Merge master into staging-next

This commit is contained in:
Frederik Rietdijk 2019-08-31 09:50:38 +02:00
commit fc74ba8291
364 changed files with 8989 additions and 6877 deletions

.github/CODEOWNERS vendored

@ -139,3 +139,14 @@
# Bazel
/pkgs/development/tools/build-managers/bazel @mboes @Profpatsch
# NixOS modules for e-mail and dns services
/nixos/modules/services/mail/mailman.nix @peti
/nixos/modules/services/mail/postfix.nix @peti
/nixos/modules/services/networking/bind.nix @peti
/nixos/modules/services/mail/rspamd.nix @peti
# Emacs
/pkgs/applications/editors/emacs-modes @adisbladis
/pkgs/applications/editors/emacs @adisbladis
/pkgs/top-level/emacs-packages.nix @adisbladis


@ -0,0 +1,71 @@
# Crystal
## Building a Crystal package
This section uses [Mint](https://github.com/mint-lang/mint) as an example for how to build a Crystal package.
If the Crystal project has any dependencies, the first step is to get a `shards.nix` file encoding those. Get a copy of the project and go to its root directory such that its `shard.lock` file is in the current directory, then run `crystal2nix` in it
```bash
$ git clone https://github.com/mint-lang/mint
$ cd mint
$ git checkout 0.5.0
$ nix-shell -p crystal2nix --run crystal2nix
```
This should have generated a `shards.nix` file.
Next create a Nix file for your derivation and use `pkgs.crystal.buildCrystalPackage` as follows:
```nix
with import <nixpkgs> {};
crystal.buildCrystalPackage rec {
pname = "mint";
version = "0.5.0";
src = fetchFromGitHub {
owner = "mint-lang";
repo = "mint";
rev = version;
sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
};
# Insert the path to your shards.nix file here
shardsFile = ./shards.nix;
...
}
```
This won't build anything yet, because we haven't told it what files build. We can specify a mapping from binary names to source files with the `crystalBinaries` attribute. The project's compilation instructions should show this. For Mint, the binary is called "mint", which is compiled from the source file `src/mint.cr`, so we'll specify this as follows:
```nix
crystalBinaries.mint.src = "src/mint.cr";
# ...
```
Additionally you can override the default `crystal build` options (which are currently `--release --progress --no-debug --verbose`) with
```nix
crystalBinaries.mint.options = [ "--release" "--verbose" ];
```
Depending on the project, you might need additional steps to get it to compile successfully. In Mint's case, we need to link against openssl, so in the end the Nix file looks as follows:
```nix
with import <nixpkgs> {};
crystal.buildCrystalPackage rec {
version = "0.5.0";
pname = "mint";
src = fetchFromGitHub {
owner = "mint-lang";
repo = "mint";
rev = version;
sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
};
shardsFile = ./shards.nix;
crystalBinaries.mint.src = "src/mint.cr";
buildInputs = [ openssl_1_0_2 ];
}
```


@ -32,4 +32,5 @@
<xi:include href="titanium.section.xml" />
<xi:include href="vim.section.xml" />
<xi:include href="emscripten.section.xml" />
<xi:include href="crystal.section.xml" />
</chapter>


@ -6,7 +6,7 @@
answer some of the frequently asked questions
related to Nixpkgs use.
Some useful information related to package use
Some useful information related to package use
can be found in <link linkend="chap-package-notes">package-specific development notes</link>.
</para>
@ -196,7 +196,7 @@ overrides = self: super: rec {
haskell-mode = self.melpaPackages.haskell-mode;
...
};
((emacsPackagesNgGen emacs).overrideScope' overrides).emacsWithPackages (p: with p; [
((emacsPackagesGen emacs).overrideScope' overrides).emacsWithPackages (p: with p; [
# here both these package will use haskell-mode of our own choice
ghc-mod
dante


@ -323,16 +323,14 @@ rec {
else
mergeDefinitions loc opt.type defs';
# Check whether the option is defined, and apply the apply
# function to the merged value. This allows options to yield a
# value computed from the definitions.
value =
if !res.isDefined then
throw "The option `${showOption loc}' is used but not defined."
else if opt ? apply then
opt.apply res.mergedValue
else
res.mergedValue;
# The value with a check that it is defined
valueDefined = if res.isDefined then res.mergedValue else
throw "The option `${showOption loc}' is used but not defined.";
# Apply the 'apply' function to the merged value. This allows options to
# yield a value computed from the definitions
value = if opt ? apply then opt.apply valueDefined else valueDefined;
in opt //
{ value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;


@ -478,7 +478,7 @@
name = "Stanislas Lange";
};
ankhers = {
email = "justin.k.wood@gmail.com";
email = "me@ankhers.dev";
github = "ankhers";
githubId = 750786;
name = "Justin Wood";
@ -5340,10 +5340,16 @@
name = "Richard Lupton";
};
rnhmjoj = {
email = "micheleguerinirocco@me.com";
email = "rnhmjoj@inventati.org";
github = "rnhmjoj";
githubId = 2817565;
name = "Michele Guerini Rocco";
keys =
[
{ longkeyid = "ed25519/0xBFBAF4C975F76450";
fingerprint = "92B2 904F D293 C94D C4C9 3E6B BFBA F4C9 75F7 6450";
}
];
};
rob = {
email = "rob.vermaas@gmail.com";
@ -5686,6 +5692,12 @@
githubId = 918365;
name = "Stefan Frijters";
};
sgo = {
email = "stig@stig.io";
github = "stigtsp";
githubId = 75371;
name = "Stig Palmquist";
};
sgraf = {
email = "sgraf1337@gmail.com";
github = "sgraf812";
@ -6655,6 +6667,16 @@
githubId = 5837359;
name = "Adrian Pistol";
};
vika_nezrimaya = {
email = "vika@fireburn.ru";
github = "kisik21";
githubId = 7953163;
name = "Vika Shleina";
keys = [{
longkeyid = "rsa4096/0x5402B9B5497BACDB";
fingerprint = "A03C D09C 36CF D9F6 1ADF AF11 5402 B9B5 497B ACDB";
}];
};
vinymeuh = {
email = "vinymeuh@gmail.com";
github = "vinymeuh";


@ -18,6 +18,7 @@ http,,,,,vcunat
inspect,,,,,
ldoc,,,,,
lgi,,,,,
ljsyscall,,,,lua5_1,lblasc
lpeg,,,,,vyp
lpeg_patterns,,,,,
lpeglabel,,,,,

1 # nix name luarocks name server version luaversion maintainers
18 inspect
19 ldoc
20 lgi
21 ljsyscall lua5_1 lblasc
22 lpeg vyp
23 lpeg_patterns
24 lpeglabel


@ -11,4 +11,11 @@
creating the image in the first place. As a result it allows users to edit
and rebuild the live-system.
</para>
<para>
On images where the installation media also becomes an installation target,
copying over <literal>configuration.nix</literal> should be disabled by
setting <literal>installer.cloneConfig</literal> to <literal>false</literal>.
This is already done in <literal>sd-image.nix</literal>.
</para>
</section>


@ -6,33 +6,31 @@
<title>Installation Device</title>
<para>
Provides a basic configuration for installation devices like CDs. This means
enabling hardware scans, using the <link linkend="sec-profile-clone-config">
Clone Config profile</link> to guarantee
<filename>/etc/nixos/configuration.nix</filename> exists (for
<command>nixos-rebuild</command> to work), a copy of the Nixpkgs channel
snapshot used to create the install media.
Provides a basic configuration for installation devices like CDs.
This enables redistributable firmware, includes the
<link linkend="sec-profile-clone-config">Clone Config profile</link>
and a copy of the Nixpkgs channel, so <command>nixos-install</command>
works out of the box.
</para>
<para>
Additionally, documentation for <link linkend="opt-documentation.enable">
Nixpkgs</link> and <link linkend="opt-documentation.nixos.enable">NixOS
</link> are forcefully enabled (to override the
Documentation for <link linkend="opt-documentation.enable">Nixpkgs</link>
and <link linkend="opt-documentation.nixos.enable">NixOS</link> are
forcefully enabled (to override the
<link linkend="sec-profile-minimal">Minimal profile</link> preference); the
NixOS manual is shown automatically on TTY 8, sudo and udisks are disabled.
Autologin is enabled as root.
NixOS manual is shown automatically on TTY 8, udisks is disabled.
Autologin is enabled as <literal>nixos</literal> user, while passwordless
login as both <literal>root</literal> and <literal>nixos</literal> is possible.
Passwordless <command>sudo</command> is enabled too.
<link linkend="opt-networking.wireless.enable">wpa_supplicant</link> is
enabled, but configured to not autostart.
</para>
<para>
It is explained how to login, start the ssh server, and if available,
how to start the display manager.
</para>
<para>
A message is shown to the user to start a display manager if needed, ssh with
<xref linkend="opt-services.openssh.permitRootLogin"/> are enabled (but
doesn't autostart). WPA Supplicant is also enabled without autostart.
</para>
<para>
Finally, vim is installed, root is set to not have a password, the kernel is
made more silent for remote public IP installs, and several settings are
tweaked so that the installer has a better chance of succeeding under
low-memory environments.
Several settings are tweaked so that the installer has a better chance of
succeeding under low-memory environments.
</para>
</section>


@ -48,6 +48,15 @@
To gain root privileges use <literal>sudo -i</literal> without a password.
</para>
</listitem>
<listitem>
<para>
We've updated to Xfce 4.14, which brings a new module <option>services.xserver.desktopManager.xfce4-14</option>.
If you'd like to upgrade, please switch from the <option>services.xserver.desktopManager.xfce</option> module as it
will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support
<option>thunarPlugins</option> and it isn't recommended to use <option>services.xserver.desktopManager.xfce</option>
and <option>services.xserver.desktopManager.xfce4-14</option> simultaneously or to downgrade from Xfce 4.14 after upgrading.
</para>
</listitem>
</itemizedlist>
</section>
@ -291,6 +300,55 @@
configuration while being better type-checked and mergeable.
</para>
</listitem>
<listitem>
<para>
No service depends on <literal>keys.target</literal> anymore which is a systemd
target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
Instead, <literal>&lt;key-name&gt;-key.service</literal> should be used to define
a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
</para>
<para>
The following services are affected by this:
<itemizedlist>
<listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
<listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
<listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
<listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
<listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
<listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The <option>security.acme.directory</option> option has been replaced by a read-only <option>security.acme.certs.&lt;cert&gt;.directory</option> option for each certificate you define. This will be
a subdirectory of <literal>/var/lib/acme</literal>. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example,
the <option>services.nginx.virtualhosts.&lt;name&gt;.enableACME</option> option will use this directory option to find the certs for the virtual host.
</para>
<para>
<option>security.acme.preDelay</option> and <option>security.acme.activationDelay</option> options have been removed. To execute a service before certificates
are provisioned or renewed add a <literal>RequiredBy=acme-${cert}.service</literal> to any service.
</para>
<para>
Furthermore, the acme module will not automatically add a dependency on <literal>lighttpd.service</literal> anymore. If you are using certficates provided by letsencrypt
for lighttpd, then you should depend on the certificate service <literal>acme-${cert}.service></literal> manually.
</para>
<para>
For nginx, the dependencies are still automatically managed when <option>services.nginx.virtualhosts.&lt;name&gt;.enableACME</option> is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs,
instead of depending on the catch-all <literal>acme-certificates.target</literal>. This target unit was also removed from the codebase.
This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal
ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>.
</para>
</listitem>
<listitem>
<para>
The old deprecated <literal>emacs</literal> package sets have been dropped.
What used to be called <literal>emacsPackagesNg</literal> is now simply called <literal>emacsPackages</literal>.
</para>
</listitem>
</itemizedlist>
</section>
@ -506,27 +564,33 @@
<option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>systemd.packages</literal> option now also supports generators and
shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
been removed.
</para>
</listitem>
<listitem>
<para>
The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer.
Use <literal>rspamd</literal> in proxy mode instead.
</para>
</listitem>
<listitem>
<para>
systemd cgroup accounting via the
<link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
option is now enabled by default. It now also enables the more recent Block IO and IP accounting
features.
</para>
</listitem>
<listitem>
<para>
<literal>systemd.packages</literal> option now also supports generators and
shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
been removed.
</para>
</listitem>
<listitem>
<para>
The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer.
Use <literal>rspamd</literal> in proxy mode instead.
</para>
</listitem>
<listitem>
<para>
systemd cgroup accounting via the
<link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
option is now enabled by default. It now also enables the more recent Block IO and IP accounting
features.
</para>
</listitem>
<listitem>
<para>
We no longer enable custom font rendering settings with <option>fonts.fontconfig.penultimate.enable</option> by default.
The defaults from fontconfig are sufficient.
</para>
</listitem>
</itemizedlist>
</section>
</section>


@ -269,7 +269,7 @@ in
penultimate = {
enable = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Enable fontconfig-penultimate settings to supplement the
NixOS defaults by providing per-font rendering defaults and


@ -194,5 +194,9 @@ in
rm -f /nix-path-registration
fi
'';
# the installation media is also the installation target,
# so we don't want to provide the installation configuration.nix.
installer.cloneConfig = false;
};
}


@ -340,7 +340,7 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
mailman = 316;
#mailman = 316; # removed 2019-08-30
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -641,7 +641,7 @@
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
mailman = 316;
#mailman = 316; # removed 2019-08-30
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal


@ -376,6 +376,7 @@
./services/mail/mail.nix
./services/mail/mailcatcher.nix
./services/mail/mailhog.nix
./services/mail/mailman.nix
./services/mail/mlmmj.nix
./services/mail/offlineimap.nix
./services/mail/opendkim.nix
@ -770,6 +771,7 @@
./services/system/uptimed.nix
./services/torrent/deluge.nix
./services/torrent/flexget.nix
./services/torrent/magnetico.nix
./services/torrent/opentracker.nix
./services/torrent/peerflix.nix
./services/torrent/transmission.nix


@ -55,13 +55,16 @@ with lib;
services.mingetty.autologinUser = "nixos";
# Some more help text.
services.mingetty.helpLine =
''
services.mingetty.helpLine = ''
The "nixos" and "root" accounts have empty passwords.
The "nixos" and "root" account have empty passwords. ${
optionalString config.services.xserver.enable
"Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
'';
Type `sudo systemctl start sshd` to start the SSH daemon.
You then must set a password for either "root" or "nixos"
with `passwd` to be able to login.
'' + optionalString config.services.xserver.enable ''
Type `sudo systemctl start display-manager' to
start the graphical user interface.
'';
# Allow sshd to be started manually through "systemctl start sshd".
services.openssh = {
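Review bot: The rewritten helpLine mixes two quoting styles for commands: `sudo systemctl start sshd` and `passwd` are wrapped in matching backticks, while the display-manager line keeps the older backtick/apostrophe pair (`sudo systemctl start display-manager'). Since this text is shown verbatim on the console, picking one style, for example `Type \`sudo systemctl start display-manager\` to`, keeps the message consistent. The surrounding attribute set continues outside the hunk.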


@ -98,7 +98,7 @@ in
if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
PROMPT_COLOR="1;31m"
let $UID && PROMPT_COLOR="1;32m"
if [ -n "$INSIDE_EMACS" ]; then
if [ -n "$INSIDE_EMACS" -o "$TERM" == "eterm" -o "$TERM" == "eterm-color" ]; then
# Emacs term mode doesn't support xterm title escape sequence (\e]0;)
PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
else
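Review bot: The extended condition `[ -n "$INSIDE_EMACS" -o "$TERM" == "eterm" -o "$TERM" == "eterm-color" ]` relies on bash's non-POSIX `==` inside a single-bracket test and on the obsolescent `-o` operator, which makes the line harder to read even though it works in bash's builtin. Since this file already uses bash-only constructs such as `let`, `[[ -n "$INSIDE_EMACS" || "$TERM" == eterm || "$TERM" == eterm-color ]]` states the same thing more clearly. The enclosing if block starts and ends outside the hunk.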


@ -214,7 +214,6 @@ in
# Need to disable features to support TRAMP
if [ "$TERM" = dumb ]; then
unsetopt zle prompt_cr prompt_subst
unfunction precmd preexec
unset RPS1 RPROMPT
PS1='$ '
PROMPT='$ '


@ -256,6 +256,11 @@ with lib;
# binfmt
(mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
# ACME
(mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
(mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
(mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
# KSM
(mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ])
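Review bot: The replacement text of the preDelay and activationDelay entries recommends `RequiredBy=acme-\${cert}.service` as the way to run something before certificates are provisioned, but a Requires/RequiredBy relationship only establishes a dependency, not an ordering, so without `Before=acme-\${cert}.service` the hook may still run concurrently with or after the renewal. The message should tell users to add both `Before=` and `RequiredBy=` to their unit; the release-notes hunk in this commit repeats the same advice and would need the same correction. The directory entry's message also misspells "permissions" as `permisisons`.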


@ -80,25 +80,11 @@ let
'';
};
activationDelay = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Systemd time span expression to delay copying new certificates to main
state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
'';
};
preDelay = mkOption {
type = types.lines;
default = "";
description = ''
Commands to run after certificates are re-issued but before they are
activated. Typically the new certificate is published to DNS.
Executed in the same directory with the new certificate.
'';
directory = mkOption {
type = types.str;
readOnly = true;
default = "/var/lib/acme/${name}";
description = "Directory where certificate and other state is stored.";
};
extraDomains = mkOption {
@ -126,13 +112,6 @@ in
options = {
security.acme = {
directory = mkOption {
default = "/var/lib/acme";
type = types.str;
description = ''
Directory where certs and other state will be stored by default.
'';
};
validMin = mkOption {
type = types.int;
@ -181,7 +160,11 @@ in
default = { };
type = with types; attrsOf (submodule certOpts);
description = ''
Attribute set of certificates to get signed and renewed.
Attribute set of certificates to get signed and renewed. Creates
<literal>acme-''${cert}.{service,timer}</literal> systemd units for
each certificate defined here. Other services can add dependencies
to those units if they rely on the certificates being present,
or trigger restarts of the service if certificates get renewed.
'';
example = literalExample ''
{
@ -209,8 +192,7 @@ in
servicesLists = mapAttrsToList certToServices cfg.certs;
certToServices = cert: data:
let
cpath = lpath + optionalString (data.activationDelay != null) ".staging";
lpath = "${cfg.directory}/${cert}";
lpath = "acme/${cert}";
rights = if data.allowKeysForGroup then "750" else "700";
cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
++ optionals (data.email != null) [ "--email" data.email ]
@ -224,79 +206,27 @@ in
serviceConfig = {
Type = "oneshot";
SuccessExitStatus = [ "0" "1" ];
PermissionsStartOnly = true;
User = data.user;
Group = data.group;
PrivateTmp = true;
StateDirectory = lpath;
StateDirectoryMode = rights;
WorkingDirectory = "/var/lib/${lpath}";
ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}";
ExecStopPost =
let
script = pkgs.writeScript "acme-post-stop" ''
#!${pkgs.runtimeShell} -e
${data.postRun}
'';
in
"+${script}";
};
path = with pkgs; [ simp_le systemd ];
preStart = ''
mkdir -p '${cfg.directory}'
chown 'root:root' '${cfg.directory}'
chmod 755 '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi
chmod ${rights} '${cpath}'
chown -R '${data.user}:${data.group}' '${cpath}'
mkdir -p '${data.webroot}/.well-known/acme-challenge'
chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
'';
script = ''
cd '${cpath}'
set +e
simp_le ${escapeShellArgs cmdline}
EXITCODE=$?
set -e
echo "$EXITCODE" > /tmp/lastExitCode
exit "$EXITCODE"
'';
postStop = ''
cd '${cpath}'
if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
${if data.activationDelay != null then ''
${data.preDelay}
if [ -d '${lpath}' ]; then
systemd-run --no-block --on-active='${data.activationDelay}' --unit acme-setlive-${cert}.service
else
systemctl --wait start acme-setlive-${cert}.service
fi
'' else data.postRun}
# noop ensuring that the "if" block is non-empty even if
# activationDelay == null and postRun == ""
true
fi
'';
before = [ "acme-certificates.target" ];
wantedBy = [ "acme-certificates.target" ];
};
delayService = {
description = "Set certificate for ${cert} live";
path = with pkgs; [ rsync ];
serviceConfig = {
Type = "oneshot";
};
script = ''
rsync -a --delete-after '${cpath}/' '${lpath}'
'';
postStop = data.postRun;
};
selfsignedService = {
description = "Create preliminary self-signed certificate for ${cert}";
path = [ pkgs.openssl ];
preStart = ''
if [ ! -d '${cpath}' ]
then
mkdir -p '${cpath}'
chmod ${rights} '${cpath}'
chown '${data.user}:${data.group}' '${cpath}'
fi
'';
script =
''
workdir="$(mktemp -d)"
@ -318,50 +248,41 @@ in
-out $workdir/server.crt
# Copy key to destination
cp $workdir/server.key ${cpath}/key.pem
cp $workdir/server.key /var/lib/${lpath}/key.pem
# Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem"
cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem"
# Create full.pem for e.g. lighttpd
cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem"
cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem"
# Give key acme permissions
chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem
chmod ${rights} "${cpath}/"{key,fullchain,full}.pem
chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem
chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem
'';
serviceConfig = {
Type = "oneshot";
PermissionsStartOnly = true;
PrivateTmp = true;
StateDirectory = lpath;
User = data.user;
Group = data.group;
};
unitConfig = {
# Do not create self-signed key when key already exists
ConditionPathExists = "!${cpath}/key.pem";
ConditionPathExists = "!/var/lib/${lpath}/key.pem";
};
before = [
"acme-selfsigned-certificates.target"
];
wantedBy = [
"acme-selfsigned-certificates.target"
];
};
in (
[ { name = "acme-${cert}"; value = acmeService; } ]
++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }
++ optional (data.activationDelay != null) { name = "acme-setlive-${cert}"; value = delayService; }
);
servicesAttr = listToAttrs services;
injectServiceDep = {
after = [ "acme-selfsigned-certificates.target" ];
wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
};
in
servicesAttr //
(if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
(if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
servicesAttr;
systemd.tmpfiles.rules =
flip mapAttrsToList cfg.certs
(cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}")
@ -377,9 +298,6 @@ in
};
})
);
systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {};
systemd.targets."acme-certificates" = {};
})
];
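Review bot: In the `@ -224,79 +206,27 @@` hunk, `ExecStopPost = "+${script}"` runs `data.postRun` after every stop of the acme service, including the exit-status-1 "nothing renewed" case that `SuccessExitStatus` accepts and outright failures, whereas the removed postStop only ran it when the recorded exit code was 0. If postRun is meant to fire only on an actual renewal, gate it on the status systemd exports to ExecStopPost by inserting `[ "$EXIT_STATUS" = "0" ] || exit 0` between the `#!${pkgs.runtimeShell} -e` line and `${data.postRun}`. The `+` prefix also means postRun executes with full privileges rather than as `data.user`; a comment such as `# '+' runs postRun as root, not as data.user (needed e.g. to reload a web server)` on that line would make the privilege boundary explicit. certToServices begins before this hunk and the selfsigned script continues into the next one.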


@ -59,10 +59,8 @@ http {
<para>
The private key <filename>key.pem</filename> and certificate
<filename>fullchain.pem</filename> will be put into
<filename>/var/lib/acme/foo.example.com</filename>. The target directory can
be configured with the option <xref linkend="opt-security.acme.directory"/>.
<filename>/var/lib/acme/foo.example.com</filename>.
</para>
<para>
Refer to <xref linkend="ch-options" /> for all available configuration
options for the <link linkend="opt-security.acme.certs">security.acme</link>


@ -111,7 +111,10 @@ in
config = mkIf cfg.enable {
systemd.services.gitlab-runner = {
path = cfg.packages;
environment = config.networking.proxy.envVars;
environment = config.networking.proxy.envVars // {
# Gitlab runner will not start if the HOME variable is not set
HOME = cfg.workDir;
};
description = "Gitlab Runner";
after = [ "network.target" ]
++ optional hasDocker "docker.service";


@ -224,26 +224,17 @@ in
environment.systemPackages = [ cfg.package ];
systemd.services.redis_init =
{ description = "Redis Server Initialisation";
wantedBy = [ "redis.service" ];
before = [ "redis.service" ];
serviceConfig.Type = "oneshot";
script = ''
install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
chown -R ${cfg.user} ${cfg.dbpath}
'';
};
systemd.services.redis =
{ description = "Redis Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = ''
install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
chown -R ${cfg.user} ${cfg.dbpath}
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}";
User = cfg.user;
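Review bot: The new preStart `install -d -m0700 -o ${cfg.user} ${cfg.dbpath}` / `chown -R ${cfg.user} ${cfg.dbpath}` replaces a root-run oneshot unit, but preStart inherits `User = cfg.user` unless serviceConfig also sets `PermissionsStartOnly = true`; the rest of serviceConfig is outside the hunk, so that may already be the case. If it is not, the first start on a fresh system fails because `cfg.user` cannot create `cfg.dbpath` under root-owned /var/lib and cannot chown it either. Quoting the path as `"${cfg.dbpath}"` in both commands would also keep a dbpath containing spaces from splitting.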


@ -12,14 +12,7 @@ with lib;
services.gnome3.gnome-user-share = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable GNOME User Share, a service that exports the
contents of the Public folder in your home directory on the local network.
'';
};
enable = mkEnableOption "GNOME User Share, a user-level file sharing service for GNOME";
};
@ -30,12 +23,13 @@ with lib;
config = mkIf config.services.gnome3.gnome-user-share.enable {
environment.systemPackages = [ pkgs.gnome3.gnome-user-share ];
environment.systemPackages = [
pkgs.gnome3.gnome-user-share
];
services.xserver.displayManager.sessionCommands = with pkgs.gnome3; ''
# Don't let gnome-control-center depend upon gnome-user-share
export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome-user-share}/share/gsettings-schemas/${gnome-user-share.name}
'';
systemd.packages = [
pkgs.gnome3.gnome-user-share
];
};


@ -9,6 +9,7 @@
Damien Cassou @DamienCassou
Thomas Tuegel @ttuegel
Rodney Lorrimar @rvl
Adam Hoese @adisbladis
-->
<para>
<link xlink:href="https://www.gnu.org/software/emacs/">Emacs</link> is an
@ -130,15 +131,6 @@
Emacs packages through nixpkgs.
</para>
<note>
<para>
This documentation describes the new Emacs packages framework in NixOS
16.03 (<varname>emacsPackagesNg</varname>) which should not be confused
with the previous and deprecated framework
(<varname>emacs24Packages</varname>).
</para>
</note>
<para>
The first step to declare the list of packages you want in your Emacs
installation is to create a dedicated derivation. This can be done in a
@ -164,7 +156,7 @@ $ ./result/bin/emacs
let
myEmacs = pkgs.emacs; <co xml:id="ex-emacsNix-2" />
emacsWithPackages = (pkgs.emacsPackagesNgGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
emacsWithPackages = (pkgs.emacsPackagesGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
in
emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ <co xml:id="ex-emacsNix-4" />
magit # ; Integrate git &lt;C-x g&gt;
@ -262,10 +254,10 @@ in
<example xml:id="module-services-emacs-querying-packages">
<title>Querying Emacs packages</title>
<programlisting><![CDATA[
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.elpaPackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaPackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaStablePackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.orgPackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.elpaPackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaPackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaStablePackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.orgPackages
]]></programlisting>
</example>
</para>


@ -8,8 +8,8 @@ let
cfg = config.services.fwupd;
originalEtc =
let
mkEtcFile = n: nameValuePair n { source = "${pkgs.fwupd}/etc/${n}"; };
in listToAttrs (map mkEtcFile pkgs.fwupd.filesInstalledToEtc);
mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; };
in listToAttrs (map mkEtcFile cfg.package.filesInstalledToEtc);
extraTrustedKeys =
let
mkName = p: "pki/fwupd/${baseNameOf (toString p)}";
@ -24,7 +24,7 @@ let
"fwupd/remotes.d/fwupd-tests.conf" = {
source = pkgs.runCommand "fwupd-tests-enabled.conf" {} ''
sed "s,^Enabled=false,Enabled=true," \
"${pkgs.fwupd.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
"${cfg.package.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
'';
};
} else {};
@ -77,13 +77,21 @@ in {
<link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>.
'';
};
package = mkOption {
type = types.package;
default = pkgs.fwupd;
description = ''
Which fwupd package to use.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.fwupd ];
environment.systemPackages = [ cfg.package ];
environment.etc = {
"fwupd/daemon.conf" = {
@ -102,11 +110,11 @@ in {
} // originalEtc // extraTrustedKeys // testRemote;
services.dbus.packages = [ pkgs.fwupd ];
services.dbus.packages = [ cfg.package ];
services.udev.packages = [ pkgs.fwupd ];
services.udev.packages = [ cfg.package ];
systemd.packages = [ pkgs.fwupd ];
systemd.packages = [ cfg.package ];
systemd.tmpfiles.rules = [
"d /var/lib/fwupd 0755 root root -"


@ -344,8 +344,7 @@ in
systemd.services.dovecot2 = {
description = "Dovecot IMAP/POP3 server";
after = [ "keys.target" "network.target" ];
wants = [ "keys.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ cfg.configFile ];


@ -0,0 +1,114 @@
{ config, pkgs, lib, ... }: # mailman.nix
with lib;
let
cfg = config.services.mailman;
pythonEnv = pkgs.python3.withPackages (ps: [ps.mailman]);
mailmanExe = with pkgs; stdenv.mkDerivation {
name = "mailman-" + python3Packages.mailman.version;
unpackPhase = ":";
installPhase = ''
mkdir -p $out/bin
sed >"$out/bin/mailman" <"${pythonEnv}/bin/mailman" \
-e "2 iexport MAILMAN_CONFIG_FILE=/etc/mailman.cfg"
chmod +x $out/bin/mailman
'';
};
mailmanCfg = ''
[mailman]
site_owner: ${cfg.siteOwner}
layout: fhs
[paths.fhs]
bin_dir: ${pkgs.python3Packages.mailman}/bin
var_dir: /var/lib/mailman
queue_dir: $var_dir/queue
log_dir: $var_dir/log
lock_dir: $var_dir/lock
etc_dir: /etc
ext_dir: $etc_dir/mailman.d
pid_file: /run/mailman/master.pid
'';
in {
###### interface
options = {
services.mailman = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable Mailman on this host. Requires an active Postfix installation.";
};
siteOwner = mkOption {
type = types.str;
default = "postmaster";
description = ''
Certain messages that must be delivered to a human, but which can't
be delivered to a list owner (e.g. a bounce from a list owner), will
be sent to this address. It should point to a human.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.enable -> config.services.postfix.enable;
message = "Mailman requires Postfix";
}
{ assertion = config.services.postfix.recipientDelimiter == "+";
message = "Postfix's recipientDelimiter must be set to '+'.";
}
];
users.users.mailman = { description = "GNU Mailman"; isSystemUser = true; };
environment = {
systemPackages = [ mailmanExe ];
etc."mailman.cfg".text = mailmanCfg;
};
services.postfix = {
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
config = {
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
# Mailman uses recipient delimiters, so we don't need special handling.
owner_request_special = "no";
};
};
systemd.services.mailman = {
description = "GNU Mailman Master Process";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${mailmanExe}/bin/mailman start";
ExecStop = "${mailmanExe}/bin/mailman stop";
User = "mailman";
Type = "forking";
StateDirectory = "mailman";
StateDirectoryMode = "0700";
RuntimeDirectory = "mailman";
PIDFile = "/run/mailman/master.pid";
};
};
};
}
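Review bot: `StateDirectoryMode = "0700"` in the `systemd.services.mailman` serviceConfig makes `/var/lib/mailman` traversable only by the `mailman` user, yet the same file points Postfix at `hash:/var/lib/mailman/data/postfix_domains` and `hash:/var/lib/mailman/data/postfix_lmtp`; unless Postfix opens those maps as root, its unprivileged daemons cannot read them and list delivery fails with a permission error, which a test that actually delivers a message would catch. If the maps must be readable by Postfix, a dedicated group shared by the two users together with a `0750` state directory keeps the directory closed to everyone else. Separately, `assertion = cfg.enable -> config.services.postfix.enable` sits inside `mkIf cfg.enable`, so the implication is only ever evaluated with `cfg.enable = true`; `assertion = config.services.postfix.enable;` says the same thing directly.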


@ -8,7 +8,9 @@ let
nix = cfg.package.out;
isNix20 = versionAtLeast (getVersion nix) "2.0pre";
nixVersion = getVersion nix;
isNix20 = versionAtLeast nixVersion "2.0pre";
makeNixBuildUser = nr:
{ name = "nixbld${toString nr}";
@ -61,6 +63,9 @@ let
builders =
''}
system-features = ${toString cfg.systemFeatures}
${optionalString (versionAtLeast nixVersion "2.3pre") ''
sandbox-fallback = false
''}
$extraOptions
END
'' + optionalString cfg.checkConfig (
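Review bot: The new `sandbox-fallback = false` line is emitted without any explanation, and as I understand that option it is a behaviour change for every host on Nix 2.3 or newer: builds whose sandbox cannot be set up now fail instead of silently running unsandboxed. A one-line comment next to the interpolation would record the intent, e.g. `# Fail loudly rather than silently build outside the sandbox when sandboxing is unavailable.` The `nix.conf` template string and the `let` bindings around these two hunks continue outside them.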


@ -156,6 +156,8 @@ in {
};
};
systemd.enableCgroupAccounting = true;
security.wrappers."apps.plugin" = {
source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin.org";
capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
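Review bot: `systemd.enableCgroupAccounting = true;` is a system-wide setting asserted unconditionally from a service module, so a configuration that sets it to `false` elsewhere at the same priority gets a conflicting-definition error instead of a resolvable choice; `systemd.enableCgroupAccounting = mkDefault true;` lets the netdata module request it while leaving the administrator the final say. The enclosing `config` block continues outside the hunk.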


@ -916,9 +916,8 @@ in
systemd.services.nsd = {
description = "NSD authoritative only domain name service";
after = [ "keys.target" "network.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
wants = [ "keys.target" ];
serviceConfig = {
ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";


@ -70,8 +70,6 @@ in
systemd.services."softether-init" = {
description = "SoftEther VPN services initial task";
after = [ "keys.target" ];
wants = [ "keys.target" ];
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";


@ -62,9 +62,8 @@ in {
systemd.services.strongswan-swanctl = {
description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "keys.target" ];
wants = [ "keys.target" ];
path = with pkgs; [ kmod iproute iptables utillinux ];
after = [ "network-online.target" ];
path = with pkgs; [ kmod iproute iptables utillinux ];
environment = {
STRONGSWAN_CONF = pkgs.writeTextFile {
name = "strongswan.conf";


@ -151,8 +151,7 @@ in
description = "strongSwan IPSec Service";
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
wants = [ "keys.target" ];
after = [ "network-online.target" "keys.target" ];
after = [ "network-online.target" ];
environment = {
STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
};


@ -70,7 +70,7 @@ in
};
storageBackend = mkOption {
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
default = "inmem";
description = "The name of the type of storage backend";
};


@ -0,0 +1,214 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.magnetico;
dataDir = "/var/lib/magnetico";
credFile = with cfg.web;
if credentialsFile != null
then credentialsFile
else pkgs.writeText "magnetico-credentials"
(concatStrings (mapAttrsToList
(user: hash: "${user}:${hash}\n")
cfg.web.credentials));
# default options in magneticod/main.go
dbURI = concatStrings
[ "sqlite3://${dataDir}/database.sqlite3"
"?_journal_mode=WAL"
"&_busy_timeout=3000"
"&_foreign_keys=true"
];
crawlerArgs = with cfg.crawler; escapeShellArgs
([ "--database=${dbURI}"
"--indexer-addr=${address}:${toString port}"
"--indexer-max-neighbors=${toString maxNeighbors}"
"--leech-max-n=${toString maxLeeches}"
] ++ extraOptions);
webArgs = with cfg.web; escapeShellArgs
([ "--database=${dbURI}"
(if (cfg.web.credentialsFile != null || cfg.web.credentials != { })
then "--credentials=${toString credFile}"
else "--no-auth")
] ++ extraOptions);
in {
###### interface
options.services.magnetico = {
enable = mkEnableOption "Magnetico, Bittorrent DHT crawler";
crawler.address = mkOption {
type = types.str;
default = "0.0.0.0";
example = "1.2.3.4";
description = ''
Address to be used for indexing DHT nodes.
'';
};
crawler.port = mkOption {
type = types.port;
default = 0;
description = ''
Port to be used for indexing DHT nodes.
This port should be added to
<option>networking.firewall.allowedTCPPorts</option>.
'';
};
crawler.maxNeighbors = mkOption {
type = types.ints.positive;
default = 1000;
description = ''
Maximum number of simultaneous neighbors of an indexer.
Be careful changing this number: high values can very
easily cause your network to be congested or even crash
your router.
'';
};
crawler.maxLeeches = mkOption {
type = types.ints.positive;
default = 200;
description = ''
Maximum number of simultaneous leeches.
'';
};
crawler.extraOptions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra command line arguments to pass to magneticod.
'';
};
web.address = mkOption {
type = types.str;
default = "localhost";
example = "1.2.3.4";
description = ''
Address the web interface will listen to.
'';
};
web.port = mkOption {
type = types.port;
default = 8080;
description = ''
Port the web interface will listen to.
'';
};
web.credentials = mkOption {
type = types.attrsOf types.str;
default = {};
example = lib.literalExample ''
{
myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG";
}
'';
description = ''
The credentials to access the web interface, in case authentication is
enabled, in the format <literal>username:hash</literal>. If unset no
authentication will be required.
Usernames must start with a lowercase ([a-z]) ASCII character, might
contain non-consecutive underscores except at the end, and consists of
small-case a-z characters and digits 0-9. The
<command>htpasswd</command> tool from the <package>apacheHttpd
</package> package may be used to generate the hash: <command>htpasswd
-bnBC 12 username password</command>
<warning>
<para>
The hashes will be stored world-readable in the nix store.
Consider using the <literal>credentialsFile</literal> option if you
don't want this.
</para>
</warning>
'';
};
web.credentialsFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
The path to the file holding the credentials to access the web
interface. If unset no authentication will be required.
The file must constain user names and password hashes in the format
<literal>username:hash </literal>, one for each line. Usernames must
start with a lowecase ([a-z]) ASCII character, might contain
non-consecutive underscores except at the end, and consists of
small-case a-z characters and digits 0-9.
The <command>htpasswd</command> tool from the <package>apacheHttpd
</package> package may be used to generate the hash:
<command>htpasswd -bnBC 12 username password</command>
'';
};
web.extraOptions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra command line arguments to pass to magneticow.
'';
};
};
###### implementation
config = mkIf cfg.enable {
users.users.magnetico = {
description = "Magnetico daemons user";
};
systemd.services.magneticod = {
description = "Magnetico DHT crawler";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
User = "magnetico";
Restart = "on-failure";
ExecStart = "${pkgs.magnetico}/bin/magneticod ${crawlerArgs}";
};
};
systemd.services.magneticow = {
description = "Magnetico web interface";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "magneticod.service"];
serviceConfig = {
User = "magnetico";
StateDirectory = "magnetico";
Restart = "on-failure";
ExecStart = "${pkgs.magnetico}/bin/magneticow ${webArgs}";
};
};
assertions =
[
{
assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { };
message = ''
The options services.magnetico.web.credentialsFile and
services.magnetico.web.credentials are mutually exclusives.
'';
}
];
};
}
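Review bot: The assertion at the end of the file passes when at least one of `web.credentialsFile` and `web.credentials` is set and fails when neither is, which is the opposite of what its message ("mutually exclusive") and both option descriptions ("If unset no authentication will be required") state; as written, the `--no-auth` branch in `webArgs` can never be reached. The intended check is `assertion = !(cfg.web.credentialsFile != null && cfg.web.credentials != { });`. Two smaller points: `magneticod` writes its SQLite database under `/var/lib/magnetico` but only `magneticow` declares `StateDirectory = "magnetico"`, and `magneticow` is ordered after `magneticod`, so the crawler unit needs `StateDirectory = "magnetico";` as well; and `users.users.magnetico` sets neither `isSystemUser` nor a `uid`, unlike the mailman module added in this same merge.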


@ -670,8 +670,7 @@ in
{ description = "Apache HTTPD";
wantedBy = [ "multi-user.target" ];
wants = [ "keys.target" ];
after = [ "network.target" "fs.target" "keys.target" ];
after = [ "network.target" "fs.target" ];
path =
[ httpd pkgs.coreutils pkgs.gnugrep ]


@ -4,23 +4,25 @@ with lib;
let
cfg = config.services.nginx;
certs = config.security.acme.certs;
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
virtualHosts = mapAttrs (vhostName: vhostConfig:
let
serverName = if vhostConfig.serverName != null
then vhostConfig.serverName
else vhostName;
acmeDirectory = config.security.acme.directory;
in
vhostConfig // {
inherit serverName;
} // (optionalAttrs vhostConfig.enableACME {
sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
sslTrustedCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
sslCertificate = "${certs.${serverName}.directory}/fullchain.pem";
sslCertificateKey = "${certs.${serverName}.directory}/key.pem";
sslTrustedCertificate = "${certs.${serverName}.directory}/full.pem";
}) // (optionalAttrs (vhostConfig.useACMEHost != null) {
sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
sslCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
sslCertificateKey = "${certs.${vhostConfig.useACMEHost}.directory}/key.pem";
sslTrustedCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
})
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
@ -646,8 +648,9 @@ in
systemd.services.nginx = {
description = "Nginx Web Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
stopIfChanged = false;
preStart =
''
@ -680,8 +683,6 @@ in
security.acme.certs = filterAttrs (n: v: v != {}) (
let
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
user = cfg.user;
group = lib.mkDefault cfg.group;
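Review bot: The two rewritten ACME branches in the first hunk disagree on the file used for `sslTrustedCertificate`: the `enableACME` branch now reads `.../full.pem` while the `useACMEHost` branch reads `.../fullchain.pem`, and before this change both used `fullchain.pem`. If `full.pem` is the combined bundle that also carries the private key, pointing `ssl_trusted_certificate` at it is at best surprising; if it was chosen deliberately (for instance to include the root for OCSP stapling), the `useACMEHost` branch should be changed to match and a comment should say why. The minimal fix is `sslTrustedCertificate = "${certs.${serverName}.directory}/fullchain.pem";` in the first branch. The `virtualHosts` binding and the `systemd.services.nginx` definition continue outside their hunks.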


@ -18,7 +18,7 @@ in
# determines the default: later modules (if enabled) are preferred.
# E.g., if Plasma 5 is enabled, it supersedes xterm.
imports = [
./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
./none.nix ./xterm.nix ./xfce.nix ./xfce4-14.nix ./plasma5.nix ./lumina.nix
./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix
./mate.nix ./pantheon.nix ./surf-display.nix
];


@ -0,0 +1,157 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.xserver.desktopManager.xfce4-14;
in
{
# added 2019-08-18
# needed to preserve some semblance of UI familarity
# with original XFCE module
imports = [
(mkRenamedOptionModule
[ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ]
[ "services" "xserver" "displayManager" "sessionCommands" ])
];
options = {
services.xserver.desktopManager.xfce4-14 = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable the Xfce desktop environment.";
};
# TODO: support thunar plugins
# thunarPlugins = mkOption {
# default = [];
# type = types.listOf types.package;
# example = literalExample "[ pkgs.xfce4-14.thunar-archive-plugin ]";
# description = ''
# A list of plugin that should be installed with Thunar.
# '';
# };
noDesktop = mkOption {
type = types.bool;
default = false;
description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon).";
};
enableXfwm = mkOption {
type = types.bool;
default = true;
description = "Enable the XFWM (default) window manager.";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs.xfce4-14 // pkgs; [
glib # for gsettings
gtk3.out # gtk-update-icon-cache
gnome3.adwaita-icon-theme
hicolor-icon-theme
tango-icon-theme
xfce4-icon-theme
desktop-file-utils
shared-mime-info # for update-mime-database
# For a polkit authentication agent
polkit_gnome
# Needed by Xfce's xinitrc script
xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
exo
garcon
gtk-xfce-engine
libxfce4ui
xfconf
mousepad
ristretto
xfce4-appfinder
xfce4-screenshooter
xfce4-session
xfce4-settings
xfce4-terminal
# TODO: resync patch for plugins
#(thunar.override { thunarPlugins = cfg.thunarPlugins; })
thunar
] # TODO: NetworkManager doesn't belong here
++ optional config.networking.networkmanager.enable networkmanagerapplet
++ optional config.hardware.pulseaudio.enable xfce4-pulseaudio-plugin
++ optional config.powerManagement.enable xfce4-power-manager
++ optional cfg.enableXfwm xfwm4
++ optionals (!cfg.noDesktop) [
xfce4-panel
xfce4-notifyd
xfdesktop
];
environment.pathsToLink = [
"/share/xfce4"
"/lib/xfce4"
"/share/gtksourceview-3.0"
"/share/gtksourceview-4.0"
];
# Use the correct gnome3 packageSet
networking.networkmanager.basePackages = mkIf config.networking.networkmanager.enable {
inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc
networkmanager-openconnect networkmanager-fortisslvpn
networkmanager-iodine networkmanager-l2tp;
};
services.xserver.desktopManager.session = [{
name = "xfce4-14";
bgSupport = true;
start = ''
# Set GTK_PATH so that GTK+ can find the theme engines.
export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0"
# Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes.
export GTK_DATA_PREFIX=${config.system.path}
${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} &
waitPID=$!
'';
}];
services.xserver.updateDbusEnvironment = true;
services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
# Enable helpful DBus services.
services.udisks2.enable = true;
security.polkit.enable = true;
services.accounts-daemon.enable = true;
services.upower.enable = config.powerManagement.enable;
services.gnome3.glib-networking.enable = true;
services.gvfs.enable = true;
services.gvfs.package = pkgs.xfce.gvfs;
services.tumbler.enable = true;
services.dbus.packages =
optional config.services.printing.enable pkgs.system-config-printer;
services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager
# Enable default programs
programs.dconf.enable = true;
# Shell integration for VTE terminals
programs.bash.vteIntegration = mkDefault true;
programs.zsh.vteIntegration = mkDefault true;
# Systemd services
systemd.packages = with pkgs.xfce4-14; [
thunar
] ++ optional (!cfg.noDesktop) xfce4-notifyd;
};
}
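Review bot: `services.gvfs.package = pkgs.xfce.gvfs;` is the only line in this otherwise `pkgs.xfce4-14`-based module that reaches into the older `pkgs.xfce` set; if that is deliberate, a comment saying so would stop the next reader from "fixing" it, otherwise the package should come from the same set as the rest of the module. The `enable` option description, `Enable the Xfce desktop environment.`, is identical to the existing module's and does not tell the user which Xfce version they are enabling; `Enable the Xfce 4.14 desktop environment.` would. The header comment also has a typo (`familarity`).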


@ -109,7 +109,7 @@ let
# Allow the user to setup a custom session type.
if test -x ~/.xsession; then
exec ~/.xsession
eval exec ~/.xsession "$@"
fi
if test "$1"; then
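Review bot: `eval exec ~/.xsession "$@"` re-parses the forwarded arguments through the shell, so any session argument containing whitespace, quotes or other metacharacters is split or interpreted instead of being passed literally to `~/.xsession`. If the goal is only to hand the arguments on, `exec ~/.xsession "$@"` does that without `eval`; if `eval` is needed because the arguments deliberately carry shell syntax, a comment explaining that should sit next to the line. The surrounding script continues on both sides of the hunk.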


@ -112,11 +112,13 @@ let
# Hibernate / suspend.
"hibernate.target"
"suspend.target"
"suspend-then-hibernate.target"
"sleep.target"
"hybrid-sleep.target"
"systemd-hibernate.service"
"systemd-hybrid-sleep.service"
"systemd-suspend.service"
"systemd-suspend-then-hibernate.service"
# Reboot stuff.
"reboot.target"


@ -256,6 +256,10 @@ let
RestartForceExitStatus = "133";
SuccessExitStatus = "133";
# Some containers take long to start
# especially when you automatically start many at once
TimeoutStartSec = cfg.timeoutStartSec;
Restart = "on-failure";
Slice = "machine.slice";
@ -423,6 +427,7 @@ let
extraVeths = {};
additionalCapabilities = [];
ephemeral = false;
timeoutStartSec = "15s";
allowedDevices = [];
hostAddress = null;
hostAddress6 = null;
@ -595,6 +600,18 @@ in
'';
};
timeoutStartSec = mkOption {
type = types.str;
default = "1min";
description = ''
Time for the container to start. In case of a timeout,
the container processes get killed.
See <citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>
for more information about the format.
'';
};
bindMounts = mkOption {
type = with types; loaOf (submodule bindMountOpts);
default = {};
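Review bot: The new `timeoutStartSec` default is given twice with different values: the defaults attribute set in the second hunk says `timeoutStartSec = "15s";` while the `mkOption` in the third hunk says `default = "1min";`. Unless the shorter value is intended specifically for the path that consumes that attribute set, the two should agree, e.g. `timeoutStartSec = "1min";`, or the discrepancy should be explained in the option description. The option is also typed `types.str`, so a malformed time specification is only caught by systemd when the unit is loaded. The `let` bindings and the options set around these hunks continue outside them.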


@ -136,6 +136,7 @@ in rec {
(all nixos.tests.switchTest)
(all nixos.tests.udisks2)
(all nixos.tests.xfce)
(all nixos.tests.xfce4-14)
nixpkgs.tarball
(all allSupportedNixpkgs.emacs)


@ -3,19 +3,49 @@ let
in import ./make-test.nix {
name = "acme";
nodes = {
nodes = rec {
letsencrypt = ./common/letsencrypt;
acmeStandalone = { config, pkgs, ... }: {
imports = [ commonConfig ];
networking.firewall.allowedTCPPorts = [ 80 ];
networking.extraHosts = ''
${config.networking.primaryIPAddress} standalone.com
'';
security.acme.certs."standalone.com" = {
webroot = "/var/lib/acme/acme-challenges";
};
systemd.targets."acme-finished-standalone.com" = {};
systemd.services."acme-standalone.com" = {
wants = [ "acme-finished-standalone.com.target" ];
before = [ "acme-finished-standalone.com.target" ];
};
services.nginx.enable = true;
services.nginx.virtualHosts."standalone.com" = {
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenges";
};
};
webserver = { config, pkgs, ... }: {
imports = [ commonConfig ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.extraHosts = ''
${config.networking.primaryIPAddress} example.com
${config.networking.primaryIPAddress} a.example.com
${config.networking.primaryIPAddress} b.example.com
'';
# A target remains active. Use this to probe the fact that
# a service fired eventhough it is not RemainAfterExit
systemd.targets."acme-finished-a.example.com" = {};
systemd.services."acme-a.example.com" = {
wants = [ "acme-finished-a.example.com.target" ];
before = [ "acme-finished-a.example.com.target" ];
};
services.nginx.enable = true;
services.nginx.virtualHosts."example.com" = {
services.nginx.virtualHosts."a.example.com" = {
enableACME = true;
forceSSL = true;
locations."/".root = pkgs.runCommand "docroot" {} ''
@ -23,17 +53,63 @@ in import ./make-test.nix {
echo hello world > "$out/index.html"
'';
};
nesting.clone = [
({pkgs, ...}: {
networking.extraHosts = ''
${config.networking.primaryIPAddress} b.example.com
'';
systemd.targets."acme-finished-b.example.com" = {};
systemd.services."acme-b.example.com" = {
wants = [ "acme-finished-b.example.com.target" ];
before = [ "acme-finished-b.example.com.target" ];
};
services.nginx.virtualHosts."b.example.com" = {
enableACME = true;
forceSSL = true;
locations."/".root = pkgs.runCommand "docroot" {} ''
mkdir -p "$out"
echo hello world > "$out/index.html"
'';
};
})
];
};
client = commonConfig;
};
testScript = ''
$letsencrypt->waitForUnit("default.target");
$letsencrypt->waitForUnit("boulder.service");
$webserver->waitForUnit("default.target");
$webserver->waitForUnit("acme-certificates.target");
$client->waitForUnit("default.target");
$client->succeed('curl https://example.com/ | grep -qF "hello world"');
'';
testScript = {nodes, ...}:
let
newServerSystem = nodes.webserver2.config.system.build.toplevel;
switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
in
# Note, waitForUnit does not work for oneshot services that do not have RemainAfterExit=true,
# this is because a oneshot goes from inactive => activating => inactive, and never
# reaches the active state. To work around this, we create some mock target units which
# get pulled in by the oneshot units. The target units linger after activation, and hence we
# can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
''
$client->waitForUnit("default.target");
$letsencrypt->waitForUnit("default.target");
$letsencrypt->waitForUnit("boulder.service");
subtest "can request certificate with HTTPS-01 challenge", sub {
$acmeStandalone->waitForUnit("default.target");
$acmeStandalone->succeed("systemctl start acme-standalone.com.service");
$acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
};
subtest "Can request certificate for nginx service", sub {
$webserver->waitForUnit("acme-finished-a.example.com.target");
$client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
};
subtest "Can add another certificate for nginx service", sub {
$webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
$webserver->waitForUnit("acme-finished-b.example.com.target");
$client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
};
'';
}


@ -278,6 +278,7 @@ in
xautolock = handleTest ./xautolock.nix {};
xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {};
xfce = handleTest ./xfce.nix {};
xfce4-14 = handleTest ./xfce4-14.nix {};
xmonad = handleTest ./xmonad.nix {};
xrdp = handleTest ./xrdp.nix {};
xss-lock = handleTest ./xss-lock.nix {};

28
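--- a/nixos/tests/magnetico.nix
+++ b/nixos/tests/magnetico.nix
@@ -0,0 +1,28 @@
+import ./make-test.nix ({ pkgs, ...} : {
+name = "magnetico";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ rnhmjoj ];
+};
+machine = { ... }: {
+imports = [ ../modules/profiles/minimal.nix ];
+networking.firewall.allowedTCPPorts = [ 9000 ];
+services.magnetico = {
+enable = true;
+crawler.port = 9000;
+web.credentials.user = "$2y$12$P88ZF6soFthiiAeXnz64aOWDsY3Dw7Yw8fZ6GtiqFNjknD70zDmNe";
+};
+};
+testScript =
+''
+startAll;
+$machine->waitForUnit("magneticod");
+$machine->waitForUnit("magneticow");
+$machine->succeed("${pkgs.curl}/bin/curl -u user:password http://localhost:8080");
+$machine->succeed("${pkgs.curl}/bin/curl -u user:wrongpwd http://localhost:8080") =~ "Unauthorised." or die;
+$machine->shutdown();
+'';
+})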
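Review bot: The positive check `succeed(".../curl -u user:password http://localhost:8080")` only proves that curl exited 0, which it also does on a 401 response, so the test still passes if valid credentials are rejected; the negative case is verified through the body (`Unauthorised.`) but the positive case is not. `curl -f` turns an HTTP error status into a non-zero exit, e.g. `$machine->succeed("${pkgs.curl}/bin/curl -f -u user:password http://localhost:8080");`, or assert on the response body as the negative case does. The bcrypt hash in the fixture is a test credential and fine to keep, but a comment stating which plaintext it encodes (`password`, judging by the curl call) would save the next maintainer a guess.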


@ -71,11 +71,13 @@ import ./make-test.nix ({ pkgs, ... }: {
# Regression test for https://github.com/NixOS/nixpkgs/issues/35268
subtest "file system with x-initrd.mount is not unmounted", sub {
$machine->succeed('mountpoint -q /test-x-initrd-mount');
$machine->shutdown;
$machine->waitForUnit('multi-user.target');
# If the file system was unmounted during the shutdown the file system
# has a last mount time, because the file system wasn't checked.
$machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
system('qemu-img', 'convert', '-O', 'raw',
'vm-state-machine/empty2.qcow2', 'x-initrd-mount.raw');
my $extinfo = `${pkgs.e2fsprogs}/bin/dumpe2fs x-initrd-mount.raw`;
die "File system was not cleanly unmounted: $extinfo"
unless $extinfo =~ /^Filesystem state: *clean$/m;
};
subtest "systemd-shutdown works", sub {

33
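--- a/nixos/tests/xfce4-14.nix
+++ b/nixos/tests/xfce4-14.nix
@@ -0,0 +1,33 @@
+import ./make-test.nix ({ pkgs, ...} : {
+name = "xfce4-14";
+machine =
+{ pkgs, ... }:
+{ imports = [ ./common/user-account.nix ];
+services.xserver.enable = true;
+services.xserver.displayManager.auto.enable = true;
+services.xserver.displayManager.auto.user = "alice";
+services.xserver.desktopManager.xfce4-14.enable = true;
+};
+testScript =
+''
+$machine->waitForX;
+$machine->waitForFile("/home/alice/.Xauthority");
+$machine->succeed("xauth merge ~alice/.Xauthority");
+$machine->waitForWindow(qr/xfce4-panel/);
+$machine->sleep(10);
+# Check that logging in has given the user ownership of devices.
+$machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+$machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'");
+$machine->waitForWindow(qr/Terminal/);
+$machine->sleep(10);
+$machine->screenshot("screen");
+'';
+})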
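Review bot: The test declares no `meta.maintainers`, unlike the magnetico test added in the same merge, so nobody is notified when it breaks; adding `meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ <maintainer-handle-placeholder> ]; };` after `name` fixes that. The two `$machine->sleep(10)` calls are fixed delays that both slow the test and stay racy on a loaded builder; waiting on a concrete condition, as the existing `waitForWindow` calls already do, is more robust.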


@ -1,90 +0,0 @@
{ callPackage, boost155, boost165, darwin, libsForQt5, libsForQt59, miniupnpc_2, python3, buildGo110Package }:
rec {
aeon = callPackage ./aeon { };
bitcoin = libsForQt5.callPackage ./bitcoin.nix { miniupnpc = miniupnpc_2; withGui = true; };
bitcoind = callPackage ./bitcoin.nix { miniupnpc = miniupnpc_2; withGui = false; };
clightning = callPackage ./clightning.nix { };
bitcoin-abc = libsForQt5.callPackage ./bitcoin-abc.nix { boost = boost165; withGui = true; };
bitcoind-abc = callPackage ./bitcoin-abc.nix { boost = boost165; withGui = false; };
bitcoin-unlimited = libsForQt5.callPackage ./bitcoin-unlimited.nix {
inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
withGui = true;
};
bitcoind-unlimited = callPackage ./bitcoin-unlimited.nix {
inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
withGui = false;
};
bitcoin-classic = libsForQt5.callPackage ./bitcoin-classic.nix { boost = boost165; withGui = true; };
bitcoind-classic = callPackage ./bitcoin-classic.nix { boost = boost165; withGui = false; };
btc1 = callPackage ./btc1.nix {
inherit (darwin.apple_sdk.frameworks) AppKit;
boost = boost165;
};
btc1d = btc1.override { withGui = false; };
cryptop = python3.pkgs.callPackage ./cryptop { };
dashpay = callPackage ./dashpay.nix { };
dcrd = callPackage ./dcrd.nix { };
dcrwallet = callPackage ./dcrwallet.nix { };
dero = callPackage ./dero.nix { boost = boost165; };
dogecoin = callPackage ./dogecoin.nix { boost = boost165; withGui = true; };
dogecoind = callPackage ./dogecoin.nix { boost = boost165; withGui = false; };
freicoin = callPackage ./freicoin.nix { boost = boost155; };
go-ethereum = callPackage ./go-ethereum.nix {
inherit (darwin) libobjc;
inherit (darwin.apple_sdk.frameworks) IOKit;
};
go-ethereum-classic = callPackage ./go-ethereum-classic {
buildGoPackage = buildGo110Package;
};
litecoin = callPackage ./litecoin.nix {
inherit (darwin.apple_sdk.frameworks) AppKit;
};
litecoind = litecoin.override { withGui = false; };
lnd = callPackage ./lnd.nix { };
masari = callPackage ./masari.nix { boost = boost165; };
mist = callPackage ./mist.nix { };
namecoin = callPackage ./namecoin.nix { withGui = true; };
namecoind = callPackage ./namecoin.nix { withGui = false; };
pivx = libsForQt59.callPackage ./pivx.nix { withGui = true; };
pivxd = callPackage ./pivx.nix { withGui = false; };
ethabi = callPackage ./ethabi.nix { };
stellar-core = callPackage ./stellar-core.nix { };
sumokoin = callPackage ./sumokoin.nix { boost = boost165; };
wownero = callPackage ./wownero.nix {};
zcash = callPackage ./zcash {
withGui = false;
};
parity = callPackage ./parity { };
parity-beta = callPackage ./parity/beta.nix { };
parity-ui = callPackage ./parity-ui { };
polkadot = callPackage ./polkadot { };
particl-core = callPackage ./particl/particl-core.nix { miniupnpc = miniupnpc_2; };
}


@ -1,33 +1,29 @@
{ fetchFromGitHub, stdenv, pythonPackages, gtk3, gobject-introspection, libnotify
, gst_all_1, wrapGAppsHook }:
{ stdenv, fetchFromGitHub, meson, ninja, pkgconfig, appstream-glib
, wrapGAppsHook, pythonPackages, gtk3, gnome3, gobject-introspection
, libnotify, libsecret, gst_all_1 }:
pythonPackages.buildPythonApplication rec {
pname = "pithos";
version = "1.1.2";
version = "1.4.1";
src = fetchFromGitHub {
owner = pname;
repo = pname;
rev = version;
sha256 = "0zk9clfawsnwmgjbk7y5d526ksxd1pkh09ln6sb06v4ygaiifcxp";
sha256 = "0vaw0rfcdh4bsp9b8la9bs36kw0iwia54y5x060byxhff9av6nj4";
};
# No tests in repo
doCheck = false;
format = "other";
postPatch = ''
substituteInPlace setup.py --replace "/usr/share" "$out/share"
chmod +x meson_post_install.py
patchShebangs meson_post_install.py
'';
postInstall = ''
mkdir -p $out/share/applications
cp -v data/pithos.desktop $out/share/applications
'';
buildInputs = [ wrapGAppsHook ];
nativeBuildInputs = [ meson ninja pkgconfig appstream-glib wrapGAppsHook ];
propagatedBuildInputs =
[ gtk3 gobject-introspection libnotify ] ++
[ gtk3 gobject-introspection libnotify libsecret gnome3.adwaita-icon-theme ] ++
(with gst_all_1; [ gstreamer gst-plugins-base gst-plugins-good gst-plugins-ugly gst-plugins-bad ]) ++
(with pythonPackages; [ pygobject3 pylast ]);


@ -1,5 +1,4 @@
{ stdenv, fetchFromGitHub
, wrapQtAppsHook, makeDesktopItem
{ mkDerivation, lib, makeDesktopItem, fetchFromGitHub
, qtbase, qmake, qtmultimedia, qttools
, qtgraphicaleffects, qtdeclarative
, qtlocation, qtquickcontrols, qtquickcontrols2
@ -9,21 +8,9 @@
, hidapi
}:
with stdenv.lib;
with lib;
let
qmlPath = qmlLib: "${qmlLib}/${qtbase.qtQmlPrefix}";
qml2ImportPath = concatMapStringsSep ":" qmlPath [
qtbase.bin qtmultimedia.bin qtgraphicaleffects
qtdeclarative.bin qtlocation.bin
qtquickcontrols qtquickcontrols2.bin
qtwebchannel.bin qtwebengine.bin qtxmlpatterns
];
in
stdenv.mkDerivation rec {
mkDerivation rec {
pname = "monero-gui";
version = "0.14.1.2";
@ -34,7 +21,7 @@ stdenv.mkDerivation rec {
sha256 = "1rm043r6y2mzy8pclnzbjjfxgps8pkfa2b92p66k8y8rdmgq6m1k";
};
nativeBuildInputs = [ qmake pkgconfig wrapQtAppsHook ];
nativeBuildInputs = [ qmake pkgconfig ];
buildInputs = [
qtbase qtmultimedia qtgraphicaleffects
@ -46,9 +33,7 @@ stdenv.mkDerivation rec {
cppzmq hidapi
];
patches = [
./move-log-file.patch
];
patches = [ ./move-log-file.patch ];
postPatch = ''
echo '


@ -14,9 +14,9 @@ let
};
betaVersion = stableVersion;
latestVersion = { # canary & dev
version = "3.6.0.7"; # "Android Studio 3.6 Canary 7"
build = "192.5807797";
sha256Hash = "1l47miiyd8z7v0hbvda06953pp9ilyrsma83gxqx35ghnc0n7g81";
version = "3.6.0.9"; # "Android Studio 3.6 Canary 9"
build = "192.5830636";
sha256Hash = "0c9zmxf2scsf9pygcbabzngl7cdyjgpir5pggjaj535ni0nsrr7p";
};
in rec {
# Attributes are named by their corresponding release channels


@ -1,30 +0,0 @@
{ stdenv, fetchurl, emacs }:
stdenv.mkDerivation rec {
name = "auto-complete-1.3.1";
src = fetchurl {
url = "http://cx4a.org/pub/auto-complete/${name}.tar.bz2";
sha256 = "124qxfp0pcphwlmrasbfrci48brxnrzc38h4wcf2sn20x1mvcrlj";
};
buildInputs = [ emacs ];
preInstall = ''
install -d $out/share/emacs/site-lisp
'';
installFlags = "DIR=$(out)/share/emacs/site-lisp";
postInstall = ''
ln -s javascript-mode $out/share/emacs/site-lisp/ac-dict/js2-mode
'';
meta = {
description = "Auto-complete extension for Emacs";
homepage = http://cx4a.org/software/auto-complete/;
license = stdenv.lib.licenses.gpl3Plus;
platforms = stdenv.lib.platforms.all;
};
}


@ -1,25 +0,0 @@
{ stdenv, fetchurl, emacs }:
stdenv.mkDerivation rec {
name = "bbdb-3.1.2";
src = fetchurl {
url = "https://download.savannah.gnu.org/releases/bbdb/${name}.tar.gz";
sha256 = "1gs16bbpiiy01w9pyg12868r57kx1v3hnw04gmqsmpc40l1hyy05";
};
buildInputs = [ emacs ];
# Hack to disable documentation as there is no way to tell bbdb to
# NOT build pdfs. I really don't want to pull in TexLive here...
preConfigure = ''
substituteInPlace ./Makefile.in \
--replace "SUBDIRS = lisp doc tex" "SUBDIRS = lisp"
'';
meta = {
homepage = https://savannah.nongnu.org/projects/bbdb/;
description = "The Insidious Big Brother Database (BBDB), a contact management utility for Emacs, version 3";
license = "GPL";
};
}
