Merge remote-tracking branch 'upstream/master' into hardened-stdenv

Robin Gloster 2016-06-10 09:27:04 +00:00
commit 8031cba2ab
1116 changed files with 79612 additions and 24052 deletions


@ -1,7 +1,14 @@
language: python
python: "3.4"
sudo: required
dist: trusty
matrix:
allow_failures:
- os: osx
include:
- os: linux
language: generic
sudo: required
dist: trusty
- os: osx
language: generic
osx_image: xcode7.3
before_install: ./maintainers/scripts/travis-nox-review-pr.sh nix
install: ./maintainers/scripts/travis-nox-review-pr.sh nox
script: ./maintainers/scripts/travis-nox-review-pr.sh build


@ -11,6 +11,7 @@
abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
abbradar = "Nikolay Amiantov <ab@fmap.me>";
aboseley = "Adam Boseley <adam.boseley@gmail.com>";
abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
adev = "Adrien Devresse <adev@adev.name>";
Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
adnelson = "Allen Nelson <ithinkican@gmail.com>";
@ -74,6 +75,8 @@
chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
chattered = "Phil Scott <me@philscotted.com>";
choochootrain = "Hurshal Patel <hurshal@imap.cc>";
chris-martin = "Chris Martin <ch.martin@gmail.com>";
chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
@ -238,6 +241,7 @@
meisternu = "Matt Miemiec <meister@krutt.org>";
michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
mingchuan = "Ming Chuan <ming@culpring.com>";
mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";


@ -554,12 +554,10 @@ rec {
apply = x: use (toOf config);
});
config = {
/*
warnings =
let opt = getAttrFromPath from options; in
optional (warn && opt.isDefined)
"The option `${showOption from}' defined in ${showFiles opt.files} has been renamed to `${showOption to}'.";
*/
} // setAttrByPath to (mkAliasDefinitions (getAttrFromPath from options));
};


@ -4,6 +4,11 @@ let lib = import ./default.nix; in
rec {
# Returns the type of a path: regular (for file), symlink, or directory
pathType = p: with builtins; getAttr (baseNameOf p) (readDir (dirOf p));
# Returns true if the path exists and is a directory, false otherwise
pathIsDirectory = p: if builtins.pathExists p then (pathType p) == "directory" else false;
# Bring in a path as a source, filtering out all Subversion and CVS
# directories, as well as backup files (*~).
@ -29,6 +34,7 @@ rec {
in type == "directory" || lib.any (ext: lib.hasSuffix ext base) exts;
in builtins.filterSource filter path;
# Get the commit id of a git repo
# Example: commitIdFromGitRepo <nixpkgs/.git>
commitIdFromGitRepo =


@ -13,28 +13,36 @@ if [[ $1 == nix ]]; then
sudo mkdir /etc/nix
sudo sh -c 'echo "build-max-jobs = 4" > /etc/nix/nix.conf'
# Nix builds in /tmp and we need exec support
sudo mount
sudo mount -o remount,exec /run
# Verify evaluation
echo "=== Verifying that nixpkgs evaluates..."
nix-env -f. -qa --json >/dev/null
elif [[ $1 == nox ]]; then
source $HOME/.nix-profile/etc/profile.d/nix.sh
echo "=== Installing nox..."
git clone -q https://github.com/madjar/nox
pip --quiet install -e nox
nix-build -A nox '<nixpkgs>' --show-trace
elif [[ $1 == build ]]; then
source $HOME/.nix-profile/etc/profile.d/nix.sh
echo "=== Checking NixOS options"
nix-build nixos/release.nix -A options
if [[ $TRAVIS_OS_NAME == "osx" ]]; then
echo "Skipping NixOS things on darwin"
else
echo "=== Checking NixOS options"
nix-build nixos/release.nix -A options --show-trace
echo "=== Checking tarball creation"
nix-build pkgs/top-level/release.nix -A tarball
echo "=== Checking tarball creation"
nix-build pkgs/top-level/release.nix -A tarball --show-trace
fi
if [[ $TRAVIS_PULL_REQUEST == false ]]; then
echo "=== Not a pull request"
else
echo "=== Checking PR"
if ! nox-review pr ${TRAVIS_PULL_REQUEST}; then
if ! nix-shell -p nox --run "nox-review pr ${TRAVIS_PULL_REQUEST}"; then
if sudo dmesg | egrep 'Out of memory|Killed process' > /tmp/oom-log; then
echo "=== The build failed due to running out of memory:"
cat /tmp/oom-log
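Review bot: In the PR-check branch, `${TRAVIS_PULL_REQUEST}` is expanded into the command string handed to `nix-shell -p nox --run "..."`, so its value is parsed a second time by the shell that nix-shell starts. The page prints both the bare `nox-review pr` call and the `nix-shell` form without `+`/`-` markers, and I am taking the latter as the new side. Travis sets this variable to a PR number or `false`, so nothing is wrong as written, but a guard before the call would keep the pattern safe if it is copied somewhere the value is less constrained: `[[ $TRAVIS_PULL_REQUEST =~ ^[0-9]+$ ]] || exit 1`. The enclosing `if` continues past the end of the hunk.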


@ -21,7 +21,7 @@ Alternatively, you can use a systemd unit that does the same in the
background:
<screen>
$ systemctl start nix-gc.service
# systemctl start nix-gc.service
</screen>
You can tell NixOS in <filename>configuration.nix</filename> to run
@ -59,4 +59,4 @@ $ nix-store --optimise
Since this command needs to read the entire Nix store, it can take
quite a while to finish.</para>
</chapter>
</chapter>


@ -13,7 +13,7 @@ create</literal>, it gets it own private IPv4 address in the range
address as follows:
<screen>
$ nixos-container show-ip foo
# nixos-container show-ip foo
10.233.4.2
$ ping -c1 10.233.4.2
@ -47,4 +47,4 @@ where <literal>eth0</literal> should be replaced with the desired
external interface. Note that <literal>ve-+</literal> is a wildcard
that matches all container interfaces.</para>
</section>
</section>


@ -11,7 +11,7 @@
identifier <literal>foo</literal> as follows:
<screen>
$ nixos-container create foo
# nixos-container create foo
</screen>
This creates the containers root directory in
@ -25,7 +25,7 @@ line. For instance, to create a container that has
<literal>root</literal>:
<screen>
$ nixos-container create foo --config 'services.openssh.enable = true; \
# nixos-container create foo --config 'services.openssh.enable = true; \
users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
</screen>
@ -35,7 +35,7 @@ $ nixos-container create foo --config 'services.openssh.enable = true; \
run:
<screen>
$ nixos-container start foo
# nixos-container start foo
</screen>
This command will return as soon as the container has booted and has
@ -46,7 +46,7 @@ Thus, if something went wrong, you can get status info using
<command>systemctl</command>:
<screen>
$ systemctl status container@foo
# systemctl status container@foo
</screen>
</para>
@ -55,7 +55,7 @@ $ systemctl status container@foo
root using the <command>root-login</command> operation:
<screen>
$ nixos-container root-login foo
# nixos-container root-login foo
[root@foo:~]#
</screen>
@ -65,7 +65,7 @@ authentication). You can also get a regular login prompt using the
the host:
<screen>
$ nixos-container login foo
# nixos-container login foo
foo login: alice
Password: ***
</screen>
@ -74,7 +74,7 @@ With <command>nixos-container run</command>, you can execute arbitrary
commands in the container:
<screen>
$ nixos-container run foo -- uname -a
# nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
</screen>
@ -86,17 +86,17 @@ container. First, on the host, you can edit
and run
<screen>
$ nixos-container update foo
# nixos-container update foo
</screen>
This will build and activate the new configuration. You can also
specify a new configuration on the command line:
<screen>
$ nixos-container update foo --config 'services.httpd.enable = true; \
# nixos-container update foo --config 'services.httpd.enable = true; \
services.httpd.adminAddr = "foo@example.org";'
$ curl http://$(nixos-container show-ip foo)/
# curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
</screen>
@ -116,9 +116,9 @@ start</literal>, respectively, or by using
destroy a container, including its file system, do
<screen>
$ nixos-container destroy foo
# nixos-container destroy foo
</screen>
</para>
</section>
</section>


@ -9,10 +9,10 @@
<para>You can enter rescue mode by running:
<screen>
$ systemctl rescue</screen>
# systemctl rescue</screen>
This will eventually give you a single-user root shell. Systemd will
stop (almost) all system services. To get out of maintenance mode,
just exit from the rescue shell.</para>
</section>
</section>


@ -18,14 +18,14 @@ You can disable the use of the binary cache by adding <option>--option
use-binary-caches false</option>, e.g.
<screen>
$ nixos-rebuild switch --option use-binary-caches false
# nixos-rebuild switch --option use-binary-caches false
</screen>
If you have an alternative binary cache at your disposal, you can use
it instead:
<screen>
$ nixos-rebuild switch --option binary-caches http://my-cache.example.org/
# nixos-rebuild switch --option binary-caches http://my-cache.example.org/
</screen>
</para>


@ -10,7 +10,7 @@
doing:
<screen>
$ shutdown
# shutdown
</screen>
This is equivalent to running <command>systemctl
@ -19,7 +19,7 @@ poweroff</command>.</para>
<para>To reboot the system, run
<screen>
$ reboot
# reboot
</screen>
which is equivalent to <command>systemctl reboot</command>.
@ -28,7 +28,7 @@ Alternatively, you can quickly reboot the system using
the new kernel into memory:
<screen>
$ systemctl kexec
# systemctl kexec
</screen>
</para>
@ -41,4 +41,4 @@ $ systemctl kexec
i.e. on a virtual console or in X11; otherwise, the user is asked for
authentication.</para>
</chapter>
</chapter>


@ -19,7 +19,7 @@ fails to boot. After the system has booted, you can make the selected
configuration the default for subsequent boots:
<screen>
$ /run/current-system/bin/switch-to-configuration boot</screen>
# /run/current-system/bin/switch-to-configuration boot</screen>
</para>
@ -27,12 +27,12 @@ $ /run/current-system/bin/switch-to-configuration boot</screen>
system:
<screen>
$ nixos-rebuild switch --rollback</screen>
# nixos-rebuild switch --rollback</screen>
This is equivalent to running:
<screen>
$ /nix/var/nix/profiles/system-<replaceable>N</replaceable>-link/bin/switch-to-configuration switch</screen>
# /nix/var/nix/profiles/system-<replaceable>N</replaceable>-link/bin/switch-to-configuration switch</screen>
where <replaceable>N</replaceable> is the number of the NixOS system
configuration. To get a list of the available configurations, do:
@ -45,4 +45,4 @@ lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link ->
</para>
</section>
</section>


@ -66,9 +66,9 @@ messages from the service.
<para>Units can be stopped, started or restarted:
<screen>
$ systemctl stop postgresql.service
$ systemctl start postgresql.service
$ systemctl restart postgresql.service
# systemctl stop postgresql.service
# systemctl start postgresql.service
# systemctl restart postgresql.service
</screen>
These operations are synchronous: they wait until the service has


@ -18,7 +18,7 @@ you may be able to fix it automatically.</para>
system configuration, you can fix it by doing
<screen>
$ nixos-rebuild switch --repair
# nixos-rebuild switch --repair
</screen>
This will cause Nix to check every path in the closure, and if its
@ -28,10 +28,10 @@ the path is rebuilt or redownloaded.</para>
<para>You can also scan the entire Nix store for corrupt paths:
<screen>
$ nix-store --verify --check-contents --repair
# nix-store --verify --check-contents --repair
</screen>
Any corrupt paths will be redownloaded if theyre available in a
binary cache; otherwise, they cannot be repaired.</para>
</section>
</section>


@ -45,9 +45,9 @@ track of this, you can terminate a session in a way that ensures that
all the sessions processes are gone:
<screen>
$ loginctl terminate-session c3
# loginctl terminate-session c3
</screen>
</para>
</chapter>
</chapter>


@ -31,7 +31,7 @@ and you run <command>nixos-rebuild</command>, specifying your own
Nixpkgs tree:
<screen>
$ nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs</screen>
# nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs</screen>
</para>


@ -82,7 +82,7 @@ $ nix-shell '<nixpkgs>' -A linuxPackages.kernel
$ unpackPhase
$ cd linux-*
$ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules
$ sudo insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko
# insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko
]]></screen>
</section>


@ -12,7 +12,7 @@ here is how you create an encrypted Ext4 file system on the device
<filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
<screen>
$ cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
WARNING!
========
@ -22,10 +22,10 @@ Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***
$ cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
$ mkfs.ext4 /dev/mapper/crypted
# mkfs.ext4 /dev/mapper/crypted
</screen>
To ensure that this file system is automatically mounted at boot time


@ -63,14 +63,14 @@ commands such as <command>useradd</command>,
account named <literal>alice</literal>:
<screen>
$ useradd -m alice</screen>
# useradd -m alice</screen>
To make all nix tools available to this new user use `su - USER` which
opens a login shell (==shell that loads the profile) for given user.
This will create the ~/.nix-defexpr symlink. So run:
<screen>
$ su - alice -c "true"</screen>
# su - alice -c "true"</screen>
The flag <option>-m</option> causes the creation of a home directory
@ -79,7 +79,7 @@ have an initial password and therefore cannot log in. A password can
be set using the <command>passwd</command> utility:
<screen>
$ passwd alice
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
</screen>
@ -87,7 +87,7 @@ Retype new UNIX password: ***
A user can be deleted using <command>userdel</command>:
<screen>
$ userdel -r alice</screen>
# userdel -r alice</screen>
The flag <option>-r</option> deletes the users home directory.
Accounts can be modified using <command>usermod</command>. Unix


@ -41,13 +41,13 @@ If you are using WPA2 the <command>wpa_passphrase</command> tool might be useful
to generate the <literal>wpa_supplicant.conf</literal>.
<screen>
$ wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf</screen>
# wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf</screen>
After you have edited the <literal>wpa_supplicant.conf</literal>,
you need to restart the wpa_supplicant service.
<screen>
$ systemctl restart wpa_supplicant.service</screen>
# systemctl restart wpa_supplicant.service</screen>
</para>
</section>


@ -5,7 +5,7 @@
xml:id="sec-x11">
<title>X Window System</title>
<para>The X Window System (X11) provides the basis of NixOS graphical
user interface. It can be enabled as follows:
<programlisting>
@ -48,7 +48,7 @@ services.xserver.autorun = false;
</programlisting>
The X server can then be started manually:
<screen>
$ systemctl start display-manager.service
# systemctl start display-manager.service
</screen>
</para>
@ -115,5 +115,14 @@ services.xserver.synaptics.twoFingerScroll = true;
</simplesect>
<simplesect><title>GTK/Qt themes</title>
<para>GTK themes can be installed either to user profile or system-wide (via
<literal>system.environmentPackages</literal>). To make Qt 5 applications look similar
to GTK2 ones, you can install <literal>qt5.qtbase.gtk</literal> package into your
system environment. It should work for all Qt 5 library versions.
</para>
</simplesect>
</chapter>


@ -25,8 +25,8 @@ $ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd
suggested by the following command:
<screen>
$ mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
</para>
</chapter>
</chapter>


@ -94,8 +94,8 @@ $ nix-build -A 'config.systemd.units."httpd.service".unit'
<screen>
$ cp $(nix-build -A 'config.systemd.units."httpd.service".unit')/httpd.service \
/run/systemd/system/tmp-httpd.service
$ systemctl daemon-reload
$ systemctl start tmp-httpd.service
# systemctl daemon-reload
# systemctl start tmp-httpd.service
</screen>
Note that the unit must not have the same name as any unit in
@ -110,4 +110,4 @@ $ systemctl start tmp-httpd.service
</para>
</chapter>
</chapter>


@ -70,7 +70,7 @@ sources, you need to tell <command>nixos-rebuild</command> about them
using the <option>-I</option> flag:
<screen>
$ nixos-rebuild switch -I nixpkgs=<replaceable>/my/sources</replaceable>/nixpkgs
# nixos-rebuild switch -I nixpkgs=<replaceable>/my/sources</replaceable>/nixpkgs
</screen>
</para>


@ -12,16 +12,16 @@ properly:
<screen>
$ nix-build -A config.system.build.nixos-install
$ mount -t tmpfs none /mnt
$ ./result/bin/nixos-install</screen>
# mount -t tmpfs none /mnt
# ./result/bin/nixos-install</screen>
To start a login shell in the new NixOS installation in
<filename>/mnt</filename>:
<screen>
$ ./result/bin/nixos-install --chroot
# ./result/bin/nixos-install --chroot
</screen>
</para>
</chapter>
</chapter>


@ -10,7 +10,7 @@ contains the current configuration of your machine. Whenever youve
changed something to that file, you should do
<screen>
$ nixos-rebuild switch</screen>
# nixos-rebuild switch</screen>
to build the new configuration, make it the default configuration for
booting, and try to realise the configuration in the running system
@ -23,7 +23,7 @@ either run them from a root shell or by prefixing them with
<para>You can also do
<screen>
$ nixos-rebuild test</screen>
# nixos-rebuild test</screen>
to build the configuration and switch the running system to it, but
without making it the boot default. So if (say) the configuration
@ -33,7 +33,7 @@ configuration.</para>
<para>There is also
<screen>
$ nixos-rebuild boot</screen>
# nixos-rebuild boot</screen>
to build the configuration and make it the boot default, but not
switch to it now (so it will only take effect after the next
@ -44,7 +44,7 @@ of the GRUB 2 boot screen by giving it a different <emphasis>profile
name</emphasis>, e.g.
<screen>
$ nixos-rebuild switch -p test </screen>
# nixos-rebuild switch -p test </screen>
which causes the new configuration (and previous ones created using
<literal>-p test</literal>) to show up in the GRUB submenu “NixOS -


@ -5,7 +5,7 @@
xml:id="sec-uefi-installation">
<title>UEFI Installation</title>
<para>NixOS can also be installed on UEFI systems. The procedure
is by and large the same as a BIOS installation, with the following
changes:
@ -26,7 +26,7 @@ changes:
<literal>vfat</literal> filesystem.</para>
</listitem>
<listitem>
<para>You must set <option>boot.loader.gummiboot.enable</option> to
<para>You must set <option>boot.loader.systemd-boot.enable</option> to
<literal>true</literal>. <command>nixos-generate-config</command>
should do this automatically for new configurations when booted in
UEFI mode.</para>
@ -38,7 +38,7 @@ changes:
</listitem>
<listitem>
<para>You may want to look at the options starting with
<option>boot.loader.efi</option> and <option>boot.loader.gummiboot</option>
<option>boot.loader.efi</option> and <option>boot.loader.systemd-boot</option>
as well.</para>
</listitem>
</itemizedlist>


@ -54,7 +54,7 @@
changes. For example:
<screen>
$ mkfs.ext4 -L nixos /dev/sda1</screen>
# mkfs.ext4 -L nixos /dev/sda1</screen>
</para></listitem>
@ -66,10 +66,10 @@ $ mkfs.ext4 -L nixos /dev/sda1</screen>
<listitem><para>For creating LVM volumes, the LVM commands, e.g.,
<screen>
$ pvcreate /dev/sda1 /dev/sdb1
$ vgcreate MyVolGroup /dev/sda1 /dev/sdb1
$ lvcreate --size 2G --name bigdisk MyVolGroup
$ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
# pvcreate /dev/sda1 /dev/sdb1
# vgcreate MyVolGroup /dev/sda1 /dev/sdb1
# lvcreate --size 2G --name bigdisk MyVolGroup
# lvcreate --size 1G --name smalldisk MyVolGroup</screen>
</para></listitem>
@ -84,7 +84,7 @@ $ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
be installed on <filename>/mnt</filename>, e.g.
<screen>
$ mount /dev/disk/by-label/nixos /mnt
# mount /dev/disk/by-label/nixos /mnt
</screen>
</para></listitem>
@ -113,14 +113,14 @@ $ mount /dev/disk/by-label/nixos /mnt
generate an initial configuration file for you:
<screen>
$ nixos-generate-config --root /mnt</screen>
# nixos-generate-config --root /mnt</screen>
You should then edit
<filename>/mnt/etc/nixos/configuration.nix</filename> to suit your
needs:
<screen>
$ nano /mnt/etc/nixos/configuration.nix
# nano /mnt/etc/nixos/configuration.nix
</screen>
If youre using the graphical ISO image, other editors may be
@ -162,7 +162,7 @@ $ nano /mnt/etc/nixos/configuration.nix
<listitem><para>Do the installation:
<screen>
$ nixos-install</screen>
# nixos-install</screen>
Cross fingers. If this fails due to a temporary problem (such as
a network issue while downloading binaries from the NixOS binary
@ -186,7 +186,7 @@ Retype new UNIX password: ***
<listitem><para>If everything went well:
<screen>
$ reboot</screen>
# reboot</screen>
</para></listitem>
@ -235,15 +235,15 @@ drive (here <filename>/dev/sda</filename>). <xref linkend="ex-config"
<example xml:id='ex-install-sequence'><title>Commands for Installing NixOS on <filename>/dev/sda</filename></title>
<screen>
$ fdisk /dev/sda # <lineannotation>(or whatever device you want to install on)</lineannotation>
$ mkfs.ext4 -L nixos /dev/sda1
$ mkswap -L swap /dev/sda2
$ swapon /dev/sda2
$ mount /dev/disk/by-label/nixos /mnt
$ nixos-generate-config --root /mnt
$ nano /mnt/etc/nixos/configuration.nix
$ nixos-install
$ reboot</screen>
# fdisk /dev/sda # <lineannotation>(or whatever device you want to install on)</lineannotation>
# mkfs.ext4 -L nixos /dev/sda1
# mkswap -L swap /dev/sda2
# swapon /dev/sda2
# mount /dev/disk/by-label/nixos /mnt
# nixos-generate-config --root /mnt
# nano /mnt/etc/nixos/configuration.nix
# nixos-install
# reboot</screen>
</example>
<example xml:id='ex-config'><title>NixOS Configuration</title>


@ -60,33 +60,33 @@ the <literal>nixos-14.12</literal> channel. To see which NixOS
channel youre subscribed to, run the following as root:
<screen>
$ nix-channel --list | grep nixos
# nix-channel --list | grep nixos
nixos https://nixos.org/channels/nixos-unstable
</screen>
To switch to a different NixOS channel, do
<screen>
$ nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
# nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
</screen>
(Be sure to include the <literal>nixos</literal> parameter at the
end.) For instance, to use the NixOS 14.12 stable channel:
<screen>
$ nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
</screen>
If you have a server, you may want to use the “small” channel instead:
<screen>
$ nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
</screen>
And if you want to live on the bleeding edge:
<screen>
$ nix-channel --add https://nixos.org/channels/nixos-unstable nixos
# nix-channel --add https://nixos.org/channels/nixos-unstable nixos
</screen>
</para>
@ -95,7 +95,7 @@ $ nix-channel --add https://nixos.org/channels/nixos-unstable nixos
channel by running
<screen>
$ nixos-rebuild switch --upgrade
# nixos-rebuild switch --upgrade
</screen>
which is equivalent to the more verbose <literal>nix-channel --update


@ -1,7 +1,7 @@
<refentry xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refmeta>
<refentrytitle><filename>configuration.nix</filename></refentrytitle>
<manvolnum>5</manvolnum>
@ -34,5 +34,5 @@ therein.</para>
<xi:include href="options-db.xml" />
</refsection>
</refentry>


@ -1,7 +1,7 @@
<refentry xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refmeta>
<refentrytitle><command>nixos-build-vms</command></refentrytitle>
<manvolnum>8</manvolnum>
@ -42,10 +42,10 @@ points to the generated virtual network.
services.openssh.enable = true;
nixpkgs.system = "i686-linux";
deployment.targetHost = "test1.example.net";
# Other NixOS options
};
test2 = {pkgs, config, ...}:
{
services.openssh.enable = true;
@ -53,7 +53,7 @@ points to the generated virtual network.
environment.systemPackages = [ pkgs.lynx ];
nixpkgs.system = "x86_64-linux";
deployment.targetHost = "test2.example.net";
# Other NixOS options
};
}


@ -1,7 +1,7 @@
<refentry xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refmeta>
<refentrytitle><command>nixos-option</command></refentrytitle>
<manvolnum>8</manvolnum>
@ -64,7 +64,7 @@ $ nixos-option boot.loader.grub.enable
Value:
true
Default:
Default:
true
Description:

View file

@ -3,7 +3,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="book-nixos-manual">
<info>
<title>NixOS Manual</title>
<subtitle>Version <xi:include href="version" parse="text" /></subtitle>
@ -26,6 +26,9 @@
xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS GitHub
issue tracker</link>.</para>
<note><para>Commands prefixed with <literal>#</literal> have to be run as
root, either requiring to login as root user or temporarily switching
to it using <literal>sudo</literal> for example.</para></note>
</preface>
<xi:include href="installation/installation.xml" />


@ -11,6 +11,7 @@
<xsl:output method='xml' encoding="UTF-8" />
<xsl:param name="revision" />
<xsl:param name="program" />
<xsl:template match="/expr/list">
@ -188,7 +189,7 @@
</xsl:otherwise>
</xsl:choose>
</xsl:when>
<xsl:when test="$revision != 'local' and contains(@value, 'nixops') and contains(@value, '/nix/')">
<xsl:when test="$revision != 'local' and $program = 'nixops' and contains(@value, '/nix/')">
<xsl:attribute name="xlink:href">https://github.com/NixOS/nixops/blob/<xsl:value-of select="$revision"/>/nix/<xsl:value-of select="substring-after(@value, '/nix/')"/></xsl:attribute>
</xsl:when>
<xsl:otherwise>


@ -16,6 +16,10 @@ has the following highlights: </para>
See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
</listitem>
<listitem>
<para>Xorg-server-1.18.*. If you choose <literal>"ati_unfree"</literal> driver,
1.17.* is still used due to ABI incompatibility.</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>


@ -18,6 +18,8 @@ in
config = mkIf enabled {
nixpkgs.config.xorg.fglrxCompat = true;
services.xserver.drivers = singleton
{ name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; };


@ -64,7 +64,7 @@ let
# The EFI boot image.
efiDir = pkgs.runCommand "efi-directory" {} ''
mkdir -p $out/EFI/boot
cp -v ${pkgs.gummiboot}/lib/gummiboot/gummiboot${targetArch}.efi $out/EFI/boot/boot${targetArch}.efi
cp -v ${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${targetArch}.efi $out/EFI/boot/boot${targetArch}.efi
mkdir -p $out/loader/entries
echo "title NixOS Live CD" > $out/loader/entries/nixos-livecd.conf


@ -518,8 +518,8 @@ if ($showHardwareConfig) {
my $bootLoaderConfig = "";
if (-e "/sys/firmware/efi/efivars") {
$bootLoaderConfig = <<EOF;
# Use the gummiboot efi boot loader.
boot.loader.gummiboot.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
EOF
} elsif ($virt ne "systemd-nspawn") {


@ -104,8 +104,8 @@ in
# changing them would not rebuild the manual
nixosLabel = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion);
nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix));
nixosRevision = mkIf (pathExists gitRepo) (mkDefault gitCommitId);
nixosVersionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId));
nixosRevision = mkIf (pathIsDirectory gitRepo) (mkDefault gitCommitId);
nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
# Note: code names must only increase in alphabetical order.
nixosCodeName = "Flounder";


@ -79,6 +79,7 @@
./programs/ssh.nix
./programs/ssmtp.nix
./programs/tmux.nix
./programs/unity3d.nix
./programs/venus.nix
./programs/wvdial.nix
./programs/xfs_quota.nix
@ -127,6 +128,7 @@
./services/continuous-integration/jenkins/default.nix
./services/continuous-integration/jenkins/slave.nix
./services/continuous-integration/jenkins/job-builder.nix
./services/continuous-integration/hydra/default.nix
./services/databases/4store-endpoint.nix
./services/databases/4store.nix
./services/databases/couchdb.nix
@ -428,6 +430,7 @@
./services/security/haveged.nix
./services/security/hologram.nix
./services/security/munge.nix
./services/security/oauth2_proxy.nix
./services/security/physlock.nix
./services/security/torify.nix
./services/security/tor.nix
@ -503,10 +506,10 @@
./system/boot/loader/grub/grub.nix
./system/boot/loader/grub/ipxe.nix
./system/boot/loader/grub/memtest.nix
./system/boot/loader/gummiboot/gummiboot.nix
./system/boot/loader/init-script/init-script.nix
./system/boot/loader/loader.nix
./system/boot/loader/raspberrypi/raspberrypi.nix
./system/boot/loader/systemd-boot/systemd-boot.nix
./system/boot/luksroot.nix
./system/boot/modprobe.nix
./system/boot/networkd.nix


@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.programs.unity3d;
in {
options = {
programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
};
config = mkIf cfg.enable {
security.setuidOwners = [{
program = "unity-chrome-sandbox";
source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
owner = "root";
#group = "root";
setuid = true;
#setgid = true;
}];
environment.systemPackages = [ pkgs.unity3d ];
};
}
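Review bot: The `security.setuidOwners` entry installs `unity-chrome-sandbox` as a setuid-root program once `programs.unity3d.enable` is set, but neither the option description nor a comment in the module says so. I would put that in the description, e.g. `mkEnableOption "Unity3D, a game development tool (installs the setuid-root unity-chrome-sandbox helper)"`, so an administrator sees the privilege grant before enabling it. The commented-out `#group = "root";` and `#setgid = true;` lines should be removed or given a one-line reason, because as written it is unclear whether leaving setgid off was a deliberate choice.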


@ -114,6 +114,19 @@ in
'';
};
preliminarySelfsigned = mkOption {
type = types.bool;
default = true;
description = ''
Whether a preliminary self-signed certificate should be generated before
doing ACME requests. This can be useful when certificates are required in
a webserver, but ACME needs the webserver to make its requests.
With preliminary self-signed certificate the webserver can be started and
can later reload the correct ACME certificates.
'';
};
certs = mkOption {
default = { };
type = types.loaOf types.optionSet;
@ -140,54 +153,126 @@ in
config = mkMerge [
(mkIf (cfg.certs != { }) {
systemd.services = flip mapAttrs' cfg.certs (cert: data:
let
cpath = "${cfg.directory}/${cert}";
rights = if data.allowKeysForGroup then "750" else "700";
cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
systemd.services = let
services = concatLists servicesLists;
servicesLists = mapAttrsToList certToServices cfg.certs;
certToServices = cert: data:
let
cpath = "${cfg.directory}/${cert}";
rights = if data.allowKeysForGroup then "750" else "700";
cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
acmeService = {
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
SuccessExitStatus = [ "0" "1" ];
PermissionsStartOnly = true;
User = data.user;
Group = data.group;
PrivateTmp = true;
};
path = [ pkgs.simp_le ];
preStart = ''
mkdir -p '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi
chmod ${rights} '${cpath}'
chown -R '${data.user}:${data.group}' '${cpath}'
'';
script = ''
cd '${cpath}'
set +e
simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
EXITCODE=$?
set -e
echo "$EXITCODE" > /tmp/lastExitCode
exit "$EXITCODE"
'';
postStop = ''
if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
echo "Executing postRun hook..."
${data.postRun}
fi
'';
in nameValuePair
("acme-${cert}")
({
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
SuccessExitStatus = [ "0" "1" ];
PermissionsStartOnly = true;
User = data.user;
Group = data.group;
PrivateTmp = true;
before = [ "acme-certificates.target" ];
wantedBy = [ "acme-certificates.target" ];
};
selfsignedService = {
description = "Create preliminary self-signed certificate for ${cert}";
preStart = ''
if [ ! -d '${cpath}' ]
then
mkdir -p '${cpath}'
chmod ${rights} '${cpath}'
chown '${data.user}:${data.group}' '${cpath}'
fi
'';
script =
''
# Create self-signed key
workdir="/run/acme-selfsigned-${cert}"
${pkgs.openssl.bin}/bin/openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048
${pkgs.openssl.bin}/bin/openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key
${pkgs.openssl.bin}/bin/openssl req -new -key $workdir/server.key -out $workdir/server.csr \
-subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
${pkgs.openssl.bin}/bin/openssl x509 -req -days 1 -in $workdir/server.csr -signkey $workdir/server.key -out $workdir/server.crt
# Move key to destination
mv $workdir/server.key ${cpath}/key.pem
mv $workdir/server.crt ${cpath}/fullchain.pem
# Clean up working directory
rm $workdir/server.csr
rm $workdir/server.pass.key
# Give key acme permissions
chmod ${rights} '${cpath}/key.pem'
chown '${data.user}:${data.group}' '${cpath}/key.pem'
chmod ${rights} '${cpath}/fullchain.pem'
chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
'';
serviceConfig = {
Type = "oneshot";
RuntimeDirectory = "acme-selfsigned-${cert}";
PermissionsStartOnly = true;
User = data.user;
Group = data.group;
};
unitConfig = {
# Do not create self-signed key when key already exists
ConditionPathExists = "!${cpath}/key.pem";
};
before = [
"acme-selfsigned-certificates.target"
];
wantedBy = [
"acme-selfsigned-certificates.target"
];
};
in (
[ { name = "acme-${cert}"; value = acmeService; } ]
++
(if cfg.preliminarySelfsigned
then [ { name = "acme-selfsigned-${cert}"; value = selfsignedService; } ]
else []
)
);
servicesAttr = listToAttrs services;
nginxAttr = {
nginx = {
after = [ "acme-selfsigned-certificates.target" ];
wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
};
};
path = [ pkgs.simp_le ];
preStart = ''
mkdir -p '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi
chmod ${rights} '${cpath}'
chown -R '${data.user}:${data.group}' '${cpath}'
'';
script = ''
cd '${cpath}'
set +e
simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
EXITCODE=$?
set -e
echo "$EXITCODE" > /tmp/lastExitCode
exit "$EXITCODE"
'';
postStop = ''
if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
echo "Executing postRun hook..."
${data.postRun}
fi
'';
})
);
in
servicesAttr //
(if config.services.nginx.enable then nginxAttr else {});
systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
("acme-${cert}")
@ -200,6 +285,9 @@ in
};
})
);
systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {};
systemd.targets."acme-certificates" = {};
})
{ meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];
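Review bot: The self-signed `script` creates the private key in `/run/acme-selfsigned-${cert}` and tightens permissions only after the `mv`, so until then the key's mode depends on the service umask and the default `RuntimeDirectory` mode. Starting the script with `umask 077`, or adding `RuntimeDirectoryMode = "0700";` to `serviceConfig`, would remove that dependency. `chmod ${rights}` reuses the directory modes (`750`/`700`) for `key.pem` and `fullchain.pem`, which leaves the execute bit set on both files; file modes such as `640`/`600` would match the intent. The `mv` lines also expand `$workdir` and `${cpath}` unquoted, unlike the `preStart` above them, and the certificate subject is fixed to `CN=example.com` rather than `${cert}`.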


@ -66,4 +66,32 @@ options for the <literal>security.acme</literal> module.</para>
</section>
<section><title>Using ACME certificates in Nginx</title>
<para>In practice ACME is mostly used for retrieval and renewal of
certificates that will be used in a webserver like Nginx. A configuration for
Nginx that uses the certificates from ACME for
<literal>foo.example.com</literal> will look similar to:
</para>
<programlisting>
services.nginx.httpConfig = ''
server {
server_name foo.example.com;
listen 443 ssl;
ssl_certificate ${config.security.acme.directory}/foo.example.com/fullchain.pem;
ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem;
root /var/www/foo.example.com/;
}
'';
</programlisting>
<para>Now Nginx will try to use the certificates that will be retrieved by ACME.
ACME needs Nginx (or any other webserver) to function and Nginx needs
the certificates to actually start. For this reason the ACME module
automatically generates self-signed certificates that will be used by Nginx to
start. After that Nginx is used by ACME to retrieve the actual ACME
certificates. <literal>security.acme.preliminarySelfsigned</literal> can be
used to control whether to generate the self-signed certificates.
</para>
</section>
</chapter>


@ -0,0 +1,418 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.hydra;
baseDir = "/var/lib/hydra";
hydraConf = pkgs.writeScript "hydra.conf" cfg.extraConfig;
hydraEnv =
{ HYDRA_DBI = cfg.dbi;
HYDRA_CONFIG = "${baseDir}/hydra.conf";
HYDRA_DATA = "${baseDir}";
};
env =
{ NIX_REMOTE = "daemon";
SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; # Remove in 16.03
PGPASSFILE = "${baseDir}/pgpass";
NIX_REMOTE_SYSTEMS = concatStringsSep ":" cfg.buildMachinesFiles;
} // optionalAttrs (cfg.smtpHost != null) {
EMAIL_SENDER_TRANSPORT = "SMTP";
EMAIL_SENDER_TRANSPORT_host = cfg.smtpHost;
} // hydraEnv // cfg.extraEnv;
serverEnv = env //
{ HYDRA_TRACKER = cfg.tracker;
COLUMNS = "80";
PGPASSFILE = "${baseDir}/pgpass-www"; # grrr
} // (optionalAttrs cfg.debugServer { DBIC_TRACE = "1"; });
localDB = "dbi:Pg:dbname=hydra;user=hydra;";
haveLocalDB = cfg.dbi == localDB;
in
{
###### interface
options = {
services.hydra = rec {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to run Hydra services.
'';
};
dbi = mkOption {
type = types.str;
default = localDB;
example = "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;";
description = ''
The DBI string for Hydra database connection.
'';
};
package = mkOption {
type = types.path;
default = pkgs.hydra;
defaultText = "pkgs.hydra";
description = "The Hydra package.";
};
hydraURL = mkOption {
type = types.str;
description = ''
The base URL for the Hydra webserver instance. Used for links in emails.
'';
};
listenHost = mkOption {
type = types.str;
default = "*";
example = "localhost";
description = ''
The hostname or address to listen on or <literal>*</literal> to listen
on all interfaces.
'';
};
port = mkOption {
type = types.int;
default = 3000;
description = ''
TCP port the web server should listen to.
'';
};
minimumDiskFree = mkOption {
type = types.int;
default = 0;
description = ''
Threshold of minimum disk space (GiB) to determine if the queue runner should run or not.
'';
};
minimumDiskFreeEvaluator = mkOption {
type = types.int;
default = 0;
description = ''
Threshold of minimum disk space (GiB) to determine if the evaluator should run or not.
'';
};
notificationSender = mkOption {
type = types.str;
description = ''
Sender email address used for email notifications.
'';
};
smtpHost = mkOption {
type = types.nullOr types.str;
default = null;
example = ["localhost"];
description = ''
Hostname of the SMTP server to use to send email.
'';
};
tracker = mkOption {
type = types.str;
default = "";
description = ''
Piece of HTML that is included on all pages.
'';
};
logo = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a file containing the logo of your Hydra instance.
'';
};
debugServer = mkOption {
type = types.bool;
default = false;
description = "Whether to run the server in debug mode.";
};
extraConfig = mkOption {
type = types.lines;
description = "Extra lines for the Hydra configuration.";
};
extraEnv = mkOption {
type = types.attrsOf types.str;
default = {};
description = "Extra environment variables for Hydra.";
};
gcRootsDir = mkOption {
type = types.path;
default = "/nix/var/nix/gcroots/hydra";
description = "Directory that holds Hydra garbage collector roots.";
};
buildMachinesFiles = mkOption {
type = types.listOf types.path;
default = [];
example = [ "/etc/nix/machines" "/var/lib/hydra/provisioner/machines" ];
description = "List of files containing build machines.";
};
useSubstitutes = mkOption {
type = types.bool;
default = false;
description = ''
Whether to use binary caches for downloading store paths. Note that
binary substitutions trigger (a potentially large number of) additional
HTTP requests that slow down the queue monitor thread significantly.
Also, this Hydra instance will serve those downloaded store paths to
its users with its own signature attached as if it had built them
itself, so don't enable this feature unless your active binary caches
are absolute trustworthy.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
users.extraGroups.hydra = { };
users.extraUsers.hydra =
{ description = "Hydra";
group = "hydra";
createHome = true;
home = baseDir;
useDefaultShell = true;
};
users.extraUsers.hydra-queue-runner =
{ description = "Hydra queue runner";
group = "hydra";
useDefaultShell = true;
home = "${baseDir}/queue-runner"; # really only to keep SSH happy
};
users.extraUsers.hydra-www =
{ description = "Hydra web server";
group = "hydra";
useDefaultShell = true;
};
nix.trustedUsers = [ "hydra-queue-runner" ];
services.hydra.extraConfig =
''
using_frontend_proxy 1
base_uri ${cfg.hydraURL}
notification_sender ${cfg.notificationSender}
max_servers 25
${optionalString (cfg.logo != null) ''
hydra_logo ${cfg.logo}
''}
gc_roots_dir ${cfg.gcRootsDir}
'';
environment.systemPackages = [ cfg.package ];
environment.variables = hydraEnv;
nix.extraOptions = ''
gc-keep-outputs = true
gc-keep-derivations = true
# The default (`true') slows Nix down a lot since the build farm
# has so many GC roots.
gc-check-reachability = false
'';
systemd.services.hydra-init =
{ wantedBy = [ "multi-user.target" ];
requires = optional haveLocalDB "postgresql.service";
after = optional haveLocalDB "postgresql.service";
environment = env;
preStart = ''
mkdir -p ${baseDir}
chown hydra.hydra ${baseDir}
chmod 0750 ${baseDir}
ln -sf ${hydraConf} ${baseDir}/hydra.conf
mkdir -m 0700 -p ${baseDir}/www
chown hydra-www.hydra ${baseDir}/www
mkdir -m 0700 -p ${baseDir}/queue-runner
mkdir -m 0750 -p ${baseDir}/build-logs
chown hydra-queue-runner.hydra ${baseDir}/queue-runner ${baseDir}/build-logs
${optionalString haveLocalDB ''
if ! [ -e ${baseDir}/.db-created ]; then
${config.services.postgresql.package}/bin/createuser hydra
${config.services.postgresql.package}/bin/createdb -O hydra hydra
touch ${baseDir}/.db-created
fi
''}
if [ ! -e ${cfg.gcRootsDir} ]; then
# Move legacy roots directory.
if [ -e /nix/var/nix/gcroots/per-user/hydra/hydra-roots ]; then
mv /nix/var/nix/gcroots/per-user/hydra/hydra-roots ${cfg.gcRootsDir}
fi
mkdir -p ${cfg.gcRootsDir}
fi
# Move legacy hydra-www roots.
if [ -e /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots ]; then
find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f \
| xargs -r mv -f -t ${cfg.gcRootsDir}/
rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots
fi
chown hydra.hydra ${cfg.gcRootsDir}
chmod 2775 ${cfg.gcRootsDir}
'';
serviceConfig.ExecStart = "${cfg.package}/bin/hydra-init";
serviceConfig.PermissionsStartOnly = true;
serviceConfig.User = "hydra";
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
};
systemd.services.hydra-server =
{ wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" ];
environment = serverEnv;
serviceConfig =
{ ExecStart =
"@${cfg.package}/bin/hydra-server hydra-server -f -h '${cfg.listenHost}' "
+ "-p ${toString cfg.port} --max_spare_servers 5 --max_servers 25 "
+ "--max_requests 100 ${optionalString cfg.debugServer "-d"}";
User = "hydra-www";
PermissionsStartOnly = true;
Restart = "always";
};
};
systemd.services.hydra-queue-runner =
{ wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" "network.target" ];
path = [ cfg.package pkgs.nettools pkgs.openssh pkgs.bzip2 config.nix.package ];
environment = env // {
PGPASSFILE = "${baseDir}/pgpass-queue-runner"; # grrr
IN_SYSTEMD = "1"; # to get log severity levels
};
serviceConfig =
{ ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${if cfg.useSubstitutes then "true" else "false"}";
ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock";
User = "hydra-queue-runner";
Restart = "always";
# Ensure we can get core dumps.
LimitCORE = "infinity";
WorkingDirectory = "${baseDir}/queue-runner";
};
};
systemd.services.hydra-evaluator =
{ wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" "network.target" ];
path = [ pkgs.nettools ];
environment = env;
serviceConfig =
{ ExecStart = "@${cfg.package}/bin/hydra-evaluator hydra-evaluator";
User = "hydra";
Restart = "always";
WorkingDirectory = baseDir;
};
};
systemd.services.hydra-update-gc-roots =
{ requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" ];
environment = env;
serviceConfig =
{ ExecStart = "@${cfg.package}/bin/hydra-update-gc-roots hydra-update-gc-roots";
User = "hydra";
};
startAt = "2,14:15";
};
systemd.services.hydra-send-stats =
{ wantedBy = [ "multi-user.target" ];
after = [ "hydra-init.service" ];
environment = env;
serviceConfig =
{ ExecStart = "@${cfg.package}/bin/hydra-send-stats hydra-send-stats";
User = "hydra";
};
};
# If there is less than a certain amount of free disk space, stop
# the queue/evaluator to prevent builds from failing or aborting.
systemd.services.hydra-check-space =
{ script =
''
if [ $(($(stat -f -c '%a' /nix/store) * $(stat -f -c '%S' /nix/store))) -lt $((${toString cfg.minimumDiskFree} * 1024**3)) ]; then
echo "stopping Hydra queue runner due to lack of free space..."
systemctl stop hydra-queue-runner
fi
if [ $(($(stat -f -c '%a' /nix/store) * $(stat -f -c '%S' /nix/store))) -lt $((${toString cfg.minimumDiskFreeEvaluator} * 1024**3)) ]; then
echo "stopping Hydra evaluator due to lack of free space..."
systemctl stop hydra-evaluator
fi
'';
startAt = "*:0/5";
};
# Periodically compress build logs. The queue runner compresses
# logs automatically after a step finishes, but this doesn't work
# if the queue runner is stopped prematurely.
systemd.services.hydra-compress-logs =
{ path = [ pkgs.bzip2 ];
script =
''
find /var/lib/hydra/build-logs -type f -name "*.drv" -mtime +3 -size +0c | xargs -r bzip2 -v -f
'';
startAt = "Sun 01:45";
};
services.postgresql.enable = mkIf haveLocalDB true;
services.postgresql.identMap = optionalString haveLocalDB
''
hydra-users hydra hydra
hydra-users hydra-queue-runner hydra
hydra-users hydra-www hydra
hydra-users root hydra
'';
services.postgresql.authentication = optionalString haveLocalDB
''
local hydra all ident map=hydra-users
'';
};
}
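Review bot: The `preStart` of `hydra-init` runs as root (`PermissionsStartOnly = true`) and interpolates `${cfg.gcRootsDir}` unquoted into `[ ! -e … ]`, `mv`, `mkdir`, `chown` and `chmod`. The legacy-roots migration also pipes `find` into `xargs` without NUL delimiters, so a path containing whitespace is split into several arguments. I would quote the expansions and use `find … -type f -print0 | xargs -0 -r mv -f -t "${cfg.gcRootsDir}/"`. Separately, `smtpHost` is typed `types.nullOr types.str` but its `example` is the list `["localhost"]`, and `hydra-compress-logs` hard-codes `/var/lib/hydra/build-logs` instead of `${baseDir}/build-logs`.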


@ -52,11 +52,12 @@ in
description = "
sldapd.conf configuration
";
example = ''
include ''${pkgs.openldap}/etc/openldap/schema/core.schema
include ''${pkgs.openldap}/etc/openldap/schema/cosine.schema
include ''${pkgs.openldap}/etc/openldap/schema/inetorgperson.schema
include ''${pkgs.openldap}/etc/openldap/schema/nis.schema
example = literalExample ''
'''
include ${pkgs.openldap.out}/etc/openldap/schema/core.schema
include ${pkgs.openldap.out}/etc/openldap/schema/cosine.schema
include ${pkgs.openldap.out}/etc/openldap/schema/inetorgperson.schema
include ${pkgs.openldap.out}/etc/openldap/schema/nis.schema
database bdb
suffix dc=example,dc=org
@ -64,6 +65,7 @@ in
# NOTE: change after first start
rootpw secret
directory /var/db/openldap
'''
'';
};
};


@ -1,29 +1,51 @@
{ config, lib, pkgs, ... }:
let
cfgFile = pkgs.writeText "reader.conf" "";
in
with lib;
{
let
cfgFile = pkgs.writeText "reader.conf" config.services.pcscd.readerConfig;
pluginEnv = pkgs.buildEnv {
name = "pcscd-plugins";
paths = map (p: "${p}/pcsc/drivers") config.services.pcscd.plugins;
};
in {
###### interface
options = {
services.pcscd = {
enable = mkEnableOption "PCSC-Lite daemon";
enable = mkOption {
default = false;
description = "Whether to enable the PCSC-Lite daemon.";
plugins = mkOption {
type = types.listOf types.package;
default = [ pkgs.ccid ];
defaultText = "[ pkgs.ccid ]";
example = literalExample "[ pkgs.pcsc-cyberjack ]";
description = "Plugin packages to be used for PCSC-Lite.";
};
readerConfig = mkOption {
type = types.lines;
default = "";
example = ''
FRIENDLYNAME "Some serial reader"
DEVICENAME /dev/ttyS0
LIBPATH /path/to/serial_reader.so
CHANNELID 1
'';
description = ''
Configuration for devices that aren't hotpluggable.
See <citerefentry><refentrytitle>reader.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for valid options.
'';
};
};
};
###### implementation
config = mkIf config.services.pcscd.enable {
@ -37,18 +59,11 @@ with lib;
systemd.services.pcscd = {
description = "PCSC-Lite daemon";
preStart = ''
mkdir -p /var/lib/pcsc
rm -Rf /var/lib/pcsc/drivers
ln -s ${pkgs.ccid}/pcsc/drivers /var/lib/pcsc/
'';
environment.PCSCLITE_HP_DROPDIR = pluginEnv;
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.pcsclite}/sbin/pcscd --auto-exit -c ${cfgFile}";
ExecReload = "${pkgs.pcsclite}/sbin/pcscd --hotplug";
ExecStart = "${pkgs.pcsclite}/sbin/pcscd -f -x -c ${cfgFile}";
ExecReload = "${pkgs.pcsclite}/sbin/pcscd -H";
};
};
};
}
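Review bot: The new `ExecStart` passes `-f`, which keeps pcscd in the foreground, so the unit must not stay `Type = "forking"`; the rendered hunk does not show whether the `Type` line is kept or removed, so confirm it is gone on the new side. The `readerConfig` description could also state that `LIBPATH` names a driver library the daemon will load, since no `User` is set in the visible `serviceConfig` and the service therefore runs with systemd's default user.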


@ -89,8 +89,8 @@ in
'';
example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
default = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv";
sha256 = "0lac20qhcgjxxiiz8jzcn3hkqj4ywl58hahp5n2i6vf9akfyqp7c";
url = https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv;
sha256 = "171zvdqcqqvcw3zr7wl9h1wmdmk6m3h55xr4gq2z1j7a0x0ba2in";
};
defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }";
};
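Review bot: The default resolver list is still fetched from the `master` branch while being pinned by `sha256`, so the fetch breaks whenever upstream edits `dnscrypt-resolvers.csv` and each fix is another hash bump like this one. Pointing `url` at a release tag or commit of the repository would keep the URL and the hash in step; the hash check itself still protects integrity in the meantime. The new `url` is also written as a bare URL literal while the `example` line uses a quoted string, and the quoted form is the less surprising one.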


@ -29,21 +29,27 @@ let
done
${cfg.up}
${optionalString cfg.updateResolvConf
"${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
'';
downScript = ''
#! /bin/sh
export PATH=${path}
${optionalString cfg.updateResolvConf
"${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
${cfg.down}
'';
configFile = pkgs.writeText "openvpn-config-${name}"
''
errors-to-stderr
${optionalString (cfg.up != "" || cfg.down != "") "script-security 2"}
${optionalString (cfg.up != "" || cfg.down != "" || cfg.updateResolvConf) "script-security 2"}
${cfg.config}
${optionalString (cfg.up != "") "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
${optionalString (cfg.down != "") "down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
${optionalString (cfg.up != "" || cfg.updateResolvConf)
"up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
${optionalString (cfg.down != "" || cfg.updateResolvConf)
"down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
'';
in {
@ -145,6 +151,16 @@ in
description = "Whether this OpenVPN instance should be started automatically.";
};
updateResolvConf = mkOption {
default = false;
type = types.bool;
description = ''
Use the script from the update-resolv-conf package to automatically
update resolv.conf with the DNS information provided by openvpn. The
script will be run after the "up" commands and before the "down" commands.
'';
};
};
};
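Review bot: Enabling `updateResolvConf` now also emits `script-security 2` and installs `up`/`down` scripts even when `cfg.up` and `cfg.down` are empty, but the option description does not say so. I would extend the description with a sentence such as `Enabling this sets script-security 2 and lets the DNS settings pushed by the VPN server replace the system resolvers.` so the trust placed in the server is visible to whoever turns the option on.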


@ -0,0 +1,523 @@
# NixOS module for oauth2_proxy.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.oauth2_proxy;
# Use like:
# repeatedArgs (arg: "--arg=${arg}") args
repeatedArgs = concatMapStringsSep " ";
# 'toString' doesn't quite do what we want for bools.
fromBool = x: if x then "true" else "false";
# oauth2_proxy provides many options that are only relevant if you are using
# a certain provider. This set maps from provider name to a function that
# takes the configuration and returns a string that can be inserted into the
# command-line to launch oauth2_proxy.
providerSpecificOptions = {
azure = cfg: ''
--azure-tenant=${cfg.azure.tenant} \
--resource=${cfg.azure.resource} \
'';
github = cfg: ''
$(optionalString (!isNull cfg.github.org) "--github-org=${cfg.github.org}") \
$(optionalString (!isNull cfg.github.team) "--github-org=${cfg.github.team}") \
'';
google = cfg: ''
--google-admin-email=${cfg.google.adminEmail} \
--google-service-account=${cfg.google.serviceAccountJSON} \
$(repeatedArgs (group: "--google-group=${group}") cfg.google.groups) \
'';
};
authenticatedEmailsFile = pkgs.writeText "authenticated-emails" cfg.email.addresses;
getProviderOptions = cfg: provider:
if providerSpecificOptions ? provider then providerSpecificOptions.provider cfg else "";
mkCommandLine = cfg: ''
--provider='${cfg.provider}' \
${optionalString (!isNull cfg.email.addresses) "--authenticated-emails-file='${authenticatedEmailsFile}'"} \
--approval-prompt='${cfg.approvalPrompt}' \
${optionalString (cfg.passBasicAuth && !isNull cfg.basicAuthPassword) "--basic-auth-password='${cfg.basicAuthPassword}'"} \
--client-id='${cfg.clientID}' \
--client-secret='${cfg.clientSecret}' \
${optionalString (!isNull cfg.cookie.domain) "--cookie-domain='${cfg.cookie.domain}'"} \
--cookie-expire='${cfg.cookie.expire}' \
--cookie-httponly=${fromBool cfg.cookie.httpOnly} \
--cookie-name='${cfg.cookie.name}' \
--cookie-secret='${cfg.cookie.secret}' \
--cookie-secure=${fromBool cfg.cookie.secure} \
${optionalString (!isNull cfg.cookie.refresh) "--cookie-refresh='${cfg.cookie.refresh}'"} \
${optionalString (!isNull cfg.customTemplatesDir) "--custom-templates-dir='${cfg.customTemplatesDir}'"} \
${repeatedArgs (x: "--email-domain='${x}'") cfg.email.domains} \
--http-address='${cfg.httpAddress}' \
${optionalString (!isNull cfg.htpasswd.file) "--htpasswd-file='${cfg.htpasswd.file}' --display-htpasswd-form=${fromBool cfg.htpasswd.displayForm}"} \
${optionalString (!isNull cfg.loginURL) "--login-url='${cfg.loginURL}'"} \
--pass-access-token=${fromBool cfg.passAccessToken} \
--pass-basic-auth=${fromBool cfg.passBasicAuth} \
--pass-host-header=${fromBool cfg.passHostHeader} \
--proxy-prefix='${cfg.proxyPrefix}' \
${optionalString (!isNull cfg.profileURL) "--profile-url='${cfg.profileURL}'"} \
${optionalString (!isNull cfg.redeemURL) "--redeem-url='${cfg.redeemURL}'"} \
${optionalString (!isNull cfg.redirectURL) "--redirect-url='${cfg.redirectURL}'"} \
--request-logging=${fromBool cfg.requestLogging} \
${optionalString (!isNull cfg.scope) "--scope='${cfg.scope}'"} \
${repeatedArgs (x: "--skip-auth-regex='${x}'") cfg.skipAuthRegexes} \
${optionalString (!isNull cfg.signatureKey) "--signature-key='${cfg.signatureKey}'"} \
--upstream='${cfg.upstream}' \
${optionalString (!isNull cfg.validateURL) "--validate-url='${cfg.validateURL}'"} \
${optionalString cfg.tls.enable "--tls-cert='${cfg.tls.certificate}' --tls-key='${cfg.tls.key}' --https-address='${cfg.tls.httpsAddress}'"} \
'' + getProviderOptions cfg cfg.provider;
in
{
options.services.oauth2_proxy = {
enable = mkEnableOption "oauth2_proxy";
package = mkOption {
type = types.package;
default = pkgs.oauth2_proxy;
defaultText = "pkgs.oauth2_proxy";
description = ''
The package that provides oauth2_proxy.
'';
};
##############################################
# PROVIDER configuration
provider = mkOption {
type = types.enum [
"google"
"github"
"azure"
"gitlab"
"linkedin"
"myusa"
];
default = "google";
description = ''
OAuth provider.
'';
};
approvalPrompt = mkOption {
type = types.enum ["force" "auto"];
default = "force";
description = ''
OAuth approval_prompt.
'';
};
clientID = mkOption {
type = types.str;
description = ''
The OAuth Client ID.
'';
example = "123456.apps.googleusercontent.com";
};
clientSecret = mkOption {
type = types.str;
description = ''
The OAuth Client Secret.
'';
};
skipAuthRegexes = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Skip authentication for requests matching any of these regular
expressions.
'';
};
# XXX: Not clear whether these two options are mutually exclusive or not.
email = {
domains = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Authenticate emails with the specified domains. Use
<literal>*</literal> to authenticate any email.
'';
};
addresses = mkOption {
type = types.nullOr types.lines;
default = null;
description = ''
Line-separated email addresses that are allowed to authenticate.
'';
};
};
loginURL = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Authentication endpoint.
You only need to set this if you are using a self-hosted provider (e.g.
Github Enterprise). If you're using a publicly hosted provider
(e.g github.com), then the default works.
'';
example = "https://provider.example.com/oauth/authorize";
};
redeemURL = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Token redemption endpoint.
You only need to set this if you are using a self-hosted provider (e.g.
Github Enterprise). If you're using a publicly hosted provider
(e.g github.com), then the default works.
'';
example = "https://provider.example.com/oauth/token";
};
validateURL = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Access token validation endpoint.
You only need to set this if you are using a self-hosted provider (e.g.
Github Enterprise). If you're using a publicly hosted provider
(e.g github.com), then the default works.
'';
example = "https://provider.example.com/user/emails";
};
redirectURL = mkOption {
# XXX: jml suspects this is always necessary, but the command-line
# doesn't require it so making it optional.
type = types.nullOr types.str;
default = null;
description = ''
The OAuth2 redirect URL.
'';
example = "https://internalapp.yourcompany.com/oauth2/callback";
};
azure = {
tenant = mkOption {
type = types.str;
default = "common";
description = ''
Go to a tenant-specific or common (tenant-independent) endpoint.
'';
};
resource = mkOption {
type = types.str;
description = ''
The resource that is protected.
'';
};
};
google = {
adminEmail = mkOption {
type = types.str;
description = ''
The Google Admin to impersonate for API calls.
Only users with access to the Admin APIs can access the Admin SDK
Directory API, thus the service account needs to impersonate one of
those users to access the Admin SDK Directory API.
See <link xlink:href="https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account" />.
'';
};
groups = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Restrict logins to members of these Google groups.
'';
};
serviceAccountJSON = mkOption {
type = types.path;
description = ''
The path to the service account JSON credentials.
'';
};
};
github = {
org = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Restrict logins to members of this organisation.
'';
};
team = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Restrict logins to members of this team.
'';
};
};
####################################################
# UPSTREAM Configuration
upstream = mkOption {
type = types.commas;
description = ''
The http url(s) of the upstream endpoint or <literal>file://</literal>
paths for static files. Routing is based on the path.
'';
};
passAccessToken = mkOption {
type = types.bool;
default = false;
description = ''
Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
'';
};
passBasicAuth = mkOption {
type = types.bool;
default = true;
description = ''
Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
'';
};
basicAuthPassword = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The password to set when passing the HTTP Basic Auth header.
'';
};
passHostHeader = mkOption {
type = types.bool;
default = true;
description = ''
Pass the request Host Header to upstream.
'';
};
signatureKey = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
GAP-Signature request signature key.
'';
example = "sha1:secret0";
};
cookie = {
domain = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
An optional cookie domain to force cookies to.
'';
example = ".yourcompany.com";
};
expire = mkOption {
type = types.str;
default = "168h0m0s";
description = ''
Expire timeframe for cookie.
'';
};
httpOnly = mkOption {
type = types.bool;
default = true;
description = ''
Set HttpOnly cookie flag.
'';
};
name = mkOption {
type = types.str;
default = "_oauth2_proxy";
description = ''
The name of the cookie that the oauth_proxy creates.
'';
};
refresh = mkOption {
# XXX: Unclear what the behavior is when this is not specified.
type = types.nullOr types.str;
default = null;
description = ''
Refresh the cookie after this duration; 0 to disable.
'';
example = "168h0m0s";
};
secret = mkOption {
type = types.str;
description = ''
The seed string for secure cookies.
'';
};
secure = mkOption {
type = types.bool;
default = true;
description = ''
Set secure (HTTPS) cookie flag.
'';
};
};
####################################################
# OAUTH2 PROXY configuration
httpAddress = mkOption {
type = types.str;
default = "127.0.0.1:4180";
description = ''
HTTPS listening address. This module does not expose the port by
default. If you want this URL to be accessible to other machines, please
add the port to <literal>networking.firewall.allowedTCPPorts</literal>.
'';
};
htpasswd = {
file = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Additionally authenticate against a htpasswd file. Entries must be
created with <literal>htpasswd -s</literal> for SHA encryption.
'';
};
displayForm = mkOption {
type = types.bool;
default = true;
description = ''
Display username / password login form if an htpasswd file is provided.
'';
};
};
customTemplatesDir = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to custom HTML templates.
'';
};
proxyPrefix = mkOption {
type = types.str;
default = "/oauth2";
description = ''
The url root path that this proxy should be nested under.
'';
};
tls = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to serve over TLS.
'';
};
certificate = mkOption {
type = types.path;
description = ''
Path to certificate file.
'';
};
key = mkOption {
type = types.path;
description = ''
Path to private key file.
'';
};
httpsAddress = mkOption {
type = types.str;
default = ":443";
description = ''
<literal>addr:port</literal> to listen on for HTTPS clients.
Remember to add <literal>port</literal> to
<literal>allowedTCPPorts</literal> if you want other machines to be
able to connect to it.
'';
};
};
requestLogging = mkOption {
type = types.bool;
default = true;
description = ''
Log requests to stdout.
'';
};
####################################################
# UNKNOWN
# XXX: Is this mandatory? Is it part of another group? Is it part of the provider specification?
scope = mkOption {
# XXX: jml suspects this is always necessary, but the command-line
# doesn't require it so making it optional.
type = types.nullOr types.str;
default = null;
description = ''
OAuth scope specification.
'';
};
profileURL = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Profile access endpoint.
'';
};
};
config = mkIf cfg.enable {
users.extraUsers.oauth2_proxy = {
description = "OAuth2 Proxy";
};
systemd.services.oauth2_proxy = {
description = "OAuth2 Proxy";
path = [ cfg.package ];
wantedBy = [ "multi-user.target" ];
after = [ "network-interfaces.target" ];
serviceConfig = {
User = "oauth2_proxy";
Restart = "always";
ExecStart = "${cfg.package}/bin/oauth2_proxy ${mkCommandLine cfg}";
};
};
};
}


@ -81,7 +81,6 @@ in {
};
environment.gnome3.packageSet = mkOption {
type = types.nullOr types.package;
default = null;
example = literalExample "pkgs.gnome3_18";
description = "Which GNOME 3 package set to use.";


@ -117,6 +117,9 @@ in
# Install activity manager if available
++ lib.optional (lib.hasAttr "kactivitymanagerd" kde5) kde5.kactivitymanagerd
# frameworkintegration was split with plasma-integration in Plasma 5.6
++ lib.optional (lib.hasAttr "plasma-integration" kde5) kde5.plasma-integration
# Optional hardware support features
++ lib.optional config.hardware.bluetooth.enable kde5.bluedevil
++ lib.optional config.networking.networkmanager.enable kde5.plasma-nm
@ -167,7 +170,9 @@ in
services.xserver.displayManager.sddm = {
theme = "breeze";
themes = [
kde5.extra-cmake-modules # for the setup-hook
kde5.plasma-workspace
kde5.breeze-icons
(kde5.oxygen-icons or kde5.oxygen-icons5)
];
};


@ -463,7 +463,14 @@ in
{ source = "${cfg.xkbDir}";
target = "X11/xkb";
}
]);
])
# Needed since 1.18; see https://bugs.freedesktop.org/show_bug.cgi?id=89023#c5
++ (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in
[{
source = xorg.xf86inputevdev.out + "/share" + cfgPath;
target = cfgPath;
}]
);
environment.systemPackages =
[ xorg.xorgserver.out
@ -479,6 +486,7 @@ in
xorg.xauth
pkgs.xterm
pkgs.xdg_utils
xorg.xf86inputevdev.out # get evdev.4 man page
]
++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh;
@ -538,7 +546,7 @@ in
services.xserver.modules =
concatLists (catAttrs "modules" cfg.drivers) ++
[ xorg.xorgserver.out
xorg.xf86inputevdev
xorg.xf86inputevdev.out
];
services.xserver.xkbDir = mkDefault "${pkgs.xkeyboard_config}/etc/X11/xkb";


@ -4,19 +4,16 @@ with lib;
{
options.boot.loader.efi = {
canTouchEfiVariables = mkOption {
default = false;
type = types.bool;
description = "Whether or not the installation process should modify efi boot variables.";
description = "Whether the installation process is allowed to modify EFI boot variables.";
};
efiSysMountPoint = mkOption {
default = "/boot";
type = types.str;
description = "Where the EFI System Partition is mounted.";
};
};


@ -488,7 +488,7 @@ in
}
{
assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint;
message = "Efi paths must be absolute, not ${args.efiSysMountPoint}";
message = "EFI paths must be absolute, not ${args.efiSysMountPoint}";
}
] ++ flip map args.devices (device: {
assertion = device == "nodev" || hasPrefix "/" device;


@ -88,16 +88,16 @@ def remove_old_entries(gens):
if not path in known_paths:
os.unlink(path)
parser = argparse.ArgumentParser(description='Update NixOS-related gummiboot files')
parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files')
parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot')
args = parser.parse_args()
# We deserve our own env var!
if os.getenv("NIXOS_INSTALL_GRUB") == "1":
if "@canTouchEfiVariables@" == "1":
subprocess.check_call(["@gummiboot@/bin/gummiboot", "--path=@efiSysMountPoint@", "install"])
subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "install"])
else:
subprocess.check_call(["@gummiboot@/bin/gummiboot", "--path=@efiSysMountPoint@", "--no-variables", "install"])
subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "--no-variables", "install"])
mkdir_p("@efiSysMountPoint@/efi/nixos")
mkdir_p("@efiSysMountPoint@/loader/entries")


@ -3,16 +3,18 @@
with lib;
let
cfg = config.boot.loader.gummiboot;
cfg = config.boot.loader.systemd-boot;
efi = config.boot.loader.efi;
gummibootBuilder = pkgs.substituteAll {
src = ./gummiboot-builder.py;
src = ./systemd-boot-builder.py;
isExecutable = true;
inherit (pkgs) python gummiboot;
inherit (pkgs) python;
systemd = config.systemd.package;
nix = config.nix.package.out;
@ -21,13 +23,18 @@ let
inherit (efi) efiSysMountPoint canTouchEfiVariables;
};
in {
options.boot.loader.gummiboot = {
imports =
[ (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "enable" ] [ "boot" "loader" "systemd-boot" "enable" ])
];
options.boot.loader.systemd-boot = {
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to enable the gummiboot UEFI boot manager";
description = "Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager";
};
};
@ -45,7 +52,7 @@ in {
system = {
build.installBootLoader = gummibootBuilder;
boot.loader.id = "gummiboot";
boot.loader.id = "systemd-boot";
requiredKernelConfig = with config.lib.kernelConfig; [
(isYes "EFI_STUB")


@ -41,6 +41,8 @@ if [ ! -e /proc/1 ]; then
mount -n -t proc proc /proc
mkdir -m 0755 -p /dev
mount -t devtmpfs devtmpfs /dev
mkdir -m 0755 -p /sys
mount -t sysfs sysfs /sys
fi
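Review bot: The added `mount -t sysfs sysfs /sys` passes no mount options, so /sys comes up without `nosuid`, `nodev` or `noexec` unless a later step remounts it, and no such step is visible in this hunk. sysfs needs no setuid binaries, device nodes or executables, so I would write `mount -t sysfs -o nosuid,nodev,noexec sysfs /sys`. The `devtmpfs` mount on the context line above has the same shape and could at least take `nosuid`. The rest of the script is outside the hunk, so check whether these file systems are mounted again with stricter options later.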


@ -77,7 +77,7 @@ in
KERNEL=="vboxuser", OWNER="root", GROUP="root", MODE="0666"
# Allow systemd dependencies on vboxguest.
KERNEL=="vboxguest", TAG+="systemd"
SUBSYSTEM=="misc", KERNEL=="vboxguest", TAG+="systemd"
'';
};
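Review bot: The `SUBSYSTEM=="misc"` qualifier is added only to the `vboxguest` tagging rule, while the `vboxuser` rule two lines above, which sets `MODE="0666"`, still matches on the kernel name alone. A permission-granting rule is the one that benefits most from a narrow match, so I would qualify it the same way: `SUBSYSTEM=="misc", KERNEL=="vboxuser", OWNER="root", GROUP="root", MODE="0666"`. This assumes vboxuser is registered in the same subsystem as vboxguest, which should be confirmed on a running guest. The udev rules string starts outside the hunk.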


@ -0,0 +1,41 @@
import ./make-test.nix ({ pkgs, ...} : {
name = "gnome3-gdm";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ lethalman ];
};
machine =
{ config, pkgs, ... }:
{ imports = [ ./common/user-account.nix ];
services.xserver.enable = true;
services.xserver.displayManager.gdm = {
enable = true;
autoLogin = {
enable = true;
user = "alice";
};
};
services.xserver.desktopManager.gnome3.enable = true;
environment.gnome3.packageSet = pkgs.gnome3_20;
virtualisation.memorySize = 512;
};
testScript =
''
$machine->waitForX;
$machine->sleep(15);
# Check that logging in has given the user ownership of devices.
$machine->succeed("getfacl /dev/snd/timer | grep -q alice");
$machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
$machine->succeed("xauth merge ~alice/.Xauthority");
$machine->waitForWindow(qr/Terminal/);
$machine->sleep(20);
$machine->screenshot("screen");
'';
})

38
nixos/tests/gnome3_20.nix Normal file

@ -0,0 +1,38 @@
import ./make-test.nix ({ pkgs, ...} : {
name = "gnome3";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ domenkozar eelco chaoflow lethalman ];
};
machine =
{ config, pkgs, ... }:
{ imports = [ ./common/user-account.nix ];
services.xserver.enable = true;
services.xserver.displayManager.auto.enable = true;
services.xserver.displayManager.auto.user = "alice";
services.xserver.desktopManager.gnome3.enable = true;
environment.gnome3.packageSet = pkgs.gnome3_20;
virtualisation.memorySize = 512;
};
testScript =
''
$machine->waitForX;
$machine->sleep(15);
# Check that logging in has given the user ownership of devices.
$machine->succeed("getfacl /dev/snd/timer | grep -q alice");
$machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
$machine->succeed("xauth merge ~alice/.Xauthority");
$machine->waitForWindow(qr/Terminal/);
$machine->mustSucceed("timeout 900 bash -c 'journalctl -f|grep -m 1 \"GNOME Shell started\"'");
$machine->sleep(10);
$machine->screenshot("screen");
'';
})
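Review bot: The new file is `nixos/tests/gnome3_20.nix` but it declares `name = "gnome3";`, so its results will be indistinguishable from any existing test of that name. I would use `name = "gnome3_20";` to match the file and the `pkgs.gnome3_20` package set it pins. The fixed `$machine->sleep(15)` and `$machine->sleep(10)` calls are also a source of flakiness. The `journalctl` wait a few lines earlier already shows the better pattern of waiting on an observable event.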


@ -30,8 +30,8 @@ let
boot.loader.grub.configurationLimit = 100 + ${toString forceGrubReinstallCount};
''}
${optionalString (bootLoader == "gummiboot") ''
boot.loader.gummiboot.enable = true;
${optionalString (bootLoader == "systemd-boot") ''
boot.loader.systemd-boot.enable = true;
''}
hardware.enableAllFirmware = lib.mkForce false;
@ -57,7 +57,7 @@ let
(if system == "x86_64-linux" then "-m 768 " else "-m 512 ") +
(optionalString (system == "x86_64-linux") "-cpu kvm64 ");
hdFlags = ''hda => "vm-state-machine/machine.qcow2", hdaInterface => "${iface}", ''
+ optionalString (bootLoader == "gummiboot") ''bios => "${pkgs.OVMF}/FV/OVMF.fd", '';
+ optionalString (bootLoader == "systemd-boot") ''bios => "${pkgs.OVMF}/FV/OVMF.fd", '';
in
''
$machine->start;
@ -159,7 +159,7 @@ let
makeInstallerTest = name:
{ createPartitions, preBootCommands ? "", extraConfig ? ""
, bootLoader ? "grub" # either "grub" or "gummiboot"
, bootLoader ? "grub" # either "grub" or "systemd-boot"
, grubVersion ? 2, grubDevice ? "/dev/vda", grubIdentifier ? "uuid"
, enableOCR ? false, meta ? {}
}:
@ -195,7 +195,7 @@ let
virtualisation.qemu.diskInterface =
if grubVersion == 1 then "scsi" else "virtio";
boot.loader.gummiboot.enable = mkIf (bootLoader == "gummiboot") true;
boot.loader.systemd-boot.enable = mkIf (bootLoader == "systemd-boot") true;
hardware.enableAllFirmware = mkForce false;
@ -208,7 +208,6 @@ let
pkgs.unionfs-fuse
pkgs.ntp
pkgs.nixos-artwork
pkgs.gummiboot
pkgs.perlPackages.XMLLibXML
pkgs.perlPackages.ListCompare
]
@ -250,7 +249,7 @@ in {
'';
};
# Simple GPT/UEFI configuration using Gummiboot with 3 partitions: ESP, swap & root filesystem
# Simple GPT/UEFI configuration using systemd-boot with 3 partitions: ESP, swap & root filesystem
simpleUefiGummiboot = makeInstallerTest "simpleUefiGummiboot"
{ createPartitions =
''
@ -270,7 +269,7 @@ in {
"mount LABEL=BOOT /mnt/boot",
);
'';
bootLoader = "gummiboot";
bootLoader = "systemd-boot";
};
# Same as the previous, but now with a separate /boot partition.


@ -1,4 +1,6 @@
import ./make-test.nix ({ pkgs, ...} : {
import ./make-test.nix ({ pkgs, ...} :
{
name = "sddm";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ttuegel ];
@ -6,6 +8,7 @@ import ./make-test.nix ({ pkgs, ...} : {
machine = { lib, ... }: {
imports = [ ./common/user-account.nix ];
virtualisation.memorySize = 1024;
services.xserver.enable = true;
services.xserver.displayManager.sddm = {
enable = true;
@ -14,18 +17,38 @@ import ./make-test.nix ({ pkgs, ...} : {
user = "alice";
};
};
services.xserver.windowManager.default = "icewm";
services.xserver.windowManager.icewm.enable = true;
services.xserver.desktopManager.default = "none";
services.xserver.desktopManager.kde5.enable = true;
};
enableOCR = true;
testScript = { nodes, ... }: ''
startAll;
$machine->waitForFile("/home/alice/.Xauthority");
$machine->succeed("xauth merge ~alice/.Xauthority");
$machine->waitForWindow("^IceWM ");
testScript = { nodes, ... }:
let xdo = "${pkgs.xdotool}/bin/xdotool"; in
''
sub krunner {
my ($win,) = @_;
$machine->execute("${xdo} key Alt+F2 sleep 1 type $win");
$machine->execute("${xdo} search --sync --onlyvisible --class krunner sleep 5 key Return");
}
$machine->waitUntilSucceeds("pgrep plasmashell");
$machine->succeed("xauth merge ~alice/.Xauthority");
$machine->waitForWindow(qr/Desktop.*/);
# Check that logging in has given the user ownership of devices.
$machine->succeed("getfacl /dev/snd/timer | grep -q alice");
krunner("dolphin");
$machine->waitForWindow(qr/.*Dolphin/);
krunner("konsole");
$machine->waitForWindow(qr/.*Konsole/);
krunner("systemsettings5");
$machine->waitForWindow(qr/.*Settings/);
$machine->sleep(20);
$machine->execute("${xdo} key Alt+F1 sleep 10");
$machine->screenshot("screen");
'';
})
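Review bot: The new `krunner` helper drives xdotool through `$machine->execute(...)`, which returns the exit status instead of failing the test. A missing window or a failed `search --sync` is therefore only noticed later as a `waitForWindow` timeout. Using `$machine->succeed(...)` in both calls of the helper, and for the final `Alt+F1` call, would make the failure point explicit. The test is still called `name = "sddm";` although it now enables `desktopManager.kde5` and checks Dolphin, Konsole and System Settings, so a name that reflects the KDE 5 session would be clearer.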


@ -52,7 +52,7 @@ in
--replace '#!/usr/bin/perl' '#!${perl}/bin/perl'
wrapProgram "$out/bin/abcde" --prefix PATH ":" \
"$out/bin:${which}/bin:${libcdio}/bin:${cddiscid}/bin:${wget}/bin:${vorbis-tools}/bin:${id3v2}/bin:${eyeD3}/bin:${lame}/bin:${flac}/bin"
${stdenv.lib.makeBinPath [ "$out" which libcdio cddiscid wget vorbis-tools id3v2 eyeD3 lame flac ]}
wrapProgram "$out/bin/cddb-tool" --prefix PATH ":" \
"${wget}/bin"


@ -35,7 +35,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = git://git.ardour.org/ardour/ardour.git;
rev = "7024232855d268633760674d34c096ce447b7240";
sha256 = "ede3730455c3c91b2fd612871fa7262bdacd3dff4ba77c5dfbc3c1f0de9b8a36";
sha256 = "0pnnx22asizin5rvf352nfv6003zarw3jd64magp10310wrfiwbq";
};
buildInputs =
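Review bot: The `sha256` of this `fetchgit` call is replaced while `rev` stays at the same commit, and nothing in the hunk says why the expected content of a pinned revision changed. The fixed-output hash is the only integrity check on this source, which is fetched over unauthenticated `git://`, so the new value should be traceable. The commit message should state what changed in the fetcher's output (presumably how fetchgit normalises the checkout) and confirm that each hash was regenerated from the pinned `rev`. The same applies to the other hash-only fetchgit hunks on this page, for example ArtyFX, DISTRHO-Ports, swh ladspa and lv2, plugin-torture, cask, gh.el, js2-mode, ProofGeneral and sane-backends.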


@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/harryhaaren/openAV-ArtyFX.git";
rev = "3a8cb9a5e4ffaf27a497a31cc9cd6f2e79622d5b";
sha256 = "2e3f6ab6f829c0ec177e85f4e419286616cf35fb7303445caa09d3438cac27d5";
sha256 = "0nsmycm64a686ysfnmdvnaazijvfj90z5wyp96kyr81nsrbcv2ij";
};
buildInputs = [ cairomm cmake libjack2 libpthreadstubs libXdmcp libxshmfence libsndfile lv2 ntk pkgconfig ];


@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/DISTRHO/DISTRHO-Ports.git";
rev = "53458838505efef91ed069d0a7d970b6b3588eba";
sha256 = "0fb4dxfvvqy8lnm9c91sxwn5wbcw8grfpm52zag25vrls251aih3";
sha256 = "1wjzgy5yyi52fn4si2m8zrbbzqsh3p75avfx744jmxj5gpq5qa92";
};
patchPhase = ''


@ -14,7 +14,7 @@ let
src = fetchgit {
url = "git://git.code.sf.net/p/faudiostream/code";
rev = "931fca3e649f99ef09025d37bd6a7dc70a03e6f6";
sha256 = "05yam8jfdnziysvpxa5w118k5bbl103vamyqgka6vyhjjizp1nx7";
sha256 = "1h2qfwxqf9406v0w6kqyxlzn88zw3xmwgxg9f01n4jvd72zxll78";
};
meta = with stdenv.lib; {


@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/OSSIA/i-score.git";
rev = "ede2453b139346ae46702b5e2643c5488f8c89fb";
sha256 = "04li771nj0k8gym7vg6rnawjkp2f6d5m5mby26h0k6ksf7hg7h70";
sha256 = "0mk0zsqhx9z7ry1amjki89h6yp5ysi1qgy2j3kzhrm5sfazvf0x3";
leaveDotGit = true;
deepClone = true;
};
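Review bot: The updated `sha256` sits next to `leaveDotGit = true;` and `deepClone = true;`, and a hash over a checkout that keeps `.git` is fragile. Pack files and ref metadata can differ between fetches of the same `rev`. The hash is therefore likely to need another update later, and a mismatch no longer reliably means the source content changed. If the build only needs version information from git, passing that in explicitly and dropping `leaveDotGit` would make the pin meaningful. Otherwise a comment such as `# .git is required by the build; hash may drift` should record the trade-off. The zam-plugins hunk further down has the same issue with `deepClone = true;`.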


@ -7,7 +7,7 @@ stdenv.mkDerivation {
src = fetchgit {
url = https://github.com/swh/ladspa.git;
rev = "4b8437e8037cace3d5bf8ce6d1d1da0182aba686";
sha256 = "7d9aa13a064903b330bd52e35c1f810f1c8a253ea5eb4e5a3a69a051af03150e";
sha256 = "1rmqm4780dhp0pj2scl3k7m8hpp1x6w6ln4wwg954zb9570rqaxx";
};
buildInputs = [ autoreconfHook fftw ladspaH libxml2 pkgconfig perl perlPackages.XMLParser ];


@ -8,7 +8,7 @@ pythonPackages.buildPythonApplication rec {
src = fetchgit {
url = "git://github.com/aszlig/LastWatch.git";
rev = "refs/tags/v${version}";
sha256 = "c43f0fd87e9f3daafc7e8676daf2e89c8e21fbabc278eb1455e28d2997587a92";
sha256 = "0nlng3595j5jvnikk8i5hb915zak5zsmfn2306cc4gfcns9xzjwp";
};
pythonPath = [


@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
url = "https://github.com/thomasvs/morituri.git";
fetchSubmodules = true;
rev = "135b2f7bf27721177e3aeb1d26403f1b29116599";
sha256 = "1ccxq1spny6xgd7nqwn13n9nqa00ay0nhflg3vbdkvbirh8fgxwq";
sha256 = "1sl5y5j3gdbynf2v0gf9dwd2hzawj8lm8ywadid7qm34yn8lx12k";
};
pythonPath = [


@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/cth103/plugin-torture";
rev = "9ee06016982bdfbaa215cd0468cc6ada6367462a";
sha256 = "bfe9213fd2c1451d7acc1381d63301c4e6ff69ce86d31a886ece5159ba850706";
sha256 = "0ynzfs3z95lbw4l1w276as2a37zxp0cw6pi3lbikr0qk0r7j5j10";
};
buildInputs = [ boost ladspaH lilv lv2 pkgconfig serd sord sratom ];


@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/swh/lv2.git";
rev = "978d5d8f549fd22048157a6d044af0faeaacbd7f";
sha256 = "3a9c042785b856623339aedafa5bc019b41beb8034d8594c7bbd6c9c26368065";
sha256 = "10jj8sp67caxvmzjxwyzapc34jpry5nrkkp49kyyvyk5dgkpbsjw";
};
patchPhase = ''


@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
url = "https://github.com/zamaudio/zam-plugins.git";
deepClone = true;
rev = "91fe56931a3e57b80f18c740d2dde6b44f962aee";
sha256 = "1s0s028h3z3pfd4qvi63fsg6bv33bvz0p5fbmbmhypzqjlx6mlkb";
sha256 = "1ldrqh6nk0m1axb553wjp1gfznw8b6b3k0v0z1jdwy425sl6g07d";
};
buildInputs = [ boost libX11 mesa liblo libjack2 ladspaH lv2 pkgconfig rubberband libsndfile ];


@ -1,15 +1,15 @@
{ stdenv, fetchurl, makeWrapper, jre, cpio, gawk, gnugrep, gnused, procps, swt, gtk2, glib, libXtst }:
let
version = "4.6.0";
rev = "3"; #tracks unversioned changes that occur on download.code42.com from time to time
version = "4.7.0";
rev = "1"; #tracks unversioned changes that occur on download.code42.com from time to time
in stdenv.mkDerivation rec {
name = "crashplan-${version}-r${rev}";
crashPlanArchive = fetchurl {
url = "https://download.code42.com/installs/linux/install/CrashPlan/CrashPlan_${version}_Linux.tgz";
sha256 = "0crrx8gy132xcpjfah08qhsl8g2arx14p5mpypcihl9j6mldi6mz";
sha256 = "1r50fyswvqjxsdslbyibbxwz2fs8iim15hxr0k05jrzmkhjm4g5v";
};
srcs = [ crashPlanArchive ];


@ -68,14 +68,19 @@ in
stdenv.mkDerivation {
name = "sddm-${version}";
phases = "installPhase";
nativeBuildInputs = [ lndir makeQtWrapper ];
buildInputs = [ unwrapped ] ++ themes;
themes = map (pkg: pkg.out or pkg) themes;
inherit unwrapped;
unpackPhase = "true";
configurePhase = "runHook preConfigure; runHook postConfigure";
buildPhase = "runHook preBuild; runHook postBuild";
installPhase = ''
runHook preInstall
makeQtWrapper "$unwrapped/bin/sddm" "$out/bin/sddm"
mkdir -p "$out/share/sddm"
@ -85,6 +90,8 @@ stdenv.mkDerivation {
lndir -silent "$sddmDir" "$out/share/sddm"
fi
done
runHook postInstall
'';
inherit (unwrapped) meta;


@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
--set-rpath "${atomEnv.libPath}" \
$out/share/atom/resources/app/apm/bin/node
patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
$out/share/atom/resources/app.asar.unpacked/node_modules/symbols-view/vendor/ctags-linux
'';
meta = with stdenv.lib; {


@ -1,12 +1,14 @@
diff --git a/lib/careadlinkat.h b/lib/careadlinkat.h
index 5cdb813..7a272e8 100644
index 84ede3e..8e8f42e 100644
--- a/lib/careadlinkat.h
+++ b/lib/careadlinkat.h
@@ -23,6 +23,8 @@
@@ -23,6 +23,10 @@
#include <fcntl.h>
#include <unistd.h>
+#ifndef AT_FDCWD
+#define AT_FDCWD -2
+#endif
+
struct allocator;


@ -1,12 +1,14 @@
diff --git a/lib/careadlinkat.h b/lib/careadlinkat.h
index 5cdb813..7a272e8 100644
index 84ede3e..8e8f42e 100644
--- a/lib/careadlinkat.h
+++ b/lib/careadlinkat.h
@@ -23,6 +23,8 @@
@@ -23,6 +23,10 @@
#include <fcntl.h>
#include <unistd.h>
+#ifndef AT_FDCWD
+#define AT_FDCWD -2
+#endif
+
struct allocator;


@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/cask/cask.git";
rev = "717b64a9ba7640ec366e8573da0c01f9c4d57b0c";
sha256 = "0j18rzgpibisfcci6kcgjs8nlkfi1dw33dxp6ab6zaiarydwgcs5";
sha256 = "0bq24hac1z77g1bybwlk991dcc3pss2gjpwq0a6vvrqg5hw02lsf";
};
buildInputs = [ emacs python ];


@ -5,7 +5,7 @@ clangStdenv.mkDerivation {
src = fetchgit {
url = "git://github.com/Golevka/emacs-clang-complete-async.git";
rev = "f01488971ec8b5752780d130fb84de0c16a46f31";
sha256 = "1c8zqi6axbsb951azz9iqx3j52j30nd9ypv396hvids3g02cirrf";
sha256 = "01smjinrvx0w5z847a43fh2hyr6rrq1kaglfakbr6dcr313w89x9";
};
buildInputs = [ llvmPackages.llvm ];


@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/sigma/gh.el.git";
rev = "ef03b63d063ec22f03af449aa955c98dfad7f80e";
sha256 = "efa231e0091e8c7785385149dc97b2d8dc24aba65f4b0974b8ed7f62b7596ad3";
sha256 = "1pciq16vl5l4kvj08q4ib1jzk2bb2y1makcsyaw8k9jblqviw756";
};
buildInputs = [ emacs ];


@ -6,7 +6,7 @@ stdenv.mkDerivation {
src = fetchgit {
url = "git://github.com/mooz/js2-mode.git";
rev = "3abcd90ddc2f446ddf0fb874dd79ba870c26ad2d";
sha256 = "c0aaab4eeb8d60cfd5c382c3e30d4725e5ec492720d573e663ea69ee43aa73a8";
sha256 = "0sh9ax2w0ydhjjn4vnwbgy3926p7ad6h6nmsnm0a3zlldj9a4vwn";
};
buildInputs = [ emacs ];



@ -37,7 +37,7 @@ self:
overrides = {
ac-php = super.ac-php.override {
inherit (self.melpaPackages) company popup;
inherit (self.melpaPackages) popup;
};
# upstream issue: mismatched filename


@ -6,7 +6,7 @@ stdenv.mkDerivation (rec {
src = fetchgit {
url = "https://github.com/ProofGeneral/PG.git";
rev = "16991280fb09743ae7320aef77f6a166afb907d7";
sha256 = "08zhfl6xbl4q7lrl7wdp72xr155k06778by0d60g28mfx59b7sqc";
sha256 = "1yakjxfz6a09m7lrxff04sj1717gpmhq2bsibd5f9lkp6z0w2i0q";
};
buildInputs = [ emacs texinfo perl which ] ++ stdenv.lib.optional enableDoc texLive;


@ -8,7 +8,7 @@ pythonPackages.buildPythonApplication rec {
src = fetchgit {
url = "https://github.com/leo-editor/leo-editor";
rev = "refs/tags/Leo-${version}-final";
sha256 = "3cc5259609890bbde9cfee71f4f60b959b3f5b740f7d403c99ea2d9796b4758e";
sha256 = "0km5mvzfpfbxxhcjr4if24qhgk2c7dsvmfinz0zrbfriip848vcp";
};
propagatedBuildInputs = with pythonPackages; [ pyqt4 sqlite3 ];


@ -1,6 +1,6 @@
{ stdenv, fetchFromGitHub, cmake, gettext, glib, libmsgpack, libtermkey
, libtool, libuv, lpeg, lua, luajit, luaMessagePack, luabitop, man, ncurses
, perl, pkgconfig, unibilium, makeWrapper, vimUtils, xsel
, libtool, libuv, lua, luajit, luaPackages, man, ncurses, perl, pkgconfig
, unibilium, makeWrapper, vimUtils, xsel
, withPython ? true, pythonPackages, extraPythonPackages ? []
, withPython3 ? true, python3Packages, extraPython3Packages ? []
@ -21,10 +21,10 @@ let
version = "2015-11-06";
src = fetchFromGitHub {
sha256 = "090pyf1n5asaw1m2l9bsbdv3zd753aq1plb0w0drbc2k43ds7k3g";
rev = "a9c7c6fd20fa35e0ad3e0e98901ca12dfca9c25c";
repo = "libvterm";
owner = "neovim";
repo = "libvterm";
rev = "a9c7c6fd20fa35e0ad3e0e98901ca12dfca9c25c";
sha256 = "090pyf1n5asaw1m2l9bsbdv3zd753aq1plb0w0drbc2k43ds7k3g";
};
buildInputs = [ perl ];
@ -39,7 +39,7 @@ let
description = "VT220/xterm/ECMA-48 terminal emulator library";
homepage = http://www.leonerd.org.uk/code/libvterm/;
license = licenses.mit;
maintainers = with maintainers; [ nckx ];
maintainers = with maintainers; [ nckx garbas ];
platforms = platforms.unix;
};
};
@ -60,13 +60,13 @@ let
neovim = stdenv.mkDerivation rec {
name = "neovim-${version}";
version = "0.1.3";
version = "0.1.4";
src = fetchFromGitHub {
sha256 = "1bkyfxsgb7894848nphsi6shr8bvi9z6ch0zvh2df7vkkzji8chr";
rev = "v${version}";
repo = "neovim";
owner = "neovim";
repo = "neovim";
rev = "v${version}";
sha256 = "14c4gydkm2mz22i616190yif1k0i6d7h5hyxa1mf5cmcyqmp3kkp";
};
enableParallelBuilding = true;
@ -79,13 +79,15 @@ let
# https://github.com/NixOS/nixpkgs/issues/14442
lua
luajit
lpeg
luaMessagePack
luabitop
libmsgpack
ncurses
neovimLibvterm
unibilium
luaPackages.lpeg
luaPackages.mpack
luaPackages.luabitop
] ++ optional withJemalloc jemalloc;
nativeBuildInputs = [
@ -95,8 +97,12 @@ let
pkgconfig
];
LUA_CPATH="${lpeg}/lib/lua/${lua.luaversion}/?.so;${luabitop}/lib/lua/5.2/?.so";
LUA_PATH="${luaMessagePack}/share/lua/5.1/?.lua";
LUA_CPATH = "${luaPackages.lpeg}/lib/lua/${lua.luaversion}/?.so;${luaPackages.mpack}/lib/lua/${lua.luaversion}/?.so;${luaPackages.luabitop}/lib/lua/${lua.luaversion}/?.so";
configureFlags = [
"-DCMAKE_BUILD_TYPE=RelWithDebInfo"
"-DENABLE_JEMALLOC=ON"
];
# triggers on buffer overflow bug while running tests
hardeningDisable = [ "fortify" ];
@ -114,7 +120,7 @@ let
install_name_tool -change libjemalloc.1.dylib \
${jemalloc}/lib/libjemalloc.1.dylib \
$out/bin/nvim
sed -i -e "s|'xsel|'${xsel}/bin/xsel|" share/nvim/runtime/autoload/provider/clipboard.vim
sed -i -e "s|'xsel|'${xsel}/bin/xsel|" $out/share/nvim/runtime/autoload/provider/clipboard.vim
'' + optionalString withPython ''
ln -s ${pythonEnv}/bin/python $out/bin/nvim-python
'' + optionalString withPyGUI ''
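Review bot: The new `configureFlags` passes `"-DENABLE_JEMALLOC=ON"` unconditionally, while `jemalloc` only enters `buildInputs` through `optional withJemalloc jemalloc`, so a build with `withJemalloc = false` asks for an allocator that is not provided. I would tie the flag to the argument: `"-DENABLE_JEMALLOC=${if withJemalloc then "ON" else "OFF"}"`. It is also worth confirming that `configureFlags` reaches cmake in this derivation rather than needing `cmakeFlags`. Separately, the context line `hardeningDisable = [ "fortify" ];` is carried unchanged across the 0.1.3 → 0.1.4 bump. Its comment says it hides a buffer overflow seen in the tests, so it deserves an upstream issue reference and a re-test against the new version.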


@ -4,7 +4,7 @@ args@{ fetchgit, stdenv, ncurses, pkgconfig, gettext
, libICE, ... }: with args;
let tag = "20140827";
sha256 = "02adf2212872db3c5d133642d2c12fbfc28b506e4c0c42552e3d079756f63f65";
sha256 = "0ncgbcm23z25naicxqkblz0mcl1zar2qwgi37y5ar8q8884w9ml2";
in
let inherit (args.composableDerivation) composableDerivation edf; in


@ -12,7 +12,7 @@ in
src = fetchgit {
url = "git://github.com/mkeeter/antimony.git";
rev = gitRev;
sha256 = "19ir3y5ipmfyygcn8mbxika4j3af6dfrv54dvhn6maz7dy8h30f4";
sha256 = "0azjdkbixz2pyk2yy7a0ya5xk60xgw3l2pd4pj4ijyqxx5jmh0sy";
};
patches = [ ./paths-fix.patch ];


@ -1,18 +1,19 @@
{ stdenv, makeWrapper, fetchurl, xlibsWrapper, imlib2, libjpeg, libpng
, libXinerama, curl, libexif }:
, libXinerama, curl, libexif, perlPackages }:
stdenv.mkDerivation rec {
name = "feh-2.15.2";
name = "feh-2.15.4";
src = fetchurl {
url = "http://feh.finalrewind.org/${name}.tar.bz2";
sha256 = "0bnfk50y2l5zkr292l4yyws1m7ibdmr398vxj7c0djh965frpj1q";
sha256 = "b8a9c29f37b1349228b19866f712b677e2a150837bc46be8c5d6348dd4850758";
};
outputs = [ "out" "doc" ];
nativeBuildInputs = [ makeWrapper ];
buildInputs = [ xlibsWrapper imlib2 libjpeg libpng libXinerama curl libexif ];
buildInputs = [ xlibsWrapper imlib2 libjpeg libpng libXinerama curl libexif ]
++ stdenv.lib.optional doCheck [ perlPackages.TestCommand perlPackages.TestHarness ];
preBuild = ''
makeFlags="PREFIX=$out exif=1"
@ -23,6 +24,11 @@ stdenv.mkDerivation rec {
--add-flags '--theme=feh'
'';
checkPhase = ''
PERL5LIB="${perlPackages.TestCommand}/lib/perl5/site_perl" make test
'';
doCheck = true;
meta = {
description = "A light-weight image viewer";
homepage = https://derf.homelinux.org/projects/feh/;
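Review bot: The new `buildInputs` line uses `stdenv.lib.optional doCheck [ perlPackages.TestCommand perlPackages.TestHarness ]`, but `optional` wraps its argument in a list, so this appends a nested list rather than two packages. The list-valued form is `optionals`: `++ stdenv.lib.optionals doCheck [ perlPackages.TestCommand perlPackages.TestHarness ];`. The added `checkPhase` puts only `TestCommand` on `PERL5LIB`. If `TestHarness` is needed at test time it should be added there as well, otherwise it can be dropped from the inputs.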


@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
sha256 = "06ql3x732x2rlnanv0a8aharsnj91j5kplksg574090rks51z42d";
};
patches = [ ./deprecated-scopedptr.patch ];
postPatch = ''
patchShebangs share/extensions
''


@ -0,0 +1,16 @@
glibmm deprecated ScopedPtr
---
diff -u src/ui/clipboard.cpp src/ui/clipboard.cpp
--- a/src/ui/clipboard.cpp 2015-01-28 04:32:28.162676000 +0100
+++ b/src/ui/clipboard.cpp 2016-04-03 09:13:12.360980533 +0200
@@ -1402,7 +1402,7 @@
Glib::ustring target;
if (atom_name) {
- target = Glib::ScopedPtr<char>(atom_name).get(); //This frees the gchar*.
+ target = Glib::make_unique_ptr_gfree(atom_name).get(); //This frees the gchar*.
}
listTargets.push_back(target);
Diff finished. Sun Apr 3 09:13:51 2016


@ -0,0 +1,45 @@
{ stdenv, lib, fetchgit, cmake, extra-cmake-modules, makeQtWrapper
, karchive, kconfig, kwidgetsaddons, kcompletion, kcoreaddons
, kguiaddons, ki18n, kitemmodels, kitemviews, kwindowsystem
, kio, kcrash
, boost, libraw, fftw, eigen, exiv2, lcms2, gsl, openexr
, openjpeg, opencolorio, vc, poppler_qt5, curl, ilmbase
}:
stdenv.mkDerivation rec {
name = "krita-${version}";
version = "3.0";
src = fetchgit {
url = "http://phabricator.kde.org/diffusion/KRITA/krita.git";
rev = "refs/tags/v${version}";
sha256 = "0aas86667ncp8jz00c8qk7bm26g76l65cysh06wxr8kxbvqynrdn";
};
nativeBuildInputs = [ cmake extra-cmake-modules makeQtWrapper ];
buildInputs = [
karchive kconfig kwidgetsaddons kcompletion kcoreaddons kguiaddons
ki18n kitemmodels kitemviews kwindowsystem kio kcrash
boost libraw fftw eigen exiv2 lcms2 gsl openexr
openjpeg opencolorio vc poppler_qt5 curl ilmbase
];
NIX_CFLAGS_COMPILE = [ "-I${ilmbase}/include/OpenEXR" ];
enableParallelBuilding = true;
postInstall = ''
for i in $out/bin/*; do
wrapQtProgram "$i"
done
'';
meta = with stdenv.lib; {
description = "A free an open source painting application";
homepage = "https://krita.org/";
maintainers = with maintainers; [ abbradar ];
platforms = platforms.linux;
licenses = licenses.gpl2;
};
}
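Review bot: The `meta` block sets `licenses = licenses.gpl2;`, but the attribute that tooling reads is `license`, so the package ends up with no declared licence. The line should be `license = licenses.gpl2;`. The source is fetched from `http://phabricator.kde.org/...` with `rev = "refs/tags/v${version}"`. The `sha256` pins the content, but an `https://` URL would avoid relying on the hash alone for a movable tag. The description also reads "A free an open source painting application", where "an" should be "and", and the `lib` argument is unused.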


@ -0,0 +1,78 @@
{ withKDE ? true
, stdenv, fetchurl, gettext, poppler_qt4, qt4
# Qt only (no KDE):
, pkgconfig
# With KDE
, cmake, automoc4, kdelibs
}:
# Warning: You will also need a working pdflatex installation containing (at
# least) auctex and pgf.
assert withKDE -> kdelibs != null;
let
version = "0.10";
qtikz = {
name = "qtikz-${version}";
conf = ''
# installation prefix:
#PREFIX = ""
# install desktop file here (*nix only):
DESKTOPDIR = ''$''${PREFIX}/share/applications
# install mimetype here:
MIMEDIR = ''$''${PREFIX}/share/mime/packages
CONFIG -= debug
CONFIG += release
# qmake command:
QMAKECOMMAND = qmake
# lrelease command:
LRELEASECOMMAND = lrelease
# qcollectiongenerator command:
#QCOLLECTIONGENERATORCOMMAND = qcollectiongenerator
# TikZ documentation default file path:
TIKZ_DOCUMENTATION_DEFAULT = ''$''${PREFIX}/share/doc/texmf/pgf/pgfmanual.pdf.gz
'';
patchPhase = ''
echo "$conf" > conf.pri
'';
configurePhase = ''
qmake PREFIX="$out" ./qtikz.pro
'';
buildInputs = [ gettext qt4 poppler_qt4 pkgconfig ];
};
ktikz = {
name = "ktikz-${version}";
buildInputs = [ kdelibs cmake qt4 automoc4 gettext poppler_qt4 ];
};
common = {
inherit version;
src = fetchurl {
url = "http://www.hackenberger.at/ktikz/ktikz_${version}.tar.gz";
md5 = "e8f0826cba2447250bcdcd389a71a2ac";
};
enableParallelBuilding = true;
meta = with stdenv.lib; {
description = "Editor for the TikZ language";
license = licenses.gpl2;
platforms = platforms.linux;
maintainers = [ maintainers.layus ];
};
};
in stdenv.mkDerivation (common // (if withKDE then ktikz else qtikz))
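Review bot: The new `fetchurl` in `common` pins the tarball with `md5 = "e8f0826cba2447250bcdcd389a71a2ac";` and downloads it over plain `http://`, so the only integrity check on this source is a collision-weak digest. I would replace it with a SHA-256 pin, `sha256 = "<sha256 of ktikz_0.10.tar.gz>";`, where the placeholder stands for the value computed from the verified tarball. An `https://` URL should be used if the host offers one.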


@ -58,7 +58,7 @@ buildDotnetPackage rec {
makeWrapperArgs = [
''--prefix MONO_GAC_PREFIX ':' "${gtksharp}"''
''--prefix LD_LIBRARY_PATH ':' "${gtksharp}/lib"''
''--prefix LD_LIBRARY_PATH ':' "${gtksharp.gtk}/lib"''
''--prefix LD_LIBRARY_PATH ':' "${gtksharp.gtk.out}/lib"''
];
postInstall = ''


@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://github.com/GilesBathgate/RapCAD.git";
rev = "refs/tags/v${version}";
sha256 = "15c18jvgbwyrfhv7r35ih0gzx35vjlsbi984h1sckgh2z17hjq8l";
sha256 = "1i5h4sw7mdbpdbssmbjccwgidndrsc606zz4wy9pjsg2wzrabw7x";
};
buildInputs = [ qtbase qmakeHook cgal boost gmp mpfr flex bison dxflib readline mesa_glu ];


@ -3,7 +3,7 @@
callPackage ./generic.nix (args // {
version = "2016-05-09";
src = fetchgit {
sha256 = "5e3d647503d1231395a6782c6aa536b52b3d45585a87a0600ce0aca8b422cf82";
sha256 = "17y2l59vz2l0y5ya89390x6lim75p1mp8s5c2wzp9l4d5fy8j8dd";
rev = "1e013654cc3af09f4731ab9ec8d8324d03a7de4a";
url = "git://alioth.debian.org/git/sane/sane-backends.git";
};


@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
wrapProgram $out/bin/shutter \
--set PERL5LIB "${stdenv.lib.makePerlPath perlModules}" \
--prefix PATH : "${imagemagick}/bin" \
--prefix PATH : "${imagemagick.out}/bin" \
--set GDK_PIXBUF_MODULE_FILE "$GDK_PIXBUF_MODULE_FILE"
'';
