep things private.
umask 077
mkdir -p /root/.ssh
echo "Fetching authorized keys..."
WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys
# Read keys one by one, split in case Google decided
# to append metadata (it does sometimes) and add to
# authorized_keys if not already present.
touch /root/.ssh/authorized_keys
while IFS='' read -r line || [[ -n "$line" ]]; do
keyLine=$(echo -n "$line" | cut -d ':' -f2)
IFS=' ' read -r -a array <<<"$keyLine"
if [[ ${#array[@]} -ge 3 ]]; then
echo "${array[@]:0:3}" >>/tmp/new_keys
echo "Added ${array[*]:2} to authorized_keys"
fi
done </tmp/auth_keys
mv /tmp/new_keys /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
echo "Fetching host keys..."
WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key
WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub
mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 644 /etc/ssh/ssh_host_ed25519_key.pub

25
nixos/modules/virtualisation/google-compute-config.nix
View File

@ -69,6 +69,31 @@ in
# GC has 1460 MTU
networking.interfaces.eth0.mtu = 1460;
# Used by NixOps
systemd.services.fetch-instance-ssh-keys = {
description = "Fetch host keys and authorized_keys for root user";
wantedBy = [ "sshd.service" ];
before = [ "sshd.service" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.wget ];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } ''
cp ${./fetch-instance-ssh-keys.bash} $out
chmod +x $out
${pkgs.shfmt}/bin/shfmt -i 4 -d $out
${pkgs.shellcheck}/bin/shellcheck $out
patchShebangs $out
'';
PrivateTmp = true;
StandardError = "journal+console";
StandardOutput = "journal+console";
};
};
systemd.services.google-instance-setup = {
description = "Google Compute Engine Instance Setup";
after = [ "network-online.target" "network.target" "rsyslog.service" ];

2
nixos/modules/virtualisation/hyperv-guest.nix
View File

@ -40,8 +40,6 @@ in {
environment.systemPackages = [ config.boot.kernelPackages.hyperv-daemons.bin ];
security.rngd.enable = false;
# enable hotadding cpu/memory
services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "hyperv-cpu-and-memory-hotadd-udev-rules";

10
nixos/release.nix
View File

@ -171,23 +171,23 @@ in rec {
sd_image = forMatchingSystems [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ] (system: makeSdImage {
module = {
armv6l-linux = ./modules/installer/cd-dvd/sd-image-raspberrypi.nix;
armv7l-linux = ./modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix;
aarch64-linux = ./modules/installer/cd-dvd/sd-image-aarch64.nix;
armv6l-linux = ./modules/installer/sd-card/sd-image-raspberrypi-installer.nix;
armv7l-linux = ./modules/installer/sd-card/sd-image-armv7l-multiplatform-installer.nix;
aarch64-linux = ./modules/installer/sd-card/sd-image-aarch64-installer.nix;
}.${system};
inherit system;
});
sd_image_new_kernel = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage {
module = {
aarch64-linux = ./modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix;
aarch64-linux = ./modules/installer/sd-card/sd-image-aarch64-new-kernel-installer.nix;
}.${system};
type = "minimal-new-kernel";
inherit system;
});
sd_image_raspberrypi4 = forMatchingSystems [ "aarch64-linux" ] (system: makeSdImage {
module = ./modules/installer/cd-dvd/sd-image-raspberrypi4.nix;
module = ./modules/installer/sd-card/sd-image-raspberrypi4-installer.nix;
inherit system;
});

4
nixos/tests/all-tests.nix
View File

@ -182,10 +182,10 @@ in
jenkins = handleTest ./jenkins.nix {};
jirafeau = handleTest ./jirafeau.nix {};
jitsi-meet = handleTest ./jitsi-meet.nix {};
jq = handleTest ./jq.nix {};
k3s = handleTest ./k3s.nix {};
kafka = handleTest ./kafka.nix {};
keepalived = handleTest ./keepalived.nix {};
keepassxc = handleTest ./keepassxc.nix {};
kerberos = handleTest ./kerberos/default.nix {};
kernel-latest = handleTest ./kernel-latest.nix {};
kernel-lts = handleTest ./kernel-lts.nix {};
@ -343,8 +343,6 @@ in
samba = handleTest ./samba.nix {};
samba-wsdd = handleTest ./samba-wsdd.nix {};
sanoid = handleTest ./sanoid.nix {};
sbt = handleTest ./sbt.nix {};
sbt-extras = handleTest ./sbt-extras.nix {};
sddm = handleTest ./sddm.nix {};
searx = handleTest ./searx.nix {};
service-runner = handleTest ./service-runner.nix {};

1
nixos/tests/bind.nix
View File

@ -6,6 +6,7 @@ import ./make-test-python.nix {
services.bind.extraOptions = "empty-zones-enable no;";
services.bind.zones = lib.singleton {
name = ".";
master = true;
file = pkgs.writeText "root.zone" ''
$TTL 3600
. IN SOA ns.example.org. admin.example.org. ( 1 3h 1h 1w 1d )

41
nixos/tests/geth.nix Normal file
View File

@ -0,0 +1,41 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "geth";
meta = with pkgs.lib; {
maintainers = with maintainers; [bachp ];
};
machine = { ... }: {
services.geth."mainnet" = {
enable = true;
http = {
enable = true;
};
};
services.geth."testnet" = {
enable = true;
port = 30304;
network = "goerli";
http = {
enable = true;
port = 18545;
};
};
};
testScript = ''
start_all()
machine.wait_for_unit("geth-mainnet.service")
machine.wait_for_unit("geth-testnet.service")
machine.wait_for_open_port(8545)
machine.wait_for_open_port(18545)
machine.succeed(
'geth attach --exec "eth.chainId()" http://localhost:8545 | grep \'"0x0"\' '
)
machine.succeed(
'geth attach --exec "eth.chainId()" http://localhost:18545 | grep \'"0x5"\' '
)
'';
})

11
nixos/tests/hardened.nix
View File

@ -65,17 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
machine.succeed("grep -Fq wireguard /proc/modules")
# Test hidepid
with subtest("hidepid=2 option is applied and works"):
# Linux >= 5.8 shows "invisible"
machine.succeed(
"grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts"
)
# cannot use pgrep -u here, it segfaults when access to process info is denied
machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]")
machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]")
# Test kernel module hardening
with subtest("No more kernel modules can be loaded"):
# note: this better a be module we normally wouldn't load ...

10
nixos/tests/jq.nix
View File

@ -1,10 +0,0 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "jq";
meta = with pkgs.lib.maintainers; { maintainers = [ nequissimus ]; };
nodes.jq = { pkgs, ... }: { environment.systemPackages = [ pkgs.jq ]; };
testScript = ''
assert "world" in jq.succeed('echo \'{"values":["hello","world"]}\'| jq \'.values[1]\''')
'';
})

34
nixos/tests/keepassxc.nix Normal file
View File

@ -0,0 +1,34 @@
import ./make-test-python.nix ({ pkgs, ...} :
{
name = "keepassxc";
meta = with pkgs.lib.maintainers; {
maintainers = [ turion ];
};
machine = { ... }:
{
imports = [
./common/user-account.nix
./common/x11.nix
];
services.xserver.enable = true;
test-support.displayManager.auto.user = "alice";
environment.systemPackages = [ pkgs.keepassxc ];
};
enableOCR = true;
testScript = { nodes, ... }: ''
start_all()
machine.wait_for_x()
# start KeePassXC window
machine.execute("su - alice -c keepassxc &")
machine.wait_for_text("KeePassXC ${pkgs.keepassxc.version}")
machine.screenshot("KeePassXC")
'';
})

26
nixos/tests/networking.nix
View File

@ -35,7 +35,7 @@ let
extraConfig = flip concatMapStrings vlanIfs (n: ''
subnet 192.168.${toString n}.0 netmask 255.255.255.0 {
option routers 192.168.${toString n}.1;
range 192.168.${toString n}.2 192.168.${toString n}.254;
range 192.168.${toString n}.3 192.168.${toString n}.254;
}
'')
;
@ -672,6 +672,30 @@ let
), "The IPv6 routing table has not been properly cleaned:\n{}".format(ipv6Residue)
'';
};
rename = {
name = "RenameInterface";
machine = { pkgs, ... }: {
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = false;
};
} //
(if networkd
then { systemd.network.links."10-custom_name" = {
matchConfig.MACAddress = "52:54:00:12:01:01";
linkConfig.Name = "custom_name";
};
}
else { services.udev.initrdRules = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="custom_name"
'';
});
testScript = ''
machine.succeed("udevadm settle")
print(machine.succeed("ip link show dev custom_name"))
'';
};
# even with disabled networkd, systemd.network.links should work
# (as it's handled by udev, not networkd)
link = {

16
nixos/tests/sbt-extras.nix
View File

@ -1,16 +0,0 @@
import ./make-test-python.nix ({ pkgs, ...} : {
name = "sbt-extras";
meta = with pkgs.lib.maintainers; {
maintainers = [ nequissimus ];
};
machine = { pkgs, ... }:
{
environment.systemPackages = [ pkgs.sbt-extras ];
};
testScript =
''
machine.succeed("(sbt -h)")
'';
})

18
nixos/tests/sbt.nix
View File

@ -1,18 +0,0 @@
import ./make-test-python.nix ({ pkgs, ...} : {
name = "sbt";
meta = with pkgs.lib.maintainers; {
maintainers = [ nequissimus ];
};
machine = { pkgs, ... }:
{
environment.systemPackages = [ pkgs.sbt ];
};
testScript =
''
machine.succeed(
"(sbt --offline --version 2>&1 || true) | grep 'getting org.scala-sbt sbt ${pkgs.sbt.version} (this may take some time)'"
)
'';
})

4
nixos/tests/traefik.nix
View File

@ -11,8 +11,8 @@ import ./make-test-python.nix ({ pkgs, ... }: {
environment.systemPackages = [ pkgs.curl ];
};
traefik = { config, pkgs, ... }: {
docker-containers.nginx = {
extraDockerOptions = [
virtualisation.oci-containers.containers.nginx = {
extraOptions = [
"-l" "traefik.enable=true"
"-l" "traefik.http.routers.nginx.entrypoints=web"
"-l" "traefik.http.routers.nginx.rule=Host(`nginx.traefik.test`)"

4
pkgs/applications/audio/bslizr/default.nix
View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "BSlizr";
version = "1.2.8";
version = "1.2.10";
src = fetchFromGitHub {
owner = "sjaehn";
repo = pname;
rev = version;
sha256 = "1f7xrljvsy7a1p8c7wln2zhwarl3ara7gbjxkpyh47wfdpigpdb0";
sha256 = "sha256-tEGJrVg8dN9Torybx02qIpXsGOuCgn/Wb+jemfCjiK4=";
};
nativeBuildInputs = [ pkg-config ];

33
pkgs/applications/audio/ebumeter/default.nix Normal file
View File

@ -0,0 +1,33 @@
{ lib, stdenv, fetchurl
, libX11, libXft, libclthreads, libclxclient, libjack2, libpng, libsndfile, zita-resampler
}:
stdenv.mkDerivation rec {
pname = "ebumeter";
version = "0.4.2";
src = fetchurl {
url = "https://kokkinizita.linuxaudio.org/linuxaudio/downloads/${pname}-${version}.tar.bz2";
sha256 = "1wm9j1phmpicrp7jdsvdbc3mghdd92l61yl9qbps0brq2ljjyd5s";
};
buildInputs = [
libX11 libXft libclthreads libclxclient libjack2 libpng libsndfile zita-resampler
];
preConfigure = ''
cd source
'';
makeFlags = [ "PREFIX=$(out)" ];
enableParallelBuilding = true;
meta = with lib; {
description = "Level metering according to the EBU R-128 recommendation";
homepage = "http://kokkinizita.linuxaudio.org/linuxaudio/index.html";
license = licenses.gpl2Plus;
maintainers = with maintainers; [ orivej ];
platforms = platforms.linux;
};
}

1
pkgs/applications/audio/gnome-podcasts/default.nix
View File

@ -1,7 +1,6 @@
{ lib
, rustPlatform
, fetchFromGitLab
, fetchpatch
, meson
, ninja
, gettext

18
pkgs/applications/audio/mmtc/default.nix
View File

@ -1,17 +1,27 @@
{ fetchFromGitHub, lib, rustPlatform }:
{ fetchFromGitHub, installShellFiles, lib, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "mmtc";
version = "0.2.12";
version = "0.2.13";
src = fetchFromGitHub {
owner = "figsoda";
repo = pname;
rev = "v${version}";
sha256 = "1chcnv8wql6v2vckpzvq6sxgpss7mnxaj008jdm8xalhw9d496s4";
sha256 = "0ag87hgdg6fvk80fgznba0xjlcajks5w5s6y8lvwhz9irn2kq2rz";
};
cargoSha256 = "06b0hag3s5irvi57n0hc97agfw4sw783lkkl1b26iap6mfbvrqma";
cargoSha256 = "06xqh0mqbik00qyg8mn1ddbn15v3pdwvh1agghg22xgx53kmnxb3";
nativeBuildInputs = [ installShellFiles ];
preFixup = ''
completions=($releaseDir/build/mmtc-*/out/completions)
installShellCompletion ''${completions[0]}/mmtc.{bash,fish}
installShellCompletion --zsh ''${completions[0]}/_mmtc
'';
GEN_COMPLETIONS = "1";
meta = with lib; {
description = "Minimal mpd terminal client that aims to be simple yet highly configurable";

4
pkgs/applications/audio/ncmpc/default.nix
View File

@ -18,13 +18,13 @@ assert pcreSupport -> pcre != null;
stdenv.mkDerivation rec {
pname = "ncmpc";
version = "0.44";
version = "0.45";
src = fetchFromGitHub {
owner = "MusicPlayerDaemon";
repo = "ncmpc";
rev = "v${version}";
sha256 = "sha256-Qu41TL8KSKC9L25D6Z8bEbJUJQ9QI08grTGZ+0qGdUQ=";
sha256 = "sha256-KDSHbEZ2PJLEIlXqPvBQ2ZPWno+IoajTjkl9faAXIko=";
};
buildInputs = [ glib ncurses libmpdclient boost ]

5
pkgs/applications/audio/picard/default.nix
View File

@ -40,11 +40,6 @@ in pythonPackages.buildPythonApplication rec {
dateutil
];
prePatch = ''
# Pesky unicode punctuation.
substituteInPlace setup.cfg --replace "" "'"
'';
# In order to spare double wrapping, we use:
preFixup = ''
makeWrapperArgs+=("''${qtWrapperArgs[@]}")

103
pkgs/applications/audio/pragha/default.nix Normal file
View File

@ -0,0 +1,103 @@
{ lib
, intltool
, mkDerivation
, installShellFiles
, pkg-config
, fetchFromGitHub
, dbus-glib
, desktop-file-utils
, hicolor-icon-theme
, pcre
, qtbase
, sqlite
, taglib
, zlib
, gtk3
, libpeas
, libcddb
, libcdio
, gst_all_1, withGstPlugins ? true
, glyr, withGlyr ? true
, liblastfmSF, withLastfm ? true
, libcdio-paranoia, withCD ? true
, keybinder3, withKeybinder ? false
, libnotify, withLibnotify ? false
, libsoup, withLibsoup ? false
, libgudev, withGudev ? false # experimental
, libmtp, withMtp ? false # experimental
, xfce, withXfce4ui ? false
, totem-pl-parser, withTotemPlParser ? false
# , grilo, withGrilo ? false
# , rygel, withRygel ? true
}:
assert withGlyr -> withLastfm;
assert withLastfm -> withCD;
mkDerivation rec {
pname = "pragha";
version = "1.3.4";
src = fetchFromGitHub {
owner = "pragha-music-player";
repo = "pragha";
rev = "v${version}";
sha256 = "sha256:0n8gx8amg5l9g4w7s4agjf8mlmpgjydgzx3vryp9lzzs9xrd5vqh";
};
nativeBuildInputs = [
intltool
pkg-config
xfce.xfce4-dev-tools
desktop-file-utils
installShellFiles
];
buildInputs = with gst_all_1; [
dbus-glib
gstreamer
gst-plugins-base
gtk3
hicolor-icon-theme
libpeas
pcre
qtbase
sqlite
taglib
zlib
]
++ lib.optionals withGstPlugins [ gst-plugins-good gst-plugins-bad gst-plugins-ugly ]
++ lib.optionals withCD [ libcddb libcdio libcdio-paranoia ]
++ lib.optional withGudev libgudev
++ lib.optional withKeybinder keybinder3
++ lib.optional withLibnotify libnotify
++ lib.optional withLastfm liblastfmSF
++ lib.optional withGlyr glyr
++ lib.optional withLibsoup libsoup
++ lib.optional withMtp libmtp
++ lib.optional withXfce4ui xfce.libxfce4ui
++ lib.optional withTotemPlParser totem-pl-parser
# ++ lib.optional withGrilo grilo
# ++ lib.optional withRygel rygel
;
CFLAGS = [ "-DHAVE_PARANOIA_NEW_INCLUDES" ];
NIX_CFLAGS_COMPILE = "-I${lib.getDev gst_all_1.gst-plugins-base}/include/gstreamer-1.0";
postInstall = ''
qtWrapperArgs+=(--prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0")
install -m 444 data/${pname}.desktop $out/share/applications
install -d $out/share/pixmaps
installManPage data/${pname}.1
'';
meta = with lib; {
description = "A lightweight GTK+ music manager - fork of Consonance Music Manager";
homepage = "https://pragha-music-player.github.io/";
license = licenses.gpl3Plus;
maintainers = with maintainers; [ mbaeten ];
platforms = platforms.unix;
};
}

1
pkgs/applications/audio/shortwave/default.nix
View File

@ -14,7 +14,6 @@
, openssl
, pkg-config
, python3
, rust
, rustc
, rustPlatform
, sqlite

6
pkgs/applications/audio/spotifyd/default.nix
View File

@ -1,4 +1,4 @@
{ lib, fetchFromGitHub, rustPackages, pkg-config, openssl
{ lib, fetchFromGitHub, rustPackages_1_45, pkg-config, openssl
, withALSA ? true, alsaLib ? null
, withPulseAudio ? false, libpulseaudio ? null
, withPortAudio ? false, portaudio ? null
@ -7,7 +7,7 @@
, dbus ? null
}:
rustPackages.rustPlatform.buildRustPackage rec {
rustPackages_1_45.rustPlatform.buildRustPackage rec {
pname = "spotifyd";
version = "0.3.0";
@ -39,7 +39,7 @@ rustPackages.rustPlatform.buildRustPackage rec {
meta = with lib; {
description = "An open source Spotify client running as a UNIX daemon";
homepage = "https://github.com/Spotifyd/spotifyd";
license = with licenses; [ gpl3 ];
license = licenses.gpl3Plus;
maintainers = with maintainers; [ anderslundstedt Br1ght0ne marsam ];
platforms = platforms.unix;
};

1
pkgs/applications/audio/tuijam/default.nix
View File

@ -2,7 +2,6 @@
, fetchFromGitHub
, lib
, python3Packages
, youtube-dl
}:
buildPythonApplication rec {

4
pkgs/applications/blockchains/ergo/default.nix
View File

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "ergo";
version = "3.3.6";
version = "4.0.0";
src = fetchurl {
url = "https://github.com/ergoplatform/ergo/releases/download/v${version}/ergo-${version}.jar";
sha256 = "1zi559ixjxxsrpvvjbxa1d0g96px3h9amjvy149sfhp7b8w5hhk3";
sha256 = "sha256-M0kgd/txqc04WNLNZiq+imHMM9YGFd12jMWJyY2ExrY=";
};
nativeBuildInputs = [ makeWrapper ];

17
pkgs/applications/blockchains/go-ethereum.nix
View File

@ -1,6 +1,12 @@
{ lib, stdenv, buildGoModule, fetchFromGitHub, libobjc, IOKit }:
buildGoModule rec {
let
# A list of binaries to put into separate outputs
bins = [
"geth"
];
in buildGoModule rec {
pname = "go-ethereum";
version = "1.9.25";
@ -16,6 +22,13 @@ buildGoModule rec {
doCheck = false;
outputs = [ "out" ] ++ bins;
# Move binaries to separate outputs and symlink them back to $out
postInstall = lib.concatStringsSep "\n" (
builtins.map (bin: "mkdir -p \$${bin}/bin && mv $out/bin/${bin} \$${bin}/bin/ && ln -s \$${bin}/bin/${bin} $out/bin/") bins
);
subPackages = [
"cmd/abidump"
"cmd/abigen"
@ -40,7 +53,7 @@ buildGoModule rec {
meta = with lib; {
homepage = "https://geth.ethereum.org/";
description = "Official golang implementation of the Ethereum protocol";
license = with licenses; [ lgpl3 gpl3 ];
license = with licenses; [ lgpl3Plus gpl3Plus ];
maintainers = with maintainers; [ adisbladis lionello xrelkd RaghavSood ];
};
}

2
pkgs/applications/editors/bluej/default.nix
View File

@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
description = "A simple integrated development environment for Java";
homepage = "https://www.bluej.org/";
license = licenses.gpl2ClasspathPlus;
maintainers = [ maintainers.charvp ];
maintainers = [ maintainers.chvp ];
platforms = platforms.unix;
};
}

92
pkgs/applications/editors/emacs-modes/manual-packages.nix
View File

@ -1,4 +1,4 @@
{ lib, external, pkgs }: self: with self; with lib.licenses; {
{ lib, pkgs }: self: with self; with lib.licenses; {
elisp-ffi = melpaBuild rec {
pname = "elisp-ffi";
@ -9,7 +9,7 @@
rev = version;
sha256 = "0z2n3h5l5fj8wl8i1ilfzv11l3zba14sgph6gz7dx7q12cnp9j22";
};
buildInputs = [ external.libffi ];
buildInputs = [ pkgs.libffi ];
preBuild = "make";
recipe = pkgs.writeText "recipe" ''
(elisp-ffi
@ -29,15 +29,15 @@
};
};
agda2-mode = with external; trivialBuild {
agda2-mode = trivialBuild {
pname = "agda-mode";
version = Agda.version;
version = pkgs.haskellPackages.Agda.version;
phases = [ "buildPhase" "installPhase" ];
# already byte-compiled by Agda builder
buildPhase = ''
agda=`${Agda}/bin/agda-mode locate`
agda=`${pkgs.haskellPackages.Agda}/bin/agda-mode locate`
cp `dirname $agda`/*.el* .
'';
@ -47,21 +47,21 @@
Wrapper packages that liberates init.el from `agda-mode locate` magic.
Simply add this to user profile or systemPackages and do `(require 'agda2)` in init.el.
'';
homepage = Agda.meta.homepage;
license = Agda.meta.license;
homepage = pkgs.haskellPackages.Agda.meta.homepage;
license = pkgs.haskellPackages.Agda.meta.license;
};
};
agda-input = self.trivialBuild {
pname = "agda-input";
inherit (external.Agda) src version;
inherit (pkgs.haskellPackages.Agda) src version;
postUnpack = "mv $sourceRoot/src/data/emacs-mode/agda-input.el $sourceRoot";
meta = {
description = "Standalone package providing the agda-input method without building Agda.";
inherit (external.Agda.meta) homepage license;
inherit (pkgs.haskellPackages.Agda.meta) homepage license;
};
};
@ -74,10 +74,10 @@
ghc-mod = melpaBuild {
pname = "ghc";
version = external.ghc-mod.version;
src = external.ghc-mod.src;
version = pkgs.haskellPackages.ghc-mod.version;
src = pkgs.haskellPackages.ghc-mod.src;
packageRequires = [ haskell-mode ];
propagatedUserEnvPkgs = [ external.ghc-mod ];
propagatedUserEnvPkgs = [ pkgs.haskellPackages.ghc-mod ];
recipe = pkgs.writeText "recipe" ''
(ghc-mod :repo "DanielG/ghc-mod" :fetcher github :files ("elisp/*.el"))
'';
@ -113,19 +113,83 @@
jam-mode = callPackage ./jam-mode { };
llvm-mode = trivialBuild {
pname = "llvm-mode";
inherit (pkgs.llvmPackages.llvm) src version;
dontConfigure = true;
buildPhase = ''
cp utils/emacs/*.el .
'';
meta = {
inherit (pkgs.llvmPackages.llvm.meta) homepage license;
description = "Major mode for the LLVM assembler language.";
};
};
matrix-client = melpaBuild {
pname = "matrix-client";
version = "0.3.0";
src = pkgs.fetchFromGitHub {
owner = "alphapapa";
repo = "matrix-client.el";
rev = "d2ac55293c96d4c95971ed8e2a3f6f354565c5ed";
sha256 = "1scfv1502yg7x4bsl253cpr6plml1j4d437vci2ggs764sh3rcqq";
};
patches = [
(pkgs.fetchpatch {
url = "https://github.com/alphapapa/matrix-client.el/commit/5f49e615c7cf2872f48882d3ee5c4a2bff117d07.patch";
sha256 = "07bvid7s1nv1377p5n61q46yww3m1w6bw4vnd4iyayw3fby1lxbm";
})
];
packageRequires = [
anaphora
cl-lib
self.map
dash-functional
esxml
f
ov
tracking
rainbow-identifiers
dash
s
request
frame-purpose
a
ht
];
recipe = pkgs.writeText "recipe" ''
(matrix-client
:repo "alphapapa/matrix-client.el"
:fetcher github)
'';
meta = {
description = "A chat client and API wrapper for Matrix.org";
license = gpl3Plus;
};
};
org-mac-link =
callPackage ./org-mac-link { };
ott-mode = self.trivialBuild {
pname = "ott-mod";
inherit (external.ott) src version;
inherit (pkgs.ott) src version;
postUnpack = "mv $sourceRoot/emacs/ott-mode.el $sourceRoot";
meta = {
description = "Standalone package providing ott-mode without building ott and with compiled bytecode.";
inherit (external.Agda.meta) homepage license;
inherit (pkgs.haskellPackages.Agda.meta) homepage license;
};
};

54
pkgs/applications/editors/emacs-modes/melpa-packages.nix
View File

@ -22,7 +22,7 @@ instantenous and formats commits for you.
*/
{ lib, external, pkgs }: variant: self:
{ lib, pkgs }: variant: self:
let
dontConfigure = pkg:
if pkg != null then pkg.override (args: {
@ -53,7 +53,7 @@ let
});
fix-rtags = pkg:
if pkg != null then dontConfigure (externalSrc pkg external.rtags)
if pkg != null then dontConfigure (externalSrc pkg pkgs.rtags)
else null;
generateMelpa = lib.makeOverridable ({ archiveJson ? ./recipes-archive-melpa.json
@ -79,9 +79,9 @@ let
};
auto-complete-clang-async = super.auto-complete-clang-async.overrideAttrs (old: {
buildInputs = old.buildInputs ++ [ external.llvmPackages.llvm ];
CFLAGS = "-I${external.llvmPackages.clang}/include";
LDFLAGS = "-L${external.llvmPackages.clang}/lib";
buildInputs = old.buildInputs ++ [ pkgs.llvmPackages.llvm ];
CFLAGS = "-I${pkgs.llvmPackages.clang}/include";
LDFLAGS = "-L${pkgs.llvmPackages.clang}/lib";
});
# part of a larger package
@ -132,8 +132,8 @@ let
flycheck-rtags = fix-rtags super.flycheck-rtags;
pdf-tools = super.pdf-tools.overrideAttrs (old: {
nativeBuildInputs = [ external.pkg-config ];
buildInputs = with external; old.buildInputs ++ [ autoconf automake libpng zlib poppler ];
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = with pkgs; old.buildInputs ++ [ autoconf automake libpng zlib poppler ];
preBuild = "make server/epdfinfo";
recipe = pkgs.writeText "recipe" ''
(pdf-tools
@ -143,7 +143,7 @@ let
});
# Build same version as Haskell package
hindent = (externalSrc super.hindent external.hindent).overrideAttrs (attrs: {
hindent = (externalSrc super.hindent pkgs.haskellPackages.hindent).overrideAttrs (attrs: {
packageRequires = [ self.haskell-mode ];
});
@ -169,7 +169,7 @@ let
dontUseCmakeBuildDir = true;
doCheck = true;
packageRequires = [ self.emacs ];
nativeBuildInputs = [ external.cmake external.llvmPackages.llvm external.llvmPackages.clang ];
nativeBuildInputs = [ pkgs.cmake pkgs.llvmPackages.llvm pkgs.llvmPackages.clang ];
});
# tries to write a log file to $HOME
@ -286,18 +286,28 @@ let
# part of a larger package
notmuch = dontConfigure super.notmuch;
rtags = dontConfigure (externalSrc super.rtags external.rtags);
rtags = dontConfigure (externalSrc super.rtags pkgs.rtags);
rtags-xref = dontConfigure super.rtags;
shm = super.shm.overrideAttrs (attrs: {
propagatedUserEnvPkgs = [ external.structured-haskell-mode ];
propagatedUserEnvPkgs = [ pkgs.haskellPackages.structured-haskell-mode ];
});
# Telega has a server portion for it's network protocol
telega = super.telega.overrideAttrs (old: {
buildInputs = old.buildInputs ++ [ pkgs.tdlib ];
nativeBuildInputs = [ external.pkg-config ];
nativeBuildInputs = [ pkgs.pkg-config ];
postPatch = ''
substituteInPlace telega-customize.el \
--replace 'defcustom telega-server-command "telega-server"' \
"defcustom telega-server-command \"$out/bin/telega-server\""
substituteInPlace telega-sticker.el --replace '"dwebp"' '"${pkgs.libwebp}/bin/dwebp"'
substituteInPlace telega-vvnote.el --replace '"ffmpeg' '"${pkgs.ffmpeg}/bin/ffmpeg'
'';
postBuild = ''
cd source/server
@ -314,12 +324,12 @@ let
treemacs-magit = super.treemacs-magit.overrideAttrs (attrs: {
# searches for Git at build time
nativeBuildInputs =
(attrs.nativeBuildInputs or [ ]) ++ [ external.git ];
(attrs.nativeBuildInputs or [ ]) ++ [ pkgs.git ];
});
vdiff-magit = super.vdiff-magit.overrideAttrs (attrs: {
nativeBuildInputs =
(attrs.nativeBuildInputs or [ ]) ++ [ external.git ];
(attrs.nativeBuildInputs or [ ]) ++ [ pkgs.git ];
});
zmq = super.zmq.overrideAttrs (old: {
@ -328,11 +338,11 @@ let
make
'';
nativeBuildInputs = [
external.autoconf
external.automake
external.pkg-config
external.libtool
(external.zeromq.override { enableDrafts = true; })
pkgs.autoconf
pkgs.automake
pkgs.pkg-config
pkgs.libtool
(pkgs.zeromq.override { enableDrafts = true; })
];
postInstall = ''
mv $out/share/emacs/site-lisp/elpa/zmq-*/src/.libs/emacs-zmq.so $out/share/emacs/site-lisp/elpa/zmq-*
@ -415,7 +425,7 @@ let
window-numbering = markBroken super.window-numbering;
editorconfig = super.editorconfig.overrideAttrs (attrs: {
propagatedUserEnvPkgs = [ external.editorconfig-core-c ];
propagatedUserEnvPkgs = [ pkgs.editorconfig-core-c ];
});
# missing dependencies
@ -433,7 +443,7 @@ let
racer = super.racer.overrideAttrs (attrs: {
postPatch = attrs.postPatch or "" + ''
substituteInPlace racer.el \
--replace /usr/local/src/rust/src ${external.rustPlatform.rustcSrc}
--replace /usr/local/src/rust/src ${pkgs.rustPlatform.rustcSrc}
'';
});
@ -462,7 +472,7 @@ let
w3m = super.w3m.override (args: {
melpaBuild = drv: args.melpaBuild (drv // {
prePatch =
let w3m = "${lib.getBin external.w3m}/bin/w3m"; in
let w3m = "${lib.getBin pkgs.w3m}/bin/w3m"; in
''
substituteInPlace w3m.el \
--replace 'defcustom w3m-command nil' \

1
pkgs/applications/editors/emacs/26.nix
View File

@ -2,7 +2,6 @@ import ./generic.nix (rec {
version = "26.3";
sha256 = "119ldpk7sgn9jlpyngv5y4z3i7bb8q3xp4p0qqi7i5nq39syd42d";
patches = [
./clean-env-26.patch
./tramp-detect-wrapped-gvfsd-26.patch
];
})

1
pkgs/applications/editors/emacs/27.nix
View File

@ -2,7 +2,6 @@ import ./generic.nix (rec {
version = "27.1";
sha256 = "0h9f2wpmp6rb5rfwvqwv1ia1nw86h74p7hnz3vb3gjazj67i4k2a";
patches = [
./clean-env.patch
./tramp-detect-wrapped-gvfsd.patch
];
})

15
pkgs/applications/editors/emacs/clean-env-26.patch
View File

@ -1,15 +0,0 @@
Dump temacs in an empty environment to prevent -dev paths from ending
up in the dumped image.
diff --git a/src/Makefile.in b/src/Makefile.in
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -535,7 +535,7 @@ ifeq ($(CANNOT_DUMP),yes)
ln -f temacs$(EXEEXT) $@
else
unset EMACS_HEAP_EXEC; \
- LC_ALL=C $(RUN_TEMACS) -batch $(BUILD_DETAILS) -l loadup dump
+ env -i LC_ALL=C $(RUN_TEMACS) -batch $(BUILD_DETAILS) -l loadup dump
ifneq ($(PAXCTL_dumped),)
$(PAXCTL_dumped) $@
endif

16
pkgs/applications/editors/emacs/clean-env.patch
View File

@ -1,16 +0,0 @@
Dump temacs in an empty environment to prevent -dev paths from ending
up in the dumped image.
diff --git a/src/Makefile.in b/src/Makefile.in
index fd05a45df5..13f529c253 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -570,7 +570,7 @@ emacs$(EXEEXT): temacs$(EXEEXT) \
lisp.mk $(etc)/DOC $(lisp) \
$(lispsource)/international/charprop.el ${charsets}
ifeq ($(DUMPING),unexec)
- LC_ALL=C $(RUN_TEMACS) -batch $(BUILD_DETAILS) -l loadup --temacs=dump
+ env -i LC_ALL=C $(RUN_TEMACS) -batch $(BUILD_DETAILS) -l loadup --temacs=dump
ifneq ($(PAXCTL_dumped),)
$(PAXCTL_dumped) emacs$(EXEEXT)
endif

18
pkgs/applications/editors/emacs/generic.nix
View File

@ -63,6 +63,12 @@ let emacs = stdenv.mkDerivation (lib.optionalAttrs nativeComp {
rm -fr .git
'')
# Reduce closure size by cleaning the environment of the emacs dumper
''
substituteInPlace src/Makefile.in \
--replace 'RUN_TEMACS = ./temacs' 'RUN_TEMACS = env -i ./temacs'
''
''
substituteInPlace lisp/international/mule-cmds.el \
--replace /usr/share/locale ${gettext}/share/locale
@ -159,10 +165,14 @@ let emacs = stdenv.mkDerivation (lib.optionalAttrs nativeComp {
'' + lib.optionalString (nativeComp && withNS) ''
ln -snf $out/lib/emacs/*/native-lisp $out/Applications/Emacs.app/Contents/native-lisp
'' + lib.optionalString nativeComp ''
$out/bin/emacs --batch \
-l comp --eval "(mapatoms (lambda (s) \
(when (subr-primitive-p (symbol-function s)) \
(comp-trampoline-compile s))))"
echo "Generating native-compiled trampolines..."
# precompile trampolines in parallel, but avoid spawning one process per trampoline.
# 1000 is a rough lower bound on the number of trampolines compiled.
$out/bin/emacs --batch --eval "(mapatoms (lambda (s) \
(when (subr-primitive-p (symbol-function s)) (print s))))" \
| xargs -n $((1000/NIX_BUILD_CORES + 1)) -P $NIX_BUILD_CORES \
$out/bin/emacs --batch -l comp --eval "(while argv \
(comp-trampoline-compile (intern (pop argv))))"
mkdir -p $out/share/emacs/native-lisp
$out/bin/emacs --batch \
--eval "(add-to-list 'comp-eln-load-path \"$out/share/emacs/native-lisp\")" \

7
pkgs/applications/editors/emacs/macport.nix
View File

@ -26,8 +26,6 @@ stdenv.mkDerivation rec {
sha256 = "0f2wzdw2a3ac581322b2y79rlj3c9f33ddrq9allj97r1si6v5xk";
};
patches = [ ./clean-env.patch ];
enableParallelBuilding = true;
nativeBuildInputs = [ pkg-config autoconf automake ];
@ -57,6 +55,11 @@ stdenv.mkDerivation rec {
# Fix sandbox impurities.
substituteInPlace Makefile.in --replace '/bin/pwd' 'pwd'
substituteInPlace lib-src/Makefile.in --replace '/bin/pwd' 'pwd'
# Reduce closure size by cleaning the environment of the emacs dumper
substituteInPlace src/Makefile.in \
--replace 'RUN_TEMACS = ./temacs' 'RUN_TEMACS = env -i ./temacs'
'';
configureFlags = [

1
pkgs/applications/editors/gnome-builder/default.nix
View File

@ -35,7 +35,6 @@
, wrapGAppsHook
, dbus
, xvfb_run
, glib
}:
stdenv.mkDerivation rec {

2
pkgs/applications/editors/greenfoot/default.nix
View File

@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
description = "A simple integrated development environment for Java";
homepage = "https://www.greenfoot.org/";
license = licenses.gpl2ClasspathPlus;
maintainers = [ maintainers.charvp ];
maintainers = [ maintainers.chvp ];
platforms = platforms.unix;
};
}

4
pkgs/applications/editors/kakoune/plugins/default.nix
View File

@ -1,7 +1,7 @@
{ pkgs, parinfer-rust, rep }:
{ pkgs, parinfer-rust, rep, kak-lsp }:
{
inherit parinfer-rust rep;
inherit parinfer-rust rep kak-lsp;
case-kak = pkgs.callPackage ./case.kak.nix { };
kak-ansi = pkgs.callPackage ./kak-ansi.nix { };

Some files were not shown because too many files have changed in this diff Show More