nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 15:03:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into staging-next

Browse Source 
Hydra nixpkgs: ?compare=1512490
This commit is contained in:
Vladimír Čunát 2019-04-02 20:56:53 +02:00
commit 2771375d6e
No known key found for this signature in database
GPG Key ID: E747DF1F9575A3AA
677 changed files with 14350 additions and 6998 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.github/CODEOWNERS vendored
View File

@ -58,11 +58,11 @@
/doc/languages-frameworks/python.section.md @FRidh
# Haskell
/pkgs/development/compilers/ghc @peti @basvandijk
/pkgs/development/haskell-modules @peti @basvandijk
/pkgs/development/haskell-modules/default.nix @peti @basvandijk
/pkgs/development/haskell-modules/generic-builder.nix @peti @basvandijk
/pkgs/development/haskell-modules/hoogle.nix @peti @basvandijk
/pkgs/development/compilers/ghc @basvandijk
/pkgs/development/haskell-modules @basvandijk
/pkgs/development/haskell-modules/default.nix @basvandijk
/pkgs/development/haskell-modules/generic-builder.nix @basvandijk
/pkgs/development/haskell-modules/hoogle.nix @basvandijk
# Perl
/pkgs/development/interpreters/perl @volth

11
doc/Makefile
View File

@ -78,15 +78,14 @@ manual-full.xml: ${MD_TARGETS} .version functions/library/locations.xml function
nix-instantiate --eval \
-E '(import ../lib).version' > .version
function_locations := $(shell nix-build --no-out-link ./lib-function-locations.nix)
functions/library/locations.xml:
ln -s $(function_locations) ./functions/library/locations.xml
nix-build ./lib-function-locations.nix \
--out-link $@
functions/library/generated:
functions/library/generated: functions/library/locations.xml
nix-build ./lib-function-docs.nix \
--arg locationsXml $(function_locations)\
--out-link ./functions/library/generated
--arg locationsXml $< \
--out-link $@
%.section.xml: %.section.md
pandoc $^ -w docbook+smart \

374
doc/cross-compilation.xml
View File

@ -12,11 +12,12 @@
computing power and memory to compile their own programs. One might think
that cross-compilation is a fairly niche concern. However, there are
significant advantages to rigorously distinguishing between build-time and
run-time environments! This applies even when one is developing and
deploying on the same machine. Nixpkgs is increasingly adopting the opinion
that packages should be written with cross-compilation in mind, and nixpkgs
should evaluate in a similar way (by minimizing cross-compilation-specific
special cases) whether or not one is cross-compiling.
run-time environments! Significant, because the benefits apply even when one
is developing and deploying on the same machine. Nixpkgs is increasingly
adopting the opinion that packages should be written with cross-compilation
in mind, and nixpkgs should evaluate in a similar way (by minimizing
cross-compilation-specific special cases) whether or not one is
cross-compiling.
</para>
<para>
@ -30,7 +31,7 @@
<section xml:id="sec-cross-packaging">
<title>Packaging in a cross-friendly manner</title>
<section xml:id="sec-cross-platform-parameters">
<section xml:id="ssec-cross-platform-parameters">
<title>Platform parameters</title>
<para>
@ -218,8 +219,20 @@
</variablelist>
</section>
<section xml:id="sec-cross-specifying-dependencies">
<title>Specifying Dependencies</title>
<section xml:id="ssec-cross-dependency-categorization">
<title>Theory of dependency categorization</title>
<note>
<para>
This is a rather philosophical description that isn't very
Nixpkgs-specific. For an overview of all the relevant attributes given to
<varname>mkDerivation</varname>, see
<xref
linkend="ssec-stdenv-dependencies"/>. For a description of how
everything is implemented, see
<xref linkend="ssec-cross-dependency-implementation" />.
</para>
</note>
<para>
In this section we explore the relationship between both runtime and
@ -227,84 +240,98 @@
</para>
<para>
A runtime dependency between 2 packages implies that between them both the
host and target platforms match. This is directly implied by the meaning of
"host platform" and "runtime dependency": The package dependency exists
while both packages are running on a single host platform.
A run time dependency between two packages requires that their host
platforms match. This is directly implied by the meaning of "host platform"
and "runtime dependency": The package dependency exists while both packages
are running on a single host platform.
</para>
<para>
A build time dependency, however, implies a shift in platforms between the
depending package and the depended-on package. The meaning of a build time
dependency is that to build the depending package we need to be able to run
the depended-on's package. The depending package's build platform is
therefore equal to the depended-on package's host platform. Analogously,
the depending package's host platform is equal to the depended-on package's
target platform.
A build time dependency, however, has a shift in platforms between the
depending package and the depended-on package. "build time dependency"
means that to build the depending package we need to be able to run the
depended-on's package. The depending package's build platform is therefore
equal to the depended-on package's host platform.
</para>
<para>
In this manner, given the 3 platforms for one package, we can determine the
three platforms for all its transitive dependencies. This is the most
important guiding principle behind cross-compilation with Nixpkgs, and will
be called the <wordasword>sliding window principle</wordasword>.
If both the dependency and depending packages aren't compilers or other
machine-code-producing tools, we're done. And indeed
<varname>buildInputs</varname> and <varname>nativeBuildInputs</varname>
have covered these simpler build-time and run-time (respectively) changes
for many years. But if the dependency does produce machine code, we might
need to worry about its target platform too. In principle, that target
platform might be any of the depending package's build, host, or target
platforms, but we prohibit dependencies from a "later" platform to an
earlier platform to limit confusion because we've never seen a legitimate
use for them.
</para>
<para>
Some examples will make this clearer. If a package is being built with a
<literal>(build, host, target)</literal> platform triple of <literal>(foo,
bar, bar)</literal>, then its build-time dependencies would have a triple
of <literal>(foo, foo, bar)</literal>, and <emphasis>those
packages'</emphasis> build-time dependencies would have a triple of
<literal>(foo, foo, foo)</literal>. In other words, it should take two
"rounds" of following build-time dependency edges before one reaches a
fixed point where, by the sliding window principle, the platform triple no
longer changes. Indeed, this happens with cross-compilation, where only
rounds of native dependencies starting with the second necessarily coincide
with native packages.
Finally, if the depending package is a compiler or other
machine-code-producing tool, it might need dependencies that run at "emit
time". This is for compilers that (regrettably) insist on being built
together with their source langauges' standard libraries. Assuming build !=
host != target, a run-time dependency of the standard library cannot be run
at the compiler's build time or run time, but only at the run time of code
emitted by the compiler.
</para>
<note>
<para>
The depending package's target platform is unconstrained by the sliding
window principle, which makes sense in that one can in principle build
cross compilers targeting arbitrary platforms.
</para>
</note>
<para>
How does this work in practice? Nixpkgs is now structured so that
build-time dependencies are taken from <varname>buildPackages</varname>,
whereas run-time dependencies are taken from the top level attribute set.
For example, <varname>buildPackages.gcc</varname> should be used at
build-time, while <varname>gcc</varname> should be used at run-time. Now,
for most of Nixpkgs's history, there was no
<varname>buildPackages</varname>, and most packages have not been
refactored to use it explicitly. Instead, one can use the six
(<emphasis>gasp</emphasis>) attributes used for specifying dependencies as
documented in <xref linkend="ssec-stdenv-dependencies"/>. We "splice"
together the run-time and build-time package sets with
<varname>callPackage</varname>, and then <varname>mkDerivation</varname>
for each of four attributes pulls the right derivation out. This splicing
can be skipped when not cross-compiling as the package sets are the same,
but is a bit slow for cross-compiling. Because of this, a
best-of-both-worlds solution is in the works with no splicing or explicit
access of <varname>buildPackages</varname> needed. For now, feel free to
use either method.
Putting this all together, that means we have dependencies in the form
"host → target", in at most the following six combinations:
<table>
<caption>Possible dependency types</caption>
<thead>
<tr>
<th>Dependency's host platform</th>
<th>Dependency's target platform</th>
</tr>
</thead>
<tbody>
<tr>
<td>build</td>
<td>build</td>
</tr>
<tr>
<td>build</td>
<td>host</td>
</tr>
<tr>
<td>build</td>
<td>target</td>
</tr>
<tr>
<td>host</td>
<td>host</td>
</tr>
<tr>
<td>host</td>
<td>target</td>
</tr>
<tr>
<td>target</td>
<td>target</td>
</tr>
</tbody>
</table>
</para>
<note>
<para>
There is also a "backlink" <varname>targetPackages</varname>, yielding a
package set whose <varname>buildPackages</varname> is the current package
set. This is a hack, though, to accommodate compilers with lousy build
systems. Please do not use this unless you are absolutely sure you are
packaging such a compiler and there is no other way.
</para>
</note>
<para>
Some examples will make this table clearer. Suppose there's some package
that is being built with a <literal>(build, host, target)</literal>
platform triple of <literal>(foo, bar, baz)</literal>. If it has a
build-time library dependency, that would be a "host → build" dependency
with a triple of <literal>(foo, foo, *)</literal> (the target platform is
irrelevant). If it needs a compiler to be built, that would be a "build →
host" dependency with a triple of <literal>(foo, foo, *)</literal> (the
target platform is irrelevant). That compiler, would be built with another
compiler, also "build → host" dependency, with a triple of <literal>(foo,
foo, foo)</literal>.
</para>
</section>
<section xml:id="sec-cross-cookbook">
<section xml:id="ssec-cross-cookbook">
<title>Cross packaging cookbook</title>
<para>
@ -450,21 +477,202 @@ nix-build &lt;nixpkgs&gt; --arg crossSystem '{ config = "&lt;arch&gt;-&lt;os&gt;
<section xml:id="sec-cross-infra">
<title>Cross-compilation infrastructure</title>
<para>
To be written.
</para>
<section xml:id="ssec-cross-dependency-implementation">
<title>Implementation of dependencies</title>
<note>
<para>
If one explores Nixpkgs, they will see derivations with names like
<literal>gccCross</literal>. Such <literal>*Cross</literal> derivations is
a holdover from before we properly distinguished between the host and
target platforms—the derivation with "Cross" in the name covered the
<literal>build = host != target</literal> case, while the other covered the
<literal>host = target</literal>, with build platform the same or not based
on whether one was using its <literal>.nativeDrv</literal> or
<literal>.crossDrv</literal>. This ugliness will disappear soon.
The categorizes of dependencies developed in
<xref
linkend="ssec-cross-dependency-categorization"/> are specified as
lists of derivations given to <varname>mkDerivation</varname>, as
documented in <xref linkend="ssec-stdenv-dependencies"/>. In short,
each list of dependencies for "host → target" of "foo → bar" is called
<varname>depsFooBar</varname>, with exceptions for backwards
compatibility that <varname>depsBuildHost</varname> is instead called
<varname>nativeBuildInputs</varname> and <varname>depsHostTarget</varname>
is instead called <varname>buildInputs</varname>. Nixpkgs is now structured
so that each <varname>depsFooBar</varname> is automatically taken from
<varname>pkgsFooBar</varname>. (These <varname>pkgsFooBar</varname>s are
quite new, so there is no special case for
<varname>nativeBuildInputs</varname> and <varname>buildInputs</varname>.)
For example, <varname>pkgsBuildHost.gcc</varname> should be used at
build-time, while <varname>pkgsHostTarget.gcc</varname> should be used at
run-time.
</para>
</note>
<para>
Now, for most of Nixpkgs's history, there were no
<varname>pkgsFooBar</varname> attributes, and most packages have not been
refactored to use it explicitly. Prior to those, there were just
<varname>buildPackages</varname>, <varname>pkgs</varname>, and
<varname>targetPackages</varname>. Those are now redefined as aliases to
<varname>pkgsBuildHost</varname>, <varname>pkgsHostTarget</varname>, and
<varname>pkgsTargetTarget</varname>. It is acceptable, even
recommended, to use them for libraries to show that the host platform is
irrelevant.
</para>
<para>
But before that, there was just <varname>pkgs</varname>, even though both
<varname>buildInputs</varname> and <varname>nativeBuildInputs</varname>
existed. [Cross barely worked, and those were implemented with some hacks
on <varname>mkDerivation</varname> to override dependencies.] What this
means is the vast majority of packages do not use any explicit package set
to populate their dependencies, just using whatever
<varname>callPackage</varname> gives them even if they do correctly sort
their dependencies into the multiple lists described above. And indeed,
asking that users both sort their dependencies, <emphasis>and</emphasis>
take them from the right attribute set, is both too onerous and redundant,
so the recommended approach (for now) is to continue just categorizing by
list and not using an explicit package set.
</para>
<para>
To make this work, we "splice" together the six
<varname>pkgsFooBar</varname> package sets and have
<varname>callPackage</varname> actually take its arguments from that. This
is currently implemented in <filename>pkgs/top-level/splice.nix</filename>.
<varname>mkDerivation</varname> then, for each dependency attribute, pulls
the right derivation out from the splice. This splicing can be skipped when
not cross-compiling as the package sets are the same, but still is a bit
slow for cross-compiling. We'd like to do something better, but haven't
come up with anything yet.
</para>
</section>
<section xml:id="ssec-bootstrapping">
<title>Bootstrapping</title>
<para>
Each of the package sets described above come from a single bootstrapping
stage. While <filename>pkgs/top-level/default.nix</filename>, coordinates
the composition of stages at a high level,
<filename>pkgs/top-level/stage.nix</filename> "ties the knot" (creates the
fixed point) of each stage. The package sets are defined per-stage however,
so they can be thought of as edges between stages (the nodes) in a graph.
Compositions like <literal>pkgsBuildTarget.targetPackages</literal> can be
thought of as paths to this graph.
</para>
<para>
While there are many package sets, and thus many edges, the stages can also
be arranged in a linear chain. In other words, many of the edges are
redundant as far as connectivity is concerned. This hinges on the type of
bootstrapping we do. Currently for cross it is:
<orderedlist>
<listitem>
<para>
<literal>(native, native, native)</literal>
</para>
</listitem>
<listitem>
<para>
<literal>(native, native, foreign)</literal>
</para>
</listitem>
<listitem>
<para>
<literal>(native, foreign, foreign)</literal>
</para>
</listitem>
</orderedlist>
In each stage, <varname>pkgsBuildHost</varname> refers the the previous
stage, <varname>pkgsBuildBuild</varname> refers to the one before that, and
<varname>pkgsHostTarget</varname> refers to the current one, and
<varname>pkgsTargetTarget</varname> refers to the next one. When there is
no previous or next stage, they instead refer to the current stage. Note
how all the invariants regarding the mapping between dependency and depending
packages' build host and target platforms are preserved.
<varname>pkgsBuildTarget</varname> and <varname>pkgsHostHost</varname> are
more complex in that the stage fitting the requirements isn't always a
fixed chain of "prevs" and "nexts" away (modulo the "saturating"
self-references at the ends). We just special case each instead. All the primary
edges are implemented is in <filename>pkgs/stdenv/booter.nix</filename>,
and secondarily aliases in <filename>pkgs/top-level/stage.nix</filename>.
</para>
<note>
<para>
Note the native stages are bootstrapped in legacy ways that predate the
current cross implementation. This is why the the bootstrapping stages
leading up to the final stages are ignored inthe previous paragraph.
</para>
</note>
<para>
If one looks at the 3 platform triples, one can see that they overlap such
that one could put them together into a chain like:
<programlisting>
(native, native, native, foreign, foreign)
</programlisting>
If one imagines the saturating self references at the end being replaced
with infinite stages, and then overlays those platform triples, one ends up
with the infinite tuple:
<programlisting>
(native..., native, native, native, foreign, foreign, foreign...)
</programlisting>
On can then imagine any sequence of platforms such that there are bootstrap
stages with their 3 platforms determined by "sliding a window" that is the
3 tuple through the sequence. This was the original model for
bootstrapping. Without a target platform (assume a better world where all
compilers are multi-target and all standard libraries are built in their
own derivation), this is sufficient. Conversely if one wishes to cross
compile "faster", with a "Canadian Cross" bootstraping stage where
<literal>build != host != target</literal>, more bootstrapping stages are
needed since no sliding window providess the pesky
<varname>pkgsBuildTarget</varname> package set since it skips the Canadian
cross stage's "host".
</para>
<note>
<para>
It is much better to refer to <varname>buildPackages</varname> than
<varname>targetPackages</varname>, or more broadly package sets that do
not mention "target". There are three reasons for this.
</para>
<para>
First, it is because bootstrapping stages do not have a unique
<varname>targetPackages</varname>. For example a <literal>(x86-linux,
x86-linux, arm-linux)</literal> and <literal>(x86-linux, x86-linux,
x86-windows)</literal> package set both have a <literal>(x86-linux,
x86-linux, x86-linux)</literal> package set. Because there is no canonical
<varname>targetPackages</varname> for such a native (<literal>build ==
host == target</literal>) package set, we set their
<varname>targetPackages</varname>
</para>
<para>
Second, it is because this is a frequent source of hard-to-follow
"infinite recursions" / cycles. When only package sets that don't mention
target are used, the package set forms a directed acyclic graph. This
means that all cycles that exist are confined to one stage. This means
they are a lot smaller, and easier to follow in the code or a backtrace. It
also means they are present in native and cross builds alike, and so more
likely to be caught by CI and other users.
</para>
<para>
Thirdly, it is because everything target-mentioning only exists to
accommodate compilers with lousy build systems that insist on the compiler
itself and standard library being built together. Of course that is bad
because bigger derivations means longer rebuilds. It is also problematic because
it tends to make the standard libraries less like other libraries than
they could be, complicating code and build systems alike. Because of the
other problems, and because of these innate disadvantages, compilers ought
to be packaged another way where possible.
</para>
</note>
<note>
<para>
If one explores Nixpkgs, they will see derivations with names like
<literal>gccCross</literal>. Such <literal>*Cross</literal> derivations is
a holdover from before we properly distinguished between the host and
target platforms—the derivation with "Cross" in the name covered the
<literal>build = host != target</literal> case, while the other covered
the <literal>host = target</literal>, with build platform the same or not
based on whether one was using its <literal>.nativeDrv</literal> or
<literal>.crossDrv</literal>. This ugliness will disappear soon.
</para>
</note>
</section>
</section>
</chapter>

23
doc/functions/dockertools.xml
View File

@ -417,10 +417,11 @@ pkgs.dockerTools.buildLayeredImage {
pullImage {
imageName = "nixos/nix"; <co xml:id='ex-dockerTools-pullImage-1' />
imageDigest = "sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b"; <co xml:id='ex-dockerTools-pullImage-2' />
finalImageTag = "1.11"; <co xml:id='ex-dockerTools-pullImage-3' />
sha256 = "0mqjy3zq2v6rrhizgb9nvhczl87lcfphq9601wcprdika2jz7qh8"; <co xml:id='ex-dockerTools-pullImage-4' />
os = "linux"; <co xml:id='ex-dockerTools-pullImage-5' />
arch = "x86_64"; <co xml:id='ex-dockerTools-pullImage-6' />
finalImageName = "nix"; <co xml:id='ex-dockerTools-pullImage-3' />
finalImageTag = "1.11"; <co xml:id='ex-dockerTools-pullImage-4' />
sha256 = "0mqjy3zq2v6rrhizgb9nvhczl87lcfphq9601wcprdika2jz7qh8"; <co xml:id='ex-dockerTools-pullImage-5' />
os = "linux"; <co xml:id='ex-dockerTools-pullImage-6' />
arch = "x86_64"; <co xml:id='ex-dockerTools-pullImage-7' />
}
</programlisting>
</example>
@ -451,6 +452,14 @@ sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
</para>
</callout>
<callout arearefs='ex-dockerTools-pullImage-3'>
<para>
<varname>finalImageName</varname>, if specified, this is the name of the
image to be created. Note it is never used to fetch the image since we
prefer to rely on the immutable digest ID. By default it's equal to
<varname>imageName</varname>.
</para>
</callout>
<callout arearefs='ex-dockerTools-pullImage-4'>
<para>
<varname>finalImageTag</varname>, if specified, this is the tag of the
image to be created. Note it is never used to fetch the image since we
@ -458,19 +467,19 @@ sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
<literal>latest</literal>.
</para>
</callout>
<callout arearefs='ex-dockerTools-pullImage-4'>
<callout arearefs='ex-dockerTools-pullImage-5'>
<para>
<varname>sha256</varname> is the checksum of the whole fetched image. This
argument is required.
</para>
</callout>
<callout arearefs='ex-dockerTools-pullImage-5'>
<callout arearefs='ex-dockerTools-pullImage-6'>
<para>
<varname>os</varname>, if specified, is the operating system of the
fetched image. By default it's <literal>linux</literal>.
</para>
</callout>
<callout arearefs='ex-dockerTools-pullImage-6'>
<callout arearefs='ex-dockerTools-pullImage-7'>
<para>
<varname>arch</varname>, if specified, is the cpu architecture of the
fetched image. By default it's <literal>x86_64</literal>.

7
doc/multiple-output.xml
View File

@ -101,6 +101,13 @@
contain <varname>$outputBin</varname> and <varname>$outputLib</varname> are
also added. (See <xref linkend="multiple-output-file-type-groups" />.)
</para>
<para>
In some cases it may be desirable to combine different outputs under a
single store path. A function <literal>symlinkJoin</literal> can be used to
do this. (Note that it may negate some closure size benefits of using a
multiple-output package.)
</para>
</section>
<section xml:id="sec-multiple-outputs-">
<title>Writing a split derivation</title>

27
doc/package-notes.xml
View File

@ -883,6 +883,33 @@ citrix_receiver.override {
On NixOS it can be installed using the following expression:
<programlisting>{ pkgs, ... }: {
fonts.fonts = with pkgs; [ noto-fonts-emoji ];
}</programlisting>
</para>
</section>
</section>
<section xml:id="dlib">
<title>DLib</title>
<para>
<link xlink:href="http://dlib.net/">DLib</link> is a modern, C++-based toolkit which
provides several machine learning algorithms.
</para>
<section xml:id="compiling-without-avx-support">
<title>Compiling without AVX support</title>
<para>
Especially older CPUs don't support
<link xlink:href="https://en.wikipedia.org/wiki/Advanced_Vector_Extensions">AVX</link>
(<abbrev>Advanced Vector Extensions</abbrev>) instructions that are used by DLib to
optimize their algorithms.
</para>
<para>
On the affected hardware errors like <literal>Illegal instruction</literal> will occur.
In those cases AVX support needs to be disabled:
<programlisting>self: super: {
dlib = super.dlib.override { avxSupport = false; };
}</programlisting>
</para>
</section>

3
doc/reviewing-contributions.xml
View File

@ -189,7 +189,8 @@ $ git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD <co
</listitem>
<listitem>
<para>
The <link xlink:href="https://github.com/Mic92/nix-review">nix-review</link>
The
<link xlink:href="https://github.com/Mic92/nix-review">nix-review</link>
tool can be used to review a pull request content in a single command.
<varname>PRNUMBER</varname> should be replaced by the number at the end
of the pull request title. You can also provide the full github pull

41
doc/stdenv.xml
View File

@ -222,9 +222,10 @@ genericBuild
</footnote>
But even if one is not cross compiling, the platforms imply whether or not
the dependency is needed at run-time or build-time, a concept that makes
perfect sense outside of cross compilation. For now, the run-time/build-time
distinction is just a hint for mental clarity, but in the future it perhaps
could be enforced.
perfect sense outside of cross compilation. By default, the
run-time/build-time distinction is just a hint for mental clarity, but with
<varname>strictDeps</varname> set it is mostly enforced even in the native
case.
</para>
<para>
@ -348,7 +349,10 @@ let f(h, h + 1, i) = i + h
<para>
Overall, the unifying theme here is that propagation shouldn't be
introducing transitive dependencies involving platforms the depending
package is unaware of. The offset bounds checking and definition of
package is unaware of. [One can imagine the dependending package asking for
dependencies with the platforms it knows about; other platforms it doesn't
know how to ask for. The platform description in that scenario is a kind of
unforagable capability.] The offset bounds checking and definition of
<function>mapOffset</function> together ensure that this is the case.
Discovering a new offset is discovering a new platform, and since those
platforms weren't in the derivation "spec" of the needing package, they
@ -2633,21 +2637,20 @@ addEnvHooks "$hostOffset" myBashFunction
happens. It prevents nix from cleaning up the build environment
immediately and allows the user to attach to a build environment using
the <command>cntr</command> command. Upon build error it will print
instructions on how to use <command>cntr</command>, which can be used
to enter the environment for debugging. Installing cntr and
running the command will provide shell access to the build sandbox of
failed build. At <filename>/var/lib/cntr</filename> the sandboxed
filesystem is mounted. All commands and files of the system are still
accessible within the shell. To execute commands from the sandbox use
the cntr exec subcommand. Note that <command>cntr</command> also needs
to be executed on the machine that is doing the build, which might not
be the case when remote builders are enabled. <command>cntr</command> is
only supported on Linux-based platforms. To use it first add
<literal>cntr</literal> to your
<literal>environment.systemPackages</literal> on NixOS or alternatively
to the root user on non-NixOS systems. Then in the package that is
supposed to be inspected, add <literal>breakpointHook</literal> to
<literal>nativeBuildInputs</literal>.
instructions on how to use <command>cntr</command>, which can be used to
enter the environment for debugging. Installing cntr and running the
command will provide shell access to the build sandbox of failed build.
At <filename>/var/lib/cntr</filename> the sandboxed filesystem is
mounted. All commands and files of the system are still accessible
within the shell. To execute commands from the sandbox use the cntr exec
subcommand. Note that <command>cntr</command> also needs to be executed
on the machine that is doing the build, which might not be the case when
remote builders are enabled. <command>cntr</command> is only supported
on Linux-based platforms. To use it first add <literal>cntr</literal> to
your <literal>environment.systemPackages</literal> on NixOS or
alternatively to the root user on non-NixOS systems. Then in the package
that is supposed to be inspected, add <literal>breakpointHook</literal>
to <literal>nativeBuildInputs</literal>.
<programlisting>
nativeBuildInputs = [ breakpointHook ];
</programlisting>

19
doc/submitting-changes.xml
View File

@ -354,23 +354,22 @@ Additional information.
<title>Tested compilation of all pkgs that depend on this change using <command>nix-review</command></title>
<para>
If you are updating a package's version, you can use nix-review to make sure all
packages that depend on the updated package still compile correctly.
The <command>nix-review</command> utility can look for and build all dependencies
either based on uncommited changes with the <literal>wip</literal> option or
specifying a github pull request number.
If you are updating a package's version, you can use nix-review to make
sure all packages that depend on the updated package still compile
correctly. The <command>nix-review</command> utility can look for and build
all dependencies either based on uncommited changes with the
<literal>wip</literal> option or specifying a github pull request number.
</para>
<para>
review changes from pull request number 12345:
<screen>nix-shell -p nix-review --run "nix-review pr 12345"</screen>
review changes from pull request number 12345:
<screen>nix-shell -p nix-review --run "nix-review pr 12345"</screen>
</para>
<para>
review uncommitted changes:
<screen>nix-shell -p nix-review --run "nix-review wip"</screen>
review uncommitted changes:
<screen>nix-shell -p nix-review --run "nix-review wip"</screen>
</para>
</section>
<section xml:id="submitting-changes-tested-execution">

2
lib/lists.nix
View File

@ -7,7 +7,7 @@ let
in
rec {
inherit (builtins) head tail length isList elemAt concatLists filter elem genList;
inherit (builtins) head tail length isList elemAt concatLists filter elem genList map;
/* Create a list consisting of a single element. `singleton x` is
sometimes more convenient with respect to indentation than `[x]`

1
lib/systems/default.nix
View File

@ -34,6 +34,7 @@ rec {
else if final.isUClibc then "uclibc"
else if final.isAndroid then "bionic"
else if final.isLinux /* default */ then "glibc"
else if final.isMsp430 then "newlib"
else if final.isAvr then "avrlibc"
else if final.isNetBSD then "nblibc"
# TODO(@Ericson2314) think more about other operating systems

5
lib/systems/examples.nix
View File

@ -102,6 +102,11 @@ rec {
riscv64 = riscv "64";
riscv32 = riscv "32";
msp430 = {
config = "msp430-elf";
libc = "newlib";
};
avr = {
config = "avr";
};

1
lib/systems/inspect.nix
View File

@ -20,6 +20,7 @@ rec {
isRiscV = { cpu = { family = "riscv"; }; };
isSparc = { cpu = { family = "sparc"; }; };
isWasm = { cpu = { family = "wasm"; }; };
isMsp430 = { cpu = { family = "msp430"; }; };
isAvr = { cpu = { family = "avr"; }; };
isAlpha = { cpu = { family = "alpha"; }; };

1
lib/systems/parse.nix
View File

@ -109,6 +109,7 @@ rec {
alpha = { bits = 64; significantByte = littleEndian; family = "alpha"; };
msp430 = { bits = 16; significantByte = littleEndian; family = "msp430"; };
avr = { bits = 8; family = "avr"; };
};

15
maintainers/maintainer-list.nix
View File

@ -147,6 +147,11 @@
github = "aepsil0n";
name = "Eduard Bopp";
};
aerialx = {
email = "aaron+nixos@aaronlindsay.com";
github = "AerialX";
name = "Aaron Lindsay";
};
aespinosa = {
email = "allan.espinosa@outlook.com";
github = "aespinosa";
@ -335,6 +340,11 @@
github = "andrew-d";
name = "Andrew Dunham";
};
andrewchambers = {
email = "ac@acha.ninja";
github = "andrewchambers";
name = "Andrew Chambers";
};
andrewrk = {
email = "superjoe30@gmail.com";
github = "andrewrk";
@ -5391,4 +5401,9 @@
github = "minijackson";
name = "Rémi Nicole";
};
shazow = {
email = "andrey.petrov@shazow.net";
github = "shazow";
name = "Andrey Petrov";
};
}

9
maintainers/scripts/fetch-kde-qt.sh
View File

@ -14,12 +14,13 @@ fi
tmp=$(mktemp -d)
pushd $tmp >/dev/null
wget -nH -r -c --no-parent "${WGET_ARGS[@]}" >/dev/null
wget -nH -r -c --no-parent "${WGET_ARGS[@]}" -A '*.tar.xz.sha256' -A '*.mirrorlist' >/dev/null
find -type f -name '*.mirrorlist' -delete
csv=$(mktemp)
find . -type f | while read src; do
# Sanitize file name
filename=$(basename "$src" | tr '@' '_')
filename=$(gawk '{ print $2 }' "$src" | tr '@' '_')
nameVersion="${filename%.tar.*}"
name=$(echo "$nameVersion" | sed -e 's,-[[:digit:]].*,,' | sed -e 's,-opensource-src$,,' | sed -e 's,-everywhere-src$,,')
version=$(echo "$nameVersion" | sed -e 's,^\([[:alpha:]][[:alnum:]]*-\)\+,,')
@ -38,8 +39,8 @@ gawk -F , "{ print \$1 }" $csv | sort | uniq | while read name; do
latestVersion=$(echo "$versions" | sort -rV | head -n 1)
src=$(gawk -F , "/^$name,$latestVersion,/ { print \$3 }" $csv)
filename=$(gawk -F , "/^$name,$latestVersion,/ { print \$4 }" $csv)
url="${src:2}"
sha256=$(nix-hash --type sha256 --base32 --flat "$src")
url="$(dirname "${src:2}")/$filename"
sha256=$(gawk '{ print $1 }' "$src")
cat >>"$SRCS" <<EOF
$name = {
version = "$latestVersion";

9
nixos/doc/manual/configuration/declarative-packages.xml
View File

@ -27,8 +27,13 @@ nixos.firefox firefox-23.0 Mozilla Firefox - the browser, reloaded
<replaceable>...</replaceable>
</screen>
The first column in the output is the <emphasis>attribute name</emphasis>,
such as <literal>nixos.thunderbird</literal>. (The <literal>nixos</literal>
prefix allows distinguishing between different channels that you might have.)
such as <literal>nixos.thunderbird</literal>.
</para>
<para>
Note: the <literal>nixos</literal> prefix tells us that we want to get the
package from the <literal>nixos</literal> channel and works only in CLI tools.
In declarative configuration use <literal>pkgs</literal> prefix (variable).
</para>
<para>

18
nixos/doc/manual/release-notes/rl-1903.xml
View File

@ -68,6 +68,17 @@
<xref linkend="sec-kubernetes"/> for details.
</para>
</listitem>
<listitem>
<para>
There is now a set of <option>confinement</option> options for
<option>systemd.services</option>, which allows to restrict services
into a <citerefentry>
<refentrytitle>chroot</refentrytitle>
<manvolnum>2</manvolnum>
</citerefentry>ed environment that only contains the store paths from
the runtime closure of the service.
</para>
</listitem>
</itemizedlist>
</section>
@ -516,6 +527,13 @@
Graylog</link> for details.
</para>
</listitem>
<listitem>
<para>
The option <literal>users.ldap.bind.password</literal> was renamed to <literal>users.ldap.bind.passwordFile</literal>,
and needs to be readable by the <literal>nslcd</literal> user.
Same applies to the new <literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
</para>
</listitem>
</itemizedlist>
</section>

43
nixos/doc/manual/release-notes/rl-1909.xml
View File

@ -42,6 +42,39 @@
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-19.09-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the following
incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
Buildbot no longer supports Python 2, as support was dropped upstream in
version 2.0.0. Configurations may need to be modified to make them
compatible with Python 3.
</para>
</listitem>
<listitem>
<para>
PostgreSQL now uses
<filename class="directory">/run/postgresql</filename> as its socket
directory instead of <filename class="directory">/tmp</filename>. So
if you run an application like eg. Nextcloud, where you need to use
the Unix socket path as the database host name, you need to change it
accordingly.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
@ -66,6 +99,16 @@
and fix all the bugs it uncovers.
</para>
</listitem>
<listitem>
<para>
The <literal>vlc</literal> package gained support for Chromecast
streaming, enabled by default. TCP port 8010 must be open for it to work,
so something like <literal>networking.firewall.allowedTCPPorts = [ 8010
];</literal> may be required in your configuration. Also consider enabling
<link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback">
Accelerated Video Playback</link> for better transcoding performance.
</para>
</listitem>
</itemizedlist>
</section>
</section>

87
nixos/modules/config/ldap.nix
View File

@ -27,25 +27,29 @@ let
'';
};
nslcdConfig = {
target = "nslcd.conf";
source = writeText "nslcd.conf" ''
uid nslcd
gid nslcd
uri ${cfg.server}
base ${cfg.base}
timelimit ${toString cfg.timeLimit}
bind_timelimit ${toString cfg.bind.timeLimit}
${optionalString (cfg.bind.distinguishedName != "")
"binddn ${cfg.bind.distinguishedName}" }
${optionalString (cfg.daemon.rootpwmoddn != "")
"rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
'';
};
nslcdConfig = writeText "nslcd.conf" ''
uid nslcd
gid nslcd
uri ${cfg.server}
base ${cfg.base}
timelimit ${toString cfg.timeLimit}
bind_timelimit ${toString cfg.bind.timeLimit}
${optionalString (cfg.bind.distinguishedName != "")
"binddn ${cfg.bind.distinguishedName}" }
${optionalString (cfg.daemon.rootpwmoddn != "")
"rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
'';
insertLdapPassword = !config.users.ldap.daemon.enable &&
config.users.ldap.bind.distinguishedName != "";
# nslcd normally reads configuration from /etc/nslcd.conf.
# this file might contain secrets. We append those at runtime,
# so redirect its location to something more temporary.
nslcdWrapped = runCommandNoCC "nslcd-wrapped" { nativeBuildInputs = [ makeWrapper ]; } ''
mkdir -p $out/bin
makeWrapper ${nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \
--set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
--set NIX_REDIRECTS "/etc/nslcd.conf=/run/nslcd/nslcd.conf"
'';
in
@ -139,13 +143,13 @@ in
'';
};
rootpwmodpw = mkOption {
rootpwmodpwFile = mkOption {
default = "";
example = "/run/keys/nslcd.rootpwmodpw";
type = types.str;
description = ''
The path to a file containing the credentials with which
to bind to the LDAP server if the root user tries to change a user's password
The path to a file containing the credentials with which to bind to
the LDAP server if the root user tries to change a user's password.
'';
};
};
@ -161,7 +165,7 @@ in
'';
};
password = mkOption {
passwordFile = mkOption {
default = "/etc/ldap/bind.password";
type = types.str;
description = ''
@ -220,14 +224,14 @@ in
config = mkIf cfg.enable {
environment.etc = if cfg.daemon.enable then [nslcdConfig] else [ldapConfig];
environment.etc = optional (!cfg.daemon.enable) ldapConfig;
system.activationScripts = mkIf insertLdapPassword {
system.activationScripts = mkIf (!cfg.daemon.enable) {
ldap = stringAfter [ "etc" "groups" "users" ] ''
if test -f "${cfg.bind.password}" ; then
if test -f "${cfg.bind.passwordFile}" ; then
umask 0077
conf="$(mktemp)"
printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" |
printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
cat ${ldapConfig.source} - >"$conf"
mv -fT "$conf" /etc/ldap.conf
fi
@ -251,7 +255,6 @@ in
};
systemd.services = mkIf cfg.daemon.enable {
nslcd = {
wantedBy = [ "multi-user.target" ];
@ -259,32 +262,32 @@ in
umask 0077
conf="$(mktemp)"
{
cat ${nslcdConfig.source}
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' ||
printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')"
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' ||
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')"
cat ${nslcdConfig}
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
} >"$conf"
mv -fT "$conf" /etc/nslcd.conf
mv -fT "$conf" /run/nslcd/nslcd.conf
'';
# NOTE: because one cannot pass a custom config path to `nslcd`
# (which is only able to use `/etc/nslcd.conf`)
# changes in `nslcdConfig` won't change `serviceConfig`,
# and thus won't restart `nslcd`.
# Therefore `restartTriggers` is used on `/etc/nslcd.conf`.
restartTriggers = [ nslcdConfig.source ];
restartTriggers = [ "/run/nslcd/nslcd.conf" ];
serviceConfig = {
ExecStart = "${nss_pam_ldapd}/sbin/nslcd";
ExecStart = "${nslcdWrapped}/bin/nslcd";
Type = "forking";
PIDFile = "/run/nslcd/nslcd.pid";
Restart = "always";
User = "nslcd";
Group = "nslcd";
RuntimeDirectory = [ "nslcd" ];
PIDFile = "/run/nslcd/nslcd.pid";
};
};
};
};
imports =
[ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"])
];
}

2
nixos/modules/installer/cd-dvd/iso-image.nix
View File

@ -88,7 +88,7 @@ let
# result in incorrect boot entries.
baseIsolinuxCfg = ''
SERIAL 0 38400
SERIAL 0 115200
TIMEOUT ${builtins.toString syslinuxTimeout}
UI vesamenu.c32
MENU TITLE NixOS

4
nixos/modules/module-list.nix
View File

@ -172,6 +172,7 @@
./security/rtkit.nix
./security/wrappers/default.nix
./security/sudo.nix
./security/systemd-confinement.nix
./services/admin/oxidized.nix
./services/admin/salt/master.nix
./services/admin/salt/minion.nix
@ -349,6 +350,7 @@
./services/mail/exim.nix
./services/mail/freepops.nix
./services/mail/mail.nix
./services/mail/mailcatcher.nix
./services/mail/mailhog.nix
./services/mail/mlmmj.nix
./services/mail/offlineimap.nix
@ -630,6 +632,7 @@
./services/networking/prosody.nix
./services/networking/quagga.nix
./services/networking/quassel.nix
./services/networking/quicktun.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
./services/networking/radvd.nix
@ -880,6 +883,7 @@
./virtualisation/container-config.nix
./virtualisation/containers.nix
./virtualisation/docker.nix
./virtualisation/docker-containers.nix
./virtualisation/ecs-agent.nix
./virtualisation/libvirtd.nix
./virtualisation/lxc.nix

33
nixos/modules/programs/browserpass.nix
View File

@ -4,15 +4,34 @@ with lib;
{
###### interface
options = {
programs.browserpass.enable = mkEnableOption "the NativeMessaging configuration for Chromium, Chrome, and Vivaldi.";
};
options.programs.browserpass.enable = mkEnableOption "Browserpass native messaging host";
###### implementation
config = mkIf config.programs.browserpass.enable {
environment.systemPackages = [ pkgs.browserpass ];
environment.etc = {
environment.etc = let
appId = "com.github.browserpass.native.json";
source = part: "${pkgs.browserpass}/lib/browserpass/${part}/${appId}";
in {
# chromium
"chromium/native-messaging-hosts/${appId}".source = source "hosts/chromium";
"chromium/policies/managed/${appId}".source = source "policies/chromium";
# chrome
"opt/chrome/native-messaging-hosts/${appId}".source = source "hosts/chromium";
"opt/chrome/policies/managed/${appId}".source = source "policies/chromium";
# vivaldi
"opt/vivaldi/native-messaging-hosts/${appId}".source = source "hosts/chromium";
"opt/vivaldi/policies/managed/${appId}".source = source "policies/chromium";
# brave
"opt/brave/native-messaging-hosts/${appId}".source = source "hosts/chromium";
"opt/brave/policies/managed/${appId}".source = source "policies/chromium";
}
# As with the v2 backwards compatibility in the pkgs.browserpass
# declaration, this part can be removed once the browser extension
# auto-updates to v3 (planned 2019-04-13, see
# https://github.com/browserpass/browserpass-native/issues/31)
// {
"chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json";
"chromium/policies/managed/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-policy.json";
"opt/chrome/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json";

74
nixos/modules/rename.nix
View File

@ -4,26 +4,12 @@ with lib;
{
imports = [
# !!! These were renamed the other way, but got reverted later.
# !!! Drop these before 18.09 is released.
(mkRenamedOptionModule [ "system" "nixos" "stateVersion" ] [ "system" "stateVersion" ])
(mkRenamedOptionModule [ "system" "nixos" "defaultChannel" ] [ "system" "defaultChannel" ])
(mkRenamedOptionModule [ "environment" "x11Packages" ] [ "environment" "systemPackages" ])
(mkRenamedOptionModule [ "environment" "enableBashCompletion" ] [ "programs" "bash" "enableCompletion" ])
(mkRenamedOptionModule [ "environment" "nix" ] [ "nix" "package" ])
(mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ])
(mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
(mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ])
(mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
(config:
let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config;
@ -33,11 +19,7 @@ with lib;
let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
in if value != "" then [ value ] else []))
(mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
(mkRenamedOptionModule [ "services" "elasticsearch" "host" ] [ "services" "elasticsearch" "listenAddress" ])
(mkRenamedOptionModule [ "services" "graphite" "api" "host" ] [ "services" "graphite" "api" "listenAddress" ])
(mkRenamedOptionModule [ "services" "graphite" "web" "host" ] [ "services" "graphite" "web" "listenAddress" ])
(mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ])
(mkRenamedOptionModule [ "services" "kibana" "host" ] [ "services" "kibana" "listenAddress" ])
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ])
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"])
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"])
@ -54,7 +36,6 @@ with lib;
(mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"])
(mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "")
(mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ])
(mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ])
(mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "defaultListenAddress" ])
(mkRenamedOptionModule [ "services" "neo4j" "listenAddress" ] [ "services" "neo4j" "defaultListenAddress" ])
(mkRenamedOptionModule [ "services" "neo4j" "enableBolt" ] [ "services" "neo4j" "bolt" "enable" ])
@ -64,10 +45,6 @@ with lib;
(mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.")
(mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.")
(mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.")
(mkRenamedOptionModule [ "services" "shout" "host" ] [ "services" "shout" "listenAddress" ])
(mkRenamedOptionModule [ "services" "sslh" "host" ] [ "services" "sslh" "listenAddress" ])
(mkRenamedOptionModule [ "services" "statsd" "host" ] [ "services" "statsd" "listenAddress" ])
(mkRenamedOptionModule [ "services" "subsonic" "host" ] [ "services" "subsonic" "listenAddress" ])
(mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
(mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ])
(mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
@ -91,82 +68,31 @@ with lib;
(mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ])
# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
(mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
(mkRenamedOptionModule [ "boot" "loader" "grub" "timeout" ] [ "boot" "loader" "timeout" ])
(mkRenamedOptionModule [ "boot" "loader" "gummiboot" "timeout" ] [ "boot" "loader" "timeout" ])
# smartd
(mkRenamedOptionModule [ "services" "smartd" "deviceOpts" ] [ "services" "smartd" "defaults" "monitored" ])
# OpenSSH
(mkRenamedOptionModule [ "services" "sshd" "ports" ] [ "services" "openssh" "ports" ])
(mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ])
(mkRenamedOptionModule [ "services" "sshd" "allowSFTP" ] [ "services" "openssh" "allowSFTP" ])
(mkRenamedOptionModule [ "services" "sshd" "forwardX11" ] [ "services" "openssh" "forwardX11" ])
(mkRenamedOptionModule [ "services" "sshd" "gatewayPorts" ] [ "services" "openssh" "gatewayPorts" ])
(mkRenamedOptionModule [ "services" "sshd" "permitRootLogin" ] [ "services" "openssh" "permitRootLogin" ])
(mkRenamedOptionModule [ "services" "xserver" "startSSHAgent" ] [ "services" "xserver" "startOpenSSHAgent" ])
(mkRenamedOptionModule [ "services" "xserver" "startOpenSSHAgent" ] [ "programs" "ssh" "startAgent" ])
(mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ])
# VirtualBox
(mkRenamedOptionModule [ "services" "virtualbox" "enable" ] [ "virtualisation" "virtualbox" "guest" "enable" ])
(mkRenamedOptionModule [ "services" "virtualboxGuest" "enable" ] [ "virtualisation" "virtualbox" "guest" "enable" ])
(mkRenamedOptionModule [ "programs" "virtualbox" "enable" ] [ "virtualisation" "virtualbox" "host" "enable" ])
(mkRenamedOptionModule [ "programs" "virtualbox" "addNetworkInterface" ] [ "virtualisation" "virtualbox" "host" "addNetworkInterface" ])
(mkRenamedOptionModule [ "programs" "virtualbox" "enableHardening" ] [ "virtualisation" "virtualbox" "host" "enableHardening" ])
(mkRenamedOptionModule [ "services" "virtualboxHost" "enable" ] [ "virtualisation" "virtualbox" "host" "enable" ])
(mkRenamedOptionModule [ "services" "virtualboxHost" "addNetworkInterface" ] [ "virtualisation" "virtualbox" "host" "addNetworkInterface" ])
(mkRenamedOptionModule [ "services" "virtualboxHost" "enableHardening" ] [ "virtualisation" "virtualbox" "host" "enableHardening" ])
# libvirtd
(mkRemovedOptionModule [ "virtualisation" "libvirtd" "enableKVM" ]
"Set the option `virtualisation.libvirtd.qemuPackage' instead.")
# Tarsnap
(mkRenamedOptionModule [ "services" "tarsnap" "config" ] [ "services" "tarsnap" "archives" ])
# ibus
(mkRenamedOptionModule [ "programs" "ibus" "plugins" ] [ "i18n" "inputMethod" "ibus" "engines" ])
# proxy
(mkRenamedOptionModule [ "nix" "proxy" ] [ "networking" "proxy" "default" ])
# sandboxing
(mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ])
(mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ])
# KDE
(mkRenamedOptionModule [ "kde" "extraPackages" ] [ "environment" "systemPackages" ])
(mkRenamedOptionModule [ "environment" "kdePackages" ] [ "environment" "systemPackages" ])
# Multiple efi bootloaders now
(mkRenamedOptionModule [ "boot" "loader" "efi" "efibootmgr" "enable" ] [ "boot" "loader" "efi" "canTouchEfiVariables" ])
# NixOS environment changes
# !!! this hardcodes bash, could we detect from config which shell is actually used?
(mkRenamedOptionModule [ "environment" "promptInit" ] [ "programs" "bash" "promptInit" ])
(mkRenamedOptionModule [ "services" "xserver" "driSupport" ] [ "hardware" "opengl" "driSupport" ])
(mkRenamedOptionModule [ "services" "xserver" "driSupport32Bit" ] [ "hardware" "opengl" "driSupport32Bit" ])
(mkRenamedOptionModule [ "services" "xserver" "s3tcSupport" ] [ "hardware" "opengl" "s3tcSupport" ])
(mkRenamedOptionModule [ "hardware" "opengl" "videoDrivers" ] [ "services" "xserver" "videoDrivers" ])
(mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ])
(mkRenamedOptionModule [ "services" "mysql55" ] [ "services" "mysql" ])
(mkAliasOptionModule [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ])
# opendkim
(mkRenamedOptionModule [ "services" "opendkim" "keyFile" ] [ "services" "opendkim" "keyPath" ])
# XBMC
(mkRenamedOptionModule [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
(mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
(mkRenamedOptionModule [ "services" "hostapd" "extraCfg" ] [ "services" "hostapd" "extraConfig" ])
# Enlightenment
(mkRenamedOptionModule [ "services" "xserver" "desktopManager" "e19" "enable" ] [ "services" "xserver" "desktopManager" "enlightenment" "enable" ])

2
nixos/modules/security/duosec.nix
View File

@ -76,7 +76,7 @@ in
};
failmode = mkOption {
type = types.enum [ "safe" "enum" ];
type = types.enum [ "safe" "secure" ];
default = "safe";
description = ''
On service or configuration errors that prevent Duo

60
nixos/modules/security/pam.nix
View File

@ -48,6 +48,16 @@ let
'';
};
yubicoAuth = mkOption {
default = config.security.pam.yubico.enable;
type = types.bool;
description = ''
If set, users listed in
<filename>~/.yubico/authorized_yubikeys</filename>
are able to log in with the asociated Yubikey tokens.
'';
};
googleAuthenticator = {
enable = mkOption {
default = false;
@ -340,6 +350,8 @@ let
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
"auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so id=${toString yubi.id} ${optionalString yubi.debug "debug"}"}
'' +
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
@ -636,6 +648,54 @@ in
};
};
security.pam.yubico = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables Yubico PAM (<literal>yubico-pam</literal>) module.
If set, users listed in
<filename>~/.yubico/authorized_yubikeys</filename>
are able to log in with the associated Yubikey tokens.
The file must have only one line:
<literal>username:yubikey_token_id1:yubikey_token_id2</literal>
More information can be found <link
xlink:href="https://developers.yubico.com/yubico-pam/">here</link>.
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use Yubikey instead of regular password, use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
for better understanding of this option.
'';
};
id = mkOption {
example = "42";
type = types.string;
description = "client id";
};
debug = mkOption {
default = false;
type = types.bool;
description = ''
Debug output to stderr.
'';
};
};
security.pam.enableEcryptfs = mkOption {
default = false;
description = ''

199
nixos/modules/security/systemd-confinement.nix Normal file
View File

@ -0,0 +1,199 @@
{ config, pkgs, lib, ... }:
let
toplevelConfig = config;
inherit (lib) types;
inherit (import ../system/boot/systemd-lib.nix {
inherit config pkgs lib;
}) mkPathSafeName;
in {
options.systemd.services = lib.mkOption {
type = types.attrsOf (types.submodule ({ name, config, ... }: {
options.confinement.enable = lib.mkOption {
type = types.bool;
default = false;
description = ''
If set, all the required runtime store paths for this service are
bind-mounted into a <literal>tmpfs</literal>-based <citerefentry>
<refentrytitle>chroot</refentrytitle>
<manvolnum>2</manvolnum>
</citerefentry>.
'';
};
options.confinement.fullUnit = lib.mkOption {
type = types.bool;
default = false;
description = ''
Whether to include the full closure of the systemd unit file into the
chroot, instead of just the dependencies for the executables.
<warning><para>While it may be tempting to just enable this option to
make things work quickly, please be aware that this might add paths
to the closure of the chroot that you didn't anticipate. It's better
to use <option>confinement.packages</option> to <emphasis
role="strong">explicitly</emphasis> add additional store paths to the
chroot.</para></warning>
'';
};
options.confinement.packages = lib.mkOption {
type = types.listOf (types.either types.str types.package);
default = [];
description = let
mkScOption = optName: "<option>serviceConfig.${optName}</option>";
in ''
Additional packages or strings with context to add to the closure of
the chroot. By default, this includes all the packages from the
${lib.concatMapStringsSep ", " mkScOption [
"ExecReload" "ExecStartPost" "ExecStartPre" "ExecStop"
"ExecStopPost"
]} and ${mkScOption "ExecStart"} options. If you want to have all the
dependencies of this systemd unit, you can use
<option>confinement.fullUnit</option>.
<note><para>The store paths listed in <option>path</option> are
<emphasis role="strong">not</emphasis> included in the closure as
well as paths from other options except those listed
above.</para></note>
'';
};
options.confinement.binSh = lib.mkOption {
type = types.nullOr types.path;
default = toplevelConfig.environment.binsh;
defaultText = "config.environment.binsh";
example = lib.literalExample "\${pkgs.dash}/bin/dash";
description = ''
The program to make available as <filename>/bin/sh</filename> inside
the chroot. If this is set to <literal>null</literal>, no
<filename>/bin/sh</filename> is provided at all.
This is useful for some applications, which for example use the
<citerefentry>
<refentrytitle>system</refentrytitle>
<manvolnum>3</manvolnum>
</citerefentry> library function to execute commands.
'';
};
options.confinement.mode = lib.mkOption {
type = types.enum [ "full-apivfs" "chroot-only" ];
default = "full-apivfs";
description = ''
The value <literal>full-apivfs</literal> (the default) sets up
private <filename class="directory">/dev</filename>, <filename
class="directory">/proc</filename>, <filename
class="directory">/sys</filename> and <filename
class="directory">/tmp</filename> file systems in a separate user
name space.
If this is set to <literal>chroot-only</literal>, only the file
system name space is set up along with the call to <citerefentry>
<refentrytitle>chroot</refentrytitle>
<manvolnum>2</manvolnum>
</citerefentry>.
<note><para>This doesn't cover network namespaces and is solely for
file system level isolation.</para></note>
'';
};
config = let
rootName = "${mkPathSafeName name}-chroot";
inherit (config.confinement) binSh fullUnit;
wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
in lib.mkIf config.confinement.enable {
serviceConfig = {
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
TemporaryFileSystem = "/";
PrivateMounts = lib.mkDefault true;
# https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt
# to change some of these to default to true.
#
# If we run in chroot-only mode, having something like PrivateDevices
# set to true by default will mount /dev within the chroot, whereas
# with "chroot-only" it's expected that there are no /dev, /proc and
# /sys file systems available.
#
# However, if this suddenly becomes true, the attack surface will
# increase, so let's explicitly set these options to true/false
# depending on the mode.
MountAPIVFS = wantsAPIVFS;
PrivateDevices = wantsAPIVFS;
PrivateTmp = wantsAPIVFS;
PrivateUsers = wantsAPIVFS;
ProtectControlGroups = wantsAPIVFS;
ProtectKernelModules = wantsAPIVFS;
ProtectKernelTunables = wantsAPIVFS;
};
confinement.packages = let
execOpts = [
"ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
"ExecStopPost"
];
execPkgs = lib.concatMap (opt: let
isSet = config.serviceConfig ? ${opt};
in lib.optional isSet config.serviceConfig.${opt}) execOpts;
unitAttrs = toplevelConfig.systemd.units."${name}.service";
allPkgs = lib.singleton (builtins.toJSON unitAttrs);
unitPkgs = if fullUnit then allPkgs else execPkgs;
in unitPkgs ++ lib.optional (binSh != null) binSh;
};
}));
};
config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
+ " service '${name}' is enabled in conjunction with"
+ " 'confinement.enable'";
in lib.optionals cfg.confinement.enable [
{ assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
+ " doesn't support restricting bind-mounts to 'ExecStart'."
+ " Please either define a separate service or find a way to run"
+ " commands other than ExecStart within the chroot.";
}
{ assertion = !cfg.serviceConfig.DynamicUser or false;
message = "${whatOpt "DynamicUser"}. Please create a dedicated user via"
+ " the 'users.users' option instead as this combination is"
+ " currently not supported.";
}
]) config.systemd.services);
config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
rootPaths = let
contents = lib.concatStringsSep "\n" cfg.confinement.packages;
in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
closureInfo = pkgs.closureInfo { inherit rootPaths; };
serviceName = "${name}.service";
excludedPath = rootPaths;
} ''
mkdir -p "$out/lib/systemd/system"
serviceFile="$out/lib/systemd/system/$serviceName"
echo '[Service]' > "$serviceFile"
# /bin/sh is special here, because the option value could contain a
# symlink and we need to properly resolve it.
${lib.optionalString (cfg.confinement.binSh != null) ''
binsh=${lib.escapeShellArg cfg.confinement.binSh}
realprog="$(readlink -e "$binsh")"
echo "BindReadOnlyPaths=$realprog:/bin/sh" >> "$serviceFile"
''}
while read storePath; do
if [ -L "$storePath" ]; then
# Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths,
# so let's just bind-mount the target to that location.
echo "BindReadOnlyPaths=$(readlink -e "$storePath"):$storePath"
elif [ "$storePath" != "$excludedPath" ]; then
echo "BindReadOnlyPaths=$storePath"
fi
done < "$closureInfo/store-paths" >> "$serviceFile"
'';
in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
}

6
nixos/modules/services/continuous-integration/buildbot/master.nix
View File

@ -199,10 +199,10 @@ in {
package = mkOption {
type = types.package;
default = pkgs.pythonPackages.buildbot-full;
defaultText = "pkgs.pythonPackages.buildbot-full";
default = pkgs.python3Packages.buildbot-full;
defaultText = "pkgs.python3Packages.buildbot-full";
description = "Package to use for buildbot.";
example = literalExample "pkgs.python3Packages.buildbot-full";
example = literalExample "pkgs.python3Packages.buildbot";
};
packages = mkOption {

6
nixos/modules/services/continuous-integration/buildbot/worker.nix
View File

@ -118,10 +118,10 @@ in {
package = mkOption {
type = types.package;
default = pkgs.pythonPackages.buildbot-worker;
defaultText = "pkgs.pythonPackages.buildbot-worker";
default = pkgs.python3Packages.buildbot-worker;
defaultText = "pkgs.python3Packages.buildbot-worker";
description = "Package to use for buildbot worker.";
example = literalExample "pkgs.python3Packages.buildbot-worker";
example = literalExample "pkgs.python2Packages.buildbot-worker";
};
packages = mkOption {

82
nixos/modules/services/databases/mysql.nix
View File

@ -103,6 +103,24 @@ in
};
initialDatabases = mkOption {
type = types.listOf (types.submodule {
options = {
name = mkOption {
type = types.str;
description = ''
The name of the database to create.
'';
};
schema = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
The initial schema of the database; if null (the default),
an empty database is created.
'';
};
};
});
default = [];
description = ''
List of database names and their initial schemas that should be used to create databases on the first startup
@ -115,11 +133,13 @@ in
};
initialScript = mkOption {
type = types.nullOr types.lines;
default = null;
description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database";
};
ensureDatabases = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Ensures that the specified databases exist.
@ -134,6 +154,38 @@ in
};
ensureUsers = mkOption {
type = types.listOf (types.submodule {
options = {
name = mkOption {
type = types.str;
description = ''
Name of the user to ensure.
'';
};
ensurePermissions = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
Permissions to ensure for the user, specified as attribute set.
The attribute names specify the database and tables to grant the permissions for,
separated by a dot. You may use wildcards here.
The attribute values specfiy the permissions to grant.
You may specify one or multiple comma-separated SQL privileges here.
For more information on how to specify the target
and on which privileges exist, see the
<link xlink:href="https://mariadb.com/kb/en/library/grant/">GRANT syntax</link>.
The attributes are used as <code>GRANT ''${attrName} ON ''${attrValue}</code>.
'';
example = literalExample ''
{
"database.*" = "ALL PRIVILEGES";
"*.*" = "SELECT, LOCK TABLES";
}
'';
};
};
});
default = [];
description = ''
Ensures that the specified users exist and have at least the ensured permissions.
@ -143,20 +195,22 @@ in
option is changed. This means that users created and permissions assigned once through this option or
otherwise have to be removed manually.
'';
example = literalExample ''[
{
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}
{
name = "backup";
ensurePermissions = {
"*.*" = "SELECT, LOCK TABLES";
};
}
]'';
example = literalExample ''
[
{
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}
{
name = "backup";
ensurePermissions = {
"*.*" = "SELECT, LOCK TABLES";
};
}
]
'';
};
# FIXME: remove this option; it's a really bad idea.

94
nixos/modules/services/databases/openldap.nix
View File

@ -8,7 +8,20 @@ let
openldap = pkgs.openldap;
dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents;
configFile = pkgs.writeText "slapd.conf" cfg.extraConfig;
configFile = pkgs.writeText "slapd.conf" ((optionalString cfg.defaultSchemas ''
include ${pkgs.openldap.out}/etc/schema/core.schema
include ${pkgs.openldap.out}/etc/schema/cosine.schema
include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
include ${pkgs.openldap.out}/etc/schema/nis.schema
'') + ''
${cfg.extraConfig}
database ${cfg.database}
suffix ${cfg.suffix}
rootdn ${cfg.rootdn}
rootpw ${cfg.rootpw}
directory ${cfg.dataDir}
${cfg.extraDatabaseConfig}
'');
configOpts = if cfg.configDir == null then "-f ${configFile}"
else "-F ${cfg.configDir}";
in
@ -54,6 +67,52 @@ in
description = "The database directory.";
};
defaultSchemas = mkOption {
type = types.bool;
default = true;
description = ''
Include the default schemas core, cosine, inetorgperson and nis.
This setting will be ignored if configDir is set.
'';
};
database = mkOption {
type = types.str;
default = "mdb";
description = ''
Database type to use for the LDAP.
This setting will be ignored if configDir is set.
'';
};
suffix = mkOption {
type = types.str;
example = "dc=example,dc=org";
description = ''
Specify the DN suffix of queries that will be passed to this backend
database.
This setting will be ignored if configDir is set.
'';
};
rootdn = mkOption {
type = types.str;
example = "cn=admin,dc=example,dc=org";
description = ''
Specify the distinguished name that is not subject to access control
or administrative limit restrictions for operations on this database.
This setting will be ignored if configDir is set.
'';
};
rootpw = mkOption {
type = types.str;
description = ''
Password for the root user.
This setting will be ignored if configDir is set.
'';
};
logLevel = mkOption {
type = types.str;
default = "0";
@ -118,6 +177,39 @@ in
# ...
'';
};
extraDatabaseConfig = mkOption {
type = types.lines;
default = "";
description = ''
slapd.conf configuration after the database option.
This setting will be ignored if configDir is set.
'';
example = ''
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
'';
};
};
};

1
nixos/modules/services/databases/postgresql.nix
View File

@ -238,6 +238,7 @@ in
User = "postgres";
Group = "postgres";
PermissionsStartOnly = true;
RuntimeDirectory = "postgresql";
Type = if lib.versionAtLeast cfg.package.version "9.6"
then "notify"
else "simple";

2
nixos/modules/services/desktops/gsignond.nix
View File

@ -9,6 +9,8 @@ let
in
{
meta.maintainers = pkgs.pantheon.maintainers;
###### interface
options = {

2
nixos/modules/services/desktops/pantheon/contractor.nix
View File

@ -6,6 +6,8 @@ with lib;
{
meta.maintainers = pkgs.pantheon.maintainers;
###### interface
options = {

2
nixos/modules/services/desktops/pantheon/files.nix
View File

@ -6,6 +6,8 @@ with lib;
{
meta.maintainers = pkgs.pantheon.maintainers;
###### interface
options = {

60
nixos/modules/services/mail/mailcatcher.nix Normal file
View File

@ -0,0 +1,60 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.mailcatcher;
inherit (lib) mkEnableOption mkIf mkOption types;
in
{
# interface
options = {
services.mailcatcher = {
enable = mkEnableOption "Enable MailCatcher.";
http.ip = mkOption {
type = types.str;
default = "127.0.0.1";
description = "The ip address of the http server.";
};
http.port = mkOption {
type = types.port;
default = 1080;
description = "The port address of the http server.";
};
smtp.ip = mkOption {
type = types.str;
default = "127.0.0.1";
description = "The ip address of the smtp server.";
};
smtp.port = mkOption {
type = types.port;
default = 1025;
description = "The port address of the smtp server.";
};
};
};
# implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.mailcatcher ];
systemd.services.mailcatcher = {
description = "MailCatcher Service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
Restart = "always";
ExecStart = "${pkgs.mailcatcher}/bin/mailcatcher --foreground --no-quit --http-ip ${cfg.http.ip} --http-port ${toString cfg.http.port} --smtp-ip ${cfg.smtp.ip} --smtp-port ${toString cfg.smtp.port}";
};
};
};
}

23
nixos/modules/services/misc/docker-registry.nix
View File

@ -14,9 +14,10 @@ let
log.fields.service = "registry";
storage = {
cache.blobdescriptor = blobCache;
filesystem.rootdirectory = cfg.storagePath;
delete.enabled = cfg.enableDelete;
};
} // (if cfg.storagePath != null
then { filesystem.rootdirectory = cfg.storagePath; }
else {});
http = {
addr = "${cfg.listenAddress}:${builtins.toString cfg.port}";
headers.X-Content-Type-Options = ["nosniff"];
@ -61,9 +62,12 @@ in {
};
storagePath = mkOption {
type = types.path;
type = types.nullOr types.path;
default = "/var/lib/docker-registry";
description = "Docker registry storage path.";
description = ''
Docker registry storage path for the filesystem storage backend. Set to
null to configure another backend via extraConfig.
'';
};
enableDelete = mkOption {
@ -140,9 +144,12 @@ in {
startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates;
};
users.users.docker-registry = {
createHome = true;
home = cfg.storagePath;
};
users.users.docker-registry =
if cfg.storagePath != null
then {
createHome = true;
home = cfg.storagePath;
}
else {};
};
}

40
nixos/modules/services/misc/gitlab.nix
View File

@ -160,6 +160,22 @@ let
'';
};
gitlab-rails = pkgs.stdenv.mkDerivation rec {
name = "gitlab-rails";
buildInputs = [ pkgs.makeWrapper ];
dontBuild = true;
unpackPhase = ":";
installPhase = ''
mkdir -p $out/bin
makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rails $out/bin/gitlab-rails \
${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
--set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package pkgs.coreutils pkgs.procps ]}:$PATH' \
--run 'cd ${cfg.packages.gitlab}/share/gitlab'
'';
};
extraGitlabRb = pkgs.writeText "extra-gitlab.rb" cfg.extraGitlabRb;
smtpSettings = pkgs.writeText "gitlab-smtp-settings.rb" ''
if Rails.env.production?
Rails.application.config.action_mailer.delivery_method = :smtp
@ -266,6 +282,26 @@ in {
description = "Extra configuration in config/database.yml.";
};
extraGitlabRb = mkOption {
type = types.str;
default = "";
example = ''
if Rails.env.production?
Rails.application.config.action_mailer.delivery_method = :sendmail
ActionMailer::Base.delivery_method = :sendmail
ActionMailer::Base.sendmail_settings = {
location: "/run/wrappers/bin/sendmail",
arguments: "-i -t"
}
end
'';
description = ''
Extra configuration to be placed in config/extra-gitlab.rb. This can
be used to add configuration not otherwise exposed through this module's
options.
'';
};
host = mkOption {
type = types.str;
default = config.networking.hostName;
@ -439,7 +475,7 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.git gitlab-rake cfg.packages.gitlab-shell ];
environment.systemPackages = [ pkgs.git gitlab-rake gitlab-rails cfg.packages.gitlab-shell ];
# Redis is required for the sidekiq queue runner.
services.redis.enable = mkDefault true;
@ -512,6 +548,7 @@ in {
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
openssh
procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562
gitAndTools.git
cfg.packages.gitaly.rubyEnv
cfg.packages.gitaly.rubyEnv.wrappedRuby
@ -586,6 +623,7 @@ in {
[ -L /run/gitlab/uploads ] || ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
cp ${cfg.packages.gitlab}/share/gitlab/VERSION ${cfg.statePath}/VERSION
cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
ln -sf ${extraGitlabRb} ${cfg.statePath}/config/initializers/extra-gitlab.rb
${optionalString cfg.smtp.enable ''
ln -sf ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
''}

2
nixos/modules/services/misc/plex.nix
View File

@ -146,7 +146,7 @@ in
PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS="6";
PLEX_MEDIA_SERVER_TMPDIR="/tmp";
PLEX_MEDIA_SERVER_USE_SYSLOG="true";
LD_LIBRARY_PATH="/run/opengl-driver/lib:${cfg.package}/usr/lib/plexmediaserver";
LD_LIBRARY_PATH="/run/opengl-driver/lib:${cfg.package}/usr/lib/plexmediaserver/lib";
LC_ALL="en_US.UTF-8";
LANG="en_US.UTF-8";
};

13
nixos/modules/services/networking/firewall.nix
View File

@ -261,10 +261,14 @@ let
fi
'';
canonicalizePortList =
ports: lib.unique (builtins.sort builtins.lessThan ports);
commonOptions = {
allowedTCPPorts = mkOption {
type = types.listOf types.int;
type = types.listOf types.port;
default = [ ];
apply = canonicalizePortList;
example = [ 22 80 ];
description =
''
@ -274,7 +278,7 @@ let
};
allowedTCPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
type = types.listOf (types.attrsOf types.port);
default = [ ];
example = [ { from = 8999; to = 9003; } ];
description =
@ -285,8 +289,9 @@ let
};
allowedUDPPorts = mkOption {
type = types.listOf types.int;
type = types.listOf types.port;
default = [ ];
apply = canonicalizePortList;
example = [ 53 ];
description =
''
@ -295,7 +300,7 @@ let
};
allowedUDPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
type = types.listOf (types.attrsOf types.port);
default = [ ];
example = [ { from = 60000; to = 61000; } ];
description =

118
nixos/modules/services/networking/quicktun.nix Normal file
View File

@ -0,0 +1,118 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.quicktun;
in
with lib;
{
options = {
services.quicktun = mkOption {
default = { };
description = "QuickTun tunnels";
type = types.attrsOf (types.submodule {
options = {
tunMode = mkOption {
type = types.int;
default = 0;
example = 1;
description = "";
};
remoteAddress = mkOption {
type = types.str;
example = "tunnel.example.com";
description = "";
};
localAddress = mkOption {
type = types.str;
example = "0.0.0.0";
description = "";
};
localPort = mkOption {
type = types.int;
default = 2998;
description = "";
};
remotePort = mkOption {
type = types.int;
default = 2998;
description = "";
};
remoteFloat = mkOption {
type = types.int;
default = 0;
description = "";
};
protocol = mkOption {
type = types.str;
default = "nacltai";
description = "";
};
privateKey = mkOption {
type = types.str;
description = "";
};
publicKey = mkOption {
type = types.str;
description = "";
};
timeWindow = mkOption {
type = types.int;
default = 5;
description = "";
};
upScript = mkOption {
type = types.lines;
default = "";
description = "";
};
};
});
};
};
config = mkIf (cfg != []) {
systemd.services = fold (a: b: a // b) {} (
mapAttrsToList (name: qtcfg: {
"quicktun-${name}" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
"INTERFACE" = name;
"TUN_MODE" = toString qtcfg.tunMode;
"REMOTE_ADDRESS" = qtcfg.remoteAddress;
"LOCAL_ADDRESS" = qtcfg.localAddress;
"LOCAL_PORT" = toString qtcfg.localPort;
"REMOTE_PORT" = toString qtcfg.remotePort;
"REMOTE_FLOAT" = toString qtcfg.remoteFloat;
"PRIVATE_KEY" = qtcfg.privateKey;
"PUBLIC_KEY" = qtcfg.publicKey;
"TIME_WINDOW" = toString qtcfg.timeWindow;
"TUN_UP_SCRIPT" = pkgs.writeScript "quicktun-${name}-up.sh" qtcfg.upScript;
"SUID" = "nobody";
};
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.quicktun}/bin/quicktun.${qtcfg.protocol}";
};
};
}) cfg
);
};
}

4
nixos/modules/services/scheduling/cron.nix
View File

@ -64,8 +64,8 @@ in
sendmail. See <option>security.wrappers</option>
If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
will is allowed to have its own crontab file. The /var/cron/cron.deny file
is created automatically for you. So every user can use a crontab.
is allowed to have its own crontab file. The /var/cron/cron.deny file
is created automatically for you, so every user can use a crontab.
Many nixos modules set systemCronJobs, so if you decide to disable vixie cron
and enable another cron daemon, you may want it to get its system crontab

2
nixos/modules/services/web-apps/nextcloud.nix
View File

@ -172,7 +172,7 @@ in {
Database host.
Note: for using Unix authentication with PostgreSQL, this should be
set to <literal>/tmp</literal>.
set to <literal>/run/postgresql</literal>.
'';
};
dbport = mkOption {

2
nixos/modules/services/web-apps/nextcloud.xml
View File

@ -33,7 +33,7 @@
config = {
<link linkend="opt-services.nextcloud.config.dbtype">dbtype</link> = "pgsql";
<link linkend="opt-services.nextcloud.config.dbuser">dbuser</link> = "nextcloud";
<link linkend="opt-services.nextcloud.config.dbhost">dbhost</link> = "/tmp"; # nextcloud will add /.s.PGSQL.5432 by itself
<link linkend="opt-services.nextcloud.config.dbhost">dbhost</link> = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
<link linkend="opt-services.nextcloud.config.dbname">dbname</link> = "nextcloud";
<link linkend="opt-services.nextcloud.config.adminpassFile">adminpassFile</link> = "/path/to/admin-pass-file";
<link linkend="opt-services.nextcloud.config.adminuser">adminuser</link> = "root";

20
nixos/modules/services/web-servers/meguca.nix
View File

@ -86,11 +86,19 @@ in with lib; {
default = false;
description = "Serve and listen only through HTTPS.";
};
videoPaths = mkOption {
type = types.listOf types.path;
default = [];
example = [ "/home/okina/Videos/tehe_pero.webm" ];
description = "Videos that will be symlinked into www/videos.";
};
};
config = mkIf cfg.enable {
security.sudo.enable = cfg.enable;
services.postgresql.enable = cfg.enable;
services.postgresql.package = pkgs.postgresql_11;
services.meguca.passwordFile = mkDefault (pkgs.writeText "meguca-password-file" cfg.password);
services.meguca.postgresArgsFile = mkDefault (pkgs.writeText "meguca-postgres-args" cfg.postgresArgs);
services.meguca.postgresArgs = mkDefault "user=meguca password=${cfg.password} dbname=meguca sslmode=disable";
@ -102,8 +110,16 @@ in with lib; {
preStart = ''
# Ensure folder exists or create it and links and permissions are correct
mkdir -p ${escapeShellArg cfg.dataDir}
ln -sf ${pkgs.meguca}/share/meguca/www ${escapeShellArg cfg.dataDir}
mkdir -p ${escapeShellArg cfg.dataDir}/www
rm -rf ${escapeShellArg cfg.dataDir}/www/videos
ln -sf ${pkgs.meguca}/share/meguca/www/* ${escapeShellArg cfg.dataDir}/www
unlink ${escapeShellArg cfg.dataDir}/www/videos
mkdir -p ${escapeShellArg cfg.dataDir}/www/videos
for vid in ${escapeShellArg cfg.videoPaths}; do
ln -sf $vid ${escapeShellArg cfg.dataDir}/www/videos
done
chmod 750 ${escapeShellArg cfg.dataDir}
chown -R meguca:meguca ${escapeShellArg cfg.dataDir}

19
nixos/modules/services/x11/colord.nix
View File

@ -18,22 +18,23 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.colord ];
services.dbus.packages = [ pkgs.colord ];
services.udev.packages = [ pkgs.colord ];
environment.systemPackages = [ pkgs.colord ];
systemd.packages = [ pkgs.colord ];
systemd.services.colord = {
description = "Manage, Install and Generate Color Profiles";
serviceConfig = {
Type = "dbus";
BusName = "org.freedesktop.ColorManager";
ExecStart = "${pkgs.colord}/libexec/colord";
PrivateTmp = true;
};
environment.etc."tmpfiles.d/colord.conf".source = "${pkgs.colord}/lib/tmpfiles.d/colord.conf";
users.users.colord = {
home = "/var/lib/colord";
group = "colord";
};
users.groups.colord = {};
};
}

3
nixos/modules/services/x11/desktop-managers/pantheon.nix
View File

@ -14,6 +14,9 @@ let
in
{
meta.maintainers = pkgs.pantheon.maintainers;
options = {
services.xserver.desktopManager.pantheon = {

2
nixos/modules/services/x11/window-managers/dwm.nix
View File

@ -25,7 +25,7 @@ in
{ name = "dwm";
start =
''
${pkgs.dwm}/bin/dwm &
dwm &
waitPID=$!
'';
};

9
nixos/modules/system/boot/systemd-lib.nix
View File

@ -9,12 +9,11 @@ in rec {
shellEscape = s: (replaceChars [ "\\" ] [ "\\\\" ] s);
mkPathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""];
makeUnit = name: unit:
let
pathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""] name;
in
if unit.enable then
pkgs.runCommand "unit-${pathSafeName}"
pkgs.runCommand "unit-${mkPathSafeName name}"
{ preferLocalBuild = true;
allowSubstitutes = false;
inherit (unit) text;
@ -24,7 +23,7 @@ in rec {
echo -n "$text" > $out/${shellEscape name}
''
else
pkgs.runCommand "unit-${pathSafeName}-disabled"
pkgs.runCommand "unit-${mkPathSafeName name}-disabled"
{ preferLocalBuild = true;
allowSubstitutes = false;
}

14
nixos/modules/virtualisation/containers.nix
View File

@ -36,8 +36,9 @@ let
#! ${pkgs.runtimeShell} -e
# Initialise the container side of the veth pair.
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || [ -n "$HOST_BRIDGE" ]; then
if [ -n "$HOST_ADDRESS" ] || [ -n "$HOST_ADDRESS6" ] ||
[ -n "$LOCAL_ADDRESS" ] || [ -n "$LOCAL_ADDRESS6" ] ||
[ -n "$HOST_BRIDGE" ]; then
ip link set host0 name eth0
ip link set dev eth0 up
@ -88,7 +89,8 @@ let
extraFlags+=" --private-network"
fi
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
[ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
extraFlags+=" --network-veth"
fi
@ -159,7 +161,8 @@ let
# Clean up existing machined registration and interfaces.
machinectl terminate "$INSTANCE" 2> /dev/null || true
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
[ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
ip link del dev "ve-$INSTANCE" 2> /dev/null || true
ip link del dev "vb-$INSTANCE" 2> /dev/null || true
fi
@ -208,7 +211,8 @@ let
'';
in
''
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then
if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] ||
[ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
if [ -z "$HOST_BRIDGE" ]; then
ifaceHost=ve-$INSTANCE
ip link set dev $ifaceHost up

233
nixos/modules/virtualisation/docker-containers.nix Normal file
View File

@ -0,0 +1,233 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.docker-containers;
dockerContainer =
{ name, config, ... }: {
options = {
image = mkOption {
type = types.str;
description = "Docker image to run.";
example = "library/hello-world";
};
cmd = mkOption {
type = with types; listOf str;
default = [];
description = "Commandline arguments to pass to the image's entrypoint.";
example = literalExample ''
["--port=9000"]
'';
};
entrypoint = mkOption {
type = with types; nullOr str;
description = "Overwrite the default entrypoint of the image.";
default = null;
example = "/bin/my-app";
};
environment = mkOption {
type = with types; attrsOf str;
default = {};
description = "Environment variables to set for this container.";
example = literalExample ''
{
DATABASE_HOST = "db.example.com";
DATABASE_PORT = "3306";
}
'';
};
log-driver = mkOption {
type = types.str;
default = "none";
description = ''
Logging driver for the container. The default of
<literal>"none"</literal> means that the container's logs will be
handled as part of the systemd unit. Setting this to
<literal>"journald"</literal> will result in duplicate logging, but
the container's logs will be visible to the <command>docker
logs</command> command.
For more details and a full list of logging drivers, refer to the
<link xlink:href="https://docs.docker.com/engine/reference/run/#logging-drivers---log-driver">
Docker engine documentation</link>
'';
};
ports = mkOption {
type = with types; listOf str;
default = [];
description = ''
Network ports to publish from the container to the outer host.
</para>
<para>
Valid formats:
</para>
<itemizedlist>
<listitem>
<para>
<literal>&lt;ip&gt;:&lt;hostPort&gt;:&lt;containerPort&gt;</literal>
</para>
</listitem>
<listitem>
<para>
<literal>&lt;ip&gt;::&lt;containerPort&gt;</literal>
</para>
</listitem>
<listitem>
<para>
<literal>&lt;hostPort&gt;:&lt;containerPort&gt;</literal>
</para>
</listitem>
<listitem>
<para>
<literal>&lt;containerPort&gt;</literal>
</para>
</listitem>
</itemizedlist>
<para>
Both <literal>hostPort</literal> and
<literal>containerPort</literal> can be specified as a range of
ports. When specifying ranges for both, the number of container
ports in the range must match the number of host ports in the
range. Example: <literal>1234-1236:1234-1236/tcp</literal>
</para>
<para>
When specifying a range for <literal>hostPort</literal> only, the
<literal>containerPort</literal> must <emphasis>not</emphasis> be a
range. In this case, the container port is published somewhere
within the specified <literal>hostPort</literal> range. Example:
<literal>1234-1236:1234/tcp</literal>
</para>
<para>
Refer to the
<link xlink:href="https://docs.docker.com/engine/reference/run/#expose-incoming-ports">
Docker engine documentation</link> for full details.
'';
example = literalExample ''
[
"8080:9000"
]
'';
};
user = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Override the username or UID (and optionally groupname or GID) used
in the container.
'';
example = "nobody:nogroup";
};
volumes = mkOption {
type = with types; listOf str;
default = [];
description = ''
List of volumes to attach to this container.
Note that this is a list of <literal>"src:dst"</literal> strings to
allow for <literal>src</literal> to refer to
<literal>/nix/store</literal> paths, which would difficult with an
attribute set. There are also a variety of mount options available
as a third field; please refer to the
<link xlink:href="https://docs.docker.com/engine/reference/run/#volume-shared-filesystems">
docker engine documentation</link> for details.
'';
example = literalExample ''
[
"volume_name:/path/inside/container"
"/path/on/host:/path/inside/container"
]
'';
};
workdir = mkOption {
type = with types; nullOr str;
default = null;
description = "Override the default working directory for the container.";
example = "/var/lib/hello_world";
};
extraDockerOptions = mkOption {
type = with types; listOf str;
default = [];
description = "Extra options for <command>docker run</command>.";
example = literalExample ''
["--network=host"]
'';
};
};
};
mkService = name: container: {
wantedBy = [ "multi-user.target" ];
after = [ "docker.service" "docker.socket" ];
requires = [ "docker.service" "docker.socket" ];
serviceConfig = {
ExecStart = concatStringsSep " \\\n " ([
"${pkgs.docker}/bin/docker run"
"--rm"
"--name=%n"
"--log-driver=${container.log-driver}"
] ++ optional (! isNull container.entrypoint)
"--entrypoint=${escapeShellArg container.entrypoint}"
++ (mapAttrsToList (k: v: "-e ${escapeShellArg k}=${escapeShellArg v}") container.environment)
++ map (p: "-p ${escapeShellArg p}") container.ports
++ optional (! isNull container.user) "-u ${escapeShellArg container.user}"
++ map (v: "-v ${escapeShellArg v}") container.volumes
++ optional (! isNull container.workdir) "-w ${escapeShellArg container.workdir}"
++ map escapeShellArg container.extraDockerOptions
++ [container.image]
++ map escapeShellArg container.cmd
);
ExecStartPre = "-${pkgs.docker}/bin/docker rm -f %n";
ExecStop = "${pkgs.docker}/bin/docker stop %n";
ExecStopPost = "-${pkgs.docker}/bin/docker rm -f %n";
### There is no generalized way of supporting `reload` for docker
### containers. Some containers may respond well to SIGHUP sent to their
### init process, but it is not guaranteed; some apps have other reload
### mechanisms, some don't have a reload signal at all, and some docker
### images just have broken signal handling. The best compromise in this
### case is probably to leave ExecReload undefined, so `systemctl reload`
### will at least result in an error instead of potentially undefined
### behaviour.
###
### Advanced users can still override this part of the unit to implement
### a custom reload handler, since the result of all this is a normal
### systemd service from the perspective of the NixOS module system.
###
# ExecReload = ...;
###
TimeoutStartSec = 0;
TimeoutStopSec = 120;
Restart = "always";
};
};
in {
options.docker-containers = mkOption {
default = {};
type = types.attrsOf (types.submodule dockerContainer);
description = "Docker containers to run as systemd services.";
};
config = mkIf (cfg != {}) {
systemd.services = mapAttrs' (n: v: nameValuePair "docker-${n}" (mkService n v)) cfg;
virtualisation.docker.enable = true;
};
}

1
nixos/modules/virtualisation/virtualbox-image.nix
View File

@ -94,6 +94,7 @@ in {
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
boot.growPartition = true;

1
nixos/release-combined.nix
View File

@ -64,6 +64,7 @@ in rec {
#(all nixos.tests.containers)
(all nixos.tests.containers-imperative)
(all nixos.tests.containers-ipv4)
(all nixos.tests.containers-ipv6)
nixos.tests.chromium.x86_64-linux or []
(all nixos.tests.firefox)
(all nixos.tests.firewall)

1
nixos/release-small.nix
View File

@ -33,6 +33,7 @@ in rec {
inherit (nixos'.tests)
containers-imperative
containers-ipv4
containers-ipv6
firewall
ipv6
login

7
nixos/tests/all-tests.nix
View File

@ -59,6 +59,7 @@ in
dhparams = handleTest ./dhparams.nix {};
dnscrypt-proxy = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy.nix {};
docker = handleTestOn ["x86_64-linux"] ./docker.nix {};
docker-containers = handleTestOn ["x86_64-linux"] ./docker-containers.nix {};
docker-edge = handleTestOn ["x86_64-linux"] ./docker-edge.nix {};
docker-preloader = handleTestOn ["x86_64-linux"] ./docker-preloader.nix {};
docker-registry = handleTest ./docker-registry.nix {};
@ -113,10 +114,11 @@ in
ipv6 = handleTest ./ipv6.nix {};
jackett = handleTest ./jackett.nix {};
jenkins = handleTest ./jenkins.nix {};
#kafka = handleTest ./kafka.nix {}; # broken since openjdk: 8u181 -> 8u192
kafka = handleTest ./kafka.nix {};
kerberos = handleTest ./kerberos/default.nix {};
kernel-latest = handleTest ./kernel-latest.nix {};
kernel-lts = handleTest ./kernel-lts.nix {};
kernel-testing = handleTest ./kernel-testing.nix {};
keymap = handleTest ./keymap.nix {};
knot = handleTest ./knot.nix {};
kubernetes.dns = handleTestOn ["x86_64-linux"] ./kubernetes/dns.nix {};
@ -130,6 +132,7 @@ in
#lightdm = handleTest ./lightdm.nix {};
login = handleTest ./login.nix {};
#logstash = handleTest ./logstash.nix {};
mailcatcher = handleTest ./mailcatcher.nix {};
mathics = handleTest ./mathics.nix {};
matrix-synapse = handleTest ./matrix-synapse.nix {};
memcached = handleTest ./memcached.nix {};
@ -219,6 +222,7 @@ in
switchTest = handleTest ./switch-test.nix {};
syncthing-relay = handleTest ./syncthing-relay.nix {};
systemd = handleTest ./systemd.nix {};
systemd-confinement = handleTest ./systemd-confinement.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
tomcat = handleTest ./tomcat.nix {};
@ -228,6 +232,7 @@ in
upnp = handleTest ./upnp.nix {};
vault = handleTest ./vault.nix {};
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
wireguard = handleTest ./wireguard {};
wordpress = handleTest ./wordpress.nix {};
xautolock = handleTest ./xautolock.nix {};
xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {};

203
nixos/tests/buildbot.nix
View File

@ -5,116 +5,109 @@
with import ../lib/testing.nix { inherit system pkgs; };
let
# Test ensures buildbot master comes up correctly and workers can connect
mkBuildbotTest = python: makeTest {
name = "buildbot";
# Test ensures buildbot master comes up correctly and workers can connect
makeTest {
name = "buildbot";
nodes = {
bbmaster = { pkgs, ... }: {
services.buildbot-master = {
enable = true;
package = python.pkgs.buildbot-full;
nodes = {
bbmaster = { pkgs, ... }: {
services.buildbot-master = {
enable = true;
# NOTE: use fake repo due to no internet in hydra ci
factorySteps = [
"steps.Git(repourl='git://gitrepo/fakerepo.git', mode='incremental')"
"steps.ShellCommand(command=['bash', 'fakerepo.sh'])"
];
changeSource = [
"changes.GitPoller('git://gitrepo/fakerepo.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)"
];
};
networking.firewall.allowedTCPPorts = [ 8010 8011 9989 ];
environment.systemPackages = with pkgs; [ git python.pkgs.buildbot-full ];
};
bbworker = { pkgs, ... }: {
services.buildbot-worker = {
enable = true;
masterUrl = "bbmaster:9989";
};
environment.systemPackages = with pkgs; [ git python.pkgs.buildbot-worker ];
};
gitrepo = { pkgs, ... }: {
services.openssh.enable = true;
networking.firewall.allowedTCPPorts = [ 22 9418 ];
environment.systemPackages = with pkgs; [ git ];
# NOTE: use fake repo due to no internet in hydra ci
factorySteps = [
"steps.Git(repourl='git://gitrepo/fakerepo.git', mode='incremental')"
"steps.ShellCommand(command=['bash', 'fakerepo.sh'])"
];
changeSource = [
"changes.GitPoller('git://gitrepo/fakerepo.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)"
];
};
networking.firewall.allowedTCPPorts = [ 8010 8011 9989 ];
environment.systemPackages = with pkgs; [ git python3Packages.buildbot-full ];
};
testScript = ''
#Start up and populate fake repo
$gitrepo->waitForUnit("multi-user.target");
print($gitrepo->execute(" \
git config --global user.name 'Nobody Fakeuser' && \
git config --global user.email 'nobody\@fakerepo.com' && \
rm -rvf /srv/repos/fakerepo.git /tmp/fakerepo && \
mkdir -pv /srv/repos/fakerepo ~/.ssh && \
ssh-keyscan -H gitrepo > ~/.ssh/known_hosts && \
cat ~/.ssh/known_hosts && \
cd /srv/repos/fakerepo && \
git init && \
echo -e '#!/bin/sh\necho fakerepo' > fakerepo.sh && \
cat fakerepo.sh && \
touch .git/git-daemon-export-ok && \
git add fakerepo.sh .git/git-daemon-export-ok && \
git commit -m fakerepo && \
git daemon --verbose --export-all --base-path=/srv/repos --reuseaddr & \
"));
# Test gitrepo
$bbmaster->waitForUnit("network-online.target");
#$bbmaster->execute("nc -z gitrepo 9418");
print($bbmaster->execute(" \
rm -rfv /tmp/fakerepo && \
git clone git://gitrepo/fakerepo /tmp/fakerepo && \
pwd && \
ls -la && \
ls -la /tmp/fakerepo \
"));
# Test start master and connect worker
$bbmaster->waitForUnit("buildbot-master.service");
$bbmaster->waitUntilSucceeds("curl -s --head http://bbmaster:8010") =~ /200 OK/;
$bbworker->waitForUnit("network-online.target");
$bbworker->execute("nc -z bbmaster 8010");
$bbworker->execute("nc -z bbmaster 9989");
$bbworker->waitForUnit("buildbot-worker.service");
print($bbworker->execute("ls -la /home/bbworker/worker"));
# Test stop buildbot master and worker
print($bbmaster->execute(" \
systemctl -l --no-pager status buildbot-master && \
systemctl stop buildbot-master \
"));
$bbworker->fail("nc -z bbmaster 8010");
$bbworker->fail("nc -z bbmaster 9989");
print($bbworker->execute(" \
systemctl -l --no-pager status buildbot-worker && \
systemctl stop buildbot-worker && \
ls -la /home/bbworker/worker \
"));
# Test buildbot daemon mode
$bbmaster->execute("buildbot create-master /tmp");
$bbmaster->execute("mv -fv /tmp/master.cfg.sample /tmp/master.cfg");
$bbmaster->execute("sed -i 's/8010/8011/' /tmp/master.cfg");
$bbmaster->execute("buildbot start /tmp");
$bbworker->execute("nc -z bbmaster 8011");
$bbworker->waitUntilSucceeds("curl -s --head http://bbmaster:8011") =~ /200 OK/;
$bbmaster->execute("buildbot stop /tmp");
$bbworker->fail("nc -z bbmaster 8011");
'';
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ nand0p ];
bbworker = { pkgs, ... }: {
services.buildbot-worker = {
enable = true;
masterUrl = "bbmaster:9989";
};
environment.systemPackages = with pkgs; [ git python3Packages.buildbot-worker ];
};
gitrepo = { pkgs, ... }: {
services.openssh.enable = true;
networking.firewall.allowedTCPPorts = [ 22 9418 ];
environment.systemPackages = with pkgs; [ git ];
};
};
in {
python2 = mkBuildbotTest pkgs.python2;
python3 = mkBuildbotTest pkgs.python3;
testScript = ''
#Start up and populate fake repo
$gitrepo->waitForUnit("multi-user.target");
print($gitrepo->execute(" \
git config --global user.name 'Nobody Fakeuser' && \
git config --global user.email 'nobody\@fakerepo.com' && \
rm -rvf /srv/repos/fakerepo.git /tmp/fakerepo && \
mkdir -pv /srv/repos/fakerepo ~/.ssh && \
ssh-keyscan -H gitrepo > ~/.ssh/known_hosts && \
cat ~/.ssh/known_hosts && \
cd /srv/repos/fakerepo && \
git init && \
echo -e '#!/bin/sh\necho fakerepo' > fakerepo.sh && \
cat fakerepo.sh && \
touch .git/git-daemon-export-ok && \
git add fakerepo.sh .git/git-daemon-export-ok && \
git commit -m fakerepo && \
git daemon --verbose --export-all --base-path=/srv/repos --reuseaddr & \
"));
# Test gitrepo
$bbmaster->waitForUnit("network-online.target");
#$bbmaster->execute("nc -z gitrepo 9418");
print($bbmaster->execute(" \
rm -rfv /tmp/fakerepo && \
git clone git://gitrepo/fakerepo /tmp/fakerepo && \
pwd && \
ls -la && \
ls -la /tmp/fakerepo \
"));
# Test start master and connect worker
$bbmaster->waitForUnit("buildbot-master.service");
$bbmaster->waitUntilSucceeds("curl -s --head http://bbmaster:8010") =~ /200 OK/;
$bbworker->waitForUnit("network-online.target");
$bbworker->execute("nc -z bbmaster 8010");
$bbworker->execute("nc -z bbmaster 9989");
$bbworker->waitForUnit("buildbot-worker.service");
print($bbworker->execute("ls -la /home/bbworker/worker"));
# Test stop buildbot master and worker
print($bbmaster->execute(" \
systemctl -l --no-pager status buildbot-master && \
systemctl stop buildbot-master \
"));
$bbworker->fail("nc -z bbmaster 8010");
$bbworker->fail("nc -z bbmaster 9989");
print($bbworker->execute(" \
systemctl -l --no-pager status buildbot-worker && \
systemctl stop buildbot-worker && \
ls -la /home/bbworker/worker \
"));
# Test buildbot daemon mode
$bbmaster->execute("buildbot create-master /tmp");
$bbmaster->execute("mv -fv /tmp/master.cfg.sample /tmp/master.cfg");
$bbmaster->execute("sed -i 's/8010/8011/' /tmp/master.cfg");
$bbmaster->execute("buildbot start /tmp");
$bbworker->execute("nc -z bbmaster 8011");
$bbworker->waitUntilSucceeds("curl -s --head http://bbmaster:8011") =~ /200 OK/;
$bbmaster->execute("buildbot stop /tmp");
$bbworker->fail("nc -z bbmaster 8011");
'';
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ nand0p ];
}

29
nixos/tests/docker-containers.nix Normal file
View File

@ -0,0 +1,29 @@
# Test Docker containers as systemd units
import ./make-test.nix ({ pkgs, lib, ... }: {
name = "docker-containers";
meta = {
maintainers = with lib.maintainers; [ benley ];
};
nodes = {
docker = { pkgs, ... }:
{
virtualisation.docker.enable = true;
virtualisation.dockerPreloader.images = [ pkgs.dockerTools.examples.nginx ];
docker-containers.nginx = {
image = "nginx-container";
ports = ["8181:80"];
};
};
};
testScript = ''
startAll;
$docker->waitForUnit("docker-nginx.service");
$docker->waitForOpenPort(8181);
$docker->waitUntilSucceeds("curl http://localhost:8181|grep Hello");
'';
})

4
nixos/tests/docker-tools.nix
View File

@ -34,8 +34,8 @@ import ./make-test.nix ({ pkgs, ... }: {
# To test the pullImage tool
$docker->succeed("docker load --input='${pkgs.dockerTools.examples.nixFromDockerHub}'");
$docker->succeed("docker run --rm nixos/nix:2.2.1 nix-store --version");
$docker->succeed("docker rmi nixos/nix:2.2.1");
$docker->succeed("docker run --rm nix:2.2.1 nix-store --version");
$docker->succeed("docker rmi nix:2.2.1");
# To test runAsRoot and entry point
$docker->succeed("docker load --input='${pkgs.dockerTools.examples.nginx}'");

6
nixos/tests/home-assistant.nix
View File

@ -33,11 +33,13 @@ in {
longitude = "0.0";
elevation = 0;
auth_providers = [
{ type = "legacy_api_password"; }
{
type = "legacy_api_password";
api_password = apiPassword;
}
];
};
frontend = { };
http.api_password = apiPassword;
mqtt = { # Use hbmqtt as broker
password = mqttPassword;
};

1
nixos/tests/kafka.nix
View File

@ -72,4 +72,5 @@ in with pkgs; {
kafka_1_1 = makeKafkaTest "kafka_1_1" apacheKafka_1_1;
kafka_2_0 = makeKafkaTest "kafka_2_0" apacheKafka_2_0;
kafka_2_1 = makeKafkaTest "kafka_2_1" apacheKafka_2_1;
kafka_2_2 = makeKafkaTest "kafka_2_2" apacheKafka_2_2;
}

17
nixos/tests/kernel-testing.nix Normal file
View File

@ -0,0 +1,17 @@
import ./make-test.nix ({ pkgs, ...} : {
name = "kernel-testing";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
};
machine = { pkgs, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_testing;
};
testScript =
''
$machine->succeed("uname -s | grep 'Linux'");
$machine->succeed("uname -a | grep '${pkgs.linuxPackages_testing.kernel.modDirVersion}'");
'';
})

9
nixos/tests/ldap.nix
View File

@ -28,20 +28,19 @@ let
users.ldap.daemon = {
enable = useDaemon;
rootpwmoddn = "cn=admin,${dbSuffix}";
rootpwmodpw = "/etc/nslcd.rootpwmodpw";
rootpwmodpwFile = "/etc/nslcd.rootpwmodpw";
};
# NOTE: password stored in clear in Nix's store, but this is a test.
environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
users.ldap.loginPam = true;
users.ldap.nsswitch = true;
users.ldap.server = "ldap://server";
users.ldap.base = "ou=posix,${dbSuffix}";
users.ldap.bind = {
distinguishedName = "cn=admin,${dbSuffix}";
password = "/etc/ldap/bind.password";
passwordFile = "/etc/ldap/bind.password";
};
# NOTE: password stored in clear in Nix's store, but this is a test.
# NOTE: passwords stored in clear in Nix's store, but this is a test.
environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd;
environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
};
in

26
nixos/tests/mailcatcher.nix Normal file
View File

@ -0,0 +1,26 @@
import ./make-test.nix ({ lib, ... }:
{
name = "mailcatcher";
meta.maintainers = [ lib.maintainers.aanderse ];
machine =
{ pkgs, ... }:
{
services.mailcatcher.enable = true;
networking.defaultMailServer.directDelivery = true;
networking.defaultMailServer.hostName = "localhost:1025";
environment.systemPackages = [ pkgs.mailutils ];
};
testScript = ''
startAll;
$machine->waitForUnit('mailcatcher.service');
$machine->waitForOpenPort('1025');
$machine->succeed('echo "this is the body of the email" | mail -s "subject" root@example.org');
$machine->succeed('curl http://localhost:1080/messages/1.source') =~ /this is the body of the email/ or die;
'';
})

29
nixos/tests/minio.nix
View File

@ -1,4 +1,24 @@
import ./make-test.nix ({ pkgs, ...} : {
import ./make-test.nix ({ pkgs, ...} :
let
accessKey = "BKIKJAA5BMMU2RHO6IBB";
secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
minioPythonScript = pkgs.writeScript "minio-test.py" ''
#! ${pkgs.python3.withPackages(ps: [ ps.minio ])}/bin/python
import io
import os
from minio import Minio
minioClient = Minio('localhost:9000',
access_key='${accessKey}',
secret_key='${secretKey}',
secure=False)
sio = io.BytesIO()
sio.write(b'Test from Python')
sio.seek(0, os.SEEK_END)
sio_len = sio.tell()
sio.seek(0)
minioClient.put_object('test-bucket', 'test.txt', sio, sio_len, content_type='text/plain')
'';
in {
name = "minio";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bachp ];
@ -8,8 +28,7 @@ import ./make-test.nix ({ pkgs, ...} : {
machine = { pkgs, ... }: {
services.minio = {
enable = true;
accessKey = "BKIKJAA5BMMU2RHO6IBB";
secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
inherit accessKey secretKey;
};
environment.systemPackages = [ pkgs.minio-client ];
@ -25,9 +44,11 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->waitForOpenPort(9000);
# Create a test bucket on the server
$machine->succeed("mc config host add minio http://localhost:9000 BKIKJAA5BMMU2RHO6IBB V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12 S3v4");
$machine->succeed("mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} S3v4");
$machine->succeed("mc mb minio/test-bucket");
$machine->succeed("${minioPythonScript}");
$machine->succeed("mc ls minio") =~ /test-bucket/ or die;
$machine->succeed("mc cat minio/test-bucket/test.txt") =~ /Test from Python/ or die;
$machine->shutdown;
'';

28
nixos/tests/mysql.nix
View File

@ -5,7 +5,7 @@ import ./make-test.nix ({ pkgs, ...} : {
};
nodes = {
master =
mysql =
{ pkgs, ... }:
{
@ -13,12 +13,34 @@ import ./make-test.nix ({ pkgs, ...} : {
services.mysql.initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
services.mysql.package = pkgs.mysql;
};
mariadb =
{ pkgs, ... }:
{
users.users.testuser = { };
services.mysql.enable = true;
services.mysql.ensureDatabases = [ "testdb" ];
services.mysql.ensureUsers = [{
name = "testuser";
ensurePermissions = {
"testdb.*" = "ALL PRIVILEGES";
};
}];
services.mysql.package = pkgs.mariadb;
};
};
testScript = ''
startAll;
$master->waitForUnit("mysql");
$master->succeed("echo 'use testdb; select * from tests' | mysql -u root -N | grep 4");
$mysql->waitForUnit("mysql");
$mysql->succeed("echo 'use testdb; select * from tests' | mysql -u root -N | grep 4");
$mariadb->waitForUnit("mysql");
$mariadb->succeed("echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser");
$mariadb->succeed("echo 'use testdb; insert into tests values (42);' | sudo -u testuser mysql -u testuser");
$mariadb->succeed("echo 'use testdb; select test_id from tests' | sudo -u testuser mysql -u testuser -N | grep 42");
'';
})

14
nixos/tests/openldap.nix
View File

@ -4,16 +4,12 @@ import ./make-test.nix {
machine = { pkgs, ... }: {
services.openldap = {
enable = true;
extraConfig = ''
include ${pkgs.openldap}/etc/schema/core.schema
include ${pkgs.openldap}/etc/schema/cosine.schema
include ${pkgs.openldap}/etc/schema/inetorgperson.schema
include ${pkgs.openldap}/etc/schema/nis.schema
database bdb
suffix dc=example
suffix = "dc=example";
rootdn = "cn=root,dc=example";
rootpw = "notapassword";
database = "bdb";
extraDatabaseConfig = ''
directory /var/db/openldap
rootdn cn=root,dc=example
rootpw notapassword
'';
declarativeContents = ''
dn: dc=example

3
nixos/tests/predictable-interface-names.nix
View File

@ -20,8 +20,7 @@ in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: {
testScript = ''
print $machine->succeed("ip link");
$machine->succeed("ip link show ${if predictable then "ens3" else "eth0"}");
$machine->fail("ip link show ${if predictable then "eth0" else "ens3"}");
$machine->${if predictable then "fail" else "succeed"}("ip link show eth0 ");
'';
};
}) [[true false] [true false]])

168
nixos/tests/systemd-confinement.nix Normal file
View File

@ -0,0 +1,168 @@
import ./make-test.nix {
name = "systemd-confinement";
machine = { pkgs, lib, ... }: let
testServer = pkgs.writeScript "testserver.sh" ''
#!${pkgs.stdenv.shell}
export PATH=${lib.escapeShellArg "${pkgs.coreutils}/bin"}
${lib.escapeShellArg pkgs.stdenv.shell} 2>&1
echo "exit-status:$?"
'';
testClient = pkgs.writeScriptBin "chroot-exec" ''
#!${pkgs.stdenv.shell} -e
output="$(echo "$@" | nc -NU "/run/test$(< /teststep).sock")"
ret="$(echo "$output" | sed -nre '$s/^exit-status:([0-9]+)$/\1/p')"
echo "$output" | head -n -1
exit "''${ret:-1}"
'';
mkTestStep = num: { description, config ? {}, testScript }: {
systemd.sockets."test${toString num}" = {
description = "Socket for Test Service ${toString num}";
wantedBy = [ "sockets.target" ];
socketConfig.ListenStream = "/run/test${toString num}.sock";
socketConfig.Accept = true;
};
systemd.services."test${toString num}@" = {
description = "Confined Test Service ${toString num}";
confinement = (config.confinement or {}) // { enable = true; };
serviceConfig = (config.serviceConfig or {}) // {
ExecStart = testServer;
StandardInput = "socket";
};
} // removeAttrs config [ "confinement" "serviceConfig" ];
__testSteps = lib.mkOrder num ''
subtest '${lib.escape ["\\" "'"] description}', sub {
$machine->succeed('echo ${toString num} > /teststep');
${testScript}
};
'';
};
in {
imports = lib.imap1 mkTestStep [
{ description = "chroot-only confinement";
config.confinement.mode = "chroot-only";
testScript = ''
$machine->succeed(
'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
'test "$(chroot-exec id -u)" = 0',
'chroot-exec chown 65534 /bin',
);
'';
}
{ description = "full confinement with APIVFS";
testScript = ''
$machine->fail(
'chroot-exec ls -l /etc',
'chroot-exec ls -l /run',
'chroot-exec chown 65534 /bin',
);
$machine->succeed(
'test "$(chroot-exec id -u)" = 0',
'chroot-exec chown 0 /bin',
);
'';
}
{ description = "check existence of bind-mounted /etc";
config.serviceConfig.BindReadOnlyPaths = [ "/etc" ];
testScript = ''
$machine->succeed('test -n "$(chroot-exec cat /etc/passwd)"');
'';
}
{ description = "check if User/Group really runs as non-root";
config.serviceConfig.User = "chroot-testuser";
config.serviceConfig.Group = "chroot-testgroup";
testScript = ''
$machine->succeed('chroot-exec ls -l /dev');
$machine->succeed('test "$(chroot-exec id -u)" != 0');
$machine->fail('chroot-exec touch /bin/test');
'';
}
(let
symlink = pkgs.runCommand "symlink" {
target = pkgs.writeText "symlink-target" "got me\n";
} "ln -s \"$target\" \"$out\"";
in {
description = "check if symlinks are properly bind-mounted";
config.confinement.packages = lib.singleton symlink;
testScript = ''
$machine->fail('chroot-exec test -e /etc');
$machine->succeed('chroot-exec cat ${symlink} >&2');
$machine->succeed('test "$(chroot-exec cat ${symlink})" = "got me"');
'';
})
{ description = "check if StateDirectory works";
config.serviceConfig.User = "chroot-testuser";
config.serviceConfig.Group = "chroot-testgroup";
config.serviceConfig.StateDirectory = "testme";
testScript = ''
$machine->succeed('chroot-exec touch /tmp/canary');
$machine->succeed('chroot-exec "echo works > /var/lib/testme/foo"');
$machine->succeed('test "$(< /var/lib/testme/foo)" = works');
$machine->succeed('test ! -e /tmp/canary');
'';
}
{ description = "check if /bin/sh works";
testScript = ''
$machine->succeed(
'chroot-exec test -e /bin/sh',
'test "$(chroot-exec \'/bin/sh -c "echo bar"\')" = bar',
);
'';
}
{ description = "check if suppressing /bin/sh works";
config.confinement.binSh = null;
testScript = ''
$machine->succeed(
'chroot-exec test ! -e /bin/sh',
'test "$(chroot-exec \'/bin/sh -c "echo foo"\')" != foo',
);
'';
}
{ description = "check if we can set /bin/sh to something different";
config.confinement.binSh = "${pkgs.hello}/bin/hello";
testScript = ''
$machine->succeed(
'chroot-exec test -e /bin/sh',
'test "$(chroot-exec /bin/sh -g foo)" = foo',
);
'';
}
{ description = "check if only Exec* dependencies are included";
config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n";
testScript = ''
$machine->succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" != eek');
'';
}
{ description = "check if all unit dependencies are included";
config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n";
config.confinement.fullUnit = true;
testScript = ''
$machine->succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" = eek');
'';
}
];
options.__testSteps = lib.mkOption {
type = lib.types.lines;
description = "All of the test steps combined as a single script.";
};
config.environment.systemPackages = lib.singleton testClient;
config.users.groups.chroot-testgroup = {};
config.users.users.chroot-testuser = {
description = "Chroot Test User";
group = "chroot-testgroup";
};
};
testScript = { nodes, ... }: ''
$machine->waitForUnit('multi-user.target');
${nodes.machine.config.__testSteps}
'';
}

97
nixos/tests/wireguard/default.nix Normal file
View File

@ -0,0 +1,97 @@
let
wg-snakeoil-keys = import ./snakeoil-keys.nix;
in
import ../make-test.nix ({ pkgs, ...} : {
name = "wireguard";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ma27 ];
};
nodes = {
peer0 = { lib, ... }: {
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = lib.singleton {
address = "192.168.0.1";
prefixLength = 24;
};
ipv6.addresses = lib.singleton {
address = "fd00::1";
prefixLength = 64;
};
};
networking.firewall.allowedUDPPorts = [ 23542 ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.1/32" "fc00::1/128" ];
listenPort = 23542;
inherit (wg-snakeoil-keys.peer0) privateKey;
peers = lib.singleton {
allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
inherit (wg-snakeoil-keys.peer1) publicKey;
};
};
};
peer1 = { pkgs, lib, ... }: {
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = "1";
"net.ipv6.conf.default.forwarding" = "1";
"net.ipv4.ip_forward" = "1";
};
networking.useDHCP = false;
networking.interfaces.eth1 = {
ipv4.addresses = lib.singleton {
address = "192.168.0.2";
prefixLength = 24;
};
ipv6.addresses = lib.singleton {
address = "fd00::2";
prefixLength = 64;
};
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.23.42.2/32" "fc00::2/128" ];
listenPort = 23542;
allowedIPsAsRoutes = false;
inherit (wg-snakeoil-keys.peer1) privateKey;
peers = lib.singleton {
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "192.168.0.1:23542";
persistentKeepalive = 25;
inherit (wg-snakeoil-keys.peer0) publicKey;
};
postSetup = let inherit (pkgs) iproute; in ''
${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
${iproute}/bin/ip route replace fc00::1/128 dev wg0
'';
};
};
};
testScript = ''
startAll;
$peer0->waitForUnit("wireguard-wg0.service");
$peer1->waitForUnit("wireguard-wg0.service");
$peer1->succeed("ping -c5 fc00::1");
$peer1->succeed("ping -c5 10.23.42.1")
'';
})

11
nixos/tests/wireguard/snakeoil-keys.nix Normal file
View File

@ -0,0 +1,11 @@
{
peer0 = {
privateKey = "OPuVRS2T0/AtHDp3PXkNuLQYDiqJaBEEnYe42BSnJnQ=";
publicKey = "IujkG119YPr2cVQzJkSLYCdjpHIDjvr/qH1w1tdKswY=";
};
peer1 = {
privateKey = "uO8JVo/sanx2DOM0L9GUEtzKZ82RGkRnYgpaYc7iXmg=";
publicKey = "Ks9yRJIi/0vYgRmn14mIOQRwkcUGBujYINbMpik2SBI=";
};
}

28
pkgs/applications/altcoins/monero-gui/default.nix
View File

@ -2,8 +2,8 @@
, makeWrapper, makeDesktopItem
, qtbase, qmake, qtmultimedia, qttools
, qtgraphicaleffects, qtdeclarative
, qtlocation, qtquickcontrols2, qtwebchannel
, qtwebengine, qtx11extras, qtxmlpatterns
, qtlocation, qtquickcontrols, qtquickcontrols2
, qtwebchannel, qtwebengine, qtx11extras, qtxmlpatterns
, monero, unbound, readline, boost, libunwind
, libsodium, pcsclite, zeromq, cppzmq, pkgconfig
, hidapi
@ -11,22 +11,35 @@
with stdenv.lib;
let
qmlPath = qmlLib: "${qmlLib}/${qtbase.qtQmlPrefix}";
qml2ImportPath = concatMapStringsSep ":" qmlPath [
qtbase.bin qtmultimedia.bin qtgraphicaleffects
qtdeclarative.bin qtlocation.bin
qtquickcontrols qtquickcontrols2.bin
qtwebchannel.bin qtwebengine.bin qtxmlpatterns
];
in
stdenv.mkDerivation rec {
name = "monero-gui-${version}";
version = "0.13.0.4";
version = "0.14.0.0";
src = fetchFromGitHub {
owner = "monero-project";
repo = "monero-gui";
rev = "v${version}";
sha256 = "142yj5s15bhm300dislq3x5inw1f37shnrd5vyj78jjcvry3wymw";
sha256 = "1l4kx2vidr7bpds43jdbwyaz0q1dy7sricpz061ff1fkappbxdh8";
};
nativeBuildInputs = [ qmake pkgconfig ];
buildInputs = [
qtbase qtmultimedia qtgraphicaleffects
qtdeclarative qtlocation qtquickcontrols2
qtdeclarative qtlocation
qtquickcontrols qtquickcontrols2
qtwebchannel qtwebengine qtx11extras
qtxmlpatterns monero unbound readline
boost libunwind libsodium pcsclite zeromq
@ -81,6 +94,11 @@ stdenv.mkDerivation rec {
cp $src/images/appicons/$size.png \
$out/share/icons/hicolor/$size/apps/monero.png
done;
# wrap runtime dependencies
wrapProgram $out/bin/monero-wallet-gui \
--set QML2_IMPORT_PATH "${qml2ImportPath}" \
--set QT_PLUGIN_PATH "${qtbase.bin}/${qtbase.qtPluginPrefix}"
'';
meta = {

12
pkgs/applications/altcoins/monero-gui/move-log-file.patch
View File

@ -13,15 +13,17 @@ index 79223c0..e80b317 100644
parser.addHelpOption();
parser.process(app);
diff --git a/Logger.cpp b/Logger.cpp
index 660bafc..dae24d4 100644
index 6b1daba..c357762 100644
--- a/Logger.cpp
+++ b/Logger.cpp
@@ -15,7 +15,7 @@ static const QString default_name = "monero-wallet-gui.log";
#elif defined(Q_OS_MAC)
static const QString osPath = QStandardPaths::standardLocations(QStandardPaths::HomeLocation).at(0) + "/Library/Logs";
@@ -28,8 +28,8 @@ static const QString defaultLogName = "monero-wallet-gui.log";
static const QString appFolder = "Library/Logs";
#else // linux + bsd
//HomeLocation = "~"
- static const QString osPath = QStandardPaths::standardLocations(QStandardPaths::HomeLocation).at(0);
- static const QString appFolder = ".bitmonero";
+ static const QString osPath = QStandardPaths::standardLocations(QStandardPaths::CacheLocation).at(0);
+ static const QString appFolder = "bitmonero";
#endif

4
pkgs/applications/altcoins/monero/default.nix
View File

@ -11,12 +11,12 @@ with stdenv.lib;
stdenv.mkDerivation rec {
name = "monero-${version}";
version = "0.13.0.4";
version = "0.14.0.2";
src = fetchgit {
url = "https://github.com/monero-project/monero.git";
rev = "v${version}";
sha256 = "1ambgakapijhsi1pd70vw8vvnlwa3nid944lqkbfq3wl25lmc70d";
sha256 = "1471iy6c8dfdqcmcwcp0m7fp9xl74dcm5hqlfdfi217abhawfs8k";
};
nativeBuildInputs = [ cmake pkgconfig git ];

3
pkgs/applications/audio/clementine/default.nix
View File

@ -1,5 +1,5 @@
{ stdenv, fetchFromGitHub, fetchpatch, boost, cmake, chromaprint, gettext, gst_all_1, liblastfm
, qt4, taglib, fftw, glew, qjson, sqlite, libgpod, libplist, usbmuxd, libmtp
, taglib, fftw, glew, qjson, sqlite, libgpod, libplist, usbmuxd, libmtp
, libpulseaudio, gvfs, libcdio, libechonest, libspotify, pcre, projectm, protobuf
, qca2, pkgconfig, sparsehash, config, makeWrapper, gst_plugins }:
@ -49,7 +49,6 @@ let
protobuf
qca2
qjson
qt4
sqlite
taglib
]

24
pkgs/applications/audio/csound/csound-manual/default.nix
View File

@ -1,18 +1,19 @@
{
stdenv, fetchurl, docbook_xsl,
docbook_xml_dtd_45, python, pygments,
libxslt
{
stdenv, fetchFromGitHub, docbook_xsl,
docbook_xml_dtd_45, python, pygments,
libxslt
}:
stdenv.mkDerivation rec {
version = "6.12.0";
name = "csound-manual-${version}";
src = fetchurl {
url = "https://github.com/csound/manual/archive/${version}.tar.gz";
sha256 = "1v1scp468rnfbcajnp020kdj8zigimc2mbcwzxxqi8sf8paccdrp";
};
pname = "csound-manual";
version = "unstable-2019-02-22";
src = fetchFromGitHub {
owner = "csound";
repo = "manual";
rev = "3b0bdc83f9245261b4b85a57c3ed636d5d924a4f";
sha256 = "074byjhaxraapyg54dxgg7hi1d4978aa9c1rmyi50p970nsxnacn";
};
prePatch = ''
substituteInPlace manual.xml \
@ -41,4 +42,3 @@ stdenv.mkDerivation rec {
platforms = stdenv.lib.platforms.all;
};
}

4
pkgs/applications/audio/lollypop/default.nix
View File

@ -5,7 +5,7 @@
python3.pkgs.buildPythonApplication rec {
pname = "lollypop";
version = "1.0";
version = "1.0.3";
format = "other";
doCheck = false;
@ -14,7 +14,7 @@ python3.pkgs.buildPythonApplication rec {
url = "https://gitlab.gnome.org/World/lollypop";
rev = "refs/tags/${version}";
fetchSubmodules = true;
sha256 = "00hjxpgmhzhyjjdpm92cbbxwnc17xdhhk8svk5ih3n18yk5655fs";
sha256 = "1gjxcwl467h7011j9v4zy1j0fjlz480ibvk4akr6xwjg894jykbx";
};
nativeBuildInputs = [

13
pkgs/applications/audio/muse/default.nix
View File

@ -18,7 +18,7 @@
stdenv.mkDerivation rec {
name = "muse-sequencer-${version}";
version = "3.0.2";
version = "3.1pre1";
meta = with stdenv.lib; {
homepage = http://www.muse-sequencer.org;
@ -38,11 +38,16 @@ stdenv.mkDerivation rec {
fetchFromGitHub {
owner = "muse-sequencer";
repo = "muse";
rev = "02d9dc6abd757c3c1783fdd46dacd3c4ef2c0a6d";
sha256 = "0pn0mcg79z3bhjwxbss3ylypdz3gg70q5d1ij3x8yw65ryxbqf51";
rev = "2167ae053c16a633d8377acdb1debaac10932838";
sha256 = "0rsdx8lvcbz5bapnjvypw8h8bq587s9z8cf2znqrk6ah38s6fsrf";
};
nativeBuildInputs = [
pkgconfig
gitAndTools.gitFull
];
buildInputs = [
libjack2
qt5.qtsvg
@ -57,8 +62,6 @@ stdenv.mkDerivation rec {
lash
dssi
liblo
pkgconfig
gitAndTools.gitFull
];
sourceRoot = "source/muse3";

4
pkgs/applications/audio/musescore/default.nix
View File

@ -6,11 +6,11 @@
stdenv.mkDerivation rec {
name = "musescore-${version}";
version = "3.0.1";
version = "3.0.5";
src = fetchzip {
url = "https://download.musescore.com/releases/MuseScore-${version}/MuseScore-${version}.zip";
sha256 = "1l9djxq5hdfqiya2jwcag7qq4dhmb9qcv68y27dlza19imrnim80";
sha256 = "1pbf6v0l3nixxr8k5igwhj09wnqvw92av6q6yjrbb3kyjh5br2d8";
stripRoot = false;
};

4
pkgs/applications/audio/padthv1/default.nix
View File

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
name = "padthv1-${version}";
version = "0.9.4";
version = "0.9.5";
src = fetchurl {
url = "mirror://sourceforge/padthv1/${name}.tar.gz";
sha256 = "0k4vlg3clsn2i4k12imvcjiwlp9nx1mikwyrnarg9shxzzdzcf4y";
sha256 = "0cd1jfb3ynfrsbz8jwfsbvs5liyddxg4zghrvz931qkkqi117hbh";
};
buildInputs = [ libjack2 alsaLib libsndfile liblo lv2 qt5.qtbase qt5.qttools fftw ];

4
pkgs/applications/audio/paprefs/default.nix
View File

@ -1,11 +1,11 @@
{ fetchurl, stdenv, meson, ninja, gettext, pkgconfig, pulseaudioFull, gtkmm3, dbus-glib, wrapGAppsHook }:
stdenv.mkDerivation rec {
name = "paprefs-1.0";
name = "paprefs-1.1";
src = fetchurl {
url = "https://freedesktop.org/software/pulseaudio/paprefs/${name}.tar.xz";
sha256 = "0y77i9gaaassvvjrpwb4xbgqcmr51zmj5rh4z8zm687i5izf84md";
sha256 = "189z5p20hk0xv9vwvym293503j4pwl03xqk9hl7cl6dwgv0l7wkf";
};
nativeBuildInputs = [ meson ninja gettext pkgconfig wrapGAppsHook ];

4
pkgs/applications/audio/parlatype/default.nix
View File

@ -1,4 +1,4 @@
{ stdenv, fetchFromGitHub, pkgconfig, meson, gnome3, at-spi2-core, dbus, gst_all_1, sphinxbase, pocketsphinx, ninja, gettext, appstream-glib, python3, glib, gobject-introspection, gsettings-desktop-schemas, itstool, wrapGAppsHook, makeWrapper, hicolor-icon-theme }:
{ stdenv, fetchFromGitHub, pkgconfig, meson, gtk3, at-spi2-core, dbus, gst_all_1, sphinxbase, pocketsphinx, ninja, gettext, appstream-glib, python3, glib, gobject-introspection, gsettings-desktop-schemas, itstool, wrapGAppsHook, makeWrapper, hicolor-icon-theme }:
stdenv.mkDerivation rec {
pname = "parlatype";
@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
];
buildInputs = [
gnome3.gtk
gtk3
at-spi2-core
dbus
gst_all_1.gstreamer

50
pkgs/applications/audio/paulstretch/default.nix Normal file
View File

@ -0,0 +1,50 @@
{ stdenv, fetchFromGitHub, audiofile, libvorbis, fltk, fftw, fftwFloat,
minixml, pkgconfig, libmad, libjack2, portaudio, libsamplerate }:
stdenv.mkDerivation {
pname = "paulstretch";
version = "2.2-2";
src = fetchFromGitHub {
owner = "paulnasca";
repo = "paulstretch_cpp";
rev = "7f5c3993abe420661ea0b808304b0e2b4b0048c5";
sha256 = "06dy03dbz1yznhsn0xvsnkpc5drzwrgxbxdx0hfpsjn2xcg0jrnc";
};
nativeBuildInputs = [ pkgconfig ];
buildInputs = [
audiofile
libvorbis
fltk
fftw
fftwFloat
minixml
libmad
libjack2
portaudio
libsamplerate
];
buildPhase = ''
bash compile_linux_fftw_jack.sh
'';
installPhase = ''
install -Dm555 ./paulstretch $out/bin/paulstretch
'';
meta = with stdenv.lib; {
description = "Produces high quality extreme sound stretching";
longDescription = ''
This is a program for stretching the audio. It is suitable only for
extreme sound stretching of the audio (like 50x) and for applying
special effects by "spectral smoothing" the sounds.
It can transform any sound/music to a texture.
'';
homepage = http://hypermammut.sourceforge.net/paulstretch/;
platforms = platforms.linux;
license = licenses.gpl2;
};
}

4
pkgs/applications/audio/qmmp/default.nix
View File

@ -29,11 +29,11 @@
# handle that.
stdenv.mkDerivation rec {
name = "qmmp-1.2.5";
name = "qmmp-1.3.1";
src = fetchurl {
url = "http://qmmp.ylsoftware.com/files/${name}.tar.bz2";
sha256 = "1xs8kg65088yzdhdkymmknkp1s4adzv095f5jhjvy62s8ymyjvnx";
sha256 = "1dmybzibpr6hpr2iv1wvrjgww842mng2x0rh1mr8gs8j191xvlhw";
};
buildInputs =

4
pkgs/applications/audio/reaper/default.nix
View File

@ -1,6 +1,6 @@
{ stdenv, fetchurl, autoPatchelfHook, makeWrapper
, alsaLib, xorg
, gnome3, pango, gdk_pixbuf, cairo, glib, freetype
, gnome3, gtk3, pango, gdk_pixbuf, cairo, glib, freetype
, libpulseaudio, xdg_utils
}:
@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
];
runtimeDependencies = [
gnome3.gtk
gtk3
];
dontBuild = true;

3
pkgs/applications/audio/rhythmbox/default.nix
View File

@ -4,6 +4,7 @@
, perlPackages
, gtk3
, intltool
, libpeas
, libsoup
, gnome3
, totem-pl-parser
@ -48,7 +49,7 @@ in stdenv.mkDerivation rec {
json-glib
gtk3
gnome3.libpeas
libpeas
totem-pl-parser
gnome3.adwaita-icon-theme

4
pkgs/applications/audio/samplv1/default.nix
View File

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
name = "samplv1-${version}";
version = "0.9.4";
version = "0.9.5";
src = fetchurl {
url = "mirror://sourceforge/samplv1/${name}.tar.gz";
sha256 = "17a61lliplhs14b3x83qz3kv7ww4dn3a02jfdlcx2z903hwn5sld";
sha256 = "0402rdr46za21w34m7ajzbwiiqcd1h0da3b0ldsr2z5g2mrkzxv8";
};
buildInputs = [ libjack2 alsaLib liblo libsndfile lv2 qt5.qtbase qt5.qttools];

4
pkgs/applications/audio/synthv1/default.nix
View File

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
name = "synthv1-${version}";
version = "0.9.4";
version = "0.9.5";
src = fetchurl {
url = "mirror://sourceforge/synthv1/${name}.tar.gz";
sha256 = "18xjj14g8gnnbwyrf39bdxc5aswb620w9i323skdf6rnaq229jyv";
sha256 = "1b9w4cml3cmcg09kh852cahas6l9ks8wl3gzp1az8rzxz4229yg1";
};
buildInputs = [ qt5.qtbase qt5.qttools libjack2 alsaLib liblo lv2 ];

4
pkgs/applications/audio/yoshimi/default.nix
View File

@ -6,11 +6,11 @@ assert stdenv ? glibc;
stdenv.mkDerivation rec {
name = "yoshimi-${version}";
version = "1.5.10.1";
version = "1.5.10.2";
src = fetchurl {
url = "mirror://sourceforge/yoshimi/${name}.tar.bz2";
sha256 = "02mmy17sa3dlwmjjahn8rfd6h67c5s0q3fvkf6ljrc2mbbpwc375";
sha256 = "1rr99qkq80s8l2iv3x4ccxan07m15dvmd5s9b10386bfjbwbya01";
};
buildInputs = [

4
pkgs/applications/backup/deja-dup/default.nix
View File

@ -1,6 +1,6 @@
{ stdenv, fetchFromGitLab, substituteAll, meson, ninja, pkgconfig, vala_0_40, gettext
, gnome3, libnotify, itstool, glib, gtk3, libxml2
, coreutils, libsecret, pcre, libxkbcommon, wrapGAppsHook
, coreutils, libpeas, libsecret, pcre, libxkbcommon, wrapGAppsHook
, libpthreadstubs, libXdmcp, epoxy, at-spi2-core, dbus, libgpgerror
, appstream-glib, desktop-file-utils, duplicity
}:
@ -35,7 +35,7 @@ stdenv.mkDerivation rec {
];
buildInputs = [
libnotify gnome3.libpeas glib gtk3 libsecret
libnotify libpeas glib gtk3 libsecret
pcre libxkbcommon libpthreadstubs libXdmcp epoxy gnome3.nautilus
at-spi2-core dbus gnome3.gnome-online-accounts libgpgerror
];

3
pkgs/applications/editors/android-studio/common.nix
View File

@ -39,11 +39,12 @@
let
drvName = "android-studio-${channel}-${version}";
archiveFormat = if builtins.elem channel [ "dev" "canary" ] then "tar.gz" else "zip";
androidStudio = stdenv.mkDerivation {
name = drvName;
src = fetchurl {
url = "https://dl.google.com/dl/android/studio/ide-zips/${version}/android-studio-ide-${build}-linux.zip";
url = "https://dl.google.com/dl/android/studio/ide-zips/${version}/android-studio-ide-${build}-linux.${archiveFormat}";
sha256 = sha256Hash;
};

12
pkgs/applications/editors/android-studio/default.nix
View File

@ -13,14 +13,14 @@ let
sha256Hash = "0smh3d3v8n0isxg7fkls20622gp52f58i2b6wa4a0g8wnvmd6mw2";
};
betaVersion = {
version = "3.4.0.16"; # "Android Studio 3.4 RC 2"
build = "183.5370308";
sha256Hash = "0d7d6n7n1zzhxpdykbwwbrw139mqxkp20d4l0570pk7975p1s2q9";
version = "3.4.0.17"; # "Android Studio 3.4 RC 3"
build = "183.5400832";
sha256Hash = "1v4apc73jdhavhzj8j46mzh15rw08w1hd9y9ykarj3b5q7i2vyq1";
};
latestVersion = { # canary & dev
version = "3.5.0.6"; # "Android Studio 3.5 Canary 7"
build = "183.5346365";
sha256Hash = "0dfkhzsxabrv8cwgyv3gicpglgpccmi1ig5shlhp6a006awgfyj0";
version = "3.5.0.8"; # "Android Studio 3.5 Canary 9"
build = "191.5409101";
sha256Hash = "06fc5l40nxm0hyn8c34wsckxxyh1i2q5a53zd4nbhwxi8wsrda7i";
};
in rec {
# Old alias (TODO @primeos: Remove after 19.03 is branched off):

13
pkgs/applications/editors/emacs/default.nix
View File

@ -1,5 +1,5 @@
{ stdenv, lib, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d, libXcursor
, pkgconfig, gettext, libXft, dbus, libpng, libjpeg, libungif
{ stdenv, lib, fetchpatch, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm
, Xaw3d, libXcursor, pkgconfig, gettext, libXft, dbus, libpng, libjpeg, libungif
, libtiff, librsvg, gconf, libxml2, imagemagick, gnutls, libselinux
, alsaLib, cairo, acl, gpm, cf-private, AppKit, GSS, ImageIO, m17n_lib, libotf
, systemd ? null
@ -44,6 +44,13 @@ stdenv.mkDerivation rec {
patches = [
./clean-env.patch
./tramp-detect-wrapped-gvfsd.patch
# should drop this at next package update
(fetchpatch {
name = "support-hunspell-1.7.0-in-ispell.el.patch";
url = "https://git.savannah.gnu.org/cgit/emacs.git/patch/?id=2925ce5a7ec1424cfaea9f2f86bd3cab27832584";
sha256 = "0w7cgw6zgr7phbivb98innps1rlqf5q2lhwkrwdmai8sbca5bd11";
})
];
postPatch = lib.optionalString srcRepo ''
@ -123,7 +130,7 @@ stdenv.mkDerivation rec {
let libPath = lib.makeLibraryPath [
libXcursor
];
in lib.optionalString (withX && toolkit == "lucid") ''
in lib.optionalString (stdenv.isLinux && withX && toolkit == "lucid") ''
patchelf --set-rpath \
"$(patchelf --print-rpath "$out/bin/emacs"):${libPath}" \
"$out/bin/emacs"

3
pkgs/applications/editors/gnome-builder/default.nix
View File

@ -17,6 +17,7 @@
, json-glib
, jsonrpc-glib
, libdazzle
, libpeas
, libxml2
, meson
, ninja
@ -64,7 +65,7 @@ in stdenv.mkDerivation {
flatpak
gnome3.devhelp
libgit2-glib
gnome3.libpeas
libpeas
vte
gspell
gtk3

46
pkgs/applications/editors/jetbrains/default.nix
View File

@ -250,12 +250,12 @@ in
clion = buildClion rec {
name = "clion-${version}";
version = "2018.3.4"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "C/C++ IDE. New. Intelligent. Cross-platform";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/cpp/CLion-${version}.tar.gz";
sha256 = "1zglpw9vc3ybdmwymi0c2m6anhcmx9jcqi69gnn06n9f4x1v6gwn"; /* updated by script */
sha256 = "1rlqnnv6b7lg18si31zd97ixnslwp8j6imkkjq0j5n9sydsr8xzj"; /* updated by script */
};
wmClass = "jetbrains-clion";
update-channel = "CLion RELEASE"; # channel's id as in http://www.jetbrains.com/updates/updates.xml
@ -263,12 +263,12 @@ in
datagrip = buildDataGrip rec {
name = "datagrip-${version}";
version = "2018.3.2"; /* updated by script */
version = "2018.3.4"; /* updated by script */
description = "Your Swiss Army Knife for Databases and SQL";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/datagrip/${name}.tar.gz";
sha256 = "0vj1cgmg33626i38x9wmh5hqr1lf0x3m23gzq30rp4q4cbi38806"; /* updated by script */
sha256 = "10sw41kkf2k60xjpwgc73i182y7px3dmqz2awnrl4gffdb9jgzmy"; /* updated by script */
};
wmClass = "jetbrains-datagrip";
update-channel = "DataGrip RELEASE";
@ -276,12 +276,12 @@ in
goland = buildGoland rec {
name = "goland-${version}";
version = "2018.3.3"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "Up and Coming Go IDE";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/go/${name}.tar.gz";
sha256 = "065z8084xkv6w8m7pq98rgls1avzrqm23mrxdq5172rs5p1c5r9f"; /* updated by script */
sha256 = "0aq3x5aixh86h1zvvwrbr2f1nnqdpfvlsadd2ckmf5s5kghvg5r9"; /* updated by script */
};
wmClass = "jetbrains-goland";
update-channel = "GoLand RELEASE";
@ -289,12 +289,12 @@ in
idea-community = buildIdea rec {
name = "idea-community-${version}";
version = "2018.3.4"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "Integrated Development Environment (IDE) by Jetbrains, community edition";
license = stdenv.lib.licenses.asl20;
src = fetchurl {
url = "https://download.jetbrains.com/idea/ideaIC-${version}.tar.gz";
sha256 = "0j5yc7n04jlyyghmwllpfvcd2g6k1syjp07xb1ljyx7rm4jcf8q6"; /* updated by script */
sha256 = "0zyw88dd2v4igp080l99cyq6h0bmyri8a50fjp69ripiz9qaawx1"; /* updated by script */
};
wmClass = "jetbrains-idea-ce";
update-channel = "IntelliJ IDEA RELEASE";
@ -302,12 +302,12 @@ in
idea-ultimate = buildIdea rec {
name = "idea-ultimate-${version}";
version = "2018.3.4"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "Integrated Development Environment (IDE) by Jetbrains, requires paid license";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/idea/ideaIU-${version}-no-jdk.tar.gz";
sha256 = "0s3r3h1zcwkfqhsfb224fgy62fdhnd4gjgk2h6pyhq1frnh3x5bg"; /* updated by script */
url = "https://download.jetbrains.com/idea/ideaIU-${version}-no-jbr.tar.gz";
sha256 = "0fsdf090cwwrsq3azknc9rpwwsl71cvsx4flivnqwfakb6rh4f1j"; /* updated by script */
};
wmClass = "jetbrains-idea";
update-channel = "IntelliJ IDEA RELEASE";
@ -315,12 +315,12 @@ in
phpstorm = buildPhpStorm rec {
name = "phpstorm-${version}";
version = "2018.3.3"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "Professional IDE for Web and PHP developers";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/webide/PhpStorm-${version}.tar.gz";
sha256 = "0znhw83h46a3haspwcin5xjf3ask8ijxla778p9vdbi9xs0zqx39"; /* updated by script */
sha256 = "1bv2a16wsc9j82w14qfrfjgszwkihk0jwp8bp8z9618q04c8vmgf"; /* updated by script */
};
wmClass = "jetbrains-phpstorm";
update-channel = "PhpStorm RELEASE";
@ -328,12 +328,12 @@ in
pycharm-community = buildPycharm rec {
name = "pycharm-community-${version}";
version = "2018.3.4"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "PyCharm Community Edition";
license = stdenv.lib.licenses.asl20;
src = fetchurl {
url = "https://download.jetbrains.com/python/${name}.tar.gz";
sha256 = "11kzzwkp206l466ii6vm6iqmhpx0s594vh37x2lwwsgmg6qzz6vq"; /* updated by script */
sha256 = "173qm2g6pjga2jlw8sa59bxw543b56r56ikqwv2wp0jq5z61v26f"; /* updated by script */
};
wmClass = "jetbrains-pycharm-ce";
update-channel = "PyCharm RELEASE";
@ -341,12 +341,12 @@ in
pycharm-professional = buildPycharm rec {
name = "pycharm-professional-${version}";
version = "2018.3.4"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "PyCharm Professional Edition";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/python/${name}.tar.gz";
sha256 = "1m8lzghs6g57fwcv6bpmnf21d4w2k10gsmi0i2wv2j8ff4hcy7ij"; /* updated by script */
sha256 = "0gjphdzdxgvflkzaakf3c1wnig86lxhxyx6xk6rg40yj6f2hzi47"; /* updated by script */
};
wmClass = "jetbrains-pycharm";
update-channel = "PyCharm RELEASE";
@ -354,12 +354,12 @@ in
rider = buildRider rec {
name = "rider-${version}";
version = "2018.3.2"; /* updated by script */
version = "2018.3.4"; /* updated by script */
description = "A cross-platform .NET IDE based on the IntelliJ platform and ReSharper";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/rider/JetBrains.Rider-${version}.tar.gz";
sha256 = "1ffzbp2xca2z8g0wlkvmqr0j2f2dnqafpnvzk9zd5asfhhbyrhg5"; /* updated by script */
sha256 = "1klmg8wgj3shp4s0n2nn7n39zsk1mch6g9ifhwn5cgywpbzgam4p"; /* updated by script */
};
wmClass = "jetbrains-rider";
update-channel = "Rider RELEASE";
@ -367,12 +367,12 @@ in
ruby-mine = buildRubyMine rec {
name = "ruby-mine-${version}";
version = "2018.3.3"; /* updated by script */
version = "2018.3.5"; /* updated by script */
description = "The Most Intelligent Ruby and Rails IDE";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/ruby/RubyMine-${version}.tar.gz";
sha256 = "1zjcdsr91y07dhqmhqy2yq6c0rhsxg2m52fz14hhmphddlwvhzny"; /* updated by script */
sha256 = "1gykag8fsfqxv0d6fipn18hhpdvn4qxva2kkb0v330vp73wm2i2w"; /* updated by script */
};
wmClass = "jetbrains-rubymine";
update-channel = "RubyMine RELEASE";
@ -380,12 +380,12 @@ in
webstorm = buildWebStorm rec {
name = "webstorm-${version}";
version = "2018.3.4"; /* updated by script */
version = "2019.1"; /* updated by script */
description = "Professional IDE for Web and JavaScript development";
license = stdenv.lib.licenses.unfree;
src = fetchurl {
url = "https://download.jetbrains.com/webstorm/WebStorm-${version}.tar.gz";
sha256 = "11l39yy8qdrr89y9x3i9acp0am4xb86z6v7wg1kc9fd5p13jr2xs"; /* updated by script */
sha256 = "0r6a9g8ydnxf805gn2wajnwkcyfn0xksbsrs8wq6j4ghipkhscxj"; /* updated by script */
};
wmClass = "jetbrains-webstorm";
update-channel = "WebStorm RELEASE";

10
pkgs/applications/editors/jucipp/default.nix
View File

@ -1,6 +1,6 @@
{ stdenv, fetchgit, gnome3, at-spi2-core,
{ stdenv, fetchgit, gnome3, gtksourceview3, at-spi2-core, gtksourceviewmm,
boost, epoxy, cmake, aspell, llvmPackages, libgit2, pkgconfig, pcre,
libXdmcp, libxkbcommon, libpthreadstubs, wrapGAppsHook, aspellDicts,
libXdmcp, libxkbcommon, libpthreadstubs, wrapGAppsHook, aspellDicts, gtkmm3,
coreutils, glibc, dbus, openssl, libxml2, gnumake, ctags }:
with stdenv.lib;
@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
dbus
openssl
libxml2
gnome3.gtksourceview
gtksourceview3
at-spi2-core
pcre
epoxy
@ -39,9 +39,9 @@ stdenv.mkDerivation rec {
aspell
libgit2
libxkbcommon
gnome3.gtkmm3
gtkmm3
libpthreadstubs
gnome3.gtksourceviewmm
gtksourceviewmm
llvmPackages.clang.cc
llvmPackages.lldb
gnome3.dconf

4
pkgs/applications/editors/kdevelop5/kdev-php.nix
View File

@ -2,14 +2,14 @@
let
pname = "kdev-php";
version = "5.3.1";
version = "5.3.2";
in
stdenv.mkDerivation rec {
name = "${pname}-${version}";
src = fetchurl {
url = "https://github.com/KDE/${pname}/archive/v${version}.tar.gz";
sha256 = "1xiz4v6w30dsa7l4nk3jw3hxpkx71b0yaaj2k8s7xzgjif824bgl";
sha256 = "0yjn7y7al2xs8g0mrjvcym8gbjy4wmiv7lsljcrasjd7ymag1wgs";
};
cmakeFlags = [

4
pkgs/applications/editors/kdevelop5/kdev-python.nix
View File

@ -2,14 +2,14 @@
let
pname = "kdev-python";
version = "5.3.1";
version = "5.3.2";
in
stdenv.mkDerivation rec {
name = "${pname}-${version}";
src = fetchurl {
url = "https://github.com/KDE/${pname}/archive/v${version}.tar.gz";
sha256 = "11hf8n6vrlaz31c0p3xbnf0df2q5j6ykgc9ip0l5g33kadwn5b9j";
sha256 = "0gqv1abzfpxkrf538rb62d2291lmlra8rghm9q9r3x8a46wh96zm";
};
cmakeFlags = [

4
pkgs/applications/editors/kdevelop5/kdevelop.nix
View File

@ -9,7 +9,7 @@
let
pname = "kdevelop";
version = "5.3.1";
version = "5.3.2";
qtVersion = "5.${lib.versions.minor qtbase.version}";
in
mkDerivation rec {
@ -17,7 +17,7 @@ mkDerivation rec {
src = fetchurl {
url = "mirror://kde/stable/${pname}/${version}/src/${name}.tar.xz";
sha256 = "1098ra7qpal6578hsv20kvxc63v47sp85wjhqr5rgzr2fm7jf6fr";
sha256 = "0akgdnvrab6mbwnmvgzsplk0qh83k1hnm5xc06yxr1s1a5sxbk08";
};
nativeBuildInputs = [

4
pkgs/applications/editors/neovim/neovim-remote.nix
View File

@ -4,14 +4,14 @@ with stdenv.lib;
pythonPackages.buildPythonApplication rec {
pname = "neovim-remote";
version = "2.1.4";
version = "2.1.5";
disabled = !pythonPackages.isPy3k;
src = fetchFromGitHub {
owner = "mhinz";
repo = "neovim-remote";
rev = "v${version}";
sha256 = "1s438cbyyzgg96b6639wk1ny6d6p2ywcba41l3r027wzyl7wrn8v";
sha256 = "1h05b68ka1ka217f6svq8yxvnscwf9sl5cx46c0b6ygcbz1vr3ba";
};
propagatedBuildInputs = with pythonPackages; [ pynvim psutil ];

63
pkgs/applications/editors/retext/default.nix Normal file
View File

@ -0,0 +1,63 @@
{ lib, stdenv, python3, fetchFromGitHub, makeWrapper, buildEnv, aspellDicts
# Use `lib.collect lib.isDerivation aspellDicts;` to make all dictionaries
# available.
, enchantAspellDicts ? with aspellDicts; [ en en-computers en-science ]
}:
let
version = "7.0.4";
python = let
packageOverrides = self: super: {
markdown = super.markdown.overridePythonAttrs(old: rec {
src = super.fetchPypi {
version = "3.0.1";
pname = "Markdown";
sha256 = "d02e0f9b04c500cde6637c11ad7c72671f359b87b9fe924b2383649d8841db7c";
};
});
chardet = super.chardet.overridePythonAttrs(old: rec {
src = super.fetchPypi {
version = "2.3.0";
pname = "chardet";
sha256 = "e53e38b3a4afe6d1132de62b7400a4ac363452dc5dfcf8d88e8e0cce663c68aa";
};
});
};
in python3.override { inherit packageOverrides; };
pythonEnv = python.withPackages (ps: with ps; [
pyqt5 docutils pyenchant Markups markdown pygments chardet
]);
in python.pkgs.buildPythonApplication {
inherit version;
pname = "retext";
src = fetchFromGitHub {
owner = "retext-project";
repo = "retext";
rev = "${version}";
sha256 = "1zcapywspc9v5zf5cxqkcy019np9n41gmryqixj66zsvd544c6si";
};
doCheck = false;
nativeBuildInputs = [ makeWrapper ];
propagatedBuildInputs = [ pythonEnv ];
postInstall = ''
mv $out/bin/retext $out/bin/.retext
makeWrapper "$out/bin/.retext" "$out/bin/retext" \
--set ASPELL_CONF "dict-dir ${buildEnv {
name = "aspell-all-dicts";
paths = map (path: "${path}/lib/aspell") enchantAspellDicts;
}}"
'';
meta = with stdenv.lib; {
homepage = https://github.com/retext-project/retext/;
description = "Simple but powerful editor for Markdown and reStructuredText";
license = licenses.gpl3;
maintainers = with maintainers; [ klntsky ];
platforms = platforms.unix;
};
}

Some files were not shown because too many files have changed in this diff Show More