Merge branch 'staging-next' into staging

Minor conflicts; I hope I didn't mess up:
	pkgs/development/tools/misc/binutils/default.nix
	pkgs/games/openjk/default.nix
Vladimír Čunát 2022-04-14 09:50:48 +02:00
commit d5d94127fd
No known key found for this signature in database
GPG Key ID: E747DF1F9575A3AA
425 changed files with 11759 additions and 6081 deletions

@ -1043,7 +1043,7 @@ You can also specify a `runtimeDependencies` variable which lists dependencies t
In certain situations you may want to run the main command (`autoPatchelf`) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the `dontAutoPatchelf` environment variable to a non-empty value.
By default `autoPatchelf` will fail as soon as any ELF file requires a dependency which cannot be resolved via the given build inputs. In some situations you might prefer to just leave missing dependencies unpatched and continue to patch the rest. This can be achieved by setting the `autoPatchelfIgnoreMissingDeps` environment variable to a non-empty value.
By default `autoPatchelf` will fail as soon as any ELF file requires a dependency which cannot be resolved via the given build inputs. In some situations you might prefer to just leave missing dependencies unpatched and continue to patch the rest. This can be achieved by setting the `autoPatchelfIgnoreMissingDeps` environment variable to a non-empty value. `autoPatchelfIgnoreMissingDeps` can be set to a list like `autoPatchelfIgnoreMissingDeps = [ "libcuda.so.1" "libcudart.so.1" ];` or to simply `[ "*" ]` to ignore all missing dependencies.
The `autoPatchelf` command also recognizes a `--no-recurse` command line flag, which prevents it from recursing into subdirectories.
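
Review bot: The added sentence on `autoPatchelfIgnoreMissingDeps` keeps the earlier wording, so the paragraph now says both that any non-empty value enables the behaviour and that the variable is a list of library names or `[ "*" ]`. State which forms are accepted and whether a plain non-empty value still ignores everything. It is also worth saying that `[ "*" ]` hides dependencies that were expected to resolve, so an explicit list is the safer form to recommend.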

@ -4714,6 +4714,12 @@
githubId = 343415;
name = "Greg Roodt";
};
grnnja = {
email = "grnnja@gmail.com";
github = "grnnja";
githubId = 31556469;
name = "Prem Netsuwan";
};
gruve-p = {
email = "groestlcoin@gmail.com";
github = "gruve-p";
@ -9945,6 +9951,12 @@
fingerprint = "2CD2 B030 BD22 32EF DF5A 008A 3618 20A4 5DB4 1E9A";
}];
};
podocarp = {
email = "xdjiaxd@gmail.com";
github = "podocarp";
githubId = 10473184;
name = "Jia Xiaodong";
};
polendri = {
email = "paul@ijj.li";
github = "polendri";
@ -10204,6 +10216,12 @@
githubId = 115877;
name = "Kenny Shen";
};
quag = {
email = "quaggy@gmail.com";
github = "quag";
githubId = 35086;
name = "Jonathan Wright";
};
queezle = {
email = "git@queezle.net";
github = "qzle";
@ -11528,6 +11546,12 @@
githubId = 2770647;
name = "Simon Vandel Sillesen";
};
sir4ur0n = {
email = "sir4ur0n@users.noreply.github.com";
github = "sir4ur0n";
githubId = 1204125;
name = "sir4ur0n";
};
siraben = {
email = "bensiraphob@gmail.com";
matrix = "@siraben:matrix.org";
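
Review bot: The new `sir4ur0n` entry gives a `users.noreply.github.com` address as `email`, which does not accept mail, so this maintainer can only be reached through the `github` handle. If that is intended, fine; otherwise a working contact address would be preferable.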

@ -381,6 +381,14 @@
cluster resource manager
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://nifi.apache.org">nifi</link>, an
easy to use, powerful, and reliable system to process and
distribute data. Available as
<link xlink:href="options.html#opt-services.nifi.enable">services.nifi</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.05-incompatibilities">
@ -518,6 +526,13 @@
}
</programlisting>
</listitem>
<listitem>
<para>
<literal>services.prometheus.alertManagerTimeout</literal> has
been removed as it has been deprecated upstream and has no
effect.
</para>
</listitem>
<listitem>
<para>
The DHCP server (<literal>services.dhcpd4</literal>,
@ -551,6 +566,17 @@
work.
</para>
</listitem>
<listitem>
<para>
<literal>services.paperless-ng</literal> was renamed to
<literal>services.paperless</literal>. Accordingly, the
<literal>paperless-ng-manage</literal> script (located in
<literal>dataDir</literal>) was renamed to
<literal>paperless-manage</literal>.
<literal>services.paperless</literal> now uses
<literal>paperless-ngx</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>matrix-synapse</literal> service
@ -1689,6 +1715,13 @@
<literal>true</literal>.
</para>
</listitem>
<listitem>
<para>
A module for declarative configuration of openconnect VPN
profiles was added under
<literal>networking.openconnect</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>element-desktop</literal> package now has an
@ -1787,6 +1820,15 @@
should now be used instead.
</para>
</listitem>
<listitem>
<para>
<literal>security.pam.ussh</literal> has been added, which
allows authorizing PAM sessions based on SSH
<emphasis>certificates</emphasis> held within an SSH agent,
using
<link xlink:href="https://github.com/uber/pam-ussh">pam-ussh</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>zrepl</literal> package has been updated from
@ -1882,7 +1924,10 @@
<para>
<literal>services.xserver.desktopManager.xfce</literal> now
includes Xfces screen locker,
<literal>xfce4-screensaver</literal>.
<literal>xfce4-screensaver</literal> that is enabled by
default. You can disable it by setting
<literal>false</literal> to
<link linkend="opt-services.xserver.desktopManager.xfce.enableScreensaver">services.xserver.desktopManager.xfce.enableScreensaver</link>.
</para>
</listitem>
<listitem>

@ -109,6 +109,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager
- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
@ -173,6 +175,8 @@ In addition to numerous new and upgraded packages, this release has the followin
}
```
- `services.prometheus.alertManagerTimeout` has been removed as it has been deprecated upstream and has no effect.
- The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened.
The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities.
The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed.
@ -182,6 +186,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `services.ipfs.extraFlags` is now escaped with `utils.escapeSystemdExecArgs`. If you rely on systemd interpolating `extraFlags` in the service `ExecStart`, this will no longer work.
- `services.paperless-ng` was renamed to `services.paperless`. Accordingly, the `paperless-ng-manage` script (located in `dataDir`) was renamed to `paperless-manage`. `services.paperless` now uses `paperless-ngx`.
- The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42.
This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the
module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you
@ -583,6 +589,8 @@ In addition to numerous new and upgraded packages, this release has the followin
using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
is set to `true`.
- A module for declarative configuration of openconnect VPN profiles was added under `networking.openconnect`.
- The `element-desktop` package now has an `useKeytar` option (defaults to `true`),
which allows disabling `keytar` and in turn `libsecret` usage
(which binds to native credential managers / keychain libraries).
@ -613,6 +621,8 @@ In addition to numerous new and upgraded packages, this release has the followin
and [services.logrotate.extraConfig](#opt-services.logrotate.extraConfig) will work, but issue deprecation
warnings and [services.logrotate.settings](#opt-services.logrotate.settings) should now be used instead.
- `security.pam.ussh` has been added, which allows authorizing PAM sessions based on SSH _certificates_ held within an SSH agent, using [pam-ussh](https://github.com/uber/pam-ussh).
- The `zrepl` package has been updated from 0.4.0 to 0.5:
- The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
@ -642,7 +652,7 @@ In addition to numerous new and upgraded packages, this release has the followin
- xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15.
If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with `mkfs.xfs -m bigtime=0 -m inobtcount=0`.
- `services.xserver.desktopManager.xfce` now includes Xfce's screen locker, `xfce4-screensaver`.
- `services.xserver.desktopManager.xfce` now includes Xfce's screen locker, `xfce4-screensaver` that is enabled by default. You can disable it by setting `false` to [services.xserver.desktopManager.xfce.enableScreensaver](#opt-services.xserver.desktopManager.xfce.enableScreensaver).
- The `hadoop` package has added support for `aarch64-linux` and `aarch64-darwin` as of 3.3.1 ([#158613](https://github.com/NixOS/nixpkgs/pull/158613)).
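
Review bot: In the changed `xfce4-screensaver` entry, "setting `false` to" the option reads backwards; suggest "`xfce4-screensaver`, which is enabled by default. You can disable it by setting `services.xserver.desktopManager.xfce.enableScreensaver` to `false`." The same sentence appears in the XML release notes earlier in this commit and needs the same wording.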

@ -194,6 +194,22 @@ rec {
(( ! $inherit_errexit_enabled )) && shopt -u inherit_errexit
'';
/* Remove packages of packagesToRemove from packages, based on their names.
Relies on package names and has quadratic complexity so use with caution!
Type:
removePackagesByName :: [package] -> [package] -> [package]
Example:
removePackagesByName [ nautilus file-roller ] [ file-roller totem ]
=> [ nautilus ]
*/
removePackagesByName = packages: packagesToRemove:
let
namesToRemove = map lib.getName packagesToRemove;
in
lib.filter (x: !(builtins.elem (lib.getName x) namesToRemove)) packages;
systemdUtils = {
lib = import ./systemd-lib.nix { inherit lib config pkgs; };
unitOptions = import ./systemd-unit-options.nix { inherit lib systemdUtils; };
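
Review bot: `removePackagesByName` compares only `lib.getName`, so every entry in `packages` that shares a name with something in `packagesToRemove` is dropped, including overridden or differently versioned variants; the doc comment should say that explicitly rather than only "Relies on package names". The quadratic cost comes from `builtins.elem` scanning `namesToRemove` for each package; building an attribute set of the names once and testing membership with `?` would avoid it.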

@ -1,9 +1,33 @@
# This module manages the terminfo database
# and its integration in the system.
{ config, ... }:
{ config, lib, pkgs, ... }:
with lib;
{
options.environment.enableAllTerminfo = with lib; mkOption {
default = false;
type = types.bool;
description = ''
Whether to install all terminfo outputs
'';
};
config = {
# can be generated with: filter (drv: (builtins.tryEval (drv ? terminfo)).value) (attrValues pkgs)
environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [
alacritty
foot
kitty
mtm
rxvt-unicode-unwrapped
rxvt-unicode-unwrapped-emoji
termite
wezterm
]));
environment.pathsToLink = [
"/share/terminfo"
];
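
Review bot: `with lib;` now covers the whole module, so the second `with lib;` in front of `mkOption` on `options.environment.enableAllTerminfo` is redundant. The hard-coded terminal list will drift from the packages that actually have a `terminfo` output; the comment already gives the expression that generates it, so either say how the list is kept in sync or add a check. The option description is also missing its final period.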

@ -597,7 +597,7 @@
./services/misc/osrm.nix
./services/misc/owncast.nix
./services/misc/packagekit.nix
./services/misc/paperless-ng.nix
./services/misc/paperless.nix
./services/misc/parsoid.nix
./services/misc/plex.nix
./services/misc/plikd.nix
@ -853,6 +853,7 @@
./services/networking/ofono.nix
./services/networking/oidentd.nix
./services/networking/onedrive.nix
./services/networking/openconnect.nix
./services/networking/openvpn.nix
./services/networking/ostinato.nix
./services/networking/owamp.nix
@ -1054,6 +1055,7 @@
./services/web-apps/netbox.nix
./services/web-apps/nextcloud.nix
./services/web-apps/nexus.nix
./services/web-apps/nifi.nix
./services/web-apps/node-red.nix
./services/web-apps/pict-rs.nix
./services/web-apps/peertube.nix

@ -61,6 +61,19 @@ let
'';
};
usshAuth = mkOption {
default = false;
type = types.bool;
description = ''
If set, users with an SSH certificate containing an authorized principal
in their SSH agent are able to log in. Specific options are controlled
using the <option>security.pam.ussh</option> options.
Note that the <option>security.pam.ussh.enable</option> must also be
set for this option to take effect.
'';
};
yubicoAuth = mkOption {
default = config.security.pam.yubico.enable;
defaultText = literalExpression "config.security.pam.yubico.enable";
@ -475,6 +488,9 @@ let
optionalString cfg.usbAuth ''
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
'' +
(let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) ''
auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
'') +
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
'') +
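
Review bot: The new `pam_ussh.so` line binds `ussh` but then tests `config.security.pam.ussh.enable` instead of `ussh.enable`, and it packs four optional arguments into one very long line; splitting it over several concatenated strings would make it reviewable. The values for `ca_file=`, `authorized_principals=`, `authorized_principals_file=` and `group=` are interpolated as-is, so a value containing whitespace would be split into separate PAM arguments. Rejecting such values in the option types would close that.
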
@ -927,6 +943,96 @@ in
};
};
security.pam.ussh = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
This is similar to <literal>pam-ssh-agent</literal>, except that
the presence of a CA-signed SSH key with a valid principal is checked
instead.
Note that this module must both be enabled using this option and on a
per-PAM-service level as well (using <literal>usshAuth</literal>).
More information can be found <link
xlink:href="https://github.com/uber/pam-ussh">here</link>.
'';
};
caFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
By default <literal>pam-ussh</literal> reads the trusted user CA keys
from <filename>/etc/ssh/trusted_user_ca</filename>.
This should be set the same as your <literal>TrustedUserCAKeys</literal>
option for sshd.
'';
};
authorizedPrincipals = mkOption {
default = null;
type = with types; nullOr commas;
description = ''
Comma-separated list of authorized principals to permit; if the user
presents a certificate with one of these principals, then they will be
authorized.
Note that <literal>pam-ussh</literal> also requires that the certificate
contain a principal matching the user's username. The principals from
this list are in addition to those principals.
Mutually exclusive with <literal>authorizedPrincipalsFile</literal>.
'';
};
authorizedPrincipalsFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
Path to a list of principals; if the user presents a certificate with
one of these principals, then they will be authorized.
Note that <literal>pam-ussh</literal> also requires that the certificate
contain a principal matching the user's username. The principals from
this file are in addition to those principals.
Mutually exclusive with <literal>authorizedPrincipals</literal>.
'';
};
group = mkOption {
default = null;
type = with types; nullOr str;
description = ''
If set, then the authenticating user must be a member of this group
to use this module.
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use the SSH certificate instead of the regular password,
use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
for better understanding of this option.
'';
};
};
security.pam.yubico = {
enable = mkOption {
default = false;
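
Review bot: The descriptions of `authorizedPrincipals` and `authorizedPrincipalsFile` each say "Mutually exclusive", but nothing in this hunk enforces it, and the PAM line added earlier in this file emits both arguments when both are set. An `assertions` entry that fails evaluation when both are non-null would turn the documented constraint into a checked one. In the `caFile` description, "This should be set the same as your `TrustedUserCAKeys` option" would read better as "set to the same file as".
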
@ -1111,6 +1217,9 @@ in
optionalString (isEnabled (cfg: cfg.usbAuth)) ''
mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
'' +
optionalString (isEnabled (cfg: cfg.usshAuth)) ''
mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so,
'' +
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
'' +
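
Review bot: The AppArmor rule for `pam_ussh.so` is keyed only on `cfg.usshAuth`, while the PAM `auth` line is emitted only when `security.pam.ussh.enable` is also set. Because the sudo module in this commit sets `usshAuth = true` unconditionally, this rule and its reference to `pkgs.pam_ussh` are emitted even when `security.pam.ussh.enable` is unset; the condition should include `config.security.pam.ussh.enable`. Separately, the context line for `pam_oath.so` starts with a stray `"` before `mr`.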

@ -245,7 +245,7 @@ in
environment.systemPackages = [ sudo ];
security.pam.services.sudo = { sshAgentAuth = true; };
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers =
{ source =
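
Review bot: Setting `usshAuth = true` unconditionally on `security.pam.services.sudo` means that turning on `security.pam.ussh.enable` immediately applies pam-ussh to sudo, with `control` defaulting to `sufficient`. sudo then accepts a certificate held in the SSH agent in place of the password. That is a security-relevant default change for anyone enabling the module for another service; call it out in the `security.pam.ussh.enable` description and the release note, or make it opt-in for sudo.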

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
with lib;
@ -6,46 +6,44 @@ let
cfg = config.services.cockroachdb;
crdb = cfg.package;
escape = builtins.replaceStrings ["%"] ["%%"];
ifNotNull = v: s: optionalString (v != null) s;
startupCommand = lib.concatStringsSep " "
[ # Basic startup
"${crdb}/bin/cockroach start"
startupCommand = utils.escapeSystemdExecArgs
([
# Basic startup
"${crdb}/bin/cockroach"
"start"
"--logtostderr"
"--store=/var/lib/cockroachdb"
(ifNotNull cfg.locality "--locality='${cfg.locality}'")
# WebUI settings
"--http-addr='${cfg.http.address}:${toString cfg.http.port}'"
"--http-addr=${cfg.http.address}:${toString cfg.http.port}"
# Cluster listen address
"--listen-addr='${cfg.listen.address}:${toString cfg.listen.port}'"
"--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
# Cluster configuration
(ifNotNull cfg.join "--join=${cfg.join}")
# Cache and memory settings. Must be escaped.
"--cache='${escape cfg.cache}'"
"--max-sql-memory='${escape cfg.maxSqlMemory}'"
# Cache and memory settings.
"--cache=${cfg.cache}"
"--max-sql-memory=${cfg.maxSqlMemory}"
# Certificate/security settings.
(if cfg.insecure then "--insecure" else "--certs-dir=${cfg.certsDir}")
];
]
++ lib.optional (cfg.join != null) "--join=${cfg.join}"
++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
++ cfg.extraArgs);
addressOption = descr: defaultPort: {
address = mkOption {
type = types.str;
default = "localhost";
description = "Address to bind to for ${descr}";
};
port = mkOption {
type = types.port;
default = defaultPort;
description = "Port to bind to for ${descr}";
};
addressOption = descr: defaultPort: {
address = mkOption {
type = types.str;
default = "localhost";
description = "Address to bind to for ${descr}";
};
port = mkOption {
type = types.port;
default = defaultPort;
description = "Port to bind to for ${descr}";
};
};
in
{
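
Review bot: The new argument list no longer passes `cfg.cache` and `cfg.maxSqlMemory` through `escape`, and the "Must be escaped" comment is gone, so correct handling of percentage values now rests entirely on `utils.escapeSystemdExecArgs`. A short comment saying that the helper takes over the `%` escaping, or a test with a percentage value for `cfg.cache`, would keep that visible. If `escape` and `ifNotNull` are still defined after this change, they are unused and can be dropped.
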
@ -159,6 +157,16 @@ in
only contain open source features and open source code).
'';
};
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
example = [ "--advertise-addr" "[fe80::f6f2:::]" ];
description = ''
Extra CLI arguments passed to <command>cockroach start</command>.
For the full list of supported argumemnts, check <link xlink:href="https://www.cockroachlabs.com/docs/stable/cockroach-start.html#flags"/>
'';
};
};
};
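
Review bot: In the `extraArgs` description, "argumemnts" is a typo for "arguments", and the sentence lacks a final period after the link. The example value `"[fe80::f6f2:::]"` is not a well-formed IPv6 address; a valid documentation address would make the example usable as written.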

@ -23,17 +23,16 @@ let
nixosRules = ''
# Miscellaneous devices.
KERNEL=="kvm", MODE="0666"
KERNEL=="kqemu", MODE="0666"
# Needed for gpm.
SUBSYSTEM=="input", KERNEL=="mice", TAG+="systemd"
'';
# Perform substitutions in all udev rules files.
udevRules = pkgs.runCommand "udev-rules"
udevRulesFor = { name, udevPackages, udevPath, udev, systemd, binPackages, initrdBin ? null }: pkgs.runCommand name
{ preferLocalBuild = true;
allowSubstitutes = false;
packages = unique (map toString cfg.packages);
packages = unique (map toString udevPackages);
}
''
mkdir -p $out
@ -61,6 +60,9 @@ let
--replace \"/bin/mount \"${pkgs.util-linux}/bin/mount \
--replace /usr/bin/readlink ${pkgs.coreutils}/bin/readlink \
--replace /usr/bin/basename ${pkgs.coreutils}/bin/basename
${optionalString (initrdBin != null) ''
substituteInPlace $i --replace '/run/current-system/systemd' "${removeSuffix "/bin" initrdBin}"
''}
done
echo -n "Checking that all programs called by relative paths in udev rules exist in ${udev}/lib/udev... "
@ -85,8 +87,9 @@ let
for i in $import_progs $run_progs; do
# if the path refers to /run/current-system/systemd, replace with config.systemd.package
if [[ $i == /run/current-system/systemd* ]]; then
i="${config.systemd.package}/''${i#/run/current-system/systemd/}"
i="${systemd}/''${i#/run/current-system/systemd/}"
fi
if [[ ! -x $i ]]; then
echo "FAIL"
echo "$i is called in udev rules but is not executable or does not exist"
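
Review bot: The comment above the `/run/current-system/systemd` check still says "replace with config.systemd.package", but the replacement now uses the `systemd` argument of `udevRulesFor`, which is `config.boot.initrd.systemd.package` for the initrd rules. Update the comment to match.
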
@ -103,7 +106,7 @@ let
echo "Consider fixing the following udev rules:"
echo "$filesToFixup" | while read localFile; do
remoteFile="origin unknown"
for i in ${toString cfg.packages}; do
for i in ${toString binPackages}; do
for j in "$i"/*/udev/rules.d/*; do
[ -e "$out/$(basename "$j")" ] || continue
[ "$(basename "$j")" = "$(basename "$localFile")" ] || continue
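
Review bot: The "origin unknown" lookup now iterates `binPackages`, but it searches `"$i"/*/udev/rules.d/*`, which are rules files and live in `udevPackages`. For the main system both arguments are `cfg.packages`, so nothing changes, but for the initrd call `binPackages` is the list of binary packages plus `/bin`, so the originating rules package will not be found. This loop should use `udevPackages`.
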
@ -126,7 +129,7 @@ let
${optionalString (!config.boot.hardwareScan) ''
ln -s /dev/null $out/80-drivers.rules
''}
''; # */
'';
hwdbBin = pkgs.runCommand "hwdb.bin"
{ preferLocalBuild = true;
@ -202,20 +205,6 @@ in
'';
};
initrdRules = mkOption {
default = "";
example = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
'';
type = types.lines;
description = ''
<command>udev</command> rules to include in the initrd
<emphasis>only</emphasis>. They'll be written into file
<filename>99-local.rules</filename>. Thus they are read and applied
after the essential initrd rules.
'';
};
extraRules = mkOption {
default = "";
example = ''
@ -283,6 +272,52 @@ in
'';
};
boot.initrd.services.udev = {
packages = mkOption {
type = types.listOf types.path;
default = [];
visible = false;
description = ''
<emphasis>This will only be used when systemd is used in stage 1.</emphasis>
List of packages containing <command>udev</command> rules that will be copied to stage 1.
All files found in
<filename><replaceable>pkg</replaceable>/etc/udev/rules.d</filename> and
<filename><replaceable>pkg</replaceable>/lib/udev/rules.d</filename>
will be included.
'';
};
binPackages = mkOption {
type = types.listOf types.path;
default = [];
visible = false;
description = ''
<emphasis>This will only be used when systemd is used in stage 1.</emphasis>
Packages to search for binaries that are referenced by the udev rules in stage 1.
This list always contains /bin of the initrd.
'';
apply = map getBin;
};
rules = mkOption {
default = "";
example = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
'';
type = types.lines;
description = ''
<command>udev</command> rules to include in the initrd
<emphasis>only</emphasis>. They'll be written into file
<filename>99-local.rules</filename>. Thus they are read and applied
after the essential initrd rules.
'';
};
};
};
@ -298,16 +333,54 @@ in
boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ];
boot.initrd.extraUdevRulesCommands = optionalString (cfg.initrdRules != "")
boot.initrd.extraUdevRulesCommands = optionalString (!config.boot.initrd.systemd.enable && config.boot.initrd.services.udev.rules != "")
''
cat <<'EOF' > $out/99-local.rules
${cfg.initrdRules}
${config.boot.initrd.services.udev.rules}
EOF
'';
boot.initrd.systemd.additionalUpstreamUnits = [
# TODO: "initrd-udevadm-cleanup-db.service" is commented out because of https://github.com/systemd/systemd/issues/12953
"systemd-udevd-control.socket"
"systemd-udevd-kernel.socket"
"systemd-udevd.service"
"systemd-udev-settle.service"
"systemd-udev-trigger.service"
];
boot.initrd.systemd.storePaths = [
"${config.boot.initrd.systemd.package}/lib/systemd/systemd-udevd"
"${config.boot.initrd.systemd.package}/lib/udev"
] ++ map (x: "${x}/bin") config.boot.initrd.services.udev.binPackages;
# Generate the udev rules for the initrd
boot.initrd.systemd.contents = {
"/etc/udev/rules.d".source = udevRulesFor {
name = "initrd-udev-rules";
initrdBin = config.boot.initrd.systemd.contents."/bin".source;
udevPackages = config.boot.initrd.services.udev.packages;
udevPath = config.boot.initrd.systemd.contents."/bin".source;
udev = config.boot.initrd.systemd.package;
systemd = config.boot.initrd.systemd.package;
binPackages = config.boot.initrd.services.udev.binPackages ++ [ config.boot.initrd.systemd.contents."/bin".source ];
};
};
# Insert custom rules
boot.initrd.services.udev.packages = mkIf (config.boot.initrd.services.udev.rules != "") (pkgs.writeTextFile {
name = "initrd-udev-rules";
destination = "/etc/udev/rules.d/99-local.rules";
text = config.boot.initrd.services.udev.rules;
});
environment.etc =
{
"udev/rules.d".source = udevRules;
"udev/rules.d".source = udevRulesFor {
name = "udev-rules";
udevPackages = cfg.packages;
systemd = config.systemd.package;
binPackages = cfg.packages;
inherit udevPath udev;
};
"udev/hwdb.bin".source = hwdbBin;
};
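
Review bot: `boot.initrd.services.udev.packages` is declared as `types.listOf types.path`, but the "Insert custom rules" definition assigns the single `pkgs.writeTextFile { ... }` derivation rather than a list. Wrap it in `[ ... ]` so that it type-checks and merges with other definitions of the option.
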
@ -338,4 +411,8 @@ in
};
};
imports = [
(mkRenamedOptionModule [ "services" "udev" "initrdRules" ] [ "boot" "initrd" "services" "udev" "rules" ])
];
}

@ -192,7 +192,6 @@ in {
log_dir = "/var/log/mailman";
lock_dir = "$var_dir/lock";
etc_dir = "/etc";
ext_dir = "$etc_dir/mailman.d";
pid_file = "/run/mailman/master.pid";
};

@ -2,11 +2,13 @@
with lib;
let
cfg = config.services.paperless-ng;
cfg = config.services.paperless;
defaultUser = "paperless";
hasCustomRedis = hasAttr "PAPERLESS_REDIS" cfg.extraConfig;
# Don't start a redis instance if the user sets a custom redis connection
enableRedis = !hasAttr "PAPERLESS_REDIS" cfg.extraConfig;
redisServer = config.services.redis.servers.paperless;
env = {
PAPERLESS_DATA_DIR = cfg.dataDir;
@ -15,15 +17,15 @@ let
GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}";
} // (
lib.mapAttrs (_: toString) cfg.extraConfig
) // (optionalAttrs (!hasCustomRedis) {
PAPERLESS_REDIS = "unix://${config.services.redis.servers.paperless-ng.unixSocket}";
) // (optionalAttrs enableRedis {
PAPERLESS_REDIS = "unix://${redisServer.unixSocket}";
});
manage = let
setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env);
in pkgs.writeShellScript "manage" ''
${setupEnv}
exec ${cfg.package}/bin/paperless-ng "$@"
exec ${cfg.package}/bin/paperless-ngx "$@"
'';
# Secure the services
@ -36,7 +38,7 @@ let
"-/etc/hosts"
"-/etc/localtime"
"-/run/postgresql"
] ++ (optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.unixSocket);
] ++ (optional enableRedis redisServer.unixSocket);
BindPaths = [
cfg.consumptionDir
cfg.dataDir
@ -53,7 +55,6 @@ let
PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
# Breaks if the home dir of the user is in /home
# Also does not add much value in combination with the TemporaryFileSystem.
@ -66,11 +67,15 @@ let
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
# Don't restrict ProcSubset because django-q requires read access to /proc/stat
# to query CPU and memory information.
# Note that /proc only contains processes of user `paperless`, so this is safe.
# ProcSubset = "pid";
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SupplementaryGroups = optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.user;
SupplementaryGroups = optional enableRedis redisServer.user;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
# Does not work well with the temporary root
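
Review bot: The new comment justifies dropping `ProcSubset = "pid"` by saying `/proc` only contains processes of user `paperless`, but that property comes from `ProtectProc = "invisible"` and covers only the per-process directories. Without `ProcSubset`, the non-process entries, including `/proc/stat` (the stated reason for the change), become readable by the service. The comment should say that this system-wide information is now exposed and why that is acceptable, rather than "this is safe".
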
@ -81,26 +86,22 @@ in
meta.maintainers = with maintainers; [ earvstedt Flakebi ];
imports = [
(mkRemovedOptionModule [ "services" "paperless"] ''
The paperless module has been removed as the upstream project died.
Users should migrate to the paperless-ng module (services.paperless-ng).
More information can be found in the NixOS 21.11 release notes.
'')
(mkRenamedOptionModule [ "services" "paperless-ng" ] [ "services" "paperless" ])
];
options.services.paperless-ng = {
options.services.paperless = {
enable = mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Paperless-ng.
Enable Paperless.
When started, the Paperless database is automatically created if it doesn't
exist and updated if the Paperless package has changed.
Both tasks are achieved by running a Django migration.
A script to manage the Paperless instance (by wrapping Django's manage.py) is linked to
<literal>''${dataDir}/paperless-ng-manage</literal>.
<literal>''${dataDir}/paperless-manage</literal>.
'';
};
@ -133,13 +134,13 @@ in
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/paperless-ng-password";
example = "/run/keys/paperless-password";
description = ''
A file containing the superuser password.
A superuser is required to access the web interface.
If unset, you can create a superuser manually by running
<literal>''${dataDir}/paperless-ng-manage createsuperuser</literal>.
<literal>''${dataDir}/paperless-manage createsuperuser</literal>.
The default superuser name is <literal>admin</literal>. To change it, set
option <option>extraConfig.PAPERLESS_ADMIN_USER</option>.
@ -168,9 +169,9 @@ in
type = types.attrs;
default = {};
description = ''
Extra paperless-ng config options.
Extra paperless config options.
See <link xlink:href="https://paperless-ng.readthedocs.io/en/latest/configuration.html">the documentation</link>
See <link xlink:href="https://paperless-ngx.readthedocs.io/en/latest/configuration.html">the documentation</link>
for available options.
'';
example = literalExpression ''
@ -188,15 +189,14 @@ in
package = mkOption {
type = types.package;
default = pkgs.paperless-ng;
defaultText = literalExpression "pkgs.paperless-ng";
default = pkgs.paperless-ngx;
defaultText = literalExpression "pkgs.paperless-ngx";
description = "The Paperless package to use.";
};
};
config = mkIf cfg.enable {
# Enable redis if no special url is set
services.redis.servers.paperless-ng.enable = mkIf (!hasCustomRedis) true;
services.redis.servers.paperless.enable = mkIf enableRedis true;
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
@ -208,11 +208,11 @@ in
)
];
systemd.services.paperless-ng-server = {
description = "Paperless document server";
systemd.services.paperless-scheduler = {
description = "Paperless scheduler";
serviceConfig = defaultServiceConfig // {
User = cfg.user;
ExecStart = "${cfg.package}/bin/paperless-ng qcluster";
ExecStart = "${cfg.package}/bin/paperless-ngx qcluster";
Restart = "on-failure";
# The `mbind` syscall is needed for running the classifier.
SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "mbind" ];
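
Review bot: The unit `paperless-ng-server` becomes `paperless-scheduler` here, and the other units and the redis server drop `-ng` from their names, but the release note entry in this commit only mentions the option rename and the `paperless-manage` script. Overrides or ordering dependencies that refer to the old unit names are not covered by `mkRenamedOptionModule`. List the new unit names in the release note.
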
@ -221,15 +221,15 @@ in
};
environment = env;
wantedBy = [ "multi-user.target" ];
wants = [ "paperless-ng-consumer.service" "paperless-ng-web.service" ];
wants = [ "paperless-consumer.service" "paperless-web.service" ];
preStart = ''
ln -sf ${manage} ${cfg.dataDir}/paperless-ng-manage
ln -sf ${manage} ${cfg.dataDir}/paperless-manage
# Auto-migrate on first run or if the package has changed
versionFile="${cfg.dataDir}/src-version"
if [[ $(cat "$versionFile" 2>/dev/null) != ${cfg.package} ]]; then
${cfg.package}/bin/paperless-ng migrate
${cfg.package}/bin/paperless-ngx migrate
echo ${cfg.package} > "$versionFile"
fi
''
@ -240,20 +240,18 @@ in
superuserStateFile="${cfg.dataDir}/superuser-state"
if [[ $(cat "$superuserStateFile" 2>/dev/null) != $superuserState ]]; then
${cfg.package}/bin/paperless-ng manage_superuser
${cfg.package}/bin/paperless-ngx manage_superuser
echo "$superuserState" > "$superuserStateFile"
fi
'';
} // optionalAttrs (!hasCustomRedis) {
after = [ "redis-paperless-ng.service" ];
} // optionalAttrs enableRedis {
after = [ "redis-paperless.service" ];
};
# Password copying can't be implemented as a privileged preStart script
# in 'paperless-ng-server' because 'defaultServiceConfig' limits the filesystem
# paths accessible by the service.
systemd.services.paperless-ng-copy-password = mkIf (cfg.passwordFile != null) {
requiredBy = [ "paperless-ng-server.service" ];
before = [ "paperless-ng-server.service" ];
# Reading the user-provided password file requires root access
systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) {
requiredBy = [ "paperless-scheduler.service" ];
before = [ "paperless-scheduler.service" ];
serviceConfig = {
ExecStart = ''
${pkgs.coreutils}/bin/install --mode 600 --owner '${cfg.user}' --compare \
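Review bot: The new comment above `systemd.services.paperless-copy-password` ("Reading the user-provided password file requires root access") drops the rationale the old comment gave for having a separate unit at all, namely that `defaultServiceConfig` limits the filesystem paths the main service can reach. If that restriction still applies to `paperless-scheduler`, keep both sentences, so the next reader does not try to fold the copy step back into a `preStart` script.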
@ -263,27 +261,27 @@ in
};
};
systemd.services.paperless-ng-consumer = {
systemd.services.paperless-consumer = {
description = "Paperless document consumer";
serviceConfig = defaultServiceConfig // {
User = cfg.user;
ExecStart = "${cfg.package}/bin/paperless-ng document_consumer";
ExecStart = "${cfg.package}/bin/paperless-ngx document_consumer";
Restart = "on-failure";
};
environment = env;
# Bind to `paperless-ng-server` so that the consumer never runs
# Bind to `paperless-scheduler` so that the consumer never runs
# during migrations
bindsTo = [ "paperless-ng-server.service" ];
after = [ "paperless-ng-server.service" ];
bindsTo = [ "paperless-scheduler.service" ];
after = [ "paperless-scheduler.service" ];
};
systemd.services.paperless-ng-web = {
systemd.services.paperless-web = {
description = "Paperless web server";
serviceConfig = defaultServiceConfig // {
User = cfg.user;
ExecStart = ''
${pkgs.python3Packages.gunicorn}/bin/gunicorn \
-c ${cfg.package}/lib/paperless-ng/gunicorn.conf.py paperless.asgi:application
-c ${cfg.package}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
'';
Restart = "on-failure";
@ -296,15 +294,15 @@ in
};
environment = env // {
PATH = mkForce cfg.package.path;
PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ng/src";
PYTHONPATH = "${cfg.package.pythonPath}:${cfg.package}/lib/paperless-ngx/src";
};
# Allow the web interface to access the private /tmp directory of the server.
# This is required to support uploading files via the web interface.
unitConfig.JoinsNamespaceOf = "paperless-ng-server.service";
# Bind to `paperless-ng-server` so that the web server never runs
unitConfig.JoinsNamespaceOf = "paperless-scheduler.service";
# Bind to `paperless-scheduler` so that the web server never runs
# during migrations
bindsTo = [ "paperless-ng-server.service" ];
after = [ "paperless-ng-server.service" ];
bindsTo = [ "paperless-scheduler.service" ];
after = [ "paperless-scheduler.service" ];
};
users = optionalAttrs (cfg.user == defaultUser) {
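Review bot: The comment above `unitConfig.JoinsNamespaceOf` still says the web interface needs "the private /tmp directory of the server", but the unit it now joins is `paperless-scheduler.service` and no unit called "server" remains in this module. Reword it to name the scheduler, since the shared `/tmp` namespace is a sandboxing exception that readers will want to trace to a concrete unit.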

View File

@ -74,7 +74,6 @@ let
}"
"--web.listen-address=${cfg.listenAddress}:${builtins.toString cfg.port}"
"--alertmanager.notification-queue-capacity=${toString cfg.alertmanagerNotificationQueueCapacity}"
"--alertmanager.timeout=${toString cfg.alertmanagerTimeout}s"
] ++ optional (cfg.webExternalUrl != null) "--web.external-url=${cfg.webExternalUrl}"
++ optional (cfg.retentionTime != null) "--storage.tsdb.retention.time=${cfg.retentionTime}";
@ -1563,6 +1562,8 @@ in
(mkRenamedOptionModule [ "services" "prometheus2" ] [ "services" "prometheus" ])
(mkRemovedOptionModule [ "services" "prometheus" "environmentFile" ]
"It has been removed since it was causing issues (https://github.com/NixOS/nixpkgs/issues/126083) and Prometheus now has native support for secret files, i.e. `basic_auth.password_file` and `authorization.credentials_file`.")
(mkRemovedOptionModule [ "services" "prometheus" "alertmanagerTimeout" ]
"Deprecated upstream and no longer had any effect")
];
options.services.prometheus = {
@ -1719,14 +1720,6 @@ in
'';
};
alertmanagerTimeout = mkOption {
type = types.int;
default = 10;
description = ''
Alert manager HTTP API timeout (in seconds).
'';
};
webExternalUrl = mkOption {
type = types.nullOr types.str;
default = null;

View File

@ -0,0 +1,137 @@
{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.networking.openconnect;
openconnect = cfg.package;
pkcs11 = types.strMatching "pkcs11:.+" // {
name = "pkcs11";
description = "PKCS#11 URI";
};
interfaceOptions = {
options = {
gateway = mkOption {
description = "Gateway server to connect to.";
example = "gateway.example.com";
type = types.str;
};
protocol = mkOption {
description = "Protocol to use.";
example = "anyconnect";
type =
types.enum [ "anyconnect" "array" "nc" "pulse" "gp" "f5" "fortinet" ];
};
user = mkOption {
description = "Username to authenticate with.";
example = "example-user";
type = types.nullOr types.str;
};
# Note: It does not make sense to provide a way to declaratively
# set an authentication cookie, because they have to be requested
# for every new connection and would only work once.
passwordFile = mkOption {
description = ''
File containing the password to authenticate with. This
is passed to <code>openconnect</code> via the
<code>--passwd-on-stdin</code> option.
'';
default = null;
example = "/var/lib/secrets/openconnect-passwd";
type = types.nullOr types.path;
};
certificate = mkOption {
description = "Certificate to authenticate with.";
default = null;
example = "/var/lib/secrets/openconnect_certificate.pem";
type = with types; nullOr (either path pkcs11);
};
privateKey = mkOption {
description = "Private key to authenticate with.";
example = "/var/lib/secrets/openconnect_private_key.pem";
default = null;
type = with types; nullOr (either path pkcs11);
};
extraOptions = mkOption {
description = ''
Extra config to be appended to the interface config. It should
contain long-format options as would be accepted on the command
line by <code>openconnect</code>
(see https://www.infradead.org/openconnect/manual.html).
Non-key-value options like <code>deflate</code> can be used by
declaring them as booleans, i. e. <code>deflate = true;</code>.
'';
default = { };
example = {
compression = "stateless";
no-http-keepalive = true;
no-dtls = true;
};
type = with types; attrsOf (either str bool);
};
};
};
generateExtraConfig = extra_cfg:
strings.concatStringsSep "\n" (attrsets.mapAttrsToList
(name: value: if (value == true) then name else "${name}=${value}")
(attrsets.filterAttrs (_: value: value != false) extra_cfg));
generateConfig = name: icfg:
pkgs.writeText "config" ''
interface=${name}
${optionalString (icfg.user != null) "user=${icfg.user}"}
${optionalString (icfg.passwordFile != null) "passwd-on-stdin"}
${optionalString (icfg.certificate != null)
"certificate=${icfg.certificate}"}
${optionalString (icfg.privateKey != null) "sslkey=${icfg.privateKey}"}
${generateExtraConfig icfg.extraOptions}
'';
generateUnit = name: icfg: {
description = "OpenConnect Interface - ${name}";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${openconnect}/bin/openconnect --config=${
generateConfig name icfg
} ${icfg.gateway}";
StandardInput = "file:${icfg.passwordFile}";
ProtectHome = true;
};
};
in {
options.networking.openconnect = {
package = mkPackageOption pkgs "openconnect" { };
interfaces = mkOption {
description = "OpenConnect interfaces.";
default = { };
example = {
openconnect0 = {
gateway = "gateway.example.com";
protocol = "anyconnect";
user = "example-user";
passwordFile = "/var/lib/secrets/openconnect-passwd";
};
};
type = with types; attrsOf (submodule interfaceOptions);
};
};
config = {
systemd.services = mapAttrs' (name: value: {
name = "openconnect-${name}";
value = generateUnit name value;
}) cfg.interfaces;
};
meta.maintainers = with maintainers; [ alyaeanyx ];
}
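Review bot: `StandardInput = "file:${icfg.passwordFile}";` in `generateUnit` is set unconditionally although `passwordFile` defaults to `null`, so an interface that authenticates with `certificate`/`privateKey` only fails at evaluation when the null is interpolated. Guard it the same way `generateConfig` guards `passwd-on-stdin`, for example by merging `optionalAttrs (icfg.passwordFile != null) { StandardInput = "file:${icfg.passwordFile}"; }` into `serviceConfig`. Two more points in this file: `protocol` is declared as a required option but `generateConfig` never writes it, so the chosen protocol has no effect on the generated config; and `certificate`/`privateKey` accept `types.path`, so a Nix path literal would be copied into the world-readable store when interpolated, which the option descriptions should warn about (the examples already use string paths under `/var/lib/secrets`). `user` is `nullOr` but has no `default = null`.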

View File

@ -1,31 +1,37 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.shellhub-agent;
in {
in
{
###### interface
options = {
services.shellhub-agent = {
enable = mkOption {
type = types.bool;
default = false;
enable = mkEnableOption "ShellHub Agent daemon";
package = mkPackageOption pkgs "shellhub-agent" { };
preferredHostname = mkOption {
type = types.str;
default = "";
description = ''
Whether to enable the ShellHub Agent daemon, which allows
secure remote logins.
Set the device preferred hostname. This provides a hint to
the server to use this as hostname if it is available.
'';
};
package = mkOption {
type = types.package;
default = pkgs.shellhub-agent;
defaultText = literalExpression "pkgs.shellhub-agent";
keepAliveInterval = mkOption {
type = types.int;
default = 30;
description = ''
Which ShellHub Agent package to use.
Determine the interval to send the keep alive message to
the server. This has a direct impact of the bandwidth
used by the device.
'';
};
@ -74,9 +80,13 @@ in {
"time-sync.target"
];
environment.SERVER_ADDRESS = cfg.server;
environment.PRIVATE_KEY = cfg.privateKey;
environment.TENANT_ID = cfg.tenantId;
environment = {
SHELLHUB_SERVER_ADDRESS = cfg.server;
SHELLHUB_PRIVATE_KEY = cfg.privateKey;
SHELLHUB_TENANT_ID = cfg.tenantId;
SHELLHUB_KEEPALIVE_INTERVAL = toString cfg.keepAliveInterval;
SHELLHUB_PREFERRED_HOSTNAME = cfg.preferredHostname;
};
serviceConfig = {
# The service starts sessions for different users.
@ -85,7 +95,6 @@ in {
ExecStart = "${cfg.package}/bin/agent";
};
};
environment.systemPackages = [ cfg.package ];
};
}

View File

@ -609,6 +609,7 @@ in
connection_reaper_interval = 30;
relative_url_root = null;
message_bus_max_backlog_size = 100;
message_bus_clear_every = 50;
secret_key_base = cfg.secretKeyBaseFile;
fallback_assets_path = null;
@ -655,7 +656,12 @@ in
long_polling_interval = null;
};
services.redis.enable = lib.mkDefault (cfg.redis.host == "localhost");
services.redis.servers.discourse =
lib.mkIf (lib.elem cfg.redis.host [ "localhost" "127.0.0.1" ]) {
enable = true;
bind = cfg.redis.host;
port = cfg.backendSettings.redis_port;
};
services.postgresql = lib.mkIf databaseActuallyCreateLocally {
enable = true;
@ -696,12 +702,12 @@ in
systemd.services.discourse = {
wantedBy = [ "multi-user.target" ];
after = [
"redis.service"
"redis-discourse.service"
"postgresql.service"
"discourse-postgresql.service"
];
bindsTo = [
"redis.service"
"redis-discourse.service"
] ++ lib.optionals (cfg.database.host == null) [
"postgresql.service"
"discourse-postgresql.service"

View File

@ -0,0 +1,318 @@
{ lib, pkgs, config, options, ... }:
let
cfg = config.services.nifi;
opt = options.services.nifi;
env = {
NIFI_OVERRIDE_NIFIENV = "true";
NIFI_HOME = "/var/lib/nifi";
NIFI_PID_DIR = "/run/nifi";
NIFI_LOG_DIR = "/var/log/nifi";
};
envFile = pkgs.writeText "nifi.env" (lib.concatMapStrings (s: s + "\n") (
(lib.concatLists (lib.mapAttrsToList (name: value:
if value != null then [
"${name}=\"${toString value}\""
] else []
) env))));
nifiEnv = pkgs.writeShellScriptBin "nifi-env" ''
set -a
source "${envFile}"
eval -- "\$@"
'';
in {
options = {
services.nifi = {
enable = lib.mkEnableOption "Apache NiFi";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.nifi;
defaultText = lib.literalExpression "pkgs.nifi";
description = "Apache NiFi package to use.";
};
user = lib.mkOption {
type = lib.types.str;
default = "nifi";
description = "User account where Apache NiFi runs.";
};
group = lib.mkOption {
type = lib.types.str;
default = "nifi";
description = "Group account where Apache NiFi runs.";
};
enableHTTPS = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable HTTPS protocol. Don`t use in production.";
};
listenHost = lib.mkOption {
type = lib.types.str;
default = if cfg.enableHTTPS then "0.0.0.0" else "127.0.0.1";
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "0.0.0.0"
else "127.0.0.1"
'';
description = "Bind to an ip for Apache NiFi web-ui.";
};
listenPort = lib.mkOption {
type = lib.types.int;
default = if cfg.enableHTTPS then 8443 else 8080;
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "8443"
else "8000"
'';
description = "Bind to a port for Apache NiFi web-ui.";
};
proxyHost = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = if cfg.enableHTTPS then "0.0.0.0" else null;
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "0.0.0.0"
else null
'';
description = "Allow requests from a specific host.";
};
proxyPort = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = if cfg.enableHTTPS then 8443 else null;
defaultText = lib.literalExpression ''
if config.${opt.enableHTTPS}
then "8443"
else null
'';
description = "Allow requests from a specific port.";
};
initUser = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Initial user account for Apache NiFi. Username must be at least 4 characters.";
};
initPasswordFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/run/keys/nifi/password-nifi";
description = "nitial password for Apache NiFi. Password must be at least 12 characters.";
};
initJavaHeapSize = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
example = 1024;
description = "Set the initial heap size for the JVM in MB.";
};
maxJavaHeapSize = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = null;
example = 2048;
description = "Set the initial heap size for the JVM in MB.";
};
};
};
config = lib.mkIf cfg.enable {
assertions = [
{ assertion = cfg.initUser!=null || cfg.initPasswordFile==null;
message = ''
<option>services.nifi.initUser</option> needs to be set if <option>services.nifi.initPasswordFile</option> enabled.
'';
}
{ assertion = cfg.initUser==null || cfg.initPasswordFile!=null;
message = ''
<option>services.nifi.initPasswordFile</option> needs to be set if <option>services.nifi.initUser</option> enabled.
'';
}
{ assertion = cfg.proxyHost==null || cfg.proxyPort!=null;
message = ''
<option>services.nifi.proxyPort</option> needs to be set if <option>services.nifi.proxyHost</option> value specified.
'';
}
{ assertion = cfg.proxyHost!=null || cfg.proxyPort==null;
message = ''
<option>services.nifi.proxyHost</option> needs to be set if <option>services.nifi.proxyPort</option> value specified.
'';
}
{ assertion = cfg.initJavaHeapSize==null || cfg.maxJavaHeapSize!=null;
message = ''
<option>services.nifi.maxJavaHeapSize</option> needs to be set if <option>services.nifi.initJavaHeapSize</option> value specified.
'';
}
{ assertion = cfg.initJavaHeapSize!=null || cfg.maxJavaHeapSize==null;
message = ''
<option>services.nifi.initJavaHeapSize</option> needs to be set if <option>services.nifi.maxJavaHeapSize</option> value specified.
'';
}
];
warnings = lib.optional (cfg.enableHTTPS==false) ''
Please do not disable HTTPS mode in production. In this mode, access to the nifi is opened without authentication.
'';
systemd.tmpfiles.rules = [
"d '/var/lib/nifi/conf' 0750 ${cfg.user} ${cfg.group}"
"L+ '/var/lib/nifi/lib' - - - - ${cfg.package}/lib"
];
systemd.services.nifi = {
description = "Apache NiFi";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = env;
path = [ pkgs.gawk ];
serviceConfig = {
Type = "forking";
PIDFile = "/run/nifi/nifi.pid";
ExecStartPre = pkgs.writeScript "nifi-pre-start.sh" ''
#!/bin/sh
umask 077
test -f '/var/lib/nifi/conf/authorizers.xml' || (cp '${cfg.package}/share/nifi/conf/authorizers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/authorizers.xml')
test -f '/var/lib/nifi/conf/bootstrap.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap.conf')
test -f '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf' || (cp '${cfg.package}/share/nifi/conf/bootstrap-hashicorp-vault.conf' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-hashicorp-vault.conf')
test -f '/var/lib/nifi/conf/bootstrap-notification-services.xml' || (cp '${cfg.package}/share/nifi/conf/bootstrap-notification-services.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/bootstrap-notification-services.xml')
test -f '/var/lib/nifi/conf/logback.xml' || (cp '${cfg.package}/share/nifi/conf/logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/logback.xml')
test -f '/var/lib/nifi/conf/login-identity-providers.xml' || (cp '${cfg.package}/share/nifi/conf/login-identity-providers.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/login-identity-providers.xml')
test -f '/var/lib/nifi/conf/nifi.properties' || (cp '${cfg.package}/share/nifi/conf/nifi.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/nifi.properties')
test -f '/var/lib/nifi/conf/stateless-logback.xml' || (cp '${cfg.package}/share/nifi/conf/stateless-logback.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless-logback.xml')
test -f '/var/lib/nifi/conf/stateless.properties' || (cp '${cfg.package}/share/nifi/conf/stateless.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/stateless.properties')
test -f '/var/lib/nifi/conf/state-management.xml' || (cp '${cfg.package}/share/nifi/conf/state-management.xml' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/state-management.xml')
test -f '/var/lib/nifi/conf/zookeeper.properties' || (cp '${cfg.package}/share/nifi/conf/zookeeper.properties' '/var/lib/nifi/conf/' && chmod 0640 '/var/lib/nifi/conf/zookeeper.properties')
test -d '/var/lib/nifi/docs/html' || (mkdir -p /var/lib/nifi/docs && cp -r '${cfg.package}/share/nifi/docs/html' '/var/lib/nifi/docs/html')
${lib.optionalString ((cfg.initUser != null) && (cfg.initPasswordFile != null)) ''
awk -F'[<|>]' '/property name="Username"/ {if ($3!="") f=1} END{exit !f}' /var/lib/nifi/conf/login-identity-providers.xml || ${cfg.package}/bin/nifi.sh set-single-user-credentials ${cfg.initUser} $(cat ${cfg.initPasswordFile})
''}
${lib.optionalString (cfg.enableHTTPS == false) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=false|g' \
-e 's|nifi.web.http.host=.*|nifi.web.http.host=${cfg.listenHost}|g' \
-e 's|nifi.web.http.port=.*|nifi.web.http.port=${(toString cfg.listenPort)}|g' \
-e 's|nifi.web.https.host=.*|nifi.web.https.host=|g' \
-e 's|nifi.web.https.port=.*|nifi.web.https.port=|g' \
-e 's|nifi.security.keystore=.*|nifi.security.keystore=|g' \
-e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=|g' \
-e 's|nifi.security.truststore=.*|nifi.security.truststore=|g' \
-e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=|g' \
-e '/nifi.security.keystorePasswd/s|^|#|' \
-e '/nifi.security.keyPasswd/s|^|#|' \
-e '/nifi.security.truststorePasswd/s|^|#|'
''}
${lib.optionalString (cfg.enableHTTPS == true) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.remote.input.secure=.*|nifi.remote.input.secure=true|g' \
-e 's|nifi.web.http.host=.*|nifi.web.http.host=|g' \
-e 's|nifi.web.http.port=.*|nifi.web.http.port=|g' \
-e 's|nifi.web.https.host=.*|nifi.web.https.host=${cfg.listenHost}|g' \
-e 's|nifi.web.https.port=.*|nifi.web.https.port=${(toString cfg.listenPort)}|g' \
-e 's|nifi.security.keystore=.*|nifi.security.keystore=./conf/keystore.p12|g' \
-e 's|nifi.security.keystoreType=.*|nifi.security.keystoreType=PKCS12|g' \
-e 's|nifi.security.truststore=.*|nifi.security.truststore=./conf/truststore.p12|g' \
-e 's|nifi.security.truststoreType=.*|nifi.security.truststoreType=PKCS12|g' \
-e '/nifi.security.keystorePasswd/s|^#\+||' \
-e '/nifi.security.keyPasswd/s|^#\+||' \
-e '/nifi.security.truststorePasswd/s|^#\+||'
''}
${lib.optionalString ((cfg.enableHTTPS == true) && (cfg.proxyHost != null) && (cfg.proxyPort != null)) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=${cfg.proxyHost}:${(toString cfg.proxyPort)}|g'
''}
${lib.optionalString ((cfg.enableHTTPS == false) || (cfg.proxyHost == null) && (cfg.proxyPort == null)) ''
sed -i /var/lib/nifi/conf/nifi.properties \
-e 's|nifi.web.proxy.host=.*|nifi.web.proxy.host=|g'
''}
${lib.optionalString ((cfg.initJavaHeapSize != null) && (cfg.maxJavaHeapSize != null))''
sed -i /var/lib/nifi/conf/bootstrap.conf \
-e 's|java.arg.2=.*|java.arg.2=-Xms${(toString cfg.initJavaHeapSize)}m|g' \
-e 's|java.arg.3=.*|java.arg.3=-Xmx${(toString cfg.maxJavaHeapSize)}m|g'
''}
${lib.optionalString ((cfg.initJavaHeapSize == null) && (cfg.maxJavaHeapSize == null))''
sed -i /var/lib/nifi/conf/bootstrap.conf \
-e 's|java.arg.2=.*|java.arg.2=-Xms512m|g' \
-e 's|java.arg.3=.*|java.arg.3=-Xmx512m|g'
''}
'';
ExecStart = "${cfg.package}/bin/nifi.sh start";
ExecStop = "${cfg.package}/bin/nifi.sh stop";
# User and group
User = cfg.user;
Group = cfg.group;
# Runtime directory and mode
RuntimeDirectory = "nifi";
RuntimeDirectoryMode = "0750";
# State directory and mode
StateDirectory = "nifi";
StateDirectoryMode = "0750";
# Logs directory and mode
LogsDirectory = "nifi";
LogsDirectoryMode = "0750";
# Proc filesystem
ProcSubset = "pid";
ProtectProc = "invisible";
# Access write directories
ReadWritePaths = [ cfg.initPasswordFile ];
UMask = "0027";
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = false;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @resources @privileged @setuid" "@chown" ];
};
};
users.users = lib.mkMerge [
(lib.mkIf (cfg.user == "nifi") {
nifi = {
group = cfg.group;
isSystemUser = true;
home = cfg.package;
};
})
(lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package nifiEnv ])
];
users.groups = lib.optionalAttrs (cfg.group == "nifi") {
nifi = { };
};
};
}
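Review bot: In `ExecStartPre`, `nifi.sh set-single-user-credentials ${cfg.initUser} $(cat ${cfg.initPasswordFile})` expands the password unquoted onto a command line, so a password with whitespace or glob characters is split or expanded, and the secret is a process argument for as long as the command runs. Quote both arguments at minimum. Related: `ReadWritePaths = [ cfg.initPasswordFile ]` grants write access to a file the service only needs to read and passes `null` when the option is unset; a read-only path under a `!= null` guard fits better. The documentation in this hunk also needs correcting: the `enableHTTPS` description says "Don`t use in production" while the `warnings` entry says the opposite about disabling it, the `listenPort` `defaultText` shows "8000" where the default is 8080, `maxJavaHeapSize` repeats the "initial heap size" description, and the `initPasswordFile` description starts with "nitial". Finally, `listenHost` and `proxyHost` default to `"0.0.0.0"` when HTTPS is on, which exposes the UI on every interface by default; `127.0.0.1` is the safer default.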

View File

@ -255,20 +255,22 @@ let
else defaultListen;
listenString = { addr, port, ssl, extraParameters ? [], ... }:
"listen ${addr}:${toString port} "
+ optionalString ssl "ssl "
+ optionalString (ssl && vhost.http2) "http2 "
+ optionalString vhost.default "default_server "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+ ";"
+ (if ssl && vhost.http3 then ''
(if ssl && vhost.http3 then "
# UDP listener for **QUIC+HTTP/3
listen ${addr}:${toString port} http3 reuseport;
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"';
# Sent when QUIC was used
add_header QUIC-Status $quic;
'' else "");
listen ${addr}:${toString port} http3 "
+ optionalString vhost.default "default_server "
+ optionalString vhost.reuseport "reuseport "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+ ";" else "")
+ "
listen ${addr}:${toString port} "
+ optionalString (ssl && vhost.http2) "http2 "
+ optionalString ssl "ssl "
+ optionalString vhost.default "default_server "
+ optionalString vhost.reuseport "reuseport "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
+ ";";
redirectListen = filter (x: !x.ssl) defaultListen;
@ -321,6 +323,11 @@ let
ssl_conf_command Options KTLS;
''}
${optionalString (hasSSL && vhost.http3) ''
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"; ma=86400' always;
''}
${mkBasicAuth vhostName vhost}
${mkLocations vhost.locations}
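Review bot: The added `add_header Alt-Svc 'h3=":443"; ma=86400' always;` hard-codes port 443, while the `listen` entries accept any `port`, so a vhost that serves HTTP/3 on another port advertises an endpoint it does not listen on. Build the value from the vhost's SSL listen port, or document that the advertisement is only correct on 443. Since the header is emitted at server level, nginx will also not apply it inside any location that declares its own `add_header`, which is worth a sentence in the `http3` option description.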

View File

@ -20,7 +20,7 @@ with lib;
serverAliases = mkOption {
type = types.listOf types.str;
default = [];
example = ["www.example.org" "example.org"];
example = [ "www.example.org" "example.org" ];
description = ''
Additional names of virtual hosts served by this virtual host configuration.
'';
@ -31,11 +31,11 @@ with lib;
addr = mkOption { type = str; description = "IP address."; };
port = mkOption { type = int; description = "Port number."; default = 80; };
ssl = mkOption { type = bool; description = "Enable SSL."; default = false; };
extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "reuseport" "deferred" ]; };
extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "backlog=1024" "deferred" ]; };
}; });
default = [];
example = [
{ addr = "195.154.1.1"; port = 443; ssl = true;}
{ addr = "195.154.1.1"; port = 443; ssl = true; }
{ addr = "192.154.1.1"; port = 80; }
];
description = ''
@ -207,6 +207,15 @@ with lib;
'';
};
reuseport = mkOption {
type = types.bool;
default = false;
description = ''
Create an individual listening socket .
It is required to specify only once on one of the hosts.
'';
};
root = mkOption {
type = types.nullOr types.path;
default = null;
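Review bot: The `reuseport` description does not explain the option: "Create an individual listening socket ." has a stray space before the period and leaves out that the socket is created per worker process, and "It is required to specify only once on one of the hosts" does not say what happens otherwise. Suggested wording: "Create an individual listening socket for each worker process. Set this on exactly one virtual host per address and port."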

View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
with lib;
@ -196,7 +196,7 @@ in
programs.evince.enable = mkDefault true;
programs.file-roller.enable = mkDefault true;
environment.systemPackages = (with pkgs // pkgs.gnome // pkgs.cinnamon; pkgs.gnome.removePackagesByName [
environment.systemPackages = with pkgs // pkgs.gnome // pkgs.cinnamon; utils.removePackagesByName [
# cinnamon team apps
bulky
blueberry
@ -212,7 +212,7 @@ in
# external apps shipped with linux-mint
hexchat
gnome-calculator
] config.environment.cinnamon.excludePackages);
] config.environment.cinnamon.excludePackages;
})
];
}

View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
with lib;
@ -42,7 +42,8 @@ let
chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides
cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF
[org.gnome.desktop.background]
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}'
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-blue.gnomeFilePath}'
picture-uri-dark='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}'
[org.gnome.desktop.screensaver]
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath}'
@ -455,7 +456,7 @@ in
(mkIf serviceCfg.core-utilities.enable {
environment.systemPackages =
with pkgs.gnome;
removePackagesByName
utils.removePackagesByName
([
baobab
cheese
@ -515,7 +516,7 @@ in
})
(mkIf serviceCfg.games.enable {
environment.systemPackages = (with pkgs.gnome; removePackagesByName [
environment.systemPackages = with pkgs.gnome; utils.removePackagesByName [
aisleriot
atomix
five-or-more
@ -536,12 +537,12 @@ in
quadrapassel
swell-foop
tali
] config.environment.gnome.excludePackages);
] config.environment.gnome.excludePackages;
})
# Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/-/blob/3.38.0/elements/core/meta-gnome-core-developer-tools.bst
(mkIf serviceCfg.core-developer-tools.enable {
environment.systemPackages = (with pkgs.gnome; removePackagesByName [
environment.systemPackages = with pkgs.gnome; utils.removePackagesByName [
dconf-editor
devhelp
pkgs.gnome-builder
@ -550,7 +551,7 @@ in
# in default configurations.
# https://github.com/NixOS/nixpkgs/issues/60908
/* gnome-boxes */
] config.environment.gnome.excludePackages);
] config.environment.gnome.excludePackages;
services.sysprof.enable = notExcluded pkgs.sysprof;
})

View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
with lib;
@ -51,7 +51,7 @@ in
environment.systemPackages =
pkgs.lxqt.preRequisitePackages ++
pkgs.lxqt.corePackages ++
(pkgs.gnome.removePackagesByName
(utils.removePackagesByName
pkgs.lxqt.optionalPackages
config.environment.lxqt.excludePackages);

View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
with lib;
@ -47,7 +47,7 @@ in
# Debugging
environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1";
environment.systemPackages = pkgs.gnome.removePackagesByName
environment.systemPackages = utils.removePackagesByName
(pkgs.mate.basePackages ++
pkgs.mate.extraPackages ++
[

View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, utils, pkgs, ... }:
with lib;
@ -214,7 +214,7 @@ in
elementary-settings-daemon
pantheon-agent-geoclue2
pantheon-agent-polkit
]) ++ (gnome.removePackagesByName [
]) ++ (utils.removePackagesByName [
gnome.gnome-font-viewer
gnome.gnome-settings-daemon338
] config.environment.pantheon.excludePackages);
@ -272,7 +272,7 @@ in
})
(mkIf serviceCfg.apps.enable {
environment.systemPackages = with pkgs.pantheon; pkgs.gnome.removePackagesByName ([
environment.systemPackages = with pkgs.pantheon; utils.removePackagesByName ([
elementary-calculator
elementary-calendar
elementary-camera

View File

@ -66,6 +66,12 @@ in
default = true;
description = "Enable the XFWM (default) window manager.";
};
enableScreensaver = mkOption {
type = types.bool;
default = true;
description = "Enable the XFCE screensaver.";
};
};
};
@ -99,7 +105,6 @@ in
ristretto
xfce4-appfinder
xfce4-notifyd
xfce4-screensaver
xfce4-screenshooter
xfce4-session
xfce4-settings
@ -123,7 +128,7 @@ in
] ++ optionals (!cfg.noDesktop) [
xfce4-panel
xfdesktop
];
] ++ optional cfg.enableScreensaver xfce4-screensaver;
environment.pathsToLink = [
"/share/xfce4"
@ -169,6 +174,6 @@ in
xfce4-notifyd
];
security.pam.services.xfce4-screensaver.unixAuth = true;
security.pam.services.xfce4-screensaver.unixAuth = cfg.enableScreensaver;
};
}
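Review bot: `security.pam.services.xfce4-screensaver.unixAuth = cfg.enableScreensaver;` still defines the `xfce4-screensaver` PAM service when the option is false, only with `unixAuth` switched off. Guard the whole definition instead, for example `security.pam.services.xfce4-screensaver = mkIf cfg.enableScreensaver { unixAuth = true; };`, so that disabling the screensaver leaves no PAM entry behind. The `enableScreensaver` description should also say that turning it off removes the session's screen locker.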

View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, utils, pkgs, ... }:
with lib;
@ -181,6 +181,13 @@ in
'';
};
excludePackages = mkOption {
default = [];
example = literalExpression "[ pkgs.xterm ]";
type = types.listOf types.package;
description = "Which X11 packages to exclude from the default environment";
};
exportConfiguration = mkOption {
type = types.bool;
default = false;
@ -655,7 +662,7 @@ in
${cfgPath}.source = xorg.xf86inputevdev.out + "/share" + cfgPath;
});
environment.systemPackages =
environment.systemPackages = utils.removePackagesByName
[ xorg.xorgserver.out
xorg.xrandr
xorg.xrdb
@ -671,7 +678,7 @@ in
pkgs.xdg-utils
xorg.xf86inputevdev.out # get evdev.4 man page
pkgs.nixos-icons # needed for gnome and pantheon about dialog, nixos-manual and maybe more
]
] config.services.xserver.excludePackages
++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh;
environment.pathsToLink = [ "/share/X11" ];

View File

@ -55,11 +55,15 @@ let
substituteInPlace $out/dry-activate --subst-var out
chmod u+x $out/activate $out/dry-activate
unset activationScript dryActivationScript
${pkgs.stdenv.shellDryRun} $out/activate
${pkgs.stdenv.shellDryRun} $out/dry-activate
cp ${config.system.build.bootStage2} $out/init
substituteInPlace $out/init --subst-var-by systemConfig $out
${if config.boot.initrd.systemd.enable then ''
cp ${config.system.build.bootStage2} $out/prepare-root
substituteInPlace $out/prepare-root --subst-var-by systemConfig $out
ln -s "$systemd/lib/systemd/systemd" $out/init
'' else ''
cp ${config.system.build.bootStage2} $out/init
substituteInPlace $out/init --subst-var-by systemConfig $out
''}
ln -s ${config.system.build.etc}/etc $out/etc
ln -s ${config.system.path} $out/sw
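Review bot: The new branch runs `ln -s "$systemd/lib/systemd/systemd" $out/init`, which depends on a shell variable `$systemd` that nothing in the visible lines sets. If the derivation does not export it, the link silently resolves to `/lib/systemd/systemd`. Either interpolate the package on the Nix side or confirm that `systemd` is passed to the builder, and consider adding a `test -e $out/init` after the link so a broken target fails the build rather than the boot.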

View File

@ -10,6 +10,36 @@ let
check = {
global = {
sectionNetwork = checkUnitConfig "Network" [
(assertOnlyFields [
"SpeedMeter"
"SpeedMeterIntervalSec"
"ManageForeignRoutingPolicyRules"
"ManageForeignRoutes"
"RouteTable"
])
(assertValueOneOf "SpeedMeter" boolValues)
(assertInt "SpeedMeterIntervalSec")
(assertValueOneOf "ManageForeignRoutingPolicyRules" boolValues)
(assertValueOneOf "ManageForeignRoutes" boolValues)
];
sectionDHCPv4 = checkUnitConfig "DHCPv4" [
(assertOnlyFields [
"DUIDType"
"DUIDRawData"
])
];
sectionDHCPv6 = checkUnitConfig "DHCPv6" [
(assertOnlyFields [
"DUIDType"
"DUIDRawData"
])
];
};
link = {
sectionLink = checkUnitConfig "Link" [
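Review bot: `sectionNetwork` allows `RouteTable` through `assertOnlyFields` but adds no value check for it, and `sectionDHCPv4`/`sectionDHCPv6` accept `DUIDType` and `DUIDRawData` with no value check at all, so a misspelled DUID type passes evaluation and only surfaces at runtime. Add an `assertValueOneOf "DUIDType" [ ... ]` with the values listed in networkd.conf(5), in the same style as the boolean checks above.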
@ -871,6 +901,44 @@ let
};
};
networkdOptions = {
networkConfig = mkOption {
default = {};
example = { SpeedMeter = true; ManageForeignRoutingPolicyRules = false; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionNetwork;
description = ''
Each attribute in this set specifies an option in the
<literal>[Network]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
dhcpV4Config = mkOption {
default = {};
example = { DUIDType = "vendor"; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv4;
description = ''
Each attribute in this set specifies an option in the
<literal>[DHCPv4]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
dhcpV6Config = mkOption {
default = {};
example = { DUIDType = "vendor"; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv6;
description = ''
Each attribute in this set specifies an option in the
<literal>[DHCPv6]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
};
linkOptions = commonNetworkOptions // {
# overwrite enable option from above
enable = mkOption {
@ -1519,6 +1587,39 @@ let
};
};
networkdConfig = { config, ... }: {
options = {
routeTables = mkOption {
default = {};
example = { foo = 27; };
type = with types; attrsOf int;
description = ''
Defines route table names as an attrset of name to number.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
addRouteTablesToIPRoute2 = mkOption {
default = true;
example = false;
type = types.bool;
description = ''
If true and routeTables are set, then the specified route tables
will also be installed into /etc/iproute2/rt_tables.
'';
};
};
config = {
networkConfig = optionalAttrs (config.routeTables != { }) {
RouteTable = mapAttrsToList
(name: number: "${name}:${toString number}")
config.routeTables;
};
};
};
commonMatchText = def: optionalString (def.matchConfig != { }) ''
[Match]
${attrsToSection def.matchConfig}
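
Review bot: `routeTables` is typed as `attrsOf int`, so zero, negative and out-of-range numbers pass evaluation, and the attribute name is interpolated unchecked into `"${name}:${toString number}"`. A name containing whitespace or `:` would produce a malformed `RouteTable=` entry. Use a bounded integer type (for example `types.ints.positive`) and add an assertion restricting the names to a safe character set.
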
@ -1600,6 +1701,20 @@ let
+ def.extraConfig;
};
renderConfig = def:
{ text = ''
[Network]
${attrsToSection def.networkConfig}
''
+ optionalString (def.dhcpV4Config != { }) ''
[DHCPv4]
${attrsToSection def.dhcpV4Config}
''
+ optionalString (def.dhcpV6Config != { }) ''
[DHCPv6]
${attrsToSection def.dhcpV6Config}
''; };
networkToUnit = name: def:
{ inherit (def) enable;
text = commonMatchText def
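
Review bot: `renderConfig` emits the `[Network]` header unconditionally, while `[DHCPv4]` and `[DHCPv6]` are each guarded by `optionalString (... != { })`. With the default `networkConfig = {}` this writes an empty `[Network]` section to `/etc/systemd/networkd.conf`; guard it the same way for consistency.
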
@ -1732,6 +1847,12 @@ in
description = "Definition of systemd networks.";
};
systemd.network.config = mkOption {
default = {};
type = with types; submodule [ { options = networkdOptions; } networkdConfig ];
description = "Definition of global systemd network config.";
};
systemd.network.units = mkOption {
description = "Definition of networkd units.";
default = {};
@ -1823,7 +1944,9 @@ in
systemd.services.systemd-networkd = {
wantedBy = [ "multi-user.target" ];
aliases = [ "dbus-org.freedesktop.network1.service" ];
restartTriggers = map (x: x.source) (attrValues unitFiles);
restartTriggers = map (x: x.source) (attrValues unitFiles) ++ [
config.environment.etc."systemd/networkd.conf".source
];
};
systemd.services.systemd-networkd-wait-online = {
@ -1846,6 +1969,17 @@ in
};
};
environment.etc."systemd/networkd.conf" = renderConfig cfg.config;
networking.iproute2 = mkIf (cfg.config.addRouteTablesToIPRoute2 && cfg.config.routeTables != { }) {
enable = mkDefault true;
rttablesExtraConfig = ''
# Extra tables defined in NixOS systemd.networkd.config.routeTables.
${concatStringsSep "\n" (mapAttrsToList (name: number: "${toString number} ${name}") cfg.config.routeTables)}
'';
};
services.resolved.enable = mkDefault true;
})
];
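
Review bot: The comment written into `rttablesExtraConfig` names the option as `systemd.networkd.config.routeTables`, but the option declared earlier in this file is `systemd.network.config`. Fix the path in the comment so someone reading `/etc/iproute2/rt_tables` can find the source of these entries. The names are also interpolated into the file as `"${toString number} ${name}"` without validation, so the same name check suggested for `RouteTable` applies here.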

View File

@ -5,28 +5,30 @@ systemConfig=@systemConfig@
export HOME=/root PATH="@path@"
# Process the kernel command line.
for o in $(</proc/cmdline); do
case $o in
boot.debugtrace)
# Show each command.
set -x
;;
esac
done
if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then
# Process the kernel command line.
for o in $(</proc/cmdline); do
case $o in
boot.debugtrace)
# Show each command.
set -x
;;
esac
done
# Print a greeting.
echo
echo -e "\e[1;32m<<< NixOS Stage 2 >>>\e[0m"
echo
# Print a greeting.
echo
echo -e "\e[1;32m<<< NixOS Stage 2 >>>\e[0m"
echo
# Normally, stage 1 mounts the root filesystem read/writable.
# However, in some environments, stage 2 is executed directly, and the
# root is read-only. So make it writable here.
if [ -z "$container" ]; then
mount -n -o remount,rw none /
# Normally, stage 1 mounts the root filesystem read/writable.
# However, in some environments, stage 2 is executed directly, and the
# root is read-only. So make it writable here.
if [ -z "$container" ]; then
mount -n -o remount,rw none /
fi
fi
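
Review bot: With the whole block wrapped in `if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]`, the `boot.debugtrace` handling is skipped when the script runs from the systemd initrd, so `set -x` tracing of this script is no longer available on that path. Either keep the command-line loop outside the guard or add a comment saying how to trace `prepare-root` in that mode. A one-line comment at the top documenting `IN_NIXOS_SYSTEMD_STAGE1` and who sets it would also help, since the variable now gates five separate blocks.
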
@ -39,6 +41,12 @@ if [ ! -e /proc/1 ]; then
local options="$3"
local fsType="$4"
# We must not overwrite this mount because it's bind-mounted
# from stage 1's /run
if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" = true ] && [ "${mountPoint}" = /run ]; then
return
fi
install -m 0755 -d "$mountPoint"
mount -n -t "$fsType" -o "$options" "$device" "$mountPoint"
}
@ -46,7 +54,11 @@ if [ ! -e /proc/1 ]; then
fi
echo "booting system configuration $systemConfig" > /dev/kmsg
if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" = true ]; then
echo "booting system configuration ${systemConfig}"
else
echo "booting system configuration $systemConfig" > /dev/kmsg
fi
# Make /nix/store a read-only bind mount to enforce immutability of
@ -68,24 +80,26 @@ if [ -n "@readOnlyStore@" ]; then
fi
# Use /etc/resolv.conf supplied by systemd-nspawn, if applicable.
if [ -n "@useHostResolvConf@" ] && [ -e /etc/resolv.conf ]; then
resolvconf -m 1000 -a host </etc/resolv.conf
fi
if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then
# Use /etc/resolv.conf supplied by systemd-nspawn, if applicable.
if [ -n "@useHostResolvConf@" ] && [ -e /etc/resolv.conf ]; then
resolvconf -m 1000 -a host </etc/resolv.conf
fi
# Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
# Only at this point are all the necessary prerequisites ready for these commands.
exec {logOutFd}>&1 {logErrFd}>&2
if test -w /dev/kmsg; then
exec > >(tee -i /proc/self/fd/"$logOutFd" | while read -r line; do
if test -n "$line"; then
echo "<7>stage-2-init: $line" > /dev/kmsg
fi
done) 2>&1
else
mkdir -p /run/log
exec > >(tee -i /run/log/stage-2-init.log) 2>&1
# Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
# Only at this point are all the necessary prerequisites ready for these commands.
exec {logOutFd}>&1 {logErrFd}>&2
if test -w /dev/kmsg; then
exec > >(tee -i /proc/self/fd/"$logOutFd" | while read -r line; do
if test -n "$line"; then
echo "<7>stage-2-init: $line" > /dev/kmsg
fi
done) 2>&1
else
mkdir -p /run/log
exec > >(tee -i /run/log/stage-2-init.log) 2>&1
fi
fi
@ -116,11 +130,15 @@ ln -sfn "$systemConfig" /run/booted-system
: >> /etc/machine-id
# Reset the logging file descriptors.
exec 1>&$logOutFd 2>&$logErrFd
exec {logOutFd}>&- {logErrFd}>&-
# No need to restore the stdout/stderr streams we never redirected and
# especially no need to start systemd
if [ "${IN_NIXOS_SYSTEMD_STAGE1:-}" != true ]; then
# Reset the logging file descriptors.
exec 1>&$logOutFd 2>&$logErrFd
exec {logOutFd}>&- {logErrFd}>&-
# Start systemd in a clean environment.
echo "starting systemd..."
exec @systemdExecutable@ "$@"
# Start systemd in a clean environment.
echo "starting systemd..."
exec @systemdExecutable@ "$@"
fi

View File

@ -573,14 +573,6 @@ in
})
(filterAttrs (name: service: service.enable && service.startAt != []) cfg.services);
# Generate timer units for all services that have a startAt value.
systemd.user.timers =
mapAttrs (name: service:
{ wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = service.startAt;
})
(filterAttrs (name: service: service.startAt != []) cfg.user.services);
# Some overrides to upstream units.
systemd.services."systemd-backlight@".restartIfChanged = false;
systemd.services."systemd-fsck@".restartIfChanged = false;
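
Review bot: This drops the generation of `systemd.user.timers` for every `cfg.user.services` entry with a `startAt` value, and nothing in the visible lines shows where that logic now lives. Since this is a merge with conflicts, please confirm the block was moved rather than lost, otherwise user services with `startAt` silently stop being scheduled.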

View File

@ -34,7 +34,6 @@ let
"initrd-switch-root.service"
"initrd-switch-root.target"
"initrd.target"
"initrd-udevadm-cleanup-db.service"
"kexec.target"
"kmod-static-nodes.service"
"local-fs-pre.target"
@ -71,12 +70,6 @@ let
"systemd-sysctl.service"
"systemd-tmpfiles-setup-dev.service"
"systemd-tmpfiles-setup.service"
"systemd-udevd-control.socket"
"systemd-udevd-kernel.socket"
"systemd-udevd.service"
"systemd-udev-settle.service"
"systemd-udev-trigger.service"
"systemd-vconsole-setup.service"
"timers.target"
"umount.target"
@ -125,7 +118,7 @@ let
};
initrdBinEnv = pkgs.buildEnv {
name = "initrd-emergency-env";
name = "initrd-bin-env";
paths = map getBin cfg.initrdBin;
pathsToLink = ["/bin" "/sbin"];
postBuild = concatStringsSep "\n" (mapAttrsToList (n: v: "ln -s '${v}' $out/bin/'${n}'") cfg.extraBin);
@ -355,8 +348,9 @@ in {
boot.initrd.availableKernelModules = [ "autofs4" ]; # systemd needs this for some features
boot.initrd.systemd = {
initrdBin = [pkgs.bash pkgs.coreutils pkgs.kmod cfg.package] ++ config.system.fsPackages;
initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages;
extraBin = {
less = "${pkgs.less}/bin/less";
mount = "${cfg.package.util-linux}/bin/mount";
umount = "${cfg.package.util-linux}/bin/umount";
};
@ -367,7 +361,7 @@ in {
"/etc/systemd/system.conf".text = ''
[Manager]
DefaultEnvironment=PATH=/bin:/sbin
DefaultEnvironment=PATH=/bin:/sbin ${optionalString (isBool cfg.emergencyAccess && cfg.emergencyAccess) "SYSTEMD_SULOGIN_FORCE=1"}
'';
"/etc/fstab".source = fstab;
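
Review bot: Moving `SYSTEMD_SULOGIN_FORCE=1` into `DefaultEnvironment=` widens its scope from `services.emergency` (removed further down) to every unit the initrd manager starts, so any unit that ends up in `systemd-sulogin-shell` gets a root shell without a password when `emergencyAccess` is `true`. If that is intended, say so in the `emergencyAccess` option description; otherwise keep the variable on the specific units that need it. The line also leaves a trailing space after `/sbin` when the option is off.
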
@ -384,6 +378,11 @@ in {
"/etc/sysctl.d/nixos.conf".text = "kernel.modprobe = /sbin/modprobe";
"/etc/modprobe.d/systemd.conf".source = "${cfg.package}/lib/modprobe.d/systemd.conf";
"/etc/modprobe.d/ubuntu.conf".source = pkgs.runCommand "initrd-kmod-blacklist-ubuntu" { } ''
${pkgs.buildPackages.perl}/bin/perl -0pe 's/## file: iwlwifi.conf(.+?)##/##/s;' $src > $out
'';
"/etc/modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases;
};
storePaths = [
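
Review bot: The `runCommand` for `/etc/modprobe.d/ubuntu.conf` reads from `$src`, but the attribute set passed to it is `{ }`, so `src` is never defined in the builder environment and `perl` has no input file. Pass the blacklist file explicitly (`{ src = ...; }`) so the iwlwifi section is stripped from the real file instead of producing an empty `ubuntu.conf`.
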
@ -394,15 +393,15 @@ in {
"${cfg.package}/lib/systemd/systemd-journald"
"${cfg.package}/lib/systemd/systemd-makefs"
"${cfg.package}/lib/systemd/systemd-modules-load"
"${cfg.package}/lib/systemd/systemd-random-seed"
"${cfg.package}/lib/systemd/systemd-remount-fs"
"${cfg.package}/lib/systemd/systemd-shutdown"
"${cfg.package}/lib/systemd/systemd-sulogin-shell"
"${cfg.package}/lib/systemd/systemd-sysctl"
"${cfg.package}/lib/systemd/systemd-udevd"
"${cfg.package}/lib/systemd/systemd-vconsole-setup"
# additional systemd directories
"${cfg.package}/lib/systemd/system-generators"
"${cfg.package}/lib/udev"
# utilities needed by systemd
"${cfg.package.util-linux}/bin/mount"
@ -410,7 +409,7 @@ in {
"${cfg.package.util-linux}/bin/sulogin"
# so NSS can look up usernames
"${pkgs.glibc}/lib/libnss_files.so"
"${pkgs.glibc}/lib/libnss_files.so.2"
] ++ jobScripts;
targets.initrd.aliases = ["default.target"];
@ -428,9 +427,6 @@ in {
(v: let n = escapeSystemdPath v.where;
in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
services.emergency = mkIf (isBool cfg.emergencyAccess && cfg.emergencyAccess) {
environment.SYSTEMD_SULOGIN_FORCE = "1";
};
# The unit in /run/systemd/generator shadows the unit in
# /etc/systemd/system, but will still apply drop-ins from
# /etc/systemd/system/foo.service.d/
@ -445,6 +441,67 @@ in {
'')];
services."systemd-makefs@".unitConfig.IgnoreOnIsolate = true;
services."systemd-growfs@".unitConfig.IgnoreOnIsolate = true;
services.initrd-nixos-activation = {
after = [ "initrd-fs.target" ];
requiredBy = [ "initrd.target" ];
unitConfig.AssertPathExists = "/etc/initrd-release";
serviceConfig.Type = "oneshot";
description = "NixOS Activation";
script = /* bash */ ''
set -uo pipefail
export PATH="/bin:${cfg.package.util-linux}/bin"
# Figure out what closure to boot
closure=
for o in $(< /proc/cmdline); do
case $o in
init=*)
IFS== read -r -a initParam <<< "$o"
closure="$(dirname "''${initParam[1]}")"
;;
esac
done
# Sanity check
if [ -z "''${closure:-}" ]; then
echo 'No init= parameter on the kernel command line' >&2
exit 1
fi
# If we are not booting a NixOS closure (e.g. init=/bin/sh),
# we don't know what root to prepare so we don't do anything
if ! [ -x "/sysroot$closure/prepare-root" ]; then
echo "NEW_INIT=''${initParam[1]}" > /etc/switch-root.conf
echo "$closure does not look like a NixOS installation - not activating"
exit 0
fi
echo 'NEW_INIT=' > /etc/switch-root.conf
# We need to propagate /run for things like /run/booted-system
# and /run/current-system.
mkdir -p /sysroot/run
mount --bind /run /sysroot/run
# Initialize the system
export IN_NIXOS_SYSTEMD_STAGE1=true
exec chroot /sysroot $closure/prepare-root
'';
};
# This will either call systemctl with the new init as the last parameter (which
# is the case when not booting a NixOS system) or with an empty string, causing
# systemd to bypass its verification code that checks whether the next file is a systemd
# and using its compiled-in value
services.initrd-switch-root.serviceConfig = {
EnvironmentFile = "-/etc/switch-root.conf";
ExecStart = [
""
''systemctl --no-block switch-root /sysroot "''${NEW_INIT}"''
];
};
};
};
}
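
Review bot: The `initrd-nixos-activation` script sets `set -uo pipefail` without `-e`, so a failing `mkdir -p /sysroot/run` or `mount --bind /run /sysroot/run` is ignored and the script goes on to `exec chroot`. Add `-e` or check those two commands explicitly. In the same script, `$closure` is unquoted in `exec chroot /sysroot $closure/prepare-root` although it comes from the `init=` kernel parameter, and `IFS== read -r -a initParam` keeps only the text up to the second `=`, so an `init=` path containing `=` is truncated. Quote the expansion and take the value with `"''${o#init=}"` instead.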

View File

@ -853,8 +853,12 @@ in
(mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [
"-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet"
])
(mkIf (!cfg.useBootLoader) [
"-kernel \${NIXPKGS_QEMU_KERNEL_${config.system.name}:-${config.system.build.toplevel}/kernel}"
(let
alphaNumericChars = lowerChars ++ upperChars ++ (map toString (range 0 9));
# Replace all non-alphanumeric characters with underscores
sanitizeShellIdent = s: concatMapStrings (c: if builtins.elem c alphaNumericChars then c else "_") (stringToCharacters s);
in mkIf (!cfg.useBootLoader) [
"-kernel \${NIXPKGS_QEMU_KERNEL_${sanitizeShellIdent config.system.name}:-${config.system.build.toplevel}/kernel}"
"-initrd ${config.system.build.toplevel}/initrd"
''-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS"''
])
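
Review bot: `sanitizeShellIdent` maps every non-alphanumeric character to `_`, so two system names that differ only in punctuation (for example `a-b` and `a.b`) now resolve to the same `NIXPKGS_QEMU_KERNEL_...` variable. That is acceptable, but it should be stated in a comment, and the override variable name needs documenting since it no longer matches `config.system.name` verbatim. The helper is also generic enough to live in `lib` rather than in a local `let`.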

View File

@ -0,0 +1,31 @@
import ./make-test-python.nix ({ pkgs, ... }: rec {
name = "all-terminfo";
meta = with pkgs.lib.maintainers; {
maintainers = [ jkarlson ];
};
nodes.machine = { pkgs, config, lib, ... }:
let
infoFilter = name: drv:
let
o = builtins.tryEval drv;
in
o.success && lib.isDerivation o.value && o.value ? outputs && builtins.elem "terminfo" o.value.outputs;
terminfos = lib.filterAttrs infoFilter pkgs;
excludedTerminfos = lib.filterAttrs (_: drv: !(builtins.elem drv.terminfo config.environment.systemPackages)) terminfos;
includedOuts = lib.filterAttrs (_: drv: builtins.elem drv.out config.environment.systemPackages) terminfos;
in
{
environment = {
enableAllTerminfo = true;
etc."terminfo-missing".text = builtins.concatStringsSep "\n" (builtins.attrNames excludedTerminfos);
etc."terminfo-extra-outs".text = builtins.concatStringsSep "\n" (builtins.attrNames includedOuts);
};
};
testScript =
''
machine.fail("grep . /etc/terminfo-missing >&2")
machine.fail("grep . /etc/terminfo-extra-outs >&2")
'';
})

View File

@ -35,6 +35,7 @@ in
agate = handleTest ./web-servers/agate.nix {};
agda = handleTest ./agda.nix {};
airsonic = handleTest ./airsonic.nix {};
allTerminfo = handleTest ./all-terminfo.nix {};
amazon-init-shell = handleTest ./amazon-init-shell.nix {};
apfs = handleTest ./apfs.nix {};
apparmor = handleTest ./apparmor.nix {};
@ -362,6 +363,7 @@ in
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
nginx-sso = handleTest ./nginx-sso.nix {};
nginx-variants = handleTest ./nginx-variants.nix {};
nifi = handleTestOn ["x86_64-linux"] ./web-apps/nifi.nix {};
nitter = handleTest ./nitter.nix {};
nix-ld = handleTest ./nix-ld {};
nix-serve = handleTest ./nix-serve.nix {};
@ -398,9 +400,10 @@ in
pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
pam-u2f = handleTest ./pam/pam-u2f.nix {};
pam-ussh = handleTest ./pam/pam-ussh.nix {};
pantalaimon = handleTest ./matrix/pantalaimon.nix {};
pantheon = handleTest ./pantheon.nix {};
paperless-ng = handleTest ./paperless-ng.nix {};
paperless = handleTest ./paperless.nix {};
parsedmarc = handleTest ./parsedmarc {};
pdns-recursor = handleTest ./pdns-recursor.nix {};
peerflix = handleTest ./peerflix.nix {};

View File

@ -878,7 +878,7 @@ let
linkConfig.Name = "custom_name";
};
}
else { services.udev.initrdRules = ''
else { boot.initrd.services.udev.rules = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="custom_name"
'';
});

View File

@ -0,0 +1,70 @@
import ../make-test-python.nix ({ pkgs, lib, ... }:
let
testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
nativeBuildInputs = [ pkgs.openssh ];
} ''
mkdir $out
ssh-keygen -t ed25519 -N "" -f $out/ca
ssh-keygen -t ed25519 -N "" -f $out/alice
ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub
ssh-keygen -t ed25519 -N "" -f $out/bob
ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
'';
makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
set -euo pipefail
eval $(${pkgs.openssh}/bin/ssh-agent)
mkdir -p $HOME/.ssh
chmod 700 $HOME/.ssh
cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
chmod 600 $HOME/.ssh/${user}
chmod 644 $HOME/.ssh/${user}{,-cert}.pub
set -x
${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
${pkgs.openssh}/bin/ssh-add -l &>2
exec sudo id -u -n
'';
in {
name = "pam-ussh";
meta.maintainers = with lib.maintainers; [ lukegb ];
machine =
{ ... }:
{
users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };
security.pam.ussh = {
enable = true;
authorizedPrincipals = "root";
caFile = "${testOnlySSHCredentials}/ca.pub";
};
security.sudo = {
enable = true;
extraConfig = ''
Defaults lecture="never"
'';
};
};
testScript =
''
with subtest("alice should be allowed to escalate to root"):
machine.succeed(
'su -c "${makeTestScript "alice"}" -l alice | grep root'
)
with subtest("bob should not be allowed to escalate to root"):
machine.fail(
'su -c "${makeTestScript "bob"}" -l bob | grep root'
)
'';
})
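
Review bot: In `makeTestScript`, `ssh-add -l &>2` redirects both streams to a file named `2` in the current directory, not to stderr; it should be `>&2`. Separately, the negative subtest only checks that `su ... | grep root` fails, which also passes when the script dies early for an unrelated reason (for example `ssh-add` failing under `set -euo pipefail`). Asserting that bob's key was loaded and that `sudo` was the step that failed would make "bob should not be allowed to escalate" meaningful.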

View File

@ -1,30 +1,32 @@
import ./make-test-python.nix ({ lib, ... }: {
name = "paperless-ng";
name = "paperless";
meta.maintainers = with lib.maintainers; [ earvstedt Flakebi ];
nodes.machine = { pkgs, ... }: {
environment.systemPackages = with pkgs; [ imagemagick jq ];
services.paperless-ng = {
services.paperless = {
enable = true;
passwordFile = builtins.toFile "password" "admin";
};
};
testScript = ''
machine.wait_for_unit("paperless-ng-consumer.service")
import json
with subtest("Create test doc"):
machine.wait_for_unit("paperless-consumer.service")
with subtest("Add a document via the file system"):
machine.succeed(
"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
"-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png"
)
with subtest("Web interface gets ready"):
machine.wait_for_unit("paperless-ng-web.service")
machine.wait_for_unit("paperless-web.service")
# Wait until server accepts connections
machine.wait_until_succeeds("curl -fs localhost:28981")
with subtest("Create web test doc"):
with subtest("Add a document via the web interface"):
machine.succeed(
"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
"-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png"
@ -35,11 +37,8 @@ import ./make-test-python.nix ({ lib, ... }: {
machine.wait_until_succeeds(
"(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 2))"
)
assert "2005-10-16" in machine.succeed(
"curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[0] | .created'"
)
assert "2005-10-16" in machine.succeed(
"curl -u admin:admin -fs localhost:28981/api/documents/ | jq '.results | .[1] | .created'"
)
docs = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/"))['results']
assert "2005-10-16" in docs[0]['created']
assert "2005-10-16" in docs[1]['created']
'';
})

View File

@ -14,14 +14,31 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
testScript = ''
import subprocess
oldAvail = machine.succeed("df --output=avail / | sed 1d")
machine.shutdown()
with subtest("handover to stage-2 systemd works"):
machine.wait_for_unit("multi-user.target")
machine.succeed("systemd-analyze | grep -q '(initrd)'") # direct handover
machine.succeed("touch /testfile") # / is writable
machine.fail("touch /nix/store/testfile") # /nix/store is not writable
# Special filesystems are mounted by systemd
machine.succeed("[ -e /run/booted-system ]") # /run
machine.succeed("[ -e /sys/class ]") # /sys
machine.succeed("[ -e /dev/null ]") # /dev
machine.succeed("[ -e /proc/1 ]") # /proc
# stage-2-init mounted more special filesystems
machine.succeed("[ -e /dev/shm ]") # /dev/shm
machine.succeed("[ -e /dev/pts/ptmx ]") # /dev/pts
machine.succeed("[ -e /run/keys ]") # /run/keys
subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"])
machine.start()
newAvail = machine.succeed("df --output=avail / | sed 1d")
with subtest("growfs works"):
oldAvail = machine.succeed("df --output=avail / | sed 1d")
machine.shutdown()
assert int(oldAvail) < int(newAvail), "File system did not grow"
subprocess.check_call(["qemu-img", "resize", "vm-state-machine/machine.qcow2", "+1G"])
machine.start()
newAvail = machine.succeed("df --output=avail / | sed 1d")
assert int(oldAvail) < int(newAvail), "File system did not grow"
'';
})

View File

@ -8,6 +8,9 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
environment.systemPackages = with pkgs; [ wireguard-tools ];
systemd.network = {
enable = true;
config = {
routeTables.custom = 23;
};
netdevs = {
"90-wg0" = {
netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
@ -39,6 +42,7 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
address = [ "10.0.0.${nodeId}/32" ];
routes = [
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; Table = "custom"; }; }
];
};
"30-eth1" = {
@ -87,6 +91,12 @@ testScript = ''
node1.wait_for_unit("systemd-networkd-wait-online.service")
node2.wait_for_unit("systemd-networkd-wait-online.service")
# ================================
# Networkd Config
# ================================
node1.succeed("grep RouteTable=custom:23 /etc/systemd/networkd.conf")
node1.succeed("sudo ip route show table custom | grep '10.0.0.0/24 via 10.0.0.1 dev wg0 proto static'")
# ================================
# Wireguard
# ================================
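
Review bot: The new `ip route show table custom` check is run through `sudo`, but `node1.succeed` already executes as root in the test driver, so the `sudo` only adds a dependency on sudo being enabled on the node. Drop it. The `grep RouteTable=custom:23` check would also be stricter with `-x` or anchors, so that a value such as `custom:234` cannot satisfy it.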

View File

@ -0,0 +1,30 @@
import ../make-test-python.nix ({pkgs, ...}:
{
name = "nifi";
meta.maintainers = with pkgs.lib.maintainers; [ izorkin ];
nodes = {
nifi = { pkgs, ... }: {
virtualisation = {
memorySize = 2048;
diskSize = 4096;
};
services.nifi = {
enable = true;
enableHTTPS = false;
};
};
};
testScript = ''
nifi.start()
nifi.wait_for_unit("nifi.service")
nifi.wait_for_open_port(8080)
# Check if NiFi is running
nifi.succeed("curl --fail http://127.0.0.1:8080/nifi/login 2> /dev/null | grep 'NiFi Login'")
nifi.shutdown()
'';
})

View File

@ -1,13 +1,13 @@
{ stdenv, lib, fetchFromGitHub, faust2jaqt, faust2lv2 }:
stdenv.mkDerivation rec {
pname = "faustPhysicalModeling";
version = "2.37.3";
version = "2.40.0";
src = fetchFromGitHub {
owner = "grame-cncm";
repo = "faust";
rev = version;
sha256 = "sha256-h6L+qRkN2chnI4821WrjD3uRFw3J0sUYVLL8w57vR1U=";
sha256 = "sha256-t3I3j5s2ACHfub+fxxaTwu+5ptEwH0JQpVdmHYOzbCA=";
};
buildInputs = [ faust2jaqt faust2lv2 ];

View File

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "JMusicBot";
version = "0.3.6";
version = "0.3.8";
src = fetchurl {
url = "https://github.com/jagrosh/MusicBot/releases/download/${version}/JMusicBot-${version}.jar";
sha256 = "sha256-Hc3dsOADC+jVZScY19OYDkHimntMjdw/BoB3EUS/d0k=";
sha256 = "sha256-wzmrh9moY6oo3RqOy9Zl1X70BZlvbJkQmz8BaBIFtIM=";
};
dontUnpack = true;

View File

@ -25,7 +25,7 @@
python3.pkgs.buildPythonApplication rec {
pname = "lollypop";
version = "1.4.26";
version = "1.4.31";
format = "other";
doCheck = false;
@ -34,7 +34,7 @@ python3.pkgs.buildPythonApplication rec {
url = "https://gitlab.gnome.org/World/lollypop";
rev = "refs/tags/${version}";
fetchSubmodules = true;
sha256 = "sha256-Q/z9oET06DimMRZl03TgjEeheoVHtIkH+Z69qWZetcI=";
sha256 = "sha256-kWqTDhk7QDmN0yr6x8ER5oHkUAkP3i5yOabnNXSHSqA=";
};
nativeBuildInputs = [

View File

@ -11,11 +11,11 @@
stdenv.mkDerivation rec {
pname = "ocenaudio";
version = "3.11.7";
version = "3.11.10";
src = fetchurl {
url = "https://www.ocenaudio.com/downloads/index.php/ocenaudio_debian9_64.deb?version=${version}";
sha256 = "sha256-fTeDRo7gCM1jXTQGm9MsmKu4KvTGDUogF3VSZWk91RM=";
sha256 = "sha256-Ah6Ni5EbFdIQ/wN7uGeMrSP5ybQfI4iy9gI1VT5LztU=";
};
nativeBuildInputs = [

View File

@ -0,0 +1,79 @@
{ stdenv
, lib
, fetchFromGitHub
, cmake
, pkg-config
, alsa-lib
, freetype
, libjack2
, lv2
, libX11
, libXcursor
, libXext
, libXinerama
, libXrandr
, libGL
, gcc-unwrapped
}:
stdenv.mkDerivation rec {
pname = "odin2";
version = "unstable-2022-02-23";
src = fetchFromGitHub {
owner = "baconpaul";
repo = "odin2";
rev = "ed02d06cfb5db8a118d291c00bd2e4cd6e262cde";
fetchSubmodules = true;
sha256 = "sha256-VkZ+mqCmqWQafdN0nQxJdPxbiaZ37/0jOhLvVbnGLvQ=";
};
nativeBuildInputs = [
cmake
pkg-config
];
buildInputs = [
alsa-lib
freetype
libjack2
lv2
libX11
libXcursor
libXext
libXinerama
libXrandr
libGL
];
# JUCE dlopen's these at runtime, crashes without them
NIX_LDFLAGS = (toString [
"-lX11"
"-lXext"
"-lXcursor"
"-lXinerama"
"-lXrandr"
]);
cmakeFlags = [
"-DCMAKE_AR=${gcc-unwrapped}/bin/gcc-ar"
"-DCMAKE_RANLIB=${gcc-unwrapped}/bin/gcc-ranlib"
"-DCMAKE_NM=${gcc-unwrapped}/bin/gcc-nm"
];
installPhase = ''
mkdir -p $out/bin $out/lib/vst3
cd Odin2_artefacts/Release
cp -r VST3/Odin2.vst3 $out/lib/vst3
cp -r Standalone/Odin2 $out/bin
'';
meta = with lib; {
description = "Odin 2 Synthesizer Plugin";
homepage = "https://thewavewarden.com/odin2";
license = licenses.gpl3;
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ magnetophon ];
};
}
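
Review bot: The custom `installPhase` does not call `runHook preInstall` and `runHook postInstall`, so overrides that hook into the install step are silently ignored; add both. `license = licenses.gpl3` is also ambiguous; use `gpl3Only` or `gpl3Plus` according to the upstream license text. The parentheses around `toString [ ... ]` in `NIX_LDFLAGS` are redundant.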

View File

@ -0,0 +1,50 @@
{ lib
, stdenv
, fetchFromGitHub
, pipewire
, cmake
, extra-cmake-modules
, gnumake
, wrapQtAppsHook
, qtbase
, qttools
, kirigami2
, kcoreaddons
, ki18n
, qtquickcontrols2
}:
stdenv.mkDerivation rec {
pname = "pipecontrol";
version = "0.2.2";
src = fetchFromGitHub {
owner = "portaloffreedom";
repo = pname;
rev = "v${version}";
sha256 = "sha256-BeubRDx82MQX1gB7GnGJlQ2FyYX1S83C3gqPZgIjgoM=";
};
nativeBuildInputs = [
cmake
extra-cmake-modules
wrapQtAppsHook
qttools
];
buildInputs = [
pipewire
qtbase
kirigami2
kcoreaddons
ki18n
qtquickcontrols2
];
meta = with lib; {
description = "Pipewire control GUI program in Qt (Kirigami2)";
homepage = "https://github.com/portaloffreedom/pipecontrol";
license = licenses.gpl3Only;
maintainers = with maintainers; [ tilcreator ];
};
}
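
Review bot: `gnumake` is listed in the function arguments but is not used in `nativeBuildInputs` or anywhere else in the expression. Remove the argument, or add it to `nativeBuildInputs` if the build actually needs it beyond what `stdenv` provides.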

View File

@ -2,12 +2,12 @@
let
pname = "plexamp";
version = "4.1.0";
version = "4.2.0";
src = fetchurl {
url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage";
name="${pname}-${version}.AppImage";
sha512 = "N+WkH6n7MWfRd2rsk/2b/rABL6pcjpKa1iBZSHslIOEc5fYWjGAxjwwTU0RgSaqptS1DyPeCUeWuphWPZJsQgw==";
sha512 = "yIdZoKTJJEpUzEqvixQ7JJBxzrtCRov31dGBDOjMiK/oA2q00Xo6XVDvAhYuIn6ocZqK+I5jHfmf4qYaRePDvg==";
};
appimageContents = appimageTools.extractType2 {
@ -33,7 +33,7 @@ in appimageTools.wrapType2 {
meta = with lib; {
description = "A beautiful Plex music player for audiophiles, curators, and hipsters";
homepage = "https://plexamp.com/";
changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/42";
changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/43";
license = licenses.unfree;
maintainers = with maintainers; [ killercup synthetica ];
platforms = [ "x86_64-linux" ];

View File

@ -0,0 +1,27 @@
{ lib
, fetchurl
, appimageTools
}:
appimageTools.wrapType2 rec {
pname = "sonixd";
version = "0.14.0";
src = fetchurl {
url = "https://github.com/jeffvli/sonixd/releases/download/v${version}/Sonixd-${version}-linux-x86_64.AppImage";
sha256 = "sha256-q+26Ut5wN9gFDBdqirR+he/ppu/b1wiqq23WkcRAQd4=";
};
extraInstallCommands = ''
mv $out/bin/sonixd-${version} $out/bin/sonixd
'';
meta = with lib; {
description = "Full-featured Subsonic/Jellyfin compatible desktop music player";
homepage = "https://github.com/jeffvli/sonixd";
license = licenses.gpl3Only;
maintainers = with maintainers; [ onny ];
platforms = [ "x86_64-linux" ];
};
}

View File

@ -3,12 +3,12 @@
, libGLU, lv2, gtk2, cairo, pango, fftwFloat, zita-convolver }:
stdenv.mkDerivation rec {
version = "20220107";
version = "20220327";
pname = "x42-plugins";
src = fetchurl {
url = "https://gareus.org/misc/x42-plugins/${pname}-${version}.tar.xz";
sha256 = "sha256-+lzgkRQHe6moid3h6az/iqt2XL5vbyM0BjSTwMBvd3I=";
sha256 = "sha256-IhuPqTlCbCxExT5B9Au42RQQl4sDEvz6+HhsuT02KVs=";
};
nativeBuildInputs = [ pkg-config ];

View File

@ -5,16 +5,16 @@
buildGoModule rec {
pname = "lightning-loop";
version = "0.17.0-beta";
version = "0.18.0-beta";
src = fetchFromGitHub {
owner = "lightninglabs";
repo = "loop";
rev = "v${version}";
sha256 = "0hjawagn1dfgj67i52bvf3phvm9f9708z3jqs6cvyz0w7vp107py";
sha256 = "1kg5nlvb4lb3cjn84wcylhq0l73d2n6rg4n1srnxmgs96v41y78f";
};
vendorSha256 = "1fpc73hwdn3baz5ykrykvqdr5861gj9p6liy8qll5525kdv560f6";
vendorSha256 = "0q3wbjfaqdj29sjlhx6fhc0p4d12aa31s6ia36jalcvf659ybb0l";
subPackages = [ "cmd/loop" "cmd/loopd" ];

View File

@ -38,13 +38,13 @@ let
in
stdenv.mkDerivation rec {
pname = "cudatext";
version = "1.160.0";
version = "1.160.2";
src = fetchFromGitHub {
owner = "Alexey-T";
repo = "CudaText";
rev = version;
sha256 = "sha256-42V6RFa+mAXyaUuKeDQa9Voi1MjnzcVl+cOA65VabxM=";
sha256 = "sha256-moKuiW5kd0jdAk0lBLX8ZWeT/locxGAvM4oOqvMGsr4=";
};
postPatch = ''

View File

@ -26,8 +26,8 @@
},
"EControl": {
"owner": "Alexey-T",
"rev": "2022.03.28",
"sha256": "sha256-jh3lqisiPNMxCapP6O5oJdUL3PLQ3JyomtgWix+bML0="
"rev": "2022.04.08",
"sha256": "sha256-pPlb8rr5loYVzKw/7R2kogSAosmViwGM3cehVwf4EYY="
},
"ATSynEdit_Ex": {
"owner": "Alexey-T",

View File

@ -0,0 +1,22 @@
{ callPackage
, wolfram-engine
}:
# To test:
# $(nix-build -E 'with import ./. {}; jupyter.override { definitions = { wolfram = wolfram-for-jupyter-kernel.definition; }; }')/bin/jupyter-notebook
let kernel = callPackage ./kernel.nix {};
in {
definition = {
displayName = "Wolfram Language ${wolfram-engine.version}";
argv = [
"${wolfram-engine}/bin/wolfram"
"-script"
"${kernel}/share/Wolfram/WolframLanguageForJupyter/Resources/KernelForWolframLanguageForJupyter.wl"
"{connection_file}"
"ScriptInstall" # suppresses prompt
];
language = "Wolfram Language";
logo32 = "${wolfram-engine}/share/icons/hicolor/32x32/apps/wolfram-wolframlanguage.png";
logo64 = "${wolfram-engine}/share/icons/hicolor/64x64/apps/wolfram-wolframlanguage.png";
};
}

View File

@ -0,0 +1,32 @@
{ stdenv, lib, fetchFromGitHub }:
stdenv.mkDerivation rec {
pname = "wolfram-for-jupyter-kernel";
version = "0.9.2";
src = fetchFromGitHub {
owner = "WolframResearch";
repo = "WolframLanguageForJupyter";
rev = "v${version}";
sha256 = "19d9dvr0bv7iy0x8mk4f576ha7z7h7id39nyrggwf9cp7gymxf47";
};
dontConfigure = true;
installPhase = ''
patchShebangs ./configure-jupyter.wls
mkdir -p $out/share/Wolfram
cp -r {WolframLanguageForJupyter,images,extras,LICENSE} $out/share/Wolfram
'';
# no tests
doCheck = false;
meta = with lib; {
description = "A Jupyter kernel for Wolfram Language.";
homepage = "https://github.com/WolframResearch/WolframLanguageForJupyter";
license = licenses.mit;
maintainers = with maintainers; [ fbeffa ];
platforms = platforms.all;
};
}
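
Review bot: `installPhase` runs `patchShebangs ./configure-jupyter.wls`, but that file is not among the paths copied to `$out/share/Wolfram` (`WolframLanguageForJupyter,images,extras,LICENSE`), so the patching has no effect on the output. Either install the script or drop the `patchShebangs` line. The phase also lacks `runHook preInstall`/`postInstall`, and `meta.description` should not end with a period.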

View File

@ -21,18 +21,16 @@
rustPlatform.buildRustPackage rec {
pname = "lapce";
version = "0.0.10";
version = "0.0.12";
src = fetchFromGitHub {
owner = "lapce";
repo = pname;
rev = "v${version}";
sha256 = "tOVFm4DFQurFU4DtpPwxXQLbTGCZnrV1FfYKtvkRxRE=";
sha256 = "sha256-ZFQjQ5+G0b0Fgg3+du/drt+62rC/TCNR5MIdJXAkTrE=";
};
cargoPatches = [ ./fix-version.patch ];
cargoSha256 = "BwB3KgmI5XnZ5uHv6f+kGKBzpyxPWcoKvF7qw90eorI=";
cargoSha256 = "sha256-sMTootPsenaWzLLFImo6HWC1pcm2uFupPhVWsUJp1Ak=";
nativeBuildInputs = [
cmake

View File

@ -1,31 +0,0 @@
diff --git a/Cargo.lock b/Cargo.lock
index bc9a0f8..45a74ad 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2165,7 +2165,7 @@ dependencies = [
[[package]]
name = "lapce"
-version = "0.0.9"
+version = "0.0.10"
dependencies = [
"lapce-core",
"lapce-proxy",
@@ -2173,7 +2173,7 @@ dependencies = [
[[package]]
name = "lapce-core"
-version = "0.0.9"
+version = "0.0.10"
dependencies = [
"Inflector",
"alacritty_terminal 0.15.0",
@@ -2233,7 +2233,7 @@ dependencies = [
[[package]]
name = "lapce-proxy"
-version = "0.0.9"
+version = "0.0.10"
dependencies = [
"alacritty_terminal 0.16.0-rc2",
"anyhow",

File diff suppressed because it is too large

View File

@ -956,6 +956,7 @@ https://github.com/tpope/vim-vinegar/,,
https://github.com/triglav/vim-visual-increment/,,
https://github.com/mg979/vim-visual-multi/,,
https://github.com/thinca/vim-visualstar/,,
https://github.com/ngemily/vim-vp4/,HEAD,
https://github.com/hrsh7th/vim-vsnip/,,
https://github.com/hrsh7th/vim-vsnip-integ/,,
https://github.com/posva/vim-vue/,,

View File

@ -0,0 +1,28 @@
{ stdenv, lib, fetchFromGitHub, autoconf, automake, pkg-config, SDL2, gtk2 }:
stdenv.mkDerivation {
pname = "basiliskii";
version = "unstable-2022-04-05";
src = fetchFromGitHub {
owner = "kanjitalk755";
repo = "macemu";
rev = "d4baa318e49a29d7ea5fc71a637191d6c470546f";
sha256 = "jBKTC2fIPJ6mSkMABNxcd2ujXJ+duCXw291iz5ZmiVg=";
};
sourceRoot = "source/BasiliskII/src/Unix";
patches = [ ./remove-redhat-6-workaround-for-scsi-sg.h.patch ];
nativeBuildInputs = [ autoconf automake pkg-config ];
buildInputs = [ SDL2 gtk2 ];
preConfigure = ''
NO_CONFIGURE=1 ./autogen.sh
'';
configureFlags = [ "--enable-sdl-video" "--enable-sdl-audio" "--with-bincue" ];
meta = with lib; {
description = "68k Macintosh emulator";
homepage = "https://basilisk.cebix.net/";
license = licenses.gpl2;
maintainers = with maintainers; [ quag ];
platforms = platforms.linux;
};
}
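
Review bot: `license = licenses.gpl2;` in meta does not say whether the code is GPL-2.0-only or GPL-2.0-or-later; check upstream's license headers and use `licenses.gpl2Only` or `licenses.gpl2Plus`. Since version is `unstable-2022-04-05` pinned to a bare commit, a short comment on why no tagged release is used would help the next update.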

View File

@ -0,0 +1,10 @@
diff --git a/Linux/scsi_linux.cpp b/Linux/scsi_linux.cpp
--- a/Linux/scsi_linux.cpp
+++ b/Linux/scsi_linux.cpp
@@ -22,5 +22,5 @@
#include <sys/ioctl.h>
#include <linux/param.h>
-#include <linux/../scsi/sg.h> // workaround for broken RedHat 6.0 /usr/include/scsi
+#include <scsi/sg.h>
#include <unistd.h>
#include <errno.h>

View File

@ -15,13 +15,13 @@
stdenv.mkDerivation rec {
pname = "flycast";
version = "1.2";
version = "1.3";
src = fetchFromGitHub {
owner = "flyinghead";
repo = "flycast";
rev = "v${version}";
sha256 = "sha256-MzHAGK++oukIs84OR/l6gBwCJssdi8Iyte5Rtro2+Q0=";
sha256 = "sha256-FAHm8Fu/yv2rJvWCY+g50TYH4zOT6rO7F+jTL2T6EOU=";
fetchSubmodules = true;
};

View File

@ -45,13 +45,13 @@ in
stdenv.mkDerivation rec {
pname = "imagemagick";
version = "7.1.0-26";
version = "7.1.0-29";
src = fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
rev = version;
hash = "sha256-q1CL64cfyb5fN9aVYJfls+v0XRFd4jH+B8n+UJqPE1I=";
hash = "sha256-46fJMOIGnK5aNIcG7+8mJdZDcSFyFmhmkLcuVlnupSU=";
};
outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
@ -64,9 +64,7 @@ stdenv.mkDerivation rec {
++ (if arch != null then [ "--with-gcc-arch=${arch}" ] else [ "--without-gcc-arch" ])
++ lib.optional (librsvg != null) "--with-rsvg"
++ lib.optional (liblqr1 != null) "--with-lqr"
# libjxl is broken on aarch64 (see meta.broken in libjxl) for now,
# let's disable it for now to unbreak the imagemagick build.
++ lib.optional (libjxl != null && !stdenv.isAarch64) "--with-jxl"
++ lib.optional (libjxl != null ) "--with-jxl"
++ lib.optionals (ghostscript != null)
[
"--with-gs-font-dir=${ghostscript}/share/ghostscript/fonts"
@ -92,11 +90,8 @@ stdenv.mkDerivation rec {
libxml2
libheif
djvulibre
libjxl
]
# libjxl is broken on aarch64 (see meta.broken in libjxl) for now,
# let's disable it for now to unbreak the imagemagick build.
++ lib.optionals (!stdenv.isAarch64)
[ libjxl ]
++ lib.optionals (!stdenv.hostPlatform.isMinGW)
[ openexr librsvg openjpeg ]
++ lib.optionals stdenv.isDarwin [

View File

@ -1,13 +1,16 @@
{ lib
, mkDerivation
, fetchFromGitHub
, fetchpatch
, cmake
, dxflib
, boost
, cgal_5
, eigen
, flann
, gdal
, gmp
, LASzip
, libLAS
, mpfr
, pdal
, pcl
, qtbase
@ -15,36 +18,43 @@
, qttools
, tbb
, xercesc
, wrapGAppsHook
}:
mkDerivation rec {
pname = "cloudcompare";
# Released version(v2.11.3) doesn't work with packaged PCL.
version = "unstable-2021-10-14";
version = "2.12.0";
src = fetchFromGitHub {
owner = "CloudCompare";
repo = "CloudCompare";
rev = "1f65ba63756e23291ae91ff52d04da468ade8249";
sha256 = "x1bDjFjXIl3r+yo1soWvRB+4KGP50/WBoGlrH013JQo=";
# As of writing includes (https://github.com/CloudCompare/CloudCompare/blob/a1c589c006fc325e8b560c77340809b9c7e7247a/.gitmodules):
# * libE57Format
# * PoissonRecon
# * CCCoreLib
rev = "v${version}";
sha256 = "sha256-hu3ckVocExi9lvxelHAwKb/MZacH4CcCE+vIzElgP/A=";
fetchSubmodules = true;
};
patches = [
# fix issues compiling on aarch64. remove once upgraded past 2.12.0
(fetchpatch {
url = "https://github.com/CloudCompare/CloudCompare/commit/7e71861fdbd6ea704add5ba69343f47d8fc3d5ae.patch";
sha256 = "sha256-CRUPjxtKUbsqOyYsjKF+dRZ+E3rqrv5mS3ZaOay2wk8=";
})
];
nativeBuildInputs = [
cmake
eigen # header-only
wrapGAppsHook
];
buildInputs = [
dxflib
boost
cgal_5
flann
gdal
gmp
LASzip
libLAS
mpfr
pdal
pcl
qtbase
@ -72,9 +82,32 @@ mkDerivation rec {
"-DPLUGIN_IO_QPHOTOSCAN=ON"
"-DPLUGIN_IO_QRDB=OFF" # Riegl rdblib is proprietary; not packaged in nixpkgs
"-DCCCORELIB_USE_CGAL=ON" # enables Delauney triangulation support
"-DPLUGIN_STANDARD_QPCL=ON" # Adds PCD import and export support
"-DPLUGIN_STANDARD_QANIMATION=ON"
"-DPLUGIN_STANDARD_QBROOM=ON"
"-DPLUGIN_STANDARD_QCANUPO=ON"
"-DPLUGIN_STANDARD_QCOMPASS=ON"
"-DPLUGIN_STANDARD_QCSF=ON"
"-DPLUGIN_STANDARD_QFACETS=ON"
"-DPLUGIN_STANDARD_QHOUGH_NORMALS=ON"
"-DEIGEN_ROOT_DIR=${eigen}/include/eigen3" # needed for hough normals
"-DPLUGIN_STANDARD_QHPR=ON"
"-DPLUGIN_STANDARD_QM3C2=ON"
"-DPLUGIN_STANDARD_QMPLANE=ON"
"-DPLUGIN_STANDARD_QPOISSON_RECON=ON"
"-DPLUGIN_STANDARD_QRANSAC_SD=ON"
"-DPLUGIN_STANDARD_QSRA=ON"
"-DPLUGIN_STANDARD_QCLOUDLAYERS=ON"
];
dontWrapGApps = true;
# fix file dialogs crashing on non-NixOS (and avoid double wrapping)
preFixup = ''
qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
'';
meta = with lib; {
description = "3D point cloud and mesh processing software";
homepage = "https://cloudcompare.org";

View File

@ -11,11 +11,11 @@
stdenv.mkDerivation rec {
pname = "drawio";
version = "17.2.4";
version = "17.4.2";
src = fetchurl {
url = "https://github.com/jgraph/drawio-desktop/releases/download/v${version}/drawio-x86_64-${version}.rpm";
sha256 = "sha256-dKl7DxNneoQEL+QhZmpfQCd15RoeDRnkZt3sv8t2KM4=";
sha256 = "294f99d9060bc394490b20d2ddab75ed5c0166d7960850f065eb8897ef31a2e3";
};
nativeBuildInputs = [
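
Review bot: the new `sha256` on the fetchurl is a bare hex digest while the value it replaces was in SRI form (`sha256-...`); keep one format in this file, preferably the SRI string, so the hash style does not flip between updates. The src is a prebuilt RPM from the upstream release page, so this pinned digest is the only integrity check on the binary and is worth confirming against a fresh prefetch of the 17.4.2 URL.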

View File

@ -6,13 +6,13 @@
stdenv.mkDerivation rec {
pname = "geeqie";
version = "1.7.2";
version = "1.7.3";
src = fetchFromGitHub {
owner = "BestImageViewer";
repo = "geeqie";
rev = "v${version}";
sha256 = "sha256-Abr7trlms6bxOAqE6xNKRv51TBGNilNdBhUZUg7OTKY=";
sha256 = "sha256-O+yz/uNxueR+naEJG8EZ+k/JutRjJ5wwbB9DYb8YNLw=";
};
patches = [

View File

@ -0,0 +1,95 @@
{ lib
, stdenv
, fetchurl
, makeWrapper
, autoPatchelfHook
, libX11
, libXext
, libXrandr
, libXinerama
, libglvnd
, openal
, glibc
, makeDesktopItem
, copyDesktopItems
, imagemagick
}:
let
version = "1.3";
in
stdenv.mkDerivation {
pname = "unigine-tropics";
inherit version;
src = fetchurl {
url = "http://m12-assets.unigine.com/d/Unigine_Tropics-${version}.run";
sha256 = "0icasdp46fjnic7gk83pknjx0gpap9j202dm0llcfg5zin5kbq7x";
};
libPath = lib.makeLibraryPath [
libglvnd
openal
glibc
];
installPhase = ''
bash $src --target $name
install -D -m 0755 $name/bin/libUnigine_x86.so $out/lib/unigine/tropics/bin/libUnigine_x86.so
install -D -m 0755 $name/bin/Tropics $out/lib/unigine/tropics/bin/Tropics
install -D -m 0755 $name/1024x768_windowed.sh $out/bin/Tropics
cp -R $name/data $out/lib/unigine/tropics
wrapProgram $out/bin/Tropics \
--prefix LD_LIBRARY_PATH : $libPath:$out/lib/unigine/tropics/bin \
--run "cd $out/lib/unigine/tropics"
convert -size 256x256 xc:Transparent -fill gradient:'dodgerblue-white' -stroke Transparent -draw "roundrectangle 0,0 256,256 50,50" $name/icon.png
convert $name/icon.png -fill white -stroke white -draw "polygon 69.2564,84.1261 117.9,84.1261 117.9,206.56 138.1,206.56 138.1,84.1261 186.744,84.1261 186.744,65.9877 69.2564,65.9877 69.2564,84.1261" $name/icon.png
for RES in 16 24 32 48 64 128 256
do
mkdir -p $out/share/icons/hicolor/"$RES"x"$RES"/apps
convert $name/icon.png -resize "$RES"x"$RES" $out/share/icons/hicolor/"$RES"x"$RES"/apps/Tropics.png
done
convert $name/icon.png -resize 128x128 $out/share/icons/Tropics.png
runHook postInstall
'';
desktopItems = [
(makeDesktopItem {
name = "Tropics";
exec = "Tropics";
genericName = "A GPU Stress test tool from the UNIGINE";
icon = "Tropics";
desktopName = "Tropics Benchmark";
})
];
nativeBuildInputs = [
autoPatchelfHook
makeWrapper
imagemagick
copyDesktopItems
];
buildInputs = [
stdenv.cc.cc
libX11
libXext
libXrandr
libXinerama
];
dontUnpack = true;
meta = {
description = "The Unigine Heaven GPU benchmarking tool";
homepage = "https://benchmark.unigine.com/tropics";
license = lib.licenses.unfree;
maintainers = [ lib.maintainers.BarinovMaxim ];
platforms = [ "x86_64-linux" "i686-linux" ];
};
}
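
Review bot: meta.description reads "The Unigine Heaven GPU benchmarking tool" but pname, homepage and the desktop item are all Tropics, so this looks copied from the Heaven package; change it to name Tropics. In the same file, src is fetched from an `http://` URL while the homepage is `https://` (the fixed sha256 still pins the content, but prefer https if the host serves it), and installPhase ends with `runHook postInstall` without a matching `runHook preInstall` at the top.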

View File

@ -11,6 +11,7 @@
buildDotnetModule rec {
pname = "archisteamfarm";
# nixpkgs-update: no auto update
version = "5.2.2.4";
src = fetchFromGitHub {

View File

@ -2,18 +2,16 @@
buildGoModule rec {
pname = "charm";
version = "0.10.3";
version = "0.11.0";
src = fetchFromGitHub {
owner = "charmbracelet";
repo = "charm";
rev = "v${version}";
sha256 = "sha256-7WdSIpmpN8Zz2k5PveYZoCueQo5sLxLLZvZdzxRlkaE=";
sha256 = "sha256-98TUiFy4X7lMUostkgZikk6r6wzBPF0pqWthrS9nU+U=";
};
vendorSha256 = "sha256-5cqZxh2uvmJV7DtAGzQwt//heF3kF9mjyB0KAs8nWZY=";
doCheck = false;
vendorSha256 = "sha256-enkt7BUAntbB75LR12NB0vW6z9dTPzk0bGdRrn3JHm4=";
ldflags = [ "-s" "-w" "-X=main.Version=${version}" ];

View File

@ -9,7 +9,7 @@
}:
let
version = "4.1.5";
version = "4.2.0";
libsecp256k1_name =
if stdenv.isLinux then "libsecp256k1.so.0"
@ -20,19 +20,6 @@ let
if stdenv.isLinux then "libzbar.so.0"
else "libzbar${stdenv.hostPlatform.extensions.sharedLibrary}";
py = python3.override {
packageOverrides = self: super: {
aiorpcx = super.aiorpcx.overridePythonAttrs (oldAttrs: rec {
version = "0.18.7";
src = oldAttrs.src.override {
inherit version;
sha256 = "1rswrspv27x33xa5bnhrkjqzhv0sknv5kd7pl1vidw9d2z4rx2l0";
};
});
};
};
in
python3.pkgs.buildPythonApplication {
@ -43,17 +30,12 @@ python3.pkgs.buildPythonApplication {
owner = "Groestlcoin";
repo = "electrum-grs";
rev = "refs/tags/v${version}";
sha256 = "0wvbjj80r1zxpz24adkicxsdjnv3nciga6rl1wfmky463w03rca2";
sha256 = "15n6snrs1kgdqkhp4wgs0bxxdz6mzl8dvf8h7s0jzc6r4b74vv3n";
};
postPatch = ''
substituteInPlace contrib/requirements/requirements.txt \
--replace "dnspython>=2.0,<2.1" "dnspython>=2.0"
'';
nativeBuildInputs = lib.optionals enableQt [ wrapQtAppsHook ];
propagatedBuildInputs = with py.pkgs; [
propagatedBuildInputs = with python3.pkgs; [
aiohttp
aiohttp-socks
aiorpcx

View File

@ -2,10 +2,10 @@
stdenv.mkDerivation rec {
pname = "gremlin-console";
version = "3.5.2";
version = "3.5.3";
src = fetchzip {
url = "https://downloads.apache.org/tinkerpop/${version}/apache-tinkerpop-gremlin-console-${version}-bin.zip";
sha256 = "sha256-PCr8lDQzypgozKCzD8FV4X4ls5lYZRMey1vfcFzo+Uc=";
sha256 = "sha256-pcxJYK+hBFlJ8CmuHGcI+U3x3nE/f9Nu37Nkd3C2Hy8=";
};
nativeBuildInputs = [ makeWrapper ];

View File

@ -1,4 +1,4 @@
{ lib, buildGoModule, fetchFromGitHub }:
{ lib, buildGoModule, fetchFromGitHub, kubectl, stdenv }:
buildGoModule rec {
pname = "gsctl";
@ -13,10 +13,16 @@ buildGoModule rec {
vendorSha256 = "sha256-NeRABlKUpD2ZHRid/vu34Dh9uHZ+7IXWFPX8jkexUog=";
ldflags =
[ "-s" "-w" "-X github.com/giantswarm/gsctl/buildinfo.Version=${version}" ];
ldflags = [
"-s" "-w"
"-X github.com/giantswarm/gsctl/buildinfo.Version=${version}"
];
doCheck = false;
checkInputs = [
kubectl
];
doCheck = !stdenv.isDarwin;
meta = with lib; {
description = "The Giant Swarm command line interface";

View File

@ -2,16 +2,16 @@
buildGoModule rec {
pname = "hugo";
version = "0.92.2";
version = "0.96.0";
src = fetchFromGitHub {
owner = "gohugoio";
repo = pname;
rev = "v${version}";
sha256 = "sha256-kwqN/9H/ZI2eL09K/9bOMBWW9bow8LtKpbfxyfxIucA=";
sha256 = "sha256-3O+ZdOloh5gILPQssztt7s/MwRgDOnpJItwLn7FXnPU=";
};
vendorSha256 = "sha256-7dJUl0IxsLj0ds2jqtChNCQEBiK9PahG159IhyFxwdM=";
vendorSha256 = "sha256-TgE/ToHBg2QBgtk0gPZTV/icIbQN14RpVAbL/8b+W0U=";
doCheck = false;
@ -27,9 +27,9 @@ buildGoModule rec {
$out/bin/hugo gen man
installManPage man/*
installShellCompletion --cmd hugo \
--bash <($out/bin/hugo gen autocomplete --type=bash) \
--fish <($out/bin/hugo gen autocomplete --type=fish) \
--zsh <($out/bin/hugo gen autocomplete --type=zsh)
--bash <($out/bin/hugo completion bash) \
--fish <($out/bin/hugo completion fish) \
--zsh <($out/bin/hugo completion zsh)
'';
meta = with lib; {

View File

@ -15,13 +15,13 @@
stdenv.mkDerivation rec {
pname = "otpclient";
version = "2.4.9.1";
version = "2.5.1";
src = fetchFromGitHub {
owner = "paolostivanin";
repo = pname;
rev = "v${version}";
sha256 = "sha256-QcdPyuwbGK12Kul+gGTfRGmXfghr0qugpBEcrgATOT4=";
sha256 = "sha256-VUrLbGaDfPE+Ak20ZCJDmO/sgBzdf4S+SqvyQ7F6SQU=";
};
buildInputs = [ gtk3 jansson libgcrypt libzip libpng libcotp zbar ];

View File

@ -0,0 +1,56 @@
{ lib
, stdenv
, installShellFiles
, fetchFromGitHub
, gumbo
, harfbuzz
, jbig2dec
, mupdf
, openjpeg
, qt3d
, qtbase
, qmake
, wrapQtAppsHook
}:
stdenv.mkDerivation rec {
pname = "sioyek";
version = "1.2.0";
src = fetchFromGitHub {
owner = "ahrm";
repo = pname;
rev = "v${version}";
sha256 = "sha256-G4iZi6xTJjWZN0T3lO0jPquxJ3p8Mc0ewmjJEKcGJ34=";
};
buildInputs = [ gumbo harfbuzz jbig2dec mupdf openjpeg qt3d qtbase ];
nativeBuildInputs = [ installShellFiles wrapQtAppsHook qmake ];
postPatch = ''
substituteInPlace pdf_viewer_build_config.pro \
--replace "-lmupdf-threads" "-lfreetype -lgumbo -ljbig2dec -lopenjp2 -ljpeg"
substituteInPlace pdf_viewer/main.cpp \
--replace "/usr/share/sioyek" "$out/share" \
--replace "/etc/sioyek" "$out/etc"
'';
qmakeFlags = "DEFINES+=\"LINUX_STANDARD_PATHS\" pdf_viewer_build_config.pro";
postInstall = ''
install -Dm644 tutorial.pdf $out/share/tutorial.pdf
cp -r pdf_viewer/shaders $out/share/
install -Dm644 -t $out/etc/ pdf_viewer/{keys,prefs}.config
installManPage resources/sioyek.1
'';
meta = with lib; {
description = "Sioyek is a PDF viewer designed for reading research papers and technical books.";
homepage = "https://sioyek.info/";
changelog = "https://github.com/ahrm/sioyek/releases";
license = licenses.gpl3Only;
platforms = platforms.linux;
maintainers = [ maintainers.podocarp ];
};
}
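
Review bot: postPatch rewrites `/usr/share/sioyek` to `$out/share` and `/etc/sioyek` to `$out/etc`, and postInstall then places tutorial.pdf, shaders/ and the keys/prefs configs directly in those top-level directories, where they can collide with files from other packages in the same profile. Keep the per-application subdirectory ($out/share/sioyek and $out/etc/sioyek) in both the substitution and the install lines. `qmakeFlags` is also written as a single string with escaped quotes; a list of flags is easier to read and extend.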

View File

@ -2,14 +2,14 @@
rustPlatform.buildRustPackage rec {
pname = "toipe";
version = "0.3.1";
version = "0.4.0";
src = fetchCrate {
inherit pname version;
sha256 = "sha256-/vO5ABMldw3soh7mscjhN5TAZOcs+iMTaMxcdMmV0Xo=";
sha256 = "sha256-lAvFCvNm55SjRmrhIkMBiM0nSlAG+jUEKLlLaGs1RkY=";
};
cargoSha256 = "sha256-AsRQ8kvDy1cH4/kaFAoU7en3dzDiG1T+O+4r6PKa0hM=";
cargoSha256 = "sha256-WmWH/x69H17uHQEB0+GRUtApJnSEkoeFLLweP8NoBrk=";
meta = with lib; {
description = "Trusty terminal typing tester";

View File

@ -4,13 +4,13 @@
stdenv.mkDerivation rec {
pname = "xmrig";
version = "6.16.4";
version = "6.17.0";
src = fetchFromGitHub {
owner = "xmrig";
repo = "xmrig";
rev = "v${version}";
sha256 = "sha256-hfdKhTUGoVN4DIURO+e3MOSpsL6GWxOV3LItd0nA51Y=";
sha256 = "sha256-K8mN3Wzlay2Qgoo70mu3Bh4lXUXNDpXYt17aNnwWkIc=";
};
nativeBuildInputs = [ cmake ];

View File

@ -10,11 +10,11 @@
# Based on https://gist.github.com/msteen/96cb7df66a359b827497c5269ccbbf94 and joplin-desktop nixpkgs.
let
pname = "zettlr";
version = "2.2.4";
version = "2.2.5";
name = "${pname}-${version}";
src = fetchurl {
url = "https://github.com/Zettlr/Zettlr/releases/download/v${version}/Zettlr-${version}-x86_64.appimage";
sha256 = "sha256-lzXciToyUsHl8WV0IvdP6R2pYegL7/G04YPLb6gbCgQ=";
sha256 = "sha256-KP3lt0CweT1f/BR3IpnjwCqNvhFbrpz9KLg6K8OMs+I=";
};
appimageContents = appimageTools.extractType2 {
inherit name src;

View File

@ -87,11 +87,11 @@ let
in
stdenv.mkDerivation rec {
pname = "appgate-sdp";
version = "5.5.3";
version = "5.5.4";
src = fetchurl {
url = "https://bin.appgate-sdp.com/${versions.majorMinor version}/client/appgate-sdp_${version}_amd64.deb";
sha256 = "sha256-qSo4JX/Jj+JkeetZIMw88MK7SzOgT8aNbQby2kJ91oo=";
sha256 = "sha256-7qfgUYD7uPb+ZEierREVfnHoGz0/b/J+hcsX/duDFWU=";
};
# just patch interpreter

View File

@ -37,6 +37,7 @@
, pango
, pipewire
, udev
, wayland
, xorg
, zlib
, xdg-utils
@ -82,6 +83,7 @@ rpath = lib.makeLibraryPath [
pango
pipewire
udev
wayland
xdg-utils
xorg.libxcb
zlib
@ -160,6 +162,7 @@ stdenv.mkDerivation rec {
preFixup = ''
# Add command line args to wrapGApp.
gappsWrapperArgs+=(--add-flags ${lib.escapeShellArg commandLineArgs})
gappsWrapperArgs+=(--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}")
'';
installCheckPhase = ''

View File

@ -38,9 +38,9 @@ for entry in feed.entries:
else:
print('chromium: TODO -> ' + version + '\n')
print(url)
if fixes := re.search(r'This update includes .+ security fixes\.', content).group(0):
zero_days = re.search(r'Google is aware( of reports)? th(e|at) .+ in the wild\.', content)
if zero_days:
if fixes := re.search(r'This update includes .+ security fix(es)?\.', content):
fixes = fixes.group(0)
if zero_days := re.search(r'Google is aware( of reports)? th(e|at) .+ in the wild\.', content):
fixes += " " + zero_days.group(0)
print('\n' + '\n'.join(textwrap.wrap(fixes, width=72)))
if cve_list := re.findall(r'CVE-[^: ]+', content):
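
Review bot: both patterns use a greedy `.+` (`This update includes .+ security fix(es)?\.` and `Google is aware( of reports)? th(e|at) .+ in the wild\.`), so when `content` carries the release notes on one long line the match runs to the last occurrence of the closing phrase and can pull unrelated text into the printed summary. Use `.+?`, or a tighter class such as `\d+` for the fix count. The walrus also binds `fixes` to a match object and the next line rebinds it to a string; a separate name for the match would read better.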

View File

@ -1,8 +1,8 @@
{
"stable": {
"version": "100.0.4896.75",
"sha256": "1h60l1g340gvm4lz2lps6dqpvahpzn24hz47y2qvc6mavx9d6ki4",
"sha256bin64": "0nrrkgwcnqg4l8x1nk1rdxnv9xa0c24ync1yls7s9rc34wkk8sc5",
"version": "100.0.4896.88",
"sha256": "0l628x41krsjgzff9996k5wkbcvcjqf4128z32hpj1pkg23719f5",
"sha256bin64": "1wqzs3f70ayi9vy3ncm5mild22xvhwn4d2lcfra31wwnzxi1nqxm",
"deps": {
"gn": {
"version": "2022-01-21",
@ -19,9 +19,9 @@
}
},
"beta": {
"version": "101.0.4951.15",
"sha256": "1gm70mz6gzildh1g082q4dg5q9namm9kvxfj5qrdcj67gvz5m66y",
"sha256bin64": "0z2rx7mw9wg5ly8wmxkflk8f9gifq4cxqvi224v9dr11qqj8gwm2",
"version": "101.0.4951.26",
"sha256": "1wpdi5l0bic0z9ydvx5vj35z6fh21b3n8dsxyvcbm0rq4fca5zcg",
"sha256bin64": "13mx2jxq5pjzp6dxvnzkfs83krhvpbw0pim7z4c7hhyphjc4fhzr",
"deps": {
"gn": {
"version": "2022-03-14",
@ -32,22 +32,22 @@
}
},
"dev": {
"version": "102.0.4972.0",
"sha256": "1aihdym7h8sd52wiybnrgjrd618f3yby4bpbkc26xyrl8gviz31d",
"sha256bin64": "0mb67cfr397aclkiy0v9xqga07c166qdylq257k2kmhj7df1gcvn",
"version": "102.0.4997.0",
"sha256": "05y9b426wcarq18faw5i79qrfqy158dinvba5d7lwrcjnbqyfr1f",
"sha256bin64": "0846y3dbs7vghrb8s2s57a2lk7a0x2dha5q0d915qrn29g5x9c6p",
"deps": {
"gn": {
"version": "2022-03-29",
"version": "2022-04-07",
"url": "https://gn.googlesource.com/gn",
"rev": "e39d5251c25155b9dfdb96adeab31b795095fd3b",
"sha256": "1clr0f847rmwwpmsl9zv4q6rw1shn09my775666v480szpahj9pk"
"rev": "ae110f8b525009255ba1f9ae96982176d3bfad3d",
"sha256": "131y1v2m59hn7s00zc9p7rhfi956p744mp96g2i80f0i020dyl6w"
}
}
},
"ungoogled-chromium": {
"version": "100.0.4896.75",
"sha256": "1h60l1g340gvm4lz2lps6dqpvahpzn24hz47y2qvc6mavx9d6ki4",
"sha256bin64": "0nrrkgwcnqg4l8x1nk1rdxnv9xa0c24ync1yls7s9rc34wkk8sc5",
"version": "100.0.4896.88",
"sha256": "0l628x41krsjgzff9996k5wkbcvcjqf4128z32hpj1pkg23719f5",
"sha256bin64": "1wqzs3f70ayi9vy3ncm5mild22xvhwn4d2lcfra31wwnzxi1nqxm",
"deps": {
"gn": {
"version": "2022-01-21",
@ -56,8 +56,8 @@
"sha256": "1dzdvcn2r5c9giknvasf3y5y4901kav7igivjvrpww66ywsj8fzr"
},
"ungoogled-patches": {
"rev": "100.0.4896.75-1",
"sha256": "0s31dclgk3x9302wr5yij77361bqam2sfki39p651gwysfizb73n"
"rev": "100.0.4896.88-1",
"sha256": "0f0c5mrjvk6lg59p4x6lg2az4f83y7zzikv5hlmqzpgydivk7c13"
}
}
}

View File

@ -7,10 +7,10 @@ in
rec {
firefox = common rec {
pname = "firefox";
version = "99.0";
version = "99.0.1";
src = fetchurl {
url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
sha512 = "08f6d5a668140c4275aba6df463ed3af596043dfe5f27573583afbc1e9f6b27ebca79a52ce2c9598261c631b400b5378744e9e70f51ef9c4098b419e9904aa7c";
sha512 = "0006b773ef1057a6e0b959d4f39849ad4a79272b38d565da98062b9aaf0effd2b729349c1f9fa10fccf7d2462d2c536b02c167ae6ad4556d6e519c6d22c25a7f";
};
meta = {

View File

@ -46,12 +46,12 @@ assert with lib.strings; (
stdenv.mkDerivation rec {
pname = "palemoon";
version = "29.4.5.1";
version = "29.4.6";
src = fetchzip {
name = "${pname}-${version}";
url = "http://archive.palemoon.org/source/${pname}-${version}.source.tar.xz";
sha256 = "sha256-IC7E88dECAz2diVLEEdjMltpNMBhPTlPvbz05BniBMI=";
sha256 = "sha256-6bI3AnIhp0x3BCgTvmbOXDBGrJXg3cN+AmwI8XCKD8g=";
};
nativeBuildInputs = [

View File

@ -1,10 +1,12 @@
{ stdenv, lib, fetchurl, fetchzip, python3
, mkDerivationWith, wrapQtAppsHook, wrapGAppsHook, qtbase, qtwebengine, glib-networking
, asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2, pipewire_0_2
, asciidoc, docbook_xml_dtd_45, docbook_xsl, libxml2
, libxslt, gst_all_1 ? null
, withPdfReader ? true
, withMediaPlayback ? true
, backend ? "webengine"
, pipewireSupport ? stdenv.isLinux
, pipewire_0_2
}:
assert withMediaPlayback -> gst_all_1 != null;
@ -77,7 +79,7 @@ in mkDerivationWith python3Packages.buildPythonApplication rec {
postPatch = ''
substituteInPlace qutebrowser/misc/quitter.py --subst-var-by qutebrowser "$out/bin/qutebrowser"
sed -i "s,/usr/share/,$out/share/,g" qutebrowser/utils/standarddir.py
sed -i "s,/usr,$out,g" qutebrowser/utils/standarddir.py
'' + lib.optionalString withPdfReader ''
sed -i "s,/usr/share/pdf.js,${pdfjs},g" qutebrowser/browser/pdfjs.py
'';
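
Review bot: the sed pattern was widened from `/usr/share/` to `/usr`, which rewrites every occurrence of `/usr` in qutebrowser/utils/standarddir.py, including any path that is not meant to point into the package (a `/usr/local` entry, for example, would become `$out/local`). If the goal is to cover one more directory besides share, match that path explicitly and add a comment naming it.
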
@ -121,7 +123,7 @@ in mkDerivationWith python3Packages.buildPythonApplication rec {
"''${qtWrapperArgs[@]}"
--add-flags '--backend ${backend}'
--set QUTE_QTWEBENGINE_VERSION_OVERRIDE "${lib.getVersion qtwebengine}"
${lib.optionalString (!stdenv.isDarwin && backend == "webengine") ''--prefix LD_LIBRARY_PATH : ${libPath}''}
${lib.optionalString (pipewireSupport && backend == "webengine") ''--prefix LD_LIBRARY_PATH : ${libPath}''}
)
'';

View File

@ -1,22 +1,33 @@
{ lib, buildGoModule, fetchFromGitHub }:
{ lib, buildGoModule, fetchFromGitHub, stdenv }:
buildGoModule rec {
pname = "cloudflared";
version = "2022.4.0";
version = "2022.4.1";
src = fetchFromGitHub {
owner = "cloudflare";
repo = "cloudflared";
rev = version;
hash = "sha256-+40OK2q4WdvlLhoPfZH6q+pghgS7ZLmaZl2VbZK4rdA=";
hash = "sha256-dgvXbWtLP6sXBlqcx/xpw9LIbcE4VlYZQO5rrS34+9I=";
};
vendorSha256 = null;
doCheck = false;
ldflags = [ "-X main.Version=${version}" ];
preCheck = ''
# Workaround for: sshgen_test.go:74: mkdir /homeless-shelter/.cloudflared: no such file or directory
export HOME="$(mktemp -d)";
# Workaround for: protocol_test.go:11:
# lookup protocol-v2.argotunnel.com on [::1]:53: read udp [::1]:51876->[::1]:53: read: connection refused
substituteInPlace "edgediscovery/protocol_test.go" \
--replace "TestProtocolPercentage" "SkipProtocolPercentage"
'';
doCheck = !stdenv.isDarwin;
meta = with lib; {
description = "CloudFlare Tunnel daemon (and DNS-over-HTTPS client)";
homepage = "https://www.cloudflare.com/products/tunnel";
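
Review bot: `doCheck = !stdenv.isDarwin;` turns the tests off on Darwin without saying why, unlike the two workarounds in preCheck, which each quote the failing test output. Add a comment with the Darwin failure so the exclusion can be revisited. The rename of TestProtocolPercentage through substituteInPlace is tied to that exact identifier, so note next to it that it has to be rechecked on version bumps.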

View File

@ -2,16 +2,16 @@
buildGoModule rec {
pname = "argocd-autopilot";
version = "0.3.1";
version = "0.3.2";
src = fetchFromGitHub {
owner = "argoproj-labs";
repo = "argocd-autopilot";
rev = "v${version}";
sha256 = "sha256-L8+sb0lGPuc6smOFwijRGFS+oSCxEqB5c1tG55MPlgE=";
sha256 = "sha256-9si2zqYhmAqzhdUWMkfQ/yLeyNcZSAWypvZTbDDrPvA=";
};
vendorSha256 = "sha256-sxPTOao3scTmiVKFyGeWPMzXQz/d0HSVmUYocNGm1vA=";
vendorSha256 = "sha256-UfZCGG24JjPoc5nbX9vPeFCP8YGMNF5oUrdwTC6RpKI=";
proxyVendor = true;

View File

@ -6,13 +6,13 @@
buildGoModule rec {
pname = "arkade";
version = "0.8.20";
version = "0.8.22";
src = fetchFromGitHub {
owner = "alexellis";
repo = "arkade";
rev = version;
sha256 = "sha256-DIXvsYYckNlxFzeJqk3TYRQIAtafAfylyDc/a20kl+0=";
sha256 = "sha256-mn/UX2xNMthCtXYFUXqiiPnMltwO2Hk/qveudEYAOZ0=";
};
CGO_ENABLED = 0;

View File

@ -2,21 +2,24 @@
buildGoModule rec {
pname = "atlantis";
version = "0.16.1";
version = "0.19.2";
src = fetchFromGitHub {
owner = "runatlantis";
repo = "atlantis";
rev = "v${version}";
sha256 = "sha256-D549pInoK8ispgcn8LYdix19Hp7wO6w2/d2Y1L/9Px8=";
sha256 = "sha256-cd2dhrqJl/VRhOYB1g9OpOnPV92EQm8f3rRGZGVN+IY=";
};
vendorSha256 = null;
doCheck = false;
vendorSha256 = "sha256-ux+Hw/TjeiY9VYhIQxaltZGk5CkxAab8R7kAsTaMUGc=";
subPackages = [ "." ];
doInstallCheck = true;
installCheckPhase = ''
$out/bin/atlantis version | grep ${version} > /dev/null
'';
meta = with lib; {
homepage = "https://github.com/runatlantis/atlantis";
description = "Terraform Pull Request Automation";
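
Review bot: in installCheckPhase, `grep ${version}` treats the dots in 0.19.2 as regex wildcards, so the check also passes on a string such as 0x19y2; use `grep -F`, and `-q` instead of redirecting to /dev/null. The phase is also overridden without `runHook preInstallCheck` / `runHook postInstallCheck`.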

View File

@ -2,16 +2,16 @@
buildGoModule rec {
pname = "cmctl";
version = "1.7.2";
version = "1.8.0";
src = fetchFromGitHub {
owner = "cert-manager";
repo = "cert-manager";
rev = "v${version}";
sha256 = "sha256-Hx6MG5GCZyOX0tfpg1bfUT0BOI3p7Mws1VCz2PuUuw8=";
sha256 = "sha256-h7GyzjVrfyMHY7yuNmmsym6KGKCQr5R71gjPBTUeMCg=";
};
vendorSha256 = "sha256-4zhdpedOmLl/i1G0QCto4ACxguWRZLzOm5HfMBMtvPY=";
vendorSha256 = "sha256-UYw9WdQ6VwzuuiOsa1yovkLZG7NmLYSW51p8UhmQMeI=";
subPackages = [ "cmd/ctl" ];

View File

@ -46,12 +46,12 @@ with lib;
# Those pieces of software we entirely ignore upstream's handling of, and just
# make sure they're in the path if desired.
let
k3sVersion = "1.23.4+k3s1"; # k3s git tag
k3sCommit = "43b1cb48200d8f6af85c16ed944d68fcc96b6506"; # k3s git commit at the above version
k3sRepoSha256 = "1sn7rd5hqfqvwj036blk0skmq6r8igbmiqk1dnpaqnkkddpzdgmc";
k3sVendorSha256 = "sha256-1/kQvNqFUWwch1JH+twWzBdjNYseoZyVObB1+s9WPM4=";
k3sVersion = "1.23.5+k3s1"; # k3s git tag
k3sCommit = "313aaca547f030752788dce696fdf8c9568bc035"; # k3s git commit at the above version
k3sRepoSha256 = "0vk72609cyyh64irp14jp2zspnxw34jm710cbwgklx0ch6kiz88d";
k3sVendorSha256 = "sha256-d7kQsJi/eQbaTUDglp3gFpc5Im6CyD9coKeM3kMrbjI=";
k3sServerVendorSha256 = "sha256-2KIFff43jfqWdxX61aWofrjmc5mMkr5aEJRFdGpLyU8=";
k3sServerVendorSha256 = "sha256-E3USXNuXY0lzZH+t3O7BOQ8rKNNQ6avOMItgOEi1cEg=";
# taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
# The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
@ -68,8 +68,8 @@ let
# taken from go.mod, the 'github.com/containerd/containerd' line
# run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
containerdVersion = "1.5.9-k3s1";
containerdSha256 = "09wfy20z3c9fnla353pibpsb10xzl0f4xwp8qdjh3fwa1q2626gg";
containerdVersion = "1.5.10-k3s1";
containerdSha256 = "1ff2sfaqpjimq7w0lprci6ibyi6v65ap6b9sr6b0j12gqr2sqwa5";
# run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
criCtlVersion = "1.22.0-k3s1";
@ -228,9 +228,24 @@ buildGoModule rec {
patches = [
./patches/0001-scrips-download-strip-downloading-just-package-CRD.patch
./patches/0002-Don-t-build-a-static-binary-in-package-cli.patch
];
postPatch = ''
# Nix prefers dynamically linked binaries over static binary.
substituteInPlace scripts/package-cli \
--replace '"$LDFLAGS $STATIC" -o' \
'"$LDFLAGS" -o' \
--replace "STATIC=\"-extldflags \'-static\'\"" \
""
# Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
substituteInPlace scripts/package-cli \
--replace '"''${GO}" generate' \
'GOFLAGS="" "''${GO}" generate'
'';
# Important utilities used by the kubelet, see
# https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
# Note the list in that issue is stale and some aren't relevant for k3s.
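
Review bot: the second `--replace` in postPatch, `"STATIC=\"-extldflags \'-static\'\""`, is unlikely to match anything. Inside a double-quoted shell string the backslash before a single quote is kept, so the pattern contains literal `\'`, while the upstream line shown in the removed patch is `STATIC="-extldflags '-static'"`. The build still drops static linking because the first replacement removes `$STATIC` from the `go build` line, but the STATIC assignment stays in the script. Write the single quotes without backslashes, or drop this replacement and keep only the first one.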

View File

@ -1,37 +0,0 @@
From 49c000c7c5dd7a502a2be4c638d2c32b65673c00 Mon Sep 17 00:00:00 2001
From: Euan Kemp <euank@euank.com>
Date: Sun, 6 Feb 2022 23:13:00 -0800
Subject: [PATCH] Don't build a static binary in package-cli
since nixpkgs prefers dynamically linked binaries.
Also remove "trimpath" for the 'go generate' step because the codegen
they use doesn't work with trimpath set.
---
scripts/package-cli | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/scripts/package-cli b/scripts/package-cli
index 28927327b7..95dbb469f1 100755
--- a/scripts/package-cli
+++ b/scripts/package-cli
@@ -48,14 +48,13 @@ fi
CMD_NAME=dist/artifacts/k3s${BIN_SUFFIX}
-"${GO}" generate
+GOFLAGS="" "${GO}" generate
LDFLAGS="
-X github.com/rancher/k3s/pkg/version.Version=$VERSION
-X github.com/rancher/k3s/pkg/version.GitCommit=${COMMIT:0:8}
-w -s
"
-STATIC="-extldflags '-static'"
-CGO_ENABLED=0 "${GO}" build -ldflags "$LDFLAGS $STATIC" -o ${CMD_NAME} ./cmd/k3s/main.go
+CGO_ENABLED=0 "${GO}" build -ldflags "$LDFLAGS" -o ${CMD_NAME} ./cmd/k3s/main.go
stat ${CMD_NAME}
--
2.34.1

View File

@ -2,36 +2,42 @@
buildGoModule rec {
pname = "starboard";
version = "0.14.1";
version = "0.15.3";
src = fetchFromGitHub {
owner = "aquasecurity";
repo = pname;
rev = "v${version}";
sha256 = "sha256-sB7C0IKadgpQ2h6HuH4D6ku/GXnFfFS+fGCW/RBSc10=";
sha256 = "sha256-EBjAB0uSMAyiVr6KxqrT/F+GIkntmOKNPHL1D0RBdG0=";
# populate values that require us to use git. By doing this in postFetch we
# can delete .git afterwards and maintain better reproducibility of the src.
leaveDotGit = true;
postFetch = ''
cd "$out"
commit="$(git rev-parse HEAD)"
source_date_epoch=$(git log --date=format:'%Y-%m-%dT%H:%M:%SZ' -1 --pretty=%ad)
substituteInPlace "$out/cmd/starboard/main.go" \
--replace 'commit = "none"' "commit = \"$commit\"" \
--replace 'date = "unknown"' "date = \"$source_date_epoch\""
git rev-parse HEAD > $out/COMMIT
# 0000-00-00T00:00:00Z
date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH
find "$out" -name .git -print0 | xargs -0 rm -rf
'';
};
vendorSha256 = "sha256-R7tF724y5WNIByE+9nRoNSZDZzfLtPfK/9tSBkARaN0=";
vendorSha256 = "sha256-BxXH+dJyAQRGAq25CljUImxYIT+nCQpmUPUjHOYF0kc=";
nativeBuildInputs = [ installShellFiles ];
subPackages = [ "cmd/starboard" ];
ldflags = [
"-s" "-w" "-X main.version=v${version}"
"-s"
"-w"
"-X main.version=v${version}"
];
# ldflags based on metadata from git and source
preBuild = ''
ldflags+=" -X main.gitCommit=$(cat COMMIT)"
ldflags+=" -X main.buildDate=$(cat SOURCE_DATE_EPOCH)"
'';
preCheck = ''
# Remove test that requires networking
rm pkg/plugin/aqua/client/client_integration_test.go
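
Review bot: postFetch writes a formatted timestamp (`+%Y-%m-%dT%H:%M:%SZ`) into a file named SOURCE_DATE_EPOCH, which is also the name of the standard variable holding seconds since the epoch; preBuild then passes the file's content to main.buildDate. Rename the file (BUILD_DATE, for example) so it is not mistaken for the epoch value, and reword the `# 0000-00-00T00:00:00Z` comment to say it shows the expected output format.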

View File

@ -40,10 +40,10 @@
"owner": "aliyun",
"provider-source-address": "registry.terraform.io/aliyun/alicloud",
"repo": "terraform-provider-alicloud",
"rev": "v1.162.0",
"sha256": "sha256-xqZv15Tst+7o9HhNu6/bW+a4z7FTkra+MfS8jKrfeNs=",
"vendorSha256": "sha256-RbOf/S0rkbhW0s+/YOqu+BQuE0V4aS2x36Xf+hgBkqY=",
"version": "1.162.0"
"rev": "v1.163.0",
"sha256": "sha256-lSg8jAzQfRc++U6zAhkfbVf/+hIW/1Nov35o6M8mRrw=",
"vendorSha256": "sha256-8dAk23ISxYuYKj5s0W6g93RBW1++NuZEPva5MaNBSyw=",
"version": "1.163.0"
},
"ansible": {
"owner": "nbering",
@ -76,10 +76,10 @@
"owner": "vmware",
"provider-source-address": "registry.terraform.io/vmware/avi",
"repo": "terraform-provider-avi",
"rev": "v21.1.3",
"sha256": "160l9864p73283hc27qaabd3lrh7lm8fyh6k9xlal5isfd9vrm5p",
"vendorSha256": "1hw1xp20nhs4p1q9l887m82456fg5977pm66165gdkczwrq2zr6v",
"version": "21.1.3"
"rev": "v21.1.4",
"sha256": "sha256-6H56TRA3I0CQ9/d8JdP5JNL0u3lpS8YhCvdSM5bxYp8=",
"vendorSha256": "sha256-b0MwGmgugZdmVk7ZVBSCivDQ4n+tLABymH/igo/S1Wc=",
"version": "21.1.4"
},
"aviatrix": {
"owner": "AviatrixSystems",
@ -148,10 +148,10 @@
"owner": "DrFaust92",
"provider-source-address": "registry.terraform.io/DrFaust92/bitbucket",
"repo": "terraform-provider-bitbucket",
"rev": "v2.13.1",
"sha256": "sha256-P/6scAuRMRrACHmEdWjn+W37ptVmVgtj+iTXQDrG+WM=",
"vendorSha256": "sha256-o1CZ4VuGCPALqSIz8KSm1zCwd3r9bR13CRvP7XpVBAM=",
"version": "2.13.1"
"rev": "v2.14.0",
"sha256": "sha256-tF1Q55mxwPU6dziiNzdacNtHvemd9ciQHE2E6een1WY=",
"vendorSha256": "sha256-L8QYz1xgw8ZQjrU33uP18XxNUjImPYATZ02h46G4aXs=",
"version": "2.14.0"
},
"brightbox": {
"owner": "brightbox",
@ -194,10 +194,10 @@
"owner": "cloudflare",
"provider-source-address": "registry.terraform.io/cloudflare/cloudflare",
"repo": "terraform-provider-cloudflare",
"rev": "v3.12.0",
"sha256": "sha256-y2qq0asEnhnOjthLBFxyQjf1N5KNlXXK0eXjT1/vCXg=",
"rev": "v3.12.1",
"sha256": "sha256-8l6+hyjW+N3N5OGj/cviH97EFqouSrnJULk/SXrYCTk=",
"vendorSha256": "sha256-v6fUzYwrYt4rk5LT0LyNd8e9X79r3dwtd3s1QIV/w/s=",
"version": "3.12.0"
"version": "3.12.1"
},
"cloudfoundry": {
"owner": "cloudfoundry-community",
@ -471,6 +471,15 @@
"vendorSha256": "sha256-HrsjhaMlzs+uel5tBlxJD69Kkjl+4qVisWWREANBx40=",
"version": "5.0.2"
},
"htpasswd": {
"owner": "loafoe",
"provider-source-address": "registry.terraform.io/loafoe/htpasswd",
"repo": "terraform-provider-htpasswd",
"rev": "v1.0.1",
"sha256": "sha256-RUkPIsKVMooGy2hYsNFkctMFdJ8MEbtbMB9Qak6HJgQ=",
"vendorSha256": "sha256-4P3IX7KGDqcWVYRiD6tXoEjF/phI89rz5QdR09xtnAo=",
"version": "1.0.1"
},
"http": {
"owner": "hashicorp",
"provider-source-address": "registry.terraform.io/hashicorp/http",
@ -754,10 +763,10 @@
"owner": "vmware",
"provider-source-address": "registry.terraform.io/vmware/nsxt",
"repo": "terraform-provider-nsxt",
"rev": "v3.2.5",
"sha256": "0j5kspfmqxdnvk3sfb476rckkn9fdgpw5haf495901a114wynr2l",
"rev": "v3.2.6",
"sha256": "sha256-1uQMjzqMJ1NQVVCXy5aHrrZ4vDK5s1JqUnLyYf1qLVw=",
"vendorSha256": null,
"version": "3.2.5"
"version": "3.2.6"
},
"null": {
"owner": "hashicorp",
@ -791,10 +800,10 @@
"owner": "okta",
"provider-source-address": "registry.terraform.io/okta/okta",
"repo": "terraform-provider-okta",
"rev": "v3.22.1",
"sha256": "sha256-G1KJJSxJmzFlIUWOs+7htcgp61oWCu+ryCKaIHzxhzw=",
"vendorSha256": "sha256-n7ih8QtapA+xno1twlM2b2XGEesdJdJIPD+QWpmJDVA=",
"version": "3.22.1"
"rev": "v3.23.0",
"sha256": "sha256-azqWTQA4FW79U+GrdCBO4BWA5c+Cce3ELANS2Os5bSs=",
"vendorSha256": "sha256-S4HVfl/PbgpgWFedkWM+EGyYAL5P0cdkLMYL+y+aX8w=",
"version": "3.23.0"
},
"oktaasa": {
"owner": "oktadeveloper",

View File

@ -2,6 +2,7 @@
, stdenv
, buildGoModule
, fetchFromGitHub
, installShellFiles
, pkg-config
, gpgme
, glibc
@ -11,18 +12,18 @@
buildGoModule rec {
pname = "werf";
version = "1.2.78";
version = "1.2.87";
src = fetchFromGitHub {
owner = "werf";
repo = "werf";
rev = "v${version}";
sha256 = "sha256-ehrzb7WvkYL8oj2RSzKc1KDagV0zg6vMzgpT2sPyhcI=";
sha256 = "sha256-DMP//gh79WuQ8VY4sV6lQlwR+k+rwqODf/pagOBP+4U=";
};
vendorSha256 = "sha256-w8ZeAQbZIVOBoRa9fJhXgTeYRCYpkh/U4pwb5u6A9mQ=";
vendorSha256 = "sha256-OrvGDNj48W1tVAs3tdtAuesHnh8fHRsGd6KL0Uaf9Zg=";
proxyVendor = true;
nativeBuildInputs = [ pkg-config ];
nativeBuildInputs = [ installShellFiles pkg-config ];
buildInputs = [ gpgme ]
++ lib.optionals stdenv.isLinux [ glibc.static lvm2 btrfs-progs ];
@ -44,6 +45,12 @@ buildGoModule rec {
subPackages = [ "cmd/werf" ];
postInstall = ''
installShellCompletion --cmd werf \
--bash <($out/bin/werf completion --shell=bash) \
--zsh <($out/bin/werf completion --shell=zsh)
'';
meta = with lib; {
homepage = "https://github.com/werf/werf";
description = "GitOps delivery tool";
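Review bot: the new `postInstall` executes the freshly built `$out/bin/werf` to generate the bash and zsh completions, which only works when the build machine can run binaries for the host platform; in a cross build this step fails. Guard the `installShellCompletion` call on the build platform being able to execute host binaries, or skip completion generation in that case.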

View File

@ -2,7 +2,7 @@
"name": "element-desktop",
"productName": "Element",
"main": "lib/electron-main.js",
"version": "1.10.8",
"version": "1.10.9",
"description": "A feature-rich client for Matrix.org",
"author": "Element",
"repository": {

View File

@ -1,6 +1,6 @@
{
"version": "1.10.8",
"desktopSrcHash": "S9MQIn773BzCH4dsTkD1DpIThDzoIGr4Heaie2Qs0jY=",
"desktopYarnHash": "1imx43qbpj08l6d0fji31kcxqshcpr0ch8dzfbbgxyjvblq2p8ln",
"webHash": "02i6l3armzr19kki3hgshhzkdpb3001nilh4h10hr3xw5z711ppr"
"version": "1.10.9",
"desktopSrcHash": "vbVnkb/sVW+c7JGIT8Fcjtwe7i10aY0mBoiNeAD8tvY=",
"desktopYarnHash": "0jm0i1yyfkg1ll11pb3qif1vdxx6rp0yl9kd8jg9nhsg2jzw66pr",
"webHash": "0yp29h2cmi18y8g8scqx3zmc1l80q28gid709ysqqb349gy1kls8"
}
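Review bot: the three hashes in this pin file use two different encodings: `desktopSrcHash` is bare base64 with no algorithm prefix, while `desktopYarnHash` and `webHash` are base32. Nothing in the file says which algorithm or encoding each field expects, which makes the pins harder to audit by hand. Consider writing all three in the SRI `sha256-` form used elsewhere in this merge, or documenting the expected format next to the update script.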

View File

@ -12,6 +12,7 @@
, knotifications
, zxing-cpp
, qxmpp
, sonnet
, gst_all_1
}:
@ -38,6 +39,7 @@ mkDerivation rec {
knotifications
zxing-cpp
qxmpp
sonnet
gstreamer
gst-plugins-bad
gst-plugins-base

Some files were not shown because too many files have changed in this diff.