Merge remote-tracking branch 'upstream/master' into openbsd-static

This commit is contained in:
John Ericson 2024-07-09 18:18:47 -04:00
commit 000b58721f
4137 changed files with 81786 additions and 37469 deletions

1
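--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use nix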
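Review bot: The new `.envrc` contains only `use nix`, which makes direnv evaluate and source the repository's `shell.nix` whenever an allowed checkout is entered, so anyone who can change `shell.nix` gets code execution on every contributor machine that has run `direnv allow` here. As far as I know direnv re-prompts for `allow` only when `.envrc` itself changes, not when `shell.nix` does, which is presumably why CODEOWNERS in this same commit assigns both files to @NixOS/Security. A one-line comment would make that expectation visible to contributors: `# Loads ./shell.nix via direnv; review shell.nix changes before re-entering the directory`.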


@ -121,3 +121,17 @@ c759efa5e7f825913f9a69ef20f025f50f56dc4d
# python3Packages: format with nixfmt
59b1aef59071cae6e87859dc65de973d2cc595c0
# treewide description changes (#317959)
bf995e3641950f4183c1dd9010349263dfa0123b
755b915a158c9d588f08e9b08da9f7f3422070cc
f8c4a98e8e138e21353a2c33b90db3359f539b37
# vscode-extensions.*: format with nixfmt (RFC 166)
7bf9febfa6271012b1ef86647a3a06f06875fdcf
# remove uses of mdDoc (#303841)
1a24330f792c8625746d07d842290e6fd95ae6f9
acd0e3898feb321cb9a71a0fd376f1157d0f4553
1b28414d2886c57343864326dbb745a634d3e37d
6afb255d976f85f3359e4929abd6f5149c323a02

22
.github/CODEOWNERS vendored

@ -19,6 +19,7 @@
# Develompent support
/.editorconfig @Mic92 @zowoq
/shell.nix @infinisil @NixOS/Security
/.envrc @infinisil @NixOS/Security
# Libraries
/lib @infinisil
@ -53,7 +54,7 @@
/pkgs/build-support/setup-hooks/auto-patchelf.py @layus
/pkgs/pkgs-lib @infinisil
## Format generators/serializers
/pkgs/pkgs-lib/formats/libconfig @ckiee @h7x4
/pkgs/pkgs-lib/formats/libconfig @h7x4
/pkgs/pkgs-lib/formats/hocon @h7x4
# pkgs/by-name
@ -108,6 +109,9 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @raitobezarius
# NixOS QEMU virtualisation
/nixos/virtualisation/qemu-vm.nix @raitobezarius
# ACME
/nixos/modules/security/acme @arianvp @flokli @aanderse # no merge permission: @m1cr0man @emilazy
# Systemd
/nixos/modules/system/boot/systemd.nix @NixOS/systemd
/nixos/modules/system/boot/systemd @NixOS/systemd
@ -129,8 +133,11 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @raitobezarius
/pkgs/common-updater/scripts/update-source-version @jtojnar
# Python-related code and docs
/doc/languages-frameworks/python.section.md @mweinelt
/pkgs/development/interpreters/python/hooks
/doc/languages-frameworks/python.section.md @mweinelt @natsukium
/maintainers/scripts/update-python-libraries @natsukium
/pkgs/development/interpreters/python @natsukium
/pkgs/top-level/python-packages.nix @natsukium
/pkgs/top-level/release-python.nix @natsukium
# Haskell
/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn @ncfavier
@ -225,18 +232,15 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/nixos/modules/services/networking/ntp @thoughtpolice
# Network
/pkgs/tools/networking/octodns @Janik-Haag
/pkgs/tools/networking/kea/default.nix @mweinelt
/pkgs/tools/networking/babeld/default.nix @mweinelt
/nixos/modules/services/networking/babeld.nix @mweinelt
/nixos/modules/services/networking/kea.nix @mweinelt
/nixos/modules/services/networking/knot.nix @mweinelt
nixos/modules/services/networking/networkmanager.nix @Janik-Haag
/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
/nixos/tests/babeld.nix @mweinelt
/nixos/tests/kea.nix @mweinelt
/nixos/tests/knot.nix @mweinelt
/nixos/tests/networking/* @Janik-Haag
# Web servers
/doc/packages/nginx.section.md @raitobezarius
@ -322,9 +326,9 @@ pkgs/by-name/fo/forgejo/package.nix @adamcstephens @bendlas @emilylange
/doc/languages-frameworks/dotnet.section.md @corngood
# Node.js
/pkgs/build-support/node/build-npm-package @lilyinstarlight @winterqt
/pkgs/build-support/node/fetch-npm-deps @lilyinstarlight @winterqt
/doc/languages-frameworks/javascript.section.md @lilyinstarlight @winterqt
/pkgs/build-support/node/build-npm-package @winterqt
/pkgs/build-support/node/fetch-npm-deps @winterqt
/doc/languages-frameworks/javascript.section.md @winterqt
# environment.noXlibs option aka NoX
/nixos/modules/config/no-x-libs.nix @SuperSandro2000
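Review bot: The node build-support entries at the end of the section (`/pkgs/build-support/node/fetch-npm-deps` and `/pkgs/build-support/node/build-npm-package`) drop to a single owner, @winterqt, once @lilyinstarlight is removed; judging by its name fetch-npm-deps is the code that fetches and pins npm dependency trees for offline builds, which makes it a supply-chain-sensitive path where a single reviewer is a bus-factor risk. Consider adding a team alias or second maintainer there, and the same applies to `/pkgs/pkgs-lib/formats/libconfig`, which likewise goes from two owners to one. Separately, the context line `nixos/modules/services/networking/networkmanager.nix @Janik-Haag` lacks the leading `/` used by its neighbours, so it matches that relative path under any directory; `/nixos/modules/services/networking/networkmanager.nix @Janik-Haag` would be consistent with the rest of the file.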

11
.github/labeler.yml vendored

@ -34,9 +34,9 @@
- nixos/modules/services/editors/emacs.nix
- nixos/modules/services/editors/emacs.xml
- nixos/tests/emacs-daemon.nix
- pkgs/applications/editors/emacs/build-support/**/*
- pkgs/applications/editors/emacs/elisp-packages/**/*
- pkgs/applications/editors/emacs/**/*
- pkgs/build-support/emacs/**/*
- pkgs/top-level/emacs-packages.nix
"6.topic: Enlightenment DE":
@ -74,6 +74,13 @@
- lib/systems/flake-systems.nix
- nixos/modules/config/nix-flakes.nix
"6.topic: flutter":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/build-support/flutter/*.nix
- pkgs/development/compilers/flutter/**/*.nix
"6.topic: GNOME":
- any:
- changed-files:
@ -149,7 +156,7 @@
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/llvm/*
- pkgs/development/compilers/llvm/**/*
"6.topic: lua":
- any:


@ -58,7 +58,7 @@ jobs:
if [[ "$mergeable" == "null" ]]; then
if (( retryCount == 0 )); then
echo "Not retrying anymore, probably GitHub is having internal issues"
echo "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
exit 1
else
(( retryCount -= 1 )) || true


@ -35,10 +35,6 @@ jobs:
pairs:
- from: master
into: haskell-updates
- from: release-23.11
into: staging-next-23.11
- from: staging-next-23.11
into: staging-23.11
- from: release-24.05
into: staging-next-24.05
- from: staging-next-24.05

1
.gitignore vendored

@ -19,6 +19,7 @@ tags
/doc/manual.pdf
/source/
.version-suffix
.direnv
.DS_Store
.mypy_cache


@ -20,6 +20,7 @@ There is no uniform interface for build helpers.
build-helpers/fetchers.chapter.md
build-helpers/trivial-build-helpers.chapter.md
build-helpers/testers.chapter.md
build-helpers/dev-shell-tools.chapter.md
build-helpers/special.md
build-helpers/images.md
hooks/index.md


@ -0,0 +1,29 @@
# Development Shell helpers {#chap-devShellTools}
The `nix-shell` command has popularized the concept of transient shell environments for development or testing purposes.
<!--
We should try to document the product, not its development process in the Nixpkgs reference manual,
but *something* needs to be said to provide context for this library.
This is the most future proof sentence I could come up with while Nix itself does yet make use of this.
Relevant is the current status of the devShell attribute "project": https://github.com/NixOS/nix/issues/7501
-->
However, `nix-shell` is not the only way to create such environments, and even `nix-shell` itself can indirectly benefit from this library.
This library provides a set of functions that help create such environments.
## `devShellTools.valueToString` {#sec-devShellTools-valueToString}
Converts Nix values to strings in the way the [`derivation` built-in function](https://nix.dev/manual/nix/2.23/language/derivations) does.
:::{.example}
## `valueToString` usage examples
```nix
devShellTools.valueToString (builtins.toFile "foo" "bar")
=> "/nix/store/...-foo"
```
```nix
devShellTools.valueToString false
=> ""
```


@ -869,7 +869,7 @@ It produces packages that cannot be built automatically.
fetchtorrent {
config = { peer-limit-global = 100; };
url = "magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c";
sha256 = "";
hash = "";
}
```


@ -120,9 +120,10 @@ It has two modes:
Checks that the output from running a command contains the specified version string in it as a whole word.
Although simplistic, this test assures that the main program can run.
While there's no substitute for a real test case, it does catch dynamic linking errors and such.
It also provides some protection against accidentally building the wrong version, for example when using an "old" hash in a fixed-output derivation.
NOTE: In most cases, [`versionCheckHook`](#versioncheckhook) should be preferred, but this function is provided and documented here anyway. The motivation for adding either tests would be:
- Catch dynamic linking errors and such and missing environment variables that should be added by wrapping.
- Probable protection against accidentally building the wrong version, for example when using an "old" hash in a fixed-output derivation.
By default, the command to be run will be inferred from the given `package` attribute:
it will check `meta.mainProgram` first, and fall back to `pname` or `name`.


@ -468,7 +468,7 @@ This is for consistency with the convention of software packages placing executa
The created file is marked as executable.
The file's contents will be put into `/nix/store/<store path>/bin/<name>`.
The store path will include the the name, and it will be a directory.
The store path will include the name, and it will be a directory.
::: {.example #ex-writeScriptBin}
# Usage of `writeScriptBin`


@ -29,6 +29,7 @@ scons.section.md
tetex-tex-live.section.md
unzip.section.md
validatePkgConfig.section.md
versionCheckHook.section.md
waf.section.md
zig.section.md
xcbuild.section.md


@ -0,0 +1,35 @@
# versionCheckHook {#versioncheckhook}
This hook adds a `versionCheckPhase` to the [`preInstallCheckHooks`](#ssec-installCheck-phase) that runs the main program of the derivation with a `--help` or `--version` argument, and checks that the `${version}` string is found in that output. You use it like this:
```nix
{
lib,
stdenv,
versionCheckHook,
# ...
}:
stdenv.mkDerivation (finalAttrs: {
# ...
nativeInstallCheckInputs = [
versionCheckHook
];
doInstallCheck = true;
# ...
})
```
Note that for [`buildPythonPackage`](#buildpythonpackage-function) and [`buildPythonApplication`](#buildpythonapplication-function), `doInstallCheck` is enabled by default.
It does so in a clean environment (using `env --ignore-environment`), and it checks for the `${version}` string in both the `stdout` and the `stderr` of the command. It will report to you in the build log the output it received and it will fail the build if it failed to find `${version}`.
The variables that this phase control are:
- `dontVersionCheck`: Disable adding this hook to the [`preDistPhases`](#var-stdenv-preDist). Useful if you do want to load the bash functions of the hook, but run them differently.
- `versionCheckProgram`: The full path to the program that should print the `${version}` string. Defaults roughly to `${placeholder "out"}/bin/${pname}`. Using `$out` in the value of this variable won't work, as environment variables from this variable are not expanded by the hook. Hence using `placeholder` is unavoidable.
- `versionCheckProgramArg`: The argument that needs to be passed to `versionCheckProgram`. If undefined the hook tries first `--help` and then `--version`. Examples: `version`, `-V`, `-v`.
- `preVersionCheck`: A hook to run before the check is done.
- `postVersionCheck`: A hook to run after the check is done.


@ -114,7 +114,7 @@ flutter322.buildFlutterApplication {
owner = "canonical";
repo = "firmware-updater";
rev = "6e7dbdb64e344633ea62874b54ff3990bd3b8440";
sha256 = "sha256-s5mwtr5MSPqLMN+k851+pFIFFPa0N1hqz97ys050tFA=";
hash = "sha256-s5mwtr5MSPqLMN+k851+pFIFFPa0N1hqz97ys050tFA=";
fetchSubmodules = true;
};


@ -194,7 +194,7 @@ This helper has the same arguments as `buildDotnetModule`, with a few difference
* `pname` and `version` are required, and will be used to find the NuGet package of the tool
* `nugetName` can be used to override the NuGet package name that will be downloaded, if it's different from `pname`
* `nugetSha256` is the hash of the fetched NuGet package. Set this to `lib.fakeHash256` for the first build, and it will error out, giving you the proper hash. Also remember to update it during version updates (it will not error out if you just change the version while having a fetched package in `/nix/store`)
* `nugetHash` is the hash of the fetched NuGet package. `nugetSha256` is also supported, but not recommended. Set this to `lib.fakeHash` for the first build, and it will error out, giving you the proper hash. Also remember to update it during version updates (it will not error out if you just change the version while having a fetched package in `/nix/store`)
* `dotnet-runtime` is set to `dotnet-sdk` by default. When changing this, remember that .NET tools fetched from NuGet require an SDK.
Here is an example of packaging `pbm`, an unfree binary without source available:
@ -205,7 +205,7 @@ buildDotnetGlobalTool {
pname = "pbm";
version = "1.3.1";
nugetSha256 = "sha256-ZG2HFyKYhVNVYd2kRlkbAjZJq88OADe3yjxmLuxXDUo=";
nugetHash = "sha256-ZG2HFyKYhVNVYd2kRlkbAjZJq88OADe3yjxmLuxXDUo=";
meta = {
homepage = "https://cmd.petabridge.com/index.html";
@ -241,15 +241,15 @@ $ nuget-to-nix out > deps.nix
Which `nuget-to-nix` will generate an output similar to below
```nix
{ fetchNuGet }: [
(fetchNuGet { pname = "FosterFramework"; version = "0.1.15-alpha"; sha256 = "0pzsdfbsfx28xfqljcwy100xhbs6wyx0z1d5qxgmv3l60di9xkll"; })
(fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "8.0.1"; sha256 = "1gjz379y61ag9whi78qxx09bwkwcznkx2mzypgycibxk61g11da1"; })
(fetchNuGet { pname = "Microsoft.NET.ILLink.Tasks"; version = "8.0.1"; sha256 = "1drbgqdcvbpisjn8mqfgba1pwb6yri80qc4mfvyczqwrcsj5k2ja"; })
(fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "8.0.1"; sha256 = "1g5b30f4l8a1zjjr3b8pk9mcqxkxqwa86362f84646xaj4iw3a4d"; })
(fetchNuGet { pname = "SharpGLTF.Core"; version = "1.0.0-alpha0031"; sha256 = "0ln78mkhbcxqvwnf944hbgg24vbsva2jpih6q3x82d3h7rl1pkh6"; })
(fetchNuGet { pname = "SharpGLTF.Runtime"; version = "1.0.0-alpha0031"; sha256 = "0lvb3asi3v0n718qf9y367km7qpkb9wci38y880nqvifpzllw0jg"; })
(fetchNuGet { pname = "Sledge.Formats"; version = "1.2.2"; sha256 = "1y0l66m9rym0p1y4ifjlmg3j9lsmhkvbh38frh40rpvf1axn2dyh"; })
(fetchNuGet { pname = "Sledge.Formats.Map"; version = "1.1.5"; sha256 = "1bww60hv9xcyxpvkzz5q3ybafdxxkw6knhv97phvpkw84pd0jil6"; })
(fetchNuGet { pname = "System.Numerics.Vectors"; version = "4.5.0"; sha256 = "1kzrj37yzawf1b19jq0253rcs8hsq1l2q8g69d7ipnhzb0h97m59"; })
(fetchNuGet { pname = "FosterFramework"; version = "0.1.15-alpha"; hash = "sha256-lM6eYgOGjl1fx6WFD7rnRi/YAQieM0mx60h0p5dr+l8="; })
(fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "8.0.1"; hash = "sha256-QbUQXjCzr8j8u/5X0af9jE++EugdoxMhT08F49MZX74="; })
(fetchNuGet { pname = "Microsoft.NET.ILLink.Tasks"; version = "8.0.1"; hash = "sha256-SopZpGaZ48/8dpUwDFDM3ix+g1rP4Yqs1PGuzRp+K7c="; })
(fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "8.0.1"; hash = "sha256-jajBI5GqG2IIcsIMgxTHfXbMapoXrZGl/EEhShwYq7w="; })
(fetchNuGet { pname = "SharpGLTF.Core"; version = "1.0.0-alpha0031"; hash = "sha256-Bs4baD5wNIH6wAbGK4Xaem0i3luQkOQs37izBWdFx1I="; })
(fetchNuGet { pname = "SharpGLTF.Runtime"; version = "1.0.0-alpha0031"; hash = "sha256-TwJO6b8ubmwBQh6NyHha8+JT5zHDJ4dROBbsEbUaa1M="; })
(fetchNuGet { pname = "Sledge.Formats"; version = "1.2.2"; hash = "sha256-0Ddhuwpu3wwIzA4NuPaEVdMkx6tUukh8uKD6nKoxFPg="; })
(fetchNuGet { pname = "Sledge.Formats.Map"; version = "1.1.5"; hash = "sha256-hkYJ2iWIz7vhPWlDOw2fvTenlh+4/D/37Z71tCEwnK8="; })
(fetchNuGet { pname = "System.Numerics.Vectors"; version = "4.5.0"; hash = "sha256-qdSTIFgf2htPS+YhLGjAGiLN8igCYJnCCo6r78+Q+c8="; })
]
```


@ -143,7 +143,7 @@ You can also pass additional arguments to `makeWrapper` using `gappsWrapperArgs`
## Updating GNOME packages {#ssec-gnome-updating}
Most GNOME package offer [`updateScript`](#var-passthru-updateScript), it is therefore possible to update to latest source tarball by running `nix-shell maintainers/scripts/update.nix --argstr package gnome.nautilus` or even en masse with `nix-shell maintainers/scripts/update.nix --argstr path gnome`. Read the packages `NEWS` file to see what changed.
Most GNOME package offer [`updateScript`](#var-passthru-updateScript), it is therefore possible to update to latest source tarball by running `nix-shell maintainers/scripts/update.nix --argstr package nautilus` or even en masse with `nix-shell maintainers/scripts/update.nix --argstr path gnome`. Read the packages `NEWS` file to see what changed.
## Frequently encountered issues {#ssec-gnome-common-issues}


@ -90,6 +90,7 @@ qt.section.md
r.section.md
ruby.section.md
rust.section.md
scheme.section.md
swift.section.md
texlive.section.md
titanium.section.md


@ -1315,9 +1315,6 @@ we can do:
```nix
{
nativeBuildInputs = [
pythonRelaxDepsHook
];
pythonRelaxDeps = [
"pkg1"
"pkg3"
@ -1340,7 +1337,6 @@ example:
```nix
{
nativeBuildInputs = [ pythonRelaxDepsHook ];
pythonRelaxDeps = true;
}
```
@ -1362,8 +1358,11 @@ instead of a dev dependency).
Keep in mind that while the examples above are done with `requirements.txt`,
`pythonRelaxDepsHook` works by modifying the resulting wheel file, so it should
work with any of the [existing hooks](#setup-hooks).
It indicates that `pythonRelaxDepsHook` has no effect on build time dependencies, such as in `build-system`.
If a package requires incompatible build time dependencies, they should be removed in `postPatch` with `substituteInPlace` or something similar.
The `pythonRelaxDepsHook` has no effect on build time dependencies, such as
those specified in `build-system`. If a package requires incompatible build
time dependencies, they should be removed in `postPatch` through
`substituteInPlace` or similar.
#### Using unittestCheckHook {#using-unittestcheckhook}


@ -0,0 +1,35 @@
# Scheme {#sec-scheme}
## Package Management {#sec-scheme-package-management}
### Akku {#sec-scheme-package-management-akku}
About two hundred R6RS & R7RS libraries from [Akku](https://akkuscm.org/)
(which also mirrors [snow-fort](https://snow-fort.org/pkg))
are available inside the `akkuPackages` attrset, and the Akku executable
itself is at the top level as `akku`. The packages could be used
in a derivation's `buildInputs`, work inside of `nix-shell`, and
are tested using [Chez](https://www.scheme.com/) &
[Chibi](https://synthcode.com/wiki/chibi-scheme)
Scheme during build time.
Including a package as a build input is done in the typical Nix fashion.
For example, to include
[a bunch of SRFIs](https://akkuscm.org/packages/chez-srfi/)
primarily for Chez Scheme in a derivation, one might write:
```nix
{
buildInputs = [
chez
akkuPackages.chez-srfi
];
}
```
The package index is located in `pkgs/tools/package-management/akku`
as `deps.toml`, and should be updated occasionally by running `./update.sh`
in the directory. Doing so will pull the source URLs for new packages and
more recent versions, then write them to the TOML.


@ -83,12 +83,13 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c
```nix
stdenvNoCC.mkDerivation rec {
src = texlive.pkgs.iwona;
dontUnpack = true;
inherit (src) pname version;
installPhase = ''
runHook preInstall
install -Dm644 fonts/opentype/nowacki/iwona/*.otf -t $out/share/fonts/opentype
install -Dm644 $src/fonts/opentype/nowacki/iwona/*.otf -t $out/share/fonts/opentype
runHook postInstall
'';
}


@ -22,6 +22,10 @@ Meta-attributes are not passed to the builder of the package. Thus, a change to
## Standard meta-attributes {#sec-standard-meta-attributes}
If the package is to be submitted to Nixpkgs, please check out the
[requirements for meta attributes](https://github.com/NixOS/nixpkgs/tree/master/pkgs#meta-attributes)
in the contributing documentation.
It is expected that each meta-attribute is one of the following:
### `description` {#var-meta-description}
@ -29,11 +33,21 @@ It is expected that each meta-attribute is one of the following:
A short (one-line) description of the package.
This is displayed on [search.nixos.org](https://search.nixos.org/packages).
Dont include a period at the end. Dont include newline characters. Capitalise the first character. For brevity, dont repeat the name of package --- just describe what it does.
The general requirements of a description are:
- Be short, just one sentence.
- Be capitalized.
- Not start with definite ("The") or indefinite ("A"/"An") article.
- Not start with the package name.
- More generally, it should not refer to the package name.
- Not end with a period (or any punctuation for that matter).
- Provide factual information.
- Avoid subjective language.
Wrong: `"libpng is a library that allows you to decode PNG images."`
Right: `"A library for decoding PNG images"`
Right: `"Library for decoding PNG images"`
### `longDescription` {#var-meta-longDescription}


@ -75,40 +75,17 @@ The Nixpkgs systems for continuous integration [Hydra](https://hydra.nixos.org/)
#### Package tests {#var-passthru-tests-packages}
[]{#var-meta-tests-packages} <!-- legacy anchor -->
Tests that are part of the source package, if they run quickly, are typically executed in the [`installCheckPhase`](#var-stdenv-phases).
This phase is also suitable for performing a `--version` test for packages that support such flag.
Most programs distributed by Nixpkgs support such a `--version` flag, and successfully calling the program with that flag indicates that the package at least got compiled properly.
Besides tests provided by upstream, that you run in the [`checkPhase`](#ssec-check-phase), you may want to define tests derivations in the `passthru.tests` attribute, which won't change the build. `passthru.tests` have several advantages over running tests during any of the [standard phases](#sec-stdenv-phases):
:::{.example #ex-checking-build-installCheckPhase}
- They access the package as consumers would, independently from the environment in which it was built
- They can be run and debugged without rebuilding the package, which is useful if that takes a long time
- They don't add overhead to each build, as opposed checks added to the [`distPhase`](#ssec-distribution-phase), such as [`versionCheckHook`](#versioncheckhook).
## Checking builds with `installCheckPhase`
It is also possible to use `passthru.tests` to test the version with [`testVersion`](#tester-testVersion), but since that is pretty trivial and recommended thing to do, we recommend using [`versionCheckHook`](#versioncheckhook) for that, which has the following advantages over `passthru.tests`:
When building `git`, a rudimentary test for successful compilation would be running `git --version`:
```nix
stdenv.mkDerivation (finalAttrs: {
pname = "git";
version = "1.2.3";
# ...
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
echo checking if 'git --version' mentions ${finalAttrs.version}
$out/bin/git --version | grep ${finalAttrs.version}
runHook postInstallCheck
'';
# ...
})
```
:::
However, tests that are non-trivial will better fit into `passthru.tests` because they:
- Access the package as consumers would, independently from the environment in which it was built
- Can be run and debugged without rebuilding the package, which is useful if that takes a long time
- Don't add overhad to each build, as opposed to `installCheckPhase`
It is also possible to use `passthru.tests` to test the version with [`testVersion`](#tester-testVersion).
- If the `versionCheckPhase` (the phase defined by [`versionCheckHook`](#versioncheckhook)) fails, it triggers a failure which can't be ignored if you use the package, or if you find out about it in a [`nixpkgs-review`](https://github.com/Mic92/nixpkgs-review) report.
- Sometimes packages become silently broken - meaning they fail to launch but their build passes because they don't perform any tests in the `checkPhase`. If you use this tool infrequently, such a silent breakage may rot in your system / profile configuration, and you will not notice the failure until you will want to use this package. Testing such basic functionality ensures you have to deal with the failure when you update your system / profile.
- When you open a PR, [ofborg](https://github.com/NixOS/ofborg)'s CI _will_ run `passthru.tests` of [packages that are directly changed by your PR (according to your commits' messages)](https://github.com/NixOS/ofborg?tab=readme-ov-file#automatic-building), but if you'd want to use the [`@ofborg build`](https://github.com/NixOS/ofborg?tab=readme-ov-file#build) command for dependent packages, you won't have to specify in addition the `.tests` attribute of the packages you want to build, and no body will be able to avoid these tests.
<!-- NOTE(@fricklerhandwerk): one may argue whether that testing guide should rather be in the user's manual -->
For more on how to write and run package tests for Nixpkgs, see the [testing section in the package contributor guide](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests).


@ -762,6 +762,8 @@ Before and after running `make`, the hooks `preBuild` and `postBuild` are called
The check phase checks whether the package was built correctly by running its test suite. The default `checkPhase` calls `make $checkTarget`, but only if the [`doCheck` variable](#var-stdenv-doCheck) is enabled.
It is highly recommended, for packages' sources that are not distributed with any tests, to at least use [`versionCheckHook`](#versioncheckhook) to test that the resulting executable is basically functional.
#### Variables controlling the check phase {#variables-controlling-the-check-phase}
##### `doCheck` {#var-stdenv-doCheck}
@ -1515,6 +1517,10 @@ This flag can break dynamic shared object loading. For instance, the module syst
intel_drv.so: undefined symbol: vgaHWFreeHWRec
```
#### `zerocallusedregs` {#zerocallusedregs}
Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.
### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default}
The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
@ -1532,16 +1538,22 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
#### `zerocallusedregs` {#zerocallusedregs}
Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.
#### `trivialautovarinit` {#trivialautovarinit}
Adds the `-ftrivial-auto-var-init=pattern` compiler option. This causes "trivially-initializable" uninitialized stack variables to be forcibly initialized with a nonzero value that is likely to cause a crash (and therefore be noticed). Uninitialized variables generally take on their values based on fragments of previous program state, and attackers can carefully manipulate that state to craft malicious initial values for these variables.
Use of this flag is controversial as it can prevent tools that detect uninitialized variable use (such as valgrind) from operating correctly.
This should be turned off or fixed for build errors such as:
```
sorry, unimplemented: __builtin_clear_padding not supported for variable length aggregates
```
#### `stackclashprotection` {#stackclashprotection}
This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.
[^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
[^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
[^footnote-stdenv-propagated-dependencies]: Nix itself already takes a packages transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.


@ -66,7 +66,7 @@ let
# TODO: For consistency, all builtins should also be available from a sub-library;
# these are the only ones that are currently not
inherit (builtins) addErrorContext isPath trace;
inherit (builtins) addErrorContext isPath trace typeOf unsafeGetAttrPos;
inherit (self.trivial) id const pipe concat or and xor bitAnd bitOr bitXor
bitNot boolToString mergeAttrs flip mapNullable inNixShell isFloat min max
importJSON importTOML warn warnIf warnIfNot throwIf throwIfNot checkListOfEnum
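Review bot: The changed `inherit (builtins) ...` line now re-exports `unsafeGetAttrPos` at lib's top level, next to a TODO that says builtins should eventually live in a sub-library, and nothing records why this one is being widened. The `unsafe` prefix marks a builtin whose result depends on where in a source file an attribute was written, so anything derived from it should stay in diagnostics and error messages and never feed a derivation's inputs, where it would make outputs vary with unrelated edits; I am assuming that is the intended use here. A short note beside the existing TODO would pin that down, e.g. `# unsafeGetAttrPos is exposed for error reporting only; its position-dependent result must not reach derivation attributes`.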


@ -917,7 +917,7 @@ in mkLicense lset) ({
ncbiPd = {
spdxId = "NCBI-PD";
fullname = "NCBI Public Domain Notice";
fullName = "NCBI Public Domain Notice";
# Due to United States copyright law, anything with this "license" does not have a copyright in the
# jurisdiction of the United States. However, other jurisdictions may assign the United States
# government copyright to the work, and the license explicitly states that in such a case, no license
@ -1161,7 +1161,7 @@ in mkLicense lset) ({
shortName = "TSL";
fullName = "Timescale License Agreegment";
url = "https://github.com/timescale/timescaledb/blob/main/tsl/LICENSE-TIMESCALE";
unfree = true;
free = false;
};
tcltk = {
@ -1297,7 +1297,7 @@ in mkLicense lset) ({
zsh = {
url = "https://github.com/zsh-users/zsh/blob/master/LICENCE";
fulllName = "Zsh License";
fullName = "Zsh License";
};
zpl20 = {
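Review bot: The three corrected keys in this section (`fullname`, `unfree`, `fulllName`) show that `mkLicense`, defined above the hunk, accepts attribute names outside the known set without complaint; the Timescale entry's `unfree = true` in particular was a no-op, so if `free` defaults to true as the fix implies, that license was silently treated as free until now. Consider making `mkLicense` reject unknown keys so a future typo fails at evaluation time instead of quietly changing a package's unfree status, e.g. guarding the result with `lib.throwIfNot (lib.all (k: lib.elem k knownKeys) (lib.attrNames attrs)) "mkLicense ${lname}: unknown attribute(s)"` where `knownKeys` lists the accepted names. The `mkLicense` definition itself is outside this hunk, so the exact insertion point cannot be confirmed from here.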


@ -2,6 +2,7 @@
let
inherit (lib)
addErrorContext
all
any
attrByPath
@ -13,13 +14,16 @@ let
elem
filter
foldl'
functionArgs
getAttrFromPath
genericClosure
head
id
imap1
isAttrs
isBool
isFunction
isInOldestRelease
isList
isString
length
@ -32,9 +36,17 @@ let
optionalString
recursiveUpdate
reverseList sort
seq
setAttrByPath
substring
throwIfNot
trace
typeOf
types
unsafeGetAttrPos
warn
warnIf
zipAttrs
zipAttrsWith
;
inherit (lib.options)
@ -89,8 +101,8 @@ let
}:
let
withWarnings = x:
lib.warnIf (evalModulesArgs?args) "The args argument to evalModules is deprecated. Please set config._module.args instead."
lib.warnIf (evalModulesArgs?check) "The check argument to evalModules is deprecated. Please set config._module.check instead."
warnIf (evalModulesArgs?args) "The args argument to evalModules is deprecated. Please set config._module.args instead."
warnIf (evalModulesArgs?check) "The check argument to evalModules is deprecated. Please set config._module.check instead."
x;
legacyModules =
@ -265,9 +277,9 @@ let
let
optText = showOption (prefix ++ firstDef.prefix);
defText =
builtins.addErrorContext
addErrorContext
"while evaluating the error message for definitions for `${optText}', which is an option that does not exist"
(builtins.addErrorContext
(addErrorContext
"while evaluating a definition from `${firstDef.file}'"
( showDefs [ firstDef ])
);
@ -298,7 +310,7 @@ let
else throw baseMsg
else null;
checked = builtins.seq checkUnmatched;
checked = seq checkUnmatched;
extendModules = extendArgs@{
modules ? [],
@ -312,7 +324,7 @@ let
prefix = extendArgs.prefix or evalModulesArgs.prefix or [];
});
type = lib.types.submoduleWith {
type = types.submoduleWith {
inherit modules specialArgs class;
};
@ -344,8 +356,8 @@ let
else
throw (
"Could not load a value as a module, because it is of type ${lib.strings.escapeNixString m._type}"
+ lib.optionalString (fallbackFile != unknownModule) ", in file ${toString fallbackFile}."
+ lib.optionalString (m._type == "configuration") " If you do intend to import this configuration, please only import the modules that make up the configuration. You may have to create a `let` binding, file or attribute to give yourself access to the relevant modules.\nWhile loading a configuration into the module system is a very sensible idea, it can not be done cleanly in practice."
+ optionalString (fallbackFile != unknownModule) ", in file ${toString fallbackFile}."
+ optionalString (m._type == "configuration") " If you do intend to import this configuration, please only import the modules that make up the configuration. You may have to create a `let` binding, file or attribute to give yourself access to the relevant modules.\nWhile loading a configuration into the module system is a very sensible idea, it can not be done cleanly in practice."
# Extended explanation: That's because a finalized configuration is more than just a set of modules. For instance, it has its own `specialArgs` that, by the nature of `specialArgs` can't be loaded through `imports` or the the `modules` argument. So instead, we have to ask you to extract the relevant modules and use those instead. This way, we keep the module system comparatively simple, and hopefully avoid a bad surprise down the line.
)
else if isList m then
@ -415,7 +427,7 @@ let
moduleKey = file: m:
if isString m
then
if builtins.substring 0 1 m == "/"
if substring 0 1 m == "/"
then m
else toString modulesPath + "/" + m
@ -433,11 +445,11 @@ let
else if isAttrs m
then throw "Module `${file}` contains a disabledModules item that is an attribute set, presumably a module, that does not have a `key` attribute. This means that the module system doesn't have any means to identify the module that should be disabled. Make sure that you've put the correct value in disabledModules: a string path relative to modulesPath, a path value, or an attribute set with a `key` attribute."
else throw "Each disabledModules item must be a path, string, or a attribute set with a key attribute, or a value supported by toString. However, one of the disabledModules items in `${toString file}` is none of that, but is of type ${builtins.typeOf m}.";
else throw "Each disabledModules item must be a path, string, or a attribute set with a key attribute, or a value supported by toString. However, one of the disabledModules items in `${toString file}` is none of that, but is of type ${typeOf m}.";
disabledKeys = concatMap ({ file, disabled }: map (moduleKey file) disabled) disabled;
keyFilter = filter (attrs: ! elem attrs.key disabledKeys);
in map (attrs: attrs.module) (builtins.genericClosure {
in map (attrs: attrs.module) (genericClosure {
startSet = keyFilter modules;
operator = attrs: keyFilter attrs.modules;
});
@ -475,7 +487,7 @@ let
}
else
# shorthand syntax
lib.throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
{ _file = toString m._file or file;
_class = m._class or null;
key = toString m.key or key;
@ -485,10 +497,10 @@ let
config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
};
applyModuleArgsIfFunction = key: f: args@{ config, options, lib, ... }:
applyModuleArgsIfFunction = key: f: args@{ config, ... }:
if isFunction f then applyModuleArgs key f args else f;
applyModuleArgs = key: f: args@{ config, options, lib, ... }:
applyModuleArgs = key: f: args@{ config, ... }:
let
# Module arguments are resolved in a strict manner when attribute set
# deconstruction is used. As the arguments are now defined with the
@ -503,10 +515,10 @@ let
# not their values. The values are forwarding the result of the
# evaluation of the option.
context = name: ''while evaluating the module argument `${name}' in "${key}":'';
extraArgs = builtins.mapAttrs (name: _:
builtins.addErrorContext (context name)
extraArgs = mapAttrs (name: _:
addErrorContext (context name)
(args.${name} or config._module.args.${name})
) (lib.functionArgs f);
) (functionArgs f);
# Note: we append in the opposite order such that we can add an error
# context on the explicit arguments of "args" too. This update
@ -547,16 +559,16 @@ let
(n: concatLists)
(map
(module: let subtree = module.options; in
if !(builtins.isAttrs subtree) then
if !(isAttrs subtree) then
throw ''
An option declaration for `${builtins.concatStringsSep "." prefix}' has type
`${builtins.typeOf subtree}' rather than an attribute set.
An option declaration for `${concatStringsSep "." prefix}' has type
`${typeOf subtree}' rather than an attribute set.
Did you mean to define this outside of `options'?
''
else
mapAttrs
(n: option:
[{ inherit (module) _file; pos = builtins.unsafeGetAttrPos n subtree; options = option; }]
[{ inherit (module) _file; pos = unsafeGetAttrPos n subtree; options = option; }]
)
subtree
)
@ -565,17 +577,17 @@ let
# The root of any module definition must be an attrset.
checkedConfigs =
assert
lib.all
all
(c:
# TODO: I have my doubts that this error would occur when option definitions are not matched.
# The implementation of this check used to be tied to a superficially similar check for
# options, so maybe that's why this is here.
isAttrs c.config || throw ''
In module `${c.file}', you're trying to define a value of type `${builtins.typeOf c.config}'
In module `${c.file}', you're trying to define a value of type `${typeOf c.config}'
rather than an attribute set for the option
`${builtins.concatStringsSep "." prefix}'!
`${concatStringsSep "." prefix}'!
This usually happens if `${builtins.concatStringsSep "." prefix}' has option
This usually happens if `${concatStringsSep "." prefix}' has option
definitions inside that are not matched. Please check how to properly define
this option by e.g. referring to `man 5 configuration.nix'!
''
@ -667,7 +679,7 @@ let
let
nonOptions = filter (m: !isOption m.options) decls;
in
throw "The option `${showOption loc}' in module `${(lib.head optionDecls)._file}' would be a parent of the following options, but its type `${(lib.head optionDecls).options.type.description or "<no description>"}' does not support nested options.\n${
throw "The option `${showOption loc}' in module `${(head optionDecls)._file}' would be a parent of the following options, but its type `${(head optionDecls).options.type.description or "<no description>"}' does not support nested options.\n${
showRawDecls loc nonOptions
}"
else
@ -806,7 +818,7 @@ let
"The type `types.${opt.type.name}' of option `${showOption loc}' defined in ${showFiles opt.declarations} is deprecated. ${opt.type.deprecationMessage}";
in warnDeprecation opt //
{ value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
{ value = addErrorContext "while evaluating the option `${showOption loc}':" value;
inherit (res.defsFinal') highestPrio;
definitions = map (def: def.value) res.defsFinal;
files = map (def: def.file) res.defsFinal;
@ -822,7 +834,7 @@ let
let
# Process mkMerge and mkIf properties.
defs' = concatMap (m:
map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
map (value: { inherit (m) file; inherit value; }) (addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
) defs;
# Process mkOverride properties.
@ -972,12 +984,12 @@ let
mergeAttrDefinitionsWithPrio = opt:
let
defsByAttr =
lib.zipAttrs (
lib.concatLists (
lib.concatMap
zipAttrs (
concatLists (
concatMap
({ value, ... }@def:
map
(lib.mapAttrsToList (k: value: { ${k} = def // { inherit value; }; }))
(mapAttrsToList (k: value: { ${k} = def // { inherit value; }; }))
(pushDownProperties value)
)
opt.definitionsWithLocations
@ -985,9 +997,9 @@ let
);
in
assert opt.type.name == "attrsOf" || opt.type.name == "lazyAttrsOf";
lib.mapAttrs
mapAttrs
(k: v:
let merging = lib.mergeDefinitions (opt.loc ++ [k]) opt.type.nestedTypes.elemType v;
let merging = mergeDefinitions (opt.loc ++ [k]) opt.type.nestedTypes.elemType v;
in {
value = merging.mergedValue;
inherit (merging.defsFinal') highestPrio;
@ -1023,9 +1035,9 @@ let
mkForce = mkOverride 50;
mkVMOverride = mkOverride 10; # used by nixos-rebuild build-vm
defaultPriority = lib.warnIf (lib.isInOldestRelease 2305) "lib.modules.defaultPriority is deprecated, please use lib.modules.defaultOverridePriority instead." defaultOverridePriority;
defaultPriority = warnIf (isInOldestRelease 2305) "lib.modules.defaultPriority is deprecated, please use lib.modules.defaultOverridePriority instead." defaultOverridePriority;
mkFixStrictness = lib.warn "lib.mkFixStrictness has no effect and will be removed. It returns its argument unmodified, so you can just remove any calls." id;
mkFixStrictness = warn "lib.mkFixStrictness has no effect and will be removed. It returns its argument unmodified, so you can just remove any calls." id;
mkOrder = priority: content:
{ _type = "order";
@ -1121,7 +1133,7 @@ let
inherit from to;
visible = false;
warn = true;
use = builtins.trace "Obsolete option `${showOption from}' is used. It was renamed to `${showOption to}'.";
use = trace "Obsolete option `${showOption from}' is used. It was renamed to `${showOption to}'.";
};
mkRenamedOptionModuleWith = {
@ -1139,8 +1151,8 @@ let
}: doRename {
inherit from to;
visible = false;
warn = lib.isInOldestRelease sinceRelease;
use = lib.warnIf (lib.isInOldestRelease sinceRelease)
warn = isInOldestRelease sinceRelease;
use = warnIf (isInOldestRelease sinceRelease)
"Obsolete option `${showOption from}' is used. It was renamed to `${showOption to}'.";
};
@ -1372,8 +1384,8 @@ let
config = lib.importTOML file;
};
private = lib.mapAttrs
(k: lib.warn "External use of `lib.modules.${k}` is deprecated. If your use case isn't covered by non-deprecated functions, we'd like to know more and perhaps support your use case well, instead of providing access to these low level functions. In this case please open an issue in https://github.com/nixos/nixpkgs/issues/.")
private = mapAttrs
(k: warn "External use of `lib.modules.${k}` is deprecated. If your use case isn't covered by non-deprecated functions, we'd like to know more and perhaps support your use case well, instead of providing access to these low level functions. In this case please open an issue in https://github.com/nixos/nixpkgs/issues/.")
{
inherit
applyModuleArgsIfFunction


@ -323,6 +323,7 @@ let
os =
/**/ if rust ? platform then rust.platform.os or "none"
else if final.isDarwin then "macos"
else if final.isWasm && !final.isWasi then "unknown" # Needed for {wasm32,wasm64}-unknown-unknown.
else final.parsed.kernel.name;
# https://doc.rust-lang.org/reference/conditional-compilation.html#target_family
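Review bot: The comment on the new `final.isWasm && !final.isWasi` branch names the triple it serves but not why WASI is carved out, which is the first thing the next reader will ask; presumably WASI targets keep taking their `os` from `final.parsed.kernel.name` on the following line, and the comment should say that rather than only naming the triple. Something like `# Bare wasm targets ({wasm32,wasm64}-unknown-unknown) have no OS; WASI still derives its os from parsed.kernel.name below.` would make the ordering of the two branches self-explanatory. The `os =` binding sits inside a `let` whose start and end are outside the hunk.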


@ -94,6 +94,8 @@ checkConfigOutput '^true$' config.result ./module-argument-default.nix
# gvariant
checkConfigOutput '^true$' config.assertion ./gvariant.nix
checkConfigOutput '"ok"' config.result ./specialArgs-lib.nix
# https://github.com/NixOS/nixpkgs/pull/131205
# We currently throw this error already in `config`, but throwing in `config.wrong1` would be acceptable.
checkConfigError 'It seems as if you.re trying to declare an option by placing it into .config. rather than .options.' config.wrong1 ./error-mkOption-in-config.nix


@ -0,0 +1,28 @@
{ config, lib, ... }:
{
options = {
result = lib.mkOption { };
weird = lib.mkOption {
type = lib.types.submoduleWith {
# I generally recommend against overriding lib, because that leads to
# slightly incompatible dialects of the module system.
# Nonetheless, it's worth guarding the property that the module system
# evaluates with a completely custom lib, as a matter of separation of
# concerns.
specialArgs.lib = { };
modules = [ ];
};
};
};
config.weird = args@{ ... /* note the lack of a `lib` argument */ }:
assert args.lib == { };
assert args.specialArgs == { lib = { }; };
{
options.foo = lib.mkOption { };
config.foo = lib.mkIf true "alright";
};
config.result =
assert config.weird.foo == "alright";
"ok";
}


@ -379,7 +379,7 @@ in {
*/
oldestSupportedRelease =
# Update on master only. Do not backport.
2311;
2405;
/**
Whether a feature is supported in all supported releases (at the time of


@ -73,7 +73,6 @@ let
outer_types =
rec {
__attrsFailEvaluation = true;
isType = type: x: (x._type or "") == type;
setType = typeName: value: value // {


@ -71,6 +71,12 @@
github = "0b11stan";
githubId = 27831931;
};
_0david0mp = {
email = "davidmrpr@proton.me";
github = "0david0mp";
githubId = 54892055;
name = "David mp";
};
_0nyr = {
email = "onyr.maintainer@gmail.com";
github = "0nyr";
@ -227,6 +233,12 @@
githubId = 12578560;
name = "Quinn Bohner";
};
_71zenith = {
email = "71zenith@proton.me";
github = "71zenith";
githubId = 92977828;
name = "Mori Zen";
};
_8aed = {
email = "8aed@riseup.net";
github = "8aed";
@ -1115,6 +1127,12 @@
github = "AmeerTaweel";
githubId = 20538273;
};
amerino = {
name = "Alberto Merino";
email = "amerinor01@gmail.com";
github = "amerinor01";
githubId = 22280447;
};
amesgen = {
email = "amesgen@amesgen.de";
github = "amesgen";
@ -1196,6 +1214,12 @@
githubId = 754494;
name = "Anders Asheim Hennum";
};
andershus = {
email = "anders.husebo@eviny.no";
github = "andershus";
githubId = 93526270;
name = "Anders Husebø";
};
andersk = {
email = "andersk@mit.edu";
github = "andersk";
@ -1780,12 +1804,6 @@
githubId = 104313094;
name = "Andrey Shaat";
};
ashkitten = {
email = "ashlea@protonmail.com";
github = "ashkitten";
githubId = 9281956;
name = "ash lea";
};
ashley = {
email = "ashley@kira64.xyz";
github = "kira64xyz";
@ -2272,13 +2290,6 @@
githubId = 19501722;
keys = [ { fingerprint = "C593 27B5 9D0F 2622 23F6 1D03 C1C0 F299 52BC F558"; } ];
};
bb010g = {
email = "me@bb010g.com";
matrix = "@bb010g:matrix.org";
github = "bb010g";
githubId = 340132;
name = "Brayden Banks";
};
bb2020 = {
github = "bb2020";
githubId = 19290397;
@ -2421,14 +2432,6 @@
githubId = 7118777;
keys = [ { fingerprint = "E9A3 7864 2165 28CE 507C CA82 72EA BF75 C331 CD25"; } ];
};
Benjamin-L = {
name = "Benjamin Lee";
email = "benjamin@computer.surgery";
matrix = "@benjamin:computer.surgery";
github = "Benjamin-L";
githubId = 6504174;
keys = [ { fingerprint = "9D84 09A0 44FC 1EEB AE2D FA30 FB96 24E2 885D 55A4"; } ];
};
benkuhn = {
email = "ben@ben-kuhn.com";
github = "ben-kuhn";
@ -2613,6 +2616,11 @@
githubId = 30630233;
name = "Timo Triebensky";
};
birdee = {
name = "birdee";
github = "BirdeeHub";
githubId = 85372418;
};
birkb = {
email = "birk@batchworks.de";
github = "birkb";
@ -2799,6 +2807,12 @@
githubId = 3465841;
name = "Boris Sukholitko";
};
bot-wxt1221 = {
email = "3264117476@qq.com";
github = "Bot-wxt1221";
githubId = 74451279;
name = "Bot-wxt1221";
};
bouk = {
name = "Bouke van der Bijl";
email = "i@bou.ke";
@ -2980,12 +2994,6 @@
githubId = 2379774;
name = "Sean Buckley";
};
buffet = {
email = "niclas@countingsort.com";
github = "buffet";
githubId = 33751841;
name = "Niclas Meyer";
};
bugworm = {
email = "bugworm@zoho.com";
github = "bugworm";
@ -3713,14 +3721,6 @@
githubId = 1448923;
name = "Christian Kauhaus";
};
ckie = {
email = "nixpkgs-0efe364@ckie.dev";
github = "ckiee";
githubId = 25263210;
keys = [ { fingerprint = "539F 0655 4D35 38A5 429A E253 13E7 9449 C052 5215"; } ];
name = "ckie";
matrix = "@ckie:ckie.dev";
};
cko = {
email = "christine.koppelt@gmail.com";
github = "cko";
@ -3759,6 +3759,12 @@
githubId = 848609;
name = "Michael Bishop";
};
clevor = {
email = "myclevorname@gmail.com";
github = "myclevorname";
githubId = 140354451;
name = "Samuel Connelly";
};
clkamp = {
email = "c@lkamp.de";
github = "clkamp";
@ -4117,6 +4123,12 @@
githubId = 34543609;
name = "creator54";
};
crertel = {
email = "chris@kedagital.com";
github = "crertel";
githubId = 1707779;
name = "Chris Ertel";
};
crinklywrappr = {
email = "crinklywrappr@pm.me";
name = "Daniel Fitzpatrick";
@ -4352,6 +4364,12 @@
githubId = 24708079;
name = "Dan Eads";
};
danid3v = {
email = "sch220233@spengergasse.at";
github = "DaniD3v";
githubId = 124387056;
name = "DaniD3v";
};
danielalvsaaker = {
email = "daniel.alvsaaker@proton.me";
github = "danielalvsaaker";
@ -4728,12 +4746,6 @@
github = "deinferno";
githubId = 14363193;
};
delan = {
name = "Delan Azabani";
email = "delan@azabani.com";
github = "delan";
githubId = 465303;
};
delehef = {
name = "Franklin Delehelle";
email = "nix@odena.eu";
@ -5092,6 +5104,12 @@
githubId = 56017218;
keys = [ { fingerprint = "E6F4 BFB4 8DE3 893F 68FC A15F FF5F 4B30 A41B BAC8"; } ];
};
Djabx = {
email = "alexandre@badez.eu";
github = "Djabx";
githubId = 69534;
name = "Alexandre Badez";
};
djacu = {
email = "daniel.n.baker@gmail.com";
github = "djacu";
@ -5327,6 +5345,12 @@
githubId = 6199462;
name = "Dmytro Rets";
};
dretyuiop = {
email = "chewch03@gmail.com";
github = "dretyuiop";
githubId = 81854406;
name = "Chew Cheng Hong";
};
drewrisinger = {
email = "drisinger+nixpkgs@gmail.com";
github = "drewrisinger";
@ -5373,6 +5397,11 @@
githubId = 5596239;
keys = [ { fingerprint = "62BC E2BD 49DF ECC7 35C7 E153 875F 2BCF 163F 1B29"; } ];
};
dseelp = {
name = "dsee";
github = "DSeeLP";
githubId = 46624152;
};
dsferruzza = {
email = "david.sferruzza@gmail.com";
github = "dsferruzza";
@ -7139,6 +7168,12 @@
githubId = 37017396;
name = "gbtb";
};
gcleroux = {
email = "guillaume@cleroux.dev";
github = "gcleroux";
githubId = 73357644;
name = "Guillaume Cléroux";
};
gdamjan = {
email = "gdamjan@gmail.com";
matrix = "@gdamjan:spodeli.org";
@ -7524,7 +7559,8 @@
name = "Yacine Hmito";
};
gracicot = {
email = "gracicot42@gmail.com";
email = "dev@gracicot.com";
matrix = "@gracicot-59e8f173d73408ce4f7ac803:gitter.im";
github = "gracicot";
githubId = 2906673;
name = "Guillaume Racicot";
@ -8016,12 +8052,6 @@
githubId = 222664;
name = "Matthew Leach";
};
hexchen = {
email = "nix@lilwit.ch";
github = "hexchen";
githubId = 41522204;
name = "hexchen";
};
hexclover = {
email = "hexclover@outlook.com";
github = "hexclover";
@ -8035,6 +8065,12 @@
name = "Nova Witterick";
keys = [ { fingerprint = "4304 6B43 8D83 078E 3DF7 10D6 DEB0 E15C 6D2A 5A7C"; } ];
};
heywoodlh = {
email = "nixpkgs@heywoodlh.io";
github = "heywoodlh";
githubId = 18178614;
name = "Spencer Heywood";
};
hh = {
email = "hh@m-labs.hk";
github = "HarryMakes";
@ -8182,6 +8218,12 @@
githubId = 25618740;
name = "Vincent Cui";
};
hornwall = {
email = "hannes@hornwall.me";
github = "hornwall";
githubId = 1064477;
name = "Hannes Hornwall";
};
hoverbear = {
email = "operator+nix@hoverbear.org";
matrix = "@hoverbear:matrix.org";
@ -8424,6 +8466,12 @@
email = "astrid@astrid.tech";
name = "ifd3f";
};
if-loop69420 = {
github = "if-loop69420";
githubId = 81078181;
email = "j.sztavi@pm.me";
name = "Jeremy Sztavinovszki";
};
iFreilicht = {
github = "iFreilicht";
githubId = 9742635;
@ -8946,6 +8994,13 @@
github = "jali-clarke";
githubId = 17733984;
};
jamalam = {
email = "james@jamalam.tech";
name = "jamalam";
github = "Jamalam360";
githubId = 56727311;
keys = [ { fingerprint = "B1B2 2BA0 FC39 D4B4 2240 5F55 D86C D68E 8DB2 E368"; } ];
};
james-atkins = {
name = "James Atkins";
github = "james-atkins";
@ -8957,13 +9012,6 @@
githubId = 1358764;
name = "Jamie Magee";
};
janik = {
name = "Janik";
email = "janik@aq0.de";
matrix = "@janik0:matrix.org";
github = "Janik-Haag";
githubId = 80165193;
};
jankaifer = {
name = "Jan Kaifer";
email = "jan@kaifer.cz";
@ -8982,6 +9030,11 @@
githubId = 3874017;
name = "Jappie Klooster";
};
jaredmontoya = {
name = "Jared Montoya";
github = "jaredmontoya";
githubId = 49511278;
};
jasoncarr = {
email = "jcarr250@gmail.com";
github = "jasoncarr0";
@ -9087,6 +9140,12 @@
github = "jceb";
githubId = 101593;
};
jcelerier = {
name = "Jean-Michaël Celerier";
email = "jeanmichael.celerier@gmail.com";
github = "jcelerier";
githubId = 2772730;
};
jchw = {
email = "johnwchadwick@gmail.com";
github = "jchv";
@ -10147,12 +10206,6 @@
githubId = 46386452;
name = "Jeroen Wijenbergh";
};
jwoudenberg = {
email = "nixpkgs@jasperwoudenberg.com";
github = "jwoudenberg";
githubId = 1525551;
name = "Jasper Woudenberg";
};
jwygoda = {
email = "jaroslaw@wygoda.me";
github = "jwygoda";
@ -11336,12 +11389,6 @@
githubId = 13804737;
keys = [ { fingerprint = "7FE2 113A A08B 695A C8B8 DDE6 AE53 B4C2 E58E DD45"; } ];
};
lf- = {
email = "nix-maint@lfcode.ca";
github = "lf-";
githubId = 6652840;
name = "Jade";
};
lgcl = {
email = "dev@lgcl.de";
name = "Leon Vack";
@ -11423,40 +11470,25 @@
githubId = 3696783;
name = "Leroy Hopson";
};
liketechnik = {
name = "Florian Warzecha";
email = "liketechnik@disroot.org";
github = "liketechnik";
githubId = 24209689;
keys = [ { fingerprint = "92D8 A09D 03DD B774 AABD 53B9 E136 2F07 D750 DB5C"; } ];
};
lilacious = {
email = "yuchenhe126@gmail.com";
github = "Lilacious";
githubId = 101508537;
name = "Yuchen He";
};
LilleAila = {
name = "Olai";
email = "olai@olai.dev";
github = "LilleAila";
githubId = 67327023;
keys = [ { fingerprint = "8185 29F9 BB4C 33F0 69BB 9782 D1AC CDCF 2B9B 9799"; } ];
};
lillycham = {
email = "lillycat332@gmail.com";
github = "lillycat332";
githubId = 54189319;
name = "Lilly Cham";
};
lilyball = {
email = "lily@sb.org";
github = "lilyball";
githubId = 714;
name = "Lily Ballard";
};
lilyinstarlight = {
email = "lily@lily.flowers";
matrix = "@lily:lily.flowers";
github = "lilyinstarlight";
githubId = 298109;
name = "Lily Foster";
};
limeytexan = {
email = "limeytexan@gmail.com";
github = "limeytexan";
@ -12008,6 +12040,12 @@
github = "itslychee";
name = "Lychee";
};
lyndeno = {
name = "Lyndon Sanche";
email = "lsanche@lyndeno.ca";
github = "Lyndeno";
githubId = 13490857;
};
lynty = {
email = "ltdong93+nix@gmail.com";
github = "Lynty";
@ -12259,6 +12297,12 @@
githubId = 30078229;
name = "marble";
};
marcel = {
email = "me@m4rc3l.de";
github = "MarcelCoding";
githubId = 34819524;
name = "Marcel";
};
marcovergueira = {
email = "vergueira.marco@gmail.com";
github = "marcovergueira";
@ -12350,12 +12394,6 @@
githubId = 33522919;
name = "Marshall Arruda";
};
martfont = {
name = "Martino Fontana";
email = "tinozzo123@tutanota.com";
github = "SuperSamus";
githubId = 40663462;
};
martijnvermaat = {
email = "martijn@vermaat.name";
github = "martijnvermaat";
@ -12950,7 +12988,7 @@
name = "Merlin Humml";
};
mguentner = {
email = "code@klandest.in";
email = "code@mguentner.de";
github = "mguentner";
githubId = 668926;
name = "Maximilian Güntner";
@ -14049,10 +14087,6 @@
githubId = 4532582;
keys = [ { fingerprint = "BDEA AB07 909D B96F 4106 85F1 CC15 0758 46BC E91B"; } ];
};
nayala = {
name = "Nia";
matrix = "@fly:asra.gr";
};
nazarewk = {
name = "Krzysztof Nazarewski";
email = "nixpkgs@kdn.im";
@ -14719,12 +14753,6 @@
github = "nullishamy";
githubId = 99221043;
};
nullx76 = {
email = "nix@xirion.net";
github = "NULLx76";
githubId = 1809198;
name = "Victor Roest";
};
numinit = {
email = "me@numin.it";
github = "numinit";
@ -15330,12 +15358,6 @@
githubId = 4580157;
name = "Patrick Hobusch";
};
patka = {
email = "patka@patka.dev";
github = "patka-123";
githubId = 69802930;
name = "patka";
};
patrickdag = {
email = "patrick-nixos@failmail.dev";
github = "PatrickDaG";
@ -15386,7 +15408,7 @@
githubId = 53442728;
};
paveloom = {
email = "paveloom@riseup.net";
email = "contact@paveloom.dev";
github = "paveloom";
githubId = 49961859;
name = "Pavel Sobolev";
@ -15466,6 +15488,12 @@
githubId = 817039;
name = "Paulo Casaretto";
};
pcboy = {
email = "david@joynetiks.com";
github = "pcboy";
githubId = 943430;
name = "David Hagege";
};
pedrohlc = {
email = "root@pedrohlc.com";
github = "PedroHLC";
@ -15508,12 +15536,6 @@
githubId = 13225611;
name = "Nicolas Martin";
};
pennae = {
name = "pennae";
email = "github@quasiparticle.net";
github = "pennae";
githubId = 82953136;
};
perchun = {
name = "Perchun Pak";
email = "nixpkgs@perchun.it";
@ -16786,6 +16808,12 @@
githubId = 52847440;
name = "Ryan Burns";
};
rcoeurjoly = {
email = "rolandcoeurjoly@gmail.com";
github = "RCoeurjoly";
githubId = 16906199;
name = "Roland Coeurjoly";
};
rconybea = {
email = "n1xpkgs@hushmail.com";
github = "rconybea";
@ -17345,12 +17373,6 @@
github = "roshaen";
githubId = 58213083;
};
rossabaker = {
name = "Ross A. Baker";
email = "ross@rossabaker.com";
github = "rossabaker";
githubId = 142698;
};
RossComputerGuy = {
name = "Tristan Ross";
email = "tristan.ross@midstall.com";
@ -17473,6 +17495,12 @@
githubId = 61306;
name = "Rene Treffer";
};
rubenhoenle = {
email = "git@hoenle.xyz";
github = "rubenhoenle";
githubId = 56157634;
name = "Ruben Hönle";
};
ruby0b = {
github = "ruby0b";
githubId = 106119328;
@ -17599,6 +17627,12 @@
githubId = 70191398;
name = "Ryan Cao";
};
ryand56 = {
email = "git@ryand.ca";
github = "ryand56";
githubId = 22267679;
name = "Ryan Omasta";
};
ryane = {
email = "ryanesc@gmail.com";
github = "ryane";
@ -18478,6 +18512,14 @@
githubId = 53050011;
name = "Yohann Boniface";
};
sigmasquadron = {
name = "Fernando Rodrigues";
email = "alpha@sigmasquadron.net";
matrix = "@sigmasquadron:matrix.org";
github = "SigmaSquadron";
githubId = 174749595;
keys = [ { fingerprint = "E3CD E225 47C6 2DB6 6CCD BC06 CC3A E2EA 0000 0000"; } ];
};
sikmir = {
email = "sikmir@disroot.org";
matrix = "@sikmir:matrix.org";
@ -18909,11 +18951,6 @@
githubId = 10437171;
keys = [ { fingerprint = "75F0 AB7C FE01 D077 AEE6 CAFD 353E 4A18 EE0F AB72"; } ];
};
spacefault = {
github = "spacefault";
githubId = 74156492;
name = "spacefault";
};
spacefrogg = {
email = "spacefrogg-nixos@meterriblecrew.net";
github = "spacefrogg";
@ -19531,13 +19568,6 @@
githubId = 28858039;
name = "Tuomas Mäkinen";
};
tadeokondrak = {
email = "me@tadeo.ca";
github = "tadeokondrak";
githubId = 4098453;
name = "Tadeo Kondrak";
keys = [ { fingerprint = "0F2B C0C7 E77C 5B42 AC5B 4C18 FBE6 07FC C495 16D3"; } ];
};
tadfisher = {
email = "tadfisher@gmail.com";
github = "tadfisher";
@ -19771,6 +19801,12 @@
githubId = 1755789;
name = "Robert Irelan";
};
tembleking = {
name = "Fede Barcelona";
email = "fede_rico_94@hotmail.com";
github = "tembleking";
githubId = 2988780;
};
tengkuizdihar = {
name = "Tengku Izdihar";
email = "tengkuizdihar@gmail.com";
@ -21041,13 +21077,6 @@
github = "victormeriqui";
githubId = 1396008;
};
victormignot = {
email = "root@victormignot.fr";
github = "victormignot";
githubId = 58660971;
name = "Victor Mignot";
keys = [ { fingerprint = "CA5D F91A D672 683A 1F65 BBC9 0317 096D 20E0 067B"; } ];
};
vidbina = {
email = "vid@bina.me";
github = "vidbina";
@ -21066,12 +21095,6 @@
githubId = 5837359;
name = "Adrian Pistol";
};
vigress8 = {
email = "vig@disroot.org";
github = "vigress8";
githubId = 150687949;
name = "Vigress";
};
vikanezrimaya = {
email = "vika@fireburn.ru";
github = "vikanezrimaya";
@ -21749,6 +21772,12 @@
github = "x0ba";
githubId = 64868985;
};
x123 = {
name = "x123";
email = "nix@boxchop.city";
github = "x123";
githubId = 5481629;
};
x3ro = {
name = "^x3ro";
email = "nix@x3ro.dev";
@ -22004,6 +22033,12 @@
githubId = 58453832;
keys = [ { fingerprint = "FD0A C425 9EF5 4084 F99F 9B47 2ACC 9749 7C68 FAD4"; } ];
};
yelite = {
name = "Lite Ye";
email = "yelite958@gmail.com";
github = "yelite";
githubId = 3517225;
};
YellowOnion = {
name = "Daniel Hill";
email = "daniel@gluo.nz";
@ -22322,6 +22357,12 @@
githubId = 250877;
name = "Elmar Athmer";
};
zazedd = {
name = "Leonardo Santos";
email = "leomendesantos@gmail.com";
github = "zazedd";
githubId = 93401987;
};
zbioe = {
name = "Iury Fukuda";
email = "zbioe@protonmail.com";
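Review bot: The PGP fingerprint added for `sigmasquadron` ends in `0000 0000`, eight zero hex digits, which is either a deliberately vanity-generated key or a transcribed/truncated value; since the fingerprints in this list are what downstream tooling uses to verify maintainer signatures, the full 40-hex-digit fingerprint should be confirmed against the maintainer's published key before this lands. Every other fingerprint in this section looks like an ordinary random value, so if this one checks out, a short comment on the entry such as `# vanity fingerprint, verified against the published key` would spare the next reviewer the same question.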


@ -6,6 +6,7 @@ argparse,,,,,,
basexx,,,,,,
binaryheap,,,,,,vcunat
busted,,,,,,
busted-htest,,,,,,mrcjkb
cassowary,,,,,,alerque
cldr,,,,,,alerque
compat53,,,,,,vcunat
@ -97,7 +98,7 @@ lua-utils.nvim,,,,,,mrcjkb
lua-yajl,,,,,,pstn
lua-iconv,,,,7.0.0,,
luuid,,,,20120509-2,,
luv,,,,1.44.2-1,,
luv,,,,1.48.0-2,,
lush.nvim,,,https://luarocks.org/dev,,,teto
lyaml,,,,,,lblasc
lz.n,,,,,,mrcjkb
@ -136,7 +137,6 @@ telescope.nvim,,,,,5.1,
telescope-manix,,,,,,
tiktoken_core,,,,,,natsukium
tl,,,,,,mephistophiles
toml,,,,,,mrcjkb
toml-edit,,,,,5.1,mrcjkb
tree-sitter-norg,,,,,5.1,mrcjkb
vstruct,,,,,,

1 name rockspec ref server version luaversion maintainers
6 basexx
7 binaryheap vcunat
8 busted
9 busted-htest mrcjkb
10 cassowary alerque
11 cldr alerque
12 compat53 vcunat
98 lua-yajl pstn
99 lua-iconv 7.0.0
100 luuid 20120509-2
101 luv 1.44.2-1 1.48.0-2
102 lush.nvim https://luarocks.org/dev teto
103 lyaml lblasc
104 lz.n mrcjkb
137 telescope-manix
138 tiktoken_core natsukium
139 tl mephistophiles
toml mrcjkb
140 toml-edit 5.1 mrcjkb
141 tree-sitter-norg 5.1 mrcjkb
142 vstruct


@ -158,7 +158,7 @@ let
to run all update scripts for all packages that lists \`garbas\` as a maintainer
and have \`updateScript\` defined, or:
% nix-shell maintainers/scripts/update.nix --argstr package gnome.nautilus
% nix-shell maintainers/scripts/update.nix --argstr package nautilus
to run update script for specific package, or


@ -715,10 +715,7 @@ with lib.maintainers;
};
node = {
members = [
lilyinstarlight
winter
];
members = [ winter ];
scope = "Maintain Node.js runtimes and build tooling.";
shortName = "Node.js";
enableFeatureFreezePing = true;
@ -772,7 +769,7 @@ with lib.maintainers;
aanderse
drupol
ma27
patka
piotrkwiecinski
talyz
];
githubTeams = [ "php" ];


@ -174,8 +174,6 @@ commands:
OK
> set_network 0 psk "mypassword"
OK
> set_network 0 key_mgmt WPA-PSK
OK
> enable_network 0
OK
```
@ -191,8 +189,6 @@ OK
OK
> set_network 0 password "mypassword"
OK
> set_network 0 key_mgmt WPA-EAP
OK
> enable_network 0
OK
```


@ -225,6 +225,19 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `appimageTools.wrapAppImage` now creates the binary at `$out/bin/${pname}` rather than `$out/bin/${pname}-${version}`, which will break downstream workarounds.
- `apptainer` and `singularity` now prioritize system-wide `PATH` over those constructed from dependent packages when searching for third-party utilities. The `PATH` to search for third-party utilities, known as `defaultPath` inside Apptainer/Singularity source code, is now constructed from the following sources, ordered by their precedence:
- `systemBinPaths`, a new argument introduced to specify system-wide `"/**/bin"` directories.
- The FHS `defaultPath` value set by Apptainer/Singularity developers, making Apptainer/Singularity work out of the box in FHS systems.
- `defaultPathInputs`, a list of packages to form the fall-back `PATH`.
This change is required to enable Sylabs SingularityCE (`singularity`) to run images, as it requires a `fusermount3` commant with the SUID bit set.
`newuidmapPath` and `newgidmapPath` arguments are deprecated in favour of `systemBinPaths`. Their support will be removed in future releases.
`programs.singularity.systemBinPaths` option is introduced to specify the `systemBinPaths` argument of the overridden package. It includes `"/run/wrappers/bin"` even if specified empty.
`programs.singularity.enableFakeroot` option is deprecated and has no effect. `--fakeroot` support is now always enabled as long as `programs.singularity.systemBinPaths` is not forcefully overridden.
- `azure-cli` now has extension support. For example, to install the `aks-preview` extension, use
```nix


@ -8,6 +8,7 @@
- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured as `hardware.amdgpu.amdvlk` option.
This also allows configuring runtime settings of AMDVLK and enabling experimental features.
- The `moonlight-qt` package ([Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.
## New Services {#sec-release-24.11-new-services}
@ -19,12 +20,18 @@
- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).
- [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).
- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).
- [Envision](https://gitlab.com/gabmus/envision), a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as [programs.envision](#opt-programs.envision.enable).
- [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld).
- [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance).
## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
- `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage:
@ -33,6 +40,8 @@
- `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.
- `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected.
- `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust.
The module was updated to accommodate for breaking changes.
Breaking changes to the module API were minimised as much as possible,
@ -58,6 +67,20 @@
it is set, instead of the previous hardcoded default of
`${networking.hostName}.${security.ipa.domain}`.
- The fcgiwrap module now allows multiple instances running as distinct users.
The option `services.fgciwrap` now takes an attribute set of the
configuration of each individual instance.
This requires migrating any previous configuration keys from
`services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`.
The ownership and mode of the UNIX sockets created by this service are now
configurable and private by default.
Processes also now run as a dynamically allocated user by default instead of
root.
- `services.cgit` now runs as the cgit user by default instead of root.
This change requires granting access to the repositories to this user or
setting the appropriate one through `services.cgit.some-instance.user`.
- `nvimpager` was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in `-c` and `--cmd` now override the
respective default settings because they are executed later.
@ -71,6 +94,10 @@
- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.
- `teleport` has been upgraded from major version 15 to major version 16.
Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).
- `vaultwarden` lost the capability to bind to privileged ports. If you rely on
this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in
your local configuration.
@ -87,6 +114,10 @@
- Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android.
- `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`,
and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream.
The `vscode-langservers-extracted` package is a maintained drop-in replacement.
- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the
output by default, to alert users to closure size issues caused by
[#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging
@ -106,6 +137,14 @@
for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
data and the filesystem for blobs).
- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option:
```
# This is how a environment file can be generated:
# $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file
services.shiori.environmentFile = "/path/to/env-file";
```
- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.
- `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will
@ -116,6 +155,8 @@
GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170)
with *runner authentication tokens* until the release of GitLab 18.0.
- `gitlab` has been updated from 16.x to 17.x and requires at least `postgresql` 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
- `zx` was updated to v8, which introduces several breaking changes.
See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.
@ -142,10 +183,18 @@
- The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained.
Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.
- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300)
- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.
## Other Notable Changes {#sec-release-24.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- The `zerocallusedregs` hardening flag is enabled by default on compilers that support it.
- The `stackclashprotection` hardening flag has been added, though disabled by default.
- `hareHook` has been added as the language framework for Hare. From now on, it,
not the `hare` package, should be added to `nativeBuildInputs` when building
Hare programs.
@ -156,6 +205,9 @@
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.
- `security.pam.u2f` now follows RFC42.
All module options are now settable through the freeform `.settings`.
- Cinnamon has been updated to 6.2.
- Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
- Nemo is now built with gtk-layer-shell support, note that for now it will be expected to see nemo-desktop


@ -1,5 +1,5 @@
/**
Generates documentation for [nix modules](https://nix.dev/tutorials/module-system/module-system.html).
Generates documentation for [nix modules](https://nix.dev/tutorials/module-system/index.html).
It uses the declared `options` to generate documentation in various formats.


@ -23,6 +23,7 @@ let
isPath
isString
listToAttrs
mapAttrs
nameValuePair
optionalString
removePrefix
@ -140,11 +141,35 @@ utils = rec {
];
} "_secret" -> { ".example[1].relevant.secret" = "/path/to/secret"; }
*/
recursiveGetAttrWithJqPrefix = item: attr:
recursiveGetAttrWithJqPrefix = item: attr: mapAttrs (_name: set: set.${attr}) (recursiveGetAttrsetWithJqPrefix item attr);
/* Similar to `recursiveGetAttrWithJqPrefix`, but returns the whole
attribute set containing `attr` instead of the value of `attr` in
the set.
Example:
recursiveGetAttrsetWithJqPrefix {
example = [
{
irrelevant = "not interesting";
}
{
ignored = "ignored attr";
relevant = {
secret = {
_secret = "/path/to/secret";
quote = true;
};
};
}
];
} "_secret" -> { ".example[1].relevant.secret" = { _secret = "/path/to/secret"; quote = true; }; }
*/
recursiveGetAttrsetWithJqPrefix = item: attr:
let
recurse = prefix: item:
if item ? ${attr} then
nameValuePair prefix item.${attr}
nameValuePair prefix item
else if isDerivation item then []
else if isAttrs item then
map (name:
@ -206,6 +231,58 @@ utils = rec {
}
]
}
The attribute set { _secret = "/path/to/secret"; } can contain extra
options, currently it accepts the `quote = true|false` option.
If `quote = true` (default behavior), the content of the secret file will
be quoted as a string and embedded. Otherwise, if `quote = false`, the
content of the secret file will be parsed to JSON and then embedded.
Example:
If the file "/path/to/secret" contains the JSON document:
[
{ "a": "topsecretpassword1234" },
{ "b": "topsecretpassword5678" }
]
genJqSecretsReplacementSnippet {
example = [
{
irrelevant = "not interesting";
}
{
ignored = "ignored attr";
relevant = {
secret = {
_secret = "/path/to/secret";
quote = false;
};
};
}
];
} "/path/to/output.json"
would generate a snippet that, when run, outputs the following
JSON file at "/path/to/output.json":
{
"example": [
{
"irrelevant": "not interesting"
},
{
"ignored": "ignored attr",
"relevant": {
"secret": [
{ "a": "topsecretpassword1234" },
{ "b": "topsecretpassword5678" }
]
}
}
]
}
*/
genJqSecretsReplacementSnippet = genJqSecretsReplacementSnippet' "_secret";
@ -213,7 +290,11 @@ utils = rec {
# attr which identifies the secret to be changed.
genJqSecretsReplacementSnippet' = attr: set: output:
let
secrets = recursiveGetAttrWithJqPrefix set attr;
secretsRaw = recursiveGetAttrsetWithJqPrefix set attr;
# Set default option values
secrets = mapAttrs (_name: set: {
quote = true;
} // set) secretsRaw;
stringOrDefault = str: def: if str == "" then def else str;
in ''
if [[ -h '${output}' ]]; then
@ -227,7 +308,7 @@ utils = rec {
+ concatStringsSep
"\n"
(imap1 (index: name: ''
secret${toString index}=$(<'${secrets.${name}}')
secret${toString index}=$(<'${secrets.${name}.${attr}}')
export secret${toString index}
'')
(attrNames secrets))
@ -236,7 +317,7 @@ utils = rec {
+ escapeShellArg (stringOrDefault
(concatStringsSep
" | "
(imap1 (index: name: ''${name} = $ENV.secret${toString index}'')
(imap1 (index: name: ''${name} = ($ENV.secret${toString index}${optionalString (!secrets.${name}.quote) " | fromjson"})'')
(attrNames secrets)))
".")
+ ''
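Review bot: The per-secret option merge `secrets = mapAttrs (_name: set: { quote = true; } // set) secretsRaw;` accepts any extra key without checking it, so a misspelled option such as `qoute = false` silently keeps the default and the secret file is embedded as a quoted string instead of being parsed as JSON. Rejecting unknown keys would fail at evaluation time instead, e.g. `assert removeAttrs set [ attr "quote" ] == { } || throw "genJqSecretsReplacementSnippet: unknown option for secret ${_name}";` placed before the merge, and a `builtins.isBool set.quote` check would catch a non-boolean value before it reaches `!secrets.${name}.quote`. For the doc comment above `genJqSecretsReplacementSnippet`, it is worth stating that with `quote = false` the file must contain valid JSON and that, as far as I recall, jq's `fromjson` error message echoes the input it failed to parse, so a malformed secret file can surface its content on stderr during activation. The body of `genJqSecretsReplacementSnippet'` continues outside the hunk.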


@ -18,6 +18,6 @@ with lib;
};
config = mkIf config.fonts.enableGhostscriptFonts {
fonts.packages = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ];
fonts.packages = [ pkgs.ghostscript.fonts ];
};
}


@ -1,34 +1,49 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) optionals mkOption mkEnableOption types mkIf elem concatStringsSep maintainers;
inherit (lib)
getOutput
maintainers
mkEnableOption
mkIf
mkOption
mkPackageOption
types
;
cfg = config.networking.stevenblack;
# needs to be in a specific order
activatedHosts = with cfg; [ ]
++ optionals (elem "fakenews" block) [ "fakenews" ]
++ optionals (elem "gambling" block) [ "gambling" ]
++ optionals (elem "porn" block) [ "porn" ]
++ optionals (elem "social" block) [ "social" ];
hostsPath = "${pkgs.stevenblack-blocklist}/alternates/" + concatStringsSep "-" activatedHosts + "/hosts";
in
{
options.networking.stevenblack = {
enable = mkEnableOption "the stevenblack hosts file blocklist";
package = mkPackageOption pkgs "stevenblack-blocklist" { };
block = mkOption {
type = types.listOf (types.enum [ "fakenews" "gambling" "porn" "social" ]);
type = types.listOf (
types.enum [
"fakenews"
"gambling"
"porn"
"social"
]
);
default = [ ];
description = "Additional blocklist extensions.";
};
};
config = mkIf cfg.enable {
networking.hostFiles = [ ]
++ optionals (activatedHosts != [ ]) [ hostsPath ]
++ optionals (activatedHosts == [ ]) [ "${pkgs.stevenblack-blocklist}/hosts" ];
networking.hostFiles = map (x: "${getOutput x cfg.package}/hosts") ([ "ads" ] ++ cfg.block);
};
meta.maintainers = [ maintainers.moni maintainers.artturin ];
meta.maintainers = with maintainers; [
moni
artturin
frontear
];
}
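Review bot: The new `networking.hostFiles = map (x: "${getOutput x cfg.package}/hosts") ([ "ads" ] ++ cfg.block);` relies on `cfg.package` exposing one output per blocklist name, and `lib.getOutput` (as far as I recall) falls back to the package's default output when the requested one is missing, so a user-supplied `package` without e.g. a `fakenews` output would silently install the plain `ads` list again instead of the extension the user asked for. An assertion makes that visible: `assertions = [ { assertion = lib.all (x: cfg.package ? ${x}) cfg.block; message = "networking.stevenblack.package must provide an output for every entry in networking.stevenblack.block"; } ];`. The `package` option should also document that requirement in its description, since `mkPackageOption`'s generated text does not mention outputs.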


@ -234,7 +234,7 @@ foreach my $u (@{$spec->{users}}) {
# Ensure home directory incl. ownership and permissions.
if ($u->{createHome} and !$is_dry) {
make_path($u->{home}, { mode => oct($u->{homeMode}) }) if ! -e $u->{home};
make_path($u->{home}, { mode => 0755 }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
chmod oct($u->{homeMode}), $u->{home};
}
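Review bot: Creating the home with `make_path($u->{home}, { mode => 0755 })` and only afterwards applying `chmod oct($u->{homeMode}), $u->{home};` leaves the directory briefly world-searchable whenever `homeMode` is stricter than 0755; the directory is empty at that point so the exposure is small, but the motivation for the change (presumably that `make_path`'s `mode` was also applied to newly created parent directories) deserves a comment such as `# Parents are created 0755; homeMode is applied to the leaf below so it does not leak onto intermediate directories.` If the window matters, creating only the parents with `make_path` and the leaf with `mkdir $u->{home}, oct($u->{homeMode})` avoids it. The enclosing `foreach` loop continues outside the hunk.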


@ -1,16 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.decklink;
kernelPackages = config.boot.kernelPackages;
in
{
options.hardware.decklink.enable = lib.mkEnableOption "hardware support for the Blackmagic Design Decklink audio/video interfaces";
config = lib.mkIf cfg.enable {
boot.kernelModules = [ "blackmagic" "blackmagic-io" "snd_blackmagic-io" ];
boot.extraModulePackages = [ kernelPackages.decklink ];
systemd.packages = [ pkgs.blackmagic-desktop-video ];
systemd.services.DesktopVideoHelper.wantedBy = [ "multi-user.target" ];
};
}


@ -297,7 +297,10 @@ in
description = "Update timer for locate database";
partOf = [ "update-locatedb.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.interval;
timerConfig = {
OnCalendar = cfg.interval;
Persistent = true;
};
};
};


@ -59,7 +59,6 @@
./hardware/cpu/intel-microcode.nix
./hardware/cpu/intel-sgx.nix
./hardware/cpu/x86-msr.nix
./hardware/decklink.nix
./hardware/device-tree.nix
./hardware/digitalbitbox.nix
./hardware/flipperzero.nix
@ -181,6 +180,7 @@
./programs/dublin-traceroute.nix
./programs/ecryptfs.nix
./programs/environment.nix
./programs/envision.nix
./programs/evince.nix
./programs/extra-container.nix
./programs/fcast-receiver.nix
@ -1370,6 +1370,7 @@
./services/web-apps/documize.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/dolibarr.nix
./services/web-apps/eintopf.nix
./services/web-apps/engelsystem.nix
./services/web-apps/ethercalc.nix
./services/web-apps/filesender.nix
@ -1379,6 +1380,7 @@
./services/web-apps/freshrss.nix
./services/web-apps/galene.nix
./services/web-apps/gerrit.nix
./services/web-apps/glance.nix
./services/web-apps/gotify-server.nix
./services/web-apps/gotosocial.nix
./services/web-apps/grocy.nix


@ -5,13 +5,5 @@
{
boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" ];
boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
boot.initrd.postDeviceCommands = lib.mkIf (!config.boot.initrd.systemd.enable)
''
# Set the system time from the hardware clock to work around a
# bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
# to the *boot time* of the host).
hwclock -s
'';
boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" "virtio_gpu" ];
}


@ -0,0 +1,43 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.envision;
in
{
options = {
programs.envision = {
enable = lib.mkEnableOption "envision";
package = lib.mkPackageOption pkgs "envision" {};
openFirewall = lib.mkEnableOption "the default ports in the firewall for the WiVRn server" // {
default = true;
};
};
};
config = lib.mkIf cfg.enable {
services.avahi = {
enable = true;
publish = {
enable = true;
userServices = true;
};
};
environment.systemPackages = [ cfg.package ];
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ 9757 ];
allowedUDPPorts = [ 9757 ];
};
};
meta.maintainers = pkgs.envision.meta.maintainers;
}
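Review bot: `openFirewall` defaults to `true` via `openFirewall = lib.mkEnableOption "the default ports in the firewall for the WiVRn server" // { default = true; };`, so merely enabling `programs.envision` opens TCP and UDP port 9757 on all interfaces, while NixOS modules otherwise keep `openFirewall` off by default and the description names WiVRn rather than the ports actually opened. I would drop the `default = true` override or, if it is intentional, say what is exposed: `openFirewall = lib.mkEnableOption "opening TCP and UDP port 9757 in the firewall for the WiVRn server" // { default = true; };` and explain the non-standard default in the description. The module also turns on `services.avahi` with `publish.userServices = true` unconditionally, which likewise belongs in the `enable` description so users know what the switch does to the network. `meta.maintainers = pkgs.envision.meta.maintainers;` could read `cfg.package.meta.maintainers` for consistency with the `package` option.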


@ -14,7 +14,7 @@ in {
enable = lib.mkEnableOption "File Roller, an archive manager for GNOME";
package = lib.mkPackageOption pkgs [ "gnome" "file-roller" ] { };
package = lib.mkPackageOption pkgs "file-roller" { };
};


@ -13,7 +13,7 @@ in {
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.gnome.geary ];
environment.systemPackages = [ pkgs.geary ];
programs.dconf.enable = true;
services.gnome.gnome-keyring.enable = true;
services.gnome.gnome-online-accounts.enable = true;


@ -32,9 +32,9 @@
config = lib.mkIf config.programs.gnome-disks.enable {
environment.systemPackages = [ pkgs.gnome.gnome-disk-utility ];
environment.systemPackages = [ pkgs.gnome-disk-utility ];
services.dbus.packages = [ pkgs.gnome.gnome-disk-utility ];
services.dbus.packages = [ pkgs.gnome-disk-utility ];
};


@ -19,9 +19,9 @@ in
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.gnome.gnome-terminal ];
services.dbus.packages = [ pkgs.gnome.gnome-terminal ];
systemd.packages = [ pkgs.gnome.gnome-terminal ];
environment.systemPackages = [ pkgs.gnome-terminal ];
services.dbus.packages = [ pkgs.gnome-terminal ];
systemd.packages = [ pkgs.gnome-terminal ];
programs.bash.vteIntegration = true;
programs.zsh.vteIntegration = true;


@ -18,12 +18,12 @@
###### implementation
config = lib.mkIf config.programs.gpaste.enable {
environment.systemPackages = [ pkgs.gnome.gpaste ];
services.dbus.packages = [ pkgs.gnome.gpaste ];
systemd.packages = [ pkgs.gnome.gpaste ];
environment.systemPackages = [ pkgs.gpaste ];
services.dbus.packages = [ pkgs.gpaste ];
systemd.packages = [ pkgs.gpaste ];
# gnome-control-center crashes in Keyboard Shortcuts pane without the GSettings schemas.
services.xserver.desktopManager.gnome.sessionPath = [ pkgs.gnome.gpaste ];
services.xserver.desktopManager.gnome.sessionPath = [ pkgs.gpaste ];
# gpaste-reloaded applet doesn't work without the typelib
services.xserver.desktopManager.cinnamon.sessionPath = [ pkgs.gnome.gpaste ];
services.xserver.desktopManager.cinnamon.sessionPath = [ pkgs.gpaste ];
};
}


@ -19,7 +19,7 @@ in
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
gnome.nautilus-python
nautilus-python
nautilus-open-any-terminal
];
programs.dconf = lib.optionalAttrs (cfg.terminal != null) {


@ -8,7 +8,7 @@
let
cfg = config.programs.qdmr;
in {
meta.maintainers = [ lib.maintainers.janik ];
meta.maintainers = [ ];
options = {
programs.qdmr = {


@ -21,14 +21,14 @@
config = lib.mkIf config.programs.seahorse.enable {
programs.ssh.askPassword = lib.mkDefault "${pkgs.gnome.seahorse}/libexec/seahorse/ssh-askpass";
programs.ssh.askPassword = lib.mkDefault "${pkgs.seahorse}/libexec/seahorse/ssh-askpass";
environment.systemPackages = [
pkgs.gnome.seahorse
pkgs.seahorse
];
services.dbus.packages = [
pkgs.gnome.seahorse
pkgs.seahorse
];
};


@ -56,9 +56,12 @@ in
enableFakeroot = lib.mkOption {
type = lib.types.bool;
default = true;
example = false;
description = ''
Whether to enable the `--fakeroot` support of Singularity/Apptainer.
This option is deprecated and has no effect.
`--fakeroot` support is enabled automatically,
as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
'';
};
enableSuid = lib.mkOption {
@ -74,22 +77,34 @@ in
Whether to enable the SUID support of Singularity/Apptainer.
'';
};
systemBinPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
description = ''
(Extra) system-wide /**/bin paths
for Apptainer/Singularity to find command-line utilities in.
`"/run/wrappers/bin"` is included by default to make
utilities with SUID bit set available to Apptainer/Singularity.
Use `lib.mkForce` to shadow the default values.
'';
};
};
config = lib.mkIf cfg.enable {
programs.singularity.packageOverriden = (
cfg.package.override (
lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
// lib.optionalAttrs cfg.enableFakeroot {
newuidmapPath = "/run/wrappers/bin/newuidmap";
newgidmapPath = "/run/wrappers/bin/newgidmap";
{
systemBinPaths = cfg.systemBinPaths;
}
// lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
// lib.optionalAttrs cfg.enableSuid {
enableSuid = true;
starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
}
)
);
programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];
environment.systemPackages = [ cfg.packageOverriden ];
security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid {
setuid = true;
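Review bot: `enableFakeroot` is kept as a `bool` option defaulting to `true` whose description now says it has no effect, so a configuration that set `enableFakeroot = false` silently gets `--fakeroot` support anyway, because `/run/wrappers/bin` is always added through `programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];`. A user who turned it off deliberately should at least be told: `warnings = lib.optional (!cfg.enableFakeroot) "programs.singularity.enableFakeroot no longer has any effect; --fakeroot support is always available.";`, or the option could be retired with `lib.mkRemovedOptionModule`. The `systemBinPaths` description already notes that `lib.mkForce` shadows the default; it is worth stating explicitly that this is the way to keep `/run/wrappers/bin` out of the search path if that is desired. The `config` block continues outside the hunk.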


@ -7,6 +7,13 @@ with lib;
let
moduleSettingsType = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
moduleSettingsDescription = ''
Boolean values render just the key if true, and nothing if false.
Null values are ignored.
All other values are rendered as key-value pairs.
'';
mkRulesTypeOption = type: mkOption {
# These options are experimental and subject to breaking changes without notice.
description = ''
@ -71,12 +78,12 @@ let
'';
};
settings = mkOption {
type = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
type = moduleSettingsType;
default = {};
description = ''
Settings to add as `module-arguments`.
Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.
${moduleSettingsDescription}
'';
};
};
@ -660,11 +667,7 @@ let
(let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [
"${pkgs.opensc}/lib/opensc-pkcs11.so"
]; })
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; settings = {
inherit (u2f) debug interactive cue origin;
authfile = u2f.authFile;
appid = u2f.appId;
}; })
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; inherit (u2f) settings; })
(let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; settings = {
ca_file = ussh.caFile;
authorized_principals = ussh.authorizedPrincipals;
@ -723,7 +726,7 @@ let
disable_interactive = true;
}; }
{ name = "kwallet"; enable = cfg.kwallet.enable; control = "optional"; modulePath = "${cfg.kwallet.package}/lib/security/pam_kwallet5.so"; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so"; }
{ name = "intune"; enable = config.services.intune.enable; control = "optional"; modulePath = "${pkgs.intune-portal}/lib/security/pam_intune.so"; }
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
store-only = cfg.gnupg.storeOnly;
@ -789,7 +792,7 @@ let
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = {
use_first_pass = true;
}; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
use_authtok = true;
}; }
];
@ -858,7 +861,7 @@ let
debug = true;
}; }
{ name = "kwallet"; enable = cfg.kwallet.enable; control = "optional"; modulePath = "${cfg.kwallet.package}/lib/security/pam_kwallet5.so"; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
auto_start = true;
}; }
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
@ -952,6 +955,12 @@ in
imports = [
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
(mkRenamedOptionModule [ "security" "pam" "enableSSHAgentAuth" ] [ "security" "pam" "sshAgentAuth" "enable" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "authFile" ] [ "security" "pam" "u2f" "settings" "authfile" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "appId" ] [ "security" "pam" "u2f" "settings" "appid" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "origin" ] [ "security" "pam" "u2f" "settings" "origin" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "debug" ] [ "security" "pam" "u2f" "settings" "debug" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "interactive" ] [ "security" "pam" "u2f" "settings" "interactive" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "cue" ] [ "security" "pam" "u2f" "settings" "cue" ])
];
###### interface
@ -1144,57 +1153,6 @@ in
'';
};
authFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
By default `pam-u2f` module reads the keys from
{file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
{file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
not set).
If you want to change auth file locations or centralize database (for
example use {file}`/etc/u2f-mappings`) you can set this
option.
File format is:
`username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
This file can be generated using {command}`pamu2fcfg` command.
More information can be found [here](https://developers.yubico.com/pam-u2f/).
'';
};
appId = mkOption {
default = null;
type = with types; nullOr str;
description = ''
By default `pam-u2f` module sets the application
ID to `pam://$HOSTNAME`.
When using {command}`pamu2fcfg`, you can specify your
application ID with the `-i` flag.
More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
'';
};
origin = mkOption {
default = null;
type = with types; nullOr str;
description = ''
By default `pam-u2f` module sets the origin
to `pam://$HOSTNAME`.
Setting origin to an host independent value will allow you to
reuse credentials across machines
When using {command}`pamu2fcfg`, you can specify your
application ID with the `-o` flag.
More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
@ -1209,33 +1167,104 @@ in
'';
};
debug = mkOption {
default = false;
type = types.bool;
description = ''
Debug output to stderr.
'';
};
settings = mkOption {
type = types.submodule {
freeformType = moduleSettingsType;
interactive = mkOption {
default = false;
type = types.bool;
description = ''
Set to prompt a message and wait before testing the presence of a U2F device.
Recommended if your device doesnt have a tactile trigger.
'';
};
options = {
authfile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
By default `pam-u2f` module reads the keys from
{file}`$XDG_CONFIG_HOME/Yubico/u2f_keys` (or
{file}`$HOME/.config/Yubico/u2f_keys` if XDG variable is
not set).
cue = mkOption {
default = false;
type = types.bool;
description = ''
By default `pam-u2f` module does not inform user
that he needs to use the u2f device, it just waits without a prompt.
If you want to change auth file locations or centralize database (for
example use {file}`/etc/u2f-mappings`) you can set this
option.
If you set this option to `true`,
`cue` option is added to `pam-u2f`
module and reminder message will be displayed.
File format is:
`username:first_keyHandle,first_public_key: second_keyHandle,second_public_key`
This file can be generated using {command}`pamu2fcfg` command.
More information can be found [here](https://developers.yubico.com/pam-u2f/).
'';
};
appid = mkOption {
default = null;
type = with types; nullOr str;
description = ''
By default `pam-u2f` module sets the application
ID to `pam://$HOSTNAME`.
When using {command}`pamu2fcfg`, you can specify your
application ID with the `-i` flag.
More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
'';
};
origin = mkOption {
default = null;
type = with types; nullOr str;
description = ''
By default `pam-u2f` module sets the origin
to `pam://$HOSTNAME`.
Setting origin to an host independent value will allow you to
reuse credentials across machines
When using {command}`pamu2fcfg`, you can specify your
application ID with the `-o` flag.
More information can be found [here](https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html)
'';
};
debug = mkOption {
default = false;
type = types.bool;
description = ''
Debug output to stderr.
'';
};
interactive = mkOption {
default = false;
type = types.bool;
description = ''
Set to prompt a message and wait before testing the presence of a U2F device.
Recommended if your device doesnt have a tactile trigger.
'';
};
cue = mkOption {
default = false;
type = types.bool;
description = ''
By default `pam-u2f` module does not inform user
that he needs to use the u2f device, it just waits without a prompt.
If you set this option to `true`,
`cue` option is added to `pam-u2f`
module and reminder message will be displayed.
'';
};
};
};
default = { };
example = {
authfile = "/etc/u2f_keys";
authpending_file = "";
userpresence = 0;
pinverification = 1;
};
description = ''
Options to pass to the PAM module.
${moduleSettingsDescription}
'';
};
};
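Review bot: The new freeform `settings` description inherits `moduleSettingsDescription`, which says a `false` boolean renders nothing, yet the pam_u2f presence and PIN options shown in the example (`userpresence = 0;`, `pinverification = 1;`) are integers; a user writing `userpresence = false;` gets no argument at all and the module's built-in default instead of an explicit `userpresence=0`, which is easy to misread when reviewing an authentication configuration. I would add one line after `${moduleSettingsDescription}` in the option description: `pam_u2f options that take a numeric value (userpresence, userverification, pinverification) must be given as integers, since false is dropped from the argument list.` The per-option documentation for `authfile`, `appid` and `origin` carried over into the submodule reads fine. The `settings` option block is the last hunk of a file that continues outside the diff.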


@ -104,6 +104,9 @@ let
--what="sleep" \
--why="Scheduled backup" \
'' + backupScript;
unitConfig = optionalAttrs (isLocalPath cfg.repo) {
RequiresMountsFor = [ cfg.repo ];
};
serviceConfig = {
User = cfg.user;
Group = cfg.group;


@ -42,6 +42,28 @@ in
'';
};
includeFileList = mkOption {
type = types.nullOr types.path;
default = null;
example = /path/to/fileList.txt;
description = ''
File containing newline-separated list of paths to include into the
backups. See the FILE SELECTION section in {manpage}`duplicity(1)` for
details on the syntax.
'';
};
excludeFileList = mkOption {
type = types.nullOr types.path;
default = null;
example = /path/to/fileList.txt;
description = ''
File containing newline-separated list of paths to exclude into the
backups. See the FILE SELECTION section in {manpage}`duplicity(1)` for
details on the syntax.
'';
};
targetUrl = mkOption {
type = types.str;
example = "s3://host:port/prefix";
@ -154,6 +176,8 @@ in
${lib.optionalString (cfg.cleanup.maxIncr != null) "${dup} remove-all-inc-of-but-n-full ${toString cfg.cleanup.maxIncr} ${target} --force ${extra}"}
exec ${dup} ${if cfg.fullIfOlderThan == "always" then "full" else "incr"} ${lib.escapeShellArgs (
[ cfg.root cfg.targetUrl ]
++ lib.optionals (cfg.includeFileList != null) [ "--include-filelist" cfg.includeFileList ]
++ lib.optionals (cfg.excludeFileList != null) [ "--exclude-filelist" cfg.excludeFileList ]
++ concatMap (p: [ "--include" p ]) cfg.include
++ concatMap (p: [ "--exclude" p ]) cfg.exclude
++ (lib.optionals (cfg.fullIfOlderThan != "never" && cfg.fullIfOlderThan != "always") [ "--full-if-older-than" cfg.fullIfOlderThan ])
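Review bot: The `excludeFileList` description says `list of paths to exclude into the backups`; it should read `from the backups`. More importantly, duplicity evaluates file-selection options in command-line order (first match wins, as far as I know), and the new `--include-filelist`/`--exclude-filelist` arguments are placed before the `--include`/`--exclude` entries built from `cfg.include` and `cfg.exclude`, so entries in the file take precedence over the list options; both new descriptions should state that, e.g. `Entries in this file take precedence over the include and exclude options.` The `example = /path/to/fileList.txt;` is a path literal, which in a real configuration copies the file into the Nix store; a string example such as `"/etc/duplicity/include-list.txt"` would not suggest that. The `exec` line belongs to a script whose start and end are outside the hunk.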


@ -10,6 +10,15 @@ let
configFile = format.generate configFileName cfg.settings;
in
{
imports = [
(lib.mkRemovedOptionModule [ "services" "patroni" "raft" ] ''
Raft has been deprecated by upstream.
'')
(lib.mkRemovedOptionModule [ "services" "patroni" "raftPort" ] ''
Raft has been deprecated by upstream.
'')
];
options.services.patroni = {
enable = mkEnableOption "Patroni";
@ -68,7 +77,7 @@ in
type = types.path;
default = "/var/lib/patroni";
description = ''
Folder where Patroni data will be written, used by Raft as well if enabled.
Folder where Patroni data will be written, this is where the pgpass password file will be written.
'';
};
@ -120,22 +129,6 @@ in
'';
};
raft = mkOption {
type = types.bool;
default = false;
description = ''
This will configure Patroni to use its own RAFT implementation instead of using a dedicated DCS.
'';
};
raftPort = mkOption {
type = types.port;
default = 5010;
description = ''
The port on which RAFT listens.
'';
};
softwareWatchdog = mkOption {
type = types.bool;
default = false;
@ -178,12 +171,6 @@ in
connect_address = "${cfg.nodeIp}:${toString cfg.restApiPort}";
};
raft = mkIf cfg.raft {
data_dir = "${cfg.dataDir}/raft";
self_addr = "${cfg.nodeIp}:5010";
partner_addrs = map (ip: ip + ":5010") cfg.otherNodesIps;
};
postgresql = {
listen = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
connect_address = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
@ -235,7 +222,7 @@ in
KillMode = "process";
}
(mkIf (cfg.postgresqlDataDir == "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}" && cfg.dataDir == "/var/lib/patroni") {
StateDirectory = "patroni patroni/raft postgresql postgresql/${cfg.postgresqlPackage.psqlSchema}";
StateDirectory = "patroni postgresql postgresql/${cfg.postgresqlPackage.psqlSchema}";
StateDirectoryMode = "0750";
})
];
@ -251,7 +238,6 @@ in
environment.systemPackages = [
pkgs.patroni
cfg.postgresqlPackage
(mkIf cfg.raft pkgs.python310Packages.pysyncobj)
];
environment.etc."${configFileName}".source = configFile;


@ -137,8 +137,10 @@ let
"--builds-dir ${service.buildsDir}"
++ optional (service.cloneUrl != null)
"--clone-url ${service.cloneUrl}"
++ optional (service.preCloneScript != null)
"--pre-clone-script ${service.preCloneScript}"
++ optional (service.preGetSourcesScript != null)
"--pre-get-sources-script ${service.preGetSourcesScript}"
++ optional (service.postGetSourcesScript != null)
"--post-get-sources-script ${service.postGetSourcesScript}"
++ optional (service.preBuildScript != null)
"--pre-build-script ${service.preBuildScript}"
++ optional (service.postBuildScript != null)
@ -495,13 +497,20 @@ in {
Whitelist allowed services.
'';
};
preCloneScript = mkOption {
preGetSourcesScript = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Runner-specific command script executed before code is pulled.
'';
};
postGetSourcesScript = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Runner-specific command script executed after code is pulled.
'';
};
preBuildScript = mkOption {
type = types.nullOr types.path;
default = null;
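Review bot: `preCloneScript` disappears from the per-service option set where `preGetSourcesScript` is declared, with no rename or deprecation path, so any existing configuration that sets `services.gitlab-runner.services.<name>.preCloneScript` will fail evaluation with an undefined-option error instead of being pointed at the new name. If the service submodule supports `imports`, `(lib.mkRenamedOptionModule [ "preCloneScript" ] [ "preGetSourcesScript" ])` would keep old configurations working; otherwise the rename should at least be called out in the release notes. The submodule declaration begins and ends outside the hunk, so I cannot see whether an `imports` list already exists there.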


@ -109,7 +109,7 @@ let
};
in
{
meta.maintainers = with lib.maintainers; [ janik ambroisie ];
meta.maintainers = with lib.maintainers; [ ambroisie ];
options = {
services.woodpecker-agents = {


@ -8,7 +8,7 @@ let
cfg = config.services.woodpecker-server;
in
{
meta.maintainers = with lib.maintainers; [ janik ambroisie ];
meta.maintainers = with lib.maintainers; [ ambroisie ];
options = {


@ -6,7 +6,7 @@ let
cfg = config.services.monetdb;
in {
meta.maintainers = with maintainers; [ StillerHarpo primeos ];
meta.maintainers = with maintainers; [ StillerHarpo ];
###### interface
options = {


@ -21,8 +21,11 @@ in {
history-service
libusermetrics
lomiri
lomiri-calculator-app
lomiri-clock-app
lomiri-download-manager
lomiri-filemanager-app
lomiri-polkit-agent
lomiri-schemas # exposes some required dbus interfaces
lomiri-session # wrappers to properly launch the session
lomiri-sounds
@ -35,7 +38,7 @@ in {
morph-browser
qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session
suru-icon-theme
# telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
telephony-service
]);
variables = {
# To override the keyboard layouts in Lomiri
@ -84,7 +87,7 @@ in {
] ++ lib.optionals (config.hardware.pulseaudio.enable || config.services.pipewire.pulse.enable) [
ayatana-indicator-sound
]) ++ (with pkgs.lomiri; [
# telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
telephony-service
] ++ lib.optionals config.networking.networkmanager.enable [
lomiri-indicator-network
]);
@ -145,6 +148,18 @@ in {
ExecStart = "${pkgs.lomiri.lomiri-url-dispatcher}/libexec/lomiri-url-dispatcher/lomiri-update-directory /run/current-system/sw/share/lomiri-url-dispatcher/urls/";
};
};
"lomiri-polkit-agent" = rec {
description = "Lomiri Polkit agent";
wantedBy = [ "lomiri.service" "lomiri-full-greeter.service" "lomiri-full-shell.service" "lomiri-greeter.service" "lomiri-shell.service" ];
after = [ "graphical-session.target" ];
partOf = wantedBy;
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${pkgs.lomiri.lomiri-polkit-agent}/libexec/lomiri-polkit-agent/policykit-agent";
};
};
};
systemd.services = {


@ -8,6 +8,7 @@ in {
options = {
services.espanso = {
enable = mkEnableOption "Espanso";
wayland = mkEnableOption "use the Wayland compatible espanso package";
package = mkPackageOption pkgs "espanso" {
example = "pkgs.espanso-wayland";
};


@ -26,33 +26,22 @@ in
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.gnome.gnome-keyring ];
environment.systemPackages = [ pkgs.gnome-keyring ];
services.dbus.packages = [
pkgs.gnome.gnome-keyring
pkgs.gnome-keyring
pkgs.gcr
];
xdg.portal.extraPortals = [ pkgs.gnome.gnome-keyring ];
xdg.portal.extraPortals = [ pkgs.gnome-keyring ];
security.pam.services = lib.mkMerge [
{
login.enableGnomeKeyring = true;
}
(lib.mkIf config.services.xserver.displayManager.gdm.enable {
gdm-password.enableGnomeKeyring = true;
gdm-autologin.enableGnomeKeyring = true;
})
(lib.mkIf (config.services.xserver.displayManager.gdm.enable && config.services.fprintd.enable) {
gdm-fingerprint.enableGnomeKeyring = true;
})
];
security.pam.services.login.enableGnomeKeyring = true;
security.wrappers.gnome-keyring-daemon = {
owner = "root";
group = "root";
capabilities = "cap_ipc_lock=ep";
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
source = "${pkgs.gnome-keyring}/bin/gnome-keyring-daemon";
};
};
}
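Review bot: The new `gdm-autologin` and `gdm-fingerprint` entries in the `security.pam.services` merge enable `pam_gnome_keyring` on PAM stacks that presumably never see a password, so the daemon gets started but the login keyring cannot be unlocked from the PAM conversation; a one-line comment on those two entries, e.g. `# no password is available on these stacks; this only autostarts the daemon`, would stop the next reader from assuming fingerprint or autologin sessions get an unlocked keyring. Whether autostart-without-unlock is the intended behaviour is not visible from the hunk, so confirm with the author before adding the comment.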


@ -26,11 +26,11 @@
config = lib.mkIf config.services.gnome.gnome-user-share.enable {
environment.systemPackages = [
pkgs.gnome.gnome-user-share
pkgs.gnome-user-share
];
systemd.packages = [
pkgs.gnome.gnome-user-share
pkgs.gnome-user-share
];
};


@ -23,12 +23,12 @@
###### implementation
config = lib.mkIf config.services.gnome.rygel.enable {
environment.systemPackages = [ pkgs.gnome.rygel ];
environment.systemPackages = [ pkgs.rygel ];
services.dbus.packages = [ pkgs.gnome.rygel ];
services.dbus.packages = [ pkgs.rygel ];
systemd.packages = [ pkgs.gnome.rygel ];
systemd.packages = [ pkgs.rygel ];
environment.etc."rygel.conf".source = "${pkgs.gnome.rygel}/etc/rygel.conf";
environment.etc."rygel.conf".source = "${pkgs.rygel}/etc/rygel.conf";
};
}


@ -31,9 +31,9 @@
config = lib.mkIf config.services.gnome.sushi.enable {
environment.systemPackages = [ pkgs.gnome.sushi ];
environment.systemPackages = [ pkgs.sushi ];
services.dbus.packages = [ pkgs.gnome.sushi ];
services.dbus.packages = [ pkgs.sushi ];
};


@ -93,13 +93,17 @@ in
maxAttachmentSize = mkOption {
type = types.int;
default = 18;
apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.37)}M";
description = ''
The maximum attachment size in MB.
Note: Since roundcube only uses 70% of max upload values configured in php
30% is added automatically to [](#opt-services.roundcube.maxAttachmentSize).
[upstream issue comment]: https://github.com/roundcube/roundcubemail/issues/7979#issuecomment-808879209
::: {.note}
Since there is some overhead in base64 encoding applied to attachments, + 37% will be added
to the value set in this option in order to offset the overhead. For example, setting
`maxAttachmentSize` to `100` would result in `137M` being the real value in the configuration.
See [upstream issue comment] for more details on the motivations behind this.
:::
'';
apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 1.3)}M";
};
configureNginx = lib.mkOption {
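Review bot: The new `apply` multiplies a `types.int` by the float `1.37` and then calls `toString` on the result, which I believe renders with six decimals in Nix, so for `100` the configured value is something like `137.000000M` rather than the `137M` the new description promises. The previous `1.3` factor had the same shape, but now that the description gives a concrete example it is worth producing an integer, which plain integer arithmetic does exactly: `apply = configuredMaxAttachmentSize: "${toString (configuredMaxAttachmentSize * 137 / 100)}M";`. Whether PHP's `upload_max_filesize` parser tolerates the decimal form should be checked before relying on it; the template that consumes this value is outside the hunk.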


@ -9,12 +9,28 @@ let
dataDir = "/var/lib/stalwart-mail";
useLegacyStorage = versionOlder config.system.stateVersion "24.11";
parsePorts = listeners: let
parseAddresses = listeners: lib.flatten(lib.mapAttrsToList (name: value: value.bind) listeners);
splitAddress = addr: strings.splitString ":" addr;
extractPort = addr: strings.toInt(builtins.foldl' (a: b: b) "" (splitAddress addr));
in
builtins.map(address: extractPort address) (parseAddresses listeners);
in {
options.services.stalwart-mail = {
enable = mkEnableOption "the Stalwart all-in-one email server";
package = mkPackageOption pkgs "stalwart-mail" { };
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Whether to open TCP firewall ports, which are specified in
{option}`services.stalwart-mail.settings.listener` on all interfaces.
'';
};
settings = mkOption {
inherit (configFormat) type;
default = { };
@ -138,6 +154,11 @@ in {
# Make admin commands available in the shell
environment.systemPackages = [ cfg.package ];
networking.firewall = mkIf (cfg.openFirewall
&& (builtins.hasAttr "listener" cfg.settings.server)) {
allowedTCPPorts = parsePorts cfg.settings.server.listener;
};
};
meta = {
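Review bot: The guard `builtins.hasAttr "listener" cfg.settings.server` in the new `networking.firewall` block forces `cfg.settings.server` first, so with `openFirewall = true` and no `server` attribute in `settings` (whose default is `{ }`) evaluation aborts with a missing-attribute error instead of opening nothing; `mkIf (cfg.openFirewall && (cfg.settings ? server.listener))` checks both levels safely. `extractPort` also assumes every `bind` string ends in `:<port>` — a bind without a port makes `toInt` throw on whatever trailing segment it gets — and since the result feeds `allowedTCPPorts` directly, the option description should state that listeners must bind with an explicit port. The rule opens every listener port including ones bound to loopback addresses; that matches the "on all interfaces" wording but deserves an explicit caveat in the description, as it widens exposure beyond what the listener itself binds to.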


@ -62,6 +62,9 @@ in
description = "DICT.org Dictionary Server";
wantedBy = [ "multi-user.target" ];
environment = { LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive"; };
# Work around the fact that dictd doesn't handle SIGTERM; it terminates
# with code 143 instead of exiting with code 0.
serviceConfig.SuccessExitStatus = [ 143 ];
serviceConfig.Type = "forking";
script = "${pkgs.dict}/sbin/dictd -s -c ${dictdb}/share/dictd/dictd.conf --locale en_US.UTF-8";
};


@ -12,7 +12,7 @@ let
postgresqlPackage = if config.services.postgresql.enable then
config.services.postgresql.package
else
pkgs.postgresql_13;
pkgs.postgresql_14;
gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
@ -1119,8 +1119,8 @@ in {
message = "services.gitlab.secrets.jwsFile must be set!";
}
{
assertion = versionAtLeast postgresqlPackage.version "13.6.0";
message = "PostgreSQL >=13.6 is required to run GitLab 16. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";
assertion = versionAtLeast postgresqlPackage.version "14.9";
message = "PostgreSQL >= 14.9 is required to run GitLab 17. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";
}
];
@ -1282,6 +1282,7 @@ in {
"d ${gitlabConfig.production.shared.path}/registry 0750 ${cfg.user} ${cfg.group} -"
"d ${gitlabConfig.production.shared.path}/terraform_state 0750 ${cfg.user} ${cfg.group} -"
"d ${gitlabConfig.production.shared.path}/ci_secure_files 0750 ${cfg.user} ${cfg.group} -"
"d ${gitlabConfig.production.shared.path}/external-diffs 0750 ${cfg.user} ${cfg.group} -"
"L+ /run/gitlab/config - - - - ${cfg.statePath}/config"
"L+ /run/gitlab/log - - - - ${cfg.statePath}/log"
"L+ /run/gitlab/tmp - - - - ${cfg.statePath}/tmp"


@ -9,6 +9,7 @@ in
options.services.jellyseerr = {
enable = mkEnableOption ''Jellyseerr, a requests manager for Jellyfin'';
package = mkPackageOption pkgs "jellyseerr" { };
openFirewall = mkOption {
type = types.bool;
@ -32,10 +33,10 @@ in
serviceConfig = {
Type = "exec";
StateDirectory = "jellyseerr";
WorkingDirectory = "${pkgs.jellyseerr}/libexec/jellyseerr/deps/jellyseerr";
WorkingDirectory = "${cfg.package}/libexec/jellyseerr/deps/jellyseerr";
DynamicUser = true;
ExecStart = "${pkgs.jellyseerr}/bin/jellyseerr";
BindPaths = [ "/var/lib/jellyseerr/:${pkgs.jellyseerr}/libexec/jellyseerr/deps/jellyseerr/config/" ];
ExecStart = lib.getExe cfg.package;
BindPaths = [ "/var/lib/jellyseerr/:${cfg.package}/libexec/jellyseerr/deps/jellyseerr/config/" ];
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
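Review bot: `WorkingDirectory` and `BindPaths` still hard-code the `libexec/jellyseerr/deps/jellyseerr` layout, only now against `cfg.package`, so a user who takes advantage of the new `mkPackageOption` to substitute a differently packaged build gets a unit that fails at start with no hint why. A short note in the `package` option description, e.g. that the package must ship the same `libexec/jellyseerr/deps/jellyseerr` tree because the state directory is bind-mounted over its `config/` subdirectory, would make the contract explicit. The `package` option declaration is in the first hunk of this section; the service definition continues outside the second.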


@ -1,14 +1,17 @@
{ config, lib, options, pkgs, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.languagetool;
settingsFormat = pkgs.formats.javaProperties {};
in {
settingsFormat = pkgs.formats.javaProperties { };
in
{
options.services.languagetool = {
enable = mkEnableOption "the LanguageTool server, a multilingual spelling, style, and grammar checker that helps correct or paraphrase texts";
package = mkPackageOption pkgs "languagetool" { };
port = mkOption {
type = types.port;
default = 8081;
@ -31,7 +34,7 @@ in {
'';
};
settings = lib.mkOption {
settings = mkOption {
type = types.submodule {
freeformType = settingsFormat.type;
@ -49,11 +52,25 @@ in {
for supported settings.
'';
};
jrePackage = mkPackageOption pkgs "jre" { };
jvmOptions = mkOption {
description = ''
Extra command line options for the JVM running languagetool.
More information can be found here: https://docs.oracle.com/en/java/javase/19/docs/specs/man/java.html#standard-options-for-java
'';
default = [ ];
type = types.listOf types.str;
example = [
"-Xmx512m"
];
};
};
config = mkIf cfg.enable {
systemd.services.languagetool = {
systemd.services.languagetool = {
description = "LanguageTool HTTP server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
@ -65,13 +82,17 @@ in {
RestrictNamespaces = [ "" ];
SystemCallFilter = [ "@system-service" "~ @privileged" ];
ProtectHome = "yes";
Restart = "on-failure";
ExecStart = ''
${pkgs.languagetool}/bin/languagetool-http-server \
--port ${toString cfg.port} \
${optionalString cfg.public "--public"} \
${optionalString (cfg.allowOrigin != null) "--allow-origin ${cfg.allowOrigin}"} \
"--config" ${settingsFormat.generate "languagetool.conf" cfg.settings}
'';
${cfg.jrePackage}/bin/java \
-cp ${cfg.package}/share/languagetool-server.jar \
${toString cfg.jvmOptions} \
org.languagetool.server.HTTPServer \
--port ${toString cfg.port} \
${optionalString cfg.public "--public"} \
${optionalString (cfg.allowOrigin != null) "--allow-origin ${cfg.allowOrigin}"} \
"--config" ${settingsFormat.generate "languagetool.conf" cfg.settings}
'';
};
};
};
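Review bot: `${toString cfg.jvmOptions} \` in the new `ExecStart` splices the JVM options in unescaped, so any list element containing whitespace or quotes (a `-D` property with a space in its value, for instance) is split or mis-parsed by systemd; `${escapeShellArgs cfg.jvmOptions} \` keeps each element a single argument and `escapeShellArgs` is already in scope through `with lib;`. The new `-cp ${cfg.package}/share/languagetool-server.jar` also hard-codes the package layout that the removed `languagetool-http-server` wrapper presumably encapsulated, so a one-line comment stating what the wrapper used to put on the classpath would make it easier to confirm nothing was dropped. The unit definition continues outside the hunk.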


@ -5,9 +5,6 @@ let
cfg = config.services.ollama;
ollamaPackage = cfg.package.override {
inherit (cfg) acceleration;
linuxPackages = config.boot.kernelPackages // {
nvidia_x11 = config.hardware.nvidia.package;
};
};
in
{


@ -128,6 +128,7 @@ in
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;


@ -7,7 +7,7 @@ let
toml = pkgs.formats.toml { };
in
{
meta.maintainers = with maintainers; [ ckie ];
meta.maintainers = with maintainers; [ ];
options.services.rkvm = {
enable = mkOption {


@ -96,48 +96,48 @@ let
};
TIMELINE_LIMIT_HOURLY = mkOption {
type = types.str;
default = "10";
type = types.int;
default = 10;
description = ''
Limits for timeline cleanup.
'';
};
TIMELINE_LIMIT_DAILY = mkOption {
type = types.str;
default = "10";
type = types.int;
default = 10;
description = ''
Limits for timeline cleanup.
'';
};
TIMELINE_LIMIT_WEEKLY = mkOption {
type = types.str;
default = "0";
type = types.int;
default = 0;
description = ''
Limits for timeline cleanup.
'';
};
TIMELINE_LIMIT_MONTHLY = mkOption {
type = types.str;
default = "10";
type = types.int;
default = 10;
description = ''
Limits for timeline cleanup.
'';
};
TIMELINE_LIMIT_QUARTERLY = mkOption {
type = types.str;
default = "0";
type = types.int;
default = 0;
description = ''
Limits for timeline cleanup.
'';
};
TIMELINE_LIMIT_YEARLY = mkOption {
type = types.str;
default = "10";
type = types.int;
default = 10;
description = ''
Limits for timeline cleanup.
'';
@ -353,4 +353,6 @@ in
) (attrNames cfg.configs);
}
);
meta.maintainers = with lib.maintainers; [ Djabx ];
}
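Review bot: Changing every `TIMELINE_LIMIT_*` option from `types.str` to `types.int` is a breaking change for existing configurations that set these as strings, which the old defaults (`"10"`, `"0"`) actively encouraged, and the hunk adds no migration. A coercing type such as `type = types.coercedTo types.str lib.toInt types.int;` would accept both forms while still yielding an int, or the change should be listed in the release notes. How the values are rendered into the snapper config lives outside the hunk, so confirm that the renderer applies `toString` to the now-integer values.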


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, utils, ... }:
with lib;
@ -54,7 +54,11 @@ in
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/NzbDrone -nobrowser -data='${cfg.dataDir}'";
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe cfg.package)
"-nobrowser"
"-data=${cfg.dataDir}"
];
Restart = "on-failure";
};
};


@ -202,10 +202,10 @@ in {
];
services = {
fcgiwrap = lib.mkIf useNginx {
enable = true;
preforkProcesses = cfg.cameras;
inherit user group;
fcgiwrap.zoneminder = lib.mkIf useNginx {
process.prefork = cfg.cameras;
process.user = user;
process.group = group;
};
mysql = lib.mkIf cfg.database.createLocally {
@ -225,9 +225,7 @@ in {
default = true;
root = "${pkg}/share/zoneminder/www";
listen = [ { addr = "0.0.0.0"; inherit (cfg) port; } ];
extraConfig = let
fcgi = config.services.fcgiwrap;
in ''
extraConfig = ''
index index.php;
location / {
@ -257,7 +255,7 @@ in {
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors on;
fastcgi_pass ${fcgi.socketType}:${fcgi.socketAddress};
fastcgi_pass unix:${config.services.fcgiwrap.zoneminder.socket.address};
}
location /cache/ {
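Review bot: The new `services.fcgiwrap.zoneminder` instance sets only `process.user` and `process.group`, while the nginx location now connects to `config.services.fcgiwrap.zoneminder.socket.address`; unless the fcgiwrap module's defaults already make that socket reachable by the nginx user, `fastcgi_pass` will fail with a permission error. The cgit change in this same commit sets `socket = { inherit (config.services.nginx) user group; };` on its instances, and the same line here keeps the socket private to the web server rather than depending on a permissive default. What the fcgiwrap module defaults to is outside this hunk, so this is inferred from the cgit section.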


@ -105,7 +105,7 @@ let
};
url = mkOption {
type = types.str;
default = "localhost";
default = "";
description = "Url of the datasource.";
};
editable = mkOption {


@ -32,9 +32,15 @@ in
${escapeShellArgs cfg.extraFlags}
'';
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DynamicUser = true;
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
@ -43,6 +49,8 @@ in
PrivateDevices = true;
PrivateIPC = true;
ProcSubset = "pid";
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
@ -50,7 +58,10 @@ in
ProtectKernelLogs = true;
ProtectControlGroups = true;
Restart = "on-failure";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;


@ -181,15 +181,57 @@ in {
-i "${alertmanagerYml}"
'';
serviceConfig = {
Restart = "always";
StateDirectory = "alertmanager";
DynamicUser = true; # implies PrivateTmp
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
WorkingDirectory = "/tmp";
ExecStart = "${cfg.package}/bin/alertmanager" +
optionalString (length cmdlineArgs != 0) (" \\\n " +
concatStringsSep " \\\n " cmdlineArgs);
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DynamicUser = true;
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
ProcSubset = "pid";
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
Restart = "always";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
StateDirectory = "alertmanager";
SystemCallFilter = [
"@system-service"
"~@cpu-emulation"
"~@privileged"
"~@reboot"
"~@setuid"
"~@swap"
];
WorkingDirectory = "/tmp";
};
};
})
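Review bot: `RestrictAddressFamilies` now allows `AF_NETLINK` with nothing explaining why alertmanager needs it, whereas the pushgateway hardening in this same commit allows only `AF_INET` and `AF_INET6`; an unexplained allowance in a hardening block tends to get copied to the next service, so it should carry a comment, e.g. `"AF_NETLINK" # TODO(review): name the code path (interface enumeration for clustering?) that needs netlink`. If the author has verified that the cluster/memberlist code enumerates interfaces via netlink, the comment should say that instead of the TODO. The `serviceConfig` block is fully visible; the enclosing `mkIf` closes outside the hunk.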


@ -29,6 +29,7 @@ let
"blackbox"
"buildkite-agent"
"collectd"
"deluge"
"dmarc"
"dnsmasq"
"dnssec"
@ -408,6 +409,14 @@ in
Please ensure you have either `services.prometheus.exporters.idrac.configuration'
or `services.prometheus.exporters.idrac.configurationPath' set!
'';
} {
assertion = cfg.deluge.enable -> (
(cfg.deluge.delugePassword == null) != (cfg.deluge.delugePasswordFile == null)
);
message = ''
Please ensure you have either `services.prometheus.exporters.deluge.delugePassword'
or `services.prometheus.exporters.deluge.delugePasswordFile' set!
'';
} ] ++ (flip map (attrNames exporterOpts) (exporter: {
assertion = cfg.${exporter}.firewallFilter != null -> cfg.${exporter}.openFirewall;
message = ''
@ -437,6 +446,13 @@ in
hardware.rtl-sdr.enable = mkDefault true;
})] ++ [(mkIf config.services.postfix.enable {
services.prometheus.exporters.postfix.group = mkDefault config.services.postfix.setgidGroup;
})] ++ [(mkIf config.services.prometheus.exporters.deluge.enable {
system.activationScripts = {
deluge-exported.text = ''
mkdir -p /etc/deluge-exporter
echo "DELUGE_PASSWORD=$(cat ${config.services.prometheus.exporters.deluge.delugePasswordFile})" > /etc/deluge-exporter/password
'';
};
})] ++ (mapAttrsToList (name: conf:
mkExporterConf {
inherit name;
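Review bot: The `deluge-exported` activation script writes the Deluge password into `/etc/deluge-exporter/password` with `echo … >`, i.e. under the default umask, so the secret lands in a world-readable file under `/etc` on every `nixos-rebuild switch`, and a password containing `"`, `$` or whitespace also breaks the generated `DELUGE_PASSWORD=` line. The secret should not be materialised in `/etc` at all: drop the `system.activationScripts` block here and, in the `deluge.nix` file added by this same commit, hand the file to the unit with `LoadCredential` and export it from a `script` — the fastly exporter used exactly this `$CREDENTIALS_DIRECTORY` pattern before its rewrite in this commit. The `EnvironmentFile = lib.optionalString … "/etc/deluge-exporter/password"` line in `deluge.nix` then goes away as well. The rewritten `serviceOpts` for `deluge.nix` follows; that `mkExporterConf` accepts `script` alongside `serviceConfig` is inferred from the fastly module's previous code.
```nix
serviceOpts = {
  serviceConfig = {
    # … unchanged: Environment list (LISTEN_PORT, LISTEN_ADDRESS, DELUGE_*, PER_TORRENT_METRICS) …
    # Let systemd hand the password file to the unit instead of copying it into /etc.
    LoadCredential = lib.optional (cfg.delugePasswordFile != null)
      "deluge-password:${cfg.delugePasswordFile}";
  };
  script = ''
    ${lib.optionalString (cfg.delugePasswordFile != null) ''
      DELUGE_PASSWORD="$(cat "$CREDENTIALS_DIRECTORY/deluge-password")"
      export DELUGE_PASSWORD
    ''}
    exec ${pkgs.prometheus-deluge-exporter}/bin/deluge-exporter
  '';
};
```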


@ -0,0 +1,85 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.prometheus.exporters.deluge;
inherit (lib) mkOption types concatStringsSep;
in
{
port = 9354;
extraOpts = {
delugeHost = mkOption {
type = types.str;
default = "localhost";
description = ''
Hostname where deluge server is running.
'';
};
delugePort = mkOption {
type = types.port;
default = 58846;
description = ''
Port where deluge server is listening.
'';
};
delugeUser = mkOption {
type = types.str;
default = "localclient";
description = ''
User to connect to deluge server.
'';
};
delugePassword = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Password to connect to deluge server.
This stores the password unencrypted in the nix store and is thus considered unsafe. Prefer
using the delugePasswordFile option.
'';
};
delugePasswordFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
File containing the password to connect to deluge server.
'';
};
exportPerTorrentMetrics = mkOption {
type = types.bool;
default = false;
description = ''
Enable per-torrent metrics.
This may significantly increase the number of time series depending on the number of
torrents in your Deluge instance.
'';
};
};
serviceOpts = {
serviceConfig = {
ExecStart = ''
${pkgs.prometheus-deluge-exporter}/bin/deluge-exporter
'';
Environment = [
"LISTEN_PORT=${toString cfg.port}"
"LISTEN_ADDRESS=${toString cfg.listenAddress}"
"DELUGE_HOST=${cfg.delugeHost}"
"DELUGE_USER=${cfg.delugeUser}"
"DELUGE_PORT=${toString cfg.delugePort}"
] ++ lib.optionals (cfg.delugePassword != null) [
"DELUGE_PASSWORD=${cfg.delugePassword}"
] ++ lib.optionals cfg.exportPerTorrentMetrics [
"PER_TORRENT_METRICS=1"
];
EnvironmentFile = lib.optionalString (cfg.delugePasswordFile != null) "/etc/deluge-exporter/password";
};
};
}


@ -1,17 +1,20 @@
{ config
, lib
, pkgs
, options
, ...
{
config,
lib,
pkgs,
utils,
...
}:
let
inherit (lib)
escapeShellArgs
getExe
mkOption
optionals
types
;
;
inherit (utils) escapeSystemdExecArgs;
cfg = config.services.prometheus.exporters.fastly;
in
@ -39,17 +42,19 @@ in
serviceOpts = {
serviceConfig = {
LoadCredential = "fastly-api-token:${cfg.tokenPath}";
Environment = [ "FASTLY_API_TOKEN=%d/fastly-api-token" ];
ExecStart = escapeSystemdExecArgs (
[
(getExe pkgs.prometheus-fastly-exporter)
"-listen"
"${cfg.listenAddress}:${toString cfg.port}"
]
++ optionals (cfg.configFile != null) [
"--config-file"
cfg.configFile
]
++ cfg.extraFlags
);
};
script = let
call = escapeShellArgs ([
"${pkgs.prometheus-fastly-exporter}/bin/fastly-exporter"
"-listen" "${cfg.listenAddress}:${toString cfg.port}"
] ++ optionals (cfg.configFile != null) [
"--config-file" cfg.configFile
] ++ cfg.extraFlags);
in ''
export FASTLY_API_TOKEN="$(cat $CREDENTIALS_DIRECTORY/fastly-api-token)"
${call}
'';
};
}
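Review bot: `Environment = [ "FASTLY_API_TOKEN=%d/fastly-api-token" ]` sets the variable to the path of the loaded credential, whereas the `script` being removed exported the token's contents; unless `fastly-exporter` has been verified to dereference a file path found in `FASTLY_API_TOKEN`, the exporter will now authenticate with the literal string `/run/credentials/<unit>/fastly-api-token`. If the exporter only accepts the raw token, keep `LoadCredential` and read it in a `script` before exec'ing, `export FASTLY_API_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/fastly-api-token")"`, as the old code did. The `escapeSystemdExecArgs` rewrite of the argument list itself looks correct.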


@ -147,12 +147,52 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Restart = "always";
DynamicUser = true;
ExecStart = "${cfg.package}/bin/pushgateway" +
optionalString (length cmdlineArgs != 0) (" \\\n " +
concatStringsSep " \\\n " cmdlineArgs);
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DynamicUser = true;
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectHome = "tmpfs";
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
ProcSubset = "pid";
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
Restart = "always";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
StateDirectory = if cfg.persistMetrics then cfg.stateDir else null;
SystemCallFilter = [
"@system-service"
"~@cpu-emulation"
"~@privileged"
"~@reboot"
"~@setuid"
"~@swap"
];
};
};
};


@ -10,6 +10,7 @@ let
opt = options.services.smartd;
nm = cfg.notifications.mail;
ns = cfg.notifications.systembus-notify;
nw = cfg.notifications.wall;
nx = cfg.notifications.x11;
@ -28,6 +29,12 @@ let
${pkgs.smartmontools}/sbin/smartctl -a -d "$SMARTD_DEVICETYPE" "$SMARTD_DEVICE"
} | ${nm.mailer} -i "${nm.recipient}"
''}
${optionalString ns.enable ''
${pkgs.dbus}/bin/dbus-send --system \
/ net.nuetzlich.SystemNotifications.Notify \
"string:Problem detected with disk: $SMARTD_DEVICESTRING" \
"string:Warning message from smartd is: $SMARTD_MESSAGE"
''}
${optionalString nw.enable ''
{
${pkgs.coreutils}/bin/cat << EOF
@ -159,6 +166,24 @@ in
};
};
systembus-notify = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Whenever to send systembus-notify notifications.
WARNING: enabling this option (while convenient) should *not* be done on a
machine where you do not trust the other users as it allows any other
local user to DoS your session by spamming notifications.
To actually see the notifications in your GUI session, you need to have
`systembus-notify` running as your user, which this
option handles by enabling {option}`services.systembus-notify`.
'';
};
};
wall = {
enable = mkOption {
default = true;
@ -247,6 +272,8 @@ in
serviceConfig.ExecStart = "${pkgs.smartmontools}/sbin/smartd ${lib.concatStringsSep " " cfg.extraOptions} --no-fork --configfile=${smartdConf}";
};
services.systembus-notify.enable = mkDefault ns.enable;
};
}
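Review bot: The description of the new `systembus-notify.enable` option starts with `Whenever to send systembus-notify notifications.`; it should read `Whether to send systembus-notify notifications.`. The `dbus-send` invocation in the notification script passes `$SMARTD_DEVICESTRING` and `$SMARTD_MESSAGE` as separately double-quoted arguments, so the disk string and smartd message cannot inject further arguments, which is the right shape for a script run by root. The option declaration and the `config` block both continue outside their hunks.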


@ -55,6 +55,7 @@ let
PIDFile = "/run/${appName}.pid";
Type = "notify";
NotifyAccess = "all"; #may not do anything...
Slice = "system-samba.slice";
};
unitConfig.RequiresMountsFor = "/var/lib/samba";
@ -216,6 +217,11 @@ in
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
};
slices.system-samba = {
description = "Samba slice";
};
# Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd
# for correct use with systemd
services = {


@ -101,8 +101,7 @@ in {
preStart = with cfg.settings; ''
if ! test -f ${password-file}; then
< /dev/urandom tr -dc _A-Z-a-z-0-9 2> /dev/null | head -c32 > ${password-file}
chmod 0600 ${password-file}
< /dev/urandom tr -dc _A-Z-a-z-0-9 2> /dev/null | head -c32 | install -m 600 /dev/stdin ${password-file}
echo "Initialized ${password-file} from /dev/urandom"
fi
if [ ! -f ${data-dir}/keys/libp2p.key ]; then


@ -12,6 +12,8 @@ in
options.services.blocky = {
enable = mkEnableOption "blocky, a fast and lightweight DNS proxy as ad-blocker for local network with many features";
package = mkPackageOption pkgs "blocky" { };
settings = mkOption {
type = format.type;
default = { };
@ -30,7 +32,7 @@ in
serviceConfig = {
DynamicUser = true;
ExecStart = "${pkgs.blocky}/bin/blocky --config ${configFile}";
ExecStart = "${getExe cfg.package} --config ${configFile}";
Restart = "on-failure";
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];


@ -25,14 +25,14 @@ let
regexLocation = cfg: regexEscape (stripLocation cfg);
mkFastcgiPass = cfg: ''
mkFastcgiPass = name: cfg: ''
${if cfg.nginx.location == "/" then ''
fastcgi_param PATH_INFO $uri;
'' else ''
fastcgi_split_path_info ^(${regexLocation cfg})(/.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
''
}fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
}fastcgi_pass unix:${config.services.fcgiwrap."cgit-${name}".socket.address};
'';
cgitrcLine = name: value: "${name}=${
@ -72,25 +72,11 @@ let
${cfg.extraConfig}
'';
mkCgitReposDir = cfg:
if cfg.scanPath != null then
cfg.scanPath
else
pkgs.runCommand "cgit-repos" {
preferLocalBuild = true;
allowSubstitutes = false;
} ''
mkdir -p "$out"
${
concatStrings (
mapAttrsToList
(name: value: ''
ln -s ${escapeShellArg value.path} "$out"/${escapeShellArg name}
'')
cfg.repos
)
}
'';
fcgiwrapUnitName = name: "fcgiwrap-cgit-${name}";
fcgiwrapRuntimeDir = name: "/run/${fcgiwrapUnitName name}";
gitProjectRoot = name: cfg: if cfg.scanPath != null
then cfg.scanPath
else "${fcgiwrapRuntimeDir name}/repos";
in
{
@ -154,6 +140,18 @@ in
type = types.lines;
default = "";
};
user = mkOption {
description = "User to run the cgit service as.";
type = types.str;
default = "cgit";
};
group = mkOption {
description = "Group to run the cgit service as.";
type = types.str;
default = "cgit";
};
};
}));
};
@ -165,18 +163,46 @@ in
message = "Exactly one of services.cgit.${vhost}.scanPath or services.cgit.${vhost}.repos must be set.";
}) cfgs;
services.fcgiwrap.enable = true;
users = mkMerge (flip mapAttrsToList cfgs (_: cfg: {
users.${cfg.user} = {
isSystemUser = true;
inherit (cfg) group;
};
groups.${cfg.group} = { };
}));
services.fcgiwrap = flip mapAttrs' cfgs (name: cfg:
nameValuePair "cgit-${name}" {
process = { inherit (cfg) user group; };
socket = { inherit (config.services.nginx) user group; };
}
);
systemd.services = flip mapAttrs' cfgs (name: cfg:
nameValuePair (fcgiwrapUnitName name)
(mkIf (cfg.repos != { }) {
serviceConfig.RuntimeDirectory = fcgiwrapUnitName name;
preStart = ''
GIT_PROJECT_ROOT=${escapeShellArg (gitProjectRoot name cfg)}
mkdir -p "$GIT_PROJECT_ROOT"
cd "$GIT_PROJECT_ROOT"
${concatLines (flip mapAttrsToList cfg.repos (name: repo: ''
ln -s ${escapeShellArg repo.path} ${escapeShellArg name}
''))}
'';
}
));
services.nginx.enable = true;
services.nginx.virtualHosts = mkMerge (mapAttrsToList (_: cfg: {
services.nginx.virtualHosts = mkMerge (mapAttrsToList (name: cfg: {
${cfg.nginx.virtualHost} = {
locations = (
genAttrs'
[ "cgit.css" "cgit.png" "favicon.ico" "robots.txt" ]
(name: nameValuePair "= ${stripLocation cfg}/${name}" {
(fileName: nameValuePair "= ${stripLocation cfg}/${fileName}" {
extraConfig = ''
alias ${cfg.package}/cgit/${name};
alias ${cfg.package}/cgit/${fileName};
'';
})
) // {
@ -184,10 +210,10 @@ in
fastcgiParams = rec {
SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
GIT_HTTP_EXPORT_ALL = "1";
GIT_PROJECT_ROOT = mkCgitReposDir cfg;
GIT_PROJECT_ROOT = gitProjectRoot name cfg;
HOME = GIT_PROJECT_ROOT;
};
extraConfig = mkFastcgiPass cfg;
extraConfig = mkFastcgiPass name cfg;
};
"${stripLocation cfg}/" = {
fastcgiParams = {
@ -196,7 +222,7 @@ in
HTTP_HOST = "$server_name";
CGIT_CONFIG = mkCgitrc cfg;
};
extraConfig = mkFastcgiPass cfg;
extraConfig = mkFastcgiPass name cfg;
};
};
};
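Review bot: In the new `preStart` of the per-vhost fcgiwrap unit, the inner lambda `(name: repo: …)` shadows the outer `name` that identifies the vhost, two lines after `gitProjectRoot name cfg` used the outer one; it works because the inner `name` is only used for the link name, but renaming it to `repoName` avoids the trap this same hunk already sidesteps by renaming `name` to `fileName` in the static-file locations. The `mkIf (cfg.repos != { })` unit also depends on the fcgiwrap module naming its instance unit `fcgiwrap-cgit-<name>`, which `fcgiwrapUnitName` silently mirrors; a comment on that helper, `# must match the unit name the fcgiwrap module derives from the instance name`, makes the coupling explicit. Setting `socket = { inherit (config.services.nginx) user group; }` per instance is the right least-privilege choice. The `config` block continues outside the hunk.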


@ -28,6 +28,16 @@ in
'';
};
frequency = mkOption {
type = types.nullOr types.str;
default = "*:0/5";
description = ''
Run cloudflare-dyndns with the given frequency (see
{manpage}`systemd.time(7)` for the format).
If null, do not run automatically.
'';
};
proxied = mkOption {
type = types.bool;
default = false;
@ -67,7 +77,6 @@ in
description = "CloudFlare Dynamic DNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
startAt = "*:0/5";
environment = {
CLOUDFLARE_DOMAINS = toString cfg.domains;
@ -88,6 +97,8 @@ in
in
"${pkgs.cloudflare-dyndns}/bin/cloudflare-dyndns ${toString args}";
};
} // optionalAttrs (cfg.frequency != null) {
startAt = cfg.frequency;
};
};
}
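Review bot: The `frequency` description says `If null, do not run automatically`, but the unit keeps `wantedBy = [ "multi-user.target" ];`, so with `frequency = null` it still runs once at every boot and activation; only the periodic timer is dropped. Either the description should say that the service still runs at startup and only the timer is disabled, or `wantedBy` should follow the same condition, e.g. `wantedBy = optional (cfg.frequency != null) "multi-user.target";` if `optional` is in scope the way `optionalAttrs` is. The service attribute set begins outside the hunk.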


@ -131,7 +131,7 @@ let
`cloudflared` starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are:
- `""` for the regular proxy
- `"socks"` for a SOCKS5 proxy. Refer to the [https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/](tutorial on connecting through Cloudflare Access using kubectl) for more information.
- `"socks"` for a SOCKS5 proxy. Refer to the [tutorial on connecting through Cloudflare Access using kubectl](https://developers.cloudflare.com/cloudflare-one/tutorials/kubectl/) for more information.
'';
};
};
@ -167,7 +167,7 @@ in
description = ''
Credential file.
See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#credentials-file](Credentials file).
See [Credentials file](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-terms/#credentials-file).
'';
};
@ -178,7 +178,7 @@ in
description = ''
Enable warp routing.
See [https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/](Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel).
See [Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel/).
'';
};
};
@ -204,7 +204,7 @@ in
description = ''
Service to pass the traffic.
See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#supported-protocols](Supported protocols).
See [Supported protocols](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/#supported-protocols).
'';
example = "http://localhost:80, tcp://localhost:8000, unix:/home/production/echo.sock, hello_world or http_status:404";
};
@ -226,7 +226,7 @@ in
description = ''
Ingress rules.
See [https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/](Ingress rules).
See [Ingress rules](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/local-management/ingress/).
'';
example = {
"*.domain.com" = "http://localhost:80";


@ -122,6 +122,7 @@ in
RuntimeDirectory = name;
RuntimeDirectoryMode = "0700";
StateDirectory = name;
SuccessExitStatus = [ 143 ];
WorkingDirectory = stateDir;
# For access to /dev/ttyACM0 (ConBee).
SupplementaryGroups = [ "dialout" ];


@ -316,7 +316,7 @@ in
};
meta = {
maintainers = with lib.maintainers; [ pennae ];
maintainers = with lib.maintainers; [ ];
doc = ./firefox-syncserver.md;
};
}
