Merge master into haskell-updates

github-actions[bot] 2023-11-18 00:12:19 +00:00 committed by GitHub
commit 36c8f24928
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
260 changed files with 1912 additions and 4184 deletions


@ -6003,13 +6003,6 @@
githubId = 92793;
name = "Friedrich von Never";
};
fortuneteller2k = {
email = "lythe1107@gmail.com";
matrix = "@fortuneteller2k:matrix.org";
github = "fortuneteller2k";
githubId = 20619776;
name = "fortuneteller2k";
};
fpletz = {
email = "fpletz@fnordicwalking.de";
github = "fpletz";
@ -12095,6 +12088,13 @@
github = "ribosomerocker";
githubId = 46468162;
};
moni = {
email = "lythe1107@gmail.com";
matrix = "@fortuneteller2k:matrix.org";
github = "moni";
githubId = 20619776;
name = "moni";
};
monsieurp = {
email = "monsieurp@gentoo.org";
github = "monsieurp";
@ -12758,6 +12758,12 @@
githubId = 13920346;
name = "Sébastien Iooss";
};
netthier = {
email = "netthier@proton.me";
name = "nett_hier";
github = "netthier";
githubId = 66856670;
};
networkexception = {
name = "networkException";
email = "nix@nwex.de";


@ -917,7 +917,6 @@ with lib.maintainers; {
tts = {
members = [
hexa
mic92
];
scope = "coqui-ai TTS (formerly Mozilla TTS) and leaf packages";


@ -104,6 +104,8 @@
- [eris-server](https://codeberg.org/eris/eris-go). [ERIS](https://eris.codeberg.page/) is an encoding for immutable storage and this server provides block exchange as well as content decoding over HTTP and through a FUSE file-system. Available as [services.eris-server](#opt-services.eris-server.enable).
- [forgejo](https://forgejo.org/), a git forge. Previously deployed as a drop-in replacement package in the [gitea module](#opt-services.gitea.package). Available as [services.forgejo](#opt-services.forgejo.enable). See migration instructions in the [NixOS manual](#module-forgejo) on how to migrate your forgejo instance using [`services.gitea.package = pkgs.forgejo`](#opt-services.gitea.package) to [`services.forgejo`](#opt-services.forgejo.enable).
- hardware/infiniband.nix adds infiniband subnet manager support using an [opensm](https://github.com/linux-rdma/opensm) systemd-template service, instantiated on card guids. The module also adds kernel modules and cli tooling to help administrators debug and measure performance. Available as [hardware.infiniband.enable](#opt-hardware.infiniband.enable).
- [zwave-js](https://github.com/zwave-js/zwave-js-server), a small server wrapper around Z-Wave JS to access it via a WebSocket. Available as [services.zwave-js](#opt-services.zwave-js.enable).
@ -143,6 +145,9 @@
## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
- `services.postgresql.ensurePermissions` has been deprecated in favor of `services.postgresql.ensureUsers.*.ensureDBOwnership` which simplifies the setup of database owned by a certain system user
in local database contexts (which make use of peer authentication via UNIX sockets), migration guidelines were provided in the NixOS manual, please refer to them if you are affected by a PostgreSQL 15 changing the way `GRANT ALL PRIVILEGES` is working. `services.postgresql.ensurePermissions` will be removed in 24.05. All NixOS modules were migrated using one of the strategy, e.g. `ensureDBOwnership` or `postStart`. More about this situation can be learnt in https://github.com/NixOS/nixpkgs/pull/266270.
- `network-online.target` has been fixed to no longer time out for systems with `networking.useDHCP = true` and `networking.useNetworkd = true`.
Workarounds for this can be removed.
@ -545,6 +550,10 @@ The module update takes care of the new config syntax and the data itself (user
## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals}
- Node.js v14, v16 has been removed as they were end of life. Any dependent packages that contributors were not able to reasonably upgrade were dropped after a month of notice to their maintainers, were **removed**.
- This includes VSCode Server.
- This includes Kibana 7 as the ELK stack is unmaintained in nixpkgs and is marked for slow removal.
- The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and similar lines in package derivations using the default `unpackPhase` is deprecated as it requires `unpackPhase` to always produce a directory named "source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`, or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead.
- The `django` alias in the python package set was upgraded to Django 4.x.


@ -30,5 +30,5 @@ in
++ optionals (activatedHosts == [ ]) [ "${pkgs.stevenblack-blocklist}/hosts" ];
};
meta.maintainers = [ maintainers.fortuneteller2k maintainers.artturin ];
meta.maintainers = [ maintainers.moni maintainers.artturin ];
}


@ -1147,7 +1147,6 @@
./services/search/elasticsearch-curator.nix
./services/search/elasticsearch.nix
./services/search/hound.nix
./services/search/kibana.nix
./services/search/meilisearch.nix
./services/search/opensearch.nix
./services/search/qdrant.nix
@ -1241,7 +1240,6 @@
./services/web-apps/changedetection-io.nix
./services/web-apps/chatgpt-retrieval-plugin.nix
./services/web-apps/cloudlog.nix
./services/web-apps/code-server.nix
./services/web-apps/convos.nix
./services/web-apps/dex.nix
./services/web-apps/discourse.nix


@ -54,7 +54,7 @@ in {
serviceConfig = {
User = "slimserver";
# Issue 40589: Disable broken image/video support (audio still works!)
ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo";
ExecStart = "${lib.getExe cfg.package} --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo";
};
};
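Review bot: `lib.getExe cfg.package` resolves the executable from the package's `meta.mainProgram`, so `ExecStart` now depends on whatever package is assigned to the `package` option carrying that attribute and on it naming the `slimserver.pl` entry point. The package definition is not visible in this hunk, so that should be confirmed, and the option description could state the requirement, e.g. `The package must set meta.mainProgram to the server entry point.` The enclosing service definition starts and ends outside the hunk.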


@ -39,6 +39,125 @@ By default, PostgreSQL stores its databases in {file}`/var/lib/postgresql/$psqlS
services.postgresql.dataDir = "/data/postgresql";
```
## Initializing {#module-services-postgres-initializing}
As of NixOS 23.11,
`services.postgresql.ensureUsers.*.ensurePermissions` has been
deprecated, after a change to default permissions in PostgreSQL 15
invalidated most of its previous use cases:
- In psql < 15, `ALL PRIVILEGES` used to include `CREATE TABLE`, where
in psql >= 15 that would be a separate permission
- psql >= 15 instead gives only the database owner create permissions
- Even on psql < 15 (or databases migrated to >= 15), it is
recommended to manually assign permissions along these lines
- https://www.postgresql.org/docs/release/15.0/
- https://www.postgresql.org/docs/15/ddl-schemas.html#DDL-SCHEMAS-PRIV
### Assigning ownership {#module-services-postgres-initializing-ownership}
Usually, the database owner should be a database user of the same
name. This can be done with
`services.postgresql.ensureUsers.*.ensureDBOwnership = true;`.
If the database user name equals the connecting system user name,
postgres by default will accept a passwordless connection via unix
domain socket. This makes it possible to run many postgres-backed
services without creating any database secrets at all
### Assigning extra permissions {#module-services-postgres-initializing-extra-permissions}
For many cases, it will be enough to have the database user be the
owner. Until `services.postgresql.ensureUsers.*.ensurePermissions` has
been re-thought, if more users need access to the database, please use
one of the following approaches:
**WARNING:** `services.postgresql.initialScript` is not recommended
for `ensurePermissions` replacement, as that is *only run on first
start of PostgreSQL*.
**NOTE:** all of these methods may be obsoleted, when `ensure*` is
reworked, but it is expected that they will stay viable for running
database migrations.
**NOTE:** please make sure that any added migrations are idempotent (re-runnable).
#### as superuser {#module-services-postgres-initializing-extra-permissions-superuser}
**Advantage:** compatible with postgres < 15, because it's run
as the database superuser `postgres`.
##### in database `postStart` {#module-services-postgres-initializing-extra-permissions-superuser-post-start}
**Disadvantage:** need to take care of ordering yourself. In this
example, `mkAfter` ensures that permissions are assigned after any
databases from `ensureDatabases` and `extraUser1` from `ensureUsers`
are already created.
```nix
systemd.services.postgresql.postStart = lib.mkAfter ''
$PSQL service1 -c 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "extraUser1"'
$PSQL service1 -c 'GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "extraUser1"'
# ....
'';
```
##### in intermediate oneshot service {#module-services-postgres-initializing-extra-permissions-superuser-oneshot}
```nix
systemd.services."migrate-service1-db1" = {
serviceConfig.Type = "oneshot";
requiredBy = "service1.service";
before = "service1.service";
after = "postgresql.service";
serviceConfig.User = "postgres";
environment.PSQL = "psql --port=${toString services.postgresql.port}";
path = [ postgresql ];
script = ''
$PSQL service1 -c 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "extraUser1"'
$PSQL service1 -c 'GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "extraUser1"'
# ....
'';
};
```
#### as service user {#module-services-postgres-initializing-extra-permissions-service-user}
**Advantage:** re-uses systemd's dependency ordering;
**Disadvantage:** relies on service user having grant permission. To be combined with `ensureDBOwnership`.
##### in service `preStart` {#module-services-postgres-initializing-extra-permissions-service-user-pre-start}
```nix
environment.PSQL = "psql --port=${toString services.postgresql.port}";
path = [ postgresql ];
systemd.services."service1".preStart = ''
$PSQL -c 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "extraUser1"'
$PSQL -c 'GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "extraUser1"'
# ....
'';
```
##### in intermediate oneshot service {#module-services-postgres-initializing-extra-permissions-service-user-oneshot}
```nix
systemd.services."migrate-service1-db1" = {
serviceConfig.Type = "oneshot";
requiredBy = "service1.service";
before = "service1.service";
after = "postgresql.service";
serviceConfig.User = "service1";
environment.PSQL = "psql --port=${toString services.postgresql.port}";
path = [ postgresql ];
script = ''
$PSQL -c 'GRANT SELECT ON ALL TABLES IN SCHEMA public TO "extraUser1"'
$PSQL -c 'GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "extraUser1"'
# ....
'';
};
```
## Upgrading {#module-services-postgres-upgrading}
::: {.note}


@ -168,7 +168,12 @@ in
ensurePermissions = mkOption {
type = types.attrsOf types.str;
default = {};
visible = false; # This option has been deprecated.
description = lib.mdDoc ''
This option is DEPRECATED and should not be used in nixpkgs anymore,
use `ensureDBOwnership` instead. It can also break with newer
versions of PostgreSQL ( 15).
Permissions to ensure for the user, specified as an attribute set.
The attribute names specify the database and tables to grant the permissions for.
The attribute values specify the permissions to grant. You may specify one or
@ -187,6 +192,16 @@ in
'';
};
ensureDBOwnership = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Grants the user ownership to a database with the same name.
This database must be defined manually in
[](#opt-services.postgresql.ensureDatabases).
'';
};
ensureClauses = mkOption {
description = lib.mdDoc ''
An attrset of clauses to grant to the user. Under the hood this uses the
@ -338,26 +353,21 @@ in
});
default = [];
description = lib.mdDoc ''
Ensures that the specified users exist and have at least the ensured permissions.
Ensures that the specified users exist.
The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the
same name only, and that without the need for a password.
This option will never delete existing users or remove permissions, especially not when the value of this
option is changed. This means that users created and permissions assigned once through this option or
otherwise have to be removed manually.
This option will never delete existing users or remove DB ownership of databases
once granted with `ensureDBOwnership = true;`. This means that this must be
cleaned up manually when changing after changing the config in here.
'';
example = literalExpression ''
[
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
{
name = "superuser";
ensurePermissions = {
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
]
'';
@ -445,6 +455,27 @@ in
config = mkIf cfg.enable {
assertions = map ({ name, ensureDBOwnership, ... }: {
assertion = ensureDBOwnership -> builtins.elem name cfg.ensureDatabases;
message = ''
For each database user defined with `services.postgresql.ensureUsers` and
`ensureDBOwnership = true;`, a database with the same name must be defined
in `services.postgresql.ensureDatabases`.
Offender: ${name} has not been found among databases.
'';
}) cfg.ensureUsers;
# `ensurePermissions` is now deprecated, let's avoid it.
warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) "
`services.postgresql.*.ensurePermissions` is used in your expressions,
this option is known to be broken with newer PostgreSQL versions,
consider migrating to `services.postgresql.*.ensureDBOwnership` or
consult the release notes or manual for more migration guidelines.
This option will be removed in NixOS 24.05 unless it sees significant
maintenance improvements.
";
services.postgresql.settings =
{
hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}";
@ -556,12 +587,15 @@ in
${
concatMapStrings
(user:
let
let
userPermissions = concatStringsSep "\n"
(mapAttrsToList
(database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '')
user.ensurePermissions
);
dbOwnershipStmt = optionalString
user.ensureDBOwnership
''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses;
@ -572,6 +606,8 @@ in
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
${userPermissions}
${userClauses}
${dbOwnershipStmt}
''
)
cfg.ensureUsers
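Review bot: `dbOwnershipStmt` is emitted into the same per-user script as the `CREATE USER` line, so it appears to run on every PostgreSQL start and will hand a same-named database back to this role even if an administrator had deliberately assigned a different owner; the `ensureDBOwnership` description does not say this. Ownership is also broader than the old `GRANT ALL PRIVILEGES ON DATABASE` (the owner can drop the database and grant rights on it to other roles), so the option text deserves one more sentence such as `The owner can drop the database and grant privileges on it to other roles; ownership is re-applied on every start.` Separately, the deprecation warning names `services.postgresql.*.ensurePermissions` and `services.postgresql.*.ensureDBOwnership`, while both options live under `services.postgresql.ensureUsers.*`. The script these lines belong to starts and ends outside the hunks shown.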


@ -204,7 +204,7 @@ in
assertions = [
{
assertion = cfg.database.createLocally -> cfg.database.user == "zammad";
assertion = cfg.database.createLocally -> cfg.database.user == "zammad" && cfg.database.name == "zammad";
message = "services.zammad.database.user must be set to \"zammad\" if services.zammad.database.createLocally is set to true";
}
{
@ -231,7 +231,7 @@ in
ensureUsers = [
{
name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
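Review bot: The assertion now also requires `cfg.database.name == "zammad"`, but its `message` still only tells the user to fix `services.zammad.database.user`, so a failure caused by the database name gives misleading guidance. Suggest `message = "services.zammad.database.user and services.zammad.database.name must both be set to \"zammad\" if services.zammad.database.createLocally is set to true";`. The same stale message is left on the sympa, redmine, zabbixProxy and zabbixServer assertions changed in this commit. Unlike the forgejo and gitea assertions, which are guarded by `usePostgresql`, these are not conditioned on the backend; if any of these modules can also provision a non-PostgreSQL database locally, the new name constraint would apply there too, which is worth confirming.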


@ -121,7 +121,7 @@ in
ensureDatabases = [ "odoo" ];
ensureUsers = [{
name = "odoo";
ensurePermissions = { "DATABASE odoo" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};
});


@ -168,7 +168,7 @@ in {
ensureUsers = [{
name = "listmonk";
ensurePermissions = { "DATABASE listmonk" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
ensureDatabases = [ "listmonk" ];


@ -179,14 +179,22 @@ in
};
};
assertions = [
{
assertion = localDB -> cfg.database.username == cfg.database.dbname;
message = ''
When setting up a DB and its owner user, the owner and the DB name must be
equal!
'';
}
];
services.postgresql = mkIf localDB {
enable = true;
ensureDatabases = [ cfg.database.dbname ];
ensureUsers = [ {
name = cfg.database.username;
ensurePermissions = {
"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
} ];
};
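Review bot: The new assertion message does not say which options conflict or which module raised it, which makes the failure hard to locate in a large configuration. Including the two values would help, for example ending the message with `(database.username = "${cfg.database.username}", database.dbname = "${cfg.database.dbname}")` and prefixing it with the module's option path. The enclosing `config` block starts and ends outside the hunk.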


@ -218,7 +218,7 @@ in
default = null;
example = "/run/keys/sympa-dbpassword";
description = lib.mdDoc ''
A file containing the password for {option}`services.sympa.database.user`.
A file containing the password for {option}`services.sympa.database.name`.
'';
};
@ -342,6 +342,7 @@ in
db_type = cfg.database.type;
db_name = cfg.database.name;
db_user = cfg.database.name;
}
// (optionalAttrs (cfg.database.host != null) {
db_host = cfg.database.host;
@ -355,9 +356,6 @@ in
// (optionalAttrs (cfg.database.port != null) {
db_port = cfg.database.port;
})
// (optionalAttrs (cfg.database.user != null) {
db_user = cfg.database.user;
})
// (optionalAttrs (cfg.mta.type == "postfix") {
sendmail_aliases = "${dataDir}/sympa_transport";
aliases_program = "${pkgs.postfix}/bin/postmap";
@ -393,7 +391,7 @@ in
users.groups.${group} = {};
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.name == cfg.database.user;
message = "services.sympa.database.user must be set to ${user} if services.sympa.database.createLocally is set to true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -579,7 +577,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
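Review bot: `db_user = cfg.database.name;` is now set unconditionally and the `optionalAttrs (cfg.database.user != null)` override is removed, so `services.sympa.database.user` appears to no longer reach the generated Sympa configuration even when `createLocally` is false. A deployment pointing at an external database whose login role differs from the database name would then connect as the wrong role. If the goal is only to keep local provisioning consistent, restoring the removed `optionalAttrs (cfg.database.user != null)` block and relying on the new `cfg.database.name == cfg.database.user` assertion for the local case would preserve the remote case; otherwise the `user` option should be deprecated explicitly rather than silently ignored. The settings attribute set continues outside the hunks shown.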


@ -74,9 +74,9 @@ in
services.postgresql = lib.optionalAttrs cfg.createDatabase {
enable = true;
ensureDatabases = [ "matrix-sliding-sync" ];
ensureUsers = [ rec {
ensureUsers = [ {
name = "matrix-sliding-sync";
ensurePermissions."DATABASE \"${name}\"" = "ALL PRIVILEGES";
ensureDBOwnership = true;
} ];
};


@ -135,9 +135,7 @@ in {
ensureDatabases = ["mautrix-facebook"];
ensureUsers = [{
name = "mautrix-facebook";
ensurePermissions = {
"DATABASE \"mautrix-facebook\"" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}];
};


@ -73,9 +73,7 @@ in
enable = true;
ensureUsers = [{
name = "atuin";
ensurePermissions = {
"DATABASE atuin" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}];
ensureDatabases = [ "atuin" ];
};


@ -0,0 +1,79 @@
# Forgejo {#module-forgejo}
Forgejo is a soft-fork of gitea, with strong community focus, as well
as on self-hosting and federation. [Codeberg](https://codeberg.org) is
deployed from it.
See [upstream docs](https://forgejo.org/docs/latest/).
The method of choice for running forgejo is using [`services.forgejo`](#opt-services.forgejo.enable).
::: {.warning}
Running forgejo using `services.gitea.package = pkgs.forgejo` is no longer
recommended.
If you experience issues with your instance using `services.gitea`,
**DO NOT** report them to the `services.gitea` module maintainers.
**DO** report them to the `services.forgejo` module maintainers instead.
:::
## Migration from Gitea {#module-forgejo-migration-gitea}
::: {.note}
Migrating is, while not strictly necessary at this point, highly recommended.
Both modules and projects are likely to divide further with each release.
Which might lead to an even more involved migration.
:::
### Full-Migration {#module-forgejo-migration-gitea-default}
This will migrate the state directory (data), rename and chown the database and
delete the gitea user.
::: {.note}
This will also change the git remote ssh-url user from `gitea@` to `forgejo@`,
when using the host's openssh server (default) instead of the integrated one.
:::
Instructions for PostgreSQL (default). Adapt accordingly for other databases:
```sh
systemctl stop gitea
mv /var/lib/gitea /var/lib/forgejo
runuser -u postgres -- psql -c '
ALTER USER gitea RENAME TO forgejo;
ALTER DATABASE gitea RENAME TO forgejo;
'
nixos-rebuild switch
systemctl stop forgejo
chown -R forgejo:forgejo /var/lib/forgejo
systemctl restart forgejo
```
### Alternatively, keeping the gitea user {#module-forgejo-migration-gitea-impersonate}
Alternatively, instead of renaming the database, copying the state folder and
changing the user, the forgejo module can be set up to re-use the old storage
locations and database, instead of having to copy or rename them.
Make sure to disable `services.gitea`, when doing this.
```nix
services.gitea.enable = false;
services.forgejo = {
enable = true;
user = "gitea";
group = "gitea";
stateDir = "/var/lib/gitea";
database.name = "gitea";
database.user = "gitea";
};
users.users,gitea = {
home = "/var/lib/gitea";
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
users.groups.gitea = {};
```


@ -357,6 +357,14 @@ in
assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user;
message = "services.forgejo.database.user must match services.forgejo.user if the database is to be automatically provisioned";
}
{ assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name;
message = ''
When creating a database via NixOS, the db user and db name must be equal!
If you already have an existing DB+user and this assertion is new, you can safely set
`services.forgejo.createDatabase` to `false` because removal of `ensureUsers`
and `ensureDatabases` doesn't have any effect.
'';
}
];
services.forgejo.settings = {
@ -423,7 +431,7 @@ in
ensureUsers = [
{
name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
@ -677,5 +685,6 @@ in
};
};
meta.doc = ./forgejo.md;
meta.maintainers = with lib.maintainers; [ bendlas emilylange ];
}
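Review bot: The new assertion message points users at `services.forgejo.createDatabase`, but the condition reads `cfg.database.createDatabase`, so the option to set is presumably `services.forgejo.database.createDatabase`; following the message literally would lead to an undefined-option error. Suggest replacing the path in the message with `services.forgejo.database.createDatabase`. The gitea assertion added in this commit has the same wording with `services.gitea.createDatabase`. It would also help to state in the message that the existing role and database are left untouched and simply stop being managed by NixOS.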


@ -394,6 +394,14 @@ in
{ assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user;
message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned";
}
{ assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name;
message = ''
When creating a database via NixOS, the db user and db name must be equal!
If you already have an existing DB+user and this assertion is new, you can safely set
`services.gitea.createDatabase` to `false` because removal of `ensureUsers`
and `ensureDatabases` doesn't have any effect.
'';
}
];
services.gitea.settings = {
@ -461,7 +469,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -267,7 +267,7 @@ in
{ assertion = cfg.database.passwordFile != null || cfg.database.socket != null;
message = "one of services.redmine.database.socket or services.redmine.database.passwordFile must be set";
}
{ assertion = cfg.database.createLocally -> cfg.database.user == cfg.user;
{ assertion = cfg.database.createLocally -> cfg.database.user == cfg.user && cfg.database.user == cfg.database.name;
message = "services.redmine.database.user must be set to ${cfg.user} if services.redmine.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.socket != null;
@ -315,7 +315,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -249,10 +249,13 @@ in
ensureDatabases = [ srvCfg.postgresql.database ];
ensureUsers = map (name: {
inherit name;
ensurePermissions = { "DATABASE \"${srvCfg.postgresql.database}\"" = "ALL PRIVILEGES"; };
# We don't use it because we have a special default database name with dots.
# TODO(for maintainers of sourcehut): migrate away from custom preStart script.
ensureDBOwnership = false;
}) [srvCfg.user];
};
services.sourcehut.settings = mkMerge [
{
"${srv}.sr.ht".origin = mkDefault "https://${srv}.${cfg.settings."sr.ht".global-domain}";
@ -378,10 +381,11 @@ in
extraService
])) extraServices)
# Work around 'pq: permission denied for schema public' with postgres v15, until a
# solution for `services.postgresql.ensureUsers` is found.
# Work around 'pq: permission denied for schema public' with postgres v15.
# See https://github.com/NixOS/nixpkgs/issues/216989
# Workaround taken from nixos/forgejo: https://github.com/NixOS/nixpkgs/pull/262741
# TODO(to maintainers of sourcehut): please migrate away from this workaround
# by migrating away from database name defaults with dots.
(lib.mkIf (
cfg.postgresql.enable
&& lib.strings.versionAtLeast config.services.postgresql.package.version "15.0"


@ -203,7 +203,7 @@ in
{ assertion = !config.services.zabbixServer.enable;
message = "Please choose one of services.zabbixServer or services.zabbixProxy.";
}
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.name == cfg.database.user;
message = "services.zabbixProxy.database.user must be set to ${user} if services.zabbixProxy.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -252,7 +252,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -191,7 +191,7 @@ in
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.user == cfg.database.name;
message = "services.zabbixServer.database.user must be set to ${user} if services.zabbixServer.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -240,7 +240,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -666,7 +666,9 @@ in {
${cfg.package}/bin/syncthing \
-no-browser \
-gui-address=${if isUnixGui then "unix://" else ""}${cfg.guiAddress} \
-home=${cfg.configDir} ${escapeShellArgs cfg.extraFlags}
-config=${cfg.configDir} \
-data=${cfg.dataDir} \
${escapeShellArgs cfg.extraFlags}
'';
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
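Review bot: `-config=${cfg.configDir}` and `-data=${cfg.dataDir}` are interpolated raw while the neighbouring `extraFlags` go through `escapeShellArgs`, so a directory containing whitespace would split into separate arguments. If this string is interpreted by a shell (its start is outside the hunk), `-config=${escapeShellArg cfg.configDir} \` and `-data=${escapeShellArg cfg.dataDir} \` would make the quoting consistent. Instances previously started with `-home=${cfg.configDir}` may have kept their database under that directory; unless the two paths coincide, the existing index might not be found after this change, which I cannot confirm from the hunk and which would merit a release note.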


@ -1,213 +0,0 @@
{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.services.kibana;
opt = options.services.kibana;
ge7 = builtins.compareVersions cfg.package.version "7" >= 0;
lt6_6 = builtins.compareVersions cfg.package.version "6.6" < 0;
cfgFile = pkgs.writeText "kibana.json" (builtins.toJSON (
(filterAttrsRecursive (n: v: v != null && v != []) ({
server.host = cfg.listenAddress;
server.port = cfg.port;
server.ssl.certificate = cfg.cert;
server.ssl.key = cfg.key;
kibana.index = cfg.index;
kibana.defaultAppId = cfg.defaultAppId;
elasticsearch.url = cfg.elasticsearch.url;
elasticsearch.hosts = cfg.elasticsearch.hosts;
elasticsearch.username = cfg.elasticsearch.username;
elasticsearch.password = cfg.elasticsearch.password;
elasticsearch.ssl.certificate = cfg.elasticsearch.cert;
elasticsearch.ssl.key = cfg.elasticsearch.key;
elasticsearch.ssl.certificateAuthorities = cfg.elasticsearch.certificateAuthorities;
} // cfg.extraConf)
)));
in {
options.services.kibana = {
enable = mkEnableOption (lib.mdDoc "kibana service");
listenAddress = mkOption {
description = lib.mdDoc "Kibana listening host";
default = "127.0.0.1";
type = types.str;
};
port = mkOption {
description = lib.mdDoc "Kibana listening port";
default = 5601;
type = types.port;
};
cert = mkOption {
description = lib.mdDoc "Kibana ssl certificate.";
default = null;
type = types.nullOr types.path;
};
key = mkOption {
description = lib.mdDoc "Kibana ssl key.";
default = null;
type = types.nullOr types.path;
};
index = mkOption {
description = lib.mdDoc "Elasticsearch index to use for saving kibana config.";
default = ".kibana";
type = types.str;
};
defaultAppId = mkOption {
description = lib.mdDoc "Elasticsearch default application id.";
default = "discover";
type = types.str;
};
elasticsearch = {
url = mkOption {
description = lib.mdDoc ''
Elasticsearch url.
Defaults to `"http://localhost:9200"`.
Don't set this when using Kibana >= 7.0.0 because it will result in a
configuration error. Use {option}`services.kibana.elasticsearch.hosts`
instead.
'';
default = null;
type = types.nullOr types.str;
};
hosts = mkOption {
description = lib.mdDoc ''
The URLs of the Elasticsearch instances to use for all your queries.
All nodes listed here must be on the same cluster.
Defaults to `[ "http://localhost:9200" ]`.
This option is only valid when using kibana >= 6.6.
'';
default = null;
type = types.nullOr (types.listOf types.str);
};
username = mkOption {
description = lib.mdDoc "Username for elasticsearch basic auth.";
default = null;
type = types.nullOr types.str;
};
password = mkOption {
description = lib.mdDoc "Password for elasticsearch basic auth.";
default = null;
type = types.nullOr types.str;
};
ca = mkOption {
description = lib.mdDoc ''
CA file to auth against elasticsearch.
It's recommended to use the {option}`certificateAuthorities` option
when using kibana-5.4 or newer.
'';
default = null;
type = types.nullOr types.path;
};
certificateAuthorities = mkOption {
description = lib.mdDoc ''
CA files to auth against elasticsearch.
Please use the {option}`ca` option when using kibana \< 5.4
because those old versions don't support setting multiple CA's.
This defaults to the singleton list [ca] when the {option}`ca` option is defined.
'';
default = lib.optional (cfg.elasticsearch.ca != null) ca;
defaultText = literalExpression ''
lib.optional (config.${opt.elasticsearch.ca} != null) ca
'';
type = types.listOf types.path;
};
cert = mkOption {
description = lib.mdDoc "Certificate file to auth against elasticsearch.";
default = null;
type = types.nullOr types.path;
};
key = mkOption {
description = lib.mdDoc "Key file to auth against elasticsearch.";
default = null;
type = types.nullOr types.path;
};
};
package = mkOption {
description = lib.mdDoc "Kibana package to use";
default = pkgs.kibana;
defaultText = literalExpression "pkgs.kibana";
type = types.package;
};
dataDir = mkOption {
description = lib.mdDoc "Kibana data directory";
default = "/var/lib/kibana";
type = types.path;
};
extraConf = mkOption {
description = lib.mdDoc "Kibana extra configuration";
default = {};
type = types.attrs;
};
};
config = mkIf (cfg.enable) {
assertions = [
{
assertion = ge7 -> cfg.elasticsearch.url == null;
message =
"The option services.kibana.elasticsearch.url has been removed when using kibana >= 7.0.0. " +
"Please use option services.kibana.elasticsearch.hosts instead.";
}
{
assertion = lt6_6 -> cfg.elasticsearch.hosts == null;
message =
"The option services.kibana.elasticsearch.hosts is only valid for kibana >= 6.6.";
}
];
systemd.services.kibana = {
description = "Kibana Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "elasticsearch.service" ];
environment = { BABEL_CACHE_PATH = "${cfg.dataDir}/.babelcache.json"; };
serviceConfig = {
ExecStart =
"${cfg.package}/bin/kibana" +
" --config ${cfgFile}" +
" --path.data ${cfg.dataDir}";
User = "kibana";
WorkingDirectory = cfg.dataDir;
};
};
environment.systemPackages = [ cfg.package ];
users.users.kibana = {
isSystemUser = true;
description = "Kibana service user";
home = cfg.dataDir;
createHome = true;
group = "kibana";
};
users.groups.kibana = {};
};
}


@ -55,7 +55,7 @@ in {
ensureDatabases = [ "hockeypuck" ];
ensureUsers = [{
name = "hockeypuck";
ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
```


@ -1,259 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.code-server;
defaultUser = "code-server";
defaultGroup = defaultUser;
in {
options = {
services.code-server = {
enable = lib.mkEnableOption (lib.mdDoc "code-server");
package = lib.mkPackageOptionMD pkgs "code-server" {
example = ''
pkgs.vscode-with-extensions.override {
vscode = pkgs.code-server;
vscodeExtensions = with pkgs.vscode-extensions; [
bbenoist.nix
dracula-theme.theme-dracula
];
}
'';
};
extraPackages = lib.mkOption {
default = [ ];
description = lib.mdDoc ''
Additional packages to add to the code-server {env}`PATH`.
'';
example = lib.literalExpression "[ pkgs.go ]";
type = lib.types.listOf lib.types.package;
};
extraEnvironment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
description = lib.mdDoc ''
Additional environment variables to pass to code-server.
'';
default = { };
example = { PKG_CONFIG_PATH = "/run/current-system/sw/lib/pkgconfig"; };
};
extraArguments = lib.mkOption {
default = [ ];
description = lib.mdDoc ''
Additional arguments to pass to code-server.
'';
example = lib.literalExpression ''[ "--log=info" ]'';
type = lib.types.listOf lib.types.str;
};
host = lib.mkOption {
default = "localhost";
description = lib.mdDoc ''
The host name or IP address the server should listen to.
'';
type = lib.types.str;
};
port = lib.mkOption {
default = 4444;
description = lib.mdDoc ''
The port the server should listen to.
'';
type = lib.types.port;
};
auth = lib.mkOption {
default = "password";
description = lib.mdDoc ''
The type of authentication to use.
'';
type = lib.types.enum [ "none" "password" ];
};
hashedPassword = lib.mkOption {
default = "";
description = lib.mdDoc ''
Create the password with: `echo -n 'thisismypassword' | npx argon2-cli -e`.
'';
type = lib.types.str;
};
user = lib.mkOption {
default = defaultUser;
example = "yourUser";
description = lib.mdDoc ''
The user to run code-server as.
By default, a user named `${defaultUser}` will be created.
'';
type = lib.types.str;
};
group = lib.mkOption {
default = defaultGroup;
example = "yourGroup";
description = lib.mdDoc ''
The group to run code-server under.
By default, a group named `${defaultGroup}` will be created.
'';
type = lib.types.str;
};
extraGroups = lib.mkOption {
default = [ ];
description = lib.mdDoc ''
An array of additional groups for the `${defaultUser}` user.
'';
example = [ "docker" ];
type = lib.types.listOf lib.types.str;
};
socket = lib.mkOption {
default = null;
example = "/run/code-server/socket";
description = lib.mdDoc ''
Path to a socket (bind-addr will be ignored).
'';
type = lib.types.nullOr lib.types.str;
};
socketMode = lib.mkOption {
default = null;
description = lib.mdDoc ''
File mode of the socket.
'';
type = lib.types.nullOr lib.types.str;
};
userDataDir = lib.mkOption {
default = null;
description = lib.mdDoc ''
Path to the user data directory.
'';
type = lib.types.nullOr lib.types.str;
};
extensionsDir = lib.mkOption {
default = null;
description = lib.mdDoc ''
Path to the extensions directory.
'';
type = lib.types.nullOr lib.types.str;
};
proxyDomain = lib.mkOption {
default = null;
example = "code-server.lan";
description = lib.mdDoc ''
Domain used for proxying ports.
'';
type = lib.types.nullOr lib.types.str;
};
disableTelemetry = lib.mkOption {
default = false;
example = true;
description = lib.mdDoc ''
Disable telemetry.
'';
type = lib.types.bool;
};
disableUpdateCheck = lib.mkOption {
default = false;
example = true;
description = lib.mdDoc ''
Disable update check.
Without this flag, code-server checks every 6 hours against the latest github release and
then notifies you once every week that a new release is available.
'';
type = lib.types.bool;
};
disableFileDownloads = lib.mkOption {
default = false;
example = true;
description = lib.mdDoc ''
Disable file downloads from Code.
'';
type = lib.types.bool;
};
disableWorkspaceTrust = lib.mkOption {
default = false;
example = true;
description = lib.mdDoc ''
Disable Workspace Trust feature.
'';
type = lib.types.bool;
};
disableGettingStartedOverride = lib.mkOption {
default = false;
example = true;
description = lib.mdDoc ''
Disable the coder/coder override in the Help: Getting Started page.
'';
type = lib.types.bool;
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.code-server = {
description = "Code server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
path = cfg.extraPackages;
environment = {
HASHED_PASSWORD = cfg.hashedPassword;
} // cfg.extraEnvironment;
serviceConfig = {
ExecStart = ''
${lib.getExe cfg.package} \
--auth=${cfg.auth} \
--bind-addr=${cfg.host}:${toString cfg.port} \
'' + lib.optionalString (cfg.socket != null) ''
--socket=${cfg.socket} \
'' + lib.optionalString (cfg.userDataDir != null) ''
--user-data-dir=${cfg.userDataDir} \
'' + lib.optionalString (cfg.extensionsDir != null) ''
--extensions-dir=${cfg.extensionsDir} \
'' + lib.optionalString (cfg.disableTelemetry == true) ''
--disable-telemetry \
'' + lib.optionalString (cfg.disableUpdateCheck == true) ''
--disable-update-check \
'' + lib.optionalString (cfg.disableFileDownloads == true) ''
--disable-file-downloads \
'' + lib.optionalString (cfg.disableWorkspaceTrust == true) ''
--disable-workspace-trust \
'' + lib.optionalString (cfg.disableGettingStartedOverride == true) ''
--disable-getting-started-override \
'' + lib.escapeShellArgs cfg.extraArguments;
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
RuntimeDirectory = cfg.user;
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
};
};
users.users."${cfg.user}" = lib.mkMerge [
(lib.mkIf (cfg.user == defaultUser) {
isNormalUser = true;
description = "code-server user";
inherit (cfg) group;
})
{
packages = cfg.extraPackages;
inherit (cfg) extraGroups;
}
];
users.groups."${defaultGroup}" = lib.mkIf (cfg.group == defaultGroup) { };
};
meta.maintainers = [ lib.maintainers.stackshadow ];
}


@ -149,8 +149,8 @@ in {
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.username == name;
message = "services.coder.database.username must be set to ${user} if services.coder.database.createLocally is set true";
{ assertion = cfg.database.createLocally -> cfg.database.username == name && cfg.database.database == cfg.database.username;
message = "services.coder.database.username must be set to ${name} if services.coder.database.createLocally is set true";
}
];
@ -193,10 +193,8 @@ in {
cfg.database.database
];
ensureUsers = [{
name = cfg.database.username;
ensurePermissions = {
"DATABASE \"${cfg.database.database}\"" = "ALL PRIVILEGES";
};
name = cfg.user;
ensureDBOwnership = true;
}
];
};
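Review bot: `ensureUsers` now names the role `cfg.user`, while the assertion in the first hunk only constrains `cfg.database.username` (to `name`) and `cfg.database.database`; nothing visible here ties `cfg.user` to either. Because `ensureDBOwnership` assigns ownership of the database named like the role, a `cfg.user` that differs from `cfg.database.database` would not give the configured database the intended owner; `name = cfg.database.username;` would keep the role covered by the assertion. The assertion message also still speaks only of the username although the condition now requires `cfg.database.database` to match too, and the mediawiki and moodle assertions further down have the same stale message; appending `and services.coder.database.database must be set to the same value` (adapted per module) would tell the administrator which option to change.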


@ -128,9 +128,7 @@ in
ensureUsers = [
{
name = "gotosocial";
ensurePermissions = {
"DATABASE gotosocial" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -109,15 +109,17 @@ let
# Default to using the local database if we create it
services.invidious.database.host = lib.mkDefault null;
# TODO(raitobezarius to maintainers of invidious): I strongly advise to clean up the kemal specific
# thing for 24.05 and use `ensureDBOwnership`.
# See https://github.com/NixOS/nixpkgs/issues/216989
systemd.services.postgresql.postStart = lib.mkAfter ''
$PSQL -tAc 'ALTER DATABASE "${cfg.settings.db.dbname}" OWNER TO "${cfg.settings.db.user}";'
'';
services.postgresql = {
enable = true;
ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = false; };
ensureDatabases = lib.singleton cfg.settings.db.dbname;
ensureUsers = lib.singleton {
name = cfg.settings.db.user;
ensurePermissions = {
"DATABASE ${cfg.settings.db.dbname}" = "ALL PRIVILEGES";
};
};
# This is only needed because the unix user invidious isn't the same as
# the database user. This tells postgres to map one to the other.
identMap = ''
@ -136,6 +138,7 @@ let
documentation = [ "https://docs.invidious.io/Database-Information-and-Maintenance.md" ];
startAt = lib.mkDefault "weekly";
path = [ config.services.postgresql.package ];
after = [ "postgresql.service" ];
script = ''
psql ${cfg.settings.db.dbname} ${cfg.settings.db.user} -c "DELETE FROM nonces * WHERE expire < current_timestamp"
psql ${cfg.settings.db.dbname} ${cfg.settings.db.user} -c "TRUNCATE TABLE videos"
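Review bot: The `ALTER DATABASE … OWNER TO …` line added to `systemd.services.postgresql.postStart` splices `cfg.settings.db.dbname` and `cfg.settings.db.user` unescaped into a single-quoted shell word and double-quoted SQL identifiers, so a value containing `'` or `"` changes the statement that is executed, presumably with the privileges of the postgresql service. Both are administrator-set options, so this is a robustness gap rather than exposure to untrusted input, but the ownership change is privileged enough to deserve a guard. An assertion such as `assertion = builtins.match "[A-Za-z0-9_-]+" cfg.settings.db.dbname != null;` (and the same for `cfg.settings.db.user`) would reject such values at evaluation time; the module's assertion list is outside this hunk. The mobilizon hunk adds the same pattern with `repoSettings.database` and `dbUser`.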


@ -169,6 +169,15 @@ in
off if you want to configure it manually.
'';
};
excalidraw.enable = mkEnableOption (lib.mdDoc "Excalidraw collaboration backend for Jitsi");
excalidraw.port = mkOption {
type = types.port;
default = 3002;
description = lib.mdDoc ''The port which the Excalidraw backend for Jitsi should listen to.'';
};
secureDomain.enable = mkEnableOption (lib.mdDoc "Authenticated room creation");
};
config = mkIf cfg.enable {
@ -192,41 +201,118 @@ in
roomLocking = false;
roomDefaultPublicJids = true;
extraConfig = ''
restrict_room_creation = true
storage = "memory"
admins = { "focus@auth.${cfg.hostName}" }
'';
}
{
domain = "internal.${cfg.hostName}";
domain = "breakout.${cfg.hostName}";
name = "Jitsi Meet Breakout MUC";
roomLocking = false;
roomDefaultPublicJids = true;
extraConfig = ''
restrict_room_creation = true
storage = "memory"
admins = { "focus@auth.${cfg.hostName}" }
'';
}
{
domain = "internal.auth.${cfg.hostName}";
name = "Jitsi Meet Videobridge MUC";
roomLocking = false;
roomDefaultPublicJids = true;
extraConfig = ''
storage = "memory"
admins = { "focus@auth.${cfg.hostName}", "jvb@auth.${cfg.hostName}" }
'';
#-- muc_room_cache_size = 1000
}
{
domain = "lobby.${cfg.hostName}";
name = "Jitsi Meet Lobby MUC";
roomLocking = false;
roomDefaultPublicJids = true;
extraConfig = ''
restrict_room_creation = true
storage = "memory"
'';
}
];
extraModules = [
"pubsub"
"smacks"
"speakerstats"
"external_services"
"conference_duration"
"end_conference"
"muc_lobby_rooms"
"muc_breakout_rooms"
"av_moderation"
"muc_hide_all"
"muc_meeting_id"
"muc_domain_mapper"
"muc_rate_limit"
"limits_exception"
"persistent_lobby"
"room_metadata"
];
extraModules = [ "pubsub" "smacks" ];
extraPluginPaths = [ "${pkgs.jitsi-meet-prosody}/share/prosody-plugins" ];
extraConfig = lib.mkMerge [ (mkAfter ''
Component "focus.${cfg.hostName}" "client_proxy"
target_address = "focus@auth.${cfg.hostName}"
extraConfig = lib.mkMerge [
(mkAfter ''
Component "focus.${cfg.hostName}" "client_proxy"
target_address = "focus@auth.${cfg.hostName}"
Component "speakerstats.${cfg.hostName}" "speakerstats_component"
muc_component = "conference.${cfg.hostName}"
Component "conferenceduration.${cfg.hostName}" "conference_duration_component"
muc_component = "conference.${cfg.hostName}"
Component "endconference.${cfg.hostName}" "end_conference"
muc_component = "conference.${cfg.hostName}"
Component "avmoderation.${cfg.hostName}" "av_moderation_component"
muc_component = "conference.${cfg.hostName}"
Component "metadata.${cfg.hostName}" "room_metadata_component"
muc_component = "conference.${cfg.hostName}"
breakout_rooms_component = "breakout.${cfg.hostName}"
'')
(mkBefore ''
muc_mapper_domain_base = "${cfg.hostName}"
cross_domain_websocket = true;
consider_websocket_secure = true;
unlimited_jids = {
"focus@auth.${cfg.hostName}",
"jvb@auth.${cfg.hostName}"
}
'')
];
virtualHosts.${cfg.hostName} = {
enabled = true;
domain = cfg.hostName;
extraConfig = ''
authentication = "anonymous"
authentication = ${if cfg.secureDomain.enable then "\"internal_hashed\"" else "\"jitsi-anonymous\""}
c2s_require_encryption = false
admins = { "focus@auth.${cfg.hostName}" }
smacks_max_unacked_stanzas = 5
smacks_hibernation_time = 60
smacks_max_hibernated_sessions = 1
smacks_max_old_sessions = 1
av_moderation_component = "avmoderation.${cfg.hostName}"
speakerstats_component = "speakerstats.${cfg.hostName}"
conference_duration_component = "conferenceduration.${cfg.hostName}"
end_conference_component = "endconference.${cfg.hostName}"
c2s_require_encryption = false
lobby_muc = "lobby.${cfg.hostName}"
breakout_rooms_muc = "breakout.${cfg.hostName}"
room_metadata_component = "metadata.${cfg.hostName}"
main_muc = "conference.${cfg.hostName}"
'';
ssl = {
cert = "/var/lib/jitsi-meet/jitsi-meet.crt";
@ -237,7 +323,7 @@ in
enabled = true;
domain = "auth.${cfg.hostName}";
extraConfig = ''
authentication = "internal_plain"
authentication = "internal_hashed"
'';
ssl = {
cert = "/var/lib/jitsi-meet/jitsi-meet.crt";
@ -252,6 +338,14 @@ in
c2s_require_encryption = false
'';
};
virtualHosts."guest.${cfg.hostName}" = {
enabled = true;
domain = "guest.${cfg.hostName}";
extraConfig = ''
authentication = "anonymous"
c2s_require_encryption = false
'';
};
};
systemd.services.prosody = mkIf cfg.prosody.enable {
preStart = let
@ -270,7 +364,7 @@ in
reloadIfChanged = true;
};
users.groups.jitsi-meet = {};
users.groups.jitsi-meet = { };
systemd.tmpfiles.rules = [
"d '/var/lib/jitsi-meet' 0750 root jitsi-meet - -"
];
@ -317,6 +411,20 @@ in
'';
};
systemd.services.jitsi-excalidraw = mkIf cfg.excalidraw.enable {
description = "Excalidraw collaboration backend for Jitsi";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.PORT = toString cfg.excalidraw.port;
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.jitsi-excalidraw}/bin/jitsi-excalidraw-backend";
Restart = "on-failure";
Group = "jitsi-meet";
};
};
services.nginx = mkIf cfg.nginx.enable {
enable = mkDefault true;
virtualHosts.${cfg.hostName} = {
@ -345,12 +453,23 @@ in
locations."=/external_api.js" = mkDefault {
alias = "${pkgs.jitsi-meet}/libs/external_api.min.js";
};
locations."=/_api/room-info" = {
proxyPass = "http://localhost:5280/room-info";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
locations."=/config.js" = mkDefault {
alias = overrideJs "${pkgs.jitsi-meet}/config.js" "config" (recursiveUpdate defaultCfg cfg.config) cfg.extraConfig;
};
locations."=/interface_config.js" = mkDefault {
alias = overrideJs "${pkgs.jitsi-meet}/interface_config.js" "interfaceConfig" cfg.interfaceConfig "";
};
locations."/socket.io/" = mkIf cfg.excalidraw.enable {
proxyPass = "http://127.0.0.1:${toString cfg.excalidraw.port}";
proxyWebsockets = true;
};
};
};
@ -359,7 +478,7 @@ in
virtualHosts.${cfg.hostName} = {
extraConfig =
let
templatedJitsiMeet = pkgs.runCommand "templated-jitsi-meet" {} ''
templatedJitsiMeet = pkgs.runCommand "templated-jitsi-meet" { } ''
cp -R ${pkgs.jitsi-meet}/* .
for file in *.html **/*.html ; do
${pkgs.sd}/bin/sd '<!--#include virtual="(.*)" -->' '{{ include "$1" }}' $file
@ -390,13 +509,24 @@ in
};
};
services.jitsi-meet.config = recursiveUpdate
(mkIf cfg.excalidraw.enable {
whiteboard = {
enabled = true;
collabServerBaseUrl = "https://${cfg.hostName}";
};
})
(mkIf cfg.secureDomain.enable {
hosts.anonymousdomain = "guest.${cfg.hostName}";
});
services.jitsi-videobridge = mkIf cfg.videobridge.enable {
enable = true;
xmppConfigs."localhost" = {
userName = "jvb";
domain = "auth.${cfg.hostName}";
passwordFile = "/var/lib/jitsi-meet/videobridge-secret";
mucJids = "jvbbrewery@internal.${cfg.hostName}";
mucJids = "jvbbrewery@internal.auth.${cfg.hostName}";
disableCertificateVerification = true;
};
};
@ -409,17 +539,27 @@ in
userName = "focus";
userPasswordFile = "/var/lib/jitsi-meet/jicofo-user-secret";
componentPasswordFile = "/var/lib/jitsi-meet/jicofo-component-secret";
bridgeMuc = "jvbbrewery@internal.${cfg.hostName}";
bridgeMuc = "jvbbrewery@internal.auth.${cfg.hostName}";
config = mkMerge [{
jicofo.xmpp.service.disable-certificate-verification = true;
jicofo.xmpp.client.disable-certificate-verification = true;
#} (lib.mkIf cfg.jibri.enable {
} (lib.mkIf (config.services.jibri.enable || cfg.jibri.enable) {
jicofo.jibri = {
brewery-jid = "JibriBrewery@internal.${cfg.hostName}";
pending-timeout = "90";
};
})];
}
(lib.mkIf (config.services.jibri.enable || cfg.jibri.enable) {
jicofo.jibri = {
brewery-jid = "JibriBrewery@internal.auth.${cfg.hostName}";
pending-timeout = "90";
};
})
(lib.mkIf cfg.secureDomain.enable {
jicofo = {
authentication = {
enabled = "true";
type = "XMPP";
login-url = cfg.hostName;
};
xmpp.client.client-proxy = "focus.${cfg.hostName}";
};
})];
};
services.jibri = mkIf cfg.jibri.enable {
@ -430,7 +570,7 @@ in
xmppDomain = cfg.hostName;
control.muc = {
domain = "internal.${cfg.hostName}";
domain = "internal.auth.${cfg.hostName}";
roomName = "JibriBrewery";
nickname = "jibri";
};
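Review bot: The new `systemd.services.jitsi-excalidraw` unit sets `Group = "jitsi-meet"` but no `User`, so systemd will run this network-facing backend as root; adding `DynamicUser = true;` (or a dedicated `User`) to its `serviceConfig` would drop that privilege. Separately, `services.jitsi-meet.config = recursiveUpdate (mkIf cfg.excalidraw.enable { … }) (mkIf cfg.secureDomain.enable { … })` merges the two `mkIf` wrappers themselves, so the result appears to keep only the `secureDomain.enable` condition for both the whiteboard and the `hosts.anonymousdomain` settings. `mkMerge [ (mkIf cfg.excalidraw.enable { … }) (mkIf cfg.secureDomain.enable { … }) ]`, as already used for the jicofo `config` in this file, keeps each setting under its own condition.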


@ -146,7 +146,7 @@ in
ensureDatabases = [ cfg.settings.database.database ];
ensureUsers = [{
name = cfg.settings.database.user;
ensurePermissions."DATABASE ${cfg.settings.database.database}" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
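Review bot: `ensureDBOwnership = true` is set for the role `cfg.settings.database.user` while `ensureDatabases` lists `cfg.settings.database.database`, and this hunk adds no check that the two options are equal. Ownership is assigned for the database named like the role, so diverging values would not produce the owner this change intends. Other modules in this commit guard the same switch with an assertion (the mastodon and mediawiki hunks, for example); an entry such as `assertion = cfg.settings.database.user == cfg.settings.database.database;` with a message naming both options would make the requirement explicit, presumably conditioned on local database creation. The `cfg.config.dbuser` / `cfg.config.dbname` hunk further down has the same gap.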


@ -612,7 +612,7 @@ in {
config = lib.mkIf cfg.enable (lib.mkMerge [{
assertions = [
{
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user);
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user && cfg.database.user == cfg.database.name);
message = ''
For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer
authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user
@ -845,8 +845,8 @@ in {
enable = true;
ensureUsers = [
{
name = cfg.database.user;
ensurePermissions."DATABASE ${cfg.database.name}" = "ALL PRIVILEGES";
name = cfg.database.name;
ensureDBOwnership = true;
}
];
ensureDatabases = [ cfg.database.name ];


@ -454,7 +454,7 @@ in
{ assertion = cfg.database.createLocally -> (cfg.database.type == "mysql" || cfg.database.type == "postgres");
message = "services.mediawiki.createLocally is currently only supported for database type 'mysql' and 'postgres'";
}
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.name == cfg.database.user;
message = "services.mediawiki.database.user must be set to ${user} if services.mediawiki.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.socket != null;
@ -486,7 +486,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [{
name = cfg.database.user;
ensurePermissions = { "DATABASE \"${cfg.database.name}\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};


@ -6,13 +6,10 @@ let
defaultAddress = "localhost:8080";
dbUser = "miniflux";
dbName = "miniflux";
pgbin = "${config.services.postgresql.package}/bin";
preStart = pkgs.writeScript "miniflux-pre-start" ''
#!${pkgs.runtimeShell}
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
${pgbin}/psql "miniflux" -c "CREATE EXTENSION IF NOT EXISTS hstore"
'';
in
@ -62,7 +59,7 @@ in
services.miniflux.config = {
LISTEN_ADDR = mkDefault defaultAddress;
DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
DATABASE_URL = "user=miniflux host=/run/postgresql dbname=miniflux";
RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1";
};
@ -70,12 +67,10 @@ in
services.postgresql = {
enable = true;
ensureUsers = [ {
name = dbUser;
ensurePermissions = {
"DATABASE ${dbName}" = "ALL PRIVILEGES";
};
name = "miniflux";
ensureDBOwnership = true;
} ];
ensureDatabases = [ dbName ];
ensureDatabases = [ "miniflux" ];
};
systemd.services.miniflux-dbsetup = {
@ -97,7 +92,7 @@ in
serviceConfig = {
ExecStart = "${cfg.package}/bin/miniflux";
User = dbUser;
User = "miniflux";
DynamicUser = true;
RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700";


@ -347,12 +347,18 @@ in
# Taken from here:
# https://framagit.org/framasoft/mobilizon/-/blob/1.1.0/priv/templates/setup_db.eex
# TODO(to maintainers of mobilizon): the owner database alteration is necessary
# as PostgreSQL 15 changed their behaviors w.r.t. to privileges.
# See https://github.com/NixOS/nixpkgs/issues/216989 to get rid
# of that workaround.
script =
''
psql "${repoSettings.database}" -c "\
CREATE EXTENSION IF NOT EXISTS postgis; \
CREATE EXTENSION IF NOT EXISTS pg_trgm; \
CREATE EXTENSION IF NOT EXISTS unaccent;"
psql -tAc 'ALTER DATABASE "${repoSettings.database}" OWNER TO "${dbUser}";'
'';
serviceConfig = {
@ -372,9 +378,10 @@ in
ensureUsers = [
{
name = dbUser;
ensurePermissions = {
"DATABASE \"${repoSettings.database}\"" = "ALL PRIVILEGES";
};
# Given that `dbUser` is potentially arbitrarily custom, we will perform
# manual fixups in mobilizon-postgres.
# TODO(to maintainers of mobilizon): Feel free to simplify your setup by using `ensureDBOwnership`.
ensureDBOwnership = false;
}
];
extraPlugins = with postgresql.pkgs; [ postgis ];


@ -194,7 +194,7 @@ in
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.user == cfg.database.name;
message = "services.moodle.database.user must be set to ${user} if services.moodle.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -220,7 +220,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -257,9 +257,7 @@ in {
ensureUsers = [
{
name = "netbox";
ensurePermissions = {
"DATABASE netbox" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -1042,7 +1042,7 @@ in {
ensureDatabases = [ cfg.config.dbname ];
ensureUsers = [{
name = cfg.config.dbuser;
ensurePermissions = { "DATABASE ${cfg.config.dbname}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};


@ -198,7 +198,7 @@ in
ensureDatabases = [ "onlyoffice" ];
ensureUsers = [{
name = "onlyoffice";
ensurePermissions = { "DATABASE \"onlyoffice\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};
};


@ -581,7 +581,7 @@ in
enable = true;
ensureUsers = [{
name = "outline";
ensurePermissions."DATABASE outline" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
ensureDatabases = [ "outline" ];
};


@ -186,9 +186,7 @@ in {
ensureUsers = [
{
name = "peering-manager";
ensurePermissions = {
"DATABASE \"peering-manager\"" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -271,7 +271,6 @@ in {
ensureDatabases = [ cfg.database.name ];
ensureUsers = [{
name = user;
ensurePermissions = { };
}];
};


@ -529,6 +529,15 @@ let
assertion = cfg.database.password != null -> cfg.database.passwordFile == null;
message = "Cannot set both password and passwordFile";
}
{
assertion = cfg.database.createLocally -> cfg.database.name == cfg.user && cfg.database.user == cfg.user;
message = ''
When creating a database via NixOS, the db user and db name must be equal!
If you already have an existing DB+user and this assertion is new, you can safely set
`services.tt-rss.database.createLocally` to `false` because removal of `ensureUsers`
and `ensureDatabases` doesn't have any effect.
'';
}
];
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
@ -632,8 +641,8 @@ let
enable = mkDefault true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
{ name = cfg.database.user;
ensureDBOwnership = true;
}
];
};


@ -93,7 +93,7 @@ in with lib; {
ensureDatabases = [ "hydron" ];
ensureUsers = [
{ name = "hydron";
ensurePermissions = { "DATABASE hydron" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -88,9 +88,20 @@ def write_loader_conf(profile: str | None, generation: int, specialisation: str
def get_bootspec(profile: str | None, generation: int) -> BootSpec:
boot_json_path = os.path.realpath("%s/%s" % (system_dir(profile, generation, None), "boot.json"))
boot_json_f = open(boot_json_path, 'r')
bootspec_json = json.load(boot_json_f)
system_directory = system_dir(profile, generation, None)
boot_json_path = os.path.realpath("%s/%s" % (system_directory, "boot.json"))
if os.path.isfile(boot_json_path):
boot_json_f = open(boot_json_path, 'r')
bootspec_json = json.load(boot_json_f)
else:
boot_json_str = subprocess.check_output([
"@bootspecTools@/bin/synthesize",
"--version",
"1",
system_directory,
"/dev/stdout"],
universal_newlines=True)
bootspec_json = json.loads(boot_json_str)
return bootspec_from_json(bootspec_json)
def bootspec_from_json(bootspec_json: Dict) -> BootSpec:
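Review bot: The `open(boot_json_path, 'r')` kept in the new `if` branch of `get_bootspec` is never closed, and the function is presumably called once per generation; `with open(boot_json_path, 'r') as boot_json_f:` followed by `bootspec_json = json.load(boot_json_f)` releases the handle deterministically. In the `else` branch, `subprocess.check_output` raises `CalledProcessError` when `synthesize` fails, so one generation that cannot be synthesized would abort the whole bootloader update unless a caller outside this hunk catches it. A short comment on that branch, for example `# legacy generation without boot.json: synthesize a v1 bootspec; a failure here is fatal on purpose`, would record whether that is intended.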


@ -16,6 +16,8 @@ let
systemd = config.systemd.package;
bootspecTools = pkgs.bootspec;
nix = config.nix.package.out;
timeout = optionalString (config.boot.loader.timeout != null) config.boot.loader.timeout;


@ -192,7 +192,6 @@ in {
cntr = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cntr.nix {};
cockpit = handleTest ./cockpit.nix {};
cockroachdb = handleTestOn ["x86_64-linux"] ./cockroachdb.nix {};
code-server = handleTest ./code-server.nix {};
coder = handleTest ./coder.nix {};
collectd = handleTest ./collectd.nix {};
connman = handleTest ./connman.nix {};
@ -750,6 +749,7 @@ in {
signal-desktop = handleTest ./signal-desktop.nix {};
simple = handleTest ./simple.nix {};
sing-box = handleTest ./sing-box.nix {};
slimserver = handleTest ./slimserver.nix {};
slurm = handleTest ./slurm.nix {};
smokeping = handleTest ./smokeping.nix {};
snapcast = handleTest ./snapcast.nix {};


@ -1,22 +0,0 @@
import ./make-test-python.nix ({pkgs, lib, ...}:
{
name = "code-server";
nodes = {
machine = {pkgs, ...}: {
services.code-server = {
enable = true;
auth = "none";
};
};
};
testScript = ''
start_all()
machine.wait_for_unit("code-server.service")
machine.wait_for_open_port(4444)
machine.succeed("curl -k --fail http://localhost:4444", timeout=10)
'';
meta.maintainers = [ lib.maintainers.drupol ];
})


@ -49,7 +49,7 @@ import ./make-test-python.nix ({ lib, ... }: {
ensureUsers = [
{
name = "dex";
ensurePermissions = { "DATABASE dex" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -119,11 +119,6 @@ let
package = elk.elasticsearch;
};
kibana = {
enable = true;
package = elk.kibana;
};
elasticsearch-curator = {
enable = true;
actionYAML = ''
@ -217,13 +212,6 @@ let
one.wait_until_succeeds("cat /tmp/logstash.out | grep flowers")
one.wait_until_succeeds("cat /tmp/logstash.out | grep -v dragons")
with subtest("Kibana is healthy"):
one.wait_for_unit("kibana.service")
one.wait_until_succeeds(
"curl --silent --show-error --fail-with-body 'http://localhost:5601/api/status'"
+ " | jq -es 'if . == [] then null else .[] | .status.overall.state == \"green\" end'"
)
with subtest("Metricbeat is running"):
one.wait_for_unit("metricbeat.service")
@ -274,7 +262,6 @@ in {
# name = "elk-7";
# elasticsearch = pkgs.elasticsearch7-oss;
# logstash = pkgs.logstash7-oss;
# kibana = pkgs.kibana7-oss;
# filebeat = pkgs.filebeat7;
# metricbeat = pkgs.metricbeat7;
# };
@ -282,7 +269,6 @@ in {
ELK-7 = mkElkTest "elk-7" {
elasticsearch = pkgs.elasticsearch7;
logstash = pkgs.logstash7;
kibana = pkgs.kibana7;
filebeat = pkgs.filebeat7;
metricbeat = pkgs.metricbeat7;
};


@ -39,7 +39,7 @@ with import ../lib/testing-python.nix { inherit system; };
ensureDatabases = [ "ferretdb" ];
ensureUsers = [{
name = "ferretdb";
ensurePermissions."DATABASE ferretdb" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};


@ -22,9 +22,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
ensureUsers = [
{
name = "freshrss";
ensurePermissions = {
"DATABASE freshrss" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
initialScript = pkgs.writeText "postgresql-password" ''


@ -55,7 +55,7 @@ let
ensureDatabases = [ "grafana" ];
ensureUsers = [{
name = "grafana";
ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
systemd.services.grafana.after = [ "postgresql.service" ];


@ -35,7 +35,7 @@ in {
ensureDatabases = [ "hockeypuck" ];
ensureUsers = [{
name = "hockeypuck";
ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
};


@ -9,13 +9,11 @@ in {
nodes.hass = { pkgs, ... }: {
services.postgresql = {
enable = true;
# FIXME: hack for https://github.com/NixOS/nixpkgs/issues/216989
# Should be replaced with ensureUsers again when a solution for that is found
initialScript = pkgs.writeText "hass-setup-db.sql" ''
CREATE ROLE hass WITH LOGIN;
CREATE DATABASE hass WITH OWNER hass;
'';
ensureDatabases = [ "hass" ];
ensureUsers = [{
name = "hass";
ensureDBOwnership = true;
}];
};
services.home-assistant = {


@ -44,8 +44,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
enable = true;
initialScript = pkgs.writeText "init-postgres-with-password" ''
CREATE USER kemal WITH PASSWORD 'correct horse battery staple';
CREATE DATABASE invidious;
GRANT ALL PRIVILEGES ON DATABASE invidious TO kemal;
CREATE DATABASE invidious OWNER kemal;
'';
};
};


@ -17,7 +17,7 @@ import ./make-test-python.nix ({ lib, ... }: {
ensureDatabases = [ "paperless" ];
ensureUsers = [
{ name = config.services.paperless.user;
ensurePermissions = { "DATABASE \"paperless\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -19,14 +19,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
authentication = ''
host all all localhost trust
'';
ensureUsers = [
{
name = "postgres";
ensurePermissions = {
"DATABASE \"postgres\"" = "ALL PRIVILEGES";
};
}
];
};
services.pgadmin = {


@ -17,7 +17,8 @@ in
systemd.services.postgresql = {
postStart = ''
${pkgs.postgresql}/bin/psql -U postgres -c "ALTER ROLE testuser WITH LOGIN PASSWORD 'testpass'";
${pkgs.postgresql}/bin/psql -U postgres -c "ALTER ROLE testuser WITH LOGIN PASSWORD 'testpass'";
${pkgs.postgresql}/bin/psql -U postgres -c "ALTER DATABASE testdb OWNER TO testuser;";
'';
};
@ -28,9 +29,6 @@ in
ensureUsers = [
{
name = "testuser";
ensurePermissions = {
"DATABASE testdb" = "ALL PRIVILEGES";
};
}];
authentication = ''
local testdb testuser scram-sha-256
@ -40,7 +38,7 @@ in
pgbouncer = {
enable = true;
listenAddress = "localhost";
databases = { testdb = "host=/run/postgresql/ port=5432 auth_user=testuser dbname=testdb"; };
databases = { test = "host=/run/postgresql/ port=5432 auth_user=testuser dbname=testdb"; };
authType = "scram-sha-256";
authFile = testAuthFile;
};
@ -55,7 +53,7 @@ in
# Test if we can make a query through PgBouncer
one.wait_until_succeeds(
"psql 'postgres://testuser:testpass@localhost:6432/testdb' -c 'SELECT 1;'"
"psql 'postgres://testuser:testpass@localhost:6432/test' -c 'SELECT 1;'"
)
'';
})


@ -87,9 +87,7 @@ let
ensureUsers = [
{
name = "powerdnsadmin";
ensurePermissions = {
"DATABASE powerdnsadmin" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -156,7 +156,7 @@ in
ensureDatabases = [ "sftpgo" ];
ensureUsers = [{
name = "sftpgo";
ensurePermissions."DATABASE sftpgo" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};


@ -0,0 +1,47 @@
import ./make-test-python.nix ({ pkgs, ...} : {
name = "slimserver";
meta.maintainers = with pkgs.lib.maintainers; [ adamcstephens ];
nodes.machine = { ... }: {
services.slimserver.enable = true;
services.squeezelite = {
enable = true;
extraArguments = "-s 127.0.0.1 -d slimproto=info";
};
sound.enable = true;
boot.initrd.kernelModules = ["snd-dummy"];
};
testScript =
''
import json
rpc_get_player = {
"id": 1,
"method": "slim.request",
"params":[0,["player", "id", "0", "?"]]
}
with subtest("slimserver is started"):
machine.wait_for_unit("slimserver.service")
# give slimserver a moment to report errors
machine.sleep(2)
with subtest('slimserver module errors are not reported'):
machine.fail("journalctl -u slimserver.service | grep 'throw_exception'")
machine.fail("journalctl -u slimserver.service | grep 'not installed'")
machine.fail("journalctl -u slimserver.service | grep 'not found'")
machine.fail("journalctl -u slimserver.service | grep 'The following CPAN modules were found but cannot work with Logitech Media Server'")
machine.fail("journalctl -u slimserver.service | grep 'please use the buildme.sh'")
with subtest('slimserver is ready'):
machine.wait_for_open_port(9000)
machine.wait_until_succeeds("journalctl -u slimserver.service | grep 'Completed dbOptimize Scan'")
with subtest("squeezelite player successfully connects to slimserver"):
machine.wait_for_unit("squeezelite.service")
machine.wait_until_succeeds("journalctl -u squeezelite.service | grep 'slimproto:937 connected'")
player_mac = machine.wait_until_succeeds("journalctl -eu squeezelite.service | grep 'sendHELO:148 mac:'").strip().split(" ")[-1]
player_id = machine.succeed(f"curl http://localhost:9000/jsonrpc.js -g -X POST -d '{json.dumps(rpc_get_player)}'")
assert player_mac == json.loads(player_id)["result"]["_id"], "squeezelite player not found"
'';
})
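Review bot: The "slimserver module errors are not reported" subtest runs after a fixed `machine.sleep(2)` and before the readiness waits, so an error logged more than two seconds after unit start goes unnoticed. Moving the five `machine.fail("journalctl -u slimserver.service | grep …")` checks below the wait for `'Completed dbOptimize Scan'` would remove the timing dependency and make the sleep unnecessary. The patterns `'slimproto:937 connected'` and `'sendHELO:148 mac:'` look like they embed source line numbers from squeezelite's log output, which would break on an upstream change; matching `'slimproto:[0-9]* connected'` and `'sendHELO:[0-9]* mac:'` would be more stable, to be confirmed against the actual log format.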


@ -252,6 +252,35 @@ in
'';
};
garbage-collect-entry = makeTest {
name = "systemd-boot-switch-test";
meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
nodes = {
inherit common;
machine = { pkgs, nodes, ... }: {
imports = [ common ];
# These are configs for different nodes, but we'll use them here in `machine`
system.extraDependencies = [
nodes.common.system.build.toplevel
];
};
};
testScript = { nodes, ... }:
let
baseSystem = nodes.common.system.build.toplevel;
in
''
machine.succeed("nix-env -p /nix/var/nix/profiles/system --set ${baseSystem}")
machine.succeed("nix-env -p /nix/var/nix/profiles/system --delete-generations 1")
machine.succeed("${baseSystem}/bin/switch-to-configuration boot")
machine.fail("test -e /boot/loader/entries/nixos-generation-1.conf")
machine.succeed("test -e /boot/loader/entries/nixos-generation-2.conf")
'';
};
# Some UEFI firmwares fail on large reads. Now that systemd-boot loads initrd
# itself, systems with such firmware won't boot without this fix
uefiLargeFileWorkaround = makeTest {
@ -277,4 +306,20 @@ in
machine.wait_for_unit("multi-user.target")
'';
};
no-bootspec = makeTest
{
name = "systemd-boot-no-bootspec";
meta.maintainers = with pkgs.lib.maintainers; [ julienmalka ];
nodes.machine = {
imports = [ common ];
boot.bootspec.enable = false;
};
testScript = ''
machine.start()
machine.wait_for_unit("multi-user.target")
'';
};
}
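Review bot: In the first hunk, `garbage-collect-entry` is given `name = "systemd-boot-switch-test"`, which does not describe what the test checks and looks carried over from another test in this file (not visible here). If another test already uses that name, the two would be indistinguishable in derivation names and logs. Something like `name = "systemd-boot-garbage-collect-entry";` would match the attribute. The test script also assumes the deleted generation is number 1 and the surviving one is number 2; a one-line comment stating that assumption would help the next reader.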


@ -5,6 +5,29 @@ import ./make-test-python.nix ({ lib, ... }: {
nodes.machine = { pkgs, ... }: {
services.tandoor-recipes = {
enable = true;
extraConfig = {
DB_ENGINE = "django.db.backends.postgresql";
POSTGRES_HOST = "/run/postgresql";
POSTGRES_USER = "tandoor_recipes";
POSTGRES_DB = "tandoor_recipes";
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "tandoor_recipes" ];
ensureUsers = [
{
name = "tandoor_recipes";
ensureDBOwnership = true;
}
];
};
systemd.services = {
tandoor-recipes = {
after = [ "postgresql.service" ];
};
};
};


@ -33,7 +33,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
ensureDatabases = [ "vikunja-api" ];
ensureUsers = [
{ name = "vikunja-api";
ensurePermissions = { "DATABASE \"vikunja-api\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -10,14 +10,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
enable = true;
settings.db.host = "/run/postgresql";
settings.db.user = "wiki-js";
settings.db.db = "wiki-js";
settings.logLevel = "debug";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "wiki" ];
ensureDatabases = [ "wiki-js" ];
ensureUsers = [
{ name = "wiki-js";
ensurePermissions."DATABASE wiki" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}
];
};


@ -2,6 +2,7 @@
, fetchurl
, autoPatchelfHook
, makeWrapper
, undmg
, alsa-lib
, curl
@ -14,14 +15,16 @@
, xdotool
, which
, jackSupport ? true
, jackSupport ? stdenv.isLinux
, jackLibrary
, pulseaudioSupport ? config.pulseaudio or true
, pulseaudioSupport ? config.pulseaudio or stdenv.isLinux
, libpulseaudio
}:
let
url_for_platform = version: arch: "https://www.reaper.fm/files/${lib.versions.major version}.x/reaper${builtins.replaceStrings ["."] [""] version}_linux_${arch}.tar.xz";
url_for_platform = version: arch: if stdenv.isDarwin
then "https://www.reaper.fm/files/${lib.versions.major version}.x/reaper${builtins.replaceStrings ["."] [""] version}_universal.dmg"
else "https://www.reaper.fm/files/${lib.versions.major version}.x/reaper${builtins.replaceStrings ["."] [""] version}_linux_${arch}.tar.xz";
in
stdenv.mkDerivation rec {
pname = "reaper";
@ -29,26 +32,32 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = url_for_platform version stdenv.hostPlatform.qemuArch;
hash = {
hash = if stdenv.isDarwin then "sha256-jaT+3cIFVfBopgeeTkpNs9rFX50unlPJogdhkI9bsWU=" else {
x86_64-linux = "sha256-P/PnbJPr4ErDz5ho1/dLERhqkKjdetHzKpCpfVZAYb0=";
aarch64-linux = "sha256-PdnBVlHwoEEv2SPq/p5oyiOlduCEqL35gAY+QIJU1Ys=";
}.${stdenv.hostPlatform.system};
};
nativeBuildInputs = [
autoPatchelfHook
makeWrapper
xdg-utils # Required for desktop integration
] ++ lib.optionals stdenv.isLinux [
which
autoPatchelfHook
xdg-utils # Required for desktop integration
] ++ lib.optionals stdenv.isDarwin [
undmg
];
sourceRoot = lib.optionalString stdenv.isDarwin "Reaper.app";
buildInputs = [
alsa-lib
stdenv.cc.cc.lib # reaper and libSwell need libstdc++.so.6
] ++ lib.optionals stdenv.isLinux [
gtk3
alsa-lib
];
runtimeDependencies = [
runtimeDependencies = lib.optionals stdenv.isLinux [
gtk3 # libSwell needs libgdk-3.so.0
]
++ lib.optional jackSupport jackLibrary
@ -56,7 +65,13 @@ stdenv.mkDerivation rec {
dontBuild = true;
installPhase = ''
installPhase = if stdenv.isDarwin then ''
runHook preInstall
mkdir -p "$out/Applications/Reaper.app"
cp -r * "$out/Applications/Reaper.app/"
makeWrapper "$out/Applications/Reaper.app/Contents/MacOS/REAPER" "$out/bin/reaper"
runHook postInstall
'' else ''
runHook preInstall
HOME="$out/share" XDG_DATA_HOME="$out/share" ./install-reaper.sh \
@ -89,7 +104,7 @@ stdenv.mkDerivation rec {
homepage = "https://www.reaper.fm/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.unfree;
platforms = [ "x86_64-linux" "aarch64-linux" ];
platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
maintainers = with maintainers; [ jfrankenau ilian orivej uniquepointer viraptor ];
};
}
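Review bot: The new default `pulseaudioSupport ? config.pulseaudio or stdenv.isLinux` only falls back to the platform check when `config.pulseaudio` is unset. A nixpkgs config shared between Linux and macOS with `pulseaudio = true` would therefore still enable PulseAudio support on Darwin, where the rest of this change drops the Linux-only audio and GTK inputs. If that is not intended, `pulseaudioSupport ? stdenv.isLinux && (config.pulseaudio or true)` keeps the previous Linux behaviour and never enables it on Darwin. The `runtimeDependencies` list continues past the end of its hunk, so the line that consumes `pulseaudioSupport` is not visible here.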


@ -5,7 +5,7 @@ set -euo pipefail
reaper_ver=$(curl -Ls https://www.reaper.fm/download.php | grep -o 'Version [0-9]\.[0-9]*' | head -n1 | cut -d' ' -f2)
function set_hash_for_arch() {
function set_hash_for_linux() {
local arch=$1
pkg_hash=$(nix-prefetch-url https://www.reaper.fm/files/${reaper_ver%.*}.x/reaper${reaper_ver/./}_linux_$arch.tar.xz)
pkg_hash=$(nix hash to-sri "sha256:$pkg_hash")
@ -14,5 +14,15 @@ function set_hash_for_arch() {
update-source-version reaper "${reaper_ver}" "$pkg_hash" --system=$arch-linux
}
set_hash_for_arch aarch64
set_hash_for_arch x86_64
function set_hash_for_darwin() {
local arch=$1
pkg_hash=$(nix-prefetch-url https://www.reaper.fm/files/${reaper_ver%.*}.x/reaper${reaper_ver/./}_universal.dmg)
pkg_hash=$(nix hash to-sri "sha256:$pkg_hash")
# reset the version so the second architecture update doesn't get ignored
update-source-version reaper 0 "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" --system=$arch-darwin
update-source-version reaper "${reaper_ver}" "$pkg_hash" --system=$arch-darwin
}
set_hash_for_linux aarch64
set_hash_for_linux x86_64
set_hash_for_darwin aarch64
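Review bot: `set_hash_for_darwin` copies the comment `# reset the version so the second architecture update doesn't get ignored`, but it is only ever called for `aarch64`, and the package expression in this commit uses a single hash for the universal dmg on both Darwin systems. A comment such as `# the universal .dmg serves both Darwin architectures, so one update covers x86_64-darwin too` would state what is actually relied on. The URL passed to `nix-prefetch-url` and the `--system=$arch-darwin` argument are unquoted in both functions; quoting them (`"--system=$arch-darwin"`) costs nothing. `set_hash_for_linux` spans two hunks and is only partly visible.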


@ -22,6 +22,7 @@
, openssl
, portaudioSupport ? stdenv.isDarwin
, portaudio
, slimserver
, AudioToolbox
, AudioUnit
, Carbon
@ -95,7 +96,10 @@ stdenv.mkDerivation {
runHook postInstall
'';
passthru.updateScript = ./update.sh;
passthru = {
inherit (slimserver) tests;
updateScript = ./update.sh;
};
meta = with lib; {
description = "Lightweight headless squeezebox client emulator";


@ -2,7 +2,7 @@
let
pname = "erigon";
version = "2.53.1";
version = "2.54.0";
in
buildGoModule {
inherit pname version;
@ -11,11 +11,11 @@ buildGoModule {
owner = "ledgerwatch";
repo = pname;
rev = "v${version}";
hash = "sha256-Gsrt/+6fhpwg3DzPtXPj9T9VPaMIaRcYBdWuFOotsbA=";
hash = "sha256-1kgbIg/3SvVT83UfwAYUixs1RQk4PP1quiOcI1mzbZ0=";
fetchSubmodules = true;
};
vendorHash = "sha256-zsLPqcLCZSnhlFWvNXZJwlfS+NsaTS07TmWd+x4ZPXA=";
vendorHash = "sha256-Gr9mrME8/ZDxp2ORKessNhfguklDf+jC4RSpzLOSBhQ=";
proxyVendor = true;
# Build errors in mdbx when format hardening is enabled:


@ -48,6 +48,6 @@ mkDerivation rec {
description = "2D molecule editor";
homepage = "https://sourceforge.net/projects/molsketch/";
license = licenses.gpl2Plus;
maintainers = [ maintainers.fortuneteller2k ];
maintainers = [ maintainers.moni ];
};
}


@ -18,6 +18,6 @@ rustPlatform.buildRustPackage rec {
homepage = "https://github.com/curlpipe/ox";
changelog = "https://github.com/curlpipe/ox/releases/tag/${version}";
license = licenses.gpl2Only;
maintainers = with maintainers; [ fortuneteller2k ];
maintainers = with maintainers; [ moni ];
};
}


@ -29,6 +29,12 @@ stdenv.mkDerivation (finalAttrs: {
zlib
];
postInstall = lib.optionalString stdenv.isDarwin ''
mkdir -p "$out/Applications"
mv "$out/bin/texstudio.app" "$out/Applications"
rm -d "$out/bin"
'';
meta = with lib; {
description = "TeX and LaTeX editor";
longDescription=''
@ -39,7 +45,7 @@ stdenv.mkDerivation (finalAttrs: {
homepage = "https://texstudio.org";
changelog = "https://github.com/texstudio-org/texstudio/blob/${version}/utilities/manual/CHANGELOG.txt";
license = licenses.gpl2Plus;
platforms = platforms.linux;
platforms = platforms.unix;
maintainers = with maintainers; [ ajs124 cfouche ];
};
})


@ -847,6 +847,10 @@ self: super: {
dependencies = with self; [ plenary-nvim ];
};
neotest = super.neorg.overrideAttrs {
dependencies = with self; [ plenary-nvim ];
};
neo-tree-nvim = super.neo-tree-nvim.overrideAttrs {
dependencies = with self; [ plenary-nvim nui-nvim ];
};
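Review bot: The added `neotest` entry is built from `super.neorg.overrideAttrs`, so the `neotest` attribute would evaluate to the neorg plugin with extra dependencies rather than to neotest. This looks like a copy-paste from a neighbouring entry; the line should read `neotest = super.neotest.overrideAttrs {`. As written, anyone installing `vimPlugins.neotest` would get a different plugin's source under that name with no build error to flag it.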


@ -1,6 +1,13 @@
{ mkDerivation, lib, fetchFromGitHub, qmake, qtbase, qtdeclarative }:
mkDerivation rec {
{ stdenv
, lib
, fetchFromGitHub
, qmake
, qtbase
, qtdeclarative
, qtquickcontrols
, wrapQtAppsHook
}:
stdenv.mkDerivation rec {
pname = "firebird-emu";
version = "1.6";
@ -12,16 +19,23 @@ mkDerivation rec {
hash = "sha256-ZptjlnOiF+hKuKYvBFJL95H5YQuR99d4biOco/MVEmE=";
};
nativeBuildInputs = [ qmake ];
# work around https://github.com/NixOS/nixpkgs/issues/19098
env.NIX_CFLAGS_COMPILE = lib.optionalString (stdenv.cc.isClang && stdenv.isDarwin) "-fno-lto";
buildInputs = [ qtbase qtdeclarative ];
nativeBuildInputs = [ wrapQtAppsHook qmake ];
buildInputs = [ qtbase qtdeclarative qtquickcontrols ];
postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
mkdir $out/Applications
mv $out/bin/${pname}.app $out/Applications/
'';
meta = {
homepage = "https://github.com/nspire-emus/firebird";
description = "Third-party multi-platform emulator of the ARM-based TI-Nspire calculators";
license = lib.licenses.gpl3;
maintainers = with lib.maintainers; [ pneumaticat ];
# Only tested on Linux, but likely possible to build on, e.g. macOS
platforms = lib.platforms.linux;
platforms = lib.platforms.unix;
};
}


@ -18,13 +18,13 @@
python3Packages.buildPythonApplication rec {
pname = "gscreenshot";
version = "3.4.1";
version = "3.4.2";
src = fetchFromGitHub {
owner = "thenaterhood";
repo = "${pname}";
rev = "v${version}";
sha256 = "sLJ+Fk+ePrmJeSllGd30uEQ/uFDl5CIob//1cDLKZHg=";
sha256 = "sha256-Ha9PTvr6XNGhe4I0ZUwrdbsNHWhz+Ubw2gp+ctLTO64=";
};
# needed for wrapGAppsHook to function


@ -12,14 +12,14 @@
python3Packages.buildPythonPackage rec {
pname = "hydrus";
version = "551";
version = "552";
format = "other";
src = fetchFromGitHub {
owner = "hydrusnetwork";
repo = "hydrus";
rev = "refs/tags/v${version}";
hash = "sha256-P/U44ndfucbRnwGLdSnnA0VE4K40zPz3wtNpQj8rh5Q=";
hash = "sha256-MaS9WxYlbQ7V/2mrETKS0UyWb5IzCrSwDcp4UlVS3zk=";
};
nativeBuildInputs = [


@ -29,6 +29,6 @@ rustPlatform.buildRustPackage rec {
homepage = "https://github.com/Misterio77/flavours";
changelog = "https://github.com/Misterio77/flavours/releases/tag/v${version}";
license = licenses.mit;
maintainers = with maintainers; [ fortuneteller2k misterio77 ];
maintainers = with maintainers; [ moni misterio77 ];
};
}


@ -27,7 +27,7 @@ rustPlatform.buildRustPackage rec {
homepage = "https://gitlab.com/snakedye/kile";
license = licenses.mit;
platforms = platforms.linux; # It's meant for river, a wayland compositor
maintainers = with maintainers; [ fortuneteller2k ];
maintainers = with maintainers; [ moni ];
mainProgram = "kile";
};
}


@ -27,6 +27,6 @@ stdenv.mkDerivation rec {
homepage = "https://github.com/Sweets/tiramisu";
license = licenses.mit;
platforms = platforms.linux;
maintainers = with maintainers; [ wishfort36 fortuneteller2k ];
maintainers = with maintainers; [ wishfort36 moni ];
};
}


@ -6,12 +6,12 @@
stdenv.mkDerivation rec {
pname = "upwork";
version = "5.8.0.31";
version = "5.8.0.33";
src = requireFile {
name = "${pname}_${version}_amd64.deb";
url = "https://www.upwork.com/ab/downloads/os/linux/";
sha256 = "sha256-tQV6v0U6xxqBl7nQaBhXSrc9iv+7SPHfABTiJJQDnPI=";
sha256 = "sha256-MU0usTAfNNMN8OYmS6dWU6Xk2o5dg5J0V7OQiv3dLug=";
};
nativeBuildInputs = [


@ -15,9 +15,9 @@
version = "2023-09-12";
};
};
hash = "sha256-UR8EowMYZ668qQ/6C9C/M+0HSguyUGKVhY46FTG+ShA=";
hash_deb_amd64 = "sha256-PIBWkCwU/7N242wR/WmpJDDJKLDGk/sJxPxa05bOQSE=";
version = "119.0.6045.123";
hash = "sha256-8xPm3vNF0HjfL7ewTz7iz7GMfiJi6mhMK1YSC7VeoSM=";
hash_deb_amd64 = "sha256-xAm7bPsnnJD7UWNTtHKMv5enHo3rM9w0M81QPqZVlP4=";
version = "119.0.6045.159";
};
ungoogled-chromium = {
deps = {
@ -28,12 +28,12 @@
version = "2023-09-12";
};
ungoogled-patches = {
hash = "sha256-4EbfM62KuG8nHrYWwp183V5G9ac7FICjpyJahnKbQjE=";
rev = "119.0.6045.123-1";
hash = "sha256-kgUrYXy2avfwfRckSYI6YPMW1uuvl2Osg4Vr9Q1ksMc=";
rev = "119.0.6045.159-1";
};
};
hash = "sha256-UR8EowMYZ668qQ/6C9C/M+0HSguyUGKVhY46FTG+ShA=";
hash_deb_amd64 = "sha256-PIBWkCwU/7N242wR/WmpJDDJKLDGk/sJxPxa05bOQSE=";
version = "119.0.6045.123";
hash = "sha256-8xPm3vNF0HjfL7ewTz7iz7GMfiJi6mhMK1YSC7VeoSM=";
hash_deb_amd64 = "sha256-xAm7bPsnnJD7UWNTtHKMv5enHo3rM9w0M81QPqZVlP4=";
version = "119.0.6045.159";
};
}


@ -58,7 +58,7 @@ buildNpmPackage rec {
homepage = "https://vieb.dev/";
changelog = "https://github.com/Jelmerro/Vieb/releases/tag/${version}";
description = "Vim Inspired Electron Browser";
maintainers = with maintainers; [ gebner fortuneteller2k tejing ];
maintainers = with maintainers; [ gebner tejing ];
platforms = platforms.unix;
license = licenses.gpl3Plus;
};


@ -33,6 +33,6 @@ buildGoModule rec {
description = "The missing glue to put together large Kubernetes deployments";
homepage = "https://kluctl.io/";
license = licenses.asl20;
maintainers = with maintainers; [ sikmir ];
maintainers = with maintainers; [ sikmir netthier ];
};
}


@ -2,16 +2,16 @@
buildGoModule rec {
pname = "kubefirst";
version = "2.3.0";
version = "2.3.5";
src = fetchFromGitHub {
owner = "kubefirst";
repo = pname;
rev = "v${version}";
hash = "sha256-5znZMr0Dj6kpKJbypICN5+Fv/+3FgTLBok3YMrWaHdo=";
hash = "sha256-RqysUaHLgTNuTeLt5xsD06Qxv5qsGTPE0H7r4RqPf30=";
};
vendorHash = "sha256-/iAGUnIMH2+IrvvXig56SpZ0eTfVwaCgGMUDp5/MtEo=";
vendorHash = "sha256-IH43F809dr6LGb87pqW2G9xrJLsQcHfjOm5PUj8r4Qo=";
ldflags = [ "-s" "-w" "-X github.com/kubefirst/runtime/configs.K1Version=v${version}"];


@ -2,13 +2,13 @@
buildGoModule rec {
pname = "rke";
version = "1.4.10";
version = "1.4.11";
src = fetchFromGitHub {
owner = "rancher";
repo = pname;
rev = "v${version}";
hash = "sha256-rr6CN5ik4vuLNqzNPvISfRfOjTcD48pSre2K6xr6xSk=";
hash = "sha256-bsvAyyf/ITIm8pxVF61idM91Ztd/2ufH2lBHR6a7lCQ=";
};
vendorHash = "sha256-3bivFrn2xDyILD1ugSr7IehhNq4vkqShFQI3sbeY0iY=";


@ -5,16 +5,16 @@
buildGoModule rec {
pname = "tfautomv";
version = "0.5.3";
version = "0.5.4";
src = fetchFromGitHub {
owner = "busser";
repo = pname;
rev = "v${version}";
hash = "sha256-A1/sf+QjxQ8S2Cqmw9mD0r4aqA2Ssopeni0YNLND9L8=";
hash = "sha256-irB0Kfd8eqIKq0ooJRxB0X4t2/1aFCNYRwaG6lAw3ic=";
};
vendorHash = "sha256-zAshnSqZT9lx9EWvJsMwi6rqvhUWJ/3uJnk+44TGzlU=";
vendorHash = "sha256-Wc5hpiHL5I01IodcHX0IzeKfthkFS7SuUxmaxOU6WkA=";
ldflags = [ "-s" "-w" ];


@ -7,7 +7,7 @@ let
# Please keep the version x.y.0.z and do not update to x.y.76.z because the
# source of the latter disappears much faster.
version = "8.106.0.212";
version = "8.108.0.205";
rpath = lib.makeLibraryPath [
alsa-lib
@ -68,7 +68,7 @@ let
"https://mirror.cs.uchicago.edu/skype/pool/main/s/skypeforlinux/skypeforlinux_${version}_amd64.deb"
"https://web.archive.org/web/https://repo.skype.com/deb/pool/main/s/skypeforlinux/skypeforlinux_${version}_amd64.deb"
];
sha256 = "sha256-TlqhCj5nyL8SEo3M6ahPLYOTDrEjHvxtu1qFSR8LtkM=";
sha256 = "sha256-9V+/tTFco69NkCeswbGobr3ZxcS3q+Zd7fiei4N8uTY=";
}
else
throw "Skype for linux is not supported on ${stdenv.hostPlatform.system}";


@ -22,11 +22,11 @@
stdenv.mkDerivation rec {
pname = "mailspring";
version = "1.11.0";
version = "1.12.0";
src = fetchurl {
url = "https://github.com/Foundry376/Mailspring/releases/download/${version}/mailspring-${version}-amd64.deb";
hash = "sha256-aAqkltVxIlGwRVGM+1QkrVgfnitl+D3Xb0qi0o8ow+Q=";
hash = "sha256-6dTAPetJgYrvIEtu+2QxcBOeYFZfN/dFhM0CZFzcC/E=";
};
nativeBuildInputs = [
@ -57,6 +57,7 @@ stdenv.mkDerivation rec {
openssl
(lib.getLib udev)
libappindicator
libsecret
];
unpackPhase = ''


@ -53,7 +53,7 @@ stdenv.mkDerivation (finalAttrs: {
#
# nix-shell maintainers/scripts/update.nix --argstr package uhd --argstr commit true
#
version = "4.5.0.0";
version = "4.6.0.0";
outputs = [ "out" "dev" ];
@ -63,14 +63,14 @@ stdenv.mkDerivation (finalAttrs: {
rev = "v${finalAttrs.version}";
# The updateScript relies on the `src` using `hash`, and not `sha256. To
# update the correct hash for the `src` vs the `uhdImagesSrc`
hash = "sha256-0EqMBaQiNr8PE542YNkPvX3o1HhnhrO0Kz1euphY6Ps=";
hash = "sha256-9ZGt0ZrGbprCmpAuOue6pg2gliu4MvlRFHGxyMJeKAc=";
};
# Firmware images are downloaded (pre-built) from the respective release on Github
uhdImagesSrc = fetchurl {
url = "https://github.com/EttusResearch/uhd/releases/download/v${finalAttrs.version}/uhd-images_${finalAttrs.version}.tar.xz";
# Please don't convert this to a hash, in base64, see comment near src's
# hash.
sha256 = "13cn41wv7vldk4vx7vy3jbb3wb3a5vpfg3ay893klpi6vzxc1dly";
sha256 = "17g503mhndaabrdl7qai3rdbafr8xx8awsyr7h2bdzwzprzmh4m3";
};
passthru = {
updateScript = [


@ -103,7 +103,7 @@ mkDerivation rec {
homepage = "https://github.com/contour-terminal/contour";
changelog = "https://github.com/contour-terminal/contour/raw/v${version}/Changelog.md";
license = licenses.asl20;
maintainers = with maintainers; [ fortuneteller2k ];
maintainers = with maintainers; [ moni ];
platforms = platforms.unix;
};
}


@ -1,5 +1,5 @@
{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
, ruby_3_0, tzdata, git, nettools, nixosTests, nodejs, openssl
, ruby_3_2, tzdata, git, nettools, nixosTests, nodejs, openssl
, gitlabEnterprise ? false, callPackage, yarn
, fixup_yarn_lock, replace, file, cacert, fetchYarnDeps, makeWrapper, pkg-config
}:
@ -17,7 +17,7 @@ let
rubyEnv = bundlerEnv rec {
name = "gitlab-env-${version}";
ruby = ruby_3_0;
ruby = ruby_3_2;
gemdir = ./rubyEnv;
gemset =
let x = import (gemdir + "/gemset.nix") src;


@ -7,10 +7,10 @@
stdenv.mkDerivation rec {
pname = "bilibili";
version = "1.12.1-2";
version = "1.12.3-1";
src = fetchurl {
url = "https://github.com/msojocs/bilibili-linux/releases/download/v${version}/io.github.msojocs.bilibili_${version}_amd64.deb";
hash = "sha256-vYoVHVT/Deooxq/0WVzPebR68N9KBJfgLU30lJPB89M=";
hash = "sha256-F2y5daIdNJZGNjOctN9iA6kHSRVSMWK8s80X+kXxzb4=";
};
unpackPhase = ''


@ -38,20 +38,20 @@ let
singularity = callPackage
(import ./generic.nix rec {
pname = "singularity-ce";
version = "4.0.1";
version = "4.0.2";
projectName = "singularity";
src = fetchFromGitHub {
owner = "sylabs";
repo = "singularity";
rev = "refs/tags/v${version}";
hash = "sha256-rdpIAiLh4mlSu+1UUDN79gIzxy5X5wOB5XOW9oBm+HU=";
hash = "sha256-R+vAKYR4lJmC7PIITYyg4UeGYjGXoPqqUai3HmPzwG0=";
};
# Update by running
# nix-prefetch -E "{ sha256 }: ((import ./. { }).singularity.override { vendorHash = sha256; }).goModules"
# at the root directory of the Nixpkgs repository
vendorHash = "sha256-kV4Yu9MBoF8spJroWqLOUt2v8YV79AoNUG9hYgPgXRc=";
vendorHash = "sha256-z3VozeMpaqh4ddZxB3xqo25Gm+8JYeIwASOq+Mmerr4=";
# Do not build conmon and squashfuse from the Git submodule sources,
# Use Nixpkgs provided version


@ -1,4 +1,9 @@
{ stdenv, lib, fetchFromGitHub, rustPlatform, libX11, libXinerama }:
{ lib
, fetchFromGitHub
, rustPlatform
, libX11
, libXinerama
}:
let
rpathLibs = [ libXinerama libX11 ];
@ -6,16 +11,16 @@ in
rustPlatform.buildRustPackage rec {
pname = "leftwm";
version = "0.4.2";
version = "0.5.1";
src = fetchFromGitHub {
owner = "leftwm";
repo = "leftwm";
rev = version;
sha256 = "sha256-SjEp0gQHwq3Omhx/EPnyLeQJ50Ov0rHDxmYVWBwIDBs=";
rev = "refs/tags/${version}";
hash = "sha256-wn5DurPWFwSUtc5naEL4lBSQpKWTJkugpN9mKx+Ed2Y=";
};
cargoSha256 = "sha256-kdGqnfzO+Ev9QeZcZqISPTehEXZzCWT5S8p6JbTBreE=";
cargoHash = "sha256-TylRxdpAVuGtZ3Lm8je6FZ0JUwetBi6mOGRoT2M3Jyk=";
buildInputs = rpathLibs;
@ -23,16 +28,18 @@ rustPlatform.buildRustPackage rec {
for p in $out/bin/left*; do
patchelf --set-rpath "${lib.makeLibraryPath rpathLibs}" $p
done
install -D -m 0555 leftwm/doc/leftwm.1 $out/share/man/man1/leftwm.1
'';
dontPatchELF = true;
meta = with lib; {
meta = {
description = "A tiling window manager for the adventurer";
homepage = "https://github.com/leftwm/leftwm";
license = licenses.mit;
platforms = platforms.linux;
maintainers = with maintainers; [ yanganto ];
changelog = "https://github.com/leftwm/leftwm/blob/${version}/CHANGELOG";
license = lib.licenses.mit;
platforms = lib.platforms.linux;
maintainers = with lib.maintainers; [ yanganto ];
changelog = "https://github.com/leftwm/leftwm/blob/${version}/CHANGELOG.md";
};
}
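Review bot: The man page is installed with `install -D -m 0555 leftwm/doc/leftwm.1 ...`, which marks a documentation file executable. `-m 0444` is the usual mode for a man page; alternatively `installManPage leftwm/doc/leftwm.1`, with `installShellFiles` in `nativeBuildInputs`, picks the section directory itself. In the same phase, `$p` in the `patchelf` loop is unquoted. The phase begins above the hunk, so its name and any hook calls are not visible here.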


@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
meta = with lib; {
description = "A lightweight xcb based bar";
homepage = "https://github.com/LemonBoy/bar";
maintainers = with maintainers; [ meisternu fortuneteller2k ];
maintainers = with maintainers; [ meisternu moni ];
license = licenses.mit;
platforms = platforms.linux;
};


@ -20,6 +20,6 @@ stdenv.mkDerivation {
homepage = "https://github.com/drscream/lemonbar-xft";
license = licenses.mit;
platforms = platforms.linux;
maintainers = with maintainers; [ fortuneteller2k ];
maintainers = with maintainers; [ moni ];
};
}


@ -76,7 +76,7 @@ stdenv.mkDerivation rec {
meta = with lib; {
homepage = "https://github.com/DelusionalLogic/NeoComp";
license = licenses.gpl3Only;
maintainers = with maintainers; [ twey fortuneteller2k ];
maintainers = with maintainers; [ twey moni ];
platforms = platforms.linux;
description = "A fork of Compton, a compositor for X11";
longDescription = ''


@ -83,7 +83,7 @@ stdenv.mkDerivation (finalAttrs: {
license = lib.licenses.gpl3Plus;
maintainers = with lib.maintainers; [
adamcstephens
fortuneteller2k
moni
rodrgz
];
mainProgram = "river";
