Compare commits

..

1 Commits

Author SHA1 Message Date
dependabot[bot]
3a670fbf75 .github: Bump actions/checkout from 6.0.3 to 7.0.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](df4cb1c069...9c091bb21b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-12 00:12:58 +00:00
3711 changed files with 18064 additions and 30988 deletions

View File

@@ -36,7 +36,7 @@ jobs:
permission-pull-requests: write
permission-workflows: write
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.event.pull_request.head.sha }}
token: ${{ steps.app-token.outputs.token }}

View File

@@ -46,7 +46,7 @@ jobs:
# https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: |

View File

@@ -49,7 +49,7 @@ jobs:
runs-on: ${{ matrix.runner }}
timeout-minutes: 60
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions

View File

@@ -43,7 +43,7 @@ jobs:
runs-on: ubuntu-slim
timeout-minutes: 3
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
path: trusted
@@ -95,7 +95,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 8
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
path: trusted
@@ -137,7 +137,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 5
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions

View File

@@ -23,7 +23,7 @@ jobs:
timeout-minutes: 2
if: contains(github.event.comment.body, '@NixOS/nixpkgs-merge-bot merge')
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: |

View File

@@ -50,7 +50,7 @@ jobs:
ciPinBumpCommit: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommit }}
ciPinBumpCommitShort: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommitShort }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
path: trusted
@@ -58,7 +58,7 @@ jobs:
ci/supportedVersions.nix
- name: Check out the PR at the test merge commit
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
ref: ${{ inputs.mergedSha }}
@@ -174,7 +174,7 @@ jobs:
sudo mkswap /swap
sudo swapon /swap
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions
@@ -259,7 +259,7 @@ jobs:
statuses: write # creating 'Eval Summary' commit statuses
timeout-minutes: 5
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions
@@ -476,7 +476,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions

View File

@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions
@@ -61,7 +61,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions
@@ -90,7 +90,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 10
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: .github/actions
@@ -134,7 +134,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 8
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: true # Needed to run git fetch for large PRs.
path: trusted

View File

@@ -25,7 +25,7 @@ jobs:
targetSha: ${{ steps.prepare.outputs.targetSha }}
systems: ${{ steps.prepare.outputs.systems }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: |

View File

@@ -34,7 +34,7 @@ jobs:
permission-contents: write
permission-pull-requests: write
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

View File

@@ -36,7 +36,7 @@ jobs:
systems: ${{ steps.prepare.outputs.systems }}
touched: ${{ steps.prepare.outputs.touched }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout-cone-mode: true # default, for clarity

View File

@@ -20,7 +20,7 @@ jobs:
runs-on: ubuntu-slim
timeout-minutes: 2
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: |

View File

@@ -30,7 +30,7 @@ jobs:
permission-pull-requests: write
- name: Fetch source
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout: |

View File

@@ -19,7 +19,7 @@ jobs:
push: ${{ steps.files.outputs.push }}
targetSha: ${{ steps.prepare.outputs.targetSha }}
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
sparse-checkout-cone-mode: true # default, for clarity

View File

@@ -41,7 +41,7 @@
/lib/meta.nix @alyssais @NixOS/stdenv @llakala
/lib/meta-types.nix @infinisil @adisbladis @NixOS/stdenv @llakala
/lib/source-types.nix @alyssais @NixOS/stdenv @llakala
/lib/systems @alyssais @NixOS/stdenv
/lib/systems @alyssais @NixOS/stdenv @llakala
## Libraries / Module system
/lib/modules.nix @infinisil @roberth @hsjobeki @llakala
/lib/types.nix @infinisil @roberth @hsjobeki @llakala
@@ -260,7 +260,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/applications/editors/jetbrains @leona-ya @theCapypara
# Licenses
/lib/licenses @alyssais @emilazy @jopejoe1
/lib/licenses @alyssais @emilazy @jopejoe1 @llakala
# Qt
/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000

View File

@@ -395,13 +395,6 @@ module.exports = async ({ github, context, core, dry }) => {
pull_number,
per_page: 100,
})
// label llm-assisted PRs accordingly
const assistedByPattern = /Assisted-by: (?!nix-init)/i
evalLabels['llm-assisted'] = prCommits.some((c) =>
assistedByPattern.test(c.commit.message),
)
const commitSubjects = prCommits.map(
(c) => c.commit.message.split('\n')[0],
)

View File

@@ -143,4 +143,3 @@ lib.extendMkDerivation {
});
}
```
:::

View File

@@ -165,7 +165,7 @@ They are useful for creating files from Nix expressions, and are all implemented
Each of these functions will cause a derivation to be produced.
When you coerce the result of each of these functions to a string with [string interpolation](https://nixos.org/manual/nix/stable/language/string-interpolation) or [`toString`](https://nixos.org/manual/nix/stable/language/builtins#builtins-toString), it will evaluate to the [store path](https://nixos.org/manual/nix/stable/store/store-path) of this derivation.
::: {.note}
:::: {.note}
Some of these functions will put the resulting files within a directory inside the [derivation output](https://nixos.org/manual/nix/stable/language/derivations#attr-outputs).
If you need to refer to the resulting files somewhere else in a Nix expression, append their path to the derivation's store path.
@@ -190,7 +190,7 @@ writeShellScript "evaluate-my-file.sh" ''
cat ${my-file}/share/my-file
''
```
:::
::::
### `makeDesktopItem` {#trivial-builder-makeDesktopItem}

View File

@@ -1,7 +0,0 @@
<div class="manual-header">
<nav class="manual-header--tabs">
<a class="manual-header--tab manual-header--tab-active" href="#">Nixpkgs</a>
<a class="manual-header--tab" href="https://nixos.org/manual/nixos/stable/">NixOS</a>
</nav>
<span class="manual-header--title">Nixpkgs Manual</span>
</div>

View File

@@ -119,8 +119,6 @@ stdenvNoCC.mkDerivation (
--script ./anchor-use.js \
--sidebar-depth 3 \
--nav ./nav.json \
--header ${./header.html}\
--no-navheader \
manual.md \
out/index.html

View File

@@ -59,7 +59,7 @@ The recommended way of defining a derivation for a Rocq library, is to use the `
* `releaseRev` (optional, defaults to `(v: v)`), provides a default mapping from release names to revision hashes/branch names/tags,
* `releaseArtifact` (optional, defaults to `(v: null)`), provides a default mapping from release names to artifact names (only works for github artifact for now),
* `displayVersion` (optional), provides a way to alter the computation of `name` from `pname`, by explaining how to display version numbers,
* `namePrefix` (optional, defaults to `[ "rocq" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
* `namePrefix` (optional, defaults to `[ "rocq-core" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
* `nativeBuildInputs` (optional), is a list of executables that are required to build the current derivation, in addition to the default ones (namely `which`, `dune` and `ocaml` depending on whether `useDune`, `useDuneifVersion` and `mlPlugin` are set).
* `extraNativeBuildInputs` (optional, deprecated), an additional list of derivation to add to `nativeBuildInputs`,
* `overrideNativeBuildInputs` (optional) replaces the default list of derivation to which `nativeBuildInputs` and `extraNativeBuildInputs` adds extra elements,
@@ -74,8 +74,6 @@ The recommended way of defining a derivation for a Rocq library, is to use the `
* `enableParallelBuilding` (optional, defaults to `true`), since it is activated by default, we provide a way to disable it.
* `extraInstallFlags` (optional), allows to extend `installFlags` which initializes the variables `COQLIBINSTALL` and `COQPLUGININSTALL` so as to install in the proper subdirectory. Indeed Rocq libraries should be installed in `$(out)/lib/coq/${rocq-core.rocq-version}/user-contrib/`. Such directories are automatically added to the `$ROCQPATH` environment variable by the hook defined in the Rocq derivation.
* `setROCQBIN` (optional, defaults to `true`), by default, the environment variable `$ROCQBIN` is set to the current Rocq's binary, but one can disable this behavior by setting it to `false`,
* `useCoq` (optional, defaults to `false`), adds the Coq compatibility binaries to the build environment, which is necessary for some packages that still depend on them and sets `COQBIN` to the path of the `coqc` binary (if `setROCQBIN` is also set to `true`). A wrapper `mkCoqDerivation` is provided that sets this option to `true`.
* `useCoqifVersion` (optional, defaults to `(x: false)`), adds the Coq compatibility binaries to the build environment if the provided predicate evaluates to true on the version. This can be useful for supporting old package versions that need the Coq compatibility binaries, while newer versions do not.
* `useMelquiondRemake` (optional, default to `null`) is an attribute set, which, if given, overloads the `preConfigurePhases`, `configureFlags`, `buildPhase`, and `installPhase` attributes of the derivation for a specific use in libraries using `remake` as set up by Guillaume Melquiond for `flocq`, `gappalib`, `interval`, and `coquelicot` (see the corresponding derivation for concrete examples of use of this option). For backward compatibility, the attribute `useMelquiondRemake.logpath` must be set to the logical root of the library (otherwise, one can pass `useMelquiondRemake = {}` to activate this without backward compatibility).
* `dropAttrs`, `keepAttrs`, `dropDerivationAttrs` are all optional and allow to tune which attribute is added or removed from the final call to `mkDerivation`.

View File

@@ -44,17 +44,11 @@
- `libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
- `mcphost` has been removed, as it was archived upstream and declared unmaintained.
- `fflogs` has been removed because it was no longer functional. Users should switch to `archon-lite`.
- `services.mysql` now sets `root@localhost` authentication to `auth_socket` when used with `mysql` or `percona-server`.
Existing deployments will also be adjusted if possible. See the [security advisory GHSA-6qxx-6rg8-c4p8](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-6qxx-6rg8-c4p8) for more information.
- `zerofs` has been updated from `1.x` to `2.x` which is a breaking change. Volumes created by earlier releases are refused at open with a clear error. There is no migration tool; older volumes remain readable and writable by the release that created them.
- `keycloak.plugins.keycloak-metrics-spi` has been removed. Keycloak exposes Prometheus metrics natively on its management interface; enable them with the `metrics-enabled` setting (and `event-metrics-user-enabled` for login and event counters). See [Gaining insights with metrics](https://www.keycloak.org/observability/configuration-metrics).
- `alps` has been rewritten upstream, see [upstream repository](https://github.com/migadu/alps) for documentation.
- `uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
@@ -96,8 +90,6 @@
- `texlive.combine` is deprecated and scheduled for removal in 27.05. Please migrate to `texliveSmall.withPackages` (see [](#sec-language-texlive-user-guide)).
- `keycloak` was updated to >= 26.7.0 and includes some breaking internal (API) changes. See the [upstream migration guide](https://www.keycloak.org/docs/latest/upgrading/#migrating-to-26-7-0) for more information.
- `librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
- `pnpm_10` was upgraded to version 10.34.1+, which introduced stricter integrity checks. If you encounter `ERR_PNPM_MISSING_TARBALL_INTEGRITY`, you can fall back to the older `pnpm_10_34_0`.
@@ -114,7 +106,6 @@
- Starting with v14, `flameshot` will primarily utilise xdg-desktop-portal calls for screenshotting. This will directly affect users on X11 window managers due to the lack of a compatible portal with Screenshot feature. See [upstream changelog](https://github.com/flameshot-org/flameshot/releases/tag/v14.0.0) or [NixOS Flameshot](https://wiki.nixos.org/wiki/Flameshot) wiki page for workarounds.
- `nim1` and respective aliases have been removed due to entering EOL; please migrate to `nim` or `nim-unwrapped` (nim 2).
- `nim-2_0` & `nim-2_2` and respective aliases have been removed; please migrate to `nim` or `nim-unwrapped` (nim 2.2.10).
- `domoticz` has been updated from `2024.7` to `2026.x`, breaking third party applications and scripts using the old RType calls. Review the [release notes](https://github.com/domoticz/domoticz/blob/2026.2/History.txt#L398) for more information.
- `vimacs` has been removed, as it has not been maintained in 10 years and was built for an old version of vim (6.0).
@@ -146,15 +137,15 @@
### Breaking changes {#sec-nixpkgs-release-26.11-lib-breaking}
- `fittrackee` 1.0.0 now requires postgres with postgis. The [upgrade guide](https://docs.fittrackee.org/en/upgrading-to-1.0.0.html) has steps to prepare for this upgrade.
- Create the first release note entry in this section!
### Deprecations {#sec-nixpkgs-release-26.11-lib-deprecations}
- Setting `config.allowBrokenPredicate` is deprecated in favor of
using `config.problems.handlers.PackageName.broken = "warn"` (or `=
"ignore"`). For more information see [](#sec-allow-broken).
- Create the first release note entry in this section!
### Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements}
- Create the first release note entry in this section!

View File

@@ -23,14 +23,14 @@ body {
@media screen and (min-width: 992px) {
.book,
.appendix {
max-width: 55rem;
max-width: 60rem;
}
}
@media screen and (min-width: 1200px) {
.book,
.appendix {
max-width: 55rem;
max-width: 73rem;
}
}
@@ -156,7 +156,8 @@ body {
}
a {
text-decoration: underline;
text-decoration: none;
border-bottom: 1px solid;
color: var(--link-color);
}
@@ -397,7 +398,6 @@ div.appendix .variablelist .term {
:root {
--sidebar-width: 20rem;
--header-height: 3rem;
--background: #fff;
--main-text-color: #000;
--link-color: #405d99;
@@ -479,8 +479,6 @@ div.appendix .variablelist .term {
nav.toc-sidebar {
height: 100%;
padding: 0 1rem 2rem;
background-color: var(--background);
color: var(--main-text-color);
}
/* menu button, shown on mobile, hidden on desktop */
@@ -522,59 +520,6 @@ nav.toc-sidebar li {
nav.toc-sidebar summary {
cursor: pointer;
display: flex;
align-items: center;
list-style: none;
}
nav.toc-sidebar summary::before {
content: "▸";
flex: none;
font-size: 0.75em;
}
nav.toc-sidebar details[open] > summary::before {
content: "▾";
}
nav.toc-sidebar a {
display: block;
width: 100%;
padding: 3px 8px;
border-left: 3px solid transparent;
border-radius: 3px;
color: inherit;
transition:
background-color 120ms ease,
border-color 120ms ease;
}
nav.toc-sidebar a:hover {
background-color: #f2f2f2 !important;
}
nav.toc-sidebar a.active {
background-color: #d8d8d8;
border-left-color: #444;
font-weight: 600;
}
nav.toc-sidebar a.active-trail {
border-left-color: #bbb;
background-color: #e8e8e8;
}
@media (prefers-color-scheme: dark) {
nav.toc-sidebar a:hover {
/* hover should win over scroll selectors despite beeing less specific */
background-color: #606060 !important;
}
nav.toc-sidebar a.active {
background-color: #373737;
border-left-color: #eee;
font-weight: 600;
}
nav.toc-sidebar a.active-trail {
border-left-color: #eee;
background-color: #323232;
}
}
@media screen and (min-width: 768px) {
@@ -583,7 +528,7 @@ nav.toc-sidebar a.active-trail {
min-height: 0;
display: grid;
grid-template-columns: minmax(0, 1fr);
grid-template-rows: var(--header-height) auto minmax(0, 1fr);
grid-template-rows: auto minmax(0, 1fr);
}
body:has(> nav.toc-sidebar) {
@@ -592,7 +537,7 @@ nav.toc-sidebar a.active-trail {
.navheader {
grid-column: 1 / -1;
grid-row: 2;
grid-row: 1;
}
nav.toc-sidebar {
@@ -603,10 +548,11 @@ nav.toc-sidebar a.active-trail {
/* */
margin: 0;
grid-column: 1;
grid-row: 3;
grid-row: 2;
max-height: none;
overflow-y: auto;
border: none;
border-right: 0.0625rem solid #d8d8d8;
}
/* Hide the toggle button on desktop */
@@ -616,7 +562,7 @@ nav.toc-sidebar a.active-trail {
main.content {
grid-column: 1 / -1;
grid-row: 3;
grid-row: 2;
overflow-y: auto;
padding: 0 1rem;
}
@@ -625,73 +571,3 @@ nav.toc-sidebar a.active-trail {
grid-column: 2;
}
}
.manual-header {
background-color: var(--background);
border-bottom: 0.0625rem solid #d8d8d8;
display: flex;
flex-direction: column;
}
.manual-header--title {
order: -1;
padding: 0.5rem 1rem 0;
font-size: 0.875rem;
font-weight: 500;
color: var(--small-heading-color);
text-align: center;
}
.manual-header--tabs {
display: flex;
align-items: stretch;
justify-content: space-around;
margin: 0;
padding: 0;
}
.manual-header--tab {
display: flex;
align-items: center;
padding: 0 1rem;
font-size: 0.875rem;
font-weight: 500;
color: var(--main-text-color);
text-decoration: none;
border-bottom: 0.1875rem solid transparent;
border-top: 0.1875rem solid transparent;
transition: border-bottom-color 0.15s ease;
}
.manual-header--tab:hover {
border-bottom-color: var(--heading-color);
color: var(--main-text-color);
}
.manual-header--tab-active {
border-bottom-color: var(--heading-color);
color: var(--heading-color);
font-weight: 700;
}
@media screen and (min-width: 768px) {
.manual-header {
height: var(--header-height);
flex-direction: row;
align-items: stretch;
grid-column: 1 / -1;
grid-row: 1;
}
.manual-header--title {
order: 0;
margin-left: auto;
padding: 0 1rem;
align-self: center;
}
.manual-header--tabs {
justify-content: flex-start;
padding: 0 1rem;
}
}

View File

@@ -1,16 +1,16 @@
# Platform Support {#chap-platform-support}
Packages receive varying degrees of support, both in terms of maintainer and security team attention and available computation resources for continuous integration (CI). We have 7 defined tiers denoting how well supported each platform is.
Packages receive varying degrees of support, both in terms of maintainer attention and available computation resources for continuous integration (CI). We have 7 defined tiers denoting how well supported each platform is.
## Tiers {#sec-platform-tiers}
### Tier 1 {#sec-platform-tier1}
[Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) platforms receive the highest level of support where problems can block updates, security fixes are treated with urgency, platform-specific patches are freely applied, and most packages are expected to work.
[Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) platforms receive the highest level of support where problems can block updates, platform-specific patches are freely applied, and most packages are expected to work.
### Tier 2 {#sec-platform-tier2}
[Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) platforms are expected to remain functional and secure with updates, receive platform-specific patches as needed, and have many packages built by Hydra with full ofBorg support.
[Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) platforms are expected to remain functional with updates, receive platform-specific patches as needed, and have many packages built by Hydra with full ofBorg support.
### Tier 3 {#sec-platform-tier3}
@@ -22,25 +22,25 @@ Platform Tiers [4 through 7](https://github.com/NixOS/rfcs/blob/master/rfcs/0046
## Breakdown {#sec-platform-breakdown}
| Triple | Support Tier | Channel Blockers | Hydra Support | Security Support | Ofborg Support | Bootstrap Tarballs | Cross Compiling Support |
|---------------------------------------|------------------------------------------------------------------------------------------------|------------------|---------------|------------------|----------------|--------------------|-------------------------|
| `x86_64-unknown-linux-gnu` | [Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) | Many | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| `aarch64-unknown-linux-gnu` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| `x86_64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
| `aarch64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
| `x86_64-unknown-unknown-freebsd` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `arm64-apple-darwin` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
| `i686-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
| `riscv32-unknown-linux-gnu` | [Tier 4](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-4) | None | ❌ | ❌ | ❌ | ❌ | ✔️ |
| `riscv64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `loongarch64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `armv6l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `armv6l-unknown-linux-musleabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `armv7l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `armv5tel-unknown-linux-gnueabi` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `mips64el-unknown-linux-gnuabi64` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `mips64el-unknown-linux-gnuabin32` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `mipsel-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `powerpc64-unknown-linux-gnuabielfv2` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `powerpc64le-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| `s390x-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
| Triple | Support Tier | Channel Blockers | Hydra Support | Ofborg Support | Bootstrap Tarballs | Cross Compiling Support |
| ------------------------------------- | ------------ | ---------------- | ------------- | -------------- | ------------------ | ----------------------- |
| `x86_64-unknown-linux-gnu` | [Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) | Many | ✔️ | ✔️ | ✔️ | ✔️ |
| `aarch64-unknown-linux-gnu` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ |
| `x86_64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
| `aarch64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
| `x86_64-unknown-unknown-freebsd` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `arm64-apple-darwin` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ❌ |
| `i686-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
| `riscv32-unknown-linux-gnu` | [Tier 4](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-4) | None | ❌ | ❌ | ❌ | ✔️ |
| `riscv64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `loongarch64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `armv6l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `armv6l-unknown-linux-musleabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `armv7l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `armv5tel-unknown-linux-gnueabi` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `mips64el-unknown-linux-gnuabi64` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `mips64el-unknown-linux-gnuabin32` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `mipsel-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `powerpc64-unknown-linux-gnuabielfv2` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `powerpc64le-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
| `s390x-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |

View File

@@ -1140,7 +1140,7 @@ rec {
For a function that gives you control over what counts as a leaf, see `mapAttrsRecursiveCond`.
::: {.example #map-attrs-recursive-example}
:::{#map-attrs-recursive-example .example}
# Map over leaf attributes
```nix
@@ -1165,7 +1165,7 @@ rec {
If the predicate returns false, `mapAttrsRecursiveCond` does not recurse, but instead applies the mapping function.
If the predicate returns true, it does recurse, and does not apply the mapping function.
::: {.example #map-attrs-recursive-cond-example}
:::{#map-attrs-recursive-cond-example .example}
# Map over an leaf attributes defined by a condition
Map derivations to their `name` attribute.

View File

@@ -564,7 +564,7 @@ rec {
# Examples
:::{.example #ex-makeScope}
:::{#ex-makeScope .example}
# Create an interdependent package set on top of `pkgs`
The functions in `foo.nix` and `bar.nix` can depend on each other, in the sense that `foo.nix` can contain a function that expects `bar` as an attribute in its argument.
@@ -593,7 +593,7 @@ rec {
```
:::
:::{.example #ex-makeScope-callPackage}
:::{#ex-makeScope-callPackage .example}
# Using `callPackage` from a scope
```nix

View File

@@ -310,11 +310,6 @@ lib.mapAttrs mkLicense (
redistributable = true;
};
buddy = {
spdxId = "Buddy";
fullName = "Buddy License";
};
bzip2 = {
spdxId = "bzip2-1.0.6";
fullName = "bzip2 and libbzip2 License v1.0.6";
@@ -387,13 +382,6 @@ lib.mapAttrs mkLicense (
free = false;
};
cc-by-nc-30-igo = {
# Currently does not have a spdxID will get one in the future https://github.com/spdx/license-list-XML/issues/2845
# spdxId = "CC-BY-NC-3.0-IGO";
fullName = "Creative Commons Attribution Non Commercial 3.0 IGO";
free = false;
};
cc-by-nc-40 = {
spdxId = "CC-BY-NC-4.0";
fullName = "Creative Commons Attribution Non Commercial 4.0 International";
@@ -938,11 +926,6 @@ lib.mapAttrs mkLicense (
free = false;
};
jpl-image = {
fullName = "JPL Image Use Policy";
spdxId = "JPL-image";
};
knuth = {
fullName = "Knuth CTAN License";
spdxId = "Knuth-CTAN";
@@ -1190,11 +1173,6 @@ lib.mapAttrs mkLicense (
fullName = "Nethack General Public License";
};
ngrep = {
spdxId = "ngrep";
fullName = "ngrep License";
};
nistSoftware = {
spdxId = "NIST-Software";
fullName = "NIST Software License";
@@ -1628,11 +1606,6 @@ lib.mapAttrs mkLicense (
url = "https://fedoraproject.org/wiki/Licensing:Wadalab?rd=Licensing/Wadalab";
};
wordnet = {
spdxId = "WordNet";
fullName = "WordNet License";
};
wtfpl = {
spdxId = "WTFPL";
fullName = "Do What The F*ck You Want To Public License";

View File

@@ -90,12 +90,12 @@ rec {
`defaultText`
: Substitute for documenting the `default`, if evaluating the default value during documentation rendering is not possible.
: Can be any nix value that evaluates.
: Usage with `lib.literalMD`, `lib.literalExpression`, or `lib.literalCode` is supported
: Usage with `lib.literalMD` or `lib.literalExpression` is supported
`example`
: Optional example value used in the manual.
: Can be any nix value that evaluates.
: Usage with `lib.literalMD`, `lib.literalExpression`, or `lib.literalCode` is supported
: Usage with `lib.literalMD` or `lib.literalExpression` is supported
`description`
: Optional string describing the option. This is required if option documentation is generated.

View File

@@ -151,7 +151,6 @@
"samuela": 226872
},
"members": {
"ethancedwards8": 60861925,
"prusnak": 42201
},
"name": "cuda-maintainers"
@@ -366,10 +365,10 @@
"freedesktop": {
"description": "Maintain Freedesktop.org packages for graphical desktop.",
"id": 3806136,
"maintainers": {
"maintainers": {},
"members": {
"jtojnar": 705123
},
"members": {},
"name": "Freedesktop"
},
"geospatial": {

View File

@@ -1629,6 +1629,12 @@
githubId = 382798;
name = "amfl";
};
amiddelk = {
email = "amiddelk@gmail.com";
github = "amiddelk";
githubId = 1358320;
name = "Arie Middelkoop";
};
aminechikhaoui = {
email = "amine.chikhaoui91@gmail.com";
github = "AmineChikhaoui";
@@ -1937,11 +1943,6 @@
githubId = 143312793;
name = "Annin";
};
anntnzrb = {
github = "anntnzrb";
githubId = 51257127;
name = "anntnzrb";
};
anoa = {
matrix = "@andrewm:amorgan.xyz";
email = "andrew@amorgan.xyz";
@@ -2001,12 +2002,6 @@
githubId = 14838767;
name = "Jacopo Scannella";
};
antoineco = {
email = "hello@acotten.com";
github = "antoineco";
githubId = 3299086;
name = "Antoine Cotten";
};
anton-4 = {
name = "Anton";
github = "Anton-4";
@@ -4432,12 +4427,6 @@
{ fingerprint = "8916 F727 734E 77AB 437F A33A 19AB 76F5 CEE1 1392"; }
];
};
caguiclajmg = {
email = "jmg.caguicla@guarandoo.me";
github = "caguiclajmg";
githubId = 32662060;
name = "John Mark Gabriel Caguicla";
};
CaiqueFigueiredo = {
email = "public@caiquefigueiredo.me";
github = "caiquefigueiredo";
@@ -4651,13 +4640,6 @@
githubId = 53847249;
name = "Casey Avila";
};
cassandracomar = {
name = "Cassandra Comar";
github = "cassandracomar";
githubId = 320772;
email = "cass@mountclare.net";
keys = [ { fingerprint = "104E E74E 24A0 372B EAF5 5533 B019 18F7 7E04 AC99"; } ];
};
castorNova2 = {
email = "solemnsquire@gmail.com";
github = "castorNova2";
@@ -5613,11 +5595,6 @@
githubId = 5953003;
name = "Connor Nelson";
};
conny = {
github = "ConstantConstantin";
githubId = 162139822;
name = "Constantin-Paul Hertel";
};
conradmearns = {
email = "conradmearns+github@pm.me";
github = "ConradMearns";
@@ -6263,12 +6240,6 @@
github = "darkyzhou";
githubId = 7220778;
};
darshancode2005 = {
name = "Darshan Thakare";
email = "darshanthakaregsoc2023@gmail.com";
github = "DarshanCode2005";
githubId = 143271270;
};
daru-san = {
name = "Daru";
email = "zadarumaka@proton.me";
@@ -6808,13 +6779,6 @@
githubId = 77843198;
name = "Vasilis Manetas";
};
Deric-W = {
email = "robo-eric@gmx.de";
github = "Deric-W";
githubId = 42873573;
name = "Eric Wolf";
keys = [ { fingerprint = "ADAA B6F3 A955 5589 D66C CE61 80D2 DA42 8A4A 537F"; } ];
};
DerickEddington = {
email = "derick.eddington@pm.me";
github = "DerickEddington";
@@ -7072,6 +7036,12 @@
github = "DimitarNestorov";
githubId = 8790386;
};
diniamo = {
name = "diniamo";
email = "diniamo53@gmail.com";
github = "diniamo";
githubId = 55629891;
};
diogomdp = {
email = "me@diogodp.dev";
github = "diogomdp";
@@ -8877,13 +8847,6 @@
githubId = 345808;
name = "Jakub Okoński";
};
FatBoyXPC = {
name = "FatBoyXPC";
email = "fatboyxpc@gmail.com";
github = "FatBoyXPC";
githubId = 744962;
keys = [ { fingerprint = "0E08 1B81 CBCA 1CF7 9568 A13F C4ED 3CA2 3211 8969"; } ];
};
faukah = {
github = "faukah";
name = "faukah";
@@ -9064,11 +9027,6 @@
githubId = 5198058;
name = "Udo Sauer";
};
fernvenue = {
github = "fernvenue";
githubId = 84565547;
name = "fernvenue";
};
feyorsh = {
email = "george@feyor.sh";
github = "Feyorsh";
@@ -9125,12 +9083,6 @@
githubId = 41450706;
name = "fin-w";
};
fiona = {
email = "mail@fiona.hamburg";
github = "Fiona42069";
githubId = 260108682;
name = "fiona";
};
fionera = {
email = "nix@fionera.de";
github = "fionera";
@@ -10072,6 +10024,12 @@
name = "Will Owens";
keys = [ { fingerprint = "8E98 BB01 BFF8 AEA4 E303 FC4C 8074 09C9 2CE2 3033"; } ];
};
ghuntley = {
email = "ghuntley@ghuntley.com";
github = "ghuntley";
githubId = 127353;
name = "Geoffrey Huntley";
};
gibbert = {
email = "gbjgms@gmail.com";
github = "zgibberish";
@@ -10434,12 +10392,6 @@
githubId = 273582;
name = "greg";
};
gregshuflin = {
email = "greg@everdayimshuflin.com";
github = "neunenak";
githubId = 311545;
name = "Greg Shuflin";
};
greizgh = {
email = "greizgh@ephax.org";
github = "greizgh";
@@ -11499,11 +11451,6 @@
githubId = 69209;
name = "Ian Duncan";
};
IanHollow = {
github = "IanHollow";
githubId = 72767437;
name = "Ian Holloway";
};
ianliu = {
email = "ian.liu88@gmail.com";
github = "ianliu";
@@ -11914,6 +11861,12 @@
name = "Silvan Mosberger";
keys = [ { fingerprint = "6C2B 55D4 4E04 8266 6B7D DA1A 422E 9EDA E015 7170"; } ];
};
iniw = {
email = "git@vini.cat";
github = "iniw";
githubId = 30220881;
name = "Vinicius Deolindo";
};
insipx = {
email = "github@andrewplaza.dev";
github = "insipx";
@@ -12798,12 +12751,6 @@
githubId = 5741620;
name = "Jeremy Schlatter";
};
jeremystucki = {
email = "dev@jeremystucki.ch";
github = "jeremystucki";
githubId = 7629727;
name = "Jeremy Stucki";
};
jerith666 = {
email = "github@matt.mchenryfamily.org";
github = "jerith666";
@@ -14155,14 +14102,6 @@
name = "Kenichi Kamiya";
keys = [ { fingerprint = "9121 5D87 20CA B405 C63F 24D2 EF6E 574D 040A E2A5"; } ];
};
kacper-uminski = {
name = "Kacper Uminski";
email = "kacper+nixpkgs@lysator.liu.se";
github = "kacper-uminski";
githubId = 57466578;
matrix = "@kacper.uminski:matrix.org";
keys = [ { fingerprint = "3DF9 3DEB CAA9 81FA B3E2 A7F0 87DA 201D E02F 14B1"; } ];
};
kaction = {
name = "Dmitry Bogatov";
email = "KAction@disroot.org";
@@ -14402,12 +14341,6 @@
github = "keller00";
githubId = 8452750;
};
kenis1108 = {
email = "1836362346@qq.com";
github = "kenis1108";
githubId = 45393183;
name = "kenis";
};
kenran = {
email = "johannes.maier@mailbox.org";
github = "kenranunderscore";
@@ -16430,11 +16363,6 @@
githubId = 83420438;
name = "Lewis";
};
lubsch = {
github = "lubsch";
githubId = 33580245;
name = "Benjamin Lohmar";
};
luc65r = {
email = "lucas@ransan.fr";
github = "luc65r";
@@ -18886,12 +18814,6 @@
githubId = 830082;
name = "Nathan Moos";
};
mootfrost = {
email = "hello@mootfrost.dev";
github = "mootfrost";
githubId = 75925945;
name = "Andrew Semeykin";
};
moraxyc = {
name = "Moraxyc Xu";
email = "i@qaq.li";
@@ -20387,12 +20309,6 @@
githubId = 4242897;
name = "Nikolai Mishin";
};
nmoya = {
email = "nikolasmoya@gmail.com";
github = "nmoya";
githubId = 1767648;
name = "Nikolas Moya";
};
noaccos = {
name = "Francesco Noacco";
email = "francesco.noacco2000@gmail.com";
@@ -21230,6 +21146,12 @@
githubId = 19862;
name = "KJ Ørbekk";
};
orbitz = {
email = "mmatalka@gmail.com";
github = "orbitz";
githubId = 75299;
name = "Malcolm Matalka";
};
orhun = {
email = "orhunparmaksiz@gmail.com";
github = "orhun";
@@ -24427,12 +24349,6 @@
githubId = 20300874;
name = "Mohammad Rafiq";
};
rsahwe = {
email = "rsahwe@gmx.net";
github = "rsahwe";
githubId = 201613730;
name = "rsahwe";
};
rseichter = {
email = "nixos.org@seichter.de";
github = "rseichter";
@@ -25692,6 +25608,12 @@
githubId = 106669955;
name = "Léon Gessner";
};
shardy = {
email = "shardul@baral.ca";
github = "shardulbee";
githubId = 16765155;
name = "Shardul Baral";
};
sharpchen = {
github = "sharpchen";
githubId = 77432836;
@@ -25991,12 +25913,6 @@
name = "Nikolay Korotkiy";
keys = [ { fingerprint = "ADF4 C13D 0E36 1240 BD01 9B51 D1DE 6D7F 6936 63A5"; } ];
};
silicalet = {
name = "Mr. why";
email = "silicalet@outlook.com";
github = "silicalet";
githubId = 188071249;
};
silky = {
name = "Noon van der Silk";
email = "noonsilk+nixpkgs@gmail.com";
@@ -26467,14 +26383,6 @@
githubId = 7116239;
keys = [ { fingerprint = "E067 520F 5EF2 C175 3F60 50C0 BA46 725F 6A26 7442"; } ];
};
Soliprem = {
email = "me@soliprem.eu";
matrix = "@soliprem:soliprem.eu";
name = "Francesco Prem Solidoro";
github = "Soliprem";
githubId = 73885403;
keys = [ { fingerprint = "F779 4E05 D8BB A608 73D0 1312 4FD6 B0D5 1C9A B6BD"; } ];
};
solson = {
email = "scott@solson.me";
matrix = "@solson:matrix.org";
@@ -26667,6 +26575,12 @@
github = "spreetin";
githubId = 7392173;
};
sprock = {
email = "rmason@mun.ca";
github = "sprock";
githubId = 6391601;
name = "Roger Mason";
};
sputn1ck = {
email = "kon@kon.ninja";
github = "sputn1ck";
@@ -29738,6 +29652,12 @@
githubId = 20145996;
name = "Victor Fuentes";
};
vlstill = {
email = "xstill@fi.muni.cz";
github = "vlstill";
githubId = 4070422;
name = "Vladimír Štill";
};
vmandela = {
email = "venkat.mandela@gmail.com";
github = "vmandela";
@@ -30323,12 +30243,6 @@
githubId = 22803888;
name = "Lu Hongxu";
};
wini = {
email = "dev@vini.cat";
github = "iniw";
githubId = 30220881;
name = "Vinicius Deolindo";
};
winpat = {
email = "patrickwinter@posteo.ch";
github = "winpat";

View File

@@ -307,7 +307,7 @@ async def commit_changes(
commit_message = "{attrPath}: {oldVersion} -> {newVersion}".format(**change)
if "commitMessage" in change:
commit_message = change["commitMessage"]
if "commitBody" in change:
elif "commitBody" in change:
commit_message = commit_message + "\n\n" + change["commitBody"]
await check_subprocess_output(
"git",

View File

@@ -717,15 +717,6 @@ with lib.maintainers;
github = "security-review";
};
stardust-xr = {
members = [
pandapip1
technobaboo
];
scope = "Maintain Stardust XR packages";
shortName = "StardustXR";
};
stdenv = {
enableFeatureFreezePing = true;
github = "stdenv";

View File

@@ -41,6 +41,5 @@ and non-critical by adding `options = [ "nofail" ];`.
```{=include=} sections
luks-file-systems.section.md
sshfs-file-systems.section.md
nfs-file-systems.section.md
overlayfs.section.md
```

View File

@@ -1,52 +0,0 @@
# NFS File Systems {#sec-nfs-file-systems}
[NFS][nfs] (Network File System) allows you to mount directories from remote machines over the network.
[nfs]: https://en.wikipedia.org/wiki/Network_File_System
[nfs-man]: https://man7.org/linux/man-pages/man5/nfs.5.html
To mount NFS filesystems persistently, use the `fileSystems` option:
```nix
{
fileSystems."/mnt/data" = {
device = "server.example.com:/export/data";
fsType = "nfs";
};
}
```
## Automounting {#sec-nfs-automount}
To have NFS filesystems mounted on-demand instead of at boot, add the `noauto` and `x-systemd.automount` options:
```nix
{
fileSystems."/mnt/data" = {
device = "server.example.com:/export/data";
fsType = "nfs";
options = [
"noauto"
"x-systemd.automount"
];
};
}
```
## Ad-hoc Mounting {#sec-nfs-adhoc}
To mount NFS filesystems ad-hoc using the `mount` command, enable NFS and required RPC services:
```nix
{
boot.supportedFilesystems = [ "nfs" ];
}
```
Then you can mount filesystems manually:
```shell
$ sudo mount -t nfs server.example.com:/export/data /mnt/data
```
For more information on NFS mount options, see the [nfs(5) man page][nfs-man].

View File

@@ -202,8 +202,6 @@ rec {
--script ./anchor.min.js \
--script ./anchor-use.js \
--sidebar-depth 2 \
--header ${./header.html}\
--no-navheader \
./manual.md \
$dst/${common.indexPath}

View File

@@ -1,7 +0,0 @@
<div class="manual-header">
<nav class="manual-header--tabs">
<a class="manual-header--tab" href="https://nixos.org/manual/nixos/stable/">Nixpkgs</a>
<a class="manual-header--tab manual-header--tab-active" href="#">NixOS</a>
</nav>
<span class="manual-header--title">Nixos Manual</span>
</div>

View File

@@ -47,7 +47,7 @@ The first steps to all these are the same:
Where `<version>` corresponds to the latest version available on [channels.nixos.org](https://channels.nixos.org/).
You must run `$ nix-channel --update` for the channel change to take effect.
You may want to throw in a `nix-channel --update` for good measure.
1. Install the NixOS installation tools:

View File

@@ -619,15 +619,6 @@
"sec-luks-file-systems-fido2-systemd": [
"index.html#sec-luks-file-systems-fido2-systemd"
],
"sec-nfs-file-systems": [
"index.html#sec-nfs-file-systems"
],
"sec-nfs-automount": [
"index.html#sec-nfs-automount"
],
"sec-nfs-adhoc": [
"index.html#sec-nfs-adhoc"
],
"sec-sshfs-file-systems": [
"index.html#sec-sshfs-file-systems"
],
@@ -1900,9 +1891,6 @@
"sec-kubernetes": [
"index.html#sec-kubernetes"
],
"module-services-nordvpn": [
"index.html#module-services-nordvpn"
],
"ch-running": [
"index.html#ch-running"
],

View File

@@ -110,8 +110,6 @@
- [clevis-luks-askpass](https://github.com/latchset/clevis), automatic LUKS unlocking in initrd using clevis token bindings stored in LUKS headers. Available as [boot.initrd.clevisLuksAskpass](#opt-boot.initrd.clevisLuksAskpass.enable).
- [passless](https://github.com/pando85/passless), a daemon for using Webauthn Passkeys backed by password-store.
- [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).

View File

@@ -32,8 +32,6 @@
- [Nezha](https://github.com/nezhahq/nezha), a self-hosted, lightweight server and website monitoring and O&M tool. Available as [services.nezha](#opt-services.nezha.enable).
- [Watt](https://github.com/NotAShelf/watt), a CPU frequency and power management daemon for Linux. Available as [services.watt](#opt-services.watt.enable).
- [mail-tlsa-check-exporter](https://github.com/ietf-tools/mail-tlsa-check-exporter), validates SMTP / IMAP server certificates against a TLSA record as a Prometheus exporter. Available as [services.prometheus.exporters.mail-tlsa-check](#opt-services.prometheus.exporters.mail-tlsa-check.enable).
- [CastSponsorSkip](https://github.com/gabe565/CastSponsorSkip/), skips YouTube sponsorships (and sometimes ads) on all local Google Cast devices.
@@ -56,8 +54,6 @@
- [OO7](https://github.com/linux-credentials/oo7) is a desktop-agnostic Secret Service provider. Available as [services.oo7](#opt-services.oo7.enable)
- [NordVPN](https://github.com/NordSecurity/nordvpn-linux), a NordVPN client for linux. Available as [services.nordvpn](options.html#opt-services.nordvpn.enable).
## Backward Incompatibilities {#sec-release-26.11-incompatibilities}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -142,8 +138,6 @@
- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
- The `authelia` module now uses systemd's `LoadCredential` to load all files defined in `secrets`. As such, these files no longer need to be readable by the authelia user and group: they can for example be set to be only readable by the root user.
- `zoneminder` has been updated to 1.38.x release. See [upstream release note](https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.0). While database migration should happen automatically, it's recommended that you make a backup of the database before upgrading your system.
- The latest available version of Nextcloud is v34 (available as `pkgs.nextcloud34`). The installation logic is as follows:

View File

@@ -625,7 +625,7 @@ rec {
listenStreams = mkOption {
default = [ ];
type = types.listOf (types.coercedTo types.port toString types.str);
type = types.listOf types.str;
example = [
"0.0.0.0:993"
"/run/my-socket"

View File

@@ -1,7 +1,6 @@
{
config,
lib,
utils,
pkgs,
...
}:
@@ -60,7 +59,7 @@ in
};
output = lib.mkOption {
type = lib.types.externalPath;
type = lib.types.path;
default = "/var/cache/locatedb";
description = ''
The database file to build.
@@ -250,35 +249,27 @@ in
systemd.services.update-locatedb = {
description = "Update Locate Database";
serviceConfig = {
# mlocate's updatedb takes flags via a configuration file or
# on the command line, but not by environment variable.
ExecStart =
let
toFlags =
x:
lib.optionals (cfg.${x} != [ ]) [
"--${lib.toLower x}"
(lib.concatStringsSep " " cfg.${x})
];
args = lib.concatMap toFlags [
# mlocate's updatedb takes flags via a configuration file or
# on the command line, but not by environment variable.
script =
let
toFlags =
x: lib.optional (cfg.${x} != [ ]) "--${lib.toLower x} '${lib.concatStringsSep " " cfg.${x}}'";
args = lib.concatLists (
map toFlags [
"pruneFS"
"pruneNames"
"prunePaths"
];
in
utils.escapeSystemdExecArgs (
[
(lib.getExe' cfg.package "updatedb")
"--output"
cfg.output
"--prune-bind-mounts"
(lib.boolToYesNo cfg.pruneBindMounts)
]
++ args
++ cfg.extraFlags
);
in
''
exec ${cfg.package}/bin/updatedb \
--output ${toString cfg.output} ${lib.concatStringsSep " " args} \
--prune-bind-mounts ${lib.boolToYesNo cfg.pruneBindMounts} \
${lib.concatStringsSep " " cfg.extraFlags}
'';
serviceConfig = {
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_CHOWN";
Nice = 19;
IOSchedulingClass = "idle";

View File

@@ -296,7 +296,6 @@
./programs/opengamepadui.nix
./programs/openvpn3.nix
./programs/partition-manager.nix
./programs/passless.nix
./programs/pay-respects.nix
./programs/plotinus.nix
./programs/pmount.nix
@@ -358,7 +357,6 @@
./programs/wayland/mangowc.nix
./programs/wayland/miracle-wm.nix
./programs/wayland/niri.nix
./programs/wayland/pinnacle.nix
./programs/wayland/river.nix
./programs/wayland/sway.nix
./programs/wayland/uwsm.nix
@@ -732,7 +730,6 @@
./services/hardware/usbmuxd.nix
./services/hardware/usbrelayd.nix
./services/hardware/vdr.nix
./services/hardware/watt.nix
./services/home-automation/deye-dummycloud.nix
./services/home-automation/ebusd.nix
./services/home-automation/esphome.nix
@@ -1344,7 +1341,6 @@
./services/networking/nncp.nix
./services/networking/nntp-proxy.nix
./services/networking/nomad.nix
./services/networking/nordvpn.nix
./services/networking/nsd.nix
./services/networking/ntopng.nix
./services/networking/ntp/chrony.nix
@@ -1861,7 +1857,6 @@
./services/web-servers/nginx/tailscale-auth.nix
./services/web-servers/phpfpm/default.nix
./services/web-servers/pomerium.nix
./services/web-servers/rustfs.nix
./services/web-servers/rustus.nix
./services/web-servers/send.nix
./services/web-servers/stargazer.nix

View File

@@ -1,134 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.passless;
settingsFormat = pkgs.formats.toml { };
settingsFile = settingsFormat.generate "passless.toml" cfg.settings;
in
{
options.programs.passless = {
enable = lib.mkEnableOption "passless";
package = lib.mkPackageOption pkgs "passless" { };
users = lib.options.mkOption {
type = with lib.types; listOf str;
description = ''
Users that intend to use passless and should be added to the fido group.
'';
default = [ ];
example = [ "alice" ];
};
settings = lib.mkOption {
inherit (settingsFormat) type;
default = { };
example = {
pass.store-path = "/home/alice/.local/share/password-store";
};
description = ''
Configuration included in `config.toml`.
See <https://github.com/pando85/passless#configuration-1> for documentation or run `passless config print` to see default configuration.
'';
};
};
config = lib.mkIf config.programs.passless.enable {
users.groups.fido.members = cfg.users;
boot.kernelModules = [ "uhid" ];
services.udev.extraRules = ''
KERNEL=="uhid", GROUP="fido", MODE="0660"
'';
# From https://github.com/pando85/passless/blob/master/contrib/systemd/passless.service
systemd.user.services.passless = {
description = "Passless FIDO2 Software Authenticator";
documentation = [ "https://github.com/pando85/passless" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "default.target" ];
path = [ config.programs.gnupg.package ];
serviceConfig = {
Type = "simple";
ExecStart = "${lib.getExe cfg.package} --config-path ${settingsFile}";
Restart = "on-failure";
RestartSec = "5s";
# Security hardening
# The application already handles its own memory locking and core dump prevention
# but we can add additional systemd protections
NoNewPrivileges = true;
LimitMEMLOCK = "2M";
SyslogIdentifier = "passless";
# Found with shh
ProtectSystem = "strict";
PrivateTmp = "disconnected";
PrivateMounts = "true";
ProtectKernelTunables = "true";
ProtectKernelModules = true;
ProtectKernelLogs = true;
LockPersonality = true;
RestrictRealtime = true;
ProtectClock = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = "AF_UNIX";
SocketBindDeny = [
"ipv4:tcp"
"ipv4:udp"
"ipv6:tcp"
"ipv6:udp"
];
CapabilityBoundingSet = [
"~CAP_BLOCK_SUSPEND"
"CAP_BPF"
"CAP_CHOWN"
"CAP_MKNOD"
"CAP_NET_RAW"
"CAP_PERFMON"
"CAP_SYS_BOOT"
"CAP_SYS_CHROOT"
"CAP_SYS_MODULE"
"CAP_SYS_NICE"
"CAP_SYS_PACCT"
"CAP_SYS_PTRACE"
"CAP_SYS_TIME"
"CAP_SYSLOG"
"CAP_WAKE_ALARM"
];
SystemCallFilter = [
"~@aio:EPERM"
"@chown:EPERM"
"@clock:EPERM"
"@cpu-emulation:EPERM"
"@debug:EPERM"
"@ipc:EPERM"
"@keyring:EPERM"
"@module:EPERM"
"@mount:EPERM"
"@obsolete:EPERM"
"@pkey:EPERM"
"@privileged:EPERM"
"@raw-io:EPERM"
"@reboot:EPERM"
"@resources:EPERM"
"@sandbox:EPERM"
"@setuid:EPERM"
"@swap:EPERM"
"@sync:EPERM"
];
};
};
};
meta.maintainers = with lib.maintainers; [ erictapen ];
}

View File

@@ -1,70 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.programs.pinnacle;
inherit (lib.options) mkEnableOption mkPackageOption;
in
{
options.programs.pinnacle = {
enable = mkEnableOption "pinnacle";
package = mkPackageOption pkgs "pinnacle" {
default = "pinnacle";
example = "pkgs.pinnacle";
extraDescription = "package containing the pinnacle server binary";
};
xdg-portals.enable = mkEnableOption "enable xdg-portals for pinnacle";
withUWSM = mkEnableOption ''
manage the pinnacle session with [UWSM](https://github.com/Vladimir-csp/uwsm) instead
of independent systemd services and targets.
'';
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
environment.systemPackages = [
cfg.package
pkgs.protobuf
cfg.package.lua-client-api
];
environment.pathsToLink = [
# For /run/current-system/sw/share/pinnacle protobuf files - for
# pinnacle to be able to launch with a non-default config out of the
# box.
"/share/pinnacle"
];
xdg.portal = lib.mkIf cfg.xdg-portals.enable {
enable = true;
wlr.enable = true;
configPackages = [ cfg.package ];
extraPortals = [
pkgs.xdg-desktop-portal-wlr
pkgs.xdg-desktop-portal-gtk
pkgs.gnome-keyring
];
};
}
(lib.mkIf (cfg.withUWSM) {
programs.uwsm.enable = true;
# Configure UWSM to launch Pinnacle from a display manager like SDDM
programs.uwsm.waylandCompositors = {
pinnacle = {
prettyName = "Pinnacle";
comment = "Pinnacle compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/pinnacle";
extraArgs = [ "--session" ];
};
};
})
(lib.mkIf (!cfg.withUWSM) {
services.displayManager.sessionPackages = [ cfg.package ];
})
]
);
meta.maintainers = with lib.maintainers; [ cassandracomar ];
}

View File

@@ -511,7 +511,7 @@ in
services.simplesamlphp has been vulnerable and unmaintained in nixpkgs.
'')
(mkRemovedOptionModule [ "security" "pam" "enableEcryptfs" ] ''
security.pam.enableEcryptfs was removed since it was unmaintained in nixpkgs.
security.pam.enableFscrypt was removed since it was unmaintained in nixpkgs.
'')
(mkRemovedOptionModule [ "security" "rngd" ] ''
rngd is not necessary for any device that the kernel recognises

View File

@@ -241,7 +241,7 @@ in
{
Type = "oneshot";
RemainAfterExit = "yes";
ExecStartPre = lib.getExe' pkgs.apparmor-init "aa-teardown";
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
ExecStart = lib.mapAttrsToList (
n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts n p}"
) enabledPolicies;
@@ -262,7 +262,7 @@ in
# Optionally kill the processes which are unconfined but now have a profile loaded
# (because AppArmor can only start to confine new processes).
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecStop = lib.getExe' pkgs.apparmor-init "aa-teardown";
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
CacheDirectory = [
"apparmor"
"apparmor/logprof"

View File

@@ -10,7 +10,7 @@ in
{
options.services.oo7 = {
enable = lib.mkEnableOption ''
oo7, a service providing the Secret Service D-Bus API
oo7, a service providing the Secret Service D-Bus API.
'';
};

View File

@@ -40,6 +40,7 @@ in
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
seatd
sdnotify-wrapper
];
users.groups.seat = lib.mkIf (cfg.group == "seat") { };
@@ -54,7 +55,7 @@ in
Type = "notify";
NotifyAccess = "all";
SyslogIdentifier = "seatd";
ExecStart = "${lib.getExe' pkgs.s6 "s6-notify-socket-from-fd"} ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
ExecStart = "${pkgs.sdnotify-wrapper}/bin/sdnotify-wrapper ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
RestartSec = 1;
Restart = "always";
};

View File

@@ -80,9 +80,6 @@ in
unitConfig = lib.optionalAttrs cfg.startWithGraphical {
After = "graphical-session.target";
};
# Long-lived session that ought to only be restarted manually
restartIfChanged = false;
}
// lib.optionalAttrs cfg.enable {
wantedBy = if cfg.startWithGraphical then [ "graphical-session.target" ] else [ "default.target" ];

View File

@@ -1,71 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib)
mkIf
mkOption
mkEnableOption
mkPackageOption
getExe
;
inherit (lib.types) submodule;
cfg = config.services.watt;
format = pkgs.formats.toml { };
cfgFile = format.generate "watt-config.toml" cfg.settings;
conflictingServices = [
"power-profiles-daemon"
"auto-cpufreq"
"tlp"
"cpupower-gui"
"thermald"
];
in
{
options.services.watt = {
enable = mkEnableOption "automatic CPU speed & power optimizer for Linux";
package = mkPackageOption pkgs "watt" { };
settings = mkOption {
default = { };
type = submodule { freeformType = format.type; };
description = "Configuration for Watt. Options at https://github.com/notaShelf/watt";
};
};
config = mkIf cfg.enable {
assertions = map (service: {
assertion = !config.services.${service}.enable;
message = "You have set services.${service}.enable = true; which conflicts with Watt.";
}) conflictingServices;
environment.systemPackages = [ cfg.package ];
# This is necessary for the Watt CLI. The environment variable
# passed to the systemd service will take priority in read order.
environment.etc."watt.toml".source = cfgFile;
services.dbus.packages = [ cfg.package ];
systemd.services.watt = {
wantedBy = [ "multi-user.target" ];
conflicts = map (service: "${service}.service") conflictingServices;
serviceConfig = {
WorkingDirectory = "";
ExecStart = getExe cfg.package;
Restart = "on-failure";
RuntimeDirectory = "watt";
RuntimeDirectoryMode = "0755";
};
};
};
}

View File

@@ -281,7 +281,7 @@ in
environment.etc."postsrsd.conf".source = configFile;
systemd.services.postsrsd = {
description = "Sender Rewriting Scheme daemon for Postfix";
description = "PostSRSd SRS rewriting server";
after = [
"network.target"
"postsrsd-generate-secrets.service"
@@ -289,20 +289,14 @@ in
before = [ "postfix.service" ];
wantedBy = [ "multi-user.target" ];
requires = [ "postsrsd-generate-secrets.service" ];
reloadTriggers = [ configFile ];
restartTriggers = [ configFile ];
serviceConfig = {
Type = "notify-reload";
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe cfg.package)
"-C"
"/etc/postsrsd.conf"
];
ExecReload = toString [
(lib.getExe' pkgs.coreutils "kill")
"-SIGHUP"
"$MAINPID"
];
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = "postsrsd";
@@ -325,7 +319,7 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "noaccess";
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
RestrictAddressFamilies =

View File

@@ -57,7 +57,7 @@ in
default = { };
description = ''
Configuration options for the Stalwart server.
See <https://stalw.art/docs/configuration> for available options.
See <https://stalw.art/docs/category/configuration> for available options.
By default, the module is configured to store everything locally.
'';

View File

@@ -13,7 +13,6 @@ in
{
options.services.dendrite = {
enable = lib.mkEnableOption "matrix.org dendrite";
package = lib.mkPackageOption pkgs "dendrite" { };
httpPort = lib.mkOption {
type = lib.types.nullOr lib.types.port;
default = 8008;
@@ -322,7 +321,7 @@ in
];
ExecStart = lib.strings.concatStringsSep " " (
[
(lib.getExe cfg.package)
"${pkgs.dendrite}/bin/dendrite"
"--config /run/dendrite/dendrite.yaml"
]
++ lib.optionals (cfg.httpPort != null) [

View File

@@ -45,9 +45,7 @@ let
pruned;
configFile = format.generate "config.yaml" finalSettings;
extraConfigFiles = lib.imap0 (
i: _: "\${CREDENTIALS_DIRECTORY}/config-${toString i}"
) cfg.extraConfigFiles;
extraConfigFiles = lib.imap0 (i: _: "%d/config-${toString i}") cfg.extraConfigFiles;
runtimeConfig = "/run/matrix-authentication-service/config.yaml";
in
{

View File

@@ -22,23 +22,17 @@ in
config = lib.mkIf cfg.enable {
environment = {
# systemd-localed looks into 00-keyboard.conf
# systemd-localed does not like if Option values are ""
etc."X11/xorg.conf.d/00-keyboard.conf".text =
let
optionLine =
name: value: lib.optionalString (value != null && value != "") ''Option "${name}" "${value}"'';
in
''
Section "InputClass"
Identifier "Keyboard catchall"
MatchIsKeyboard "on"
${optionLine "XkbModel" xcfg.xkb.model}
${optionLine "XkbLayout" xcfg.xkb.layout}
${optionLine "XkbOptions" xcfg.xkb.options}
${optionLine "XkbVariant" xcfg.xkb.variant}
EndSection
'';
# localectl looks into 00-keyboard.conf
etc."X11/xorg.conf.d/00-keyboard.conf".text = ''
Section "InputClass"
Identifier "Keyboard catchall"
MatchIsKeyboard "on"
Option "XkbModel" "${xcfg.xkb.model}"
Option "XkbLayout" "${xcfg.xkb.layout}"
Option "XkbOptions" "${xcfg.xkb.options}"
Option "XkbVariant" "${xcfg.xkb.variant}"
EndSection
'';
systemPackages = with pkgs; [
nixos-icons # needed for gnome and pantheon about dialog, nixos-manual and maybe more
xdg-utils

View File

@@ -245,19 +245,19 @@ in
};
components = {
subversion = lib.mkEnableOption "Subversion integration";
subversion = lib.mkEnableOption "Subversion integration.";
mercurial = lib.mkEnableOption "Mercurial integration";
mercurial = lib.mkEnableOption "Mercurial integration.";
git = lib.mkEnableOption "git integration";
git = lib.mkEnableOption "git integration.";
cvs = lib.mkEnableOption "cvs integration";
cvs = lib.mkEnableOption "cvs integration.";
breezy = lib.mkEnableOption "bazaar integration";
breezy = lib.mkEnableOption "bazaar integration.";
imagemagick = lib.mkEnableOption "exporting Gant diagrams as PNG";
imagemagick = lib.mkEnableOption "exporting Gant diagrams as PNG.";
ghostscript = lib.mkEnableOption "exporting Gant diagrams as PDF";
ghostscript = lib.mkEnableOption "exporting Gant diagrams as PDF.";
minimagick_font_path = lib.mkOption {
type = lib.types.str;
@@ -265,8 +265,6 @@ in
description = "MiniMagick font path";
example = "/run/current-system/sw/share/X11/fonts/LiberationSans-Regular.ttf";
};
pandoc = lib.mkEnableOption "pandoc integration for previewing LibreOffice and Microsoft Office documents";
};
};
};
@@ -312,7 +310,6 @@ in
imagemagick_convert_command = lib.optionalString cfg.components.imagemagick "${pkgs.imagemagick}/bin/convert";
gs_command = lib.optionalString cfg.components.ghostscript "${pkgs.ghostscript}/bin/gs";
minimagick_font_path = "${cfg.components.minimagick_font_path}";
pandoc_command = lib.optionalString cfg.components.pandoc "${pkgs.pandoc}/bin/pandoc";
};
};

View File

@@ -90,5 +90,8 @@ in
};
};
meta.maintainers = with lib.maintainers; [ nanoyaki ];
meta.maintainers = with lib.maintainers; [
diniamo
nanoyaki
];
}

View File

@@ -6,32 +6,17 @@
}:
let
cfg = config.services.vnstat;
settingsFormat = pkgs.formats.keyValue { };
in
{
options.services.vnstat = {
enable = lib.mkEnableOption "update of network usage statistics via vnstatd";
package = lib.mkPackageOption pkgs "vnstat" { };
settings = lib.mkOption {
type = lib.types.submodule { freeformType = settingsFormat.type; };
default = { };
description = ''
Configuration for vnstat. Refer to
[https://humdi.net/vnstat/man/vnstat.conf.html]
or {manpage}`vnstat.conf(5)` for more information.
'';
example = {
AlwaysAddNewInterfaces = 1;
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.etc."vnstat.conf".source = settingsFormat.generate "vnstat.conf" cfg.settings;
users = {
groups.vnstatd = { };
@@ -74,8 +59,4 @@ in
};
};
};
meta = {
maintainers = with lib.maintainers; [ hmenke ];
};
}

View File

@@ -132,7 +132,7 @@ in
description = "socket for fast remote file copy program daemon";
conflicts = [ "rsync.service" ];
listenStreams = [ cfg.port ];
listenStreams = [ (toString cfg.port) ];
socketConfig.Accept = true;
wantedBy = [ "sockets.target" ];

View File

@@ -44,7 +44,7 @@ in
settings = mkOption {
description = ''
Headplane configuration options. Generates a YAML config file.
See <https://github.com/tale/headplane/blob/main/config.example.yaml>.
See: https://github.com/tale/headplane/blob/main/config.example.yaml
'';
type = types.submodule {
options = {
@@ -129,16 +129,6 @@ in
headscale = mkOption {
type = types.submodule {
options = {
api_key_path = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a file containing a Headscale API key.
This is required for OIDC authentication aswell for the Headplane agent.
'';
example = lib.literalExpression "config.sops.secrets.headplane_pre_authkey.path";
};
url = mkOption {
type = types.str;
default = "http://127.0.0.1:${toString config.services.headscale.port}";
@@ -221,6 +211,15 @@ in
'';
};
pre_authkey_path = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a file containing a Headscale pre-auth key for the agent.
'';
example = lib.literalExpression "config.sops.secrets.headplane_pre_authkey.path";
};
executable_path = mkOption {
type = types.path;
readOnly = true;
@@ -238,14 +237,20 @@ in
};
cache_ttl = mkOption {
type = types.ints.positive;
default = 180000;
type = types.nullOr types.int;
default = null;
description = ''
How long to cache agent information (in milliseconds).
If you want data to update faster, reduce the TTL, but this will increase the frequency of requests to Headscale.
Deprecated cache TTL for the agent. This option is accepted
by Headplane 0.6.2 but has no effect.
'';
};
cache_path = mkOption {
type = types.path;
default = "/var/lib/headplane/agent_cache.json";
description = "The path to store the agent's cache.";
};
work_dir = mkOption {
type = types.path;
default = "/var/lib/headplane/agent";
@@ -320,6 +325,16 @@ in
example = lib.literalExpression "config.sops.secrets.oidc_client_secret.path";
};
headscale_api_key_path = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a file containing the Headscale API key.
Required for OIDC authentication.
'';
example = lib.literalExpression "config.sops.secrets.headscale_api_key.path";
};
disable_api_key_login = mkOption {
type = types.bool;
default = false;
@@ -351,6 +366,25 @@ in
'';
};
redirect_uri = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Deprecated OIDC redirect URI. Use services.headplane.settings.server.base_url
instead; Headplane derives the callback URL from it.
'';
example = "https://headplane.example.com/admin/oidc/callback";
};
strict_validation = mkOption {
type = types.nullOr types.bool;
default = null;
description = ''
Deprecated OIDC validation setting. This option is accepted
by Headplane 0.6.2 but has no effect.
'';
};
profile_picture_source = mkOption {
type = types.enum [
"oidc"
@@ -395,6 +429,16 @@ in
description = "Custom userinfo endpoint URL.";
example = "https://provider.example.com/userinfo";
};
user_storage_file = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Deprecated path to the pre-0.6.2 JSON user database.
Headplane uses this once to migrate users into its internal database.
'';
example = "/var/lib/headplane/users.json";
};
};
}
);
@@ -408,6 +452,33 @@ in
};
config = mkIf cfg.enable {
warnings =
lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.redirect_uri != null) [
''
services.headplane.settings.oidc.redirect_uri is deprecated by Headplane 0.6.2.
Use services.headplane.settings.server.base_url instead; Headplane derives
the OIDC callback URL from it.
''
]
++ lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.strict_validation != null) [
''
services.headplane.settings.oidc.strict_validation is deprecated and has no effect
in Headplane 0.6.2.
''
]
++ lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.user_storage_file != null) [
''
services.headplane.settings.oidc.user_storage_file is deprecated. Headplane 0.6.2
uses it only to migrate the pre-0.6.2 JSON user database into the internal database.
''
]
++ lib.optionals (agentSettings != null && agentSettings.cache_ttl != null) [
''
services.headplane.settings.integration.agent.cache_ttl is deprecated and has no
effect in Headplane 0.6.2.
''
];
assertions = [
{
assertion = config.services.headscale.enable;
@@ -431,25 +502,26 @@ in
'';
}
{
assertion = cfg.settings.oidc == null || cfg.settings.headscale.api_key_path != null;
assertion = cfg.settings.oidc == null || cfg.settings.oidc.headscale_api_key_path != null;
message = ''
services.headplane.settings.headscale.api_key_path must be set
when services.headplane.settings.oidc is non-null.
Headplane's OIDC flow requires a Headscale API key to mint sessions.
services.headplane.settings.oidc.headscale_api_key_path must be set
when services.headplane.settings.oidc is non-null. Headplane's OIDC
flow requires a Headscale API key to mint sessions.
'';
}
{
assertion =
agentSettings == null || !agentSettings.enabled || cfg.settings.headscale.api_key_path != null;
agentSettings == null || !agentSettings.enabled || agentSettings.pre_authkey_path != null;
message = ''
services.headplane.settings.headscale.api_key_path must be set when the agent is enabled.
services.headplane.settings.integration.agent.pre_authkey_path must be set
when the agent is enabled.
'';
}
];
environment = {
systemPackages = [ cfg.package ];
etc."headplane/config.yaml".source = settingsFile;
etc."headplane/config.yaml".source = "${settingsFile}";
};
systemd.services.headplane = {
@@ -462,7 +534,6 @@ in
config.systemd.services.headscale.name
];
requires = [ config.systemd.services.headscale.name ];
restartTriggers = [ settingsFile ];
environment = {
HEADPLANE_DEBUG_LOG = toString cfg.debug;

View File

@@ -93,10 +93,6 @@ in
config = mkIf cfg.enable {
warnings = mkIf (!config.systemd.network.enable) [
"services.networkd-dispatcher will not execute any scripts unless networkd is enabled, either via `systemd.network.enable` or via `networking.useNetworkd`."
];
systemd = {
packages = [ pkgs.networkd-dispatcher ];
services.networkd-dispatcher = {

View File

@@ -1,65 +0,0 @@
# NordVPN {#module-services-nordvpn}
*Source:* {file}`modules/services/networking/nordvpn.nix`
*Upstream documentation:* <https://github.com/NordSecurity/nordvpn-linux>
NordVPN offers a paid virtual private network (VPN) service.
The service operates as closed-source,
but the Linux client uses open-source code licensed under GPLv3.
A minimal configuration in NixOS appears as follows:
```nix
{
services.nordvpn.enable = true;
networking.firewall.enable = true;
networking.firewall.checkReversePath = "loose";
}
```
When using a firewall, set `networking.firewall.checkReversePath` to `"loose"` or `false`.
NordVPN includes a `kill-switch` feature that blocks all packets not associated with the VPN connection.
Additionally, add your user to the `nordvpn` group.
```nix
{
users.users.yourUser = {
#..
extraGroups = [
#..
"nordvpn"
];
};
}
```
If you prefer to use your own user and group, you can do so using
```nix
{
services.nordvpn.user = "SOME-USER";
services.nordvpn.group = "SOME-GROUP";
}
```
NordVPN provides several useful CLI commands, including:
```bash
nordvpn login # Log in using an OAuth URL
nordvpn login --token <token> # Log in with a token obtained from your NordVPN account
nordvpn c # Connect to the VPN
nordvpn c ie # Connect to a NordVPN server in Ireland
nordvpn d # Disconnect from the VPN
nordvpn set technology openvpn # Switch to OpenVPN technology
nordvpn c # Reconnect after changing technology
```
Additionally, if you prefer to use the friendly GUI,
```bash
nordvpn-gui
```
**Disclaimer:** NixOS currently does not support meshnet.
Contributions welcome!

View File

@@ -1,171 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.nordvpn;
defaultUser = "nordvpn";
defaultGroup = "nordvpn";
nordvpn =
let
cli = cfg.package.cli.overrideAttrs (old: {
preBuild =
let
extraPreBuild = lib.optionalString (cfg.group != defaultGroup) ''
substituteInPlace internal/permissions.go \
--replace-fail \
'string{"nordvpn"}' \
'string{"${cfg.group}"}'
substituteInPlace internal/constants.go \
--replace-fail \
'NordvpnGroup = "nordvpn"' \
'NordvpnGroup = "${cfg.group}"'
'';
in
extraPreBuild + (old.preBuild or "");
# postFixup wraps nordvpnd so that it can find binaries that it calls.
# here, instead, use systemd to update the path to those binaries.
postFixup = "";
});
in
pkgs.symlinkJoin {
inherit (cfg.package) pname version meta;
paths = [
cli
cfg.package.gui
];
};
in
{
options.services.nordvpn = {
enable = lib.mkEnableOption "Enable NordVPN";
package = lib.mkPackageOption pkgs "nordvpn" { };
user = lib.mkOption {
type = lib.types.str;
default = defaultUser;
description = ''
The User that owns the `nordvpnd` systemd process.
If overriding the default, a user with the same name must exist.
'';
};
group = lib.mkOption {
type = lib.types.str;
default = defaultGroup;
description = ''
The Group that owns the `nordvpnd` systemd process.
If overriding the default, a group with the same name must exist.
'';
};
};
config = lib.mkIf cfg.enable {
# create the default user if that's the one used
users.users = lib.mkIf (cfg.user == defaultUser) {
${defaultUser} = {
description = "User that runs `nordvpnd`.";
group = cfg.group;
isSystemUser = true;
};
};
# create the default group if that's the one used
users.groups = lib.mkIf (cfg.group == defaultGroup) {
${defaultGroup} = { };
};
# nordvpnd uses resolved to configure dns
services.resolved.enable = true;
# policy that allows nordvpnd to configure dns
security.polkit = {
enable = true;
extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.resolve1.set-dns-servers"
&& subject.isInGroup("${cfg.group}")) {
return polkit.Result.YES;
}
});
'';
};
environment.systemPackages = [
nordvpn
];
systemd.services.nordvpnd = {
after = [ "network-online.target" ];
description = "NordVPN daemon.";
path = (
with pkgs;
[
e2fsprogs
iproute2
libxslt
nftables
procps
wireguard-tools
]
++ [ nordvpn ]
);
serviceConfig = {
# nordvpnd needs CAP_NET_ADMIN to configure network interfaces
AmbientCapabilities = "CAP_NET_ADMIN";
CapabilityBoundingSet = "CAP_NET_ADMIN";
ExecStart = lib.getExe' nordvpn "nordvpnd";
Group = cfg.group;
KillMode = "process";
NonBlocking = true;
Requires = "nordvpnd.socket";
Restart = "on-failure";
RestartSec = 5;
RuntimeDirectory = "nordvpn";
RuntimeDirectoryMode = "0750";
StateDirectory = "nordvpn";
StateDirectoryMode = "0750";
User = cfg.user;
};
wantedBy = [ "default.target" ];
wants = [ "network-online.target" ];
};
systemd.sockets.nordvpnd = {
description = "NordVPN Daemon Socket";
listenStreams = [ "/run/nordvpn/nordvpnd.sock" ];
partOf = [ "nordvpnd.service" ];
socketConfig = {
DirectoryMode = "0750";
NoDelay = true;
SocketGroup = cfg.group;
SocketMode = "0770";
SocketUser = cfg.user;
};
wantedBy = [ "sockets.target" ];
};
systemd.user.services.norduserd = {
after = [ "network-online.target" ];
description = "NordUserD Service";
serviceConfig = {
ExecStart = lib.getExe' nordvpn "norduserd";
NonBlocking = true;
Restart = "on-failure";
RestartSec = 5;
};
wantedBy = [ "graphical-session.target" ];
wants = [ "network-online.target" ];
};
};
meta = {
doc = ./nordvpn.md;
maintainers = with lib.maintainers; [ different-error ];
};
}

View File

@@ -232,10 +232,6 @@ in
"openssh"
"banner"
] "Use services.openssh.settings.Banner instead.")
(lib.mkRenamedOptionModule
[ "services" "openssh" "moduliFile" ]
[ "services" "openssh" "settings" "ModuliFile" ]
)
];
###### interface
@@ -733,14 +729,6 @@ in
'';
example = "/etc/ssh/banner";
};
ModuliFile = lib.mkOption {
type = lib.types.path;
default = "${config.services.openssh.package}/etc/ssh/moduli";
defaultText = lib.literalExpression ''"''${config.services.openssh.package}/etc/ssh/moduli"'';
description = ''
Specifies the {manpage}`moduli(5)` file to use for Diffie-Hellman key exchange.
'';
};
};
}
);
@@ -752,6 +740,16 @@ in
description = "Verbatim contents of {file}`sshd_config`.";
};
moduliFile = lib.mkOption {
example = "/etc/my-local-ssh-moduli;";
type = lib.types.path;
description = ''
Path to `moduli` file to install in
`/etc/ssh/moduli`. If this option is unset, then
the `moduli` file shipped with OpenSSH will be used.
'';
};
};
users.users = lib.mkOption {
@@ -772,12 +770,14 @@ in
};
users.groups.sshd = { };
services.openssh.moduliFile = lib.mkDefault "${cfg.package}/etc/ssh/moduli";
services.openssh.sftpServerExecutable = lib.mkDefault "${cfg.package}/libexec/sftp-server";
environment.etc =
authKeysFiles
// authPrincipalsFiles
// {
"ssh/moduli".source = cfg.moduliFile;
"ssh/sshd_config".source = sshconf;
};

View File

@@ -65,7 +65,6 @@ in
DynamicUser = true;
StateDirectory = "technitium-dns-server";
LogsDirectory = "technitium";
Restart = "always";
RestartSec = 10;
@@ -103,8 +102,5 @@ in
};
};
meta.maintainers = with lib.maintainers; [
fabianrig
awildleon
];
meta.maintainers = with lib.maintainers; [ fabianrig ];
}

View File

@@ -96,13 +96,13 @@ with lib;
config = mkIf cfg.enable {
services.tor = mkIf cfg.tor {
enable = true;
controlPort = 9051;
settings = {
ControlPort = 9051;
CacheDirectoryGroupReadable = true;
CookieAuthentication = true;
CookieAuthFileGroupReadable = true;
};
extraConfig = ''
CacheDirectoryGroupReadable 1
CookieAuthentication 1
CookieAuthFileGroupReadable 1
'';
};
systemd.services.zeronet = {

View File

@@ -268,6 +268,15 @@ let
};
};
writeOidcJwksConfigFile =
oidcIssuerPrivateKeyFile:
pkgs.writeText "oidc-jwks.yaml" ''
identity_providers:
oidc:
jwks:
- key: {{ secret "${oidcIssuerPrivateKeyFile}" | mindent 10 "|" | msquote }}
'';
# Remove an attribute in a nested set
# https://discourse.nixos.org/t/modify-an-attrset-in-nix/29919/5
removeAttrByPath =
@@ -353,12 +362,7 @@ in
execCommand = "${instance.package}/bin/authelia";
configFile = format.generate "config.yml" cleanedSettings;
oidcJwksConfigFile = lib.optional (instance.secrets.oidcIssuerPrivateKeyFile != null) (
pkgs.writeText "oidc-jwks.yaml" ''
identity_providers:
oidc:
jwks:
- key: {{ mustEnv "CREDENTIALS_DIRECTORY" | printf "%s/oidcIssuerPrivateKeyFile" | secret | mindent 10 "|" | msquote }}
''
writeOidcJwksConfigFile instance.secrets.oidcIssuerPrivateKeyFile
);
configArg = "--config ${
builtins.concatStringsSep "," (
@@ -369,25 +373,21 @@ in
]
)
}";
# Mapping between the Authelia env variables and the secret keys defined in the module
envSecretsMap = {
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "jwtSecretFile";
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "storageEncryptionKeyFile";
AUTHELIA_SESSION_SECRET_FILE = "sessionSecretFile";
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "oidcHmacSecretFile";
};
nonNullEnvSecretsMap = lib.filterAttrs (_: v: instance.secrets.${v} != null) envSecretsMap;
in
{
description = "Authelia authentication and authorization server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ]; # Checks SMTP notifier creds during startup
wants = [ "network-online.target" ];
environment = {
X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";
}
// lib.mapAttrs (_: v: "%d/${v}") nonNullEnvSecretsMap
// instance.environmentVariables;
environment =
(lib.filterAttrs (_: v: v != null) {
X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = instance.secrets.jwtSecretFile;
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = instance.secrets.storageEncryptionKeyFile;
AUTHELIA_SESSION_SECRET_FILE = instance.secrets.sessionSecretFile;
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = instance.secrets.oidcHmacSecretFile;
})
// instance.environmentVariables;
preStart = "${execCommand} ${configArg} validate-config";
serviceConfig = {
@@ -399,12 +399,6 @@ in
StateDirectory = autheliaName instance.name;
StateDirectoryMode = "0700";
LoadCredential =
lib.optional (
instance.secrets.oidcIssuerPrivateKeyFile != null
) "oidcIssuerPrivateKeyFile:${instance.secrets.oidcIssuerPrivateKeyFile}"
++ lib.mapAttrsToList (_: v: "${v}:${instance.secrets.${v}}") nonNullEnvSecretsMap;
# Security options:
AmbientCapabilities = "";
CapabilityBoundingSet = "";

View File

@@ -86,7 +86,7 @@ in
The primary motivation for this is an immutable `/etc`, where we cannot
write the files directly to `/etc`.
However this can also serve other use cases, e.g. when `/etc` is on a `tmpfs`.
However this an also serve other use cases, e.g. when `/etc` is on a `tmpfs`.
'';
};

View File

@@ -149,6 +149,13 @@ in
protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
# Limits for file handle resources, this is optimized for
# an `ulimit` of 1024 (a common default). You MUST leave
# a ceiling of handles reserved for rTorrent's internal needs!
network.http.max_open.set = 50
network.max_open_files.set = 600
network.max_open_sockets.set = 3000
# Memory resource usage (increase if you have a large number of items loaded,
# and/or the available resources to spend)
pieces.memory.max.set = 1800M
@@ -162,14 +169,15 @@ in
execute.nothrow = sh, -c, (cat, "echo >", (session.path), "rtorrent.pid", " ", (system.pid))
# Other operational settings (check & adapt)
encoding.add = utf8
system.umask.set = 0027
system.cwd.set = (cfg.basedir)
network.http.dns_cache_timeout.set = 25
schedule = monitor_diskspace, 15, 60, ((close_low_diskspace, 1000M))
schedule2 = monitor_diskspace, 15, 60, ((close_low_diskspace, 1000M))
# Watch directories (add more as you like, but use unique schedule names)
#schedule = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "start/*.torrent")))
#schedule = watch_load, 11, 10, ((load.normal, (cat, (cfg.watch), "load/*.torrent")))
#schedule2 = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "start/*.torrent")))
#schedule2 = watch_load, 11, 10, ((load.normal, (cat, (cfg.watch), "load/*.torrent")))
# Logging:
# Levels = critical error warn notice info debug
@@ -210,10 +218,6 @@ in
RuntimeDirectory = "rtorrent";
RuntimeDirectoryMode = 750;
# rtorrent derives socket limits from this value since 0.16.15; see table in
# https://github.com/rakshasa/rtorrent/wiki/Socket-Manager-and-Resource-Allocation
LimitNOFILE = lib.mkDefault 16384;
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;

View File

@@ -169,25 +169,11 @@ in
enable = true;
virtualHosts."${cfg.virtualHost.domain}".extraConfig = ''
root * ${cfg.package}
encode zstd gzip
@immutable path /resources/*
header @immutable Cache-Control "public, max-age=31536000, immutable"
@html not path /resources/*
header @html Cache-Control "no-store"
header {
-ETag
-Last-Modified
}
file_server
handle_path /assets/config.yml {
root * ${configFile}
file_server
}
file_server
'';
};
};

View File

@@ -37,8 +37,6 @@ in
See [Isso Server Configuration](https://posativ.org/isso/docs/configuration/server/)
for supported values.
You can set secrets using the secretFile option with environment variables following
[the documentation](https://isso-comments.de/docs/reference/server-config/#environment-variables).
'';
type = types.submodule {
@@ -53,16 +51,6 @@ in
}
'';
};
secretFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
A file containing secrets as environment variables that will be used in the configuration.
See [the documentation](https://isso-comments.de/docs/reference/server-config/#environment-variables) for details.
'';
example = "/run/secrets/isso.env";
};
};
};
@@ -77,8 +65,6 @@ in
User = "isso";
Group = "isso";
EnvironmentFile = mkIf (cfg.secretFile != null) [ cfg.secretFile ];
DynamicUser = true;
StateDirectory = "isso";

View File

@@ -50,6 +50,7 @@ let
environment = pythonEnvironment;
serviceConfig = {
RuntimeDirectory = "lasuite-meet";
StateDirectory = "lasuite-meet";
WorkingDirectory = "/var/lib/lasuite-meet";
@@ -381,8 +382,6 @@ in
'';
serviceConfig = {
# needs to be here so that cronjobs don't nuke it
RuntimeDirectory = "lasuite-meet";
BindReadOnlyPaths = "${cfg.package}/share/static:/var/lib/lasuite-meet/static";
ExecStart = utils.escapeSystemdExecArgs (

View File

@@ -1617,7 +1617,8 @@ in
MemoryDenyWriteExecute =
!(
(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules)
|| (lib.getName cfg.package == "openresty")
|| cfg.lua.enable
|| (cfg.package == pkgs.openresty)
);
RestrictRealtime = true;
RestrictSUIDSGID = true;

View File

@@ -1,151 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.rustfs;
in
{
meta.maintainers = with lib.maintainers; [
marcel
];
options.services.rustfs = {
enable = lib.mkEnableOption "RustFS Object Storage Server";
package = lib.mkPackageOption pkgs "rustfs" { };
user = lib.mkOption {
type = lib.types.str;
default = "rustfs";
description = "The user RustFS should run as.";
};
group = lib.mkOption {
type = lib.types.str;
default = "rustfs";
description = "The group RustFS should run as.";
};
settings = lib.mkOption {
default = { };
description = ''
Options for RustFS configuration. Refer to
<https://docs.rustfs.com/installation/linux/single-node-single-disk.html#_5-configure-environment-variables>
for details on supported values.
'';
example = lib.literalExpression ''
{
RUSTFS_CONSOLE_ENABLE = "true";
RUSTFS_VOLUMES = "/mnt/rustfs";
}
'';
type = lib.types.submodule {
freeformType = lib.types.attrsOf (
lib.types.oneOf [
lib.types.str
lib.types.int
]
);
options = {
RUSTFS_VOLUMES = lib.mkOption {
type = lib.types.path;
default = "/var/lib/rustfs";
description = "The directory where RustFS stores it's data.";
};
};
};
};
environmentFile = lib.mkOption {
type = lib.types.str;
description = "Path to environment file containing secrets like RUSTFS_ACCESS_KEY or RUSTFS_SECRET_KEY.";
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = !(cfg.settings ? RUSTFS_ACCESS_KEY);
message = "RUSTFS_ACCESS_KEY must not be set in services.rustfs.settings. Use environmentFile instead.";
}
{
assertion = !(cfg.settings ? RUSTFS_SECRET_KEY);
message = "RUSTFS_SECRET_KEY must not be set in services.rustfs.settings. Use environmentFile instead.";
}
];
systemd = {
tmpfiles.settings."10-rustfs".${cfg.settings.RUSTFS_VOLUMES}.d = {
inherit (cfg) user group;
};
# https://docs.rustfs.com/installation/linux/single-node-single-disk.html#_6-configure-system-service
services.rustfs = {
description = "RustFS Object Storage Server";
documentation = [ "https://rustfs.com/docs/" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment = cfg.settings;
preStart = ''
if [ -z "$RUSTFS_ACCESS_KEY" ] || [ -z "$RUSTFS_SECRET_KEY" ]; then
echo "RustFS uses well-known default values for RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY,"
echo "please configure them using services.rustfs.environmentFile."
exit 1
fi
'';
serviceConfig = {
Type = "notify";
NotifyAccess = "main";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = cfg.environmentFile;
ExecStart = lib.getExe cfg.package;
LimitNOFILE = 1048576;
LimitNPROC = 32768;
TasksMax = "infinity";
Restart = "always";
RestartSec = "10s";
OOMScoreAdjust = "-1000";
SendSIGKILL = false;
TimeoutStartSec = "30s";
TimeoutStopSec = "30s";
NoNewPrivileges = true;
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
};
};
};
users = {
users.${cfg.user} = {
isSystemUser = true;
inherit (cfg) group;
};
groups.${cfg.group} = { };
};
};
}

View File

@@ -141,10 +141,6 @@ in
services.libinput.enable = mkDefault true;
security.pam.services.mate-screensaver.unixAuth = true;
security.polkit = {
enable = true;
enablePkexecWrapper = mkDefault true;
};
xdg.portal.configPackages = mkDefault [ pkgs.mate-desktop ];

View File

@@ -347,7 +347,7 @@ def config_entry(levels: int, bootspec: BootSpec, label: str, time: str) -> str:
os.path.basename(bootspec.toplevel) + "-secrets"
)
if subprocess.run([bootspec.initrdSecrets, initrd_secrets_path_temp]).returncode != 0:
if os.system(bootspec.initrdSecrets + " " + initrd_secrets_path_temp) != 0:
print(
f'warning: failed to create initrd secrets for "{label}"',
file=sys.stderr,

View File

@@ -68,7 +68,7 @@ let
configFile = pkgs.writeText "plymouthd.conf" ''
[Daemon]
ShowDelay=${toString cfg.showDelay}
ShowDelay=0
DeviceTimeout=8
Theme=${cfg.theme}
${cfg.extraConfig}
@@ -166,15 +166,6 @@ in
'';
};
showDelay = mkOption {
type = types.numbers.nonnegative;
default = 0;
example = 0.5;
description = ''
Time (in seconds) to delay the splash screen.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";

View File

@@ -396,7 +396,7 @@ in
abi <abi/4.0>,
include <tunables/global>
include if exists "/var/lib/incus/security/apparmor/profiles"
include "/var/lib/incus/security/apparmor/profiles"
'';
};
includes."abstractions/base" = ''

View File

@@ -201,7 +201,7 @@ rec {
(onFullSupported "nixos.tests.printing-socket")
(onFullSupported "nixos.tests.proxy")
(onFullSupported "nixos.tests.sddm.default")
(onFullSupported "nixos.tests.shadow.login")
(onFullSupported "nixos.tests.shadow")
(onFullSupported "nixos.tests.simple-container")
(onFullSupported "nixos.tests.simple-vm")
(onFullSupported "nixos.tests.sway")

View File

@@ -63,7 +63,7 @@ let
- `config.node.pkgs.<name>` or `config.nodes.foo.nixpkgs.pkgs.<name>` to refer
to the Nixpkgs used on the VM guest(s).
- `hostPkgs.<name>` when invoking commands on the VM host (e.g. in Python
`subprocess.run(["foo"])`)
`os.system("foo")`)
- Since the runTest argument is a module instead of a function, arguments
must be passed as option definitions.
You may declare explicit `options` for the test parameter(s), or use the
@@ -1205,7 +1205,6 @@ in
nominatim = runTest ./nominatim.nix;
non-default-filesystems = handleTest ./non-default-filesystems.nix { };
non-switchable-system = runTest ./non-switchable-system.nix;
nordvpn = runTest ./nordvpn.nix;
noto-fonts = runTest ./noto-fonts.nix;
noto-fonts-cjk-qt-default-weight = runTest ./noto-fonts-cjk-qt-default-weight.nix;
novacomd = handleTestOn [ "x86_64-linux" ] ./novacomd.nix { };
@@ -1512,7 +1511,6 @@ in
rtkit = runTest ./rtkit.nix;
rtorrent = runTest ./rtorrent.nix;
rush = runTest ./rush.nix;
rustfs = runTest ./rustfs.nix;
rustical = runTest ./web-apps/rustical.nix;
rustls-libssl = runTest ./rustls-libssl.nix;
rxe = runTest ./rxe.nix;
@@ -1540,7 +1538,7 @@ in
sftpgo = runTest ./sftpgo.nix;
sfxr-qt = runTest ./sfxr-qt.nix;
sgt-puzzles = runTest ./sgt-puzzles.nix;
shadow = import ./shadow { inherit runTest; };
shadow = runTest ./shadow.nix;
shadowsocks = handleTest ./shadowsocks { };
shadps4 = runTest ./shadps4.nix;
sharkey = runTest ./web-apps/sharkey.nix;
@@ -1586,8 +1584,6 @@ in
sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix { };
sssd-legacy-config = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-legacy-config.nix { };
stalwart = runTest ./stalwart/stalwart.nix;
stardust-xr-atmosphere = runTest ./stardust-xr/atmosphere.nix;
stardust-xr-flatland = runTest ./stardust-xr/flatland.nix;
stargazer = runTest ./web-servers/stargazer.nix;
starship = runTest ./starship.nix;
startx = import ./startx.nix { inherit pkgs runTest; };
@@ -1687,7 +1683,6 @@ in
systemd-journal = runTest ./systemd-journal.nix;
systemd-journal-gateway = runTest ./systemd-journal-gateway.nix;
systemd-journal-upload = runTest ./systemd-journal-upload.nix;
systemd-localed = runTest ./systemd-localed.nix;
systemd-lock-handler = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./systemd-lock-handler.nix;
systemd-machinectl = runTest ./systemd-machinectl.nix;
systemd-misc = runTest ./systemd-misc.nix;
@@ -1846,7 +1841,6 @@ in
};
virtualbox = handleTestOn [ "x86_64-linux" ] ./virtualbox.nix { };
vm-variant = handleTest ./vm-variant.nix { };
vnstat = runTest ./vnstat.nix;
vscode-remote-ssh = handleTestOn [ "x86_64-linux" ] ./vscode-remote-ssh.nix { };
vscodium = import ./vscodium.nix { inherit runTest; };
vsftpd = runTest ./vsftpd.nix;
@@ -1857,7 +1851,6 @@ in
wasabibackend = runTest ./wasabibackend.nix;
wastebin = runTest ./wastebin.nix;
watchdogd = runTest ./watchdogd.nix;
watt = runTest ./watt.nix;
webhook = runTest ./webhook.nix;
weblate = runTest ./web-apps/weblate.nix;
wg-access-server = runTest ./wg-access-server.nix;

View File

@@ -28,10 +28,12 @@
# This is purely for testing purposes!
environment.etc."authelia/storageEncryptionKeyFile" = {
mode = "0400";
user = "authelia-testing";
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
};
environment.etc."authelia/jwtSecretFile" = {
mode = "0400";
user = "authelia-testing";
text = "a_very_important_secret";
};
environment.etc."authelia/users_database.yml" = {

View File

@@ -14,7 +14,7 @@
]
++ teams.ngi.members;
containers.machine = {
nodes.machine = {
environment.systemPackages = with pkgs; [
blint
jq

View File

@@ -2,7 +2,7 @@
{
name = "PDS";
containers.machine = {
nodes.machine = {
services.bluesky-pds = {
enable = true;
settings = {

View File

@@ -203,26 +203,11 @@ in
makeTest {
name = "boot-uboot-extlinux";
nodes = { };
testScript = /* py */ ''
import subprocess
testScript = ''
import os
# Create a mutable linked image backed by the read-only SD image
if (
subprocess.run(
[
"${pkgs.qemu}/bin/qemu-img",
"create",
"-f",
"qcow2",
"-F",
"raw",
"-b",
"${sdImage}",
"${mutableImage}",
]
).returncode
!= 0
):
if os.system("${pkgs.qemu}/bin/qemu-img create -f qcow2 -F raw -b ${sdImage} ${mutableImage}") != 0:
raise RuntimeError("Could not create mutable linked image")
machine = create_machine("${startCommand}")

View File

@@ -1,39 +0,0 @@
{
lib,
pkgs,
config,
...
}:
{
imports = [
./user-account.nix
./x11.nix
];
test-support.displayManager.auto.user = "alice";
systemd.user.targets.xdg-desktop-autostart = {
wantedBy = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
};
hardware.graphics.enable = true;
services.monado = {
enable = true;
defaultRuntime = true;
forceDefaultRuntime = true;
};
systemd.user.services.monado = {
requires = [ "graphical-session.target" ];
environment = {
# Stop Monado from probing for any hardware
SIMULATED_ENABLE = "1";
SIMULATED_LEFT = "simple";
SIMULATED_RIGHT = "simple";
# Run as X11 client rather than using direct mode
XRT_COMPOSITOR_FORCE_XCB = "1";
# And run fullscreen so that we can hide the DE
XRT_COMPOSITOR_XCB_FULLSCREEN = "1";
};
};
}

View File

@@ -135,17 +135,7 @@ in
public_key = os.path.join(key_dir, "id_ed25519.pub")
# Generate key pair using host SSH tools
ret = subprocess.run(
[
"${hostPkgs.openssh}/bin/ssh-keygen",
"-t",
"ed25519",
"-f",
private_key,
"-N",
""
]
).returncode
ret = os.system(f"${hostPkgs.openssh}/bin/ssh-keygen -t ed25519 -f {private_key} -N \"\"")
if ret != 0:
raise Exception("Failed to generate SSH key pair")

View File

@@ -54,13 +54,13 @@
};
testScript = ''
import subprocess
import os
# prepare certificates
def cmd(command):
print(f"+{command}")
r = subprocess.run(command, shell=True).returncode
r = os.system(command)
if r != 0:
raise Exception(f"Command {command} failed with exit code {r}")

View File

@@ -48,13 +48,13 @@
};
testScript = ''
import subprocess
import os
# prepare certificates
def cmd(command):
print(f"+{command}")
r = subprocess.run(command, shell=True).returncode
r = os.system(command)
if r != 0:
raise Exception(f"Command {command} failed with exit code {r}")

View File

@@ -69,12 +69,12 @@
};
};
testScript = ''
import subprocess
import os
# Helpers
def cmd(command):
print(f"+{command}")
r = subprocess.run(command, shell=True).returncode
r = os.system(command)
if r != 0:
raise Exception(f"Command {command} failed with exit code {r}")

View File

@@ -38,7 +38,6 @@ let
enable = true;
settings = {
hostname = certs.domain;
metrics-enabled = true;
};
inherit initialAdminPassword;
sslCertificate = "${certs.${certs.domain}.cert}";
@@ -51,6 +50,7 @@ let
};
plugins = with config.services.keycloak.package.plugins; [
keycloak-discord
keycloak-metrics-spi
];
};
environment.systemPackages = with pkgs; [
@@ -131,7 +131,13 @@ let
| jq -r '"Authorization: bearer " + .access_token' >admin_auth_header
""")
keycloak.succeed("curl -sSf https://${certs.domain}:9000/metrics | grep '^jvm_'")
# Register the metrics SPI
keycloak.succeed(
"""${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""",
"""KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """,
"""KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""",
"""curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"""
)
# Publish the realm, including a test OIDC client and user
keycloak.succeed(

View File

@@ -20,66 +20,61 @@ in
};
networking.firewall.allowedTCPPorts = [ 6167 ];
};
client =
{ pkgs, ... }:
{
environment.systemPackages = [
(pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.mautrix ]; } ''
(pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; } ''
import asyncio
from mautrix.client import Client
from mautrix.types import EventType, RoomFilter
import nio
async def main() -> None:
# Connect to continuwuity
client = Client(
mxid="@${user}:${name}",
base_url="http://continuwuity:6167",
)
client = nio.AsyncClient("http://continuwuity:6167", "${user}")
# Log in as user alice
await client.login(password="${pass}")
response = await client.login("${pass}")
# Create a new room
room_id = await client.create_room()
print("Created room:", room_id)
response = await client.room_create(federate=False)
print("Matrix room create response:", response)
assert isinstance(response, nio.RoomCreateResponse)
room_id = response.room_id
# Join the room
await client.join_room_by_id(room_id)
print("Joined room")
response = await client.join(room_id)
print("Matrix join response:", response)
assert isinstance(response, nio.JoinResponse)
# Send a message to the room
received = asyncio.Event()
msg = "Hello continuwuity!"
response = await client.room_send(
room_id=room_id,
message_type="m.room.message",
content={
"msgtype": "m.text",
"body": "Hello continuwuity!"
}
)
print("Matrix room send response:", response)
assert isinstance(response, nio.RoomSendResponse)
async def on_message(evt):
if (
evt.room_id != room_id
or evt.sender != client.mxid
or evt.type != EventType.ROOM_MESSAGE
):
return
# Sync responses
response = await client.sync(timeout=30000)
print("Matrix sync response:", response)
assert isinstance(response, nio.SyncResponse)
assert evt.content.body == msg
received.set()
client.add_event_handler(EventType.ROOM_MESSAGE, on_message)
sync_task = client.start(RoomFilter(rooms=[room_id]))
await client.send_text(room_id, msg)
# Sync until message is received
await asyncio.wait_for(received.wait(), timeout=30)
# Check the message was received by continuwuity
last_message = response.rooms.join[room_id].timeline.events[-1].body
assert last_message == "Hello continuwuity!"
# Leave the room
await client.leave_room(room_id)
print("Left room")
response = await client.room_leave(room_id)
print("Matrix room leave response:", response)
assert isinstance(response, nio.RoomLeaveResponse)
# Close the client
client.stop()
await sync_task
await client.close()
if __name__ == "__main__":
@@ -101,7 +96,6 @@ in
'';
meta.maintainers = with lib.maintainers; [
bartoostveen
nyabinary
snaki
];

View File

@@ -189,26 +189,11 @@ in
{ nodes, ... }:
let
bundle = mkBundle masDomain;
extraConfig = pkgs.writeText "masExtraConfig.yml" (
builtins.toJSON {
secrets = {
encryption_file = "/var/lib/matrix-authentication-service/encryption";
keys = [
{
kid = "rsa-4096";
key_file = "/var/lib/matrix-authentication-service/key_rsa_4096";
}
];
};
}
);
in
{
services.matrix-authentication-service = {
enable = true;
createDatabase = true;
extraConfigFiles = [ (toString extraConfig) ];
settings = {
http = {
public_base = "https://${masDomain}:8080/";
@@ -238,7 +223,15 @@ in
secret_file = "/var/lib/matrix-authentication-service/matrix_secret";
};
database.uri = "postgresql:///matrix-authentication-service?host=/run/postgresql&user=matrix-authentication-service";
# secrets is defined in extraConfigFiles
secrets = {
encryption_file = "/var/lib/matrix-authentication-service/encryption";
keys = [
{
kid = "rsa-4096";
key_file = "/var/lib/matrix-authentication-service/key_rsa_4096";
}
];
};
policy.data.client_registration.allow_insecure_uris = true;
upstream_oauth2.providers = [
{

View File

@@ -1,7 +1,7 @@
{ pkgs, lib, ... }:
let
chipVersion = pkgs.python3Packages.home-assistant-chip-core.version;
chipVersion = pkgs.python311Packages.home-assistant-chip-core.version;
in
{

View File

@@ -3,57 +3,47 @@
name = "monado";
nodes.machine =
{
lib,
pkgs,
config,
...
}:
{ pkgs, ... }:
{
imports = [ ./common/openxr.nix ];
systemd.user.services.print-openxr-info = {
wantedBy = [ "xdg-desktop-autostart.target" ];
requires = [ "monado.service" ];
script = lib.getExe' pkgs.openxr-loader "openxr_runtime_list";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
hardware.graphics.enable = true;
users.users.alice = {
isNormalUser = true;
uid = 1000;
};
systemd.user.services.xrgears = {
wantedBy = [ "xdg-desktop-autostart.target" ];
requires = [ "monado.service" ];
script = lib.getExe pkgs.xrgears;
services.monado = {
enable = true;
defaultRuntime = true;
forceDefaultRuntime = true;
};
# Stop Monado from probing for any hardware
systemd.user.services.monado.environment.SIMULATED_ENABLE = "1";
environment.systemPackages = with pkgs; [ openxr-loader ];
};
testScript =
{ nodes, ... }:
let
userId = toString nodes.machine.users.users.alice.uid;
runtimePath = "/run/user/${userId}";
in
''
with subtest("Ensure X11 starts"):
start_all()
machine.succeed("loginctl enable-linger alice")
machine.wait_for_x()
# for defaultRuntime
machine.succeed("stat /etc/xdg/openxr/1/active_runtime.json")
with subtest("Ensure default runtime present"):
machine.succeed("stat /etc/xdg/openxr/1/active_runtime.json")
machine.succeed("loginctl enable-linger alice")
machine.wait_for_unit("user@${userId}.service")
with subtest("Ensure forced runtime present"):
# Monado needs to be started to create the forced runtime file
machine.systemctl("start monado.service", "alice")
machine.wait_for_unit("monado.service", "alice")
machine.succeed("stat /home/alice/.config/openxr/1/active_runtime.json")
machine.wait_for_unit("monado.socket", "alice")
machine.systemctl("start monado.service", "alice")
machine.wait_for_unit("monado.service", "alice")
with subtest("Ensure openxr_runtime_list can find runtime"):
machine.wait_for_unit("print-openxr-info.service", "alice")
# for forceDefaultRuntime
machine.succeed("stat /home/alice/.config/openxr/1/active_runtime.json")
with subtest("Ensure xrgears launches"):
machine.wait_for_unit("xrgears.service", "alice")
# TODO: 10 seconds should be long enough for anything, but this is theoretically flaky
machine.sleep(10)
machine.screenshot("screen")
machine.succeed("su -- alice -c env XDG_RUNTIME_DIR=${runtimePath} openxr_runtime_list")
'';
}

View File

@@ -1,129 +0,0 @@
{ lib, ... }:
{
name = "nordvpn";
meta.maintainers = with lib.maintainers; [ different-error ];
nodes =
let
commonConfig = user: {
# norduserd reads DBUS_SESSION_BUS_ADDRESS which the
# desktopManager sets on user session creation (i.e. login)
services.xserver.enable = true;
services.desktopManager.plasma6.enable = true;
services.displayManager.gdm.enable = true;
services.displayManager.autoLogin = {
enable = true;
user = user;
};
};
in
{
nada = { ... }: { };
basic =
{ ... }:
lib.recursiveUpdate {
users.users.alice = {
extraGroups = [ "nordvpn" ];
isNormalUser = true;
};
# default: run nordvpnd as nordvpn:nordvpn
services.nordvpn.enable = true;
} (commonConfig "alice");
userOnly =
{ ... }:
lib.recursiveUpdate {
users.users.kanye = {
extraGroups = [ "nordvpn" ];
isNormalUser = true;
};
# run nordvpnd as kanye:nordvpn
services.nordvpn = {
enable = true;
user = "kanye";
};
} (commonConfig "kanye");
groupOnly =
{ ... }:
lib.recursiveUpdate {
users.users.alice = {
extraGroups = [ "kanye" ];
isNormalUser = true;
};
users.groups.kanye = { };
# run nordvpnd as nordvpn:kanye
services.nordvpn = {
enable = true;
group = "kanye";
};
} (commonConfig "alice");
userAndGroup =
{ ... }:
lib.recursiveUpdate {
users.users.kanye = {
group = "kanye";
isNormalUser = true;
};
users.groups.kanye = { };
# run nordvpnd as kanye:kanye
services.nordvpn = {
enable = true;
group = "kanye";
user = "kanye";
};
} (commonConfig "kanye");
};
testScript = ''
class UserGroupTestCase:
def __init__(self, machine, user, has_nordvpn_usr, has_nordvpn_gp):
self.machine = machine
self.user = user
self.has_nordvpn_usr = has_nordvpn_usr
self.has_nordvpn_gp = has_nordvpn_gp
def run(self):
self.machine.start()
self.verify_nordvpn_user()
self.verify_nordvpn_group()
self.verify_services()
self.machine.shutdown()
def verify_nordvpn_user(self):
if self.has_nordvpn_usr:
self.machine.succeed("id nordvpn")
else:
self.machine.fail("id nordvpn")
def verify_nordvpn_group(self):
group_str = self.machine.succeed(f"sudo -u {self.user} groups")
groups = [x.strip() for x in group_str.split(" ")]
if self.has_nordvpn_gp:
assert "nordvpn" in groups, f"nordvpn is not in {groups} but should be"
else:
assert "nordvpn" not in groups, f"nordvpn is in {groups} but should not be"
def verify_services(self):
self.machine.wait_for_unit("nordvpnd", timeout=60)
self.machine.wait_for_unit("norduserd", self.user, timeout=90)
# verify can talk to nordvpnd. give nordvpnd at most 5s to initialize.
self.machine.wait_until_succeeds("nordvpn status", timeout=5)
self.machine.succeed("nordvpn status")
test_cases = [
UserGroupTestCase(basic, "alice", has_nordvpn_usr=True, has_nordvpn_gp=True),
UserGroupTestCase(userOnly, "kanye", has_nordvpn_usr=False, has_nordvpn_gp=True),
UserGroupTestCase(groupOnly, "alice", has_nordvpn_usr=True, has_nordvpn_gp=False),
UserGroupTestCase(userAndGroup, "kanye", has_nordvpn_usr=False, has_nordvpn_gp=False),
]
# NADA
nada.start()
nada.wait_for_unit("multi-user.target", timeout=60)
nada.fail("nordvpnd")
nada.fail("nordvpn")
nada.fail("norduserd")
nada.shutdown()
for test_case in test_cases:
test_case.run()
'';
}

View File

@@ -1,69 +0,0 @@
{ pkgs, ... }:
let
accessKey = "BKIKJAA5BMMU2RHO6IBB";
secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
rustfsPythonScript =
pkgs.writers.writePython3 "rustfs-test" { libraries = with pkgs.python3Packages; [ minio ]; }
/* python */ ''
import io
import os
from minio import Minio
minioClient = Minio(
'localhost:9000',
access_key='${accessKey}',
secret_key='${secretKey}',
secure=False
)
sio = io.BytesIO()
sio.write(b'Test from Python')
sio.seek(0, os.SEEK_END)
sio_len = sio.tell()
sio.seek(0)
minioClient.put_object(
'test-bucket',
'test.txt',
sio,
sio_len,
content_type='text/plain'
)
'';
in
{
name = "rustfs";
meta = with pkgs.lib.maintainers; {
maintainers = [
marcel
];
};
containers.machine =
{ pkgs, ... }:
{
services.rustfs = {
enable = true;
environmentFile = builtins.toString (
pkgs.writeText "rustfs-secrets.env" ''
RUSTFS_ACCESS_KEY=${accessKey}
RUSTFS_SECRET_KEY=${secretKey}
''
);
};
environment.systemPackages = with pkgs; [ minio-client ];
};
testScript = /* python */ ''
machine.wait_for_unit("rustfs.service")
machine.succeed("mc alias set rustfs http://localhost:9000 ${accessKey} ${secretKey} --api s3v4")
machine.succeed("mc mb rustfs/test-bucket")
machine.succeed("${rustfsPythonScript}")
assert "test-bucket" in machine.succeed("mc ls rustfs")
assert "Test from Python" in machine.succeed("mc cat rustfs/test-bucket/test.txt")
machine.succeed("mc rb --force rustfs/test-bucket")
'';
}

View File

@@ -1,5 +0,0 @@
{ runTest }:
{
login = runTest ./login.nix;
system = runTest ./system.nix;
}

View File

@@ -1,147 +0,0 @@
{ pkgs, ... }:
let
# Create a Python environment for the controller with all necessary test framework dependencies
controllerPython = pkgs.python3.withPackages (ps: [
ps.flaky
ps.jc
ps.pytest
ps.pytest-mh
ps.pytest-ticket
]);
shadowHostName = "shadowhost";
in
{
name = "shadow-system-tests";
meta.maintainers = with pkgs.lib.maintainers; [ joaosreis ];
nodes = {
# The target host: runs sshd, has shadow and other test dependencies installed, mutable users, and some specific settings to match the expectations of the test suite
shadowhost =
{ pkgs, ... }:
{
networking.hostName = shadowHostName;
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
PasswordAuthentication = false;
};
};
users.mutableUsers = true;
environment.systemPackages = with pkgs; [
shadow
expect
];
users.defaultUserShell = "/bin/sh";
security.loginDefs.settings = {
PASS_MAX_DAYS = 99999;
PASS_MIN_DAYS = 0;
PASS_WARN_AGE = 7;
USERGROUPS_ENAB = "yes";
CREATE_HOME = "yes";
UID_MIN = 1001;
GID_MIN = 1001;
};
security.pam.services = {
newusers.text = ''
auth required pam_permit.so
account required pam_permit.so
password required pam_permit.so
session required pam_permit.so
'';
};
services.envfs.enable = true;
};
# The controller: runs pytest-mh against the shadow host
controller =
{ pkgs, ... }:
{
environment.systemPackages = [
controllerPython
pkgs.openssh
];
};
};
testScript = ''
import textwrap
start_all()
# ------------------------------------------------------------------
# 1. Generate an SSH keypair on the controller and authorise it
# on the shadow host
# ------------------------------------------------------------------
controller.succeed("mkdir -p /root/.ssh && chmod 700 /root/.ssh")
controller.succeed(
"ssh-keygen -t ed25519 -N \'\' -f /root/.ssh/id_ed25519 2>&1"
)
pub_key = controller.succeed("cat /root/.ssh/id_ed25519.pub").strip()
# Inject the generated public key into the shadow host at runtime
shadowhost.succeed("mkdir -p /root/.ssh && chmod 700 /root/.ssh")
shadowhost.succeed(
f"echo '{pub_key}' >> /root/.ssh/authorized_keys && "
"chmod 600 /root/.ssh/authorized_keys"
)
# ------------------------------------------------------------------
# 2. Make sure the shadow host has a writable /etc/login.defs,
# since the test framework expects to be able to write to it.
# ------------------------------------------------------------------
shadowhost.succeed(
"cp --remove-destination $(readlink -f /etc/login.defs) /etc/login.defs && "
"chmod 644 /etc/login.defs"
)
# ------------------------------------------------------------------
# 3. Copy the upstream test suite onto the controller
# ------------------------------------------------------------------
controller.succeed(
"cp -r ${pkgs.shadow.passthru.testFramework} /root/shadow-tests && "
"chmod -R u+w /root/shadow-tests"
)
# ------------------------------------------------------------------
# 4. Write the mhc.yaml topology config
# This tells pytest-mh where the shadow host is and which role
# it plays. The hostname must match the NixOS node name.
# ------------------------------------------------------------------
controller.succeed(textwrap.dedent("""
cat > /root/shadow-tests/mhc.yaml << 'EOF'
domains:
- id: shadow
hosts:
- hostname: ${shadowHostName}
role: shadow
ssh:
user: root
private_key: /root/.ssh/id_ed25519
EOF
"""))
# ------------------------------------------------------------------
# 5. Run the upstream pytest-mh test suite from the controller
# ------------------------------------------------------------------
shadowhost.wait_for_unit("sshd.service")
# gpasswd tests are disabled, since they rely on specific behavior of the gpasswd command that is not applicable to NixOS
controller.succeed(
"cd /root/shadow-tests && "
"${controllerPython}/bin/pytest "
"--mh-config=mhc.yaml "
"--deselect=tests/test_gpasswd.py "
"-v tests/"
)
'';
}

View File

@@ -17,7 +17,10 @@
machine.succeed("curl --fail http://localhost:8111")
'';
meta.maintainers = with lib.maintainers; [ nanoyaki ];
meta.maintainers = with lib.maintainers; [
diniamo
nanoyaki
];
}
);

Some files were not shown because too many files have changed in this diff Show More