Merge master into staging-next
commit
8ce4686310
@ -2140,6 +2140,12 @@
|
||||
githubId = 3956062;
|
||||
name = "Simon Lackerbauer";
|
||||
};
|
||||
cirno-999 = {
|
||||
email = "reverene@protonmail.com";
|
||||
github = "cirno-999";
|
||||
githubId = 73712874;
|
||||
name = "cirno-999";
|
||||
};
|
||||
citadelcore = {
|
||||
email = "alex@arctarus.co.uk";
|
||||
github = "citadelcore";
|
||||
@ -7072,6 +7078,12 @@
|
||||
fingerprint = "BA3A 5886 AE6D 526E 20B4 57D6 6A37 DF94 8318 8492";
|
||||
}];
|
||||
};
|
||||
lux = {
|
||||
email = "lux@lux.name";
|
||||
githubId = 1208273;
|
||||
matrix = "@lux:ontheblueplanet.com";
|
||||
name = "Lux";
|
||||
};
|
||||
luz = {
|
||||
email = "luz666@daum.net";
|
||||
github = "Luz";
|
||||
|
@ -14,7 +14,17 @@
|
||||
</itemizedlist>
|
||||
<section xml:id="sec-release-22.05-highlights">
|
||||
<title>Highlights</title>
|
||||
<itemizedlist spacing="compact">
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>security.acme.defaults</literal> has been added to
|
||||
simplify configuring settings for many certificates at once.
|
||||
This also opens up the the option to use DNS-01 validation
|
||||
when using <literal>enableACME</literal> on web server virtual
|
||||
hosts (e.g.
|
||||
<literal>services.nginx.virtualHosts.*.enableACME</literal>).
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
PHP 8.1 is now available
|
||||
@ -33,6 +43,14 @@
|
||||
<link linkend="opt-services.aesmd.enable">services.aesmd</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless
|
||||
Docker</link>, a <literal>systemd --user</literal> Docker
|
||||
service which runs without root permissions. Available as
|
||||
<link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>,
|
||||
@ -189,6 +207,20 @@
|
||||
using this default will print a warning when rebuilt.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>security.acme</literal> certificates will now
|
||||
correctly check for CA revokation before reaching their
|
||||
minimum age.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Removing domains from
|
||||
<literal>security.acme.certs._name_.extraDomainNames</literal>
|
||||
will now correctly remove those domains during rebuild/renew.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The option
|
||||
|
@ -6,11 +6,17 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
|
||||
## Highlights {#sec-release-22.05-highlights}
|
||||
|
||||
- `security.acme.defaults` has been added to simplify configuring
|
||||
settings for many certificates at once. This also opens up the
|
||||
the option to use DNS-01 validation when using `enableACME` on
|
||||
web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`).
|
||||
|
||||
- PHP 8.1 is now available
|
||||
|
||||
## New Services {#sec-release-22.05-new-services}
|
||||
|
||||
- [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable).
|
||||
- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable).
|
||||
|
||||
- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).
|
||||
|
||||
@ -75,6 +81,12 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
- The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
|
||||
Configurations using this default will print a warning when rebuilt.
|
||||
|
||||
- `security.acme` certificates will now correctly check for CA
|
||||
revokation before reaching their minimum age.
|
||||
|
||||
- Removing domains from `security.acme.certs._name_.extraDomainNames`
|
||||
will now correctly remove those domains during rebuild/renew.
|
||||
|
||||
- The option
|
||||
[services.ssh.enableAskPassword](#opt-services.ssh.enableAskPassword) was
|
||||
added, decoupling the setting of `SSH_ASKPASS` from
|
||||
|
@ -1187,6 +1187,7 @@
|
||||
./virtualisation/oci-containers.nix
|
||||
./virtualisation/cri-o.nix
|
||||
./virtualisation/docker.nix
|
||||
./virtualisation/docker-rootless.nix
|
||||
./virtualisation/ecs-agent.nix
|
||||
./virtualisation/libvirtd.nix
|
||||
./virtualisation/lxc.nix
|
||||
|
@ -3,6 +3,7 @@ with lib;
|
||||
let
|
||||
cfg = config.security.acme;
|
||||
opt = options.security.acme;
|
||||
user = if cfg.useRoot then "root" else "acme";
|
||||
|
||||
# Used to calculate timer accuracy for coalescing
|
||||
numCerts = length (builtins.attrNames cfg.certs);
|
||||
@ -23,7 +24,7 @@ let
|
||||
# security.acme.certs.<cert>.group on some of the services.
|
||||
commonServiceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "acme";
|
||||
User = user;
|
||||
Group = mkDefault "acme";
|
||||
UMask = 0022;
|
||||
StateDirectoryMode = 750;
|
||||
@ -101,12 +102,12 @@ let
|
||||
# is configurable on a per-cert basis.
|
||||
userMigrationService = let
|
||||
script = with builtins; ''
|
||||
chown -R acme .lego/accounts
|
||||
chown -R ${user} .lego/accounts
|
||||
'' + (concatStringsSep "\n" (mapAttrsToList (cert: data: ''
|
||||
for fixpath in ${escapeShellArg cert} .lego/${escapeShellArg cert}; do
|
||||
if [ -d "$fixpath" ]; then
|
||||
chmod -R u=rwX,g=rX,o= "$fixpath"
|
||||
chown -R acme:${data.group} "$fixpath"
|
||||
chown -R ${user}:${data.group} "$fixpath"
|
||||
fi
|
||||
done
|
||||
'') certConfigs));
|
||||
@ -128,7 +129,7 @@ let
|
||||
};
|
||||
|
||||
certToConfig = cert: data: let
|
||||
acmeServer = if data.server != null then data.server else cfg.server;
|
||||
acmeServer = data.server;
|
||||
useDns = data.dnsProvider != null;
|
||||
destPath = "/var/lib/acme/${cert}";
|
||||
selfsignedDeps = optionals (cfg.preliminarySelfsigned) [ "acme-selfsigned-${cert}.service" ];
|
||||
@ -156,6 +157,7 @@ let
|
||||
${toString data.ocspMustStaple} ${data.keyType}
|
||||
'';
|
||||
certDir = mkHash hashData;
|
||||
# TODO remove domainHash usage entirely. Waiting on go-acme/lego#1532
|
||||
domainHash = mkHash "${concatStringsSep " " extraDomains} ${data.domain}";
|
||||
accountHash = (mkAccountHash acmeServer data);
|
||||
accountDir = accountDirRoot + accountHash;
|
||||
@ -210,7 +212,7 @@ let
|
||||
description = "Renew ACME Certificate for ${cert}";
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnCalendar = cfg.renewInterval;
|
||||
OnCalendar = data.renewInterval;
|
||||
Unit = "acme-${cert}.service";
|
||||
Persistent = "yes";
|
||||
|
||||
@ -267,7 +269,7 @@ let
|
||||
cat key.pem fullchain.pem > full.pem
|
||||
|
||||
# Group might change between runs, re-apply it
|
||||
chown 'acme:${data.group}' *
|
||||
chown '${user}:${data.group}' *
|
||||
|
||||
# Default permissions make the files unreadable by group + anon
|
||||
# Need to be readable by group
|
||||
@ -322,7 +324,7 @@ let
|
||||
fi
|
||||
'');
|
||||
} // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
};
|
||||
|
||||
# Working directory will be /tmp
|
||||
@ -355,7 +357,7 @@ let
|
||||
expiration_s=$[expiration_date - now]
|
||||
expiration_days=$[expiration_s / (3600 * 24)] # rounds down
|
||||
|
||||
[[ $expiration_days -gt ${toString cfg.validMinDays} ]]
|
||||
[[ $expiration_days -gt ${toString data.validMinDays} ]]
|
||||
}
|
||||
|
||||
${optionalString (data.webroot != null) ''
|
||||
@ -372,37 +374,40 @@ let
|
||||
|
||||
echo '${domainHash}' > domainhash.txt
|
||||
|
||||
# Check if we can renew
|
||||
if [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then
|
||||
# Check if we can renew.
|
||||
# We can only renew if the list of domains has not changed.
|
||||
if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(ls -1 accounts)" ]; then
|
||||
|
||||
# When domains are updated, there's no need to do a full
|
||||
# Lego run, but it's likely renew won't work if days is too low.
|
||||
if [ -e certificates/domainhash.txt ] && cmp -s domainhash.txt certificates/domainhash.txt; then
|
||||
# Even if a cert is not expired, it may be revoked by the CA.
|
||||
# Try to renew, and silently fail if the cert is not expired.
|
||||
# Avoids #85794 and resolves #129838
|
||||
if ! lego ${renewOpts} --days ${toString data.validMinDays}; then
|
||||
if is_expiration_skippable out/full.pem; then
|
||||
echo 1>&2 "nixos-acme: skipping renewal because expiration isn't within the coming ${toString cfg.validMinDays} days"
|
||||
echo 1>&2 "nixos-acme: Ignoring failed renewal because expiration isn't within the coming ${toString data.validMinDays} days"
|
||||
else
|
||||
echo 1>&2 "nixos-acme: renewing now, because certificate expires within the configured ${toString cfg.validMinDays} days"
|
||||
lego ${renewOpts} --days ${toString cfg.validMinDays}
|
||||
# High number to avoid Systemd reserved codes.
|
||||
exit 11
|
||||
fi
|
||||
else
|
||||
echo 1>&2 "certificate domain(s) have changed; will renew now"
|
||||
# Any number > 90 works, but this one is over 9000 ;-)
|
||||
lego ${renewOpts} --days 9001
|
||||
fi
|
||||
|
||||
# Otherwise do a full run
|
||||
else
|
||||
lego ${runOpts}
|
||||
elif ! lego ${runOpts}; then
|
||||
# Produce a nice error for those doing their first nixos-rebuild with these certs
|
||||
echo Failed to fetch certificates. \
|
||||
This may mean your DNS records are set up incorrectly. \
|
||||
${optionalString (cfg.preliminarySelfsigned) "Selfsigned certs are in place and dependant services will still start."}
|
||||
# Exit 10 so that users can potentially amend SuccessExitStatus to ignore this error.
|
||||
# High number to avoid Systemd reserved codes.
|
||||
exit 10
|
||||
fi
|
||||
|
||||
mv domainhash.txt certificates/
|
||||
|
||||
# Group might change between runs, re-apply it
|
||||
chown 'acme:${data.group}' certificates/*
|
||||
chown '${user}:${data.group}' certificates/*
|
||||
|
||||
# Copy all certs to the "real" certs directory
|
||||
CERT='certificates/${keyName}.crt'
|
||||
if [ -e "$CERT" ] && ! cmp -s "$CERT" out/fullchain.pem; then
|
||||
if ! cmp -s 'certificates/${keyName}.crt' out/fullchain.pem; then
|
||||
touch out/renewed
|
||||
echo Installing new certificate
|
||||
cp -vp 'certificates/${keyName}.crt' out/fullchain.pem
|
||||
@ -421,7 +426,194 @@ let
|
||||
|
||||
certConfigs = mapAttrs certToConfig cfg.certs;
|
||||
|
||||
certOpts = { name, ... }: {
|
||||
# These options can be specified within
|
||||
# security.acme.defaults or security.acme.certs.<name>
|
||||
inheritableModule = isDefaults: { config, ... }: let
|
||||
defaultAndText = name: default: {
|
||||
# When ! isDefaults then this is the option declaration for the
|
||||
# security.acme.certs.<name> path, which has the extra inheritDefaults
|
||||
# option, which if disabled means that we can't inherit it
|
||||
default = if isDefaults || ! config.inheritDefaults then default else cfg.defaults.${name};
|
||||
# The docs however don't need to depend on inheritDefaults, they should
|
||||
# stay constant. Though notably it wouldn't matter much, because to get
|
||||
# the option information, a submodule with name `<name>` is evaluated
|
||||
# without any definitions.
|
||||
defaultText = if isDefaults then default else literalExpression "config.security.acme.defaults.${name}";
|
||||
};
|
||||
in {
|
||||
options = {
|
||||
validMinDays = mkOption {
|
||||
type = types.int;
|
||||
inherit (defaultAndText "validMinDays" 30) default defaultText;
|
||||
description = "Minimum remaining validity before renewal in days.";
|
||||
};
|
||||
|
||||
renewInterval = mkOption {
|
||||
type = types.str;
|
||||
inherit (defaultAndText "renewInterval" "daily") default defaultText;
|
||||
description = ''
|
||||
Systemd calendar expression when to check for renewal. See
|
||||
<citerefentry><refentrytitle>systemd.time</refentrytitle>
|
||||
<manvolnum>7</manvolnum></citerefentry>.
|
||||
'';
|
||||
};
|
||||
|
||||
enableDebugLogs = mkEnableOption "debug logging for this certificate" // {
|
||||
inherit (defaultAndText "enableDebugLogs" true) default defaultText;
|
||||
};
|
||||
|
||||
webroot = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
inherit (defaultAndText "webroot" null) default defaultText;
|
||||
example = "/var/lib/acme/acme-challenge";
|
||||
description = ''
|
||||
Where the webroot of the HTTP vhost is located.
|
||||
<filename>.well-known/acme-challenge/</filename> directory
|
||||
will be created below the webroot if it doesn't exist.
|
||||
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
|
||||
be available (notice unencrypted HTTP).
|
||||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
inherit (defaultAndText "server" null) default defaultText;
|
||||
description = ''
|
||||
ACME Directory Resource URI. Defaults to Let's Encrypt's
|
||||
production endpoint,
|
||||
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
|
||||
'';
|
||||
};
|
||||
|
||||
email = mkOption {
|
||||
type = types.str;
|
||||
inherit (defaultAndText "email" null) default defaultText;
|
||||
description = ''
|
||||
Email address for account creation and correspondence from the CA.
|
||||
It is recommended to use the same email for all certs to avoid account
|
||||
creation limits.
|
||||
'';
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
inherit (defaultAndText "group" "acme") default defaultText;
|
||||
description = "Group running the ACME client.";
|
||||
};
|
||||
|
||||
reloadServices = mkOption {
|
||||
type = types.listOf types.str;
|
||||
inherit (defaultAndText "reloadServices" []) default defaultText;
|
||||
description = ''
|
||||
The list of systemd services to call <code>systemctl try-reload-or-restart</code>
|
||||
on.
|
||||
'';
|
||||
};
|
||||
|
||||
postRun = mkOption {
|
||||
type = types.lines;
|
||||
inherit (defaultAndText "postRun" "") default defaultText;
|
||||
example = "cp full.pem backup.pem";
|
||||
description = ''
|
||||
Commands to run after new certificates go live. Note that
|
||||
these commands run as the root user.
|
||||
|
||||
Executed in the same directory with the new certificate.
|
||||
'';
|
||||
};
|
||||
|
||||
keyType = mkOption {
|
||||
type = types.str;
|
||||
inherit (defaultAndText "keyType" "ec256") default defaultText;
|
||||
description = ''
|
||||
Key type to use for private keys.
|
||||
For an up to date list of supported values check the --key-type option
|
||||
at <link xlink:href="https://go-acme.github.io/lego/usage/cli/#usage"/>.
|
||||
'';
|
||||
};
|
||||
|
||||
dnsProvider = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
inherit (defaultAndText "dnsProvider" null) default defaultText;
|
||||
example = "route53";
|
||||
description = ''
|
||||
DNS Challenge provider. For a list of supported providers, see the "code"
|
||||
field of the DNS providers listed at <link xlink:href="https://go-acme.github.io/lego/dns/"/>.
|
||||
'';
|
||||
};
|
||||
|
||||
dnsResolver = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
inherit (defaultAndText "dnsResolver" null) default defaultText;
|
||||
example = "1.1.1.1:53";
|
||||
description = ''
|
||||
Set the resolver to use for performing recursive DNS queries. Supported:
|
||||
host:port. The default is to use the system resolvers, or Google's DNS
|
||||
resolvers if the system's cannot be determined.
|
||||
'';
|
||||
};
|
||||
|
||||
credentialsFile = mkOption {
|
||||
type = types.path;
|
||||
inherit (defaultAndText "credentialsFile" null) default defaultText;
|
||||
description = ''
|
||||
Path to an EnvironmentFile for the cert's service containing any required and
|
||||
optional environment variables for your selected dnsProvider.
|
||||
To find out what values you need to set, consult the documentation at
|
||||
<link xlink:href="https://go-acme.github.io/lego/dns/"/> for the corresponding dnsProvider.
|
||||
'';
|
||||
example = "/var/src/secrets/example.org-route53-api-token";
|
||||
};
|
||||
|
||||
dnsPropagationCheck = mkOption {
|
||||
type = types.bool;
|
||||
inherit (defaultAndText "dnsPropagationCheck" true) default defaultText;
|
||||
description = ''
|
||||
Toggles lego DNS propagation check, which is used alongside DNS-01
|
||||
challenge to ensure the DNS entries required are available.
|
||||
'';
|
||||
};
|
||||
|
||||
ocspMustStaple = mkOption {
|
||||
type = types.bool;
|
||||
inherit (defaultAndText "ocspMustStaple" false) default defaultText;
|
||||
description = ''
|
||||
Turns on the OCSP Must-Staple TLS extension.
|
||||
Make sure you know what you're doing! See:
|
||||
<itemizedlist>
|
||||
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
|
||||
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
|
||||
</itemizedlist>
|
||||
'';
|
||||
};
|
||||
|
||||
extraLegoFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
inherit (defaultAndText "extraLegoFlags" []) default defaultText;
|
||||
description = ''
|
||||
Additional global flags to pass to all lego commands.
|
||||
'';
|
||||
};
|
||||
|
||||
extraLegoRenewFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
inherit (defaultAndText "extraLegoRenewFlags" []) default defaultText;
|
||||
description = ''
|
||||
Additional flags to pass to lego renew.
|
||||
'';
|
||||
};
|
||||
|
||||
extraLegoRunFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
inherit (defaultAndText "extraLegoRunFlags" []) default defaultText;
|
||||
description = ''
|
||||
Additional flags to pass to lego run.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
certOpts = { name, config, ... }: {
|
||||
options = {
|
||||
# user option has been removed
|
||||
user = mkOption {
|
||||
@ -441,40 +633,11 @@ let
|
||||
default = "_mkMergedOptionModule";
|
||||
};
|
||||
|
||||
enableDebugLogs = mkEnableOption "debug logging for this certificate" // { default = cfg.enableDebugLogs; };
|
||||
|
||||
webroot = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "/var/lib/acme/acme-challenge";
|
||||
description = ''
|
||||
Where the webroot of the HTTP vhost is located.
|
||||
<filename>.well-known/acme-challenge/</filename> directory
|
||||
will be created below the webroot if it doesn't exist.
|
||||
<literal>http://example.org/.well-known/acme-challenge/</literal> must also
|
||||
be available (notice unencrypted HTTP).
|
||||
'';
|
||||
};
|
||||
|
||||
listenHTTP = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = ":1360";
|
||||
description = ''
|
||||
Interface and port to listen on to solve HTTP challenges
|
||||
in the form [INTERFACE]:PORT.
|
||||
If you use a port other than 80, you must proxy port 80 to this port.
|
||||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
ACME Directory Resource URI. Defaults to Let's Encrypt's
|
||||
production endpoint,
|
||||
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
|
||||
'';
|
||||
directory = mkOption {
|
||||
type = types.str;
|
||||
readOnly = true;
|
||||
default = "/var/lib/acme/${name}";
|
||||
description = "Directory where certificate and other state is stored.";
|
||||
};
|
||||
|
||||
domain = mkOption {
|
||||
@ -483,47 +646,6 @@ let
|
||||
description = "Domain to fetch certificate for (defaults to the entry name).";
|
||||
};
|
||||
|
||||
email = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = cfg.email;
|
||||
defaultText = literalExpression "config.${opt.email}";
|
||||
description = "Contact email address for the CA to be able to reach you.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "acme";
|
||||
description = "Group running the ACME client.";
|
||||
};
|
||||
|
||||
reloadServices = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
The list of systemd services to call <code>systemctl try-reload-or-restart</code>
|
||||
on.
|
||||
'';
|
||||
};
|
||||
|
||||
postRun = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example = "cp full.pem backup.pem";
|
||||
description = ''
|
||||
Commands to run after new certificates go live. Note that
|
||||
these commands run as the root user.
|
||||
|
||||
Executed in the same directory with the new certificate.
|
||||
'';
|
||||
};
|
||||
|
||||
directory = mkOption {
|
||||
type = types.str;
|
||||
readOnly = true;
|
||||
default = "/var/lib/acme/${name}";
|
||||
description = "Directory where certificate and other state is stored.";
|
||||
};
|
||||
|
||||
extraDomainNames = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
@ -538,92 +660,25 @@ let
|
||||
'';
|
||||
};
|
||||
|
||||
keyType = mkOption {
|
||||
type = types.str;
|
||||
default = "ec256";
|
||||
description = ''
|
||||
Key type to use for private keys.
|
||||
For an up to date list of supported values check the --key-type option
|
||||
at <link xlink:href="https://go-acme.github.io/lego/usage/cli/#usage"/>.
|
||||
'';
|
||||
};
|
||||
|
||||
dnsProvider = mkOption {
|
||||
# This setting must be different for each configured certificate, otherwise
|
||||
# two or more renewals may fail to bind to the address. Hence, it is not in
|
||||
# the inheritableOpts.
|
||||
listenHTTP = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "route53";
|
||||
example = ":1360";
|
||||
description = ''
|
||||
DNS Challenge provider. For a list of supported providers, see the "code"
|
||||
field of the DNS providers listed at <link xlink:href="https://go-acme.github.io/lego/dns/"/>.
|
||||
Interface and port to listen on to solve HTTP challenges
|
||||
in the form [INTERFACE]:PORT.
|
||||
If you use a port other than 80, you must proxy port 80 to this port.
|
||||
'';
|
||||
};
|
||||
|
||||
dnsResolver = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "1.1.1.1:53";
|
||||
description = ''
|
||||
Set the resolver to use for performing recursive DNS queries. Supported:
|
||||
host:port. The default is to use the system resolvers, or Google's DNS
|
||||
resolvers if the system's cannot be determined.
|
||||
'';
|
||||
};
|
||||
|
||||
credentialsFile = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
Path to an EnvironmentFile for the cert's service containing any required and
|
||||
optional environment variables for your selected dnsProvider.
|
||||
To find out what values you need to set, consult the documentation at
|
||||
<link xlink:href="https://go-acme.github.io/lego/dns/"/> for the corresponding dnsProvider.
|
||||
'';
|
||||
example = "/var/src/secrets/example.org-route53-api-token";
|
||||
};
|
||||
|
||||
dnsPropagationCheck = mkOption {
|
||||
type = types.bool;
|
||||
inheritDefaults = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Toggles lego DNS propagation check, which is used alongside DNS-01
|
||||
challenge to ensure the DNS entries required are available.
|
||||
'';
|
||||
};
|
||||
|
||||
ocspMustStaple = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Turns on the OCSP Must-Staple TLS extension.
|
||||
Make sure you know what you're doing! See:
|
||||
<itemizedlist>
|
||||
<listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
|
||||
<listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
|
||||
</itemizedlist>
|
||||
'';
|
||||
};
|
||||
|
||||
extraLegoFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Additional global flags to pass to all lego commands.
|
||||
'';
|
||||
};
|
||||
|
||||
extraLegoRenewFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Additional flags to pass to lego renew.
|
||||
'';
|
||||
};
|
||||
|
||||
extraLegoRunFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Additional flags to pass to lego run.
|
||||
'';
|
||||
example = true;
|
||||
description = "Whether to inherit values set in `security.acme.defaults` or not.";
|
||||
type = lib.types.bool;
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -632,41 +687,6 @@ in {
|
||||
|
||||
options = {
|
||||
security.acme = {
|
||||
|
||||
enableDebugLogs = mkEnableOption "debug logging for all certificates by default" // { default = true; };
|
||||
|
||||
validMinDays = mkOption {
|
||||
type = types.int;
|
||||
default = 30;
|
||||
description = "Minimum remaining validity before renewal in days.";
|
||||
};
|
||||
|
||||
email = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = "Contact email address for the CA to be able to reach you.";
|
||||
};
|
||||
|
||||
renewInterval = mkOption {
|
||||
type = types.str;
|
||||
default = "daily";
|
||||
description = ''
|
||||
Systemd calendar expression when to check for renewal. See
|
||||
<citerefentry><refentrytitle>systemd.time</refentrytitle>
|
||||
<manvolnum>7</manvolnum></citerefentry>.
|
||||
'';
|
||||
};
|
||||
|
||||
server = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
ACME Directory Resource URI. Defaults to Let's Encrypt's
|
||||
production endpoint,
|
||||
<link xlink:href="https://acme-v02.api.letsencrypt.org/directory"/>, if unset.
|
||||
'';
|
||||
};
|
||||
|
||||
preliminarySelfsigned = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
@ -689,9 +709,31 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
useRoot = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to use the root user when generating certs. This is not recommended
|
||||
for security + compatiblity reasons. If a service requires root owned certificates
|
||||
consider following the guide on "Using ACME with services demanding root
|
||||
owned certificates" in the NixOS manual, and only using this as a fallback
|
||||
or for testing.
|
||||
'';
|
||||
};
|
||||
|
||||
defaults = mkOption {
|
||||
type = types.submodule (inheritableModule true);
|
||||
description = ''
|
||||
Default values inheritable by all configured certs. You can
|
||||
use this to define options shared by all your certs. These defaults
|
||||
can also be ignored on a per-cert basis using the
|
||||
`security.acme.certs.''${cert}.inheritDefaults' option.
|
||||
'';
|
||||
};
|
||||
|
||||
certs = mkOption {
|
||||
default = { };
|
||||
type = with types; attrsOf (submodule certOpts);
|
||||
type = with types; attrsOf (submodule [ (inheritableModule false) certOpts ]);
|
||||
description = ''
|
||||
Attribute set of certificates to get signed and renewed. Creates
|
||||
<literal>acme-''${cert}.{service,timer}</literal> systemd units for
|
||||
@ -722,12 +764,16 @@ in {
|
||||
|
||||
To use the let's encrypt staging server, use security.acme.server =
|
||||
"https://acme-staging-v02.api.letsencrypt.org/directory".
|
||||
''
|
||||
)
|
||||
'')
|
||||
(mkRemovedOptionModule [ "security" "acme" "directory" ] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
|
||||
(mkRemovedOptionModule [ "security" "acme" "preDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
|
||||
(mkRemovedOptionModule [ "security" "acme" "activationDelay" ] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
|
||||
(mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
|
||||
(mkChangedOptionModule [ "security" "acme" "validMin" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMin / (24 * 3600)))
|
||||
(mkChangedOptionModule [ "security" "acme" "validMinDays" ] [ "security" "acme" "defaults" "validMinDays" ] (config: config.security.acme.validMinDays))
|
||||
(mkChangedOptionModule [ "security" "acme" "renewInterval" ] [ "security" "acme" "defaults" "renewInterval" ] (config: config.security.acme.renewInterval))
|
||||
(mkChangedOptionModule [ "security" "acme" "email" ] [ "security" "acme" "defaults" "email" ] (config: config.security.acme.email))
|
||||
(mkChangedOptionModule [ "security" "acme" "server" ] [ "security" "acme" "defaults" "server" ] (config: config.security.acme.server))
|
||||
(mkChangedOptionModule [ "security" "acme" "enableDebugLogs" ] [ "security" "acme" "defaults" "enableDebugLogs" ] (config: config.security.acme.enableDebugLogs))
|
||||
];
|
||||
|
||||
config = mkMerge [
|
||||
@ -842,8 +888,8 @@ in {
|
||||
# Create some targets which can be depended on to be "active" after cert renewals
|
||||
finishedTargets = mapAttrs' (cert: conf: nameValuePair "acme-finished-${cert}" {
|
||||
wantedBy = [ "default.target" ];
|
||||
requires = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
|
||||
after = [ "acme-${cert}.service" ] ++ conf.selfsignedDeps;
|
||||
requires = [ "acme-${cert}.service" ];
|
||||
after = [ "acme-${cert}.service" ];
|
||||
}) certConfigs;
|
||||
|
||||
# Create targets to limit the number of simultaneous account creations
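Review bot: In the `@ -372,37 +374,40 @@` hunk the renewal branch now always runs `lego ${renewOpts} --days ${toString data.validMinDays}`, and when that fails on a certificate not yet within `validMinDays` of expiry it only prints `Ignoring failed renewal` and the script carries on to the `mv`/`chown`/`cmp` steps, so a certificate the CA has revoked stays installed with no unit failure for monitoring to catch until the expiry window is reached; whether `lego renew` itself detects revocation is not visible from this hunk and should be confirmed, since the release note in this merge states revocation is now checked. A comment above the `is_expiration_skippable` branch would make the contract explicit, e.g. `# A failed renewal is only fatal (exit 11) once the cert is within validMinDays; until then it is logged and the previously issued cert stays in place`. In the `@ -421,7 +426,194 @@` hunk, `email` (`types.str`) and `credentialsFile` (`types.path`) are declared with a `null` default, so leaving them unset surfaces as a module type error on the option rather than a targeted assertion, unless one exists outside the hunks. In the `@ -689,9 +709,31 @@` hunk the `defaults` description opens a backtick and closes with an apostrophe (`inheritDefaults'`), and the `useRoot` description misspells `compatiblity`; the `inheritDefaults` option in `@ -538,92 +660,25 @@` also uses `lib.types.bool` where the rest of the file writes `types.bool`, and its `example = true;` duplicates the default.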
|
||||
|
@ -7,8 +7,9 @@
|
||||
<para>
|
||||
NixOS supports automatic domain validation & certificate retrieval and
|
||||
renewal using the ACME protocol. Any provider can be used, but by default
|
||||
NixOS uses Let's Encrypt. The alternative ACME client <literal>lego</literal>
|
||||
is used under the hood.
|
||||
NixOS uses Let's Encrypt. The alternative ACME client
|
||||
<link xlink:href="https://go-acme.github.io/lego/">lego</link> is used under
|
||||
the hood.
|
||||
</para>
|
||||
<para>
|
||||
Automatic cert validation and configuration for Apache and Nginx virtual
|
||||
@ -29,7 +30,7 @@
|
||||
<para>
|
||||
You must also set an email address to be used when creating accounts with
|
||||
Let's Encrypt. You can set this for all certs with
|
||||
<literal><xref linkend="opt-security.acme.email" /></literal>
|
||||
<literal><xref linkend="opt-security.acme.defaults.email" /></literal>
|
||||
and/or on a per-cert basis with
|
||||
<literal><xref linkend="opt-security.acme.certs._name_.email" /></literal>.
|
||||
This address is only used for registration and renewal reminders,
|
||||
@ -38,7 +39,7 @@
|
||||
|
||||
<para>
|
||||
Alternatively, you can use a different ACME server by changing the
|
||||
<literal><xref linkend="opt-security.acme.server" /></literal> option
|
||||
<literal><xref linkend="opt-security.acme.defaults.server" /></literal> option
|
||||
to a provider of your choosing, or just change the server for one cert with
|
||||
<literal><xref linkend="opt-security.acme.certs._name_.server" /></literal>.
|
||||
</para>
|
||||
@ -60,12 +61,12 @@
|
||||
= true;</literal> in a virtualHost config. We first create self-signed
|
||||
placeholder certificates in place of the real ACME certs. The placeholder
|
||||
certs are overwritten when the ACME certs arrive. For
|
||||
<literal>foo.example.com</literal> the config would look like.
|
||||
<literal>foo.example.com</literal> the config would look like this:
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
<xref linkend="opt-security.acme.acceptTerms" /> = true;
|
||||
<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
|
||||
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
|
||||
services.nginx = {
|
||||
<link linkend="opt-services.nginx.enable">enable</link> = true;
|
||||
<link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
|
||||
@ -114,7 +115,7 @@ services.nginx = {
|
||||
|
||||
<programlisting>
|
||||
<xref linkend="opt-security.acme.acceptTerms" /> = true;
|
||||
<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
|
||||
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
|
||||
|
||||
# /var/lib/acme/.challenges must be writable by the ACME user
|
||||
# and readable by the Nginx user. The easiest way to achieve
|
||||
@ -218,7 +219,7 @@ services.bind = {
|
||||
|
||||
# Now we can configure ACME
|
||||
<xref linkend="opt-security.acme.acceptTerms" /> = true;
|
||||
<xref linkend="opt-security.acme.email" /> = "admin+acme@example.com";
|
||||
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
|
||||
<xref linkend="opt-security.acme.certs" />."example.com" = {
|
||||
<link linkend="opt-security.acme.certs._name_.domain">domain</link> = "*.example.com";
|
||||
<link linkend="opt-security.acme.certs._name_.dnsProvider">dnsProvider</link> = "rfc2136";
|
||||
@ -231,25 +232,39 @@ services.bind = {
|
||||
<para>
|
||||
The <filename>dnskeys.conf</filename> and <filename>certs.secret</filename>
|
||||
must be kept secure and thus you should not keep their contents in your
|
||||
Nix config. Instead, generate them one time with these commands:
|
||||
Nix config. Instead, generate them one time with a systemd service:
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
mkdir -p /var/lib/secrets
|
||||
tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf
|
||||
chown named:root /var/lib/secrets/dnskeys.conf
|
||||
chmod 400 /var/lib/secrets/dnskeys.conf
|
||||
systemd.services.dns-rfc2136-conf = {
|
||||
requiredBy = ["acme-example.com.service", "bind.service"];
|
||||
before = ["acme-example.com.service", "bind.service"];
|
||||
unitConfig = {
|
||||
ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
|
||||
};
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
UMask = 0077;
|
||||
};
|
||||
path = [ pkgs.bind ];
|
||||
script = ''
|
||||
mkdir -p /var/lib/secrets
|
||||
tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf
|
||||
chown named:root /var/lib/secrets/dnskeys.conf
|
||||
chmod 400 /var/lib/secrets/dnskeys.conf
|
||||
|
||||
# Copy the secret value from the dnskeys.conf, and put it in
|
||||
# RFC2136_TSIG_SECRET below
|
||||
# Copy the secret value from the dnskeys.conf, and put it in
|
||||
# RFC2136_TSIG_SECRET below
|
||||
|
||||
cat > /var/lib/secrets/certs.secret << EOF
|
||||
RFC2136_NAMESERVER='127.0.0.1:53'
|
||||
RFC2136_TSIG_ALGORITHM='hmac-sha256.'
|
||||
RFC2136_TSIG_KEY='rfc2136key.example.com'
|
||||
RFC2136_TSIG_SECRET='your secret key'
|
||||
EOF
|
||||
chmod 400 /var/lib/secrets/certs.secret
|
||||
cat > /var/lib/secrets/certs.secret << EOF
|
||||
RFC2136_NAMESERVER='127.0.0.1:53'
|
||||
RFC2136_TSIG_ALGORITHM='hmac-sha256.'
|
||||
RFC2136_TSIG_KEY='rfc2136key.example.com'
|
||||
RFC2136_TSIG_SECRET='your secret key'
|
||||
EOF
|
||||
chmod 400 /var/lib/secrets/certs.secret
|
||||
'';
|
||||
};
|
||||
</programlisting>
|
||||
|
||||
<para>
|
||||
@ -258,6 +273,106 @@ chmod 400 /var/lib/secrets/certs.secret
|
||||
journalctl -fu acme-example.com.service</literal> and watching its log output.
|
||||
</para>
|
||||
</section>
|
||||
|
||||
<section xml:id="module-security-acme-config-dns-with-vhosts">
|
||||
<title>Using DNS validation with web server virtual hosts</title>
|
||||
|
||||
<para>
|
||||
It is possible to use DNS-01 validation with all certificates,
|
||||
including those automatically configured via the Nginx/Apache
|
||||
<literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link></literal>
|
||||
option. This configuration pattern is fully
|
||||
supported and part of the module's test suite for Nginx + Apache.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
You must follow the guide above on configuring DNS-01 validation
|
||||
first, however instead of setting the options for one certificate
|
||||
(e.g. <xref linkend="opt-security.acme.certs._name_.dnsProvider" />)
|
||||
you will set them as defaults
|
||||
(e.g. <xref linkend="opt-security.acme.defaults.dnsProvider" />).
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
# Configure ACME appropriately
|
||||
<xref linkend="opt-security.acme.acceptTerms" /> = true;
|
||||
<xref linkend="opt-security.acme.defaults.email" /> = "admin+acme@example.com";
|
||||
<xref linkend="opt-security.acme.defaults" /> = {
|
||||
<link linkend="opt-security.acme.defaults.dnsProvider">dnsProvider</link> = "rfc2136";
|
||||
<link linkend="opt-security.acme.defaults.credentialsFile">credentialsFile</link> = "/var/lib/secrets/certs.secret";
|
||||
# We don't need to wait for propagation since this is a local DNS server
|
||||
<link linkend="opt-security.acme.defaults.dnsPropagationCheck">dnsPropagationCheck</link> = false;
|
||||
};
|
||||
|
||||
# For each virtual host you would like to use DNS-01 validation with,
|
||||
# set acmeRoot = null
|
||||
services.nginx = {
|
||||
<link linkend="opt-services.nginx.enable">enable</link> = true;
|
||||
<link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
|
||||
"foo.example.com" = {
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.acmeRoot">acmeRoot</link> = null;
|
||||
};
|
||||
};
|
||||
}
|
||||
</programlisting>
|
||||
|
||||
<para>
|
||||
And that's it! Next time your configuration is rebuilt, or when
|
||||
you add a new virtualHost, it will be DNS-01 validated.
|
||||
</para>
|
||||
</section>
|
||||
|
||||
<section xml:id="module-security-acme-root-owned">
|
||||
<title>Using ACME with services demanding root owned certificates</title>
|
||||
|
||||
<para>
|
||||
Some services refuse to start if the configured certificate files
|
||||
are not owned by root. PostgreSQL and OpenSMTPD are examples of these.
|
||||
There is no way to change the user the ACME module uses (it will always be
|
||||
<literal>acme</literal>), however you can use systemd's
|
||||
<literal>LoadCredential</literal> feature to resolve this elegantly.
|
||||
Below is an example configuration for OpenSMTPD, but this pattern
|
||||
can be applied to any service.
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
# Configure ACME however you like (DNS or HTTP validation), adding
|
||||
# the following configuration for the relevant certificate.
|
||||
# Note: You cannot use `systemctl reload` here as that would mean
|
||||
# the LoadCredential configuration below would be skipped and
|
||||
# the service would continue to use old certificates.
|
||||
security.acme.certs."mail.example.com".postRun = ''
|
||||
systemctl restart opensmtpd
|
||||
'';
|
||||
|
||||
# Now you must augment OpenSMTPD's systemd service to load
|
||||
# the certificate files.
|
||||
<link linkend="opt-systemd.services._name_.requires">systemd.services.opensmtpd.requires</link> = ["acme-finished-mail.example.com.target"];
|
||||
<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.opensmtpd.serviceConfig.LoadCredential</link> = let
|
||||
certDir = config.security.acme.certs."mail.example.com".directory;
|
||||
in [
|
||||
"cert.pem:${certDir}/cert.pem"
|
||||
"key.pem:${certDir}/key.pem"
|
||||
];
|
||||
|
||||
# Finally, configure OpenSMTPD to use these certs.
|
||||
services.opensmtpd = let
|
||||
credsDir = "/run/credentials/opensmtpd.service";
|
||||
in {
|
||||
enable = true;
|
||||
setSendmail = false;
|
||||
serverConfiguration = ''
|
||||
pki mail.example.com cert "${credsDir}/cert.pem"
|
||||
pki mail.example.com key "${credsDir}/key.pem"
|
||||
listen on localhost tls pki mail.example.com
|
||||
action act1 relay host smtp://127.0.0.1:10027
|
||||
match for local action act1
|
||||
'';
|
||||
};
|
||||
</programlisting>
|
||||
</section>
|
||||
|
||||
<section xml:id="module-security-acme-regenerate">
|
||||
<title>Regenerating certificates</title>
|
||||
|
||||
|
@ -1,5 +1,7 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
format = pkgs.formats.json { };
|
||||
cfg = config.services.influxdb2;
|
||||
@ -9,12 +11,14 @@ in
|
||||
options = {
|
||||
services.influxdb2 = {
|
||||
enable = mkEnableOption "the influxdb2 server";
|
||||
|
||||
package = mkOption {
|
||||
default = pkgs.influxdb2-server;
|
||||
defaultText = literalExpression "pkgs.influxdb2";
|
||||
description = "influxdb2 derivation to use.";
|
||||
type = types.package;
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
default = { };
|
||||
description = ''configuration options for influxdb2, see <link xlink:href="https://docs.influxdata.com/influxdb/v2.0/reference/config-options"/> for details.'';
|
||||
@ -28,18 +32,20 @@ in
|
||||
assertion = !(builtins.hasAttr "bolt-path" cfg.settings) && !(builtins.hasAttr "engine-path" cfg.settings);
|
||||
message = "services.influxdb2.config: bolt-path and engine-path should not be set as they are managed by systemd";
|
||||
}];
|
||||
|
||||
systemd.services.influxdb2 = {
|
||||
description = "InfluxDB is an open-source, distributed, time series database";
|
||||
documentation = [ "https://docs.influxdata.com/influxdb/" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
environment = {
|
||||
INFLUXD_CONFIG_PATH = "${configFile}";
|
||||
INFLUXD_CONFIG_PATH = configFile;
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStart = "${cfg.package}/bin/influxd --bolt-path \${STATE_DIRECTORY}/influxd.bolt --engine-path \${STATE_DIRECTORY}/engine";
|
||||
StateDirectory = "influxdb2";
|
||||
DynamicUser = true;
|
||||
User = "influxdb2";
|
||||
Group = "influxdb2";
|
||||
CapabilityBoundingSet = "";
|
||||
SystemCallFilter = "@system-service";
|
||||
LimitNOFILE = 65536;
|
||||
@ -47,6 +53,13 @@ in
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
|
||||
users.extraUsers.influxdb2 = {
|
||||
isSystemUser = true;
|
||||
group = "influxdb2";
|
||||
};
|
||||
|
||||
users.extraGroups.influxdb2 = {};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ nickcao ];
|
||||
|
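Review bot: Replacing `DynamicUser = true` with a static `User`/`Group` in the `@ -28` hunk silently drops the sandboxing that systemd.exec(5) documents as implied by DynamicUser — ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC and NoNewPrivileges — so the unit is less confined than before even though `CapabilityBoundingSet = ""` and `SystemCallFilter` stay. I would restate them explicitly next to those two lines: `NoNewPrivileges = true; ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;` (the `StateDirectory` already grants the only writable path it needs). The `users.extraUsers`/`users.extraGroups` names added in the `@ -47` hunk are the deprecated aliases of `users.users`/`users.groups`. The `systemd.services.influxdb2` definition spans both hunks; the rest of the module is outside them.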
@ -28,38 +28,45 @@ let
|
||||
}
|
||||
'';
|
||||
|
||||
dhcpdService = postfix: cfg: optionalAttrs cfg.enable {
|
||||
"dhcpd${postfix}" = {
|
||||
description = "DHCPv${postfix} server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
dhcpdService = postfix: cfg:
|
||||
let
|
||||
configFile =
|
||||
if cfg.configFile != null
|
||||
then cfg.configFile
|
||||
else writeConfig cfg;
|
||||
leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases";
|
||||
args = [
|
||||
"@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
|
||||
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
|
||||
"-cf" configFile
|
||||
"-lf" leaseFile
|
||||
] ++ cfg.extraFlags
|
||||
++ cfg.interfaces;
|
||||
in
|
||||
optionalAttrs cfg.enable {
|
||||
"dhcpd${postfix}" = {
|
||||
description = "DHCPv${postfix} server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
preStart = ''
|
||||
mkdir -m 755 -p ${cfg.stateDir}
|
||||
chown dhcpd:nogroup ${cfg.stateDir}
|
||||
touch ${cfg.stateDir}/dhcpd.leases
|
||||
'';
|
||||
|
||||
serviceConfig =
|
||||
let
|
||||
configFile = if cfg.configFile != null then cfg.configFile else writeConfig cfg;
|
||||
args = [ "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
|
||||
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
|
||||
"-cf" "${configFile}"
|
||||
"-lf" "${cfg.stateDir}/dhcpd.leases"
|
||||
"-user" "dhcpd" "-group" "nogroup"
|
||||
] ++ cfg.extraFlags
|
||||
++ cfg.interfaces;
|
||||
|
||||
in {
|
||||
ExecStart = concatMapStringsSep " " escapeShellArg args;
|
||||
Type = "forking";
|
||||
Restart = "always";
|
||||
RuntimeDirectory = [ "dhcpd${postfix}" ];
|
||||
PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
|
||||
preStart = "touch ${leaseFile}";
|
||||
serviceConfig = {
|
||||
ExecStart = concatMapStringsSep " " escapeShellArg args;
|
||||
Type = "forking";
|
||||
Restart = "always";
|
||||
DynamicUser = true;
|
||||
User = "dhcpd";
|
||||
Group = "dhcpd";
|
||||
AmbientCapabilities = [
|
||||
"CAP_NET_RAW" # to send ICMP messages
|
||||
"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
|
||||
];
|
||||
StateDirectory = "dhcpd${postfix}";
|
||||
RuntimeDirectory = "dhcpd${postfix}";
|
||||
PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
machineOpts = { ... }: {
|
||||
|
||||
@ -102,15 +109,6 @@ let
|
||||
'';
|
||||
};
|
||||
|
||||
stateDir = mkOption {
|
||||
type = types.path;
|
||||
# We use /var/lib/dhcp for DHCPv4 to save backwards compatibility.
|
||||
default = "/var/lib/dhcp${if postfix == "4" then "" else postfix}";
|
||||
description = ''
|
||||
State directory for the DHCP server.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
@ -194,7 +192,13 @@ in
|
||||
|
||||
imports = [
|
||||
(mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ])
|
||||
];
|
||||
] ++ flip map [ "4" "6" ] (postfix:
|
||||
mkRemovedOptionModule [ "services" "dhcpd${postfix}" "stateDir" ] ''
|
||||
The DHCP server state directory is now managed with the systemd's DynamicUser mechanism.
|
||||
This means the directory is named after the service (dhcpd${postfix}), created under
|
||||
/var/lib/private/ and symlinked to /var/lib/.
|
||||
''
|
||||
);
|
||||
|
||||
###### interface
|
||||
|
||||
@ -210,15 +214,6 @@ in
|
||||
|
||||
config = mkIf (cfg4.enable || cfg6.enable) {
|
||||
|
||||
users = {
|
||||
users.dhcpd = {
|
||||
isSystemUser = true;
|
||||
group = "dhcpd";
|
||||
description = "DHCP daemon user";
|
||||
};
|
||||
groups.dhcpd = {};
|
||||
};
|
||||
|
||||
systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;
|
||||
|
||||
};
|
||||
|
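Review bot: Existing leases are abandoned on upgrade: the lease file moves from `${cfg.stateDir}/dhcpd.leases` (default `/var/lib/dhcp` for v4, `/var/lib/dhcp6` for v6) to `/var/lib/dhcpd${postfix}/dhcpd.leases` under `StateDirectory` in the `@ -28` hunk, and nothing copies or links the old file, so the server restarts with an empty lease database and can re-offer addresses that are still in use. The `mkRemovedOptionModule` text in the `@ -194` hunk should tell operators to move the old `dhcpd.leases` into the new directory (and chown it, since the old file belongs to the removed static `dhcpd` user) before switching, or the module should do it from a root-run `ExecStartPre=+` step. Separately, dropping `-user dhcpd -group nogroup` means dhcpd no longer drops privileges itself and instead keeps `CAP_NET_RAW` and `CAP_NET_BIND_SERVICE` as ambient capabilities for its whole lifetime; adding `CapabilityBoundingSet = [ "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];` beside `AmbientCapabilities` makes that ceiling explicit.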
@ -72,7 +72,7 @@ services.prosody = {
|
||||
a TLS certificate for the three endponits:
|
||||
<programlisting>
|
||||
security.acme = {
|
||||
<link linkend="opt-security.acme.email">email</link> = "root@example.org";
|
||||
<link linkend="opt-security.acme.defaults.email">email</link> = "root@example.org";
|
||||
<link linkend="opt-security.acme.acceptTerms">acceptTerms</link> = true;
|
||||
<link linkend="opt-security.acme.certs">certs</link> = {
|
||||
"example.org" = {
|
||||
|
@ -25,7 +25,7 @@ services.discourse = {
|
||||
};
|
||||
<link linkend="opt-services.discourse.secretKeyBaseFile">secretKeyBaseFile</link> = "/path/to/secret_key_base_file";
|
||||
};
|
||||
<link linkend="opt-security.acme.email">security.acme.email</link> = "me@example.com";
|
||||
<link linkend="opt-security.acme.defaults.email">security.acme.email</link> = "me@example.com";
|
||||
<link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link> = true;
|
||||
</programlisting>
|
||||
</para>
|
||||
|
@ -20,7 +20,7 @@
|
||||
};
|
||||
<link linkend="opt-services.jitsi-videobridge.openFirewall">services.jitsi-videobridge.openFirewall</link> = true;
|
||||
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
|
||||
<link linkend="opt-security.acme.email">security.acme.email</link> = "me@example.com";
|
||||
<link linkend="opt-security.acme.defaults.email">security.acme.email</link> = "me@example.com";
|
||||
<link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link> = true;
|
||||
}</programlisting>
|
||||
</para>
|
||||
@ -46,7 +46,7 @@
|
||||
};
|
||||
<link linkend="opt-services.jitsi-videobridge.openFirewall">services.jitsi-videobridge.openFirewall</link> = true;
|
||||
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
|
||||
<link linkend="opt-security.acme.email">security.acme.email</link> = "me@example.com";
|
||||
<link linkend="opt-security.acme.defaults.email">security.acme.email</link> = "me@example.com";
|
||||
<link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link> = true;
|
||||
}</programlisting>
|
||||
</para>
|
||||
|
@ -154,7 +154,7 @@ let
|
||||
sslServerKey = if useACME then "${sslCertDir}/key.pem" else hostOpts.sslServerKey;
|
||||
sslServerChain = if useACME then "${sslCertDir}/chain.pem" else hostOpts.sslServerChain;
|
||||
|
||||
acmeChallenge = optionalString useACME ''
|
||||
acmeChallenge = optionalString (useACME && hostOpts.acmeRoot != null) ''
|
||||
Alias /.well-known/acme-challenge/ "${hostOpts.acmeRoot}/.well-known/acme-challenge/"
|
||||
<Directory "${hostOpts.acmeRoot}">
|
||||
AllowOverride None
|
||||
@ -677,9 +677,16 @@ in
|
||||
};
|
||||
|
||||
security.acme.certs = let
|
||||
acmePairs = map (hostOpts: nameValuePair hostOpts.hostName {
|
||||
acmePairs = map (hostOpts: let
|
||||
hasRoot = hostOpts.acmeRoot != null;
|
||||
in nameValuePair hostOpts.hostName {
|
||||
group = mkDefault cfg.group;
|
||||
webroot = hostOpts.acmeRoot;
|
||||
# if acmeRoot is null inherit config.security.acme
|
||||
# Since config.security.acme.certs.<cert>.webroot's own default value
|
||||
# should take precedence set priority higher than mkOptionDefault
|
||||
webroot = mkOverride (if hasRoot then 1000 else 2000) hostOpts.acmeRoot;
|
||||
# Also nudge dnsProvider to null in case it is inherited
|
||||
dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;
|
||||
extraDomainNames = hostOpts.serverAliases;
|
||||
# Use the vhost-specific email address if provided, otherwise let
|
||||
# security.acme.email or security.acme.certs.<cert>.email be used.
|
||||
|
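Review bot: When a vhost sets `acmeRoot = null` but neither `security.acme.defaults.dnsProvider` nor a per-cert `dnsProvider`/`webroot` is configured, the cert emitted in the `@ -677` hunk ends up with `webroot` and `dnsProvider` both null and the misconfiguration only surfaces when `acme-<host>.service` runs; unless the ACME module already asserts this (not visible here), an eval-time check in this module would be friendlier, e.g. `assertion = hostOpts.acmeRoot != null || config.security.acme.defaults.dnsProvider != null;` over each ACME-enabled vhost, with a message naming the vhost. A one-line comment above `dnsProvider = mkOverride …` saying that priority 1000 (= mkDefault) beats the inherited option default (1500) but still yields to an explicit `security.acme.certs.<name>.dnsProvider` (100) would spare the next reader the arithmetic. The `security.acme.certs` definition continues past the end of the hunk.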
@ -128,9 +128,12 @@ in
|
||||
};
|
||||
|
||||
acmeRoot = mkOption {
|
||||
type = types.str;
|
||||
type = types.nullOr types.str;
|
||||
default = "/var/lib/acme/acme-challenge";
|
||||
description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
|
||||
description = ''
|
||||
Directory for the acme challenge which is PUBLIC, don't put certs or keys in here.
|
||||
Set to null to inherit from config.security.acme.
|
||||
'';
|
||||
};
|
||||
|
||||
sslServerCert = mkOption {
|
||||
|
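Review bot: The new `acmeRoot` description says "Set to null to inherit from config.security.acme" but not what is inherited or what else changes: with null the vhost no longer serves `/.well-known/acme-challenge` (the `acmeChallenge` alias in default.nix is only emitted when `acmeRoot != null`) and the certificate takes its challenge method from `security.acme.defaults`. I would write: "Set to null to inherit the challenge configuration (e.g. dnsProvider) from security.acme.defaults; the HTTP-01 challenge alias is then not served by this vhost." The surrounding option set continues outside the hunk.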
@ -278,7 +278,7 @@ let
|
||||
acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''
|
||||
location /.well-known/acme-challenge {
|
||||
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
|
||||
root ${vhost.acmeRoot};
|
||||
${optionalString (vhost.acmeRoot != null) "root ${vhost.acmeRoot};"}
|
||||
auth_basic off;
|
||||
}
|
||||
${optionalString (vhost.acmeFallbackHost != null) ''
|
||||
@ -948,9 +948,16 @@ in
|
||||
};
|
||||
|
||||
security.acme.certs = let
|
||||
acmePairs = map (vhostConfig: nameValuePair vhostConfig.serverName {
|
||||
acmePairs = map (vhostConfig: let
|
||||
hasRoot = vhostConfig.acmeRoot != null;
|
||||
in nameValuePair vhostConfig.serverName {
|
||||
group = mkDefault cfg.group;
|
||||
webroot = vhostConfig.acmeRoot;
|
||||
# if acmeRoot is null inherit config.security.acme
|
||||
# Since config.security.acme.certs.<cert>.webroot's own default value
|
||||
# should take precedence set priority higher than mkOptionDefault
|
||||
webroot = mkOverride (if hasRoot then 1000 else 2000) vhostConfig.acmeRoot;
|
||||
# Also nudge dnsProvider to null in case it is inherited
|
||||
dnsProvider = mkOverride (if hasRoot then 1000 else 2000) null;
|
||||
extraDomainNames = vhostConfig.serverAliases;
|
||||
# Filter for enableACME-only vhosts. Don't want to create dud certs
|
||||
}) (filter (vhostConfig: vhostConfig.useACMEHost == null) acmeEnabledVhosts);
|
||||
|
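Review bot: With `acmeRoot = null` the `location /.well-known/acme-challenge` block in the `@ -278` hunk is still emitted, now without a `root`, so it falls back to the vhost's own root while `auth_basic off;` still applies — a DNS-01 vhost ends up serving `<docroot>/.well-known/acme-challenge/*` with basic auth bypassed, which nobody configured. Since the location is only useful when there is a webroot (also for `useACMEHost` vhosts, which need a path to serve the master cert's challenge files from), gate the whole block on it: `acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && vhost.acmeRoot != null) ''`. The `let` binding list that defines `acmeLocation` continues outside the hunk.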
@ -3,7 +3,7 @@
|
||||
# has additional options that affect the web server as a whole, like
|
||||
# the user/group to run under.)
|
||||
|
||||
{ lib, ... }:
|
||||
{ config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
@ -85,9 +85,12 @@ with lib;
|
||||
};
|
||||
|
||||
acmeRoot = mkOption {
|
||||
type = types.str;
|
||||
type = types.nullOr types.str;
|
||||
default = "/var/lib/acme/acme-challenge";
|
||||
description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
|
||||
description = ''
|
||||
Directory for the acme challenge which is PUBLIC, don't put certs or keys in here.
|
||||
Set to null to inherit from config.security.acme.
|
||||
'';
|
||||
};
|
||||
|
||||
acmeFallbackHost = mkOption {
|
||||
|
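Review bot: `config` is added to the module arguments in the `@ -3` hunk but nothing in either hunk of this file uses it — the `config.security.acme` mention in the new `acmeRoot` description is inside a string — so the argument is dead weight unless something outside these hunks needs it; drop it or say what uses it. The description itself should state the effect of null, since the nginx `acmeLocation` in default.nix now omits `root` for that case: "Set to null to inherit the challenge configuration (e.g. dnsProvider) from security.acme.defaults; no acme-challenge root is then served by this vhost." The option set continues outside the `@ -85` hunk.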
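--- a/nixos/modules/virtualisation/docker-rootless.nix
+++ b/nixos/modules/virtualisation/docker-rootless.nix
@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+cfg = config.virtualisation.docker.rootless;
+proxy_env = config.networking.proxy.envVars;
+settingsFormat = pkgs.formats.json {};
+daemonSettingsFile = settingsFormat.generate "daemon.json" cfg.daemon.settings;
+
+in
+
+{
+###### interface
+
+options.virtualisation.docker.rootless = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+This option enables docker in a rootless mode, a daemon that manages
+linux containers. To interact with the daemon, one needs to set
+<command>DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock</command>.
+'';
+};
+
+setSocketVariable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Point <command>DOCKER_HOST</command> to rootless Docker instance for
+normal users by default.
+'';
+};
+
+daemon.settings = mkOption {
+type = settingsFormat.type;
+default = { };
+example = {
+ipv6 = true;
+"fixed-cidr-v6" = "fd00::/80";
+};
+description = ''
+Configuration for docker daemon. The attributes are serialized to JSON used as daemon.conf.
+See https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
+'';
+};
+
+package = mkOption {
+default = pkgs.docker;
+defaultText = literalExpression "pkgs.docker";
+type = types.package;
+example = literalExpression "pkgs.docker-edge";
+description = ''
+Docker package to be used in the module.
+'';
+};
+};
+
+###### implementation
+
+config = mkIf cfg.enable {
+environment.systemPackages = [ cfg.package ];
+
+environment.extraInit = optionalString cfg.setSocketVariable ''
+if [ -z "$DOCKER_HOST" -a -n "$XDG_RUNTIME_DIR" ]; then
+export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
+fi
+'';
+
+# Taken from https://github.com/moby/moby/blob/master/contrib/dockerd-rootless-setuptool.sh
+systemd.user.services.docker = {
+wantedBy = [ "default.target" ];
+description = "Docker Application Container Engine (Rootless)";
+# needs newuidmap from pkgs.shadow
+path = [ "/run/wrappers" ];
+environment = proxy_env;
+unitConfig.StartLimitInterval = "60s";
+serviceConfig = {
+Type = "notify";
+ExecStart = "${cfg.package}/bin/dockerd-rootless --config-file=${daemonSettingsFile}";
+ExecReload = "${pkgs.procps}/bin/kill -s HUP $MAINPID";
+TimeoutSec = 0;
+RestartSec = 2;
+Restart = "always";
+StartLimitBurst = 3;
+LimitNOFILE = "infinity";
+LimitNPROC = "infinity";
+LimitCORE = "infinity";
+Delegate = true;
+NotifyAccess = "all";
+KillMode = "mixed";
+};
+};
+};
+
+}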
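Review bot: Rootless dockerd needs subordinate UID/GID ranges for the user it runs as (that is what the `newuidmap`/`newgidmap` wrappers behind `path = [ "/run/wrappers" ]` consume), but the module neither configures them nor mentions the requirement, so on a host without `users.users.<name>.subUidRanges`/`subGidRanges` (or `autoSubUidGidRange`, if available on this release) the user unit just fails at start; the `enable` description should at least say "The user running the service needs subordinate UID/GID ranges configured (users.users.<name>.subUidRanges / subGidRanges)." and point at `setSocketVariable` instead of telling people to export `DOCKER_HOST` by hand. `wantedBy = [ "default.target" ]` on a `systemd.user` unit means every user whose systemd instance comes up (every login session, and every lingering user) starts its own dockerd once `enable` is set; that is a per-user daemon for all users rather than an opt-in, and worth stating in the option description. `LimitCORE = "infinity"` for a daemon that holds registry credentials and container secrets in memory deserves a second look; `0` is the safer choice unless core dumps are explicitly wanted.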
@ -1,9 +1,9 @@
|
||||
let
|
||||
import ./make-test-python.nix ({ pkgs, lib, ... }: let
|
||||
commonConfig = ./common/acme/client;
|
||||
|
||||
dnsServerIP = nodes: nodes.dnsserver.config.networking.primaryIPAddress;
|
||||
|
||||
dnsScript = {pkgs, nodes}: let
|
||||
dnsScript = nodes: let
|
||||
dnsAddress = dnsServerIP nodes;
|
||||
in pkgs.writeShellScript "dns-hook.sh" ''
|
||||
set -euo pipefail
|
||||
@ -15,30 +15,137 @@ let
|
||||
fi
|
||||
'';
|
||||
|
||||
documentRoot = pkgs: pkgs.runCommand "docroot" {} ''
|
||||
dnsConfig = nodes: {
|
||||
dnsProvider = "exec";
|
||||
dnsPropagationCheck = false;
|
||||
credentialsFile = pkgs.writeText "wildcard.env" ''
|
||||
EXEC_PATH=${dnsScript nodes}
|
||||
EXEC_POLLING_INTERVAL=1
|
||||
EXEC_PROPAGATION_TIMEOUT=1
|
||||
EXEC_SEQUENCE_INTERVAL=1
|
||||
'';
|
||||
};
|
||||
|
||||
documentRoot = pkgs.runCommand "docroot" {} ''
|
||||
mkdir -p "$out"
|
||||
echo hello world > "$out/index.html"
|
||||
'';
|
||||
|
||||
vhostBase = pkgs: {
|
||||
vhostBase = {
|
||||
forceSSL = true;
|
||||
locations."/".root = documentRoot pkgs;
|
||||
locations."/".root = documentRoot;
|
||||
};
|
||||
|
||||
in import ./make-test-python.nix ({ lib, ... }: {
|
||||
vhostBaseHttpd = {
|
||||
forceSSL = true;
|
||||
inherit documentRoot;
|
||||
};
|
||||
|
||||
# Base specialisation config for testing general ACME features
|
||||
webserverBasicConfig = {
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."a.example.test" = vhostBase // {
|
||||
enableACME = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Generate specialisations for testing a web server
|
||||
mkServerConfigs = { server, group, vhostBaseData, extraConfig ? {} }: let
|
||||
baseConfig = { nodes, config, specialConfig ? {} }: lib.mkMerge [
|
||||
{
|
||||
security.acme = {
|
||||
defaults = (dnsConfig nodes) // {
|
||||
inherit group;
|
||||
};
|
||||
# One manual wildcard cert
|
||||
certs."example.test" = {
|
||||
domain = "*.example.test";
|
||||
};
|
||||
};
|
||||
|
||||
services."${server}" = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
# Run-of-the-mill vhost using HTTP-01 validation
|
||||
"${server}-http.example.test" = vhostBaseData // {
|
||||
serverAliases = [ "${server}-http-alias.example.test" ];
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
# Another which inherits the DNS-01 config
|
||||
"${server}-dns.example.test" = vhostBaseData // {
|
||||
serverAliases = [ "${server}-dns-alias.example.test" ];
|
||||
enableACME = true;
|
||||
# Set acmeRoot to null instead of using the default of "/var/lib/acme/acme-challenge"
|
||||
# webroot + dnsProvider are mutually exclusive.
|
||||
acmeRoot = null;
|
||||
};
|
||||
|
||||
# One using the wildcard certificate
|
||||
"${server}-wildcard.example.test" = vhostBaseData // {
|
||||
serverAliases = [ "${server}-wildcard-alias.example.test" ];
|
||||
useACMEHost = "example.test";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Used to determine if service reload was triggered
|
||||
systemd.targets."test-renew-${server}" = {
|
||||
wants = [ "acme-${server}-http.example.test.service" ];
|
||||
after = [ "acme-${server}-http.example.test.service" "${server}-config-reload.service" ];
|
||||
};
|
||||
}
|
||||
specialConfig
|
||||
extraConfig
|
||||
];
|
||||
in {
|
||||
"${server}".configuration = { nodes, config, ... }: baseConfig {
|
||||
inherit nodes config;
|
||||
};
|
||||
|
||||
# Test that server reloads when an alias is removed (and subsequently test removal works in acme)
|
||||
"${server}-remove-alias".configuration = { nodes, config, ... }: baseConfig {
|
||||
inherit nodes config;
|
||||
specialConfig = {
|
||||
# Remove an alias, but create a standalone vhost in its place for testing.
|
||||
# This configuration results in certificate errors as useACMEHost does not imply
|
||||
# append extraDomains, and thus we can validate the SAN is removed.
|
||||
services."${server}" = {
|
||||
virtualHosts."${server}-http.example.test".serverAliases = lib.mkForce [];
|
||||
virtualHosts."${server}-http-alias.example.test" = vhostBaseData // {
|
||||
useACMEHost = "${server}-http.example.test";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Test that the server reloads when only the acme configuration is changed.
|
||||
"${server}-change-acme-conf".configuration = { nodes, config, ... }: baseConfig {
|
||||
inherit nodes config;
|
||||
specialConfig = {
|
||||
security.acme.certs."${server}-http.example.test" = {
|
||||
keyType = "ec384";
|
||||
# Also test that postRun is exec'd as root
|
||||
postRun = "id | grep root";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
in {
|
||||
name = "acme";
|
||||
meta.maintainers = lib.teams.acme.members;
|
||||
|
||||
nodes = {
|
||||
# The fake ACME server which will respond to client requests
|
||||
acme = { nodes, lib, ... }: {
|
||||
acme = { nodes, ... }: {
|
||||
imports = [ ./common/acme/server ];
|
||||
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
|
||||
};
|
||||
|
||||
# A fake DNS server which can be configured with records as desired
|
||||
# Used to test DNS-01 challenge
|
||||
dnsserver = { nodes, pkgs, ... }: {
|
||||
dnsserver = { nodes, ... }: {
|
||||
networking.firewall.allowedTCPPorts = [ 8055 53 ];
|
||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||
systemd.services.pebble-challtestsrv = {
|
||||
@ -54,7 +161,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
};
|
||||
|
||||
# A web server which will be the node requesting certs
|
||||
webserver = { pkgs, nodes, lib, config, ... }: {
|
||||
webserver = { nodes, config, ... }: {
|
||||
imports = [ commonConfig ];
|
||||
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
@ -63,130 +170,142 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
environment.systemPackages = [ pkgs.openssl ];
|
||||
|
||||
# Set log level to info so that we can see when the service is reloaded
|
||||
services.nginx.enable = true;
|
||||
services.nginx.logError = "stderr info";
|
||||
|
||||
# First tests configure a basic cert and run a bunch of openssl checks
|
||||
services.nginx.virtualHosts."a.example.test" = (vhostBase pkgs) // {
|
||||
enableACME = true;
|
||||
};
|
||||
specialisation = {
|
||||
# First derivation used to test general ACME features
|
||||
general.configuration = { ... }: let
|
||||
caDomain = nodes.acme.config.test-support.acme.caDomain;
|
||||
email = config.security.acme.defaults.email;
|
||||
# Exit 99 to make it easier to track if this is the reason a renew failed
|
||||
accountCreateTester = ''
|
||||
test -e accounts/${caDomain}/${email}/account.json || exit 99
|
||||
'';
|
||||
in lib.mkMerge [
|
||||
webserverBasicConfig
|
||||
{
|
||||
# Used to test that account creation is collated into one service.
|
||||
# These should not run until after acme-finished-a.example.test.target
|
||||
systemd.services."b.example.test".preStart = accountCreateTester;
|
||||
systemd.services."c.example.test".preStart = accountCreateTester;
|
||||
|
||||
# Used to determine if service reload was triggered
|
||||
systemd.targets.test-renew-nginx = {
|
||||
wants = [ "acme-a.example.test.service" ];
|
||||
after = [ "acme-a.example.test.service" "nginx-config-reload.service" ];
|
||||
};
|
||||
services.nginx.virtualHosts."b.example.test" = vhostBase // {
|
||||
enableACME = true;
|
||||
};
|
||||
services.nginx.virtualHosts."c.example.test" = vhostBase // {
|
||||
enableACME = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
# Test that account creation is collated into one service
|
||||
specialisation.account-creation.configuration = { nodes, pkgs, lib, ... }: let
|
||||
email = "newhostmaster@example.test";
|
||||
caDomain = nodes.acme.config.test-support.acme.caDomain;
|
||||
# Exit 99 to make it easier to track if this is the reason a renew failed
|
||||
testScript = ''
|
||||
test -e accounts/${caDomain}/${email}/account.json || exit 99
|
||||
'';
|
||||
# Test OCSP Stapling
|
||||
ocsp-stapling.configuration = { ... }: lib.mkMerge [
|
||||
webserverBasicConfig
|
||||
{
|
||||
security.acme.certs."a.example.test".ocspMustStaple = true;
|
||||
services.nginx.virtualHosts."a.example.test" = {
|
||||
extraConfig = ''
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
'';
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
# Validate service relationships by adding a slow start service to nginx' wants.
|
||||
# Reproducer for https://github.com/NixOS/nixpkgs/issues/81842
|
||||
slow-startup.configuration = { ... }: lib.mkMerge [
|
||||
webserverBasicConfig
|
||||
{
|
||||
systemd.services.my-slow-service = {
|
||||
wantedBy = [ "multi-user.target" "nginx.service" ];
|
||||
before = [ "nginx.service" ];
|
||||
preStart = "sleep 5";
|
||||
script = "${pkgs.python3}/bin/python -m http.server";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."slow.example.test" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:8000";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
# Test lego internal server (listenHTTP option)
|
||||
# Also tests useRoot option
|
||||
lego-server.configuration = { ... }: {
|
||||
security.acme.useRoot = true;
|
||||
security.acme.certs."lego.example.test" = {
|
||||
listenHTTP = ":80";
|
||||
group = "nginx";
|
||||
};
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."lego.example.test" = {
|
||||
useACMEHost = "lego.example.test";
|
||||
onlySSL = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Test compatiblity with Caddy
|
||||
# It only supports useACMEHost, hence not using mkServerConfigs
|
||||
} // (let
|
||||
baseCaddyConfig = { nodes, config, ... }: {
|
||||
security.acme = {
|
||||
defaults = (dnsConfig nodes) // {
|
||||
group = config.services.caddy.group;
|
||||
};
|
||||
# One manual wildcard cert
|
||||
certs."example.test" = {
|
||||
domain = "*.example.test";
|
||||
};
|
||||
};
|
||||
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
virtualHosts."a.exmaple.test" = {
|
||||
useACMEHost = "example.test";
|
||||
extraConfig = ''
|
||||
root * ${documentRoot}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
in {
|
||||
security.acme.email = lib.mkForce email;
|
||||
systemd.services."b.example.test".preStart = testScript;
|
||||
systemd.services."c.example.test".preStart = testScript;
|
||||
caddy.configuration = baseCaddyConfig;
|
||||
|
||||
services.nginx.virtualHosts."b.example.test" = (vhostBase pkgs) // {
|
||||
enableACME = true;
|
||||
};
|
||||
services.nginx.virtualHosts."c.example.test" = (vhostBase pkgs) // {
|
||||
enableACME = true;
|
||||
};
|
||||
};
|
||||
# Test that the server reloads when only the acme configuration is changed.
|
||||
"caddy-change-acme-conf".configuration = { nodes, config, ... }: lib.mkMerge [
|
||||
(baseCaddyConfig {
|
||||
inherit nodes config;
|
||||
})
|
||||
{
|
||||
security.acme.certs."example.test" = {
|
||||
keyType = "ec384";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
# Cert config changes will not cause the nginx configuration to change.
|
||||
# This tests that the reload service is correctly triggered.
|
||||
# It also tests that postRun is exec'd as root
|
||||
specialisation.cert-change.configuration = { pkgs, ... }: {
|
||||
security.acme.certs."a.example.test".keyType = "ec384";
|
||||
security.acme.certs."a.example.test".postRun = ''
|
||||
set -euo pipefail
|
||||
touch /home/test
|
||||
chown root:root /home/test
|
||||
echo testing > /home/test
|
||||
'';
|
||||
};
|
||||
# Test compatibility with Nginx
|
||||
}) // (mkServerConfigs {
|
||||
server = "nginx";
|
||||
group = "nginx";
|
||||
vhostBaseData = vhostBase;
|
||||
})
|
||||
|
||||
# Now adding an alias to ensure that the certs are updated
|
||||
specialisation.nginx-aliases.configuration = { pkgs, ... }: {
|
||||
services.nginx.virtualHosts."a.example.test" = {
|
||||
serverAliases = [ "b.example.test" ];
|
||||
};
|
||||
};
|
||||
|
||||
# Test OCSP Stapling
|
||||
specialisation.ocsp-stapling.configuration = { pkgs, ... }: {
|
||||
security.acme.certs."a.example.test" = {
|
||||
ocspMustStaple = true;
|
||||
};
|
||||
services.nginx.virtualHosts."a.example.com" = {
|
||||
extraConfig = ''
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
# Test using Apache HTTPD
|
||||
specialisation.httpd-aliases.configuration = { pkgs, config, lib, ... }: {
|
||||
services.nginx.enable = lib.mkForce false;
|
||||
services.httpd.enable = true;
|
||||
services.httpd.adminAddr = config.security.acme.email;
|
||||
services.httpd.virtualHosts."c.example.test" = {
|
||||
serverAliases = [ "d.example.test" ];
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
documentRoot = documentRoot pkgs;
|
||||
};
|
||||
|
||||
# Used to determine if service reload was triggered
|
||||
systemd.targets.test-renew-httpd = {
|
||||
wants = [ "acme-c.example.test.service" ];
|
||||
after = [ "acme-c.example.test.service" "httpd-config-reload.service" ];
|
||||
};
|
||||
};
|
||||
|
||||
# Validation via DNS-01 challenge
|
||||
specialisation.dns-01.configuration = { pkgs, config, nodes, ... }: {
|
||||
security.acme.certs."example.test" = {
|
||||
domain = "*.example.test";
|
||||
group = config.services.nginx.group;
|
||||
dnsProvider = "exec";
|
||||
dnsPropagationCheck = false;
|
||||
credentialsFile = pkgs.writeText "wildcard.env" ''
|
||||
EXEC_PATH=${dnsScript { inherit pkgs nodes; }}
|
||||
'';
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."dns.example.test" = (vhostBase pkgs) // {
|
||||
useACMEHost = "example.test";
|
||||
};
|
||||
};
|
||||
|
||||
# Validate service relationships by adding a slow start service to nginx' wants.
|
||||
# Reproducer for https://github.com/NixOS/nixpkgs/issues/81842
|
||||
specialisation.slow-startup.configuration = { pkgs, config, nodes, lib, ... }: {
|
||||
systemd.services.my-slow-service = {
|
||||
wantedBy = [ "multi-user.target" "nginx.service" ];
|
||||
before = [ "nginx.service" ];
|
||||
preStart = "sleep 5";
|
||||
script = "${pkgs.python3}/bin/python -m http.server";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."slow.example.com" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://localhost:8000";
|
||||
};
|
||||
};
|
||||
# Test compatibility with Apache HTTPD
|
||||
// (mkServerConfigs {
|
||||
server = "httpd";
|
||||
group = "wwwrun";
|
||||
vhostBaseData = vhostBaseHttpd;
|
||||
extraConfig = {
|
||||
services.httpd.adminAddr = config.security.acme.defaults.email;
|
||||
};
|
||||
});
|
||||
};
|
||||
|
||||
# The client will be used to curl the webserver to validate configuration
|
||||
client = {nodes, lib, pkgs, ...}: {
|
||||
client = { nodes, ... }: {
|
||||
imports = [ commonConfig ];
|
||||
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
|
||||
|
||||
@ -195,7 +314,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
};
|
||||
};
|
||||
|
||||
testScript = {nodes, ...}:
|
||||
testScript = { nodes, ... }:
|
||||
let
|
||||
caDomain = nodes.acme.config.test-support.acme.caDomain;
|
||||
newServerSystem = nodes.webserver.config.system.build.toplevel;
|
||||
@ -204,23 +323,26 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
# Note, wait_for_unit does not work for oneshot services that do not have RemainAfterExit=true,
|
||||
# this is because a oneshot goes from inactive => activating => inactive, and never
|
||||
# reaches the active state. Targets do not have this issue.
|
||||
|
||||
''
|
||||
import time
|
||||
|
||||
|
||||
has_switched = False
|
||||
|
||||
|
||||
def switch_to(node, name):
|
||||
global has_switched
|
||||
if has_switched:
|
||||
node.succeed(
|
||||
"${switchToNewServer}"
|
||||
)
|
||||
has_switched = True
|
||||
# On first switch, this will create a symlink to the current system so that we can
|
||||
# quickly switch between derivations
|
||||
root_specs = "/tmp/specialisation"
|
||||
node.execute(
|
||||
f"test -e {root_specs}"
|
||||
f" || ln -s $(readlink /run/current-system)/specialisation {root_specs}"
|
||||
)
|
||||
|
||||
switcher_path = f"/run/current-system/specialisation/{name}/bin/switch-to-configuration"
|
||||
rc, _ = node.execute(f"test -e '{switcher_path}'")
|
||||
if rc > 0:
|
||||
switcher_path = f"/tmp/specialisation/{name}/bin/switch-to-configuration"
|
||||
|
||||
node.succeed(
|
||||
f"/run/current-system/specialisation/{name}/bin/switch-to-configuration test"
|
||||
f"{switcher_path} test"
|
||||
)
|
||||
|
||||
|
||||
@ -310,8 +432,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
return download_ca_certs(node, retries - 1)
|
||||
|
||||
|
||||
client.start()
|
||||
dnsserver.start()
|
||||
start_all()
|
||||
|
||||
dnsserver.wait_for_unit("pebble-challtestsrv.service")
|
||||
client.wait_for_unit("default.target")
|
||||
@ -320,19 +441,30 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
'curl --data \'{"host": "${caDomain}", "addresses": ["${nodes.acme.config.networking.primaryIPAddress}"]}\' http://${dnsServerIP nodes}:8055/add-a'
|
||||
)
|
||||
|
||||
acme.start()
|
||||
webserver.start()
|
||||
|
||||
acme.wait_for_unit("network-online.target")
|
||||
acme.wait_for_unit("pebble.service")
|
||||
|
||||
download_ca_certs(client)
|
||||
|
||||
with subtest("Can request certificate with HTTPS-01 challenge"):
|
||||
# Perform general tests first
|
||||
switch_to(webserver, "general")
|
||||
|
||||
with subtest("Can request certificate with HTTP-01 challenge"):
|
||||
webserver.wait_for_unit("acme-finished-a.example.test.target")
|
||||
check_fullchain(webserver, "a.example.test")
|
||||
check_issuer(webserver, "a.example.test", "pebble")
|
||||
webserver.wait_for_unit("nginx.service")
|
||||
check_connection(client, "a.example.test")
|
||||
|
||||
with subtest("Runs 1 cert for account creation before others"):
|
||||
webserver.wait_for_unit("acme-finished-b.example.test.target")
|
||||
webserver.wait_for_unit("acme-finished-c.example.test.target")
|
||||
check_connection(client, "b.example.test")
|
||||
check_connection(client, "c.example.test")
|
||||
|
||||
with subtest("Certificates and accounts have safe + valid permissions"):
|
||||
group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"
|
||||
# Nginx will set the group appropriately when enableACME is used
|
||||
group = "nginx"
|
||||
webserver.succeed(
|
||||
f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
|
||||
)
|
||||
@ -346,12 +478,6 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
|
||||
)
|
||||
|
||||
with subtest("Certs are accepted by web server"):
|
||||
webserver.succeed("systemctl start nginx.service")
|
||||
check_fullchain(webserver, "a.example.test")
|
||||
check_issuer(webserver, "a.example.test", "pebble")
|
||||
check_connection(client, "a.example.test")
|
||||
|
||||
# Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal
|
||||
with subtest("Can generate valid selfsigned certs"):
|
||||
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
|
||||
@ -365,77 +491,107 @@ in import ./make-test-python.nix ({ lib, ... }: {
|
||||
# Will succeed if nginx can load the certs
|
||||
webserver.succeed("systemctl start nginx-config-reload.service")
|
||||
|
||||
with subtest("Can reload nginx when timer triggers renewal"):
|
||||
webserver.succeed("systemctl start test-renew-nginx.target")
|
||||
check_issuer(webserver, "a.example.test", "pebble")
|
||||
check_connection(client, "a.example.test")
|
||||
|
||||
with subtest("Runs 1 cert for account creation before others"):
|
||||
switch_to(webserver, "account-creation")
|
||||
webserver.wait_for_unit("acme-finished-a.example.test.target")
|
||||
check_connection(client, "a.example.test")
|
||||
webserver.wait_for_unit("acme-finished-b.example.test.target")
|
||||
webserver.wait_for_unit("acme-finished-c.example.test.target")
|
||||
check_connection(client, "b.example.test")
|
||||
check_connection(client, "c.example.test")
|
||||
|
||||
with subtest("Can reload web server when cert configuration changes"):
|
||||
switch_to(webserver, "cert-change")
|
||||
webserver.wait_for_unit("acme-finished-a.example.test.target")
|
||||
check_connection_key_bits(client, "a.example.test", "384")
|
||||
webserver.succeed("grep testing /home/test")
|
||||
# Clean to remove the testing file (and anything else messy we did)
|
||||
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
|
||||
|
||||
with subtest("Correctly implements OCSP stapling"):
|
||||
switch_to(webserver, "ocsp-stapling")
|
||||
webserver.wait_for_unit("acme-finished-a.example.test.target")
|
||||
check_stapling(client, "a.example.test")
|
||||
|
||||
with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):
|
||||
switch_to(webserver, "slow-startup")
|
||||
webserver.wait_for_unit("acme-finished-slow.example.com.target")
|
||||
check_issuer(webserver, "slow.example.com", "pebble")
|
||||
check_connection(client, "slow.example.com")
|
||||
|
||||
with subtest("Can request certificate for vhost + aliases (nginx)"):
|
||||
# Check the key hash before and after adding an alias. It should not change.
|
||||
# The previous test reverts the ed384 change
|
||||
webserver.wait_for_unit("acme-finished-a.example.test.target")
|
||||
switch_to(webserver, "nginx-aliases")
|
||||
webserver.wait_for_unit("acme-finished-a.example.test.target")
|
||||
check_issuer(webserver, "a.example.test", "pebble")
|
||||
with subtest("Can request certificate with HTTP-01 using lego's internal web server"):
|
||||
switch_to(webserver, "lego-server")
|
||||
webserver.wait_for_unit("acme-finished-lego.example.test.target")
|
||||
webserver.wait_for_unit("nginx.service")
|
||||
webserver.succeed("echo HENLO && systemctl cat nginx.service")
|
||||
webserver.succeed("test \"$(stat -c '%U' /var/lib/acme/* | uniq)\" = \"root\"")
|
||||
check_connection(client, "a.example.test")
|
||||
check_connection(client, "b.example.test")
|
||||
check_connection(client, "lego.example.test")
|
||||
|
||||
with subtest("Can request certificates for vhost + aliases (apache-httpd)"):
|
||||
try:
|
||||
switch_to(webserver, "httpd-aliases")
|
||||
webserver.wait_for_unit("acme-finished-c.example.test.target")
|
||||
except Exception as err:
|
||||
_, output = webserver.execute(
|
||||
"cat /var/log/httpd/*.log && ls -al /var/lib/acme/acme-challenge"
|
||||
)
|
||||
print(output)
|
||||
raise err
|
||||
check_issuer(webserver, "c.example.test", "pebble")
|
||||
check_connection(client, "c.example.test")
|
||||
check_connection(client, "d.example.test")
|
||||
with subtest("Can request certificate with HTTP-01 when nginx startup is delayed"):
|
||||
webserver.execute("systemctl stop nginx")
|
||||
switch_to(webserver, "slow-startup")
|
||||
webserver.wait_for_unit("acme-finished-slow.example.test.target")
|
||||
check_issuer(webserver, "slow.example.test", "pebble")
|
||||
webserver.wait_for_unit("nginx.service")
|
||||
check_connection(client, "slow.example.test")
|
||||
|
||||
with subtest("Can reload httpd when timer triggers renewal"):
|
||||
# Switch to selfsigned first
|
||||
webserver.succeed("systemctl clean acme-c.example.test.service --what=state")
|
||||
webserver.succeed("systemctl start acme-selfsigned-c.example.test.service")
|
||||
check_issuer(webserver, "c.example.test", "minica")
|
||||
webserver.succeed("systemctl start httpd-config-reload.service")
|
||||
webserver.succeed("systemctl start test-renew-httpd.target")
|
||||
check_issuer(webserver, "c.example.test", "pebble")
|
||||
check_connection(client, "c.example.test")
|
||||
|
||||
with subtest("Can request wildcard certificates using DNS-01 challenge"):
|
||||
switch_to(webserver, "dns-01")
|
||||
with subtest("Works with caddy"):
|
||||
switch_to(webserver, "caddy")
|
||||
webserver.wait_for_unit("acme-finished-example.test.target")
|
||||
check_issuer(webserver, "example.test", "pebble")
|
||||
check_connection(client, "dns.example.test")
|
||||
webserver.wait_for_unit("caddy.service")
|
||||
# FIXME reloading caddy is not sufficient to load new certs.
|
||||
# Restart it manually until this is fixed.
|
||||
webserver.succeed("systemctl restart caddy.service")
|
||||
check_connection(client, "a.example.test")
|
||||
|
||||
with subtest("security.acme changes reflect on caddy"):
|
||||
switch_to(webserver, "caddy-change-acme-conf")
|
||||
webserver.wait_for_unit("acme-finished-example.test.target")
|
||||
webserver.wait_for_unit("caddy.service")
|
||||
# FIXME reloading caddy is not sufficient to load new certs.
|
||||
# Restart it manually until this is fixed.
|
||||
webserver.succeed("systemctl restart caddy.service")
|
||||
check_connection_key_bits(client, "a.example.test", "384")
|
||||
|
||||
domains = ["http", "dns", "wildcard"]
|
||||
for server, logsrc in [
|
||||
("nginx", "journalctl -n 30 -u nginx.service"),
|
||||
("httpd", "tail -n 30 /var/log/httpd/*.log"),
|
||||
]:
|
||||
wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service")
|
||||
with subtest(f"Works with {server}"):
|
||||
try:
|
||||
switch_to(webserver, server)
|
||||
# Skip wildcard domain for this check ([:-1])
|
||||
for domain in domains[:-1]:
|
||||
webserver.wait_for_unit(
|
||||
f"acme-finished-{server}-{domain}.example.test.target"
|
||||
)
|
||||
except Exception as err:
|
||||
_, output = webserver.execute(
|
||||
f"{logsrc} && ls -al /var/lib/acme/acme-challenge"
|
||||
)
|
||||
print(output)
|
||||
raise err
|
||||
|
||||
wait_for_server()
|
||||
|
||||
for domain in domains[:-1]:
|
||||
check_issuer(webserver, f"{server}-{domain}.example.test", "pebble")
|
||||
for domain in domains:
|
||||
check_connection(client, f"{server}-{domain}.example.test")
|
||||
check_connection(client, f"{server}-{domain}-alias.example.test")
|
||||
|
||||
test_domain = f"{server}-{domains[0]}.example.test"
|
||||
|
||||
with subtest(f"Can reload {server} when timer triggers renewal"):
|
||||
# Switch to selfsigned first
|
||||
webserver.succeed(f"systemctl clean acme-{test_domain}.service --what=state")
|
||||
webserver.succeed(f"systemctl start acme-selfsigned-{test_domain}.service")
|
||||
check_issuer(webserver, test_domain, "minica")
|
||||
webserver.succeed(f"systemctl start {server}-config-reload.service")
|
||||
webserver.succeed(f"systemctl start test-renew-{server}.target")
|
||||
check_issuer(webserver, test_domain, "pebble")
|
||||
check_connection(client, test_domain)
|
||||
|
||||
with subtest("Can remove an alias from a domain + cert is updated"):
|
||||
test_alias = f"{server}-{domains[0]}-alias.example.test"
|
||||
switch_to(webserver, f"{server}-remove-alias")
|
||||
webserver.wait_for_unit(f"acme-finished-{test_domain}.target")
|
||||
wait_for_server()
|
||||
check_connection(client, test_domain)
|
||||
rc, _ = client.execute(
|
||||
f"openssl s_client -CAfile /tmp/ca.crt -connect {test_alias}:443"
|
||||
" </dev/null 2>/dev/null | openssl x509 -noout -text"
|
||||
f" | grep DNS: | grep {test_alias}"
|
||||
)
|
||||
assert rc > 0, "Removed extraDomainName was not removed from the cert"
|
||||
|
||||
with subtest("security.acme changes reflect on web server"):
|
||||
# Switch back to normal server config first, reset everything.
|
||||
switch_to(webserver, server)
|
||||
wait_for_server()
|
||||
switch_to(webserver, f"{server}-change-acme-conf")
|
||||
webserver.wait_for_unit(f"acme-finished-{test_domain}.target")
|
||||
wait_for_server()
|
||||
check_connection_key_bits(client, test_domain, "384")
|
||||
'';
|
||||
})
|
||||
|
@ -105,6 +105,7 @@ in
|
||||
dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};
|
||||
doas = handleTest ./doas.nix {};
|
||||
docker = handleTestOn ["x86_64-linux"] ./docker.nix {};
|
||||
docker-rootless = handleTestOn ["x86_64-linux"] ./docker-rootless.nix {};
|
||||
docker-edge = handleTestOn ["x86_64-linux"] ./docker-edge.nix {};
|
||||
docker-registry = handleTest ./docker-registry.nix {};
|
||||
docker-tools = handleTestOn ["x86_64-linux"] ./docker-tools.nix {};
|
||||
|
@ -5,9 +5,11 @@ let
|
||||
|
||||
in {
|
||||
security.acme = {
|
||||
server = "https://${caDomain}/dir";
|
||||
email = "hostmaster@example.test";
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
server = "https://${caDomain}/dir";
|
||||
email = "hostmaster@example.test";
|
||||
};
|
||||
};
|
||||
|
||||
security.pki.certificateFiles = [ caCert ];
|
||||
|
@ -120,6 +120,11 @@ in {
|
||||
enable = true;
|
||||
description = "Pebble ACME server";
|
||||
wantedBy = [ "network.target" ];
|
||||
environment = {
|
||||
# We're not testing lego, we're just testing our configuration.
|
||||
# No need to sleep.
|
||||
PEBBLE_VA_NOSLEEP = "1";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "pebble";
|
||||
|
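--- /dev/null
+++ b/nixos/tests/docker-rootless.nix
@@ -0,0 +1,41 @@
+# This test runs docker and checks if simple container starts
+
+import ./make-test-python.nix ({ lib, pkgs, ...} : {
+name = "docker-rootless";
+meta = with pkgs.lib.maintainers; {
+maintainers = [ abbradar ];
+};
+
+nodes = {
+machine = { pkgs, ... }: {
+virtualisation.docker.rootless.enable = true;
+
+users.users.alice = {
+uid = 1000;
+isNormalUser = true;
+};
+};
+};
+
+testScript = { nodes, ... }:
+let
+user = nodes.machine.config.users.users.alice;
+sudo = lib.concatStringsSep " " [
+"XDG_RUNTIME_DIR=/run/user/${toString user.uid}"
+"DOCKER_HOST=unix:///run/user/${toString user.uid}/docker.sock"
+"sudo" "--preserve-env=XDG_RUNTIME_DIR,DOCKER_HOST" "-u" "alice"
+];
+in ''
+machine.wait_for_unit("multi-user.target")
+
+machine.succeed("loginctl enable-linger alice")
+machine.wait_until_succeeds("${sudo} systemctl --user is-active docker.service")
+
+machine.succeed("tar cv --files-from /dev/null | ${sudo} docker import - scratchimg")
+machine.succeed(
+"${sudo} docker run -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+)
+machine.succeed("${sudo} docker ps | grep sleeping")
+machine.succeed("${sudo} docker stop sleeping")
+'';
+})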
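Review bot: The test never asserts that the daemon actually runs unprivileged — it only checks that `docker.service` is active in alice's user session and that a container starts, so a regression that left a root-owned daemon or socket serving the user would still pass. After the `wait_until_succeeds` line, pin the rootless property with something like `machine.succeed("${sudo} docker info | grep -i rootless")` (the daemon reports `rootless` under Security Options when started through rootlesskit; confirm the exact wording against the packaged Docker version). A socket-ownership check such as `machine.succeed("test \"$(stat -c %U /run/user/${toString user.uid}/docker.sock)\" = alice")` would cover the other half. Separately, `meta = with pkgs.lib.maintainers;` could use the `lib` already bound in the function arguments, consistent with the `lib.concatStringsSep` call below it.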
@ -9,6 +9,8 @@ lib.makeScope newScope (self: with self; {
|
||||
|
||||
mopidy-iris = callPackage ./iris.nix { };
|
||||
|
||||
mopidy-jellyfin = callPackage ./jellyfin.nix { };
|
||||
|
||||
mopidy-local = callPackage ./local.nix { };
|
||||
|
||||
mopidy-moped = callPackage ./moped.nix { };
|
||||
|
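--- /dev/null
+++ b/pkgs/applications/audio/mopidy/jellyfin.nix
@@ -0,0 +1,25 @@
+{ lib, python3Packages, mopidy }:
+
+python3Packages.buildPythonApplication rec {
+pname = "mopidy-jellyfin";
+version = "1.0.2";
+
+src = python3Packages.fetchPypi {
+inherit version;
+pname = "Mopidy-Jellyfin";
+sha256 = "0j7v5xx3c401r5dw1sqm1n2263chjga1d3ml85rg79hjhhhacy75";
+};
+
+propagatedBuildInputs = [ mopidy python3Packages.unidecode python3Packages.websocket-client ];
+
+# no tests implemented
+doCheck = false;
+pythonImportsCheck = [ "mopidy_jellyfin" ];
+
+meta = with lib; {
+homepage = "https://github.com/jellyfin/mopidy-jellyfin";
+description = "Mopidy extension for playing audio files from Jellyfin";
+license = licenses.asl20;
+maintainers = [ maintainers.pstn ];
+};
+}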
@ -9,6 +9,8 @@
|
||||
, copyDesktopItems
|
||||
, fontconfig
|
||||
, libpng
|
||||
, pipewire
|
||||
, makeWrapper
|
||||
, autoPatchelfHook
|
||||
}:
|
||||
|
||||
@ -38,6 +40,7 @@ stdenv.mkDerivation rec {
|
||||
fontconfig
|
||||
libva
|
||||
gst_all_1.gst-plugins-base
|
||||
pipewire
|
||||
# autoPatchelfHook complains if these are missing, even on wayland
|
||||
xorg.libXft
|
||||
xorg.libXinerama
|
||||
@ -47,12 +50,22 @@ stdenv.mkDerivation rec {
|
||||
xorg.libXtst
|
||||
];
|
||||
|
||||
nativeBuildInputs = [ copyDesktopItems autoPatchelfHook ];
|
||||
nativeBuildInputs = [ copyDesktopItems autoPatchelfHook makeWrapper ];
|
||||
|
||||
postFixup = let
|
||||
GST_PLUGIN_PATH = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" [
|
||||
gst_all_1.gst-plugins-base
|
||||
pipewire
|
||||
];
|
||||
in ''
|
||||
wrapProgram $out/bin/weylus --prefix GST_PLUGIN_PATH : ${GST_PLUGIN_PATH}
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Use your tablet as graphic tablet/touch screen on your computer";
|
||||
homepage = "https://github.com/H-M-H/Weylus";
|
||||
license = with licenses; [ agpl3Only ];
|
||||
maintainers = with maintainers; [ lom ];
|
||||
platforms = [ "x86_64-linux" ];
|
||||
};
|
||||
}
|
||||
|
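Review bot: The let-bound `GST_PLUGIN_PATH` in the new `postFixup` is a Nix binding named like a shell environment variable, which suggests it is exported into the build environment when it is only interpolated into the `wrapProgram` line; nixpkgs convention for such bindings is camelCase. Renaming it to `gstPluginPath` on the binding and in `wrapProgram $out/bin/weylus --prefix GST_PLUGIN_PATH : ${gstPluginPath}` leaves the generated wrapper identical and removes the ambiguity.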
@ -1,12 +1,17 @@
|
||||
{lib, stdenvNoCC, haskellPackages, fetchurl, writers}:
|
||||
|
||||
let
|
||||
hledger-lib = haskellPackages.hledger-lib_1_24_1;
|
||||
in
|
||||
|
||||
stdenvNoCC.mkDerivation rec {
|
||||
pname = "hledger-check-fancyassertions";
|
||||
version = "1.23";
|
||||
inherit (hledger-lib) version;
|
||||
|
||||
src = fetchurl {
|
||||
name = "hledger-check-fancyassertion-${version}.hs";
|
||||
url = "https://raw.githubusercontent.com/simonmichael/hledger/hledger-lib-${version}/bin/hledger-check-fancyassertions.hs";
|
||||
sha256 = "08p2din1j7l4c29ipn68k8vvs3ys004iy8a3zf318lzby4h04h0n";
|
||||
sha256 = "0naggvivc6szsc8haa52a6lm079ikz5qfva0ljnqx0f1zlkxv984";
|
||||
};
|
||||
|
||||
dontUnpack = true;
|
||||
@ -15,11 +20,13 @@ stdenvNoCC.mkDerivation rec {
|
||||
executable = writers.writeHaskell
|
||||
"hledger-check-fancyassertions"
|
||||
{
|
||||
libraries = with haskellPackages; [
|
||||
base base-compat base-compat-batteries filepath hledger-lib_1_24
|
||||
libraries = [
|
||||
hledger-lib
|
||||
] ++ (with haskellPackages; [
|
||||
base base-compat base-compat-batteries filepath
|
||||
megaparsec microlens optparse-applicative string-qq text time
|
||||
transformers
|
||||
];
|
||||
]);
|
||||
inherit (haskellPackages) ghc;
|
||||
}
|
||||
src;
|
||||
|
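Review bot: `inherit (hledger-lib) version;` ties this package's version — and therefore the raw-GitHub `url` it fetches from — to whatever `haskellPackages.hledger-lib_1_24_1` resolves to, but nothing in the file records that the script must be compiled against the hledger-lib release of the same version; the pinned `sha256` is the only guard against drift, and it fails with a bare hash mismatch rather than an explanatory message when that attribute is bumped. Add a comment above the `let`, e.g. `# The script is taken from the hledger repo at the hledger-lib tag and must be built against that same hledger-lib release; bump the attribute and sha256 together.`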
@ -15,7 +15,7 @@ rec {
|
||||
, go-md2man, go, containerd_1_4, runc, docker-proxy, tini, libtool
|
||||
, sqlite, iproute2, lvm2, systemd, docker-buildx, docker-compose_2
|
||||
, btrfs-progs, iptables, e2fsprogs, xz, util-linux, xfsprogs, git
|
||||
, procps, libseccomp
|
||||
, procps, libseccomp, rootlesskit, slirp4netns, fuse-overlayfs
|
||||
, nixosTests
|
||||
, clientOnly ? !stdenv.isLinux, symlinkJoin
|
||||
}:
|
||||
@ -77,6 +77,8 @@ rec {
|
||||
|
||||
extraPath = optionals (stdenv.isLinux) (makeBinPath [ iproute2 iptables e2fsprogs xz xfsprogs procps util-linux git ]);
|
||||
|
||||
extraUserPath = optionals (stdenv.isLinux && !clientOnly) (makeBinPath [ rootlesskit slirp4netns fuse-overlayfs ]);
|
||||
|
||||
postPatch = ''
|
||||
patchShebangs hack/make.sh hack/make/
|
||||
'';
|
||||
@ -109,6 +111,11 @@ rec {
|
||||
install -Dm644 ./contrib/init/systemd/docker.service $out/etc/systemd/system/docker.service
|
||||
substituteInPlace $out/etc/systemd/system/docker.service --replace /usr/bin/dockerd $out/bin/dockerd
|
||||
install -Dm644 ./contrib/init/systemd/docker.socket $out/etc/systemd/system/docker.socket
|
||||
|
||||
# rootless Docker
|
||||
install -Dm755 ./contrib/dockerd-rootless.sh $out/libexec/docker/dockerd-rootless.sh
|
||||
makeWrapper $out/libexec/docker/dockerd-rootless.sh $out/bin/dockerd-rootless \
|
||||
--prefix PATH : "$out/libexec/docker:$extraPath:$extraUserPath"
|
||||
'';
|
||||
|
||||
DOCKER_BUILDTAGS = []
|
||||
@ -184,6 +191,7 @@ rec {
|
||||
'' + optionalString (!clientOnly) ''
|
||||
# symlink docker daemon to docker cli derivation
|
||||
ln -s ${moby}/bin/dockerd $out/bin/dockerd
|
||||
ln -s ${moby}/bin/dockerd-rootless $out/bin/dockerd-rootless
|
||||
|
||||
# systemd
|
||||
mkdir -p $out/etc/systemd/system
|
||||
|
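Review bot: The `--prefix PATH : "$out/libexec/docker:$extraPath:$extraUserPath"` value on the new `makeWrapper` line can contain an empty component, because `extraUserPath` is defined as empty when `clientOnly` is set (and `extraPath` is empty off Linux); an empty PATH element is resolved by POSIX shells as the current directory, so the rootless wrapper would then look there for rootlesskit, slirp4netns and dockerd before failing. If this install block only runs for the Linux daemon build (the enclosing phase starts outside the hunk, so I cannot confirm), both values are non-empty and the point is moot; otherwise fold the two into one `makeBinPath` call so no empty segment can appear. A one-line comment next to `extraUserPath` stating that assumption would also help.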
@ -1,6 +1,6 @@
|
||||
{
|
||||
"commit": "45e72928a9053df2938492a535a1b4351251d82f",
|
||||
"url": "https://github.com/commercialhaskell/all-cabal-hashes/archive/45e72928a9053df2938492a535a1b4351251d82f.tar.gz",
|
||||
"sha256": "1a87yf9bly5ayldgrkakyipxfkk7h9ifqb4dpd8l1f9zb1csdg1x",
|
||||
"msg": "Update from Hackage at 2021-12-09T20:50:23Z"
|
||||
"commit": "01a23b49c333c95167338433cd375e24fc60d66d",
|
||||
"url": "https://github.com/commercialhaskell/all-cabal-hashes/archive/01a23b49c333c95167338433cd375e24fc60d66d.tar.gz",
|
||||
"sha256": "0mf1pqlg5cj0p0si1vgf5mp5an89yhq0il6v7n58smcqbfdynds5",
|
||||
"msg": "Update from Hackage at 2021-12-21T13:58:08Z"
|
||||
}
|
||||
|
@ -124,10 +124,6 @@ self: super: {
|
||||
buildDepends = [ pkgs.qt5.wrapQtAppsHook ];
|
||||
}) super.qtah-cpp-qt5;
|
||||
|
||||
# Missing test data
|
||||
# https://github.com/aleksey-makarov/melf/issues/1
|
||||
melf = dontCheck super.melf;
|
||||
|
||||
# The Haddock phase fails for one reason or another.
|
||||
deepseq-magic = dontHaddock super.deepseq-magic;
|
||||
feldspar-signal = dontHaddock super.feldspar-signal; # https://github.com/markus-git/feldspar-signal/issues/1
|
||||
@ -863,7 +859,7 @@ self: super: {
|
||||
super.hledger-lib;
|
||||
|
||||
# hledger-lib 1.24 depends on doctest >= 0.18
|
||||
hledger-lib_1_24 = super.hledger-lib_1_24.override {
|
||||
hledger-lib_1_24_1 = super.hledger-lib_1_24_1.override {
|
||||
doctest = self.doctest_0_18_2;
|
||||
};
|
||||
|
||||
@ -1232,12 +1228,8 @@ self: super: {
|
||||
})
|
||||
] super.polysemy;
|
||||
|
||||
# polysemy-plugin 0.2.5.0 has constraint ghc-tcplugins-extra (==0.3.*)
|
||||
# This upstream issue is relevant:
|
||||
# https://github.com/polysemy-research/polysemy/issues/322
|
||||
polysemy-plugin = super.polysemy-plugin.override {
|
||||
ghc-tcplugins-extra = self.ghc-tcplugins-extra_0_3_2;
|
||||
};
|
||||
# 2021-12-26: Too strict bounds on doctest
|
||||
polysemy-plugin = doJailbreak super.polysemy-plugin;
|
||||
|
||||
# Test suite requires running a database server. Testing is done upstream.
|
||||
hasql-notifications = dontCheck super.hasql-notifications;
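Review bot: `polysemy-plugin = doJailbreak super.polysemy-plugin;` lifts every version bound of the package, not only the doctest bound the new comment names, so the `ghc-tcplugins-extra (==0.3.*)` constraint that the apparently removed override pinned to `self.ghc-tcplugins-extra_0_3_2` is now also ignored and the resolver takes whatever the Stackage snapshot provides (the stackage.yaml hunk in this commit lists `ghc-tcplugins-extra ==0.4.2`). Since the `ghc-tcplugins-extra ==0.3.2` extra-package line also appears to be dropped elsewhere in this commit, the comment should record that the plugin is now known to build against the newer ghc-tcplugins-extra, e.g. `# 2021-12-26: Too strict bounds on doctest and ghc-tcplugins-extra; builds fine against the Stackage versions`. Note as well that `polysemy-plugin` shows up in the broken-packages list further down this commit (its side is not recoverable here); if it is being marked broken, this override is not exercised at all and could be dropped instead. The enclosing attribute set continues outside the hunk.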
|
||||
@ -1517,9 +1509,6 @@ self: super: {
|
||||
# Due to tests restricting base in 0.8.0.0 release
|
||||
http-media = doJailbreak super.http-media;
|
||||
|
||||
# 2020-11-19: Jailbreaking until: https://github.com/snapframework/heist/pull/124
|
||||
heist = doJailbreak super.heist;
|
||||
|
||||
hinit = generateOptparseApplicativeCompletion "hi" (super.hinit.override { haskeline = self.haskeline_0_8_2; });
|
||||
|
||||
# 2020-11-19: Jailbreaking until: https://github.com/snapframework/snap/pull/219
|
||||
@ -2111,17 +2100,24 @@ self: super: {
|
||||
gogol-core = appendPatch ./patches/gogol-core-144.patch super.gogol-core;
|
||||
|
||||
# Jailbreak isn't sufficient, but this is ok as it's a leaf package.
|
||||
hadolint = super.hadolint.overrideScope (self: super: {
|
||||
hadolint = overrideCabal (drv: {
|
||||
# Test suite depends on ordering of unordered-containers returned values
|
||||
# which was upgraded in LTS 18.19
|
||||
# https://github.com/hadolint/hadolint/issues/753
|
||||
testFlags = [
|
||||
"--skip" "/Hadolint.Formatter.Sarif/Formatter: Sarif/print empty results/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) (super.hadolint.overrideScope (self: super: {
|
||||
language-docker = self.language-docker_10_4_0;
|
||||
hspec = dontCheck self.hspec_2_9_4;
|
||||
hspec-core = dontCheck self.hspec-core_2_9_4;
|
||||
hspec-discover = dontCheck self.hspec-discover_2_9_4;
|
||||
colourista = doJailbreak super.colourista;
|
||||
});
|
||||
}));
|
||||
|
||||
# These should be updated in lockstep
|
||||
hledger_1_24 = super.hledger_1_24.override {
|
||||
hledger-lib = self.hledger-lib_1_24;
|
||||
hledger_1_24_1 = super.hledger_1_24_1.override {
|
||||
hledger-lib = self.hledger-lib_1_24_1;
|
||||
};
|
||||
|
||||
# Needs brick > 0.64
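Review bot: The outer `super.hadolint.overrideScope (self: super: { hadolint = … })` only redefines `hadolint` itself, so that wrapper layer looks redundant: assigning `overrideCabal (drv: { … }) (super.hadolint.overrideScope (self: super: { … }))` directly to `hadolint` should yield the same derivation with one level less nesting and without shadowing `self`/`super` twice — unless something in the scope refers back to `hadolint`, which nothing visible here does. The `testFlags` skip also lacks the `assert super.hadolint.version == "…";` guard that the lucid/swagger2/Unique overrides later in this commit use, so it will silently outlive the upstream fix linked as hadolint issue 753; `hadolint = assert super.hadolint.version == "<current version>"; …` would make it expire on the next bump. The enclosing attribute set continues outside the hunk.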
|
||||
@ -2135,11 +2131,127 @@ self: super: {
|
||||
# test suite requires stack to run, https://github.com/dino-/photoname/issues/24
|
||||
photoname = dontCheck super.photoname;
|
||||
|
||||
# Too strict bounds on recursive-zipper
|
||||
# https://github.com/ChrisPenner/jet/issues/1
|
||||
jet = doJailbreak super.jet;
|
||||
# Upgrade of unordered-containers in Stackage causes ordering-sensitive test to fail
|
||||
# https://github.com/chrisdone/lucid/issues/123
|
||||
# https://github.com/commercialhaskell/stackage/issues/6366
|
||||
lucid = assert super.lucid.version == "2.9.12.1"; overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"--skip" "/attributes-with/mixed/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.lucid;
|
||||
# Basically the entire doctest suite of swagger2 fails for the same reason
|
||||
swagger2 = assert super.swagger2.version == "2.6"; overrideCabal (drv: {
|
||||
testTarget = "spec";
|
||||
}) super.swagger2;
|
||||
# https://github.com/kapralVV/Unique/issues/9
|
||||
Unique = assert super.Unique.version == "0.4.7.9"; overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"--skip" "/Data.List.UniqueUnsorted.removeDuplicates/removeDuplicates: simple test/"
|
||||
"--skip" "/Data.List.UniqueUnsorted.repeatedBy,repeated,unique/unique: simple test/"
|
||||
"--skip" "/Data.List.UniqueUnsorted.repeatedBy,repeated,unique/repeatedBy: simple test/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.Unique;
|
||||
# https://github.com/AndrewRademacher/aeson-casing/issues/8
|
||||
aeson-casing = assert super.aeson-casing.version == "0.2.0.0"; overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "! /encode train/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.aeson-casing;
|
||||
# https://github.com/Soostone/katip/issues/134
|
||||
katip = assert super.katip.version == "0.8.7.0"; overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "!/Text-golden/&&!/respects payloadKeys for each constituent payload/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.katip;
|
||||
# 2020-11-19: Jailbreaking until: https://github.com/snapframework/heist/pull/124
|
||||
# 2021-12-22: https://github.com/snapframework/heist/issues/131
|
||||
heist = assert super.heist.version == "1.1.0.1"; overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-t" "!*/compiled/ns*"
|
||||
] ++ drv.testFlags or [];
|
||||
}) (doJailbreak super.heist);
|
||||
# https://github.com/hercules-ci/hercules-ci-agent/issues/352
|
||||
hercules-ci-api-agent = assert super.hercules-ci-api-agent.version == "0.4.1.0"; overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"--skip" "/hercules-ci-api/Hercules.API.Agent.Evaluate.EvaluateEvent.DerivationInfo/DerivationInfo/ToJSON/encodes v2 correctly/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) (doJailbreak super.hercules-ci-api-agent);
|
||||
# https://github.com/emc2/HUnit-Plus/issues/26
|
||||
HUnit-Plus = dontCheck super.HUnit-Plus;
|
||||
# https://github.com/ewestern/haskell-postgis/issues/7
|
||||
haskell-postgis = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"--skip" "/Geo/Hexable/Encodes a linestring/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.haskell-postgis;
|
||||
# https://github.com/ChrisPenner/json-to-haskell/issues/5
|
||||
json-to-haskell = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"--match" "/should sanitize weird field and record names/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.json-to-haskell;
|
||||
# https://github.com/fieldstrength/aeson-deriving/issues/5
|
||||
aeson-deriving = dontCheck super.aeson-deriving;
|
||||
# https://github.com/morpheusgraphql/morpheus-graphql/issues/660
|
||||
morpheus-graphql-core = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "!/field.unexpected-value/&&!/field.missing-field/&&!/argument.unexpected-value/&&!/argument.missing-field/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.morpheus-graphql-core;
|
||||
morpheus-graphql = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "!/Test Rendering/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.morpheus-graphql;
|
||||
# https://github.com/SupercedeTech/dropbox-client/issues/1
|
||||
dropbox = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"--skip" "/Dropbox/Dropbox aeson aeson/encodes list folder correctly/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.dropbox;
|
||||
# https://github.com/alonsodomin/haskell-schema/issues/11
|
||||
hschema-aeson = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"--skip" "/toJsonSerializer/should generate valid JSON/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.hschema-aeson;
|
||||
# https://gitlab.com/k0001/xmlbf/-/issues/32
|
||||
xmlbf = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "!/xml: <x b=\"\" a=\"y\"><\\/x>/&&!/xml: <x b=\"z\" a=\"y\"><\\/x>/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.xmlbf;
|
||||
# https://github.com/ssadler/aeson-quick/issues/3
|
||||
aeson-quick = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "!/asLens.set/&&!/complex.set/&&!/multipleKeys.set/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.aeson-quick;
|
||||
# https://github.com/minio/minio-hs/issues/165
|
||||
minio-hs = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "!/Test mkSelectRequest/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.minio-hs;
|
||||
|
||||
# Use latest version until next Stackage LTS snapshot
|
||||
Agda = doDistribute self.Agda_2_6_2_1;
|
||||
# golden files expect an old version of hpack, so tests fail intermittently
|
||||
# TODO: maybe disable golden test suite altogether? this will happen again as
|
||||
# hpack emits its version into the generated files…
|
||||
hpack-dhall = assert super.hpack-dhall.version == "0.5.3"; dontCheck super.hpack-dhall;
|
||||
|
||||
# Invalid CPP in test suite: https://github.com/cdornan/memory-cd/issues/1
|
||||
memory-cd = dontCheck super.memory-cd;
|
||||
|
||||
# https://github.com/andreymulik/sdp/issues/3
|
||||
sdp = disableLibraryProfiling super.sdp;
|
||||
sdp-binary = disableLibraryProfiling super.sdp-binary;
|
||||
sdp-deepseq = disableLibraryProfiling super.sdp-deepseq;
|
||||
sdp-hashable = disableLibraryProfiling super.sdp-hashable;
|
||||
sdp-io = disableLibraryProfiling super.sdp-io;
|
||||
sdp-quickcheck = disableLibraryProfiling super.sdp-quickcheck;
|
||||
sdp4bytestring = disableLibraryProfiling super.sdp4bytestring;
|
||||
sdp4text = disableLibraryProfiling super.sdp4text;
|
||||
sdp4unordered = disableLibraryProfiling super.sdp4unordered;
|
||||
sdp4vector = disableLibraryProfiling super.sdp4vector;
|
||||
|
||||
} // import ./configuration-tensorflow.nix {inherit pkgs haskellLib;} self super
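Review bot: The new test-skip overrides are inconsistent about expiry: `lucid`, `swagger2`, `Unique`, `aeson-casing`, `katip`, `heist`, `hercules-ci-api-agent` and `hpack-dhall` are guarded with `assert super.<pkg>.version == "…";`, while `haskell-postgis`, `json-to-haskell`, `aeson-deriving`, `morpheus-graphql-core`, `morpheus-graphql`, `dropbox`, `hschema-aeson`, `xmlbf`, `aeson-quick`, `minio-hs`, `HUnit-Plus` and `memory-cd` carry only an issue link, so those skips will silently persist after the upstream fixes land. Adding the same guard, e.g. `minio-hs = assert super.minio-hs.version == "<current version>"; overrideCabal (drv: { … }) super.minio-hs;`, keeps them self-expiring like the others. The ordering-sensitivity explanation is stated once above `lucid` ("Upgrade of unordered-containers in Stackage causes ordering-sensitive test to fail"); a short `# see unordered-containers note above` on the later entries, or the reason itself, would help a reader who lands on `dropbox` or `xmlbf` directly, and the entries that disable whole suites (`HUnit-Plus`, `aeson-deriving`, `memory-cd`) would benefit from the dated-comment style already used on `heist` (`# 2021-12-22: …`).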
|
||||
|
@ -117,7 +117,7 @@ self: super: {
|
||||
retry = dontCheck super.retry;
|
||||
|
||||
# Hlint needs >= 3.3.4 for ghc 9 support.
|
||||
hlint = super.hlint_3_3_4;
|
||||
hlint = doDistribute super.hlint_3_3_5;
|
||||
|
||||
# 2021-09-18: ghc-api-compat and ghc-lib-* need >= 9.0.x versions for hls and hlint
|
||||
ghc-api-compat = doDistribute super.ghc-api-compat_9_0_1;
|
||||
@ -128,16 +128,6 @@ self: super: {
|
||||
# 2021-09-18: Need semialign >= 1.2 for correct bounds
|
||||
semialign = super.semialign_1_2_0_1;
|
||||
|
||||
# 2021-09-18: GHC 9 compat release is missing
|
||||
# Issue: https://github.com/obsidiansystems/dependent-sum/issues/65
|
||||
dependent-sum-template = dontCheck (appendPatch
|
||||
(pkgs.fetchpatch {
|
||||
url = "https://github.com/obsidiansystems/dependent-sum/commit/8cf4c7fbc3bfa2be475a17bb7c94a1e1e9a830b5.patch";
|
||||
sha256 = "02wyy0ciicq2x8lw4xxz3x5i4a550mxfidhm2ihh60ni6am498ff";
|
||||
stripLen = 2;
|
||||
extraPrefix = "";
|
||||
}) super.dependent-sum-template);
|
||||
|
||||
# 2021-09-18: cabal2nix does not detect the need for ghc-api-compat.
|
||||
hiedb = overrideCabal (old: {
|
||||
libraryHaskellDepends = old.libraryHaskellDepends ++ [self.ghc-api-compat];
|
||||
|
@ -101,6 +101,19 @@ self: super: {
|
||||
genvalidity-property = self.genvalidity-property_1_0_0_0;
|
||||
genvalidity-hspec = self.genvalidity-hspec_1_0_0_0;
|
||||
ghc-byteorder = doJailbreak super.ghc-byteorder;
|
||||
ghc-exactprint = overrideCabal (drv: {
|
||||
# HACK: ghc-exactprint 1.3.0 is not buildable for GHC < 9.2,
|
||||
# but hackage2nix evaluates the cabal file with GHC 8.10.*,
|
||||
# causing the build-depends to be skipped. Since the dependency
|
||||
# list hasn't changed much since 0.6.4, we can just reuse the
|
||||
# normal expression.
|
||||
inherit (self.ghc-exactprint_1_3_0) src version;
|
||||
revision = null; editedCabalFile = null;
|
||||
libraryHaskellDepends = [
|
||||
self.fail
|
||||
self.ordered-containers
|
||||
] ++ drv.libraryHaskellDepends or [];
|
||||
}) super.ghc-exactprint;
|
||||
ghc-lib = self.ghc-lib_9_2_1_20211101;
|
||||
ghc-lib-parser = self.ghc-lib-parser_9_2_1_20211101;
|
||||
ghc-lib-parser-ex = self.ghc-lib-parser-ex_9_2_0_1;
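Review bot: The `HACK` comment on `ghc-exactprint` explains the mechanism but not its exit condition, and unlike other workarounds in this commit (`# 2021-09-18: …`, `# 2021-12-22: …`) it carries no date; ending it with something like `# Drop once hackage2nix evaluates the cabal file with GHC >= 9.2 or ghc-exactprint_1_3_0 builds as-is.` and a date prefix makes it easy to retire. Also worth a word is why `revision = null; editedCabalFile = null;` is set: `src` and `version` are inherited from the 1.3.0 expression while the Hackage-revision metadata of the base 0.6.4 expression is discarded, presumably because it would no longer match the 1.3.0 tarball — if that is the reason, say so in the comment. The enclosing attribute set continues outside the hunk.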
|
||||
@ -124,6 +137,7 @@ self: super: {
|
||||
quickcheck-instances = super.quickcheck-instances_0_3_27;
|
||||
regex-posix = doJailbreak super.regex-posix;
|
||||
resolv = doJailbreak super.resolv;
|
||||
retrie = doDistribute self.retrie_1_2_0_0;
|
||||
semialign = super.semialign_1_2_0_1;
|
||||
singleton-bool = doJailbreak super.singleton-bool;
|
||||
scientific = doJailbreak super.scientific;
|
||||
@ -210,20 +224,20 @@ self: super: {
|
||||
text-short = dontCheck super.text-short_0_1_4;
|
||||
|
||||
# Use hlint from git for GHC 9.2.1 support
|
||||
hlint = overrideCabal {
|
||||
version = "unstable-2021-12-12";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "ndmitchell";
|
||||
repo = "hlint";
|
||||
rev = "77a9702e10b772a7695c08682cd4f450fd0e9e46";
|
||||
sha256 = "0hpp3iw7m7w2abr8vb86gdz3x6c8lj119zxln933k90ia7bmk8jc";
|
||||
};
|
||||
revision = null;
|
||||
editedCabalFile = null;
|
||||
} (super.hlint_3_3_4.overrideScope (self: super: {
|
||||
ghc-lib-parser = self.ghc-lib-parser_9_2_1_20211101;
|
||||
ghc-lib-parser-ex = self.ghc-lib-parser-ex_9_2_0_1;
|
||||
}));
|
||||
hlint = doDistribute (
|
||||
overrideSrc {
|
||||
version = "unstable-2021-12-12";
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "ndmitchell";
|
||||
repo = "hlint";
|
||||
rev = "77a9702e10b772a7695c08682cd4f450fd0e9e46";
|
||||
sha256 = "0hpp3iw7m7w2abr8vb86gdz3x6c8lj119zxln933k90ia7bmk8jc";
|
||||
};
|
||||
} (super.hlint_3_3_5.overrideScope (self: super: {
|
||||
ghc-lib-parser = self.ghc-lib-parser_9_2_1_20211101;
|
||||
ghc-lib-parser-ex = self.ghc-lib-parser-ex_9_2_0_1;
|
||||
}))
|
||||
);
|
||||
|
||||
# https://github.com/sjakobi/bsb-http-chunked/issues/38
|
||||
bsb-http-chunked = dontCheck super.bsb-http-chunked;
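Review bot: `# Use hlint from git for GHC 9.2.1 support` says why the pin exists but not when it can go; the base is now `super.hlint_3_3_5`, so the obvious retirement condition is a Hackage release newer than 3.3.5 that builds against `ghc-lib-parser_9_2_1_20211101`, and `# Use hlint from git (unstable-2021-12-12) until a Hackage release > 3.3.5 supports GHC 9.2.1` records that. The source pin itself is sound — a full commit `rev` together with `sha256` — so nothing to change there. The enclosing attribute set continues outside the hunk.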
|
||||
|
@ -222,6 +222,7 @@ broken-packages:
|
||||
- assumpta
|
||||
- ast-monad
|
||||
- astrds
|
||||
- astro
|
||||
- async-combinators
|
||||
- async-dejafu
|
||||
- asynchronous-exceptions
|
||||
@ -1557,6 +1558,7 @@ broken-packages:
|
||||
- fused-effects-mwc-random
|
||||
- fused-effects-resumable
|
||||
- fusion
|
||||
- futhark-manifest
|
||||
- futun
|
||||
- future
|
||||
- fuzzy-time-gen
|
||||
@ -1675,6 +1677,7 @@ broken-packages:
|
||||
- gi-gtksheet
|
||||
- gi-handy
|
||||
- gi-json
|
||||
- gingersnap
|
||||
- ginsu
|
||||
- gipeda
|
||||
- giphy-api
|
||||
@ -3187,6 +3190,7 @@ broken-packages:
|
||||
- monad-ste
|
||||
- monad-stlike-io
|
||||
- monad-task
|
||||
- monad-throw-exit
|
||||
- monad-timing
|
||||
- monad-tx
|
||||
- monad-unify
|
||||
@ -3499,6 +3503,8 @@ broken-packages:
|
||||
- opentelemetry-http-client
|
||||
- opentheory-char
|
||||
- opentok
|
||||
- opentracing-jaeger
|
||||
- opentracing-zipkin-v1
|
||||
- opentype
|
||||
- OpenVGRaw
|
||||
- Operads
|
||||
@ -3540,6 +3546,7 @@ broken-packages:
|
||||
- overloaded
|
||||
- overloaded-records
|
||||
- overture
|
||||
- owoify-hs
|
||||
- pack
|
||||
- package-description-remote
|
||||
- package-o-tron
|
||||
@ -3570,6 +3577,7 @@ broken-packages:
|
||||
- pandoc-pyplot
|
||||
- pandoc-unlit
|
||||
- pandoc-utils
|
||||
- pandora-io
|
||||
- pang-a-lambda
|
||||
- pangraph
|
||||
- pan-os-syslog
|
||||
@ -3596,6 +3604,7 @@ broken-packages:
|
||||
- pareto
|
||||
- parochial
|
||||
- Parry
|
||||
- parse
|
||||
- parseargs
|
||||
- parsec2
|
||||
- parsec3
|
||||
@ -3791,8 +3800,9 @@ broken-packages:
|
||||
- polydata-core
|
||||
- polynom
|
||||
- polynomial
|
||||
- polysemy-mocks
|
||||
- polysemy-plugin
|
||||
- polysemy-check
|
||||
- polysemy-http
|
||||
- polysemy-process
|
||||
- polysemy-zoo
|
||||
- polytypeable
|
||||
- pomaps
|
||||
@ -3843,6 +3853,7 @@ broken-packages:
|
||||
- PPrinter
|
||||
- pqc
|
||||
- praglude
|
||||
- prairie
|
||||
- preamble
|
||||
- precis
|
||||
- precursor
|
||||
@ -4370,6 +4381,7 @@ broken-packages:
|
||||
- servant-static-th
|
||||
- servant-streaming
|
||||
- servant-to-elm
|
||||
- servant-tracing
|
||||
- servant-yaml
|
||||
- servant-zeppelin
|
||||
- server-generic
|
||||
@ -4782,6 +4794,7 @@ broken-packages:
|
||||
- syb-with-class-instances-text
|
||||
- sydtest-aeson
|
||||
- sydtest-hedis
|
||||
- sydtest-hspec
|
||||
- sydtest-mongo
|
||||
- sydtest-persistent-postgresql
|
||||
- sydtest-rabbitmq
|
||||
|
@ -67,8 +67,6 @@ core-packages:
|
||||
# tracked in stackage.yaml. Adding conflicting overrides with stackage here will
|
||||
# not work.
|
||||
default-package-overrides:
|
||||
# This was only intended for ghc-7.0.4, and has very old deps, one hidden behind a flag
|
||||
- MissingH ==1.4.2.0
|
||||
# gi-gdkx11-4.x requires gtk-4.x, which is still under development and
|
||||
# not yet available in Nixpkgs
|
||||
- gi-gdkx11 < 4
|
||||
@ -126,6 +124,12 @@ default-package-overrides:
|
||||
- rel8 < 1.2.1.0
|
||||
# 0.14.0.0 drops support for every GHC < 9.0.1
|
||||
- brittany < 0.14
|
||||
# 1.2.0.0: “Dropped support for GHC <9.2 (might readd it later)”
|
||||
- retrie < 1.2.0.0
|
||||
# Compat with polysemy in Stackage LTS 18
|
||||
- polysemy-resume < 0.1.0.2
|
||||
- polysemy-conc < 0.5
|
||||
- polysemy-mocks < 0.2
|
||||
|
||||
extra-packages:
|
||||
- base16-bytestring < 1 # required for cabal-install etc.
|
||||
@ -138,7 +142,6 @@ extra-packages:
|
||||
- dhall == 1.29.0 # required for ats-pkg
|
||||
- dhall == 1.38.1 # required for spago
|
||||
- Diff < 0.4 # required by liquidhaskell-0.8.10.2: https://github.com/ucsd-progsys/liquidhaskell/issues/1729
|
||||
- ghc-tcplugins-extra ==0.3.2 # required for polysemy-plugin 0.2.5.0
|
||||
- haddock == 2.23.* # required on GHC < 8.10.x
|
||||
- haddock-api == 2.23.* # required on GHC < 8.10.x
|
||||
- haddock-library ==1.7.* # required by stylish-cabal-0.5.0.0
|
||||
@ -279,6 +282,7 @@ package-maintainers:
|
||||
- Unique
|
||||
maralorn:
|
||||
- cabal-fmt
|
||||
- ema
|
||||
- generic-optics
|
||||
- ghcup
|
||||
- ghcid
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Stackage LTS 18.18
|
||||
# Stackage LTS 18.19
|
||||
# This file is auto-generated by
|
||||
# maintainers/scripts/haskell/update-stackage.sh
|
||||
default-package-overrides:
|
||||
@ -33,7 +33,7 @@ default-package-overrides:
|
||||
- aeson-with ==0.1.2.0
|
||||
- aeson-yak ==0.1.1.3
|
||||
- aeson-yaml ==1.1.0.1
|
||||
- Agda ==2.6.2
|
||||
- Agda ==2.6.2.1
|
||||
- agda2lagda ==0.2021.6.1
|
||||
- al ==0.1.4.2
|
||||
- alarmclock ==0.7.0.5
|
||||
@ -142,10 +142,10 @@ default-package-overrides:
|
||||
- amqp ==0.22.0
|
||||
- amqp-utils ==0.6.3.2
|
||||
- annotated-wl-pprint ==0.7.0
|
||||
- ansi-terminal ==0.11
|
||||
- ansi-terminal ==0.11.1
|
||||
- ansi-wl-pprint ==0.6.9
|
||||
- ANum ==0.2.0.2
|
||||
- apecs ==0.9.3
|
||||
- apecs ==0.9.4
|
||||
- apecs-gloss ==0.2.4
|
||||
- apecs-physics ==0.4.5
|
||||
- api-field-json-th ==0.1.0.2
|
||||
@ -263,7 +263,7 @@ default-package-overrides:
|
||||
- bits ==0.5.3
|
||||
- bitset-word8 ==0.1.1.2
|
||||
- bits-extra ==0.0.2.0
|
||||
- bitvec ==1.1.1.0
|
||||
- bitvec ==1.1.2.0
|
||||
- bitwise-enum ==1.0.1.0
|
||||
- blake2 ==0.3.0
|
||||
- blanks ==0.5.0
|
||||
@ -301,10 +301,10 @@ default-package-overrides:
|
||||
- btrfs ==0.2.0.0
|
||||
- buffer-builder ==0.2.4.7
|
||||
- buffer-pipe ==0.0
|
||||
- bugsnag-haskell ==0.0.4.1
|
||||
- bugsnag-haskell ==0.0.4.2
|
||||
- bugsnag-hs ==0.2.0.7
|
||||
- bugzilla-redhat ==0.3.3
|
||||
- burrito ==1.2.0.3
|
||||
- burrito ==1.2.0.4
|
||||
- butcher ==1.3.3.2
|
||||
- buttplug-hs-core ==0.1.0.1
|
||||
- bv ==0.5
|
||||
@ -320,7 +320,7 @@ default-package-overrides:
|
||||
- bytestring-conversion ==0.3.1
|
||||
- bytestring-lexing ==0.5.0.8
|
||||
- bytestring-mmap ==0.2.2
|
||||
- bytestring-strict-builder ==0.4.5.4
|
||||
- bytestring-strict-builder ==0.4.5.5
|
||||
- bytestring-to-vector ==0.3.0.1
|
||||
- bytestring-tree-builder ==0.2.7.9
|
||||
- bz2 ==1.0.1.0
|
||||
@ -358,7 +358,7 @@ default-package-overrides:
|
||||
- cassava-megaparsec ==2.0.4
|
||||
- cast ==0.1.0.2
|
||||
- category ==0.2.5.0
|
||||
- cayley-client ==0.4.16
|
||||
- cayley-client ==0.4.17
|
||||
- cborg ==0.2.6.0
|
||||
- cborg-json ==0.2.3.0
|
||||
- cdar-mBound ==0.1.0.4
|
||||
@ -399,7 +399,7 @@ default-package-overrides:
|
||||
- clash-ghc ==1.4.6
|
||||
- clash-lib ==1.4.6
|
||||
- clash-prelude ==1.4.6
|
||||
- classy-prelude ==1.5.0
|
||||
- classy-prelude ==1.5.0.2
|
||||
- classy-prelude-conduit ==1.5.0
|
||||
- clay ==0.13.3
|
||||
- clientsession ==0.9.1.2
|
||||
@ -442,7 +442,7 @@ default-package-overrides:
|
||||
- concise ==0.1.0.1
|
||||
- concurrency ==1.11.0.2
|
||||
- concurrent-extra ==0.7.0.12
|
||||
- concurrent-output ==1.10.12
|
||||
- concurrent-output ==1.10.14
|
||||
- concurrent-split ==0.0.1.1
|
||||
- concurrent-supply ==0.1.8
|
||||
- cond ==0.4.1.1
|
||||
@ -455,7 +455,7 @@ default-package-overrides:
|
||||
- conduit-parse ==0.2.1.0
|
||||
- conduit-zstd ==0.0.2.0
|
||||
- conferer ==1.1.0.0
|
||||
- conferer-aeson ==1.1.0.1
|
||||
- conferer-aeson ==1.1.0.2
|
||||
- conferer-hspec ==1.1.0.0
|
||||
- conferer-warp ==1.1.0.0
|
||||
- config-ini ==0.2.4.0
|
||||
@ -490,7 +490,7 @@ default-package-overrides:
|
||||
- crackNum ==3.1
|
||||
- crc32c ==0.0.0
|
||||
- credential-store ==0.1.2
|
||||
- criterion ==1.5.11.0
|
||||
- criterion ==1.5.12.0
|
||||
- criterion-measurement ==0.1.3.0
|
||||
- cron ==0.7.0
|
||||
- crypto-api ==0.13.3
|
||||
@ -523,8 +523,8 @@ default-package-overrides:
|
||||
- curl ==1.3.8
|
||||
- currencies ==0.2.0.0
|
||||
- currency ==0.2.0.0
|
||||
- cursor ==0.3.0.0
|
||||
- cursor-brick ==0.1.0.0
|
||||
- cursor ==0.3.2.0
|
||||
- cursor-brick ==0.1.0.1
|
||||
- cursor-fuzzy-time ==0.0.0.0
|
||||
- cursor-gen ==0.3.0.0
|
||||
- cutter ==0.0
|
||||
@ -548,7 +548,7 @@ default-package-overrides:
|
||||
- data-default-instances-old-locale ==0.0.1
|
||||
- data-diverse ==4.7.0.0
|
||||
- datadog ==0.2.5.0
|
||||
- data-dword ==0.3.2
|
||||
- data-dword ==0.3.2.1
|
||||
- data-endian ==0.1.1
|
||||
- data-fix ==0.3.2
|
||||
- data-forest ==0.1.0.9
|
||||
@ -584,7 +584,7 @@ default-package-overrides:
|
||||
- dense-linear-algebra ==0.1.0.0
|
||||
- dependent-map ==0.4.0.0
|
||||
- dependent-sum ==0.7.1.0
|
||||
- dependent-sum-template ==0.1.0.3
|
||||
- dependent-sum-template ==0.1.1.1
|
||||
- depq ==0.4.2
|
||||
- deque ==0.4.4
|
||||
- deriveJsonNoPrefix ==0.1.0.1
|
||||
@ -595,7 +595,7 @@ default-package-overrides:
|
||||
- dhall ==1.39.0
|
||||
- dhall-bash ==1.0.37
|
||||
- dhall-json ==1.7.7
|
||||
- dhall-lsp-server ==1.0.16
|
||||
- dhall-lsp-server ==1.0.17
|
||||
- dhall-yaml ==1.2.7
|
||||
- diagrams-solve ==0.1.3
|
||||
- dialogflow-fulfillment ==0.1.1.4
|
||||
@ -614,7 +614,6 @@ default-package-overrides:
|
||||
- distributed-closure ==0.4.2.0
|
||||
- distribution-opensuse ==1.1.1
|
||||
- distributive ==0.6.2.1
|
||||
- dl-fedora ==0.9.2
|
||||
- dlist ==1.0
|
||||
- dlist-instances ==0.1.1.1
|
||||
- dlist-nonempty ==0.1.1
|
||||
@ -658,7 +657,7 @@ default-package-overrides:
|
||||
- edit-distance ==0.2.2.1
|
||||
- edit-distance-vector ==1.0.0.4
|
||||
- editor-open ==0.6.0.0
|
||||
- egison ==4.1.2
|
||||
- egison ==4.1.3
|
||||
- egison-pattern-src ==0.2.1.2
|
||||
- egison-pattern-src-th-mode ==0.2.1.2
|
||||
- either ==5.0.1.1
|
||||
@ -721,7 +720,7 @@ default-package-overrides:
|
||||
- exception-hierarchy ==0.1.0.4
|
||||
- exception-mtl ==0.4.0.1
|
||||
- exceptions ==0.10.4
|
||||
- exception-transformers ==0.4.0.10
|
||||
- exception-transformers ==0.4.0.11
|
||||
- exception-via ==0.1.0.0
|
||||
- executable-path ==0.0.3.1
|
||||
- exit-codes ==1.0.0
|
||||
@ -760,7 +759,7 @@ default-package-overrides:
|
||||
- file-embed-lzma ==0
|
||||
- filelock ==0.1.1.5
|
||||
- filemanip ==0.3.6.3
|
||||
- filepath-bytestring ==1.4.2.1.8
|
||||
- filepath-bytestring ==1.4.2.1.9
|
||||
- file-path-th ==0.1.0.0
|
||||
- filepattern ==0.1.2
|
||||
- fileplow ==0.1.0.0
|
||||
@ -785,7 +784,7 @@ default-package-overrides:
|
||||
- flexible-defaults ==0.0.3
|
||||
- FloatingHex ==0.5
|
||||
- floatshow ==0.2.4
|
||||
- flow ==1.0.22
|
||||
- flow ==1.0.23
|
||||
- flush-queue ==1.0.0
|
||||
- fmlist ==0.9.4
|
||||
- fmt ==0.6.3.0
|
||||
@ -886,7 +885,7 @@ default-package-overrides:
|
||||
- ghc-byteorder ==4.11.0.0.10
|
||||
- ghc-check ==0.5.0.6
|
||||
- ghc-core ==0.5.6
|
||||
- ghc-events ==0.17.0
|
||||
- ghc-events ==0.17.0.1
|
||||
- ghc-exactprint ==0.6.4
|
||||
- ghcid ==0.8.7
|
||||
- ghci-hexcalc ==0.1.1.0
|
||||
@ -900,11 +899,11 @@ default-package-overrides:
|
||||
- ghc-source-gen ==0.4.2.0
|
||||
- ghc-syntax-highlighter ==0.0.6.0
|
||||
- ghc-tcplugins-extra ==0.4.2
|
||||
- ghc-trace-events ==0.1.2.3
|
||||
- ghc-trace-events ==0.1.2.4
|
||||
- ghc-typelits-extra ==0.4.3
|
||||
- ghc-typelits-knownnat ==0.7.6
|
||||
- ghc-typelits-natnormalise ==0.7.6
|
||||
- ghc-typelits-presburger ==0.6.1.0
|
||||
- ghc-typelits-presburger ==0.6.2.0
|
||||
- ghost-buster ==0.1.1.0
|
||||
- gi-atk ==2.0.23
|
||||
- gi-cairo ==1.0.25
|
||||
@ -919,7 +918,7 @@ default-package-overrides:
|
||||
- gi-gobject ==2.0.26
|
||||
- gi-graphene ==1.0.3
|
||||
- gi-gtk ==3.0.37
|
||||
- gi-gtk-hs ==0.3.11
|
||||
- gi-gtk-hs ==0.3.12
|
||||
- gi-harfbuzz ==0.0.4
|
||||
- ginger ==0.10.1.0
|
||||
- gingersnap ==0.3.1.0
|
||||
@ -945,7 +944,7 @@ default-package-overrides:
|
||||
- goldplate ==0.2.0
|
||||
- google-isbn ==1.0.3
|
||||
- gopher-proxy ==0.1.1.2
|
||||
- gothic ==0.1.7
|
||||
- gothic ==0.1.8
|
||||
- gpolyline ==0.1.0.1
|
||||
- graph-core ==0.3.0.0
|
||||
- graphite ==0.10.0.1
|
||||
@ -1011,7 +1010,7 @@ default-package-overrides:
|
||||
- hasql-transaction ==1.0.1
|
||||
- hasty-hamiltonian ==1.3.4
|
||||
- HaTeX ==3.22.3.0
|
||||
- HaXml ==1.25.7
|
||||
- HaXml ==1.25.8
|
||||
- haxr ==3000.11.4.1
|
||||
- HCodecs ==0.5.2
|
||||
- hdaemonize ==0.5.6
|
||||
@ -1046,7 +1045,7 @@ default-package-overrides:
|
||||
- highlighting-kate ==0.6.4
|
||||
- hinfo ==0.0.3.0
|
||||
- hinotify ==0.4.1
|
||||
- hint ==0.9.0.4
|
||||
- hint ==0.9.0.5
|
||||
- hjsmin ==0.2.0.4
|
||||
- hkd-default ==1.1.0.0
|
||||
- hkgr ==0.3
|
||||
@ -1072,7 +1071,7 @@ default-package-overrides:
|
||||
- hnock ==0.4.0
|
||||
- hoauth2 ==1.16.0
|
||||
- hoogle ==5.0.18.2
|
||||
- hOpenPGP ==2.9.5
|
||||
- hOpenPGP ==2.9.7
|
||||
- hopenpgp-tools ==0.23.6
|
||||
- hopenssl ==2.2.4
|
||||
- hopfli ==0.2.2.1
|
||||
@ -1082,7 +1081,7 @@ default-package-overrides:
|
||||
- hourglass ==0.2.12
|
||||
- hourglass-orphans ==0.1.0.0
|
||||
- hp2pretty ==0.10
|
||||
- hpack ==0.34.5
|
||||
- hpack ==0.34.6
|
||||
- hpack-dhall ==0.5.3
|
||||
- hpc-codecov ==0.3.0.0
|
||||
- hpc-lcov ==1.0.1
|
||||
@ -1158,12 +1157,12 @@ default-package-overrides:
|
||||
- http-common ==0.8.3.4
|
||||
- http-conduit ==2.3.8
|
||||
- http-date ==0.0.11
|
||||
- http-directory ==0.1.8
|
||||
- http-directory ==0.1.9
|
||||
- http-download ==0.2.0.0
|
||||
- httpd-shed ==0.4.1.1
|
||||
- http-link-header ==1.2.1
|
||||
- http-media ==0.8.0.0
|
||||
- http-query ==0.1.0.1
|
||||
- http-query ==0.1.1
|
||||
- http-reverse-proxy ==0.6.0
|
||||
- http-streams ==0.8.9.4
|
||||
- http-types ==0.12.3
|
||||
@ -1214,7 +1213,7 @@ default-package-overrides:
|
||||
- ieee754 ==0.8.0
|
||||
- if ==0.1.0.0
|
||||
- iff ==0.0.6
|
||||
- ihaskell ==0.10.2.1
|
||||
- ihaskell ==0.10.2.2
|
||||
- ihs ==0.1.0.3
|
||||
- ilist ==0.4.0.1
|
||||
- imagesize-conduit ==1.1
|
||||
@ -1233,7 +1232,7 @@ default-package-overrides:
|
||||
- indexed-traversable-instances ==0.1
|
||||
- infer-license ==0.2.0
|
||||
- inflections ==0.4.0.6
|
||||
- influxdb ==1.9.2.1
|
||||
- influxdb ==1.9.2.2
|
||||
- ini ==0.4.1
|
||||
- inj ==1.0
|
||||
- inline-c ==0.9.1.5
|
||||
@ -1246,7 +1245,7 @@ default-package-overrides:
|
||||
- instance-control ==0.1.2.0
|
||||
- int-cast ==0.2.0.0
|
||||
- integer-logarithms ==1.0.3.1
|
||||
- integer-roots ==1.0.1.0
|
||||
- integer-roots ==1.0.2.0
|
||||
- integration ==0.2.1
|
||||
- intern ==0.9.4
|
||||
- interpolate ==0.2.1
|
||||
@ -1272,7 +1271,7 @@ default-package-overrides:
|
||||
- iproute ==1.7.12
|
||||
- IPv6Addr ==2.0.3
|
||||
- ipynb ==0.1.0.2
|
||||
- ipython-kernel ==0.10.2.1
|
||||
- ipython-kernel ==0.10.2.2
|
||||
- irc ==0.6.1.0
|
||||
- irc-client ==1.1.2.2
|
||||
- irc-conduit ==0.3.0.5
|
||||
@ -1310,11 +1309,11 @@ default-package-overrides:
|
||||
- JuicyPixels-scale-dct ==0.1.2
|
||||
- junit-xml ==0.1.0.2
|
||||
- justified-containers ==0.3.0.0
|
||||
- jwt ==0.10.0
|
||||
- jwt ==0.10.1
|
||||
- kan-extensions ==5.2.3
|
||||
- kanji ==3.4.1
|
||||
- katip ==0.8.7.0
|
||||
- katip-logstash ==0.1.0.0
|
||||
- katip-logstash ==0.1.0.2
|
||||
- kawhi ==0.3.0
|
||||
- kazura-queue ==0.1.0.4
|
||||
- kdt ==0.2.4
|
||||
@ -1345,7 +1344,7 @@ default-package-overrides:
|
||||
- language-javascript ==0.7.1.0
|
||||
- language-protobuf ==1.0.1
|
||||
- language-python ==0.5.8
|
||||
- language-thrift ==0.12.0.0
|
||||
- language-thrift ==0.12.0.1
|
||||
- lapack ==0.3.2
|
||||
- lapack-carray ==0.0.3
|
||||
- lapack-comfort-array ==0.0.1
|
||||
@ -1378,7 +1377,7 @@ default-package-overrides:
|
||||
- lens-regex-pcre ==1.1.0.0
|
||||
- lenz ==0.4.2.0
|
||||
- leveldb-haskell ==0.6.5
|
||||
- libBF ==0.6.2
|
||||
- libBF ==0.6.3
|
||||
- libffi ==0.1
|
||||
- libgit ==0.3.1
|
||||
- libgraph ==1.14
|
||||
@ -1404,7 +1403,7 @@ default-package-overrides:
|
||||
- list-predicate ==0.1.0.1
|
||||
- listsafe ==0.1.0.1
|
||||
- list-singleton ==1.0.0.5
|
||||
- list-t ==1.0.5
|
||||
- list-t ==1.0.5.1
|
||||
- list-transformer ==1.0.7
|
||||
- ListTree ==0.2.3
|
||||
- literatex ==0.1.0.2
|
||||
@ -1423,7 +1422,7 @@ default-package-overrides:
|
||||
- logging-facade ==0.3.1
|
||||
- logging-facade-syslog ==1
|
||||
- logict ==0.7.1.0
|
||||
- logstash ==0.1.0.1
|
||||
- logstash ==0.1.0.3
|
||||
- loop ==0.3.0
|
||||
- lrucache ==1.2.0.1
|
||||
- lrucaching ==0.3.3
|
||||
@ -1445,7 +1444,7 @@ default-package-overrides:
|
||||
- mainland-pretty ==0.7.1
|
||||
- main-tester ==0.2.0.1
|
||||
- makefile ==1.1.0.0
|
||||
- managed ==1.0.8
|
||||
- managed ==1.0.9
|
||||
- MapWith ==0.2.0.0
|
||||
- markdown ==0.1.17.5
|
||||
- markdown-unlit ==0.5.1
|
||||
@ -1582,7 +1581,7 @@ default-package-overrides:
|
||||
- murmur3 ==1.0.5
|
||||
- murmur-hash ==0.1.0.10
|
||||
- MusicBrainz ==0.4.1
|
||||
- mustache ==2.3.1
|
||||
- mustache ==2.3.2
|
||||
- mutable-containers ==0.3.4
|
||||
- mwc-probability ==2.3.1
|
||||
- mwc-random ==0.15.0.2
|
||||
@ -1664,7 +1663,7 @@ default-package-overrides:
|
||||
- ObjectName ==1.1.0.2
|
||||
- o-clock ==1.2.1
|
||||
- odbc ==0.2.5
|
||||
- oeis2 ==1.0.5
|
||||
- oeis2 ==1.0.6
|
||||
- ofx ==0.4.4.0
|
||||
- old-locale ==1.0.0.7
|
||||
- old-time ==1.1.0.3
|
||||
@ -1779,7 +1778,7 @@ default-package-overrides:
|
||||
- pipes-attoparsec ==0.5.1.5
|
||||
- pipes-binary ==0.4.3
|
||||
- pipes-bytestring ==2.1.7
|
||||
- pipes-concurrency ==2.0.12
|
||||
- pipes-concurrency ==2.0.14
|
||||
- pipes-csv ==1.4.3
|
||||
- pipes-extras ==1.0.15
|
||||
- pipes-fastx ==0.3.0.0
|
||||
@ -1823,7 +1822,7 @@ default-package-overrides:
|
||||
- postgrest ==7.0.1
|
||||
- post-mess-age ==0.2.1.0
|
||||
- pptable ==0.3.0.0
|
||||
- pqueue ==1.4.1.3
|
||||
- pqueue ==1.4.1.4
|
||||
- prairie ==0.0.1.0
|
||||
- prefix-units ==0.2.0
|
||||
- prelude-compat ==0.0.0.2
|
||||
@ -1854,7 +1853,7 @@ default-package-overrides:
|
||||
- probability ==0.2.7
|
||||
- process-extras ==0.7.4
|
||||
- product-isomorphic ==0.0.3.3
|
||||
- product-profunctors ==0.11.0.2
|
||||
- product-profunctors ==0.11.0.3
|
||||
- profiterole ==0.1
|
||||
- profunctors ==5.6.2
|
||||
- projectroot ==0.2.0.1
|
||||
@ -1876,7 +1875,7 @@ default-package-overrides:
|
||||
- protolude ==0.3.0
|
||||
- proxied ==0.3.1
|
||||
- psqueues ==0.2.7.3
|
||||
- ptr-poker ==0.1.1.4
|
||||
- ptr-poker ==0.1.2.3
|
||||
- publicsuffix ==0.20200526
|
||||
- pulse-simple ==0.1.14
|
||||
- pureMD5 ==2.1.4
|
||||
@ -1945,7 +1944,7 @@ default-package-overrides:
|
||||
- read-env-var ==1.0.0.0
|
||||
- reanimate ==1.1.4.0
|
||||
- reanimate-svg ==0.13.0.1
|
||||
- rebase ==1.13.1
|
||||
- rebase ==1.13.2
|
||||
- record-dot-preprocessor ==0.2.13
|
||||
- record-hasfield ==1.0
|
||||
- records-sop ==0.1.1.0
|
||||
@ -1961,8 +1960,8 @@ default-package-overrides:
|
||||
- reform-hamlet ==0.0.5.3
|
||||
- reform-happstack ==0.2.5.4
|
||||
- RefSerialize ==0.4.0
|
||||
- ref-tf ==0.5
|
||||
- regex ==1.1.0.0
|
||||
- ref-tf ==0.5.0.1
|
||||
- regex ==1.1.0.1
|
||||
- regex-applicative ==0.3.4
|
||||
- regex-applicative-text ==0.1.0.1
|
||||
- regex-base ==0.94.0.2
|
||||
@ -1973,15 +1972,15 @@ default-package-overrides:
|
||||
- regex-posix ==0.96.0.1
|
||||
- regex-posix-clib ==2.7
|
||||
- regex-tdfa ==1.3.1.1
|
||||
- regex-with-pcre ==1.1.0.0
|
||||
- registry ==0.2.0.3
|
||||
- regex-with-pcre ==1.1.0.1
|
||||
- registry ==0.2.1.0
|
||||
- reinterpret-cast ==0.1.0
|
||||
- relapse ==1.0.0.0
|
||||
- relational-query ==0.12.3.0
|
||||
- relational-query-HDBC ==0.7.2.0
|
||||
- relational-record ==0.2.2.0
|
||||
- relational-schemas ==0.1.8.0
|
||||
- reliable-io ==0.0.1
|
||||
- reliable-io ==0.0.2
|
||||
- relude ==0.7.0.0
|
||||
- renderable ==0.2.0.1
|
||||
- replace-attoparsec ==1.4.5.0
|
||||
@ -1989,7 +1988,7 @@ default-package-overrides:
|
||||
- repline ==0.4.0.0
|
||||
- req ==3.9.0
|
||||
- req-conduit ==1.0.1
|
||||
- rerebase ==1.13.1
|
||||
- rerebase ==1.13.2
|
||||
- rescue ==0.4.2.1
|
||||
- resistor-cube ==0.0.1.2
|
||||
- resolv ==0.1.2.0
|
||||
@ -2030,7 +2029,7 @@ default-package-overrides:
|
||||
- safe-exceptions ==0.1.7.2
|
||||
- safe-foldable ==0.1.0.0
|
||||
- safeio ==0.0.5.0
|
||||
- safe-json ==1.1.1.1
|
||||
- safe-json ==1.1.2.0
|
||||
- safe-money ==0.9.1
|
||||
- SafeSemaphore ==0.10.1
|
||||
- safe-tensor ==0.2.1.1
|
||||
@ -2107,7 +2106,7 @@ default-package-overrides:
|
||||
- servant-machines ==0.15.1
|
||||
- servant-multipart ==0.12.1
|
||||
- servant-multipart-api ==0.12.1
|
||||
- servant-openapi3 ==2.0.1.2
|
||||
- servant-openapi3 ==2.0.1.3
|
||||
- servant-pipes ==0.15.3
|
||||
- servant-rawm ==1.0.0.0
|
||||
- servant-server ==0.18.3
|
||||
@ -2195,7 +2194,7 @@ default-package-overrides:
|
||||
- sourcemap ==0.1.6.1
|
||||
- sox ==0.2.3.1
|
||||
- soxlib ==0.0.3.1
|
||||
- spacecookie ==1.0.0.0
|
||||
- spacecookie ==1.0.0.1
|
||||
- sparse-linear-algebra ==0.3.1
|
||||
- sparse-tensor ==0.2.1.5
|
||||
- spatial-math ==0.5.0.1
|
||||
@ -2237,7 +2236,7 @@ default-package-overrides:
|
||||
- stm-split ==0.0.2.1
|
||||
- stopwatch ==0.1.0.6
|
||||
- storable-complex ==0.2.3.0
|
||||
- storable-endian ==0.2.6
|
||||
- storable-endian ==0.2.6.1
|
||||
- storable-record ==0.0.5
|
||||
- storable-tuple ==0.0.3.3
|
||||
- storablevector ==0.2.13.1
|
||||
@ -2249,7 +2248,7 @@ default-package-overrides:
|
||||
- streaming ==0.2.3.0
|
||||
- streaming-attoparsec ==1.0.0.1
|
||||
- streaming-bytestring ==0.2.1
|
||||
- streaming-commons ==0.2.2.2
|
||||
- streaming-commons ==0.2.2.3
|
||||
- streamly ==0.7.3
|
||||
- streams ==3.3
|
||||
- streamt ==0.5.0.0
|
||||
@ -2314,7 +2313,7 @@ default-package-overrides:
|
||||
- tar ==0.5.1.1
|
||||
- tar-conduit ==0.3.2
|
||||
- tardis ==0.4.3.0
|
||||
- tasty ==1.4.2
|
||||
- tasty ==1.4.2.1
|
||||
- tasty-ant-xml ==1.1.8
|
||||
- tasty-bench ==0.2.5
|
||||
- tasty-dejafu ==2.0.0.8
|
||||
@ -2331,7 +2330,7 @@ default-package-overrides:
|
||||
- tasty-leancheck ==0.0.2
|
||||
- tasty-lua ==0.2.3.2
|
||||
- tasty-program ==1.0.5
|
||||
- tasty-quickcheck ==0.10.1.2
|
||||
- tasty-quickcheck ==0.10.2
|
||||
- tasty-rerun ==1.1.18
|
||||
- tasty-silver ==3.2.3
|
||||
- tasty-smallcheck ==0.8.2
|
||||
@ -2358,7 +2357,7 @@ default-package-overrides:
|
||||
- test-framework-smallcheck ==0.2
|
||||
- test-fun ==0.1.0.0
|
||||
- testing-type-modifiers ==0.1.0.1
|
||||
- texmath ==0.12.3.2
|
||||
- texmath ==0.12.3.3
|
||||
- text-ansi ==0.1.1
|
||||
- text-binary ==0.2.1.1
|
||||
- text-builder ==0.6.6.3
|
||||
@ -2394,7 +2393,7 @@ default-package-overrides:
|
||||
- th-expand-syns ==0.4.8.0
|
||||
- th-extras ==0.0.0.5
|
||||
- th-lift ==0.8.2
|
||||
- th-lift-instances ==0.1.18
|
||||
- th-lift-instances ==0.1.19
|
||||
- th-nowq ==0.1.0.5
|
||||
- th-orphans ==0.13.12
|
||||
- th-printf ==0.7
|
||||
@ -2430,7 +2429,7 @@ default-package-overrides:
|
||||
- tinylog ==0.15.0
|
||||
- titlecase ==1.0.1
|
||||
- tldr ==0.9.2
|
||||
- tls ==1.5.5
|
||||
- tls ==1.5.6
|
||||
- tls-debug ==0.4.8
|
||||
- tls-session-manager ==0.0.4
|
||||
- tlynx ==0.5.1.1
|
||||
@ -2465,7 +2464,7 @@ default-package-overrides:
|
||||
- turtle ==1.5.23
|
||||
- typecheck-plugin-nat-simple ==0.1.0.2
|
||||
- TypeCompose ==0.9.14
|
||||
- typed-process ==0.2.7.0
|
||||
- typed-process ==0.2.8.0
|
||||
- typed-uuid ==0.1.0.0
|
||||
- type-equality ==1
|
||||
- type-errors ==0.2.0.0
|
||||
@ -2477,7 +2476,7 @@ default-package-overrides:
|
||||
- type-level-numbers ==0.1.1.1
|
||||
- typelits-witnesses ==0.4.0.0
|
||||
- type-map ==0.1.6.0
|
||||
- type-natural ==1.1.0.0
|
||||
- type-natural ==1.1.0.1
|
||||
- typenums ==0.1.4
|
||||
- type-of-html ==1.6.2.0
|
||||
- type-of-html-static ==0.1.0.2
|
||||
@ -2487,7 +2486,7 @@ default-package-overrides:
|
||||
- tzdata ==0.2.20201021.0
|
||||
- ua-parser ==0.7.6.0
|
||||
- uglymemo ==0.1.0.1
|
||||
- unagi-chan ==0.4.1.3
|
||||
- unagi-chan ==0.4.1.4
|
||||
- unbounded-delays ==0.1.1.1
|
||||
- unboxed-ref ==0.4.0.0
|
||||
- unboxing-vector ==0.2.0.0
|
||||
@ -2528,7 +2527,7 @@ default-package-overrides:
|
||||
- unliftio-pool ==0.2.1.1
|
||||
- unliftio-streams ==0.1.1.1
|
||||
- unlit ==0.4.0.0
|
||||
- unordered-containers ==0.2.15.0
|
||||
- unordered-containers ==0.2.16.0
|
||||
- unsafe ==0.0
|
||||
- urbit-hob ==0.3.3
|
||||
- uri-bytestring ==0.3.3.1
|
||||
@ -2553,7 +2552,7 @@ default-package-overrides:
|
||||
- validity-persistent ==0.0.0.0
|
||||
- validity-primitive ==0.0.0.1
|
||||
- validity-scientific ==0.2.0.3
|
||||
- validity-text ==0.3.1.1
|
||||
- validity-text ==0.3.1.2
|
||||
- validity-time ==0.4.0.0
|
||||
- validity-unordered-containers ==0.2.0.3
|
||||
- validity-uuid ==0.1.0.3
|
||||
@ -2577,7 +2576,7 @@ default-package-overrides:
|
||||
- vector-split ==1.0.0.2
|
||||
- vector-th-unbox ==0.2.2
|
||||
- verbosity ==0.4.0.0
|
||||
- versions ==5.0.0
|
||||
- versions ==5.0.1
|
||||
- vformat ==0.14.1.0
|
||||
- vformat-aeson ==0.1.0.1
|
||||
- vformat-time ==0.1.0.0
|
||||
@ -2594,7 +2593,7 @@ default-package-overrides:
|
||||
- wai-extra ==3.1.7
|
||||
- wai-feature-flags ==0.1.0.2
|
||||
- wai-handler-launch ==3.0.3.1
|
||||
- wai-logger ==2.3.6
|
||||
- wai-logger ==2.3.7
|
||||
- wai-middleware-auth ==0.2.5.1
|
||||
- wai-middleware-caching ==0.1.0.2
|
||||
- wai-middleware-clacks ==0.1.0.1
|
||||
@ -2624,12 +2623,12 @@ default-package-overrides:
|
||||
- weigh ==0.0.16
|
||||
- wide-word ==0.1.1.2
|
||||
- wikicfp-scraper ==0.1.0.12
|
||||
- wild-bind ==0.1.2.7
|
||||
- wild-bind-x11 ==0.2.0.13
|
||||
- wild-bind ==0.1.2.8
|
||||
- wild-bind-x11 ==0.2.0.14
|
||||
- Win32 ==2.6.2.1
|
||||
- Win32-notify ==0.3.0.3
|
||||
- windns ==0.1.0.1
|
||||
- witch ==0.3.4.0
|
||||
- witch ==0.3.4.1
|
||||
- witherable ==0.4.2
|
||||
- within ==0.2.0.1
|
||||
- with-location ==0.1.0
|
||||
@ -2650,9 +2649,9 @@ default-package-overrides:
|
||||
- writer-cps-mtl ==0.1.1.6
|
||||
- writer-cps-transformers ==0.5.6.1
|
||||
- wss-client ==0.3.0.0
|
||||
- wuss ==1.1.18
|
||||
- wuss ==1.1.19
|
||||
- X11 ==1.10.2
|
||||
- X11-xft ==0.3.1
|
||||
- X11-xft ==0.3.4
|
||||
- x11-xim ==0.0.9.0
|
||||
- x509 ==1.7.5
|
||||
- x509-store ==1.6.7
|
||||
|
@ -650,7 +650,6 @@ dont-distribute-packages:
|
||||
- cakyrespa
|
||||
- cal3d-examples
|
||||
- cal3d-opengl
|
||||
- calamity-commands
|
||||
- calc
|
||||
- calculator
|
||||
- caldims
|
||||
@ -930,6 +929,7 @@ dont-distribute-packages:
|
||||
- delta
|
||||
- delta-h
|
||||
- dep-t-advice
|
||||
- dep-t-dynamic
|
||||
- dependent-literals-plugin
|
||||
- dependent-state
|
||||
- dephd
|
||||
@ -1087,6 +1087,7 @@ dont-distribute-packages:
|
||||
- falling-turnip
|
||||
- fallingblocks
|
||||
- family-tree
|
||||
- fast-bech32
|
||||
- fastirc
|
||||
- fault-tree
|
||||
- fbrnch
|
||||
@ -1514,6 +1515,7 @@ dont-distribute-packages:
|
||||
- hedgehog-gen-json
|
||||
- hedis-pile
|
||||
- heist-aeson
|
||||
- helic
|
||||
- helics
|
||||
- helics-wai
|
||||
- helium
|
||||
@ -2250,6 +2252,7 @@ dont-distribute-packages:
|
||||
- numhask-range
|
||||
- numhask-test
|
||||
- nymphaea
|
||||
- oath
|
||||
- obd
|
||||
- obdd
|
||||
- oberon0
|
||||
@ -2375,18 +2378,9 @@ dont-distribute-packages:
|
||||
- polh-lexicon
|
||||
- polydata
|
||||
- polysemy-RandomFu
|
||||
- polysemy-check
|
||||
- polysemy-conc
|
||||
- polysemy-http
|
||||
- polysemy-log
|
||||
- polysemy-log-co
|
||||
- polysemy-log-di
|
||||
- polysemy-methodology-co-log
|
||||
- polysemy-optics
|
||||
- polysemy-process
|
||||
- polysemy-readline
|
||||
- polysemy-resume
|
||||
- polysemy-webserver
|
||||
- polyseq
|
||||
- polytypeable-utils
|
||||
- pomodoro
|
||||
@ -3080,6 +3074,7 @@ dont-distribute-packages:
|
||||
- typed-encoding-encoding
|
||||
- typed-spreadsheet
|
||||
- typed-streams
|
||||
- typelet
|
||||
- typelevel
|
||||
- typelevel-rewrite-rules
|
||||
- typescript-docs
|
||||
|
@ -718,9 +718,13 @@ self: super: builtins.intersectAttrs super {
|
||||
postgresql-pure = dontCheck super.postgresql-pure;
|
||||
|
||||
retrie = overrideCabal (drv: {
|
||||
testToolDepends = [ pkgs.git pkgs.mercurial ];
|
||||
testToolDepends = [ pkgs.git pkgs.mercurial ] ++ drv.testToolDepends or [];
|
||||
}) super.retrie;
|
||||
|
||||
retrie_1_2_0_0 = overrideCabal (drv: {
|
||||
testToolDepends = [ pkgs.git pkgs.mercurial ] ++ drv.testToolDepends or [];
|
||||
}) super.retrie_1_2_0_0;
|
||||
|
||||
nix-output-monitor = overrideCabal {
|
||||
# Can't ran the golden-tests with nix, because they call nix
|
||||
testTarget = "unit-tests";
|
||||
@ -1037,4 +1041,11 @@ self: super: builtins.intersectAttrs super {
|
||||
})
|
||||
] ++ (drv.patches or []);
|
||||
}) super.graphviz;
|
||||
|
||||
# Test case tries to contact the network
|
||||
http-api-data-qq = overrideCabal (drv: {
|
||||
testFlags = [
|
||||
"-p" "!/Can be used with http-client/"
|
||||
] ++ drv.testFlags or [];
|
||||
}) super.http-api-data-qq;
|
||||
}
|
||||
|
3061
pkgs/development/haskell-modules/hackage-packages.nix
generated
3061
pkgs/development/haskell-modules/hackage-packages.nix
generated
@ -1,5 +1,6 @@
|
||||
{ stdenv
|
||||
, lib
|
||||
, buildPackages
|
||||
, fetchFromGitLab
|
||||
, removeReferencesTo
|
||||
, python3
|
||||
@ -171,12 +172,17 @@ let
|
||||
|
||||
postInstall = ''
|
||||
mkdir $out/nix-support
|
||||
pushd $lib/share/pipewire
|
||||
for f in *.conf; do
|
||||
echo "Generating JSON from $f"
|
||||
$out/bin/spa-json-dump "$f" > "$out/nix-support/$f.json"
|
||||
done
|
||||
popd
|
||||
${if (stdenv.hostPlatform == stdenv.buildPlatform) then ''
|
||||
pushd $lib/share/pipewire
|
||||
for f in *.conf; do
|
||||
echo "Generating JSON from $f"
|
||||
|
||||
$out/bin/spa-json-dump "$f" > "$out/nix-support/$f.json"
|
||||
done
|
||||
popd
|
||||
'' else ''
|
||||
cp ${buildPackages.pipewire}/nix-support/*.json "$out/nix-support"
|
||||
''}
|
||||
|
||||
moveToOutput "share/systemd/user/pipewire-pulse.*" "$pulse"
|
||||
moveToOutput "lib/systemd/user/pipewire-pulse.*" "$pulse"
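Review bot: The cross-compilation branch (`cp ${buildPackages.pipewire}/nix-support/*.json "$out/nix-support"`) reuses dumps generated from a different derivation's `*.conf` files, and nothing in the hunk checks that the build-platform pipewire was built from the same version and configuration as this one; if the two diverge (an override applied on one side only), the JSON shipped here silently describes the wrong configuration. The branch deserves a comment stating that assumption, e.g. `# spa-json-dump is built for the host and presumably cannot run here; reuse the dumps of the build-platform pipewire, which must match this derivation's configuration`. A cheap guard would be to compare `$lib/share/pipewire/*.conf` against the build-platform copies and fail on mismatch rather than copying blindly. The `postInstall` string appears to continue past the hunk.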
|
||||
|
@ -2,13 +2,13 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "qtstyleplugin-kvantum-qt4";
|
||||
version = "0.20.1";
|
||||
version = "0.20.2";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "tsujan";
|
||||
repo = "Kvantum";
|
||||
rev = "V${version}";
|
||||
sha256 = "sha256-sY2slI9ZVuEurBIEaJMxUiKiUNXx+h7UEwEZKKr7R2Y=";
|
||||
sha256 = "sha256-aIhLrGKb8iPl8N483+EOaCrTua96Qvl2lc2UXRiqvJA=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ qmake4Hook ];
|
||||
|
@ -2,11 +2,11 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "deep-translator";
|
||||
version = "1.5.5";
|
||||
version = "1.6.0";
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "sha256-XARhzRsquvKcdhPcooGIEmhGN7QJOCubcvOrZB0nhxU=";
|
||||
sha256 = "sha256-B/SnLSaCRVhQvSU2hmdKPswM2N73nHAzQfVNBMgCofI=";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [
|
||||
|
@ -3,11 +3,11 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "django_compressor";
|
||||
version = "2.4.1";
|
||||
version = "3.1";
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "3358077605c146fdcca5f9eaffb50aa5dbe15f238f8854679115ebf31c0415e0";
|
||||
sha256 = "c4a87bf65f9a534cfaf1c321a000a229c24e50c6d62ba6ab089482db42e819d9";
|
||||
};
|
||||
postPatch = ''
|
||||
substituteInPlace setup.py \
|
||||
|
@ -8,7 +8,7 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "flux-led";
|
||||
version = "0.27.13";
|
||||
version = "0.27.17";
|
||||
format = "setuptools";
|
||||
|
||||
disabled = pythonOlder "3.7";
|
||||
@ -17,7 +17,7 @@ buildPythonPackage rec {
|
||||
owner = "Danielhiversen";
|
||||
repo = "flux_led";
|
||||
rev = version;
|
||||
sha256 = "sha256-lOfEEMHuhTfti7NYeZpXc+jeYQMJd/EnvT1oHByaCbw=";
|
||||
sha256 = "sha256-cb1QbGeOudxLOxU4aEVWYOzCrZ+xFl8F5qHVJdOhPlg=";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [
|
||||
|
@ -10,12 +10,12 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "jupyterlab";
|
||||
version = "3.2.4";
|
||||
version = "3.2.5";
|
||||
disabled = pythonOlder "3.5";
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "f692e0d95338d60f72dde660f16f3955a087775c59ec541ddb25952e3f97e9b1";
|
||||
sha256 = "31b28f473b0f5826d2020583973c385526f0559b5b26efac6b8035ac1562874a";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ jupyter-packaging ];
|
||||
|
45
pkgs/development/python-modules/nitransforms/default.nix
Normal file
45
pkgs/development/python-modules/nitransforms/default.nix
Normal file
@ -0,0 +1,45 @@
|
||||
{ lib
|
||||
, buildPythonPackage
|
||||
, fetchPypi
|
||||
, pythonOlder
|
||||
, h5py
|
||||
, nibabel
|
||||
, numpy
|
||||
, setuptools-scm
|
||||
, toml
|
||||
}:
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "nitransforms";
|
||||
version = "21.0.0";
|
||||
disabled = pythonOlder "3.7";
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "njJqHqXVxldyGfmdM8GmgKdgIT4kMYLzcM5+ayR2EDo=";
|
||||
};
|
||||
|
||||
buildInputs = [ setuptools-scm toml ];
|
||||
propagatedBuildInputs = [ h5py nibabel numpy ];
|
||||
|
||||
doCheck = false;
|
||||
# relies on data repo (https://github.com/nipreps-data/nitransforms-tests);
|
||||
# probably too heavy
|
||||
pythonImportsCheck = [
|
||||
"nitransforms"
|
||||
"nitransforms.base"
|
||||
"nitransforms.io"
|
||||
"nitransforms.io.base"
|
||||
"nitransforms.linear"
|
||||
"nitransforms.manip"
|
||||
"nitransforms.nonlinear"
|
||||
"nitransforms.patched"
|
||||
];
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://nitransforms.readthedocs.io";
|
||||
description = "Geometric transformations for images and surfaces";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ bcdarwin ];
|
||||
};
|
||||
}
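Review bot: `setuptools-scm` and `toml` are build-time tooling but are listed in `buildInputs` (`buildInputs = [ setuptools-scm toml ];`); for a pure-Python package the nixpkgs convention is `nativeBuildInputs = [ setuptools-scm toml ];`, which also keeps them out of the runtime closure. The explanatory comment for `doCheck = false;` sits below the line it explains, so move it above: `# tests rely on the nitransforms-tests data repo (https://github.com/nipreps-data/nitransforms-tests); probably too heavy` followed by `doCheck = false;`. The `sha256` value looks like an SRI digest with its `sha256-` prefix dropped; it is accepted, but `hash = "sha256-njJq…";` would make the format explicit.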
|
@ -17,7 +17,7 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "openai";
|
||||
version = "0.11.4";
|
||||
version = "0.11.5";
|
||||
|
||||
disabled = pythonOlder "3.7.1";
|
||||
|
||||
@ -26,7 +26,7 @@ buildPythonPackage rec {
|
||||
owner = "openai";
|
||||
repo = "openai-python";
|
||||
rev = "v${version}";
|
||||
sha256 = "O2O4+GkyMyAxJqMNgiyPKoSXeJk0HGAst02QV6c9mJs=";
|
||||
sha256 = "sha256-6eL3/vDWyIOVjRQo4OO3OgyUG3t8dKPtxzMMTxPCglM=";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [
|
||||
|
@ -17,7 +17,7 @@ let
|
||||
in
|
||||
buildPythonPackage rec {
|
||||
pname = "panel";
|
||||
version = "0.12.5";
|
||||
version = "0.12.6";
|
||||
|
||||
# Don't forget to also update the node packages
|
||||
# 1. retrieve the package.json file
|
||||
@ -25,7 +25,7 @@ buildPythonPackage rec {
|
||||
# 3. node2nix
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "351481f2a2176359b28effa64c9d9fce487d6758514109cab96f9ed84787ae99";
|
||||
sha256 = "97e158e8eb941f88d71929407f9455c903b5e18d89969db8ce8af66036f46b53";
|
||||
};
|
||||
|
||||
# Since 0.10.0 panel attempts to fetch from the web.
|
||||
|
@ -6,12 +6,12 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "phonenumbers";
|
||||
version = "8.12.39";
|
||||
version = "8.12.40";
|
||||
format = "setuptools";
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "0f7745e1f108654db347d885e814cbb5f225b8c5f5ce336024b193c79291ddaa";
|
||||
sha256 = "00f2955a456b458f9b6ab0d24329049c3e7358c44dfc1979fe4908ced40f1eb8";
|
||||
};
|
||||
|
||||
checkInputs = [
|
||||
|
@ -11,7 +11,7 @@
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "pycarwings2";
|
||||
version = "2.12";
|
||||
version = "2.13";
|
||||
format = "setuptools";
|
||||
|
||||
disabled = pythonOlder "3.5";
|
||||
@ -20,8 +20,8 @@ buildPythonPackage rec {
|
||||
owner = "filcole";
|
||||
repo = pname;
|
||||
# release not tagged: https://github.com/filcole/pycarwings2/issues/33
|
||||
rev = "0dc9e7e74cb119614c72c7f955801a366f303c56";
|
||||
sha256 = "sha256-3lyAgLuaNrCDvRT2yYkgaDiLPKW9Hbg05cQlMIBUs6o=";
|
||||
rev = "v${version}";
|
||||
sha256 = "04k1la7wix6sp668nqpwdhd3057b2bzcz7h2b9a57cxlifl8pjxf";
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [
|
||||
|
@ -1,16 +1,14 @@
|
||||
{ lib, substituteAll, buildPythonPackage, fetchFromGitHub
|
||||
{ lib, substituteAll, buildPythonPackage, fetchPypi
|
||||
, pandoc, texlive
|
||||
}:
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "pypandoc";
|
||||
version = "1.7.0";
|
||||
version = "1.7.2";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "NicklasTegner";
|
||||
repo = pname;
|
||||
rev = "v${version}";
|
||||
sha256 = "00r88qcvc9jpi8jvd6rpizz9gm33aq8hc3mf8lrarrjiq2fsxmk9";
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
sha256 = "1wk8jxnysb7sa55zhxx5brylv00ivamqbk1b4lbzi58ziij08p03";
|
||||
};
|
||||
|
||||
patches = [
|
||||
|
48
pkgs/games/nanosaur/default.nix
Normal file
48
pkgs/games/nanosaur/default.nix
Normal file
@ -0,0 +1,48 @@
|
||||
{ lib, stdenv, fetchFromGitHub, SDL2, cmake, makeWrapper }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "nanosaur";
|
||||
version = "unstable-2021-12-03";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "jorio";
|
||||
repo = pname;
|
||||
rev = "b567a3e6d7fd1cbc43800cfaa1bd82f31c6d9fae";
|
||||
sha256 = "sha256-P/o6uSwUV6O8u8XNXN9YyA8XlgEUkqGj3SC+oD2/GKQ=";
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
|
||||
buildInputs = [
|
||||
SDL2
|
||||
cmake
|
||||
makeWrapper
|
||||
];
|
||||
|
||||
configurePhase = ''
|
||||
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
|
||||
'';
|
||||
|
||||
buildPhase = ''
|
||||
cmake --build build
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mv build $out
|
||||
makeWrapper $out/Nanosaur $out/bin/Nanosaur --run "cd $out"
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "A port of Nanosaur, a 1998 Macintosh game by Pangea Software, for modern operating systems";
|
||||
longDescription = ''
|
||||
Nanosaur is a 1998 Macintosh game by Pangea Software.
|
||||
In it, you’re a cybernetic dinosaur from the future who’s sent back in time 20 minutes before a giant asteroid hits the Earth.
|
||||
And you get to shoot at T-Rexes with nukes.
|
||||
'';
|
||||
homepage = "https://github.com/jorio/Nanosaur";
|
||||
license = with licenses; [
|
||||
cc-by-sa-40
|
||||
];
|
||||
maintainers = with maintainers; [ lux ];
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
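Review bot: `cmake` and `makeWrapper` are build-time tools and belong in `nativeBuildInputs`, not `buildInputs`; as written the derivation is not cross-compilable, and the hand-written `configurePhase`/`buildPhase` duplicate what the cmake setup hook already does (including `-DCMAKE_BUILD_TYPE=Release`). `mv build $out` also ships the entire build tree (object files, `CMakeCache.txt` with store paths) as the package, and `--run "cd $out"` starts the game inside the read-only store, so anything it writes relative to its working directory will fail — presumably the game looks for its data directory next to the binary, which is worth saying in a comment. I would let the hooks configure and build and keep only an install step; the cmake hook leaves the shell inside the build directory, so the move has to step out first (confirm against the hook's behaviour).
```nix
nativeBuildInputs = [ cmake makeWrapper ];
buildInputs = [ SDL2 ];

# … unchanged: src …

# configurePhase/buildPhase dropped: the cmake setup hook configures ./build
# with -DCMAKE_BUILD_TYPE=Release and builds it
installPhase = ''
  cd ..            # the hook leaves us inside the build directory
  mv build $out
  # presumably the game expects its data files next to the binary, hence the cd
  makeWrapper $out/Nanosaur $out/bin/Nanosaur --run "cd $out"
'';
```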
|
@ -2,13 +2,13 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "vkquake";
|
||||
version = "1.12.1";
|
||||
version = "1.12.2";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "Novum";
|
||||
repo = "vkQuake";
|
||||
rev = version;
|
||||
sha256 = "sha256-D6JtYhR+bkYYm4yuipNrsonziDGiDWICEohy4Mgdr+0=";
|
||||
sha256 = "sha256-+AUSsqarDW40JKgDUIF3G9RNOKqQLuQHOGF23L8anPQ=";
|
||||
};
|
||||
|
||||
sourceRoot = "source/Quake";
|
||||
|
@ -3,21 +3,23 @@
|
||||
, fetchFromGitHub
|
||||
, cmake
|
||||
, wrapQtAppsHook
|
||||
, SDL2
|
||||
, qtbase
|
||||
, qtmultimedia
|
||||
, boost17x
|
||||
, libpulseaudio
|
||||
, pkg-config
|
||||
, libusb1
|
||||
, zstd
|
||||
, libressl
|
||||
, alsa-lib
|
||||
, rapidjson
|
||||
, aacHleDecoding ? true
|
||||
, fdk_aac
|
||||
, ffmpeg-full
|
||||
, enableSdl2 ? true, SDL2
|
||||
, enableQt ? true, qtbase, qtmultimedia
|
||||
, enableQtTranslation ? enableQt, qttools
|
||||
, enableWebService ? true
|
||||
, enableCubeb ? true, libpulseaudio
|
||||
, enableFfmpegAudioDecoder ? true
|
||||
, enableFfmpegVideoDumper ? true
|
||||
, ffmpeg
|
||||
, useDiscordRichPresence ? true, rapidjson
|
||||
, enableFdk ? false, fdk_aac
|
||||
}:
|
||||
assert lib.assertMsg (!enableFfmpegAudioDecoder || !enableFdk) "Can't enable both enableFfmpegAudioDecoder and enableFdk";
|
||||
|
||||
stdenv.mkDerivation {
|
||||
pname = "citra";
|
||||
@ -31,36 +33,43 @@ stdenv.mkDerivation {
|
||||
fetchSubmodules = true;
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ cmake wrapQtAppsHook pkg-config ];
|
||||
nativeBuildInputs = [
|
||||
cmake
|
||||
pkg-config
|
||||
]
|
||||
++ lib.optionals enableQt [ wrapQtAppsHook ];
|
||||
|
||||
buildInputs = [
|
||||
SDL2
|
||||
qtbase
|
||||
qtmultimedia
|
||||
libpulseaudio
|
||||
boost17x
|
||||
libusb1
|
||||
alsa-lib
|
||||
rapidjson # for discord-rpc
|
||||
] ++ lib.optional aacHleDecoding [ fdk_aac ffmpeg-full ];
|
||||
]
|
||||
++ lib.optionals enableSdl2 [ SDL2 ]
|
||||
++ lib.optionals enableQt [ qtbase qtmultimedia ]
|
||||
++ lib.optionals enableQtTranslation [ qttools ]
|
||||
++ lib.optionals enableCubeb [ libpulseaudio ]
|
||||
++ lib.optionals (enableFfmpegAudioDecoder || enableFfmpegVideoDumper) [ ffmpeg ]
|
||||
++ lib.optionals useDiscordRichPresence [ rapidjson ]
|
||||
++ lib.optionals enableFdk [ fdk_aac ];
|
||||
|
||||
cmakeFlags = [
|
||||
"-DUSE_SYSTEM_BOOST=ON"
|
||||
"-DUSE_DISCORD_PRESENCE=ON"
|
||||
] ++ lib.optionals aacHleDecoding [
|
||||
"-DENABLE_FFMPEG_AUDIO_DECODER=ON"
|
||||
"-DCITRA_USE_BUNDLED_FFMPEG=OFF"
|
||||
];
|
||||
]
|
||||
++ lib.optionals (!enableSdl2) [ "-DENABLE_SDL2=OFF" ]
|
||||
++ lib.optionals (!enableQt) [ "-DENABLE_QT=OFF" ]
|
||||
++ lib.optionals enableQtTranslation [ "-DENABLE_QT_TRANSLATION=ON" ]
|
||||
++ lib.optionals (!enableWebService) [ "-DENABLE_WEB_SERVICE=OFF" ]
|
||||
++ lib.optionals (!enableCubeb) [ "-DENABLE_CUBEB=OFF" ]
|
||||
++ lib.optionals enableFfmpegAudioDecoder [ "-DENABLE_FFMPEG_AUDIO_DECODER=ON"]
|
||||
++ lib.optionals enableFfmpegVideoDumper [ "-DENABLE_FFMPEG_VIDEO_DUMPER=ON" ]
|
||||
++ lib.optionals useDiscordRichPresence [ "-DUSE_DISCORD_PRESENCE=ON" ]
|
||||
++ lib.optionals enableFdk [ "-DENABLE_FDK=ON" ];
|
||||
|
||||
postPatch = ''
|
||||
# we already know the submodules are present
|
||||
# We already know the submodules are present
|
||||
substituteInPlace CMakeLists.txt \
|
||||
--replace "check_submodules_present()" ""
|
||||
|
||||
# Trick configure system.
|
||||
sed -n 's,^ *path = \(.*\),\1,p' .gitmodules | while read path; do
|
||||
mkdir "$path/.git"
|
||||
done
|
||||
|
||||
# Devendoring
|
||||
rm -rf externals/zstd externals/libressl
|
||||
cp -r ${zstd.src} externals/zstd
|
||||
tar xf ${libressl.src} -C externals/
|
||||
@ -69,6 +78,7 @@ stdenv.mkDerivation {
|
||||
'';
|
||||
|
||||
# Todo: cubeb audio backend (the default one) doesn't work on the SDL interface.
|
||||
# This seems to be a problem with libpulseaudio, other applications have similar problems (e.g Duckstation).
|
||||
# Note that the two interfaces have two separate configuration files.
|
||||
|
||||
meta = with lib; {
|
||||
|
@ -2818,6 +2818,18 @@ final: prev:
|
||||
meta.homepage = "https://github.com/JuliaEditorSupport/julia-vim/";
|
||||
};
|
||||
|
||||
kanagawa-nvim = buildVimPluginFrom2Nix {
|
||||
pname = "kanagawa.nvim";
|
||||
version = "2021-12-25";
|
||||
src = fetchFromGitHub {
|
||||
owner = "rebelot";
|
||||
repo = "kanagawa.nvim";
|
||||
rev = "10bccb5e8e8530725c8059df2e6852fb01842d1c";
|
||||
sha256 = "15jji03qvpbyfk1bpc9b31rbkklfzdnhmnld4cr5ydjmz1fd5fzb";
|
||||
};
|
||||
meta.homepage = "https://github.com/rebelot/kanagawa.nvim/";
|
||||
};
|
||||
|
||||
kommentary = buildVimPluginFrom2Nix {
|
||||
pname = "kommentary";
|
||||
version = "2021-12-03";
|
||||
|
@ -642,6 +642,7 @@ rbong/vim-flog
|
||||
rcarriga/nvim-dap-ui
|
||||
rcarriga/nvim-notify
|
||||
rcarriga/vim-ultest
|
||||
rebelot/kanagawa.nvim
|
||||
rhysd/clever-f.vim
|
||||
rhysd/committia.vim
|
||||
rhysd/conflict-marker.vim
|
||||
|
@ -8,6 +8,8 @@
|
||||
, esbuild
|
||||
, pkg-config
|
||||
, libsecret
|
||||
, stdenv
|
||||
, darwin
|
||||
, setDefaultServerPath ? true
|
||||
}:
|
||||
|
||||
@ -40,6 +42,9 @@ let
|
||||
jq moreutils esbuild
|
||||
# Required by `keytar`, which is a dependency of `vsce`.
|
||||
pkg-config libsecret
|
||||
] ++ lib.optionals stdenv.isDarwin [
|
||||
darwin.apple_sdk.frameworks.AppKit
|
||||
darwin.apple_sdk.frameworks.Security
|
||||
];
|
||||
|
||||
# Follows https://github.com/rust-analyzer/rust-analyzer/blob/41949748a6123fd6061eb984a47f4fe780525e63/xtask/src/dist.rs#L39-L65
|
||||
|
@ -5,13 +5,13 @@
|
||||
|
||||
stdenvNoCC.mkDerivation rec {
|
||||
pname = "sof-firmware";
|
||||
version = "1.9.3";
|
||||
version = "2.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "thesofproject";
|
||||
repo = "sof-bin";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-mQGwc0nwjku9ZxcFy8H4QiBLETkAeyqYvFzBHtK8/DY=";
|
||||
sha256 = "sha256-pDxNcDe/l1foFYuHB0w3YZidKIeH6h0IuwRmMzeMteE=";
|
||||
};
|
||||
|
||||
dontFixup = true; # binaries must not be stripped or patchelfed
|
||||
|
53
pkgs/tools/archivers/torrent7z/default.nix
Normal file
53
pkgs/tools/archivers/torrent7z/default.nix
Normal file
@ -0,0 +1,53 @@
|
||||
{ lib, stdenv, fetchFromGitHub, fetchpatch, ncurses }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "torrent7z";
|
||||
version = "1.3";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "BubblesInTheTub";
|
||||
repo = pname;
|
||||
rev = version;
|
||||
sha256 = "Y2tr0+z9uij4Ifi6FfWRN24BwcDXUZKVLkLtKUiVjU4=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
(fetchpatch {
|
||||
name = "fix-gcc10-compilation.patch"; # Fix compilation on GCC 10. This patch is included on the latest commit
|
||||
url =
|
||||
"https://github.com/paulyc/torrent7z/commit/5958f42a364c430b3ed4ac68911bbbea1f967fc4.patch";
|
||||
sha256 = "vJOv1sG9XwTvvxQiWew0H5ALoUb9wIAouzTsTvKHuPI=";
|
||||
})
|
||||
];
|
||||
|
||||
buildInputs = [ ncurses ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postPatch = ''
|
||||
# Remove non-free RAR source code
|
||||
# (see DOC/License.txt, https://fedoraproject.org/wiki/Licensing:Unrar)
|
||||
rm -r linux_src/p7zip_4.65/CPP/7zip/Compress/Rar*
|
||||
find . -name makefile'*' -exec sed -i '/Rar/d' {} +
|
||||
'';
|
||||
|
||||
preConfigure = ''
|
||||
mkdir linux_src/p7zip_4.65/bin
|
||||
cd linux_src/p7zip_4.65/CPP/7zip/Bundles/Alone
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
cp ../../../../bin/t7z $out/bin
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://github.com/BubblesInTheTub/torrent7z";
|
||||
description = "A fork of torrent7z, viz a derivative of 7zip that produces invariant .7z archives for torrenting";
|
||||
platforms = platforms.linux;
|
||||
maintainers = with maintainers; [ cirno-999 ];
|
||||
mainProgram = "t7z";
|
||||
# RAR code is under non-free UnRAR license, but we remove it
|
||||
license = licenses.gpl3Only;
|
||||
};
|
||||
}
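Review bot: `hardeningDisable = [ "format" ];` turns off the format-string hardening (`-Werror=format-security` and friends) for a tool whose whole job is parsing attacker-supplied archives, and the file gives no reason for it; at minimum add a comment naming what fails to build, e.g. `# TODO: the vendored p7zip uses non-literal printf format strings; patch them instead of disabling the check`, and preferably fix the offending calls the way the GCC 10 patch already fixes compilation. The vendored `p7zip_4.65` under `linux_src/` is a 2009-era release and presumably lacks the later 7-Zip/p7zip parser fixes; if that cannot be remedied, a `meta.knownVulnerabilities` entry or at least a comment should say so rather than leaving it implicit. The `fetchpatch` is taken from a different fork (`paulyc/torrent7z`) than `src` (`BubblesInTheTub/torrent7z`); the hash pins it, but a one-line comment on why that fork's commit is used would help the next maintainer.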
|
@ -24,12 +24,12 @@ let
|
||||
|
||||
in stdenv.mkDerivation rec {
|
||||
pname = "ghidra";
|
||||
version = "10.1";
|
||||
versiondate = "20211210";
|
||||
version = "10.1.1";
|
||||
versiondate = "20211221";
|
||||
|
||||
src = fetchzip {
|
||||
url = "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_${version}_build/ghidra_${version}_PUBLIC_${versiondate}.zip";
|
||||
sha256 = "0b4wn2nwxp96dpg3xpabqh74xxv0fhwmqq04wgfjgdh6bavqk86b";
|
||||
sha256 = "1aib24hjfavy31vq0pasbzix9lpqrb90m3hp4n0iakg6ck8jcl5r";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [
|
||||
|
@ -14,11 +14,11 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "crowdin-cli";
|
||||
version = "3.7.2";
|
||||
version = "3.7.4";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/crowdin/${pname}/releases/download/${version}/${pname}.zip";
|
||||
sha256 = "sha256-7p+Di4GcztwzybJTcFXlun15NFYbJN8eGmJ0y9bify0=";
|
||||
sha256 = "sha256-zsd95dkKzuhqtWFwc84tjZ05MnzE25UvfF459gfp+lA=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ installShellFiles makeWrapper unzip ];
|
||||
|
@ -11,7 +11,11 @@ stdenv.mkDerivation rec {
|
||||
|
||||
outputs = [ "out" "man" ];
|
||||
|
||||
makeFlags = [ "TREE=\$(out)" "MANTREE=\$(TREE)/share/man" ];
|
||||
makeFlags = [
|
||||
"TREE=\$(out)"
|
||||
"MANTREE=\$(TREE)/share/man"
|
||||
"CC=${stdenv.cc.targetPrefix}cc"
|
||||
];
|
||||
|
||||
preBuild = ''
|
||||
sed -e "s@/bin/mv@$(type -P mv)@" -i replace.h
|
||||
|
@ -10270,6 +10270,8 @@ with pkgs;
|
||||
|
||||
touchegg = callPackage ../tools/inputmethods/touchegg { };
|
||||
|
||||
torrent7z = callPackage ../tools/archivers/torrent7z { };
|
||||
|
||||
torsocks = callPackage ../tools/security/tor/torsocks.nix { };
|
||||
|
||||
toss = callPackage ../tools/networking/toss { };
|
||||
@ -27169,6 +27171,7 @@ with pkgs;
|
||||
inherit (mopidyPackages)
|
||||
mopidy
|
||||
mopidy-iris
|
||||
mopidy-jellyfin
|
||||
mopidy-local
|
||||
mopidy-moped
|
||||
mopidy-mopify
|
||||
@ -30705,6 +30708,8 @@ with pkgs;
|
||||
|
||||
naev = callPackage ../games/naev { };
|
||||
|
||||
nanosaur = callPackage ../games/nanosaur { };
|
||||
|
||||
nethack = callPackage ../games/nethack { };
|
||||
|
||||
nethack-qt = callPackage ../games/nethack {
|
||||
|
@ -6312,6 +6312,13 @@ let
|
||||
url = "mirror://cpan/authors/id/R/RI/RIBASUSHI/DBIx-Class-0.082842.tar.gz";
|
||||
sha256 = "1rh7idjjbibc1zmiaaarask434lh0lx7f2xyfwmy37k9fa0xcpmh";
|
||||
};
|
||||
patches = [
|
||||
# https://github.com/Perl5/DBIx-Class/pull/141
|
||||
(fetchpatch {
|
||||
url = "https://github.com/Perl5/DBIx-Class/commit/fb896701d23fa4da622b5b1b2afbbba3da2dd8f3.patch";
|
||||
sha256 = "sha256-MSbV9UfHu90NCdC5IFwuy/vpSDw4atfellYh7Ydvkm4=";
|
||||
})
|
||||
];
|
||||
buildInputs = [ DBDSQLite TestDeep TestException TestWarn ];
|
||||
propagatedBuildInputs = [ ClassAccessorGrouped ClassC3Componentised ConfigAny ContextPreserve DBI DataDumperConcise DataPage DevelGlobalDestruction ModuleFind PathClass SQLAbstractClassic ScopeGuard SubName namespaceclean ];
|
||||
meta = {
|
||||
|
@ -5296,6 +5296,8 @@ in {
|
||||
|
||||
nitpick = callPackage ../applications/version-management/nitpick { };
|
||||
|
||||
nitransforms = callPackage ../development/python-modules/nitransforms { };
|
||||
|
||||
nix-kernel = callPackage ../development/python-modules/nix-kernel {
|
||||
inherit (pkgs) nix;
|
||||
};
|
||||
|
@ -52,6 +52,7 @@ let
|
||||
ghc884
|
||||
ghc8107
|
||||
ghc901
|
||||
ghc921
|
||||
];
|
||||
|
||||
# packagePlatforms applied to `haskell.packages.*`
|
||||
@ -304,20 +305,28 @@ let
|
||||
# and to confirm that critical packages for the
|
||||
# package sets (like Cabal, jailbreak-cabal) are
|
||||
# working as expected.
|
||||
cabal-install = released ++ [ compilerNames.ghc921 ];
|
||||
Cabal_3_6_2_0 = released ++ [ compilerNames.ghc921 ];
|
||||
cabal2nix = released ++ [ compilerNames.ghc921 ];
|
||||
cabal2nix-unstable = released ++ [ compilerNames.ghc921 ];
|
||||
funcmp = released ++ [ compilerNames.ghc921 ];
|
||||
haskell-language-server = released;
|
||||
hoogle = released ++ [ compilerNames.ghc921 ];
|
||||
hlint = released ++ [ compilerNames.ghc921 ];
|
||||
hsdns = released ++ [ compilerNames.ghc921 ];
|
||||
jailbreak-cabal = released ++ [ compilerNames.ghc921 ];
|
||||
language-nix = released ++ [ compilerNames.ghc921 ];
|
||||
nix-paths = released ++ [ compilerNames.ghc921 ];
|
||||
titlecase = released ++ [ compilerNames.ghc921 ];
|
||||
ghc-api-compat = released;
|
||||
cabal-install = released;
|
||||
Cabal_3_6_2_0 = released;
|
||||
cabal2nix = released;
|
||||
cabal2nix-unstable = released;
|
||||
funcmp = released;
|
||||
haskell-language-server = [
|
||||
compilerNames.ghc884
|
||||
compilerNames.ghc8107
|
||||
compilerNames.ghc901
|
||||
];
|
||||
hoogle = released;
|
||||
hlint = released;
|
||||
hsdns = released;
|
||||
jailbreak-cabal = released;
|
||||
language-nix = released;
|
||||
nix-paths = released;
|
||||
titlecase = released;
|
||||
ghc-api-compat = [
|
||||
compilerNames.ghc884
|
||||
compilerNames.ghc8107
|
||||
compilerNames.ghc901
|
||||
];
|
||||
})
|
||||
{
|
||||
mergeable = pkgs.releaseTools.aggregate {
|
||||
|