mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-18 14:41:18 +00:00
Compare commits
1 Commits
master
...
dependabot
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
3a670fbf75 |
2
.github/workflows/backport.yml
vendored
2
.github/workflows/backport.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
||||
permission-pull-requests: write
|
||||
permission-workflows: write
|
||||
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
|
||||
2
.github/workflows/bot.yml
vendored
2
.github/workflows/bot.yml
vendored
@@ -46,7 +46,7 @@ jobs:
|
||||
# https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
|
||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
2
.github/workflows/build.yml
vendored
2
.github/workflows/build.yml
vendored
@@ -49,7 +49,7 @@ jobs:
|
||||
runs-on: ${{ matrix.runner }}
|
||||
timeout-minutes: 60
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
|
||||
6
.github/workflows/check.yml
vendored
6
.github/workflows/check.yml
vendored
@@ -43,7 +43,7 @@ jobs:
|
||||
runs-on: ubuntu-slim
|
||||
timeout-minutes: 3
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
path: trusted
|
||||
@@ -95,7 +95,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 8
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
path: trusted
|
||||
@@ -137,7 +137,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
|
||||
2
.github/workflows/comment.yml
vendored
2
.github/workflows/comment.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
||||
timeout-minutes: 2
|
||||
if: contains(github.event.comment.body, '@NixOS/nixpkgs-merge-bot merge')
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
10
.github/workflows/eval.yml
vendored
10
.github/workflows/eval.yml
vendored
@@ -50,7 +50,7 @@ jobs:
|
||||
ciPinBumpCommit: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommit }}
|
||||
ciPinBumpCommitShort: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommitShort }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
path: trusted
|
||||
@@ -58,7 +58,7 @@ jobs:
|
||||
ci/supportedVersions.nix
|
||||
|
||||
- name: Check out the PR at the test merge commit
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
ref: ${{ inputs.mergedSha }}
|
||||
@@ -174,7 +174,7 @@ jobs:
|
||||
sudo mkswap /swap
|
||||
sudo swapon /swap
|
||||
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -259,7 +259,7 @@ jobs:
|
||||
statuses: write # creating 'Eval Summary' commit statuses
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -476,7 +476,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
|
||||
8
.github/workflows/lint.yml
vendored
8
.github/workflows/lint.yml
vendored
@@ -26,7 +26,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -61,7 +61,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -90,7 +90,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -134,7 +134,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 8
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: true # Needed to run git fetch for large PRs.
|
||||
path: trusted
|
||||
|
||||
2
.github/workflows/merge-group.yml
vendored
2
.github/workflows/merge-group.yml
vendored
@@ -25,7 +25,7 @@ jobs:
|
||||
targetSha: ${{ steps.prepare.outputs.targetSha }}
|
||||
systems: ${{ steps.prepare.outputs.systems }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
2
.github/workflows/periodic-merge.yml
vendored
2
.github/workflows/periodic-merge.yml
vendored
@@ -34,7 +34,7 @@ jobs:
|
||||
permission-contents: write
|
||||
permission-pull-requests: write
|
||||
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
|
||||
2
.github/workflows/pull-request-target.yml
vendored
2
.github/workflows/pull-request-target.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
||||
systems: ${{ steps.prepare.outputs.systems }}
|
||||
touched: ${{ steps.prepare.outputs.touched }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout-cone-mode: true # default, for clarity
|
||||
|
||||
2
.github/workflows/review.yml
vendored
2
.github/workflows/review.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
||||
runs-on: ubuntu-slim
|
||||
timeout-minutes: 2
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
2
.github/workflows/teams.yml
vendored
2
.github/workflows/teams.yml
vendored
@@ -30,7 +30,7 @@ jobs:
|
||||
permission-pull-requests: write
|
||||
|
||||
- name: Fetch source
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
2
.github/workflows/test.yml
vendored
2
.github/workflows/test.yml
vendored
@@ -19,7 +19,7 @@ jobs:
|
||||
push: ${{ steps.files.outputs.push }}
|
||||
targetSha: ${{ steps.prepare.outputs.targetSha }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout-cone-mode: true # default, for clarity
|
||||
|
||||
@@ -41,7 +41,7 @@
|
||||
/lib/meta.nix @alyssais @NixOS/stdenv @llakala
|
||||
/lib/meta-types.nix @infinisil @adisbladis @NixOS/stdenv @llakala
|
||||
/lib/source-types.nix @alyssais @NixOS/stdenv @llakala
|
||||
/lib/systems @alyssais @NixOS/stdenv
|
||||
/lib/systems @alyssais @NixOS/stdenv @llakala
|
||||
## Libraries / Module system
|
||||
/lib/modules.nix @infinisil @roberth @hsjobeki @llakala
|
||||
/lib/types.nix @infinisil @roberth @hsjobeki @llakala
|
||||
@@ -260,7 +260,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
|
||||
/pkgs/applications/editors/jetbrains @leona-ya @theCapypara
|
||||
|
||||
# Licenses
|
||||
/lib/licenses @alyssais @emilazy @jopejoe1
|
||||
/lib/licenses @alyssais @emilazy @jopejoe1 @llakala
|
||||
|
||||
# Qt
|
||||
/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000
|
||||
|
||||
@@ -395,13 +395,6 @@ module.exports = async ({ github, context, core, dry }) => {
|
||||
pull_number,
|
||||
per_page: 100,
|
||||
})
|
||||
|
||||
// label llm-assisted PRs accordingly
|
||||
const assistedByPattern = /Assisted-by: (?!nix-init)/i
|
||||
evalLabels['llm-assisted'] = prCommits.some((c) =>
|
||||
assistedByPattern.test(c.commit.message),
|
||||
)
|
||||
|
||||
const commitSubjects = prCommits.map(
|
||||
(c) => c.commit.message.split('\n')[0],
|
||||
)
|
||||
|
||||
@@ -143,4 +143,3 @@ lib.extendMkDerivation {
|
||||
});
|
||||
}
|
||||
```
|
||||
:::
|
||||
|
||||
@@ -165,7 +165,7 @@ They are useful for creating files from Nix expressions, and are all implemented
|
||||
Each of these functions will cause a derivation to be produced.
|
||||
When you coerce the result of each of these functions to a string with [string interpolation](https://nixos.org/manual/nix/stable/language/string-interpolation) or [`toString`](https://nixos.org/manual/nix/stable/language/builtins#builtins-toString), it will evaluate to the [store path](https://nixos.org/manual/nix/stable/store/store-path) of this derivation.
|
||||
|
||||
::: {.note}
|
||||
:::: {.note}
|
||||
Some of these functions will put the resulting files within a directory inside the [derivation output](https://nixos.org/manual/nix/stable/language/derivations#attr-outputs).
|
||||
If you need to refer to the resulting files somewhere else in a Nix expression, append their path to the derivation's store path.
|
||||
|
||||
@@ -190,7 +190,7 @@ writeShellScript "evaluate-my-file.sh" ''
|
||||
cat ${my-file}/share/my-file
|
||||
''
|
||||
```
|
||||
:::
|
||||
::::
|
||||
|
||||
### `makeDesktopItem` {#trivial-builder-makeDesktopItem}
|
||||
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
<div class="manual-header">
|
||||
<nav class="manual-header--tabs">
|
||||
<a class="manual-header--tab manual-header--tab-active" href="#">Nixpkgs</a>
|
||||
<a class="manual-header--tab" href="https://nixos.org/manual/nixos/stable/">NixOS</a>
|
||||
</nav>
|
||||
<span class="manual-header--title">Nixpkgs Manual</span>
|
||||
</div>
|
||||
@@ -119,8 +119,6 @@ stdenvNoCC.mkDerivation (
|
||||
--script ./anchor-use.js \
|
||||
--sidebar-depth 3 \
|
||||
--nav ./nav.json \
|
||||
--header ${./header.html}\
|
||||
--no-navheader \
|
||||
manual.md \
|
||||
out/index.html
|
||||
|
||||
|
||||
@@ -59,7 +59,7 @@ The recommended way of defining a derivation for a Rocq library, is to use the `
|
||||
* `releaseRev` (optional, defaults to `(v: v)`), provides a default mapping from release names to revision hashes/branch names/tags,
|
||||
* `releaseArtifact` (optional, defaults to `(v: null)`), provides a default mapping from release names to artifact names (only works for github artifact for now),
|
||||
* `displayVersion` (optional), provides a way to alter the computation of `name` from `pname`, by explaining how to display version numbers,
|
||||
* `namePrefix` (optional, defaults to `[ "rocq" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
|
||||
* `namePrefix` (optional, defaults to `[ "rocq-core" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
|
||||
* `nativeBuildInputs` (optional), is a list of executables that are required to build the current derivation, in addition to the default ones (namely `which`, `dune` and `ocaml` depending on whether `useDune`, `useDuneifVersion` and `mlPlugin` are set).
|
||||
* `extraNativeBuildInputs` (optional, deprecated), an additional list of derivation to add to `nativeBuildInputs`,
|
||||
* `overrideNativeBuildInputs` (optional) replaces the default list of derivation to which `nativeBuildInputs` and `extraNativeBuildInputs` adds extra elements,
|
||||
@@ -74,8 +74,6 @@ The recommended way of defining a derivation for a Rocq library, is to use the `
|
||||
* `enableParallelBuilding` (optional, defaults to `true`), since it is activated by default, we provide a way to disable it.
|
||||
* `extraInstallFlags` (optional), allows to extend `installFlags` which initializes the variables `COQLIBINSTALL` and `COQPLUGININSTALL` so as to install in the proper subdirectory. Indeed Rocq libraries should be installed in `$(out)/lib/coq/${rocq-core.rocq-version}/user-contrib/`. Such directories are automatically added to the `$ROCQPATH` environment variable by the hook defined in the Rocq derivation.
|
||||
* `setROCQBIN` (optional, defaults to `true`), by default, the environment variable `$ROCQBIN` is set to the current Rocq's binary, but one can disable this behavior by setting it to `false`,
|
||||
* `useCoq` (optional, defaults to `false`), adds the Coq compatibility binaries to the build environment, which is necessary for some packages that still depend on them and sets `COQBIN` to the path of the `coqc` binary (if `setROCQBIN` is also set to `true`). A wrapper `mkCoqDerivation` is provided that sets this option to `true`.
|
||||
* `useCoqifVersion` (optional, defaults to `(x: false)`), adds the Coq compatibility binaries to the build environment if the provided predicate evaluates to true on the version. This can be useful for supporting old package versions that need the Coq compatibility binaries, while newer versions do not.
|
||||
* `useMelquiondRemake` (optional, default to `null`) is an attribute set, which, if given, overloads the `preConfigurePhases`, `configureFlags`, `buildPhase`, and `installPhase` attributes of the derivation for a specific use in libraries using `remake` as set up by Guillaume Melquiond for `flocq`, `gappalib`, `interval`, and `coquelicot` (see the corresponding derivation for concrete examples of use of this option). For backward compatibility, the attribute `useMelquiondRemake.logpath` must be set to the logical root of the library (otherwise, one can pass `useMelquiondRemake = {}` to activate this without backward compatibility).
|
||||
* `dropAttrs`, `keepAttrs`, `dropDerivationAttrs` are all optional and allow to tune which attribute is added or removed from the final call to `mkDerivation`.
|
||||
|
||||
|
||||
@@ -44,17 +44,11 @@
|
||||
|
||||
- `libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
|
||||
|
||||
- `mcphost` has been removed, as it was archived upstream and declared unmaintained.
|
||||
|
||||
- `fflogs` has been removed because it was no longer functional. Users should switch to `archon-lite`.
|
||||
|
||||
- `services.mysql` now sets `root@localhost` authentication to `auth_socket` when used with `mysql` or `percona-server`.
|
||||
Existing deployments will also be adjusted if possible. See the [security advisory GHSA-6qxx-6rg8-c4p8](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-6qxx-6rg8-c4p8) for more information.
|
||||
|
||||
- `zerofs` has been updated from `1.x` to `2.x` which is a breaking change. Volumes created by earlier releases are refused at open with a clear error. There is no migration tool; older volumes remain readable and writable by the release that created them.
|
||||
|
||||
- `keycloak.plugins.keycloak-metrics-spi` has been removed. Keycloak exposes Prometheus metrics natively on its management interface; enable them with the `metrics-enabled` setting (and `event-metrics-user-enabled` for login and event counters). See [Gaining insights with metrics](https://www.keycloak.org/observability/configuration-metrics).
|
||||
|
||||
- `alps` has been rewritten upstream, see [upstream repository](https://github.com/migadu/alps) for documentation.
|
||||
|
||||
- `uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
|
||||
@@ -96,8 +90,6 @@
|
||||
|
||||
- `texlive.combine` is deprecated and scheduled for removal in 27.05. Please migrate to `texliveSmall.withPackages` (see [](#sec-language-texlive-user-guide)).
|
||||
|
||||
- `keycloak` was updated to >= 26.7.0 and includes some breaking internal (API) changes. See the [upstream migration guide](https://www.keycloak.org/docs/latest/upgrading/#migrating-to-26-7-0) for more information.
|
||||
|
||||
- `librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
|
||||
|
||||
- `pnpm_10` was upgraded to version 10.34.1+, which introduced stricter integrity checks. If you encounter `ERR_PNPM_MISSING_TARBALL_INTEGRITY`, you can fall back to the older `pnpm_10_34_0`.
|
||||
@@ -114,7 +106,6 @@
|
||||
- Starting with v14, `flameshot` will primarily utilise xdg-desktop-portal calls for screenshotting. This will directly affect users on X11 window managers due to the lack of a compatible portal with Screenshot feature. See [upstream changelog](https://github.com/flameshot-org/flameshot/releases/tag/v14.0.0) or [NixOS Flameshot](https://wiki.nixos.org/wiki/Flameshot) wiki page for workarounds.
|
||||
- `nim1` and respective aliases have been removed due to entering EOL; please migrate to `nim` or `nim-unwrapped` (nim 2).
|
||||
- `nim-2_0` & `nim-2_2` and respective aliases have been removed; please migrate to `nim` or `nim-unwrapped` (nim 2.2.10).
|
||||
- `domoticz` has been updated from `2024.7` to `2026.x`, breaking third party applications and scripts using the old RType calls. Review the [release notes](https://github.com/domoticz/domoticz/blob/2026.2/History.txt#L398) for more information.
|
||||
|
||||
- `vimacs` has been removed, as it has not been maintained in 10 years and was built for an old version of vim (6.0).
|
||||
|
||||
@@ -146,15 +137,15 @@
|
||||
|
||||
### Breaking changes {#sec-nixpkgs-release-26.11-lib-breaking}
|
||||
|
||||
- `fittrackee` 1.0.0 now requires postgres with postgis. The [upgrade guide](https://docs.fittrackee.org/en/upgrading-to-1.0.0.html) has steps to prepare for this upgrade.
|
||||
- Create the first release note entry in this section!
|
||||
|
||||
|
||||
### Deprecations {#sec-nixpkgs-release-26.11-lib-deprecations}
|
||||
|
||||
- Setting `config.allowBrokenPredicate` is deprecated in favor of
|
||||
using `config.problems.handlers.PackageName.broken = "warn"` (or `=
|
||||
"ignore"`). For more information see [](#sec-allow-broken).
|
||||
- Create the first release note entry in this section!
|
||||
|
||||
|
||||
### Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements}
|
||||
|
||||
- Create the first release note entry in this section!
|
||||
|
||||
|
||||
142
doc/style.css
142
doc/style.css
@@ -23,14 +23,14 @@ body {
|
||||
@media screen and (min-width: 992px) {
|
||||
.book,
|
||||
.appendix {
|
||||
max-width: 55rem;
|
||||
max-width: 60rem;
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (min-width: 1200px) {
|
||||
.book,
|
||||
.appendix {
|
||||
max-width: 55rem;
|
||||
max-width: 73rem;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -156,7 +156,8 @@ body {
|
||||
}
|
||||
|
||||
a {
|
||||
text-decoration: underline;
|
||||
text-decoration: none;
|
||||
border-bottom: 1px solid;
|
||||
color: var(--link-color);
|
||||
}
|
||||
|
||||
@@ -397,7 +398,6 @@ div.appendix .variablelist .term {
|
||||
|
||||
:root {
|
||||
--sidebar-width: 20rem;
|
||||
--header-height: 3rem;
|
||||
--background: #fff;
|
||||
--main-text-color: #000;
|
||||
--link-color: #405d99;
|
||||
@@ -479,8 +479,6 @@ div.appendix .variablelist .term {
|
||||
nav.toc-sidebar {
|
||||
height: 100%;
|
||||
padding: 0 1rem 2rem;
|
||||
background-color: var(--background);
|
||||
color: var(--main-text-color);
|
||||
}
|
||||
|
||||
/* menu button, shown on mobile, hidden on desktop */
|
||||
@@ -522,59 +520,6 @@ nav.toc-sidebar li {
|
||||
|
||||
nav.toc-sidebar summary {
|
||||
cursor: pointer;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
list-style: none;
|
||||
}
|
||||
|
||||
nav.toc-sidebar summary::before {
|
||||
content: "▸";
|
||||
flex: none;
|
||||
font-size: 0.75em;
|
||||
}
|
||||
nav.toc-sidebar details[open] > summary::before {
|
||||
content: "▾";
|
||||
}
|
||||
|
||||
nav.toc-sidebar a {
|
||||
display: block;
|
||||
width: 100%;
|
||||
padding: 3px 8px;
|
||||
border-left: 3px solid transparent;
|
||||
border-radius: 3px;
|
||||
color: inherit;
|
||||
transition:
|
||||
background-color 120ms ease,
|
||||
border-color 120ms ease;
|
||||
}
|
||||
nav.toc-sidebar a:hover {
|
||||
background-color: #f2f2f2 !important;
|
||||
}
|
||||
|
||||
nav.toc-sidebar a.active {
|
||||
background-color: #d8d8d8;
|
||||
border-left-color: #444;
|
||||
font-weight: 600;
|
||||
}
|
||||
nav.toc-sidebar a.active-trail {
|
||||
border-left-color: #bbb;
|
||||
background-color: #e8e8e8;
|
||||
}
|
||||
|
||||
@media (prefers-color-scheme: dark) {
|
||||
nav.toc-sidebar a:hover {
|
||||
/* hover should win over scroll selectors despite beeing less specific */
|
||||
background-color: #606060 !important;
|
||||
}
|
||||
nav.toc-sidebar a.active {
|
||||
background-color: #373737;
|
||||
border-left-color: #eee;
|
||||
font-weight: 600;
|
||||
}
|
||||
nav.toc-sidebar a.active-trail {
|
||||
border-left-color: #eee;
|
||||
background-color: #323232;
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (min-width: 768px) {
|
||||
@@ -583,7 +528,7 @@ nav.toc-sidebar a.active-trail {
|
||||
min-height: 0;
|
||||
display: grid;
|
||||
grid-template-columns: minmax(0, 1fr);
|
||||
grid-template-rows: var(--header-height) auto minmax(0, 1fr);
|
||||
grid-template-rows: auto minmax(0, 1fr);
|
||||
}
|
||||
|
||||
body:has(> nav.toc-sidebar) {
|
||||
@@ -592,7 +537,7 @@ nav.toc-sidebar a.active-trail {
|
||||
|
||||
.navheader {
|
||||
grid-column: 1 / -1;
|
||||
grid-row: 2;
|
||||
grid-row: 1;
|
||||
}
|
||||
|
||||
nav.toc-sidebar {
|
||||
@@ -603,10 +548,11 @@ nav.toc-sidebar a.active-trail {
|
||||
/* */
|
||||
margin: 0;
|
||||
grid-column: 1;
|
||||
grid-row: 3;
|
||||
grid-row: 2;
|
||||
max-height: none;
|
||||
overflow-y: auto;
|
||||
border: none;
|
||||
border-right: 0.0625rem solid #d8d8d8;
|
||||
}
|
||||
|
||||
/* Hide the toggle button on desktop */
|
||||
@@ -616,7 +562,7 @@ nav.toc-sidebar a.active-trail {
|
||||
|
||||
main.content {
|
||||
grid-column: 1 / -1;
|
||||
grid-row: 3;
|
||||
grid-row: 2;
|
||||
overflow-y: auto;
|
||||
padding: 0 1rem;
|
||||
}
|
||||
@@ -625,73 +571,3 @@ nav.toc-sidebar a.active-trail {
|
||||
grid-column: 2;
|
||||
}
|
||||
}
|
||||
|
||||
.manual-header {
|
||||
background-color: var(--background);
|
||||
border-bottom: 0.0625rem solid #d8d8d8;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
}
|
||||
|
||||
.manual-header--title {
|
||||
order: -1;
|
||||
padding: 0.5rem 1rem 0;
|
||||
font-size: 0.875rem;
|
||||
font-weight: 500;
|
||||
color: var(--small-heading-color);
|
||||
text-align: center;
|
||||
}
|
||||
|
||||
.manual-header--tabs {
|
||||
display: flex;
|
||||
align-items: stretch;
|
||||
justify-content: space-around;
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
}
|
||||
|
||||
.manual-header--tab {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
padding: 0 1rem;
|
||||
font-size: 0.875rem;
|
||||
font-weight: 500;
|
||||
color: var(--main-text-color);
|
||||
text-decoration: none;
|
||||
border-bottom: 0.1875rem solid transparent;
|
||||
border-top: 0.1875rem solid transparent;
|
||||
transition: border-bottom-color 0.15s ease;
|
||||
}
|
||||
|
||||
.manual-header--tab:hover {
|
||||
border-bottom-color: var(--heading-color);
|
||||
color: var(--main-text-color);
|
||||
}
|
||||
|
||||
.manual-header--tab-active {
|
||||
border-bottom-color: var(--heading-color);
|
||||
color: var(--heading-color);
|
||||
font-weight: 700;
|
||||
}
|
||||
|
||||
@media screen and (min-width: 768px) {
|
||||
.manual-header {
|
||||
height: var(--header-height);
|
||||
flex-direction: row;
|
||||
align-items: stretch;
|
||||
grid-column: 1 / -1;
|
||||
grid-row: 1;
|
||||
}
|
||||
|
||||
.manual-header--title {
|
||||
order: 0;
|
||||
margin-left: auto;
|
||||
padding: 0 1rem;
|
||||
align-self: center;
|
||||
}
|
||||
|
||||
.manual-header--tabs {
|
||||
justify-content: flex-start;
|
||||
padding: 0 1rem;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
# Platform Support {#chap-platform-support}
|
||||
|
||||
Packages receive varying degrees of support, both in terms of maintainer and security team attention and available computation resources for continuous integration (CI). We have 7 defined tiers denoting how well supported each platform is.
|
||||
Packages receive varying degrees of support, both in terms of maintainer attention and available computation resources for continuous integration (CI). We have 7 defined tiers denoting how well supported each platform is.
|
||||
|
||||
## Tiers {#sec-platform-tiers}
|
||||
|
||||
### Tier 1 {#sec-platform-tier1}
|
||||
|
||||
[Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) platforms receive the highest level of support where problems can block updates, security fixes are treated with urgency, platform-specific patches are freely applied, and most packages are expected to work.
|
||||
[Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) platforms receive the highest level of support where problems can block updates, platform-specific patches are freely applied, and most packages are expected to work.
|
||||
|
||||
### Tier 2 {#sec-platform-tier2}
|
||||
|
||||
[Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) platforms are expected to remain functional and secure with updates, receive platform-specific patches as needed, and have many packages built by Hydra with full ofBorg support.
|
||||
[Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) platforms are expected to remain functional with updates, receive platform-specific patches as needed, and have many packages built by Hydra with full ofBorg support.
|
||||
|
||||
### Tier 3 {#sec-platform-tier3}
|
||||
|
||||
@@ -22,25 +22,25 @@ Platform Tiers [4 through 7](https://github.com/NixOS/rfcs/blob/master/rfcs/0046
|
||||
|
||||
## Breakdown {#sec-platform-breakdown}
|
||||
|
||||
| Triple | Support Tier | Channel Blockers | Hydra Support | Security Support | Ofborg Support | Bootstrap Tarballs | Cross Compiling Support |
|
||||
|---------------------------------------|------------------------------------------------------------------------------------------------|------------------|---------------|------------------|----------------|--------------------|-------------------------|
|
||||
| `x86_64-unknown-linux-gnu` | [Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) | Many | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-gnu` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-unknown-freebsd` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `arm64-apple-darwin` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
|
||||
| `i686-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `riscv32-unknown-linux-gnu` | [Tier 4](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-4) | None | ❌ | ❌ | ❌ | ❌ | ✔️ |
|
||||
| `riscv64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `loongarch64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-musleabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv7l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv5tel-unknown-linux-gnueabi` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabi64` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabin32` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mipsel-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64-unknown-linux-gnuabielfv2` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64le-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `s390x-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| Triple | Support Tier | Channel Blockers | Hydra Support | Ofborg Support | Bootstrap Tarballs | Cross Compiling Support |
|
||||
| ------------------------------------- | ------------ | ---------------- | ------------- | -------------- | ------------------ | ----------------------- |
|
||||
| `x86_64-unknown-linux-gnu` | [Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) | Many | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-gnu` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-unknown-freebsd` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `arm64-apple-darwin` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ❌ |
|
||||
| `i686-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
|
||||
| `riscv32-unknown-linux-gnu` | [Tier 4](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-4) | None | ❌ | ❌ | ❌ | ✔️ |
|
||||
| `riscv64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `loongarch64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-musleabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv7l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv5tel-unknown-linux-gnueabi` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabi64` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabin32` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mipsel-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64-unknown-linux-gnuabielfv2` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64le-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `s390x-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
|
||||
@@ -1140,7 +1140,7 @@ rec {
|
||||
|
||||
For a function that gives you control over what counts as a leaf, see `mapAttrsRecursiveCond`.
|
||||
|
||||
::: {.example #map-attrs-recursive-example}
|
||||
:::{#map-attrs-recursive-example .example}
|
||||
# Map over leaf attributes
|
||||
|
||||
```nix
|
||||
@@ -1165,7 +1165,7 @@ rec {
|
||||
If the predicate returns false, `mapAttrsRecursiveCond` does not recurse, but instead applies the mapping function.
|
||||
If the predicate returns true, it does recurse, and does not apply the mapping function.
|
||||
|
||||
::: {.example #map-attrs-recursive-cond-example}
|
||||
:::{#map-attrs-recursive-cond-example .example}
|
||||
# Map over an leaf attributes defined by a condition
|
||||
|
||||
Map derivations to their `name` attribute.
|
||||
|
||||
@@ -564,7 +564,7 @@ rec {
|
||||
|
||||
# Examples
|
||||
|
||||
:::{.example #ex-makeScope}
|
||||
:::{#ex-makeScope .example}
|
||||
# Create an interdependent package set on top of `pkgs`
|
||||
|
||||
The functions in `foo.nix` and `bar.nix` can depend on each other, in the sense that `foo.nix` can contain a function that expects `bar` as an attribute in its argument.
|
||||
@@ -593,7 +593,7 @@ rec {
|
||||
```
|
||||
:::
|
||||
|
||||
:::{.example #ex-makeScope-callPackage}
|
||||
:::{#ex-makeScope-callPackage .example}
|
||||
# Using `callPackage` from a scope
|
||||
|
||||
```nix
|
||||
|
||||
@@ -310,11 +310,6 @@ lib.mapAttrs mkLicense (
|
||||
redistributable = true;
|
||||
};
|
||||
|
||||
buddy = {
|
||||
spdxId = "Buddy";
|
||||
fullName = "Buddy License";
|
||||
};
|
||||
|
||||
bzip2 = {
|
||||
spdxId = "bzip2-1.0.6";
|
||||
fullName = "bzip2 and libbzip2 License v1.0.6";
|
||||
@@ -387,13 +382,6 @@ lib.mapAttrs mkLicense (
|
||||
free = false;
|
||||
};
|
||||
|
||||
cc-by-nc-30-igo = {
|
||||
# Currently does not have a spdxID will get one in the future https://github.com/spdx/license-list-XML/issues/2845
|
||||
# spdxId = "CC-BY-NC-3.0-IGO";
|
||||
fullName = "Creative Commons Attribution Non Commercial 3.0 IGO";
|
||||
free = false;
|
||||
};
|
||||
|
||||
cc-by-nc-40 = {
|
||||
spdxId = "CC-BY-NC-4.0";
|
||||
fullName = "Creative Commons Attribution Non Commercial 4.0 International";
|
||||
@@ -938,11 +926,6 @@ lib.mapAttrs mkLicense (
|
||||
free = false;
|
||||
};
|
||||
|
||||
jpl-image = {
|
||||
fullName = "JPL Image Use Policy";
|
||||
spdxId = "JPL-image";
|
||||
};
|
||||
|
||||
knuth = {
|
||||
fullName = "Knuth CTAN License";
|
||||
spdxId = "Knuth-CTAN";
|
||||
@@ -1190,11 +1173,6 @@ lib.mapAttrs mkLicense (
|
||||
fullName = "Nethack General Public License";
|
||||
};
|
||||
|
||||
ngrep = {
|
||||
spdxId = "ngrep";
|
||||
fullName = "ngrep License";
|
||||
};
|
||||
|
||||
nistSoftware = {
|
||||
spdxId = "NIST-Software";
|
||||
fullName = "NIST Software License";
|
||||
@@ -1628,11 +1606,6 @@ lib.mapAttrs mkLicense (
|
||||
url = "https://fedoraproject.org/wiki/Licensing:Wadalab?rd=Licensing/Wadalab";
|
||||
};
|
||||
|
||||
wordnet = {
|
||||
spdxId = "WordNet";
|
||||
fullName = "WordNet License";
|
||||
};
|
||||
|
||||
wtfpl = {
|
||||
spdxId = "WTFPL";
|
||||
fullName = "Do What The F*ck You Want To Public License";
|
||||
|
||||
@@ -90,12 +90,12 @@ rec {
|
||||
`defaultText`
|
||||
: Substitute for documenting the `default`, if evaluating the default value during documentation rendering is not possible.
|
||||
: Can be any nix value that evaluates.
|
||||
: Usage with `lib.literalMD`, `lib.literalExpression`, or `lib.literalCode` is supported
|
||||
: Usage with `lib.literalMD` or `lib.literalExpression` is supported
|
||||
|
||||
`example`
|
||||
: Optional example value used in the manual.
|
||||
: Can be any nix value that evaluates.
|
||||
: Usage with `lib.literalMD`, `lib.literalExpression`, or `lib.literalCode` is supported
|
||||
: Usage with `lib.literalMD` or `lib.literalExpression` is supported
|
||||
|
||||
`description`
|
||||
: Optional string describing the option. This is required if option documentation is generated.
|
||||
|
||||
@@ -151,7 +151,6 @@
|
||||
"samuela": 226872
|
||||
},
|
||||
"members": {
|
||||
"ethancedwards8": 60861925,
|
||||
"prusnak": 42201
|
||||
},
|
||||
"name": "cuda-maintainers"
|
||||
@@ -366,10 +365,10 @@
|
||||
"freedesktop": {
|
||||
"description": "Maintain Freedesktop.org packages for graphical desktop.",
|
||||
"id": 3806136,
|
||||
"maintainers": {
|
||||
"maintainers": {},
|
||||
"members": {
|
||||
"jtojnar": 705123
|
||||
},
|
||||
"members": {},
|
||||
"name": "Freedesktop"
|
||||
},
|
||||
"geospatial": {
|
||||
|
||||
@@ -1629,6 +1629,12 @@
|
||||
githubId = 382798;
|
||||
name = "amfl";
|
||||
};
|
||||
amiddelk = {
|
||||
email = "amiddelk@gmail.com";
|
||||
github = "amiddelk";
|
||||
githubId = 1358320;
|
||||
name = "Arie Middelkoop";
|
||||
};
|
||||
aminechikhaoui = {
|
||||
email = "amine.chikhaoui91@gmail.com";
|
||||
github = "AmineChikhaoui";
|
||||
@@ -1937,11 +1943,6 @@
|
||||
githubId = 143312793;
|
||||
name = "Annin";
|
||||
};
|
||||
anntnzrb = {
|
||||
github = "anntnzrb";
|
||||
githubId = 51257127;
|
||||
name = "anntnzrb";
|
||||
};
|
||||
anoa = {
|
||||
matrix = "@andrewm:amorgan.xyz";
|
||||
email = "andrew@amorgan.xyz";
|
||||
@@ -2001,12 +2002,6 @@
|
||||
githubId = 14838767;
|
||||
name = "Jacopo Scannella";
|
||||
};
|
||||
antoineco = {
|
||||
email = "hello@acotten.com";
|
||||
github = "antoineco";
|
||||
githubId = 3299086;
|
||||
name = "Antoine Cotten";
|
||||
};
|
||||
anton-4 = {
|
||||
name = "Anton";
|
||||
github = "Anton-4";
|
||||
@@ -4432,12 +4427,6 @@
|
||||
{ fingerprint = "8916 F727 734E 77AB 437F A33A 19AB 76F5 CEE1 1392"; }
|
||||
];
|
||||
};
|
||||
caguiclajmg = {
|
||||
email = "jmg.caguicla@guarandoo.me";
|
||||
github = "caguiclajmg";
|
||||
githubId = 32662060;
|
||||
name = "John Mark Gabriel Caguicla";
|
||||
};
|
||||
CaiqueFigueiredo = {
|
||||
email = "public@caiquefigueiredo.me";
|
||||
github = "caiquefigueiredo";
|
||||
@@ -4651,13 +4640,6 @@
|
||||
githubId = 53847249;
|
||||
name = "Casey Avila";
|
||||
};
|
||||
cassandracomar = {
|
||||
name = "Cassandra Comar";
|
||||
github = "cassandracomar";
|
||||
githubId = 320772;
|
||||
email = "cass@mountclare.net";
|
||||
keys = [ { fingerprint = "104E E74E 24A0 372B EAF5 5533 B019 18F7 7E04 AC99"; } ];
|
||||
};
|
||||
castorNova2 = {
|
||||
email = "solemnsquire@gmail.com";
|
||||
github = "castorNova2";
|
||||
@@ -5613,11 +5595,6 @@
|
||||
githubId = 5953003;
|
||||
name = "Connor Nelson";
|
||||
};
|
||||
conny = {
|
||||
github = "ConstantConstantin";
|
||||
githubId = 162139822;
|
||||
name = "Constantin-Paul Hertel";
|
||||
};
|
||||
conradmearns = {
|
||||
email = "conradmearns+github@pm.me";
|
||||
github = "ConradMearns";
|
||||
@@ -6263,12 +6240,6 @@
|
||||
github = "darkyzhou";
|
||||
githubId = 7220778;
|
||||
};
|
||||
darshancode2005 = {
|
||||
name = "Darshan Thakare";
|
||||
email = "darshanthakaregsoc2023@gmail.com";
|
||||
github = "DarshanCode2005";
|
||||
githubId = 143271270;
|
||||
};
|
||||
daru-san = {
|
||||
name = "Daru";
|
||||
email = "zadarumaka@proton.me";
|
||||
@@ -6808,13 +6779,6 @@
|
||||
githubId = 77843198;
|
||||
name = "Vasilis Manetas";
|
||||
};
|
||||
Deric-W = {
|
||||
email = "robo-eric@gmx.de";
|
||||
github = "Deric-W";
|
||||
githubId = 42873573;
|
||||
name = "Eric Wolf";
|
||||
keys = [ { fingerprint = "ADAA B6F3 A955 5589 D66C CE61 80D2 DA42 8A4A 537F"; } ];
|
||||
};
|
||||
DerickEddington = {
|
||||
email = "derick.eddington@pm.me";
|
||||
github = "DerickEddington";
|
||||
@@ -7072,6 +7036,12 @@
|
||||
github = "DimitarNestorov";
|
||||
githubId = 8790386;
|
||||
};
|
||||
diniamo = {
|
||||
name = "diniamo";
|
||||
email = "diniamo53@gmail.com";
|
||||
github = "diniamo";
|
||||
githubId = 55629891;
|
||||
};
|
||||
diogomdp = {
|
||||
email = "me@diogodp.dev";
|
||||
github = "diogomdp";
|
||||
@@ -8877,13 +8847,6 @@
|
||||
githubId = 345808;
|
||||
name = "Jakub Okoński";
|
||||
};
|
||||
FatBoyXPC = {
|
||||
name = "FatBoyXPC";
|
||||
email = "fatboyxpc@gmail.com";
|
||||
github = "FatBoyXPC";
|
||||
githubId = 744962;
|
||||
keys = [ { fingerprint = "0E08 1B81 CBCA 1CF7 9568 A13F C4ED 3CA2 3211 8969"; } ];
|
||||
};
|
||||
faukah = {
|
||||
github = "faukah";
|
||||
name = "faukah";
|
||||
@@ -9064,11 +9027,6 @@
|
||||
githubId = 5198058;
|
||||
name = "Udo Sauer";
|
||||
};
|
||||
fernvenue = {
|
||||
github = "fernvenue";
|
||||
githubId = 84565547;
|
||||
name = "fernvenue";
|
||||
};
|
||||
feyorsh = {
|
||||
email = "george@feyor.sh";
|
||||
github = "Feyorsh";
|
||||
@@ -9125,12 +9083,6 @@
|
||||
githubId = 41450706;
|
||||
name = "fin-w";
|
||||
};
|
||||
fiona = {
|
||||
email = "mail@fiona.hamburg";
|
||||
github = "Fiona42069";
|
||||
githubId = 260108682;
|
||||
name = "fiona";
|
||||
};
|
||||
fionera = {
|
||||
email = "nix@fionera.de";
|
||||
github = "fionera";
|
||||
@@ -10072,6 +10024,12 @@
|
||||
name = "Will Owens";
|
||||
keys = [ { fingerprint = "8E98 BB01 BFF8 AEA4 E303 FC4C 8074 09C9 2CE2 3033"; } ];
|
||||
};
|
||||
ghuntley = {
|
||||
email = "ghuntley@ghuntley.com";
|
||||
github = "ghuntley";
|
||||
githubId = 127353;
|
||||
name = "Geoffrey Huntley";
|
||||
};
|
||||
gibbert = {
|
||||
email = "gbjgms@gmail.com";
|
||||
github = "zgibberish";
|
||||
@@ -10434,12 +10392,6 @@
|
||||
githubId = 273582;
|
||||
name = "greg";
|
||||
};
|
||||
gregshuflin = {
|
||||
email = "greg@everdayimshuflin.com";
|
||||
github = "neunenak";
|
||||
githubId = 311545;
|
||||
name = "Greg Shuflin";
|
||||
};
|
||||
greizgh = {
|
||||
email = "greizgh@ephax.org";
|
||||
github = "greizgh";
|
||||
@@ -11499,11 +11451,6 @@
|
||||
githubId = 69209;
|
||||
name = "Ian Duncan";
|
||||
};
|
||||
IanHollow = {
|
||||
github = "IanHollow";
|
||||
githubId = 72767437;
|
||||
name = "Ian Holloway";
|
||||
};
|
||||
ianliu = {
|
||||
email = "ian.liu88@gmail.com";
|
||||
github = "ianliu";
|
||||
@@ -11914,6 +11861,12 @@
|
||||
name = "Silvan Mosberger";
|
||||
keys = [ { fingerprint = "6C2B 55D4 4E04 8266 6B7D DA1A 422E 9EDA E015 7170"; } ];
|
||||
};
|
||||
iniw = {
|
||||
email = "git@vini.cat";
|
||||
github = "iniw";
|
||||
githubId = 30220881;
|
||||
name = "Vinicius Deolindo";
|
||||
};
|
||||
insipx = {
|
||||
email = "github@andrewplaza.dev";
|
||||
github = "insipx";
|
||||
@@ -12798,12 +12751,6 @@
|
||||
githubId = 5741620;
|
||||
name = "Jeremy Schlatter";
|
||||
};
|
||||
jeremystucki = {
|
||||
email = "dev@jeremystucki.ch";
|
||||
github = "jeremystucki";
|
||||
githubId = 7629727;
|
||||
name = "Jeremy Stucki";
|
||||
};
|
||||
jerith666 = {
|
||||
email = "github@matt.mchenryfamily.org";
|
||||
github = "jerith666";
|
||||
@@ -14155,14 +14102,6 @@
|
||||
name = "Kenichi Kamiya";
|
||||
keys = [ { fingerprint = "9121 5D87 20CA B405 C63F 24D2 EF6E 574D 040A E2A5"; } ];
|
||||
};
|
||||
kacper-uminski = {
|
||||
name = "Kacper Uminski";
|
||||
email = "kacper+nixpkgs@lysator.liu.se";
|
||||
github = "kacper-uminski";
|
||||
githubId = 57466578;
|
||||
matrix = "@kacper.uminski:matrix.org";
|
||||
keys = [ { fingerprint = "3DF9 3DEB CAA9 81FA B3E2 A7F0 87DA 201D E02F 14B1"; } ];
|
||||
};
|
||||
kaction = {
|
||||
name = "Dmitry Bogatov";
|
||||
email = "KAction@disroot.org";
|
||||
@@ -14402,12 +14341,6 @@
|
||||
github = "keller00";
|
||||
githubId = 8452750;
|
||||
};
|
||||
kenis1108 = {
|
||||
email = "1836362346@qq.com";
|
||||
github = "kenis1108";
|
||||
githubId = 45393183;
|
||||
name = "kenis";
|
||||
};
|
||||
kenran = {
|
||||
email = "johannes.maier@mailbox.org";
|
||||
github = "kenranunderscore";
|
||||
@@ -16430,11 +16363,6 @@
|
||||
githubId = 83420438;
|
||||
name = "Lewis";
|
||||
};
|
||||
lubsch = {
|
||||
github = "lubsch";
|
||||
githubId = 33580245;
|
||||
name = "Benjamin Lohmar";
|
||||
};
|
||||
luc65r = {
|
||||
email = "lucas@ransan.fr";
|
||||
github = "luc65r";
|
||||
@@ -18886,12 +18814,6 @@
|
||||
githubId = 830082;
|
||||
name = "Nathan Moos";
|
||||
};
|
||||
mootfrost = {
|
||||
email = "hello@mootfrost.dev";
|
||||
github = "mootfrost";
|
||||
githubId = 75925945;
|
||||
name = "Andrew Semeykin";
|
||||
};
|
||||
moraxyc = {
|
||||
name = "Moraxyc Xu";
|
||||
email = "i@qaq.li";
|
||||
@@ -20387,12 +20309,6 @@
|
||||
githubId = 4242897;
|
||||
name = "Nikolai Mishin";
|
||||
};
|
||||
nmoya = {
|
||||
email = "nikolasmoya@gmail.com";
|
||||
github = "nmoya";
|
||||
githubId = 1767648;
|
||||
name = "Nikolas Moya";
|
||||
};
|
||||
noaccos = {
|
||||
name = "Francesco Noacco";
|
||||
email = "francesco.noacco2000@gmail.com";
|
||||
@@ -21230,6 +21146,12 @@
|
||||
githubId = 19862;
|
||||
name = "KJ Ørbekk";
|
||||
};
|
||||
orbitz = {
|
||||
email = "mmatalka@gmail.com";
|
||||
github = "orbitz";
|
||||
githubId = 75299;
|
||||
name = "Malcolm Matalka";
|
||||
};
|
||||
orhun = {
|
||||
email = "orhunparmaksiz@gmail.com";
|
||||
github = "orhun";
|
||||
@@ -24427,12 +24349,6 @@
|
||||
githubId = 20300874;
|
||||
name = "Mohammad Rafiq";
|
||||
};
|
||||
rsahwe = {
|
||||
email = "rsahwe@gmx.net";
|
||||
github = "rsahwe";
|
||||
githubId = 201613730;
|
||||
name = "rsahwe";
|
||||
};
|
||||
rseichter = {
|
||||
email = "nixos.org@seichter.de";
|
||||
github = "rseichter";
|
||||
@@ -25692,6 +25608,12 @@
|
||||
githubId = 106669955;
|
||||
name = "Léon Gessner";
|
||||
};
|
||||
shardy = {
|
||||
email = "shardul@baral.ca";
|
||||
github = "shardulbee";
|
||||
githubId = 16765155;
|
||||
name = "Shardul Baral";
|
||||
};
|
||||
sharpchen = {
|
||||
github = "sharpchen";
|
||||
githubId = 77432836;
|
||||
@@ -25991,12 +25913,6 @@
|
||||
name = "Nikolay Korotkiy";
|
||||
keys = [ { fingerprint = "ADF4 C13D 0E36 1240 BD01 9B51 D1DE 6D7F 6936 63A5"; } ];
|
||||
};
|
||||
silicalet = {
|
||||
name = "Mr. why";
|
||||
email = "silicalet@outlook.com";
|
||||
github = "silicalet";
|
||||
githubId = 188071249;
|
||||
};
|
||||
silky = {
|
||||
name = "Noon van der Silk";
|
||||
email = "noonsilk+nixpkgs@gmail.com";
|
||||
@@ -26467,14 +26383,6 @@
|
||||
githubId = 7116239;
|
||||
keys = [ { fingerprint = "E067 520F 5EF2 C175 3F60 50C0 BA46 725F 6A26 7442"; } ];
|
||||
};
|
||||
Soliprem = {
|
||||
email = "me@soliprem.eu";
|
||||
matrix = "@soliprem:soliprem.eu";
|
||||
name = "Francesco Prem Solidoro";
|
||||
github = "Soliprem";
|
||||
githubId = 73885403;
|
||||
keys = [ { fingerprint = "F779 4E05 D8BB A608 73D0 1312 4FD6 B0D5 1C9A B6BD"; } ];
|
||||
};
|
||||
solson = {
|
||||
email = "scott@solson.me";
|
||||
matrix = "@solson:matrix.org";
|
||||
@@ -26667,6 +26575,12 @@
|
||||
github = "spreetin";
|
||||
githubId = 7392173;
|
||||
};
|
||||
sprock = {
|
||||
email = "rmason@mun.ca";
|
||||
github = "sprock";
|
||||
githubId = 6391601;
|
||||
name = "Roger Mason";
|
||||
};
|
||||
sputn1ck = {
|
||||
email = "kon@kon.ninja";
|
||||
github = "sputn1ck";
|
||||
@@ -29738,6 +29652,12 @@
|
||||
githubId = 20145996;
|
||||
name = "Victor Fuentes";
|
||||
};
|
||||
vlstill = {
|
||||
email = "xstill@fi.muni.cz";
|
||||
github = "vlstill";
|
||||
githubId = 4070422;
|
||||
name = "Vladimír Štill";
|
||||
};
|
||||
vmandela = {
|
||||
email = "venkat.mandela@gmail.com";
|
||||
github = "vmandela";
|
||||
@@ -30323,12 +30243,6 @@
|
||||
githubId = 22803888;
|
||||
name = "Lu Hongxu";
|
||||
};
|
||||
wini = {
|
||||
email = "dev@vini.cat";
|
||||
github = "iniw";
|
||||
githubId = 30220881;
|
||||
name = "Vinicius Deolindo";
|
||||
};
|
||||
winpat = {
|
||||
email = "patrickwinter@posteo.ch";
|
||||
github = "winpat";
|
||||
|
||||
@@ -307,7 +307,7 @@ async def commit_changes(
|
||||
commit_message = "{attrPath}: {oldVersion} -> {newVersion}".format(**change)
|
||||
if "commitMessage" in change:
|
||||
commit_message = change["commitMessage"]
|
||||
if "commitBody" in change:
|
||||
elif "commitBody" in change:
|
||||
commit_message = commit_message + "\n\n" + change["commitBody"]
|
||||
await check_subprocess_output(
|
||||
"git",
|
||||
|
||||
@@ -717,15 +717,6 @@ with lib.maintainers;
|
||||
github = "security-review";
|
||||
};
|
||||
|
||||
stardust-xr = {
|
||||
members = [
|
||||
pandapip1
|
||||
technobaboo
|
||||
];
|
||||
scope = "Maintain Stardust XR packages";
|
||||
shortName = "StardustXR";
|
||||
};
|
||||
|
||||
stdenv = {
|
||||
enableFeatureFreezePing = true;
|
||||
github = "stdenv";
|
||||
|
||||
@@ -41,6 +41,5 @@ and non-critical by adding `options = [ "nofail" ];`.
|
||||
```{=include=} sections
|
||||
luks-file-systems.section.md
|
||||
sshfs-file-systems.section.md
|
||||
nfs-file-systems.section.md
|
||||
overlayfs.section.md
|
||||
```
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
# NFS File Systems {#sec-nfs-file-systems}
|
||||
|
||||
[NFS][nfs] (Network File System) allows you to mount directories from remote machines over the network.
|
||||
|
||||
[nfs]: https://en.wikipedia.org/wiki/Network_File_System
|
||||
[nfs-man]: https://man7.org/linux/man-pages/man5/nfs.5.html
|
||||
|
||||
To mount NFS filesystems persistently, use the `fileSystems` option:
|
||||
|
||||
```nix
|
||||
{
|
||||
fileSystems."/mnt/data" = {
|
||||
device = "server.example.com:/export/data";
|
||||
fsType = "nfs";
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
## Automounting {#sec-nfs-automount}
|
||||
|
||||
To have NFS filesystems mounted on-demand instead of at boot, add the `noauto` and `x-systemd.automount` options:
|
||||
|
||||
```nix
|
||||
{
|
||||
fileSystems."/mnt/data" = {
|
||||
device = "server.example.com:/export/data";
|
||||
fsType = "nfs";
|
||||
options = [
|
||||
"noauto"
|
||||
"x-systemd.automount"
|
||||
];
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
## Ad-hoc Mounting {#sec-nfs-adhoc}
|
||||
|
||||
To mount NFS filesystems ad-hoc using the `mount` command, enable NFS and required RPC services:
|
||||
|
||||
```nix
|
||||
{
|
||||
boot.supportedFilesystems = [ "nfs" ];
|
||||
}
|
||||
```
|
||||
|
||||
Then you can mount filesystems manually:
|
||||
|
||||
```shell
|
||||
$ sudo mount -t nfs server.example.com:/export/data /mnt/data
|
||||
```
|
||||
|
||||
For more information on NFS mount options, see the [nfs(5) man page][nfs-man].
|
||||
@@ -202,8 +202,6 @@ rec {
|
||||
--script ./anchor.min.js \
|
||||
--script ./anchor-use.js \
|
||||
--sidebar-depth 2 \
|
||||
--header ${./header.html}\
|
||||
--no-navheader \
|
||||
./manual.md \
|
||||
$dst/${common.indexPath}
|
||||
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
<div class="manual-header">
|
||||
<nav class="manual-header--tabs">
|
||||
<a class="manual-header--tab" href="https://nixos.org/manual/nixos/stable/">Nixpkgs</a>
|
||||
<a class="manual-header--tab manual-header--tab-active" href="#">NixOS</a>
|
||||
</nav>
|
||||
<span class="manual-header--title">Nixos Manual</span>
|
||||
</div>
|
||||
@@ -47,7 +47,7 @@ The first steps to all these are the same:
|
||||
|
||||
Where `<version>` corresponds to the latest version available on [channels.nixos.org](https://channels.nixos.org/).
|
||||
|
||||
You must run `$ nix-channel --update` for the channel change to take effect.
|
||||
You may want to throw in a `nix-channel --update` for good measure.
|
||||
|
||||
1. Install the NixOS installation tools:
|
||||
|
||||
|
||||
@@ -619,15 +619,6 @@
|
||||
"sec-luks-file-systems-fido2-systemd": [
|
||||
"index.html#sec-luks-file-systems-fido2-systemd"
|
||||
],
|
||||
"sec-nfs-file-systems": [
|
||||
"index.html#sec-nfs-file-systems"
|
||||
],
|
||||
"sec-nfs-automount": [
|
||||
"index.html#sec-nfs-automount"
|
||||
],
|
||||
"sec-nfs-adhoc": [
|
||||
"index.html#sec-nfs-adhoc"
|
||||
],
|
||||
"sec-sshfs-file-systems": [
|
||||
"index.html#sec-sshfs-file-systems"
|
||||
],
|
||||
@@ -1900,9 +1891,6 @@
|
||||
"sec-kubernetes": [
|
||||
"index.html#sec-kubernetes"
|
||||
],
|
||||
"module-services-nordvpn": [
|
||||
"index.html#module-services-nordvpn"
|
||||
],
|
||||
"ch-running": [
|
||||
"index.html#ch-running"
|
||||
],
|
||||
|
||||
@@ -110,8 +110,6 @@
|
||||
|
||||
- [clevis-luks-askpass](https://github.com/latchset/clevis), automatic LUKS unlocking in initrd using clevis token bindings stored in LUKS headers. Available as [boot.initrd.clevisLuksAskpass](#opt-boot.initrd.clevisLuksAskpass.enable).
|
||||
|
||||
- [passless](https://github.com/pando85/passless), a daemon for using Webauthn Passkeys backed by password-store.
|
||||
|
||||
- [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).
|
||||
|
||||
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).
|
||||
|
||||
@@ -32,8 +32,6 @@
|
||||
|
||||
- [Nezha](https://github.com/nezhahq/nezha), a self-hosted, lightweight server and website monitoring and O&M tool. Available as [services.nezha](#opt-services.nezha.enable).
|
||||
|
||||
- [Watt](https://github.com/NotAShelf/watt), a CPU frequency and power management daemon for Linux. Available as [services.watt](#opt-services.watt.enable).
|
||||
|
||||
- [mail-tlsa-check-exporter](https://github.com/ietf-tools/mail-tlsa-check-exporter), validates SMTP / IMAP server certificates against a TLSA record as a Prometheus exporter. Available as [services.prometheus.exporters.mail-tlsa-check](#opt-services.prometheus.exporters.mail-tlsa-check.enable).
|
||||
|
||||
- [CastSponsorSkip](https://github.com/gabe565/CastSponsorSkip/), skips YouTube sponsorships (and sometimes ads) on all local Google Cast devices.
|
||||
@@ -56,8 +54,6 @@
|
||||
|
||||
- [OO7](https://github.com/linux-credentials/oo7) is a desktop-agnostic Secret Service provider. Available as [services.oo7](#opt-services.oo7.enable)
|
||||
|
||||
- [NordVPN](https://github.com/NordSecurity/nordvpn-linux), a NordVPN client for linux. Available as [services.nordvpn](options.html#opt-services.nordvpn.enable).
|
||||
|
||||
## Backward Incompatibilities {#sec-release-26.11-incompatibilities}
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
@@ -142,8 +138,6 @@
|
||||
|
||||
- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
|
||||
|
||||
- The `authelia` module now uses systemd's `LoadCredential` to load all files defined in `secrets`. As such, these files no longer need to be readable by the authelia user and group: they can for example be set to be only readable by the root user.
|
||||
|
||||
- `zoneminder` has been updated to 1.38.x release. See [upstream release note](https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.0). While database migration should happen automatically, it's recommended that you make a backup of the database before upgrading your system.
|
||||
|
||||
- The latest available version of Nextcloud is v34 (available as `pkgs.nextcloud34`). The installation logic is as follows:
|
||||
|
||||
@@ -625,7 +625,7 @@ rec {
|
||||
|
||||
listenStreams = mkOption {
|
||||
default = [ ];
|
||||
type = types.listOf (types.coercedTo types.port toString types.str);
|
||||
type = types.listOf types.str;
|
||||
example = [
|
||||
"0.0.0.0:993"
|
||||
"/run/my-socket"
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
utils,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
@@ -60,7 +59,7 @@ in
|
||||
};
|
||||
|
||||
output = lib.mkOption {
|
||||
type = lib.types.externalPath;
|
||||
type = lib.types.path;
|
||||
default = "/var/cache/locatedb";
|
||||
description = ''
|
||||
The database file to build.
|
||||
@@ -250,35 +249,27 @@ in
|
||||
systemd.services.update-locatedb = {
|
||||
description = "Update Locate Database";
|
||||
|
||||
serviceConfig = {
|
||||
# mlocate's updatedb takes flags via a configuration file or
|
||||
# on the command line, but not by environment variable.
|
||||
ExecStart =
|
||||
let
|
||||
toFlags =
|
||||
x:
|
||||
lib.optionals (cfg.${x} != [ ]) [
|
||||
"--${lib.toLower x}"
|
||||
(lib.concatStringsSep " " cfg.${x})
|
||||
];
|
||||
args = lib.concatMap toFlags [
|
||||
# mlocate's updatedb takes flags via a configuration file or
|
||||
# on the command line, but not by environment variable.
|
||||
script =
|
||||
let
|
||||
toFlags =
|
||||
x: lib.optional (cfg.${x} != [ ]) "--${lib.toLower x} '${lib.concatStringsSep " " cfg.${x}}'";
|
||||
args = lib.concatLists (
|
||||
map toFlags [
|
||||
"pruneFS"
|
||||
"pruneNames"
|
||||
"prunePaths"
|
||||
];
|
||||
in
|
||||
utils.escapeSystemdExecArgs (
|
||||
[
|
||||
(lib.getExe' cfg.package "updatedb")
|
||||
"--output"
|
||||
cfg.output
|
||||
"--prune-bind-mounts"
|
||||
(lib.boolToYesNo cfg.pruneBindMounts)
|
||||
]
|
||||
++ args
|
||||
++ cfg.extraFlags
|
||||
);
|
||||
|
||||
in
|
||||
''
|
||||
exec ${cfg.package}/bin/updatedb \
|
||||
--output ${toString cfg.output} ${lib.concatStringsSep " " args} \
|
||||
--prune-bind-mounts ${lib.boolToYesNo cfg.pruneBindMounts} \
|
||||
${lib.concatStringsSep " " cfg.extraFlags}
|
||||
'';
|
||||
serviceConfig = {
|
||||
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_CHOWN";
|
||||
Nice = 19;
|
||||
IOSchedulingClass = "idle";
|
||||
|
||||
@@ -296,7 +296,6 @@
|
||||
./programs/opengamepadui.nix
|
||||
./programs/openvpn3.nix
|
||||
./programs/partition-manager.nix
|
||||
./programs/passless.nix
|
||||
./programs/pay-respects.nix
|
||||
./programs/plotinus.nix
|
||||
./programs/pmount.nix
|
||||
@@ -358,7 +357,6 @@
|
||||
./programs/wayland/mangowc.nix
|
||||
./programs/wayland/miracle-wm.nix
|
||||
./programs/wayland/niri.nix
|
||||
./programs/wayland/pinnacle.nix
|
||||
./programs/wayland/river.nix
|
||||
./programs/wayland/sway.nix
|
||||
./programs/wayland/uwsm.nix
|
||||
@@ -732,7 +730,6 @@
|
||||
./services/hardware/usbmuxd.nix
|
||||
./services/hardware/usbrelayd.nix
|
||||
./services/hardware/vdr.nix
|
||||
./services/hardware/watt.nix
|
||||
./services/home-automation/deye-dummycloud.nix
|
||||
./services/home-automation/ebusd.nix
|
||||
./services/home-automation/esphome.nix
|
||||
@@ -1344,7 +1341,6 @@
|
||||
./services/networking/nncp.nix
|
||||
./services/networking/nntp-proxy.nix
|
||||
./services/networking/nomad.nix
|
||||
./services/networking/nordvpn.nix
|
||||
./services/networking/nsd.nix
|
||||
./services/networking/ntopng.nix
|
||||
./services/networking/ntp/chrony.nix
|
||||
@@ -1861,7 +1857,6 @@
|
||||
./services/web-servers/nginx/tailscale-auth.nix
|
||||
./services/web-servers/phpfpm/default.nix
|
||||
./services/web-servers/pomerium.nix
|
||||
./services/web-servers/rustfs.nix
|
||||
./services/web-servers/rustus.nix
|
||||
./services/web-servers/send.nix
|
||||
./services/web-servers/stargazer.nix
|
||||
|
||||
@@ -1,134 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.programs.passless;
|
||||
settingsFormat = pkgs.formats.toml { };
|
||||
settingsFile = settingsFormat.generate "passless.toml" cfg.settings;
|
||||
in
|
||||
{
|
||||
|
||||
options.programs.passless = {
|
||||
enable = lib.mkEnableOption "passless";
|
||||
|
||||
package = lib.mkPackageOption pkgs "passless" { };
|
||||
|
||||
users = lib.options.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = ''
|
||||
Users that intend to use passless and should be added to the fido group.
|
||||
'';
|
||||
default = [ ];
|
||||
example = [ "alice" ];
|
||||
};
|
||||
|
||||
settings = lib.mkOption {
|
||||
inherit (settingsFormat) type;
|
||||
default = { };
|
||||
example = {
|
||||
pass.store-path = "/home/alice/.local/share/password-store";
|
||||
};
|
||||
description = ''
|
||||
Configuration included in `config.toml`.
|
||||
|
||||
See <https://github.com/pando85/passless#configuration-1> for documentation or run `passless config print` to see default configuration.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.programs.passless.enable {
|
||||
users.groups.fido.members = cfg.users;
|
||||
|
||||
boot.kernelModules = [ "uhid" ];
|
||||
|
||||
services.udev.extraRules = ''
|
||||
KERNEL=="uhid", GROUP="fido", MODE="0660"
|
||||
'';
|
||||
|
||||
# From https://github.com/pando85/passless/blob/master/contrib/systemd/passless.service
|
||||
systemd.user.services.passless = {
|
||||
description = "Passless FIDO2 Software Authenticator";
|
||||
documentation = [ "https://github.com/pando85/passless" ];
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
wantedBy = [ "default.target" ];
|
||||
path = [ config.programs.gnupg.package ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${lib.getExe cfg.package} --config-path ${settingsFile}";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
# Security hardening
|
||||
# The application already handles its own memory locking and core dump prevention
|
||||
# but we can add additional systemd protections
|
||||
NoNewPrivileges = true;
|
||||
LimitMEMLOCK = "2M";
|
||||
SyslogIdentifier = "passless";
|
||||
|
||||
# Found with shh
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = "disconnected";
|
||||
PrivateMounts = "true";
|
||||
ProtectKernelTunables = "true";
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectClock = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictAddressFamilies = "AF_UNIX";
|
||||
SocketBindDeny = [
|
||||
"ipv4:tcp"
|
||||
"ipv4:udp"
|
||||
"ipv6:tcp"
|
||||
"ipv6:udp"
|
||||
];
|
||||
CapabilityBoundingSet = [
|
||||
"~CAP_BLOCK_SUSPEND"
|
||||
"CAP_BPF"
|
||||
"CAP_CHOWN"
|
||||
"CAP_MKNOD"
|
||||
"CAP_NET_RAW"
|
||||
"CAP_PERFMON"
|
||||
"CAP_SYS_BOOT"
|
||||
"CAP_SYS_CHROOT"
|
||||
"CAP_SYS_MODULE"
|
||||
"CAP_SYS_NICE"
|
||||
"CAP_SYS_PACCT"
|
||||
"CAP_SYS_PTRACE"
|
||||
"CAP_SYS_TIME"
|
||||
"CAP_SYSLOG"
|
||||
"CAP_WAKE_ALARM"
|
||||
];
|
||||
SystemCallFilter = [
|
||||
"~@aio:EPERM"
|
||||
"@chown:EPERM"
|
||||
"@clock:EPERM"
|
||||
"@cpu-emulation:EPERM"
|
||||
"@debug:EPERM"
|
||||
"@ipc:EPERM"
|
||||
"@keyring:EPERM"
|
||||
"@module:EPERM"
|
||||
"@mount:EPERM"
|
||||
"@obsolete:EPERM"
|
||||
"@pkey:EPERM"
|
||||
"@privileged:EPERM"
|
||||
"@raw-io:EPERM"
|
||||
"@reboot:EPERM"
|
||||
"@resources:EPERM"
|
||||
"@sandbox:EPERM"
|
||||
"@setuid:EPERM"
|
||||
"@swap:EPERM"
|
||||
"@sync:EPERM"
|
||||
];
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ erictapen ];
|
||||
|
||||
}
|
||||
@@ -1,70 +0,0 @@
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.programs.pinnacle;
|
||||
inherit (lib.options) mkEnableOption mkPackageOption;
|
||||
in
|
||||
{
|
||||
options.programs.pinnacle = {
|
||||
enable = mkEnableOption "pinnacle";
|
||||
package = mkPackageOption pkgs "pinnacle" {
|
||||
default = "pinnacle";
|
||||
example = "pkgs.pinnacle";
|
||||
extraDescription = "package containing the pinnacle server binary";
|
||||
};
|
||||
xdg-portals.enable = mkEnableOption "enable xdg-portals for pinnacle";
|
||||
withUWSM = mkEnableOption ''
|
||||
manage the pinnacle session with [UWSM](https://github.com/Vladimir-csp/uwsm) instead
|
||||
of independent systemd services and targets.
|
||||
'';
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable (
|
||||
lib.mkMerge [
|
||||
{
|
||||
environment.systemPackages = [
|
||||
cfg.package
|
||||
pkgs.protobuf
|
||||
cfg.package.lua-client-api
|
||||
];
|
||||
environment.pathsToLink = [
|
||||
# For /run/current-system/sw/share/pinnacle protobuf files - for
|
||||
# pinnacle to be able to launch with a non-default config out of the
|
||||
# box.
|
||||
"/share/pinnacle"
|
||||
];
|
||||
xdg.portal = lib.mkIf cfg.xdg-portals.enable {
|
||||
enable = true;
|
||||
wlr.enable = true;
|
||||
configPackages = [ cfg.package ];
|
||||
extraPortals = [
|
||||
pkgs.xdg-desktop-portal-wlr
|
||||
pkgs.xdg-desktop-portal-gtk
|
||||
pkgs.gnome-keyring
|
||||
];
|
||||
};
|
||||
}
|
||||
(lib.mkIf (cfg.withUWSM) {
|
||||
programs.uwsm.enable = true;
|
||||
# Configure UWSM to launch Pinnacle from a display manager like SDDM
|
||||
programs.uwsm.waylandCompositors = {
|
||||
pinnacle = {
|
||||
prettyName = "Pinnacle";
|
||||
comment = "Pinnacle compositor managed by UWSM";
|
||||
binPath = "/run/current-system/sw/bin/pinnacle";
|
||||
extraArgs = [ "--session" ];
|
||||
};
|
||||
};
|
||||
})
|
||||
(lib.mkIf (!cfg.withUWSM) {
|
||||
services.displayManager.sessionPackages = [ cfg.package ];
|
||||
})
|
||||
]
|
||||
);
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ cassandracomar ];
|
||||
}
|
||||
@@ -511,7 +511,7 @@ in
|
||||
services.simplesamlphp has been vulnerable and unmaintained in nixpkgs.
|
||||
'')
|
||||
(mkRemovedOptionModule [ "security" "pam" "enableEcryptfs" ] ''
|
||||
security.pam.enableEcryptfs was removed since it was unmaintained in nixpkgs.
|
||||
security.pam.enableFscrypt was removed since it was unmaintained in nixpkgs.
|
||||
'')
|
||||
(mkRemovedOptionModule [ "security" "rngd" ] ''
|
||||
rngd is not necessary for any device that the kernel recognises
|
||||
|
||||
@@ -241,7 +241,7 @@ in
|
||||
{
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = "yes";
|
||||
ExecStartPre = lib.getExe' pkgs.apparmor-init "aa-teardown";
|
||||
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
|
||||
ExecStart = lib.mapAttrsToList (
|
||||
n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts n p}"
|
||||
) enabledPolicies;
|
||||
@@ -262,7 +262,7 @@ in
|
||||
# Optionally kill the processes which are unconfined but now have a profile loaded
|
||||
# (because AppArmor can only start to confine new processes).
|
||||
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
|
||||
ExecStop = lib.getExe' pkgs.apparmor-init "aa-teardown";
|
||||
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
|
||||
CacheDirectory = [
|
||||
"apparmor"
|
||||
"apparmor/logprof"
|
||||
|
||||
@@ -10,7 +10,7 @@ in
|
||||
{
|
||||
options.services.oo7 = {
|
||||
enable = lib.mkEnableOption ''
|
||||
oo7, a service providing the Secret Service D-Bus API
|
||||
oo7, a service providing the Secret Service D-Bus API.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
@@ -40,6 +40,7 @@ in
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
seatd
|
||||
sdnotify-wrapper
|
||||
];
|
||||
users.groups.seat = lib.mkIf (cfg.group == "seat") { };
|
||||
|
||||
@@ -54,7 +55,7 @@ in
|
||||
Type = "notify";
|
||||
NotifyAccess = "all";
|
||||
SyslogIdentifier = "seatd";
|
||||
ExecStart = "${lib.getExe' pkgs.s6 "s6-notify-socket-from-fd"} ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
|
||||
ExecStart = "${pkgs.sdnotify-wrapper}/bin/sdnotify-wrapper ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
|
||||
RestartSec = 1;
|
||||
Restart = "always";
|
||||
};
|
||||
|
||||
@@ -80,9 +80,6 @@ in
|
||||
unitConfig = lib.optionalAttrs cfg.startWithGraphical {
|
||||
After = "graphical-session.target";
|
||||
};
|
||||
|
||||
# Long-lived session that ought to only be restarted manually
|
||||
restartIfChanged = false;
|
||||
}
|
||||
// lib.optionalAttrs cfg.enable {
|
||||
wantedBy = if cfg.startWithGraphical then [ "graphical-session.target" ] else [ "default.target" ];
|
||||
|
||||
@@ -1,71 +0,0 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
mkIf
|
||||
mkOption
|
||||
mkEnableOption
|
||||
mkPackageOption
|
||||
getExe
|
||||
;
|
||||
inherit (lib.types) submodule;
|
||||
|
||||
cfg = config.services.watt;
|
||||
|
||||
format = pkgs.formats.toml { };
|
||||
cfgFile = format.generate "watt-config.toml" cfg.settings;
|
||||
|
||||
conflictingServices = [
|
||||
"power-profiles-daemon"
|
||||
"auto-cpufreq"
|
||||
"tlp"
|
||||
"cpupower-gui"
|
||||
"thermald"
|
||||
];
|
||||
|
||||
in
|
||||
{
|
||||
options.services.watt = {
|
||||
enable = mkEnableOption "automatic CPU speed & power optimizer for Linux";
|
||||
package = mkPackageOption pkgs "watt" { };
|
||||
|
||||
settings = mkOption {
|
||||
default = { };
|
||||
type = submodule { freeformType = format.type; };
|
||||
description = "Configuration for Watt. Options at https://github.com/notaShelf/watt";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = map (service: {
|
||||
assertion = !config.services.${service}.enable;
|
||||
message = "You have set services.${service}.enable = true; which conflicts with Watt.";
|
||||
}) conflictingServices;
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
# This is necessary for the Watt CLI. The environment variable
|
||||
# passed to the systemd service will take priority in read order.
|
||||
environment.etc."watt.toml".source = cfgFile;
|
||||
|
||||
services.dbus.packages = [ cfg.package ];
|
||||
|
||||
systemd.services.watt = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
conflicts = map (service: "${service}.service") conflictingServices;
|
||||
serviceConfig = {
|
||||
WorkingDirectory = "";
|
||||
ExecStart = getExe cfg.package;
|
||||
Restart = "on-failure";
|
||||
|
||||
RuntimeDirectory = "watt";
|
||||
RuntimeDirectoryMode = "0755";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
@@ -281,7 +281,7 @@ in
|
||||
environment.etc."postsrsd.conf".source = configFile;
|
||||
|
||||
systemd.services.postsrsd = {
|
||||
description = "Sender Rewriting Scheme daemon for Postfix";
|
||||
description = "PostSRSd SRS rewriting server";
|
||||
after = [
|
||||
"network.target"
|
||||
"postsrsd-generate-secrets.service"
|
||||
@@ -289,20 +289,14 @@ in
|
||||
before = [ "postfix.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "postsrsd-generate-secrets.service" ];
|
||||
reloadTriggers = [ configFile ];
|
||||
restartTriggers = [ configFile ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "notify-reload";
|
||||
ExecStart = utils.escapeSystemdExecArgs [
|
||||
(lib.getExe cfg.package)
|
||||
"-C"
|
||||
"/etc/postsrsd.conf"
|
||||
];
|
||||
ExecReload = toString [
|
||||
(lib.getExe' pkgs.coreutils "kill")
|
||||
"-SIGHUP"
|
||||
"$MAINPID"
|
||||
];
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
RuntimeDirectory = "postsrsd";
|
||||
@@ -325,7 +319,7 @@ in
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectProc = "noaccess";
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies =
|
||||
|
||||
@@ -57,7 +57,7 @@ in
|
||||
default = { };
|
||||
description = ''
|
||||
Configuration options for the Stalwart server.
|
||||
See <https://stalw.art/docs/configuration> for available options.
|
||||
See <https://stalw.art/docs/category/configuration> for available options.
|
||||
|
||||
By default, the module is configured to store everything locally.
|
||||
'';
|
||||
|
||||
@@ -13,7 +13,6 @@ in
|
||||
{
|
||||
options.services.dendrite = {
|
||||
enable = lib.mkEnableOption "matrix.org dendrite";
|
||||
package = lib.mkPackageOption pkgs "dendrite" { };
|
||||
httpPort = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.port;
|
||||
default = 8008;
|
||||
@@ -322,7 +321,7 @@ in
|
||||
];
|
||||
ExecStart = lib.strings.concatStringsSep " " (
|
||||
[
|
||||
(lib.getExe cfg.package)
|
||||
"${pkgs.dendrite}/bin/dendrite"
|
||||
"--config /run/dendrite/dendrite.yaml"
|
||||
]
|
||||
++ lib.optionals (cfg.httpPort != null) [
|
||||
|
||||
@@ -45,9 +45,7 @@ let
|
||||
pruned;
|
||||
configFile = format.generate "config.yaml" finalSettings;
|
||||
|
||||
extraConfigFiles = lib.imap0 (
|
||||
i: _: "\${CREDENTIALS_DIRECTORY}/config-${toString i}"
|
||||
) cfg.extraConfigFiles;
|
||||
extraConfigFiles = lib.imap0 (i: _: "%d/config-${toString i}") cfg.extraConfigFiles;
|
||||
runtimeConfig = "/run/matrix-authentication-service/config.yaml";
|
||||
in
|
||||
{
|
||||
|
||||
@@ -22,23 +22,17 @@ in
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment = {
|
||||
# systemd-localed looks into 00-keyboard.conf
|
||||
# systemd-localed does not like if Option values are ""
|
||||
etc."X11/xorg.conf.d/00-keyboard.conf".text =
|
||||
let
|
||||
optionLine =
|
||||
name: value: lib.optionalString (value != null && value != "") ''Option "${name}" "${value}"'';
|
||||
in
|
||||
''
|
||||
Section "InputClass"
|
||||
Identifier "Keyboard catchall"
|
||||
MatchIsKeyboard "on"
|
||||
${optionLine "XkbModel" xcfg.xkb.model}
|
||||
${optionLine "XkbLayout" xcfg.xkb.layout}
|
||||
${optionLine "XkbOptions" xcfg.xkb.options}
|
||||
${optionLine "XkbVariant" xcfg.xkb.variant}
|
||||
EndSection
|
||||
'';
|
||||
# localectl looks into 00-keyboard.conf
|
||||
etc."X11/xorg.conf.d/00-keyboard.conf".text = ''
|
||||
Section "InputClass"
|
||||
Identifier "Keyboard catchall"
|
||||
MatchIsKeyboard "on"
|
||||
Option "XkbModel" "${xcfg.xkb.model}"
|
||||
Option "XkbLayout" "${xcfg.xkb.layout}"
|
||||
Option "XkbOptions" "${xcfg.xkb.options}"
|
||||
Option "XkbVariant" "${xcfg.xkb.variant}"
|
||||
EndSection
|
||||
'';
|
||||
systemPackages = with pkgs; [
|
||||
nixos-icons # needed for gnome and pantheon about dialog, nixos-manual and maybe more
|
||||
xdg-utils
|
||||
|
||||
@@ -245,19 +245,19 @@ in
|
||||
};
|
||||
|
||||
components = {
|
||||
subversion = lib.mkEnableOption "Subversion integration";
|
||||
subversion = lib.mkEnableOption "Subversion integration.";
|
||||
|
||||
mercurial = lib.mkEnableOption "Mercurial integration";
|
||||
mercurial = lib.mkEnableOption "Mercurial integration.";
|
||||
|
||||
git = lib.mkEnableOption "git integration";
|
||||
git = lib.mkEnableOption "git integration.";
|
||||
|
||||
cvs = lib.mkEnableOption "cvs integration";
|
||||
cvs = lib.mkEnableOption "cvs integration.";
|
||||
|
||||
breezy = lib.mkEnableOption "bazaar integration";
|
||||
breezy = lib.mkEnableOption "bazaar integration.";
|
||||
|
||||
imagemagick = lib.mkEnableOption "exporting Gant diagrams as PNG";
|
||||
imagemagick = lib.mkEnableOption "exporting Gant diagrams as PNG.";
|
||||
|
||||
ghostscript = lib.mkEnableOption "exporting Gant diagrams as PDF";
|
||||
ghostscript = lib.mkEnableOption "exporting Gant diagrams as PDF.";
|
||||
|
||||
minimagick_font_path = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
@@ -265,8 +265,6 @@ in
|
||||
description = "MiniMagick font path";
|
||||
example = "/run/current-system/sw/share/X11/fonts/LiberationSans-Regular.ttf";
|
||||
};
|
||||
|
||||
pandoc = lib.mkEnableOption "pandoc integration for previewing LibreOffice and Microsoft Office documents";
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -312,7 +310,6 @@ in
|
||||
imagemagick_convert_command = lib.optionalString cfg.components.imagemagick "${pkgs.imagemagick}/bin/convert";
|
||||
gs_command = lib.optionalString cfg.components.ghostscript "${pkgs.ghostscript}/bin/gs";
|
||||
minimagick_font_path = "${cfg.components.minimagick_font_path}";
|
||||
pandoc_command = lib.optionalString cfg.components.pandoc "${pkgs.pandoc}/bin/pandoc";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
@@ -90,5 +90,8 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ nanoyaki ];
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
diniamo
|
||||
nanoyaki
|
||||
];
|
||||
}
|
||||
|
||||
@@ -6,32 +6,17 @@
|
||||
}:
|
||||
let
|
||||
cfg = config.services.vnstat;
|
||||
settingsFormat = pkgs.formats.keyValue { };
|
||||
in
|
||||
{
|
||||
options.services.vnstat = {
|
||||
enable = lib.mkEnableOption "update of network usage statistics via vnstatd";
|
||||
package = lib.mkPackageOption pkgs "vnstat" { };
|
||||
settings = lib.mkOption {
|
||||
type = lib.types.submodule { freeformType = settingsFormat.type; };
|
||||
default = { };
|
||||
description = ''
|
||||
Configuration for vnstat. Refer to
|
||||
[https://humdi.net/vnstat/man/vnstat.conf.html]
|
||||
or {manpage}`vnstat.conf(5)` for more information.
|
||||
'';
|
||||
example = {
|
||||
AlwaysAddNewInterfaces = 1;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
environment.etc."vnstat.conf".source = settingsFormat.generate "vnstat.conf" cfg.settings;
|
||||
|
||||
users = {
|
||||
groups.vnstatd = { };
|
||||
|
||||
@@ -74,8 +59,4 @@ in
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta = {
|
||||
maintainers = with lib.maintainers; [ hmenke ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -132,7 +132,7 @@ in
|
||||
description = "socket for fast remote file copy program daemon";
|
||||
conflicts = [ "rsync.service" ];
|
||||
|
||||
listenStreams = [ cfg.port ];
|
||||
listenStreams = [ (toString cfg.port) ];
|
||||
socketConfig.Accept = true;
|
||||
|
||||
wantedBy = [ "sockets.target" ];
|
||||
|
||||
@@ -44,7 +44,7 @@ in
|
||||
settings = mkOption {
|
||||
description = ''
|
||||
Headplane configuration options. Generates a YAML config file.
|
||||
See <https://github.com/tale/headplane/blob/main/config.example.yaml>.
|
||||
See: https://github.com/tale/headplane/blob/main/config.example.yaml
|
||||
'';
|
||||
type = types.submodule {
|
||||
options = {
|
||||
@@ -129,16 +129,6 @@ in
|
||||
headscale = mkOption {
|
||||
type = types.submodule {
|
||||
options = {
|
||||
api_key_path = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing a Headscale API key.
|
||||
This is required for OIDC authentication aswell for the Headplane agent.
|
||||
'';
|
||||
example = lib.literalExpression "config.sops.secrets.headplane_pre_authkey.path";
|
||||
};
|
||||
|
||||
url = mkOption {
|
||||
type = types.str;
|
||||
default = "http://127.0.0.1:${toString config.services.headscale.port}";
|
||||
@@ -221,6 +211,15 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
pre_authkey_path = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing a Headscale pre-auth key for the agent.
|
||||
'';
|
||||
example = lib.literalExpression "config.sops.secrets.headplane_pre_authkey.path";
|
||||
};
|
||||
|
||||
executable_path = mkOption {
|
||||
type = types.path;
|
||||
readOnly = true;
|
||||
@@ -238,14 +237,20 @@ in
|
||||
};
|
||||
|
||||
cache_ttl = mkOption {
|
||||
type = types.ints.positive;
|
||||
default = 180000;
|
||||
type = types.nullOr types.int;
|
||||
default = null;
|
||||
description = ''
|
||||
How long to cache agent information (in milliseconds).
|
||||
If you want data to update faster, reduce the TTL, but this will increase the frequency of requests to Headscale.
|
||||
Deprecated cache TTL for the agent. This option is accepted
|
||||
by Headplane 0.6.2 but has no effect.
|
||||
'';
|
||||
};
|
||||
|
||||
cache_path = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/headplane/agent_cache.json";
|
||||
description = "The path to store the agent's cache.";
|
||||
};
|
||||
|
||||
work_dir = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/headplane/agent";
|
||||
@@ -320,6 +325,16 @@ in
|
||||
example = lib.literalExpression "config.sops.secrets.oidc_client_secret.path";
|
||||
};
|
||||
|
||||
headscale_api_key_path = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing the Headscale API key.
|
||||
Required for OIDC authentication.
|
||||
'';
|
||||
example = lib.literalExpression "config.sops.secrets.headscale_api_key.path";
|
||||
};
|
||||
|
||||
disable_api_key_login = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
@@ -351,6 +366,25 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
redirect_uri = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Deprecated OIDC redirect URI. Use services.headplane.settings.server.base_url
|
||||
instead; Headplane derives the callback URL from it.
|
||||
'';
|
||||
example = "https://headplane.example.com/admin/oidc/callback";
|
||||
};
|
||||
|
||||
strict_validation = mkOption {
|
||||
type = types.nullOr types.bool;
|
||||
default = null;
|
||||
description = ''
|
||||
Deprecated OIDC validation setting. This option is accepted
|
||||
by Headplane 0.6.2 but has no effect.
|
||||
'';
|
||||
};
|
||||
|
||||
profile_picture_source = mkOption {
|
||||
type = types.enum [
|
||||
"oidc"
|
||||
@@ -395,6 +429,16 @@ in
|
||||
description = "Custom userinfo endpoint URL.";
|
||||
example = "https://provider.example.com/userinfo";
|
||||
};
|
||||
|
||||
user_storage_file = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Deprecated path to the pre-0.6.2 JSON user database.
|
||||
Headplane uses this once to migrate users into its internal database.
|
||||
'';
|
||||
example = "/var/lib/headplane/users.json";
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
@@ -408,6 +452,33 @@ in
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
warnings =
|
||||
lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.redirect_uri != null) [
|
||||
''
|
||||
services.headplane.settings.oidc.redirect_uri is deprecated by Headplane 0.6.2.
|
||||
Use services.headplane.settings.server.base_url instead; Headplane derives
|
||||
the OIDC callback URL from it.
|
||||
''
|
||||
]
|
||||
++ lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.strict_validation != null) [
|
||||
''
|
||||
services.headplane.settings.oidc.strict_validation is deprecated and has no effect
|
||||
in Headplane 0.6.2.
|
||||
''
|
||||
]
|
||||
++ lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.user_storage_file != null) [
|
||||
''
|
||||
services.headplane.settings.oidc.user_storage_file is deprecated. Headplane 0.6.2
|
||||
uses it only to migrate the pre-0.6.2 JSON user database into the internal database.
|
||||
''
|
||||
]
|
||||
++ lib.optionals (agentSettings != null && agentSettings.cache_ttl != null) [
|
||||
''
|
||||
services.headplane.settings.integration.agent.cache_ttl is deprecated and has no
|
||||
effect in Headplane 0.6.2.
|
||||
''
|
||||
];
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion = config.services.headscale.enable;
|
||||
@@ -431,25 +502,26 @@ in
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.oidc == null || cfg.settings.headscale.api_key_path != null;
|
||||
assertion = cfg.settings.oidc == null || cfg.settings.oidc.headscale_api_key_path != null;
|
||||
message = ''
|
||||
services.headplane.settings.headscale.api_key_path must be set
|
||||
when services.headplane.settings.oidc is non-null.
|
||||
Headplane's OIDC flow requires a Headscale API key to mint sessions.
|
||||
services.headplane.settings.oidc.headscale_api_key_path must be set
|
||||
when services.headplane.settings.oidc is non-null. Headplane's OIDC
|
||||
flow requires a Headscale API key to mint sessions.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion =
|
||||
agentSettings == null || !agentSettings.enabled || cfg.settings.headscale.api_key_path != null;
|
||||
agentSettings == null || !agentSettings.enabled || agentSettings.pre_authkey_path != null;
|
||||
message = ''
|
||||
services.headplane.settings.headscale.api_key_path must be set when the agent is enabled.
|
||||
services.headplane.settings.integration.agent.pre_authkey_path must be set
|
||||
when the agent is enabled.
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
environment = {
|
||||
systemPackages = [ cfg.package ];
|
||||
etc."headplane/config.yaml".source = settingsFile;
|
||||
etc."headplane/config.yaml".source = "${settingsFile}";
|
||||
};
|
||||
|
||||
systemd.services.headplane = {
|
||||
@@ -462,7 +534,6 @@ in
|
||||
config.systemd.services.headscale.name
|
||||
];
|
||||
requires = [ config.systemd.services.headscale.name ];
|
||||
restartTriggers = [ settingsFile ];
|
||||
|
||||
environment = {
|
||||
HEADPLANE_DEBUG_LOG = toString cfg.debug;
|
||||
|
||||
@@ -93,10 +93,6 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
warnings = mkIf (!config.systemd.network.enable) [
|
||||
"services.networkd-dispatcher will not execute any scripts unless networkd is enabled, either via `systemd.network.enable` or via `networking.useNetworkd`."
|
||||
];
|
||||
|
||||
systemd = {
|
||||
packages = [ pkgs.networkd-dispatcher ];
|
||||
services.networkd-dispatcher = {
|
||||
|
||||
@@ -1,65 +0,0 @@
|
||||
# NordVPN {#module-services-nordvpn}
|
||||
|
||||
*Source:* {file}`modules/services/networking/nordvpn.nix`
|
||||
|
||||
*Upstream documentation:* <https://github.com/NordSecurity/nordvpn-linux>
|
||||
|
||||
NordVPN offers a paid virtual private network (VPN) service.
|
||||
The service operates as closed-source,
|
||||
but the Linux client uses open-source code licensed under GPLv3.
|
||||
A minimal configuration in NixOS appears as follows:
|
||||
|
||||
```nix
|
||||
{
|
||||
services.nordvpn.enable = true;
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.checkReversePath = "loose";
|
||||
}
|
||||
```
|
||||
|
||||
When using a firewall, set `networking.firewall.checkReversePath` to `"loose"` or `false`.
|
||||
NordVPN includes a `kill-switch` feature that blocks all packets not associated with the VPN connection.
|
||||
|
||||
Additionally, add your user to the `nordvpn` group.
|
||||
|
||||
```nix
|
||||
{
|
||||
users.users.yourUser = {
|
||||
#..
|
||||
extraGroups = [
|
||||
#..
|
||||
"nordvpn"
|
||||
];
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
If you prefer to use your own user and group, you can do so using
|
||||
|
||||
```nix
|
||||
{
|
||||
services.nordvpn.user = "SOME-USER";
|
||||
services.nordvpn.group = "SOME-GROUP";
|
||||
}
|
||||
```
|
||||
|
||||
NordVPN provides several useful CLI commands, including:
|
||||
|
||||
```bash
|
||||
nordvpn login # Log in using an OAuth URL
|
||||
nordvpn login --token <token> # Log in with a token obtained from your NordVPN account
|
||||
nordvpn c # Connect to the VPN
|
||||
nordvpn c ie # Connect to a NordVPN server in Ireland
|
||||
nordvpn d # Disconnect from the VPN
|
||||
nordvpn set technology openvpn # Switch to OpenVPN technology
|
||||
nordvpn c # Reconnect after changing technology
|
||||
```
|
||||
|
||||
Additionally, if you prefer to use the friendly GUI,
|
||||
|
||||
```bash
|
||||
nordvpn-gui
|
||||
```
|
||||
|
||||
**Disclaimer:** NixOS currently does not support meshnet.
|
||||
Contributions welcome!
|
||||
@@ -1,171 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.nordvpn;
|
||||
defaultUser = "nordvpn";
|
||||
defaultGroup = "nordvpn";
|
||||
|
||||
nordvpn =
|
||||
let
|
||||
cli = cfg.package.cli.overrideAttrs (old: {
|
||||
preBuild =
|
||||
let
|
||||
extraPreBuild = lib.optionalString (cfg.group != defaultGroup) ''
|
||||
substituteInPlace internal/permissions.go \
|
||||
--replace-fail \
|
||||
'string{"nordvpn"}' \
|
||||
'string{"${cfg.group}"}'
|
||||
|
||||
substituteInPlace internal/constants.go \
|
||||
--replace-fail \
|
||||
'NordvpnGroup = "nordvpn"' \
|
||||
'NordvpnGroup = "${cfg.group}"'
|
||||
'';
|
||||
in
|
||||
extraPreBuild + (old.preBuild or "");
|
||||
|
||||
# postFixup wraps nordvpnd so that it can find binaries that it calls.
|
||||
# here, instead, use systemd to update the path to those binaries.
|
||||
postFixup = "";
|
||||
});
|
||||
in
|
||||
pkgs.symlinkJoin {
|
||||
inherit (cfg.package) pname version meta;
|
||||
paths = [
|
||||
cli
|
||||
cfg.package.gui
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
options.services.nordvpn = {
|
||||
enable = lib.mkEnableOption "Enable NordVPN";
|
||||
package = lib.mkPackageOption pkgs "nordvpn" { };
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = defaultUser;
|
||||
description = ''
|
||||
The User that owns the `nordvpnd` systemd process.
|
||||
If overriding the default, a user with the same name must exist.
|
||||
'';
|
||||
};
|
||||
group = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = defaultGroup;
|
||||
description = ''
|
||||
The Group that owns the `nordvpnd` systemd process.
|
||||
If overriding the default, a group with the same name must exist.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# create the default user if that's the one used
|
||||
users.users = lib.mkIf (cfg.user == defaultUser) {
|
||||
${defaultUser} = {
|
||||
description = "User that runs `nordvpnd`.";
|
||||
group = cfg.group;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
# create the default group if that's the one used
|
||||
users.groups = lib.mkIf (cfg.group == defaultGroup) {
|
||||
${defaultGroup} = { };
|
||||
};
|
||||
|
||||
# nordvpnd uses resolved to configure dns
|
||||
services.resolved.enable = true;
|
||||
|
||||
# policy that allows nordvpnd to configure dns
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (action.id == "org.freedesktop.resolve1.set-dns-servers"
|
||||
&& subject.isInGroup("${cfg.group}")) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
nordvpn
|
||||
];
|
||||
|
||||
systemd.services.nordvpnd = {
|
||||
after = [ "network-online.target" ];
|
||||
description = "NordVPN daemon.";
|
||||
path = (
|
||||
with pkgs;
|
||||
[
|
||||
e2fsprogs
|
||||
iproute2
|
||||
libxslt
|
||||
nftables
|
||||
procps
|
||||
wireguard-tools
|
||||
]
|
||||
++ [ nordvpn ]
|
||||
);
|
||||
serviceConfig = {
|
||||
# nordvpnd needs CAP_NET_ADMIN to configure network interfaces
|
||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||
ExecStart = lib.getExe' nordvpn "nordvpnd";
|
||||
Group = cfg.group;
|
||||
KillMode = "process";
|
||||
NonBlocking = true;
|
||||
Requires = "nordvpnd.socket";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
RuntimeDirectory = "nordvpn";
|
||||
RuntimeDirectoryMode = "0750";
|
||||
StateDirectory = "nordvpn";
|
||||
StateDirectoryMode = "0750";
|
||||
User = cfg.user;
|
||||
};
|
||||
wantedBy = [ "default.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
};
|
||||
|
||||
systemd.sockets.nordvpnd = {
|
||||
description = "NordVPN Daemon Socket";
|
||||
listenStreams = [ "/run/nordvpn/nordvpnd.sock" ];
|
||||
partOf = [ "nordvpnd.service" ];
|
||||
socketConfig = {
|
||||
DirectoryMode = "0750";
|
||||
NoDelay = true;
|
||||
SocketGroup = cfg.group;
|
||||
SocketMode = "0770";
|
||||
SocketUser = cfg.user;
|
||||
};
|
||||
wantedBy = [ "sockets.target" ];
|
||||
};
|
||||
|
||||
systemd.user.services.norduserd = {
|
||||
after = [ "network-online.target" ];
|
||||
description = "NordUserD Service";
|
||||
serviceConfig = {
|
||||
ExecStart = lib.getExe' nordvpn "norduserd";
|
||||
NonBlocking = true;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
};
|
||||
wantedBy = [ "graphical-session.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
meta = {
|
||||
doc = ./nordvpn.md;
|
||||
maintainers = with lib.maintainers; [ different-error ];
|
||||
};
|
||||
}
|
||||
@@ -232,10 +232,6 @@ in
|
||||
"openssh"
|
||||
"banner"
|
||||
] "Use services.openssh.settings.Banner instead.")
|
||||
(lib.mkRenamedOptionModule
|
||||
[ "services" "openssh" "moduliFile" ]
|
||||
[ "services" "openssh" "settings" "ModuliFile" ]
|
||||
)
|
||||
];
|
||||
|
||||
###### interface
|
||||
@@ -733,14 +729,6 @@ in
|
||||
'';
|
||||
example = "/etc/ssh/banner";
|
||||
};
|
||||
ModuliFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${config.services.openssh.package}/etc/ssh/moduli";
|
||||
defaultText = lib.literalExpression ''"''${config.services.openssh.package}/etc/ssh/moduli"'';
|
||||
description = ''
|
||||
Specifies the {manpage}`moduli(5)` file to use for Diffie-Hellman key exchange.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
@@ -752,6 +740,16 @@ in
|
||||
description = "Verbatim contents of {file}`sshd_config`.";
|
||||
};
|
||||
|
||||
moduliFile = lib.mkOption {
|
||||
example = "/etc/my-local-ssh-moduli;";
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
Path to `moduli` file to install in
|
||||
`/etc/ssh/moduli`. If this option is unset, then
|
||||
the `moduli` file shipped with OpenSSH will be used.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
users.users = lib.mkOption {
|
||||
@@ -772,12 +770,14 @@ in
|
||||
};
|
||||
users.groups.sshd = { };
|
||||
|
||||
services.openssh.moduliFile = lib.mkDefault "${cfg.package}/etc/ssh/moduli";
|
||||
services.openssh.sftpServerExecutable = lib.mkDefault "${cfg.package}/libexec/sftp-server";
|
||||
|
||||
environment.etc =
|
||||
authKeysFiles
|
||||
// authPrincipalsFiles
|
||||
// {
|
||||
"ssh/moduli".source = cfg.moduliFile;
|
||||
"ssh/sshd_config".source = sshconf;
|
||||
};
|
||||
|
||||
|
||||
@@ -65,7 +65,6 @@ in
|
||||
DynamicUser = true;
|
||||
|
||||
StateDirectory = "technitium-dns-server";
|
||||
LogsDirectory = "technitium";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = 10;
|
||||
@@ -103,8 +102,5 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
fabianrig
|
||||
awildleon
|
||||
];
|
||||
meta.maintainers = with lib.maintainers; [ fabianrig ];
|
||||
}
|
||||
|
||||
@@ -96,13 +96,13 @@ with lib;
|
||||
config = mkIf cfg.enable {
|
||||
services.tor = mkIf cfg.tor {
|
||||
enable = true;
|
||||
controlPort = 9051;
|
||||
|
||||
settings = {
|
||||
ControlPort = 9051;
|
||||
CacheDirectoryGroupReadable = true;
|
||||
CookieAuthentication = true;
|
||||
CookieAuthFileGroupReadable = true;
|
||||
};
|
||||
extraConfig = ''
|
||||
CacheDirectoryGroupReadable 1
|
||||
CookieAuthentication 1
|
||||
CookieAuthFileGroupReadable 1
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.zeronet = {
|
||||
|
||||
@@ -268,6 +268,15 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
writeOidcJwksConfigFile =
|
||||
oidcIssuerPrivateKeyFile:
|
||||
pkgs.writeText "oidc-jwks.yaml" ''
|
||||
identity_providers:
|
||||
oidc:
|
||||
jwks:
|
||||
- key: {{ secret "${oidcIssuerPrivateKeyFile}" | mindent 10 "|" | msquote }}
|
||||
'';
|
||||
|
||||
# Remove an attribute in a nested set
|
||||
# https://discourse.nixos.org/t/modify-an-attrset-in-nix/29919/5
|
||||
removeAttrByPath =
|
||||
@@ -353,12 +362,7 @@ in
|
||||
execCommand = "${instance.package}/bin/authelia";
|
||||
configFile = format.generate "config.yml" cleanedSettings;
|
||||
oidcJwksConfigFile = lib.optional (instance.secrets.oidcIssuerPrivateKeyFile != null) (
|
||||
pkgs.writeText "oidc-jwks.yaml" ''
|
||||
identity_providers:
|
||||
oidc:
|
||||
jwks:
|
||||
- key: {{ mustEnv "CREDENTIALS_DIRECTORY" | printf "%s/oidcIssuerPrivateKeyFile" | secret | mindent 10 "|" | msquote }}
|
||||
''
|
||||
writeOidcJwksConfigFile instance.secrets.oidcIssuerPrivateKeyFile
|
||||
);
|
||||
configArg = "--config ${
|
||||
builtins.concatStringsSep "," (
|
||||
@@ -369,25 +373,21 @@ in
|
||||
]
|
||||
)
|
||||
}";
|
||||
# Mapping between the Authelia env variables and the secret keys defined in the module
|
||||
envSecretsMap = {
|
||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "jwtSecretFile";
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "storageEncryptionKeyFile";
|
||||
AUTHELIA_SESSION_SECRET_FILE = "sessionSecretFile";
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "oidcHmacSecretFile";
|
||||
};
|
||||
nonNullEnvSecretsMap = lib.filterAttrs (_: v: instance.secrets.${v} != null) envSecretsMap;
|
||||
in
|
||||
{
|
||||
description = "Authelia authentication and authorization server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" ]; # Checks SMTP notifier creds during startup
|
||||
wants = [ "network-online.target" ];
|
||||
environment = {
|
||||
X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";
|
||||
}
|
||||
// lib.mapAttrs (_: v: "%d/${v}") nonNullEnvSecretsMap
|
||||
// instance.environmentVariables;
|
||||
environment =
|
||||
(lib.filterAttrs (_: v: v != null) {
|
||||
X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";
|
||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = instance.secrets.jwtSecretFile;
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = instance.secrets.storageEncryptionKeyFile;
|
||||
AUTHELIA_SESSION_SECRET_FILE = instance.secrets.sessionSecretFile;
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = instance.secrets.oidcHmacSecretFile;
|
||||
})
|
||||
// instance.environmentVariables;
|
||||
|
||||
preStart = "${execCommand} ${configArg} validate-config";
|
||||
serviceConfig = {
|
||||
@@ -399,12 +399,6 @@ in
|
||||
StateDirectory = autheliaName instance.name;
|
||||
StateDirectoryMode = "0700";
|
||||
|
||||
LoadCredential =
|
||||
lib.optional (
|
||||
instance.secrets.oidcIssuerPrivateKeyFile != null
|
||||
) "oidcIssuerPrivateKeyFile:${instance.secrets.oidcIssuerPrivateKeyFile}"
|
||||
++ lib.mapAttrsToList (_: v: "${v}:${instance.secrets.${v}}") nonNullEnvSecretsMap;
|
||||
|
||||
# Security options:
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
|
||||
@@ -86,7 +86,7 @@ in
|
||||
The primary motivation for this is an immutable `/etc`, where we cannot
|
||||
write the files directly to `/etc`.
|
||||
|
||||
However this can also serve other use cases, e.g. when `/etc` is on a `tmpfs`.
|
||||
However this an also serve other use cases, e.g. when `/etc` is on a `tmpfs`.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
@@ -149,6 +149,13 @@ in
|
||||
|
||||
protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
|
||||
|
||||
# Limits for file handle resources, this is optimized for
|
||||
# an `ulimit` of 1024 (a common default). You MUST leave
|
||||
# a ceiling of handles reserved for rTorrent's internal needs!
|
||||
network.http.max_open.set = 50
|
||||
network.max_open_files.set = 600
|
||||
network.max_open_sockets.set = 3000
|
||||
|
||||
# Memory resource usage (increase if you have a large number of items loaded,
|
||||
# and/or the available resources to spend)
|
||||
pieces.memory.max.set = 1800M
|
||||
@@ -162,14 +169,15 @@ in
|
||||
execute.nothrow = sh, -c, (cat, "echo >", (session.path), "rtorrent.pid", " ", (system.pid))
|
||||
|
||||
# Other operational settings (check & adapt)
|
||||
encoding.add = utf8
|
||||
system.umask.set = 0027
|
||||
system.cwd.set = (cfg.basedir)
|
||||
network.http.dns_cache_timeout.set = 25
|
||||
schedule = monitor_diskspace, 15, 60, ((close_low_diskspace, 1000M))
|
||||
schedule2 = monitor_diskspace, 15, 60, ((close_low_diskspace, 1000M))
|
||||
|
||||
# Watch directories (add more as you like, but use unique schedule names)
|
||||
#schedule = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "start/*.torrent")))
|
||||
#schedule = watch_load, 11, 10, ((load.normal, (cat, (cfg.watch), "load/*.torrent")))
|
||||
#schedule2 = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "start/*.torrent")))
|
||||
#schedule2 = watch_load, 11, 10, ((load.normal, (cat, (cfg.watch), "load/*.torrent")))
|
||||
|
||||
# Logging:
|
||||
# Levels = critical error warn notice info debug
|
||||
@@ -210,10 +218,6 @@ in
|
||||
RuntimeDirectory = "rtorrent";
|
||||
RuntimeDirectoryMode = 750;
|
||||
|
||||
# rtorrent derives socket limits from this value since 0.16.15; see table in
|
||||
# https://github.com/rakshasa/rtorrent/wiki/Socket-Manager-and-Resource-Allocation
|
||||
LimitNOFILE = lib.mkDefault 16384;
|
||||
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
|
||||
@@ -169,25 +169,11 @@ in
|
||||
enable = true;
|
||||
virtualHosts."${cfg.virtualHost.domain}".extraConfig = ''
|
||||
root * ${cfg.package}
|
||||
encode zstd gzip
|
||||
|
||||
@immutable path /resources/*
|
||||
header @immutable Cache-Control "public, max-age=31536000, immutable"
|
||||
|
||||
@html not path /resources/*
|
||||
header @html Cache-Control "no-store"
|
||||
|
||||
header {
|
||||
-ETag
|
||||
-Last-Modified
|
||||
}
|
||||
|
||||
file_server
|
||||
handle_path /assets/config.yml {
|
||||
root * ${configFile}
|
||||
file_server
|
||||
}
|
||||
|
||||
file_server
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
@@ -37,8 +37,6 @@ in
|
||||
|
||||
See [Isso Server Configuration](https://posativ.org/isso/docs/configuration/server/)
|
||||
for supported values.
|
||||
You can set secrets using the secretFile option with environment variables following
|
||||
[the documentation](https://isso-comments.de/docs/reference/server-config/#environment-variables).
|
||||
'';
|
||||
|
||||
type = types.submodule {
|
||||
@@ -53,16 +51,6 @@ in
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
secretFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
A file containing secrets as environment variables that will be used in the configuration.
|
||||
See [the documentation](https://isso-comments.de/docs/reference/server-config/#environment-variables) for details.
|
||||
'';
|
||||
example = "/run/secrets/isso.env";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -77,8 +65,6 @@ in
|
||||
User = "isso";
|
||||
Group = "isso";
|
||||
|
||||
EnvironmentFile = mkIf (cfg.secretFile != null) [ cfg.secretFile ];
|
||||
|
||||
DynamicUser = true;
|
||||
|
||||
StateDirectory = "isso";
|
||||
|
||||
@@ -50,6 +50,7 @@ let
|
||||
environment = pythonEnvironment;
|
||||
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "lasuite-meet";
|
||||
StateDirectory = "lasuite-meet";
|
||||
WorkingDirectory = "/var/lib/lasuite-meet";
|
||||
|
||||
@@ -381,8 +382,6 @@ in
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
# needs to be here so that cronjobs don't nuke it
|
||||
RuntimeDirectory = "lasuite-meet";
|
||||
BindReadOnlyPaths = "${cfg.package}/share/static:/var/lib/lasuite-meet/static";
|
||||
|
||||
ExecStart = utils.escapeSystemdExecArgs (
|
||||
|
||||
@@ -1617,7 +1617,8 @@ in
|
||||
MemoryDenyWriteExecute =
|
||||
!(
|
||||
(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules)
|
||||
|| (lib.getName cfg.package == "openresty")
|
||||
|| cfg.lua.enable
|
||||
|| (cfg.package == pkgs.openresty)
|
||||
);
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
|
||||
@@ -1,151 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.services.rustfs;
|
||||
in
|
||||
{
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
marcel
|
||||
];
|
||||
|
||||
options.services.rustfs = {
|
||||
enable = lib.mkEnableOption "RustFS Object Storage Server";
|
||||
|
||||
package = lib.mkPackageOption pkgs "rustfs" { };
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "rustfs";
|
||||
description = "The user RustFS should run as.";
|
||||
};
|
||||
|
||||
group = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "rustfs";
|
||||
description = "The group RustFS should run as.";
|
||||
};
|
||||
|
||||
settings = lib.mkOption {
|
||||
default = { };
|
||||
description = ''
|
||||
Options for RustFS configuration. Refer to
|
||||
<https://docs.rustfs.com/installation/linux/single-node-single-disk.html#_5-configure-environment-variables>
|
||||
for details on supported values.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
{
|
||||
RUSTFS_CONSOLE_ENABLE = "true";
|
||||
RUSTFS_VOLUMES = "/mnt/rustfs";
|
||||
}
|
||||
'';
|
||||
type = lib.types.submodule {
|
||||
freeformType = lib.types.attrsOf (
|
||||
lib.types.oneOf [
|
||||
lib.types.str
|
||||
lib.types.int
|
||||
]
|
||||
);
|
||||
options = {
|
||||
RUSTFS_VOLUMES = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/rustfs";
|
||||
description = "The directory where RustFS stores it's data.";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environmentFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Path to environment file containing secrets like RUSTFS_ACCESS_KEY or RUSTFS_SECRET_KEY.";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = !(cfg.settings ? RUSTFS_ACCESS_KEY);
|
||||
message = "RUSTFS_ACCESS_KEY must not be set in services.rustfs.settings. Use environmentFile instead.";
|
||||
}
|
||||
{
|
||||
assertion = !(cfg.settings ? RUSTFS_SECRET_KEY);
|
||||
message = "RUSTFS_SECRET_KEY must not be set in services.rustfs.settings. Use environmentFile instead.";
|
||||
}
|
||||
];
|
||||
|
||||
systemd = {
|
||||
tmpfiles.settings."10-rustfs".${cfg.settings.RUSTFS_VOLUMES}.d = {
|
||||
inherit (cfg) user group;
|
||||
};
|
||||
|
||||
# https://docs.rustfs.com/installation/linux/single-node-single-disk.html#_6-configure-system-service
|
||||
services.rustfs = {
|
||||
description = "RustFS Object Storage Server";
|
||||
documentation = [ "https://rustfs.com/docs/" ];
|
||||
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
environment = cfg.settings;
|
||||
|
||||
preStart = ''
|
||||
if [ -z "$RUSTFS_ACCESS_KEY" ] || [ -z "$RUSTFS_SECRET_KEY" ]; then
|
||||
echo "RustFS uses well-known default values for RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY,"
|
||||
echo "please configure them using services.rustfs.environmentFile."
|
||||
exit 1
|
||||
fi
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
NotifyAccess = "main";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
|
||||
EnvironmentFile = cfg.environmentFile;
|
||||
ExecStart = lib.getExe cfg.package;
|
||||
|
||||
LimitNOFILE = 1048576;
|
||||
LimitNPROC = 32768;
|
||||
TasksMax = "infinity";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = "10s";
|
||||
|
||||
OOMScoreAdjust = "-1000";
|
||||
SendSIGKILL = false;
|
||||
|
||||
TimeoutStartSec = "30s";
|
||||
TimeoutStopSec = "30s";
|
||||
|
||||
NoNewPrivileges = true;
|
||||
|
||||
ProtectHome = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
RestrictSUIDSGID = true;
|
||||
RestrictRealtime = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
inherit (cfg) group;
|
||||
};
|
||||
groups.${cfg.group} = { };
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -141,10 +141,6 @@ in
|
||||
services.libinput.enable = mkDefault true;
|
||||
|
||||
security.pam.services.mate-screensaver.unixAuth = true;
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
enablePkexecWrapper = mkDefault true;
|
||||
};
|
||||
|
||||
xdg.portal.configPackages = mkDefault [ pkgs.mate-desktop ];
|
||||
|
||||
|
||||
@@ -347,7 +347,7 @@ def config_entry(levels: int, bootspec: BootSpec, label: str, time: str) -> str:
|
||||
os.path.basename(bootspec.toplevel) + "-secrets"
|
||||
)
|
||||
|
||||
if subprocess.run([bootspec.initrdSecrets, initrd_secrets_path_temp]).returncode != 0:
|
||||
if os.system(bootspec.initrdSecrets + " " + initrd_secrets_path_temp) != 0:
|
||||
print(
|
||||
f'warning: failed to create initrd secrets for "{label}"',
|
||||
file=sys.stderr,
|
||||
|
||||
@@ -68,7 +68,7 @@ let
|
||||
|
||||
configFile = pkgs.writeText "plymouthd.conf" ''
|
||||
[Daemon]
|
||||
ShowDelay=${toString cfg.showDelay}
|
||||
ShowDelay=0
|
||||
DeviceTimeout=8
|
||||
Theme=${cfg.theme}
|
||||
${cfg.extraConfig}
|
||||
@@ -166,15 +166,6 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
showDelay = mkOption {
|
||||
type = types.numbers.nonnegative;
|
||||
default = 0;
|
||||
example = 0.5;
|
||||
description = ''
|
||||
Time (in seconds) to delay the splash screen.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
||||
@@ -396,7 +396,7 @@ in
|
||||
abi <abi/4.0>,
|
||||
include <tunables/global>
|
||||
|
||||
include if exists "/var/lib/incus/security/apparmor/profiles"
|
||||
include "/var/lib/incus/security/apparmor/profiles"
|
||||
'';
|
||||
};
|
||||
includes."abstractions/base" = ''
|
||||
|
||||
@@ -201,7 +201,7 @@ rec {
|
||||
(onFullSupported "nixos.tests.printing-socket")
|
||||
(onFullSupported "nixos.tests.proxy")
|
||||
(onFullSupported "nixos.tests.sddm.default")
|
||||
(onFullSupported "nixos.tests.shadow.login")
|
||||
(onFullSupported "nixos.tests.shadow")
|
||||
(onFullSupported "nixos.tests.simple-container")
|
||||
(onFullSupported "nixos.tests.simple-vm")
|
||||
(onFullSupported "nixos.tests.sway")
|
||||
|
||||
@@ -63,7 +63,7 @@ let
|
||||
- `config.node.pkgs.<name>` or `config.nodes.foo.nixpkgs.pkgs.<name>` to refer
|
||||
to the Nixpkgs used on the VM guest(s).
|
||||
- `hostPkgs.<name>` when invoking commands on the VM host (e.g. in Python
|
||||
`subprocess.run(["foo"])`)
|
||||
`os.system("foo")`)
|
||||
- Since the runTest argument is a module instead of a function, arguments
|
||||
must be passed as option definitions.
|
||||
You may declare explicit `options` for the test parameter(s), or use the
|
||||
@@ -1205,7 +1205,6 @@ in
|
||||
nominatim = runTest ./nominatim.nix;
|
||||
non-default-filesystems = handleTest ./non-default-filesystems.nix { };
|
||||
non-switchable-system = runTest ./non-switchable-system.nix;
|
||||
nordvpn = runTest ./nordvpn.nix;
|
||||
noto-fonts = runTest ./noto-fonts.nix;
|
||||
noto-fonts-cjk-qt-default-weight = runTest ./noto-fonts-cjk-qt-default-weight.nix;
|
||||
novacomd = handleTestOn [ "x86_64-linux" ] ./novacomd.nix { };
|
||||
@@ -1512,7 +1511,6 @@ in
|
||||
rtkit = runTest ./rtkit.nix;
|
||||
rtorrent = runTest ./rtorrent.nix;
|
||||
rush = runTest ./rush.nix;
|
||||
rustfs = runTest ./rustfs.nix;
|
||||
rustical = runTest ./web-apps/rustical.nix;
|
||||
rustls-libssl = runTest ./rustls-libssl.nix;
|
||||
rxe = runTest ./rxe.nix;
|
||||
@@ -1540,7 +1538,7 @@ in
|
||||
sftpgo = runTest ./sftpgo.nix;
|
||||
sfxr-qt = runTest ./sfxr-qt.nix;
|
||||
sgt-puzzles = runTest ./sgt-puzzles.nix;
|
||||
shadow = import ./shadow { inherit runTest; };
|
||||
shadow = runTest ./shadow.nix;
|
||||
shadowsocks = handleTest ./shadowsocks { };
|
||||
shadps4 = runTest ./shadps4.nix;
|
||||
sharkey = runTest ./web-apps/sharkey.nix;
|
||||
@@ -1586,8 +1584,6 @@ in
|
||||
sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix { };
|
||||
sssd-legacy-config = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-legacy-config.nix { };
|
||||
stalwart = runTest ./stalwart/stalwart.nix;
|
||||
stardust-xr-atmosphere = runTest ./stardust-xr/atmosphere.nix;
|
||||
stardust-xr-flatland = runTest ./stardust-xr/flatland.nix;
|
||||
stargazer = runTest ./web-servers/stargazer.nix;
|
||||
starship = runTest ./starship.nix;
|
||||
startx = import ./startx.nix { inherit pkgs runTest; };
|
||||
@@ -1687,7 +1683,6 @@ in
|
||||
systemd-journal = runTest ./systemd-journal.nix;
|
||||
systemd-journal-gateway = runTest ./systemd-journal-gateway.nix;
|
||||
systemd-journal-upload = runTest ./systemd-journal-upload.nix;
|
||||
systemd-localed = runTest ./systemd-localed.nix;
|
||||
systemd-lock-handler = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./systemd-lock-handler.nix;
|
||||
systemd-machinectl = runTest ./systemd-machinectl.nix;
|
||||
systemd-misc = runTest ./systemd-misc.nix;
|
||||
@@ -1846,7 +1841,6 @@ in
|
||||
};
|
||||
virtualbox = handleTestOn [ "x86_64-linux" ] ./virtualbox.nix { };
|
||||
vm-variant = handleTest ./vm-variant.nix { };
|
||||
vnstat = runTest ./vnstat.nix;
|
||||
vscode-remote-ssh = handleTestOn [ "x86_64-linux" ] ./vscode-remote-ssh.nix { };
|
||||
vscodium = import ./vscodium.nix { inherit runTest; };
|
||||
vsftpd = runTest ./vsftpd.nix;
|
||||
@@ -1857,7 +1851,6 @@ in
|
||||
wasabibackend = runTest ./wasabibackend.nix;
|
||||
wastebin = runTest ./wastebin.nix;
|
||||
watchdogd = runTest ./watchdogd.nix;
|
||||
watt = runTest ./watt.nix;
|
||||
webhook = runTest ./webhook.nix;
|
||||
weblate = runTest ./web-apps/weblate.nix;
|
||||
wg-access-server = runTest ./wg-access-server.nix;
|
||||
|
||||
@@ -28,10 +28,12 @@
|
||||
# This is purely for testing purposes!
|
||||
environment.etc."authelia/storageEncryptionKeyFile" = {
|
||||
mode = "0400";
|
||||
user = "authelia-testing";
|
||||
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
|
||||
};
|
||||
environment.etc."authelia/jwtSecretFile" = {
|
||||
mode = "0400";
|
||||
user = "authelia-testing";
|
||||
text = "a_very_important_secret";
|
||||
};
|
||||
environment.etc."authelia/users_database.yml" = {
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
]
|
||||
++ teams.ngi.members;
|
||||
|
||||
containers.machine = {
|
||||
nodes.machine = {
|
||||
environment.systemPackages = with pkgs; [
|
||||
blint
|
||||
jq
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
{
|
||||
name = "PDS";
|
||||
|
||||
containers.machine = {
|
||||
nodes.machine = {
|
||||
services.bluesky-pds = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
||||
@@ -203,26 +203,11 @@ in
|
||||
makeTest {
|
||||
name = "boot-uboot-extlinux";
|
||||
nodes = { };
|
||||
testScript = /* py */ ''
|
||||
import subprocess
|
||||
testScript = ''
|
||||
import os
|
||||
|
||||
# Create a mutable linked image backed by the read-only SD image
|
||||
if (
|
||||
subprocess.run(
|
||||
[
|
||||
"${pkgs.qemu}/bin/qemu-img",
|
||||
"create",
|
||||
"-f",
|
||||
"qcow2",
|
||||
"-F",
|
||||
"raw",
|
||||
"-b",
|
||||
"${sdImage}",
|
||||
"${mutableImage}",
|
||||
]
|
||||
).returncode
|
||||
!= 0
|
||||
):
|
||||
if os.system("${pkgs.qemu}/bin/qemu-img create -f qcow2 -F raw -b ${sdImage} ${mutableImage}") != 0:
|
||||
raise RuntimeError("Could not create mutable linked image")
|
||||
|
||||
machine = create_machine("${startCommand}")
|
||||
|
||||
@@ -1,39 +0,0 @@
|
||||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./user-account.nix
|
||||
./x11.nix
|
||||
];
|
||||
test-support.displayManager.auto.user = "alice";
|
||||
systemd.user.targets.xdg-desktop-autostart = {
|
||||
wantedBy = [ "graphical-session.target" ];
|
||||
after = [ "graphical-session.target" ];
|
||||
};
|
||||
|
||||
hardware.graphics.enable = true;
|
||||
|
||||
services.monado = {
|
||||
enable = true;
|
||||
defaultRuntime = true;
|
||||
forceDefaultRuntime = true;
|
||||
};
|
||||
systemd.user.services.monado = {
|
||||
requires = [ "graphical-session.target" ];
|
||||
environment = {
|
||||
# Stop Monado from probing for any hardware
|
||||
SIMULATED_ENABLE = "1";
|
||||
SIMULATED_LEFT = "simple";
|
||||
SIMULATED_RIGHT = "simple";
|
||||
# Run as X11 client rather than using direct mode
|
||||
XRT_COMPOSITOR_FORCE_XCB = "1";
|
||||
# And run fullscreen so that we can hide the DE
|
||||
XRT_COMPOSITOR_XCB_FULLSCREEN = "1";
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -135,17 +135,7 @@ in
|
||||
public_key = os.path.join(key_dir, "id_ed25519.pub")
|
||||
|
||||
# Generate key pair using host SSH tools
|
||||
ret = subprocess.run(
|
||||
[
|
||||
"${hostPkgs.openssh}/bin/ssh-keygen",
|
||||
"-t",
|
||||
"ed25519",
|
||||
"-f",
|
||||
private_key,
|
||||
"-N",
|
||||
""
|
||||
]
|
||||
).returncode
|
||||
ret = os.system(f"${hostPkgs.openssh}/bin/ssh-keygen -t ed25519 -f {private_key} -N \"\"")
|
||||
if ret != 0:
|
||||
raise Exception("Failed to generate SSH key pair")
|
||||
|
||||
|
||||
@@ -54,13 +54,13 @@
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
import subprocess
|
||||
import os
|
||||
|
||||
# prepare certificates
|
||||
|
||||
def cmd(command):
|
||||
print(f"+{command}")
|
||||
r = subprocess.run(command, shell=True).returncode
|
||||
r = os.system(command)
|
||||
if r != 0:
|
||||
raise Exception(f"Command {command} failed with exit code {r}")
|
||||
|
||||
|
||||
@@ -48,13 +48,13 @@
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
import subprocess
|
||||
import os
|
||||
|
||||
# prepare certificates
|
||||
|
||||
def cmd(command):
|
||||
print(f"+{command}")
|
||||
r = subprocess.run(command, shell=True).returncode
|
||||
r = os.system(command)
|
||||
if r != 0:
|
||||
raise Exception(f"Command {command} failed with exit code {r}")
|
||||
|
||||
|
||||
@@ -69,12 +69,12 @@
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
import subprocess
|
||||
import os
|
||||
|
||||
# Helpers
|
||||
def cmd(command):
|
||||
print(f"+{command}")
|
||||
r = subprocess.run(command, shell=True).returncode
|
||||
r = os.system(command)
|
||||
if r != 0:
|
||||
raise Exception(f"Command {command} failed with exit code {r}")
|
||||
|
||||
|
||||
@@ -38,7 +38,6 @@ let
|
||||
enable = true;
|
||||
settings = {
|
||||
hostname = certs.domain;
|
||||
metrics-enabled = true;
|
||||
};
|
||||
inherit initialAdminPassword;
|
||||
sslCertificate = "${certs.${certs.domain}.cert}";
|
||||
@@ -51,6 +50,7 @@ let
|
||||
};
|
||||
plugins = with config.services.keycloak.package.plugins; [
|
||||
keycloak-discord
|
||||
keycloak-metrics-spi
|
||||
];
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
@@ -131,7 +131,13 @@ let
|
||||
| jq -r '"Authorization: bearer " + .access_token' >admin_auth_header
|
||||
""")
|
||||
|
||||
keycloak.succeed("curl -sSf https://${certs.domain}:9000/metrics | grep '^jvm_'")
|
||||
# Register the metrics SPI
|
||||
keycloak.succeed(
|
||||
"""${pkgs.jre}/bin/keytool -import -alias snakeoil -file ${certs.ca.cert} -storepass aaaaaa -keystore cacert.jks -noprompt""",
|
||||
"""KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh config credentials --server '${frontendUrl}' --realm master --user admin --password "$(<${adminPasswordFile})" """,
|
||||
"""KC_OPTS='-Djavax.net.ssl.trustStore=cacert.jks -Djavax.net.ssl.trustStorePassword=aaaaaa' kcadm.sh update events/config -s 'eventsEnabled=true' -s 'adminEventsEnabled=true' -s 'eventsListeners+=metrics-listener'""",
|
||||
"""curl -sSf '${frontendUrl}/realms/master/metrics' | grep '^keycloak_admin_event_UPDATE'"""
|
||||
)
|
||||
|
||||
# Publish the realm, including a test OIDC client and user
|
||||
keycloak.succeed(
|
||||
|
||||
@@ -20,66 +20,61 @@ in
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 6167 ];
|
||||
};
|
||||
|
||||
client =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [
|
||||
(pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.mautrix ]; } ''
|
||||
(pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; } ''
|
||||
import asyncio
|
||||
|
||||
from mautrix.client import Client
|
||||
from mautrix.types import EventType, RoomFilter
|
||||
import nio
|
||||
|
||||
|
||||
async def main() -> None:
|
||||
# Connect to continuwuity
|
||||
client = Client(
|
||||
mxid="@${user}:${name}",
|
||||
base_url="http://continuwuity:6167",
|
||||
)
|
||||
client = nio.AsyncClient("http://continuwuity:6167", "${user}")
|
||||
|
||||
# Log in as user alice
|
||||
await client.login(password="${pass}")
|
||||
response = await client.login("${pass}")
|
||||
|
||||
# Create a new room
|
||||
room_id = await client.create_room()
|
||||
print("Created room:", room_id)
|
||||
response = await client.room_create(federate=False)
|
||||
print("Matrix room create response:", response)
|
||||
assert isinstance(response, nio.RoomCreateResponse)
|
||||
room_id = response.room_id
|
||||
|
||||
# Join the room
|
||||
await client.join_room_by_id(room_id)
|
||||
print("Joined room")
|
||||
response = await client.join(room_id)
|
||||
print("Matrix join response:", response)
|
||||
assert isinstance(response, nio.JoinResponse)
|
||||
|
||||
# Send a message to the room
|
||||
received = asyncio.Event()
|
||||
msg = "Hello continuwuity!"
|
||||
response = await client.room_send(
|
||||
room_id=room_id,
|
||||
message_type="m.room.message",
|
||||
content={
|
||||
"msgtype": "m.text",
|
||||
"body": "Hello continuwuity!"
|
||||
}
|
||||
)
|
||||
print("Matrix room send response:", response)
|
||||
assert isinstance(response, nio.RoomSendResponse)
|
||||
|
||||
async def on_message(evt):
|
||||
if (
|
||||
evt.room_id != room_id
|
||||
or evt.sender != client.mxid
|
||||
or evt.type != EventType.ROOM_MESSAGE
|
||||
):
|
||||
return
|
||||
# Sync responses
|
||||
response = await client.sync(timeout=30000)
|
||||
print("Matrix sync response:", response)
|
||||
assert isinstance(response, nio.SyncResponse)
|
||||
|
||||
assert evt.content.body == msg
|
||||
received.set()
|
||||
|
||||
client.add_event_handler(EventType.ROOM_MESSAGE, on_message)
|
||||
sync_task = client.start(RoomFilter(rooms=[room_id]))
|
||||
|
||||
await client.send_text(room_id, msg)
|
||||
|
||||
# Sync until message is received
|
||||
await asyncio.wait_for(received.wait(), timeout=30)
|
||||
# Check the message was received by continuwuity
|
||||
last_message = response.rooms.join[room_id].timeline.events[-1].body
|
||||
assert last_message == "Hello continuwuity!"
|
||||
|
||||
# Leave the room
|
||||
await client.leave_room(room_id)
|
||||
print("Left room")
|
||||
response = await client.room_leave(room_id)
|
||||
print("Matrix room leave response:", response)
|
||||
assert isinstance(response, nio.RoomLeaveResponse)
|
||||
|
||||
# Close the client
|
||||
client.stop()
|
||||
await sync_task
|
||||
await client.close()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
@@ -101,7 +96,6 @@ in
|
||||
'';
|
||||
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
bartoostveen
|
||||
nyabinary
|
||||
snaki
|
||||
];
|
||||
|
||||
@@ -189,26 +189,11 @@ in
|
||||
{ nodes, ... }:
|
||||
let
|
||||
bundle = mkBundle masDomain;
|
||||
|
||||
extraConfig = pkgs.writeText "masExtraConfig.yml" (
|
||||
builtins.toJSON {
|
||||
secrets = {
|
||||
encryption_file = "/var/lib/matrix-authentication-service/encryption";
|
||||
keys = [
|
||||
{
|
||||
kid = "rsa-4096";
|
||||
key_file = "/var/lib/matrix-authentication-service/key_rsa_4096";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
);
|
||||
in
|
||||
{
|
||||
services.matrix-authentication-service = {
|
||||
enable = true;
|
||||
createDatabase = true;
|
||||
extraConfigFiles = [ (toString extraConfig) ];
|
||||
settings = {
|
||||
http = {
|
||||
public_base = "https://${masDomain}:8080/";
|
||||
@@ -238,7 +223,15 @@ in
|
||||
secret_file = "/var/lib/matrix-authentication-service/matrix_secret";
|
||||
};
|
||||
database.uri = "postgresql:///matrix-authentication-service?host=/run/postgresql&user=matrix-authentication-service";
|
||||
# secrets is defined in extraConfigFiles
|
||||
secrets = {
|
||||
encryption_file = "/var/lib/matrix-authentication-service/encryption";
|
||||
keys = [
|
||||
{
|
||||
kid = "rsa-4096";
|
||||
key_file = "/var/lib/matrix-authentication-service/key_rsa_4096";
|
||||
}
|
||||
];
|
||||
};
|
||||
policy.data.client_registration.allow_insecure_uris = true;
|
||||
upstream_oauth2.providers = [
|
||||
{
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
chipVersion = pkgs.python3Packages.home-assistant-chip-core.version;
|
||||
chipVersion = pkgs.python311Packages.home-assistant-chip-core.version;
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
@@ -3,57 +3,47 @@
|
||||
name = "monado";
|
||||
|
||||
nodes.machine =
|
||||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ ./common/openxr.nix ];
|
||||
|
||||
systemd.user.services.print-openxr-info = {
|
||||
wantedBy = [ "xdg-desktop-autostart.target" ];
|
||||
requires = [ "monado.service" ];
|
||||
script = lib.getExe' pkgs.openxr-loader "openxr_runtime_list";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
hardware.graphics.enable = true;
|
||||
users.users.alice = {
|
||||
isNormalUser = true;
|
||||
uid = 1000;
|
||||
};
|
||||
|
||||
systemd.user.services.xrgears = {
|
||||
wantedBy = [ "xdg-desktop-autostart.target" ];
|
||||
requires = [ "monado.service" ];
|
||||
script = lib.getExe pkgs.xrgears;
|
||||
services.monado = {
|
||||
enable = true;
|
||||
defaultRuntime = true;
|
||||
|
||||
forceDefaultRuntime = true;
|
||||
};
|
||||
# Stop Monado from probing for any hardware
|
||||
systemd.user.services.monado.environment.SIMULATED_ENABLE = "1";
|
||||
|
||||
environment.systemPackages = with pkgs; [ openxr-loader ];
|
||||
};
|
||||
|
||||
testScript =
|
||||
{ nodes, ... }:
|
||||
let
|
||||
userId = toString nodes.machine.users.users.alice.uid;
|
||||
runtimePath = "/run/user/${userId}";
|
||||
in
|
||||
''
|
||||
with subtest("Ensure X11 starts"):
|
||||
start_all()
|
||||
machine.succeed("loginctl enable-linger alice")
|
||||
machine.wait_for_x()
|
||||
# for defaultRuntime
|
||||
machine.succeed("stat /etc/xdg/openxr/1/active_runtime.json")
|
||||
|
||||
with subtest("Ensure default runtime present"):
|
||||
machine.succeed("stat /etc/xdg/openxr/1/active_runtime.json")
|
||||
machine.succeed("loginctl enable-linger alice")
|
||||
machine.wait_for_unit("user@${userId}.service")
|
||||
|
||||
with subtest("Ensure forced runtime present"):
|
||||
# Monado needs to be started to create the forced runtime file
|
||||
machine.systemctl("start monado.service", "alice")
|
||||
machine.wait_for_unit("monado.service", "alice")
|
||||
machine.succeed("stat /home/alice/.config/openxr/1/active_runtime.json")
|
||||
machine.wait_for_unit("monado.socket", "alice")
|
||||
machine.systemctl("start monado.service", "alice")
|
||||
machine.wait_for_unit("monado.service", "alice")
|
||||
|
||||
with subtest("Ensure openxr_runtime_list can find runtime"):
|
||||
machine.wait_for_unit("print-openxr-info.service", "alice")
|
||||
# for forceDefaultRuntime
|
||||
machine.succeed("stat /home/alice/.config/openxr/1/active_runtime.json")
|
||||
|
||||
with subtest("Ensure xrgears launches"):
|
||||
machine.wait_for_unit("xrgears.service", "alice")
|
||||
# TODO: 10 seconds should be long enough for anything, but this is theoretically flaky
|
||||
machine.sleep(10)
|
||||
machine.screenshot("screen")
|
||||
machine.succeed("su -- alice -c env XDG_RUNTIME_DIR=${runtimePath} openxr_runtime_list")
|
||||
'';
|
||||
}
|
||||
|
||||
@@ -1,129 +0,0 @@
|
||||
{ lib, ... }:
|
||||
{
|
||||
name = "nordvpn";
|
||||
meta.maintainers = with lib.maintainers; [ different-error ];
|
||||
nodes =
|
||||
let
|
||||
commonConfig = user: {
|
||||
# norduserd reads DBUS_SESSION_BUS_ADDRESS which the
|
||||
# desktopManager sets on user session creation (i.e. login)
|
||||
services.xserver.enable = true;
|
||||
services.desktopManager.plasma6.enable = true;
|
||||
services.displayManager.gdm.enable = true;
|
||||
services.displayManager.autoLogin = {
|
||||
enable = true;
|
||||
user = user;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
nada = { ... }: { };
|
||||
basic =
|
||||
{ ... }:
|
||||
lib.recursiveUpdate {
|
||||
users.users.alice = {
|
||||
extraGroups = [ "nordvpn" ];
|
||||
isNormalUser = true;
|
||||
};
|
||||
# default: run nordvpnd as nordvpn:nordvpn
|
||||
services.nordvpn.enable = true;
|
||||
} (commonConfig "alice");
|
||||
userOnly =
|
||||
{ ... }:
|
||||
lib.recursiveUpdate {
|
||||
users.users.kanye = {
|
||||
extraGroups = [ "nordvpn" ];
|
||||
isNormalUser = true;
|
||||
};
|
||||
# run nordvpnd as kanye:nordvpn
|
||||
services.nordvpn = {
|
||||
enable = true;
|
||||
user = "kanye";
|
||||
};
|
||||
} (commonConfig "kanye");
|
||||
groupOnly =
|
||||
{ ... }:
|
||||
lib.recursiveUpdate {
|
||||
users.users.alice = {
|
||||
extraGroups = [ "kanye" ];
|
||||
isNormalUser = true;
|
||||
};
|
||||
users.groups.kanye = { };
|
||||
# run nordvpnd as nordvpn:kanye
|
||||
services.nordvpn = {
|
||||
enable = true;
|
||||
group = "kanye";
|
||||
};
|
||||
} (commonConfig "alice");
|
||||
userAndGroup =
|
||||
{ ... }:
|
||||
lib.recursiveUpdate {
|
||||
users.users.kanye = {
|
||||
group = "kanye";
|
||||
isNormalUser = true;
|
||||
};
|
||||
users.groups.kanye = { };
|
||||
# run nordvpnd as kanye:kanye
|
||||
services.nordvpn = {
|
||||
enable = true;
|
||||
group = "kanye";
|
||||
user = "kanye";
|
||||
};
|
||||
} (commonConfig "kanye");
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
class UserGroupTestCase:
|
||||
def __init__(self, machine, user, has_nordvpn_usr, has_nordvpn_gp):
|
||||
self.machine = machine
|
||||
self.user = user
|
||||
self.has_nordvpn_usr = has_nordvpn_usr
|
||||
self.has_nordvpn_gp = has_nordvpn_gp
|
||||
|
||||
def run(self):
|
||||
self.machine.start()
|
||||
self.verify_nordvpn_user()
|
||||
self.verify_nordvpn_group()
|
||||
self.verify_services()
|
||||
self.machine.shutdown()
|
||||
|
||||
def verify_nordvpn_user(self):
|
||||
if self.has_nordvpn_usr:
|
||||
self.machine.succeed("id nordvpn")
|
||||
else:
|
||||
self.machine.fail("id nordvpn")
|
||||
|
||||
def verify_nordvpn_group(self):
|
||||
group_str = self.machine.succeed(f"sudo -u {self.user} groups")
|
||||
groups = [x.strip() for x in group_str.split(" ")]
|
||||
if self.has_nordvpn_gp:
|
||||
assert "nordvpn" in groups, f"nordvpn is not in {groups} but should be"
|
||||
else:
|
||||
assert "nordvpn" not in groups, f"nordvpn is in {groups} but should not be"
|
||||
|
||||
def verify_services(self):
|
||||
self.machine.wait_for_unit("nordvpnd", timeout=60)
|
||||
self.machine.wait_for_unit("norduserd", self.user, timeout=90)
|
||||
# verify can talk to nordvpnd. give nordvpnd at most 5s to initialize.
|
||||
self.machine.wait_until_succeeds("nordvpn status", timeout=5)
|
||||
self.machine.succeed("nordvpn status")
|
||||
|
||||
test_cases = [
|
||||
UserGroupTestCase(basic, "alice", has_nordvpn_usr=True, has_nordvpn_gp=True),
|
||||
UserGroupTestCase(userOnly, "kanye", has_nordvpn_usr=False, has_nordvpn_gp=True),
|
||||
UserGroupTestCase(groupOnly, "alice", has_nordvpn_usr=True, has_nordvpn_gp=False),
|
||||
UserGroupTestCase(userAndGroup, "kanye", has_nordvpn_usr=False, has_nordvpn_gp=False),
|
||||
]
|
||||
|
||||
# NADA
|
||||
nada.start()
|
||||
nada.wait_for_unit("multi-user.target", timeout=60)
|
||||
nada.fail("nordvpnd")
|
||||
nada.fail("nordvpn")
|
||||
nada.fail("norduserd")
|
||||
nada.shutdown()
|
||||
|
||||
for test_case in test_cases:
|
||||
test_case.run()
|
||||
'';
|
||||
}
|
||||
@@ -1,69 +0,0 @@
|
||||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
accessKey = "BKIKJAA5BMMU2RHO6IBB";
|
||||
secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
|
||||
|
||||
rustfsPythonScript =
|
||||
pkgs.writers.writePython3 "rustfs-test" { libraries = with pkgs.python3Packages; [ minio ]; }
|
||||
/* python */ ''
|
||||
import io
|
||||
import os
|
||||
from minio import Minio
|
||||
|
||||
minioClient = Minio(
|
||||
'localhost:9000',
|
||||
access_key='${accessKey}',
|
||||
secret_key='${secretKey}',
|
||||
secure=False
|
||||
)
|
||||
sio = io.BytesIO()
|
||||
sio.write(b'Test from Python')
|
||||
sio.seek(0, os.SEEK_END)
|
||||
sio_len = sio.tell()
|
||||
sio.seek(0)
|
||||
minioClient.put_object(
|
||||
'test-bucket',
|
||||
'test.txt',
|
||||
sio,
|
||||
sio_len,
|
||||
content_type='text/plain'
|
||||
)
|
||||
'';
|
||||
|
||||
in
|
||||
{
|
||||
name = "rustfs";
|
||||
meta = with pkgs.lib.maintainers; {
|
||||
maintainers = [
|
||||
marcel
|
||||
];
|
||||
};
|
||||
|
||||
containers.machine =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
services.rustfs = {
|
||||
enable = true;
|
||||
environmentFile = builtins.toString (
|
||||
pkgs.writeText "rustfs-secrets.env" ''
|
||||
RUSTFS_ACCESS_KEY=${accessKey}
|
||||
RUSTFS_SECRET_KEY=${secretKey}
|
||||
''
|
||||
);
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ minio-client ];
|
||||
};
|
||||
|
||||
testScript = /* python */ ''
|
||||
machine.wait_for_unit("rustfs.service")
|
||||
|
||||
machine.succeed("mc alias set rustfs http://localhost:9000 ${accessKey} ${secretKey} --api s3v4")
|
||||
machine.succeed("mc mb rustfs/test-bucket")
|
||||
machine.succeed("${rustfsPythonScript}")
|
||||
assert "test-bucket" in machine.succeed("mc ls rustfs")
|
||||
assert "Test from Python" in machine.succeed("mc cat rustfs/test-bucket/test.txt")
|
||||
machine.succeed("mc rb --force rustfs/test-bucket")
|
||||
'';
|
||||
}
|
||||
@@ -1,5 +0,0 @@
|
||||
{ runTest }:
|
||||
{
|
||||
login = runTest ./login.nix;
|
||||
system = runTest ./system.nix;
|
||||
}
|
||||
@@ -1,147 +0,0 @@
|
||||
{ pkgs, ... }:
|
||||
let
|
||||
# Create a Python environment for the controller with all necessary test framework dependencies
|
||||
controllerPython = pkgs.python3.withPackages (ps: [
|
||||
ps.flaky
|
||||
ps.jc
|
||||
ps.pytest
|
||||
ps.pytest-mh
|
||||
ps.pytest-ticket
|
||||
]);
|
||||
|
||||
shadowHostName = "shadowhost";
|
||||
in
|
||||
{
|
||||
name = "shadow-system-tests";
|
||||
|
||||
meta.maintainers = with pkgs.lib.maintainers; [ joaosreis ];
|
||||
|
||||
nodes = {
|
||||
# The target host: runs sshd, has shadow and other test dependencies installed, mutable users, and some specific settings to match the expectations of the test suite
|
||||
shadowhost =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
networking.hostName = shadowHostName;
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PermitRootLogin = "yes";
|
||||
PasswordAuthentication = false;
|
||||
};
|
||||
};
|
||||
|
||||
users.mutableUsers = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
shadow
|
||||
expect
|
||||
];
|
||||
|
||||
users.defaultUserShell = "/bin/sh";
|
||||
|
||||
security.loginDefs.settings = {
|
||||
PASS_MAX_DAYS = 99999;
|
||||
PASS_MIN_DAYS = 0;
|
||||
PASS_WARN_AGE = 7;
|
||||
USERGROUPS_ENAB = "yes";
|
||||
CREATE_HOME = "yes";
|
||||
UID_MIN = 1001;
|
||||
GID_MIN = 1001;
|
||||
};
|
||||
|
||||
security.pam.services = {
|
||||
newusers.text = ''
|
||||
auth required pam_permit.so
|
||||
account required pam_permit.so
|
||||
password required pam_permit.so
|
||||
session required pam_permit.so
|
||||
'';
|
||||
};
|
||||
|
||||
services.envfs.enable = true;
|
||||
};
|
||||
|
||||
# The controller: runs pytest-mh against the shadow host
|
||||
controller =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [
|
||||
controllerPython
|
||||
pkgs.openssh
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
import textwrap
|
||||
|
||||
start_all()
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# 1. Generate an SSH keypair on the controller and authorise it
|
||||
# on the shadow host
|
||||
# ------------------------------------------------------------------
|
||||
controller.succeed("mkdir -p /root/.ssh && chmod 700 /root/.ssh")
|
||||
controller.succeed(
|
||||
"ssh-keygen -t ed25519 -N \'\' -f /root/.ssh/id_ed25519 2>&1"
|
||||
)
|
||||
pub_key = controller.succeed("cat /root/.ssh/id_ed25519.pub").strip()
|
||||
|
||||
# Inject the generated public key into the shadow host at runtime
|
||||
shadowhost.succeed("mkdir -p /root/.ssh && chmod 700 /root/.ssh")
|
||||
shadowhost.succeed(
|
||||
f"echo '{pub_key}' >> /root/.ssh/authorized_keys && "
|
||||
"chmod 600 /root/.ssh/authorized_keys"
|
||||
)
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# 2. Make sure the shadow host has a writable /etc/login.defs,
|
||||
# since the test framework expects to be able to write to it.
|
||||
# ------------------------------------------------------------------
|
||||
shadowhost.succeed(
|
||||
"cp --remove-destination $(readlink -f /etc/login.defs) /etc/login.defs && "
|
||||
"chmod 644 /etc/login.defs"
|
||||
)
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# 3. Copy the upstream test suite onto the controller
|
||||
# ------------------------------------------------------------------
|
||||
controller.succeed(
|
||||
"cp -r ${pkgs.shadow.passthru.testFramework} /root/shadow-tests && "
|
||||
"chmod -R u+w /root/shadow-tests"
|
||||
)
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# 4. Write the mhc.yaml topology config
|
||||
# This tells pytest-mh where the shadow host is and which role
|
||||
# it plays. The hostname must match the NixOS node name.
|
||||
# ------------------------------------------------------------------
|
||||
controller.succeed(textwrap.dedent("""
|
||||
cat > /root/shadow-tests/mhc.yaml << 'EOF'
|
||||
domains:
|
||||
- id: shadow
|
||||
hosts:
|
||||
- hostname: ${shadowHostName}
|
||||
role: shadow
|
||||
ssh:
|
||||
user: root
|
||||
private_key: /root/.ssh/id_ed25519
|
||||
EOF
|
||||
"""))
|
||||
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
# 5. Run the upstream pytest-mh test suite from the controller
|
||||
# ------------------------------------------------------------------
|
||||
shadowhost.wait_for_unit("sshd.service")
|
||||
# gpasswd tests are disabled, since they rely on specific behavior of the gpasswd command that is not applicable to NixOS
|
||||
controller.succeed(
|
||||
"cd /root/shadow-tests && "
|
||||
"${controllerPython}/bin/pytest "
|
||||
"--mh-config=mhc.yaml "
|
||||
"--deselect=tests/test_gpasswd.py "
|
||||
"-v tests/"
|
||||
)
|
||||
'';
|
||||
}
|
||||
@@ -17,7 +17,10 @@
|
||||
machine.succeed("curl --fail http://localhost:8111")
|
||||
'';
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ nanoyaki ];
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
diniamo
|
||||
nanoyaki
|
||||
];
|
||||
}
|
||||
);
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user