mirror of
https://github.com/NixOS/nixpkgs.git
synced 2026-07-19 15:11:30 +00:00
Compare commits
1 Commits
staging-ne
...
dependabot
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
3a670fbf75 |
2
.github/workflows/backport.yml
vendored
2
.github/workflows/backport.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
||||
permission-pull-requests: write
|
||||
permission-workflows: write
|
||||
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
|
||||
2
.github/workflows/bot.yml
vendored
2
.github/workflows/bot.yml
vendored
@@ -46,7 +46,7 @@ jobs:
|
||||
# https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
|
||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
4
.github/workflows/build.yml
vendored
4
.github/workflows/build.yml
vendored
@@ -49,7 +49,7 @@ jobs:
|
||||
runs-on: ${{ matrix.runner }}
|
||||
timeout-minutes: 60
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -59,7 +59,7 @@ jobs:
|
||||
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
||||
target-as-trusted-at: ${{ inputs.targetSha }}
|
||||
|
||||
- uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
- uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
with:
|
||||
# Sandbox is disabled on MacOS by default.
|
||||
extra_nix_config: sandbox = true
|
||||
|
||||
8
.github/workflows/check.yml
vendored
8
.github/workflows/check.yml
vendored
@@ -43,7 +43,7 @@ jobs:
|
||||
runs-on: ubuntu-slim
|
||||
timeout-minutes: 3
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
path: trusted
|
||||
@@ -95,7 +95,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 8
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
path: trusted
|
||||
@@ -137,7 +137,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -147,7 +147,7 @@ jobs:
|
||||
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
||||
target-as-trusted-at: ${{ inputs.targetSha }}
|
||||
|
||||
- uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
- uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
- uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
|
||||
continue-on-error: true
|
||||
|
||||
2
.github/workflows/comment.yml
vendored
2
.github/workflows/comment.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
||||
timeout-minutes: 2
|
||||
if: contains(github.event.comment.body, '@NixOS/nixpkgs-merge-bot merge')
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
18
.github/workflows/eval.yml
vendored
18
.github/workflows/eval.yml
vendored
@@ -50,7 +50,7 @@ jobs:
|
||||
ciPinBumpCommit: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommit }}
|
||||
ciPinBumpCommitShort: ${{ steps.find-pinned-commit.outputs.ciPinBumpCommitShort }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
path: trusted
|
||||
@@ -58,7 +58,7 @@ jobs:
|
||||
ci/supportedVersions.nix
|
||||
|
||||
- name: Check out the PR at the test merge commit
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
ref: ${{ inputs.mergedSha }}
|
||||
@@ -139,7 +139,7 @@ jobs:
|
||||
core.info(`Found pinned.json commit: ${ciPinBumpCommit}`)
|
||||
|
||||
- name: Install Nix
|
||||
uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
- name: Load supported versions
|
||||
id: versions
|
||||
@@ -174,7 +174,7 @@ jobs:
|
||||
sudo mkswap /swap
|
||||
sudo swapon /swap
|
||||
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -187,7 +187,7 @@ jobs:
|
||||
target-as-trusted-at: ${{ inputs.targetSha }}
|
||||
|
||||
- name: Install Nix
|
||||
uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
- uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
|
||||
continue-on-error: true
|
||||
@@ -259,7 +259,7 @@ jobs:
|
||||
statuses: write # creating 'Eval Summary' commit statuses
|
||||
timeout-minutes: 5
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -277,7 +277,7 @@ jobs:
|
||||
merge-multiple: true
|
||||
|
||||
- name: Install Nix
|
||||
uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
- name: Combine all output paths and eval stats
|
||||
run: |
|
||||
@@ -476,7 +476,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -486,7 +486,7 @@ jobs:
|
||||
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
||||
|
||||
- name: Install Nix
|
||||
uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
- name: Ensure flake outputs on all systems still evaluate
|
||||
run: nix flake check --all-systems --no-build './nixpkgs/untrusted?shallow=1'
|
||||
|
||||
14
.github/workflows/lint.yml
vendored
14
.github/workflows/lint.yml
vendored
@@ -26,7 +26,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -35,7 +35,7 @@ jobs:
|
||||
with:
|
||||
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
||||
|
||||
- uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
- uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
# TODO: Figure out how to best enable caching for the treefmt job. Cachix won't work well,
|
||||
# because the cache would be invalidated on every commit - treefmt checks every file.
|
||||
@@ -61,7 +61,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -70,7 +70,7 @@ jobs:
|
||||
with:
|
||||
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
||||
|
||||
- uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
- uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
- uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
|
||||
continue-on-error: true
|
||||
@@ -90,7 +90,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: .github/actions
|
||||
@@ -100,7 +100,7 @@ jobs:
|
||||
merged-as-untrusted-at: ${{ inputs.mergedSha }}
|
||||
target-as-trusted-at: ${{ inputs.targetSha }}
|
||||
|
||||
- uses: cachix/install-nix-action@630ae543ea3a38a9a4166f03376c02c50f408342 # v31.11.0
|
||||
- uses: cachix/install-nix-action@a49548c11d9846ad46ecc0115273879b045f001c # v31.10.7
|
||||
|
||||
- uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
|
||||
continue-on-error: true
|
||||
@@ -134,7 +134,7 @@ jobs:
|
||||
runs-on: ubuntu-24.04-arm
|
||||
timeout-minutes: 8
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: true # Needed to run git fetch for large PRs.
|
||||
path: trusted
|
||||
|
||||
2
.github/workflows/merge-group.yml
vendored
2
.github/workflows/merge-group.yml
vendored
@@ -25,7 +25,7 @@ jobs:
|
||||
targetSha: ${{ steps.prepare.outputs.targetSha }}
|
||||
systems: ${{ steps.prepare.outputs.systems }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
2
.github/workflows/periodic-merge.yml
vendored
2
.github/workflows/periodic-merge.yml
vendored
@@ -34,7 +34,7 @@ jobs:
|
||||
permission-contents: write
|
||||
permission-pull-requests: write
|
||||
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
|
||||
2
.github/workflows/pull-request-target.yml
vendored
2
.github/workflows/pull-request-target.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
||||
systems: ${{ steps.prepare.outputs.systems }}
|
||||
touched: ${{ steps.prepare.outputs.touched }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout-cone-mode: true # default, for clarity
|
||||
|
||||
2
.github/workflows/review.yml
vendored
2
.github/workflows/review.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
||||
runs-on: ubuntu-slim
|
||||
timeout-minutes: 2
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
2
.github/workflows/teams.yml
vendored
2
.github/workflows/teams.yml
vendored
@@ -30,7 +30,7 @@ jobs:
|
||||
permission-pull-requests: write
|
||||
|
||||
- name: Fetch source
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout: |
|
||||
|
||||
2
.github/workflows/test.yml
vendored
2
.github/workflows/test.yml
vendored
@@ -19,7 +19,7 @@ jobs:
|
||||
push: ${{ steps.files.outputs.push }}
|
||||
targetSha: ${{ steps.prepare.outputs.targetSha }}
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
sparse-checkout-cone-mode: true # default, for clarity
|
||||
|
||||
@@ -41,7 +41,7 @@
|
||||
/lib/meta.nix @alyssais @NixOS/stdenv @llakala
|
||||
/lib/meta-types.nix @infinisil @adisbladis @NixOS/stdenv @llakala
|
||||
/lib/source-types.nix @alyssais @NixOS/stdenv @llakala
|
||||
/lib/systems @alyssais @NixOS/stdenv
|
||||
/lib/systems @alyssais @NixOS/stdenv @llakala
|
||||
## Libraries / Module system
|
||||
/lib/modules.nix @infinisil @roberth @hsjobeki @llakala
|
||||
/lib/types.nix @infinisil @roberth @hsjobeki @llakala
|
||||
@@ -260,7 +260,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
|
||||
/pkgs/applications/editors/jetbrains @leona-ya @theCapypara
|
||||
|
||||
# Licenses
|
||||
/lib/licenses @alyssais @emilazy @jopejoe1
|
||||
/lib/licenses @alyssais @emilazy @jopejoe1 @llakala
|
||||
|
||||
# Qt
|
||||
/pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000
|
||||
|
||||
@@ -395,13 +395,6 @@ module.exports = async ({ github, context, core, dry }) => {
|
||||
pull_number,
|
||||
per_page: 100,
|
||||
})
|
||||
|
||||
// label llm-assisted PRs accordingly
|
||||
const assistedByPattern = /Assisted-by: (?!nix-init)/i
|
||||
evalLabels['llm-assisted'] = prCommits.some((c) =>
|
||||
assistedByPattern.test(c.commit.message),
|
||||
)
|
||||
|
||||
const commitSubjects = prCommits.map(
|
||||
(c) => c.commit.message.split('\n')[0],
|
||||
)
|
||||
|
||||
@@ -143,4 +143,3 @@ lib.extendMkDerivation {
|
||||
});
|
||||
}
|
||||
```
|
||||
:::
|
||||
|
||||
@@ -165,7 +165,7 @@ They are useful for creating files from Nix expressions, and are all implemented
|
||||
Each of these functions will cause a derivation to be produced.
|
||||
When you coerce the result of each of these functions to a string with [string interpolation](https://nixos.org/manual/nix/stable/language/string-interpolation) or [`toString`](https://nixos.org/manual/nix/stable/language/builtins#builtins-toString), it will evaluate to the [store path](https://nixos.org/manual/nix/stable/store/store-path) of this derivation.
|
||||
|
||||
::: {.note}
|
||||
:::: {.note}
|
||||
Some of these functions will put the resulting files within a directory inside the [derivation output](https://nixos.org/manual/nix/stable/language/derivations#attr-outputs).
|
||||
If you need to refer to the resulting files somewhere else in a Nix expression, append their path to the derivation's store path.
|
||||
|
||||
@@ -190,7 +190,7 @@ writeShellScript "evaluate-my-file.sh" ''
|
||||
cat ${my-file}/share/my-file
|
||||
''
|
||||
```
|
||||
:::
|
||||
::::
|
||||
|
||||
### `makeDesktopItem` {#trivial-builder-makeDesktopItem}
|
||||
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
<div class="manual-header">
|
||||
<nav class="manual-header--tabs">
|
||||
<a class="manual-header--tab manual-header--tab-active" href="#">Nixpkgs</a>
|
||||
<a class="manual-header--tab" href="https://nixos.org/manual/nixos/stable/">NixOS</a>
|
||||
</nav>
|
||||
<span class="manual-header--title">Nixpkgs Manual</span>
|
||||
</div>
|
||||
@@ -119,8 +119,6 @@ stdenvNoCC.mkDerivation (
|
||||
--script ./anchor-use.js \
|
||||
--sidebar-depth 3 \
|
||||
--nav ./nav.json \
|
||||
--header ${./header.html}\
|
||||
--no-navheader \
|
||||
manual.md \
|
||||
out/index.html
|
||||
|
||||
|
||||
@@ -1,24 +0,0 @@
|
||||
# checkPhaseThreadLimitHook {#setup-hook-check-phase-thread-limit}
|
||||
|
||||
This hook defaults a variety of environment variables known
|
||||
to control thread counts to 1. Many of these otherwise default
|
||||
to `$(nproc)`, which causes massive overloads on build machines
|
||||
if nix build jobs and build cores are already tuned to fully utilize
|
||||
compute capacity of a builder without additional parallelism.
|
||||
|
||||
Currently sets the following environment variables:
|
||||
- [`OMP_NUM_THREADS`](https://www.openmp.org/spec-html/5.0/openmpse50.html)
|
||||
- [`OPENBLAS_NUM_THREADS`](https://github.com/OpenMathLib/OpenBLAS/blob/e7b45174355edec1f04de1cabcf5ca6a98ea7fbc/USAGE.md#how-can-i-use-openblas-in-multi-threaded-applications)
|
||||
- [`MKL_NUM_THREADS`](https://www.intel.com/content/www/us/en/docs/onemkl/developer-guide-linux/2023-0/mkl-domain-num-threads.html)
|
||||
- [`BLIS_NUM_THREADS`](https://github.com/flame/blis/blob/b8b75b4e19459f5d618b57aa814ca38b1d82eb82/docs/Multithreading.md#specifying-multithreading)
|
||||
- `VECLIB_MAXIMUM_THREADS`: Only affects darwin, see [`man 7 Accelerate`](https://manp.gs/mac/7/Accelerate)
|
||||
- [`NUMBA_NUM_THREADS`](https://numba.readthedocs.io/en/stable/reference/envvars.html#threading-control)
|
||||
- [`NUMEXPR_NUM_THREADS`](https://numexpr.readthedocs.io/en/latest/user_guide.html#threadpool-configuration)
|
||||
|
||||
The `NIX_CHECK_PHASE_DEFAULT_NUM_THREADS` environment variable
|
||||
can be used to override the default thread count limit.
|
||||
`dontLimitCheckPhaseThreads = true;` can be used to disable
|
||||
thread limiting on an individual package.
|
||||
|
||||
This hook will not attempt to override already existing
|
||||
definitions for thread count environment variables.
|
||||
@@ -13,7 +13,6 @@ aws-c-common.section.md
|
||||
bmake.section.md
|
||||
breakpoint.section.md
|
||||
cernlib.section.md
|
||||
check-phase-thread-limit-hook.section.md
|
||||
cmake.section.md
|
||||
desktop-file-utils.section.md
|
||||
gdk-pixbuf.section.md
|
||||
@@ -35,6 +34,7 @@ nodejs-install-manuals.section.md
|
||||
npm-build-hook.section.md
|
||||
npm-config-hook.section.md
|
||||
npm-install-hook.section.md
|
||||
openmp-check-hook.section.md
|
||||
patch-rc-path-hooks.section.md
|
||||
perl.section.md
|
||||
pkg-config.section.md
|
||||
|
||||
10
doc/hooks/openmp-check-hook.section.md
Normal file
10
doc/hooks/openmp-check-hook.section.md
Normal file
@@ -0,0 +1,10 @@
|
||||
# openmpCheckPhaseHook {#setup-hook-omp-check}
|
||||
|
||||
|
||||
This hook can be used to setup a check phase that
|
||||
requires running a OpenMP application. It mostly
|
||||
serves to limit `OMP_NUM_THREADS` to avoid overloading
|
||||
build machines.
|
||||
|
||||
This hook will not attempt to override an already existing
|
||||
definition of `OMP_NUM_THREADS` in the environment.
|
||||
@@ -59,7 +59,7 @@ The recommended way of defining a derivation for a Rocq library, is to use the `
|
||||
* `releaseRev` (optional, defaults to `(v: v)`), provides a default mapping from release names to revision hashes/branch names/tags,
|
||||
* `releaseArtifact` (optional, defaults to `(v: null)`), provides a default mapping from release names to artifact names (only works for github artifact for now),
|
||||
* `displayVersion` (optional), provides a way to alter the computation of `name` from `pname`, by explaining how to display version numbers,
|
||||
* `namePrefix` (optional, defaults to `[ "rocq" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
|
||||
* `namePrefix` (optional, defaults to `[ "rocq-core" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
|
||||
* `nativeBuildInputs` (optional), is a list of executables that are required to build the current derivation, in addition to the default ones (namely `which`, `dune` and `ocaml` depending on whether `useDune`, `useDuneifVersion` and `mlPlugin` are set).
|
||||
* `extraNativeBuildInputs` (optional, deprecated), an additional list of derivation to add to `nativeBuildInputs`,
|
||||
* `overrideNativeBuildInputs` (optional) replaces the default list of derivation to which `nativeBuildInputs` and `extraNativeBuildInputs` adds extra elements,
|
||||
@@ -74,8 +74,6 @@ The recommended way of defining a derivation for a Rocq library, is to use the `
|
||||
* `enableParallelBuilding` (optional, defaults to `true`), since it is activated by default, we provide a way to disable it.
|
||||
* `extraInstallFlags` (optional), allows to extend `installFlags` which initializes the variables `COQLIBINSTALL` and `COQPLUGININSTALL` so as to install in the proper subdirectory. Indeed Rocq libraries should be installed in `$(out)/lib/coq/${rocq-core.rocq-version}/user-contrib/`. Such directories are automatically added to the `$ROCQPATH` environment variable by the hook defined in the Rocq derivation.
|
||||
* `setROCQBIN` (optional, defaults to `true`), by default, the environment variable `$ROCQBIN` is set to the current Rocq's binary, but one can disable this behavior by setting it to `false`,
|
||||
* `useCoq` (optional, defaults to `false`), adds the Coq compatibility binaries to the build environment, which is necessary for some packages that still depend on them and sets `COQBIN` to the path of the `coqc` binary (if `setROCQBIN` is also set to `true`). A wrapper `mkCoqDerivation` is provided that sets this option to `true`.
|
||||
* `useCoqifVersion` (optional, defaults to `(x: false)`), adds the Coq compatibility binaries to the build environment if the provided predicate evaluates to true on the version. This can be useful for supporting old package versions that need the Coq compatibility binaries, while newer versions do not.
|
||||
* `useMelquiondRemake` (optional, default to `null`) is an attribute set, which, if given, overloads the `preConfigurePhases`, `configureFlags`, `buildPhase`, and `installPhase` attributes of the derivation for a specific use in libraries using `remake` as set up by Guillaume Melquiond for `flocq`, `gappalib`, `interval`, and `coquelicot` (see the corresponding derivation for concrete examples of use of this option). For backward compatibility, the attribute `useMelquiondRemake.logpath` must be set to the logical root of the library (otherwise, one can pass `useMelquiondRemake = {}` to activate this without backward compatibility).
|
||||
* `dropAttrs`, `keepAttrs`, `dropDerivationAttrs` are all optional and allow to tune which attribute is added or removed from the final call to `mkDerivation`.
|
||||
|
||||
|
||||
@@ -2920,8 +2920,7 @@
|
||||
"setup-hook-mpi-check": [
|
||||
"index.html#setup-hook-mpi-check"
|
||||
],
|
||||
"setup-hook-check-phase-thread-limit": [
|
||||
"index.html#setup-hook-check-phase-thread-limit",
|
||||
"setup-hook-omp-check": [
|
||||
"index.html#setup-hook-omp-check"
|
||||
],
|
||||
"ninja": [
|
||||
|
||||
@@ -31,9 +31,6 @@
|
||||
By the time of this release, Homebrew will offer only limited [Tier 3](https://docs.brew.sh/Support-Tiers#tier-3) support for the platform, but MacPorts will likely continue to support it for a long time.
|
||||
We also recommend users consider installing NixOS, which should continue to run on essentially all Intel Macs, especially after Apple stops security support for macOS 26 in 2028.
|
||||
|
||||
- `bundlerApp` now sets `__structuredAttrs = true` for its result package.
|
||||
Out-of-tree packages passing `postBuild` to `bundlerApp` should examine if their `postBuild` commands are compatible with structured attributes.
|
||||
|
||||
- `databricks-cli` has been updated from `0.290.2` to `1.x.x`, the first major release. OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of `~/.databricks/token-cache.json`; cached tokens from older versions are not migrated, so run `databricks auth login` once per profile after upgrading. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg`. Additionally, the `vector_search_endpoints` DABs resource renamed `min_qps` to `target_qps` (and the `vector-search-endpoints` command renamed `--min-qps` to `--target-qps`). See the [upstream changelog](https://github.com/databricks/cli/blob/main/CHANGELOG.md) for details.
|
||||
|
||||
- `hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
|
||||
@@ -45,21 +42,13 @@
|
||||
|
||||
- `python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.
|
||||
|
||||
- `jmtpfs` has been removed due to lack of maintenance and fuse3 support.
|
||||
|
||||
- `libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
|
||||
|
||||
- `mcphost` has been removed, as it was archived upstream and declared unmaintained.
|
||||
|
||||
- `fflogs` has been removed because it was no longer functional. Users should switch to `archon-lite`.
|
||||
|
||||
- `services.mysql` now sets `root@localhost` authentication to `auth_socket` when used with `mysql` or `percona-server`.
|
||||
Existing deployments will also be adjusted if possible. See the [security advisory GHSA-6qxx-6rg8-c4p8](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-6qxx-6rg8-c4p8) for more information.
|
||||
|
||||
- `zerofs` has been updated from `1.x` to `2.x` which is a breaking change. Volumes created by earlier releases are refused at open with a clear error. There is no migration tool; older volumes remain readable and writable by the release that created them.
|
||||
|
||||
- `keycloak.plugins.keycloak-metrics-spi` has been removed. Keycloak exposes Prometheus metrics natively on its management interface; enable them with the `metrics-enabled` setting (and `event-metrics-user-enabled` for login and event counters). See [Gaining insights with metrics](https://www.keycloak.org/observability/configuration-metrics).
|
||||
|
||||
- `alps` has been rewritten upstream, see [upstream repository](https://github.com/migadu/alps) for documentation.
|
||||
|
||||
- `uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
|
||||
@@ -101,8 +90,6 @@
|
||||
|
||||
- `texlive.combine` is deprecated and scheduled for removal in 27.05. Please migrate to `texliveSmall.withPackages` (see [](#sec-language-texlive-user-guide)).
|
||||
|
||||
- `keycloak` was updated to >= 26.7.0 and includes some breaking internal (API) changes. See the [upstream migration guide](https://www.keycloak.org/docs/latest/upgrading/#migrating-to-26-7-0) for more information.
|
||||
|
||||
- `librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
|
||||
|
||||
- `pnpm_10` was upgraded to version 10.34.1+, which introduced stricter integrity checks. If you encounter `ERR_PNPM_MISSING_TARBALL_INTEGRITY`, you can fall back to the older `pnpm_10_34_0`.
|
||||
@@ -119,7 +106,6 @@
|
||||
- Starting with v14, `flameshot` will primarily utilise xdg-desktop-portal calls for screenshotting. This will directly affect users on X11 window managers due to the lack of a compatible portal with Screenshot feature. See [upstream changelog](https://github.com/flameshot-org/flameshot/releases/tag/v14.0.0) or [NixOS Flameshot](https://wiki.nixos.org/wiki/Flameshot) wiki page for workarounds.
|
||||
- `nim1` and respective aliases have been removed due to entering EOL; please migrate to `nim` or `nim-unwrapped` (nim 2).
|
||||
- `nim-2_0` & `nim-2_2` and respective aliases have been removed; please migrate to `nim` or `nim-unwrapped` (nim 2.2.10).
|
||||
- `domoticz` has been updated from `2024.7` to `2026.x`, breaking third party applications and scripts using the old RType calls. Review the [release notes](https://github.com/domoticz/domoticz/blob/2026.2/History.txt#L398) for more information.
|
||||
|
||||
- `vimacs` has been removed, as it has not been maintained in 10 years and was built for an old version of vim (6.0).
|
||||
|
||||
@@ -151,15 +137,15 @@
|
||||
|
||||
### Breaking changes {#sec-nixpkgs-release-26.11-lib-breaking}
|
||||
|
||||
- `fittrackee` 1.0.0 now requires postgres with postgis. The [upgrade guide](https://docs.fittrackee.org/en/upgrading-to-1.0.0.html) has steps to prepare for this upgrade.
|
||||
- Create the first release note entry in this section!
|
||||
|
||||
|
||||
### Deprecations {#sec-nixpkgs-release-26.11-lib-deprecations}
|
||||
|
||||
- Setting `config.allowBrokenPredicate` is deprecated in favor of
|
||||
using `config.problems.handlers.PackageName.broken = "warn"` (or `=
|
||||
"ignore"`). For more information see [](#sec-allow-broken).
|
||||
- Create the first release note entry in this section!
|
||||
|
||||
|
||||
### Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements}
|
||||
|
||||
- Create the first release note entry in this section!
|
||||
|
||||
|
||||
142
doc/style.css
142
doc/style.css
@@ -23,14 +23,14 @@ body {
|
||||
@media screen and (min-width: 992px) {
|
||||
.book,
|
||||
.appendix {
|
||||
max-width: 55rem;
|
||||
max-width: 60rem;
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (min-width: 1200px) {
|
||||
.book,
|
||||
.appendix {
|
||||
max-width: 55rem;
|
||||
max-width: 73rem;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -156,7 +156,8 @@ body {
|
||||
}
|
||||
|
||||
a {
|
||||
text-decoration: underline;
|
||||
text-decoration: none;
|
||||
border-bottom: 1px solid;
|
||||
color: var(--link-color);
|
||||
}
|
||||
|
||||
@@ -397,7 +398,6 @@ div.appendix .variablelist .term {
|
||||
|
||||
:root {
|
||||
--sidebar-width: 20rem;
|
||||
--header-height: 3rem;
|
||||
--background: #fff;
|
||||
--main-text-color: #000;
|
||||
--link-color: #405d99;
|
||||
@@ -479,8 +479,6 @@ div.appendix .variablelist .term {
|
||||
nav.toc-sidebar {
|
||||
height: 100%;
|
||||
padding: 0 1rem 2rem;
|
||||
background-color: var(--background);
|
||||
color: var(--main-text-color);
|
||||
}
|
||||
|
||||
/* menu button, shown on mobile, hidden on desktop */
|
||||
@@ -522,59 +520,6 @@ nav.toc-sidebar li {
|
||||
|
||||
nav.toc-sidebar summary {
|
||||
cursor: pointer;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
list-style: none;
|
||||
}
|
||||
|
||||
nav.toc-sidebar summary::before {
|
||||
content: "▸";
|
||||
flex: none;
|
||||
font-size: 0.75em;
|
||||
}
|
||||
nav.toc-sidebar details[open] > summary::before {
|
||||
content: "▾";
|
||||
}
|
||||
|
||||
nav.toc-sidebar a {
|
||||
display: block;
|
||||
width: 100%;
|
||||
padding: 3px 8px;
|
||||
border-left: 3px solid transparent;
|
||||
border-radius: 3px;
|
||||
color: inherit;
|
||||
transition:
|
||||
background-color 120ms ease,
|
||||
border-color 120ms ease;
|
||||
}
|
||||
nav.toc-sidebar a:hover {
|
||||
background-color: #f2f2f2 !important;
|
||||
}
|
||||
|
||||
nav.toc-sidebar a.active {
|
||||
background-color: #d8d8d8;
|
||||
border-left-color: #444;
|
||||
font-weight: 600;
|
||||
}
|
||||
nav.toc-sidebar a.active-trail {
|
||||
border-left-color: #bbb;
|
||||
background-color: #e8e8e8;
|
||||
}
|
||||
|
||||
@media (prefers-color-scheme: dark) {
|
||||
nav.toc-sidebar a:hover {
|
||||
/* hover should win over scroll selectors despite beeing less specific */
|
||||
background-color: #606060 !important;
|
||||
}
|
||||
nav.toc-sidebar a.active {
|
||||
background-color: #373737;
|
||||
border-left-color: #eee;
|
||||
font-weight: 600;
|
||||
}
|
||||
nav.toc-sidebar a.active-trail {
|
||||
border-left-color: #eee;
|
||||
background-color: #323232;
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (min-width: 768px) {
|
||||
@@ -583,7 +528,7 @@ nav.toc-sidebar a.active-trail {
|
||||
min-height: 0;
|
||||
display: grid;
|
||||
grid-template-columns: minmax(0, 1fr);
|
||||
grid-template-rows: var(--header-height) auto minmax(0, 1fr);
|
||||
grid-template-rows: auto minmax(0, 1fr);
|
||||
}
|
||||
|
||||
body:has(> nav.toc-sidebar) {
|
||||
@@ -592,7 +537,7 @@ nav.toc-sidebar a.active-trail {
|
||||
|
||||
.navheader {
|
||||
grid-column: 1 / -1;
|
||||
grid-row: 2;
|
||||
grid-row: 1;
|
||||
}
|
||||
|
||||
nav.toc-sidebar {
|
||||
@@ -603,10 +548,11 @@ nav.toc-sidebar a.active-trail {
|
||||
/* */
|
||||
margin: 0;
|
||||
grid-column: 1;
|
||||
grid-row: 3;
|
||||
grid-row: 2;
|
||||
max-height: none;
|
||||
overflow-y: auto;
|
||||
border: none;
|
||||
border-right: 0.0625rem solid #d8d8d8;
|
||||
}
|
||||
|
||||
/* Hide the toggle button on desktop */
|
||||
@@ -616,7 +562,7 @@ nav.toc-sidebar a.active-trail {
|
||||
|
||||
main.content {
|
||||
grid-column: 1 / -1;
|
||||
grid-row: 3;
|
||||
grid-row: 2;
|
||||
overflow-y: auto;
|
||||
padding: 0 1rem;
|
||||
}
|
||||
@@ -625,73 +571,3 @@ nav.toc-sidebar a.active-trail {
|
||||
grid-column: 2;
|
||||
}
|
||||
}
|
||||
|
||||
.manual-header {
|
||||
background-color: var(--background);
|
||||
border-bottom: 0.0625rem solid #d8d8d8;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
}
|
||||
|
||||
.manual-header--title {
|
||||
order: -1;
|
||||
padding: 0.5rem 1rem 0;
|
||||
font-size: 0.875rem;
|
||||
font-weight: 500;
|
||||
color: var(--small-heading-color);
|
||||
text-align: center;
|
||||
}
|
||||
|
||||
.manual-header--tabs {
|
||||
display: flex;
|
||||
align-items: stretch;
|
||||
justify-content: space-around;
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
}
|
||||
|
||||
.manual-header--tab {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
padding: 0 1rem;
|
||||
font-size: 0.875rem;
|
||||
font-weight: 500;
|
||||
color: var(--main-text-color);
|
||||
text-decoration: none;
|
||||
border-bottom: 0.1875rem solid transparent;
|
||||
border-top: 0.1875rem solid transparent;
|
||||
transition: border-bottom-color 0.15s ease;
|
||||
}
|
||||
|
||||
.manual-header--tab:hover {
|
||||
border-bottom-color: var(--heading-color);
|
||||
color: var(--main-text-color);
|
||||
}
|
||||
|
||||
.manual-header--tab-active {
|
||||
border-bottom-color: var(--heading-color);
|
||||
color: var(--heading-color);
|
||||
font-weight: 700;
|
||||
}
|
||||
|
||||
@media screen and (min-width: 768px) {
|
||||
.manual-header {
|
||||
height: var(--header-height);
|
||||
flex-direction: row;
|
||||
align-items: stretch;
|
||||
grid-column: 1 / -1;
|
||||
grid-row: 1;
|
||||
}
|
||||
|
||||
.manual-header--title {
|
||||
order: 0;
|
||||
margin-left: auto;
|
||||
padding: 0 1rem;
|
||||
align-self: center;
|
||||
}
|
||||
|
||||
.manual-header--tabs {
|
||||
justify-content: flex-start;
|
||||
padding: 0 1rem;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
# Platform Support {#chap-platform-support}
|
||||
|
||||
Packages receive varying degrees of support, both in terms of maintainer and security team attention and available computation resources for continuous integration (CI). We have 7 defined tiers denoting how well supported each platform is.
|
||||
Packages receive varying degrees of support, both in terms of maintainer attention and available computation resources for continuous integration (CI). We have 7 defined tiers denoting how well supported each platform is.
|
||||
|
||||
## Tiers {#sec-platform-tiers}
|
||||
|
||||
### Tier 1 {#sec-platform-tier1}
|
||||
|
||||
[Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) platforms receive the highest level of support where problems can block updates, security fixes are treated with urgency, platform-specific patches are freely applied, and most packages are expected to work.
|
||||
[Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) platforms receive the highest level of support where problems can block updates, platform-specific patches are freely applied, and most packages are expected to work.
|
||||
|
||||
### Tier 2 {#sec-platform-tier2}
|
||||
|
||||
[Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) platforms are expected to remain functional and secure with updates, receive platform-specific patches as needed, and have many packages built by Hydra with full ofBorg support.
|
||||
[Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) platforms are expected to remain functional with updates, receive platform-specific patches as needed, and have many packages built by Hydra with full ofBorg support.
|
||||
|
||||
### Tier 3 {#sec-platform-tier3}
|
||||
|
||||
@@ -22,25 +22,25 @@ Platform Tiers [4 through 7](https://github.com/NixOS/rfcs/blob/master/rfcs/0046
|
||||
|
||||
## Breakdown {#sec-platform-breakdown}
|
||||
|
||||
| Triple | Support Tier | Channel Blockers | Hydra Support | Security Support | Ofborg Support | Bootstrap Tarballs | Cross Compiling Support |
|
||||
|---------------------------------------|------------------------------------------------------------------------------------------------|------------------|---------------|------------------|----------------|--------------------|-------------------------|
|
||||
| `x86_64-unknown-linux-gnu` | [Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) | Many | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-gnu` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-unknown-freebsd` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `arm64-apple-darwin` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
|
||||
| `i686-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `riscv32-unknown-linux-gnu` | [Tier 4](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-4) | None | ❌ | ❌ | ❌ | ❌ | ✔️ |
|
||||
| `riscv64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `loongarch64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-musleabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv7l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv5tel-unknown-linux-gnueabi` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabi64` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabin32` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mipsel-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64-unknown-linux-gnuabielfv2` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64le-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `s390x-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| Triple | Support Tier | Channel Blockers | Hydra Support | Ofborg Support | Bootstrap Tarballs | Cross Compiling Support |
|
||||
| ------------------------------------- | ------------ | ---------------- | ------------- | -------------- | ------------------ | ----------------------- |
|
||||
| `x86_64-unknown-linux-gnu` | [Tier 1](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-1) | Many | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-gnu` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
|
||||
| `aarch64-unknown-linux-musl` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
|
||||
| `x86_64-unknown-unknown-freebsd` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `arm64-apple-darwin` | [Tier 2](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-2) | Some | ✔️ | ✔️ | ✔️ | ❌ |
|
||||
| `i686-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | Limited | ❌ | ✔️ | ✔️ |
|
||||
| `riscv32-unknown-linux-gnu` | [Tier 4](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-4) | None | ❌ | ❌ | ❌ | ✔️ |
|
||||
| `riscv64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `loongarch64-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv6l-unknown-linux-musleabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv7l-unknown-linux-gnueabihf` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `armv5tel-unknown-linux-gnueabi` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabi64` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mips64el-unknown-linux-gnuabin32` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `mipsel-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64-unknown-linux-gnuabielfv2` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `powerpc64le-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
| `s390x-unknown-linux-gnu` | [Tier 3](https://github.com/NixOS/rfcs/blob/master/rfcs/0046-platform-support-tiers.md#tier-3) | None | ❌ | ❌ | ✔️ | ✔️ |
|
||||
|
||||
@@ -1140,7 +1140,7 @@ rec {
|
||||
|
||||
For a function that gives you control over what counts as a leaf, see `mapAttrsRecursiveCond`.
|
||||
|
||||
::: {.example #map-attrs-recursive-example}
|
||||
:::{#map-attrs-recursive-example .example}
|
||||
# Map over leaf attributes
|
||||
|
||||
```nix
|
||||
@@ -1165,7 +1165,7 @@ rec {
|
||||
If the predicate returns false, `mapAttrsRecursiveCond` does not recurse, but instead applies the mapping function.
|
||||
If the predicate returns true, it does recurse, and does not apply the mapping function.
|
||||
|
||||
::: {.example #map-attrs-recursive-cond-example}
|
||||
:::{#map-attrs-recursive-cond-example .example}
|
||||
# Map over an leaf attributes defined by a condition
|
||||
|
||||
Map derivations to their `name` attribute.
|
||||
|
||||
@@ -564,7 +564,7 @@ rec {
|
||||
|
||||
# Examples
|
||||
|
||||
:::{.example #ex-makeScope}
|
||||
:::{#ex-makeScope .example}
|
||||
# Create an interdependent package set on top of `pkgs`
|
||||
|
||||
The functions in `foo.nix` and `bar.nix` can depend on each other, in the sense that `foo.nix` can contain a function that expects `bar` as an attribute in its argument.
|
||||
@@ -593,7 +593,7 @@ rec {
|
||||
```
|
||||
:::
|
||||
|
||||
:::{.example #ex-makeScope-callPackage}
|
||||
:::{#ex-makeScope-callPackage .example}
|
||||
# Using `callPackage` from a scope
|
||||
|
||||
```nix
|
||||
|
||||
@@ -310,11 +310,6 @@ lib.mapAttrs mkLicense (
|
||||
redistributable = true;
|
||||
};
|
||||
|
||||
buddy = {
|
||||
spdxId = "Buddy";
|
||||
fullName = "Buddy License";
|
||||
};
|
||||
|
||||
bzip2 = {
|
||||
spdxId = "bzip2-1.0.6";
|
||||
fullName = "bzip2 and libbzip2 License v1.0.6";
|
||||
@@ -387,13 +382,6 @@ lib.mapAttrs mkLicense (
|
||||
free = false;
|
||||
};
|
||||
|
||||
cc-by-nc-30-igo = {
|
||||
# Currently does not have a spdxID will get one in the future https://github.com/spdx/license-list-XML/issues/2845
|
||||
# spdxId = "CC-BY-NC-3.0-IGO";
|
||||
fullName = "Creative Commons Attribution Non Commercial 3.0 IGO";
|
||||
free = false;
|
||||
};
|
||||
|
||||
cc-by-nc-40 = {
|
||||
spdxId = "CC-BY-NC-4.0";
|
||||
fullName = "Creative Commons Attribution Non Commercial 4.0 International";
|
||||
@@ -938,11 +926,6 @@ lib.mapAttrs mkLicense (
|
||||
free = false;
|
||||
};
|
||||
|
||||
jpl-image = {
|
||||
fullName = "JPL Image Use Policy";
|
||||
spdxId = "JPL-image";
|
||||
};
|
||||
|
||||
knuth = {
|
||||
fullName = "Knuth CTAN License";
|
||||
spdxId = "Knuth-CTAN";
|
||||
@@ -1190,11 +1173,6 @@ lib.mapAttrs mkLicense (
|
||||
fullName = "Nethack General Public License";
|
||||
};
|
||||
|
||||
ngrep = {
|
||||
spdxId = "ngrep";
|
||||
fullName = "ngrep License";
|
||||
};
|
||||
|
||||
nistSoftware = {
|
||||
spdxId = "NIST-Software";
|
||||
fullName = "NIST Software License";
|
||||
@@ -1628,11 +1606,6 @@ lib.mapAttrs mkLicense (
|
||||
url = "https://fedoraproject.org/wiki/Licensing:Wadalab?rd=Licensing/Wadalab";
|
||||
};
|
||||
|
||||
wordnet = {
|
||||
spdxId = "WordNet";
|
||||
fullName = "WordNet License";
|
||||
};
|
||||
|
||||
wtfpl = {
|
||||
spdxId = "WTFPL";
|
||||
fullName = "Do What The F*ck You Want To Public License";
|
||||
|
||||
@@ -90,12 +90,12 @@ rec {
|
||||
`defaultText`
|
||||
: Substitute for documenting the `default`, if evaluating the default value during documentation rendering is not possible.
|
||||
: Can be any nix value that evaluates.
|
||||
: Usage with `lib.literalMD`, `lib.literalExpression`, or `lib.literalCode` is supported
|
||||
: Usage with `lib.literalMD` or `lib.literalExpression` is supported
|
||||
|
||||
`example`
|
||||
: Optional example value used in the manual.
|
||||
: Can be any nix value that evaluates.
|
||||
: Usage with `lib.literalMD`, `lib.literalExpression`, or `lib.literalCode` is supported
|
||||
: Usage with `lib.literalMD` or `lib.literalExpression` is supported
|
||||
|
||||
`description`
|
||||
: Optional string describing the option. This is required if option documentation is generated.
|
||||
|
||||
@@ -151,7 +151,6 @@
|
||||
"samuela": 226872
|
||||
},
|
||||
"members": {
|
||||
"ethancedwards8": 60861925,
|
||||
"prusnak": 42201
|
||||
},
|
||||
"name": "cuda-maintainers"
|
||||
@@ -366,10 +365,10 @@
|
||||
"freedesktop": {
|
||||
"description": "Maintain Freedesktop.org packages for graphical desktop.",
|
||||
"id": 3806136,
|
||||
"maintainers": {
|
||||
"maintainers": {},
|
||||
"members": {
|
||||
"jtojnar": 705123
|
||||
},
|
||||
"members": {},
|
||||
"name": "Freedesktop"
|
||||
},
|
||||
"geospatial": {
|
||||
|
||||
@@ -1289,12 +1289,6 @@
|
||||
name = "Alexandru Tocar";
|
||||
keys = [ { fingerprint = "B617 DD24 3AB0 2E3F 2E67 DBFD 1305 2A85 D7A4 2AA4"; } ];
|
||||
};
|
||||
AlexAntonik = {
|
||||
email = "antonikavv@gmail.com";
|
||||
github = "AlexAntonik";
|
||||
githubId = 55547934;
|
||||
name = "Alex Antonik";
|
||||
};
|
||||
alexarice = {
|
||||
email = "alexrice999@hotmail.co.uk";
|
||||
github = "alexarice";
|
||||
@@ -1635,6 +1629,12 @@
|
||||
githubId = 382798;
|
||||
name = "amfl";
|
||||
};
|
||||
amiddelk = {
|
||||
email = "amiddelk@gmail.com";
|
||||
github = "amiddelk";
|
||||
githubId = 1358320;
|
||||
name = "Arie Middelkoop";
|
||||
};
|
||||
aminechikhaoui = {
|
||||
email = "amine.chikhaoui91@gmail.com";
|
||||
github = "AmineChikhaoui";
|
||||
@@ -1943,11 +1943,6 @@
|
||||
githubId = 143312793;
|
||||
name = "Annin";
|
||||
};
|
||||
anntnzrb = {
|
||||
github = "anntnzrb";
|
||||
githubId = 51257127;
|
||||
name = "anntnzrb";
|
||||
};
|
||||
anoa = {
|
||||
matrix = "@andrewm:amorgan.xyz";
|
||||
email = "andrew@amorgan.xyz";
|
||||
@@ -2007,12 +2002,6 @@
|
||||
githubId = 14838767;
|
||||
name = "Jacopo Scannella";
|
||||
};
|
||||
antoineco = {
|
||||
email = "hello@acotten.com";
|
||||
github = "antoineco";
|
||||
githubId = 3299086;
|
||||
name = "Antoine Cotten";
|
||||
};
|
||||
anton-4 = {
|
||||
name = "Anton";
|
||||
github = "Anton-4";
|
||||
@@ -4438,12 +4427,6 @@
|
||||
{ fingerprint = "8916 F727 734E 77AB 437F A33A 19AB 76F5 CEE1 1392"; }
|
||||
];
|
||||
};
|
||||
caguiclajmg = {
|
||||
email = "jmg.caguicla@guarandoo.me";
|
||||
github = "caguiclajmg";
|
||||
githubId = 32662060;
|
||||
name = "John Mark Gabriel Caguicla";
|
||||
};
|
||||
CaiqueFigueiredo = {
|
||||
email = "public@caiquefigueiredo.me";
|
||||
github = "caiquefigueiredo";
|
||||
@@ -4657,13 +4640,6 @@
|
||||
githubId = 53847249;
|
||||
name = "Casey Avila";
|
||||
};
|
||||
cassandracomar = {
|
||||
name = "Cassandra Comar";
|
||||
github = "cassandracomar";
|
||||
githubId = 320772;
|
||||
email = "cass@mountclare.net";
|
||||
keys = [ { fingerprint = "104E E74E 24A0 372B EAF5 5533 B019 18F7 7E04 AC99"; } ];
|
||||
};
|
||||
castorNova2 = {
|
||||
email = "solemnsquire@gmail.com";
|
||||
github = "castorNova2";
|
||||
@@ -4743,6 +4719,12 @@
|
||||
githubId = 52760912;
|
||||
name = "Cameron Brown";
|
||||
};
|
||||
ccellado = {
|
||||
email = "annplague@gmail.com";
|
||||
github = "ccellado";
|
||||
githubId = 44584960;
|
||||
name = "Denis Khalmatov";
|
||||
};
|
||||
ccicnce113424 = {
|
||||
email = "ccicnce113424@gmail.com";
|
||||
matrix = "@ccicnce113424:matrix.org";
|
||||
@@ -5613,11 +5595,6 @@
|
||||
githubId = 5953003;
|
||||
name = "Connor Nelson";
|
||||
};
|
||||
conny = {
|
||||
github = "ConstantConstantin";
|
||||
githubId = 162139822;
|
||||
name = "Constantin-Paul Hertel";
|
||||
};
|
||||
conradmearns = {
|
||||
email = "conradmearns+github@pm.me";
|
||||
github = "ConradMearns";
|
||||
@@ -6263,12 +6240,6 @@
|
||||
github = "darkyzhou";
|
||||
githubId = 7220778;
|
||||
};
|
||||
darshancode2005 = {
|
||||
name = "Darshan Thakare";
|
||||
email = "darshanthakaregsoc2023@gmail.com";
|
||||
github = "DarshanCode2005";
|
||||
githubId = 143271270;
|
||||
};
|
||||
daru-san = {
|
||||
name = "Daru";
|
||||
email = "zadarumaka@proton.me";
|
||||
@@ -6374,12 +6345,6 @@
|
||||
github = "David-Kopczynski";
|
||||
githubId = 53194670;
|
||||
};
|
||||
David-Moody = {
|
||||
name = "David Moody";
|
||||
email = "david.moody@scot.me.uk";
|
||||
github = "David-Moody";
|
||||
githubId = 63956662;
|
||||
};
|
||||
david-sawatzke = {
|
||||
email = "d-nix@sawatzke.dev";
|
||||
github = "david-sawatzke";
|
||||
@@ -6814,13 +6779,6 @@
|
||||
githubId = 77843198;
|
||||
name = "Vasilis Manetas";
|
||||
};
|
||||
Deric-W = {
|
||||
email = "robo-eric@gmx.de";
|
||||
github = "Deric-W";
|
||||
githubId = 42873573;
|
||||
name = "Eric Wolf";
|
||||
keys = [ { fingerprint = "ADAA B6F3 A955 5589 D66C CE61 80D2 DA42 8A4A 537F"; } ];
|
||||
};
|
||||
DerickEddington = {
|
||||
email = "derick.eddington@pm.me";
|
||||
github = "DerickEddington";
|
||||
@@ -7078,6 +7036,12 @@
|
||||
github = "DimitarNestorov";
|
||||
githubId = 8790386;
|
||||
};
|
||||
diniamo = {
|
||||
name = "diniamo";
|
||||
email = "diniamo53@gmail.com";
|
||||
github = "diniamo";
|
||||
githubId = 55629891;
|
||||
};
|
||||
diogomdp = {
|
||||
email = "me@diogodp.dev";
|
||||
github = "diogomdp";
|
||||
@@ -8883,13 +8847,6 @@
|
||||
githubId = 345808;
|
||||
name = "Jakub Okoński";
|
||||
};
|
||||
FatBoyXPC = {
|
||||
name = "FatBoyXPC";
|
||||
email = "fatboyxpc@gmail.com";
|
||||
github = "FatBoyXPC";
|
||||
githubId = 744962;
|
||||
keys = [ { fingerprint = "0E08 1B81 CBCA 1CF7 9568 A13F C4ED 3CA2 3211 8969"; } ];
|
||||
};
|
||||
faukah = {
|
||||
github = "faukah";
|
||||
name = "faukah";
|
||||
@@ -9070,11 +9027,6 @@
|
||||
githubId = 5198058;
|
||||
name = "Udo Sauer";
|
||||
};
|
||||
fernvenue = {
|
||||
github = "fernvenue";
|
||||
githubId = 84565547;
|
||||
name = "fernvenue";
|
||||
};
|
||||
feyorsh = {
|
||||
email = "george@feyor.sh";
|
||||
github = "Feyorsh";
|
||||
@@ -9131,12 +9083,6 @@
|
||||
githubId = 41450706;
|
||||
name = "fin-w";
|
||||
};
|
||||
fiona = {
|
||||
email = "mail@fiona.hamburg";
|
||||
github = "Fiona42069";
|
||||
githubId = 260108682;
|
||||
name = "fiona";
|
||||
};
|
||||
fionera = {
|
||||
email = "nix@fionera.de";
|
||||
github = "fionera";
|
||||
@@ -10078,6 +10024,12 @@
|
||||
name = "Will Owens";
|
||||
keys = [ { fingerprint = "8E98 BB01 BFF8 AEA4 E303 FC4C 8074 09C9 2CE2 3033"; } ];
|
||||
};
|
||||
ghuntley = {
|
||||
email = "ghuntley@ghuntley.com";
|
||||
github = "ghuntley";
|
||||
githubId = 127353;
|
||||
name = "Geoffrey Huntley";
|
||||
};
|
||||
gibbert = {
|
||||
email = "gbjgms@gmail.com";
|
||||
github = "zgibberish";
|
||||
@@ -10440,12 +10392,6 @@
|
||||
githubId = 273582;
|
||||
name = "greg";
|
||||
};
|
||||
gregshuflin = {
|
||||
email = "greg@everdayimshuflin.com";
|
||||
github = "neunenak";
|
||||
githubId = 311545;
|
||||
name = "Greg Shuflin";
|
||||
};
|
||||
greizgh = {
|
||||
email = "greizgh@ephax.org";
|
||||
github = "greizgh";
|
||||
@@ -11505,18 +11451,6 @@
|
||||
githubId = 69209;
|
||||
name = "Ian Duncan";
|
||||
};
|
||||
IanHollow = {
|
||||
github = "IanHollow";
|
||||
githubId = 72767437;
|
||||
name = "Ian Holloway";
|
||||
};
|
||||
iank = {
|
||||
email = "iank@iank.org";
|
||||
github = "iank";
|
||||
githubId = 109598;
|
||||
name = "Ian Kilgore";
|
||||
keys = [ { fingerprint = "21F7 244E 095F 619E 8E3E 1EB4 9F3A 4AAB 4D90 D879"; } ];
|
||||
};
|
||||
ianliu = {
|
||||
email = "ian.liu88@gmail.com";
|
||||
github = "ianliu";
|
||||
@@ -11927,6 +11861,12 @@
|
||||
name = "Silvan Mosberger";
|
||||
keys = [ { fingerprint = "6C2B 55D4 4E04 8266 6B7D DA1A 422E 9EDA E015 7170"; } ];
|
||||
};
|
||||
iniw = {
|
||||
email = "git@vini.cat";
|
||||
github = "iniw";
|
||||
githubId = 30220881;
|
||||
name = "Vinicius Deolindo";
|
||||
};
|
||||
insipx = {
|
||||
email = "github@andrewplaza.dev";
|
||||
github = "insipx";
|
||||
@@ -11970,12 +11910,6 @@
|
||||
githubId = 16307070;
|
||||
name = "iosmanthus";
|
||||
};
|
||||
ipetkov = {
|
||||
name = "Ivan Petkov";
|
||||
github = "ipetkov";
|
||||
githubId = 1638690;
|
||||
email = "nixpkgs@ipetkov.dev";
|
||||
};
|
||||
ipsavitsky = {
|
||||
email = "ipsavitsky234@gmail.com";
|
||||
github = "ipsavitsky";
|
||||
@@ -12817,12 +12751,6 @@
|
||||
githubId = 5741620;
|
||||
name = "Jeremy Schlatter";
|
||||
};
|
||||
jeremystucki = {
|
||||
email = "dev@jeremystucki.ch";
|
||||
github = "jeremystucki";
|
||||
githubId = 7629727;
|
||||
name = "Jeremy Stucki";
|
||||
};
|
||||
jerith666 = {
|
||||
email = "github@matt.mchenryfamily.org";
|
||||
github = "jerith666";
|
||||
@@ -14174,14 +14102,6 @@
|
||||
name = "Kenichi Kamiya";
|
||||
keys = [ { fingerprint = "9121 5D87 20CA B405 C63F 24D2 EF6E 574D 040A E2A5"; } ];
|
||||
};
|
||||
kacper-uminski = {
|
||||
name = "Kacper Uminski";
|
||||
email = "kacper+nixpkgs@lysator.liu.se";
|
||||
github = "kacper-uminski";
|
||||
githubId = 57466578;
|
||||
matrix = "@kacper.uminski:matrix.org";
|
||||
keys = [ { fingerprint = "3DF9 3DEB CAA9 81FA B3E2 A7F0 87DA 201D E02F 14B1"; } ];
|
||||
};
|
||||
kaction = {
|
||||
name = "Dmitry Bogatov";
|
||||
email = "KAction@disroot.org";
|
||||
@@ -14421,12 +14341,6 @@
|
||||
github = "keller00";
|
||||
githubId = 8452750;
|
||||
};
|
||||
kenis1108 = {
|
||||
email = "1836362346@qq.com";
|
||||
github = "kenis1108";
|
||||
githubId = 45393183;
|
||||
name = "kenis";
|
||||
};
|
||||
kenran = {
|
||||
email = "johannes.maier@mailbox.org";
|
||||
github = "kenranunderscore";
|
||||
@@ -16449,11 +16363,6 @@
|
||||
githubId = 83420438;
|
||||
name = "Lewis";
|
||||
};
|
||||
lubsch = {
|
||||
github = "lubsch";
|
||||
githubId = 33580245;
|
||||
name = "Benjamin Lohmar";
|
||||
};
|
||||
luc65r = {
|
||||
email = "lucas@ransan.fr";
|
||||
github = "luc65r";
|
||||
@@ -18905,12 +18814,6 @@
|
||||
githubId = 830082;
|
||||
name = "Nathan Moos";
|
||||
};
|
||||
mootfrost = {
|
||||
email = "hello@mootfrost.dev";
|
||||
github = "mootfrost";
|
||||
githubId = 75925945;
|
||||
name = "Andrew Semeykin";
|
||||
};
|
||||
moraxyc = {
|
||||
name = "Moraxyc Xu";
|
||||
email = "i@qaq.li";
|
||||
@@ -20181,12 +20084,6 @@
|
||||
github = "nigelgbanks";
|
||||
githubId = 487373;
|
||||
};
|
||||
nightconcept = {
|
||||
email = "dark@nightconcept.net";
|
||||
github = "nightconcept";
|
||||
githubId = 486025;
|
||||
name = "Danny Solivan";
|
||||
};
|
||||
nikhilmaddirala = {
|
||||
name = "Nikhil Maddirala";
|
||||
github = "nikhilmaddirala";
|
||||
@@ -20412,12 +20309,6 @@
|
||||
githubId = 4242897;
|
||||
name = "Nikolai Mishin";
|
||||
};
|
||||
nmoya = {
|
||||
email = "nikolasmoya@gmail.com";
|
||||
github = "nmoya";
|
||||
githubId = 1767648;
|
||||
name = "Nikolas Moya";
|
||||
};
|
||||
noaccos = {
|
||||
name = "Francesco Noacco";
|
||||
email = "francesco.noacco2000@gmail.com";
|
||||
@@ -21255,6 +21146,12 @@
|
||||
githubId = 19862;
|
||||
name = "KJ Ørbekk";
|
||||
};
|
||||
orbitz = {
|
||||
email = "mmatalka@gmail.com";
|
||||
github = "orbitz";
|
||||
githubId = 75299;
|
||||
name = "Malcolm Matalka";
|
||||
};
|
||||
orhun = {
|
||||
email = "orhunparmaksiz@gmail.com";
|
||||
github = "orhun";
|
||||
@@ -24452,12 +24349,6 @@
|
||||
githubId = 20300874;
|
||||
name = "Mohammad Rafiq";
|
||||
};
|
||||
rsahwe = {
|
||||
email = "rsahwe@gmx.net";
|
||||
github = "rsahwe";
|
||||
githubId = 201613730;
|
||||
name = "rsahwe";
|
||||
};
|
||||
rseichter = {
|
||||
email = "nixos.org@seichter.de";
|
||||
github = "rseichter";
|
||||
@@ -25717,6 +25608,12 @@
|
||||
githubId = 106669955;
|
||||
name = "Léon Gessner";
|
||||
};
|
||||
shardy = {
|
||||
email = "shardul@baral.ca";
|
||||
github = "shardulbee";
|
||||
githubId = 16765155;
|
||||
name = "Shardul Baral";
|
||||
};
|
||||
sharpchen = {
|
||||
github = "sharpchen";
|
||||
githubId = 77432836;
|
||||
@@ -26016,12 +25913,6 @@
|
||||
name = "Nikolay Korotkiy";
|
||||
keys = [ { fingerprint = "ADF4 C13D 0E36 1240 BD01 9B51 D1DE 6D7F 6936 63A5"; } ];
|
||||
};
|
||||
silicalet = {
|
||||
name = "Mr. why";
|
||||
email = "silicalet@outlook.com";
|
||||
github = "silicalet";
|
||||
githubId = 188071249;
|
||||
};
|
||||
silky = {
|
||||
name = "Noon van der Silk";
|
||||
email = "noonsilk+nixpkgs@gmail.com";
|
||||
@@ -26492,14 +26383,6 @@
|
||||
githubId = 7116239;
|
||||
keys = [ { fingerprint = "E067 520F 5EF2 C175 3F60 50C0 BA46 725F 6A26 7442"; } ];
|
||||
};
|
||||
Soliprem = {
|
||||
email = "me@soliprem.eu";
|
||||
matrix = "@soliprem:soliprem.eu";
|
||||
name = "Francesco Prem Solidoro";
|
||||
github = "Soliprem";
|
||||
githubId = 73885403;
|
||||
keys = [ { fingerprint = "F779 4E05 D8BB A608 73D0 1312 4FD6 B0D5 1C9A B6BD"; } ];
|
||||
};
|
||||
solson = {
|
||||
email = "scott@solson.me";
|
||||
matrix = "@solson:matrix.org";
|
||||
@@ -26692,6 +26575,12 @@
|
||||
github = "spreetin";
|
||||
githubId = 7392173;
|
||||
};
|
||||
sprock = {
|
||||
email = "rmason@mun.ca";
|
||||
github = "sprock";
|
||||
githubId = 6391601;
|
||||
name = "Roger Mason";
|
||||
};
|
||||
sputn1ck = {
|
||||
email = "kon@kon.ninja";
|
||||
github = "sputn1ck";
|
||||
@@ -27266,13 +27155,6 @@
|
||||
githubId = 36695359;
|
||||
name = "Vasyl Solovei";
|
||||
};
|
||||
swaggeroo = {
|
||||
email = "swaggerooo@pm.me";
|
||||
github = "swaggeroo";
|
||||
githubId = 57057662;
|
||||
name = "Swaggeroo";
|
||||
keys = [ { fingerprint = "D221 99EC 4FFF EF4D F29D 2435 5208 74E7 3291 4E0B"; } ];
|
||||
};
|
||||
swarren83 = {
|
||||
email = "shawn.w.warren@gmail.com";
|
||||
github = "swarren83";
|
||||
@@ -29770,6 +29652,12 @@
|
||||
githubId = 20145996;
|
||||
name = "Victor Fuentes";
|
||||
};
|
||||
vlstill = {
|
||||
email = "xstill@fi.muni.cz";
|
||||
github = "vlstill";
|
||||
githubId = 4070422;
|
||||
name = "Vladimír Štill";
|
||||
};
|
||||
vmandela = {
|
||||
email = "venkat.mandela@gmail.com";
|
||||
github = "vmandela";
|
||||
@@ -30355,12 +30243,6 @@
|
||||
githubId = 22803888;
|
||||
name = "Lu Hongxu";
|
||||
};
|
||||
wini = {
|
||||
email = "dev@vini.cat";
|
||||
github = "iniw";
|
||||
githubId = 30220881;
|
||||
name = "Vinicius Deolindo";
|
||||
};
|
||||
winpat = {
|
||||
email = "patrickwinter@posteo.ch";
|
||||
github = "winpat";
|
||||
@@ -31131,13 +31013,6 @@
|
||||
{ fingerprint = "D2A8 A906 ACA7 B6D6 575E 9A2F 3A49 5054 6EA6 9E5C"; }
|
||||
];
|
||||
};
|
||||
yoquec = {
|
||||
email = "alvaro.viejo@yoquec.com";
|
||||
github = "yoquec";
|
||||
githubId = 59575696;
|
||||
name = "Alvaro Viejo";
|
||||
matrix = "@yoquec.com:matrix.org";
|
||||
};
|
||||
yorickvp = {
|
||||
email = "yorickvanpelt@gmail.com";
|
||||
matrix = "@yorickvp:matrix.org";
|
||||
|
||||
@@ -8,7 +8,6 @@ binaryheap,,,,,,vcunat
|
||||
bit32,,,,,5.1,lblasc
|
||||
busted,,,,,,
|
||||
busted-htest,,,,,,mrcjkb
|
||||
canola.nvim,,,,,,saadndm
|
||||
cassowary,,,,,,alerque
|
||||
cldr,,,,,,alerque
|
||||
commons.nvim,,,,,5.1,mrcjkb
|
||||
|
||||
|
@@ -307,7 +307,7 @@ async def commit_changes(
|
||||
commit_message = "{attrPath}: {oldVersion} -> {newVersion}".format(**change)
|
||||
if "commitMessage" in change:
|
||||
commit_message = change["commitMessage"]
|
||||
if "commitBody" in change:
|
||||
elif "commitBody" in change:
|
||||
commit_message = commit_message + "\n\n" + change["commitBody"]
|
||||
await check_subprocess_output(
|
||||
"git",
|
||||
|
||||
@@ -717,15 +717,6 @@ with lib.maintainers;
|
||||
github = "security-review";
|
||||
};
|
||||
|
||||
stardust-xr = {
|
||||
members = [
|
||||
pandapip1
|
||||
technobaboo
|
||||
];
|
||||
scope = "Maintain Stardust XR packages";
|
||||
shortName = "StardustXR";
|
||||
};
|
||||
|
||||
stdenv = {
|
||||
enableFeatureFreezePing = true;
|
||||
github = "stdenv";
|
||||
|
||||
@@ -41,6 +41,5 @@ and non-critical by adding `options = [ "nofail" ];`.
|
||||
```{=include=} sections
|
||||
luks-file-systems.section.md
|
||||
sshfs-file-systems.section.md
|
||||
nfs-file-systems.section.md
|
||||
overlayfs.section.md
|
||||
```
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
# NFS File Systems {#sec-nfs-file-systems}
|
||||
|
||||
[NFS][nfs] (Network File System) allows you to mount directories from remote machines over the network.
|
||||
|
||||
[nfs]: https://en.wikipedia.org/wiki/Network_File_System
|
||||
[nfs-man]: https://man7.org/linux/man-pages/man5/nfs.5.html
|
||||
|
||||
To mount NFS filesystems persistently, use the `fileSystems` option:
|
||||
|
||||
```nix
|
||||
{
|
||||
fileSystems."/mnt/data" = {
|
||||
device = "server.example.com:/export/data";
|
||||
fsType = "nfs";
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
## Automounting {#sec-nfs-automount}
|
||||
|
||||
To have NFS filesystems mounted on-demand instead of at boot, add the `noauto` and `x-systemd.automount` options:
|
||||
|
||||
```nix
|
||||
{
|
||||
fileSystems."/mnt/data" = {
|
||||
device = "server.example.com:/export/data";
|
||||
fsType = "nfs";
|
||||
options = [
|
||||
"noauto"
|
||||
"x-systemd.automount"
|
||||
];
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
## Ad-hoc Mounting {#sec-nfs-adhoc}
|
||||
|
||||
To mount NFS filesystems ad-hoc using the `mount` command, enable NFS and required RPC services:
|
||||
|
||||
```nix
|
||||
{
|
||||
boot.supportedFilesystems = [ "nfs" ];
|
||||
}
|
||||
```
|
||||
|
||||
Then you can mount filesystems manually:
|
||||
|
||||
```shell
|
||||
$ sudo mount -t nfs server.example.com:/export/data /mnt/data
|
||||
```
|
||||
|
||||
For more information on NFS mount options, see the [nfs(5) man page][nfs-man].
|
||||
@@ -202,8 +202,6 @@ rec {
|
||||
--script ./anchor.min.js \
|
||||
--script ./anchor-use.js \
|
||||
--sidebar-depth 2 \
|
||||
--header ${./header.html}\
|
||||
--no-navheader \
|
||||
./manual.md \
|
||||
$dst/${common.indexPath}
|
||||
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
<div class="manual-header">
|
||||
<nav class="manual-header--tabs">
|
||||
<a class="manual-header--tab" href="https://nixos.org/manual/nixos/stable/">Nixpkgs</a>
|
||||
<a class="manual-header--tab manual-header--tab-active" href="#">NixOS</a>
|
||||
</nav>
|
||||
<span class="manual-header--title">Nixos Manual</span>
|
||||
</div>
|
||||
@@ -47,7 +47,7 @@ The first steps to all these are the same:
|
||||
|
||||
Where `<version>` corresponds to the latest version available on [channels.nixos.org](https://channels.nixos.org/).
|
||||
|
||||
You must run `$ nix-channel --update` for the channel change to take effect.
|
||||
You may want to throw in a `nix-channel --update` for good measure.
|
||||
|
||||
1. Install the NixOS installation tools:
|
||||
|
||||
|
||||
@@ -619,15 +619,6 @@
|
||||
"sec-luks-file-systems-fido2-systemd": [
|
||||
"index.html#sec-luks-file-systems-fido2-systemd"
|
||||
],
|
||||
"sec-nfs-file-systems": [
|
||||
"index.html#sec-nfs-file-systems"
|
||||
],
|
||||
"sec-nfs-automount": [
|
||||
"index.html#sec-nfs-automount"
|
||||
],
|
||||
"sec-nfs-adhoc": [
|
||||
"index.html#sec-nfs-adhoc"
|
||||
],
|
||||
"sec-sshfs-file-systems": [
|
||||
"index.html#sec-sshfs-file-systems"
|
||||
],
|
||||
@@ -1900,9 +1891,6 @@
|
||||
"sec-kubernetes": [
|
||||
"index.html#sec-kubernetes"
|
||||
],
|
||||
"module-services-nordvpn": [
|
||||
"index.html#module-services-nordvpn"
|
||||
],
|
||||
"ch-running": [
|
||||
"index.html#ch-running"
|
||||
],
|
||||
|
||||
@@ -110,8 +110,6 @@
|
||||
|
||||
- [clevis-luks-askpass](https://github.com/latchset/clevis), automatic LUKS unlocking in initrd using clevis token bindings stored in LUKS headers. Available as [boot.initrd.clevisLuksAskpass](#opt-boot.initrd.clevisLuksAskpass.enable).
|
||||
|
||||
- [passless](https://github.com/pando85/passless), a daemon for using Webauthn Passkeys backed by password-store.
|
||||
|
||||
- [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).
|
||||
|
||||
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).
|
||||
|
||||
@@ -32,8 +32,6 @@
|
||||
|
||||
- [Nezha](https://github.com/nezhahq/nezha), a self-hosted, lightweight server and website monitoring and O&M tool. Available as [services.nezha](#opt-services.nezha.enable).
|
||||
|
||||
- [Watt](https://github.com/NotAShelf/watt), a CPU frequency and power management daemon for Linux. Available as [services.watt](#opt-services.watt.enable).
|
||||
|
||||
- [mail-tlsa-check-exporter](https://github.com/ietf-tools/mail-tlsa-check-exporter), validates SMTP / IMAP server certificates against a TLSA record as a Prometheus exporter. Available as [services.prometheus.exporters.mail-tlsa-check](#opt-services.prometheus.exporters.mail-tlsa-check.enable).
|
||||
|
||||
- [CastSponsorSkip](https://github.com/gabe565/CastSponsorSkip/), skips YouTube sponsorships (and sometimes ads) on all local Google Cast devices.
|
||||
@@ -56,8 +54,6 @@
|
||||
|
||||
- [OO7](https://github.com/linux-credentials/oo7) is a desktop-agnostic Secret Service provider. Available as [services.oo7](#opt-services.oo7.enable)
|
||||
|
||||
- [NordVPN](https://github.com/NordSecurity/nordvpn-linux), a NordVPN client for linux. Available as [services.nordvpn](options.html#opt-services.nordvpn.enable).
|
||||
|
||||
## Backward Incompatibilities {#sec-release-26.11-incompatibilities}
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
@@ -99,8 +95,6 @@
|
||||
|
||||
- `services.plantuml-server.packages.jetty` now supports `jetty_12`, it no longer supports `jetty_11`.
|
||||
|
||||
- `services.komodo-periphery` has been updated to support version 2.0.0. Some options have been renamed to match the new configuration structure; compatibility aliases are provided for the renamed options. The `passkeys` and `outbound.onboardingKey` options have been removed; use `passkeyFiles`, `auth.privateKey`/`auth.corePublicKeys`, or `outbound.onboardingKeyFile` instead. New outbound mode configuration is available under `outbound.*`.
|
||||
|
||||
## Other Notable Changes {#sec-release-26.11-notable-changes}
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
@@ -144,8 +138,6 @@
|
||||
|
||||
- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
|
||||
|
||||
- The `authelia` module now uses systemd's `LoadCredential` to load all files defined in `secrets`. As such, these files no longer need to be readable by the authelia user and group: they can for example be set to be only readable by the root user.
|
||||
|
||||
- `zoneminder` has been updated to 1.38.x release. See [upstream release note](https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.0). While database migration should happen automatically, it's recommended that you make a backup of the database before upgrading your system.
|
||||
|
||||
- The latest available version of Nextcloud is v34 (available as `pkgs.nextcloud34`). The installation logic is as follows:
|
||||
|
||||
@@ -625,7 +625,7 @@ rec {
|
||||
|
||||
listenStreams = mkOption {
|
||||
default = [ ];
|
||||
type = types.listOf (types.coercedTo types.port toString types.str);
|
||||
type = types.listOf types.str;
|
||||
example = [
|
||||
"0.0.0.0:993"
|
||||
"/run/my-socket"
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
utils,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
@@ -60,7 +59,7 @@ in
|
||||
};
|
||||
|
||||
output = lib.mkOption {
|
||||
type = lib.types.externalPath;
|
||||
type = lib.types.path;
|
||||
default = "/var/cache/locatedb";
|
||||
description = ''
|
||||
The database file to build.
|
||||
@@ -250,35 +249,27 @@ in
|
||||
systemd.services.update-locatedb = {
|
||||
description = "Update Locate Database";
|
||||
|
||||
serviceConfig = {
|
||||
# mlocate's updatedb takes flags via a configuration file or
|
||||
# on the command line, but not by environment variable.
|
||||
ExecStart =
|
||||
let
|
||||
toFlags =
|
||||
x:
|
||||
lib.optionals (cfg.${x} != [ ]) [
|
||||
"--${lib.toLower x}"
|
||||
(lib.concatStringsSep " " cfg.${x})
|
||||
];
|
||||
args = lib.concatMap toFlags [
|
||||
# mlocate's updatedb takes flags via a configuration file or
|
||||
# on the command line, but not by environment variable.
|
||||
script =
|
||||
let
|
||||
toFlags =
|
||||
x: lib.optional (cfg.${x} != [ ]) "--${lib.toLower x} '${lib.concatStringsSep " " cfg.${x}}'";
|
||||
args = lib.concatLists (
|
||||
map toFlags [
|
||||
"pruneFS"
|
||||
"pruneNames"
|
||||
"prunePaths"
|
||||
];
|
||||
in
|
||||
utils.escapeSystemdExecArgs (
|
||||
[
|
||||
(lib.getExe' cfg.package "updatedb")
|
||||
"--output"
|
||||
cfg.output
|
||||
"--prune-bind-mounts"
|
||||
(lib.boolToYesNo cfg.pruneBindMounts)
|
||||
]
|
||||
++ args
|
||||
++ cfg.extraFlags
|
||||
);
|
||||
|
||||
in
|
||||
''
|
||||
exec ${cfg.package}/bin/updatedb \
|
||||
--output ${toString cfg.output} ${lib.concatStringsSep " " args} \
|
||||
--prune-bind-mounts ${lib.boolToYesNo cfg.pruneBindMounts} \
|
||||
${lib.concatStringsSep " " cfg.extraFlags}
|
||||
'';
|
||||
serviceConfig = {
|
||||
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_CHOWN";
|
||||
Nice = 19;
|
||||
IOSchedulingClass = "idle";
|
||||
|
||||
@@ -54,8 +54,7 @@ let
|
||||
BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues";
|
||||
ANSI_COLOR = optionalString isNixos "0;38;2;126;186;228";
|
||||
IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id;
|
||||
${if config.system.image.version != null then "IMAGE_VERSION" else null} =
|
||||
config.system.image.version;
|
||||
IMAGE_VERSION = optionalString (config.system.image.version != null) config.system.image.version;
|
||||
VARIANT = optionalString (cfg.variantName != null) cfg.variantName;
|
||||
VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id;
|
||||
DEFAULT_HOSTNAME = config.system.nixos.distroId;
|
||||
|
||||
@@ -296,7 +296,6 @@
|
||||
./programs/opengamepadui.nix
|
||||
./programs/openvpn3.nix
|
||||
./programs/partition-manager.nix
|
||||
./programs/passless.nix
|
||||
./programs/pay-respects.nix
|
||||
./programs/plotinus.nix
|
||||
./programs/pmount.nix
|
||||
@@ -358,7 +357,6 @@
|
||||
./programs/wayland/mangowc.nix
|
||||
./programs/wayland/miracle-wm.nix
|
||||
./programs/wayland/niri.nix
|
||||
./programs/wayland/pinnacle.nix
|
||||
./programs/wayland/river.nix
|
||||
./programs/wayland/sway.nix
|
||||
./programs/wayland/uwsm.nix
|
||||
@@ -732,7 +730,6 @@
|
||||
./services/hardware/usbmuxd.nix
|
||||
./services/hardware/usbrelayd.nix
|
||||
./services/hardware/vdr.nix
|
||||
./services/hardware/watt.nix
|
||||
./services/home-automation/deye-dummycloud.nix
|
||||
./services/home-automation/ebusd.nix
|
||||
./services/home-automation/esphome.nix
|
||||
@@ -1344,7 +1341,6 @@
|
||||
./services/networking/nncp.nix
|
||||
./services/networking/nntp-proxy.nix
|
||||
./services/networking/nomad.nix
|
||||
./services/networking/nordvpn.nix
|
||||
./services/networking/nsd.nix
|
||||
./services/networking/ntopng.nix
|
||||
./services/networking/ntp/chrony.nix
|
||||
@@ -1861,7 +1857,6 @@
|
||||
./services/web-servers/nginx/tailscale-auth.nix
|
||||
./services/web-servers/phpfpm/default.nix
|
||||
./services/web-servers/pomerium.nix
|
||||
./services/web-servers/rustfs.nix
|
||||
./services/web-servers/rustus.nix
|
||||
./services/web-servers/send.nix
|
||||
./services/web-servers/stargazer.nix
|
||||
|
||||
@@ -1,134 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.programs.passless;
|
||||
settingsFormat = pkgs.formats.toml { };
|
||||
settingsFile = settingsFormat.generate "passless.toml" cfg.settings;
|
||||
in
|
||||
{
|
||||
|
||||
options.programs.passless = {
|
||||
enable = lib.mkEnableOption "passless";
|
||||
|
||||
package = lib.mkPackageOption pkgs "passless" { };
|
||||
|
||||
users = lib.options.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = ''
|
||||
Users that intend to use passless and should be added to the fido group.
|
||||
'';
|
||||
default = [ ];
|
||||
example = [ "alice" ];
|
||||
};
|
||||
|
||||
settings = lib.mkOption {
|
||||
inherit (settingsFormat) type;
|
||||
default = { };
|
||||
example = {
|
||||
pass.store-path = "/home/alice/.local/share/password-store";
|
||||
};
|
||||
description = ''
|
||||
Configuration included in `config.toml`.
|
||||
|
||||
See <https://github.com/pando85/passless#configuration-1> for documentation or run `passless config print` to see default configuration.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.programs.passless.enable {
|
||||
users.groups.fido.members = cfg.users;
|
||||
|
||||
boot.kernelModules = [ "uhid" ];
|
||||
|
||||
services.udev.extraRules = ''
|
||||
KERNEL=="uhid", GROUP="fido", MODE="0660"
|
||||
'';
|
||||
|
||||
# From https://github.com/pando85/passless/blob/master/contrib/systemd/passless.service
|
||||
systemd.user.services.passless = {
|
||||
description = "Passless FIDO2 Software Authenticator";
|
||||
documentation = [ "https://github.com/pando85/passless" ];
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
wantedBy = [ "default.target" ];
|
||||
path = [ config.programs.gnupg.package ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${lib.getExe cfg.package} --config-path ${settingsFile}";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
# Security hardening
|
||||
# The application already handles its own memory locking and core dump prevention
|
||||
# but we can add additional systemd protections
|
||||
NoNewPrivileges = true;
|
||||
LimitMEMLOCK = "2M";
|
||||
SyslogIdentifier = "passless";
|
||||
|
||||
# Found with shh
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = "disconnected";
|
||||
PrivateMounts = "true";
|
||||
ProtectKernelTunables = "true";
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
ProtectClock = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictAddressFamilies = "AF_UNIX";
|
||||
SocketBindDeny = [
|
||||
"ipv4:tcp"
|
||||
"ipv4:udp"
|
||||
"ipv6:tcp"
|
||||
"ipv6:udp"
|
||||
];
|
||||
CapabilityBoundingSet = [
|
||||
"~CAP_BLOCK_SUSPEND"
|
||||
"CAP_BPF"
|
||||
"CAP_CHOWN"
|
||||
"CAP_MKNOD"
|
||||
"CAP_NET_RAW"
|
||||
"CAP_PERFMON"
|
||||
"CAP_SYS_BOOT"
|
||||
"CAP_SYS_CHROOT"
|
||||
"CAP_SYS_MODULE"
|
||||
"CAP_SYS_NICE"
|
||||
"CAP_SYS_PACCT"
|
||||
"CAP_SYS_PTRACE"
|
||||
"CAP_SYS_TIME"
|
||||
"CAP_SYSLOG"
|
||||
"CAP_WAKE_ALARM"
|
||||
];
|
||||
SystemCallFilter = [
|
||||
"~@aio:EPERM"
|
||||
"@chown:EPERM"
|
||||
"@clock:EPERM"
|
||||
"@cpu-emulation:EPERM"
|
||||
"@debug:EPERM"
|
||||
"@ipc:EPERM"
|
||||
"@keyring:EPERM"
|
||||
"@module:EPERM"
|
||||
"@mount:EPERM"
|
||||
"@obsolete:EPERM"
|
||||
"@pkey:EPERM"
|
||||
"@privileged:EPERM"
|
||||
"@raw-io:EPERM"
|
||||
"@reboot:EPERM"
|
||||
"@resources:EPERM"
|
||||
"@sandbox:EPERM"
|
||||
"@setuid:EPERM"
|
||||
"@swap:EPERM"
|
||||
"@sync:EPERM"
|
||||
];
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ erictapen ];
|
||||
|
||||
}
|
||||
@@ -1,70 +0,0 @@
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.programs.pinnacle;
|
||||
inherit (lib.options) mkEnableOption mkPackageOption;
|
||||
in
|
||||
{
|
||||
options.programs.pinnacle = {
|
||||
enable = mkEnableOption "pinnacle";
|
||||
package = mkPackageOption pkgs "pinnacle" {
|
||||
default = "pinnacle";
|
||||
example = "pkgs.pinnacle";
|
||||
extraDescription = "package containing the pinnacle server binary";
|
||||
};
|
||||
xdg-portals.enable = mkEnableOption "enable xdg-portals for pinnacle";
|
||||
withUWSM = mkEnableOption ''
|
||||
manage the pinnacle session with [UWSM](https://github.com/Vladimir-csp/uwsm) instead
|
||||
of independent systemd services and targets.
|
||||
'';
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable (
|
||||
lib.mkMerge [
|
||||
{
|
||||
environment.systemPackages = [
|
||||
cfg.package
|
||||
pkgs.protobuf
|
||||
cfg.package.lua-client-api
|
||||
];
|
||||
environment.pathsToLink = [
|
||||
# For /run/current-system/sw/share/pinnacle protobuf files - for
|
||||
# pinnacle to be able to launch with a non-default config out of the
|
||||
# box.
|
||||
"/share/pinnacle"
|
||||
];
|
||||
xdg.portal = lib.mkIf cfg.xdg-portals.enable {
|
||||
enable = true;
|
||||
wlr.enable = true;
|
||||
configPackages = [ cfg.package ];
|
||||
extraPortals = [
|
||||
pkgs.xdg-desktop-portal-wlr
|
||||
pkgs.xdg-desktop-portal-gtk
|
||||
pkgs.gnome-keyring
|
||||
];
|
||||
};
|
||||
}
|
||||
(lib.mkIf (cfg.withUWSM) {
|
||||
programs.uwsm.enable = true;
|
||||
# Configure UWSM to launch Pinnacle from a display manager like SDDM
|
||||
programs.uwsm.waylandCompositors = {
|
||||
pinnacle = {
|
||||
prettyName = "Pinnacle";
|
||||
comment = "Pinnacle compositor managed by UWSM";
|
||||
binPath = "/run/current-system/sw/bin/pinnacle";
|
||||
extraArgs = [ "--session" ];
|
||||
};
|
||||
};
|
||||
})
|
||||
(lib.mkIf (!cfg.withUWSM) {
|
||||
services.displayManager.sessionPackages = [ cfg.package ];
|
||||
})
|
||||
]
|
||||
);
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ cassandracomar ];
|
||||
}
|
||||
@@ -511,7 +511,7 @@ in
|
||||
services.simplesamlphp has been vulnerable and unmaintained in nixpkgs.
|
||||
'')
|
||||
(mkRemovedOptionModule [ "security" "pam" "enableEcryptfs" ] ''
|
||||
security.pam.enableEcryptfs was removed since it was unmaintained in nixpkgs.
|
||||
security.pam.enableFscrypt was removed since it was unmaintained in nixpkgs.
|
||||
'')
|
||||
(mkRemovedOptionModule [ "security" "rngd" ] ''
|
||||
rngd is not necessary for any device that the kernel recognises
|
||||
|
||||
@@ -241,7 +241,7 @@ in
|
||||
{
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = "yes";
|
||||
ExecStartPre = lib.getExe' pkgs.apparmor-init "aa-teardown";
|
||||
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
|
||||
ExecStart = lib.mapAttrsToList (
|
||||
n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts n p}"
|
||||
) enabledPolicies;
|
||||
@@ -262,7 +262,7 @@ in
|
||||
# Optionally kill the processes which are unconfined but now have a profile loaded
|
||||
# (because AppArmor can only start to confine new processes).
|
||||
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
|
||||
ExecStop = lib.getExe' pkgs.apparmor-init "aa-teardown";
|
||||
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
|
||||
CacheDirectory = [
|
||||
"apparmor"
|
||||
"apparmor/logprof"
|
||||
|
||||
@@ -1832,6 +1832,11 @@ let
|
||||
else
|
||||
config.users.motdFile;
|
||||
|
||||
makePAMService = name: service: {
|
||||
name = "pam.d/${name}";
|
||||
value.source = pkgs.writeText "${name}.pam" service.text;
|
||||
};
|
||||
|
||||
optionalSudoConfigForSSHAgentAuth =
|
||||
lib.optionalString (config.security.pam.sshAgentAuth.enable || config.security.pam.rssh.enable)
|
||||
''
|
||||
@@ -2643,26 +2648,7 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc =
|
||||
let
|
||||
# Write all pam config in a single derivation for performance
|
||||
pamd =
|
||||
pkgs.runCommand "pam.d"
|
||||
{
|
||||
__structuredAttrs = true;
|
||||
services = lib.mapAttrs (_: svc: svc.text) enabledServices;
|
||||
}
|
||||
''
|
||||
mkdir $out
|
||||
for i in "''${!services[@]}"; do
|
||||
printf '%s' "''${services[$i]}" > "$out/$i"
|
||||
done
|
||||
'';
|
||||
in
|
||||
lib.mapAttrs' (name: service: {
|
||||
name = "pam.d/${name}";
|
||||
value.source = "${pamd}/${name}";
|
||||
}) enabledServices;
|
||||
environment.etc = lib.mapAttrs' makePAMService enabledServices;
|
||||
|
||||
systemd =
|
||||
lib.mkIf (lib.any (service: service.lastlog.enable) (lib.attrValues config.security.pam.services))
|
||||
|
||||
@@ -8,65 +8,41 @@ let
|
||||
cfg = config.services.komodo-periphery;
|
||||
settingsFormat = pkgs.formats.toml { };
|
||||
|
||||
actualRepoDir = if cfg.repoDir != null then cfg.repoDir else "${cfg.rootDirectory}/repos";
|
||||
actualStackDir = if cfg.stackDir != null then cfg.stackDir else "${cfg.rootDirectory}/stacks";
|
||||
actualBuildDir = if cfg.buildDir != null then cfg.buildDir else "${cfg.rootDirectory}/builds";
|
||||
|
||||
genFinalSettings =
|
||||
let
|
||||
actualServerEnabled =
|
||||
if cfg.inbound.serverEnabled != null then
|
||||
cfg.inbound.serverEnabled
|
||||
else
|
||||
(cfg.outbound.coreAddress == "");
|
||||
|
||||
hasAnyPrivateKey = cfg.auth.privateKey != "";
|
||||
|
||||
baseSettings = {
|
||||
default_terminal_command = cfg.defaultTerminalCommand;
|
||||
disable_terminals = cfg.disableTerminals;
|
||||
disable_container_terminals = cfg.disableContainerTerminals;
|
||||
|
||||
stats_polling_rate = cfg.statsPollingRate;
|
||||
container_stats_polling_rate = cfg.containerStatsPollingRate;
|
||||
legacy_compose_cli = cfg.legacyComposeCli;
|
||||
|
||||
include_disk_mounts = cfg.includeDiskMounts;
|
||||
exclude_disk_mounts = cfg.excludeDiskMounts;
|
||||
|
||||
# When a private key is explicitly configured, it's passed via env var.
|
||||
# Otherwise, use the default file path so Periphery auto-generates a key.
|
||||
private_key = if !hasAnyPrivateKey then "file:${cfg.rootDirectory}/keys/periphery.key" else "";
|
||||
core_public_keys = [ ];
|
||||
passkeys = [ ];
|
||||
|
||||
server_enabled = actualServerEnabled;
|
||||
port = cfg.inbound.port;
|
||||
bind_ip = cfg.inbound.bindIp;
|
||||
allowed_ips = cfg.inbound.allowedIps;
|
||||
ssl_enabled = cfg.inbound.ssl.enable;
|
||||
port = cfg.port;
|
||||
bind_ip = cfg.bindIp;
|
||||
root_directory = cfg.rootDirectory;
|
||||
repo_dir = "${cfg.rootDirectory}/repos";
|
||||
stack_dir = "${cfg.rootDirectory}/stacks";
|
||||
ssl_enabled = cfg.ssl.enable;
|
||||
}
|
||||
// {
|
||||
core_address = cfg.outbound.coreAddress;
|
||||
connect_as = cfg.outbound.connectAs;
|
||||
onboarding_key = "";
|
||||
// lib.optionalAttrs cfg.ssl.enable {
|
||||
ssl_key_file = cfg.ssl.keyFile;
|
||||
ssl_cert_file = cfg.ssl.certFile;
|
||||
}
|
||||
// {
|
||||
logging = {
|
||||
level = cfg.logging.level;
|
||||
stdio = cfg.logging.stdio;
|
||||
opentelemetry_service_name = cfg.logging.opentelemetryServiceName;
|
||||
opentelemetry_scope_name = cfg.logging.opentelemetryScopeName;
|
||||
pretty = cfg.logging.pretty;
|
||||
}
|
||||
// lib.optionalAttrs (cfg.logging.otlpEndpoint != "") {
|
||||
otlp_endpoint = cfg.logging.otlpEndpoint;
|
||||
};
|
||||
pretty_startup_config = cfg.prettyStartupConfig;
|
||||
allowed_ips = cfg.allowedIps;
|
||||
passkeys = cfg.passkeys;
|
||||
disable_terminals = cfg.disableTerminals;
|
||||
disable_container_exec = cfg.disableContainerExec;
|
||||
stats_polling_rate = cfg.statsPollingRate;
|
||||
container_stats_polling_rate = cfg.containerStatsPollingRate;
|
||||
legacy_compose_cli = cfg.legacyComposeCli;
|
||||
include_disk_mounts = cfg.includeDiskMounts;
|
||||
exclude_disk_mounts = cfg.excludeDiskMounts;
|
||||
}
|
||||
// cfg.extraSettings;
|
||||
in
|
||||
lib.filterAttrsRecursive (_: v: v != null && v != { } && v != [ ] && v != "") baseSettings;
|
||||
lib.filterAttrsRecursive (_: v: v != null && v != { } && v != [ ]) baseSettings;
|
||||
|
||||
configFile =
|
||||
if cfg.configFile == null then
|
||||
@@ -75,125 +51,62 @@ let
|
||||
cfg.configFile;
|
||||
in
|
||||
{
|
||||
imports = with lib; [
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "port" ]
|
||||
[ "services" "komodo-periphery" "inbound" "port" ]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "bindIp" ]
|
||||
[ "services" "komodo-periphery" "inbound" "bindIp" ]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "allowedIps" ]
|
||||
[ "services" "komodo-periphery" "inbound" "allowedIps" ]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "ssl" "enable" ]
|
||||
[ "services" "komodo-periphery" "inbound" "ssl" "enable" ]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "ssl" "keyFile" ]
|
||||
[ "services" "komodo-periphery" "inbound" "ssl" "keyFile" ]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "ssl" "certFile" ]
|
||||
[ "services" "komodo-periphery" "inbound" "ssl" "certFile" ]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "serverEnabled" ]
|
||||
[ "services" "komodo-periphery" "inbound" "serverEnabled" ]
|
||||
)
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "komodo-periphery" "disableContainerExec" ]
|
||||
[ "services" "komodo-periphery" "disableContainerTerminals" ]
|
||||
)
|
||||
(mkRemovedOptionModule [ "services" "komodo-periphery" "passkeys" ]
|
||||
"services.komodo-periphery.passkeys has been removed. Use passkeyFiles for v1.X compatibility, or migrate to auth.privateKey and auth.corePublicKeys (v2.0+)."
|
||||
)
|
||||
(mkRemovedOptionModule [ "services" "komodo-periphery" "outbound" "onboardingKey" ]
|
||||
"services.komodo-periphery.outbound.onboardingKey has been removed. Use outbound.onboardingKeyFile instead for better security."
|
||||
)
|
||||
];
|
||||
|
||||
options.services.komodo-periphery = {
|
||||
enable = lib.mkEnableOption "Periphery, a multi-server Docker and Git deployment agent by Komodo";
|
||||
|
||||
package = lib.mkPackageOption pkgs "komodo" { };
|
||||
|
||||
dockerHost = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Docker host socket URI to use for container operations.
|
||||
If null, uses the default Docker socket and automatically enables Docker.
|
||||
Set this to use alternative container runtimes like Podman or remote Docker hosts.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
# Podman rootless
|
||||
"unix:///run/user/1000/podman/podman.sock"
|
||||
|
||||
# Podman rootful
|
||||
"unix:///run/podman/podman.sock"
|
||||
|
||||
# Remote Docker
|
||||
"tcp://192.168.1.100:2375"
|
||||
'';
|
||||
};
|
||||
|
||||
configFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to the Periphery configuration file.
|
||||
|
||||
- If `null` (default), a configuration file will be automatically generated
|
||||
from the module options (recommended for most users).
|
||||
- If set to a path, that file will be used directly as the configuration file.
|
||||
- You can also use `pkgs.writeText` to write configuration inline in your NixOS configuration.
|
||||
|
||||
When using a custom config file, all other module options (except `package`, `user`, `group`,
|
||||
`environment`, and `environmentFile`) will be ignored.
|
||||
'';
|
||||
description = "Path to the periphery configuration file. If null, a configuration file will be generated from the module options.";
|
||||
example = lib.literalExpression ''
|
||||
# Option 1: Use an existing config file
|
||||
"/etc/komodo/periphery.toml"
|
||||
|
||||
# Option 2: Write config inline using pkgs.writeText
|
||||
pkgs.writeText "periphery.toml" '''
|
||||
root_directory = "/var/lib/komodo-periphery"
|
||||
|
||||
logging.level = "info"
|
||||
logging.stdio = "standard"
|
||||
port = 8120
|
||||
bind_ip = "[::]"
|
||||
ssl_enabled = true
|
||||
[logging]
|
||||
level = "info"
|
||||
'''
|
||||
'';
|
||||
};
|
||||
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 8120;
|
||||
description = "Port for the Periphery agent to listen on.";
|
||||
};
|
||||
|
||||
bindIp = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "[::]";
|
||||
description = "IP address to bind to.";
|
||||
};
|
||||
|
||||
rootDirectory = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/komodo-periphery";
|
||||
description = "Root directory for Komodo Periphery data.";
|
||||
};
|
||||
|
||||
repoDir = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
defaultText = lib.literalExpression ''"''${config.services.komodo-periphery.rootDirectory}/repos"'';
|
||||
description = "Directory for Komodo Periphery to manage repos. If null, defaults to `\${rootDirectory}/repos`.";
|
||||
};
|
||||
ssl = {
|
||||
enable = lib.mkEnableOption "SSL/TLS support" // {
|
||||
default = true;
|
||||
};
|
||||
|
||||
stackDir = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
defaultText = lib.literalExpression ''"''${config.services.komodo-periphery.rootDirectory}/stacks"'';
|
||||
description = "Directory for Komodo Periphery to manage stacks. If null, defaults to `\${rootDirectory}/stacks`.";
|
||||
};
|
||||
keyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${cfg.rootDirectory}/ssl/key.pem";
|
||||
defaultText = lib.literalExpression ''"''${config.services.komodo-periphery.rootDirectory}/ssl/key.pem"'';
|
||||
description = "Path to SSL key file.";
|
||||
};
|
||||
|
||||
buildDir = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
defaultText = lib.literalExpression ''"''${config.services.komodo-periphery.rootDirectory}/builds"'';
|
||||
description = "Directory for Komodo Periphery to manage builds. If null, defaults to `\${rootDirectory}/builds`.";
|
||||
certFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${cfg.rootDirectory}/ssl/cert.pem";
|
||||
defaultText = lib.literalExpression ''"''${config.services.komodo-periphery.rootDirectory}/ssl/cert.pem"'';
|
||||
description = "Path to SSL certificate file.";
|
||||
};
|
||||
};
|
||||
|
||||
logging = {
|
||||
@@ -226,41 +139,26 @@ in
|
||||
description = "OpenTelemetry OTLP endpoint for traces.";
|
||||
example = "http://localhost:4317";
|
||||
};
|
||||
|
||||
opentelemetryServiceName = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "Periphery";
|
||||
description = "(v2.0+) OpenTelemetry service name attached to telemetry.";
|
||||
};
|
||||
|
||||
opentelemetryScopeName = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "Komodo";
|
||||
description = "(v2.0+) OpenTelemetry scope name attached to telemetry.";
|
||||
};
|
||||
|
||||
pretty = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "(v2.0+) Enable human-readable logging (multi-line).";
|
||||
};
|
||||
};
|
||||
|
||||
prettyStartupConfig = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "(v2.0+) Enable human-readable startup config log (multi-line).";
|
||||
allowedIps = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
description = "IP addresses or subnets allowed to call the periphery API. Empty list allows all.";
|
||||
example = [
|
||||
"::ffff:12.34.56.78"
|
||||
"10.0.10.0/24"
|
||||
];
|
||||
};
|
||||
|
||||
passkeyFiles = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
passkeys = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
Path to file containing passkeys (v1.X compatibility).
|
||||
This will be passed via `PERIPHERY_PASSKEYS_FILE` environment variable.
|
||||
Consider migrating to the new v2.0+ authentication mechanism.
|
||||
Passkeys required to access the periphery API.
|
||||
WARNING: These will be stored in the Nix store in plain text!
|
||||
'';
|
||||
example = "/run/secrets/komodo-passkey";
|
||||
example = [ "your-secure-passkey" ];
|
||||
};
|
||||
|
||||
extraSettings = lib.mkOption {
|
||||
@@ -272,23 +170,16 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
defaultTerminalCommand = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "bash";
|
||||
description = "(v2.0+) Default terminal command used to initialize the shell.";
|
||||
example = "zsh";
|
||||
};
|
||||
|
||||
disableTerminals = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Disable remote shell access through Periphery.";
|
||||
};
|
||||
|
||||
disableContainerTerminals = lib.mkOption {
|
||||
disableContainerExec = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "(v2.0+) Disable remote container shell access through Periphery.";
|
||||
description = "Disable remote container shell access through Periphery.";
|
||||
};
|
||||
|
||||
statsPollingRate = lib.mkOption {
|
||||
@@ -331,147 +222,6 @@ in
|
||||
];
|
||||
};
|
||||
|
||||
auth = {
|
||||
privateKey = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
(v2.0+) Private key used with the Noise handshake.
|
||||
|
||||
Use `file:/path/to/file` prefix to load from a file. If the file doesn't exist,
|
||||
Periphery will generate and write a new key to the path.
|
||||
|
||||
If empty, defaults to `file:''${rootDirectory}/keys/periphery.key`.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
# Reference a secret file
|
||||
"file:''${config.age.secrets.komodo-private-key.path}"
|
||||
|
||||
# Or direct path
|
||||
"file:/run/secrets/komodo-private-key"
|
||||
'';
|
||||
};
|
||||
|
||||
corePublicKeys = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
(v2.0+) Accepted public keys to allow Core(s) to connect.
|
||||
Accepts Spki base64 DER directly or can reference files using `file:/path/to/core.pub` prefix.
|
||||
You can mix direct keys and file references.
|
||||
|
||||
For better security, use the `file:` prefix to reference secret files.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
[
|
||||
# Direct key value
|
||||
"MCowBQYDK2VuAyEATZgrjGHeF0KJUe0+n77+qAWOg3YzEzXOmQWaRgO3OGQ="
|
||||
# Reference secret files
|
||||
"file:''${config.age.secrets.komodo-core1-pub.path}"
|
||||
"file:''${config.age.secrets.komodo-core2-pub.path}"
|
||||
]
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
inbound = {
|
||||
serverEnabled = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.bool;
|
||||
default = null;
|
||||
description = ''
|
||||
Enable the inbound connection server for Core -> Periphery connections.
|
||||
If null, defaults to false when `outbound.coreAddress` is defined, otherwise true.
|
||||
'';
|
||||
};
|
||||
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 8120;
|
||||
description = "Port for the inbound Periphery server to listen on.";
|
||||
};
|
||||
|
||||
bindIp = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "[::]";
|
||||
description = ''
|
||||
IP address the periphery server will bind to.
|
||||
The default allows external IPv4 and IPv6 connections.
|
||||
'';
|
||||
};
|
||||
|
||||
allowedIps = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
Limit the IP addresses which can connect to Periphery.
|
||||
Supports IPv4/IPv6 addresses and subnets.
|
||||
Empty list allows all connections.
|
||||
'';
|
||||
example = [
|
||||
"::ffff:12.34.56.78"
|
||||
"10.0.10.0/24"
|
||||
];
|
||||
};
|
||||
|
||||
ssl = {
|
||||
enable = lib.mkEnableOption "(v2.0+) SSL/TLS support for inbound connections" // {
|
||||
default = true;
|
||||
};
|
||||
|
||||
keyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${cfg.rootDirectory}/ssl/key.pem";
|
||||
defaultText = lib.literalExpression ''"''${config.services.komodo-periphery.rootDirectory}/ssl/key.pem"'';
|
||||
description = ''
|
||||
Path to SSL key file.
|
||||
If the file doesn't exist and SSL is enabled, self-signed keys will be generated using openssl.
|
||||
'';
|
||||
};
|
||||
|
||||
certFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${cfg.rootDirectory}/ssl/cert.pem";
|
||||
defaultText = lib.literalExpression ''"''${config.services.komodo-periphery.rootDirectory}/ssl/cert.pem"'';
|
||||
description = ''
|
||||
Path to SSL certificate file.
|
||||
If the file doesn't exist and SSL is enabled, self-signed certificate will be generated using openssl.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
outbound = {
|
||||
coreAddress = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
(v2.0+) The address of Komodo Core. Must be reachable from this host.
|
||||
If provided, Periphery will operate in outbound mode.
|
||||
'';
|
||||
example = "demo.komo.do";
|
||||
};
|
||||
|
||||
connectAs = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
(v2.0+) The Server this Periphery agent should connect as.
|
||||
Must match an existing Server name or id.
|
||||
'';
|
||||
example = "server-name";
|
||||
};
|
||||
|
||||
onboardingKeyFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
(v2.0+) Path to file containing the onboarding key.
|
||||
This will be passed via `PERIPHERY_ONBOARDING_KEY_FILE` environment variable.
|
||||
'';
|
||||
example = lib.literalExpression ''"''${config.age.secrets.komodo-onboarding.path}"'';
|
||||
};
|
||||
};
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "komodo-periphery";
|
||||
@@ -503,14 +253,14 @@ in
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
virtualisation.docker.enable = lib.mkDefault (cfg.dockerHost == null);
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
users.users.${cfg.user} = lib.mkIf (cfg.user == "komodo-periphery") {
|
||||
isSystemUser = true;
|
||||
group = cfg.group;
|
||||
description = "Komodo Periphery service user";
|
||||
home = cfg.rootDirectory;
|
||||
extraGroups = lib.optional (cfg.dockerHost == null) "docker";
|
||||
extraGroups = [ "docker" ];
|
||||
};
|
||||
|
||||
users.groups.${cfg.group} = lib.mkIf (cfg.group == "komodo-periphery") { };
|
||||
@@ -521,26 +271,16 @@ in
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
};
|
||||
"${actualRepoDir}".d = {
|
||||
"${cfg.rootDirectory}/repos".d = {
|
||||
mode = "0755";
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
};
|
||||
"${actualStackDir}".d = {
|
||||
"${cfg.rootDirectory}/stacks".d = {
|
||||
mode = "0755";
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
};
|
||||
"${actualBuildDir}".d = {
|
||||
mode = "0755";
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
};
|
||||
"${cfg.rootDirectory}/keys".d = {
|
||||
mode = "0700";
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
};
|
||||
"${cfg.rootDirectory}/ssl".d = {
|
||||
mode = "0700";
|
||||
user = cfg.user;
|
||||
@@ -552,63 +292,35 @@ in
|
||||
description = "Komodo Periphery - Multi-server Docker and Git deployment agent";
|
||||
after = [
|
||||
"network-online.target"
|
||||
]
|
||||
++ lib.optional (cfg.dockerHost == null) "docker.service";
|
||||
"docker.service"
|
||||
];
|
||||
wants = [
|
||||
"network-online.target"
|
||||
]
|
||||
++ lib.optional (cfg.dockerHost == null) "docker.service";
|
||||
"docker.service"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
SupplementaryGroups = lib.mkIf (cfg.dockerHost == null) [ "docker" ];
|
||||
SupplementaryGroups = [ "docker" ];
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
WorkingDirectory = cfg.rootDirectory;
|
||||
|
||||
ExecStart = lib.escapeShellArgs [
|
||||
(lib.getExe' cfg.package "periphery")
|
||||
"${lib.getExe' cfg.package "periphery"}"
|
||||
"--config-path"
|
||||
configFile
|
||||
(if cfg.configFile != null then cfg.configFile else configFile)
|
||||
];
|
||||
|
||||
Environment = lib.mapAttrsToList (name: value: "${name}=${value}") (
|
||||
lib.optionalAttrs (cfg.configFile == null) {
|
||||
PERIPHERY_ROOT_DIRECTORY = cfg.rootDirectory;
|
||||
PERIPHERY_REPO_DIR = actualRepoDir;
|
||||
PERIPHERY_STACK_DIR = actualStackDir;
|
||||
PERIPHERY_BUILD_DIR = actualBuildDir;
|
||||
cfg.environment
|
||||
// lib.optionalAttrs (!cfg.disableTerminals) {
|
||||
PATH = "/run/current-system/sw/bin:/run/wrappers/bin";
|
||||
}
|
||||
// lib.optionalAttrs (cfg.configFile == null && cfg.inbound.ssl.enable) {
|
||||
PERIPHERY_SSL_KEY_FILE = cfg.inbound.ssl.keyFile;
|
||||
PERIPHERY_SSL_CERT_FILE = cfg.inbound.ssl.certFile;
|
||||
}
|
||||
// lib.optionalAttrs (cfg.dockerHost != null) {
|
||||
DOCKER_HOST = cfg.dockerHost;
|
||||
}
|
||||
// lib.optionalAttrs (cfg.passkeyFiles != null) {
|
||||
PERIPHERY_PASSKEYS_FILE = cfg.passkeyFiles;
|
||||
}
|
||||
// lib.optionalAttrs (cfg.auth.privateKey != "") {
|
||||
PERIPHERY_PRIVATE_KEY = cfg.auth.privateKey;
|
||||
}
|
||||
// lib.optionalAttrs (cfg.auth.corePublicKeys != [ ]) {
|
||||
PERIPHERY_CORE_PUBLIC_KEYS = lib.concatStringsSep "," cfg.auth.corePublicKeys;
|
||||
}
|
||||
// lib.optionalAttrs (cfg.outbound.onboardingKeyFile != null) {
|
||||
PERIPHERY_ONBOARDING_KEY_FILE = cfg.outbound.onboardingKeyFile;
|
||||
}
|
||||
// cfg.environment
|
||||
);
|
||||
|
||||
ExecSearchPath = lib.mkIf (!cfg.disableTerminals) [
|
||||
"/run/current-system/sw/bin"
|
||||
"/run/wrappers/bin"
|
||||
];
|
||||
|
||||
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
|
||||
|
||||
StateDirectory = "komodo-periphery";
|
||||
@@ -617,7 +329,7 @@ in
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = "read-only";
|
||||
ProtectHome = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -10,7 +10,7 @@ in
|
||||
{
|
||||
options.services.oo7 = {
|
||||
enable = lib.mkEnableOption ''
|
||||
oo7, a service providing the Secret Service D-Bus API
|
||||
oo7, a service providing the Secret Service D-Bus API.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
@@ -40,6 +40,7 @@ in
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
seatd
|
||||
sdnotify-wrapper
|
||||
];
|
||||
users.groups.seat = lib.mkIf (cfg.group == "seat") { };
|
||||
|
||||
@@ -54,7 +55,7 @@ in
|
||||
Type = "notify";
|
||||
NotifyAccess = "all";
|
||||
SyslogIdentifier = "seatd";
|
||||
ExecStart = "${lib.getExe' pkgs.s6 "s6-notify-socket-from-fd"} ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
|
||||
ExecStart = "${pkgs.sdnotify-wrapper}/bin/sdnotify-wrapper ${pkgs.seatd.bin}/bin/seatd -n 1 -u ${cfg.user} -g ${cfg.group} -l ${cfg.logLevel}";
|
||||
RestartSec = 1;
|
||||
Restart = "always";
|
||||
};
|
||||
|
||||
@@ -80,9 +80,6 @@ in
|
||||
unitConfig = lib.optionalAttrs cfg.startWithGraphical {
|
||||
After = "graphical-session.target";
|
||||
};
|
||||
|
||||
# Long-lived session that ought to only be restarted manually
|
||||
restartIfChanged = false;
|
||||
}
|
||||
// lib.optionalAttrs cfg.enable {
|
||||
wantedBy = if cfg.startWithGraphical then [ "graphical-session.target" ] else [ "default.target" ];
|
||||
|
||||
@@ -58,17 +58,17 @@ stdenv.mkDerivation {
|
||||
dontConfigure = true;
|
||||
|
||||
buildPhase = ''
|
||||
TARGET_DIR="$out/tmp"
|
||||
TARGET_DIR="$out/etc/opt/brother/scanner/brscan5"
|
||||
mkdir -p "$TARGET_DIR"
|
||||
cp -rp "./models" "$TARGET_DIR"
|
||||
cp -rp "./brscan5.ini" "$TARGET_DIR"
|
||||
cp -rp "./brsanenetdevice.cfg" "$TARGET_DIR"
|
||||
export NIX_REDIRECTS="/etc/opt/brother/scanner/brscan5/=$TARGET_DIR/"
|
||||
printf '${addAllNetDev netDevices}\n'
|
||||
${addAllNetDev netDevices}
|
||||
|
||||
mkdir -p "$out/etc/opt/brother/scanner/brscan5"
|
||||
mv -T "$TARGET_DIR" "$out/etc/opt/brother/scanner/brscan5"
|
||||
export NIX_REDIRECTS="/etc/opt/brother/scanner/brscan5/=$TARGET_DIR/"
|
||||
|
||||
printf '${addAllNetDev netDevices}\n'
|
||||
|
||||
${addAllNetDev netDevices}
|
||||
'';
|
||||
|
||||
dontInstall = true;
|
||||
|
||||
@@ -1,71 +0,0 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
mkIf
|
||||
mkOption
|
||||
mkEnableOption
|
||||
mkPackageOption
|
||||
getExe
|
||||
;
|
||||
inherit (lib.types) submodule;
|
||||
|
||||
cfg = config.services.watt;
|
||||
|
||||
format = pkgs.formats.toml { };
|
||||
cfgFile = format.generate "watt-config.toml" cfg.settings;
|
||||
|
||||
conflictingServices = [
|
||||
"power-profiles-daemon"
|
||||
"auto-cpufreq"
|
||||
"tlp"
|
||||
"cpupower-gui"
|
||||
"thermald"
|
||||
];
|
||||
|
||||
in
|
||||
{
|
||||
options.services.watt = {
|
||||
enable = mkEnableOption "automatic CPU speed & power optimizer for Linux";
|
||||
package = mkPackageOption pkgs "watt" { };
|
||||
|
||||
settings = mkOption {
|
||||
default = { };
|
||||
type = submodule { freeformType = format.type; };
|
||||
description = "Configuration for Watt. Options at https://github.com/notaShelf/watt";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = map (service: {
|
||||
assertion = !config.services.${service}.enable;
|
||||
message = "You have set services.${service}.enable = true; which conflicts with Watt.";
|
||||
}) conflictingServices;
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
# This is necessary for the Watt CLI. The environment variable
|
||||
# passed to the systemd service will take priority in read order.
|
||||
environment.etc."watt.toml".source = cfgFile;
|
||||
|
||||
services.dbus.packages = [ cfg.package ];
|
||||
|
||||
systemd.services.watt = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
conflicts = map (service: "${service}.service") conflictingServices;
|
||||
serviceConfig = {
|
||||
WorkingDirectory = "";
|
||||
ExecStart = getExe cfg.package;
|
||||
Restart = "on-failure";
|
||||
|
||||
RuntimeDirectory = "watt";
|
||||
RuntimeDirectoryMode = "0755";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
@@ -281,7 +281,7 @@ in
|
||||
environment.etc."postsrsd.conf".source = configFile;
|
||||
|
||||
systemd.services.postsrsd = {
|
||||
description = "Sender Rewriting Scheme daemon for Postfix";
|
||||
description = "PostSRSd SRS rewriting server";
|
||||
after = [
|
||||
"network.target"
|
||||
"postsrsd-generate-secrets.service"
|
||||
@@ -289,20 +289,14 @@ in
|
||||
before = [ "postfix.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "postsrsd-generate-secrets.service" ];
|
||||
reloadTriggers = [ configFile ];
|
||||
restartTriggers = [ configFile ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "notify-reload";
|
||||
ExecStart = utils.escapeSystemdExecArgs [
|
||||
(lib.getExe cfg.package)
|
||||
"-C"
|
||||
"/etc/postsrsd.conf"
|
||||
];
|
||||
ExecReload = toString [
|
||||
(lib.getExe' pkgs.coreutils "kill")
|
||||
"-SIGHUP"
|
||||
"$MAINPID"
|
||||
];
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
RuntimeDirectory = "postsrsd";
|
||||
@@ -325,7 +319,7 @@ in
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectProc = "noaccess";
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies =
|
||||
|
||||
@@ -57,7 +57,7 @@ in
|
||||
default = { };
|
||||
description = ''
|
||||
Configuration options for the Stalwart server.
|
||||
See <https://stalw.art/docs/configuration> for available options.
|
||||
See <https://stalw.art/docs/category/configuration> for available options.
|
||||
|
||||
By default, the module is configured to store everything locally.
|
||||
'';
|
||||
|
||||
@@ -13,7 +13,6 @@ in
|
||||
{
|
||||
options.services.dendrite = {
|
||||
enable = lib.mkEnableOption "matrix.org dendrite";
|
||||
package = lib.mkPackageOption pkgs "dendrite" { };
|
||||
httpPort = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.port;
|
||||
default = 8008;
|
||||
@@ -322,7 +321,7 @@ in
|
||||
];
|
||||
ExecStart = lib.strings.concatStringsSep " " (
|
||||
[
|
||||
(lib.getExe cfg.package)
|
||||
"${pkgs.dendrite}/bin/dendrite"
|
||||
"--config /run/dendrite/dendrite.yaml"
|
||||
]
|
||||
++ lib.optionals (cfg.httpPort != null) [
|
||||
|
||||
@@ -45,9 +45,7 @@ let
|
||||
pruned;
|
||||
configFile = format.generate "config.yaml" finalSettings;
|
||||
|
||||
extraConfigFiles = lib.imap0 (
|
||||
i: _: "\${CREDENTIALS_DIRECTORY}/config-${toString i}"
|
||||
) cfg.extraConfigFiles;
|
||||
extraConfigFiles = lib.imap0 (i: _: "%d/config-${toString i}") cfg.extraConfigFiles;
|
||||
runtimeConfig = "/run/matrix-authentication-service/config.yaml";
|
||||
in
|
||||
{
|
||||
|
||||
@@ -22,23 +22,17 @@ in
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment = {
|
||||
# systemd-localed looks into 00-keyboard.conf
|
||||
# systemd-localed does not like if Option values are ""
|
||||
etc."X11/xorg.conf.d/00-keyboard.conf".text =
|
||||
let
|
||||
optionLine =
|
||||
name: value: lib.optionalString (value != null && value != "") ''Option "${name}" "${value}"'';
|
||||
in
|
||||
''
|
||||
Section "InputClass"
|
||||
Identifier "Keyboard catchall"
|
||||
MatchIsKeyboard "on"
|
||||
${optionLine "XkbModel" xcfg.xkb.model}
|
||||
${optionLine "XkbLayout" xcfg.xkb.layout}
|
||||
${optionLine "XkbOptions" xcfg.xkb.options}
|
||||
${optionLine "XkbVariant" xcfg.xkb.variant}
|
||||
EndSection
|
||||
'';
|
||||
# localectl looks into 00-keyboard.conf
|
||||
etc."X11/xorg.conf.d/00-keyboard.conf".text = ''
|
||||
Section "InputClass"
|
||||
Identifier "Keyboard catchall"
|
||||
MatchIsKeyboard "on"
|
||||
Option "XkbModel" "${xcfg.xkb.model}"
|
||||
Option "XkbLayout" "${xcfg.xkb.layout}"
|
||||
Option "XkbOptions" "${xcfg.xkb.options}"
|
||||
Option "XkbVariant" "${xcfg.xkb.variant}"
|
||||
EndSection
|
||||
'';
|
||||
systemPackages = with pkgs; [
|
||||
nixos-icons # needed for gnome and pantheon about dialog, nixos-manual and maybe more
|
||||
xdg-utils
|
||||
|
||||
@@ -245,19 +245,19 @@ in
|
||||
};
|
||||
|
||||
components = {
|
||||
subversion = lib.mkEnableOption "Subversion integration";
|
||||
subversion = lib.mkEnableOption "Subversion integration.";
|
||||
|
||||
mercurial = lib.mkEnableOption "Mercurial integration";
|
||||
mercurial = lib.mkEnableOption "Mercurial integration.";
|
||||
|
||||
git = lib.mkEnableOption "git integration";
|
||||
git = lib.mkEnableOption "git integration.";
|
||||
|
||||
cvs = lib.mkEnableOption "cvs integration";
|
||||
cvs = lib.mkEnableOption "cvs integration.";
|
||||
|
||||
breezy = lib.mkEnableOption "bazaar integration";
|
||||
breezy = lib.mkEnableOption "bazaar integration.";
|
||||
|
||||
imagemagick = lib.mkEnableOption "exporting Gant diagrams as PNG";
|
||||
imagemagick = lib.mkEnableOption "exporting Gant diagrams as PNG.";
|
||||
|
||||
ghostscript = lib.mkEnableOption "exporting Gant diagrams as PDF";
|
||||
ghostscript = lib.mkEnableOption "exporting Gant diagrams as PDF.";
|
||||
|
||||
minimagick_font_path = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
@@ -265,8 +265,6 @@ in
|
||||
description = "MiniMagick font path";
|
||||
example = "/run/current-system/sw/share/X11/fonts/LiberationSans-Regular.ttf";
|
||||
};
|
||||
|
||||
pandoc = lib.mkEnableOption "pandoc integration for previewing LibreOffice and Microsoft Office documents";
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -312,7 +310,6 @@ in
|
||||
imagemagick_convert_command = lib.optionalString cfg.components.imagemagick "${pkgs.imagemagick}/bin/convert";
|
||||
gs_command = lib.optionalString cfg.components.ghostscript "${pkgs.ghostscript}/bin/gs";
|
||||
minimagick_font_path = "${cfg.components.minimagick_font_path}";
|
||||
pandoc_command = lib.optionalString cfg.components.pandoc "${pkgs.pandoc}/bin/pandoc";
|
||||
};
|
||||
};
|
||||
|
||||
@@ -460,7 +457,7 @@ in
|
||||
Group = cfg.group;
|
||||
TimeoutSec = "300";
|
||||
WorkingDirectory = "${cfg.package}/share/redmine";
|
||||
ExecStart = "${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port}";
|
||||
ExecStart = "${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'";
|
||||
RuntimeDirectory = "redmine";
|
||||
RuntimeDirectoryMode = "0750";
|
||||
AmbientCapabilities = "";
|
||||
|
||||
@@ -90,5 +90,8 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ nanoyaki ];
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
diniamo
|
||||
nanoyaki
|
||||
];
|
||||
}
|
||||
|
||||
@@ -94,8 +94,8 @@ in
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${pkgs.prometheus-imap-mailstat-exporter}/bin/imap-mailstat-exporter \
|
||||
--config.file="${createConfigFile cfg.accounts}" \
|
||||
${optionalString cfg.oldestUnseenDate "--oldestunseen.feature"} \
|
||||
-config ${createConfigFile cfg.accounts} \
|
||||
${optionalString cfg.oldestUnseenDate "-oldestunseendate"} \
|
||||
${concatStringsSep " \\\n " cfg.extraFlags}
|
||||
'';
|
||||
};
|
||||
|
||||
@@ -102,7 +102,7 @@ in
|
||||
${lib.getExe pkgs.envsubst} \
|
||||
-i ${configuration} \
|
||||
-o ${configFilePath}
|
||||
umask "$old_umask"
|
||||
umask $old_umask
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
|
||||
@@ -6,32 +6,17 @@
|
||||
}:
|
||||
let
|
||||
cfg = config.services.vnstat;
|
||||
settingsFormat = pkgs.formats.keyValue { };
|
||||
in
|
||||
{
|
||||
options.services.vnstat = {
|
||||
enable = lib.mkEnableOption "update of network usage statistics via vnstatd";
|
||||
package = lib.mkPackageOption pkgs "vnstat" { };
|
||||
settings = lib.mkOption {
|
||||
type = lib.types.submodule { freeformType = settingsFormat.type; };
|
||||
default = { };
|
||||
description = ''
|
||||
Configuration for vnstat. Refer to
|
||||
[https://humdi.net/vnstat/man/vnstat.conf.html]
|
||||
or {manpage}`vnstat.conf(5)` for more information.
|
||||
'';
|
||||
example = {
|
||||
AlwaysAddNewInterfaces = 1;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
environment.etc."vnstat.conf".source = settingsFormat.generate "vnstat.conf" cfg.settings;
|
||||
|
||||
users = {
|
||||
groups.vnstatd = { };
|
||||
|
||||
@@ -74,8 +59,4 @@ in
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta = {
|
||||
maintainers = with lib.maintainers; [ hmenke ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -132,7 +132,7 @@ in
|
||||
description = "socket for fast remote file copy program daemon";
|
||||
conflicts = [ "rsync.service" ];
|
||||
|
||||
listenStreams = [ cfg.port ];
|
||||
listenStreams = [ (toString cfg.port) ];
|
||||
socketConfig.Accept = true;
|
||||
|
||||
wantedBy = [ "sockets.target" ];
|
||||
|
||||
@@ -44,7 +44,7 @@ in
|
||||
settings = mkOption {
|
||||
description = ''
|
||||
Headplane configuration options. Generates a YAML config file.
|
||||
See <https://github.com/tale/headplane/blob/main/config.example.yaml>.
|
||||
See: https://github.com/tale/headplane/blob/main/config.example.yaml
|
||||
'';
|
||||
type = types.submodule {
|
||||
options = {
|
||||
@@ -129,16 +129,6 @@ in
|
||||
headscale = mkOption {
|
||||
type = types.submodule {
|
||||
options = {
|
||||
api_key_path = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing a Headscale API key.
|
||||
This is required for OIDC authentication aswell for the Headplane agent.
|
||||
'';
|
||||
example = lib.literalExpression "config.sops.secrets.headplane_pre_authkey.path";
|
||||
};
|
||||
|
||||
url = mkOption {
|
||||
type = types.str;
|
||||
default = "http://127.0.0.1:${toString config.services.headscale.port}";
|
||||
@@ -221,6 +211,15 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
pre_authkey_path = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing a Headscale pre-auth key for the agent.
|
||||
'';
|
||||
example = lib.literalExpression "config.sops.secrets.headplane_pre_authkey.path";
|
||||
};
|
||||
|
||||
executable_path = mkOption {
|
||||
type = types.path;
|
||||
readOnly = true;
|
||||
@@ -238,14 +237,20 @@ in
|
||||
};
|
||||
|
||||
cache_ttl = mkOption {
|
||||
type = types.ints.positive;
|
||||
default = 180000;
|
||||
type = types.nullOr types.int;
|
||||
default = null;
|
||||
description = ''
|
||||
How long to cache agent information (in milliseconds).
|
||||
If you want data to update faster, reduce the TTL, but this will increase the frequency of requests to Headscale.
|
||||
Deprecated cache TTL for the agent. This option is accepted
|
||||
by Headplane 0.6.2 but has no effect.
|
||||
'';
|
||||
};
|
||||
|
||||
cache_path = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/headplane/agent_cache.json";
|
||||
description = "The path to store the agent's cache.";
|
||||
};
|
||||
|
||||
work_dir = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/headplane/agent";
|
||||
@@ -320,6 +325,16 @@ in
|
||||
example = lib.literalExpression "config.sops.secrets.oidc_client_secret.path";
|
||||
};
|
||||
|
||||
headscale_api_key_path = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containing the Headscale API key.
|
||||
Required for OIDC authentication.
|
||||
'';
|
||||
example = lib.literalExpression "config.sops.secrets.headscale_api_key.path";
|
||||
};
|
||||
|
||||
disable_api_key_login = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
@@ -351,6 +366,25 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
redirect_uri = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Deprecated OIDC redirect URI. Use services.headplane.settings.server.base_url
|
||||
instead; Headplane derives the callback URL from it.
|
||||
'';
|
||||
example = "https://headplane.example.com/admin/oidc/callback";
|
||||
};
|
||||
|
||||
strict_validation = mkOption {
|
||||
type = types.nullOr types.bool;
|
||||
default = null;
|
||||
description = ''
|
||||
Deprecated OIDC validation setting. This option is accepted
|
||||
by Headplane 0.6.2 but has no effect.
|
||||
'';
|
||||
};
|
||||
|
||||
profile_picture_source = mkOption {
|
||||
type = types.enum [
|
||||
"oidc"
|
||||
@@ -395,6 +429,16 @@ in
|
||||
description = "Custom userinfo endpoint URL.";
|
||||
example = "https://provider.example.com/userinfo";
|
||||
};
|
||||
|
||||
user_storage_file = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Deprecated path to the pre-0.6.2 JSON user database.
|
||||
Headplane uses this once to migrate users into its internal database.
|
||||
'';
|
||||
example = "/var/lib/headplane/users.json";
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
@@ -408,6 +452,33 @@ in
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
warnings =
|
||||
lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.redirect_uri != null) [
|
||||
''
|
||||
services.headplane.settings.oidc.redirect_uri is deprecated by Headplane 0.6.2.
|
||||
Use services.headplane.settings.server.base_url instead; Headplane derives
|
||||
the OIDC callback URL from it.
|
||||
''
|
||||
]
|
||||
++ lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.strict_validation != null) [
|
||||
''
|
||||
services.headplane.settings.oidc.strict_validation is deprecated and has no effect
|
||||
in Headplane 0.6.2.
|
||||
''
|
||||
]
|
||||
++ lib.optionals (cfg.settings.oidc != null && cfg.settings.oidc.user_storage_file != null) [
|
||||
''
|
||||
services.headplane.settings.oidc.user_storage_file is deprecated. Headplane 0.6.2
|
||||
uses it only to migrate the pre-0.6.2 JSON user database into the internal database.
|
||||
''
|
||||
]
|
||||
++ lib.optionals (agentSettings != null && agentSettings.cache_ttl != null) [
|
||||
''
|
||||
services.headplane.settings.integration.agent.cache_ttl is deprecated and has no
|
||||
effect in Headplane 0.6.2.
|
||||
''
|
||||
];
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion = config.services.headscale.enable;
|
||||
@@ -431,25 +502,26 @@ in
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = cfg.settings.oidc == null || cfg.settings.headscale.api_key_path != null;
|
||||
assertion = cfg.settings.oidc == null || cfg.settings.oidc.headscale_api_key_path != null;
|
||||
message = ''
|
||||
services.headplane.settings.headscale.api_key_path must be set
|
||||
when services.headplane.settings.oidc is non-null.
|
||||
Headplane's OIDC flow requires a Headscale API key to mint sessions.
|
||||
services.headplane.settings.oidc.headscale_api_key_path must be set
|
||||
when services.headplane.settings.oidc is non-null. Headplane's OIDC
|
||||
flow requires a Headscale API key to mint sessions.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion =
|
||||
agentSettings == null || !agentSettings.enabled || cfg.settings.headscale.api_key_path != null;
|
||||
agentSettings == null || !agentSettings.enabled || agentSettings.pre_authkey_path != null;
|
||||
message = ''
|
||||
services.headplane.settings.headscale.api_key_path must be set when the agent is enabled.
|
||||
services.headplane.settings.integration.agent.pre_authkey_path must be set
|
||||
when the agent is enabled.
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
environment = {
|
||||
systemPackages = [ cfg.package ];
|
||||
etc."headplane/config.yaml".source = settingsFile;
|
||||
etc."headplane/config.yaml".source = "${settingsFile}";
|
||||
};
|
||||
|
||||
systemd.services.headplane = {
|
||||
@@ -462,7 +534,6 @@ in
|
||||
config.systemd.services.headscale.name
|
||||
];
|
||||
requires = [ config.systemd.services.headscale.name ];
|
||||
restartTriggers = [ settingsFile ];
|
||||
|
||||
environment = {
|
||||
HEADPLANE_DEBUG_LOG = toString cfg.debug;
|
||||
|
||||
@@ -93,10 +93,6 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
warnings = mkIf (!config.systemd.network.enable) [
|
||||
"services.networkd-dispatcher will not execute any scripts unless networkd is enabled, either via `systemd.network.enable` or via `networking.useNetworkd`."
|
||||
];
|
||||
|
||||
systemd = {
|
||||
packages = [ pkgs.networkd-dispatcher ];
|
||||
services.networkd-dispatcher = {
|
||||
|
||||
@@ -1,65 +0,0 @@
|
||||
# NordVPN {#module-services-nordvpn}
|
||||
|
||||
*Source:* {file}`modules/services/networking/nordvpn.nix`
|
||||
|
||||
*Upstream documentation:* <https://github.com/NordSecurity/nordvpn-linux>
|
||||
|
||||
NordVPN offers a paid virtual private network (VPN) service.
|
||||
The service operates as closed-source,
|
||||
but the Linux client uses open-source code licensed under GPLv3.
|
||||
A minimal configuration in NixOS appears as follows:
|
||||
|
||||
```nix
|
||||
{
|
||||
services.nordvpn.enable = true;
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.checkReversePath = "loose";
|
||||
}
|
||||
```
|
||||
|
||||
When using a firewall, set `networking.firewall.checkReversePath` to `"loose"` or `false`.
|
||||
NordVPN includes a `kill-switch` feature that blocks all packets not associated with the VPN connection.
|
||||
|
||||
Additionally, add your user to the `nordvpn` group.
|
||||
|
||||
```nix
|
||||
{
|
||||
users.users.yourUser = {
|
||||
#..
|
||||
extraGroups = [
|
||||
#..
|
||||
"nordvpn"
|
||||
];
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
If you prefer to use your own user and group, you can do so using
|
||||
|
||||
```nix
|
||||
{
|
||||
services.nordvpn.user = "SOME-USER";
|
||||
services.nordvpn.group = "SOME-GROUP";
|
||||
}
|
||||
```
|
||||
|
||||
NordVPN provides several useful CLI commands, including:
|
||||
|
||||
```bash
|
||||
nordvpn login # Log in using an OAuth URL
|
||||
nordvpn login --token <token> # Log in with a token obtained from your NordVPN account
|
||||
nordvpn c # Connect to the VPN
|
||||
nordvpn c ie # Connect to a NordVPN server in Ireland
|
||||
nordvpn d # Disconnect from the VPN
|
||||
nordvpn set technology openvpn # Switch to OpenVPN technology
|
||||
nordvpn c # Reconnect after changing technology
|
||||
```
|
||||
|
||||
Additionally, if you prefer to use the friendly GUI,
|
||||
|
||||
```bash
|
||||
nordvpn-gui
|
||||
```
|
||||
|
||||
**Disclaimer:** NixOS currently does not support meshnet.
|
||||
Contributions welcome!
|
||||
@@ -1,171 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
cfg = config.services.nordvpn;
|
||||
defaultUser = "nordvpn";
|
||||
defaultGroup = "nordvpn";
|
||||
|
||||
nordvpn =
|
||||
let
|
||||
cli = cfg.package.cli.overrideAttrs (old: {
|
||||
preBuild =
|
||||
let
|
||||
extraPreBuild = lib.optionalString (cfg.group != defaultGroup) ''
|
||||
substituteInPlace internal/permissions.go \
|
||||
--replace-fail \
|
||||
'string{"nordvpn"}' \
|
||||
'string{"${cfg.group}"}'
|
||||
|
||||
substituteInPlace internal/constants.go \
|
||||
--replace-fail \
|
||||
'NordvpnGroup = "nordvpn"' \
|
||||
'NordvpnGroup = "${cfg.group}"'
|
||||
'';
|
||||
in
|
||||
extraPreBuild + (old.preBuild or "");
|
||||
|
||||
# postFixup wraps nordvpnd so that it can find binaries that it calls.
|
||||
# here, instead, use systemd to update the path to those binaries.
|
||||
postFixup = "";
|
||||
});
|
||||
in
|
||||
pkgs.symlinkJoin {
|
||||
inherit (cfg.package) pname version meta;
|
||||
paths = [
|
||||
cli
|
||||
cfg.package.gui
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
options.services.nordvpn = {
|
||||
enable = lib.mkEnableOption "Enable NordVPN";
|
||||
package = lib.mkPackageOption pkgs "nordvpn" { };
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = defaultUser;
|
||||
description = ''
|
||||
The User that owns the `nordvpnd` systemd process.
|
||||
If overriding the default, a user with the same name must exist.
|
||||
'';
|
||||
};
|
||||
group = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = defaultGroup;
|
||||
description = ''
|
||||
The Group that owns the `nordvpnd` systemd process.
|
||||
If overriding the default, a group with the same name must exist.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# create the default user if that's the one used
|
||||
users.users = lib.mkIf (cfg.user == defaultUser) {
|
||||
${defaultUser} = {
|
||||
description = "User that runs `nordvpnd`.";
|
||||
group = cfg.group;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
# create the default group if that's the one used
|
||||
users.groups = lib.mkIf (cfg.group == defaultGroup) {
|
||||
${defaultGroup} = { };
|
||||
};
|
||||
|
||||
# nordvpnd uses resolved to configure dns
|
||||
services.resolved.enable = true;
|
||||
|
||||
# policy that allows nordvpnd to configure dns
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (action.id == "org.freedesktop.resolve1.set-dns-servers"
|
||||
&& subject.isInGroup("${cfg.group}")) {
|
||||
return polkit.Result.YES;
|
||||
}
|
||||
});
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
nordvpn
|
||||
];
|
||||
|
||||
systemd.services.nordvpnd = {
|
||||
after = [ "network-online.target" ];
|
||||
description = "NordVPN daemon.";
|
||||
path = (
|
||||
with pkgs;
|
||||
[
|
||||
e2fsprogs
|
||||
iproute2
|
||||
libxslt
|
||||
nftables
|
||||
procps
|
||||
wireguard-tools
|
||||
]
|
||||
++ [ nordvpn ]
|
||||
);
|
||||
serviceConfig = {
|
||||
# nordvpnd needs CAP_NET_ADMIN to configure network interfaces
|
||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||
ExecStart = lib.getExe' nordvpn "nordvpnd";
|
||||
Group = cfg.group;
|
||||
KillMode = "process";
|
||||
NonBlocking = true;
|
||||
Requires = "nordvpnd.socket";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
RuntimeDirectory = "nordvpn";
|
||||
RuntimeDirectoryMode = "0750";
|
||||
StateDirectory = "nordvpn";
|
||||
StateDirectoryMode = "0750";
|
||||
User = cfg.user;
|
||||
};
|
||||
wantedBy = [ "default.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
};
|
||||
|
||||
systemd.sockets.nordvpnd = {
|
||||
description = "NordVPN Daemon Socket";
|
||||
listenStreams = [ "/run/nordvpn/nordvpnd.sock" ];
|
||||
partOf = [ "nordvpnd.service" ];
|
||||
socketConfig = {
|
||||
DirectoryMode = "0750";
|
||||
NoDelay = true;
|
||||
SocketGroup = cfg.group;
|
||||
SocketMode = "0770";
|
||||
SocketUser = cfg.user;
|
||||
};
|
||||
wantedBy = [ "sockets.target" ];
|
||||
};
|
||||
|
||||
systemd.user.services.norduserd = {
|
||||
after = [ "network-online.target" ];
|
||||
description = "NordUserD Service";
|
||||
serviceConfig = {
|
||||
ExecStart = lib.getExe' nordvpn "norduserd";
|
||||
NonBlocking = true;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
};
|
||||
wantedBy = [ "graphical-session.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
meta = {
|
||||
doc = ./nordvpn.md;
|
||||
maintainers = with lib.maintainers; [ different-error ];
|
||||
};
|
||||
}
|
||||
@@ -232,10 +232,6 @@ in
|
||||
"openssh"
|
||||
"banner"
|
||||
] "Use services.openssh.settings.Banner instead.")
|
||||
(lib.mkRenamedOptionModule
|
||||
[ "services" "openssh" "moduliFile" ]
|
||||
[ "services" "openssh" "settings" "ModuliFile" ]
|
||||
)
|
||||
];
|
||||
|
||||
###### interface
|
||||
@@ -733,14 +729,6 @@ in
|
||||
'';
|
||||
example = "/etc/ssh/banner";
|
||||
};
|
||||
ModuliFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${config.services.openssh.package}/etc/ssh/moduli";
|
||||
defaultText = lib.literalExpression ''"''${config.services.openssh.package}/etc/ssh/moduli"'';
|
||||
description = ''
|
||||
Specifies the {manpage}`moduli(5)` file to use for Diffie-Hellman key exchange.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
@@ -752,6 +740,16 @@ in
|
||||
description = "Verbatim contents of {file}`sshd_config`.";
|
||||
};
|
||||
|
||||
moduliFile = lib.mkOption {
|
||||
example = "/etc/my-local-ssh-moduli;";
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
Path to `moduli` file to install in
|
||||
`/etc/ssh/moduli`. If this option is unset, then
|
||||
the `moduli` file shipped with OpenSSH will be used.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
users.users = lib.mkOption {
|
||||
@@ -772,12 +770,14 @@ in
|
||||
};
|
||||
users.groups.sshd = { };
|
||||
|
||||
services.openssh.moduliFile = lib.mkDefault "${cfg.package}/etc/ssh/moduli";
|
||||
services.openssh.sftpServerExecutable = lib.mkDefault "${cfg.package}/libexec/sftp-server";
|
||||
|
||||
environment.etc =
|
||||
authKeysFiles
|
||||
// authPrincipalsFiles
|
||||
// {
|
||||
"ssh/moduli".source = cfg.moduliFile;
|
||||
"ssh/sshd_config".source = sshconf;
|
||||
};
|
||||
|
||||
|
||||
@@ -65,7 +65,6 @@ in
|
||||
DynamicUser = true;
|
||||
|
||||
StateDirectory = "technitium-dns-server";
|
||||
LogsDirectory = "technitium";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = 10;
|
||||
@@ -103,8 +102,5 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
fabianrig
|
||||
awildleon
|
||||
];
|
||||
meta.maintainers = with lib.maintainers; [ fabianrig ];
|
||||
}
|
||||
|
||||
@@ -96,13 +96,13 @@ with lib;
|
||||
config = mkIf cfg.enable {
|
||||
services.tor = mkIf cfg.tor {
|
||||
enable = true;
|
||||
controlPort = 9051;
|
||||
|
||||
settings = {
|
||||
ControlPort = 9051;
|
||||
CacheDirectoryGroupReadable = true;
|
||||
CookieAuthentication = true;
|
||||
CookieAuthFileGroupReadable = true;
|
||||
};
|
||||
extraConfig = ''
|
||||
CacheDirectoryGroupReadable 1
|
||||
CookieAuthentication 1
|
||||
CookieAuthFileGroupReadable 1
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.zeronet = {
|
||||
|
||||
@@ -268,6 +268,15 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
writeOidcJwksConfigFile =
|
||||
oidcIssuerPrivateKeyFile:
|
||||
pkgs.writeText "oidc-jwks.yaml" ''
|
||||
identity_providers:
|
||||
oidc:
|
||||
jwks:
|
||||
- key: {{ secret "${oidcIssuerPrivateKeyFile}" | mindent 10 "|" | msquote }}
|
||||
'';
|
||||
|
||||
# Remove an attribute in a nested set
|
||||
# https://discourse.nixos.org/t/modify-an-attrset-in-nix/29919/5
|
||||
removeAttrByPath =
|
||||
@@ -353,12 +362,7 @@ in
|
||||
execCommand = "${instance.package}/bin/authelia";
|
||||
configFile = format.generate "config.yml" cleanedSettings;
|
||||
oidcJwksConfigFile = lib.optional (instance.secrets.oidcIssuerPrivateKeyFile != null) (
|
||||
pkgs.writeText "oidc-jwks.yaml" ''
|
||||
identity_providers:
|
||||
oidc:
|
||||
jwks:
|
||||
- key: {{ mustEnv "CREDENTIALS_DIRECTORY" | printf "%s/oidcIssuerPrivateKeyFile" | secret | mindent 10 "|" | msquote }}
|
||||
''
|
||||
writeOidcJwksConfigFile instance.secrets.oidcIssuerPrivateKeyFile
|
||||
);
|
||||
configArg = "--config ${
|
||||
builtins.concatStringsSep "," (
|
||||
@@ -369,25 +373,21 @@ in
|
||||
]
|
||||
)
|
||||
}";
|
||||
# Mapping between the Authelia env variables and the secret keys defined in the module
|
||||
envSecretsMap = {
|
||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "jwtSecretFile";
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "storageEncryptionKeyFile";
|
||||
AUTHELIA_SESSION_SECRET_FILE = "sessionSecretFile";
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "oidcHmacSecretFile";
|
||||
};
|
||||
nonNullEnvSecretsMap = lib.filterAttrs (_: v: instance.secrets.${v} != null) envSecretsMap;
|
||||
in
|
||||
{
|
||||
description = "Authelia authentication and authorization server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" ]; # Checks SMTP notifier creds during startup
|
||||
wants = [ "network-online.target" ];
|
||||
environment = {
|
||||
X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";
|
||||
}
|
||||
// lib.mapAttrs (_: v: "%d/${v}") nonNullEnvSecretsMap
|
||||
// instance.environmentVariables;
|
||||
environment =
|
||||
(lib.filterAttrs (_: v: v != null) {
|
||||
X_AUTHELIA_CONFIG_FILTERS = lib.mkIf (oidcJwksConfigFile != [ ]) "template";
|
||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = instance.secrets.jwtSecretFile;
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = instance.secrets.storageEncryptionKeyFile;
|
||||
AUTHELIA_SESSION_SECRET_FILE = instance.secrets.sessionSecretFile;
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = instance.secrets.oidcHmacSecretFile;
|
||||
})
|
||||
// instance.environmentVariables;
|
||||
|
||||
preStart = "${execCommand} ${configArg} validate-config";
|
||||
serviceConfig = {
|
||||
@@ -399,12 +399,6 @@ in
|
||||
StateDirectory = autheliaName instance.name;
|
||||
StateDirectoryMode = "0700";
|
||||
|
||||
LoadCredential =
|
||||
lib.optional (
|
||||
instance.secrets.oidcIssuerPrivateKeyFile != null
|
||||
) "oidcIssuerPrivateKeyFile:${instance.secrets.oidcIssuerPrivateKeyFile}"
|
||||
++ lib.mapAttrsToList (_: v: "${v}:${instance.secrets.${v}}") nonNullEnvSecretsMap;
|
||||
|
||||
# Security options:
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
|
||||
@@ -86,7 +86,7 @@ in
|
||||
The primary motivation for this is an immutable `/etc`, where we cannot
|
||||
write the files directly to `/etc`.
|
||||
|
||||
However this can also serve other use cases, e.g. when `/etc` is on a `tmpfs`.
|
||||
However this an also serve other use cases, e.g. when `/etc` is on a `tmpfs`.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
@@ -149,6 +149,13 @@ in
|
||||
|
||||
protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
|
||||
|
||||
# Limits for file handle resources, this is optimized for
|
||||
# an `ulimit` of 1024 (a common default). You MUST leave
|
||||
# a ceiling of handles reserved for rTorrent's internal needs!
|
||||
network.http.max_open.set = 50
|
||||
network.max_open_files.set = 600
|
||||
network.max_open_sockets.set = 3000
|
||||
|
||||
# Memory resource usage (increase if you have a large number of items loaded,
|
||||
# and/or the available resources to spend)
|
||||
pieces.memory.max.set = 1800M
|
||||
@@ -162,14 +169,15 @@ in
|
||||
execute.nothrow = sh, -c, (cat, "echo >", (session.path), "rtorrent.pid", " ", (system.pid))
|
||||
|
||||
# Other operational settings (check & adapt)
|
||||
encoding.add = utf8
|
||||
system.umask.set = 0027
|
||||
system.cwd.set = (cfg.basedir)
|
||||
network.http.dns_cache_timeout.set = 25
|
||||
schedule = monitor_diskspace, 15, 60, ((close_low_diskspace, 1000M))
|
||||
schedule2 = monitor_diskspace, 15, 60, ((close_low_diskspace, 1000M))
|
||||
|
||||
# Watch directories (add more as you like, but use unique schedule names)
|
||||
#schedule = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "start/*.torrent")))
|
||||
#schedule = watch_load, 11, 10, ((load.normal, (cat, (cfg.watch), "load/*.torrent")))
|
||||
#schedule2 = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "start/*.torrent")))
|
||||
#schedule2 = watch_load, 11, 10, ((load.normal, (cat, (cfg.watch), "load/*.torrent")))
|
||||
|
||||
# Logging:
|
||||
# Levels = critical error warn notice info debug
|
||||
@@ -210,10 +218,6 @@ in
|
||||
RuntimeDirectory = "rtorrent";
|
||||
RuntimeDirectoryMode = 750;
|
||||
|
||||
# rtorrent derives socket limits from this value since 0.16.15; see table in
|
||||
# https://github.com/rakshasa/rtorrent/wiki/Socket-Manager-and-Resource-Allocation
|
||||
LimitNOFILE = lib.mkDefault 16384;
|
||||
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
|
||||
@@ -169,25 +169,11 @@ in
|
||||
enable = true;
|
||||
virtualHosts."${cfg.virtualHost.domain}".extraConfig = ''
|
||||
root * ${cfg.package}
|
||||
encode zstd gzip
|
||||
|
||||
@immutable path /resources/*
|
||||
header @immutable Cache-Control "public, max-age=31536000, immutable"
|
||||
|
||||
@html not path /resources/*
|
||||
header @html Cache-Control "no-store"
|
||||
|
||||
header {
|
||||
-ETag
|
||||
-Last-Modified
|
||||
}
|
||||
|
||||
file_server
|
||||
handle_path /assets/config.yml {
|
||||
root * ${configFile}
|
||||
file_server
|
||||
}
|
||||
|
||||
file_server
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
@@ -134,40 +134,6 @@ in
|
||||
Type = "simple";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 3;
|
||||
|
||||
# systemd hardening, based on jellyfin (also .NET) but stricter
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DevicePolicy = "closed";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = !config.boot.isContainer;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = !config.boot.isContainer;
|
||||
ProtectKernelTunables = !config.boot.isContainer;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
# no AF_NETLINK here since there's no network connection monitoring
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
];
|
||||
RestrictNamespaces = !config.boot.isContainer;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -37,8 +37,6 @@ in
|
||||
|
||||
See [Isso Server Configuration](https://posativ.org/isso/docs/configuration/server/)
|
||||
for supported values.
|
||||
You can set secrets using the secretFile option with environment variables following
|
||||
[the documentation](https://isso-comments.de/docs/reference/server-config/#environment-variables).
|
||||
'';
|
||||
|
||||
type = types.submodule {
|
||||
@@ -53,16 +51,6 @@ in
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
secretFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
A file containing secrets as environment variables that will be used in the configuration.
|
||||
See [the documentation](https://isso-comments.de/docs/reference/server-config/#environment-variables) for details.
|
||||
'';
|
||||
example = "/run/secrets/isso.env";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -77,8 +65,6 @@ in
|
||||
User = "isso";
|
||||
Group = "isso";
|
||||
|
||||
EnvironmentFile = mkIf (cfg.secretFile != null) [ cfg.secretFile ];
|
||||
|
||||
DynamicUser = true;
|
||||
|
||||
StateDirectory = "isso";
|
||||
|
||||
@@ -50,6 +50,7 @@ let
|
||||
environment = pythonEnvironment;
|
||||
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "lasuite-meet";
|
||||
StateDirectory = "lasuite-meet";
|
||||
WorkingDirectory = "/var/lib/lasuite-meet";
|
||||
|
||||
@@ -381,8 +382,6 @@ in
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
# needs to be here so that cronjobs don't nuke it
|
||||
RuntimeDirectory = "lasuite-meet";
|
||||
BindReadOnlyPaths = "${cfg.package}/share/static:/var/lib/lasuite-meet/static";
|
||||
|
||||
ExecStart = utils.escapeSystemdExecArgs (
|
||||
|
||||
@@ -1617,7 +1617,8 @@ in
|
||||
MemoryDenyWriteExecute =
|
||||
!(
|
||||
(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules)
|
||||
|| (lib.getName cfg.package == "openresty")
|
||||
|| cfg.lua.enable
|
||||
|| (cfg.package == pkgs.openresty)
|
||||
);
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
|
||||
@@ -1,151 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.services.rustfs;
|
||||
in
|
||||
{
|
||||
meta.maintainers = with lib.maintainers; [
|
||||
marcel
|
||||
];
|
||||
|
||||
options.services.rustfs = {
|
||||
enable = lib.mkEnableOption "RustFS Object Storage Server";
|
||||
|
||||
package = lib.mkPackageOption pkgs "rustfs" { };
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "rustfs";
|
||||
description = "The user RustFS should run as.";
|
||||
};
|
||||
|
||||
group = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "rustfs";
|
||||
description = "The group RustFS should run as.";
|
||||
};
|
||||
|
||||
settings = lib.mkOption {
|
||||
default = { };
|
||||
description = ''
|
||||
Options for RustFS configuration. Refer to
|
||||
<https://docs.rustfs.com/installation/linux/single-node-single-disk.html#_5-configure-environment-variables>
|
||||
for details on supported values.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
{
|
||||
RUSTFS_CONSOLE_ENABLE = "true";
|
||||
RUSTFS_VOLUMES = "/mnt/rustfs";
|
||||
}
|
||||
'';
|
||||
type = lib.types.submodule {
|
||||
freeformType = lib.types.attrsOf (
|
||||
lib.types.oneOf [
|
||||
lib.types.str
|
||||
lib.types.int
|
||||
]
|
||||
);
|
||||
options = {
|
||||
RUSTFS_VOLUMES = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/rustfs";
|
||||
description = "The directory where RustFS stores it's data.";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
environmentFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Path to environment file containing secrets like RUSTFS_ACCESS_KEY or RUSTFS_SECRET_KEY.";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = !(cfg.settings ? RUSTFS_ACCESS_KEY);
|
||||
message = "RUSTFS_ACCESS_KEY must not be set in services.rustfs.settings. Use environmentFile instead.";
|
||||
}
|
||||
{
|
||||
assertion = !(cfg.settings ? RUSTFS_SECRET_KEY);
|
||||
message = "RUSTFS_SECRET_KEY must not be set in services.rustfs.settings. Use environmentFile instead.";
|
||||
}
|
||||
];
|
||||
|
||||
systemd = {
|
||||
tmpfiles.settings."10-rustfs".${cfg.settings.RUSTFS_VOLUMES}.d = {
|
||||
inherit (cfg) user group;
|
||||
};
|
||||
|
||||
# https://docs.rustfs.com/installation/linux/single-node-single-disk.html#_6-configure-system-service
|
||||
services.rustfs = {
|
||||
description = "RustFS Object Storage Server";
|
||||
documentation = [ "https://rustfs.com/docs/" ];
|
||||
|
||||
after = [ "network-online.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
environment = cfg.settings;
|
||||
|
||||
preStart = ''
|
||||
if [ -z "$RUSTFS_ACCESS_KEY" ] || [ -z "$RUSTFS_SECRET_KEY" ]; then
|
||||
echo "RustFS uses well-known default values for RUSTFS_ACCESS_KEY and RUSTFS_SECRET_KEY,"
|
||||
echo "please configure them using services.rustfs.environmentFile."
|
||||
exit 1
|
||||
fi
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "notify";
|
||||
NotifyAccess = "main";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
|
||||
EnvironmentFile = cfg.environmentFile;
|
||||
ExecStart = lib.getExe cfg.package;
|
||||
|
||||
LimitNOFILE = 1048576;
|
||||
LimitNPROC = 32768;
|
||||
TasksMax = "infinity";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = "10s";
|
||||
|
||||
OOMScoreAdjust = "-1000";
|
||||
SendSIGKILL = false;
|
||||
|
||||
TimeoutStartSec = "30s";
|
||||
TimeoutStopSec = "30s";
|
||||
|
||||
NoNewPrivileges = true;
|
||||
|
||||
ProtectHome = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
RestrictSUIDSGID = true;
|
||||
RestrictRealtime = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
inherit (cfg) group;
|
||||
};
|
||||
groups.${cfg.group} = { };
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -141,10 +141,6 @@ in
|
||||
services.libinput.enable = mkDefault true;
|
||||
|
||||
security.pam.services.mate-screensaver.unixAuth = true;
|
||||
security.polkit = {
|
||||
enable = true;
|
||||
enablePkexecWrapper = mkDefault true;
|
||||
};
|
||||
|
||||
xdg.portal.configPackages = mkDefault [ pkgs.mate-desktop ];
|
||||
|
||||
|
||||
@@ -347,7 +347,7 @@ def config_entry(levels: int, bootspec: BootSpec, label: str, time: str) -> str:
|
||||
os.path.basename(bootspec.toplevel) + "-secrets"
|
||||
)
|
||||
|
||||
if subprocess.run([bootspec.initrdSecrets, initrd_secrets_path_temp]).returncode != 0:
|
||||
if os.system(bootspec.initrdSecrets + " " + initrd_secrets_path_temp) != 0:
|
||||
print(
|
||||
f'warning: failed to create initrd secrets for "{label}"',
|
||||
file=sys.stderr,
|
||||
|
||||
@@ -68,7 +68,7 @@ let
|
||||
|
||||
configFile = pkgs.writeText "plymouthd.conf" ''
|
||||
[Daemon]
|
||||
ShowDelay=${toString cfg.showDelay}
|
||||
ShowDelay=0
|
||||
DeviceTimeout=8
|
||||
Theme=${cfg.theme}
|
||||
${cfg.extraConfig}
|
||||
@@ -166,15 +166,6 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
showDelay = mkOption {
|
||||
type = types.numbers.nonnegative;
|
||||
default = 0;
|
||||
example = 0.5;
|
||||
description = ''
|
||||
Time (in seconds) to delay the splash screen.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
||||
@@ -27,8 +27,6 @@ in
|
||||
"${cfg.package}/lib/udev/fido_id"
|
||||
"${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"
|
||||
"${pkgs.libfido2}/lib/libfido2.so.1"
|
||||
# dlopened by the libpcsclite.so.1 shim, invisible to make-initrd-ng
|
||||
"${lib.getLib pkgs.pcsclite}/lib/libpcsclite_real.so.1"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -45,7 +45,6 @@
|
||||
"systemd-tpm2-setup.service"
|
||||
"systemd-pcrextend.socket"
|
||||
"systemd-pcrextend@.service"
|
||||
"systemd-pcrlogin@.service"
|
||||
];
|
||||
}
|
||||
)
|
||||
|
||||
@@ -396,7 +396,7 @@ in
|
||||
abi <abi/4.0>,
|
||||
include <tunables/global>
|
||||
|
||||
include if exists "/var/lib/incus/security/apparmor/profiles"
|
||||
include "/var/lib/incus/security/apparmor/profiles"
|
||||
'';
|
||||
};
|
||||
includes."abstractions/base" = ''
|
||||
|
||||
@@ -81,6 +81,34 @@ in
|
||||
which is prohibited within the Nix build sandbox where the test is run.
|
||||
'';
|
||||
}
|
||||
{
|
||||
# Check every interface defined in allInterfaces.
|
||||
# Containers try to create a bridge "${config.system.name}-${interfaceName}"
|
||||
assertion = lib.all (
|
||||
iface:
|
||||
let
|
||||
hostName = "${config.system.name}-${iface.name}";
|
||||
in
|
||||
lib.stringLength hostName <= 15
|
||||
) (lib.attrValues cfg.allInterfaces);
|
||||
|
||||
message =
|
||||
let
|
||||
offendingInterfaces = lib.filter (
|
||||
iface: lib.stringLength "${config.system.name}-${iface.name}" > 15
|
||||
) (lib.attrValues cfg.allInterfaces);
|
||||
offenderList = map (
|
||||
i:
|
||||
"${config.system.name}-${i.name} (${toString (lib.stringLength "${config.system.name}-${i.name}")} chars)"
|
||||
) offendingInterfaces;
|
||||
in
|
||||
''
|
||||
The following generated host interface names exceed the Linux 15-character limit:
|
||||
${lib.concatStringsSep "\n " offenderList}
|
||||
|
||||
Please shorten 'config.system.name' or the interface names in 'virtualisation.interfaces'.
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
virtualisation.systemd-nspawn.options = [
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import contextlib
|
||||
import dataclasses
|
||||
import fcntl
|
||||
import hashlib
|
||||
import logging
|
||||
import os
|
||||
import signal
|
||||
@@ -125,13 +124,6 @@ def mk_veth(
|
||||
vlan: int,
|
||||
) -> typing.Generator[None, None, None]:
|
||||
host_intf_name = f"{container_name}-{container_intf_name}"
|
||||
# If the names for systemd-nspawn containers are too long,
|
||||
# the generated bridge interface names will surpass the
|
||||
# kernel limit IFNAMSIZ (15 characters + '\0').
|
||||
if len(host_intf_name) > 15:
|
||||
hashed = hashlib.sha256(host_intf_name.encode()).hexdigest()[:6]
|
||||
host_intf_name = f"{host_intf_name[:8]}-{hashed}"
|
||||
|
||||
with ensure_vlan_bridge(vlan) as bridge_name:
|
||||
logger.info("creating interface %s", host_intf_name)
|
||||
run_ip(
|
||||
|
||||
@@ -201,7 +201,7 @@ rec {
|
||||
(onFullSupported "nixos.tests.printing-socket")
|
||||
(onFullSupported "nixos.tests.proxy")
|
||||
(onFullSupported "nixos.tests.sddm.default")
|
||||
(onFullSupported "nixos.tests.shadow.login")
|
||||
(onFullSupported "nixos.tests.shadow")
|
||||
(onFullSupported "nixos.tests.simple-container")
|
||||
(onFullSupported "nixos.tests.simple-vm")
|
||||
(onFullSupported "nixos.tests.sway")
|
||||
|
||||
@@ -63,7 +63,7 @@ let
|
||||
- `config.node.pkgs.<name>` or `config.nodes.foo.nixpkgs.pkgs.<name>` to refer
|
||||
to the Nixpkgs used on the VM guest(s).
|
||||
- `hostPkgs.<name>` when invoking commands on the VM host (e.g. in Python
|
||||
`subprocess.run(["foo"])`)
|
||||
`os.system("foo")`)
|
||||
- Since the runTest argument is a module instead of a function, arguments
|
||||
must be passed as option definitions.
|
||||
You may declare explicit `options` for the test parameter(s), or use the
|
||||
@@ -1205,7 +1205,6 @@ in
|
||||
nominatim = runTest ./nominatim.nix;
|
||||
non-default-filesystems = handleTest ./non-default-filesystems.nix { };
|
||||
non-switchable-system = runTest ./non-switchable-system.nix;
|
||||
nordvpn = runTest ./nordvpn.nix;
|
||||
noto-fonts = runTest ./noto-fonts.nix;
|
||||
noto-fonts-cjk-qt-default-weight = runTest ./noto-fonts-cjk-qt-default-weight.nix;
|
||||
novacomd = handleTestOn [ "x86_64-linux" ] ./novacomd.nix { };
|
||||
@@ -1512,7 +1511,6 @@ in
|
||||
rtkit = runTest ./rtkit.nix;
|
||||
rtorrent = runTest ./rtorrent.nix;
|
||||
rush = runTest ./rush.nix;
|
||||
rustfs = runTest ./rustfs.nix;
|
||||
rustical = runTest ./web-apps/rustical.nix;
|
||||
rustls-libssl = runTest ./rustls-libssl.nix;
|
||||
rxe = runTest ./rxe.nix;
|
||||
@@ -1540,7 +1538,7 @@ in
|
||||
sftpgo = runTest ./sftpgo.nix;
|
||||
sfxr-qt = runTest ./sfxr-qt.nix;
|
||||
sgt-puzzles = runTest ./sgt-puzzles.nix;
|
||||
shadow = import ./shadow { inherit runTest; };
|
||||
shadow = runTest ./shadow.nix;
|
||||
shadowsocks = handleTest ./shadowsocks { };
|
||||
shadps4 = runTest ./shadps4.nix;
|
||||
sharkey = runTest ./web-apps/sharkey.nix;
|
||||
@@ -1586,8 +1584,6 @@ in
|
||||
sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix { };
|
||||
sssd-legacy-config = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-legacy-config.nix { };
|
||||
stalwart = runTest ./stalwart/stalwart.nix;
|
||||
stardust-xr-atmosphere = runTest ./stardust-xr/atmosphere.nix;
|
||||
stardust-xr-flatland = runTest ./stardust-xr/flatland.nix;
|
||||
stargazer = runTest ./web-servers/stargazer.nix;
|
||||
starship = runTest ./starship.nix;
|
||||
startx = import ./startx.nix { inherit pkgs runTest; };
|
||||
@@ -1687,7 +1683,6 @@ in
|
||||
systemd-journal = runTest ./systemd-journal.nix;
|
||||
systemd-journal-gateway = runTest ./systemd-journal-gateway.nix;
|
||||
systemd-journal-upload = runTest ./systemd-journal-upload.nix;
|
||||
systemd-localed = runTest ./systemd-localed.nix;
|
||||
systemd-lock-handler = runTestOn [ "aarch64-linux" "x86_64-linux" ] ./systemd-lock-handler.nix;
|
||||
systemd-machinectl = runTest ./systemd-machinectl.nix;
|
||||
systemd-misc = runTest ./systemd-misc.nix;
|
||||
@@ -1846,7 +1841,6 @@ in
|
||||
};
|
||||
virtualbox = handleTestOn [ "x86_64-linux" ] ./virtualbox.nix { };
|
||||
vm-variant = handleTest ./vm-variant.nix { };
|
||||
vnstat = runTest ./vnstat.nix;
|
||||
vscode-remote-ssh = handleTestOn [ "x86_64-linux" ] ./vscode-remote-ssh.nix { };
|
||||
vscodium = import ./vscodium.nix { inherit runTest; };
|
||||
vsftpd = runTest ./vsftpd.nix;
|
||||
@@ -1857,7 +1851,6 @@ in
|
||||
wasabibackend = runTest ./wasabibackend.nix;
|
||||
wastebin = runTest ./wastebin.nix;
|
||||
watchdogd = runTest ./watchdogd.nix;
|
||||
watt = runTest ./watt.nix;
|
||||
webhook = runTest ./webhook.nix;
|
||||
weblate = runTest ./web-apps/weblate.nix;
|
||||
wg-access-server = runTest ./wg-access-server.nix;
|
||||
|
||||
@@ -28,10 +28,12 @@
|
||||
# This is purely for testing purposes!
|
||||
environment.etc."authelia/storageEncryptionKeyFile" = {
|
||||
mode = "0400";
|
||||
user = "authelia-testing";
|
||||
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
|
||||
};
|
||||
environment.etc."authelia/jwtSecretFile" = {
|
||||
mode = "0400";
|
||||
user = "authelia-testing";
|
||||
text = "a_very_important_secret";
|
||||
};
|
||||
environment.etc."authelia/users_database.yml" = {
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
]
|
||||
++ teams.ngi.members;
|
||||
|
||||
containers.machine = {
|
||||
nodes.machine = {
|
||||
environment.systemPackages = with pkgs; [
|
||||
blint
|
||||
jq
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
{
|
||||
name = "PDS";
|
||||
|
||||
containers.machine = {
|
||||
nodes.machine = {
|
||||
services.bluesky-pds = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
||||
@@ -203,26 +203,11 @@ in
|
||||
makeTest {
|
||||
name = "boot-uboot-extlinux";
|
||||
nodes = { };
|
||||
testScript = /* py */ ''
|
||||
import subprocess
|
||||
testScript = ''
|
||||
import os
|
||||
|
||||
# Create a mutable linked image backed by the read-only SD image
|
||||
if (
|
||||
subprocess.run(
|
||||
[
|
||||
"${pkgs.qemu}/bin/qemu-img",
|
||||
"create",
|
||||
"-f",
|
||||
"qcow2",
|
||||
"-F",
|
||||
"raw",
|
||||
"-b",
|
||||
"${sdImage}",
|
||||
"${mutableImage}",
|
||||
]
|
||||
).returncode
|
||||
!= 0
|
||||
):
|
||||
if os.system("${pkgs.qemu}/bin/qemu-img create -f qcow2 -F raw -b ${sdImage} ${mutableImage}") != 0:
|
||||
raise RuntimeError("Could not create mutable linked image")
|
||||
|
||||
machine = create_machine("${startCommand}")
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user