Merging against upstream master

Parnell Springmeyer 2017-02-13 17:16:28 -06:00
commit 9e36a58649
No known key found for this signature in database
GPG key ID: DCCF89258EAD874A
887 changed files with 22064 additions and 22473 deletions

View file

@ -14,14 +14,22 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
* Format the commits in the following way:
`(pkg-name | service-name): (from -> to | init at version | refactor | etc)`
```
(pkg-name | service-name): (from -> to | init at version | refactor | etc)
(Motivation for change. Additional information.)
```
Examples:
* nginx: init at 2.0.1
* firefox: 3.0 -> 3.1.1
* hydra service: add bazBaz option
Dual baz behavior is needed to do foo.
* nginx service: refactor config generation
The old config generation system used impure shell scripts and could break in specific circumstances (see #1234).
* `meta.description` should:
* Be capitalized
@ -30,6 +38,12 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
See the nixpkgs manual for more details on how to [Submit changes to nixpkgs](https://nixos.org/nixpkgs/manual/#chap-submitting-changes).
## Writing good commit messages
In addition to writing properly formatted commit messages, it's important to include relevant information so other developers can later understand *why* a change was made. While this information usually can be found by digging code, mailing list archives, pull request discussions or upstream changes, it may require a lot of work.
For package version upgrades and such a one-line commit message is usually sufficient.
## Reviewing contributions
See the nixpkgs manual for more details on how to [Review contributions](https://nixos.org/nixpkgs/manual/#sec-reviewing-contributions).
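Review bot: two small wording issues in the added "Writing good commit messages" paragraph: "can be found by digging code" reads better as "can be found by digging through the code, mailing list archives, ...", and "For package version upgrades and such a one-line commit message is usually sufficient" needs a comma after "such".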

View file

@ -623,7 +623,7 @@ evaluate correctly.</para>
from bad to good:
<itemizedlist>
<listitem>
<para>Uses <literal>git://</literal> which won't be proxied.
<para>Bad: Uses <literal>git://</literal> which won't be proxied.
<programlisting>
src = fetchgit {
url = "git://github.com/NixOS/nix.git";
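Review bot: the "Bad:" label's justification stops at proxying, which undersells the point for readers: `git://` is an unauthenticated, unencrypted transport, so in `src = fetchgit { url = "git://github.com/NixOS/nix.git"; ... }` the fixed-output hash is the only thing standing between the build and a tampered checkout. Suggest "Bad: Uses git://, which is unauthenticated and won't be proxied."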
@ -634,7 +634,7 @@ src = fetchgit {
</para>
</listitem>
<listitem>
<para>This is ok, but an archive fetch will still be faster.
<para>Better: This is ok, but an archive fetch will still be faster.
<programlisting>
src = fetchgit {
url = "https://github.com/NixOS/nix.git";
@ -645,7 +645,7 @@ src = fetchgit {
</para>
</listitem>
<listitem>
<para>Fetches a snapshot archive and you get the rev you want.
<para>Best: Fetches a snapshot archive and you get the rev you want.
<programlisting>
src = fetchFromGitHub {
owner = "NixOS";

View file

@ -2,12 +2,12 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="chap-packageconfig">
<title><filename>~/.nixpkgs/config.nix</filename>: global configuration</title>
<title>Global configuration</title>
<para>Nix packages can be configured to allow or deny certain options.</para>
<para>To apply the configuration edit
<filename>~/.nixpkgs/config.nix</filename> and set it like
<filename>~/.config/nixpkgs/config.nix</filename> and set it like
<programlisting>
{
@ -89,7 +89,7 @@ packages via <literal>packageOverrides</literal></title>
<para>You can define a function called
<varname>packageOverrides</varname> in your local
<filename>~/.nixpkgs/config.nix</filename> to overide nix packages. It
<filename>~/.config/nixpkgs/config.nix</filename> to overide nix packages. It
must be a function that takes pkgs as an argument and return modified
set of packages.
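Review bot: the rewritten line still carries the typo "overide" (should be "override"), and the sentence it opens, "must be a function that takes pkgs as an argument and return modified set of packages", should read "returns a modified set of packages"; since the line is being touched anyway, fix both.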

View file

@ -25,7 +25,7 @@
<!--============================================================-->
<section xml:id="sec-cross-packaging">
<title>Packing in a cross-friendly manner</title>
<title>Packaging in a cross-friendly manner</title>
<section>
<title>Platform parameters</title>
@ -105,14 +105,15 @@
This is the most important guiding principle behind cross-compilation with Nixpkgs, and will be called the <wordasword>sliding window principle</wordasword>.
In this manner, given the 3 platforms for one package, we can determine the three platforms for all its transitive dependencies.
</para>
<para>
Some examples will probably make this clearer.
If a package is being built with a <literal>(build, host, target)</literal> platform triple of <literal>(foo, bar, bar)</literal>, then its build-time dependencies would have a triple of <literal>(foo, foo, bar)</literal>, and <emphasis>those packages'</emphasis> build-time dependencies would have triple of <literal>(foo, foo, foo)</literal>.
In other words, it should take two "rounds" of following build-time dependency edges before one reaches a fixed point where, by the sliding window principle, the platform triple no longer changes.
Indeed, this happens with cross compilation, where only rounds of native dependencies starting with the second necessarily coincide with native packages.
</para>
<note><para>
The depending package's target platform is unconstrained by the sliding window principle, which makes sense in that one can in principle build cross compilers targeting arbitrary platforms.
</para></note>
<warning><para>
From the above, one would surmise that if a package is being built with a <literal>(build, host, target)</literal> platform triple of <literal>(foo, bar, bar)</literal>, then its build-time dependencies would have a triple of <literal>(foo, foo, bar)</literal>, and <emphasis>those packages'</emphasis> build-time dependencies would have triple of <literal>(foo, foo, foo)</literal>.
In other words, it should take two "rounds" of following build-time dependency edges before one reaches a fixed point where, by the sliding window principle, the platform triple no longer changes.
Unfortunately, at the moment, we do <emphasis>not</emphasis> implement this correctly, and after only one round of following build-time dependencies is the fixed point reached, with target incorrectly kept different than the others.
</para></warning>
<para>
How does this work in practice? Nixpkgs is now structured so that build-time dependencies are taken from from <varname>buildPackages</varname>, whereas run-time dependencies are taken from the top level attribute set.
For example, <varname>buildPackages.gcc</varname> should be used at build time, while <varname>gcc</varname> should be used at run time.
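Review bot: the context paragraph at the end of the hunk has a doubled word, "taken from from <varname>buildPackages</varname>"; drop one "from". The added warning also reads awkwardly ("after only one round of following build-time dependencies is the fixed point reached, with target incorrectly kept different than the others"); consider "the fixed point is reached after only one round, with target incorrectly left different from the other two".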
@ -131,9 +132,23 @@
<section xml:id="sec-cross-usage">
<title>Cross-building packages</title>
<note><para>
More information needs to moved from the old wiki, especially <link xlink:href="https://nixos.org/wiki/CrossCompiling" />, for this section.
</para></note>
<para>
To be written.
This is basically unchanged so see the old wiki for now.
Many sources (manual, wiki, etc) probably mention passing <varname>system</varname>, <varname>platform</varname>, and, optionally, <varname>crossSystem</varname> to nixpkgs:
<literal>import &lt;nixpkgs&gt; { system = ..; platform = ..; crossSystem = ..; }</literal>.
<varname>system</varname> and <varname>platform</varname> together determine the system on which packages are built, and <varname>crossSystem</varname> specifies the platform on which packages are ultimately intended to run, if it is different.
This still works, but with more recent changes, one can alternatively pass <varname>localSystem</varname>, containing <varname>system</varname> and <varname>platform</varname>, for symmetry.
</para>
<para>
One would think that <varname>localSystem</varname> and <varname>crossSystem</varname> overlap horribly with the three <varname>*Platforms</varname> (<varname>buildPlatform</varname>, <varname>hostPlatform,</varname> and <varname>targetPlatform</varname>; see <varname>stage.nix</varname> or the manual).
Actually, those identifiers are purposefully not used here to draw a subtle but important distinction:
While the granularity of having 3 platforms is necessary to properly *build* packages, it is overkill for specifying the user's *intent* when making a build plan or package set.
A simple "build vs deploy" dichotomy is adequate: the sliding window principle described in the previous section shows how to interpolate between the these two "end points" to get the 3 platform triple for each bootstrapping stage.
That means for any package a given package set, even those not bound on the top level but only reachable via dependencies or <varname>buildPackages</varname>, the three platforms will be defined as one of <varname>localSystem</varname> or <varname>crossSystem</varname>, with the former replacing the latter as one traverses build-time dependencies.
A last simple difference then is <varname>crossSystem</varname> should be null when one doesn't want to cross-compile, while the <varname>*Platform</varname>s are always non-null.
<varname>localSystem</varname> is always non-null.
</para>
</section>
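Review bot: several wording and markup slips in the new paragraphs: "More information needs to moved" should be "needs to be moved"; "*build*" and "*intent*" use Markdown emphasis inside DocBook and should be <emphasis>; "between the these two" has a stray "the"; "for any package a given package set" is missing "in"; and the last two sentences ("crossSystem should be null when one doesn't want to cross-compile, while the *Platforms are always non-null." / "localSystem is always non-null.") would read better merged into one.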

View file

@ -68,6 +68,10 @@ pkgs.stdenv.mkDerivation {
inputFile = ../pkgs/development/r-modules/README.md;
outputFile = "languages-frameworks/r.xml";
}
+ toDocbook {
inputFile = ./languages-frameworks/vim.md;
outputFile = "./languages-frameworks/vim.xml";
}
+ ''
echo ${lib.nixpkgsVersion} > .version
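Review bot: the new toDocbook entry writes `outputFile = "./languages-frameworks/vim.xml";` while the neighbouring entry uses `outputFile = "languages-frameworks/r.xml";` without the `./` prefix; keep the same form for consistency.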

View file

@ -119,7 +119,7 @@
evaluation-per-function application incurs a performance penalty,
which can become a problem if many overrides are used.
It is only intended for ad-hoc customisation, such as in
<filename>~/.nixpkgs/config.nix</filename>.
<filename>~/.config/nixpkgs/config.nix</filename>.
</para>
</warning>

View file

@ -195,7 +195,7 @@ its normal core packages:
mtl-2.2.1
This function allows users to define their own development environment by means
of an override. After adding the following snippet to `~/.nixpkgs/config.nix`,
of an override. After adding the following snippet to `~/.config/nixpkgs/config.nix`,
{
packageOverrides = super: let self = super.pkgs; in
@ -522,7 +522,7 @@ file with `cabal2nix`:
$ cd ~/src/foo && cabal2nix . >default.nix
$ cd ~/src/bar && cabal2nix . >default.nix
Then edit your `~/.nixpkgs/config.nix` file to register those builds in the
Then edit your `~/.config/nixpkgs/config.nix` file to register those builds in the
default Haskell package set:
{
@ -554,7 +554,7 @@ Every Haskell package set takes a function called `overrides` that you can use
to manipulate the package as much as you please. One useful application of this
feature is to replace the default `mkDerivation` function with one that enables
library profiling for all packages. To accomplish that, add configure the
following snippet in your `~/.nixpkgs/config.nix` file:
following snippet in your `~/.config/nixpkgs/config.nix` file:
{
packageOverrides = super: let self = super.pkgs; in
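Review bot: the context line "To accomplish that, add configure the following snippet" has a leftover word ("add configure"); since the line right below it is being edited, fix it to "configure the following snippet" in the same change.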
@ -583,7 +583,7 @@ The first step is to generate Nix build instructions with `cabal2nix`:
$ cabal2nix cabal://ghc-events-0.4.3.0 >~/.nixpkgs/ghc-events-0.4.3.0.nix
Then add the override in `~/.nixpkgs/config.nix`:
Then add the override in `~/.config/nixpkgs/config.nix`:
{
packageOverrides = super: let self = super.pkgs; in
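Review bot: only the second path was updated in this hunk: the command `$ cabal2nix cabal://ghc-events-0.4.3.0 >~/.nixpkgs/ghc-events-0.4.3.0.nix` still writes into ~/.nixpkgs while the next sentence now points at `~/.config/nixpkgs/config.nix`, leaving the two in different directories; update the redirect target to `~/.config/nixpkgs/ghc-events-0.4.3.0.nix` as well.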
@ -793,6 +793,64 @@ It's important to realize, however, that most system libraries in Nix are built
as shared libraries only, i.e. there is just no static library available that
Cabal could link!
### Building GHC with integer-simple
By default GHC implements the Integer type using the
[GNU Multiple Precision Arithmetic (GMP) library](https://gmplib.org/).
The implementation can be found in the
[integer-gmp](http://hackage.haskell.org/package/integer-gmp) package.
A potential problem with this is that GMP is licensed under the
[GNU Lesser General Public License (LGPL)](http://www.gnu.org/copyleft/lesser.html),
a kind of "copyleft" license. According to the terms of the LGPL, paragraph 5,
you may distribute a program that is designed to be compiled and dynamically
linked with the library under the terms of your choice (i.e., commercially) but
if your program incorporates portions of the library, if it is linked
statically, then your program is a "derivative"--a "work based on the
library"--and according to paragraph 2, section c, you "must cause the whole of
the work to be licensed" under the terms of the LGPL (including for free).
The LGPL licensing for GMP is a problem for the overall licensing of binary
programs compiled with GHC because most distributions (and builds) of GHC use
static libraries. (Dynamic libraries are currently distributed only for OS X.)
The LGPL licensing situation may be worse: even though
[The Glasgow Haskell Compiler License](https://www.haskell.org/ghc/license)
is essentially a "free software" license (BSD3), according to
paragraph 2 of the LGPL, GHC must be distributed under the terms of the LGPL!
To work around these problems GHC can be build with a slower but LGPL-free
alternative implemention for Integer called
[integer-simple](http://hackage.haskell.org/package/integer-simple).
To get a GHC compiler build with `integer-simple` instead of `integer-gmp` use
the attribute: `pkgs.haskell.compiler.integer-simple."${ghcVersion}"`.
For example:
$ nix-build -E '(import <nixpkgs> {}).pkgs.haskell.compiler.integer-simple.ghc802'
...
$ result/bin/ghc-pkg list | grep integer
integer-simple-0.1.1.1
The following command displays the complete list of GHC compilers build with `integer-simple`:
$ nix-env -f "<nixpkgs>" -qaP -A haskell.compiler.integer-simple
haskell.compiler.integer-simple.ghc7102 ghc-7.10.2
haskell.compiler.integer-simple.ghc7103 ghc-7.10.3
haskell.compiler.integer-simple.ghc722 ghc-7.2.2
haskell.compiler.integer-simple.ghc742 ghc-7.4.2
haskell.compiler.integer-simple.ghc763 ghc-7.6.3
haskell.compiler.integer-simple.ghc783 ghc-7.8.3
haskell.compiler.integer-simple.ghc784 ghc-7.8.4
haskell.compiler.integer-simple.ghc801 ghc-8.0.1
haskell.compiler.integer-simple.ghc802 ghc-8.0.2
haskell.compiler.integer-simple.ghcHEAD ghc-8.1.20170106
To get a package set supporting `integer-simple` use the attribute:
`pkgs.haskell.packages.integer-simple."${ghcVersion}"`. For example
use the following to get the `scientific` package build with `integer-simple`:
$ nix-build -A pkgs.haskell.packages.integer-simple.ghc802.scientific
## Other resources
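Review bot: spelling in the new section: "GHC can be build with", "a GHC compiler build with", "GHC compilers build with" and "the `scientific` package build with" should all be "built", and "alternative implemention" should be "implementation". The license paragraphs also read as legal opinion ("GHC must be distributed under the terms of the LGPL!"); consider trimming them to what the section needs, namely that integer-simple avoids the LGPL-licensed GMP dependency.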

View file

@ -28,6 +28,7 @@ such as Perl or Haskell. These are described in this chapter.</para>
<xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md -->
<xi:include href="ruby.xml" />
<xi:include href="texlive.xml" />
<xi:include href="vim.xml" />
</chapter>

View file

@ -781,7 +781,7 @@ If you get the following error:
could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
Permission denied
This is a [known bug](https://bitbucket.org/pypa/setuptools/issue/130/install_data-doesnt-respect-prefix) in setuptools.
This is a [known bug](https://github.com/pypa/setuptools/issues/130) in setuptools.
Setuptools `install_data` does not respect `--prefix`. An example of such package using the feature is `pkgs/tools/X11/xpra/default.nix`.
As workaround install it as an extra `preInstall` step:

View file

@ -0,0 +1,102 @@
---
title: User's Guide for Vim in Nixpkgs
author: Marc Weber
date: 2016-06-25
---
# User's Guide to Vim Plugins/Addons/Bundles/Scripts in Nixpkgs
You'll get a vim(-your-suffix) in PATH also loading the plugins you want.
Loading can be deferred; see examples.
VAM (=vim-addon-manager) and Pathogen plugin managers are supported.
Vundle, NeoBundle could be your turn.
## dependencies by Vim plugins
VAM introduced .json files supporting dependencies without versioning
assuming that "using latest version" is ok most of the time.
## HOWTO
First create a vim-scripts file having one plugin name per line. Example:
"tlib"
{'name': 'vim-addon-sql'}
{'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
Such vim-scripts file can be read by VAM as well like this:
call vam#Scripts(expand('~/.vim-scripts'), {})
Create a default.nix file:
{ nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
Create a generate.vim file:
ActivateAddons vim-addon-vim2nix
let vim_scripts = "vim-scripts"
call nix#ExportPluginsForNix({
\ 'path_to_nixpkgs': eval('{"'.substitute(substitute(substitute($NIX_PATH, ':', ',', 'g'), '=',':', 'g'), '\([:,]\)', '"\1"',"g").'"}')["nixpkgs"],
\ 'cache_file': '/tmp/vim2nix-cache',
\ 'try_catch': 0,
\ 'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
\ })
Then run
nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
You should get a Vim buffer with the nix derivations (output1) and vam.pluginDictionaries (output2).
You can add your vim to your system's configuration file like this and start it by "vim-my":
my-vim =
let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
copy paste output1 here
}; in vim_configurable.customize {
name = "vim-my";
vimrcConfig.vam.knownPlugins = plugins; # optional
vimrcConfig.vam.pluginDictionaries = [
copy paste output2 here
];
# Pathogen would be
# vimrcConfig.pathogen.knownPlugins = plugins; # plugins
# vimrcConfig.pathogen.pluginNames = ["tlib"];
};
Sample output1:
"reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
name = "reload";
src = fetchgit {
url = "git://github.com/xolox/vim-reload";
rev = "0a601a668727f5b675cb1ddc19f6861f3f7ab9e1";
sha256 = "0vb832l9yxj919f5hfg6qj6bn9ni57gnjd3bj7zpq7d4iv2s4wdh";
};
dependencies = ["nim-misc"];
};
[...]
Sample output2:
[
''vim-addon-manager''
''tlib''
{ "name" = ''vim-addon-sql''; }
{ "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
]
## Important repositories
- [vim-pi](https://bitbucket.org/vimcommunity/vim-pi) is a plugin repository
from VAM plugin manager meant to be used by others as well used by
- [vim2nix](http://github.com/MarcWeber/vim-addon-vim2nix) which generates the
.nix code
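Review bot: sample output1 pins `url = "git://github.com/xolox/vim-reload";`, an unauthenticated and unencrypted transport, while the manual change in this same commit labels `git://` as "Bad" and recommends an https archive fetch; the generated derivations should use https (or fetchFromGitHub) so the fixed-output hash is not the only integrity check. Smaller points in the same file: the default.nix takes a `compiler ? "ghc7102"` argument that is never used, `dependencies = ["nim-misc"];` looks like a typo for `vim-misc`, and "Vundle, NeoBundle could be your turn" is unclear (perhaps "could be added next").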

View file

@ -28,8 +28,8 @@ first one present is considered, and all the rest are ignored:
<listitem>
<para>In the directory pointed by the environment variable
<varname>NIXPKGS_OVERLAYS</varname>.</para>
<para>In the directory pointed to by the Nix search path entry
<literal>&lt;nixpkgs-overlays></literal>.</para>
</listitem>
<listitem>

View file

@ -278,7 +278,7 @@ packageOverrides = pkgs: {
</screen>
to your Nixpkgs configuration
(<filename>~/.nixpkgs/config.nix</filename>) and install it by
(<filename>~/.config/nixpkgs/config.nix</filename>) and install it by
running <command>nix-env -f '&lt;nixpkgs&gt;' -iA
myEclipse</command> and afterward run Eclipse as usual. It is
possible to find out which plugins are available for installation

View file

@ -1111,6 +1111,34 @@ functions.</para>
<variablelist>
<varlistentry xml:id='fun-makeWrapper'>
<term><function>makeWrapper</function>
<replaceable>executable</replaceable>
<replaceable>wrapperfile</replaceable>
<replaceable>args</replaceable></term>
<listitem><para>Constructs a wrapper for a program with various
possible arguments. For example:
<programlisting>
# adds `FOOBAR=baz` to `$out/bin/foo`s environment
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
# prefixes the binary paths of `hello` and `git`
# Be advised that paths often should be patched in directly
# (via string replacements or in `configurePhase`).
makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello git ]}
</programlisting>
Theres many more kinds of arguments, they are documented in
<literal>nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh</literal>.</para>
<para><literal>wrapProgram</literal> is a convenience function you probably
want to use most of the time.</para>
</listitem>
</varlistentry>
<varlistentry xml:id='fun-substitute'>
<term><function>substitute</function>
<replaceable>infile</replaceable>
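Review bot: "Theres many more kinds of arguments, they are documented in" should read "There are many more kinds of arguments; they are documented in", and the example comment "adds `FOOBAR=baz` to `$out/bin/foo`s environment" is missing an apostrophe ("`$out/bin/foo`'s"). The note that paths should usually be patched in directly rather than prefixed onto PATH is a good caveat; keep it.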
@ -1268,6 +1296,22 @@ someVar=$(stripHash $name)
</para></listitem>
</varlistentry>
<varlistentry xml:id='fun-wrapProgram'>
<term><function>wrapProgram</function>
<replaceable>executable</replaceable>
<replaceable>makeWrapperArgs</replaceable></term>
<listitem><para>Convenience function for <literal>makeWrapper</literal>
that automatically creates a sane wrapper file
It takes all the same arguments as <literal>makeWrapper</literal>,
except for <literal>--argv0</literal>.</para>
<para>It cannot be applied multiple times, since it will overwrite the wrapper
file.</para>
</listitem>
</varlistentry>
</variablelist>
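Review bot: the sentence "that automatically creates a sane wrapper file It takes all the same arguments" is missing a period before "It". It would also help to say where the wrapper file is created, since the makeWrapper entry above takes an explicit <replaceable>wrapperfile</replaceable> argument and this entry only says it happens automatically.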

View file

@ -15,10 +15,10 @@ rec {
the original derivation attributes.
`overrideDerivation' allows certain "ad-hoc" customisation
scenarios (e.g. in ~/.nixpkgs/config.nix). For instance, if you
want to "patch" the derivation returned by a package function in
Nixpkgs to build another version than what the function itself
provides, you can do something like this:
scenarios (e.g. in ~/.config/nixpkgs/config.nix). For instance,
if you want to "patch" the derivation returned by a package
function in Nixpkgs to build another version than what the
function itself provides, you can do something like this:
mySed = overrideDerivation pkgs.gnused (oldAttrs: {
name = "sed-4.2.2-pre";

View file

@ -379,6 +379,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
fullName = "Mozilla Public License 2.0";
};
mspl = spdx {
spdxId = "MS-PL";
fullName = "Microsoft Public License";
};
msrla = {
fullName = "Microsoft Research License Agreement";
url = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";

View file

@ -81,11 +81,13 @@
c0dehero = "CodeHero <codehero@nerdpol.ch>";
calrama = "Moritz Maxeiner <moritz@ucworks.org>";
campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
canndrew = "Andrew Cann <shum@canndrew.org>";
carlsverre = "Carl Sverre <accounts@carlsverre.com>";
cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
chattered = "Phil Scott <me@philscotted.com>";
changlinli = "Changlin Li <mail@changlinli.com>";
choochootrain = "Hurshal Patel <hurshal@imap.cc>";
chris-martin = "Chris Martin <ch.martin@gmail.com>";
chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
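Review bot: the added `changlinli` entry breaks the alphabetical ordering of this list: it is placed after `chattered`, but "changlinli" sorts before both "chaoflow" and "chattered" ("chan" < "chao" < "chat"); move it up to sit between `cfouche` and `chaoflow`.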
@ -111,6 +113,7 @@
cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
DamienCassou = "Damien Cassou <damien@cassou.me>";
danbst = "Danylo Hlynskyi <abcz2.uprola@gmail.com>";
dancek = "Hannu Hartikainen <hannu.hartikainen@gmail.com>";
danielfullmer = "Daniel Fullmer <danielrf12@gmail.com>";
dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
davidak = "David Kleuker <post@davidak.de>";
@ -138,6 +141,7 @@
dtzWill = "Will Dietz <nix@wdtz.org>";
e-user = "Alexander Kahl <nixos@sodosopa.io>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
edanaher = "Evan Danaher <nixos@edanaher.net>";
ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
eduarrrd = "Eduard Bachmakov <e.bachmakov@gmail.com>";
edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
@ -296,6 +300,7 @@
mdaiter = "Matthew S. Daiter <mdaiter8121@gmail.com>";
meditans = "Carlo Nucera <meditans@gmail.com>";
meisternu = "Matt Miemiec <meister@krutt.org>";
metabar = "Celine Mercier <softs@metabarcoding.org>";
mguentner = "Maximilian Güntner <code@klandest.in>";
mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
@ -331,6 +336,7 @@
Nate-Devv = "Nathan Moore <natedevv@gmail.com>";
nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
ndowens = "Nathan Owens <ndowens04@gmail.com>";
nequissimus = "Tim Steinbach <tim@nequissimus.com>";
nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
nhooyr = "Anmol Sethi <anmol@aubble.com>";
@ -351,12 +357,14 @@
olejorgenb = "Ole Jørgen Brønner <olejorgenb@yahoo.no>";
orbekk = "KJ Ørbekk <kjetil.orbekk@gmail.com>";
orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
orivej = "Orivej Desh <orivej@gmx.fr>";
osener = "Ozan Sener <ozan@ozansener.com>";
otwieracz = "Slawomir Gonet <slawek@otwiera.cz>";
oxij = "Jan Malakhovski <oxij@oxij.org>";
paholg = "Paho Lurie-Gregg <paho@paholg.com>";
pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
palo = "Ingolf Wanger <palipalo9@googlemail.com>";
paperdigits = "Mica Semrick <mica@silentumbrella.com>";
pashev = "Igor Pashev <pashev.igor@gmail.com>";
pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
periklis = "theopompos@gmail.com";
@ -414,6 +422,7 @@
roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
roconnor = "Russell O'Connor <roconnor@theorem.ca>";
romildo = "José Romildo Malaquias <malaquias@gmail.com>";
rongcuid = "Rongcui Dong <rongcuid@outlook.com>";
ronny = "Ronny Pfannschmidt <nixos@ronnypfannschmidt.de>";
rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
@ -456,6 +465,7 @@
SShrike = "Severen Redwood <severen@shrike.me>";
stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
sternenseemann = "Lukas Epple <post@lukasepple.de>";
stesie = "Stefan Siegl <stesie@brokenpipe.de>";
steveej = "Stefan Junker <mail@stefanjunker.de>";
swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
swistak35 = "Rafał Łasocha <me@swistak35.com>";
@ -480,7 +490,7 @@
travisbhartwell = "Travis B. Hartwell <nafai@travishartwell.net>";
trino = "Hubert Mühlhans <muehlhans.hubert@ekodia.de>";
tstrobel = "Thomas Strobel <4ZKTUB6TEP74PYJOPWIR013S2AV29YUBW5F9ZH2F4D5UMJUJ6S@hash.domains>";
ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
ttuegel = "Thomas Tuegel <ttuegel@mailbox.org>";
tv = "Tomislav Viljetić <tv@shackspace.de>";
tvestelind = "Tomas Vestelind <tomas.vestelind@fripost.org>";
tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
@ -495,6 +505,7 @@
vcunat = "Vladimír Čunát <vcunat@gmail.com>";
vdemeester = "Vincent Demeester <vincent@sbr.pm>";
veprbl = "Dmitry Kalinkin <veprbl@gmail.com>";
vifino = "Adrian Pistol <vifino@tty.sh>";
viric = "Lluís Batlle i Rossell <viric@viric.name>";
vizanto = "Danny Wilson <danny@prime.vc>";
vklquevs = "vklquevs <vklquevs@gmail.com>";
@ -514,8 +525,10 @@
womfoo = "Kranium Gikos Mendoza <kranium@gikos.net>";
wscott = "Wayne Scott <wsc9tt@gmail.com>";
wyvie = "Elijah Rum <elijahrum@gmail.com>";
xwvvvvwx = "David Terry <davidterry@posteo.de>";
yarr = "Dmitry V. <savraz@gmail.com>";
yochai = "Yochai <yochai@titat.info>";
yorickvp = "Yorick van Pelt <yorickvanpelt@gmail.com>";
yurrriq = "Eric Bailey <eric@ericb.me>";
z77z = "Marco Maggesi <maggesi@math.unifi.it>";
zagy = "Christian Zagrodnick <cz@flyingcircus.io>";

View file

@ -326,7 +326,7 @@ rec {
# Type-check the remaining definitions, and merge them.
mergedValue = foldl' (res: def:
if type.check def.value then res
else throw "The option value `${showOption loc}' in `${def.file}' is not a ${type.name}.")
else throw "The option value `${showOption loc}' in `${def.file}' is not a ${type.description}.")
(type.merge loc defsFinal) defsFinal;
isDefined = defsFinal != [];

View file

@ -115,6 +115,11 @@ set -- config.enable ./declare-enable.nix ./define-enable.nix ./define-loaOfSub-
checkConfigError 'The option .* defined in .* does not exist.' "$@"
checkConfigOutput "true" "$@" ./define-module-check.nix
# Check coerced value.
checkConfigOutput "\"42\"" config.value ./declare-coerced-value.nix
checkConfigOutput "\"24\"" config.value ./declare-coerced-value.nix ./define-value-string.nix
checkConfigError 'The option value .* in .* is not a string or integer.' config.value ./declare-coerced-value.nix ./define-value-list.nix
cat <<EOF
====== module tests ======
$pass Pass

View file

@ -0,0 +1,10 @@
{ lib, ... }:
{
options = {
value = lib.mkOption {
default = 42;
type = lib.types.coercedTo lib.types.int builtins.toString lib.types.str;
};
};
}

View file

@ -0,0 +1,3 @@
{
value = [];
}

View file

@ -0,0 +1,3 @@
{
value = "24";
}

View file

@ -102,25 +102,7 @@ rec {
min = x: y: if x < y then x else y;
max = x: y: if x > y then x else y;
/* Reads a JSON file. It is useful to import pure data into other nix
expressions.
Example:
mkDerivation {
src = fetchgit (importJSON ./repo.json)
#...
}
where repo.json contains:
{
"url": "git://some-domain/some/repo",
"rev": "265de7283488964f44f0257a8b4a055ad8af984d",
"sha256": "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"
}
*/
/* Reads a JSON file. */
importJSON = path:
builtins.fromJSON (builtins.readFile path);
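Review bot: the doc comment is reduced to "Reads a JSON file." and the worked example is dropped rather than fixed; consider keeping a one-line example (e.g. `src = fetchgit (importJSON ./repo.json)`) with an https URL in the JSON, since the old example's `git://` URL was presumably the reason for removing it.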

View file

@ -352,6 +352,28 @@ rec {
functor = (defaultFunctor name) // { wrapped = [ t1 t2 ]; };
};
coercedTo = coercedType: coerceFunc: finalType:
assert coercedType.getSubModules == null;
mkOptionType rec {
name = "coercedTo";
description = "${finalType.description} or ${coercedType.description}";
check = x: finalType.check x || coercedType.check x;
merge = loc: defs:
let
coerceVal = val:
if finalType.check val then val
else let
coerced = coerceFunc val;
in assert finalType.check coerced; coerced;
in finalType.merge loc (map (def: def // { value = coerceVal def.value; }) defs);
getSubOptions = finalType.getSubOptions;
getSubModules = finalType.getSubModules;
substSubModules = m: coercedTo coercedType coerceFunc (finalType.substSubModules m);
typeMerge = t1: t2: null;
functor = (defaultFunctor name) // { wrapped = finalType; };
};
# Obsolete alternative to configOf. It takes its option
# declarations from the options attribute of containing option
# declaration.
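Review bot: `check = x: finalType.check x || coercedType.check x;` accepts any value the coerced type accepts, but `merge` then runs `assert finalType.check coerced;` on the converted value, so a coerceFunc result that the final type rejects surfaces as a bare assertion failure instead of the module system's "The option value ... is not a ..." message that `check` and `description` are meant to drive; consider throwing a descriptive error at that point instead. Also `typeMerge = t1: t2: null;` means two declarations of the same option with this type can never be merged, even when both sides have identical coercedType and finalType; if that is intentional, a comment saying so would help.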

View file

@ -21,6 +21,7 @@ effect after you run <command>nixos-rebuild</command>.</para>
<xi:include href="user-mgmt.xml" />
<xi:include href="file-systems.xml" />
<xi:include href="x-windows.xml" />
<xi:include href="xfce.xml" />
<xi:include href="networking.xml" />
<xi:include href="linux-kernel.xml" />

View file

@ -22,5 +22,25 @@ boot.kernel.sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
</programlisting>
</para>
<para>As with IPv4 networking interfaces are automatically configured via
DHCPv6. You can configure an interface manually:
<programlisting>
networking.interfaces.eth0.ip6 = [ { address = "fe00:aa:bb:cc::2"; prefixLength = 64; } ];
</programlisting>
</para>
<para>For configuring a gateway, optionally with explicitly specified interface:
<programlisting>
networking.defaultGateway6 = {
address = "fe00::1";
interface = "enp0s3";
}
</programlisting>
</para>
<para>See <xref linkend='sec-ipv4' /> for similar examples and additional information.
</para>
</section>
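Review bot: two problems in the new IPv6 examples: `networking.defaultGateway6 = { ... }` is missing the trailing `;` after its closing brace (the `ip6` example above does have one), so the snippet will not parse as written; and the sample addresses `fe00:aa:bb:cc::2` / `fe00::1` are not from a documentation range, so use the RFC 3849 prefix 2001:db8::/32 instead. Minor: "As with IPv4 networking interfaces" needs a comma after IPv4, and the gateway example uses `enp0s3` while the address example uses `eth0`.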

View file

@ -37,6 +37,10 @@ boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-
fileSystems."/".device = "/dev/mapper/crypted";
</programlisting>
Should grub be used as bootloader, and <filename>/boot</filename> is located
on an encrypted partition, it is necessary to add the following grub option:
<programlisting>boot.loader.grub.enableCryptodisk = true;</programlisting>
</para>
</section>
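Review bot: "Should grub be used as bootloader, and <filename>/boot</filename> is located on an encrypted partition" reads better as "If GRUB is used as the bootloader and <filename>/boot</filename> is located on an encrypted partition"; also write "GRUB" consistently with the option name `boot.loader.grub.enableCryptodisk`.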

View file

@ -36,9 +36,8 @@ latter might look like this:
{ config, pkgs, ... }:
{ services.xserver.enable = true;
services.xserver.displayManager.kdm.enable = true;
services.xserver.desktopManager.kde4.enable = true;
environment.systemPackages = [ pkgs.kde4.kscreensaver ];
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.kde5.enable = true;
}
</programlisting>

View file

@ -36,7 +36,10 @@ to set a password, which is retained across invocations of
and /etc/group will be congruent to your NixOS configuration. For instance,
if you remove a user from users.extraUsers and run nixos-rebuild, the user
account will cease to exist. Also, imperative commands for managing users
and groups, such as useradd, are no longer available.</para>
and groups, such as useradd, are no longer available. Passwords may still be
assigned by setting the user's <literal>hashedPassword</literal> option. A
hashed password can be generated using <command>mkpasswd -m sha-512</command>
after installing the <literal>mkpasswd</literal> package.</para>
<para>A user ID (uid) is assigned automatically. You can also specify
a uid manually by adding
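Review bot: since the surrounding text says /etc/passwd is made congruent to the NixOS configuration, add one sentence that the value of <literal>hashedPassword</literal> is itself part of that configuration and travels with it (version control, backups, anyone who can read the configuration), so the configuration file should be treated as sensitive and a strong hash such as the `sha-512` shown should be used. "Passwords may still be assigned" would also be clearer as "Passwords can be set declaratively by ...".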

View file

@ -25,7 +25,7 @@ Otherwise, you can only log into a plain undecorated
<command>xterm</command> window. Thus you should pick one or more of
the following lines:
<programlisting>
services.xserver.desktopManager.kde4.enable = true;
services.xserver.desktopManager.kde5.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.twm.enable = true;
@ -35,9 +35,9 @@ services.xserver.windowManager.icewm.enable = true;
<para>NixOSs default <emphasis>display manager</emphasis> (the
program that provides a graphical login prompt and manages the X
server) is SLiM. You can select KDEs <command>kdm</command> instead:
server) is SLiM. You can select KDEs <command>sddm</command> instead:
<programlisting>
services.xserver.displayManager.kdm.enable = true;
services.xserver.displayManager.sddm.enable = true;
</programlisting>
</para>

View file

@ -0,0 +1,105 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-xfce">
<title>Xfce Desktop Environment</title>
<para>
To enable the Xfce Desktop Environment, set
<programlisting>
services.xserver.desktopManager = {
xfce.enable = true;
default = "xfce";
};
</programlisting>
</para>
<para>
Optionally, <emphasis>compton</emphasis>
can be enabled for nice graphical effects, some example settings:
<programlisting>
services.compton = {
enable = true;
fade = true;
inactiveOpacity = "0.9";
shadow = true;
fadeDelta = 4;
};
</programlisting>
</para>
<para>
Some Xfce programs are not installed automatically.
To install them manually (system wide), put them into your
<literal>environment.systemPackages</literal>.
</para>
<para>
NixOSs default <emphasis>display manager</emphasis>is SLiM.
(DM is the program that provides a graphical login prompt
and manages the X server.)
You can, for example, select KDEs
<command>sddm</command> instead:
<programlisting>
services.xserver.displayManager.sddm.enable = true;
</programlisting>
</para>
<simplesect>
<title>Thunar Volume Support</title>
<para>
To enable
<emphasis>Thunar</emphasis>
volume support, put
<programlisting>
services.xserver.desktopManager.xfce.enable = true;
</programlisting>
into your <emphasis>configuration.nix</emphasis>.
</para>
</simplesect>
<simplesect>
<title>Polkit Authentication Agent</title>
<para>
There is no authentication agent automatically installed alongside
Xfce. To allow mounting of local (non-removable) filesystems, you
will need to install one.
Installing <emphasis>polkit_gnome</emphasis>, a rebuild, logout and
login did the trick.
</para>
</simplesect>
<simplesect>
<title>Troubleshooting</title>
<para>
Even after enabling udisks2, volume management might not work.
Thunar and/or the desktop takes time to show up.
Thunar will spit out this kind of message on start
(look at journalctl --user -b).
<programlisting>
Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
</programlisting>
This is caused by some needed GNOME services not running.
This is all fixed by enabling "Launch GNOME services on startup" in
the Advanced tab of the Session and Startup settings panel.
Alternatively, you can run this command to do the same thing.
<programlisting>
$ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
</programlisting>
A log-out and re-log will be needed for this to take effect.
</para>
</simplesect>
</chapter>
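Review bot: the Thunar Volume Support section tells the reader to add `services.xserver.desktopManager.xfce.enable = true;`, which is the same option the top of the chapter already uses to enable Xfce, so as written the section changes nothing; the Troubleshooting section talks about "enabling udisks2", so the option meant here is probably a different one and should be checked before this lands. Smaller points in the same file: `<emphasis>display manager</emphasis>is SLiM` is missing a space and "NixOSs"/"KDEs" need apostrophes; the quoted journal line `Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING` has lost its opening parenthesis; and "Installing polkit_gnome, a rebuild, logout and login did the trick" should be phrased as an instruction (add `polkit_gnome` to `environment.systemPackages`, rebuild, then log out and back in) rather than as an anecdote.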

View file

@ -65,22 +65,22 @@ options = {
</para>
<section xml:id="sec-option-declarations-eot"><title>Extensible Option
<section xml:id="sec-option-declarations-eot"><title>Extensible Option
Types</title>
<para>Extensible option types is a feature that allow to extend certain types
<para>Extensible option types is a feature that allow to extend certain types
declaration through multiple module files.
This feature only work with a restricted set of types, namely
This feature only work with a restricted set of types, namely
<literal>enum</literal> and <literal>submodules</literal> and any composed
forms of them.</para>
<para>Extensible option types can be used for <literal>enum</literal> options
that affects multiple modules, or as an alternative to related
<para>Extensible option types can be used for <literal>enum</literal> options
that affects multiple modules, or as an alternative to related
<literal>enable</literal> options.</para>
<para>As an example, we will take the case of display managers. There is a
central display manager module for generic display manager options and a
module file per display manager backend (slim, kdm, gdm ...).
module file per display manager backend (slim, sddm, gdm ...).
</para>
<para>There are two approach to this module structure:
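Review bot: this hunk re-emits several lines only for whitespace and the kdm to sddm rename but leaves the grammar errors in the lines it touches: "Extensible option types is a feature that allow to extend certain types declaration" should read "Extensible option types are a feature that allows certain type declarations to be extended", "This feature only work" should be "only works", and "options that affects multiple modules" should be "that affect". Since the lines are already being rewritten, fix them here.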
@ -96,7 +96,7 @@ options = {
</para>
<para>Both approachs have problems.</para>
<para>Making backends independent can quickly become hard to manage. For
display managers, there can be only one enabled at a time, but the type
system can not enforce this restriction as there is no relation between
@ -108,18 +108,18 @@ options = {
central module will require to change the central module option every time
a new backend is added or removed.</para>
<para>By using extensible option types, it is possible to create a placeholder
option in the central module (<xref linkend='ex-option-declaration-eot-service'
/>), and to extend it in each backend module (<xref
linkend='ex-option-declaration-eot-backend-slim' />, <xref
linkend='ex-option-declaration-eot-backend-kdm' />).</para>
<para>By using extensible option types, it is possible to create a placeholder
option in the central module (<xref linkend='ex-option-declaration-eot-service'
/>), and to extend it in each backend module (<xref
linkend='ex-option-declaration-eot-backend-slim' />, <xref
linkend='ex-option-declaration-eot-backend-sddm' />).</para>
<para>As a result, <literal>displayManager.enable</literal> option values can
be added without changing the main service module file and the type system
automatically enforce that there can only be a single display manager
enabled.</para>
<example xml:id='ex-option-declaration-eot-service'><title>Extensible type
<example xml:id='ex-option-declaration-eot-service'><title>Extensible type
placeholder in the service module</title>
<screen>
services.xserver.displayManager.enable = mkOption {
@ -127,29 +127,29 @@ services.xserver.displayManager.enable = mkOption {
type = with types; nullOr (enum [ ]);
};</screen></example>
<example xml:id='ex-option-declaration-eot-backend-slim'><title>Extending
<literal>services.xserver.displayManager.enable</literal> in the
<example xml:id='ex-option-declaration-eot-backend-slim'><title>Extending
<literal>services.xserver.displayManager.enable</literal> in the
<literal>slim</literal> module</title>
<screen>
services.xserver.displayManager.enable = mkOption {
type = with types; nullOr (enum [ "slim" ]);
};</screen></example>
<example xml:id='ex-option-declaration-eot-backend-kdm'><title>Extending
<literal>services.foo.backend</literal> in the <literal>kdm</literal>
<example xml:id='ex-option-declaration-eot-backend-sddm'><title>Extending
<literal>services.foo.backend</literal> in the <literal>sddm</literal>
module</title>
<screen>
services.xserver.displayManager.enable = mkOption {
type = with types; nullOr (enum [ "kdm" ]);
type = with types; nullOr (enum [ "sddm" ]);
};</screen></example>
<para>The placeholder declaration is a standard <literal>mkOption</literal>
declaration, but it is important that extensible option declarations only use
<para>The placeholder declaration is a standard <literal>mkOption</literal>
declaration, but it is important that extensible option declarations only use
the <literal>type</literal> argument.</para>
<para>Extensible option types work with any of the composed variants of
<literal>enum</literal> such as
<literal>with types; nullOr (enum [ "foo" "bar" ])</literal>
<para>Extensible option types work with any of the composed variants of
<literal>enum</literal> such as
<literal>with types; nullOr (enum [ "foo" "bar" ])</literal>
or <literal>with types; listOf (enum [ "foo" "bar" ])</literal>.</para>
</section>
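Review bot: the renamed example `ex-option-declaration-eot-backend-sddm` keeps the title "Extending <literal>services.foo.backend</literal> in the <literal>sddm</literal> module", but the code inside it declares `services.xserver.displayManager.enable`, exactly like the slim example just above it whose title names the option correctly. Align the sddm title with the slim one; the rest of the hunk (the `kdm` to `sddm` enum value and the re-emitted paragraphs) is consistent.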

View file

@ -17,12 +17,21 @@ has the following highlights: </para>
</listitem>
<listitem>
<para>Setting capabilities on programs is now supported with a
<literal>setcap-wrapper</literal> functionality. This
functionality and the <literal>setuid-wrapper</literal> are merged
into a single "wrappers" module.</para>
</listitem>
<listitem>
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal>ati_unfree</literal> keeps forcing 1.17
and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
</listitem>
<listitem>
<para>PHP now defaults to PHP 7.1</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>
@ -54,6 +63,7 @@ following incompatible changes:</para>
for what those parameters represent.
</para>
</listitem>
<listitem>
<para>
<literal>ansible</literal> now defaults to ansible version 2 as version 1
@ -62,6 +72,7 @@ following incompatible changes:</para>
vulnerability</link> unpatched by upstream.
</para>
</listitem>
<listitem>
<para>
<literal>gnome</literal> alias has been removed along with
@ -103,6 +114,15 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
Two lone top-level dict dbs moved into <literal>dictdDBs</literal>. This
affects: <literal>dictdWordnet</literal> which is now at
<literal>dictdDBs.wordnet</literal> and <literal>dictdWiktionary</literal>
which is now at <literal>dictdDBs.wiktionary</literal>
</para>
</listitem>
<listitem>
<para>
Parsoid service now uses YAML configuration format.
@ -124,7 +144,36 @@ following incompatible changes:</para>
</listitem>
<listitem>
<para>
<literal>service.nylon</literal> is now declared using named instances.
As an example:
<programlisting>
services.nylon = {
enable = true;
acceptInterface = "br0";
bindInterface = "tun1";
port = 5912;
};
</programlisting>
should be replaced with:
<programlisting>
services.nylon.myvpn = {
enable = true;
acceptInterface = "br0";
bindInterface = "tun1";
port = 5912;
};
</programlisting>
this enables you to declare a SOCKS proxy for each uplink.
</para>
</listitem>
<listitem>
<para><literal>overridePackages</literal> function no longer exists.
It is replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
@ -161,18 +210,39 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
<literal>local_recipient_maps</literal> is not set to empty value by
Postfix service. It's an insecure default as stated by Postfix
documentation. Those who want to retain this setting need to set it via
<literal>services.postfix.extraConfig</literal>.
</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem>
<para>Module type system have a new extensible option types feature that
allow to extend certain types, such as enum, through multiple option
declarations of the same option across multiple modules.
</para>
</listitem>
<listitem>
<para>
<literal>jre</literal> now defaults to GTK+ UI by default. This
improves visual consistency and makes Java follow system font style,
improving the situation on HighDPI displays. This has a cost of increased
closure size; for server and other headless workloads it's recommended to
use <literal>jre_headless</literal>.
</para>
</listitem>
</itemizedlist>
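Review bot: the Postfix item is ambiguous: "local_recipient_maps is not set to empty value by Postfix service" should read "is no longer set to an empty value", otherwise the reader cannot tell whether this describes the old or the new behaviour. Since the note itself calls the empty value an insecure default, add one clause making clear that re-adding it through `services.postfix.extraConfig` opts back into that insecure behaviour. In the same hunk, "Module type system have a new extensible option types feature that allow to extend certain types" should read "The module type system has a new extensible option types feature that allows certain types ... to be extended", and "now defaults to GTK+ UI by default" says "default" twice.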

View file

@ -508,7 +508,7 @@ sub screenshot {
sub getTTYText {
my ($self, $tty) = @_;
my ($status, $out) = $self->execute("fold -w 80 /dev/vcs${tty}");
my ($status, $out) = $self->execute("fold -w\$(stty -F /dev/tty${tty} size | awk '{print \$2}') /dev/vcs${tty}");
return $out;
}
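Review bot: the new `fold` width lookup has no fallback. If `stty -F /dev/tty${tty} size` fails or prints nothing, the substitution expands to empty and the command becomes `fold -w /dev/vcs${tty}`, so `fold` takes the device path as its width argument and exits with an error instead of returning the screen text. Capture the width first and default it, for example `w=\$(stty -F /dev/tty${tty} size 2>/dev/null | awk '{print \$2}'); fold -w "\${w:-80}" /dev/vcs${tty}`, keeping the Perl escaping of `$` as the existing line does.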

View file

@ -133,13 +133,10 @@ in
'';
environment.sessionVariables.LD_LIBRARY_PATH =
[ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ];
[ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib";
environment.extraInit = ''
export XDG_DATA_DIRS=$XDG_DATA_DIRS:/run/opengl-driver/share
'' + optionalString cfg.driSupport32Bit ''
export XDG_DATA_DIRS=$XDG_DATA_DIRS:/run/opengl-driver-32/share
'';
environment.variables.XDG_DATA_DIRS =
[ "/run/opengl-driver/share" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/share";
hardware.opengl.package = mkDefault (makePackage pkgs);
hardware.opengl.package32 = mkDefault (makePackage pkgs_i686);
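Review bot: `environment.variables.XDG_DATA_DIRS` replaces an `extraInit` snippet that appended to whatever `$XDG_DATA_DIRS` already held when the shell started; the new list is assembled at evaluation time, so a share directory that was only present in the runtime value (set by a display manager or a user's profile before this snippet ran) is no longer preserved, and the order of entries may change. Please confirm that every other module contributing to XDG_DATA_DIRS also does so through `environment.variables`. The `LD_LIBRARY_PATH` change itself is fine: the 32-bit path is now correctly omitted when `driSupport32Bit` is off.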

View file

@ -21,6 +21,8 @@ in
config = mkIf enabled {
nixpkgs.config.xorg.abiCompat = "1.18";
services.xserver.drivers = singleton
{ name = "amdgpu"; modules = [ package ]; libPath = [ package ]; };
@ -44,9 +46,6 @@ in
"amd/amdrc".source = package + "/etc/amd/amdrc";
"amd/amdapfxx.blb".source = package + "/etc/amd/amdapfxx.blb";
"gbm/gbm.conf".source = package + "/etc/gbm/gbm.conf";
"OpenCL/vendors/amdocl64.icd".source = package + "/etc/OpenCL/vendors/amdocl64.icd";
} // optionalAttrs opengl.driSupport32Bit {
"OpenCL/vendors/amdocl32.icd".source = package32 + "/etc/OpenCL/vendors/amdocl32.icd";
};
};

View file

@ -18,7 +18,7 @@ in
config = mkIf enabled {
nixpkgs.config.xorg.fglrxCompat = true;
nixpkgs.config.xorg.abiCompat = "1.17";
services.xserver.drivers = singleton
{ name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; };

View file

@ -76,8 +76,8 @@ in
config = mkIf cfg.enable {
boot.blacklistedKernelModules = [ "nvidia-drm" "nvidia" "nouveau" ];
boot.kernelModules = optional useBbswitch [ "bbswitch" ];
boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11;
boot.kernelModules = optional useBbswitch "bbswitch";
boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11.bin;
environment.systemPackages = [ bumblebee primus ];

View file

@ -27,6 +27,13 @@ let
nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
nvidia_libs32 = (nvidiaForKernel pkgs_i686.linuxPackages).override { libsOnly = true; kernel = null; };
nvidiaPackage = nvidia: pkgs:
if !nvidia.useGLVND then nvidia
else pkgs.buildEnv {
name = "nvidia-libs";
paths = [ pkgs.libglvnd nvidia.out ];
};
enabled = nvidia_x11 != null;
in
@ -35,19 +42,19 @@ in
config = mkIf enabled {
services.xserver.drivers = singleton
{ name = "nvidia"; modules = [ nvidia_x11 ]; libPath = [ nvidia_x11 ]; };
{ name = "nvidia"; modules = [ nvidia_x11.bin ]; libPath = [ nvidia_x11 ]; };
services.xserver.screenSection =
''
Option "RandRRotation" "on"
'';
hardware.opengl.package = nvidia_x11;
hardware.opengl.package32 = nvidia_libs32;
hardware.opengl.package = nvidiaPackage nvidia_x11 pkgs;
hardware.opengl.package32 = nvidiaPackage nvidia_libs32 pkgs_i686;
environment.systemPackages = [ nvidia_x11 ];
environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings nvidia_x11.persistenced ];
boot.extraModulePackages = [ nvidia_x11 ];
boot.extraModulePackages = [ nvidia_x11.bin ];
# nvidia-uvm is required by CUDA applications.
boot.kernelModules = [ "nvidia-uvm" ];
@ -62,8 +69,6 @@ in
services.acpid.enable = true;
environment.etc."OpenCL/vendors/nvidia.icd".source = "${nvidia_x11}/lib/vendors/nvidia.icd";
};
}
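Review bot: the last hunk drops `environment.etc."OpenCL/vendors/nvidia.icd".source = "${nvidia_x11}/lib/vendors/nvidia.icd"` with no replacement in this file and no release-notes entry. Unless the ICD registration now ships with the driver package itself, OpenCL clients lose the NVIDIA vendor entry under /etc/OpenCL/vendors. Please state where it moved or restore it, pointing at whichever of the new outputs holds the file, since the other hunks in this file now reference `nvidia_x11.bin`, `.settings`, `.persistenced` and `.out` separately.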

View file

@ -52,9 +52,7 @@ in
enable_uart=1
'';
in ''
for f in bootcode.bin fixup.dat start.elf; do
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
done
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${patchedUboot}/u-boot.bin boot/u-boot-rpi3.bin
cp ${configTxt} boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot
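Review bot: the replacement line copies with unquoted globs and an unquoted `$NIX_BUILD_TOP`; if `fixup*.dat` or `start*.elf` match nothing, the literal pattern is handed to `cp` and the build fails with a misleading message, so consider quoting `"$NIX_BUILD_TOP/boot/"` and checking the copy explicitly. The same one-liner is added verbatim to the two following sd-image files; a shared helper would keep the three in sync the next time the firmware file set changes.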

View file

@ -44,9 +44,7 @@ in
enable_uart=1
'';
in ''
for f in bootcode.bin fixup.dat start.elf; do
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
done
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin
cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin boot/u-boot-rpi3.bin
cp ${configTxt} boot/config.txt

View file

@ -34,9 +34,7 @@ in
sdImage = {
populateBootCommands = ''
for f in bootcode.bin fixup.dat start.elf; do
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
done
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${pkgs.ubootRaspberryPi}/u-boot.bin boot/u-boot-rpi.bin
echo 'kernel u-boot-rpi.bin' > boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot

View file

@ -208,9 +208,6 @@ foreach my $path (glob "/sys/bus/pci/devices/*") {
pciCheck $path;
}
push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
# Idem for USB devices.
sub usbCheck {
@ -277,6 +274,12 @@ if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") {
push @imports, "<nixpkgs/nixos/modules/profiles/qemu-guest.nix>";
}
# Also for Hyper-V.
if ($virt eq "microsoft") {
push @initrdAvailableKernelModules, "hv_storvsc";
$videoDriver = "fbdev";
}
# Pull in NixOS configuration for containers.
if ($virt eq "systemd-nspawn") {
@ -307,6 +310,7 @@ sub findStableDevPath {
return $dev;
}
push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
# Generate the swapDevices option from the currently activated swap
# devices.
@ -588,6 +592,12 @@ $bootLoaderConfig
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Enable CUPS to print documents.
# services.printing.enable = true;
@ -597,8 +607,8 @@ $bootLoaderConfig
# services.xserver.xkbOptions = "eurosign:e";
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.kdm.enable = true;
# services.xserver.desktopManager.kde4.enable = true;
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.kde5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.extraUsers.guest = {

View file

@ -64,7 +64,7 @@
cups = 36;
foldingathome = 37;
sabnzbd = 38;
kdm = 39;
#kdm = 39; # dropped in 17.03
ghostone = 40;
git = 41;
fourstore = 42;
@ -206,7 +206,7 @@
ripple-data-api = 186;
mediatomb = 187;
rdnssd = 188;
ihaskell = 189;
# ihaskell = 189; # unused
i2p = 190;
lambdabot = 191;
asterisk = 192;
@ -286,6 +286,7 @@
gogs = 268;
pdns-recursor = 269;
kresd = 270;
rpc = 271;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -332,7 +333,7 @@
#cups = 36; # unused
#foldingathome = 37; # unused
#sabnzd = 38; # unused
#kdm = 39; # unused
#kdm = 39; # unused, even before 17.03
ghostone = 40;
git = 41;
fourstore = 42;
@ -469,7 +470,7 @@
#ripple-data-api = 186; #unused
mediatomb = 187;
#rdnssd = 188; # unused
ihaskell = 189;
# ihaskell = 189; # unused
i2p = 190;
lambdabot = 191;
asterisk = 192;
@ -541,6 +542,7 @@
couchpotato = 267;
gogs = 268;
kresd = 270;
#rpc = 271; # unused
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

View file

@ -45,9 +45,8 @@ let
in
{
options = {
nixpkgs.config = mkOption {
options.nixpkgs = {
config = mkOption {
default = {};
example = literalExample
''
@ -61,7 +60,7 @@ in
'';
};
nixpkgs.overlays = mkOption {
overlays = mkOption {
default = [];
example = literalExample
''
@ -85,7 +84,7 @@ in
'';
};
nixpkgs.system = mkOption {
system = mkOption {
type = types.str;
example = "i686-linux";
description = ''
@ -95,14 +94,9 @@ in
multi-platform deployment, or when building virtual machines.
'';
};
};
config = {
_module.args.pkgs = import ../../.. {
system = config.nixpkgs.system;
inherit (config.nixpkgs) config;
};
_module.args.pkgs = import ../../.. config.nixpkgs;
};
}
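Review bot: `_module.args.pkgs = import ../../.. config.nixpkgs;` forwards every attribute of `config.nixpkgs` to the nixpkgs entry point, not just the `config`, `overlays` and `system` options this module declares. Any option that a later change or another module declares under `nixpkgs.*` is then passed to nixpkgs unconditionally and has to be accepted there, or evaluation breaks far from the option that caused it. Prefer passing the known attributes explicitly, e.g. `import ../../.. { inherit (config.nixpkgs) config overlays system; }`, and note in the option description that `overlays` is now forwarded, since the removed code passed only `system` and `config`.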

View file

@ -141,6 +141,7 @@
./services/computing/torque/mom.nix
./services/computing/slurm/slurm.nix
./services/continuous-integration/buildbot/master.nix
./services/continuous-integration/buildbot/worker.nix
./services/continuous-integration/buildkite-agent.nix
./services/continuous-integration/hydra/default.nix
./services/continuous-integration/gitlab-runner.nix
@ -197,6 +198,7 @@
./services/hardware/bluetooth.nix
./services/hardware/brltty.nix
./services/hardware/freefall.nix
./services/hardware/illum.nix
./services/hardware/irqbalance.nix
./services/hardware/nvidia-optimus.nix
./services/hardware/pcscd.nix
@ -205,6 +207,7 @@
./services/hardware/tcsd.nix
./services/hardware/tlp.nix
./services/hardware/thinkfan.nix
./services/hardware/trezord.nix
./services/hardware/udev.nix
./services/hardware/udisks2.nix
./services/hardware/upower.nix
@ -256,12 +259,13 @@
./services/misc/felix.nix
./services/misc/folding-at-home.nix
./services/misc/gammu-smsd.nix
./services/misc/geoip-updater.nix
#./services/misc/gitit.nix
./services/misc/gitlab.nix
./services/misc/gitolite.nix
./services/misc/gogs.nix
./services/misc/gpsd.nix
./services/misc/ihaskell.nix
#./services/misc/ihaskell.nix
./services/misc/leaps.nix
./services/misc/mantisbt.nix
./services/misc/mathics.nix
@ -290,6 +294,7 @@
./services/misc/siproxd.nix
./services/misc/sonarr.nix
./services/misc/spice-vdagentd.nix
./services/misc/ssm-agent.nix
./services/misc/sssd.nix
./services/misc/subsonic.nix
./services/misc/sundtek.nix
@ -339,6 +344,7 @@
./services/monitoring/zabbix-server.nix
./services/network-filesystems/cachefilesd.nix
./services/network-filesystems/drbd.nix
./services/network-filesystems/glusterfs.nix
./services/network-filesystems/ipfs.nix
./services/network-filesystems/netatalk.nix
./services/network-filesystems/nfsd.nix
@ -442,6 +448,7 @@
./services/networking/radicale.nix
./services/networking/radvd.nix
./services/networking/rdnssd.nix
./services/networking/redsocks.nix
./services/networking/rpcbind.nix
./services/networking/sabnzbd.nix
./services/networking/searx.nix
@ -498,7 +505,8 @@
./services/security/frandom.nix
./services/security/haka.nix
./services/security/haveged.nix
./services/security/hologram.nix
./services/security/hologram-server.nix
./services/security/hologram-agent.nix
./services/security/munge.nix
./services/security/oauth2_proxy.nix
./services/security/physlock.nix
@ -553,7 +561,6 @@
./services/x11/display-managers/auto.nix
./services/x11/display-managers/default.nix
./services/x11/display-managers/gdm.nix
./services/x11/display-managers/kdm.nix
./services/x11/display-managers/lightdm.nix
./services/x11/display-managers/sddm.nix
./services/x11/display-managers/slim.nix
@ -639,6 +646,7 @@
./virtualisation/container-config.nix
./virtualisation/containers.nix
./virtualisation/docker.nix
./virtualisation/ecs-agent.nix
./virtualisation/libvirtd.nix
./virtualisation/lxc.nix
./virtualisation/lxcfs.nix

View file

@ -42,6 +42,9 @@
# Virtio (QEMU, KVM etc.) support.
"virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console"
# Hyper-V support.
"hv_storvsc"
# Keyboards
"usbhid" "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
];

View file

@ -6,8 +6,8 @@
{
services.xserver = {
enable = true;
displayManager.kdm.enable = true;
desktopManager.kde4.enable = true;
displayManager.sddm.enable = true;
desktopManager.kde5.enable = true;
synaptics.enable = true; # for touchpad support on many laptops
};

View file

@ -171,6 +171,10 @@ with lib;
(mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ])
(mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" )
# nfs
(mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ])
(mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ])
# Options that are obsolete and have no replacement.
(mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
(mkRemovedOptionModule [ "programs" "bash" "enable" ] "")

View file

@ -7,21 +7,20 @@
<title>Grsecurity/PaX</title>
<para>
Grsecurity/PaX is a set of patches against the Linux kernel that make it
harder to exploit bugs. The patchset includes protections such as
enforcement of non-executable memory, address space layout randomization,
and chroot jail hardening. These and other
Grsecurity/PaX is a set of patches against the Linux kernel that
implements an extensive suite of
<link xlink:href="https://grsecurity.net/features.php">features</link>
render entire classes of exploits inert without additional efforts on the
part of the adversary.
designed to increase the difficulty of exploiting kernel and
application bugs.
</para>
<para>
The NixOS grsecurity/PaX module is designed with casual users in mind and is
intended to be compatible with normal desktop usage, without unnecessarily
compromising security. The following sections describe the configuration
and administration of a grsecurity/PaX enabled NixOS system. For
more comprehensive coverage, please refer to the
intended to be compatible with normal desktop usage, without
<emphasis>unnecessarily</emphasis> compromising security. The
following sections describe the configuration and administration of
a grsecurity/PaX enabled NixOS system. For more comprehensive
coverage, please refer to the
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
and the
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
@ -35,7 +34,7 @@
and each configuration requires quite a bit of testing to ensure that the
resulting packages work as advertised. Defining additional package sets
would likely result in a large number of functionally broken packages, to
nobody's benefit.</para></note>.
nobody's benefit.</para></note>
</para>
<sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
@ -126,10 +125,10 @@
The NixOS kernel is built using upstream's recommended settings for a
desktop deployment that generally favours security over performance. This
section details deviations from upstream's recommendations that may
compromise operational security.
compromise security.
<warning><para>There may be additional problems not covered here!</para>
</warning>.
</warning>
</para>
<itemizedlist>
@ -159,8 +158,8 @@
<listitem><para>
The NixOS module conditionally weakens <command>chroot</command>
restrictions to accommodate NixOS lightweight containers and sandboxed Nix
builds. This is problematic if the deployment also runs a privileged
network facing process that <emphasis>relies</emphasis> on
builds. This can be problematic if the deployment also runs privileged
network facing processes that <emphasis>rely</emphasis> on
<command>chroot</command> for isolation.
</para></listitem>
@ -221,15 +220,18 @@
</para>
<para>
The wikibook provides an exhaustive listing of
The grsecurity/PaX wikibook provides an exhaustive listing of
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
</para>
<para>
The NixOS module makes several assumptions about the kernel and so
may be incompatible with your customised kernel. Currently, the only way
to work around incompatibilities is to eschew the NixOS module.
to work around these incompatibilities is to eschew the NixOS
module.
</para>
<para>
If not using the NixOS module, a custom grsecurity package set can
be specified inline instead, as in
<programlisting>
@ -290,7 +292,7 @@
<listitem><para>User initiated autoloading of modules (e.g., when
using fuse or loop devices) is disallowed; either load requisite modules
as root or add them to<option>boot.kernelModules</option>.</para></listitem>
as root or add them to <option>boot.kernelModules</option>.</para></listitem>
<listitem><para>Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are

View file

@ -253,6 +253,8 @@ let
"auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
${optionalString cfg.usbAuth
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
'' +
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
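Review bot: moving pam_oath from `auth sufficient` in the password block to `auth requisite` ahead of it changes the semantics for every service with `oathAuth` enabled: a valid OTP alone no longer logs the user in, and a failed or missing OTP now aborts the stack before pam_unix and the other password modules run, so OATH becomes a mandatory second factor instead of an alternative. That is the stronger behaviour and the intended one, but the `security.pam.oath` option documentation and the release notes should say so explicitly. Also note the ordering: `pam_u2f` and `pam_usb` remain `sufficient` directly above the new line, so a success from either returns before pam_oath is consulted; make sure that bypass is deliberate.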
@ -271,8 +273,6 @@ let
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
${optionalString cfg.otpwAuth
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
${optionalString use_ldap
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
${optionalString config.services.sssd.enable

View file

@ -775,7 +775,7 @@ in {
--bind-address=${cfg.proxy.address} \
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
${cfg.controllerManager.extraOpts}
${cfg.proxy.extraOpts}
'';
WorkingDirectory = cfg.dataDir;
};

View file

@ -7,7 +7,7 @@ with lib;
let
cfg = config.services.buildbot-master;
escapeStr = s: escape ["'"] s;
masterCfg = pkgs.writeText "master.cfg" ''
masterCfg = if cfg.masterCfg == null then pkgs.writeText "master.cfg" ''
from buildbot.plugins import *
factory = util.BuildFactory()
c = BuildmasterConfig = dict(
@ -27,9 +27,8 @@ let
factory.addStep(step)
${cfg.extraConfig}
'';
configFile = if cfg.masterCfg == null then masterCfg else cfg.masterCfg;
''
else pkgs.writeText "master.cfg" cfg.masterCfg;
in {
options = {
@ -67,15 +66,13 @@ in {
};
masterCfg = mkOption {
type = with types; nullOr path;
type = types.str;
description = ''
Optionally pass path to raw master.cfg file.
Optionally pass raw master.cfg file as string.
Other options in this configuration will be ignored.
'';
default = null;
example = literalExample ''
pkgs.writeText "master.cfg" "BuildmasterConfig = c = {}"
'';
example = "BuildmasterConfig = c = {}";
};
schedulers = mkOption {
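Review bot: `masterCfg` is retyped to `types.str` but keeps `default = null`, while the `let` block above still tests `cfg.masterCfg == null`. The module system type-checks the default together with the definitions, so with the service enabled and `masterCfg` unset, evaluation fails with a "not of type string" error before the null check is ever reached. Use `type = with types; nullOr str;` here, or drop the null default and the `== null` branch together.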
@ -99,9 +96,9 @@ in {
type = types.listOf types.str;
description = "List of Workers.";
default = [
"worker.Worker('default-worker', 'password')"
"worker.Worker('example-worker', 'pass')"
];
example = [ "worker.LocalWorker('default-worker')" ];
example = [ "worker.LocalWorker('example-worker')" ];
};
status = mkOption {
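Review bot: the default `workers` list still contains a working credential, now `worker.Worker('example-worker', 'pass')`; a master enabled with defaults accepts any worker that presents this well-known name and password. Defaults should not carry usable credentials: leave the list empty, make the option mandatory, or keep the entry only under `example`.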
@ -209,7 +206,7 @@ in {
users.extraUsers = optional (cfg.user == "buildbot") {
name = "buildbot";
description = "buildbot user";
description = "Buildbot User.";
isNormalUser = true;
createHome = true;
home = cfg.home;
@ -219,7 +216,7 @@ in {
};
systemd.services.buildbot-master = {
description = "Buildbot Continuous Integration Server";
description = "Buildbot Continuous Integration Server.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = cfg.packages;
@ -233,9 +230,8 @@ in {
};
preStart = ''
mkdir -vp ${cfg.buildbotDir}
chown -c ${cfg.user}:${cfg.group} ${cfg.buildbotDir}
ln -sf ${configFile} ${cfg.buildbotDir}/master.cfg
${pkgs.coreutils}/bin/mkdir -vp ${cfg.buildbotDir}
${pkgs.coreutils}/bin/ln -sfv ${masterCfg} ${cfg.buildbotDir}/master.cfg
${cfg.package}/bin/buildbot create-master ${cfg.buildbotDir}
'';
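Review bot: the `chown -c ${cfg.user}:${cfg.group} ${cfg.buildbotDir}` step was dropped from `preStart`. If preStart still runs as root (the usual arrangement when only ExecStart runs as `cfg.user`), the freshly created `buildbotDir` and the `create-master` output stay root-owned and the master cannot write to them at runtime. Either keep the chown or make sure the whole unit, preStart included, runs as `cfg.user`.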
@ -247,4 +243,6 @@ in {
};
};
meta.maintainers = with lib.maintainers; [ nand0p Mic92 ];
}

View file

@ -0,0 +1,128 @@
# NixOS module for Buildbot Worker.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.buildbot-worker;
in {
options = {
services.buildbot-worker = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the Buildbot Worker.";
};
user = mkOption {
default = "bbworker";
type = types.str;
description = "User the buildbot Worker should execute under.";
};
group = mkOption {
default = "bbworker";
type = types.str;
description = "Primary group of buildbot Worker user.";
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [ "nixbld" ];
description = "List of extra groups that the Buildbot Worker user should be a part of.";
};
home = mkOption {
default = "/home/bbworker";
type = types.path;
description = "Buildbot home directory.";
};
buildbotDir = mkOption {
default = "${cfg.home}/worker";
type = types.path;
description = "Specifies the Buildbot directory.";
};
workerUser = mkOption {
default = "example-worker";
type = types.str;
description = "Specifies the Buildbot Worker user.";
};
workerPass = mkOption {
default = "pass";
type = types.str;
description = "Specifies the Buildbot Worker password.";
};
masterUrl = mkOption {
default = "localhost:9989";
type = types.str;
description = "Specifies the Buildbot Worker connection string.";
};
package = mkOption {
type = types.package;
default = pkgs.buildbot-worker;
description = "Package to use for buildbot worker.";
example = pkgs.buildbot-worker;
};
packages = mkOption {
default = [ ];
example = [ pkgs.git ];
type = types.listOf types.package;
description = "Packages to add to PATH for the buildbot process.";
};
};
};
config = mkIf cfg.enable {
users.extraGroups = optional (cfg.group == "bbworker") {
name = "bbworker";
};
users.extraUsers = optional (cfg.user == "bbworker") {
name = "bbworker";
description = "Buildbot Worker User.";
isNormalUser = true;
createHome = true;
home = cfg.home;
group = cfg.group;
extraGroups = cfg.extraGroups;
useDefaultShell = true;
};
systemd.services.buildbot-worker = {
description = "Buildbot Worker.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
wants = [ "buildbot-master.service" ];
path = cfg.packages;
preStart = ''
# NOTE: ensure master has time to start in case running on localhost
${pkgs.coreutils}/bin/sleep 4
${pkgs.coreutils}/bin/mkdir -vp ${cfg.buildbotDir}
${cfg.package}/bin/buildbot-worker create-worker ${cfg.buildbotDir} ${cfg.masterUrl} ${cfg.workerUser} ${cfg.workerPass}
'';
serviceConfig = {
Type = "forking";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.home;
ExecStart = "${cfg.package}/bin/buildbot-worker start ${cfg.buildbotDir}";
};
};
};
meta.maintainers = with lib.maintainers; [ nand0p ];
}
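Review bot: `workerPass` (default "pass", `type = types.str`) is passed on the command line in `${cfg.package}/bin/buildbot-worker create-worker ${cfg.buildbotDir} ${cfg.masterUrl} ${cfg.workerUser} ${cfg.workerPass}`, so it is visible in the process list while create-worker runs and is baked into the preStart script in the world-readable Nix store. A `workerPassFile` option read at runtime would avoid both, and dropping the default would force users to pick a value. Separately, `${pkgs.coreutils}/bin/sleep 4` is a race rather than an ordering: the unit already declares `wants = [ "buildbot-master.service" ]`, so adding `"buildbot-master.service"` to `after` lets systemd sequence the two; and `Type = "forking"` without a `PIDFile` leaves systemd guessing which process is the main one.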

View file

@ -316,10 +316,10 @@ https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides
<para>
If you are not on NixOS or want to install this particular
Emacs only for yourself, you can do so by adding it to your
<filename>~/.nixpkgs/config.nix</filename>
<filename>~/.config/nixpkgs/config.nix</filename>
(see <link xlink:href="http://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides">Nixpkgs manual</link>):
<example>
<title>Custom Emacs in <filename>~/.nixpkgs/system.nix</filename></title>
<title>Custom Emacs in <filename>~/.config/nixpkgs/config.nix</filename></title>
<programlisting><![CDATA[
{
packageOverrides = super: let self = super.pkgs; in {

View file

@ -2,41 +2,7 @@
with lib;
let
bluez-bluetooth = if config.services.xserver.desktopManager.kde4.enable then pkgs.bluez else pkgs.bluez5;
configBluez = {
description = "Bluetooth Service";
serviceConfig = {
Type = "dbus";
BusName = "org.bluez";
ExecStart = "${getBin bluez-bluetooth}/bin/bluetoothd -n";
};
wantedBy = [ "bluetooth.target" ];
};
configBluez5 = {
description = "Bluetooth Service";
serviceConfig = {
Type = "dbus";
BusName = "org.bluez";
ExecStart = "${getBin bluez-bluetooth}/bin/bluetoothd -n";
NotifyAccess="main";
CapabilityBoundingSet="CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
LimitNPROC=1;
};
wantedBy = [ "bluetooth.target" ];
};
obexConfig = {
description = "Bluetooth OBEX service";
serviceConfig = {
Type = "dbus";
BusName = "org.bluez.obex";
ExecStart = "${getBin bluez-bluetooth}/bin/obexd";
};
};
bluezConfig = if config.services.xserver.desktopManager.kde4.enable then configBluez else configBluez5;
bluez-bluetooth = pkgs.bluez;
in
{
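Review bot: Deleting configBluez5 drops the explicit hardening it carried (`CapabilityBoundingSet="CAP_NET_ADMIN CAP_NET_BIND_SERVICE"`, `LimitNPROC=1`, `NotifyAccess="main"`), so the sandboxing of bluetoothd now rests entirely on the unit files shipped inside pkgs.bluez that `systemd.packages` pulls in; please confirm those units carry equivalent or stricter restrictions and mention it in the commit message. The kde4 special case that selected bluez 4.x is also removed silently, which is a behaviour change for anyone with `services.xserver.desktopManager.kde4.enable` set.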
@ -54,14 +20,25 @@ in
};
###### implementation
config = mkIf config.hardware.bluetooth.enable {
environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
services.udev.packages = [ bluez-bluetooth ];
services.dbus.packages = [ bluez-bluetooth ];
systemd.services."dbus-org.bluez" = bluezConfig;
systemd.services."dbus-org.bluez.obex" = obexConfig;
systemd.packages = [ bluez-bluetooth ];
systemd.services.bluetooth = {
wantedBy = [ "bluetooth.target" ];
aliases = [ "dbus-org.bluez.service" ];
};
systemd.user.services.obex = {
aliases = [ "dbus-org.bluez.obex.service" ];
};
};

View file

@ -0,0 +1,35 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.illum;
in {
options = {
services.illum = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable illum, a daemon for controlling screen brightness with brightness buttons.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.illum = {
description = "Backlight Adjustment Service";
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.illum}/bin/illum-d";
};
};
}
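Review bot: The illum unit runs as root with no `User=` and no sandboxing; `serviceConfig.ExecStart = "${pkgs.illum}/bin/illum-d"` is the only setting. A daemon whose job is to read brightness keys and write the backlight sysfs attribute is a good candidate for a dedicated user plus a udev rule granting group write access, or at least `ProtectHome`, `PrivateTmp` and an empty `CapabilityBoundingSet`. Style: the enable option could use `mkEnableOption`, as the other new modules in this merge do.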

View file

@ -51,7 +51,7 @@ in
Enable support for SANE scanners.
<note><para>
Users in the "scanner" group will gain access to the scanner.
Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer.
</para></note>
'';
};
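Review bot: Wording on the changed line: "or the "lp" group if it's also a printer" attaches ambiguously to the sentence. Suggest: Users in the "scanner" group (or in the "lp" group, if the device is also a printer) will gain access to the scanner.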

View file

@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.trezord;
in {
### interface
options = {
services.trezord = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets.
'';
};
};
};
### implementation
config = mkIf cfg.enable {
services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "trezord-udev-rules";
destination = "/etc/udev/rules.d/51-trezor.rules";
text = ''
SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666", GROUP="dialout", SYMLINK+="trezor%n"
KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0666", GROUP="dialout"
'';
});
systemd.services.trezord = {
description = "TREZOR Bridge";
after = [ "systemd-udev-settle.service" "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.trezord}/bin/trezord -f";
User = "trezord";
};
};
users.users.trezord = {
group = "trezord";
description = "Trezor bridge daemon user";
};
users.groups.trezord = {};
};
}
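Review bot: `MODE="0666"` on both udev rules makes the Trezor USB and hidraw nodes writable by every local user, which also renders `GROUP="dialout"` meaningless. A device that signs bitcoin transactions should be reachable only by the bridge: use `MODE="0660"` with `GROUP="trezord"` (the group created further down in this file), or `TAG+="uaccess"` if logged-in console users are meant to talk to it directly. Minor: `after = [ "systemd-udev-settle.service" "network.target" ]` pulls in udev-settle, which is slow and discouraged; the udev rule plus `Restart=` is the usual approach.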

View file

@ -79,8 +79,6 @@ let
relay_domains = ${concatStringsSep ", " cfg.relayDomains}
''
+ ''
local_recipient_maps =
relayhost = ${if cfg.lookupMX || cfg.relayHost == "" then
cfg.relayHost
else
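Review bot: Removing the empty `local_recipient_maps =` line is a behaviour change, not a cleanup: an empty value disables Postfix's check that a local recipient exists, so the server accepted mail for any address in its local domains and bounced it afterwards (backscatter). With the line gone the Postfix default applies and unknown local recipients are rejected during the SMTP transaction, which is the safer behaviour, but the commit message should call it out since sites relying on catch-all local delivery will notice.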

View file

@ -0,0 +1,300 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.geoip-updater;
dbBaseUrl = "https://geolite.maxmind.com/download/geoip/database";
randomizedTimerDelaySec = "3600";
# Use writeScriptBin instead of writeScript, so that argv[0] (logged to the
# journal) doesn't include the long nix store path hash. (Prefixing the
# ExecStart= command with '@' doesn't work because we start a shell (new
# process) that creates a new argv[0].)
geoip-updater = pkgs.writeScriptBin "geoip-updater" ''
#!${pkgs.stdenv.shell}
skipExisting=0
debug()
{
echo "<7>$@"
}
info()
{
echo "<6>$@"
}
error()
{
echo "<3>$@"
}
die()
{
error "$@"
exit 1
}
waitNetworkOnline()
{
ret=1
for i in $(seq 6); do
curl_out=$("${pkgs.curl.bin}/bin/curl" \
--silent --fail --show-error --max-time 60 "${dbBaseUrl}" 2>&1)
if [ $? -eq 0 ]; then
debug "Server is reachable (try $i)"
ret=0
break
else
debug "Server is unreachable (try $i): $curl_out"
sleep 10
fi
done
return $ret
}
dbFnameTmp()
{
dburl=$1
echo "${cfg.databaseDir}/.$(basename "$dburl")"
}
dbFnameTmpDecompressed()
{
dburl=$1
echo "${cfg.databaseDir}/.$(basename "$dburl")" | sed 's/\.\(gz\|xz\)$//'
}
dbFname()
{
dburl=$1
echo "${cfg.databaseDir}/$(basename "$dburl")" | sed 's/\.\(gz\|xz\)$//'
}
downloadDb()
{
dburl=$1
curl_out=$("${pkgs.curl.bin}/bin/curl" \
--silent --fail --show-error --max-time 900 -L -o "$(dbFnameTmp "$dburl")" "$dburl" 2>&1)
if [ $? -ne 0 ]; then
error "Failed to download $dburl: $curl_out"
return 1
fi
}
decompressDb()
{
fn=$(dbFnameTmp "$1")
ret=0
case "$fn" in
*.gz)
cmd_out=$("${pkgs.gzip}/bin/gzip" --decompress --force "$fn" 2>&1)
;;
*.xz)
cmd_out=$("${pkgs.xz.bin}/bin/xz" --decompress --force "$fn" 2>&1)
;;
*)
cmd_out=$(echo "File \"$fn\" is neither a .gz nor .xz file")
false
;;
esac
if [ $? -ne 0 ]; then
error "$cmd_out"
ret=1
fi
}
atomicRename()
{
dburl=$1
mv "$(dbFnameTmpDecompressed "$dburl")" "$(dbFname "$dburl")"
}
removeIfNotInConfig()
{
# Arg 1 is the full path of an installed DB.
# If the corresponding database is not specified in the NixOS config we
# remove it.
db=$1
for cdb in ${lib.concatStringsSep " " cfg.databases}; do
confDb=$(echo "$cdb" | sed 's/\.\(gz\|xz\)$//')
if [ "$(basename "$db")" = "$(basename "$confDb")" ]; then
return 0
fi
done
rm "$db"
if [ $? -eq 0 ]; then
debug "Removed $(basename "$db") (not listed in services.geoip-updater.databases)"
else
error "Failed to remove $db"
fi
}
removeUnspecifiedDbs()
{
for f in "${cfg.databaseDir}/"*; do
test -f "$f" || continue
case "$f" in
*.dat|*.mmdb|*.csv)
removeIfNotInConfig "$f"
;;
*)
debug "Not removing \"$f\" (unknown file extension)"
;;
esac
done
}
downloadAndInstall()
{
dburl=$1
if [ "$skipExisting" -eq 1 -a -f "$(dbFname "$dburl")" ]; then
debug "Skipping existing file: $(dbFname "$dburl")"
return 0
fi
downloadDb "$dburl" || return 1
decompressDb "$dburl" || return 1
atomicRename "$dburl" || return 1
info "Updated $(basename "$(dbFname "$dburl")")"
}
for arg in "$@"; do
case "$arg" in
--skip-existing)
skipExisting=1
info "Option --skip-existing is set: not updating existing databases"
;;
*)
error "Unknown argument: $arg";;
esac
done
waitNetworkOnline || die "Network is down (${dbBaseUrl} is unreachable)"
test -d "${cfg.databaseDir}" || die "Database directory (${cfg.databaseDir}) doesn't exist"
debug "Starting update of GeoIP databases in ${cfg.databaseDir}"
all_ret=0
for db in ${lib.concatStringsSep " \\\n " cfg.databases}; do
downloadAndInstall "${dbBaseUrl}/$db" || all_ret=1
done
removeUnspecifiedDbs || all_ret=1
if [ $all_ret -eq 0 ]; then
info "Completed GeoIP database update in ${cfg.databaseDir}"
else
error "Completed GeoIP database update in ${cfg.databaseDir}, with error(s)"
fi
# Hack to work around systemd journal race:
# https://github.com/systemd/systemd/issues/2913
sleep 2
exit $all_ret
'';
in
{
options = {
services.geoip-updater = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable periodic downloading of GeoIP databases from
maxmind.com. You might want to enable this if you, for instance, use
ntopng or Wireshark.
'';
};
interval = mkOption {
type = types.str;
default = "weekly";
description = ''
Update the GeoIP databases at this time / interval.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
To prevent load spikes on maxmind.com, the timer interval is
randomized by an additional delay of ${randomizedTimerDelaySec}
seconds. Setting a shorter interval than this is not recommended.
'';
};
databaseDir = mkOption {
type = types.path;
default = "/var/lib/geoip-databases";
description = ''
Directory that will contain GeoIP databases.
'';
};
databases = mkOption {
type = types.listOf types.str;
default = [
"GeoLiteCountry/GeoIP.dat.gz"
"GeoIPv6.dat.gz"
"GeoLiteCity.dat.xz"
"GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz"
"asnum/GeoIPASNum.dat.gz"
"asnum/GeoIPASNumv6.dat.gz"
"GeoLite2-Country.mmdb.gz"
"GeoLite2-City.mmdb.gz"
];
description = ''
Which GeoIP databases to update. The full URL is ${dbBaseUrl}/ +
<literal>the_database</literal>.
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{ assertion = (builtins.filter
(x: builtins.match ".*\.(gz|xz)$" x == null) cfg.databases) == [];
message = ''
services.geoip-updater.databases supports only .gz and .xz databases.
Current value:
${toString cfg.databases}
Offending element(s):
${toString (builtins.filter (x: builtins.match ".*\.(gz|xz)$" x == null) cfg.databases)};
'';
}
];
systemd.timers.geoip-updater =
{ description = "GeoIP Updater Timer";
partOf = [ "geoip-updater.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = cfg.interval;
timerConfig.Persistent = "true";
timerConfig.RandomizedDelaySec = randomizedTimerDelaySec;
};
systemd.services.geoip-updater = {
description = "GeoIP Updater";
after = [ "network-online.target" "nss-lookup.target" ];
wants = [ "network-online.target" ];
preStart = ''
mkdir -p "${cfg.databaseDir}"
chmod 755 "${cfg.databaseDir}"
chown nobody:root "${cfg.databaseDir}"
'';
serviceConfig = {
ExecStart = "${geoip-updater}/bin/geoip-updater";
User = "nobody";
PermissionsStartOnly = true;
};
};
systemd.services.geoip-updater-setup = {
description = "GeoIP Updater Setup";
after = [ "network-online.target" "nss-lookup.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
conflicts = [ "geoip-updater.service" ];
preStart = ''
mkdir -p "${cfg.databaseDir}"
chmod 755 "${cfg.databaseDir}"
chown nobody:root "${cfg.databaseDir}"
'';
serviceConfig = {
ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing";
User = "nobody";
PermissionsStartOnly = true;
# So it won't be (needlessly) restarted:
RemainAfterExit = true;
};
};
};
}
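Review bot: `decompressDb` never reports failure: after the `if [ $? -ne 0 ]` block the function falls off the end, and its exit status is that of the last command executed (`ret=1`, which succeeds), so `decompressDb "$dburl" || return 1` in downloadAndInstall never triggers and a corrupt download only surfaces as a later `mv` error; add `return $ret` at the end (the variable is already maintained). Second, the service runs as `User = "nobody"` and chowns `${cfg.databaseDir}` to `nobody:root`; `nobody` is shared with other unprivileged processes, any of which could then replace the GeoIP databases that ntopng or Wireshark read. A dedicated geoip-updater user and group is the usual pattern. Minor: in `builtins.match ".*\.(gz|xz)$"` the `\.` inside a Nix string is just `.`, so the assertion also accepts names like `foogz`.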

View file

@ -528,8 +528,8 @@ in {
if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
if ! test -e "${cfg.statePath}/db-created"; then
psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} || true
touch "${cfg.statePath}/db-created"
fi
fi
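Review bot: The psql call interpolates `${cfg.databaseUsername}`, `${cfg.databaseName}` and `${cfg.databasePassword}` directly into a SQL statement inside a double-quoted shell string; a password containing `'`, `$` or a backslash breaks the CREATE ROLE statement or the shell quoting instead of being stored. Pass the values as psql variables (`-v pw="$PW"` and `:'pw'` in the statement) or quote them with `quote_literal`/`quote_ident` so they are escaped properly. The password is also embedded in the preStart script in the Nix store; that predates this hunk but deserves a follow-up.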

View file

@ -208,6 +208,7 @@ in
group = "gogs";
home = cfg.stateDir;
createHome = true;
shell = pkgs.bash;
};
extraGroups.gogs.gid = config.ids.gids.gogs;
};
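Review bot: `shell = pkgs.bash;` assigns a package where the option historically took a path; unless `users.users.<name>.shell` in this tree accepts packages (`types.shellPackage`), this evaluates to the store directory rather than an executable and the gogs user ends up with no working login shell. Use `"${pkgs.bash}/bin/bash"` unless the option type has been confirmed, and state in the commit message why the gogs user now needs a real shell (git over SSH, presumably).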

View file

@ -20,18 +20,6 @@ in
description = "Autostart an IHaskell notebook service.";
};
haskellPackages = mkOption {
default = pkgs.haskellPackages;
defaultText = "pkgs.haskellPackages";
example = literalExample "pkgs.haskell.packages.ghc784";
description = ''
haskellPackages used to build IHaskell and other packages.
This can be used to change the GHC version used to build
IHaskell and the packages listed in
<varname>extraPackages</varname>.
'';
};
extraPackages = mkOption {
default = self: [];
example = literalExample ''
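Review bot: Removing the `haskellPackages` option outright means existing configurations that set `services.ihaskell.haskellPackages` fail with a generic "option does not exist" error. Declare it with `mkRemovedOptionModule` (or `mkRenamedOptionModule` if there is a replacement) so the evaluation error explains what changed and what to use instead.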

View file

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.ssm-agent;
# The SSM agent doesn't pay attention to our /etc/os-release yet, and the lsb-release tool
# in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM
# looks for. See https://github.com/aws/amazon-ssm-agent/issues/38 for upstream fix.
fake-lsb-release = pkgs.writeScriptBin "lsb_release" ''
#!${pkgs.stdenv.shell}
case "$1" in
-i) echo "nixos";;
-r) echo "${config.system.nixosVersion}";;
esac
'';
in {
options.services.ssm-agent = {
enable = mkEnableOption "AWS SSM agent";
package = mkOption {
type = types.path;
description = "The SSM agent package to use";
default = pkgs.ssm-agent;
};
};
config = mkIf cfg.enable {
systemd.services.ssm-agent = {
inherit (cfg.package.meta) description;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ fake-lsb-release ];
serviceConfig = {
ExecStart = "${cfg.package.bin}/bin/agent";
KillMode = "process";
Restart = "on-failure";
RestartSec = "15min";
};
};
};
}
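Review bot: The `package` option is declared `type = types.path;` although it holds a derivation and is dereferenced as `cfg.package.bin` and `cfg.package.meta`; `types.package` is the accurate type and gives a clearer error when someone passes a plain path. The unit runs as root with no `User=`, which is inherent to an agent that executes commands sent from AWS Systems Manager, but that should be stated in the option description so administrators know what enabling it grants. Also, `RestartSec = "15min"` is a long outage window for a management agent after a crash.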

View file

@ -125,10 +125,10 @@ let
server.key = ${cfg.dataDir}/keys/server.key
server.crl = ${cfg.dataDir}/keys/server.crl
'' else ''
ca.cert = ${cfg.pki.ca.cert}
server.cert = ${cfg.pki.server.cert}
server.key = ${cfg.pki.server.key}
server.crl = ${cfg.pki.server.crl}
ca.cert = ${cfg.pki.manual.ca.cert}
server.cert = ${cfg.pki.manual.server.cert}
server.key = ${cfg.pki.manual.server.key}
server.crl = ${cfg.pki.manual.server.crl}
''}
'' + cfg.extraConfig);

View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ options, config, lib, pkgs, ... }:
with lib;
@ -232,9 +232,10 @@ in {
};
config = mkIf cfg.enable {
warnings = [
"Grafana passwords will be stored as plaintext in the Nix store!"
];
warnings = optional (
cfg.database.password != options.services.grafana.database.password.default ||
cfg.security.adminPassword != options.services.grafana.security.adminPassword.default
) "Grafana passwords will be stored as plaintext in the Nix store!";
environment.systemPackages = [ cfg.package ];
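Review bot: Making the warning conditional removes the noise for setups that never set a password, but it also silences the case that most deserves a warning: an installation left at the default `adminPassword` keeps the default credential and now gets no notice at all. Consider a second warning when `cfg.security.adminPassword` equals its option default, and keep the plaintext-in-store warning for the non-default case as written.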

View file

@ -0,0 +1,84 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) glusterfs;
cfg = config.services.glusterfs;
in
{
###### interface
options = {
services.glusterfs = {
enable = mkEnableOption "GlusterFS Daemon";
logLevel = mkOption {
type = types.enum ["DEBUG" "INFO" "WARNING" "ERROR" "CRITICAL" "TRACE" "NONE"];
description = "Log level used by the GlusterFS daemon";
default = "INFO";
};
extraFlags = mkOption {
type = types.listOf types.str;
description = "Extra flags passed to the GlusterFS daemon";
default = [];
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.glusterfs ];
services.rpcbind.enable = true;
systemd.services.glusterd = {
description = "GlusterFS, a clustered file-system server";
wantedBy = [ "multi-user.target" ];
requires = [ "rpcbind.service" ];
after = [ "rpcbind.service" "network.target" "local-fs.target" ];
before = [ "network-online.target" ];
preStart = ''
install -m 0755 -d /var/log/glusterfs
'';
serviceConfig = {
Type="forking";
PIDFile="/run/glusterd.pid";
LimitNOFILE=65536;
ExecStart="${glusterfs}/sbin/glusterd -p /run/glusterd.pid --log-level=${cfg.logLevel} ${toString cfg.extraFlags}";
KillMode="process";
};
};
systemd.services.glustereventsd = {
description = "Gluster Events Notifier";
wantedBy = [ "multi-user.target" ];
after = [ "syslog.target" "network.target" ];
serviceConfig = {
Type="simple";
Environment="PYTHONPATH=${glusterfs}/usr/lib/python2.7/site-packages";
PIDFile="/run/glustereventsd.pid";
ExecStart="${glusterfs}/sbin/glustereventsd --pid-file /run/glustereventsd.pid";
ExecReload="/bin/kill -SIGUSR2 $MAINPID";
KillMode="control-group";
};
};
};
}
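Review bot: `ExecReload="/bin/kill -SIGUSR2 $MAINPID"` fails on NixOS, which ships no `/bin/kill`; use `${pkgs.coreutils}/bin/kill`. In the same unit, `Type="simple"` together with `PIDFile=` is contradictory (PIDFile only matters for forking services), and `after = [ "syslog.target" "network.target" ]` names a target modern systemd no longer provides. Both daemons run as root with no sandboxing, which is expected for a clustered file-system server but should be noted in the commit message.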

View file

@ -104,30 +104,72 @@ in
};
};
systemd.services.ipfs = {
description = "IPFS Daemon";
systemd.services.ipfs-init = {
description = "IPFS Initializer";
after = [ "local-fs.target" ];
before = [ "ipfs.service" "ipfs-offline.service" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "local-fs.target" ];
path = [ pkgs.ipfs pkgs.su pkgs.bash ];
preStart = ''
install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}
'';
script = ''
if [[ ! -d ${cfg.dataDir}/.ipfs ]]; then
cd ${cfg.dataDir}
${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c \
"${ipfs}/bin/ipfs init ${if cfg.emptyRepo then "-e" else ""}"
${ipfs}/bin/ipfs init ${optionalString cfg.emptyRepo "-e"}
fi
${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c \
"${ipfs}/bin/ipfs --local config Addresses.API ${cfg.apiAddress} && \
${ipfs}/bin/ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}"
${ipfs}/bin/ipfs --local config Addresses.API ${cfg.apiAddress}
${ipfs}/bin/ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}
'';
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "oneshot";
RemainAfterExit = true;
PermissionsStartOnly = true;
};
};
systemd.services.ipfs = {
description = "IPFS Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "local-fs.target" "ipfs-init.service" ];
conflicts = [ "ipfs-offline.service" ];
wants = [ "ipfs-init.service" ];
path = [ pkgs.ipfs ];
serviceConfig = {
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags}";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
Restart = "on-failure";
RestartSec = 1;
};
};
systemd.services.ipfs-offline = {
description = "IPFS Daemon (offline mode)";
after = [ "local-fs.target" "ipfs-init.service" ];
conflicts = [ "ipfs.service" ];
wants = [ "ipfs-init.service" ];
path = [ pkgs.ipfs ];
serviceConfig = {
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags} --offline";
User = cfg.user;
Group = cfg.group;
Restart = "on-failure";
RestartSec = 1;
};
};
};
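Review bot: Running `ipfs init` as `cfg.user` directly instead of through `su` is cleaner, but two leftovers remain: `PermissionsStartOnly = true;` in `systemd.services.ipfs` no longer has a preStart to apply to and can go, and `ipfs-offline` has no `wantedBy`, so it is only ever started by hand; if that is intended, the option documentation should say so. Note also that ipfs-init rewrites `Addresses.API` and `Addresses.Gateway` on every boot, so changes made with `ipfs config` are overwritten; acceptable for a declarative module, but worth documenting.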

View file

@ -20,6 +20,7 @@ in
server = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the kernel's NFS server.
@ -27,6 +28,7 @@ in
};
exports = mkOption {
type = types.lines;
default = "";
description = ''
Contents of the /etc/exports file. See
@ -36,6 +38,7 @@ in
};
hostName = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Hostname or address on which NFS requests will be accepted.
@ -46,6 +49,7 @@ in
};
nproc = mkOption {
type = types.int;
default = 8;
description = ''
Number of NFS server threads. Defaults to the recommended value of 8.
@ -53,11 +57,13 @@ in
};
createMountPoints = mkOption {
type = types.bool;
default = false;
description = "Whether to create the mount points in the exports file at startup time.";
};
mountdPort = mkOption {
type = types.nullOr types.int;
default = null;
example = 4002;
description = ''
@ -66,11 +72,26 @@ in
};
lockdPort = mkOption {
default = 0;
type = types.nullOr types.int;
default = null;
example = 4001;
description = ''
Fix the lockd port number. This can help setting firewall rules for NFS.
Use a fixed port for the NFS lock manager kernel module
(<literal>lockd/nlockmgr</literal>). This is useful if the
NFS server is behind a firewall.
'';
};
statdPort = mkOption {
type = types.nullOr types.int;
default = null;
example = 4000;
description = ''
Use a fixed port for <command>rpc.statd</command>. This is
useful if the NFS server is behind a firewall.
'';
};
};
};
@ -82,60 +103,47 @@ in
config = mkIf cfg.enable {
services.nfs.extraConfig = ''
[nfsd]
threads=${toString cfg.nproc}
${optionalString (cfg.hostName != null) "host=${cfg.hostName}"}
[mountd]
${optionalString (cfg.mountdPort != null) "port=${toString cfg.mountdPort}"}
[statd]
${optionalString (cfg.statdPort != null) "port=${toString cfg.statdPort}"}
[lockd]
${optionalString (cfg.lockdPort != null) ''
port=${toString cfg.lockdPort}
udp-port=${toString cfg.lockdPort}
''}
'';
services.rpcbind.enable = true;
boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd
environment.systemPackages = [ pkgs.nfs-utils ];
environment.etc.exports.source = exports;
boot.kernelModules = [ "nfsd" ];
systemd.services.nfsd =
{ description = "NFS Server";
systemd.services.nfs-server =
{ enable = true;
wantedBy = [ "multi-user.target" ];
requires = [ "rpcbind.service" "mountd.service" ];
after = [ "rpcbind.service" "mountd.service" "idmapd.service" ];
before = [ "statd.service" ];
path = [ pkgs.nfs-utils ];
script =
preStart =
''
# Create a state directory required by NFSv4.
mkdir -p /var/lib/nfs/v4recovery
${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_tcpport=${builtins.toString cfg.lockdPort}
${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_udpport=${builtins.toString cfg.lockdPort}
rpc.nfsd \
${if cfg.hostName != null then "-H ${cfg.hostName}" else ""} \
${builtins.toString cfg.nproc}
'';
postStop = "rpc.nfsd 0";
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
};
systemd.services.mountd =
{ description = "NFSv3 Mount Daemon";
requires = [ "rpcbind.service" ];
after = [ "rpcbind.service" "local-fs.target" ];
path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
systemd.services.nfs-mountd =
{ enable = true;
restartTriggers = [ exports ];
preStart =
''
mkdir -p /var/lib/nfs
touch /var/lib/nfs/rmtab
mountpoint -q /proc/fs/nfsd || mount -t nfsd none /proc/fs/nfsd
${optionalString cfg.createMountPoints
''
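Review bot: The `sysctl -w fs.nfs.nlm_tcpport`/`nlm_udpport` lines that pinned the lockd port are removed in favour of the `[lockd]` section in `services.nfs.extraConfig`; that only works if the nfs-utils in this tree reads `/etc/nfs.conf` and applies the lockd ports itself, otherwise `lockdPort` silently becomes a no-op and firewall rules built around it stop matching. Please confirm the nfs-utils version and state it in the commit message. Setting both `port=` and `udp-port=` from `cfg.lockdPort` does match the previous behaviour.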
@ -146,18 +154,7 @@ in
| xargs -d '\n' mkdir -p
''
}
exportfs -rav
'';
restartTriggers = [ exports ];
serviceConfig.Type = "forking";
serviceConfig.ExecStart = ''
@${pkgs.nfs-utils}/sbin/rpc.mountd rpc.mountd \
${if cfg.mountdPort != null then "-p ${toString cfg.mountdPort}" else ""}
'';
serviceConfig.Restart = "always";
};
};
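Review bot: `exportfs -rav` is dropped from the mountd preStart while `restartTriggers = [ exports ]` is kept, so after an exports change the unit restarts but nothing in this file re-exports; that now has to come from the upstream nfs-utils units this module turns on with `enable = true`. Confirm that the packaged nfs-server/nfs-mountd units run `exportfs -r` on start, otherwise edits to `services.nfs.server.exports` are not applied until a reboot.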

View file

@ -17,7 +17,7 @@ let
allConfFiles =
cfg.confFiles //
builtins.listToAttrs (map (x: { name = x;
value = builtins.readFile (pkgs.asterisk + "/etc/asterisk/" + x); })
value = builtins.readFile (cfg.package + "/etc/asterisk/" + x); })
defaultConfFiles);
asteriskEtc = pkgs.stdenv.mkDerivation
@ -38,7 +38,7 @@ let
asteriskConf = ''
[directories]
astetcdir => /etc/asterisk
astmoddir => ${pkgs.asterisk}/lib/asterisk/modules
astmoddir => ${cfg.package}/lib/asterisk/modules
astvarlibdir => /var/lib/asterisk
astdbdir => /var/lib/asterisk
astkeydir => /var/lib/asterisk
@ -47,7 +47,7 @@ let
astspooldir => /var/spool/asterisk
astrundir => /var/run/asterisk
astlogdir => /var/log/asterisk
astsbindir => ${pkgs.asterisk}/sbin
astsbindir => ${cfg.package}/sbin
'';
extraConf = cfg.extraConfig;
@ -197,11 +197,17 @@ in
Additional command line arguments to pass to Asterisk.
'';
};
package = mkOption {
type = types.package;
default = pkgs.asterisk;
defaultText = "pkgs.asterisk";
description = "The Asterisk package to use.";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.asterisk ];
environment.systemPackages = [ cfg.package ];
environment.etc.asterisk.source = asteriskEtc;
@ -234,7 +240,7 @@ in
# TODO: Make exceptions for /var directories that likely should be updated
if [ ! -e "$d" ]; then
mkdir -p "$d"
cp --recursive ${pkgs.asterisk}/"$d"/* "$d"/
cp --recursive ${cfg.package}/"$d"/* "$d"/
chown --recursive ${asteriskUser}:${asteriskGroup} "$d"
find "$d" -type d | xargs chmod 0755
fi
@ -247,8 +253,8 @@ in
# FIXME: This doesn't account for arguments with spaces
argString = concatStringsSep " " cfg.extraArguments;
in
"${pkgs.asterisk}/bin/asterisk -U ${asteriskUser} -C /etc/asterisk/asterisk.conf ${argString} -F";
ExecReload = ''${pkgs.asterisk}/bin/asterisk -x "core reload"
"${cfg.package}/bin/asterisk -U ${asteriskUser} -C /etc/asterisk/asterisk.conf ${argString} -F";
ExecReload = ''${cfg.package}/bin/asterisk -x "core reload"
'';
Type = "forking";
PIDFile = "/var/run/asterisk/asterisk.pid";

View file

@ -12,6 +12,25 @@ let
cfg = config.services.chrony;
configFile = pkgs.writeText "chrony.conf" ''
${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
${optionalString
cfg.initstepslew.enabled
"initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
}
driftfile ${stateDir}/chrony.drift
keyfile ${keyFile}
${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
${cfg.extraConfig}
'';
chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
in
{
@ -58,6 +77,13 @@ in
<literal>chrony.conf</literal>
'';
};
extraFlags = mkOption {
default = [];
example = [ "-s" ];
type = types.listOf types.str;
description = "Extra flags passed to the chronyd command.";
};
};
};
@ -70,25 +96,6 @@ in
# Make chronyc available in the system path
environment.systemPackages = [ pkgs.chrony ];
environment.etc."chrony.conf".text =
''
${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
${optionalString
cfg.initstepslew.enabled
"initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
}
driftfile ${stateDir}/chrony.drift
keyfile ${keyFile}
generatecommandkey
${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
${cfg.extraConfig}
'';
users.extraGroups = singleton
{ name = "chrony";
gid = config.ids.gids.chrony;
@ -124,7 +131,7 @@ in
'';
serviceConfig =
{ ExecStart = "${pkgs.chrony}/bin/chronyd -n -m -u chrony";
{ ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
};
};
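Review bot: Two behaviour changes hide inside this refactor: `generatecommandkey` disappears from the generated config, so chronyd no longer creates a command key in `${keyFile}`, and the configuration moves from `/etc/chrony.conf` into a store path passed with `-f`. The first is right for chrony 3.x, where the directive was removed and chronyc authenticates over the Unix socket instead, but the commit message should say which chrony version this targets; the second means `cfg.extraConfig` is now world-readable in the Nix store, so the option description should warn against putting secrets there (keys belong in the keyfile). Minor: `${toString cfg.extraFlags}` joins the list with spaces, so each flag and its argument must be separate entries.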

View file

@ -258,9 +258,8 @@ in
Restart = "always";
StartLimitInterval = 0;
RestartSec = 1;
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
ProtectSystem = "full";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";
ProtectSystem = true;
MemoryDenyWriteExecute = true;
ProtectHome = true;
PrivateTmp = true;
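Review bot: This is a privilege regression that needs justification in the commit message: `ProtectSystem = "full"` (read-only /usr, /boot and /etc) becomes `ProtectSystem = true` (only /usr and /boot), `AmbientCapabilities` is removed, and `CAP_SETUID` is added to the bounding set. Dropping AmbientCapabilities only makes sense if the service now starts as root and drops privileges itself, which is what CAP_SETUID enables, but then every capability root holds is live until the drop. If the daemon can no longer run under an unprivileged `User=`, say why, and keep `ProtectSystem = "full"` unless it actually writes to /etc.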

View file

@ -3,23 +3,28 @@
with lib;
let
cfg = config.services;
cfgs = config.services;
cfg = cfgs.dnschain;
dnschainConf = pkgs.writeText "dnschain.conf" ''
dataDir = "/var/lib/dnschain";
username = "dnschain";
configFile = pkgs.writeText "dnschain.conf" ''
[log]
level=info
level = info
[dns]
host = 127.0.0.1
port = 5333
host = ${cfg.dns.address}
port = ${toString cfg.dns.port}
oldDNSMethod = NO_OLD_DNS
# TODO: check what that address is acutally used for
externalIP = 127.0.0.1
externalIP = ${cfg.dns.address}
[http]
host = 127.0.0.1
port=8088
tlsPort=4443
host = ${cfg.api.hostname}
port = ${toString cfg.api.port}
tlsPort = ${toString cfg.api.tlsPort}
${cfg.extraConfig}
'';
in
@ -32,28 +37,81 @@ in
services.dnschain = {
enable = mkOption {
type = types.bool;
default = false;
enable = mkEnableOption ''
DNSChain, a blockchain based DNS + HTTP server.
To resolve .bit domains set <literal>services.namecoind.enable = true;</literal>
and an RPC username/password.
'';
dns.address = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Whether to run dnschain. That implies running
namecoind as well, so make sure to configure
it appropriately.
The IP address that will be used to reach this machine.
Leave this unchanged if you do not wish to directly expose the DNSChain resolver.
'';
};
dns.port = mkOption {
type = types.int;
default = 5333;
description = ''
The port the DNSChain resolver will bind to.
'';
};
api.hostname = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
The hostname (or IP address) the DNSChain API server will bind to.
'';
};
api.port = mkOption {
type = types.int;
default = 8080;
description = ''
The port the DNSChain API server (HTTP) will bind to.
'';
};
api.tlsPort = mkOption {
type = types.int;
default = 4433;
description = ''
The port the DNSChain API server (HTTPS) will bind to.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = ''
[log]
level = debug
'';
description = ''
Additional options that will be appended to the configuration file.
'';
};
};
services.dnsmasq = {
resolveDnschainQueries = mkOption {
type = types.bool;
default = false;
description = ''
Resolve <literal>.bit</literal> top-level domains
with dnschain and namecoind.
'';
};
services.dnsmasq.resolveDNSChainQueries = mkOption {
type = types.bool;
default = false;
description = ''
Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
'';
};
services.pdns-recursor.resolveDNSChainQueries = mkOption {
type = types.bool;
default = false;
description = ''
Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
'';
};
};
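Review bot: `api.hostname` defaults to `"0.0.0.0"` while `dns.address` defaults to `"127.0.0.1"`, so enabling the module exposes the DNSChain HTTP and HTTPS API on every interface by default, even though the `dns.address` description explicitly assumes the resolver is not directly exposed. Default the API to `127.0.0.1` too and let users opt in. Style: `mkEnableOption` prefixes "Whether to enable", so its multi-line description here should read as a noun phrase; the resolver setup advice belongs in the option's longer documentation.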
@ -61,48 +119,47 @@ in
###### implementation
config = mkIf cfg.dnschain.enable {
config = mkIf cfg.enable {
services.namecoind.enable = true;
services.dnsmasq.servers = optionals cfgs.dnsmasq.resolveDNSChainQueries
[ "/.bit/127.0.0.1#${toString cfg.dns.port}"
"/.dns/127.0.0.1#${toString cfg.dns.port}"
];
services.dnsmasq.servers = optionals cfg.dnsmasq.resolveDnschainQueries [ "/.bit/127.0.0.1#5333" ];
users.extraUsers = singleton
{ name = "dnschain";
uid = config.ids.uids.dnschain;
extraGroups = [ "namecoin" ];
description = "Dnschain daemon user";
home = "/var/lib/dnschain";
createHome = true;
services.pdns-recursor.forwardZones = mkIf cfgs.pdns-recursor.resolveDNSChainQueries
{ bit = "127.0.0.1:${toString cfg.dns.port}";
dns = "127.0.0.1:${toString cfg.dns.port}";
};
systemd.services.dnschain = {
description = "Dnschain Daemon";
after = [ "namecoind.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.openssl ];
preStart = ''
# Link configuration file into dnschain HOME directory
if [ "$(${pkgs.coreutils}/bin/realpath /var/lib/dnschain/.dnschain.conf)" != "${dnschainConf}" ]; then
rm -rf /var/lib/dnschain/.dnschain.conf
ln -s ${dnschainConf} /var/lib/dnschain/.dnschain.conf
fi
users.extraUsers = singleton {
name = username;
description = "DNSChain daemon user";
home = dataDir;
createHome = true;
uid = config.ids.uids.dnschain;
extraGroups = optional cfgs.namecoind.enable "namecoin";
};
# Create empty namecoin.conf so that dnschain is not
# searching for /etc/namecoin/namecoin.conf
if [ ! -e /var/lib/dnschain/.namecoin/namecoin.conf ]; then
mkdir -p /var/lib/dnschain/.namecoin
touch /var/lib/dnschain/.namecoin/namecoin.conf
fi
'';
serviceConfig = {
Type = "simple";
User = "dnschain";
EnvironmentFile = config.services.namecoind.userFile;
ExecStart = "${pkgs.dnschain}/bin/dnschain --rpcuser=\${USER} --rpcpassword=\${PASSWORD} --rpcport=8336";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
};
systemd.services.dnschain = {
description = "DNSChain daemon";
after = optional cfgs.namecoind.enable "namecoind.target";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "dnschain";
Restart = "on-failure";
ExecStart = "${pkgs.dnschain}/bin/dnschain";
};
preStart = ''
# Link configuration file into dnschain home directory
configPath=${dataDir}/.dnschain/dnschain.conf
mkdir -p ${dataDir}/.dnschain
if [ "$(realpath $configPath)" != "${configFile}" ]; then
rm -f $configPath
ln -s ${configFile} $configPath
fi
'';
};
};
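Review bot: `after = optional cfgs.namecoind.enable "namecoind.target"` (like the `"namecoind.target"` it replaces) orders on a target unit, but the namecoind module in this same commit only defines `systemd.services.namecoind`, i.e. `namecoind.service`, so the ordering is a silent no-op and dnschain can start before namecoind's RPC is listening; suggest `after = optional cfgs.namecoind.enable "namecoind.service";` with a matching `wants`. Also worth stating in the module: `preStart` symlinks `${configFile}` from the Nix store into `${dataDir}/.dnschain/dnschain.conf`, so everything merged into that file is world-readable on the host, and the namecoind hunk further down feeds it a store-path `namecoin.conf` via `services.dnschain.extraConfig` that carries the RPC password.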

View file

@ -38,9 +38,9 @@ let
cfg = config.networking.firewall;
kernelPackages = config.boot.kernelPackages;
inherit (config.boot.kernelPackages) kernel;
kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false;
kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);
helpers =
''
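Review bot: the `or (x: false)` fallback in the new `kernelHasRPFilter` means a kernel package whose `kernel.config` has no `isEnabled` is silently treated as lacking rpfilter, so the reverse-path filtering rules this flag guards are quietly dropped instead of the build failing; if that downgrade is intended, a `warnings` entry (or at least a comment) saying that rpfilter was disabled for this kernel would make it visible to the operator.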

View file

@ -8,7 +8,7 @@ let
homeDir = "/var/lib/i2pd";
extip = "EXTIP=\$(${pkgs.curl.bin}/bin/curl -sf \"http://jsonip.com\" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')";
extip = "EXTIP=\$(${pkgs.curl.bin}/bin/curl -sLf \"http://jsonip.com\" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')";
toYesNo = b: if b then "true" else "false";
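Review bot: adding `-L` makes curl follow redirects, but the lookup is still plain `http://jsonip.com`, so the address i2pd announces as `EXTIP` is whatever the unauthenticated response, or any redirect target, says; prefer `https://` if the service offers it. The `awk -F'"' '{print $4}'` extraction also returns an empty or arbitrary string on any error page, so the result should be validated as an IP address before it is used.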

View file

@ -102,7 +102,7 @@ in
serviceConfig = {
Type = "simple";
Restart = "always";
EnvironmentFile = "${pkgs.libreswan}/etc/sysconfig/pluto";
EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";
ExecStartPre = [
"${libexec}/addconn --config ${configFile} --checkconfig"
"${libexec}/_stackmanager start"

View file

@ -3,25 +3,35 @@
with lib;
let
cfg = config.services.namecoind;
cfg = config.services.namecoind;
dataDir = "/var/lib/namecoind";
useSSL = (cfg.rpc.certificate != null) && (cfg.rpc.key != null);
useRPC = (cfg.rpc.user != null) && (cfg.rpc.password != null);
namecoinConf =
let
useSSL = (cfg.rpcCertificate != null) && (cfg.rpcKey != null);
in
pkgs.writeText "namecoin.conf" ''
listToConf = option: list:
concatMapStrings (value :"${option}=${value}\n") list;
configFile = pkgs.writeText "namecoin.conf" (''
server=1
daemon=0
rpcallowip=127.0.0.1
walletpath=${cfg.wallet}
gen=${if cfg.generate then "1" else "0"}
rpcssl=${if useSSL then "1" else "0"}
${optionalString useSSL "rpcsslcertificatechainfile=${cfg.rpcCertificate}"}
${optionalString useSSL "rpcsslprivatekeyfile=${cfg.rpcKey}"}
${optionalString useSSL "rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH"}
txindex=1
txprevcache=1
'';
walletpath=${cfg.wallet}
gen=${if cfg.generate then "1" else "0"}
${listToConf "addnode" cfg.extraNodes}
${listToConf "connect" cfg.trustedNodes}
'' + optionalString useRPC ''
rpcbind=${cfg.rpc.address}
rpcport=${toString cfg.rpc.port}
rpcuser=${cfg.rpc.user}
rpcpassword=${cfg.rpc.password}
${listToConf "rpcallowip" cfg.rpc.allowFrom}
'' + optionalString useSSL ''
rpcssl=1
rpcsslcertificatechainfile=${cfg.rpc.certificate}
rpcsslprivatekeyfile=${cfg.rpc.key}
rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH
'');
in
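Review bot: `configFile` is produced with `pkgs.writeText`, so `rpcuser=${cfg.rpc.user}` and `rpcpassword=${cfg.rpc.password}` now land in a world-readable path under `/nix/store`; the `userFile` mechanism this replaces (an `EnvironmentFile` whose 0640 permissions were checked in `preStart`) kept the RPC credentials out of the store, and the change drops that property without saying so. Suggest keeping the credentials in a runtime file (read through `EnvironmentFile` and passed as `-rpcuser`/`-rpcpassword`, as before) or at minimum documenting the exposure on `rpc.password`, as the redsocks module in this same commit does for its `password` option.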
@ -33,40 +43,17 @@ in
services.namecoind = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to run namecoind.
'';
};
enable = mkEnableOption "namecoind, Namecoin client.";
wallet = mkOption {
type = types.path;
example = "/etc/namecoin/wallet.dat";
default = "${dataDir}/wallet.dat";
description = ''
Wallet file. The ownership of the file has to be
namecoin:namecoin, and the permissions must be 0640.
'';
};
userFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/etc/namecoin/user";
description = ''
File containing the user name and user password to
authenticate RPC connections to namecoind.
The content of the file is of the form:
<literal>
USER=namecoin
PASSWORD=secret
</literal>
The ownership of the file has to be namecoin:namecoin,
and the permissions must be 0640.
'';
};
generate = mkOption {
type = types.bool;
default = false;
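Review bot: `mkEnableOption "namecoind, Namecoin client."` ends with a period and `mkEnableOption` appends its own, producing "Whether to enable namecoind, Namecoin client.." in the manual; drop the trailing period. The `userFile` option is also removed outright here, so any existing configuration that sets `services.namecoind.userFile` fails evaluation with a bare undefined-option error; a `mkRemovedOptionModule` entry in the module's `imports` pointing at the new `rpc.user`/`rpc.password` options would be kinder.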
@ -75,24 +62,83 @@ in
'';
};
rpcCertificate = mkOption {
extraNodes = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
List of additional peer IP addresses to connect to.
'';
};
trustedNodes = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
List of the only peer IP addresses to connect to. If specified
no other connection will be made.
'';
};
rpc.user = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
User name for RPC connections.
'';
};
rpc.password = mkOption {
type = types.str;
default = null;
description = ''
Password for RPC connections.
'';
};
rpc.address = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
IP address the RPC server will bind to.
'';
};
rpc.port = mkOption {
type = types.int;
default = 8332;
description = ''
Port the RPC server will bind to.
'';
};
rpc.certificate = mkOption {
type = types.nullOr types.path;
default = null;
example = "/etc/namecoin/server.cert";
example = "/var/lib/namecoind/server.cert";
description = ''
Certificate file for securing RPC connections.
'';
};
rpcKey = mkOption {
rpc.key = mkOption {
type = types.nullOr types.path;
default = null;
example = "/etc/namecoin/server.pem";
example = "/var/lib/namecoind/server.pem";
description = ''
Key file for securing RPC connections.
'';
};
rpc.allowFrom = mkOption {
type = types.listOf types.str;
default = [ "127.0.0.1" ];
description = ''
List of IP address ranges allowed to use the RPC API.
Wiledcards (*) can be user to specify a range.
'';
};
};
};
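Review bot: `rpc.password` is declared `type = types.str` with `default = null`, which is not a value of that type, whereas `rpc.user` correctly uses `types.nullOr types.str`; since `useRPC` evaluates `cfg.rpc.password != null`, a configuration that leaves the password unset fails the option type check instead of simply running without RPC. Change it to `type = types.nullOr types.str;`. Two smaller points: `rpc.address` now defaults to `"0.0.0.0"` where the old config hard-coded `rpcallowip=127.0.0.1`, so the RPC listener is reachable on every interface by default with only `rpc.allowFrom` as a filter (a `127.0.0.1` default keeps the previous posture), and the `rpc.allowFrom` description has a typo: "Wiledcards (*) can be user" should read "Wildcards (*) can be used".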
@ -102,47 +148,54 @@ in
config = mkIf cfg.enable {
users.extraUsers = singleton
{ name = "namecoin";
uid = config.ids.uids.namecoin;
description = "Namecoin daemon user";
home = "/var/lib/namecoin";
createHome = true;
};
services.dnschain.extraConfig = ''
[namecoin]
config = ${configFile}
'';
users.extraGroups = singleton
{ name = "namecoin";
gid = config.ids.gids.namecoin;
};
users.extraUsers = singleton {
name = "namecoin";
uid = config.ids.uids.namecoin;
description = "Namecoin daemon user";
home = dataDir;
createHome = true;
};
users.extraGroups = singleton {
name = "namecoin";
gid = config.ids.gids.namecoin;
};
systemd.services.namecoind = {
description = "Namecoind Daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
if [ "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \
-o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \
-o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then
echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2
exit 1
fi
if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \
-o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \
-o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then
echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2
exit 1
fi
'';
serviceConfig = {
Type = "simple";
User = "namecoin";
EnvironmentFile = cfg.userFile;
ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${namecoinConf} -rpcuser=\${USER} -rpcpassword=\${PASSWORD} -printtoconsole";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
StandardOutput = "null";
Nice = "10";
};
description = "Namecoind daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "namecoin";
Griup = "namecoin";
ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole";
ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Nice = "10";
PrivateTmp = true;
TimeoutStopSec = "60s";
TimeoutStartSec = "2s";
Restart = "always";
StartLimitInterval = "120s";
StartLimitBurst = "5";
};
preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat") ''
# check wallet file permissions
if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \
-o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \
-o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then
echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2
exit 1
fi
'';
};
};
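Review bot: `Griup = "namecoin";` in `serviceConfig` is a typo for `Group`; systemd logs an unknown-key warning and ignores it, so namecoind runs under the `namecoin` user's primary group rather than the `namecoin` group this line intends. Also note that the wallet ownership check in `preStart` is now skipped for the default wallet path, and that `services.dnschain.extraConfig` hands dnschain the store-path `namecoin.conf`, which is the same file that carries the RPC password.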

View file

@ -8,7 +8,7 @@ let
homeDir = "/var/lib/nylon";
configFile = pkgs.writeText "nylon.conf" ''
configFile = cfg: pkgs.writeText "nylon-${cfg.name}.conf" ''
[General]
No-Simultaneous-Conn=${toString cfg.nrConnections}
Log=${if cfg.logging then "1" else "0"}
@ -22,15 +22,9 @@ let
Deny-IP=${concatStringsSep " " cfg.deniedIPRanges}
'';
in
nylonOpts = { name, config, ... }: {
{
###### interface
options = {
services.nylon = {
options = {
enable = mkOption {
type = types.bool;
@ -40,6 +34,12 @@ in
'';
};
name = mkOption {
type = types.str;
default = "";
description = "The name of this nylon instance.";
};
nrConnections = mkOption {
type = types.int;
default = 10;
@ -107,13 +107,51 @@ in
'';
};
};
config = { name = mkDefault name; };
};
mkNamedNylon = cfg: {
"nylon-${cfg.name}" = {
description = "Nylon, a lightweight SOCKS proxy server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
User = "nylon";
Group = "nylon";
WorkingDirectory = homeDir;
ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile cfg}";
};
};
};
anyNylons = collect (p: p ? enable) cfg;
enabledNylons = filter (p: p.enable == true) anyNylons;
nylonUnits = map (nylon: mkNamedNylon nylon) enabledNylons;
in
{
###### interface
options = {
services.nylon = mkOption {
default = {};
description = "Collection of named nylon instances";
type = with types; loaOf (submodule nylonOpts);
internal = true;
options = [ nylonOpts ];
};
};
###### implementation
config = mkIf cfg.enable {
config = mkIf (length(enabledNylons) > 0) {
users.extraUsers.nylon= {
users.extraUsers.nylon = {
group = "nylon";
description = "Nylon SOCKS Proxy";
home = homeDir;
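Review bot: in the new `services.nylon` option, `options = [ nylonOpts ];` is not an attribute `mkOption` acts on (the submodule is already supplied through `type = with types; loaOf (submodule nylonOpts)`), so it is dead and should be dropped, and `internal = true;` hides the entire user-facing option set from the manual; remove it unless that is deliberate. The `description` should also say that the attribute name becomes the instance name (via `config = { name = mkDefault name; }`) and thus the unit name `nylon-<name>`.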
@ -123,17 +161,7 @@ in
users.extraGroups.nylon.gid = config.ids.gids.nylon;
systemd.services.nylon = {
description = "Nylon, a lightweight SOCKS proxy server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig =
{
User = "nylon";
Group = "nylon";
WorkingDirectory = homeDir;
ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile}";
};
};
systemd.services = fold (a: b: a // b) {} nylonUnits;
};
}

View file

@ -25,12 +25,12 @@ in
package = mkOption {
type = types.package;
default = pkgs.kde4.quasselDaemon;
defaultText = "pkgs.kde4.quasselDaemon";
default = pkgs.quasselDaemon_qt5;
defaultText = "pkgs.quasselDaemon_qt5";
description = ''
The package of the quassel daemon.
'';
example = literalExample "pkgs.quasselDaemon";
example = literalExample "pkgs.quasselDaemon_qt5";
};
interfaces = mkOption {

View file

@ -0,0 +1,270 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.redsocks;
in
{
##### interface
options = {
services.redsocks = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable redsocks.";
};
log_debug = mkOption {
type = types.bool;
default = false;
description = "Log connection progress.";
};
log_info = mkOption {
type = types.bool;
default = false;
description = "Log start and end of client sessions.";
};
log = mkOption {
type = types.str;
default = "stderr";
description =
''
Where to send logs.
Possible values are:
- stderr
- file:/path/to/file
- syslog:FACILITY where FACILITY is any of "daemon", "local0",
etc.
'';
};
chroot = mkOption {
type = with types; nullOr str;
default = null;
description =
''
Chroot under which to run redsocks. Log file is opened before
chroot, but if logging to syslog /etc/localtime may be required.
'';
};
redsocks = mkOption {
description =
''
Local port to proxy associations to be performed.
The example shows how to configure a proxy to handle port 80 as HTTP
relay, and all other ports as HTTP connect.
'';
example = [
{ port = 23456; proxy = "1.2.3.4:8080"; type = "http-relay";
redirectCondition = "--dport 80";
doNotRedirect = [ "-d 1.2.0.0/16" ];
}
{ port = 23457; proxy = "1.2.3.4:8080"; type = "http-connect";
redirectCondition = true;
doNotRedirect = [ "-d 1.2.0.0/16" ];
}
];
type = types.listOf (types.submodule { options = {
ip = mkOption {
type = types.str;
default = "127.0.0.1";
description =
''
IP on which redsocks should listen. Defaults to 127.0.0.1 for
security reasons.
'';
};
port = mkOption {
type = types.int;
default = 12345;
description = "Port on which redsocks should listen.";
};
proxy = mkOption {
type = types.str;
description =
''
Proxy through which redsocks should forward incoming traffic.
Example: "example.org:8080"
'';
};
type = mkOption {
type = types.enum [ "socks4" "socks5" "http-connect" "http-relay" ];
description = "Type of proxy.";
};
login = mkOption {
type = with types; nullOr str;
default = null;
description = "Login to send to proxy.";
};
password = mkOption {
type = with types; nullOr str;
default = null;
description =
''
Password to send to proxy. WARNING, this will end up
world-readable in the store! Awaiting
https://github.com/NixOS/nix/issues/8 to be able to fix.
'';
};
disclose_src = mkOption {
type = types.enum [ "false" "X-Forwarded-For" "Forwarded_ip"
"Forwarded_ipport" ];
default = "false";
description =
''
Way to disclose client IP to the proxy.
- "false": do not disclose
http-connect supports the following ways:
- "X-Forwarded-For": add header "X-Forwarded-For: IP"
- "Forwarded_ip": add header "Forwarded: for=IP" (see RFC7239)
- "Forwarded_ipport": add header 'Forwarded: for="IP:port"'
'';
};
redirectInternetOnly = mkOption {
type = types.bool;
default = true;
description = "Exclude all non-globally-routable IPs from redsocks";
};
doNotRedirect = mkOption {
type = with types; listOf str;
default = [];
description =
''
Iptables filters that if matched will get the packet off of
redsocks.
'';
example = [ "-d 1.2.3.4" ];
};
redirectCondition = mkOption {
type = with types; either bool str;
default = false;
description =
''
Conditions to make outbound packets go through this redsocks
instance.
If set to false, no packet will be forwarded. If set to true,
all packets will be forwarded (except packets excluded by
redirectInternetOnly).
If set to a string, this is an iptables filter that will be
matched against packets before getting them into redsocks. For
example, setting it to "--dport 80" will only send
packets to port 80 to redsocks. Note "-p tcp" is always
implicitly added, as udp can only be proxied through redudp or
the like.
'';
};
};});
};
# TODO: Add support for redudp and dnstc
};
};
##### implementation
config = let
redsocks_blocks = concatMapStrings (block:
let proxy = splitString ":" block.proxy; in
''
redsocks {
local_ip = ${block.ip};
local_port = ${toString block.port};
ip = ${elemAt proxy 0};
port = ${elemAt proxy 1};
type = ${block.type};
${optionalString (block.login != null) "login = \"${block.login}\";"}
${optionalString (block.password != null) "password = \"${block.password}\";"}
disclose_src = ${block.disclose_src};
}
'') cfg.redsocks;
configfile = pkgs.writeText "redsocks.conf"
''
base {
log_debug = ${if cfg.log_debug then "on" else "off" };
log_info = ${if cfg.log_info then "on" else "off" };
log = ${cfg.log};
daemon = off;
redirector = iptables;
user = redsocks;
group = redsocks;
${optionalString (cfg.chroot != null) "chroot = ${cfg.chroot};"}
}
${redsocks_blocks}
'';
internetOnly = [ # TODO: add ipv6-equivalent
"-d 0.0.0.0/8"
"-d 10.0.0.0/8"
"-d 127.0.0.0/8"
"-d 169.254.0.0/16"
"-d 172.16.0.0/12"
"-d 192.168.0.0/16"
"-d 224.168.0.0/4"
"-d 240.168.0.0/4"
];
redCond = block:
optionalString (isString block.redirectCondition) block.redirectCondition;
iptables = concatImapStrings (idx: block:
let chain = "REDSOCKS${toString idx}"; doNotRedirect =
concatMapStringsSep "\n"
(f: "ip46tables -t nat -A ${chain} ${f} -j RETURN 2>/dev/null || true")
(block.doNotRedirect ++ (optionals block.redirectInternetOnly internetOnly));
in
optionalString (block.redirectCondition != false)
''
ip46tables -t nat -F ${chain} 2>/dev/null || true
ip46tables -t nat -N ${chain} 2>/dev/null || true
${doNotRedirect}
ip46tables -t nat -A ${chain} -p tcp -j REDIRECT --to-ports ${toString block.port}
# TODO: show errors, when it will be easily possible by a switch to
# iptables-restore
ip46tables -t nat -A OUTPUT -p tcp ${redCond block} -j ${chain} 2>/dev/null || true
''
) cfg.redsocks;
in
mkIf cfg.enable {
users.groups.redsocks = {};
users.users.redsocks = {
description = "Redsocks daemon";
group = "redsocks";
isSystemUser = true;
};
systemd.services.redsocks = {
description = "Redsocks";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.redsocks}/bin/redsocks -c ${configfile}";
};
networking.firewall.extraCommands = iptables;
networking.firewall.extraStopCommands =
concatImapStringsSep "\n" (idx: block:
let chain = "REDSOCKS${toString idx}"; in
optionalString (block.redirectCondition != false)
"ip46tables -t nat -D OUTPUT -p tcp ${redCond block} -j ${chain} 2>/dev/null || true"
) cfg.redsocks;
};
}
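Review bot: `redirectInternetOnly` does not hold for IPv6. The exclusions are built from `internetOnly`, which is IPv4-only (the `# TODO: add ipv6-equivalent` acknowledges this), and every one is run as `ip46tables ... -j RETURN 2>/dev/null || true`, so on the ip6tables side each `-d 10.0.0.0/8`-style rule fails and is swallowed, while `ip46tables -t nat -A ${chain} -p tcp -j REDIRECT --to-ports ${toString block.port}` and the `OUTPUT` jump are valid for ip6tables; with `redirectCondition = true` all outbound IPv6 TCP, link-local and ULA destinations included, is therefore sent to redsocks with no exclusions at all. Until an IPv6 list exists, restrict the chain to IPv4 (`iptables` instead of `ip46tables`) or add `::1/128`, `fe80::/10` and `fc00::/7` equivalents. Smaller points: `"-d 224.168.0.0/4"` and `"-d 240.168.0.0/4"` should be written as `224.0.0.0/4` and `240.0.0.0/4` (iptables normalises them, but as written they mislead), `splitString ":" block.proxy` cannot express an IPv6 proxy address, and `extraStopCommands` removes the `OUTPUT` jump but leaves the `REDSOCKS<n>` chains behind.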

View file

@ -2,35 +2,6 @@
with lib;
let
netconfigFile = {
target = "netconfig";
source = pkgs.writeText "netconfig" ''
#
# The network configuration file. This file is currently only used in
# conjunction with the TI-RPC code in the libtirpc library.
#
# Entries consist of:
#
# <network_id> <semantics> <flags> <protofamily> <protoname> \
# <device> <nametoaddr_libs>
#
# The <device> and <nametoaddr_libs> fields are always empty in this
# implementation.
#
udp tpi_clts v inet udp - -
tcp tpi_cots_ord v inet tcp - -
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -
rawip tpi_raw - inet - - -
local tpi_cots_ord - loopback - - -
unix tpi_cots_ord - loopback - - -
'';
};
in
{
###### interface
@ -58,25 +29,18 @@ in
###### implementation
config = mkIf config.services.rpcbind.enable {
environment.systemPackages = [ pkgs.rpcbind ];
environment.etc = [ netconfigFile ];
systemd.packages = [ pkgs.rpcbind ];
systemd.services.rpcbind =
{ description = "ONC RPC Directory Service";
wantedBy = [ "multi-user.target" ];
requires = [ "basic.target" ];
after = [ "basic.target" ];
unitConfig.DefaultDependencies = false; # don't stop during shutdown
serviceConfig.Type = "forking";
serviceConfig.ExecStart = "@${pkgs.rpcbind}/bin/rpcbind rpcbind";
};
systemd.services.rpcbind = {
wantedBy = [ "multi-user.target" ];
};
users.extraUsers.rpc = {
group = "nogroup";
uid = config.ids.uids.rpc;
};
};
}
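Review bot: removing `netconfigFile` from `environment.etc` deletes the generated `/etc/netconfig`, and the deleted header comment states that this file is what libtirpc's TI-RPC code consults, yet nothing in this diff provides a replacement; unless `pkgs.rpcbind` (now pulled in via `systemd.packages`) or another module ships `/etc/netconfig`, libtirpc-based RPC clients lose their transport definitions. Please confirm where the file now comes from, or keep it.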

View file

@ -34,6 +34,11 @@ in
";
};
package = mkOption {
default = pkgs.pythonPackages.searx;
description = "searx package to use.";
};
};
};
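Review bot: the new `package` option has no `type` (should be `type = types.package;`) and no `defaultText`, so the manual generator will try to render the derivation `pkgs.pythonPackages.searx` itself as the default; add `defaultText = "pkgs.pythonPackages.searx";` as the quassel hunk in this same commit does.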
@ -61,14 +66,13 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "searx";
ExecStart = "${pkgs.pythonPackages.searx}/bin/searx-run";
ExecStart = "${cfg.package}/bin/searx-run";
};
} // (optionalAttrs (configFile != "") {
environment.SEARX_SETTINGS_PATH = configFile;
});
environment.systemPackages = [ pkgs.pythonPackages.searx ];
environment.systemPackages = [ cfg.package ];
};

View file

@ -82,7 +82,8 @@ in
configFile = {
path = mkOption {
type = types.path;
type = types.nullOr types.path;
default = null;
example = literalExample "/etc/wpa_supplicant.conf";
description = ''
External <literal>wpa_supplicant.conf</literal> configuration file.

View file

@ -0,0 +1,57 @@
{pkgs, config, lib, ...}:
with lib;
let
cfg = config.services.hologram-agent;
cfgFile = pkgs.writeText "hologram-agent.json" (builtins.toJSON {
host = cfg.dialAddress;
});
in {
options = {
services.hologram-agent = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the Hologram agent for AWS instance credentials";
};
dialAddress = mkOption {
type = types.str;
default = "localhost:3100";
description = "Hologram server and port.";
};
httpPort = mkOption {
type = types.str;
default = "80";
description = "Port for metadata service to listen on.";
};
};
};
config = mkIf cfg.enable {
networking.interfaces.dummy0 = {
ipAddress = "169.254.169.254";
prefixLength = 32;
};
systemd.services.hologram-agent = {
description = "Provide EC2 instance credentials to machines outside of EC2";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
requires = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ];
preStart = ''
/run/current-system/sw/bin/rm -fv /var/run/hologram.sock
'';
serviceConfig = {
ExecStart = "${pkgs.hologram.bin}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}";
};
};
};
meta.maintainers = with lib.maintainers; [ nand0p ];
}
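Review bot: `httpPort` is declared `types.str` with default `"80"` but is only ever used as a port number; `types.int` (with `toString` at the `-port` call) would reject non-numeric values. `preStart` also hard-codes `/run/current-system/sw/bin/rm` instead of `${pkgs.coreutils}/bin/rm` (the convention used elsewhere in this diff), and `-debug` is passed unconditionally, so the agent always logs at debug level. Since the service answers on `169.254.169.254:80` without any authentication option, the `enable` description should state that any process on the host able to reach that address can obtain the credentials it serves, so operators can scope those credentials accordingly.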

View file

@ -20,8 +20,6 @@ let
"<includedir>${d}/etc/dbus-1/session.d</includedir>"
]));
daemonArgs = "--address=systemd: --nofork --nopidfile --systemd-activation";
configDir = pkgs.runCommand "dbus-conf"
{ preferLocalBuild = true;
allowSubstitutes = false;
@ -29,11 +27,6 @@ let
''
mkdir -p $out
cp ${pkgs.dbus.out}/share/dbus-1/{system,session}.conf $out
# include by full path
sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
sed '${./dbus-system-local.conf.in}' \
-e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
-e 's,@extra@,${systemExtraxml},' \
@ -95,6 +88,11 @@ in
environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ];
environment.etc = singleton
{ source = configDir;
target = "dbus-1";
};
users.extraUsers.messagebus = {
uid = config.ids.uids.messagebus;
description = "D-Bus system message bus daemon user";
@ -124,10 +122,6 @@ in
# Don't restart dbus-daemon. Bad things tend to happen if we do.
reloadIfChanged = true;
restartTriggers = [ configDir ];
serviceConfig.ExecStart = [
"" # Default dbus.service has two entries, we need to override both.
"${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=/run/current-system/dbus/system.conf ${daemonArgs}"
];
};
systemd.user = {
@ -135,18 +129,10 @@ in
# Don't restart dbus-daemon. Bad things tend to happen if we do.
reloadIfChanged = true;
restartTriggers = [ configDir ];
serviceConfig.ExecStart = [
"" # Default dbus.service has two entries, we need to override both.
"${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=/run/current-system/dbus/session.conf ${daemonArgs}"
];
};
sockets.dbus.wantedBy = mkIf cfg.socketActivated [ "sockets.target" ];
};
environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ];
system.extraSystemBuilderCmds = ''
ln -s ${configDir} $out/dbus
'';
};
}

View file

@ -63,6 +63,8 @@ let
let
svcFunction =
if svc ? function then svc.function
# instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix;
else if svc ? serviceExpression then import (toString svc.serviceExpression)
else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
config = (evalModules
{ modules = [ { options = res.options; config = svc.config or svc; } ];

View file

@ -1,198 +0,0 @@
{ config, lib, pkgs, serverInfo, php, ... }:
with lib;
let
httpd = serverInfo.serverConfig.package;
version24 = !versionOlder httpd.version "2.4";
allGranted = if version24 then ''
Require all granted
'' else ''
Order allow,deny
Allow from all
'';
moodleConfig = pkgs.writeText "config.php"
''
<?php
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = '${config.dbType}';
$CFG->dblibrary = 'native';
$CFG->dbhost = '${config.dbHost}';
$CFG->dbname = '${config.dbName}';
$CFG->dbuser = '${config.dbUser}';
$CFG->dbpass = '${config.dbPassword}';
$CFG->prefix = '${config.dbPrefix}';
$CFG->dboptions = array(
'dbpersist' => false,
'dbsocket' => false,
'dbport' => "${config.dbPort}",
);
$CFG->wwwroot = '${config.wwwRoot}';
$CFG->dataroot = '${config.dataRoot}';
$CFG->directorypermissions = 02777;
$CFG->admin = 'admin';
${optionalString (config.debug.noEmailEver == true) ''
$CFG->noemailever = true;
''}
${config.extraConfig}
require_once(dirname(__FILE__) . '/lib/setup.php'); // Do not edit
'';
# Unpack Moodle and put the config file in its root directory.
moodleRoot = pkgs.stdenv.mkDerivation rec {
name= "moodle-2.8.10";
src = pkgs.fetchurl {
url = "https://download.moodle.org/stable28/${name}.tgz";
sha256 = "0c3r5081ipcwc9s6shakllnrkd589y2ln5z5m1q09l4h6a7cy4z2";
};
buildPhase =
''
'';
installPhase =
''
mkdir -p $out
cp -r * $out
cp ${moodleConfig} $out/config.php
'';
# Marked as broken due to needing an update for security issues.
# See: https://github.com/NixOS/nixpkgs/issues/18856
meta.broken = true;
};
in
{
extraConfig =
''
# this should be config.urlPrefix instead of /
Alias / ${moodleRoot}/
<Directory ${moodleRoot}>
DirectoryIndex index.php
</Directory>
'';
documentRoot = moodleRoot; # TODO: fix this, should be config.urlPrefix
enablePHP = true;
options = {
id = mkOption {
default = "main";
description = ''
A unique identifier necessary to keep multiple Moodle server
instances on the same machine apart.
'';
};
dbType = mkOption {
default = "postgres";
example = "mysql";
description = "Database type.";
};
dbName = mkOption {
default = "moodle";
description = "Name of the database that holds the Moodle data.";
};
dbHost = mkOption {
default = "localhost";
example = "10.0.2.2";
description = ''
The location of the database server.
'';
};
dbPort = mkOption {
default = ""; # use the default port
example = "12345";
description = ''
The port that is used to connect to the database server.
'';
};
dbUser = mkOption {
default = "moodle";
description = "The user name for accessing the database.";
};
dbPassword = mkOption {
default = "";
example = "password";
description = ''
The password of the database user. Warning: this is stored in
cleartext in the Nix store!
'';
};
dbPrefix = mkOption {
default = "mdl_";
example = "my_other_mdl_";
description = ''
A prefix for each table, if multiple moodles should run in a single database.
'';
};
wwwRoot = mkOption {
type = types.string;
example = "http://my.machine.com/my-moodle";
description = ''
The full web address where moodle has been installed.
'';
};
dataRoot = mkOption {
default = "/var/lib/moodledata";
example = "/var/lib/moodledata";
description = ''
The data directory for moodle. Needs to be writable!
'';
type = types.path;
};
extraConfig = mkOption {
type = types.lines;
default = "";
example =
''
'';
description = ''
Any additional text to be appended to Moodle's
configuration file. This is a PHP script.
'';
};
debug = {
noEmailEver = mkOption {
default = false;
example = "true";
description = ''
Set this to true to prevent Moodle from ever sending any email.
'';
};
};
};
startupScript = pkgs.writeScript "moodle_startup.sh" ''
echo "Checking for existence of ${config.dataRoot}"
if [ ! -e "${config.dataRoot}" ]
then
mkdir -p "${config.dataRoot}"
chown ${serverInfo.serverConfig.user}.${serverInfo.serverConfig.group} "${config.dataRoot}"
fi
'';
}

View file

@ -6,7 +6,7 @@ with lib;
let
# Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
version = "4.7.1";
version = "4.7.2";
fullversion = "${version}";
# Our bare-bones wp-config.php file using the above settings
@ -75,7 +75,7 @@ let
owner = "WordPress";
repo = "WordPress";
rev = "${fullversion}";
sha256 = "1wb4f4zn55d23qi0whsfpbpcd4sjvzswgmni6f5rzrmlawq9ssgr";
sha256 = "0vph12708drf8ww0xd05hpdvbyy7n5gj9ca598lhdhy2i1j6wy32";
};
installPhase = ''
mkdir -p $out

View file

@ -61,6 +61,7 @@ in
User = "caddy";
Group = "caddy";
AmbientCapabilities = "cap_net_bind_service";
LimitNOFILE = 8192;
};
};

View file

@ -16,7 +16,20 @@ let
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
configFile = pkgs.writeText "nginx.conf" ''
configFile = pkgs.runCommand "nginx.conf" {
inherit configFileUnformatted;
passAsFile = [ "configFileUnformatted" ];
# configFileUnformatted is created locally, therefore so should this be.
preferLocalBuild = true;
allowSubstitutes = false;
} ''
cp ${configFileUnformatted} nginx.conf
chmod u+w nginx.conf
${pkgs.nginx-config-formatter}/bin/nginxfmt nginx.conf
cp nginx.conf $out
'';
configFileUnformatted = pkgs.writeText "nginx.unformatted.conf" ''
user ${cfg.user} ${cfg.group};
error_log stderr;
daemon off;
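Review bot: `passAsFile = [ "configFileUnformatted" ]` has no effect here, because the build script interpolates the store path `${configFileUnformatted}` directly rather than reading `$configFileUnformattedPath`; either drop the `inherit`/`passAsFile` pair or use the path variable. Running `nginxfmt` at build time also means a formatter bug changes the served configuration silently, so a syntax check of the formatted file before `cp nginx.conf $out` would be a useful guard.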
@ -403,7 +416,7 @@ in
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME) vhostsConfigs;
acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
user = cfg.user;
group = cfg.group;
group = lib.mkDefault cfg.group;
webroot = vhostConfig.acmeRoot;
extraDomains = genAttrs vhostConfig.serverAliases (alias: null);
postRun = ''

View file

@ -18,9 +18,8 @@ in
# determines the default: later modules (if enabled) are preferred.
# E.g., if KDE is enabled, it supersedes xterm.
imports = [
./none.nix ./xterm.nix ./xfce.nix ./kde4.nix ./kde5.nix
./lumina.nix ./lxqt.nix ./enlightenment.nix ./gnome3.nix
./kodi.nix
./none.nix ./xterm.nix ./xfce.nix ./kde5.nix ./lumina.nix
./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix
];
options = {

View file

@ -64,7 +64,10 @@ in
security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
services.xserver.exportConfiguration = true;
environment.etc = singleton
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
target = "X11/xkb";
};
fonts.fonts = [ pkgs.dejavu_fonts pkgs.ubuntu_font_family ];

View file

@ -78,7 +78,7 @@ in {
};
debug = mkEnableOption "gnome-session debug messages";
};
};
environment.gnome3.packageSet = mkOption {
default = null;
@ -86,7 +86,7 @@ in {
description = "Which GNOME 3 package set to use.";
apply = p: if p == null then pkgs.gnome3 else p;
};
environment.gnome3.excludePackages = mkOption {
default = [];
example = literalExample "[ pkgs.gnome3.totem ]";
@ -125,6 +125,9 @@ in {
services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
services.udev.packages = [ pkgs.gnome3.gnome_settings_daemon ];
# If gnome3 is installed, build vim for gtk3 too.
nixpkgs.config.vim.gui = "gtk3";
fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];
services.xserver.desktopManager.session = singleton

View file

@ -1,190 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
xcfg = config.services.xserver;
cfg = xcfg.desktopManager.kde4;
xorg = pkgs.xorg;
kde_workspace = config.services.xserver.desktopManager.kde4.kdeWorkspacePackage;
# Disable Nepomuk and Strigi by default. As of KDE 4.7, they don't
# really work very well (e.g. searching files often fails to find
# files), segfault sometimes and consume significant resources.
# They can be re-enabled in the KDE System Settings under "Desktop
# Search".
disableNepomuk = pkgs.writeTextFile
{ name = "nepomuk-config";
destination = "/share/config/nepomukserverrc";
text =
''
[Basic Settings]
Start Nepomuk=false
[Service-nepomukstrigiservice]
autostart=false
'';
};
phononBackends = {
gstreamer = [
pkgs.phonon-backend-gstreamer
pkgs.gst_all.gstPluginsBase
pkgs.gst_all.gstPluginsGood
pkgs.gst_all.gstPluginsUgly
pkgs.gst_all.gstPluginsBad
pkgs.gst_all.gstFfmpeg # for mp3 playback
pkgs.gst_all.gstreamer # needed?
];
vlc = [pkgs.phonon-backend-vlc];
};
phononBackendPackages = flip concatMap cfg.phononBackends
(name: attrByPath [name] (throw "unknown phonon backend `${name}'") phononBackends);
in
{
options = {
services.xserver.desktopManager.kde4 = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable the KDE 4 desktop environment.";
};
phononBackends = mkOption {
type = types.listOf types.str;
default = ["gstreamer"];
example = ["gstreamer" "vlc"];
description = "Which phonon multimedia backend kde should use";
};
kdeWorkspacePackage = mkOption {
internal = true;
default = pkgs.kde4.kde_workspace;
defaultText = "pkgs.kde4.kde_workspace";
type = types.package;
description = "Custom kde-workspace, used for NixOS rebranding.";
};
enablePIM = mkOption {
type = types.bool;
default = true;
description = "Whether to enable PIM support. Note that enabling this pulls in Akonadi and MariaDB as dependencies.";
};
enableNepomuk = mkOption {
type = types.bool;
default = false;
description = "Whether to enable Nepomuk (deprecated).";
};
};
};
config = mkIf (xcfg.enable && cfg.enable) {
# If KDE 4 is enabled, make it the default desktop manager (unless
# overridden by the user's configuration).
# !!! doesn't work yet ("Multiple definitions. Only one is allowed
# for this option.")
# services.xserver.desktopManager.default = mkOverride 900 "kde4";
services.xserver.desktopManager.session = singleton
{ name = "kde4";
bgSupport = true;
start =
''
# The KDE icon cache is supposed to update itself
# automatically, but it uses the timestamp on the icon
# theme directory as a trigger. Since in Nix the
# timestamp is always the same, this doesn't work. So as
# a workaround, nuke the icon cache on login. This isn't
# perfect, since it may require logging out after
# installing new applications to update the cache.
# See http://lists-archives.org/kde-devel/26175-what-when-will-icon-cache-refresh.html
rm -fv $HOME/.kde/cache-*/icon-cache.kcache
# Qt writes a weird libraryPath line to
# ~/.config/Trolltech.conf that causes the KDE plugin
# paths of previous KDE invocations to be searched.
# Obviously using mismatching KDE libraries is potentially
# disastrous, so here we nuke references to the Nix store
# in Trolltech.conf. A better solution would be to stop
# Qt from doing this wackiness in the first place.
if [ -e $HOME/.config/Trolltech.conf ]; then
sed -e '/nix\\store\|nix\/store/ d' -i $HOME/.config/Trolltech.conf
fi
# Load PulseAudio module for routing support.
# See http://colin.guthr.ie/2009/10/so-how-does-the-kde-pulseaudio-support-work-anyway/
${optionalString config.hardware.pulseaudio.enable ''
${getBin config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
''}
# Start KDE.
exec ${kde_workspace}/bin/startkde
'';
};
security.wrappers.kcheckpass.source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
environment.systemPackages =
[ pkgs.kde4.kdelibs
pkgs.kde4.kde_baseapps # Splitted kdebase
kde_workspace
pkgs.kde4.kde_runtime
pkgs.kde4.konsole
pkgs.kde4.kate
pkgs.kde4.kde_wallpapers # contains kdm's default background
pkgs.kde4.oxygen_icons
# Starts KDE's Polkit authentication agent.
pkgs.kde4.polkit_kde_agent
# Miscellaneous runtime dependencies.
pkgs.kde4.qt4 # needed for qdbus
pkgs.shared_mime_info
xorg.xmessage # so that startkde can show error messages
xorg.xset # used by startkde, non-essential
xorg.xauth # used by kdesu
]
++ optionals cfg.enablePIM
[ pkgs.kde4.kdepim_runtime
pkgs.kde4.akonadi
pkgs.mysql # used by akonadi
]
++ (if cfg.enableNepomuk then
[ pkgs.shared_desktop_ontologies # used by nepomuk
pkgs.strigi # used by nepomuk
pkgs.virtuoso # to enable Nepomuk to find Virtuoso
] else
[ disableNepomuk ])
++ optional config.hardware.pulseaudio.enable pkgs.kde4.kmix # Perhaps this should always be enabled
++ optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
++ optional config.networking.networkmanager.enable pkgs.kde4.plasma-nm
++ phononBackendPackages;
environment.pathsToLink = [ "/share" ];
environment.profileRelativeEnvVars = mkIf (elem "gstreamer" cfg.phononBackends) {
GST_PLUGIN_SYSTEM_PATH = [ "/lib/gstreamer-0.10" ];
};
services.xserver.exportConfiguration = true;
# Enable helpful DBus services.
services.udisks2.enable = true;
services.upower.enable = config.powerManagement.enable;
security.pam.services.kde = { allowNullPassword = true; };
};
}
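Review bot: deleting this module also drops two security-relevant definitions, and the merge should confirm nothing remaining depends on them: `security.wrappers.kcheckpass.source = "${kde_workspace}/lib/kde4/libexec/kcheckpass"` (the privileged wrapper the KDE 4 locker used to verify passwords) and `security.pam.services.kde = { allowNullPassword = true; }`. The `kde` PAM service name is also defined by the kdm module removed further down in this diff, so once both are gone any other consumer of that service name silently loses `allowNullPassword`. Check as well that no module or profile still references `services.xserver.desktopManager.kde4.*` (the warning removed in the next hunk is one such reference), and consider a `mkRemovedOptionModule` entry so a user configuration that still sets `desktopManager.kde4.enable` fails with a clear message rather than an undefined-option error.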

@ -50,10 +50,6 @@ in
})
(mkIf (xcfg.enable && cfg.enable) {
warnings = optional config.services.xserver.desktopManager.kde4.enable
"KDE 4 should not be enabled at the same time as KDE 5";
services.xserver.desktopManager.session = singleton {
name = "kde5";
bgSupport = true;
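Review bot: this removal is required, not cosmetic: the dropped `warnings` entry evaluates `config.services.xserver.desktopManager.kde4.enable`, and once kde4.nix is deleted that option no longer exists, so the KDE 5 module would fail to evaluate if the warning stayed. Nothing further needed in this hunk.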
@ -188,7 +184,10 @@ in
environment.pathsToLink = [ "/share" ];
services.xserver.exportConfiguration = true;
environment.etc = singleton {
source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
target = "X11/xkb";
};
environment.variables =
{
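Review bot: the new `environment.etc` entry hard-codes `${pkgs.xkeyboard_config}/etc/X11/xkb` as the source for target `X11/xkb`, while two lines above this module sets `services.xserver.exportConfiguration = true`, and the xserver module (later hunk in this diff) exports its own `xkbDir` to the same `X11/xkb` target whenever that flag is on. That yields two definitions of `/etc/X11/xkb` with KDE 5 enabled, and the KDE 5 one bypasses the user's `xkbDir` setting, so a custom keyboard layout directory would not reach Plasma. Either use the xserver module's `xkbDir` value as the source here, or drop this entry and rely on the export that `exportConfiguration = true` already provides.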

@ -1,5 +1,5 @@
# This module declares the options to define a *display manager*, the
# program responsible for handling X logins (such as xdm, kdm, gdb, or
# program responsible for handling X logins (such as xdm, gdb, or
# SLiM). The display manager allows the user to select a *session
# type*. When the user logs in, the display manager starts the
# *session script* ("xsession" below) to launch the selected session
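Review bot: while this comment is being rewritten, fix the typo that survives on both the old and the new line: the GNOME display manager is `gdm`, not `gdb`.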
@ -32,6 +32,9 @@ let
''
#! ${pkgs.bash}/bin/bash
# Handle being called by SDDM.
if test "''${1:0:1}" = / ; then eval exec $1 $2 ; fi
${optionalString cfg.displayManager.logToJournal ''
if [ -z "$_DID_SYSTEMD_CAT" ]; then
_DID_SYSTEMD_CAT=1 exec ${config.systemd.package}/bin/systemd-cat -t xsession -- "$0" "$@"
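Review bot: the new SDDM handler `if test "''${1:0:1}" = / ; then eval exec $1 $2 ; fi` passes `$1` and `$2` unquoted through `eval`, so a session command containing spaces, globs or shell metacharacters is split and re-parsed before exec; the kdm handler it replaces (removed in the next hunk) at least quoted `"$1"`. If the intent is simply "command plus one argument", `exec "$1" "$2"` without `eval` does that safely; keep `eval` only if the second word is deliberately meant to be re-split, and say so in the comment. Also note the placement: this check runs before the `systemd-cat` re-exec, so with `logToJournal` enabled a session that SDDM starts via an absolute path is exec'd directly and its output never reaches the journal under `-t xsession`. Moving the SDDM check below the `_DID_SYSTEMD_CAT` block would preserve logging for that path.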
@ -55,9 +58,6 @@ let
fi
''}
# Handle being called by kdm.
if test "''${1:0:1}" = /; then eval exec "$1"; fi
# Start PulseAudio if enabled.
${optionalString (config.hardware.pulseaudio.enable) ''
${optionalString (!config.hardware.pulseaudio.systemWide)
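Review bot: dropping the kdm-specific `eval exec "$1"` handler is consistent with the kdm module being deleted in this diff; the SDDM replacement added at the top of the script should keep this line's quoting of `"$1"` rather than regress to unquoted arguments.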

@ -1,158 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
dmcfg = config.services.xserver.displayManager;
cfg = dmcfg.kdm;
inherit (pkgs.kde4) kdebase_workspace;
defaultConfig =
''
[Shutdown]
HaltCmd=${config.systemd.package}/sbin/shutdown -h now
RebootCmd=${config.systemd.package}/sbin/shutdown -r now
${optionalString (config.system.boot.loader.id == "grub") ''
BootManager=${if config.boot.loader.grub.version == 2 then "Grub2" else "Grub"}
''}
[X-*-Core]
Xrdb=${pkgs.xorg.xrdb}/bin/xrdb
SessionsDirs=${dmcfg.session.desktops}
Session=${dmcfg.session.script}
FailsafeClient=${pkgs.xterm}/bin/xterm
[X-:*-Core]
ServerCmd=${dmcfg.xserverBin} ${toString dmcfg.xserverArgs}
# KDM calls `rm' somewhere to clean up some temporary directory.
SystemPath=${pkgs.coreutils}/bin
# The default timeout (15) is too short in a heavily loaded boot process.
ServerTimeout=60
# Needed to prevent the X server from dying on logout and not coming back:
TerminateServer=true
${optionalString (cfg.setupScript != "")
''
Setup=${cfg.setupScript}
''}
[X-*-Greeter]
HiddenUsers=root,${concatStringsSep "," dmcfg.hiddenUsers}
PluginsLogin=${kdebase_workspace}/lib/kde4/kgreet_classic.so
${optionalString (cfg.themeDirectory != null)
''
UseTheme=true
Theme=${cfg.themeDirectory}
''
}
${optionalString (cfg.enableXDMCP)
''
[Xdmcp]
Enable=true
''}
'';
kdmrc = pkgs.runCommand "kdmrc"
{ config = defaultConfig + cfg.extraConfig;
preferLocalBuild = true;
}
''
echo "$config" > $out
# The default kdmrc would add "-nolisten tcp", and we already
# have that managed by nixos. Hence the grep.
cat ${kdebase_workspace}/share/config/kdm/kdmrc | grep -v nolisten >> $out
'';
in
{
###### interface
options = {
services.xserver.displayManager.kdm = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the KDE display manager.
'';
};
enableXDMCP = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable XDMCP, which allows remote logins.
'';
};
themeDirectory = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The path to a KDM theme directory. This theme
will be used by the KDM greeter.
'';
};
setupScript = mkOption {
type = types.lines;
default = "";
description = ''
The path to a KDM setup script. This script is run as root just
before KDM starts. Can be used for setting up
monitors with xrandr, for example.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Options appended to <filename>kdmrc</filename>, the
configuration file of KDM.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
services.xserver.displayManager.slim.enable = false;
services.xserver.displayManager.job =
{ execCmd =
''
mkdir -m 0755 -p /var/lib/kdm
chown kdm /var/lib/kdm
${(optionalString (config.system.boot.loader.id == "grub" && config.system.build.grub != null) "PATH=${config.system.build.grub}/sbin:$PATH ") +
"KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon -logfile /dev/stderr"}
'';
logsXsession = true;
};
security.pam.services.kde = { allowNullPassword = true; startSession = true; };
users.extraUsers = singleton
{ name = "kdm";
uid = config.ids.uids.kdm;
description = "KDM user";
};
environment.systemPackages =
[ pkgs.kde4.kde_wallpapers ]; # contains kdm's default background
};
}
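Review bot: removing this module deletes the whole `services.xserver.displayManager.kdm.*` option tree, including `enableXDMCP` and `extraConfig`, which the terminal-server profile in this same diff used; that profile is switched to GDM below, but the XDMCP-specific settings it carried are not obviously re-created there. The module also owned the `kdm` system user (`uid = config.ids.uids.kdm`) and a second definition of `security.pam.services.kde` with `startSession = true`; the uid reservation in `ids.nix` can stay (reusing a retired uid is worse than leaving a gap), but check that nothing remaining relied on `startSession = true` for the `kde` PAM service, since the kde4 module, the other definer, is deleted too. As with kde4, a `mkRemovedOptionModule` entry for `displayManager.kdm.enable` would give users a clear message instead of an undefined-option failure.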

@ -16,18 +16,8 @@ with lib;
services.xserver.enable = true;
services.xserver.videoDrivers = [];
# Enable KDM. Any display manager will do as long as it supports XDMCP.
services.xserver.displayManager.kdm.enable = true;
services.xserver.displayManager.kdm.enableXDMCP = true;
services.xserver.displayManager.kdm.extraConfig =
''
[General]
# We're headless, so don't bother starting an X server.
StaticServers=
[Xdmcp]
Xaccess=${pkgs.writeText "Xaccess" "localhost"}
'';
# Enable GDM. Any display manager will do as long as it supports XDMCP.
services.xserver.displayManager.gdm.enable = true;
systemd.sockets.terminal-server =
{ description = "Terminal Server Socket";
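Review bot: the replacement loses the two settings that made the removed KDM block fit a headless terminal server: `StaticServers=` (start no local X server, matching `videoDrivers = []`) and `Xaccess=localhost` (restrict XDMCP to local clients). The new block only sets `services.xserver.displayManager.gdm.enable = true`; nothing visible in this hunk turns on XDMCP in GDM or limits who may connect. XDMCP is unauthenticated and unencrypted, so the access restriction matters as much as the protocol being enabled; either add the GDM equivalents of both settings here, or update the comment to say that the profile now expects the user to configure GDM's XDMCP and access control themselves.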

@ -459,21 +459,31 @@ in
knownVideoDrivers;
in optional (driver != null) ({ inherit name; modules = []; driverName = name; } // driver));
nixpkgs.config.xorg = optionalAttrs (elem "vboxvideo" cfg.videoDrivers) { abiCompat = "1.18"; };
assertions =
[ { assertion = config.security.polkit.enable;
message = "X11 requires Polkit to be enabled (security.polkit.enable = true).";
}
];
environment.etc = mkMerge [
(mkIf cfg.exportConfiguration {
"X11/xorg.conf".source = configFile;
"X11/xkb".source = cfg.xkbDir;
})
environment.etc =
(optionals cfg.exportConfiguration
[ { source = "${configFile}";
target = "X11/xorg.conf";
}
# -xkbdir command line option does not seems to be passed to xkbcomp.
{ source = "${cfg.xkbDir}";
target = "X11/xkb";
}
])
# Needed since 1.18; see https://bugs.freedesktop.org/show_bug.cgi?id=89023#c5
(let cfgPath = "X11/xorg.conf.d/10-evdev.conf"; in
{ "${cfgPath}".source = xorg.xf86inputevdev.out + "/share" + cfgPath; })
];
++ (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in
[{
source = xorg.xf86inputevdev.out + "/share" + cfgPath;
target = cfgPath;
}]
);
environment.systemPackages =
[ xorg.xorgserver.out
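Review bot: this hunk carries two styles of `environment.etc` (the attribute-set form `"X11/xorg.conf".source = configFile` under `mkMerge`/`mkIf`, and the list of `{ source; target; }` entries); whichever side survives the merge must keep all three entries: `X11/xorg.conf` and `X11/xkb` guarded by `cfg.exportConfiguration`, plus the unconditional `X11/xorg.conf.d/10-evdev.conf` needed since xorg-server 1.18. The comment `-xkbdir command line option does not seems to be passed to xkbcomp.` appears only on the list form and is worth preserving, since it is the reason the xkb export exists at all. The `assertions` block requiring `security.polkit.enable` is present on only one side; X11 session management depends on polkit, so that assertion should not be lost in the resolution. Finally, the `X11/xkb` target here is the same one the KDE 5 module defines earlier in this diff, so with KDE 5 enabled (which sets `exportConfiguration = true`) both definitions are active and one of them should go.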
