Merge branch 'staging-next' into staging

Minor conflicts; I hope I didn't mess up:
	pkgs/development/tools/misc/binutils/default.nix
	pkgs/games/openjk/default.nix
Vladimír Čunát 2022-04-14 09:50:48 +02:00
commit d5d94127fd
No known key found for this signature in database
GPG key ID: E747DF1F9575A3AA
425 changed files with 11759 additions and 6081 deletions


@ -1043,7 +1043,7 @@ You can also specify a `runtimeDependencies` variable which lists dependencies t
In certain situations you may want to run the main command (`autoPatchelf`) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the `dontAutoPatchelf` environment variable to a non-empty value. In certain situations you may want to run the main command (`autoPatchelf`) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the `dontAutoPatchelf` environment variable to a non-empty value.
By default `autoPatchelf` will fail as soon as any ELF file requires a dependency which cannot be resolved via the given build inputs. In some situations you might prefer to just leave missing dependencies unpatched and continue to patch the rest. This can be achieved by setting the `autoPatchelfIgnoreMissingDeps` environment variable to a non-empty value. By default `autoPatchelf` will fail as soon as any ELF file requires a dependency which cannot be resolved via the given build inputs. In some situations you might prefer to just leave missing dependencies unpatched and continue to patch the rest. This can be achieved by setting the `autoPatchelfIgnoreMissingDeps` environment variable to a non-empty value. `autoPatchelfIgnoreMissingDeps` can be set to a list like `autoPatchelfIgnoreMissingDeps = [ "libcuda.so.1" "libcudart.so.1" ];` or to simply `[ "*" ]` to ignore all missing dependencies.
The `autoPatchelf` command also recognizes a `--no-recurse` command line flag, which prevents it from recursing into subdirectories. The `autoPatchelf` command also recognizes a `--no-recurse` command line flag, which prevents it from recursing into subdirectories.


@ -4714,6 +4714,12 @@
githubId = 343415; githubId = 343415;
name = "Greg Roodt"; name = "Greg Roodt";
}; };
grnnja = {
email = "grnnja@gmail.com";
github = "grnnja";
githubId = 31556469;
name = "Prem Netsuwan";
};
gruve-p = { gruve-p = {
email = "groestlcoin@gmail.com"; email = "groestlcoin@gmail.com";
github = "gruve-p"; github = "gruve-p";
@ -9945,6 +9951,12 @@
fingerprint = "2CD2 B030 BD22 32EF DF5A 008A 3618 20A4 5DB4 1E9A"; fingerprint = "2CD2 B030 BD22 32EF DF5A 008A 3618 20A4 5DB4 1E9A";
}]; }];
}; };
podocarp = {
email = "xdjiaxd@gmail.com";
github = "podocarp";
githubId = 10473184;
name = "Jia Xiaodong";
};
polendri = { polendri = {
email = "paul@ijj.li"; email = "paul@ijj.li";
github = "polendri"; github = "polendri";
@ -10204,6 +10216,12 @@
githubId = 115877; githubId = 115877;
name = "Kenny Shen"; name = "Kenny Shen";
}; };
quag = {
email = "quaggy@gmail.com";
github = "quag";
githubId = 35086;
name = "Jonathan Wright";
};
queezle = { queezle = {
email = "git@queezle.net"; email = "git@queezle.net";
github = "qzle"; github = "qzle";
@ -11528,6 +11546,12 @@
githubId = 2770647; githubId = 2770647;
name = "Simon Vandel Sillesen"; name = "Simon Vandel Sillesen";
}; };
sir4ur0n = {
email = "sir4ur0n@users.noreply.github.com";
github = "sir4ur0n";
githubId = 1204125;
name = "sir4ur0n";
};
siraben = { siraben = {
email = "bensiraphob@gmail.com"; email = "bensiraphob@gmail.com";
matrix = "@siraben:matrix.org"; matrix = "@siraben:matrix.org";


@ -381,6 +381,14 @@
cluster resource manager cluster resource manager
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://nifi.apache.org">nifi</link>, an
easy to use, powerful, and reliable system to process and
distribute data. Available as
<link xlink:href="options.html#opt-services.nifi.enable">services.nifi</link>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="sec-release-22.05-incompatibilities"> <section xml:id="sec-release-22.05-incompatibilities">
@ -518,6 +526,13 @@
} }
</programlisting> </programlisting>
</listitem> </listitem>
<listitem>
<para>
<literal>services.prometheus.alertManagerTimeout</literal> has
been removed as it has been deprecated upstream and has no
effect.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The DHCP server (<literal>services.dhcpd4</literal>, The DHCP server (<literal>services.dhcpd4</literal>,
@ -551,6 +566,17 @@
work. work.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<literal>services.paperless-ng</literal> was renamed to
<literal>services.paperless</literal>. Accordingly, the
<literal>paperless-ng-manage</literal> script (located in
<literal>dataDir</literal>) was renamed to
<literal>paperless-manage</literal>.
<literal>services.paperless</literal> now uses
<literal>paperless-ngx</literal>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>matrix-synapse</literal> service The <literal>matrix-synapse</literal> service
@ -1689,6 +1715,13 @@
<literal>true</literal>. <literal>true</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
A module for declarative configuration of openconnect VPN
profiles was added under
<literal>networking.openconnect</literal>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>element-desktop</literal> package now has an The <literal>element-desktop</literal> package now has an
@ -1787,6 +1820,15 @@
should now be used instead. should now be used instead.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<literal>security.pam.ussh</literal> has been added, which
allows authorizing PAM sessions based on SSH
<emphasis>certificates</emphasis> held within an SSH agent,
using
<link xlink:href="https://github.com/uber/pam-ussh">pam-ussh</link>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>zrepl</literal> package has been updated from The <literal>zrepl</literal> package has been updated from
@ -1882,7 +1924,10 @@
<para> <para>
<literal>services.xserver.desktopManager.xfce</literal> now <literal>services.xserver.desktopManager.xfce</literal> now
includes Xfces screen locker, includes Xfces screen locker,
<literal>xfce4-screensaver</literal>. <literal>xfce4-screensaver</literal> that is enabled by
default. You can disable it by setting
<literal>false</literal> to
<link linkend="opt-services.xserver.desktopManager.xfce.enableScreensaver">services.xserver.desktopManager.xfce.enableScreensaver</link>.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>


@ -109,6 +109,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager - [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager
- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.05-incompatibilities} ## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
@ -173,6 +175,8 @@ In addition to numerous new and upgraded packages, this release has the followin
} }
``` ```
- `services.prometheus.alertManagerTimeout` has been removed as it has been deprecated upstream and has no effect.
- The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened. - The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened.
The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities.
The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed. The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed.
@ -182,6 +186,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `services.ipfs.extraFlags` is now escaped with `utils.escapeSystemdExecArgs`. If you rely on systemd interpolating `extraFlags` in the service `ExecStart`, this will no longer work. - `services.ipfs.extraFlags` is now escaped with `utils.escapeSystemdExecArgs`. If you rely on systemd interpolating `extraFlags` in the service `ExecStart`, this will no longer work.
- `services.paperless-ng` was renamed to `services.paperless`. Accordingly, the `paperless-ng-manage` script (located in `dataDir`) was renamed to `paperless-manage`. `services.paperless` now uses `paperless-ngx`.
- The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42. - The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42.
This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the
module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you
@ -583,6 +589,8 @@ In addition to numerous new and upgraded packages, this release has the followin
using `fetchgit` or `fetchhg` if the argument `fetchSubmodules` using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
is set to `true`. is set to `true`.
- A module for declarative configuration of openconnect VPN profiles was added under `networking.openconnect`.
- The `element-desktop` package now has an `useKeytar` option (defaults to `true`), - The `element-desktop` package now has an `useKeytar` option (defaults to `true`),
which allows disabling `keytar` and in turn `libsecret` usage which allows disabling `keytar` and in turn `libsecret` usage
(which binds to native credential managers / keychain libraries). (which binds to native credential managers / keychain libraries).
@ -613,6 +621,8 @@ In addition to numerous new and upgraded packages, this release has the followin
and [services.logrotate.extraConfig](#opt-services.logrotate.extraConfig) will work, but issue deprecation and [services.logrotate.extraConfig](#opt-services.logrotate.extraConfig) will work, but issue deprecation
warnings and [services.logrotate.settings](#opt-services.logrotate.settings) should now be used instead. warnings and [services.logrotate.settings](#opt-services.logrotate.settings) should now be used instead.
- `security.pam.ussh` has been added, which allows authorizing PAM sessions based on SSH _certificates_ held within an SSH agent, using [pam-ussh](https://github.com/uber/pam-ussh).
- The `zrepl` package has been updated from 0.4.0 to 0.5: - The `zrepl` package has been updated from 0.4.0 to 0.5:
- The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume. - The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
@ -642,7 +652,7 @@ In addition to numerous new and upgraded packages, this release has the followin
- xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15. - xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15.
If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with `mkfs.xfs -m bigtime=0 -m inobtcount=0`. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with `mkfs.xfs -m bigtime=0 -m inobtcount=0`.
- `services.xserver.desktopManager.xfce` now includes Xfce's screen locker, `xfce4-screensaver`. - `services.xserver.desktopManager.xfce` now includes Xfce's screen locker, `xfce4-screensaver` that is enabled by default. You can disable it by setting `false` to [services.xserver.desktopManager.xfce.enableScreensaver](#opt-services.xserver.desktopManager.xfce.enableScreensaver).
- The `hadoop` package has added support for `aarch64-linux` and `aarch64-darwin` as of 3.3.1 ([#158613](https://github.com/NixOS/nixpkgs/pull/158613)). - The `hadoop` package has added support for `aarch64-linux` and `aarch64-darwin` as of 3.3.1 ([#158613](https://github.com/NixOS/nixpkgs/pull/158613)).


@ -194,6 +194,22 @@ rec {
(( ! $inherit_errexit_enabled )) && shopt -u inherit_errexit (( ! $inherit_errexit_enabled )) && shopt -u inherit_errexit
''; '';
/* Remove packages of packagesToRemove from packages, based on their names.
Relies on package names and has quadratic complexity so use with caution!
Type:
removePackagesByName :: [package] -> [package] -> [package]
Example:
removePackagesByName [ nautilus file-roller ] [ file-roller totem ]
=> [ nautilus ]
*/
removePackagesByName = packages: packagesToRemove:
let
namesToRemove = map lib.getName packagesToRemove;
in
lib.filter (x: !(builtins.elem (lib.getName x) namesToRemove)) packages;
systemdUtils = { systemdUtils = {
lib = import ./systemd-lib.nix { inherit lib config pkgs; }; lib = import ./systemd-lib.nix { inherit lib config pkgs; };
unitOptions = import ./systemd-unit-options.nix { inherit lib systemdUtils; }; unitOptions = import ./systemd-unit-options.nix { inherit lib systemdUtils; };


@ -1,9 +1,33 @@
# This module manages the terminfo database # This module manages the terminfo database
# and its integration in the system. # and its integration in the system.
{ config, ... }: { config, lib, pkgs, ... }:
with lib;
{ {
options.environment.enableAllTerminfo = with lib; mkOption {
default = false;
type = types.bool;
description = ''
Whether to install all terminfo outputs
'';
};
config = { config = {
# can be generated with: filter (drv: (builtins.tryEval (drv ? terminfo)).value) (attrValues pkgs)
environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [
alacritty
foot
kitty
mtm
rxvt-unicode-unwrapped
rxvt-unicode-unwrapped-emoji
termite
wezterm
]));
environment.pathsToLink = [ environment.pathsToLink = [
"/share/terminfo" "/share/terminfo"
]; ];
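Review bot: The option declaration keeps an inner `with lib;` even though the same hunk adds a file-level `with lib;`, so the inner one is redundant and the line can read `options.environment.enableAllTerminfo = mkOption {`. The package list is hard-coded, with only a comment on how to regenerate it, so it will drift as terminal packages gain or lose a `terminfo` output. The description could say so, for example `Whether to install the terminfo outputs of a fixed list of terminal emulators.`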


@ -597,7 +597,7 @@
./services/misc/osrm.nix ./services/misc/osrm.nix
./services/misc/owncast.nix ./services/misc/owncast.nix
./services/misc/packagekit.nix ./services/misc/packagekit.nix
./services/misc/paperless-ng.nix ./services/misc/paperless.nix
./services/misc/parsoid.nix ./services/misc/parsoid.nix
./services/misc/plex.nix ./services/misc/plex.nix
./services/misc/plikd.nix ./services/misc/plikd.nix
@ -853,6 +853,7 @@
./services/networking/ofono.nix ./services/networking/ofono.nix
./services/networking/oidentd.nix ./services/networking/oidentd.nix
./services/networking/onedrive.nix ./services/networking/onedrive.nix
./services/networking/openconnect.nix
./services/networking/openvpn.nix ./services/networking/openvpn.nix
./services/networking/ostinato.nix ./services/networking/ostinato.nix
./services/networking/owamp.nix ./services/networking/owamp.nix
@ -1054,6 +1055,7 @@
./services/web-apps/netbox.nix ./services/web-apps/netbox.nix
./services/web-apps/nextcloud.nix ./services/web-apps/nextcloud.nix
./services/web-apps/nexus.nix ./services/web-apps/nexus.nix
./services/web-apps/nifi.nix
./services/web-apps/node-red.nix ./services/web-apps/node-red.nix
./services/web-apps/pict-rs.nix ./services/web-apps/pict-rs.nix
./services/web-apps/peertube.nix ./services/web-apps/peertube.nix


@ -61,6 +61,19 @@ let
''; '';
}; };
usshAuth = mkOption {
default = false;
type = types.bool;
description = ''
If set, users with an SSH certificate containing an authorized principal
in their SSH agent are able to log in. Specific options are controlled
using the <option>security.pam.ussh</option> options.
Note that the <option>security.pam.ussh.enable</option> must also be
set for this option to take effect.
'';
};
yubicoAuth = mkOption { yubicoAuth = mkOption {
default = config.security.pam.yubico.enable; default = config.security.pam.yubico.enable;
defaultText = literalExpression "config.security.pam.yubico.enable"; defaultText = literalExpression "config.security.pam.yubico.enable";
@ -475,6 +488,9 @@ let
optionalString cfg.usbAuth '' optionalString cfg.usbAuth ''
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
'' + '' +
(let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) ''
auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
'') +
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth '' (let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
'') + '') +
@ -927,6 +943,96 @@ in
}; };
}; };
security.pam.ussh = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
This is similar to <literal>pam-ssh-agent</literal>, except that
the presence of a CA-signed SSH key with a valid principal is checked
instead.
Note that this module must both be enabled using this option and on a
per-PAM-service level as well (using <literal>usshAuth</literal>).
More information can be found <link
xlink:href="https://github.com/uber/pam-ussh">here</link>.
'';
};
caFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
By default <literal>pam-ussh</literal> reads the trusted user CA keys
from <filename>/etc/ssh/trusted_user_ca</filename>.
This should be set the same as your <literal>TrustedUserCAKeys</literal>
option for sshd.
'';
};
authorizedPrincipals = mkOption {
default = null;
type = with types; nullOr commas;
description = ''
Comma-separated list of authorized principals to permit; if the user
presents a certificate with one of these principals, then they will be
authorized.
Note that <literal>pam-ussh</literal> also requires that the certificate
contain a principal matching the user's username. The principals from
this list are in addition to those principals.
Mutually exclusive with <literal>authorizedPrincipalsFile</literal>.
'';
};
authorizedPrincipalsFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
Path to a list of principals; if the user presents a certificate with
one of these principals, then they will be authorized.
Note that <literal>pam-ussh</literal> also requires that the certificate
contain a principal matching the user's username. The principals from
this file are in addition to those principals.
Mutually exclusive with <literal>authorizedPrincipals</literal>.
'';
};
group = mkOption {
default = null;
type = with types; nullOr str;
description = ''
If set, then the authenticating user must be a member of this group
to use this module.
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use the SSH certificate instead of the regular password,
use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
for better understanding of this option.
'';
};
};
security.pam.yubico = { security.pam.yubico = {
enable = mkOption { enable = mkOption {
default = false; default = false;
@ -1111,6 +1217,9 @@ in
optionalString (isEnabled (cfg: cfg.usbAuth)) '' optionalString (isEnabled (cfg: cfg.usbAuth)) ''
mr ${pkgs.pam_usb}/lib/security/pam_usb.so, mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
'' + '' +
optionalString (isEnabled (cfg: cfg.usshAuth)) ''
mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so,
'' +
optionalString (isEnabled (cfg: cfg.oathAuth)) '' optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
'' + '' +
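Review bot: The descriptions of `authorizedPrincipals` and `authorizedPrincipalsFile` call the two options mutually exclusive, but nothing visible in this section enforces that. The generated `auth` line in the `usshAuth` hunk emits both `authorized_principals=` and `authorized_principals_file=` when both are set, leaving the effective policy to the module's argument handling. An assertion with the condition `config.security.pam.ussh.authorizedPrincipals == null || config.security.pam.ussh.authorizedPrincipalsFile == null` would reject that configuration at evaluation time. Separately, `group` is `types.str` and is interpolated unquoted into the PAM line, so a value containing whitespace would be split into extra module arguments; a type that rejects whitespace would close that gap.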


@ -245,7 +245,7 @@ in
environment.systemPackages = [ sudo ]; environment.systemPackages = [ sudo ];
security.pam.services.sudo = { sshAgentAuth = true; }; security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers = environment.etc.sudoers =
{ source = { source =
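Review bot: The new `usshAuth = true` on the sudo service carries no comment explaining when it takes effect or what it then changes for sudo authentication. Going by the option descriptions added in the PAM module section of this commit, it is inert until `security.pam.ussh.enable` is set, and the default `control` there is `"sufficient"`. A comment above the line would make that visible at the point of use, e.g. `# usshAuth only applies when security.pam.ussh.enable is set; with control = "sufficient" an agent-held SSH certificate then satisfies sudo without a password`. The surrounding `config` block continues outside the hunk.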


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
with lib; with lib;
@ -6,46 +6,44 @@ let
cfg = config.services.cockroachdb; cfg = config.services.cockroachdb;
crdb = cfg.package; crdb = cfg.package;
escape = builtins.replaceStrings ["%"] ["%%"]; startupCommand = utils.escapeSystemdExecArgs
ifNotNull = v: s: optionalString (v != null) s; ([
# Basic startup
startupCommand = lib.concatStringsSep " " "${crdb}/bin/cockroach"
[ # Basic startup "start"
"${crdb}/bin/cockroach start"
"--logtostderr" "--logtostderr"
"--store=/var/lib/cockroachdb" "--store=/var/lib/cockroachdb"
(ifNotNull cfg.locality "--locality='${cfg.locality}'")
# WebUI settings # WebUI settings
"--http-addr='${cfg.http.address}:${toString cfg.http.port}'" "--http-addr=${cfg.http.address}:${toString cfg.http.port}"
# Cluster listen address # Cluster listen address
"--listen-addr='${cfg.listen.address}:${toString cfg.listen.port}'" "--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
# Cluster configuration # Cache and memory settings.
(ifNotNull cfg.join "--join=${cfg.join}") "--cache=${cfg.cache}"
"--max-sql-memory=${cfg.maxSqlMemory}"
# Cache and memory settings. Must be escaped.
"--cache='${escape cfg.cache}'"
"--max-sql-memory='${escape cfg.maxSqlMemory}'"
# Certificate/security settings. # Certificate/security settings.
(if cfg.insecure then "--insecure" else "--certs-dir=${cfg.certsDir}") (if cfg.insecure then "--insecure" else "--certs-dir=${cfg.certsDir}")
]; ]
++ lib.optional (cfg.join != null) "--join=${cfg.join}"
++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
++ cfg.extraArgs);
addressOption = descr: defaultPort: { addressOption = descr: defaultPort: {
address = mkOption { address = mkOption {
type = types.str; type = types.str;
default = "localhost"; default = "localhost";
description = "Address to bind to for ${descr}"; description = "Address to bind to for ${descr}";
};
port = mkOption {
type = types.port;
default = defaultPort;
description = "Port to bind to for ${descr}";
};
}; };
port = mkOption {
type = types.port;
default = defaultPort;
description = "Port to bind to for ${descr}";
};
};
in in
{ {
@ -159,6 +157,16 @@ in
only contain open source features and open source code). only contain open source features and open source code).
''; '';
}; };
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
example = [ "--advertise-addr" "[fe80::f6f2:::]" ];
description = ''
Extra CLI arguments passed to <command>cockroach start</command>.
For the full list of supported argumemnts, check <link xlink:href="https://www.cockroachlabs.com/docs/stable/cockroach-start.html#flags"/>
'';
};
}; };
}; };
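Review bot: The new `extraArgs` description misspells `arguments` as `argumemnts`, and the example value `"[fe80::f6f2:::]"` does not look like a parseable IPv6 literal, so anyone copying it would likely get a startup failure instead of a working `--advertise-addr`. `extraArgs` is appended after the `--insecure` / `--certs-dir` choice in `startupCommand`, so an entry in the list can contradict `cfg.insecure` with no evaluation-time check. The description should state that these flags are passed verbatim and are not validated against the module's own options, for example `Flags given here are passed through unchanged and can conflict with the settings above, including the TLS options.`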


@ -23,17 +23,16 @@ let
nixosRules = '' nixosRules = ''
# Miscellaneous devices. # Miscellaneous devices.
KERNEL=="kvm", MODE="0666" KERNEL=="kvm", MODE="0666"
KERNEL=="kqemu", MODE="0666"
# Needed for gpm. # Needed for gpm.
SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd" SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd"
''; '';
# Perform substitutions in all udev rules files. # Perform substitutions in all udev rules files.
udevRules = pkgs.runCommand "udev-rules" udevRulesFor = { name, udevPackages, udevPath, udev, systemd, binPackages, initrdBin ? null }: pkgs.runCommand name
{ preferLocalBuild = true; { preferLocalBuild = true;
allowSubstitutes = false; allowSubstitutes = false;
packages = unique (map toString cfg.packages); packages = unique (map toString udevPackages);
} }
'' ''
mkdir -p $out mkdir -p $out
@ -61,6 +60,9 @@ let
--replace \"/bin/mount \"${pkgs.util-linux}/bin/mount \ --replace \"/bin/mount \"${pkgs.util-linux}/bin/mount \
--replace /usr/bin/readlink ${pkgs.coreutils}/bin/readlink \ --replace /usr/bin/readlink ${pkgs.coreutils}/bin/readlink \
--replace /usr/bin/basename ${pkgs.coreutils}/bin/basename --replace /usr/bin/basename ${pkgs.coreutils}/bin/basename
${optionalString (initrdBin != null) ''
substituteInPlace $i --replace '/run/current-system/systemd' "${removeSuffix "/bin" initrdBin}"
''}
done done
echo -n "Checking that all programs called by relative paths in udev rules exist in ${udev}/lib/udev... " echo -n "Checking that all programs called by relative paths in udev rules exist in ${udev}/lib/udev... "
@ -85,8 +87,9 @@ let
for i in $import_progs $run_progs; do for i in $import_progs $run_progs; do
# if the path refers to /run/current-system/systemd, replace with config.systemd.package # if the path refers to /run/current-system/systemd, replace with config.systemd.package
if [[ $i == /run/current-system/systemd* ]]; then if [[ $i == /run/current-system/systemd* ]]; then
i="${config.systemd.package}/''${i#/run/current-system/systemd/}" i="${systemd}/''${i#/run/current-system/systemd/}"
fi fi
if [[ ! -x $i ]]; then if [[ ! -x $i ]]; then
echo "FAIL" echo "FAIL"
echo "$i is called in udev rules but is not executable or does not exist" echo "$i is called in udev rules but is not executable or does not exist"
@ -103,7 +106,7 @@ let
echo "Consider fixing the following udev rules:" echo "Consider fixing the following udev rules:"
echo "$filesToFixup" | while read localFile; do echo "$filesToFixup" | while read localFile; do
remoteFile="origin unknown" remoteFile="origin unknown"
for i in ${toString cfg.packages}; do for i in ${toString binPackages}; do
for j in "$i"/*/udev/rules.d/*; do for j in "$i"/*/udev/rules.d/*; do
[ -e "$out/$(basename "$j")" ] || continue [ -e "$out/$(basename "$j")" ] || continue
[ "$(basename "$j")" = "$(basename "$localFile")" ] || continue [ "$(basename "$j")" = "$(basename "$localFile")" ] || continue
@ -126,7 +129,7 @@ let
${optionalString (!config.boot.hardwareScan) '' ${optionalString (!config.boot.hardwareScan) ''
ln -s /dev/null $out/80-drivers.rules ln -s /dev/null $out/80-drivers.rules
''} ''}
''; # */ '';
hwdbBin = pkgs.runCommand "hwdb.bin" hwdbBin = pkgs.runCommand "hwdb.bin"
{ preferLocalBuild = true; { preferLocalBuild = true;
@ -202,20 +205,6 @@ in
''; '';
}; };
initrdRules = mkOption {
default = "";
example = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
'';
type = types.lines;
description = ''
<command>udev</command> rules to include in the initrd
<emphasis>only</emphasis>. They'll be written into file
<filename>99-local.rules</filename>. Thus they are read and applied
after the essential initrd rules.
'';
};
extraRules = mkOption { extraRules = mkOption {
default = ""; default = "";
example = '' example = ''
@ -283,6 +272,52 @@ in
''; '';
}; };
boot.initrd.services.udev = {
packages = mkOption {
type = types.listOf types.path;
default = [];
visible = false;
description = ''
<emphasis>This will only be used when systemd is used in stage 1.</emphasis>
List of packages containing <command>udev</command> rules that will be copied to stage 1.
All files found in
<filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and
<filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename>
will be included.
'';
};
binPackages = mkOption {
type = types.listOf types.path;
default = [];
visible = false;
description = ''
<emphasis>This will only be used when systemd is used in stage 1.</emphasis>
Packages to search for binaries that are referenced by the udev rules in stage 1.
This list always contains /bin of the initrd.
'';
apply = map getBin;
};
rules = mkOption {
default = "";
example = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
'';
type = types.lines;
description = ''
<command>udev</command> rules to include in the initrd
<emphasis>only</emphasis>. They'll be written into file
<filename>99-local.rules</filename>. Thus they are read and applied
after the essential initrd rules.
'';
};
};
}; };
@ -298,16 +333,54 @@ in
boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ]; boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ];
boot.initrd.extraUdevRulesCommands = optionalString (cfg.initrdRules != "") boot.initrd.extraUdevRulesCommands = optionalString (!config.boot.initrd.systemd.enable && config.boot.initrd.services.udev.rules != "")
'' ''
cat <<'EOF' > $out/99-local.rules cat <<'EOF' > $out/99-local.rules
${cfg.initrdRules} ${config.boot.initrd.services.udev.rules}
EOF EOF
''; '';
boot.initrd.systemd.additionalUpstreamUnits = [
# TODO: "initrd-udevadm-cleanup-db.service" is commented out because of https://github.com/systemd/systemd/issues/12953
"systemd-udevd-control.socket"
"systemd-udevd-kernel.socket"
"systemd-udevd.service"
"systemd-udev-settle.service"
"systemd-udev-trigger.service"
];
boot.initrd.systemd.storePaths = [
"${config.boot.initrd.systemd.package}/lib/systemd/systemd-udevd"
"${config.boot.initrd.systemd.package}/lib/udev"
] ++ map (x: "${x}/bin") config.boot.initrd.services.udev.binPackages;
# Generate the udev rules for the initrd
boot.initrd.systemd.contents = {
"/etc/udev/rules.d".source = udevRulesFor {
name = "initrd-udev-rules";
initrdBin = config.boot.initrd.systemd.contents."/bin".source;
udevPackages = config.boot.initrd.services.udev.packages;
udevPath = config.boot.initrd.systemd.contents."/bin".source;
udev = config.boot.initrd.systemd.package;
systemd = config.boot.initrd.systemd.package;
binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ];
};
};
# Insert custom rules
boot.initrd.services.udev.packages = mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile {
name = "initrd-udev-rules";
destination = "/etc/udev/rules.d/99-local.rules";
text = config.boot.initrd.services.udev.rules;
});
environment.etc = environment.etc =
{ {
"udev/rules.d".source = udevRules; "udev/rules.d".source = udevRulesFor {
name = "udev-rules";
udevPackages = cfg.packages;
systemd = config.systemd.package;
binPackages = cfg.packages;
inherit udevPath udev;
};
"udev/hwdb.bin".source = hwdbBin; "udev/hwdb.bin".source = hwdbBin;
}; };
@ -338,4 +411,8 @@ in
}; };
}; };
imports = [
(mkRenamedOptionModule [ "services" "udev" "initrdRules" ] [ "boot" "initrd" "services" "udev" "rules" ])
];
} }


@ -192,7 +192,6 @@ in {
log_dir = "/var/log/mailman"; log_dir = "/var/log/mailman";
lock_dir = "$var_dir/lock"; lock_dir = "$var_dir/lock";
etc_dir = "/etc"; etc_dir = "/etc";
ext_dir = "$etc_dir/mailman.d";
pid_file = "/run/mailman/master.pid"; pid_file = "/run/mailman/master.pid";
}; };


@ -2,11 +2,13 @@
with lib; with lib;
let let
cfg = config.services.paperless-ng; cfg = config.services.paperless;
defaultUser = "paperless"; defaultUser = "paperless";
hasCustomRedis = hasAttr "PAPERLESS_REDIS" cfg.extraConfig; # Don't start a redis instance if the user sets a custom redis connection
enableRedis = !hasAttr "PAPERLESS_REDIS" cfg.extraConfig;
redisServer = config.services.redis.servers.paperless;
env = { env = {
PAPERLESS_DATA_DIR = cfg.dataDir; PAPERLESS_DATA_DIR = cfg.dataDir;
@ -15,15 +17,15 @@ let
GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}"; GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}";
} // ( } // (
lib.mapAttrs (_: toString) cfg.extraConfig lib.mapAttrs (_: toString) cfg.extraConfig
) // (optionalAttrs (!hasCustomRedis) { ) // (optionalAttrs enableRedis {
PAPERLESS_REDIS = "unix://${config.services.redis.servers.paperless-ng.unixSocket}"; PAPERLESS_REDIS = "unix://${redisServer.unixSocket}";
}); });
manage = let manage = let
setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env); setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env);
in pkgs.writeShellScript "manage" '' in pkgs.writeShellScript "manage" ''
${setupEnv} ${setupEnv}
exec ${cfg.package}/bin/paperless-ng "$@" exec ${cfg.package}/bin/paperless-ngx "$@"
''; '';
# Secure the services # Secure the services
@ -36,7 +38,7 @@ let
"-/etc/hosts" "-/etc/hosts"
"-/etc/localtime" "-/etc/localtime"
"-/run/postgresql" "-/run/postgresql"
] ++ (optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.unixSocket); ] ++ (optional enableRedis redisServer.unixSocket);
BindPaths = [ BindPaths = [
cfg.consumptionDir cfg.consumptionDir
cfg.dataDir cfg.dataDir
@ -53,7 +55,6 @@ let
PrivateNetwork = true; PrivateNetwork = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
# Breaks if the home dir of the user is in /home # Breaks if the home dir of the user is in /home
# Also does not add much value in combination with the TemporaryFileSystem. # Also does not add much value in combination with the TemporaryFileSystem.
@ -66,11 +67,15 @@ let
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
# Don't restrict ProcSubset because django-q requires read access to /proc/stat
# to query CPU and memory information.
# Note that /proc only contains processes of user `paperless`, so this is safe.
# ProcSubset = "pid";
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SupplementaryGroups = optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.user; SupplementaryGroups = optional enableRedis redisServer.user;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
# Does not work well with the temporary root # Does not work well with the temporary root
@ -81,26 +86,22 @@ in
meta.maintainers = with maintainers; [ earvstedt Flakebi ]; meta.maintainers = with maintainers; [ earvstedt Flakebi ];
imports = [ imports = [
(mkRemovedOptionModule [ "services" "paperless"] '' (mkRenamedOptionModule [ "services" "paperless-ng" ] [ "services" "paperless" ])
The paperless module has been removed as the upstream project died.
Users should migrate to the paperless-ng module (services.paperless-ng).
More information can be found in the NixOS 21.11 release notes.
'')
]; ];
options.services.paperless-ng = { options.services.paperless = {
enable = mkOption { enable = mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Enable Paperless-ng. Enable Paperless.
When started, the Paperless database is automatically created if it doesn't When started, the Paperless database is automatically created if it doesn't
exist and updated if the Paperless package has changed. exist and updated if the Paperless package has changed.
Both tasks are achieved by running a Django migration. Both tasks are achieved by running a Django migration.
A script to manage the Paperless instance (by wrapping Django's manage.py) is linked to A script to manage the Paperless instance (by wrapping Django's manage.py) is linked to
<literal>''${dataDir}/paperless-ng-manage</literal>. <literal>''${dataDir}/paperless-manage</literal>.
''; '';
}; };
@ -133,13 +134,13 @@ in
passwordFile = mkOption { passwordFile = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
example = "/run/keys/paperless-ng-password"; example = "/run/keys/paperless-password";
description = '' description = ''
A file containing the superuser password. A file containing the superuser password.
A superuser is required to access the web interface. A superuser is required to access the web interface.
If unset, you can create a superuser manually by running If unset, you can create a superuser manually by running
<literal>''${dataDir}/paperless-ng-manage createsuperuser</literal>. <literal>''${dataDir}/paperless-manage createsuperuser</literal>.
The default superuser name is <literal>admin</literal>. To change it, set The default superuser name is <literal>admin</literal>. To change it, set
option <option>extraConfig.PAPERLESS_ADMIN_USER</option>. option <option>extraConfig.PAPERLESS_ADMIN_USER</option>.
@ -168,9 +169,9 @@ in
type = types.attrs; type = types.attrs;
default = {}; default = {};
description = '' description = ''
Extra paperless-ng config options. Extra paperless config options.
See <link xlink:href="https://paperless-ng.readthedocs.io/en/latest/configuration.html">the documentation</link> See <link xlink:href="https://paperless-ngx.readthedocs.io/en/latest/configuration.html">the documentation</link>
for available options. for available options.
''; '';
example = literalExpression '' example = literalExpression ''
@ -188,15 +189,14 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.paperless-ng; default = pkgs.paperless-ngx;
defaultText = literalExpression "pkgs.paperless-ng"; defaultText = literalExpression "pkgs.paperless-ngx";
description = "The Paperless package to use."; description = "The Paperless package to use.";
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Enable redis if no special url is set services.redis.servers.paperless.enable = mkIf enableRedis true;
services.redis.servers.paperless-ng.enable = mkIf (!hasCustomRedis) true;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
@ -208,11 +208,11 @@ in
) )
]; ];
systemd.services.paperless-ng-server = { systemd.services.paperless-scheduler = {
description = "Paperless document server"; description = "Paperless scheduler";
serviceConfig = defaultServiceConfig // { serviceConfig = defaultServiceConfig // {
User = cfg.user; User = cfg.user;
ExecStart = "${cfg.package}/bin/paperless-ng qcluster"; ExecStart = "${cfg.package}/bin/paperless-ngx qcluster";
Restart = "on-failure"; Restart = "on-failure";
# The `mbind` syscall is needed for running the classifier. # The `mbind` syscall is needed for running the classifier.
SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ]; SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ];
@ -221,15 +221,15 @@ in
}; };
environment = env; environment = env;
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
wants = [ "paperless-ng-consumer.service" "paperless-ng-web.service" ]; wants = [ "paperless-consumer.service" "paperless-web.service" ];
preStart = '' preStart = ''
ln -sf ${manage} ${cfg.dataDir}/paperless-ng-manage ln -sf ${manage} ${cfg.dataDir}/paperless-manage
# Auto-migrate on first run or if the package has changed # Auto-migrate on first run or if the package has changed
versionFile="${cfg.dataDir}/src-version" versionFile="${cfg.dataDir}/src-version"
if [[ $(cat "$versionFile" 2>/dev/null) != ${cfg.package} ]]; then if [[ $(cat "$versionFile" 2>/dev/null) != ${cfg.package} ]]; then
${cfg.package}/bin/paperless-ng migrate ${cfg.package}/bin/paperless-ngx migrate
echo ${cfg.package} > "$versionFile" echo ${cfg.package} > "$versionFile"
fi fi
'' ''
@ -240,20 +240,18 @@ in
superuserStateFile="${cfg.dataDir}/superuser-state" superuserStateFile="${cfg.dataDir}/superuser-state"
if [[ $(cat "$superuserStateFile" 2>/dev/null) != $superuserState ]]; then if [[ $(cat "$superuserStateFile" 2>/dev/null) != $superuserState ]]; then
${cfg.package}/bin/paperless-ng manage_superuser ${cfg.package}/bin/paperless-ngx manage_superuser
echo "$superuserState" > "$superuserStateFile" echo "$superuserState" > "$superuserStateFile"
fi fi
''; '';
} // optionalAttrs (!hasCustomRedis) { } // optionalAttrs enableRedis {
after = [ "redis-paperless-ng.service" ]; after = [ "redis-paperless.service" ];
}; };
# Password copying can't be implemented as a privileged preStart script # Reading the user-provided password file requires root access
# in 'paperless-ng-server' because 'defaultServiceConfig' limits the filesystem systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) {
# paths accessible by the service. requiredBy = [ "paperless-scheduler.service" ];
systemd.services.paperless-ng-copy-password = mkIf (cfg.passwordFile != null) { before = [ "paperless-scheduler.service" ];
requiredBy = [ "paperless-ng-server.service" ];
before = [ "paperless-ng-server.service" ];
serviceConfig = { serviceConfig = {
ExecStart = '' ExecStart = ''
${pkgs.coreutils}/bin/install --mode 600 --owner '${cfg.user}' --compare \ ${pkgs.coreutils}/bin/install --mode 600 --owner '${cfg.user}' --compare \
@ -263,27 +261,27 @@ in
}; };
}; };
systemd.services.paperless-ng-consumer = { systemd.services.paperless-consumer = {
description = "Paperless document consumer"; description = "Paperless document consumer";
serviceConfig = defaultServiceConfig // { serviceConfig = defaultServiceConfig // {
User = cfg.user; User = cfg.user;
ExecStart = "${cfg.package}/bin/paperless-ng document_consumer"; ExecStart = "${cfg.package}/bin/paperless-ngx document_consumer";
Restart = "on-failure"; Restart = "on-failure";
}; };
environment = env; environment = env;
# Bind to `paperless-ng-server` so that the consumer never runs # Bind to `paperless-scheduler` so that the consumer never runs
# during migrations # during migrations
bindsTo = [ "paperless-ng-server.service" ]; bindsTo = [ "paperless-scheduler.service" ];
after = [ "paperless-ng-server.service" ]; after = [ "paperless-scheduler.service" ];
}; };
systemd.services.paperless-ng-web = { systemd.services.paperless-web = {
description = "Paperless web server"; description = "Paperless web server";
serviceConfig = defaultServiceConfig // { serviceConfig = defaultServiceConfig // {
User = cfg.user; User = cfg.user;
ExecStart = '' ExecStart = ''
${pkgs.python3Packages.gunicorn}/bin/gunicorn \ ${pkgs.python3Packages.gunicorn}/bin/gunicorn \
-c ${cfg.package}/lib/paperless-ng/gunicorn.conf.py paperless.asgi:application -c ${cfg.package}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
''; '';
Restart = "on-failure"; Restart = "on-failure";
@ -296,15 +294,15 @@ in
}; };
environment = env // { environment = env // {
PATH = mkForce cfg.package.path; PATH = mkForce cfg.package.path;
PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ng/src"; PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ngx/src";
}; };
# Allow the web interface to access the private /tmp directory of the server. # Allow the web interface to access the private /tmp directory of the server.
# This is required to support uploading files via the web interface. # This is required to support uploading files via the web interface.
unitConfig.JoinsNamespaceOf = "paperless-ng-server.service"; unitConfig.JoinsNamespaceOf = "paperless-scheduler.service";
# Bind to `paperless-ng-server` so that the web server never runs # Bind to `paperless-scheduler` so that the web server never runs
# during migrations # during migrations
bindsTo = [ "paperless-ng-server.service" ]; bindsTo = [ "paperless-scheduler.service" ];
after = [ "paperless-ng-server.service" ]; after = [ "paperless-scheduler.service" ];
}; };
users = optionalAttrs (cfg.user == defaultUser) { users = optionalAttrs (cfg.user == defaultUser) {
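Review bot: Commenting out `ProcSubset = "pid";` in the shared `defaultServiceConfig` relaxes the /proc restriction for every unit that merges that set (scheduler, consumer and web in this file), while the added comment ties the need to django-q only. The comment's reasoning is also imprecise: `ProtectProc = "invisible"` is what hides other users' process directories, whereas `ProcSubset` governs the non-process entries such as /proc/stat, so those system-wide files become readable by all three services. If only the `qcluster` process needs them, keep `ProcSubset = "pid";` in the default set and add `ProcSubset = "all";` to `systemd.services.paperless-scheduler.serviceConfig`. Whether the web or consumer processes also read /proc/stat is not visible here and should be checked first. `defaultServiceConfig` begins outside this hunk.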


@ -74,7 +74,6 @@ let
}" }"
"--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}" "--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}"
"--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}" "--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}"
"--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s"
] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}" ] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}"
++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}"; ++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}";
@ -1563,6 +1562,8 @@ in
(mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ]) (mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ])
(mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ] (mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ]
"It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.") "It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.")
(mkRemovedOptionModule [ "services" "prometheus" "alertmanagerTimeout" ]
"Deprecated upstream and no longer had any effect")
]; ];
options.services.prometheus = { options.services.prometheus = {
@ -1719,14 +1720,6 @@ in
''; '';
}; };
alertmanagerTimeout = mkOption {
type = types.int;
default = 10;
description = ''
Alert manager HTTP API timeout (in seconds).
'';
};
webExternalUrl = mkOption { webExternalUrl = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;


@ -0,0 +1,137 @@
{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.networking.openconnect;
openconnect = cfg.package;
pkcs11 = types.strMatching "pkcs11:.+" // {
name = "pkcs11";
description = "PKCS#11 URI";
};
interfaceOptions = {
options = {
gateway = mkOption {
description = "Gateway server to connect to.";
example = "gateway.example.com";
type = types.str;
};
protocol = mkOption {
description = "Protocol to use.";
example = "anyconnect";
type =
types.enum [ "anyconnect" "array" "nc" "pulse" "gp" "f5" "fortinet" ];
};
user = mkOption {
description = "Username to authenticate with.";
example = "example-user";
type = types.nullOr types.str;
};
# Note: It does not make sense to provide a way to declaratively
# set an authentication cookie, because they have to be requested
# for every new connection and would only work once.
passwordFile = mkOption {
description = ''
File containing the password to authenticate with. This
is passed to <code>openconnect</code> via the
<code>--passwd-on-stdin</code> option.
'';
default = null;
example = "/var/lib/secrets/openconnect-passwd";
type = types.nullOr types.path;
};
certificate = mkOption {
description = "Certificate to authenticate with.";
default = null;
example = "/var/lib/secrets/openconnect_certificate.pem";
type = with types; nullOr (either path pkcs11);
};
privateKey = mkOption {
description = "Private key to authenticate with.";
example = "/var/lib/secrets/openconnect_private_key.pem";
default = null;
type = with types; nullOr (either path pkcs11);
};
extraOptions = mkOption {
description = ''
Extra config to be appended to the interface config. It should
contain long-format options as would be accepted on the command
line by <code>openconnect</code>
(see https://www.infradead.org/openconnect/manual.html).
Non-key-value options like <code>deflate</code> can be used by
declaring them as booleans, i. e. <code>deflate = true;</code>.
'';
default = { };
example = {
compression = "stateless";
no-http-keepalive = true;
no-dtls = true;
};
type = with types; attrsOf (either str bool);
};
};
};
generateExtraConfig = extra_cfg:
strings.concatStringsSep "\n" (attrsets.mapAttrsToList
(name: value: if (value == true) then name else "${name}=${value}")
(attrsets.filterAttrs (_: value: value != false) extra_cfg));
generateConfig = name: icfg:
pkgs.writeText "config" ''
interface=${name}
${optionalString (icfg.user != null) "user=${icfg.user}"}
${optionalString (icfg.passwordFile != null) "passwd-on-stdin"}
${optionalString (icfg.certificate != null)
"certificate=${icfg.certificate}"}
${optionalString (icfg.privateKey != null) "sslkey=${icfg.privateKey}"}
${generateExtraConfig icfg.extraOptions}
'';
generateUnit = name: icfg: {
description = "OpenConnect Interface - ${name}";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${openconnect}/bin/openconnect --config=${
generateConfig name icfg
} ${icfg.gateway}";
StandardInput = "file:${icfg.passwordFile}";
ProtectHome = true;
};
};
in {
options.networking.openconnect = {
package = mkPackageOption pkgs "openconnect" { };
interfaces = mkOption {
description = "OpenConnect interfaces.";
default = { };
example = {
openconnect0 = {
gateway = "gateway.example.com";
protocol = "anyconnect";
user = "example-user";
passwordFile = "/var/lib/secrets/openconnect-passwd";
};
};
type = with types; attrsOf (submodule interfaceOptions);
};
};
config = {
systemd.services = mapAttrs' (name: value: {
name = "openconnect-${name}";
value = generateUnit name value;
}) cfg.interfaces;
};
meta.maintainers = with maintainers; [ alyaeanyx ];
}
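Review bot: `StandardInput = "file:${icfg.passwordFile}";` in `generateUnit` is set unconditionally, but `passwordFile` defaults to `null` and interpolating null into a string fails at evaluation, so an interface that authenticates by certificate only cannot be built. Guard it the way `generateConfig` already guards `passwd-on-stdin`, e.g. `StandardInput = mkIf (icfg.passwordFile != null) "file:${icfg.passwordFile}";`. The `protocol` option is declared without a default (so it is mandatory) yet `generateConfig` never writes it, which means openconnect runs with its built-in default protocol whatever is configured; add a `protocol=${icfg.protocol}` line to the generated config. The descriptions of `passwordFile`, `certificate` and `privateKey` should also say that the value must be a path string outside the Nix store, because a Nix path literal interpolated here would be copied into the world-readable store.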


@ -1,31 +1,37 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let
cfg = config.services.shellhub-agent; cfg = config.services.shellhub-agent;
in { in
{
###### interface ###### interface
options = { options = {
services.shellhub-agent = { services.shellhub-agent = {
enable = mkOption { enable = mkEnableOption "ShellHub Agent daemon";
type = types.bool;
default = false; package = mkPackageOption pkgs "shellhub-agent" { };
preferredHostname = mkOption {
type = types.str;
default = "";
description = '' description = ''
Whether to enable the ShellHub Agent daemon, which allows Set the device preferred hostname. This provides a hint to
secure remote logins. the server to use this as hostname if it is available.
''; '';
}; };
package = mkOption { keepAliveInterval = mkOption {
type = types.package; type = types.int;
default = pkgs.shellhub-agent; default = 30;
defaultText = literalExpression "pkgs.shellhub-agent";
description = '' description = ''
Which ShellHub Agent package to use. Determine the interval to send the keep alive message to
the server. This has a direct impact of the bandwidth
used by the device.
''; '';
}; };
@ -74,9 +80,13 @@ in {
"time-sync.target" "time-sync.target"
]; ];
environment.SERVER_ADDRESS = cfg.server; environment = {
environment.PRIVATE_KEY = cfg.privateKey; SHELLHUB_SERVER_ADDRESS = cfg.server;
environment.TENANT_ID = cfg.tenantId; SHELLHUB_PRIVATE_KEY = cfg.privateKey;
SHELLHUB_TENANT_ID = cfg.tenantId;
SHELLHUB_KEEPALIVE_INTERVAL = toString cfg.keepAliveInterval;
SHELLHUB_PREFERRED_HOSTNAME = cfg.preferredHostname;
};
serviceConfig = { serviceConfig = {
# The service starts sessions for different users. # The service starts sessions for different users.
@ -85,7 +95,6 @@ in {
ExecStart = "${cfg.package}/bin/agent"; ExecStart = "${cfg.package}/bin/agent";
}; };
}; };
environment.systemPackages = [ cfg.package ];
}; };
} }
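Review bot: `keepAliveInterval` is typed `types.int`, so zero and negative values pass evaluation and are exported as `SHELLHUB_KEEPALIVE_INTERVAL`; `type = types.ints.positive;` would reject them at build time. Its description should state the unit (presumably seconds, to be confirmed against the agent) and reads better as "a direct impact on the bandwidth". `SHELLHUB_PREFERRED_HOSTNAME` is now always exported, as an empty string by default; whether the agent treats an empty value as unset is not visible in this hunk and is worth confirming.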


@ -609,6 +609,7 @@ in
connection_reaper_interval = 30; connection_reaper_interval = 30;
relative_url_root = null; relative_url_root = null;
message_bus_max_backlog_size = 100; message_bus_max_backlog_size = 100;
message_bus_clear_every = 50;
secret_key_base = cfg.secretKeyBaseFile; secret_key_base = cfg.secretKeyBaseFile;
fallback_assets_path = null; fallback_assets_path = null;
@ -655,7 +656,12 @@ in
long_polling_interval = null; long_polling_interval = null;
}; };
services.redis.enable = lib.mkDefault (cfg.redis.host == "localhost"); services.redis.servers.discourse =
lib.mkIf (lib.elem cfg.redis.host [ "localhost" "127.0.0.1" ]) {
enable = true;
bind = cfg.redis.host;
port = cfg.backendSettings.redis_port;
};
services.postgresql = lib.mkIf databaseActuallyCreateLocally { services.postgresql = lib.mkIf databaseActuallyCreateLocally {
enable = true; enable = true;
@ -696,12 +702,12 @@ in
systemd.services.discourse = { systemd.services.discourse = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ after = [
"redis.service" "redis-discourse.service"
"postgresql.service" "postgresql.service"
"discourse-postgresql.service" "discourse-postgresql.service"
]; ];
bindsTo = [ bindsTo = [
"redis.service" "redis-discourse.service"
] ++ lib.optionals (cfg.database.host == null) [ ] ++ lib.optionals (cfg.database.host == null) [
"postgresql.service" "postgresql.service"
"discourse-postgresql.service" "discourse-postgresql.service"
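Review bot: `after` and `bindsTo` of `systemd.services.discourse` name `redis-discourse.service` unconditionally, but `services.redis.servers.discourse` is only defined when `cfg.redis.host` is `localhost` or `127.0.0.1`. With a remote Redis host that unit would not exist, and a `BindsTo=` on a missing unit is likely to keep discourse from starting. Put the host check in one let-binding and reuse it in both lists, e.g. `lib.optional redisLocal "redis-discourse.service"`, the way the PostgreSQL units in `bindsTo` are already gated on `cfg.database.host == null`. The rest of the unit definition lies outside this hunk.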


@ -0,0 +1,318 @@
{ lib, pkgs, config, options, ... }:
let
cfg = config.services.nifi;
opt = options.services.nifi;
env = {
NIFI_OVERRIDE_NIFIENV = "true";
NIFI_HOME = "/var/lib/nifi";
NIFI_PID_DIR = "/run/nifi";
NIFI_LOG_DIR = "/var/log/nifi";
};
envFile = pkgs.writeText "nifi.env" (lib.concatMapStrings (s: s + "\n") (
(lib.concatLists (lib.mapAttrsToList (name: value:
if value != null then [
"${name}=\"${toString value}\""
] else []
) env))));
nifiEnv = pkgs.writeShellScriptBin "nifi-env" ''
set -a
source "${envFile}"
eval -- "\$@"
'';
in {
options = {
services.nifi = {
enable = lib.mkEnableOption "Apache NiFi";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.nifi;
defaultText = lib.literalExpression "pkgs.nifi";
description = "Apache NiFi package to use.";
};
user = lib.mkOption {
type = lib.types.str;
default = "nifi";
description = "User account where Apache NiFi runs.";
};
group = lib.mkOption {
type = lib.types.str;
default = "nifi";
description = "Group account where Apache NiFi runs.";
};
enableHTTPS = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable HTTPS protocol. Don`t use in production.";
};
listenHost = lib.mkOption {
type = lib.types.str;
default = if cfg.enableHTTPS then "0.0.0.0" else "127.0.0.1";
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "0.0.0.0"
else "127.0.0.1"
'';
description = "Bind to an ip for Apache NiFi web-ui.";
};
listenPort = lib.mkOption {
type = lib.types.int;
default = if cfg.enableHTTPS then 8443 else 8080;
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "8443"
else "8000"
'';
description = "Bind to a port for Apache NiFi web-ui.";
};
proxyHost = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = if cfg.enableHTTPS then "0.0.0.0" else null;
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "0.0.0.0"
else null
'';
description = "Allow requests from a specific host.";
};
proxyPort = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = if cfg.enableHTTPS then 8443 else null;
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "8443"
else null
'';
description = "Allow requests from a specific port.";
};
initUser = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Initial user account for Apache NiFi. Username must be at least 4 characters.";
};
initPasswordFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/run/keys/nifi/password-nifi";
description = "nitial password for Apache NiFi. Password must be at least 12 characters.";
};
initJavaHeapSize = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
example = 1024;
description = "Set the initial heap size for the JVM in MB.";
};
maxJavaHeapSize = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
example = 2048;
description = "Set the initial heap size for the JVM in MB.";
};
};
};
config = lib.mkIf cfg.enable {
assertions = [
{ assertion = cfg.initUser!=null || cfg.initPasswordFile==null;
message = ''
<option>services.nifi.initUser</option> needs to be set if <option>services.nifi.initPasswordFile</option> enabled.
'';
}
{ assertion = cfg.initUser==null || cfg.initPasswordFile!=null;
message = ''
<option>services.nifi.initPasswordFile</option> needs to be set if <option>services.nifi.initUser</option> enabled.
'';
}
{ assertion = cfg.proxyHost==null || cfg.proxyPort!=null;
message = ''
<option>services.nifi.proxyPort</option> needs to be set if <option>services.nifi.proxyHost</option> value specified.
'';
}
{ assertion = cfg.proxyHost!=null || cfg.proxyPort==null;
message = ''
<option>services.nifi.proxyHost</option> needs to be set if <option>services.nifi.proxyPort</option> value specified.
'';
}
{ assertion = cfg.initJavaHeapSize==null || cfg.maxJavaHeapSize!=null;
message = ''
<option>services.nifi.maxJavaHeapSize</option> needs to be set if <option>services.nifi.initJavaHeapSize</option> value specified.
'';
}
{ assertion = cfg.initJavaHeapSize!=null || cfg.maxJavaHeapSize==null;
message = ''
<option>services.nifi.initJavaHeapSize</option> needs to be set if <option>services.nifi.maxJavaHeapSize</option> value specified.
'';
}
];
warnings = lib.optional (cfg.enableHTTPS==false) ''
Please do not disable HTTPS mode in production. In this mode, access to the nifi is opened without authentication.
'';
systemd.tmpfiles.rules = [
"d '/var/lib/nifi/conf' 0750 ${cfg.user} ${cfg.group}"
"L+ '/var/lib/nifi/lib' - - - - ${cfg.package}/lib"
];
systemd.services.nifi = {
description = "Apache NiFi";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = env;
path = [ pkgs.gawk ];
serviceConfig = {
Type = "forking";
PIDFile = "/run/nifi/nifi.pid";
ExecStartPre = pkgs.writeScript "nifi-pre-start.sh" ''
#!/bin/sh
umask 077
test -f '/var/lib/nifi/conf/authorizers.xml' || (cp '${cfg.package}/share/nifi/conf/authorizers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/authorizers.xml')
test -f '/var/lib/nifi/conf/bootstrap.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap.conf')
test -f '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap-hashicorp-vault.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf')
test -f '/var/lib/nifi/conf/bootstrap-notification-services.xml' || (cp '${cfg.package}/share/nifi/conf/bootstrap-notification-services.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-notification-services.xml')
test -f '/var/lib/nifi/conf/logback.xml' || (cp '${cfg.package}/share/nifi/conf/logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/logback.xml')
test -f '/var/lib/nifi/conf/login-identity-providers.xml' || (cp '${cfg.package}/share/nifi/conf/login-identity-providers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/login-identity-providers.xml')
test -f '/var/lib/nifi/conf/nifi.properties' || (cp '${cfg.package}/share/nifi/conf/nifi.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/nifi.properties')
test -f '/var/lib/nifi/conf/stateless-logback.xml' || (cp '${cfg.package}/share/nifi/conf/stateless-logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless-logback.xml')
test -f '/var/lib/nifi/conf/stateless.properties' || (cp '${cfg.package}/share/nifi/conf/stateless.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless.properties')
test -f '/var/lib/nifi/conf/state-management.xml' || (cp '${cfg.package}/share/nifi/conf/state-management.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/state-management.xml')
test -f '/var/lib/nifi/conf/zookeeper.properties' || (cp '${cfg.package}/share/nifi/conf/zookeeper.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/zookeeper.properties')
test -d '/var/lib/nifi/docs/html' || (mkdir -p /var/lib/nifi/docs && cp -r '${cfg.package}/share/nifi/docs/html' '/var/lib/nifi/docs/html')
${lib.optionalString ((cfg.initUser != null) && (cfg.initPasswordFile != null)) ''
awk -F'[<|>]' '/property name="Username"/ {if ($3!="") f=1} END{exit !f}' /var/lib/nifi/conf/login-identity-providers.xml || ${cfg.package}/bin/nifi.sh set-single-user-credentials ${cfg.initUser} $(cat ${cfg.initPasswordFile})
''}
${lib.optionalString (cfg.enableHTTPS == false) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=false|g' \
-e 's|nifi.web.http.host=.*|nifi.web.http.host=${cfg.listenHost}|g' \
-e 's|nifi.web.http.port=.*|nifi.web.http.port=${(toString cfg.listenPort)}|g' \
-e 's|nifi.web.https.host=.*|nifi.web.https.host=|g' \
-e 's|nifi.web.https.port=.*|nifi.web.https.port=|g' \
-e 's|nifi.security.keystore=.*|nifi.security.keystore=|g' \
-e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=|g' \
-e 's|nifi.security.truststore=.*|nifi.security.truststore=|g' \
-e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=|g' \
-e '/nifi.security.keystorePasswd/s|^|#|' \
-e '/nifi.security.keyPasswd/s|^|#|' \
-e '/nifi.security.truststorePasswd/s|^|#|'
''}
${lib.optionalString (cfg.enableHTTPS == true) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=true|g' \
-e 's|nifi.web.http.host=.*|nifi.web.http.host=|g' \
-e 's|nifi.web.http.port=.*|nifi.web.http.port=|g' \
-e 's|nifi.web.https.host=.*|nifi.web.https.host=${cfg.listenHost}|g' \
-e 's|nifi.web.https.port=.*|nifi.web.https.port=${(toString cfg.listenPort)}|g' \
-e 's|nifi.security.keystore=.*|nifi.security.keystore=./conf/keystore.p12|g' \
-e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=PKCS12|g' \
-e 's|nifi.security.truststore=.*|nifi.security.truststore=./conf/truststore.p12|g' \
-e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=PKCS12|g' \
-e '/nifi.security.keystorePasswd/s|^#\+||' \
-e '/nifi.security.keyPasswd/s|^#\+||' \
-e '/nifi.security.truststorePasswd/s|^#\+||'
''}
${lib.optionalString ((cfg.enableHTTPS == true) && (cfg.proxyHost != null) && (cfg.proxyPort != null)) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=${cfg.proxyHost}:${(toString cfg.proxyPort)}|g'
''}
${lib.optionalString ((cfg.enableHTTPS == false) || (cfg.proxyHost == null) && (cfg.proxyPort == null)) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=|g'
''}
${lib.optionalString ((cfg.initJavaHeapSize != null) && (cfg.maxJavaHeapSize != null))''
sed -i /var/lib/nifi/conf/bootstrap.conf \
-e 's|java.arg.2=.*|java.arg.2=-Xms${(toString cfg.initJavaHeapSize)}m|g' \
-e 's|java.arg.3=.*|java.arg.3=-Xmx${(toString cfg.maxJavaHeapSize)}m|g'
''}
${lib.optionalString ((cfg.initJavaHeapSize == null) && (cfg.maxJavaHeapSize == null))''
sed -i /var/lib/nifi/conf/bootstrap.conf \
-e 's|java.arg.2=.*|java.arg.2=-Xms512m|g' \
-e 's|java.arg.3=.*|java.arg.3=-Xmx512m|g'
''}
'';
ExecStart = "${cfg.package}/bin/nifi.sh start";
ExecStop = "${cfg.package}/bin/nifi.sh stop";
# User and group
User = cfg.user;
Group = cfg.group;
# Runtime directory and mode
RuntimeDirectory = "nifi";
RuntimeDirectoryMode = "0750";
# State directory and mode
StateDirectory = "nifi";
StateDirectoryMode = "0750";
# Logs directory and mode
LogsDirectory = "nifi";
LogsDirectoryMode = "0750";
# Proc filesystem
ProcSubset = "pid";
ProtectProc = "invisible";
# Access write directories
ReadWritePaths = [ cfg.initPasswordFile ];
UMask = "0027";
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = false;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @resources @privileged @setuid" "@chown" ];
};
};
users.users = lib.mkMerge [
(lib.mkIf (cfg.user == "nifi") {
nifi = {
group = cfg.group;
isSystemUser = true;
home = cfg.package;
};
})
(lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package nifiEnv ])
];
users.groups = lib.optionalAttrs (cfg.group == "nifi") {
nifi = { };
};
};
}
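Review bot: In `ExecStartPre`, `set-single-user-credentials ${cfg.initUser} $(cat ${cfg.initPasswordFile})` expands both values unquoted, so a password containing whitespace or glob characters is split or expanded by the shell, and the secret is handed to `nifi.sh` as a command-line argument. Quote both, e.g. `${lib.escapeShellArg cfg.initUser} "$(cat ${lib.escapeShellArg cfg.initPasswordFile})"`, and document that the file must be readable by `cfg.user`, since the pre-start script runs under `User = cfg.user`. `ReadWritePaths = [ cfg.initPasswordFile ];` grants write access to a secret that is only read and puts `null` in the list when the option is left at its default; `ReadOnlyPaths = lib.optional (cfg.initPasswordFile != null) cfg.initPasswordFile;` fits the use better. The `enableHTTPS` description ("Don`t use in production") contradicts the warning further down and should say that disabling HTTPS opens NiFi without authentication; `listenPort`'s `defaultText` shows "8000" while the default is 8080, and `maxJavaHeapSize` repeats the "initial heap size" description.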


@ -255,20 +255,22 @@ let
else defaultListen; else defaultListen;
listenString = { addr, port, ssl, extraParameters ? [], ... }: listenString = { addr, port, ssl, extraParameters ? [], ... }:
"listen ${addr}:${toString port} " (if ssl && vhost.http3 then "
+ optionalString ssl "ssl "
+ optionalString (ssl && vhost.http2) "http2 "
+ optionalString vhost.default "default_server "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+ ";"
+ (if ssl && vhost.http3 then ''
# UDP listener for **QUIC+HTTP/3 # UDP listener for **QUIC+HTTP/3
listen ${addr}:${toString port} http3 reuseport; listen ${addr}:${toString port} http3 "
# Advertise that HTTP/3 is available + optionalString vhost.default "default_server "
add_header Alt-Svc 'h3=":443"'; + optionalString vhost.reuseport "reuseport "
# Sent when QUIC was used + optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
add_header QUIC-Status $quic; + ";" else "")
'' else ""); + "
listen ${addr}:${toString port} "
+ optionalString (ssl && vhost.http2) "http2 "
+ optionalString ssl "ssl "
+ optionalString vhost.default "default_server "
+ optionalString vhost.reuseport "reuseport "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+ ";";
redirectListen = filter (x: !x.ssl) defaultListen; redirectListen = filter (x: !x.ssl) defaultListen;
@ -321,6 +323,11 @@ let
ssl_conf_command Options KTLS; ssl_conf_command Options KTLS;
''} ''}
${optionalString (hasSSL && vhost.http3) ''
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"; ma=86400' always;
''}
${mkBasicAuth vhostName vhost} ${mkBasicAuth vhostName vhost}
${mkLocations vhost.locations} ${mkLocations vhost.locations}


@ -20,7 +20,7 @@ with lib;
serverAliases = mkOption { serverAliases = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
example = ["www.example.org" "example.org"]; example = [ "www.example.org" "example.org" ];
description = '' description = ''
Additional names of virtual hosts served by this virtual host configuration. Additional names of virtual hosts served by this virtual host configuration.
''; '';
@ -31,11 +31,11 @@ with lib;
addr = mkOption { type = str; description = "IP address."; }; addr = mkOption { type = str; description = "IP address."; };
port = mkOption { type = int; description = "Port number."; default = 80; }; port = mkOption { type = int; description = "Port number."; default = 80; };
ssl = mkOption { type = bool; description = "Enable SSL."; default = false; }; ssl = mkOption { type = bool; description = "Enable SSL."; default = false; };
extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "reuseport" "deferred" ]; }; extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; };
}; }); }; });
default = []; default = [];
example = [ example = [
{ addr = "195.154.1.1"; port = 443; ssl = true;} { addr = "195.154.1.1"; port = 443; ssl = true; }
{ addr = "192.154.1.1"; port = 80; } { addr = "192.154.1.1"; port = 80; }
]; ];
description = '' description = ''
@ -207,6 +207,15 @@ with lib;
''; '';
}; };
reuseport = mkOption {
type = types.bool;
default = false;
description = ''
Create an individual listening socket .
It is required to specify only once on one of the hosts.
'';
};
root = mkOption { root = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
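Review bot: The description of the new `reuseport` option does not say what the socket is individual to, and it has a stray space before the full stop. Suggested text: `Create an individual listening socket for each worker process (the reuseport parameter of the listen directive). It must be set on only one of the virtual hosts that share an address:port pair.` The `extraParameters` example used to show `"reuseport"`, and both values end up in the same `listen` line, so the description should also say not to set it in both places.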


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
with lib; with lib;
@ -196,7 +196,7 @@ in
programs.evince.enable = mkDefault true; programs.evince.enable = mkDefault true;
programs.file-roller.enable = mkDefault true; programs.file-roller.enable = mkDefault true;
environment.systemPackages = (with pkgs // pkgs.gnome // pkgs.cinnamon; pkgs.gnome.removePackagesByName [ environment.systemPackages = with pkgs // pkgs.gnome // pkgs.cinnamon; utils.removePackagesByName [
# cinnamon team apps # cinnamon team apps
bulky bulky
blueberry blueberry
@ -212,7 +212,7 @@ in
# external apps shipped with linux-mint # external apps shipped with linux-mint
hexchat hexchat
gnome-calculator gnome-calculator
] config.environment.cinnamon.excludePackages); ] config.environment.cinnamon.excludePackages;
}) })
]; ];
} }


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
with lib; with lib;
@ -42,7 +42,8 @@ let
chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides
cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF
[org.gnome.desktop.background] [org.gnome.desktop.background]
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}' picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-blue.gnomeFilePath}'
picture-uri-dark='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}'
[org.gnome.desktop.screensaver] [org.gnome.desktop.screensaver]
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath}' picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath}'
@ -455,7 +456,7 @@ in
(mkIf serviceCfg.core-utilities.enable { (mkIf serviceCfg.core-utilities.enable {
environment.systemPackages = environment.systemPackages =
with pkgs.gnome; with pkgs.gnome;
removePackagesByName utils.removePackagesByName
([ ([
baobab baobab
cheese cheese
@ -515,7 +516,7 @@ in
}) })
(mkIf serviceCfg.games.enable { (mkIf serviceCfg.games.enable {
environment.systemPackages = (with pkgs.gnome; removePackagesByName [ environment.systemPackages = with pkgs.gnome; utils.removePackagesByName [
aisleriot aisleriot
atomix atomix
five-or-more five-or-more
@ -536,12 +537,12 @@ in
quadrapassel quadrapassel
swell-foop swell-foop
tali tali
] config.environment.gnome.excludePackages); ] config.environment.gnome.excludePackages;
}) })
# Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/-/blob/3.38.0/elements/core/meta-gnome-core-developer-tools.bst # Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/-/blob/3.38.0/elements/core/meta-gnome-core-developer-tools.bst
(mkIf serviceCfg.core-developer-tools.enable { (mkIf serviceCfg.core-developer-tools.enable {
environment.systemPackages = (with pkgs.gnome; removePackagesByName [ environment.systemPackages = with pkgs.gnome; utils.removePackagesByName [
dconf-editor dconf-editor
devhelp devhelp
pkgs.gnome-builder pkgs.gnome-builder
@ -550,7 +551,7 @@ in
# in default configurations. # in default configurations.
# https://github.com/NixOS/nixpkgs/issues/60908 # https://github.com/NixOS/nixpkgs/issues/60908
/* gnome-boxes */ /* gnome-boxes */
] config.environment.gnome.excludePackages); ] config.environment.gnome.excludePackages;
services.sysprof.enable = notExcluded pkgs.sysprof; services.sysprof.enable = notExcluded pkgs.sysprof;
}) })


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
with lib; with lib;
@ -51,7 +51,7 @@ in
environment.systemPackages = environment.systemPackages =
pkgs.lxqt.preRequisitePackages ++ pkgs.lxqt.preRequisitePackages ++
pkgs.lxqt.corePackages ++ pkgs.lxqt.corePackages ++
(pkgs.gnome.removePackagesByName (utils.removePackagesByName
pkgs.lxqt.optionalPackages pkgs.lxqt.optionalPackages
config.environment.lxqt.excludePackages); config.environment.lxqt.excludePackages);


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, utils, ... }:
with lib; with lib;
@ -47,7 +47,7 @@ in
# Debugging # Debugging
environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1"; environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1";
environment.systemPackages = pkgs.gnome.removePackagesByName environment.systemPackages = utils.removePackagesByName
(pkgs.mate.basePackages ++ (pkgs.mate.basePackages ++
pkgs.mate.extraPackages ++ pkgs.mate.extraPackages ++
[ [


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, utils, pkgs, ... }:
with lib; with lib;
@ -214,7 +214,7 @@ in
elementary-settings-daemon elementary-settings-daemon
pantheon-agent-geoclue2 pantheon-agent-geoclue2
pantheon-agent-polkit pantheon-agent-polkit
]) ++ (gnome.removePackagesByName [ ]) ++ (utils.removePackagesByName [
gnome.gnome-font-viewer gnome.gnome-font-viewer
gnome.gnome-settings-daemon338 gnome.gnome-settings-daemon338
] config.environment.pantheon.excludePackages); ] config.environment.pantheon.excludePackages);
@ -272,7 +272,7 @@ in
}) })
(mkIf serviceCfg.apps.enable { (mkIf serviceCfg.apps.enable {
environment.systemPackages = with pkgs.pantheon; pkgs.gnome.removePackagesByName ([ environment.systemPackages = with pkgs.pantheon; utils.removePackagesByName ([
elementary-calculator elementary-calculator
elementary-calendar elementary-calendar
elementary-camera elementary-camera


@ -66,6 +66,12 @@ in
default = true; default = true;
description = "Enable the XFWM (default) window manager."; description = "Enable the XFWM (default) window manager.";
}; };
enableScreensaver = mkOption {
type = types.bool;
default = true;
description = "Enable the XFCE screensaver.";
};
}; };
}; };
@ -99,7 +105,6 @@ in
ristretto ristretto
xfce4-appfinder xfce4-appfinder
xfce4-notifyd xfce4-notifyd
xfce4-screensaver
xfce4-screenshooter xfce4-screenshooter
xfce4-session xfce4-session
xfce4-settings xfce4-settings
@ -123,7 +128,7 @@ in
] ++ optionals (!cfg.noDesktop) [ ] ++ optionals (!cfg.noDesktop) [
xfce4-panel xfce4-panel
xfdesktop xfdesktop
]; ] ++ optional cfg.enableScreensaver xfce4-screensaver;
environment.pathsToLink = [ environment.pathsToLink = [
"/share/xfce4" "/share/xfce4"
@ -169,6 +174,6 @@ in
xfce4-notifyd xfce4-notifyd
]; ];
security.pam.services.xfce4-screensaver.unixAuth = true; security.pam.services.xfce4-screensaver.unixAuth = cfg.enableScreensaver;
}; };
} }
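Review bot: With `enableScreensaver = false`, the last hunk still defines `security.pam.services.xfce4-screensaver`, only with `unixAuth` turned off, so a PAM service for a program that is no longer installed is presumably still generated. Guarding the whole definition keeps the PAM configuration in step with the package list, along the lines of `security.pam.services.xfce4-screensaver = mkIf cfg.enableScreensaver { unixAuth = true; };`. The option description `"Enable the XFCE screensaver."` should also mention that this package is, as far as I can tell, what locks the session. Disabling it then leaves the desktop without a screen lock unless another locker is configured.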


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, utils, pkgs, ... }:
with lib; with lib;
@ -181,6 +181,13 @@ in
''; '';
}; };
excludePackages = mkOption {
default = [];
example = literalExpression "[ pkgs.xterm ]";
type = types.listOf types.package;
description = "Which X11 packages to exclude from the default environment";
};
exportConfiguration = mkOption { exportConfiguration = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -655,7 +662,7 @@ in
${cfgPath}.source = xorg.xf86inputevdev.out + "/share" + cfgPath; ${cfgPath}.source = xorg.xf86inputevdev.out + "/share" + cfgPath;
}); });
environment.systemPackages = environment.systemPackages = utils.removePackagesByName
[ xorg.xorgserver.out [ xorg.xorgserver.out
xorg.xrandr xorg.xrandr
xorg.xrdb xorg.xrdb
@ -671,7 +678,7 @@ in
pkgs.xdg-utils pkgs.xdg-utils
xorg.xf86inputevdev.out # get evdev.4 man page xorg.xf86inputevdev.out # get evdev.4 man page
pkgs.nixos-icons # needed for gnome and pantheon about dialog, nixos-manual and maybe more pkgs.nixos-icons # needed for gnome and pantheon about dialog, nixos-manual and maybe more
] ] config.services.xserver.excludePackages
++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh; ++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh;
environment.pathsToLink = [ "/share/X11" ]; environment.pathsToLink = [ "/share/X11" ];
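Review bot: `xorg.xrefresh` cannot be removed through the new `excludePackages` option. In `utils.removePackagesByName [ … ] config.services.xserver.excludePackages ++ optional … xorg.xrefresh`, function application binds tighter than `++`, so the filter covers only the bracketed list. If that is intended, a short comment should say so; otherwise parenthesise the concatenation so the filter applies to the whole list. The option description lacks a closing full stop and does not say how excluded packages are matched (by name, judging from the helper's name). Also, `cfg.excludePackages` would read more consistently next to `cfg.videoDrivers`, assuming `cfg` is `config.services.xserver` here.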


@ -55,11 +55,15 @@ let
substituteInPlace $out/dry-activate --subst-var out substituteInPlace $out/dry-activate --subst-var out
chmod u+x $out/activate $out/dry-activate chmod u+x $out/activate $out/dry-activate
unset activationScript dryActivationScript unset activationScript dryActivationScript
${pkgs.stdenv.shellDryRun} $out/activate
${pkgs.stdenv.shellDryRun} $out/dry-activate
cp ${config.system.build.bootStage2} $out/init ${if config.boot.initrd.systemd.enable then ''
substituteInPlace $out/init --subst-var-by systemConfig $out cp ${config.system.build.bootStage2} $out/prepare-root
substituteInPlace $out/prepare-root --subst-var-by systemConfig $out
ln -s "$systemd/lib/systemd/systemd" $out/init
'' else ''
cp ${config.system.build.bootStage2} $out/init
substituteInPlace $out/init --subst-var-by systemConfig $out
''}
ln -s ${config.system.build.etc}/etc $out/etc ln -s ${config.system.build.etc}/etc $out/etc
ln -s ${config.system.path} $out/sw ln -s ${config.system.path} $out/sw


@ -10,6 +10,36 @@ let
check = { check = {
global = {
sectionNetwork = checkUnitConfig "Network" [
(assertOnlyFields [
"SpeedMeter"
"SpeedMeterIntervalSec"
"ManageForeignRoutingPolicyRules"
"ManageForeignRoutes"
"RouteTable"
])
(assertValueOneOf "SpeedMeter" boolValues)
(assertInt "SpeedMeterIntervalSec")
(assertValueOneOf "ManageForeignRoutingPolicyRules" boolValues)
(assertValueOneOf "ManageForeignRoutes" boolValues)
];
sectionDHCPv4 = checkUnitConfig "DHCPv4" [
(assertOnlyFields [
"DUIDType"
"DUIDRawData"
])
];
sectionDHCPv6 = checkUnitConfig "DHCPv6" [
(assertOnlyFields [
"DUIDType"
"DUIDRawData"
])
];
};
link = { link = {
sectionLink = checkUnitConfig "Link" [ sectionLink = checkUnitConfig "Link" [
@ -871,6 +901,44 @@ let
}; };
}; };
networkdOptions = {
networkConfig = mkOption {
default = {};
example = { SpeedMeter = true; ManageForeignRoutingPolicyRules = false; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionNetwork;
description = ''
Each attribute in this set specifies an option in the
<literal>[Network]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
dhcpV4Config = mkOption {
default = {};
example = { DUIDType = "vendor"; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv4;
description = ''
Each attribute in this set specifies an option in the
<literal>[DHCPv4]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
dhcpV6Config = mkOption {
default = {};
example = { DUIDType = "vendor"; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv6;
description = ''
Each attribute in this set specifies an option in the
<literal>[DHCPv6]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
};
linkOptions = commonNetworkOptions // { linkOptions = commonNetworkOptions // {
# overwrite enable option from above # overwrite enable option from above
enable = mkOption { enable = mkOption {
@ -1519,6 +1587,39 @@ let
}; };
}; };
networkdConfig = { config, ... }: {
options = {
routeTables = mkOption {
default = {};
example = { foo = 27; };
type = with types; attrsOf int;
description = ''
Defines route table names as an attrset of name to number.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
addRouteTablesToIPRoute2 = mkOption {
default = true;
example = false;
type = types.bool;
description = ''
If true and routeTables are set, then the specified route tables
will also be installed into /etc/iproute2/rt_tables.
'';
};
};
config = {
networkConfig = optionalAttrs (config.routeTables != { }) {
RouteTable = mapAttrsToList
(name: number: "${name}:${toString number}")
config.routeTables;
};
};
};
commonMatchText = def: optionalString (def.matchConfig != { }) '' commonMatchText = def: optionalString (def.matchConfig != { }) ''
[Match] [Match]
${attrsToSection def.matchConfig} ${attrsToSection def.matchConfig}
@ -1600,6 +1701,20 @@ let
+ def.extraConfig; + def.extraConfig;
}; };
renderConfig = def:
{ text = ''
[Network]
${attrsToSection def.networkConfig}
''
+ optionalString (def.dhcpV4Config != { }) ''
[DHCPv4]
${attrsToSection def.dhcpV4Config}
''
+ optionalString (def.dhcpV6Config != { }) ''
[DHCPv6]
${attrsToSection def.dhcpV6Config}
''; };
networkToUnit = name: def: networkToUnit = name: def:
{ inherit (def) enable; { inherit (def) enable;
text = commonMatchText def text = commonMatchText def
@ -1732,6 +1847,12 @@ in
description = "Definition of systemd networks."; description = "Definition of systemd networks.";
}; };
systemd.network.config = mkOption {
default = {};
type = with types; submodule [ { options = networkdOptions; } networkdConfig ];
description = "Definition of global systemd network config.";
};
systemd.network.units = mkOption { systemd.network.units = mkOption {
description = "Definition of networkd units."; description = "Definition of networkd units.";
default = {}; default = {};
@ -1823,7 +1944,9 @@ in
systemd.services.systemd-networkd = { systemd.services.systemd-networkd = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
aliases = [ "dbus-org.freedesktop.network1.service" ]; aliases = [ "dbus-org.freedesktop.network1.service" ];
restartTriggers = map (x: x.source) (attrValues unitFiles); restartTriggers = map (x: x.source) (attrValues unitFiles) ++ [
config.environment.etc."systemd/networkd.conf".source
];
}; };
systemd.services.systemd-networkd-wait-online = { systemd.services.systemd-networkd-wait-online = {
@ -1846,6 +1969,17 @@ in
}; };
}; };
environment.etc."systemd/networkd.conf" = renderConfig cfg.config;
networking.iproute2 = mkIf (cfg.config.addRouteTablesToIPRoute2 && cfg.config.routeTables != { }) {
enable = mkDefault true;
rttablesExtraConfig = ''
# Extra tables defined in NixOS systemd.networkd.config.routeTables.
${concatStringsSep "\n" (mapAttrsToList (name: number: "${toString number} ${name}") cfg.config.routeTables)}
'';
};
services.resolved.enable = mkDefault true; services.resolved.enable = mkDefault true;
}) })
]; ];
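Review bot: `routeTables` is typed `attrsOf int`, so names and numbers reach `networkd.conf` (as `RouteTable` entries of the form `name:number`) and `/etc/iproute2/rt_tables` without any check. A name containing whitespace or a newline can add extra entries or lines to both files, and 0 or negative numbers are accepted although networkd.conf(5) documents the range 1…4294967295. Restricting the numbers with `types.ints.between 1 4294967295` and asserting that names match something like `[A-Za-z0-9_-]+` would catch this at evaluation time. `RouteTable` is also listed in `assertOnlyFields` for `[Network]` but has no value check of its own. The generated comment in `rttablesExtraConfig` names `systemd.networkd.config.routeTables`, while the option declared in this diff is `systemd.network.config.routeTables`.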


@ -5,28 +5,30 @@ systemConfig=@systemConfig@
export HOME=/root PATH="@path@" export HOME=/root PATH="@path@"
# Process the kernel command line. if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then
for o in $(</proc/cmdline); do # Process the kernel command line.
case $o in for o in $(</proc/cmdline); do
boot.debugtrace) case $o in
# Show each command. boot.debugtrace)
set -x # Show each command.
;; set -x
esac ;;
done esac
done
# Print a greeting. # Print a greeting.
echo echo
echo -e "\e[1;32m<<< NixOS Stage 2 >>>\e[0m" echo -e "\e[1;32m<<< NixOS Stage 2 >>>\e[0m"
echo echo
# Normally, stage 1 mounts the root filesystem read/writable. # Normally, stage 1 mounts the root filesystem read/writable.
# However, in some environments, stage 2 is executed directly, and the # However, in some environments, stage 2 is executed directly, and the
# root is read-only. So make it writable here. # root is read-only. So make it writable here.
if [ -z "$container" ]; then if [ -z "$container" ]; then
mount -n -o remount,rw none / mount -n -o remount,rw none /
fi
fi fi
@ -39,6 +41,12 @@ if [ ! -e /proc/1 ]; then
local options="$3" local options="$3"
local fsType="$4" local fsType="$4"
# We must not overwrite this mount because it's bind-mounted
# from stage 1's /run
if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" = true ] && [ "${mountPoint}" = /run ]; then
return
fi
install -m 0755 -d "$mountPoint" install -m 0755 -d "$mountPoint"
mount -n -t "$fsType" -o "$options" "$device" "$mountPoint" mount -n -t "$fsType" -o "$options" "$device" "$mountPoint"
} }
@ -46,7 +54,11 @@ if [ ! -e /proc/1 ]; then
fi fi
echo "booting system configuration $systemConfig" > /dev/kmsg if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" = true ]; then
echo "booting system configuration ${systemConfig}"
else
echo "booting system configuration $systemConfig" > /dev/kmsg
fi
# Make /nix/store a read-only bind mount to enforce immutability of # Make /nix/store a read-only bind mount to enforce immutability of
@ -68,24 +80,26 @@ if [ -n "@readOnlyStore@" ]; then
fi fi
# Use /etc/resolv.conf supplied by systemd-nspawn, if applicable. if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then
if [ -n "@useHostResolvConf@" ] && [ -e /etc/resolv.conf ]; then # Use /etc/resolv.conf supplied by systemd-nspawn, if applicable.
resolvconf -m 1000 -a host </etc/resolv.conf if [ -n "@useHostResolvConf@" ] && [ -e /etc/resolv.conf ]; then
fi resolvconf -m 1000 -a host </etc/resolv.conf
fi
# Log the script output to /dev/kmsg or /run/log/stage-2-init.log. # Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
# Only at this point are all the necessary prerequisites ready for these commands. # Only at this point are all the necessary prerequisites ready for these commands.
exec {logOutFd}>&1 {logErrFd}>&2 exec {logOutFd}>&1 {logErrFd}>&2
if test -w /dev/kmsg; then if test -w /dev/kmsg; then
exec > >(tee -i /proc/self/fd/"$logOutFd" | while read -r line; do exec > >(tee -i /proc/self/fd/"$logOutFd" | while read -r line; do
if test -n "$line"; then if test -n "$line"; then
echo "<7>stage-2-init: $line" > /dev/kmsg echo "<7>stage-2-init: $line" > /dev/kmsg
fi fi
done) 2>&1 done) 2>&1
else else
mkdir -p /run/log mkdir -p /run/log
exec > >(tee -i /run/log/stage-2-init.log) 2>&1 exec > >(tee -i /run/log/stage-2-init.log) 2>&1
fi
fi fi
@ -116,11 +130,15 @@ ln -sfn "$systemConfig" /run/booted-system
: >> /etc/machine-id : >> /etc/machine-id
# Reset the logging file descriptors. # No need to restore the stdout/stderr streams we never redirected and
exec 1>&$logOutFd 2>&$logErrFd # especially no need to start systemd
exec {logOutFd}>&- {logErrFd}>&- if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then
# Reset the logging file descriptors.
exec 1>&$logOutFd 2>&$logErrFd
exec {logOutFd}>&- {logErrFd}>&-
# Start systemd in a clean environment. # Start systemd in a clean environment.
echo "starting systemd..." echo "starting systemd..."
exec @systemdExecutable@ "$@" exec @systemdExecutable@ "$@"
fi
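Review bot: `IN_NIXOS_SYSTEMD_STAGE1` is tested in five places across these hunks, but nothing in the script says who sets it or what the script is expected to do in that mode. A comment near the first test would help, for example `# IN_NIXOS_SYSTEMD_STAGE1=true: run as prepare-root from the systemd initrd, inside chroot /sysroot; only prepare the root, do not redirect logging or exec systemd.` In that mode the script now ends on the final `if`, whose status is 0 when the condition is false. Whether an earlier failure reaches the calling unit then depends on shell options set outside these hunks, so an explicit exit status at the end would make the contract visible.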


@ -573,14 +573,6 @@ in
}) })
(filterAttrs (name: service: service.enable && service.startAt != []) cfg.services); (filterAttrs (name: service: service.enable && service.startAt != []) cfg.services);
# Generate timer units for all services that have a startAt value.
systemd.user.timers =
mapAttrs (name: service:
{ wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = service.startAt;
})
(filterAttrs (name: service: service.startAt != []) cfg.user.services);
# Some overrides to upstream units. # Some overrides to upstream units.
systemd.services."systemd-backlight@".restartIfChanged = false; systemd.services."systemd-backlight@".restartIfChanged = false;
systemd.services."systemd-fsck@".restartIfChanged = false; systemd.services."systemd-fsck@".restartIfChanged = false;


@ -34,7 +34,6 @@ let
"initrd-switch-root.service" "initrd-switch-root.service"
"initrd-switch-root.target" "initrd-switch-root.target"
"initrd.target" "initrd.target"
"initrd-udevadm-cleanup-db.service"
"kexec.target" "kexec.target"
"kmod-static-nodes.service" "kmod-static-nodes.service"
"local-fs-pre.target" "local-fs-pre.target"
@ -71,12 +70,6 @@ let
"systemd-sysctl.service" "systemd-sysctl.service"
"systemd-tmpfiles-setup-dev.service" "systemd-tmpfiles-setup-dev.service"
"systemd-tmpfiles-setup.service" "systemd-tmpfiles-setup.service"
"systemd-udevd-control.socket"
"systemd-udevd-kernel.socket"
"systemd-udevd.service"
"systemd-udev-settle.service"
"systemd-udev-trigger.service"
"systemd-vconsole-setup.service"
"timers.target" "timers.target"
"umount.target" "umount.target"
@ -125,7 +118,7 @@ let
}; };
initrdBinEnv = pkgs.buildEnv { initrdBinEnv = pkgs.buildEnv {
name = "initrd-emergency-env"; name = "initrd-bin-env";
paths = map getBin cfg.initrdBin; paths = map getBin cfg.initrdBin;
pathsToLink = ["/bin" "/sbin"]; pathsToLink = ["/bin" "/sbin"];
postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -s '${v}' $out/bin/'${n}'") cfg.extraBin); postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -s '${v}' $out/bin/'${n}'") cfg.extraBin);
@ -355,8 +348,9 @@ in {
boot.initrd.availableKernelModules = [ "autofs4" ]; # systemd needs this for some features boot.initrd.availableKernelModules = [ "autofs4" ]; # systemd needs this for some features
boot.initrd.systemd = { boot.initrd.systemd = {
initrdBin = [pkgs.bash pkgs.coreutils pkgs.kmod cfg.package] ++ config.system.fsPackages; initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages;
extraBin = { extraBin = {
less = "${pkgs.less}/bin/less";
mount = "${cfg.package.util-linux}/bin/mount"; mount = "${cfg.package.util-linux}/bin/mount";
umount = "${cfg.package.util-linux}/bin/umount"; umount = "${cfg.package.util-linux}/bin/umount";
}; };
@ -367,7 +361,7 @@ in {
"/etc/systemd/system.conf".text = '' "/etc/systemd/system.conf".text = ''
[Manager] [Manager]
DefaultEnvironment=PATH=/bin:/sbin DefaultEnvironment=PATH=/bin:/sbin ${optionalString (isBool cfg.emergencyAccess && cfg.emergencyAccess) "SYSTEMD_SULOGIN_FORCE=1"}
''; '';
"/etc/fstab".source = fstab; "/etc/fstab".source = fstab;
@ -384,6 +378,11 @@ in {
"/etc/sysctl.d/nixos.conf".text = "kernel.modprobe = /sbin/modprobe"; "/etc/sysctl.d/nixos.conf".text = "kernel.modprobe = /sbin/modprobe";
"/etc/modprobe.d/systemd.conf".source = "${cfg.package}/lib/modprobe.d/systemd.conf"; "/etc/modprobe.d/systemd.conf".source = "${cfg.package}/lib/modprobe.d/systemd.conf";
"/etc/modprobe.d/ubuntu.conf".source = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" { } ''
${pkgs.buildPackages.perl}/bin/perl -0pe 's/## file: iwlwifi.conf(.+?)##/##/s;' $src > $out
'';
"/etc/modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases;
}; };
storePaths = [ storePaths = [
@ -394,15 +393,15 @@ in {
"${cfg.package}/lib/systemd/systemd-journald" "${cfg.package}/lib/systemd/systemd-journald"
"${cfg.package}/lib/systemd/systemd-makefs" "${cfg.package}/lib/systemd/systemd-makefs"
"${cfg.package}/lib/systemd/systemd-modules-load" "${cfg.package}/lib/systemd/systemd-modules-load"
"${cfg.package}/lib/systemd/systemd-random-seed"
"${cfg.package}/lib/systemd/systemd-remount-fs" "${cfg.package}/lib/systemd/systemd-remount-fs"
"${cfg.package}/lib/systemd/systemd-shutdown"
"${cfg.package}/lib/systemd/systemd-sulogin-shell" "${cfg.package}/lib/systemd/systemd-sulogin-shell"
"${cfg.package}/lib/systemd/systemd-sysctl" "${cfg.package}/lib/systemd/systemd-sysctl"
"${cfg.package}/lib/systemd/systemd-udevd"
"${cfg.package}/lib/systemd/systemd-vconsole-setup" "${cfg.package}/lib/systemd/systemd-vconsole-setup"
# additional systemd directories # additional systemd directories
"${cfg.package}/lib/systemd/system-generators" "${cfg.package}/lib/systemd/system-generators"
"${cfg.package}/lib/udev"
# utilities needed by systemd # utilities needed by systemd
"${cfg.package.util-linux}/bin/mount" "${cfg.package.util-linux}/bin/mount"
@ -410,7 +409,7 @@ in {
"${cfg.package.util-linux}/bin/sulogin" "${cfg.package.util-linux}/bin/sulogin"
# so NSS can look up usernames # so NSS can look up usernames
"${pkgs.glibc}/lib/libnss_files.so" "${pkgs.glibc}/lib/libnss_files.so.2"
] ++ jobScripts; ] ++ jobScripts;
targets.initrd.aliases = ["default.target"]; targets.initrd.aliases = ["default.target"];
@ -428,9 +427,6 @@ in {
(v: let n = escapeSystemdPath v.where; (v: let n = escapeSystemdPath v.where;
in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts); in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
services.emergency = mkIf (isBool cfg.emergencyAccess && cfg.emergencyAccess) {
environment.SYSTEMD_SULOGIN_FORCE = "1";
};
# The unit in /run/systemd/generator shadows the unit in # The unit in /run/systemd/generator shadows the unit in
# /etc/systemd/system, but will still apply drop-ins from # /etc/systemd/system, but will still apply drop-ins from
# /etc/systemd/system/foo.service.d/ # /etc/systemd/system/foo.service.d/
@ -445,6 +441,67 @@ in {
'')]; '')];
services."systemd-makefs@".unitConfig.IgnoreOnIsolate = true; services."systemd-makefs@".unitConfig.IgnoreOnIsolate = true;
services."systemd-growfs@".unitConfig.IgnoreOnIsolate = true; services."systemd-growfs@".unitConfig.IgnoreOnIsolate = true;
services.initrd-nixos-activation = {
after = [ "initrd-fs.target" ];
requiredBy = [ "initrd.target" ];
unitConfig.AssertPathExists = "/etc/initrd-release";
serviceConfig.Type = "oneshot";
description = "NixOS Activation";
script = /* bash */ ''
set -uo pipefail
export PATH="/bin:${cfg.package.util-linux}/bin"
# Figure out what closure to boot
closure=
for o in $(< /proc/cmdline); do
case $o in
init=*)
IFS== read -r -a initParam <<< "$o"
closure="$(dirname "''${initParam[1]}")"
;;
esac
done
# Sanity check
if [ -z "''${closure:-}" ]; then
echo 'No init= parameter on the kernel command line' >&2
exit 1
fi
# If we are not booting a NixOS closure (e.g. init=/bin/sh),
# we don't know what root to prepare so we don't do anything
if ! [ -x "/sysroot$closure/prepare-root" ]; then
echo "NEW_INIT=''${initParam[1]}" > /etc/switch-root.conf
echo "$closure does not look like a NixOS installation - not activating"
exit 0
fi
echo 'NEW_INIT=' > /etc/switch-root.conf
# We need to propagate /run for things like /run/booted-system
# and /run/current-system.
mkdir -p /sysroot/run
mount --bind /run /sysroot/run
# Initialize the system
export IN_NIXOS_SYSTEMD_STAGE1=true
exec chroot /sysroot $closure/prepare-root
'';
};
# This will either call systemctl with the new init as the last parameter (which
# is the case when not booting a NixOS system) or with an empty string, causing
# systemd to bypass its verification code that checks whether the next file is a systemd
# and using its compiled-in value
services.initrd-switch-root.serviceConfig = {
EnvironmentFile = "-/etc/switch-root.conf";
ExecStart = [
""
''systemctl --no-block switch-root /sysroot "''${NEW_INIT}"''
];
};
}; };
}; };
} }
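Review bot: The `runCommand "initrd-kmod-blacklist-ubuntu" { }` added for `/etc/modprobe.d/ubuntu.conf` reads `$src`, but the attribute set passed to it is empty. As written, perl gets no input file and the generated blacklist would presumably be empty. The source needs to be passed in, e.g. `{ src = <path to the Ubuntu modprobe.conf>; }` (a placeholder; the path is not on this page). In the `initrd-nixos-activation` script, the value taken from `init=` on the kernel command line is used unquoted in `exec chroot /sysroot $closure/prepare-root` and written raw into `/etc/switch-root.conf`. Quoting it (`exec chroot /sysroot "$closure/prepare-root"`) and rejecting values that are not absolute paths keeps globbing and odd characters out of the chroot call and the `EnvironmentFile`. Moving `SYSTEMD_SULOGIN_FORCE=1` from the emergency unit into `DefaultEnvironment` also exposes it to every initrd unit; if that is deliberate, a comment should say so.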


@ -853,8 +853,12 @@ in
(mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [
"-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet"
]) ])
(mkIf (!cfg.useBootLoader) [ (let
"-kernel \${NIXPKGS_QEMU_KERNEL_${config.system.name}:-${config.system.build.toplevel}/kernel}" alphaNumericChars = lowerChars ++ upperChars ++ (map toString (range 0 9));
# Replace all non-alphanumeric characters with underscores
sanitizeShellIdent = s: concatMapStrings (c: if builtins.elem c alphaNumericChars then c else "_") (stringToCharacters s);
in mkIf (!cfg.useBootLoader) [
"-kernel \${NIXPKGS_QEMU_KERNEL_${sanitizeShellIdent config.system.name}:-${config.system.build.toplevel}/kernel}"
"-initrd ${config.system.build.toplevel}/initrd" "-initrd ${config.system.build.toplevel}/initrd"
''-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS"'' ''-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS"''
]) ])


@ -0,0 +1,31 @@
import ./make-test-python.nix ({ pkgs, ... }: rec {
name = "all-terminfo";
meta = with pkgs.lib.maintainers; {
maintainers = [ jkarlson ];
};
nodes.machine = { pkgs, config, lib, ... }:
let
infoFilter = name: drv:
let
o = builtins.tryEval drv;
in
o.success && lib.isDerivation o.value && o.value ? outputs && builtins.elem "terminfo" o.value.outputs;
terminfos = lib.filterAttrs infoFilter pkgs;
excludedTerminfos = lib.filterAttrs (_: drv: !(builtins.elem drv.terminfo config.environment.systemPackages)) terminfos;
includedOuts = lib.filterAttrs (_: drv: builtins.elem drv.out config.environment.systemPackages) terminfos;
in
{
environment = {
enableAllTerminfo = true;
etc."terminfo-missing".text = builtins.concatStringsSep "\n" (builtins.attrNames excludedTerminfos);
etc."terminfo-extra-outs".text = builtins.concatStringsSep "\n" (builtins.attrNames includedOuts);
};
};
testScript =
''
machine.fail("grep . /etc/terminfo-missing >&2")
machine.fail("grep . /etc/terminfo-extra-outs >&2")
'';
})


@ -35,6 +35,7 @@ in
agate = handleTest ./web-servers/agate.nix {}; agate = handleTest ./web-servers/agate.nix {};
agda = handleTest ./agda.nix {}; agda = handleTest ./agda.nix {};
airsonic = handleTest ./airsonic.nix {}; airsonic = handleTest ./airsonic.nix {};
allTerminfo = handleTest ./all-terminfo.nix {};
amazon-init-shell = handleTest ./amazon-init-shell.nix {}; amazon-init-shell = handleTest ./amazon-init-shell.nix {};
apfs = handleTest ./apfs.nix {}; apfs = handleTest ./apfs.nix {};
apparmor = handleTest ./apparmor.nix {}; apparmor = handleTest ./apparmor.nix {};
@ -362,6 +363,7 @@ in
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {}; nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
nginx-sso = handleTest ./nginx-sso.nix {}; nginx-sso = handleTest ./nginx-sso.nix {};
nginx-variants = handleTest ./nginx-variants.nix {}; nginx-variants = handleTest ./nginx-variants.nix {};
nifi = handleTestOn ["x86_64-linux"] ./web-apps/nifi.nix {};
nitter = handleTest ./nitter.nix {}; nitter = handleTest ./nitter.nix {};
nix-ld = handleTest ./nix-ld {}; nix-ld = handleTest ./nix-ld {};
nix-serve = handleTest ./nix-serve.nix {}; nix-serve = handleTest ./nix-serve.nix {};
@ -398,9 +400,10 @@ in
pam-file-contents = handleTest ./pam/pam-file-contents.nix {}; pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
pam-oath-login = handleTest ./pam/pam-oath-login.nix {}; pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
pam-u2f = handleTest ./pam/pam-u2f.nix {}; pam-u2f = handleTest ./pam/pam-u2f.nix {};
pam-ussh = handleTest ./pam/pam-ussh.nix {};
pantalaimon = handleTest ./matrix/pantalaimon.nix {}; pantalaimon = handleTest ./matrix/pantalaimon.nix {};
pantheon = handleTest ./pantheon.nix {}; pantheon = handleTest ./pantheon.nix {};
paperless-ng = handleTest ./paperless-ng.nix {}; paperless = handleTest ./paperless.nix {};
parsedmarc = handleTest ./parsedmarc {}; parsedmarc = handleTest ./parsedmarc {};
pdns-recursor = handleTest ./pdns-recursor.nix {}; pdns-recursor = handleTest ./pdns-recursor.nix {};
peerflix = handleTest ./peerflix.nix {}; peerflix = handleTest ./peerflix.nix {};


@ -878,7 +878,7 @@ let
linkConfig.Name = "custom_name"; linkConfig.Name = "custom_name";
}; };
} }
else { services.udev.initrdRules = '' else { boot.initrd.services.udev.rules = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="custom_name" SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="custom_name"
''; '';
}); });


@ -0,0 +1,70 @@
import ../make-test-python.nix ({ pkgs, lib, ... }:
let
testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
nativeBuildInputs = [ pkgs.openssh ];
} ''
mkdir $out
ssh-keygen -t ed25519 -N "" -f $out/ca
ssh-keygen -t ed25519 -N "" -f $out/alice
ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub
ssh-keygen -t ed25519 -N "" -f $out/bob
ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
'';
makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
set -euo pipefail
eval $(${pkgs.openssh}/bin/ssh-agent)
mkdir -p $HOME/.ssh
chmod 700 $HOME/.ssh
cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
chmod 600 $HOME/.ssh/${user}
chmod 644 $HOME/.ssh/${user}{,-cert}.pub
set -x
${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
${pkgs.openssh}/bin/ssh-add -l &>2
exec sudo id -u -n
'';
in {
name = "pam-ussh";
meta.maintainers = with lib.maintainers; [ lukegb ];
machine =
{ ... }:
{
users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };
security.pam.ussh = {
enable = true;
authorizedPrincipals = "root";
caFile = "${testOnlySSHCredentials}/ca.pub";
};
security.sudo = {
enable = true;
extraConfig = ''
Defaults lecture="never"
'';
};
};
testScript =
''
with subtest("alice should be allowed to escalate to root"):
machine.succeed(
'su -c "${makeTestScript "alice"}" -l alice | grep root'
)
with subtest("bob should not be allowed to escalate to root"):
machine.fail(
'su -c "${makeTestScript "bob"}" -l bob | grep root'
)
'';
})
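Review bot: In `makeTestScript`, `ssh-add -l &>2` writes the key listing to a file named `2` in the working directory rather than to stderr, so the loaded identities never reach the test log; `${pkgs.openssh}/bin/ssh-add -l >&2` is presumably what was intended. Separately, the bob subtest wraps the whole `su … | grep root` pipeline in `machine.fail`, so it also passes when the script dies earlier (for example at the `cp` or `ssh-add` step) and the PAM module is never consulted. Confirming that bob's certificate was loaded before the `sudo` call would make the negative case show that the principal check is what denied escalation.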


@ -1,30 +1,32 @@
import ./make-test-python.nix ({ lib, ... }: { import ./make-test-python.nix ({ lib, ... }: {
name = "paperless-ng"; name = "paperless";
meta.maintainers = with lib.maintainers; [ earvstedt Flakebi ]; meta.maintainers = with lib.maintainers; [ earvstedt Flakebi ];
nodes.machine = { pkgs, ... }: { nodes.machine = { pkgs, ... }: {
environment.systemPackages = with pkgs; [ imagemagick jq ]; environment.systemPackages = with pkgs; [ imagemagick jq ];
services.paperless-ng = { services.paperless = {
enable = true; enable = true;
passwordFile = builtins.toFile "password" "admin"; passwordFile = builtins.toFile "password" "admin";
}; };
}; };
testScript = '' testScript = ''
machine.wait_for_unit("paperless-ng-consumer.service") import json
with subtest("Create test doc"): machine.wait_for_unit("paperless-consumer.service")
with subtest("Add a document via the file system"):
machine.succeed( machine.succeed(
"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black " "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
"-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png" "-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png"
) )
with subtest("Web interface gets ready"): with subtest("Web interface gets ready"):
machine.wait_for_unit("paperless-ng-web.service") machine.wait_for_unit("paperless-web.service")
# Wait until server accepts connections # Wait until server accepts connections
machine.wait_until_succeeds("curl -fs localhost:28981") machine.wait_until_succeeds("curl -fs localhost:28981")
with subtest("Create web test doc"): with subtest("Add a document via the web interface"):
machine.succeed( machine.succeed(
"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black " "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
"-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png" "-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png"
@ -35,11 +37,8 @@ import ./make-test-python.nix ({ lib, ... }: {
machine.wait_until_succeeds( machine.wait_until_succeeds(
"(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 2))" "(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 2))"
) )
assert "2005-10-16" in machine.succeed( docs = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/"))['results']
"curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[0] | .created'" assert "2005-10-16" in docs[0]['created']
) assert "2005-10-16" in docs[1]['created']
assert "2005-10-16" in machine.succeed(
"curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[1] | .created'"
)
''; '';
}) })


@ -14,14 +14,31 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
testScript = '' testScript = ''
import subprocess import subprocess
oldAvail = machine.succeed("df --output=avail / | sed 1d") with subtest("handover to stage-2 systemd works"):
machine.shutdown() machine.wait_for_unit("multi-user.target")
machine.succeed("systemd-analyze | grep -q '(initrd)'") # direct handover
machine.succeed("touch /testfile") # / is writable
machine.fail("touch /nix/store/testfile") # /nix/store is not writable
# Special filesystems are mounted by systemd
machine.succeed("[ -e /run/booted-system ]") # /run
machine.succeed("[ -e /sys/class ]") # /sys
machine.succeed("[ -e /dev/null ]") # /dev
machine.succeed("[ -e /proc/1 ]") # /proc
# stage-2-init mounted more special filesystems
machine.succeed("[ -e /dev/shm ]") # /dev/shm
machine.succeed("[ -e /dev/pts/ptmx ]") # /dev/pts
machine.succeed("[ -e /run/keys ]") # /run/keys
subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"])
machine.start() with subtest("growfs works"):
newAvail = machine.succeed("df --output=avail / | sed 1d") oldAvail = machine.succeed("df --output=avail / | sed 1d")
machine.shutdown()
assert int(oldAvail) < int(newAvail), "File system did not grow" subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"])
machine.start()
newAvail = machine.succeed("df --output=avail / | sed 1d")
assert int(oldAvail) < int(newAvail), "File system did not grow"
''; '';
}) })


@ -8,6 +8,9 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
environment.systemPackages = with pkgs; [ wireguard-tools ]; environment.systemPackages = with pkgs; [ wireguard-tools ];
systemd.network = { systemd.network = {
enable = true; enable = true;
config = {
routeTables.custom = 23;
};
netdevs = { netdevs = {
"90-wg0" = { "90-wg0" = {
netdevConfig = { Kind = "wireguard"; Name = "wg0"; }; netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
@ -39,6 +42,7 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
address = [ "10.0.0.${nodeId}/32" ]; address = [ "10.0.0.${nodeId}/32" ];
routes = [ routes = [
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; } { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; Table = "custom"; }; }
]; ];
}; };
"30-eth1" = { "30-eth1" = {
@ -87,6 +91,12 @@ testScript = ''
node1.wait_for_unit("systemd-networkd-wait-online.service") node1.wait_for_unit("systemd-networkd-wait-online.service")
node2.wait_for_unit("systemd-networkd-wait-online.service") node2.wait_for_unit("systemd-networkd-wait-online.service")
# ================================
# Networkd Config
# ================================
node1.succeed("grep RouteTable=custom:23 /etc/systemd/networkd.conf")
node1.succeed("sudo ip route show table custom | grep '10.0.0.0/24 via 10.0.0.1 dev wg0 proto static'")
# ================================ # ================================
# Wireguard # Wireguard
# ================================ # ================================
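Review bot: The added route check calls `sudo ip route show table custom`, while the `grep` on the line before it and the other test commands run without `sudo`. Test driver commands already run as root as far as I can tell, so the prefix only adds a dependency on sudo being enabled on the node. `node1.succeed("ip route show table custom | grep '10.0.0.0/24 via 10.0.0.1 dev wg0 proto static'")` should be equivalent.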


@ -0,0 +1,30 @@
import ../make-test-python.nix ({pkgs, ...}:
{
name = "nifi";
meta.maintainers = with pkgs.lib.maintainers; [ izorkin ];
nodes = {
nifi = { pkgs, ... }: {
virtualisation = {
memorySize = 2048;
diskSize = 4096;
};
services.nifi = {
enable = true;
enableHTTPS = false;
};
};
};
testScript = ''
nifi.start()
nifi.wait_for_unit("nifi.service")
nifi.wait_for_open_port(8080)
# Check if NiFi is running
nifi.succeed("curl --fail http://127.0.0.1:8080/nifi/login 2> /dev/null | grep 'NiFi Login'")
nifi.shutdown()
'';
})
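Review bot: The node is configured with `enableHTTPS = false`, so this test only covers the plain-HTTP setup and the module's HTTPS configuration is never started or probed. If HTTP was chosen only to avoid certificate setup, say so on that line, e.g. `# HTTPS disabled to keep the test free of certificate setup; the TLS path is not covered here`. The `2> /dev/null` on the curl call also discards the error text that would explain a failure in the test log; `curl --fail --silent --show-error …` keeps the output quiet without hiding errors.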


@ -1,13 +1,13 @@
{ stdenv, lib, fetchFromGitHub, faust2jaqt, faust2lv2 }: { stdenv, lib, fetchFromGitHub, faust2jaqt, faust2lv2 }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "faustPhysicalModeling"; pname = "faustPhysicalModeling";
version = "2.37.3"; version = "2.40.0";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "grame-cncm"; owner = "grame-cncm";
repo = "faust"; repo = "faust";
rev = version; rev = version;
sha256 = "sha256-h6L+qRkN2chnI4821WrjD3uRFw3J0sUYVLL8w57vR1U="; sha256 = "sha256-t3I3j5s2ACHfub+fxxaTwu+5ptEwH0JQpVdmHYOzbCA=";
}; };
buildInputs = [ faust2jaqt faust2lv2 ]; buildInputs = [ faust2jaqt faust2lv2 ];


@ -2,11 +2,11 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "JMusicBot"; pname = "JMusicBot";
version = "0.3.6"; version = "0.3.8";
src = fetchurl { src = fetchurl {
url = "https://github.com/jagrosh/MusicBot/releases/download/${version}/JMusicBot-${version}.jar"; url = "https://github.com/jagrosh/MusicBot/releases/download/${version}/JMusicBot-${version}.jar";
sha256 = "sha256-Hc3dsOADC+jVZScY19OYDkHimntMjdw/BoB3EUS/d0k="; sha256 = "sha256-wzmrh9moY6oo3RqOy9Zl1X70BZlvbJkQmz8BaBIFtIM=";
}; };
dontUnpack = true; dontUnpack = true;


@ -25,7 +25,7 @@
python3.pkgs.buildPythonApplication rec { python3.pkgs.buildPythonApplication rec {
pname = "lollypop"; pname = "lollypop";
version = "1.4.26"; version = "1.4.31";
format = "other"; format = "other";
doCheck = false; doCheck = false;
@ -34,7 +34,7 @@ python3.pkgs.buildPythonApplication rec {
url = "https://gitlab.gnome.org/World/lollypop"; url = "https://gitlab.gnome.org/World/lollypop";
rev = "refs/tags/${version}"; rev = "refs/tags/${version}";
fetchSubmodules = true; fetchSubmodules = true;
sha256 = "sha256-Q/z9oET06DimMRZl03TgjEeheoVHtIkH+Z69qWZetcI="; sha256 = "sha256-kWqTDhk7QDmN0yr6x8ER5oHkUAkP3i5yOabnNXSHSqA=";
}; };
nativeBuildInputs = [ nativeBuildInputs = [


@ -11,11 +11,11 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "ocenaudio"; pname = "ocenaudio";
version = "3.11.7"; version = "3.11.10";
src = fetchurl { src = fetchurl {
url = "https://www.ocenaudio.com/downloads/index.php/ocenaudio_debian9_64.deb?version=${version}"; url = "https://www.ocenaudio.com/downloads/index.php/ocenaudio_debian9_64.deb?version=${version}";
sha256 = "sha256-fTeDRo7gCM1jXTQGm9MsmKu4KvTGDUogF3VSZWk91RM="; sha256 = "sha256-Ah6Ni5EbFdIQ/wN7uGeMrSP5ybQfI4iy9gI1VT5LztU=";
}; };
nativeBuildInputs = [ nativeBuildInputs = [


@ -0,0 +1,79 @@
{ stdenv
, lib
, fetchFromGitHub
, cmake
, pkg-config
, alsa-lib
, freetype
, libjack2
, lv2
, libX11
, libXcursor
, libXext
, libXinerama
, libXrandr
, libGL
, gcc-unwrapped
}:
stdenv.mkDerivation rec {
pname = "odin2";
version = "unstable-2022-02-23";
src = fetchFromGitHub {
owner = "baconpaul";
repo = "odin2";
rev = "ed02d06cfb5db8a118d291c00bd2e4cd6e262cde";
fetchSubmodules = true;
sha256 = "sha256-VkZ+mqCmqWQafdN0nQxJdPxbiaZ37/0jOhLvVbnGLvQ=";
};
nativeBuildInputs = [
cmake
pkg-config
];
buildInputs = [
alsa-lib
freetype
libjack2
lv2
libX11
libXcursor
libXext
libXinerama
libXrandr
libGL
];
# JUCE dlopen's these at runtime, crashes without them
NIX_LDFLAGS = (toString [
"-lX11"
"-lXext"
"-lXcursor"
"-lXinerama"
"-lXrandr"
]);
cmakeFlags = [
"-DCMAKE_AR=${gcc-unwrapped}/bin/gcc-ar"
"-DCMAKE_RANLIB=${gcc-unwrapped}/bin/gcc-ranlib"
"-DCMAKE_NM=${gcc-unwrapped}/bin/gcc-nm"
];
installPhase = ''
mkdir -p $out/bin $out/lib/vst3
cd Odin2_artefacts/Release
cp -r VST3/Odin2.vst3 $out/lib/vst3
cp -r Standalone/Odin2 $out/bin
'';
meta = with lib; {
description = "Odin 2 Synthesizer Plugin";
homepage = "https://thewavewarden.com/odin2";
license = licenses.gpl3;
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ magnetophon ];
};
}
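Review bot: The custom `installPhase` replaces the default without calling `runHook preInstall` and `runHook postInstall`, so hooks attached to the install phase by overrides or setup hooks are skipped. Add `runHook preInstall` as its first line and `runHook postInstall` as its last. `license = licenses.gpl3` also leaves open whether the package is GPL-3.0-only or GPL-3.0-or-later; use `licenses.gpl3Only` or `licenses.gpl3Plus`, whichever upstream's licence text states.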


@ -0,0 +1,50 @@
{ lib
, stdenv
, fetchFromGitHub
, pipewire
, cmake
, extra-cmake-modules
, gnumake
, wrapQtAppsHook
, qtbase
, qttools
, kirigami2
, kcoreaddons
, ki18n
, qtquickcontrols2
}:
stdenv.mkDerivation rec {
pname = "pipecontrol";
version = "0.2.2";
src = fetchFromGitHub {
owner = "portaloffreedom";
repo = pname;
rev = "v${version}";
sha256 = "sha256-BeubRDx82MQX1gB7GnGJlQ2FyYX1S83C3gqPZgIjgoM=";
};
nativeBuildInputs = [
cmake
extra-cmake-modules
wrapQtAppsHook
qttools
];
buildInputs = [
pipewire
qtbase
kirigami2
kcoreaddons
ki18n
qtquickcontrols2
];
meta = with lib; {
description = "Pipewire control GUI program in Qt (Kirigami2)";
homepage = "https://github.com/portaloffreedom/pipecontrol";
license = licenses.gpl3Only;
maintainers = with maintainers; [ tilcreator ];
};
}
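Review bot: `gnumake` is listed in the function arguments but is not referenced in `nativeBuildInputs`, `buildInputs` or anywhere else in the expression. Drop it from the argument list so that the declared inputs match what the build uses.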


@ -2,12 +2,12 @@
let let
pname = "plexamp"; pname = "plexamp";
version = "4.1.0"; version = "4.2.0";
src = fetchurl { src = fetchurl {
url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage"; url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage";
name="${pname}-${version}.AppImage"; name="${pname}-${version}.AppImage";
sha512 = "N+WkH6n7MWfRd2rsk/2b/rABL6pcjpKa1iBZSHslIOEc5fYWjGAxjwwTU0RgSaqptS1DyPeCUeWuphWPZJsQgw=="; sha512 = "yIdZoKTJJEpUzEqvixQ7JJBxzrtCRov31dGBDOjMiK/oA2q00Xo6XVDvAhYuIn6ocZqK+I5jHfmf4qYaRePDvg==";
}; };
appimageContents = appimageTools.extractType2 { appimageContents = appimageTools.extractType2 {
@ -33,7 +33,7 @@ in appimageTools.wrapType2 {
meta = with lib; { meta = with lib; {
description = "A beautiful Plex music player for audiophiles, curators, and hipsters"; description = "A beautiful Plex music player for audiophiles, curators, and hipsters";
homepage = "https://plexamp.com/"; homepage = "https://plexamp.com/";
changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/42"; changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/43";
license = licenses.unfree; license = licenses.unfree;
maintainers = with maintainers; [ killercup synthetica ]; maintainers = with maintainers; [ killercup synthetica ];
platforms = [ "x86_64-linux" ]; platforms = [ "x86_64-linux" ];


@ -0,0 +1,27 @@
{ lib
, fetchurl
, appimageTools
}:
appimageTools.wrapType2 rec {
pname = "sonixd";
version = "0.14.0";
src = fetchurl {
url = "https://github.com/jeffvli/sonixd/releases/download/v${version}/Sonixd-${version}-linux-x86_64.AppImage";
sha256 = "sha256-q+26Ut5wN9gFDBdqirR+he/ppu/b1wiqq23WkcRAQd4=";
};
extraInstallCommands = ''
mv $out/bin/sonixd-${version} $out/bin/sonixd
'';
meta = with lib; {
description = "Full-featured Subsonic/Jellyfin compatible desktop music player";
homepage = "https://github.com/jeffvli/sonixd";
license = licenses.gpl3Only;
maintainers = with maintainers; [ onny ];
platforms = [ "x86_64-linux" ];
};
}


@ -3,12 +3,12 @@
, libGLU, lv2, gtk2, cairo, pango, fftwFloat, zita-convolver }: , libGLU, lv2, gtk2, cairo, pango, fftwFloat, zita-convolver }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
version = "20220107"; version = "20220327";
pname = "x42-plugins"; pname = "x42-plugins";
src = fetchurl { src = fetchurl {
url = "https://gareus.org/misc/x42-plugins/${pname}-${version}.tar.xz"; url = "https://gareus.org/misc/x42-plugins/${pname}-${version}.tar.xz";
sha256 = "sha256-+lzgkRQHe6moid3h6az/iqt2XL5vbyM0BjSTwMBvd3I="; sha256 = "sha256-IhuPqTlCbCxExT5B9Au42RQQl4sDEvz6+HhsuT02KVs=";
}; };
nativeBuildInputs = [ pkg-config ]; nativeBuildInputs = [ pkg-config ];


@ -5,16 +5,16 @@
buildGoModule rec { buildGoModule rec {
pname = "lightning-loop"; pname = "lightning-loop";
version = "0.17.0-beta"; version = "0.18.0-beta";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "lightninglabs"; owner = "lightninglabs";
repo = "loop"; repo = "loop";
rev = "v${version}"; rev = "v${version}";
sha256 = "0hjawagn1dfgj67i52bvf3phvm9f9708z3jqs6cvyz0w7vp107py"; sha256 = "1kg5nlvb4lb3cjn84wcylhq0l73d2n6rg4n1srnxmgs96v41y78f";
}; };
vendorSha256 = "1fpc73hwdn3baz5ykrykvqdr5861gj9p6liy8qll5525kdv560f6"; vendorSha256 = "0q3wbjfaqdj29sjlhx6fhc0p4d12aa31s6ia36jalcvf659ybb0l";
subPackages = [ "cmd/loop" "cmd/loopd" ]; subPackages = [ "cmd/loop" "cmd/loopd" ];


@ -38,13 +38,13 @@ let
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "cudatext"; pname = "cudatext";
version = "1.160.0"; version = "1.160.2";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "Alexey-T"; owner = "Alexey-T";
repo = "CudaText"; repo = "CudaText";
rev = version; rev = version;
sha256 = "sha256-42V6RFa+mAXyaUuKeDQa9Voi1MjnzcVl+cOA65VabxM="; sha256 = "sha256-moKuiW5kd0jdAk0lBLX8ZWeT/locxGAvM4oOqvMGsr4=";
}; };
postPatch = '' postPatch = ''


@ -26,8 +26,8 @@
}, },
"EControl": { "EControl": {
"owner": "Alexey-T", "owner": "Alexey-T",
"rev": "2022.03.28", "rev": "2022.04.08",
"sha256": "sha256-jh3lqisiPNMxCapP6O5oJdUL3PLQ3JyomtgWix+bML0=" "sha256": "sha256-pPlb8rr5loYVzKw/7R2kogSAosmViwGM3cehVwf4EYY="
}, },
"ATSynEdit_Ex": { "ATSynEdit_Ex": {
"owner": "Alexey-T", "owner": "Alexey-T",


@ -0,0 +1,22 @@
{ callPackage
, wolfram-engine
}:
# To test:
# $(nix-build -E 'with import ./. {}; jupyter.override { definitions = { wolfram = wolfram-for-jupyter-kernel.definition; }; }')/bin/jupyter-notebook
let kernel = callPackage ./kernel.nix {};
in {
definition = {
displayName = "Wolfram Language ${wolfram-engine.version}";
argv = [
"${wolfram-engine}/bin/wolfram"
"-script"
"${kernel}/share/Wolfram/WolframLanguageForJupyter/Resources/KernelForWolframLanguageForJupyter.wl"
"{connection_file}"
"ScriptInstall" # suppresses prompt
];
language = "Wolfram Language";
logo32 = "${wolfram-engine}/share/icons/hicolor/32x32/apps/wolfram-wolframlanguage.png";
logo64 = "${wolfram-engine}/share/icons/hicolor/64x64/apps/wolfram-wolframlanguage.png";
};
}


@ -0,0 +1,32 @@
{ stdenv, lib, fetchFromGitHub }:
stdenv.mkDerivation rec {
pname = "wolfram-for-jupyter-kernel";
version = "0.9.2";
src = fetchFromGitHub {
owner = "WolframResearch";
repo = "WolframLanguageForJupyter";
rev = "v${version}";
sha256 = "19d9dvr0bv7iy0x8mk4f576ha7z7h7id39nyrggwf9cp7gymxf47";
};
dontConfigure = true;
installPhase = ''
patchShebangs ./configure-jupyter.wls
mkdir -p $out/share/Wolfram
cp -r {WolframLanguageForJupyter,images,extras,LICENSE} $out/share/Wolfram
'';
# no tests
doCheck = false;
meta = with lib; {
description = "A Jupyter kernel for Wolfram Language.";
homepage = "https://github.com/WolframResearch/WolframLanguageForJupyter";
license = licenses.mit;
maintainers = with maintainers; [ fbeffa ];
platforms = platforms.all;
};
}
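Review bot: `patchShebangs ./configure-jupyter.wls` in `installPhase` rewrites a file in the build directory that the following `cp -r {WolframLanguageForJupyter,images,extras,LICENSE} $out/share/Wolfram` never copies, so the call has no effect on the installed output. Either drop the line, or install the script if it is meant to be usable from `$out`. The phase also omits `runHook preInstall` and `runHook postInstall`, which should be its first and last lines.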


@ -21,18 +21,16 @@
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "lapce"; pname = "lapce";
version = "0.0.10"; version = "0.0.12";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "lapce"; owner = "lapce";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "tOVFm4DFQurFU4DtpPwxXQLbTGCZnrV1FfYKtvkRxRE="; sha256 = "sha256-ZFQjQ5+G0b0Fgg3+du/drt+62rC/TCNR5MIdJXAkTrE=";
}; };
cargoPatches = [ ./fix-version.patch ]; cargoSha256 = "sha256-sMTootPsenaWzLLFImo6HWC1pcm2uFupPhVWsUJp1Ak=";
cargoSha256 = "BwB3KgmI5XnZ5uHv6f+kGKBzpyxPWcoKvF7qw90eorI=";
nativeBuildInputs = [ nativeBuildInputs = [
cmake cmake


@ -1,31 +0,0 @@
diff --git a/Cargo.lock b/Cargo.lock
index bc9a0f8..45a74ad 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2165,7 +2165,7 @@ dependencies = [
[[package]]
name = "lapce"
-version = "0.0.9"
+version = "0.0.10"
dependencies = [
"lapce-core",
"lapce-proxy",
@@ -2173,7 +2173,7 @@ dependencies = [
[[package]]
name = "lapce-core"
-version = "0.0.9"
+version = "0.0.10"
dependencies = [
"Inflector",
"alacritty_terminal 0.15.0",
@@ -2233,7 +2233,7 @@ dependencies = [
[[package]]
name = "lapce-proxy"
-version = "0.0.9"
+version = "0.0.10"
dependencies = [
"alacritty_terminal 0.16.0-rc2",
"anyhow",



@ -956,6 +956,7 @@ https://github.com/tpope/vim-vinegar/,,
https://github.com/triglav/vim-visual-increment/,, https://github.com/triglav/vim-visual-increment/,,
https://github.com/mg979/vim-visual-multi/,, https://github.com/mg979/vim-visual-multi/,,
https://github.com/thinca/vim-visualstar/,, https://github.com/thinca/vim-visualstar/,,
https://github.com/ngemily/vim-vp4/,HEAD,
https://github.com/hrsh7th/vim-vsnip/,, https://github.com/hrsh7th/vim-vsnip/,,
https://github.com/hrsh7th/vim-vsnip-integ/,, https://github.com/hrsh7th/vim-vsnip-integ/,,
https://github.com/posva/vim-vue/,, https://github.com/posva/vim-vue/,,


@ -0,0 +1,28 @@
{ stdenv, lib, fetchFromGitHub, autoconf, automake, pkg-config, SDL2, gtk2 }:
stdenv.mkDerivation {
pname = "basiliskii";
version = "unstable-2022-04-05";
src = fetchFromGitHub {
owner = "kanjitalk755";
repo = "macemu";
rev = "d4baa318e49a29d7ea5fc71a637191d6c470546f";
sha256 = "jBKTC2fIPJ6mSkMABNxcd2ujXJ+duCXw291iz5ZmiVg=";
};
sourceRoot = "source/BasiliskII/src/Unix";
patches = [ ./remove-redhat-6-workaround-for-scsi-sg.h.patch ];
nativeBuildInputs = [ autoconf automake pkg-config ];
buildInputs = [ SDL2 gtk2 ];
preConfigure = ''
NO_CONFIGURE=1 ./autogen.sh
'';
configureFlags = [ "--enable-sdl-video" "--enable-sdl-audio" "--with-bincue" ];
meta = with lib; {
description = "68k Macintosh emulator";
homepage = "https://basilisk.cebix.net/";
license = licenses.gpl2;
maintainers = with maintainers; [ quag ];
platforms = platforms.linux;
};
}


@ -0,0 +1,10 @@
diff --git a/Linux/scsi_linux.cpp b/Linux/scsi_linux.cpp
--- a/Linux/scsi_linux.cpp
+++ b/Linux/scsi_linux.cpp
@@ -22,5 +22,5 @@
#include <sys/ioctl.h>
#include <linux/param.h>
-#include <linux/../scsi/sg.h> // workaround for broken RedHat 6.0 /usr/include/scsi
+#include <scsi/sg.h>
#include <unistd.h>
#include <errno.h>


@ -15,13 +15,13 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "flycast"; pname = "flycast";
version = "1.2"; version = "1.3";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "flyinghead"; owner = "flyinghead";
repo = "flycast"; repo = "flycast";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-MzHAGK++oukIs84OR/l6gBwCJssdi8Iyte5Rtro2+Q0="; sha256 = "sha256-FAHm8Fu/yv2rJvWCY+g50TYH4zOT6rO7F+jTL2T6EOU=";
fetchSubmodules = true; fetchSubmodules = true;
}; };


@ -45,13 +45,13 @@ in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "imagemagick"; pname = "imagemagick";
version = "7.1.0-26"; version = "7.1.0-29";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "ImageMagick"; owner = "ImageMagick";
repo = "ImageMagick"; repo = "ImageMagick";
rev = version; rev = version;
hash = "sha256-q1CL64cfyb5fN9aVYJfls+v0XRFd4jH+B8n+UJqPE1I="; hash = "sha256-46fJMOIGnK5aNIcG7+8mJdZDcSFyFmhmkLcuVlnupSU=";
}; };
outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
@ -64,9 +64,7 @@ stdenv.mkDerivation rec {
++ (if arch != null then [ "--with-gcc-arch=${arch}" ] else [ "--without-gcc-arch" ]) ++ (if arch != null then [ "--with-gcc-arch=${arch}" ] else [ "--without-gcc-arch" ])
++ lib.optional (librsvg != null) "--with-rsvg" ++ lib.optional (librsvg != null) "--with-rsvg"
++ lib.optional (liblqr1 != null) "--with-lqr" ++ lib.optional (liblqr1 != null) "--with-lqr"
# libjxl is broken on aarch64 (see meta.broken in libjxl) for now, ++ lib.optional (libjxl != null ) "--with-jxl"
# let's disable it for now to unbreak the imagemagick build.
++ lib.optional (libjxl != null && !stdenv.isAarch64) "--with-jxl"
++ lib.optionals (ghostscript != null) ++ lib.optionals (ghostscript != null)
[ [
"--with-gs-font-dir=${ghostscript}/share/ghostscript/fonts" "--with-gs-font-dir=${ghostscript}/share/ghostscript/fonts"
@ -92,11 +90,8 @@ stdenv.mkDerivation rec {
libxml2 libxml2
libheif libheif
djvulibre djvulibre
libjxl
] ]
# libjxl is broken on aarch64 (see meta.broken in libjxl) for now,
# let's disable it for now to unbreak the imagemagick build.
++ lib.optionals (!stdenv.isAarch64)
[ libjxl ]
++ lib.optionals (!stdenv.hostPlatform.isMinGW) ++ lib.optionals (!stdenv.hostPlatform.isMinGW)
[ openexr librsvg openjpeg ] [ openexr librsvg openjpeg ]
++ lib.optionals stdenv.isDarwin [ ++ lib.optionals stdenv.isDarwin [


@ -1,13 +1,16 @@
{ lib { lib
, mkDerivation , mkDerivation
, fetchFromGitHub , fetchFromGitHub
, fetchpatch
, cmake , cmake
, dxflib , boost
, cgal_5
, eigen , eigen
, flann , flann
, gdal , gdal
, gmp
, LASzip , LASzip
, libLAS , mpfr
, pdal , pdal
, pcl , pcl
, qtbase , qtbase
@ -15,36 +18,43 @@
, qttools , qttools
, tbb , tbb
, xercesc , xercesc
, wrapGAppsHook
}: }:
mkDerivation rec { mkDerivation rec {
pname = "cloudcompare"; pname = "cloudcompare";
# Released version(v2.11.3) doesn't work with packaged PCL. version = "2.12.0";
version = "unstable-2021-10-14";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "CloudCompare"; owner = "CloudCompare";
repo = "CloudCompare"; repo = "CloudCompare";
rev = "1f65ba63756e23291ae91ff52d04da468ade8249"; rev = "v${version}";
sha256 = "x1bDjFjXIl3r+yo1soWvRB+4KGP50/WBoGlrH013JQo="; sha256 = "sha256-hu3ckVocExi9lvxelHAwKb/MZacH4CcCE+vIzElgP/A=";
# As of writing includes (https://github.com/CloudCompare/CloudCompare/blob/a1c589c006fc325e8b560c77340809b9c7e7247a/.gitmodules):
# * libE57Format
# * PoissonRecon
# * CCCoreLib
fetchSubmodules = true; fetchSubmodules = true;
}; };
patches = [
# fix issues compiling on aarch64. remove once upgraded past 2.12.0
(fetchpatch {
url = "https://github.com/CloudCompare/CloudCompare/commit/7e71861fdbd6ea704add5ba69343f47d8fc3d5ae.patch";
sha256 = "sha256-CRUPjxtKUbsqOyYsjKF+dRZ+E3rqrv5mS3ZaOay2wk8=";
})
];
nativeBuildInputs = [ nativeBuildInputs = [
cmake cmake
eigen # header-only eigen # header-only
wrapGAppsHook
]; ];
buildInputs = [ buildInputs = [
dxflib boost
cgal_5
flann flann
gdal gdal
gmp
LASzip LASzip
libLAS mpfr
pdal pdal
pcl pcl
qtbase qtbase
@ -72,9 +82,32 @@ mkDerivation rec {
"-DPLUGIN_IO_QPHOTOSCAN=ON" "-DPLUGIN_IO_QPHOTOSCAN=ON"
"-DPLUGIN_IO_QRDB=OFF" # Riegl rdblib is proprietary; not packaged in nixpkgs "-DPLUGIN_IO_QRDB=OFF" # Riegl rdblib is proprietary; not packaged in nixpkgs
"-DCCCORELIB_USE_CGAL=ON" # enables Delauney triangulation support
"-DPLUGIN_STANDARD_QPCL=ON" # Adds PCD import and export support "-DPLUGIN_STANDARD_QPCL=ON" # Adds PCD import and export support
"-DPLUGIN_STANDARD_QANIMATION=ON"
"-DPLUGIN_STANDARD_QBROOM=ON"
"-DPLUGIN_STANDARD_QCANUPO=ON"
"-DPLUGIN_STANDARD_QCOMPASS=ON"
"-DPLUGIN_STANDARD_QCSF=ON"
"-DPLUGIN_STANDARD_QFACETS=ON"
"-DPLUGIN_STANDARD_QHOUGH_NORMALS=ON"
"-DEIGEN_ROOT_DIR=${eigen}/include/eigen3" # needed for hough normals
"-DPLUGIN_STANDARD_QHPR=ON"
"-DPLUGIN_STANDARD_QM3C2=ON"
"-DPLUGIN_STANDARD_QMPLANE=ON"
"-DPLUGIN_STANDARD_QPOISSON_RECON=ON"
"-DPLUGIN_STANDARD_QRANSAC_SD=ON"
"-DPLUGIN_STANDARD_QSRA=ON"
"-DPLUGIN_STANDARD_QCLOUDLAYERS=ON"
]; ];
dontWrapGApps = true;
# fix file dialogs crashing on non-NixOS (and avoid double wrapping)
preFixup = ''
qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
'';
meta = with lib; { meta = with lib; {
description = "3D point cloud and mesh processing software"; description = "3D point cloud and mesh processing software";
homepage = "https://cloudcompare.org"; homepage = "https://cloudcompare.org";


@ -11,11 +11,11 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "drawio"; pname = "drawio";
version = "17.2.4"; version = "17.4.2";
src = fetchurl { src = fetchurl {
url = "https://github.com/jgraph/drawio-desktop/releases/download/v${version}/drawio-x86_64-${version}.rpm"; url = "https://github.com/jgraph/drawio-desktop/releases/download/v${version}/drawio-x86_64-${version}.rpm";
sha256 = "sha256-dKl7DxNneoQEL+QhZmpfQCd15RoeDRnkZt3sv8t2KM4="; sha256 = "294f99d9060bc394490b20d2ddab75ed5c0166d7960850f065eb8897ef31a2e3";
}; };
nativeBuildInputs = [ nativeBuildInputs = [


@ -6,13 +6,13 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "geeqie"; pname = "geeqie";
version = "1.7.2"; version = "1.7.3";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "BestImageViewer"; owner = "BestImageViewer";
repo = "geeqie"; repo = "geeqie";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-Abr7trlms6bxOAqE6xNKRv51TBGNilNdBhUZUg7OTKY="; sha256 = "sha256-O+yz/uNxueR+naEJG8EZ+k/JutRjJ5wwbB9DYb8YNLw=";
}; };
patches = [ patches = [


@ -0,0 +1,95 @@
{ lib
, stdenv
, fetchurl
, makeWrapper
, autoPatchelfHook
, libX11
, libXext
, libXrandr
, libXinerama
, libglvnd
, openal
, glibc
, makeDesktopItem
, copyDesktopItems
, imagemagick
}:
let
version = "1.3";
in
stdenv.mkDerivation {
pname = "unigine-tropics";
inherit version;
src = fetchurl {
url = "http://m12-assets.unigine.com/d/Unigine_Tropics-${version}.run";
sha256 = "0icasdp46fjnic7gk83pknjx0gpap9j202dm0llcfg5zin5kbq7x";
};
libPath = lib.makeLibraryPath [
libglvnd
openal
glibc
];
installPhase = ''
bash $src --target $name
install -D -m 0755 $name/bin/libUnigine_x86.so $out/lib/unigine/tropics/bin/libUnigine_x86.so
install -D -m 0755 $name/bin/Tropics $out/lib/unigine/tropics/bin/Tropics
install -D -m 0755 $name/1024x768_windowed.sh $out/bin/Tropics
cp -R $name/data $out/lib/unigine/tropics
wrapProgram $out/bin/Tropics \
--prefix LD_LIBRARY_PATH : $libPath:$out/lib/unigine/tropics/bin \
--run "cd $out/lib/unigine/tropics"
convert -size 256x256 xc:Transparent -fill gradient:'dodgerblue-white' -stroke Transparent -draw "roundrectangle 0,0 256,256 50,50" $name/icon.png
convert $name/icon.png -fill white -stroke white -draw "polygon 69.2564,84.1261 117.9,84.1261 117.9,206.56 138.1,206.56 138.1,84.1261 186.744,84.1261 186.744,65.9877 69.2564,65.9877 69.2564,84.1261" $name/icon.png
for RES in 16 24 32 48 64 128 256
do
mkdir -p $out/share/icons/hicolor/"$RES"x"$RES"/apps
convert $name/icon.png -resize "$RES"x"$RES" $out/share/icons/hicolor/"$RES"x"$RES"/apps/Tropics.png
done
convert $name/icon.png -resize 128x128 $out/share/icons/Tropics.png
runHook postInstall
'';
desktopItems = [
(makeDesktopItem {
name = "Tropics";
exec = "Tropics";
genericName = "A GPU Stress test tool from the UNIGINE";
icon = "Tropics";
desktopName = "Tropics Benchmark";
})
];
nativeBuildInputs = [
autoPatchelfHook
makeWrapper
imagemagick
copyDesktopItems
];
buildInputs = [
stdenv.cc.cc
libX11
libXext
libXrandr
libXinerama
];
dontUnpack = true;
meta = {
description = "The Unigine Heaven GPU benchmarking tool";
homepage = "https://benchmark.unigine.com/tropics";
license = lib.licenses.unfree;
maintainers = [ lib.maintainers.BarinovMaxim ];
platforms = [ "x86_64-linux" "i686-linux" ];
};
}
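Review bot: `meta.description` reads "The Unigine Heaven GPU benchmarking tool" although this expression packages Tropics, which looks like a leftover from the Heaven package; it should be `description = "The Unigine Tropics GPU benchmarking tool";`. The `installPhase` ends with `runHook postInstall` but never calls `runHook preInstall`, so that line should be added as its first statement. The installer is fetched over plain `http://` and then executed with `bash $src`; the pinned `sha256` still protects the integrity of what runs, but an `https://` URL is preferable if the vendor serves one.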


@ -11,6 +11,7 @@
buildDotnetModule rec { buildDotnetModule rec {
pname = "archisteamfarm"; pname = "archisteamfarm";
# nixpkgs-update: no auto update
version = "5.2.2.4"; version = "5.2.2.4";
src = fetchFromGitHub { src = fetchFromGitHub {


@ -2,18 +2,16 @@
buildGoModule rec { buildGoModule rec {
pname = "charm"; pname = "charm";
version = "0.10.3"; version = "0.11.0";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "charmbracelet"; owner = "charmbracelet";
repo = "charm"; repo = "charm";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-7WdSIpmpN8Zz2k5PveYZoCueQo5sLxLLZvZdzxRlkaE="; sha256 = "sha256-98TUiFy4X7lMUostkgZikk6r6wzBPF0pqWthrS9nU+U=";
}; };
vendorSha256 = "sha256-5cqZxh2uvmJV7DtAGzQwt//heF3kF9mjyB0KAs8nWZY="; vendorSha256 = "sha256-enkt7BUAntbB75LR12NB0vW6z9dTPzk0bGdRrn3JHm4=";
doCheck = false;
ldflags = [ "-s" "-w" "-X=main.Version=${version}" ]; ldflags = [ "-s" "-w" "-X=main.Version=${version}" ];


@ -9,7 +9,7 @@
}: }:
let let
version = "4.1.5"; version = "4.2.0";
libsecp256k1_name = libsecp256k1_name =
if stdenv.isLinux then "libsecp256k1.so.0" if stdenv.isLinux then "libsecp256k1.so.0"
@ -20,19 +20,6 @@ let
if stdenv.isLinux then "libzbar.so.0" if stdenv.isLinux then "libzbar.so.0"
else "libzbar${stdenv.hostPlatform.extensions.sharedLibrary}"; else "libzbar${stdenv.hostPlatform.extensions.sharedLibrary}";
py = python3.override {
packageOverrides = self: super: {
aiorpcx = super.aiorpcx.overridePythonAttrs (oldAttrs: rec {
version = "0.18.7";
src = oldAttrs.src.override {
inherit version;
sha256 = "1rswrspv27x33xa5bnhrkjqzhv0sknv5kd7pl1vidw9d2z4rx2l0";
};
});
};
};
in in
python3.pkgs.buildPythonApplication { python3.pkgs.buildPythonApplication {
@ -43,17 +30,12 @@ python3.pkgs.buildPythonApplication {
owner = "Groestlcoin"; owner = "Groestlcoin";
repo = "electrum-grs"; repo = "electrum-grs";
rev = "refs/tags/v${version}"; rev = "refs/tags/v${version}";
sha256 = "0wvbjj80r1zxpz24adkicxsdjnv3nciga6rl1wfmky463w03rca2"; sha256 = "15n6snrs1kgdqkhp4wgs0bxxdz6mzl8dvf8h7s0jzc6r4b74vv3n";
}; };
postPatch = ''
substituteInPlace contrib/requirements/requirements.txt \
--replace "dnspython>=2.0,<2.1" "dnspython>=2.0"
'';
nativeBuildInputs = lib.optionals enableQt [ wrapQtAppsHook ]; nativeBuildInputs = lib.optionals enableQt [ wrapQtAppsHook ];
propagatedBuildInputs = with py.pkgs; [ propagatedBuildInputs = with python3.pkgs; [
aiohttp aiohttp
aiohttp-socks aiohttp-socks
aiorpcx aiorpcx


@ -2,10 +2,10 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "gremlin-console"; pname = "gremlin-console";
version = "3.5.2"; version = "3.5.3";
src = fetchzip { src = fetchzip {
url = "https://downloads.apache.org/tinkerpop/${version}/apache-tinkerpop-gremlin-console-${version}-bin.zip"; url = "https://downloads.apache.org/tinkerpop/${version}/apache-tinkerpop-gremlin-console-${version}-bin.zip";
sha256 = "sha256-PCr8lDQzypgozKCzD8FV4X4ls5lYZRMey1vfcFzo+Uc="; sha256 = "sha256-pcxJYK+hBFlJ8CmuHGcI+U3x3nE/f9Nu37Nkd3C2Hy8=";
}; };
nativeBuildInputs = [ makeWrapper ]; nativeBuildInputs = [ makeWrapper ];


@ -1,4 +1,4 @@
{ lib, buildGoModule, fetchFromGitHub }: { lib, buildGoModule, fetchFromGitHub, kubectl, stdenv }:
buildGoModule rec { buildGoModule rec {
pname = "gsctl"; pname = "gsctl";
@ -13,10 +13,16 @@ buildGoModule rec {
vendorSha256 = "sha256-NeRABlKUpD2ZHRid/vu34Dh9uHZ+7IXWFPX8jkexUog="; vendorSha256 = "sha256-NeRABlKUpD2ZHRid/vu34Dh9uHZ+7IXWFPX8jkexUog=";
ldflags = ldflags = [
[ "-s" "-w" "-X github.com/giantswarm/gsctl/buildinfo.Version=${version}" ]; "-s" "-w"
"-X github.com/giantswarm/gsctl/buildinfo.Version=${version}"
];
doCheck = false; checkInputs = [
kubectl
];
doCheck = !stdenv.isDarwin;
meta = with lib; { meta = with lib; {
description = "The Giant Swarm command line interface"; description = "The Giant Swarm command line interface";
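Review bot: `doCheck = !stdenv.isDarwin;` carries no comment saying why the tests are skipped on Darwin, so nobody can tell when the exclusion may be lifted. A one-line comment above it, such as `# tests fail on darwin: <reason>`, would do. The cloudflared section later in this commit adds the same line with the same gap.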


@ -2,16 +2,16 @@
buildGoModule rec { buildGoModule rec {
pname = "hugo"; pname = "hugo";
version = "0.92.2"; version = "0.96.0";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "gohugoio"; owner = "gohugoio";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-kwqN/9H/ZI2eL09K/9bOMBWW9bow8LtKpbfxyfxIucA="; sha256 = "sha256-3O+ZdOloh5gILPQssztt7s/MwRgDOnpJItwLn7FXnPU=";
}; };
vendorSha256 = "sha256-7dJUl0IxsLj0ds2jqtChNCQEBiK9PahG159IhyFxwdM="; vendorSha256 = "sha256-TgE/ToHBg2QBgtk0gPZTV/icIbQN14RpVAbL/8b+W0U=";
doCheck = false; doCheck = false;
@ -27,9 +27,9 @@ buildGoModule rec {
$out/bin/hugo gen man $out/bin/hugo gen man
installManPage man/* installManPage man/*
installShellCompletion --cmd hugo \ installShellCompletion --cmd hugo \
--bash <($out/bin/hugo gen autocomplete --type=bash) \ --bash <($out/bin/hugo completion bash) \
--fish <($out/bin/hugo gen autocomplete --type=fish) \ --fish <($out/bin/hugo completion fish) \
--zsh <($out/bin/hugo gen autocomplete --type=zsh) --zsh <($out/bin/hugo completion zsh)
''; '';
meta = with lib; { meta = with lib; {


@ -15,13 +15,13 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "otpclient"; pname = "otpclient";
version = "2.4.9.1"; version = "2.5.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "paolostivanin"; owner = "paolostivanin";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-QcdPyuwbGK12Kul+gGTfRGmXfghr0qugpBEcrgATOT4="; sha256 = "sha256-VUrLbGaDfPE+Ak20ZCJDmO/sgBzdf4S+SqvyQ7F6SQU=";
}; };
buildInputs = [ gtk3 jansson libgcrypt libzip libpng libcotp zbar ]; buildInputs = [ gtk3 jansson libgcrypt libzip libpng libcotp zbar ];


@ -0,0 +1,56 @@
{ lib
, stdenv
, installShellFiles
, fetchFromGitHub
, gumbo
, harfbuzz
, jbig2dec
, mupdf
, openjpeg
, qt3d
, qtbase
, qmake
, wrapQtAppsHook
}:
stdenv.mkDerivation rec {
pname = "sioyek";
version = "1.2.0";
src = fetchFromGitHub {
owner = "ahrm";
repo = pname;
rev = "v${version}";
sha256 = "sha256-G4iZi6xTJjWZN0T3lO0jPquxJ3p8Mc0ewmjJEKcGJ34=";
};
buildInputs = [ gumbo harfbuzz jbig2dec mupdf openjpeg qt3d qtbase ];
nativeBuildInputs = [ installShellFiles wrapQtAppsHook qmake ];
postPatch = ''
substituteInPlace pdf_viewer_build_config.pro \
--replace "-lmupdf-threads" "-lfreetype -lgumbo -ljbig2dec -lopenjp2 -ljpeg"
substituteInPlace pdf_viewer/main.cpp \
--replace "/usr/share/sioyek" "$out/share" \
--replace "/etc/sioyek" "$out/etc"
'';
qmakeFlags = "DEFINES+=\"LINUX_STANDARD_PATHS\" pdf_viewer_build_config.pro";
postInstall = ''
install -Dm644 tutorial.pdf $out/share/tutorial.pdf
cp -r pdf_viewer/shaders $out/share/
install -Dm644 -t $out/etc/ pdf_viewer/{keys,prefs}.config
installManPage resources/sioyek.1
'';
meta = with lib; {
description = "Sioyek is a PDF viewer designed for reading research papers and technical books.";
homepage = "https://sioyek.info/";
changelog = "https://github.com/ahrm/sioyek/releases";
license = licenses.gpl3Only;
platforms = platforms.linux;
maintainers = [ maintainers.podocarp ];
};
}
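Review bot: The `postPatch` rewrite maps `/usr/share/sioyek` to `$out/share`, and `postInstall` then places `tutorial.pdf` and `shaders/` directly in `$out/share`, a directory that is merged with every other package in a profile. Keeping the application's own subdirectory, `--replace "/usr/share/sioyek" "$out/share/sioyek"` with the two install lines adjusted to match, avoids name collisions; the same reasoning applies to `$out/etc`. `meta.description` should also not start with the package name or end with a period, e.g. `description = "PDF viewer designed for reading research papers and technical books";`.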


@ -2,14 +2,14 @@
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "toipe"; pname = "toipe";
version = "0.3.1"; version = "0.4.0";
src = fetchCrate { src = fetchCrate {
inherit pname version; inherit pname version;
sha256 = "sha256-/vO5ABMldw3soh7mscjhN5TAZOcs+iMTaMxcdMmV0Xo="; sha256 = "sha256-lAvFCvNm55SjRmrhIkMBiM0nSlAG+jUEKLlLaGs1RkY=";
}; };
cargoSha256 = "sha256-AsRQ8kvDy1cH4/kaFAoU7en3dzDiG1T+O+4r6PKa0hM="; cargoSha256 = "sha256-WmWH/x69H17uHQEB0+GRUtApJnSEkoeFLLweP8NoBrk=";
meta = with lib; { meta = with lib; {
description = "Trusty terminal typing tester"; description = "Trusty terminal typing tester";


@ -4,13 +4,13 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "xmrig"; pname = "xmrig";
version = "6.16.4"; version = "6.17.0";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "xmrig"; owner = "xmrig";
repo = "xmrig"; repo = "xmrig";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-hfdKhTUGoVN4DIURO+e3MOSpsL6GWxOV3LItd0nA51Y="; sha256 = "sha256-K8mN3Wzlay2Qgoo70mu3Bh4lXUXNDpXYt17aNnwWkIc=";
}; };
nativeBuildInputs = [ cmake ]; nativeBuildInputs = [ cmake ];


@ -10,11 +10,11 @@
# Based on https://gist.github.com/msteen/96cb7df66a359b827497c5269ccbbf94 and joplin-desktop nixpkgs. # Based on https://gist.github.com/msteen/96cb7df66a359b827497c5269ccbbf94 and joplin-desktop nixpkgs.
let let
pname = "zettlr"; pname = "zettlr";
version = "2.2.4"; version = "2.2.5";
name = "${pname}-${version}"; name = "${pname}-${version}";
src = fetchurl { src = fetchurl {
url = "https://github.com/Zettlr/Zettlr/releases/download/v${version}/Zettlr-${version}-x86_64.appimage"; url = "https://github.com/Zettlr/Zettlr/releases/download/v${version}/Zettlr-${version}-x86_64.appimage";
sha256 = "sha256-lzXciToyUsHl8WV0IvdP6R2pYegL7/G04YPLb6gbCgQ="; sha256 = "sha256-KP3lt0CweT1f/BR3IpnjwCqNvhFbrpz9KLg6K8OMs+I=";
}; };
appimageContents = appimageTools.extractType2 { appimageContents = appimageTools.extractType2 {
inherit name src; inherit name src;


@ -87,11 +87,11 @@ let
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "appgate-sdp"; pname = "appgate-sdp";
version = "5.5.3"; version = "5.5.4";
src = fetchurl { src = fetchurl {
url = "https://bin.appgate-sdp.com/${versions.majorMinor version}/client/appgate-sdp_${version}_amd64.deb"; url = "https://bin.appgate-sdp.com/${versions.majorMinor version}/client/appgate-sdp_${version}_amd64.deb";
sha256 = "sha256-qSo4JX/Jj+JkeetZIMw88MK7SzOgT8aNbQby2kJ91oo="; sha256 = "sha256-7qfgUYD7uPb+ZEierREVfnHoGz0/b/J+hcsX/duDFWU=";
}; };
# just patch interpreter # just patch interpreter


@ -37,6 +37,7 @@
, pango , pango
, pipewire , pipewire
, udev , udev
, wayland
, xorg , xorg
, zlib , zlib
, xdg-utils , xdg-utils
@ -82,6 +83,7 @@ rpath = lib.makeLibraryPath [
pango pango
pipewire pipewire
udev udev
wayland
xdg-utils xdg-utils
xorg.libxcb xorg.libxcb
zlib zlib
@ -160,6 +162,7 @@ stdenv.mkDerivation rec {
preFixup = '' preFixup = ''
# Add command line args to wrapGApp. # Add command line args to wrapGApp.
gappsWrapperArgs+=(--add-flags ${lib.escapeShellArg commandLineArgs}) gappsWrapperArgs+=(--add-flags ${lib.escapeShellArg commandLineArgs})
gappsWrapperArgs+=(--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}")
''; '';
installCheckPhase = '' installCheckPhase = ''


@ -38,9 +38,9 @@ for entry in feed.entries:
else: else:
print('chromium: TODO -> ' + version + '\n') print('chromium: TODO -> ' + version + '\n')
print(url) print(url)
if fixes := re.search(r'This update includes .+ security fixes\.', content).group(0): if fixes := re.search(r'This update includes .+ security fix(es)?\.', content):
zero_days = re.search(r'Google is aware( of reports)? th(e|at) .+ in the wild\.', content) fixes = fixes.group(0)
if zero_days: if zero_days := re.search(r'Google is aware( of reports)? th(e|at) .+ in the wild\.', content):
fixes += " " + zero_days.group(0) fixes += " " + zero_days.group(0)
print('\n' + '\n'.join(textwrap.wrap(fixes, width=72))) print('\n' + '\n'.join(textwrap.wrap(fixes, width=72)))
if cve_list := re.findall(r'CVE-[^: ]+', content): if cve_list := re.findall(r'CVE-[^: ]+', content):
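Review bot: The in-the-wild sentence appears to be reported only when the "This update includes … security fix(es)." sentence also matches, because the `zero_days` search and the `print` seem to sit inside the `if fixes := …` body (indentation is lost in this rendering, so this is inferred). A release note that mentions active exploitation but words the fix count differently would then produce no summary at all. Searching for both sentences independently and printing whichever matched, e.g. `summary = ' '.join(m.group(0) for m in (fixes, zero_days) if m)`, keeps the more urgent signal. Rebinding `fixes` from a match object to a string on the following line also makes the block harder to follow. The loop body continues outside the hunk.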


@ -1,8 +1,8 @@
{ {
"stable": { "stable": {
"version": "100.0.4896.75", "version": "100.0.4896.88",
"sha256": "1h60l1g340gvm4lz2lps6dqpvahpzn24hz47y2qvc6mavx9d6ki4", "sha256": "0l628x41krsjgzff9996k5wkbcvcjqf4128z32hpj1pkg23719f5",
"sha256bin64": "0nrrkgwcnqg4l8x1nk1rdxnv9xa0c24ync1yls7s9rc34wkk8sc5", "sha256bin64": "1wqzs3f70ayi9vy3ncm5mild22xvhwn4d2lcfra31wwnzxi1nqxm",
"deps": { "deps": {
"gn": { "gn": {
"version": "2022-01-21", "version": "2022-01-21",
@ -19,9 +19,9 @@
} }
}, },
"beta": { "beta": {
"version": "101.0.4951.15", "version": "101.0.4951.26",
"sha256": "1gm70mz6gzildh1g082q4dg5q9namm9kvxfj5qrdcj67gvz5m66y", "sha256": "1wpdi5l0bic0z9ydvx5vj35z6fh21b3n8dsxyvcbm0rq4fca5zcg",
"sha256bin64": "0z2rx7mw9wg5ly8wmxkflk8f9gifq4cxqvi224v9dr11qqj8gwm2", "sha256bin64": "13mx2jxq5pjzp6dxvnzkfs83krhvpbw0pim7z4c7hhyphjc4fhzr",
"deps": { "deps": {
"gn": { "gn": {
"version": "2022-03-14", "version": "2022-03-14",
@ -32,22 +32,22 @@
} }
}, },
"dev": { "dev": {
"version": "102.0.4972.0", "version": "102.0.4997.0",
"sha256": "1aihdym7h8sd52wiybnrgjrd618f3yby4bpbkc26xyrl8gviz31d", "sha256": "05y9b426wcarq18faw5i79qrfqy158dinvba5d7lwrcjnbqyfr1f",
"sha256bin64": "0mb67cfr397aclkiy0v9xqga07c166qdylq257k2kmhj7df1gcvn", "sha256bin64": "0846y3dbs7vghrb8s2s57a2lk7a0x2dha5q0d915qrn29g5x9c6p",
"deps": { "deps": {
"gn": { "gn": {
"version": "2022-03-29", "version": "2022-04-07",
"url": "https://gn.googlesource.com/gn", "url": "https://gn.googlesource.com/gn",
"rev": "e39d5251c25155b9dfdb96adeab31b795095fd3b", "rev": "ae110f8b525009255ba1f9ae96982176d3bfad3d",
"sha256": "1clr0f847rmwwpmsl9zv4q6rw1shn09my775666v480szpahj9pk" "sha256": "131y1v2m59hn7s00zc9p7rhfi956p744mp96g2i80f0i020dyl6w"
} }
} }
}, },
"ungoogled-chromium": { "ungoogled-chromium": {
"version": "100.0.4896.75", "version": "100.0.4896.88",
"sha256": "1h60l1g340gvm4lz2lps6dqpvahpzn24hz47y2qvc6mavx9d6ki4", "sha256": "0l628x41krsjgzff9996k5wkbcvcjqf4128z32hpj1pkg23719f5",
"sha256bin64": "0nrrkgwcnqg4l8x1nk1rdxnv9xa0c24ync1yls7s9rc34wkk8sc5", "sha256bin64": "1wqzs3f70ayi9vy3ncm5mild22xvhwn4d2lcfra31wwnzxi1nqxm",
"deps": { "deps": {
"gn": { "gn": {
"version": "2022-01-21", "version": "2022-01-21",
@ -56,8 +56,8 @@
"sha256": "1dzdvcn2r5c9giknvasf3y5y4901kav7igivjvrpww66ywsj8fzr" "sha256": "1dzdvcn2r5c9giknvasf3y5y4901kav7igivjvrpww66ywsj8fzr"
}, },
"ungoogled-patches": { "ungoogled-patches": {
"rev": "100.0.4896.75-1", "rev": "100.0.4896.88-1",
"sha256": "0s31dclgk3x9302wr5yij77361bqam2sfki39p651gwysfizb73n" "sha256": "0f0c5mrjvk6lg59p4x6lg2az4f83y7zzikv5hlmqzpgydivk7c13"
} }
} }
} }


@ -7,10 +7,10 @@ in
rec { rec {
firefox = common rec { firefox = common rec {
pname = "firefox"; pname = "firefox";
version = "99.0"; version = "99.0.1";
src = fetchurl { src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz"; url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
sha512 = "08f6d5a668140c4275aba6df463ed3af596043dfe5f27573583afbc1e9f6b27ebca79a52ce2c9598261c631b400b5378744e9e70f51ef9c4098b419e9904aa7c"; sha512 = "0006b773ef1057a6e0b959d4f39849ad4a79272b38d565da98062b9aaf0effd2b729349c1f9fa10fccf7d2462d2c536b02c167ae6ad4556d6e519c6d22c25a7f";
}; };
meta = { meta = {


@ -46,12 +46,12 @@ assert with lib.strings; (
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "palemoon"; pname = "palemoon";
version = "29.4.5.1"; version = "29.4.6";
src = fetchzip { src = fetchzip {
name = "${pname}-${version}"; name = "${pname}-${version}";
url = "http://archive.palemoon.org/source/${pname}-${version}.source.tar.xz"; url = "http://archive.palemoon.org/source/${pname}-${version}.source.tar.xz";
sha256 = "sha256-IC7E88dECAz2diVLEEdjMltpNMBhPTlPvbz05BniBMI="; sha256 = "sha256-6bI3AnIhp0x3BCgTvmbOXDBGrJXg3cN+AmwI8XCKD8g=";
}; };
nativeBuildInputs = [ nativeBuildInputs = [


@ -1,10 +1,12 @@
{ stdenv, lib, fetchurl, fetchzip, python3 { stdenv, lib, fetchurl, fetchzip, python3
, mkDerivationWith, wrapQtAppsHook, wrapGAppsHook, qtbase, qtwebengine, glib-networking , mkDerivationWith, wrapQtAppsHook, wrapGAppsHook, qtbase, qtwebengine, glib-networking
, asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, pipewire_0_2 , asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2
, libxslt, gst_all_1 ? null , libxslt, gst_all_1 ? null
, withPdfReader ? true , withPdfReader ? true
, withMediaPlayback ? true , withMediaPlayback ? true
, backend ? "webengine" , backend ? "webengine"
, pipewireSupport ? stdenv.isLinux
, pipewire_0_2
}: }:
assert withMediaPlayback -> gst_all_1 != null; assert withMediaPlayback -> gst_all_1 != null;
@ -77,7 +79,7 @@ in mkDerivationWith python3Packages.buildPythonApplication rec {
postPatch = '' postPatch = ''
substituteInPlace qutebrowser/misc/quitter.py --subst-var-by qutebrowser "$out/bin/qutebrowser" substituteInPlace qutebrowser/misc/quitter.py --subst-var-by qutebrowser "$out/bin/qutebrowser"
sed -i "s,/usr/share/,$out/share/,g" qutebrowser/utils/standarddir.py sed -i "s,/usr,$out,g" qutebrowser/utils/standarddir.py
'' + lib.optionalString withPdfReader '' '' + lib.optionalString withPdfReader ''
sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py
''; '';
@ -121,7 +123,7 @@ in mkDerivationWith python3Packages.buildPythonApplication rec {
"''${qtWrapperArgs[@]}" "''${qtWrapperArgs[@]}"
--add-flags '--backend ${backend}' --add-flags '--backend ${backend}'
--set QUTE_QTWEBENGINE_VERSION_OVERRIDE "${lib.getVersion qtwebengine}" --set QUTE_QTWEBENGINE_VERSION_OVERRIDE "${lib.getVersion qtwebengine}"
${lib.optionalString (!stdenv.isDarwin && backend == "webengine") ''--prefix LD_LIBRARY_PATH : ${libPath}''} ${lib.optionalString (pipewireSupport && backend == "webengine") ''--prefix LD_LIBRARY_PATH : ${libPath}''}
) )
''; '';
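Review bot: The broadened `sed -i "s,/usr,$out,g"` in `postPatch` now rewrites every occurrence of `/usr` in `standarddir.py` rather than only the `/usr/share/` prefix, and `sed` exits successfully whether or not anything matched. Which additional paths this is meant to cover is not visible in the hunk, so a short comment naming them would help. A narrower pattern, or a `grep` on the result, would also catch an upstream change that turns the substitution into a silent no-op.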


@ -1,22 +1,33 @@
{ lib, buildGoModule, fetchFromGitHub }: { lib, buildGoModule, fetchFromGitHub, stdenv }:
buildGoModule rec { buildGoModule rec {
pname = "cloudflared"; pname = "cloudflared";
version = "2022.4.0"; version = "2022.4.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "cloudflare"; owner = "cloudflare";
repo = "cloudflared"; repo = "cloudflared";
rev = version; rev = version;
hash = "sha256-+40OK2q4WdvlLhoPfZH6q+pghgS7ZLmaZl2VbZK4rdA="; hash = "sha256-dgvXbWtLP6sXBlqcx/xpw9LIbcE4VlYZQO5rrS34+9I=";
}; };
vendorSha256 = null; vendorSha256 = null;
doCheck = false;
ldflags = [ "-X main.Version=${version}" ]; ldflags = [ "-X main.Version=${version}" ];
preCheck = ''
# Workaround for: sshgen_test.go:74: mkdir /homeless-shelter/.cloudflared: no such file or directory
export HOME="$(mktemp -d)";
# Workaround for: protocol_test.go:11:
# lookup protocol-v2.argotunnel.com on [::1]:53: read udp [::1]:51876->[::1]:53: read: connection refused
substituteInPlace "edgediscovery/protocol_test.go" \
--replace "TestProtocolPercentage" "SkipProtocolPercentage"
'';
doCheck = !stdenv.isDarwin;
meta = with lib; { meta = with lib; {
description = "CloudFlare Tunnel daemon (and DNS-over-HTTPS client)"; description = "CloudFlare Tunnel daemon (and DNS-over-HTTPS client)";
homepage = "https://www.cloudflare.com/products/tunnel"; homepage = "https://www.cloudflare.com/products/tunnel";

View file

@ -2,16 +2,16 @@
buildGoModule rec { buildGoModule rec {
pname = "argocd-autopilot"; pname = "argocd-autopilot";
version = "0.3.1"; version = "0.3.2";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "argoproj-labs"; owner = "argoproj-labs";
repo = "argocd-autopilot"; repo = "argocd-autopilot";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-L8+sb0lGPuc6smOFwijRGFS+oSCxEqB5c1tG55MPlgE="; sha256 = "sha256-9si2zqYhmAqzhdUWMkfQ/yLeyNcZSAWypvZTbDDrPvA=";
}; };
vendorSha256 = "sha256-sxPTOao3scTmiVKFyGeWPMzXQz/d0HSVmUYocNGm1vA="; vendorSha256 = "sha256-UfZCGG24JjPoc5nbX9vPeFCP8YGMNF5oUrdwTC6RpKI=";
proxyVendor = true; proxyVendor = true;


@ -6,13 +6,13 @@
buildGoModule rec { buildGoModule rec {
pname = "arkade"; pname = "arkade";
version = "0.8.20"; version = "0.8.22";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "alexellis"; owner = "alexellis";
repo = "arkade"; repo = "arkade";
rev = version; rev = version;
sha256 = "sha256-DIXvsYYckNlxFzeJqk3TYRQIAtafAfylyDc/a20kl+0="; sha256 = "sha256-mn/UX2xNMthCtXYFUXqiiPnMltwO2Hk/qveudEYAOZ0=";
}; };
CGO_ENABLED = 0; CGO_ENABLED = 0;


@ -2,21 +2,24 @@
buildGoModule rec { buildGoModule rec {
pname = "atlantis"; pname = "atlantis";
version = "0.16.1"; version = "0.19.2";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "runatlantis"; owner = "runatlantis";
repo = "atlantis"; repo = "atlantis";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-D549pInoK8ispgcn8LYdix19Hp7wO6w2/d2Y1L/9Px8="; sha256 = "sha256-cd2dhrqJl/VRhOYB1g9OpOnPV92EQm8f3rRGZGVN+IY=";
}; };
vendorSha256 = null; vendorSha256 = "sha256-ux+Hw/TjeiY9VYhIQxaltZGk5CkxAab8R7kAsTaMUGc=";
doCheck = false;
subPackages = [ "." ]; subPackages = [ "." ];
doInstallCheck = true;
installCheckPhase = ''
$out/bin/atlantis version | grep ${version} > /dev/null
'';
meta = with lib; { meta = with lib; {
homepage = "https://github.com/runatlantis/atlantis"; homepage = "https://github.com/runatlantis/atlantis";
description = "Terraform Pull Request Automation"; description = "Terraform Pull Request Automation";
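Review bot: The new `installCheckPhase` passes the version to `grep` as a regular expression, so the dots in `0.19.2` match any character, and the phase omits the `runHook preInstallCheck` / `runHook postInstallCheck` calls. Placing `$out/bin/atlantis version | grep -qF ${version}` between the two hooks is stricter and makes the redirect to `/dev/null` unnecessary.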


@ -2,16 +2,16 @@
buildGoModule rec { buildGoModule rec {
pname = "cmctl"; pname = "cmctl";
version = "1.7.2"; version = "1.8.0";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "cert-manager"; owner = "cert-manager";
repo = "cert-manager"; repo = "cert-manager";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-Hx6MG5GCZyOX0tfpg1bfUT0BOI3p7Mws1VCz2PuUuw8="; sha256 = "sha256-h7GyzjVrfyMHY7yuNmmsym6KGKCQr5R71gjPBTUeMCg=";
}; };
vendorSha256 = "sha256-4zhdpedOmLl/i1G0QCto4ACxguWRZLzOm5HfMBMtvPY="; vendorSha256 = "sha256-UYw9WdQ6VwzuuiOsa1yovkLZG7NmLYSW51p8UhmQMeI=";
subPackages = [ "cmd/ctl" ]; subPackages = [ "cmd/ctl" ];


@ -46,12 +46,12 @@ with lib;
# Those pieces of software we entirely ignore upstream's handling of, and just # Those pieces of software we entirely ignore upstream's handling of, and just
# make sure they're in the path if desired. # make sure they're in the path if desired.
let let
k3sVersion = "1.23.4+k3s1"; # k3s git tag k3sVersion = "1.23.5+k3s1"; # k3s git tag
k3sCommit = "43b1cb48200d8f6af85c16ed944d68fcc96b6506"; # k3s git commit at the above version k3sCommit = "313aaca547f030752788dce696fdf8c9568bc035"; # k3s git commit at the above version
k3sRepoSha256 = "1sn7rd5hqfqvwj036blk0skmq6r8igbmiqk1dnpaqnkkddpzdgmc"; k3sRepoSha256 = "0vk72609cyyh64irp14jp2zspnxw34jm710cbwgklx0ch6kiz88d";
k3sVendorSha256 = "sha256-1/kQvNqFUWwch1JH+twWzBdjNYseoZyVObB1+s9WPM4="; k3sVendorSha256 = "sha256-d7kQsJi/eQbaTUDglp3gFpc5Im6CyD9coKeM3kMrbjI=";
k3sServerVendorSha256 = "sha256-2KIFff43jfqWdxX61aWofrjmc5mMkr5aEJRFdGpLyU8="; k3sServerVendorSha256 = "sha256-E3USXNuXY0lzZH+t3O7BOQ8rKNNQ6avOMItgOEi1cEg=";
# taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9 # taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
# The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know. # The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
@ -68,8 +68,8 @@ let
# taken from go.mod, the 'github.com/containerd/containerd' line # taken from go.mod, the 'github.com/containerd/containerd' line
# run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'` # run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
containerdVersion = "1.5.9-k3s1"; containerdVersion = "1.5.10-k3s1";
containerdSha256 = "09wfy20z3c9fnla353pibpsb10xzl0f4xwp8qdjh3fwa1q2626gg"; containerdSha256 = "1ff2sfaqpjimq7w0lprci6ibyi6v65ap6b9sr6b0j12gqr2sqwa5";
# run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
criCtlVersion = "1.22.0-k3s1"; criCtlVersion = "1.22.0-k3s1";
@ -228,9 +228,24 @@ buildGoModule rec {
patches = [ patches = [
./patches/0001-scrips-download-strip-downloading-just-package-CRD.patch ./patches/0001-scrips-download-strip-downloading-just-package-CRD.patch
./patches/0002-Don-t-build-a-static-binary-in-package-cli.patch
]; ];
postPatch = ''
# Nix prefers dynamically linked binaries over static binary.
substituteInPlace scripts/package-cli \
--replace '"$LDFLAGS $STATIC" -o' \
'"$LDFLAGS" -o' \
--replace "STATIC=\"-extldflags \'-static\'\"" \
""
# Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
substituteInPlace scripts/package-cli \
--replace '"''${GO}" generate' \
'GOFLAGS="" "''${GO}" generate'
'';
# Important utilities used by the kubelet, see # Important utilities used by the kubelet, see
# https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494 # https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
# Note the list in that issue is stale and some aren't relevant for k3s. # Note the list in that issue is stale and some aren't relevant for k3s.
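Review bot: The second `--replace` in the new `postPatch` probably never matches: inside a double-quoted shell string `\'` stays a literal backslash plus quote, so the pattern becomes `STATIC="-extldflags \'-static\'"` while the upstream script (visible here only through the deleted patch) has `STATIC="-extldflags '-static'"`. The binary is still linked dynamically because the first replacement removes `$STATIC` from the `go build` line, but the leftover assignment shows how these substitutions can miss unnoticed: `--replace` does not abort the build when its pattern is absent, whereas the removed patch file would have failed to apply. Writing the pattern as `"STATIC=\"-extldflags '-static'\""` and adding a check such as `! grep -q -- '-static' scripts/package-cli` after the substitutions would make a future upstream change to this script visible.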


@ -1,37 +0,0 @@
From 49c000c7c5dd7a502a2be4c638d2c32b65673c00 Mon Sep 17 00:00:00 2001
From: Euan Kemp <euank@euank.com>
Date: Sun, 6 Feb 2022 23:13:00 -0800
Subject: [PATCH] Don't build a static binary in package-cli
since nixpkgs prefers dynamically linked binaries.
Also remove "trimpath" for the 'go generate' step because the codegen
they use doesn't work with trimpath set.
---
scripts/package-cli | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/scripts/package-cli b/scripts/package-cli
index 28927327b7..95dbb469f1 100755
--- a/scripts/package-cli
+++ b/scripts/package-cli
@@ -48,14 +48,13 @@ fi
CMD_NAME=dist/artifacts/k3s${BIN_SUFFIX}
-"${GO}" generate
+GOFLAGS="" "${GO}" generate
LDFLAGS="
-X github.com/rancher/k3s/pkg/version.Version=$VERSION
-X github.com/rancher/k3s/pkg/version.GitCommit=${COMMIT:0:8}
-w -s
"
-STATIC="-extldflags '-static'"
-CGO_ENABLED=0 "${GO}" build -ldflags "$LDFLAGS $STATIC" -o ${CMD_NAME} ./cmd/k3s/main.go
+CGO_ENABLED=0 "${GO}" build -ldflags "$LDFLAGS" -o ${CMD_NAME} ./cmd/k3s/main.go
stat ${CMD_NAME}
--
2.34.1


@ -2,36 +2,42 @@
buildGoModule rec { buildGoModule rec {
pname = "starboard"; pname = "starboard";
version = "0.14.1"; version = "0.15.3";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "aquasecurity"; owner = "aquasecurity";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-sB7C0IKadgpQ2h6HuH4D6ku/GXnFfFS+fGCW/RBSc10="; sha256 = "sha256-EBjAB0uSMAyiVr6KxqrT/F+GIkntmOKNPHL1D0RBdG0=";
# populate values that require us to use git. By doing this in postFetch we # populate values that require us to use git. By doing this in postFetch we
# can delete .git afterwards and maintain better reproducibility of the src. # can delete .git afterwards and maintain better reproducibility of the src.
leaveDotGit = true; leaveDotGit = true;
postFetch = '' postFetch = ''
cd "$out" cd "$out"
commit="$(git rev-parse HEAD)" git rev-parse HEAD > $out/COMMIT
source_date_epoch=$(git log --date=format:'%Y-%m-%dT%H:%M:%SZ' -1 --pretty=%ad) # 0000-00-00T00:00:00Z
substituteInPlace "$out/cmd/starboard/main.go" \ date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH
--replace 'commit = "none"' "commit = \"$commit\"" \
--replace 'date = "unknown"' "date = \"$source_date_epoch\""
find "$out" -name .git -print0 | xargs -0 rm -rf find "$out" -name .git -print0 | xargs -0 rm -rf
''; '';
}; };
vendorSha256 = "sha256-R7tF724y5WNIByE+9nRoNSZDZzfLtPfK/9tSBkARaN0="; vendorSha256 = "sha256-BxXH+dJyAQRGAq25CljUImxYIT+nCQpmUPUjHOYF0kc=";
nativeBuildInputs = [ installShellFiles ]; nativeBuildInputs = [ installShellFiles ];
subPackages = [ "cmd/starboard" ]; subPackages = [ "cmd/starboard" ];
ldflags = [ ldflags = [
"-s" "-w" "-X main.version=v${version}" "-s"
"-w"
"-X main.version=v${version}"
]; ];
# ldflags based on metadata from git and source
preBuild = ''
ldflags+=" -X main.gitCommit=$(cat COMMIT)"
ldflags+=" -X main.buildDate=$(cat SOURCE_DATE_EPOCH)"
'';
preCheck = '' preCheck = ''
# Remove test that requires networking # Remove test that requires networking
rm pkg/plugin/aqua/client/client_integration_test.go rm pkg/plugin/aqua/client/client_integration_test.go
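Review bot: The file that `postFetch` writes as `$out/SOURCE_DATE_EPOCH` holds an ISO-8601 timestamp rather than epoch seconds, which clashes with the meaning of the well-known `SOURCE_DATE_EPOCH` variable; a name such as `BUILD_DATE` would be clearer, with the `preBuild` line updated to match. `$out` is also unquoted in both redirections and should read `> "$out/COMMIT"`. The `preCheck` block continues outside the hunk.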


@ -40,10 +40,10 @@
"owner": "aliyun", "owner": "aliyun",
"provider-source-address": "registry.terraform.io/aliyun/alicloud", "provider-source-address": "registry.terraform.io/aliyun/alicloud",
"repo": "terraform-provider-alicloud", "repo": "terraform-provider-alicloud",
"rev": "v1.162.0", "rev": "v1.163.0",
"sha256": "sha256-xqZv15Tst+7o9HhNu6/bW+a4z7FTkra+MfS8jKrfeNs=", "sha256": "sha256-lSg8jAzQfRc++U6zAhkfbVf/+hIW/1Nov35o6M8mRrw=",
"vendorSha256": "sha256-RbOf/S0rkbhW0s+/YOqu+BQuE0V4aS2x36Xf+hgBkqY=", "vendorSha256": "sha256-8dAk23ISxYuYKj5s0W6g93RBW1++NuZEPva5MaNBSyw=",
"version": "1.162.0" "version": "1.163.0"
}, },
"ansible": { "ansible": {
"owner": "nbering", "owner": "nbering",
@ -76,10 +76,10 @@
"owner": "vmware", "owner": "vmware",
"provider-source-address": "registry.terraform.io/vmware/avi", "provider-source-address": "registry.terraform.io/vmware/avi",
"repo": "terraform-provider-avi", "repo": "terraform-provider-avi",
"rev": "v21.1.3", "rev": "v21.1.4",
"sha256": "160l9864p73283hc27qaabd3lrh7lm8fyh6k9xlal5isfd9vrm5p", "sha256": "sha256-6H56TRA3I0CQ9/d8JdP5JNL0u3lpS8YhCvdSM5bxYp8=",
"vendorSha256": "1hw1xp20nhs4p1q9l887m82456fg5977pm66165gdkczwrq2zr6v", "vendorSha256": "sha256-b0MwGmgugZdmVk7ZVBSCivDQ4n+tLABymH/igo/S1Wc=",
"version": "21.1.3" "version": "21.1.4"
}, },
"aviatrix": { "aviatrix": {
"owner": "AviatrixSystems", "owner": "AviatrixSystems",
@ -148,10 +148,10 @@
"owner": "DrFaust92", "owner": "DrFaust92",
"provider-source-address": "registry.terraform.io/DrFaust92/bitbucket", "provider-source-address": "registry.terraform.io/DrFaust92/bitbucket",
"repo": "terraform-provider-bitbucket", "repo": "terraform-provider-bitbucket",
"rev": "v2.13.1", "rev": "v2.14.0",
"sha256": "sha256-P/6scAuRMRrACHmEdWjn+W37ptVmVgtj+iTXQDrG+WM=", "sha256": "sha256-tF1Q55mxwPU6dziiNzdacNtHvemd9ciQHE2E6een1WY=",
"vendorSha256": "sha256-o1CZ4VuGCPALqSIz8KSm1zCwd3r9bR13CRvP7XpVBAM=", "vendorSha256": "sha256-L8QYz1xgw8ZQjrU33uP18XxNUjImPYATZ02h46G4aXs=",
"version": "2.13.1" "version": "2.14.0"
}, },
"brightbox": { "brightbox": {
"owner": "brightbox", "owner": "brightbox",
@ -194,10 +194,10 @@
"owner": "cloudflare", "owner": "cloudflare",
"provider-source-address": "registry.terraform.io/cloudflare/cloudflare", "provider-source-address": "registry.terraform.io/cloudflare/cloudflare",
"repo": "terraform-provider-cloudflare", "repo": "terraform-provider-cloudflare",
"rev": "v3.12.0", "rev": "v3.12.1",
"sha256": "sha256-y2qq0asEnhnOjthLBFxyQjf1N5KNlXXK0eXjT1/vCXg=", "sha256": "sha256-8l6+hyjW+N3N5OGj/cviH97EFqouSrnJULk/SXrYCTk=",
"vendorSha256": "sha256-v6fUzYwrYt4rk5LT0LyNd8e9X79r3dwtd3s1QIV/w/s=", "vendorSha256": "sha256-v6fUzYwrYt4rk5LT0LyNd8e9X79r3dwtd3s1QIV/w/s=",
"version": "3.12.0" "version": "3.12.1"
}, },
"cloudfoundry": { "cloudfoundry": {
"owner": "cloudfoundry-community", "owner": "cloudfoundry-community",
@ -471,6 +471,15 @@
"vendorSha256": "sha256-HrsjhaMlzs+uel5tBlxJD69Kkjl+4qVisWWREANBx40=", "vendorSha256": "sha256-HrsjhaMlzs+uel5tBlxJD69Kkjl+4qVisWWREANBx40=",
"version": "5.0.2" "version": "5.0.2"
}, },
"htpasswd": {
"owner": "loafoe",
"provider-source-address": "registry.terraform.io/loafoe/htpasswd",
"repo": "terraform-provider-htpasswd",
"rev": "v1.0.1",
"sha256": "sha256-RUkPIsKVMooGy2hYsNFkctMFdJ8MEbtbMB9Qak6HJgQ=",
"vendorSha256": "sha256-4P3IX7KGDqcWVYRiD6tXoEjF/phI89rz5QdR09xtnAo=",
"version": "1.0.1"
},
"http": { "http": {
"owner": "hashicorp", "owner": "hashicorp",
"provider-source-address": "registry.terraform.io/hashicorp/http", "provider-source-address": "registry.terraform.io/hashicorp/http",
@ -754,10 +763,10 @@
"owner": "vmware", "owner": "vmware",
"provider-source-address": "registry.terraform.io/vmware/nsxt", "provider-source-address": "registry.terraform.io/vmware/nsxt",
"repo": "terraform-provider-nsxt", "repo": "terraform-provider-nsxt",
"rev": "v3.2.5", "rev": "v3.2.6",
"sha256": "0j5kspfmqxdnvk3sfb476rckkn9fdgpw5haf495901a114wynr2l", "sha256": "sha256-1uQMjzqMJ1NQVVCXy5aHrrZ4vDK5s1JqUnLyYf1qLVw=",
"vendorSha256": null, "vendorSha256": null,
"version": "3.2.5" "version": "3.2.6"
}, },
"null": { "null": {
"owner": "hashicorp", "owner": "hashicorp",
@ -791,10 +800,10 @@
"owner": "okta", "owner": "okta",
"provider-source-address": "registry.terraform.io/okta/okta", "provider-source-address": "registry.terraform.io/okta/okta",
"repo": "terraform-provider-okta", "repo": "terraform-provider-okta",
"rev": "v3.22.1", "rev": "v3.23.0",
"sha256": "sha256-G1KJJSxJmzFlIUWOs+7htcgp61oWCu+ryCKaIHzxhzw=", "sha256": "sha256-azqWTQA4FW79U+GrdCBO4BWA5c+Cce3ELANS2Os5bSs=",
"vendorSha256": "sha256-n7ih8QtapA+xno1twlM2b2XGEesdJdJIPD+QWpmJDVA=", "vendorSha256": "sha256-S4HVfl/PbgpgWFedkWM+EGyYAL5P0cdkLMYL+y+aX8w=",
"version": "3.22.1" "version": "3.23.0"
}, },
"oktaasa": { "oktaasa": {
"owner": "oktadeveloper", "owner": "oktadeveloper",


@ -2,6 +2,7 @@
, stdenv , stdenv
, buildGoModule , buildGoModule
, fetchFromGitHub , fetchFromGitHub
, installShellFiles
, pkg-config , pkg-config
, gpgme , gpgme
, glibc , glibc
@ -11,18 +12,18 @@
buildGoModule rec { buildGoModule rec {
pname = "werf"; pname = "werf";
version = "1.2.78"; version = "1.2.87";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "werf"; owner = "werf";
repo = "werf"; repo = "werf";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-ehrzb7WvkYL8oj2RSzKc1KDagV0zg6vMzgpT2sPyhcI="; sha256 = "sha256-DMP//gh79WuQ8VY4sV6lQlwR+k+rwqODf/pagOBP+4U=";
}; };
vendorSha256 = "sha256-w8ZeAQbZIVOBoRa9fJhXgTeYRCYpkh/U4pwb5u6A9mQ="; vendorSha256 = "sha256-OrvGDNj48W1tVAs3tdtAuesHnh8fHRsGd6KL0Uaf9Zg=";
proxyVendor = true; proxyVendor = true;
nativeBuildInputs = [ pkg-config ]; nativeBuildInputs = [ installShellFiles pkg-config ];
buildInputs = [ gpgme ] buildInputs = [ gpgme ]
++ lib.optionals stdenv.isLinux [ glibc.static lvm2 btrfs-progs ]; ++ lib.optionals stdenv.isLinux [ glibc.static lvm2 btrfs-progs ];
@ -44,6 +45,12 @@ buildGoModule rec {
subPackages = [ "cmd/werf" ]; subPackages = [ "cmd/werf" ];
postInstall = ''
installShellCompletion --cmd werf \
--bash <($out/bin/werf completion --shell=bash) \
--zsh <($out/bin/werf completion --shell=zsh)
'';
meta = with lib; { meta = with lib; {
homepage = "https://github.com/werf/werf"; homepage = "https://github.com/werf/werf";
description = "GitOps delivery tool"; description = "GitOps delivery tool";
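Review bot: The added `postInstall` runs `$out/bin/werf completion` during the build to generate the bash and zsh completions, which only works when the build machine can execute binaries built for the host platform. A cross build would presumably fail at this step. Guarding the phase, for example `postInstall = lib.optionalString (stdenv.buildPlatform == stdenv.hostPlatform) ''`, would skip the completions instead of breaking the build. A short comment above the call, such as `# completions are generated by running the freshly built binary`, would make that build-time execution explicit. The `meta` block that closes this section continues outside the hunk.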


@ -2,7 +2,7 @@
"name": "element-desktop", "name": "element-desktop",
"productName": "Element", "productName": "Element",
"main": "lib/electron-main.js", "main": "lib/electron-main.js",
"version": "1.10.8", "version": "1.10.9",
"description": "A feature-rich client for Matrix.org", "description": "A feature-rich client for Matrix.org",
"author": "Element", "author": "Element",
"repository": { "repository": {


@ -1,6 +1,6 @@
{ {
"version": "1.10.8", "version": "1.10.9",
"desktopSrcHash": "S9MQIn773BzCH4dsTkD1DpIThDzoIGr4Heaie2Qs0jY=", "desktopSrcHash": "vbVnkb/sVW+c7JGIT8Fcjtwe7i10aY0mBoiNeAD8tvY=",
"desktopYarnHash": "1imx43qbpj08l6d0fji31kcxqshcpr0ch8dzfbbgxyjvblq2p8ln", "desktopYarnHash": "0jm0i1yyfkg1ll11pb3qif1vdxx6rp0yl9kd8jg9nhsg2jzw66pr",
"webHash": "02i6l3armzr19kki3hgshhzkdpb3001nilh4h10hr3xw5z711ppr" "webHash": "0yp29h2cmi18y8g8scqx3zmc1l80q28gid709ysqqb349gy1kls8"
} }


@ -12,6 +12,7 @@
, knotifications , knotifications
, zxing-cpp , zxing-cpp
, qxmpp , qxmpp
, sonnet
, gst_all_1 , gst_all_1
}: }:
@ -38,6 +39,7 @@ mkDerivation rec {
knotifications knotifications
zxing-cpp zxing-cpp
qxmpp qxmpp
sonnet
gstreamer gstreamer
gst-plugins-bad gst-plugins-bad
gst-plugins-base gst-plugins-base

Some files were not shown because too many files have changed in this diff Show more