colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge master into haskell-updates

Browse Source
This commit is contained in:
github-actions[bot] 2021-09-19 00:06:50 +00:00 committed by GitHub
commit 7f8bee8617
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
246 changed files with 3602 additions and 2553 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
maintainers/maintainer-list.nix
View File

@ -9182,6 +9182,12 @@
githubId = 546296;
name = "Eric Ren";
};
renesat = {
name = "Ivan Smolyakov";
email = "smol.ivan97@gmail.com";
github = "renesat";
githubId = 11363539;
};
renzo = {
email = "renzocarbonara@gmail.com";
github = "k0001";
@ -12512,6 +12518,16 @@
fingerprint = "61AE D40F 368B 6F26 9DAE 3892 6861 6B2D 8AC4 DCC5";
}];
};
zenithal = {
name = "zenithal";
email = "i@zenithal.me";
github = "ZenithalHourlyRate";
githubId = 19512674;
keys = [{
longkeyid = "rsa4096/0x87E17EEF9B18B6C9";
fingerprint = "1127 F188 280A E312 3619 3329 87E1 7EEF 9B18 B6C9";
}];
};
zeri = {
name = "zeri";
email = "68825133+zeri42@users.noreply.github.com";

65
nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
View File

@ -37,6 +37,13 @@
PostgreSQL now defaults to major version 13.
</para>
</listitem>
<listitem>
<para>
spark now defaults to spark 3, updated from 2. A
<link xlink:href="https://spark.apache.org/docs/latest/core-migration-guide.html#upgrading-from-core-24-to-30">migration
guide</link> is available.
</para>
</listitem>
<listitem>
<para>
Activation scripts can now opt int to be run when running
@ -48,6 +55,13 @@
actions.
</para>
</listitem>
<listitem>
<para>
Pantheon desktop has been updated to version 6. Due to changes
of screen locker, if locking doesnt work for you, please try
<literal>gsettings set org.gnome.desktop.lockdown disable-lock-screen false</literal>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-21.11-new-services">
@ -182,8 +196,6 @@
<link linkend="opt-services.isso.enable">isso</link>
</para>
</listitem>
</itemizedlist>
<itemizedlist spacing="compact">
<listitem>
<para>
<link xlink:href="https://www.navidrome.org/">navidrome</link>,
@ -192,8 +204,6 @@
<link linkend="opt-services.navidrome.enable">navidrome</link>.
</para>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para>
<link xlink:href="https://docs.fluidd.xyz/">fluidd</link>, a
@ -250,11 +260,34 @@
entry</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://spark.apache.org/">spark</link>, a
unified analytics engine for large-scale data processing.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/JoseExposito/touchegg">touchegg</link>,
a multi-touch gesture recognizer. Available as
<link linkend="opt-services.touchegg.enable">services.touchegg</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-21.11-incompatibilities">
<title>Backward Incompatibilities</title>
<itemizedlist>
<listitem>
<para>
The <literal>security.wrappers</literal> option now requires
to always specify an owner, group and whether the
setuid/setgid bit should be set. This is motivated by the fact
that before NixOS 21.11, specifying either setuid or setgid
but not owner/group resulted in wrappers owned by
nobody/nogroup, which is unsafe.
</para>
</listitem>
<listitem>
<para>
The <literal>paperless</literal> module and package have been
@ -1016,6 +1049,14 @@ Superuser created successfully.
attempts from the SSH logs.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.xserver.extraLayouts"><literal>services.xserver.extraLayouts</literal></link>
no longer cause additional rebuilds when a layout is added or
modified.
</para>
</listitem>
<listitem>
<para>
Sway: The terminal emulator <literal>rxvt-unicode</literal> is
@ -1067,6 +1108,22 @@ Superuser created successfully.
be removed in 22.05.
</para>
</listitem>
<listitem>
<para>
The dokuwiki module provides a new interface which allows to
use different webservers with the new option
<link xlink:href="options.html#opt-services.dokuwiki.webserver"><literal>services.dokuwiki.webserver</literal></link>.
Currently <literal>caddy</literal> and
<literal>nginx</literal> are supported. The definitions of
dokuwiki sites should now be set in
<link xlink:href="options.html#opt-services.dokuwiki.sites"><literal>services.dokuwiki.sites</literal></link>.
</para>
<para>
Sites definitions that use the old interface are automatically
migrated in the new option. This backward compatibility will
be removed in 22.05.
</para>
</listitem>
<listitem>
<para>
The order of NSS (host) modules has been brought in line with

18
nixos/doc/manual/release-notes/rl-2111.section.md
View File

@ -14,10 +14,14 @@ In addition to numerous new and upgraded packages, this release has the followin
- PostgreSQL now defaults to major version 13.
- spark now defaults to spark 3, updated from 2. A [migration guide](https://spark.apache.org/docs/latest/core-migration-guide.html#upgrading-from-core-24-to-30) is available.
- Activation scripts can now opt int to be run when running `nixos-rebuild dry-activate` and detect the dry activation by reading `$NIXOS_ACTION`.
This allows activation scripts to output what they would change if the activation was really run.
The users/modules activation script supports this and outputs some of is actions.
- Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn't work for you, please try `gsettings set org.gnome.desktop.lockdown disable-lock-screen false`.
## New Services {#sec-release-21.11-new-services}
- [btrbk](https://digint.ch/btrbk/index.html), a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as [services.btrbk](options.html#opt-services.brtbk.instances).
@ -58,7 +62,7 @@ pt-services.clipcat.enable).
- [isso](https://posativ.org/isso/), a commenting server similar to Disqus.
Available as [isso](#opt-services.isso.enable)
* [navidrome](https://www.navidrome.org/), a personal music streaming server with
- [navidrome](https://www.navidrome.org/), a personal music streaming server with
subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable).
- [fluidd](https://docs.fluidd.xyz/), a Klipper web interface for managing 3d printers using moonraker. Available as [fluidd](#opt-services.fluidd.enable).
@ -78,8 +82,14 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
or sends them to a downstream service for further analysis.
Documented in [its manual entry](#module-services-parsedmarc).
- [spark](https://spark.apache.org/), a unified analytics engine for large-scale data processing.
- [touchegg](https://github.com/JoseExposito/touchegg), a multi-touch gesture recognizer. Available as [services.touchegg](#opt-services.touchegg.enable).
## Backward Incompatibilities {#sec-release-21.11-incompatibilities}
- The `security.wrappers` option now requires to always specify an owner, group and whether the setuid/setgid bit should be set.
This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.
- The `paperless` module and package have been removed. All users should migrate to the
successor `paperless-ng` instead. The Paperless project [has been
@ -309,6 +319,8 @@ To be able to access the web UI this port needs to be opened in the firewall.
However, if [`services.fail2ban.enable`](options.html#opt-services.fail2ban.enable) is `true`, the `fail2ban` will override the verbosity to `"VERBOSE"`, so that `fail2ban` can observe the failed login attempts from the SSH logs.
- The [`services.xserver.extraLayouts`](options.html#opt-services.xserver.extraLayouts) no longer cause additional rebuilds when a layout is added or modified.
- Sway: The terminal emulator `rxvt-unicode` is no longer installed by default via `programs.sway.extraPackages`. The current default configuration uses `alacritty` (and soon `foot`) so this is only an issue when using a customized configuration and not installing `rxvt-unicode` explicitly.
- `python3` now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the [What's New In Python 3.9 post](https://docs.python.org/3/whatsnew/3.9.html) for more information.
@ -321,6 +333,10 @@ To be able to access the web UI this port needs to be opened in the firewall.
Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
- The dokuwiki module provides a new interface which allows to use different webservers with the new option [`services.dokuwiki.webserver`](options.html#opt-services.dokuwiki.webserver). Currently `caddy` and `nginx` are supported. The definitions of dokuwiki sites should now be set in [`services.dokuwiki.sites`](options.html#opt-services.dokuwiki.sites).
Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
- The order of NSS (host) modules has been brought in line with upstream
recommendations:

6
nixos/modules/config/console.nix
View File

@ -116,7 +116,11 @@ in
{ console.keyMap = with config.services.xserver;
mkIf cfg.useXkbConfig
(pkgs.runCommand "xkb-console-keymap" { preferLocalBuild = true; } ''
'${pkgs.ckbcomp}/bin/ckbcomp' -model '${xkbModel}' -layout '${layout}' \
'${pkgs.ckbcomp}/bin/ckbcomp' \
${optionalString (config.environment.sessionVariables ? XKB_CONFIG_ROOT)
"-I${config.environment.sessionVariables.XKB_CONFIG_ROOT}"
} \
-model '${xkbModel}' -layout '${layout}' \
-option '${xkbOptions}' -variant '${xkbVariant}' > "$out"
'');
}

14
nixos/modules/misc/ids.nix
View File

@ -137,9 +137,9 @@ in
#mongodb = 98; #dynamically allocated as of 2021-09-03
#openldap = 99; # dynamically allocated as of PR#94610
#users = 100; # unused
cgminer = 101;
# cgminer = 101; #dynamically allocated as of 2021-09-17
munin = 102;
logcheck = 103;
#logcheck = 103; #dynamically allocated as of 2021-09-17
#nix-ssh = 104; #dynamically allocated as of 2021-09-03
dictd = 105;
couchdb = 106;
@ -212,10 +212,10 @@ in
sddm = 175;
tss = 176;
#memcached = 177; removed 2018-01-03
ntp = 179;
#ntp = 179; # dynamically allocated as of 2021-09-17
zabbix = 180;
#redis = 181; removed 2018-01-03
unifi = 183;
#unifi = 183; dynamically allocated as of 2021-09-17
uptimed = 184;
zope2 = 185;
ripple-data-api = 186;
@ -244,7 +244,7 @@ in
#kibana = 211;# dynamically allocated as of 2021-09-03
xtreemfs = 212;
calibre-server = 213;
heapster = 214;
#heapster = 214; #dynamically allocated as of 2021-09-17
bepasty = 215;
# pumpio = 216; # unused, removed 2018-02-24
nm-openvpn = 217;
@ -258,11 +258,11 @@ in
rspamd = 225;
# rmilter = 226; # unused, removed 2019-08-22
cfdyndns = 227;
gammu-smsd = 228;
# gammu-smsd = 228; #dynamically allocated as of 2021-09-17
pdnsd = 229;
octoprint = 230;
avahi-autoipd = 231;
nntp-proxy = 232;
# nntp-proxy = 232; #dynamically allocated as of 2021-09-17
mjpg-streamer = 233;
#radicale = 234;# dynamically allocated as of 2021-09-03
hydra-queue-runner = 235;

2
nixos/modules/module-list.nix
View File

@ -297,6 +297,7 @@
./services/cluster/kubernetes/pki.nix
./services/cluster/kubernetes/proxy.nix
./services/cluster/kubernetes/scheduler.nix
./services/cluster/spark/default.nix
./services/computing/boinc/client.nix
./services/computing/foldingathome/client.nix
./services/computing/slurm/slurm.nix
@ -1054,6 +1055,7 @@
./services/x11/gdk-pixbuf.nix
./services/x11/imwheel.nix
./services/x11/redshift.nix
./services/x11/touchegg.nix
./services/x11/urserver.nix
./services/x11/urxvtd.nix
./services/x11/window-managers/awesome.nix

4
nixos/modules/programs/bandwhich.nix
View File

@ -22,8 +22,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ bandwhich ];
security.wrappers.bandwhich = {
source = "${pkgs.bandwhich}/bin/bandwhich";
owner = "root";
group = "root";
capabilities = "cap_net_raw,cap_net_admin+ep";
source = "${pkgs.bandwhich}/bin/bandwhich";
};
};
}

4
nixos/modules/programs/captive-browser.nix
View File

@ -105,11 +105,15 @@ in
);
security.wrappers.udhcpc = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.busybox}/bin/udhcpc";
};
security.wrappers.captive-browser = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = pkgs.writeShellScript "captive-browser" ''
export PREV_CONFIG_HOME="$XDG_CONFIG_HOME"

2
nixos/modules/programs/ccache.nix
View File

@ -28,7 +28,9 @@ in {
# "nix-ccache --show-stats" and "nix-ccache --clear"
security.wrappers.nix-ccache = {
owner = "nobody";
group = "nixbld";
setuid = false;
setgid = true;
source = pkgs.writeScript "nix-ccache.pl" ''
#!${pkgs.perl}/bin/perl

7
nixos/modules/programs/firejail.nix
View File

@ -81,7 +81,12 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
security.wrappers.firejail =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin pkgs.firejail}/bin/firejail";
};
environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
};

2
nixos/modules/programs/gamemode.nix
View File

@ -56,6 +56,8 @@ in
polkit.enable = true;
wrappers = mkIf cfg.enableRenice {
gamemoded = {
owner = "root";
group = "root";
source = "${pkgs.gamemode}/bin/gamemoded";
capabilities = "cap_sys_nice+ep";
};

4
nixos/modules/programs/iftop.nix
View File

@ -11,8 +11,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.iftop ];
security.wrappers.iftop = {
source = "${pkgs.iftop}/bin/iftop";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.iftop}/bin/iftop";
};
};
}

4
nixos/modules/programs/iotop.nix
View File

@ -10,8 +10,10 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.iotop = {
source = "${pkgs.iotop}/bin/iotop";
owner = "root";
group = "root";
capabilities = "cap_net_admin+p";
source = "${pkgs.iotop}/bin/iotop";
};
};
}

7
nixos/modules/programs/kbdlight.nix
View File

@ -11,6 +11,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
security.wrappers.kbdlight =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.kbdlight.out}/bin/kbdlight";
};
};
}

4
nixos/modules/programs/liboping.nix
View File

@ -13,8 +13,10 @@ in {
security.wrappers = mkMerge (map (
exec: {
"${exec}" = {
source = "${pkgs.liboping}/bin/${exec}";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.liboping}/bin/${exec}";
};
}
) [ "oping" "noping" ]);

2
nixos/modules/programs/msmtp.nix
View File

@ -78,6 +78,8 @@ in {
source = "${pkgs.msmtp}/bin/sendmail";
setuid = false;
setgid = false;
owner = "root";
group = "root";
};
environment.etc."msmtprc".text = let

4
nixos/modules/programs/mtr.nix
View File

@ -31,8 +31,10 @@ in {
environment.systemPackages = with pkgs; [ cfg.package ];
security.wrappers.mtr-packet = {
source = "${cfg.package}/bin/mtr-packet";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${cfg.package}/bin/mtr-packet";
};
};
}

4
nixos/modules/programs/noisetorch.nix
View File

@ -18,8 +18,10 @@ in {
config = mkIf cfg.enable {
security.wrappers.noisetorch = {
source = "${cfg.package}/bin/noisetorch";
owner = "root";
group = "root";
capabilities = "cap_sys_resource=+ep";
source = "${cfg.package}/bin/noisetorch";
};
};
}

21
nixos/modules/programs/shadow.nix
View File

@ -43,6 +43,13 @@ let
'';
mkSetuidRoot = source:
{ setuid = true;
owner = "root";
group = "root";
inherit source;
};
in
{
@ -109,14 +116,14 @@ in
};
security.wrappers = {
su.source = "${pkgs.shadow.su}/bin/su";
sg.source = "${pkgs.shadow.out}/bin/sg";
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
su = mkSetuidRoot "${pkgs.shadow.su}/bin/su";
sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg";
newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp";
newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap";
newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap";
} // lib.optionalAttrs config.users.mutableUsers {
chsh.source = "${pkgs.shadow.out}/bin/chsh";
passwd.source = "${pkgs.shadow.out}/bin/passwd";
chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh";
passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd";
};
};
}

7
nixos/modules/programs/singularity.nix
View File

@ -16,7 +16,12 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = [ singularity ];
security.wrappers.singularity-suid.source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
security.wrappers.singularity-suid =
{ setuid = true;
owner = "root";
group = "root";
source = "${singularity}/libexec/singularity/bin/starter-suid.orig";
};
systemd.tmpfiles.rules = [
"d /var/singularity/mnt/session 0770 root root -"
"d /var/singularity/mnt/final 0770 root root -"

7
nixos/modules/programs/slock.nix
View File

@ -21,6 +21,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.slock ];
security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";
security.wrappers.slock =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.slock.out}/bin/slock";
};
};
}

2
nixos/modules/programs/ssmtp.nix
View File

@ -181,6 +181,8 @@ in
source = "${pkgs.ssmtp}/bin/sendmail";
setuid = false;
setgid = false;
owner = "root";
group = "root";
};
};

4
nixos/modules/programs/traceroute.nix
View File

@ -19,8 +19,10 @@ in {
config = mkIf cfg.enable {
security.wrappers.traceroute = {
source = "${pkgs.traceroute}/bin/traceroute";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.traceroute}/bin/traceroute";
};
};
}

7
nixos/modules/programs/udevil.nix
View File

@ -9,6 +9,11 @@ in {
options.programs.udevil.enable = mkEnableOption "udevil";
config = mkIf cfg.enable {
security.wrappers.udevil.source = "${lib.getBin pkgs.udevil}/bin/udevil";
security.wrappers.udevil =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin pkgs.udevil}/bin/udevil";
};
};
}

4
nixos/modules/programs/wavemon.nix
View File

@ -21,8 +21,10 @@ in {
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ wavemon ];
security.wrappers.wavemon = {
source = "${pkgs.wavemon}/bin/wavemon";
owner = "root";
group = "root";
capabilities = "cap_net_admin+ep";
source = "${pkgs.wavemon}/bin/wavemon";
};
};
}

7
nixos/modules/programs/wshowkeys.nix
View File

@ -17,6 +17,11 @@ in {
};
config = mkIf cfg.enable {
security.wrappers.wshowkeys.source = "${pkgs.wshowkeys}/bin/wshowkeys";
security.wrappers.wshowkeys =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.wshowkeys}/bin/wshowkeys";
};
};
}

7
nixos/modules/security/chromium-suid-sandbox.nix
View File

@ -28,6 +28,11 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.wrappers.${sandbox.passthru.sandboxExecutableName}.source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
security.wrappers.${sandbox.passthru.sandboxExecutableName} =
{ setuid = true;
owner = "root";
group = "root";
source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
};
}

9
nixos/modules/security/doas.nix
View File

@ -241,9 +241,12 @@ in
}
];
security.wrappers = {
doas.source = "${doas}/bin/doas";
};
security.wrappers.doas =
{ setuid = true;
owner = "root";
group = "root";
source = "${doas}/bin/doas";
};
environment.systemPackages = [
doas

7
nixos/modules/security/duosec.nix
View File

@ -186,7 +186,12 @@ in
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
security.wrappers.login_duo =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.duo-unix.out}/bin/login_duo";
};
system.activationScripts = {
login_duo = mkIf cfg.ssh.enable ''

5
nixos/modules/security/pam.nix
View File

@ -869,9 +869,10 @@ in
security.wrappers = {
unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
owner = "root";
group = "root";
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
};
};

14
nixos/modules/security/pam_usb.nix
View File

@ -32,8 +32,18 @@ in
# Make sure pmount and pumount are setuid wrapped.
security.wrappers = {
pmount.source = "${pkgs.pmount.out}/bin/pmount";
pumount.source = "${pkgs.pmount.out}/bin/pumount";
pmount =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.pmount.out}/bin/pmount";
};
pumount =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.pmount.out}/bin/pumount";
};
};
environment.systemPackages = [ pkgs.pmount ];

14
nixos/modules/security/polkit.nix
View File

@ -83,8 +83,18 @@ in
security.pam.services.polkit-1 = {};
security.wrappers = {
pkexec.source = "${pkgs.polkit.bin}/bin/pkexec";
polkit-agent-helper-1.source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
pkexec =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.bin}/bin/pkexec";
};
polkit-agent-helper-1 =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};
};
systemd.tmpfiles.rules = [

282
nixos/modules/security/wrappers/default.nix
View File

@ -5,85 +5,140 @@ let
parentWrapperDir = dirOf wrapperDir;
programs =
(lib.mapAttrsToList
(n: v: (if v ? program then v else v // {program=n;}))
wrappers);
securityWrapper = pkgs.callPackage ./wrapper.nix {
inherit parentWrapperDir;
};
fileModeType =
let
# taken from the chmod(1) man page
symbolic = "[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+";
numeric = "[-+=]?[0-7]{0,4}";
mode = "((${symbolic})(,${symbolic})*)|(${numeric})";
in
lib.types.strMatching mode
// { description = "file mode string"; };
wrapperType = lib.types.submodule ({ name, config, ... }: {
options.source = lib.mkOption
{ type = lib.types.path;
description = "The absolute path to the program to be wrapped.";
};
options.program = lib.mkOption
{ type = with lib.types; nullOr str;
default = name;
description = ''
The name of the wrapper program. Defaults to the attribute name.
'';
};
options.owner = lib.mkOption
{ type = lib.types.str;
description = "The owner of the wrapper program.";
};
options.group = lib.mkOption
{ type = lib.types.str;
description = "The group of the wrapper program.";
};
options.permissions = lib.mkOption
{ type = fileModeType;
default = "u+rx,g+x,o+x";
example = "a+rx";
description = ''
The permissions of the wrapper program. The format is that of a
symbolic or numeric file mode understood by <command>chmod</command>.
'';
};
options.capabilities = lib.mkOption
{ type = lib.types.commas;
default = "";
description = ''
A comma-separated list of capabilities to be given to the wrapper
program. For capabilities supported by the system check the
<citerefentry>
<refentrytitle>capabilities</refentrytitle>
<manvolnum>7</manvolnum>
</citerefentry>
manual page.
<note><para>
<literal>cap_setpcap</literal>, which is required for the wrapper
program to be able to raise caps into the Ambient set is NOT raised
to the Ambient set so that the real program cannot modify its own
capabilities!! This may be too restrictive for cases in which the
real program needs cap_setpcap but it at least leans on the side
security paranoid vs. too relaxed.
</para></note>
'';
};
options.setuid = lib.mkOption
{ type = lib.types.bool;
default = false;
description = "Whether to add the setuid bit the wrapper program.";
};
options.setgid = lib.mkOption
{ type = lib.types.bool;
default = false;
description = "Whether to add the setgid bit the wrapper program.";
};
});
###### Activation script for the setcap wrappers
mkSetcapProgram =
{ program
, capabilities
, source
, owner ? "nobody"
, group ? "nogroup"
, permissions ? "u+rx,g+x,o+x"
, owner
, group
, permissions
, ...
}:
assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
''
cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
echo -n "${source}" > $wrapperDir/${program}.real
cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
echo -n "${source}" > "$wrapperDir/${program}.real"
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
chmod 0000 "$wrapperDir/${program}"
chown ${owner}.${group} "$wrapperDir/${program}"
# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" "$wrapperDir/${program}"
# Set the executable bit
chmod ${permissions} $wrapperDir/${program}
chmod ${permissions} "$wrapperDir/${program}"
'';
###### Activation script for the setuid wrappers
mkSetuidProgram =
{ program
, source
, owner ? "nobody"
, group ? "nogroup"
, setuid ? false
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
, owner
, group
, setuid
, setgid
, permissions
, ...
}:
''
cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
echo -n "${source}" > $wrapperDir/${program}.real
cp ${securityWrapper}/bin/security-wrapper "$wrapperDir/${program}"
echo -n "${source}" > "$wrapperDir/${program}.real"
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
chmod 0000 "$wrapperDir/${program}"
chown ${owner}.${group} "$wrapperDir/${program}"
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" "$wrapperDir/${program}"
'';
mkWrappedPrograms =
builtins.map
(s: if (s ? capabilities)
then mkSetcapProgram
({ owner = "root";
group = "root";
} // s)
else if
(s ? setuid && s.setuid) ||
(s ? setgid && s.setgid) ||
(s ? permissions)
then mkSetuidProgram s
else mkSetuidProgram
({ owner = "root";
group = "root";
setuid = true;
setgid = false;
permissions = "u+rx,g+x,o+x";
} // s)
) programs;
(opts:
if opts.capabilities != ""
then mkSetcapProgram opts
else mkSetuidProgram opts
) (lib.attrValues wrappers);
in
{
imports = [
@ -95,45 +150,42 @@ in
options = {
security.wrappers = lib.mkOption {
type = lib.types.attrs;
type = lib.types.attrsOf wrapperType;
default = {};
example = lib.literalExample
''
{ sendmail.source = "/nix/store/.../bin/sendmail";
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
};
{
# a setuid root program
doas =
{ setuid = true;
owner = "root";
group = "root";
source = "''${pkgs.doas}/bin/doas";
};
# a setgid program
locate =
{ setgid = true;
owner = "root";
group = "mlocate";
source = "''${pkgs.locate}/bin/locate";
};
# a program with the CAP_NET_RAW capability
ping =
{ owner = "root";
group = "root";
capabilities = "cap_net_raw+ep";
source = "''${pkgs.iputils.out}/bin/ping";
};
}
'';
description = ''
This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root).
<note>
<para>The sub-attribute <literal>source</literal> is mandatory,
it must be the absolute path to the program to be wrapped.
</para>
<para>The sub-attribute <literal>program</literal> is optional and
can give the wrapper program a new name. The default name is the same
as the attribute name itself.</para>
<para>Additionally, this option can set capabilities on a
wrapper program that propagates those capabilities down to the
wrapped, real program.</para>
<para>NOTE: cap_setpcap, which is required for the wrapper
program to be able to raise caps into the Ambient set is NOT
raised to the Ambient set so that the real program cannot
modify its own capabilities!! This may be too restrictive for
cases in which the real program needs cap_setpcap but it at
least leans on the side security paranoid vs. too
relaxed.</para>
</note>
This option effectively allows adding setuid/setgid bits, capabilities,
changing file ownership and permissions of a program without directly
modifying it. This works by creating a wrapper program under the
<option>security.wrapperDir</option> directory, which is then added to
the shell <literal>PATH</literal>.
'';
};
@ -151,13 +203,31 @@ in
###### implementation
config = {
security.wrappers = {
# These are mount related wrappers that require the +s permission.
fusermount.source = "${pkgs.fuse}/bin/fusermount";
fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
mount.source = "${lib.getBin pkgs.util-linux}/bin/mount";
umount.source = "${lib.getBin pkgs.util-linux}/bin/umount";
};
assertions = lib.mapAttrsToList
(name: opts:
{ assertion = opts.setuid || opts.setgid -> opts.capabilities == "";
message = ''
The security.wrappers.${name} wrapper is not valid:
setuid/setgid and capabilities are mutually exclusive.
'';
}
) wrappers;
security.wrappers =
let
mkSetuidRoot = source:
{ setuid = true;
owner = "root";
group = "root";
inherit source;
};
in
{ # These are mount related wrappers that require the +s permission.
fusermount = mkSetuidRoot "${pkgs.fuse}/bin/fusermount";
fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3";
mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
};
boot.specialFileSystems.${parentWrapperDir} = {
fsType = "tmpfs";
@ -179,19 +249,15 @@ in
]}"
'';
###### setcap activation script
###### wrappers activation script
system.activationScripts.wrappers =
lib.stringAfter [ "specialfs" "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
chmod 755 "${parentWrapperDir}"
# We want to place the tmpdirs for the wrappers to the parent dir.
wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
chmod a+rx "$wrapperDir"
${lib.concatStringsSep "\n" mkWrappedPrograms}
@ -199,16 +265,44 @@ in
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink -f ${wrapperDir})
if [ -e ${wrapperDir}-tmp ]; then
rm --force --recursive ${wrapperDir}-tmp
if [ -e "${wrapperDir}-tmp" ]; then
rm --force --recursive "${wrapperDir}-tmp"
fi
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
rm --force --recursive $old
ln --symbolic --force --no-dereference "$wrapperDir" "${wrapperDir}-tmp"
mv --no-target-directory "${wrapperDir}-tmp" "${wrapperDir}"
rm --force --recursive "$old"
else
# For initial setup
ln --symbolic $wrapperDir ${wrapperDir}
ln --symbolic "$wrapperDir" "${wrapperDir}"
fi
'';
###### wrappers consistency checks
system.extraDependencies = lib.singleton (pkgs.runCommandLocal
"ensure-all-wrappers-paths-exist" { }
''
# make sure we produce output
mkdir -p $out
echo -n "Checking that Nix store paths of all wrapped programs exist... "
declare -A wrappers
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:
"wrappers['${n}']='${v.source}'") wrappers)}
for name in "''${!wrappers[@]}"; do
path="''${wrappers[$name]}"
if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
test -t 1 && echo -ne '\033[1;31m'
echo "FAIL"
echo "The path $path does not exist!"
echo 'Please, check the value of `security.wrappers."'$name'".source`.'
test -t 1 && echo -ne '\033[0m'
exit 1
fi
done
echo "OK"
'');
};
}

162
nixos/modules/services/cluster/spark/default.nix Normal file
View File

@ -0,0 +1,162 @@
{config, pkgs, lib, ...}:
let
cfg = config.services.spark;
in
with lib;
{
options = {
services.spark = {
master = {
enable = mkEnableOption "Spark master service";
bind = mkOption {
type = types.str;
description = "Address the spark master binds to.";
default = "127.0.0.1";
example = "0.0.0.0";
};
restartIfChanged = mkOption {
type = types.bool;
description = ''
Automatically restart master service on config change.
This can be set to false to defer restarts on clusters running critical applications.
Please consider the security implications of inadvertently running an older version,
and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
'';
default = true;
};
extraEnvironment = mkOption {
type = types.attrsOf types.str;
description = "Extra environment variables to pass to spark master. See spark-standalone documentation.";
default = {};
example = {
SPARK_MASTER_WEBUI_PORT = 8181;
SPARK_MASTER_OPTS = "-Dspark.deploy.defaultCores=5";
};
};
};
worker = {
enable = mkEnableOption "Spark worker service";
workDir = mkOption {
type = types.path;
description = "Spark worker work dir.";
default = "/var/lib/spark";
};
master = mkOption {
type = types.str;
description = "Address of the spark master.";
default = "127.0.0.1:7077";
};
restartIfChanged = mkOption {
type = types.bool;
description = ''
Automatically restart worker service on config change.
This can be set to false to defer restarts on clusters running critical applications.
Please consider the security implications of inadvertently running an older version,
and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
'';
default = true;
};
extraEnvironment = mkOption {
type = types.attrsOf types.str;
description = "Extra environment variables to pass to spark worker.";
default = {};
example = {
SPARK_WORKER_CORES = 5;
SPARK_WORKER_MEMORY = "2g";
};
};
};
confDir = mkOption {
type = types.path;
description = "Spark configuration directory. Spark will use the configuration files (spark-defaults.conf, spark-env.sh, log4j.properties, etc) from this directory.";
default = "${cfg.package}/lib/${cfg.package.untarDir}/conf";
defaultText = literalExample "\${cfg.package}/lib/\${cfg.package.untarDir}/conf";
};
logDir = mkOption {
type = types.path;
description = "Spark log directory.";
default = "/var/log/spark";
};
package = mkOption {
type = types.package;
description = "Spark package.";
default = pkgs.spark;
defaultText = "pkgs.spark";
example = literalExample ''pkgs.spark.overrideAttrs (super: rec {
pname = "spark";
version = "2.4.4";
src = pkgs.fetchzip {
url = "mirror://apache/spark/"''${pname}-''${version}/''${pname}-''${version}-bin-without-hadoop.tgz";
sha256 = "1a9w5k0207fysgpxx6db3a00fs5hdc2ncx99x4ccy2s0v5ndc66g";
};
})'';
};
};
};
config = lib.mkIf (cfg.worker.enable || cfg.master.enable) {
environment.systemPackages = [ cfg.package ];
systemd = {
services = {
spark-master = lib.mkIf cfg.master.enable {
path = with pkgs; [ procps openssh nettools ];
description = "spark master service.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = cfg.master.restartIfChanged;
environment = cfg.master.extraEnvironment // {
SPARK_MASTER_HOST = cfg.master.bind;
SPARK_CONF_DIR = cfg.confDir;
SPARK_LOG_DIR = cfg.logDir;
};
serviceConfig = {
Type = "forking";
User = "spark";
Group = "spark";
WorkingDirectory = "${cfg.package}/lib/${cfg.package.untarDir}";
ExecStart = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/start-master.sh";
ExecStop = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/stop-master.sh";
TimeoutSec = 300;
StartLimitBurst=10;
Restart = "always";
};
};
spark-worker = lib.mkIf cfg.worker.enable {
path = with pkgs; [ procps openssh nettools rsync ];
description = "spark master service.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = cfg.worker.restartIfChanged;
environment = cfg.worker.extraEnvironment // {
SPARK_MASTER = cfg.worker.master;
SPARK_CONF_DIR = cfg.confDir;
SPARK_LOG_DIR = cfg.logDir;
SPARK_WORKER_DIR = cfg.worker.workDir;
};
serviceConfig = {
Type = "forking";
User = "spark";
WorkingDirectory = "${cfg.package}/lib/${cfg.package.untarDir}";
ExecStart = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/start-worker.sh spark://${cfg.worker.master}";
ExecStop = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/stop-worker.sh";
TimeoutSec = 300;
StartLimitBurst=10;
Restart = "always";
};
};
};
tmpfiles.rules = [
"d '${cfg.worker.workDir}' - spark spark - -"
"d '${cfg.logDir}' - spark spark - -"
];
};
users = {
users.spark = {
description = "spark user.";
group = "spark";
isSystemUser = true;
};
groups.spark = { };
};
};
}

4
nixos/modules/services/desktops/gnome/gnome-keyring.nix
View File

@ -52,8 +52,10 @@ with lib;
security.pam.services.login.enableGnomeKeyring = true;
security.wrappers.gnome-keyring-daemon = {
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
owner = "root";
group = "root";
capabilities = "cap_ipc_lock=ep";
source = "${pkgs.gnome.gnome-keyring}/bin/gnome-keyring-daemon";
};
};

6
nixos/modules/services/logging/logcheck.nix
View File

@ -215,12 +215,16 @@ in
users.users = optionalAttrs (cfg.user == "logcheck") {
logcheck = {
uid = config.ids.uids.logcheck;
group = "logcheck";
isSystemUser = true;
shell = "/bin/sh";
description = "Logcheck user account";
extraGroups = cfg.extraGroups;
};
};
users.groups = optionalAttrs (cfg.user == "logcheck") {
logcheck = {};
};
system.activationScripts.logcheck = ''
mkdir -m 700 -p /var/{lib,lock}/logcheck

7
nixos/modules/services/mail/exim.nix
View File

@ -104,7 +104,12 @@ in
gid = config.ids.gids.exim;
};
security.wrappers.exim.source = "${cfg.package}/bin/exim";
security.wrappers.exim =
{ setuid = true;
owner = "root";
group = "root";
source = "${cfg.package}/bin/exim";
};
systemd.services.exim = {
description = "Exim Mail Daemon";

3
nixos/modules/services/mail/mail.nix
View File

@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, options, lib, ... }:
with lib;
@ -11,6 +11,7 @@ with lib;
services.mail = {
sendmailSetuidWrapper = mkOption {
type = types.nullOr options.security.wrappers.type.nestedTypes.elemType;
default = null;
internal = true;
description = ''

5
nixos/modules/services/mail/opensmtpd.nix
View File

@ -103,12 +103,15 @@ in {
};
security.wrappers.smtpctl = {
owner = "nobody";
group = "smtpq";
setuid = false;
setgid = true;
source = "${cfg.package}/bin/smtpctl";
};
services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail security.wrappers.smtpctl;
services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail
security.wrappers.smtpctl // { program = "sendmail"; };
systemd.tmpfiles.rules = [
"d /var/spool/smtpd 711 root - - -"

4
nixos/modules/services/mail/postfix.nix
View File

@ -673,6 +673,7 @@ in
services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
program = "sendmail";
source = "${pkgs.postfix}/bin/sendmail";
owner = "nobody";
group = setgidGroup;
setuid = false;
setgid = true;
@ -681,6 +682,7 @@ in
security.wrappers.mailq = {
program = "mailq";
source = "${pkgs.postfix}/bin/mailq";
owner = "nobody";
group = setgidGroup;
setuid = false;
setgid = true;
@ -689,6 +691,7 @@ in
security.wrappers.postqueue = {
program = "postqueue";
source = "${pkgs.postfix}/bin/postqueue";
owner = "nobody";
group = setgidGroup;
setuid = false;
setgid = true;
@ -697,6 +700,7 @@ in
security.wrappers.postdrop = {
program = "postdrop";
source = "${pkgs.postfix}/bin/postdrop";
owner = "nobody";
group = setgidGroup;
setuid = false;
setgid = true;

8
nixos/modules/services/misc/cgminer.nix
View File

@ -86,7 +86,7 @@ in
config = mkOption {
default = {};
type = (types.either types.bool types.int);
type = types.attrsOf (types.either types.bool types.int);
description = "Additional config";
example = {
auto-fan = true;
@ -110,10 +110,14 @@ in
users.users = optionalAttrs (cfg.user == "cgminer") {
cgminer = {
uid = config.ids.uids.cgminer;
isSystemUser = true;
group = "cgminer";
description = "Cgminer user";
};
};
users.groups = optionalAttrs (cfg.user == "cgminer") {
cgminer = {};
};
environment.systemPackages = [ cfg.package ];

4
nixos/modules/services/misc/gammu-smsd.nix
View File

@ -202,8 +202,8 @@ in {
config = mkIf cfg.enable {
users.users.${cfg.user} = {
description = "gammu-smsd user";
uid = config.ids.uids.gammu-smsd;
extraGroups = [ "${cfg.device.group}" ];
isSystemUser = true;
group = cfg.device.group;
};
environment.systemPackages = with cfg.backend; [ gammuPackage ]

1
nixos/modules/services/misc/gpsd.nix
View File

@ -88,6 +88,7 @@ in
users.users.gpsd =
{ inherit uid;
group = "gpsd";
description = "gpsd daemon user";
home = "/var/empty";
};

4
nixos/modules/services/misc/mame.nix
View File

@ -45,8 +45,10 @@ in
environment.systemPackages = [ pkgs.mame ];
security.wrappers."${mame}" = {
source = "${pkgs.mame}/bin/${mame}";
owner = "root";
group = "root";
capabilities = "cap_net_admin,cap_net_raw+eip";
source = "${pkgs.mame}/bin/${mame}";
};
systemd.services.mame = {

7
nixos/modules/services/misc/weechat.nix
View File

@ -52,7 +52,12 @@ in
wants = [ "network.target" ];
};
security.wrappers.screen.source = "${pkgs.screen}/bin/screen";
security.wrappers.screen =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.screen}/bin/screen";
};
};
meta.doc = ./weechat.xml;

4
nixos/modules/services/monitoring/heapster.nix
View File

@ -50,8 +50,10 @@ in {
};
users.users.heapster = {
uid = config.ids.uids.heapster;
isSystemUser = true;
group = "heapster";
description = "Heapster user";
};
users.groups.heapster = {};
};
}

7
nixos/modules/services/monitoring/incron.nix
View File

@ -71,7 +71,12 @@ in
environment.systemPackages = [ pkgs.incron ];
security.wrappers.incrontab.source = "${pkgs.incron}/bin/incrontab";
security.wrappers.incrontab =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.incron}/bin/incrontab";
};
# incron won't read symlinks
environment.etc."incron.d/system" = {

7
nixos/modules/services/monitoring/zabbix-proxy.nix
View File

@ -262,7 +262,12 @@ in
};
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
fping =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping";
};
};
systemd.services.zabbix-proxy = {

14
nixos/modules/services/networking/nntp-proxy.nix
View File

@ -6,8 +6,6 @@ let
inherit (pkgs) nntp-proxy;
proxyUser = "nntp-proxy";
cfg = config.services.nntp-proxy;
configBool = b: if b then "TRUE" else "FALSE";
@ -210,16 +208,18 @@ in
config = mkIf cfg.enable {
users.users.${proxyUser} =
{ uid = config.ids.uids.nntp-proxy;
description = "NNTP-Proxy daemon user";
};
users.users.nntp-proxy = {
isSystemUser = true;
group = "nntp-proxy";
description = "NNTP-Proxy daemon user";
};
users.groups.nntp-proxy = {};
systemd.services.nntp-proxy = {
description = "NNTP proxy";
after = [ "network.target" "nss-lookup.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = { User="${proxyUser}"; };
serviceConfig = { User="nntp-proxy"; };
serviceConfig.ExecStart = "${nntp-proxy}/bin/nntp-proxy ${confFile}";
preStart = ''
if [ ! \( -f ${cfg.sslCert} -a -f ${cfg.sslKey} \) ]; then

12
nixos/modules/services/networking/ntp/ntpd.nix
View File

@ -10,8 +10,6 @@ let
stateDir = "/var/lib/ntp";
ntpUser = "ntp";
configFile = pkgs.writeText "ntp.conf" ''
driftfile ${stateDir}/ntp.drift
@ -27,7 +25,7 @@ let
${cfg.extraConfig}
'';
ntpFlags = "-c ${configFile} -u ${ntpUser}:nogroup ${toString cfg.extraFlags}";
ntpFlags = "-c ${configFile} -u ntp:ntp ${toString cfg.extraFlags}";
in
@ -119,11 +117,13 @@ in
systemd.services.systemd-timedated.environment = { SYSTEMD_TIMEDATED_NTP_SERVICES = "ntpd.service"; };
users.users.${ntpUser} =
{ uid = config.ids.uids.ntp;
users.users.ntp =
{ isSystemUser = true;
group = "ntp";
description = "NTP daemon user";
home = stateDir;
};
users.groups.ntp = {};
systemd.services.ntpd =
{ description = "NTP Daemon";
@ -135,7 +135,7 @@ in
preStart =
''
mkdir -m 0755 -p ${stateDir}
chown ${ntpUser} ${stateDir}
chown ntp ${stateDir}
'';
serviceConfig = {

4
nixos/modules/services/networking/ntp/openntpd.nix
View File

@ -61,10 +61,12 @@ in
environment.etc."ntpd.conf".text = configFile;
users.users.ntp = {
uid = config.ids.uids.ntp;
isSystemUser = true;
group = "ntp";
description = "OpenNTP daemon user";
home = "/var/empty";
};
users.groups.ntp = {};
systemd.services.openntpd = {
description = "OpenNTP Server";

14
nixos/modules/services/networking/smokeping.nix
View File

@ -278,8 +278,18 @@ in
}
];
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
fping6.source = "${pkgs.fping}/bin/fping6";
fping =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping";
};
fping6 =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.fping}/bin/fping6";
};
};
environment.systemPackages = [ pkgs.fping ];
users.users.${cfg.user} = {

4
nixos/modules/services/networking/unifi.nix
View File

@ -115,10 +115,12 @@ in
config = mkIf cfg.enable {
users.users.unifi = {
uid = config.ids.uids.unifi;
isSystemUser = true;
group = "unifi";
description = "UniFi controller daemon user";
home = "${stateDir}";
};
users.groups.unifi = {};
networking.firewall = mkIf cfg.openPorts {
# https://help.ubnt.com/hc/en-us/articles/218506997

2
nixos/modules/services/networking/x2goserver.nix
View File

@ -88,12 +88,14 @@ in {
source = "${pkgs.x2goserver}/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl";
owner = "x2go";
group = "x2go";
setuid = false;
setgid = true;
};
security.wrappers.x2goprintWrapper = {
source = "${pkgs.x2goserver}/bin/x2goprint";
owner = "x2go";
group = "x2go";
setuid = false;
setgid = true;
};

7
nixos/modules/services/scheduling/cron.nix
View File

@ -93,7 +93,12 @@ in
{ services.cron.enable = mkDefault (allFiles != []); }
(mkIf (config.services.cron.enable) {
security.wrappers.crontab.source = "${cronNixosPkg}/bin/crontab";
security.wrappers.crontab =
{ setuid = true;
owner = "root";
group = "root";
source = "${cronNixosPkg}/bin/crontab";
};
environment.systemPackages = [ cronNixosPkg ];
environment.etc.crontab =
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }

3
nixos/modules/services/scheduling/fcron.nix
View File

@ -136,10 +136,13 @@ in
owner = "fcron";
group = "fcron";
setgid = true;
setuid = false;
};
fcronsighup = {
source = "${pkgs.fcron}/bin/fcronsighup";
owner = "root";
group = "fcron";
setuid = true;
};
};
systemd.services.fcron = {

4
nixos/modules/services/video/replay-sorcery.nix
View File

@ -44,8 +44,10 @@ in
security.wrappers = mkIf cfg.enableSysAdminCapability {
replay-sorcery = {
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
owner = "root";
group = "root";
capabilities = "cap_sys_admin+ep";
source = "${pkgs.replay-sorcery}/bin/replay-sorcery";
};
};

611
nixos/modules/services/web-apps/dokuwiki.nix
View File

@ -1,16 +1,21 @@
{ config, lib, pkgs, ... }:
{ config, pkgs, lib, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption types maintainers recursiveUpdate;
inherit (lib) any attrValues concatMapStrings concatMapStringsSep flatten literalExample;
inherit (lib) filterAttrs mapAttrs mapAttrs' mapAttrsToList nameValuePair optional optionalAttrs optionalString;
inherit (lib) mkEnableOption mkForce mkIf mkMerge mkOption optionalAttrs recursiveUpdate types maintainers;
inherit (lib) concatMapStringsSep flatten mapAttrs mapAttrs' mapAttrsToList nameValuePair concatMapStringSep;
eachSite = config.services.dokuwiki;
cfg = migrateOldAttrs config.services.dokuwiki;
eachSite = cfg.sites;
user = "dokuwiki";
group = config.services.nginx.group;
webserver = config.services.${cfg.webserver};
stateDir = hostName: "/var/lib/dokuwiki/${hostName}/data";
dokuwikiAclAuthConfig = cfg: pkgs.writeText "acl.auth.php" ''
# Migrate config.services.dokuwiki.<hostName> to config.services.dokuwiki.sites.<hostName>
oldSites = filterAttrs (o: _: o != "sites" && o != "webserver");
migrateOldAttrs = cfg: cfg // { sites = cfg.sites // oldSites cfg; };
dokuwikiAclAuthConfig = hostName: cfg: pkgs.writeText "acl.auth-${hostName}.php" ''
# acl.auth.php
# <?php exit()?>
#
@ -19,7 +24,7 @@ let
${toString cfg.acl}
'';
dokuwikiLocalConfig = cfg: pkgs.writeText "local.php" ''
dokuwikiLocalConfig = hostName: cfg: pkgs.writeText "local-${hostName}.php" ''
<?php
$conf['savedir'] = '${cfg.stateDir}';
$conf['superuser'] = '${toString cfg.superUser}';
@ -28,11 +33,12 @@ let
${toString cfg.extraConfig}
'';
dokuwikiPluginsLocalConfig = cfg: pkgs.writeText "plugins.local.php" ''
dokuwikiPluginsLocalConfig = hostName: cfg: pkgs.writeText "plugins.local-${hostName}.php" ''
<?php
${cfg.pluginsConfig}
'';
pkg = hostName: cfg: pkgs.stdenv.mkDerivation rec {
pname = "dokuwiki-${hostName}";
version = src.version;
@ -43,13 +49,13 @@ let
cp -r * $out/
# symlink the dokuwiki config
ln -s ${dokuwikiLocalConfig cfg} $out/share/dokuwiki/local.php
ln -s ${dokuwikiLocalConfig hostName cfg} $out/share/dokuwiki/local.php
# symlink plugins config
ln -s ${dokuwikiPluginsLocalConfig cfg} $out/share/dokuwiki/plugins.local.php
ln -s ${dokuwikiPluginsLocalConfig hostName cfg} $out/share/dokuwiki/plugins.local.php
# symlink acl
ln -s ${dokuwikiAclAuthConfig cfg} $out/share/dokuwiki/acl.auth.php
ln -s ${dokuwikiAclAuthConfig hostName cfg} $out/share/dokuwiki/acl.auth.php
# symlink additional plugin(s) and templates(s)
${concatMapStringsSep "\n" (template: "ln -s ${template} $out/share/dokuwiki/lib/tpl/${template.name}") cfg.templates}
@ -57,332 +63,385 @@ let
'';
};
siteOpts = { config, lib, name, ...}: {
options = {
enable = mkEnableOption "DokuWiki web application.";
siteOpts = { config, lib, name, ... }:
{
options = {
package = mkOption {
type = types.package;
default = pkgs.dokuwiki;
description = "Which DokuWiki package to use.";
};
package = mkOption {
type = types.package;
default = pkgs.dokuwiki;
description = "Which dokuwiki package to use.";
};
stateDir = mkOption {
type = types.path;
default = "/var/lib/dokuwiki/${name}/data";
description = "Location of the DokuWiki state directory.";
};
hostName = mkOption {
type = types.str;
default = "localhost";
description = "FQDN for the instance.";
};
acl = mkOption {
type = types.nullOr types.lines;
default = null;
example = "* @ALL 8";
description = ''
Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/>
Mutually exclusive with services.dokuwiki.aclFile
Set this to a value other than null to take precedence over aclFile option.
stateDir = mkOption {
type = types.path;
default = "/var/lib/dokuwiki/${name}/data";
description = "Location of the dokuwiki state directory.";
};
acl = mkOption {
type = types.nullOr types.lines;
default = null;
example = "* @ALL 8";
description = ''
Access Control Lists: see <link xlink:href="https://www.dokuwiki.org/acl"/>
Mutually exclusive with services.dokuwiki.aclFile
Set this to a value other than null to take precedence over aclFile option.
Warning: Consider using aclFile instead if you do not
want to store the ACL in the world-readable Nix store.
'';
};
aclFile = mkOption {
type = with types; nullOr str;
default = if (config.aclUse && config.acl == null) then "/var/lib/dokuwiki/${name}/acl.auth.php" else null;
description = ''
Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl
Mutually exclusive with services.dokuwiki.acl which is preferred.
Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions.
Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/>
'';
example = "/var/lib/dokuwiki/${name}/acl.auth.php";
};
aclUse = mkOption {
type = types.bool;
default = true;
description = ''
Necessary for users to log in into the system.
Also limits anonymous users. When disabled,
everyone is able to create and edit content.
'';
};
pluginsConfig = mkOption {
type = types.lines;
default = ''
$plugins['authad'] = 0;
$plugins['authldap'] = 0;
$plugins['authmysql'] = 0;
$plugins['authpgsql'] = 0;
'';
description = ''
List of the dokuwiki (un)loaded plugins.
'';
};
superUser = mkOption {
type = types.nullOr types.str;
default = "@admin";
description = ''
You can set either a username, a list of usernames (admin1,admin2),
or the name of a group by prepending an @ char to the groupname
Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions.
'';
};
usersFile = mkOption {
type = with types; nullOr str;
default = if config.aclUse then "/var/lib/dokuwiki/${name}/users.auth.php" else null;
description = ''
Location of the dokuwiki users file. List of users. Format:
login:passwordhash:Real Name:email:groups,comma,separated
Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1`
Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/>
Warning: Consider using aclFile instead if you do not
want to store the ACL in the world-readable Nix store.
'';
example = "/var/lib/dokuwiki/${name}/users.auth.php";
};
disableActions = mkOption {
type = types.nullOr types.str;
default = "";
example = "search,register";
description = ''
Disable individual action modes. Refer to
<link xlink:href="https://www.dokuwiki.org/config:action_modes"/>
for details on supported values.
'';
};
extraConfig = mkOption {
type = types.nullOr types.lines;
default = null;
example = ''
$conf['title'] = 'My Wiki';
$conf['userewrite'] = 1;
'';
description = ''
DokuWiki configuration. Refer to
<link xlink:href="https://www.dokuwiki.org/config"/>
for details on supported values.
'';
};
plugins = mkOption {
type = types.listOf types.path;
default = [];
description = ''
List of path(s) to respective plugin(s) which are copied from the 'plugin' directory.
<note><para>These plugins need to be packaged before use, see example.</para></note>
'';
example = ''
# Let's package the icalevents plugin
plugin-icalevents = pkgs.stdenv.mkDerivation {
name = "icalevents";
# Download the plugin from the dokuwiki site
src = pkgs.fetchurl {
url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/2017-06-16/dokuwiki-plugin-icalevents-2017-06-16.zip";
sha256 = "e40ed7dd6bbe7fe3363bbbecb4de481d5e42385b5a0f62f6a6ce6bf3a1f9dfa8";
};
sourceRoot = ".";
# We need unzip to build this package
nativeBuildInputs = [ pkgs.unzip ];
# Installing simply means copying all files to the output directory
installPhase = "mkdir -p $out; cp -R * $out/";
};
# And then pass this theme to the plugin list like this:
plugins = [ plugin-icalevents ];
'';
};
templates = mkOption {
type = types.listOf types.path;
default = [];
description = ''
List of path(s) to respective template(s) which are copied from the 'tpl' directory.
<note><para>These templates need to be packaged before use, see example.</para></note>
'';
example = ''
# Let's package the bootstrap3 theme
template-bootstrap3 = pkgs.stdenv.mkDerivation {
name = "bootstrap3";
# Download the theme from the dokuwiki site
src = pkgs.fetchurl {
url = "https://github.com/giterlizzi/dokuwiki-template-bootstrap3/archive/v2019-05-22.zip";
sha256 = "4de5ff31d54dd61bbccaf092c9e74c1af3a4c53e07aa59f60457a8f00cfb23a6";
};
# We need unzip to build this package
nativeBuildInputs = [ pkgs.unzip ];
# Installing simply means copying all files to the output directory
installPhase = "mkdir -p $out; cp -R * $out/";
};
# And then pass this theme to the template list like this:
templates = [ template-bootstrap3 ];
'';
};
poolConfig = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the dokuwiki PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
aclFile = mkOption {
type = with types; nullOr str;
default = if (config.aclUse && config.acl == null) then "/var/lib/dokuwiki/${name}/acl.auth.php" else null;
description = ''
Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl
Mutually exclusive with services.dokuwiki.acl which is preferred.
Consult documentation <link xlink:href="https://www.dokuwiki.org/acl"/> for further instructions.
Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist"/>
'';
example = "/var/lib/dokuwiki/${name}/acl.auth.php";
};
aclUse = mkOption {
type = types.bool;
default = true;
description = ''
Necessary for users to log in into the system.
Also limits anonymous users. When disabled,
everyone is able to create and edit content.
'';
};
pluginsConfig = mkOption {
type = types.lines;
default = ''
$plugins['authad'] = 0;
$plugins['authldap'] = 0;
$plugins['authmysql'] = 0;
$plugins['authpgsql'] = 0;
'';
description = ''
List of the dokuwiki (un)loaded plugins.
'';
};
superUser = mkOption {
type = types.nullOr types.str;
default = "@admin";
description = ''
You can set either a username, a list of usernames (admin1,admin2),
or the name of a group by prepending an @ char to the groupname
Consult documentation <link xlink:href="https://www.dokuwiki.org/config:superuser"/> for further instructions.
'';
};
usersFile = mkOption {
type = with types; nullOr str;
default = if config.aclUse then "/var/lib/dokuwiki/${name}/users.auth.php" else null;
description = ''
Location of the dokuwiki users file. List of users. Format:
login:passwordhash:Real Name:email:groups,comma,separated
Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1`
Example: <link xlink:href="https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist"/>
'';
example = "/var/lib/dokuwiki/${name}/users.auth.php";
};
disableActions = mkOption {
type = types.nullOr types.str;
default = "";
example = "search,register";
description = ''
Disable individual action modes. Refer to
<link xlink:href="https://www.dokuwiki.org/config:action_modes"/>
for details on supported values.
'';
};
plugins = mkOption {
type = types.listOf types.path;
default = [];
description = ''
List of path(s) to respective plugin(s) which are copied from the 'plugin' directory.
<note><para>These plugins need to be packaged before use, see example.</para></note>
'';
example = ''
# Let's package the icalevents plugin
plugin-icalevents = pkgs.stdenv.mkDerivation {
name = "icalevents";
# Download the plugin from the dokuwiki site
src = pkgs.fetchurl {
url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/2017-06-16/dokuwiki-plugin-icalevents-2017-06-16.zip";
sha256 = "e40ed7dd6bbe7fe3363bbbecb4de481d5e42385b5a0f62f6a6ce6bf3a1f9dfa8";
};
sourceRoot = ".";
# We need unzip to build this package
buildInputs = [ pkgs.unzip ];
# Installing simply means copying all files to the output directory
installPhase = "mkdir -p $out; cp -R * $out/";
};
# And then pass this theme to the plugin list like this:
plugins = [ plugin-icalevents ];
'';
};
templates = mkOption {
type = types.listOf types.path;
default = [];
description = ''
List of path(s) to respective template(s) which are copied from the 'tpl' directory.
<note><para>These templates need to be packaged before use, see example.</para></note>
'';
example = ''
# Let's package the bootstrap3 theme
template-bootstrap3 = pkgs.stdenv.mkDerivation {
name = "bootstrap3";
# Download the theme from the dokuwiki site
src = pkgs.fetchurl {
url = "https://github.com/giterlizzi/dokuwiki-template-bootstrap3/archive/v2019-05-22.zip";
sha256 = "4de5ff31d54dd61bbccaf092c9e74c1af3a4c53e07aa59f60457a8f00cfb23a6";
};
# We need unzip to build this package
buildInputs = [ pkgs.unzip ];
# Installing simply means copying all files to the output directory
installPhase = "mkdir -p $out; cp -R * $out/";
};
# And then pass this theme to the template list like this:
templates = [ template-bootstrap3 ];
'';
};
poolConfig = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the DokuWiki PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
};
extraConfig = mkOption {
type = types.nullOr types.lines;
default = null;
example = ''
$conf['title'] = 'My Wiki';
$conf['userewrite'] = 1;
'';
description = ''
DokuWiki configuration. Refer to
<link xlink:href="https://www.dokuwiki.org/config"/>
for details on supported values.
'';
};
};
nginx = mkOption {
type = types.submodule (
recursiveUpdate
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) {}
);
default = {};
example = {
serverAliases = [
"wiki.\${config.networking.domain}"
];
# To enable encryption and let let's encrypt take care of certificate
forceSSL = true;
enableACME = true;
};
description = ''
With this option, you can customize the nginx virtualHost settings.
'';
};
};
};
in
{
# interface
options = {
services.dokuwiki = mkOption {
type = types.attrsOf (types.submodule siteOpts);
type = types.submodule {
# Used to support old interface
freeformType = types.attrsOf (types.submodule siteOpts);
# New interface
options.sites = mkOption {
type = types.attrsOf (types.submodule siteOpts);
default = {};
description = "Specification of one or more DokuWiki sites to serve";
};
options.webserver = mkOption {
type = types.enum [ "nginx" "caddy" ];
default = "nginx";
description = ''
Whether to use nginx or caddy for virtual host management.
Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
Further apache2 configuration can be done by adapting <literal>services.httpd.virtualHosts.&lt;name&gt;</literal>.
See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
'';
};
};
default = {};
description = "Sepcification of one or more dokuwiki sites to serve.";
description = "DokuWiki configuration";
};
};
# implementation
config = mkIf (eachSite != {}) {
warnings = mapAttrsToList (hostName: cfg: mkIf (cfg.superUser == null) "Not setting services.dokuwiki.${hostName} superUser will impair your ability to administer DokuWiki") eachSite;
config = mkIf (eachSite != {}) (mkMerge [{
assertions = flatten (mapAttrsToList (hostName: cfg:
[{
assertion = cfg.aclUse -> (cfg.acl != null || cfg.aclFile != null);
message = "Either services.dokuwiki.${hostName}.acl or services.dokuwiki.${hostName}.aclFile is mandatory if aclUse true";
message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if aclUse true";
}
{
assertion = cfg.usersFile != null -> cfg.aclUse != false;
message = "services.dokuwiki.${hostName}.aclUse must must be true if usersFile is not null";
message = "services.dokuwiki.sites.${hostName}.aclUse must must be true if usersFile is not null";
}
]) eachSite);
warnings = mapAttrsToList (hostName: _: ''services.dokuwiki."${hostName}" is deprecated use services.dokuwiki.sites."${hostName}"'') (oldSites cfg);
services.phpfpm.pools = mapAttrs' (hostName: cfg: (
nameValuePair "dokuwiki-${hostName}" {
inherit user;
inherit group;
group = webserver.group;
phpEnv = {
DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig cfg}";
DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig cfg}";
DOKUWIKI_LOCAL_CONFIG = "${dokuwikiLocalConfig hostName cfg}";
DOKUWIKI_PLUGINS_LOCAL_CONFIG = "${dokuwikiPluginsLocalConfig hostName cfg}";
} // optionalAttrs (cfg.usersFile != null) {
DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}";
} //optionalAttrs (cfg.aclUse) {
DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig cfg}" else "${toString cfg.aclFile}";
DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}";
};
settings = {
"listen.mode" = "0660";
"listen.owner" = user;
"listen.group" = group;
"listen.owner" = webserver.user;
"listen.group" = webserver.group;
} // cfg.poolConfig;
})) eachSite;
}
)) eachSite;
}
{
systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [
"d ${stateDir hostName}/attic 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/cache 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/index 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/locks 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/media 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/media_attic 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/media_meta 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/meta 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/pages 0750 ${user} ${webserver.group} - -"
"d ${stateDir hostName}/tmp 0750 ${user} ${webserver.group} - -"
] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist"
++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist"
) eachSite);
users.users.${user} = {
group = webserver.group;
isSystemUser = true;
};
}
(mkIf (cfg.webserver == "nginx") {
services.nginx = {
enable = true;
virtualHosts = mapAttrs (hostName: cfg: mkMerge [ cfg.nginx {
root = mkForce "${pkg hostName cfg}/share/dokuwiki";
extraConfig = lib.optionalString (cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME) "fastcgi_param HTTPS on;";
virtualHosts = mapAttrs (hostName: cfg: {
serverName = mkDefault hostName;
root = "${pkg hostName cfg}/share/dokuwiki";
locations."~ /(conf/|bin/|inc/|install.php)" = {
extraConfig = "deny all;";
};
locations = {
"~ /(conf/|bin/|inc/|install.php)" = {
extraConfig = "deny all;";
};
locations."~ ^/data/" = {
root = "${cfg.stateDir}";
extraConfig = "internal;";
};
"~ ^/data/" = {
root = "${stateDir hostName}";
extraConfig = "internal;";
};
locations."~ ^/lib.*\\.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 365d;";
};
"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 365d;";
};
locations."/" = {
priority = 1;
index = "doku.php";
extraConfig = "try_files $uri $uri/ @dokuwiki;";
};
"/" = {
priority = 1;
index = "doku.php";
extraConfig = ''try_files $uri $uri/ @dokuwiki;'';
};
locations."@dokuwiki" = {
extraConfig = ''
"@dokuwiki" = {
extraConfig = ''
# rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
'';
};
'';
};
locations."~ \\.php$" = {
extraConfig = ''
"~ \\.php$" = {
extraConfig = ''
try_files $uri $uri/ /doku.php;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket};
${lib.optionalString (cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME) "fastcgi_param HTTPS on;"}
'';
'';
};
};
}]) eachSite;
}) eachSite;
};
})
systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [
"d ${cfg.stateDir}/attic 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/cache 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/index 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/locks 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/media 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/media_attic 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/media_meta 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/meta 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/pages 0750 ${user} ${group} - -"
"d ${cfg.stateDir}/tmp 0750 ${user} ${group} - -"
] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist"
++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist"
) eachSite);
(mkIf (cfg.webserver == "caddy") {
services.caddy = {
enable = true;
virtualHosts = mapAttrs' (hostName: cfg: (
nameValuePair "http://${hostName}" {
extraConfig = ''
root * ${pkg hostName cfg}/share/dokuwiki
file_server
users.users.${user} = {
group = group;
isSystemUser = true;
encode zstd gzip
php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}
@restrict_files {
path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php
}
respond @restrict_files 404
@allow_media {
path_regexp path ^/_media/(.*)$
}
rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1}
@allow_detail {
path /_detail*
}
rewrite @allow_detail /lib/exe/detail.php?media={path}
@allow_export {
path /_export*
path_regexp export /([^/]+)/(.*)
}
rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2}
try_files {path} {path}/ /doku.php?id={path}&{query}
'';
}
)) eachSite;
};
};
})
meta.maintainers = with maintainers; [ _1000101 ];
]);
meta.maintainers = with maintainers; [
_1000101
onny
];
}

5
nixos/modules/services/x11/desktop-managers/cde.nix
View File

@ -49,9 +49,10 @@ in {
users.groups.mail = {};
security.wrappers = {
dtmail = {
source = "${pkgs.cdesktopenv}/bin/dtmail";
group = "mail";
setgid = true;
owner = "nobody";
group = "mail";
source = "${pkgs.cdesktopenv}/bin/dtmail";
};
};

21
nixos/modules/services/x11/desktop-managers/enlightenment.nix
View File

@ -65,9 +65,24 @@ in
# Wrappers for programs installed by enlightenment that should be setuid
security.wrappers = {
enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
enlightenment_ckpasswd =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
};
enlightenment_sys =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
};
enlightenment_system =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
};
};
environment.etc."X11/xkb".source = xcfg.xkbDir;

26
nixos/modules/services/x11/desktop-managers/pantheon.nix
View File

@ -134,6 +134,9 @@ in
services.accounts-daemon.enable = true;
services.bamf.enable = true;
services.colord.enable = mkDefault true;
services.fwupd.enable = mkDefault true;
services.touchegg.enable = mkDefault true;
services.touchegg.package = pkgs.pantheon.touchegg;
services.tumbler.enable = mkDefault true;
services.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true));
services.dbus.packages = with pkgs.pantheon; [
@ -162,12 +165,11 @@ in
isAllowed = true;
isSystem = true;
};
# Use gnome-settings-daemon fork
services.udev.packages = [
pkgs.pantheon.elementary-settings-daemon
pkgs.gnome.gnome-settings-daemon338
];
systemd.packages = [
pkgs.pantheon.elementary-settings-daemon
pkgs.gnome.gnome-settings-daemon338
];
programs.dconf.enable = true;
networking.networkmanager.enable = mkDefault true;
@ -180,7 +182,6 @@ in
gnome.adwaita-icon-theme
gtk3.out
hicolor-icon-theme
lightlocker
onboard
qgnomeplatform
shared-mime-info
@ -208,15 +209,13 @@ in
# Services
elementary-capnet-assist
elementary-dpms-helper
elementary-notifications
elementary-settings-daemon
pantheon-agent-geoclue2
pantheon-agent-polkit
]) ++ (gnome.removePackagesByName [
gnome.geary
gnome.epiphany
gnome.gnome-font-viewer
gnome.gnome-settings-daemon338
] config.environment.pantheon.excludePackages);
programs.evince.enable = mkDefault true;
@ -224,9 +223,12 @@ in
# Settings from elementary-default-settings
environment.sessionVariables.GTK_CSD = "1";
environment.sessionVariables.GTK3_MODULES = [ "pantheon-filechooser-module" ];
environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini";
xdg.portal.extraPortals = [
pkgs.pantheon.elementary-files
];
# Override GSettings schemas
environment.sessionVariables.NIX_GSETTINGS_OVERRIDES_DIR = "${nixos-gsettings-desktop-schemas}/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas";
@ -254,6 +256,8 @@ in
# Default Fonts
fonts.fonts = with pkgs; [
inter
open-dyslexic
open-sans
roboto-mono
];
@ -271,14 +275,16 @@ in
elementary-camera
elementary-code
elementary-files
elementary-mail
elementary-music
elementary-photos
elementary-screenshot-tool
elementary-screenshot
elementary-terminal
elementary-videos
epiphany
] config.environment.pantheon.excludePackages);
# needed by screenshot-tool
# needed by screenshot
fonts.fonts = [
pkgs.pantheon.elementary-redacted-script
];

2
nixos/modules/services/x11/desktop-managers/pantheon.xml
View File

@ -22,7 +22,7 @@
<programlisting>
<xref linkend="opt-services.pantheon.apps.enable"/> = false;
</programlisting>
You can also use <xref linkend="opt-environment.pantheon.excludePackages"/> to remove any other app (like <package>geary</package>).
You can also use <xref linkend="opt-environment.pantheon.excludePackages"/> to remove any other app (like <package>elementary-mail</package>).
</para>
</section>
<section xml:id="sec-pantheon-wingpanel-switchboard">

24
nixos/modules/services/x11/desktop-managers/plasma5.nix
View File

@ -197,12 +197,24 @@ in
};
security.wrappers = {
kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
kwin_wayland = {
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
capabilities = "cap_sys_nice+ep";
};
kcheckpass =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
};
start_kdeinit =
{ setuid = true;
owner = "root";
group = "root";
source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
};
kwin_wayland =
{ owner = "root";
group = "root";
capabilities = "cap_sys_nice+ep";
source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
};
};
# DDC support

52
nixos/modules/services/x11/extra-layouts.nix
View File

@ -79,6 +79,10 @@ let
};
};
xkb_patched = pkgs.xorg.xkeyboardconfig_custom {
layouts = config.services.xserver.extraLayouts;
};
in
{
@ -114,58 +118,14 @@ in
config = mkIf (layouts != { }) {
# We don't override xkeyboard_config directly to
# reduce the amount of packages to be recompiled.
# Only the following packages are necessary to set
# a custom layout anyway:
nixpkgs.overlays = lib.singleton (self: super: {
xkb_patched = self.xorg.xkeyboardconfig_custom {
layouts = config.services.xserver.extraLayouts;
};
xorg = super.xorg // {
xorgserver = super.xorg.xorgserver.overrideAttrs (old: {
configureFlags = old.configureFlags ++ [
"--with-xkb-bin-directory=${self.xorg.xkbcomp}/bin"
"--with-xkb-path=${self.xkb_patched}/share/X11/xkb"
];
});
setxkbmap = super.xorg.setxkbmap.overrideAttrs (old: {
postInstall =
''
mkdir -p $out/share
ln -sfn ${self.xkb_patched}/etc/X11 $out/share/X11
'';
});
xkbcomp = super.xorg.xkbcomp.overrideAttrs (old: {
configureFlags = [ "--with-xkb-config-root=${self.xkb_patched}/share/X11/xkb" ];
});
};
ckbcomp = super.ckbcomp.override {
xkeyboard_config = self.xkb_patched;
};
xkbvalidate = super.xkbvalidate.override {
libxkbcommon = self.libxkbcommon.override {
xkeyboard_config = self.xkb_patched;
};
};
});
environment.sessionVariables = {
# runtime override supported by multiple libraries e. g. libxkbcommon
# https://xkbcommon.org/doc/current/group__include-path.html
XKB_CONFIG_ROOT = "${pkgs.xkb_patched}/etc/X11/xkb";
XKB_CONFIG_ROOT = "${xkb_patched}/etc/X11/xkb";
};
services.xserver = {
xkbDir = "${pkgs.xkb_patched}/etc/X11/xkb";
xkbDir = "${xkb_patched}/etc/X11/xkb";
exportConfiguration = config.services.xserver.displayManager.startx.enable
|| config.services.xserver.displayManager.sx.enable;
};

38
nixos/modules/services/x11/touchegg.nix Normal file
View File

@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.services.touchegg;
in {
meta = {
maintainers = teams.pantheon.members;
};
###### interface
options.services.touchegg = {
enable = mkEnableOption "touchegg, a multi-touch gesture recognizer";
package = mkOption {
type = types.package;
default = pkgs.touchegg;
defaultText = "pkgs.touchegg";
description = "touchegg derivation to use.";
};
};
###### implementation
config = mkIf cfg.enable {
systemd.services.touchegg = {
description = "Touchegg Daemon";
serviceConfig = {
Type = "simple";
ExecStart = "${cfg.package}/bin/touchegg --daemon";
Restart = "on-failure";
};
wantedBy = [ "multi-user.target" ];
};
environment.systemPackages = [ cfg.package ];
};
}

3
nixos/modules/services/x11/xserver.nix
View File

@ -738,6 +738,9 @@ in
nativeBuildInputs = with pkgs.buildPackages; [ xkbvalidate ];
preferLocalBuild = true;
} ''
${optionalString (config.environment.sessionVariables ? XKB_CONFIG_ROOT)
"export XKB_CONFIG_ROOT=${config.environment.sessionVariables.XKB_CONFIG_ROOT}"
}
xkbvalidate "$xkbModel" "$layout" "$xkbVariant" "$xkbOptions"
touch "$out"
'');

1
nixos/modules/system/activation/activation-script.nix
View File

@ -263,6 +263,7 @@ in
script = config.system.userActivationScripts.script;
unitConfig.ConditionUser = "!@system";
serviceConfig.Type = "oneshot";
wantedBy = [ "default.target" ];
};
};
};

14
nixos/modules/tasks/filesystems/ecryptfs.nix
View File

@ -7,8 +7,18 @@ with lib;
config = mkIf (any (fs: fs == "ecryptfs") config.boot.supportedFilesystems) {
system.fsPackages = [ pkgs.ecryptfs ];
security.wrappers = {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
"mount.ecryptfs_private" =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
};
"umount.ecryptfs_private" =
{ setuid = true;
owner = "root";
group = "root";
source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
};
};
};
}

9
nixos/modules/tasks/network-interfaces.nix
View File

@ -1133,11 +1133,16 @@ in
# kernel because we need the ambient capability
security.wrappers = if (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") then {
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.iputils.out}/bin/ping";
};
} else {
ping.source = "${pkgs.iputils.out}/bin/ping";
setuid = true;
owner = "root";
group = "root";
source = "${pkgs.iputils.out}/bin/ping";
};
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
/run/wrappers/bin/ping {

3
nixos/modules/virtualisation/libvirtd.nix
View File

@ -183,6 +183,9 @@ in {
};
security.wrappers.qemu-bridge-helper = {
setuid = true;
owner = "root";
group = "root";
source = "/run/${dirName}/nix-helpers/qemu-bridge-helper";
};

6
nixos/modules/virtualisation/spice-usb-redirection.nix
View File

@ -14,9 +14,11 @@
config = lib.mkIf config.virtualisation.spiceUSBRedirection.enable {
environment.systemPackages = [ pkgs.spice-gtk ]; # For polkit actions
security.wrappers.spice-client-glib-usb-acl-helper ={
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
security.wrappers.spice-client-glib-usb-acl-helper = {
owner = "root";
group = "root";
capabilities = "cap_fowner+ep";
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
};
};

1
nixos/tests/all-tests.nix
View File

@ -461,6 +461,7 @@ in
unit-php = handleTest ./web-servers/unit-php.nix {};
upnp = handleTest ./upnp.nix {};
usbguard = handleTest ./usbguard.nix {};
user-activation-scripts = handleTest ./user-activation-scripts.nix {};
uwsgi = handleTest ./uwsgi.nix {};
v2ray = handleTest ./v2ray.nix {};
vault = handleTest ./vault.nix {};

85
nixos/tests/dokuwiki.nix
View File

@ -33,44 +33,79 @@ let
in {
name = "dokuwiki";
meta = with pkgs.lib; {
maintainers = with maintainers; [ _1000101 ];
maintainers = with maintainers; [
_1000101
onny
];
};
machine = { ... }: {
services.dokuwiki."site1.local" = {
aclUse = false;
superUser = "admin";
nodes = {
dokuwiki_nginx = {...}: {
services.dokuwiki = {
sites = {
"site1.local" = {
aclUse = false;
superUser = "admin";
};
"site2.local" = {
usersFile = "/var/lib/dokuwiki/site2.local/users.auth.php";
superUser = "admin";
templates = [ template-bootstrap3 ];
plugins = [ plugin-icalevents ];
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
networking.hosts."127.0.0.1" = [ "site1.local" "site2.local" ];
};
services.dokuwiki."site2.local" = {
usersFile = "/var/lib/dokuwiki/site2.local/users.auth.php";
superUser = "admin";
templates = [ template-bootstrap3 ];
plugins = [ plugin-icalevents ];
dokuwiki_caddy = {...}: {
services.dokuwiki = {
webserver = "caddy";
sites = {
"site1.local" = {
aclUse = false;
superUser = "admin";
};
"site2.local" = {
usersFile = "/var/lib/dokuwiki/site2.local/users.auth.php";
superUser = "admin";
templates = [ template-bootstrap3 ];
plugins = [ plugin-icalevents ];
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
networking.hosts."127.0.0.1" = [ "site1.local" "site2.local" ];
};
networking.hosts."127.0.0.1" = [ "site1.local" "site2.local" ];
};
testScript = ''
site_names = ["site1.local", "site2.local"]
start_all()
machine.wait_for_unit("phpfpm-dokuwiki-site1.local.service")
machine.wait_for_unit("phpfpm-dokuwiki-site2.local.service")
dokuwiki_nginx.wait_for_unit("nginx")
dokuwiki_caddy.wait_for_unit("caddy")
machine.wait_for_unit("nginx.service")
site_names = ["site1.local", "site2.local"]
machine.wait_for_open_port(80)
for machine in (dokuwiki_nginx, dokuwiki_caddy):
for site_name in site_names:
machine.wait_for_unit(f"phpfpm-dokuwiki-{site_name}")
machine.succeed("curl -sSfL http://site1.local/ | grep 'DokuWiki'")
machine.fail("curl -sSfL 'http://site1.local/doku.php?do=login' | grep 'Login'")
machine.succeed("curl -sSfL http://site1.local/ | grep 'DokuWiki'")
machine.fail("curl -sSfL 'http://site1.local/doku.php?do=login' | grep 'Login'")
machine.succeed("curl -sSfL http://site2.local/ | grep 'DokuWiki'")
machine.succeed("curl -sSfL 'http://site2.local/doku.php?do=login' | grep 'Login'")
machine.succeed("curl -sSfL http://site2.local/ | grep 'DokuWiki'")
machine.succeed("curl -sSfL 'http://site2.local/doku.php?do=login' | grep 'Login'")
machine.succeed(
"echo 'admin:$2y$10$ijdBQMzSVV20SrKtCna8gue36vnsbVm2wItAXvdm876sshI4uwy6S:Admin:admin@example.test:user' >> /var/lib/dokuwiki/site2.local/users.auth.php",
"curl -sSfL -d 'u=admin&p=password' --cookie-jar cjar 'http://site2.local/doku.php?do=login'",
"curl -sSfL --cookie cjar --cookie-jar cjar 'http://site2.local/doku.php?do=login' | grep 'Logged in as: <bdi>Admin</bdi>'",
)
machine.succeed(
"echo 'admin:$2y$10$ijdBQMzSVV20SrKtCna8gue36vnsbVm2wItAXvdm876sshI4uwy6S:Admin:admin@example.test:user' >> /var/lib/dokuwiki/site2.local/users.auth.php",
"curl -sSfL -d 'u=admin&p=password' --cookie-jar cjar 'http://site2.local/doku.php?do=login'",
"curl -sSfL --cookie cjar --cookie-jar cjar 'http://site2.local/doku.php?do=login' | grep 'Logged in as: <bdi>Admin</bdi>'",
)
'';
})

4
nixos/tests/pantheon.nix
View File

@ -45,8 +45,8 @@ import ./make-test-python.nix ({ pkgs, ...} :
with subtest("Check if pantheon session components actually start"):
machine.wait_until_succeeds("pgrep gala")
machine.wait_for_window("gala")
machine.wait_until_succeeds("pgrep wingpanel")
machine.wait_for_window("wingpanel")
machine.wait_until_succeeds("pgrep -f io.elementary.wingpanel")
machine.wait_for_window("io.elementary.wingpanel")
machine.wait_until_succeeds("pgrep plank")
machine.wait_for_window("plank")

28
nixos/tests/spark/default.nix Normal file
View File

@ -0,0 +1,28 @@
import ../make-test-python.nix ({...}: {
name = "spark";
nodes = {
worker = { nodes, pkgs, ... }: {
virtualisation.memorySize = 1024;
services.spark.worker = {
enable = true;
master = "master:7077";
};
};
master = { config, pkgs, ... }: {
services.spark.master = {
enable = true;
bind = "0.0.0.0";
};
networking.firewall.allowedTCPPorts = [ 22 7077 8080 ];
};
};
testScript = ''
master.wait_for_unit("spark-master.service")
worker.wait_for_unit("spark-worker.service")
worker.copy_from_host( "${./spark_sample.py}", "/spark_sample.py" )
assert "<title>Spark Master at spark://" in worker.succeed("curl -sSfkL http://master:8080/")
worker.succeed("spark-submit --master spark://master:7077 --executor-memory 512m --executor-cores 1 /spark_sample.py")
'';
})

40
nixos/tests/spark/spark_sample.py Normal file
View File

@ -0,0 +1,40 @@
from pyspark.sql import Row, SparkSession
from pyspark.sql import functions as F
from pyspark.sql.functions import udf
from pyspark.sql.types import *
from pyspark.sql.functions import explode
def explode_col(weight):
return int(weight//10) * [10.0] + ([] if weight%10==0 else [weight%10])
spark = SparkSession.builder.getOrCreate()
dataSchema = [
StructField("feature_1", FloatType()),
StructField("feature_2", FloatType()),
StructField("bias_weight", FloatType())
]
data = [
Row(0.1, 0.2, 10.32),
Row(0.32, 1.43, 12.8),
Row(1.28, 1.12, 0.23)
]
df = spark.createDataFrame(spark.sparkContext.parallelize(data), StructType(dataSchema))
normalizing_constant = 100
sum_bias_weight = df.select(F.sum('bias_weight')).collect()[0][0]
normalizing_factor = normalizing_constant / sum_bias_weight
df = df.withColumn('normalized_bias_weight', df.bias_weight * normalizing_factor)
df = df.drop('bias_weight')
df = df.withColumnRenamed('normalized_bias_weight', 'bias_weight')
my_udf = udf(lambda x: explode_col(x), ArrayType(FloatType()))
df1 = df.withColumn('explode_val', my_udf(df.bias_weight))
df1 = df1.withColumn("explode_val_1", explode(df1.explode_val)).drop("explode_val")
df1 = df1.drop('bias_weight').withColumnRenamed('explode_val_1', 'bias_weight')
df1.show()
assert(df1.count() == 12)

33
nixos/tests/user-activation-scripts.nix Normal file
View File

@ -0,0 +1,33 @@
import ./make-test-python.nix ({ lib, ... }: {
name = "user-activation-scripts";
meta = with lib.maintainers; { maintainers = [ chkno ]; };
machine = {
system.userActivationScripts.foo = "mktemp ~/user-activation-ran.XXXXXX";
users.users.alice = {
initialPassword = "pass1";
isNormalUser = true;
};
};
testScript = ''
def verify_user_activation_run_count(n):
machine.succeed(
'[[ "$(find /home/alice/ -name user-activation-ran.\\* | wc -l)" == %s ]]' % n
)
machine.wait_for_unit("multi-user.target")
machine.wait_for_unit("getty@tty1.service")
machine.wait_until_tty_matches(1, "login: ")
machine.send_chars("alice\n")
machine.wait_until_tty_matches(1, "Password: ")
machine.send_chars("pass1\n")
machine.send_chars("touch login-ok\n")
machine.wait_for_file("/home/alice/login-ok")
verify_user_activation_run_count(1)
machine.succeed("/run/current-system/bin/switch-to-configuration test")
verify_user_activation_run_count(2)
'';
})

0
pkgs/applications/radio/pyradio/default.nix → pkgs/applications/audio/pyradio/default.nix
View File

4
pkgs/applications/audio/sidplayfp/default.nix
View File

@ -16,13 +16,13 @@
stdenv.mkDerivation rec {
pname = "sidplayfp";
version = "2.2.1";
version = "2.2.2";
src = fetchFromGitHub {
owner = "libsidplayfp";
repo = "sidplayfp";
rev = "v${version}";
sha256 = "sha256-IlPZmZpWxMaArkRnqu6JCGxiHU7JczRxiySqzAopfxc=";
sha256 = "sha256-DBZZf3A0AYkeQxQvHGyHHbsQ2EDuxsZnZPbxkWTNcHA=";
};
nativeBuildInputs = [ autoreconfHook perl pkg-config ];

18
pkgs/applications/editors/emacs/elisp-packages/ement/default.nix
View File

@ -9,7 +9,14 @@
trivialBuild {
pname = "ement";
version = "unstable-2021-09-08";
version = "unstable-2021-09-16";
src = fetchFromGitHub {
owner = "alphapapa";
repo = "ement.el";
rev = "c07e914f077199c95b0e7941a421675c95d4687e";
sha256 = "sha256-kYVb2NrHYC87mY/hFUMAjb4TLJ9A2L2RrHoiAXvRaGg=";
};
packageRequires = [
plz
@ -17,12 +24,9 @@ trivialBuild {
ts
];
src = fetchFromGitHub {
owner = "alphapapa";
repo = "ement.el";
rev = "468aa9b0526aaa054f059c63797aa3d9ea13611d";
sha256 = "sha256-0FCAu253iTSf9qcsmoJxKlzfd5eYc8eJXUxG6+0eg/I=";
};
patches = [
./handle-nil-images.patch
];
meta = {
description = "Ement.el is a Matrix client for Emacs";

28
pkgs/applications/editors/emacs/elisp-packages/ement/handle-nil-images.patch Normal file
View File

@ -0,0 +1,28 @@
diff --git a/ement.el b/ement.el
index c9596a7..1b33045 100644
--- a/ement.el
+++ b/ement.el
@@ -682,14 +682,15 @@ can cause undesirable underlining."
"Return a copy of IMAGE set to MAX-WIDTH and MAX-HEIGHT.
IMAGE should be one as created by, e.g. `create-image'."
;; It would be nice if the image library had some simple functions to do this sort of thing.
- (let ((new-image (cl-copy-list image)))
- (when (fboundp 'imagemagick-types)
- ;; Only do this when ImageMagick is supported.
- ;; FIXME: When requiring Emacs 27+, remove this (I guess?).
- (setf (image-property new-image :type) 'imagemagick))
- (setf (image-property new-image :max-width) max-width
- (image-property new-image :max-height) max-height)
- new-image))
+ (when image
+ (let ((new-image (cl-copy-list image)))
+ (when (fboundp 'imagemagick-types)
+ ;; Only do this when ImageMagick is supported.
+ ;; FIXME: When requiring Emacs 27+, remove this (I guess?).
+ (setf (image-property new-image :type) 'imagemagick))
+ (setf (image-property new-image :max-width) max-width
+ (image-property new-image :max-height) max-height)
+ new-image)))
;;;;; Reading/writing sessions

4
pkgs/applications/misc/gpxsee/default.nix
View File

@ -2,13 +2,13 @@
mkDerivation rec {
pname = "gpxsee";
version = "9.5";
version = "9.6";
src = fetchFromGitHub {
owner = "tumic0";
repo = "GPXSee";
rev = version;
sha256 = "sha256-KYw3RXdL/iiE2zFbrDzRWe8jdLYbF6gvOFAGyWgd3GM=";
sha256 = "sha256-Yj8lR8zgIV+gshea7rzLbMF84n1nyN3DytiIkr3B274=";
};
patches = (substituteAll {

3
pkgs/applications/networking/browsers/chromium/common.nix
View File

@ -88,6 +88,8 @@ let
gnSystemLibraries = lib.optionals (!chromiumVersionAtLeast "93") [
"ffmpeg"
"snappy"
] ++ lib.optionals (!chromiumVersionAtLeast "95") [
"zlib"
] ++ [
"flac"
"libjpeg"
@ -95,7 +97,6 @@ let
"libwebp"
"libxslt"
"opus"
"zlib"
];
opusWithCustomModes = libopus.override {

12
pkgs/applications/networking/browsers/chromium/upstream-info.json
View File

@ -18,9 +18,9 @@
}
},
"beta": {
"version": "94.0.4606.41",
"sha256": "0kdi8rbly002abg9jwkmv6xmfcv7g0rm68lbdsnhr0biy7wvadij",
"sha256bin64": "0ayhppzwc4ia36hpakqg9rh3cggw33c7d2zkfaias3zm14k86ga2",
"version": "94.0.4606.50",
"sha256": "1aqy9bvypx66bvn5p15g94p47yfbal8mixs1d0j82pznqnqgph1z",
"sha256bin64": "07hq4qnbgq6m43zhipgy84yhiiy1fs6ffjkgsi8ixhr9b5pipzpv",
"deps": {
"gn": {
"version": "2021-08-11",
@ -31,9 +31,9 @@
}
},
"dev": {
"version": "95.0.4636.4",
"sha256": "1rhkmja9p2a8cxnjsrs0ipzajxwgp3c8q3903rp8ns1g579c4g3j",
"sha256bin64": "0l89iqi95fa10m3jdhbvfdjf4x88gscx6imkhy2x2ax669d19606",
"version": "95.0.4638.10",
"sha256": "0pgd5k24yly9fqpzigc5qqx6lvn6m95fjp7294cgmk0132icx71j",
"sha256bin64": "1gfaal3yxmi1n2nvfp39xp82g8vykzm0fjbdk0c1wh4gvlq2xx85",
"deps": {
"gn": {
"version": "2021-08-11",

15
pkgs/applications/networking/browsers/palemoon/default.nix
View File

@ -1,6 +1,6 @@
{ stdenv
, lib
, fetchFromGitHub
, fetchzip
, writeScript
, alsa-lib
, autoconf213
@ -52,15 +52,12 @@ let
in
stdenv.mkDerivation rec {
pname = "palemoon";
version = "29.4.0.2";
version = "29.4.1";
src = fetchFromGitHub {
githubBase = "repo.palemoon.org";
owner = "MoonchildProductions";
repo = "Pale-Moon";
rev = "${version}_Release";
sha256 = "086f517xkk4smx57klyyvx4m3g6r5f1667w990zhpapbh997hfri";
fetchSubmodules = true;
src = fetchzip {
url = "http://archive.palemoon.org/source/palemoon-${version}-source.tar.xz";
stripRoot = false;
sha256 = "0kb9yn1q8rrmnlsyvxvv2gdgyyf12g6rxlyh82lmc0gysvd4qd2c";
};
passthru.updateScript = writeScript "update-${pname}" ''

4
pkgs/applications/networking/cluster/bosh-cli/default.nix
View File

@ -8,13 +8,13 @@
buildGoModule rec {
pname = "bosh-cli";
version = "6.4.6";
version = "6.4.7";
src = fetchFromGitHub {
owner = "cloudfoundry";
repo = pname;
rev = "v${version}";
sha256 = "sha256-MNM8gyi7L00OSf2EIEQFAlH7oMrcZSubf6tWcgJJMeQ=";
sha256 = "sha256-uLzYRfH2wJB/ucYtZGjKi0K5FaiP3CyA85gJ8Ji3WHE=";
};
vendorSha256 = null;

6
pkgs/applications/networking/cluster/minikube/default.nix
View File

@ -11,9 +11,9 @@
buildGoModule rec {
pname = "minikube";
version = "1.22.0";
version = "1.23.0";
vendorSha256 = "sha256-zAXEwGJ3dnqN/+3k189zqppdiNHPyJ+mdZvDNEWQLsA=";
vendorSha256 = "sha256-KhUmyQn97rXX49EFqUrR7UEm0J5gIdogUJMVW1Wjrdw=";
doCheck = false;
@ -21,7 +21,7 @@ buildGoModule rec {
owner = "kubernetes";
repo = "minikube";
rev = "v${version}";
sha256 = "sha256-wL/HsdV6MZcsR3Y8pGZ5WYUMJ7j+VyJGpLeLIXm5MJM=";
sha256 = "sha256-Cf77qaAsavkSpSoBJz3kcPzL2SL7X9O9lCTYcm1tFFQ=";
};
nativeBuildInputs = [ installShellFiles pkg-config which ];

109
pkgs/applications/networking/cluster/spark/default.nix
View File

@ -1,56 +1,75 @@
{ lib, stdenv, fetchzip, makeWrapper, jre, pythonPackages, coreutils, hadoop
{ lib, stdenv, fetchzip, makeWrapper, jdk8, python3Packages, extraPythonPackages ? [], coreutils, hadoop
, RSupport? true, R
}:
with lib;
stdenv.mkDerivation rec {
let
spark = { pname, version, src }:
stdenv.mkDerivation rec {
inherit pname version src;
nativeBuildInputs = [ makeWrapper ];
buildInputs = [ jdk8 python3Packages.python ]
++ extraPythonPackages
++ optional RSupport R;
pname = "spark";
version = "2.4.4";
untarDir = "${pname}-${version}";
installPhase = ''
mkdir -p $out/{lib/${untarDir}/conf,bin,/share/java}
mv * $out/lib/${untarDir}
src = fetchzip {
url = "mirror://apache/spark/${pname}-${version}/${pname}-${version}-bin-without-hadoop.tgz";
sha256 = "1a9w5k0207fysgpxx6db3a00fs5hdc2ncx99x4ccy2s0v5ndc66g";
cp $out/lib/${untarDir}/conf/log4j.properties{.template,}
cat > $out/lib/${untarDir}/conf/spark-env.sh <<- EOF
export JAVA_HOME="${jdk8}"
export SPARK_HOME="$out/lib/${untarDir}"
export SPARK_DIST_CLASSPATH=$(${hadoop}/bin/hadoop classpath)
export PYSPARK_PYTHON="${python3Packages.python}/bin/${python3Packages.python.executable}"
export PYTHONPATH="\$PYTHONPATH:$PYTHONPATH"
${optionalString RSupport ''
export SPARKR_R_SHELL="${R}/bin/R"
export PATH="\$PATH:${R}/bin"''}
EOF
for n in $(find $out/lib/${untarDir}/bin -type f ! -name "*.*"); do
makeWrapper "$n" "$out/bin/$(basename $n)"
substituteInPlace "$n" --replace dirname ${coreutils.out}/bin/dirname
done
for n in $(find $out/lib/${untarDir}/sbin -type f); do
# Spark deprecated scripts with "slave" in the name.
# This line adds forward compatibility with the nixos spark module for
# older versions of spark that don't have the new "worker" scripts.
ln -s "$n" $(echo "$n" | sed -r 's/slave(s?).sh$/worker\1.sh/g') || true
done
ln -s $out/lib/${untarDir}/lib/spark-assembly-*.jar $out/share/java
'';
meta = {
description = "Apache Spark is a fast and general engine for large-scale data processing";
homepage = "http://spark.apache.org";
license = lib.licenses.asl20;
platforms = lib.platforms.all;
maintainers = with maintainers; [ thoughtpolice offline kamilchm illustris ];
repositories.git = "git://git.apache.org/spark.git";
};
};
in {
spark3 = spark rec {
pname = "spark";
version = "3.1.2";
src = fetchzip {
url = "mirror://apache/spark/${pname}-${version}/${pname}-${version}-bin-without-hadoop.tgz";
sha256 = "1bgh2y6jm7wqy6yc40rx68xkki31i3jiri2yixb1bm0i9pvsj9yf";
};
};
spark2 = spark rec {
pname = "spark";
version = "2.4.8";
nativeBuildInputs = [ makeWrapper ];
buildInputs = [ jre pythonPackages.python pythonPackages.numpy ]
++ optional RSupport R;
untarDir = "${pname}-${version}-bin-without-hadoop";
installPhase = ''
mkdir -p $out/{lib/${untarDir}/conf,bin,/share/java}
mv * $out/lib/${untarDir}
sed -e 's/INFO, console/WARN, console/' < \
$out/lib/${untarDir}/conf/log4j.properties.template > \
$out/lib/${untarDir}/conf/log4j.properties
cat > $out/lib/${untarDir}/conf/spark-env.sh <<- EOF
export JAVA_HOME="${jre}"
export SPARK_HOME="$out/lib/${untarDir}"
export SPARK_DIST_CLASSPATH=$(${hadoop}/bin/hadoop classpath)
export PYSPARK_PYTHON="${pythonPackages.python}/bin/${pythonPackages.python.executable}"
export PYTHONPATH="\$PYTHONPATH:$PYTHONPATH"
${optionalString RSupport
''export SPARKR_R_SHELL="${R}/bin/R"
export PATH=$PATH:"${R}/bin/R"''}
EOF
for n in $(find $out/lib/${untarDir}/bin -type f ! -name "*.*"); do
makeWrapper "$n" "$out/bin/$(basename $n)"
substituteInPlace "$n" --replace dirname ${coreutils.out}/bin/dirname
done
ln -s $out/lib/${untarDir}/lib/spark-assembly-*.jar $out/share/java
'';
meta = {
description = "Apache Spark is a fast and general engine for large-scale data processing";
homepage = "http://spark.apache.org";
license = lib.licenses.asl20;
platforms = lib.platforms.all;
maintainers = with maintainers; [ thoughtpolice offline kamilchm ];
repositories.git = "git://git.apache.org/spark.git";
src = fetchzip {
url = "mirror://apache/spark/${pname}-${version}/${pname}-${version}-bin-without-hadoop.tgz";
sha256 = "1mkyq0gz9fiav25vr0dba5ivp0wh0mh7kswwnx8pvsmb6wbwyfxv";
};
};
}

4
pkgs/applications/networking/instant-messengers/ferdi/default.nix
View File

@ -17,10 +17,10 @@ in
mkFranzDerivation' rec {
pname = "ferdi";
name = "Ferdi";
version = "5.6.0";
version = "5.6.2";
src = fetchurl {
url = "https://github.com/getferdi/ferdi/releases/download/v${version}/ferdi_${version}_amd64.deb";
sha256 = "sha256-yaAYNQAvbtArw9qAtbTDD11a9nH2OQEPE8QLg1E79Yc=";
sha256 = "sha256-8rB7SnaIaeCXAaKELNO1CnxpV8TyeKRCVamwpATeia4=";
};
extraBuildInputs = [ xorg.libxshmfence ];
meta = with lib; {

4
pkgs/applications/networking/instant-messengers/signal-desktop/default.nix
View File

@ -25,7 +25,7 @@ let
else "");
in stdenv.mkDerivation rec {
pname = "signal-desktop";
version = "5.17.1"; # Please backport all updates to the stable channel.
version = "5.17.2"; # Please backport all updates to the stable channel.
# All releases have a limited lifetime and "expire" 90 days after the release.
# When releases "expire" the application becomes unusable until an update is
# applied. The expiration date for the current release can be extracted with:
@ -35,7 +35,7 @@ in stdenv.mkDerivation rec {
src = fetchurl {
url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop/signal-desktop_${version}_amd64.deb";
sha256 = "sha256-gJ5jDMdEx2YSmPtNfv2gKKAgPfRJcb3Aabti/DgHaIU=";
sha256 = "1fmn2i6k3zh3d37234yxbawzf85fa66xybcli7xffli39czxbcj3";
};
nativeBuildInputs = [

4
pkgs/applications/science/biology/bowtie/default.nix
View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "bowtie";
version = "1.3.0";
version = "1.3.1";
src = fetchFromGitHub {
owner = "BenLangmead";
repo = pname;
rev = "v${version}";
sha256 = "0da2kzyfsn6xv8mlqsv2vv7k8g0c9d2vgqzq8yqk888yljdzcrjp";
sha256 = "sha256-mWItmrTMPst/NnzSpxxTHcBztDqHPCza9yOsZPwp7G4=";
};
buildInputs = [ zlib ];

4
pkgs/applications/system/monitor/default.nix
View File

@ -19,13 +19,13 @@
stdenv.mkDerivation rec {
pname = "monitor";
version = "0.8.1";
version = "0.9.5";
src = fetchFromGitHub {
owner = "stsdc";
repo = "monitor";
rev = version;
sha256 = "111g2f3y5lmz91m755jz0x8yx5cx9ym484gch8wcv80dmr7ilb1y";
sha256 = "sha256-eTsPn2Z1++KsZnnBnZ2s9fKK2HguPw+JqaRRkxQDiAk=";
fetchSubmodules = true;
};

14
pkgs/applications/video/streamlink/default.nix
View File

@ -2,6 +2,7 @@
, python3Packages
, rtmpdump
, ffmpeg
, fetchpatch
}:
python3Packages.buildPythonApplication rec {
@ -33,11 +34,14 @@ python3Packages.buildPythonApplication rec {
ffmpeg
];
# note that upstream currently uses requests 2.25.1 in Windows builds
postPatch = ''
substituteInPlace setup.py \
--replace 'requests>=2.26.0,<3.0' 'requests'
'';
patches = [
# Patch failing tests to expect correct Accept-Encoding as generated by Requests
(fetchpatch {
url = "https://github.com/streamlink/streamlink/commit/ae747a113199c119bced4613d33edcc67a222bb9.patch";
includes = [ "tests/test_stream_json.py" ];
sha256 = "sha256-KEgyWdh5DNgNktmLSvKQowUQO9p9Q7zP4NbCQJPNgKw=";
})
];
meta = with lib; {
homepage = "https://streamlink.github.io/";

14
pkgs/applications/virtualization/catatonit/default.nix
View File

@ -1,24 +1,16 @@
{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, glibc, nixosTests }:
{ lib, stdenv, fetchFromGitHub, autoreconfHook, glibc, nixosTests }:
stdenv.mkDerivation rec {
pname = "catatonit";
version = "0.1.5";
version = "0.1.6";
src = fetchFromGitHub {
owner = "openSUSE";
repo = pname;
rev = "v${version}";
sha256 = "ciJ1MI7jr5P2PgxIykQ+BiwNUO8lQHGt0+U8CNbc5bI=";
sha256 = "sha256-hokG6o7toZxU984EvIlne33Aa2EZVZ3qu1jTZMm5nt4=";
};
patches = [
# Fix compilation with musl
(fetchpatch {
url = "https://github.com/openSUSE/catatonit/commit/75014b1c3099245b7d0f44f24d7f6dc4888a45fd.patch";
sha256 = "sha256-9VMNUT1U90ocjvE7EXYfLxuodDwTXXHYg89qqa5Jq0g=";
})
];
nativeBuildInputs = [ autoreconfHook ];
buildInputs = lib.optionals (!stdenv.hostPlatform.isMusl) [ glibc glibc.static ];

6
pkgs/applications/virtualization/lima/default.nix
View File

@ -8,16 +8,16 @@
buildGoModule rec {
pname = "lima";
version = "0.6.3";
version = "0.6.4";
src = fetchFromGitHub {
owner = "lima-vm";
repo = pname;
rev = "v${version}";
sha256 = "sha256-3Bc8F8L4ac0YoUp2zoQYPsj7hcXKf8SVkE7q6q0MNSs=";
sha256 = "sha256-u4XLWDJ35jEKKr98eEoUUsT3gawM/qNqXPXrhlQlugg=";
};
vendorSha256 = "sha256-vYeHv6sSiO6fY+oXR8bFFs/NAhivtnkc15pXEu+reZQ=";
vendorSha256 = "sha256-ivKudP0SlArfD+wXHmqNRmW8UGu0o2SJqURrjPhK2hs=";
nativeBuildInputs = [ makeWrapper installShellFiles ];

76
pkgs/desktops/gnome/core/epiphany/dark-style.patch Normal file
View File

@ -0,0 +1,76 @@
diff --git a/meson.build b/meson.build
index de9cbfa850..647f617605 100644
--- a/meson.build
+++ b/meson.build
@@ -92,6 +92,7 @@ iso_codes_dep = dependency('iso-codes', version: '>= 0.35')
json_glib_dep = dependency('json-glib-1.0', version: '>= 1.6')
libarchive_dep = dependency('libarchive')
libdazzle_dep = dependency('libdazzle-1.0', version: '>= 3.37.1')
+libgranite_dep = dependency('granite', version: '>= 6.0.0')
libhandy_dep = dependency('libhandy-1', version: '>= 1.1.0')
libsecret_dep = dependency('libsecret-1', version: '>= 0.19.0')
libsoup_dep = dependency('libsoup-2.4', version: '>= 2.48.0')
diff --git a/src/ephy-shell.c b/src/ephy-shell.c
index 650531da86..b9d1355e86 100644
--- a/src/ephy-shell.c
+++ b/src/ephy-shell.c
@@ -50,6 +50,7 @@
#include <glib/gi18n.h>
#include <gtk/gtk.h>
+#include <granite.h>
#include <handy.h>
struct _EphyShell {
@@ -483,6 +484,20 @@ run_in_background_set_mapping (const GValue *value,
return g_variant_new_boolean (g_variant_get_boolean (var));
}
+static void
+ephy_shell_set_prefers_color_scheme (EphyShell *shell)
+{
+ GtkSettings* gtk_settings = gtk_settings_get_default ();
+ GraniteSettings* granite_settings = granite_settings_get_default ();
+
+ g_object_set (
+ gtk_settings,
+ "gtk-application-prefer-dark-theme",
+ granite_settings_get_prefers_color_scheme (granite_settings) == GRANITE_SETTINGS_COLOR_SCHEME_DARK,
+ NULL
+ );
+}
+
static void
ephy_shell_startup (GApplication *application)
{
@@ -490,11 +505,18 @@ ephy_shell_startup (GApplication *application)
EphyShell *shell = EPHY_SHELL (application);
EphyEmbedShellMode mode;
GAction *action;
+ GraniteSettings* granite_settings = granite_settings_get_default ();
G_APPLICATION_CLASS (ephy_shell_parent_class)->startup (application);
hdy_init ();
+ ephy_shell_set_prefers_color_scheme (shell);
+
+ g_signal_connect (granite_settings, "notify::prefers-color-scheme",
+ G_CALLBACK (ephy_shell_set_prefers_color_scheme), shell
+ );
+
/* If we are under Pantheon set the icon-theme and cursor-theme accordingly. */
if (is_desktop_pantheon ()) {
GtkSettings *settings = gtk_settings_get_default ();
diff --git a/src/meson.build b/src/meson.build
index 5bf3eb92ec..d17b1b6d93 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -74,6 +74,7 @@ libephymain_deps = [
gdk_dep,
gvdb_dep,
libarchive_dep,
+ libgranite_dep,
libhandy_dep
]

13
pkgs/desktops/gnome/core/epiphany/default.nix
View File

@ -9,6 +9,7 @@
, icu
, wrapGAppsHook
, gnome
, pantheon
, libportal
, libxml2
, libxslt
@ -33,6 +34,7 @@
, libdazzle
, libhandy
, buildPackages
, withPantheon ? false
}:
stdenv.mkDerivation rec {
@ -44,6 +46,13 @@ stdenv.mkDerivation rec {
sha256 = "2tE4ufLVXeJxEo/KOLYfU/2YDFh9KeG6a1CP/zsZ9WQ=";
};
patches = lib.optionals withPantheon [
# https://github.com/elementary/browser
# FIXME: Update the patches when https://github.com/elementary/browser/pull/41 merged
./dark-style.patch
./navigation-buttons.patch
];
nativeBuildInputs = [
desktop-file-utils
gettext
@ -87,7 +96,7 @@ stdenv.mkDerivation rec {
p11-kit
sqlite
webkitgtk
];
] ++ lib.optional withPantheon pantheon.granite;
# Tests need an X display
mesonFlags = [
@ -108,7 +117,7 @@ stdenv.mkDerivation rec {
meta = with lib; {
homepage = "https://wiki.gnome.org/Apps/Epiphany";
description = "WebKit based web browser for GNOME";
maintainers = teams.gnome.members;
maintainers = teams.gnome.members ++ teams.pantheon.members;
license = licenses.gpl3Plus;
platforms = platforms.linux;
};

12
pkgs/desktops/gnome/core/epiphany/navigation-buttons.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git a/src/resources/gtk/action-bar-start.ui b/src/resources/gtk/action-bar-start.ui
index e604b9601f..2bfe244d53 100644
--- a/src/resources/gtk/action-bar-start.ui
+++ b/src/resources/gtk/action-bar-start.ui
@@ -7,7 +7,6 @@
<property name="visible">True</property>
<property name="orientation">horizontal</property>
<style>
- <class name="linked"/>
<class name="navigation-box"/>
</style>
<child>

135
pkgs/desktops/gnome/core/gnome-settings-daemon/3.38/default.nix Normal file
View File

@ -0,0 +1,135 @@
{ lib, stdenv
, fetchpatch
, substituteAll
, fetchurl
, meson
, ninja
, pkg-config
, gnome
, perl
, gettext
, gtk3
, glib
, libnotify
, libgnomekbd
, lcms2
, libpulseaudio
, alsa-lib
, libcanberra-gtk3
, upower
, colord
, libgweather
, polkit
, gsettings-desktop-schemas
, geoclue2
, systemd
, libgudev
, libwacom
, libxslt
, libxml2
, modemmanager
, networkmanager
, gnome-desktop
, geocode-glib
, docbook_xsl
, wrapGAppsHook
, python3
, tzdata
, nss
, gcr
, gnome-session-ctl
, pantheon
}:
stdenv.mkDerivation rec {
pname = "gnome-settings-daemon";
version = "3.38.2";
src = fetchurl {
url = "mirror://gnome/sources/gnome-settings-daemon/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
sha256 = "136p3prdqvc0lvrcqs4h7crpnfqnimqklpzjivq5w4g1rhbdbhrj";
};
patches = [
# https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/merge_requests/202
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/gnome-settings-daemon/commit/aae1e774dd9de22fe3520cf9eb2bfbf7216f5eb0.patch";
sha256 = "O4m0rOW8Zrgu3Q0p0OA8b951VC0FjYbOUk9MLzB9icI=";
})
(substituteAll {
src = ./fix-paths.patch;
inherit tzdata;
})
# Adjust to libgweather changes.
# https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/merge_requests/217
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/gnome-settings-daemon/commit/82d88014dfca2df7e081712870e1fb017c16b808.patch";
sha256 = "H5k/v+M2bRaswt5nrDJFNn4gS4BdB0UfzdjUCT4yLKg=";
})
];
nativeBuildInputs = [
meson
ninja
pkg-config
perl
gettext
libxml2
libxslt
docbook_xsl
wrapGAppsHook
python3
];
buildInputs = [
gtk3
glib
gsettings-desktop-schemas
modemmanager
networkmanager
libnotify
libgnomekbd # for org.gnome.libgnomekbd.keyboard schema
gnome-desktop
lcms2
libpulseaudio
alsa-lib
libcanberra-gtk3
upower
colord
libgweather
nss
polkit
geocode-glib
geoclue2
systemd
libgudev
libwacom
gcr
];
mesonFlags = [
"-Dudev_dir=${placeholder "out"}/lib/udev"
"-Dgnome_session_ctl_path=${gnome-session-ctl}/libexec/gnome-session-ctl"
];
# Default for release buildtype but passed manually because
# we're using plain
NIX_CFLAGS_COMPILE = "-DG_DISABLE_CAST_CHECKS";
postPatch = ''
for f in gnome-settings-daemon/codegen.py plugins/power/gsd-power-constants-update.pl meson_post_install.py; do
chmod +x $f
patchShebangs $f
done
'';
meta = with lib; {
description = "GNOME Settings Daemon";
homepage = "https://gitlab.gnome.org/GNOME/gnome-settings-daemon/";
license = licenses.gpl2Plus;
maintainers = pantheon.maintainers;
platforms = platforms.linux;
};
}

0
pkgs/desktops/pantheon/services/elementary-settings-daemon/fix-paths.patch → pkgs/desktops/gnome/core/gnome-settings-daemon/3.38/fix-paths.patch
View File

Some files were not shown because too many files have changed in this diff Show More