Merge branch 'master' into 172325-nixostest-override-python-pkgs-additional-param

Robert Hensing 2022-06-03 14:22:13 +02:00 committed by GitHub
commit 793180cf55
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1984 changed files with 32339 additions and 24364 deletions

@ -22,7 +22,7 @@ For new packages please briefly describe the package or provide a link to its ho
- made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [22.05 Release Notes (or backporting 21.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2205-release-notes)
- [22.11 Release Notes (or backporting 22.05 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2211-release-notes)
- [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [ ] (Module updates) Added a release notes entry if the change is significant
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module

@ -1,6 +1,7 @@
# Stale bot information
- Thanks for your contribution!
- Our stale bot will never close an issue or PR.
- To remove the stale label, just leave a new comment.
- _How to find the right people to ping?_ → [`git blame`](https://git-scm.com/docs/git-blame) to the rescue! (or GitHub's history and blame buttons.)
- You can always ask for help on [our Discourse Forum](https://discourse.nixos.org/), [our Matrix room](https://matrix.to/#/#nix:nixos.org), or on the [#nixos IRC channel](https://web.libera.chat/#nixos).

3
.github/stale.yml vendored
@ -5,6 +5,5 @@ exemptLabels:
- "1.severity: security"
- "2.status: never-stale"
staleLabel: "2.status: stale"
markComment: |
I marked this as stale due to inactivity. → [More info](https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md)
markComment: false
closeComment: false
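Review bot: with `markComment: false` the bot now applies the `2.status: stale` label without posting anything, so the link to STALE-BOT.md that the old `markComment` text carried is no longer shown to the contributor. If the silence is intended, put the pointer somewhere contributors will still see it, for example in the label's description, otherwise the label arrives with no explanation of how to clear it.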

@ -97,6 +97,12 @@ git push origin $(git branch --show-current) --force-with-lease
Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
You can add a label such as `backport release-22.05` to a PR, so that merging it will
automatically create a backport (via [a GitHub Action](.github/workflows/backport.yml)).
This also works for PR's that have already been merged, and might take a couple of minutes to trigger.
You can also create the backport manually:
1. Take note of the commits in which the change was introduced into `master` branch.
2. Check out the target _release branch_, e.g. `release-21.11`. Do not use a _channel branch_ like `nixos-21.11` or `nixpkgs-21.11-darwin`.
3. Create a branch for your change, e.g. `git checkout -b backport`.
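Review bot: the added paragraph uses `backport release-22.05` as the example label, but step 2 of the manual procedure right below it still names `release-21.11`, `nixos-21.11` and `nixpkgs-21.11-darwin`. Use the same release in both places so that a reader copying the example does not end up on the older branch. "PR's" should also be "PRs".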
@ -113,17 +119,15 @@ Anything that does not cause user or downstream dependency regressions can be ba
- Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
- Security critical applications (E.g. `firefox`)
## Generating 22.05 Release Notes
(This section also applies to backporting 21.11 release notes: substitute "rl-2205" for "rl-2111".)
## Generating 22.11 Release Notes
Documentation in nixpkgs is transitioning to a markdown-centric workflow. Release notes now require a translation step to convert from markdown to a compatible docbook document.
Steps for updating 22.05 Release notes:
Steps for updating 22.11 Release notes:
1. Edit `nixos/doc/manual/release-notes/rl-2205.section.md` with the desired changes
2. Run `./nixos/doc/manual/md-to-db.sh` to render `nixos/doc/manual/from_md/release-notes/rl-2205.section.xml`
3. Include changes to `rl-2205.section.md` and `rl-2205.section.xml` in the same commit.
1. Edit `nixos/doc/manual/release-notes/rl-2211.section.md` with the desired changes
2. Run `./nixos/doc/manual/md-to-db.sh` to render `nixos/doc/manual/from_md/release-notes/rl-2211.section.xml`
3. Include changes to `rl-2211.section.md` and `rl-2211.section.xml` in the same commit.
## Reviewing contributions
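Review bot: the section is retitled for 22.11, but the 22.11 text has no counterpart to the parenthetical about backporting (the one telling the reader which `rl-` file name to substitute), while the PR template changed in this same commit still links to this section for "backporting 22.05 Release notes". Add an updated line saying that backports to 22.05 edit `rl-2205.section.md` instead.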

@ -51,9 +51,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
system, [Hydra](https://hydra.nixos.org/).
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for the NixOS 21.11 release](https://hydra.nixos.org/jobset/nixos/release-21.11)
* [Continuous package builds for the NixOS 22.05 release](https://hydra.nixos.org/jobset/nixos/release-22.05)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for the NixOS 21.11 release](https://hydra.nixos.org/job/nixos/release-21.11/tested#tabs-constituents)
* [Tests for the NixOS 22.05 release](https://hydra.nixos.org/job/nixos/release-22.05/tested#tabs-constituents)
Artifacts successfully built with Hydra are published to cache at
https://cache.nixos.org/. When successful build and test criteria are

@ -30,6 +30,10 @@ The `wrapFirefox` function allows to pass policies, preferences and extensions t
ExtensionRecommendations = false;
SkipOnboarding = true;
};
SecurityDevices = {
# Use a proxy module rather than `nixpkgs.config.firefox.smartcardSupport = true`
"PKCS#11 Proxy Module" = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
};
};
extraPrefs = ''
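Review bot: the comment above the `"PKCS#11 Proxy Module"` entry says to prefer the proxy over `nixpkgs.config.firefox.smartcardSupport = true` but gives no reason and does not say what the proxy exposes. `p11-kit-proxy.so` makes every PKCS#11 module registered with p11-kit reachable from the browser, so the example should state that the set of tokens Firefox can use is then governed by the p11-kit configuration, and what the user needs to have configured there for a token to show up.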

@ -29,14 +29,19 @@ The recommended way of defining a derivation for a Coq library, is to use the `c
* `releaseRev` (optional, defaults to `(v: v)`), provides a default mapping from release names to revision hashes/branch names/tags,
* `displayVersion` (optional), provides a way to alter the computation of `name` from `pname`, by explaining how to display version numbers,
* `namePrefix` (optional, defaults to `[ "coq" ]`), provides a way to alter the computation of `name` from `pname`, by explaining which dependencies must occur in `name`,
* `extraNativeBuildInputs` (optional), by default `nativeBuildInputs` just contains `coq`, this allows to add more native build inputs, `nativeBuildInputs` are executables and `buildInputs` are libraries and dependencies,
* `extraBuildInputs` (optional), this allows to add more build inputs,
* `mlPlugin` (optional, defaults to `false`). Some extensions (plugins) might require OCaml and sometimes other OCaml packages. Standard dependencies can be added by setting the current option to `true`. For a finer grain control, the `coq.ocamlPackages` attribute can be used in `extraBuildInputs` to depend on the same package set Coq was built against.
* `useDune2ifVersion` (optional, default to `(x: false)` uses Dune2 to build the package if the provided predicate evaluates to true on the version, e.g. `useDune2if = versions.isGe "1.1"` will use dune if the version of the package is greater or equal to `"1.1"`,
* `nativeBuildInputs` (optional), is a list of executables that are required to build the current derivation, in addition to the default ones (namely `which`, `dune` and `ocaml` depending on whether `useDune2`, `useDune2ifVersion` and `mlPlugin` are set).
* `extraNativeBuildInputs` (optional, deprecated), an additional list of derivation to add to `nativeBuildInputs`,
* `overrideNativeBuildInputs` (optional) replaces the default list of derivation to which `nativeBuildInputs` and `extraNativeBuildInputs` adds extra elements,
* `buildInputs` (optional), is a list of libraries and dependencies that are required to build and run the current derivation, in addition to the default one `[ coq ]`,
* `extraBuildInputs` (optional, deprecated), an additional list of derivation to add to `buildInputs`,
* `overrideBuildInputs` (optional) replaces the default list of derivation to which `buildInputs` and `extraBuildInputs` adds extras elements,
* `propagatedBuildInputs` (optional) is passed as is to `mkDerivation`, we recommend to use this for Coq libraries and Coq plugin dependencies, as this makes sure the paths of the compiled libraries and plugins will always be added to the build environements of subsequent derivation, which is necessary for Coq packages to work correctly,
* `mlPlugin` (optional, defaults to `false`). Some extensions (plugins) might require OCaml and sometimes other OCaml packages. Standard dependencies can be added by setting the current option to `true`. For a finer grain control, the `coq.ocamlPackages` attribute can be used in `nativeBuildInputs`, `buildInputs`, and `propagatedBuildInputs` to depend on the same package set Coq was built against.
* `useDune2ifVersion` (optional, default to `(x: false)` uses Dune2 to build the package if the provided predicate evaluates to true on the version, e.g. `useDune2ifVersion = versions.isGe "1.1"` will use dune if the version of the package is greater or equal to `"1.1"`,
* `useDune2` (optional, defaults to `false`) uses Dune2 to build the package if set to true, the presence of this attribute overrides the behavior of the previous one.
* `opam-name` (optional, defaults to concatenating with a dash separator the components of `namePrefix` and `pname`), name of the Dune package to build.
* `enableParallelBuilding` (optional, defaults to `true`), since it is activated by default, we provide a way to disable it.
* `extraInstallFlags` (optional), allows to extend `installFlags` which initializes the variable `COQMF_COQLIB` so as to install in the proper subdirectory. Indeed Coq libraries should be installed in `$(out)/lib/coq/${coq.coq-version}/user-contrib/`. Such directories are automatically added to the `$COQPATH` environment variable by the hook defined in the Coq derivation.
* `extraInstallFlags` (optional), allows to extend `installFlags` which initializes the variables `DESTDIR` and `COQMF_COQLIB` so as to install in the proper subdirectory. Indeed Coq libraries should be installed in `$(out)/lib/coq/${coq.coq-version}/user-contrib/`. Such directories are automatically added to the `$COQPATH` environment variable by the hook defined in the Coq derivation.
* `setCOQBIN` (optional, defaults to `true`), by default, the environment variable `$COQBIN` is set to the current Coq's binary, but one can disable this behavior by setting it to `false`,
* `useMelquiondRemake` (optional, default to `null`) is an attribute set, which, if given, overloads the `preConfigurePhases`, `configureFlags`, `buildPhase`, and `installPhase` attributes of the derivation for a specific use in libraries using `remake` as set up by Guillaume Melquiond for `flocq`, `gappalib`, `interval`, and `coquelicot` (see the corresponding derivation for concrete examples of use of this option). For backward compatibility, the attribute `useMelquiondRemake.logpath` must be set to the logical root of the library (otherwise, one can pass `useMelquiondRemake = {}` to activate this without backward compatibility).
* `dropAttrs`, `keepAttrs`, `dropDerivationAttrs` are all optional and allow to tune which attribute is added or removed from the final call to `mkDerivation`.
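Review bot: in the `useDune2ifVersion` entry the parenthesis opened at "(optional, default to `(x: false)`" is never closed, so the qualifier runs into the description; close it right after `(x: false)`. In the new entries, "environements" should be "environments", "adds extras elements" should be "add extra elements", and "list of derivation" should be "list of derivations". The two entries marked deprecated should also name their replacement (`nativeBuildInputs` and `buildInputs`) so that readers know what to migrate to.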

@ -663,6 +663,70 @@ However, this is done in it's own phase, and not dependent on whether `doCheck =
This can also be useful in verifying that the package doesn't assume commonly
present packages (e.g. `setuptools`)
#### Using pythonRelaxDepsHook {#using-pythonrelaxdepshook}
It is common for upstream to specify a range of versions for its package
dependencies. This makes sense, since it ensures that the package will be built
with a subset of packages that is well tested. However, this commonly causes
issues when packaging in Nixpkgs, because the dependencies that this package
may need are too new or old for the package to build correctly. We also cannot
package multiple versions of the same package since this may cause conflicts
in `PYTHONPATH`.
One way to side step this issue is to relax the dependencies. This can be done
by either removing the package version range or by removing the package
declaration entirely. This can be done using the `pythonRelaxDepsHook` hook. For
example, given the following `requirements.txt` file:
```
pkg1<1.0
pkg2
pkg3>=1.0,<=2.0
```
we can do:
```
nativeBuildInputs = [ pythonRelaxDepsHook ];
pythonRelaxDeps = [ "pkg1" "pkg3" ];
pythonRemoveDeps = [ "pkg2" ];
```
which would result in the following `requirements.txt` file:
```
pkg1
pkg3
```
Another option is to pass `true`, that will relax/remove all dependencies, for
example:
```
nativeBuildInputs = [ pythonRelaxDepsHook ];
pythonRelaxDeps = true;
```
which would result in the following `requirements.txt` file:
```
pkg1
pkg2
pkg3
```
In general you should always use `pythonRelaxDeps`, because `pythonRemoveDeps`
will convert build errors in runtime errors. However `pythonRemoveDeps` may
still be useful in exceptional cases, and also to remove dependencies wrongly
declared by upstream (for example, declaring `black` as a runtime dependency
instead of a dev dependency).
Keep in mind that while the examples above are done with `requirements.txt`,
`pythonRelaxDepsHook` works by modifying the resulting wheel file, so it should
work in any of the formats supported by `buildPythonPackage` currently,
with the exception of `other` (see `format` in
[`buildPythonPackage` parameters](#buildpythonpackage-parameters) for more details).
### Develop local package {#develop-local-package}
As a Python developer you're likely aware of [development mode](http://setuptools.readthedocs.io/en/latest/setuptools.html#development-mode)
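Review bot: "pass `true`, that will relax/remove all dependencies" is ambiguous, because the example that follows sets only `pythonRelaxDeps = true` and its result keeps all three packages; either say what `pythonRemoveDeps = true` does or drop "/remove". The section should also say that an upstream bound can encode a real incompatibility, so relaxing is safest when limited to a named list of packages and backed by the package's tests. "will convert build errors in runtime errors" should read "into runtime errors", and the Nix snippets would render better with a `nix` tag on their fences.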
@ -1197,6 +1261,8 @@ are used in `buildPythonPackage`.
to run commands only after venv is first created.
- `wheelUnpackHook` to move a wheel to the correct folder so it can be installed
with the `pipInstallHook`.
- `pythonRelaxDepsHook` will relax Python dependencies restrictions for the package.
See [example usage](#using-pythonrelaxdepshook).
### Development mode {#development-mode}

@ -249,3 +249,31 @@ Unfree package that cannot be redistributed. You can build it yourself, but you
### `lib.licenses.unfreeRedistributableFirmware`, `"unfree-redistributable-firmware"` {#lib.licenses.unfreeredistributablefirmware-unfree-redistributable-firmware}
This package supplies unfree, redistributable firmware. This is a separate value from `unfree-redistributable` because not everybody cares whether firmware is free.
## Source provenance {#sec-meta-sourceProvenance}
The value of a package's `meta.sourceProvenance` attribute specifies the provenance of the package's derivation outputs.
If a package contains elements that are not built from the original source by a nixpkgs derivation, the `meta.sourceProvenance` attribute should be a list containing one or more value from `lib.sourceTypes` defined in [`nixpkgs/lib/source-types.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/source-types.nix).
Adding this information helps users who have needs related to build transparency and supply-chain security to gain some visibility into their installed software or set policy to allow or disallow installation based on source provenance.
The presence of a particular `sourceType` in a package's `meta.sourceProvenance` list indicates that the package contains some components falling into that category, though the *absence* of that `sourceType` does not *guarantee* the absence of that category of `sourceType` in the package's contents. A package with no `meta.sourceProvenance` set implies it has no *known* `sourceType`s other than `fromSource`.
The meaning of the `meta.sourceProvenance` attribute does not depend on the value of the `meta.license` attribute.
### `lib.sourceTypes.fromSource` {#lib.sourceTypes.fromSource}
Package elements which are produced by a nixpkgs derivation which builds them from source code.
### `lib.sourceTypes.binaryNativeCode` {#lib.sourceTypes.binaryNativeCode}
Native code to be executed on the target system's CPU, built by a third party. This includes packages which wrap a downloaded AppImage or Debian package.
### `lib.sourceTypes.binaryFirmware` {#lib.sourceTypes.binaryFirmware}
Code to be executed on a peripheral device or embedded controller, built by a third party.
### `lib.sourceTypes.binaryBytecode` {#lib.sourceTypes.binaryBytecode}
Code to run on a VM interpreter or JIT compiled into bytecode by a third party. This includes packages which download Java `.jar` files from another source.
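Review bot: under `binaryBytecode`, "Code to run on a VM interpreter or JIT compiled into bytecode by a third party" reads as if the JIT produced the bytecode; reword along the lines of "Bytecode compiled by a third party, to be run by a VM interpreter or JIT". In the second paragraph "one or more value" should be "one or more values". Since the text promises that users can "set policy to allow or disallow installation", it should also name the setting that does this or say that none exists yet, and repeat next to it that a package without `meta.sourceProvenance` is simply unannotated, not verified as built from source.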

@ -77,7 +77,7 @@ There is a special handling of the `debug` output, described at [](#stdenv-separ
A commonly adopted convention in `nixpkgs` is that executables provided by the package are contained within its first output. This convention allows the dependent packages to reference the executables provided by packages in a uniform manner. For instance, provided with the knowledge that the `perl` package contains a `perl` executable it can be referenced as `${pkgs.perl}/bin/perl` within a Nix derivation that needs to execute a Perl script.
The `glibc` package is a deliberate single exception to the “binaries first” convention. The `glibc` has `libs` as its first output allowing the libraries provided by `glibc` to be referenced directly (e.g. `${stdenv.glibc}/lib/ld-linux-x86-64.so.2`). The executables provided by `glibc` can be accessed via its `bin` attribute (e.g. `${stdenv.glibc.bin}/bin/ldd`).
The `glibc` package is a deliberate single exception to the “binaries first” convention. The `glibc` has `libs` as its first output allowing the libraries provided by `glibc` to be referenced directly (e.g. `${glibc}/lib/ld-linux-x86-64.so.2`). The executables provided by `glibc` can be accessed via its `bin` attribute (e.g. `${lib.getBin stdenv.cc.libc}/bin/ldd`).
The reason for why `glibc` deviates from the convention is because referencing a library provided by `glibc` is a very common operation among Nix packages. For instance, third-party executables packaged by Nix are typically patched and relinked with the relevant version of `glibc` libraries from Nix packages (please see the documentation on [patchelf](https://github.com/NixOS/patchelf) for more details).
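Review bot: the two examples in the rewritten sentence name the C library differently, `${glibc}/lib/ld-linux-x86-64.so.2` for the loader and `${lib.getBin stdenv.cc.libc}/bin/ldd` for the executable. Use one spelling for both or add a clause explaining why the second goes through `stdenv.cc.libc`. The sentence also still says "via its `bin` attribute" although the example now uses `lib.getBin`.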

@ -36,6 +36,7 @@ let
# constants
licenses = callLibs ./licenses.nix;
sourceTypes = callLibs ./source-types.nix;
systems = callLibs ./systems;
# serialization

@ -507,7 +507,7 @@ rec {
compareLists compare [ "a" ] []
=> 1
compareLists compare [ "a" "b" ] [ "a" "c" ]
=> 1
=> -1
*/
compareLists = cmp: a: b:
if a == []

19
lib/source-types.nix Normal file
@ -0,0 +1,19 @@
{ lib }:
let
defaultSourceType = tname: {
shortName = tname;
isSource = false;
};
in lib.mapAttrs (tname: tset: defaultSourceType tname // tset) {
fromSource = {
isSource = true;
};
binaryNativeCode = {};
binaryBytecode = {};
binaryFirmware = {};
}
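Review bot: the new file carries no comments, although the manual section added in this commit sends readers here for the definitions. Document what `shortName` and `isSource` mean in `defaultSourceType`, and give `binaryNativeCode`, `binaryBytecode` and `binaryFirmware` a one-line description each that matches the manual, so that anyone writing tooling against `isSource` knows what it asserts.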

@ -79,8 +79,6 @@ rec {
useLLVM = true;
};
scaleway-c1 = armv7l-hf-multiplatform // platforms.scaleway-c1;
pogoplug4 = {
config = "armv5tel-unknown-linux-gnueabi";
} // platforms.pogoplug4;

@ -11,7 +11,6 @@ rec {
isi686 = { cpu = cpuTypes.i686; };
isx86_32 = { cpu = { family = "x86"; bits = 32; }; };
isx86_64 = { cpu = { family = "x86"; bits = 64; }; };
isPowerPC = { cpu = cpuTypes.powerpc; };
isPower = { cpu = { family = "power"; }; };
isPower64 = { cpu = { family = "power"; bits = 64; }; };
isx86 = { cpu = { family = "x86"; }; };

@ -242,13 +242,6 @@ rec {
};
};
scaleway-c1 = armv7l-hf-multiplatform // {
gcc = {
cpu = "cortex-a9";
fpu = "vfpv3";
};
};
utilite = {
linux-kernel = {
name = "utilite";

@ -459,6 +459,12 @@
githubId = 20405311;
name = "Aksh Gupta";
};
alapshin = {
email = "alapshin@fastmail.com";
github = "alapshin";
githubId = 321946;
name = "Andrei Lapshin";
};
albakham = {
email = "dev@geber.ga";
github = "albakham";
@ -1164,6 +1170,12 @@
githubId = 706854;
name = "Etienne Laurin";
};
atry = {
name = "Bo Yang";
email = "atry@fb.com";
github = "Atry";
githubId = 601530;
};
attila-lendvai = {
name = "Attila Lendvai";
email = "attila@lendvai.name";
@ -3753,6 +3765,13 @@
githubId = 11006031;
name = "Leo Maroni";
};
emmabastas = {
email = "emma.bastas@protonmail.com";
matrix = "@emmabastas:matrix.org";
github = "emmabastas";
githubId = 22533224;
name = "Emma Bastås";
};
emmanuelrosa = {
email = "emmanuelrosa@protonmail.com";
matrix = "@emmanuelrosa:matrix.org";
@ -4525,6 +4544,12 @@
fingerprint = "0200 3EF8 8D2B CF2D 8F00 FFDC BBB3 E40E 5379 7FD9";
}];
};
GaetanLepage = {
email = "gaetan@glepage.com";
github = "GaetanLepage";
githubId = 33058747;
name = "Gaetan Lepage";
};
gal_bolle = {
email = "florent.becker@ens-lyon.org";
github = "FlorentBecker";
@ -5049,6 +5074,12 @@
githubId = 2405974;
name = "Sébastian Méric de Bellefon";
};
helium = {
email = "helium.dev@tuta.io";
github = "helium18";
githubId = 86223025;
name = "helium";
};
henkkalkwater = {
email = "chris+nixpkgs@netsoj.nl";
github = "HenkKalkwater";
@ -5492,6 +5523,12 @@
githubId = 37965;
name = "Léo Stefanesco";
};
infinidoge = {
name = "Infinidoge";
email = "infinidoge@inx.moe";
github = "Infinidoge";
githubId = 22727114;
};
infinisil = {
email = "contact@infinisil.com";
matrix = "@infinisil:matrix.org";
@ -6662,7 +6699,7 @@
};
khushraj = {
email = "khushraj.rathod@gmail.com";
github = "KhushrajRathod";
github = "khrj";
githubId = 44947946;
name = "Khushraj Rathod";
keys = [{
@ -7876,6 +7913,12 @@
githubId = 65531;
name = "Mario Rodas";
};
marsupialgutz = {
email = "mars@possums.xyz";
github = "marsupialgutz";
githubId = 33522919;
name = "Marshall Arruda";
};
martijnvermaat = {
email = "martijn@vermaat.name";
github = "martijnvermaat";
@ -7958,6 +8001,12 @@
githubId = 19036;
name = "Matthew Bauer";
};
matthiasbenaets = {
email = "matthias.benaets@gmail.com";
github = "MatthiasBenaets";
githubId = 89214559;
name = "Matthias Benaets";
};
matthiasbeyer = {
email = "mail@beyermatthias.de";
matrix = "@musicmatze:beyermatthi.as";
@ -8440,6 +8489,17 @@
fingerprint = "3196 83D3 9A1B 4DE1 3DC2 51FD FEA8 88C9 F5D6 4F62";
}];
};
minion3665 = {
name = "Skyler Grey";
email = "skyler3665@gmail.com";
matrix = "@minion3665:matrix.org";
github = "Minion3665";
githubId = 34243578;
keys = [{
longkeyid = "rsa4096/0x1AFD10256B3C714D";
fingerprint = "D520 AC8D 7C96 9212 5B2B BD3A 1AFD 1025 6B3C 714D";
}];
};
mir06 = {
email = "armin.leuprecht@uni-graz.at";
github = "mir06";
@ -9836,6 +9896,12 @@
githubId = 8641;
name = "Pierre Carrier";
};
pedrohlc = {
email = "root@pedrohlc.com";
github = "PedroHLC";
githubId = 1368952;
name = "Pedro Lara Campos";
};
penguwin = {
email = "penguwin@penguwin.eu";
github = "penguwin";
@ -10151,6 +10217,12 @@
githubId = 10473184;
name = "Jia Xiaodong";
};
polarmutex = {
email = "brian@brianryall.xyz";
github = "polarmutex";
githubId = 115141;
name = "Brian Ryall";
};
polendri = {
email = "paul@ijj.li";
github = "polendri";
@ -11373,7 +11445,7 @@
longkeyid = "rsa2048/0x8E8FF66E2AE8D970";
fingerprint = "30BB FF3F AB0B BB3E 0435 F83C 8E8F F66E 2AE8 D970";
}];
};
};
scode = {
email = "peter.schuller@infidyne.com";
github = "scode";
@ -12835,6 +12907,12 @@
fingerprint = "556A 403F B0A2 D423 F656 3424 8489 B911 F9ED 617B";
}];
};
tljuniper = {
email = "tljuniper1@gmail.com";
github = "tljuniper";
githubId = 48209000;
name = "Anna Gillert";
};
tmarkovski = {
email = "tmarkovski@gmail.com";
github = "tmarkovski";
@ -13992,6 +14070,12 @@
githubId = 7040031;
name = "Yannik Sander";
};
yureien = {
email = "contact@sohamsen.me";
github = "Yureien";
githubId = 17357089;
name = "Soham Sen";
};
yuriaisaka = {
email = "yuri.aisaka+nix@gmail.com";
github = "yuriaisaka";
@ -14635,4 +14719,10 @@
github = "snpschaaf";
githubId = 105843013;
};
jali-clarke = {
email = "jinnah.ali-clarke@outlook.com";
name = "Jinnah Ali-Clarke";
github = "jali-clarke";
githubId = 17733984;
};
}
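Review bot: `jali-clarke` is appended at the very end of the list, after the entry with `github = "snpschaaf"`, while the other entries added in this file sit in alphabetical position (`alapshin` before `albakham`, `atry` before `attila-lendvai`). Move it up to the other `j` entries so the list stays sorted and later additions do not conflict at the tail of the file.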

@ -61,7 +61,7 @@ for bin in $(find $binaryDist -executable -type f) :; do
uniq;
)
if test "$names" = "glibc"; then names="stdenv.glibc"; fi
if test "$names" = "glibc"; then names="glibc"; fi
if echo $names | grep -c "gcc" &> /dev/null; then names="stdenv.cc.cc"; fi
if test $lib != $libPath; then
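Review bot: the replacement line `if test "$names" = "glibc"; then names="glibc"; fi` assigns the value the variable already holds, so it does nothing. Delete the line instead of keeping a no-op, and leave only the `gcc` mapping that follows it.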

@ -355,6 +355,16 @@ with lib.maintainers; {
shortName = "Linux Kernel";
};
lumiguide = {
# Verify additions by approval of an already existing member of the team.
members = [
roelvandijk
lucus16
];
scope = "Group registration for LumiGuide employees who collectively maintain packages.";
shortName = "Lumiguide employees";
};
lumina = {
members = [
romildo
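Review bot: the team name is spelled "LumiGuide" in `scope` and "Lumiguide" in `shortName`; use one capitalisation. The comment "Verify additions by approval of an already existing member of the team" is the only control on membership, so it should say where that approval is expected to be recorded, for example on the pull request that adds the member.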

@ -308,6 +308,10 @@ The option set can be defined directly
([Example: Directly defined submodule](#ex-submodule-direct)) or as reference
([Example: Submodule defined as a reference](#ex-submodule-reference)).
Note that even if your submodules options all have a default value,
you will still need to provide a default value (e.g. an empty attribute set)
if you want to allow users to leave it undefined.
::: {#ex-submodule-direct .example}
::: {.title}
**Example: Directly defined submodule**
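Review bot: in the added note, "your submodules options" should be "your submodule's options". The note would also be easier to act on if it showed the concrete form, `default = {};` on the option that holds the submodule.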

@ -332,6 +332,19 @@ repository):
'';
```
Similarly, the type checking of test scripts can be disabled in the following
way:
```nix
import ./make-test-python.nix {
skipTypeCheck = true;
nodes.machine =
{ config, pkgs, ... }:
{ configuration…
};
}
```
## Failing tests early {#ssec-failing-tests-early}
To fail tests early when certain invariables are no longer met (instead of waiting for the build to time out), the decorator `polling_condition` is provided. For example, if we are testing a program `foo` that should not quit after being started, we might write the following:

@ -617,6 +617,12 @@
(<link linkend="ex-submodule-reference">Example: Submodule defined
as a reference</link>).
</para>
<para>
Note that even if your submodules options all have a default
value, you will still need to provide a default value (e.g. an
empty attribute set) if you want to allow users to leave it
undefined.
</para>
<anchor xml:id="ex-submodule-direct" />
<para>
<emphasis role="strong">Example: Directly defined

@ -589,6 +589,19 @@ import ./make-test-python.nix {
Python code…
# fmt: on
'';
</programlisting>
<para>
Similarly, the type checking of test scripts can be disabled in
the following way:
</para>
<programlisting language="bash">
import ./make-test-python.nix {
skipTypeCheck = true;
nodes.machine =
{ config, pkgs, ... }:
{ configuration…
};
}
</programlisting>
</section>
<section xml:id="ssec-failing-tests-early">

@ -12,7 +12,7 @@
<listitem>
<para>
<emphasis>Stable channels</emphasis>, such as
<link xlink:href="https://nixos.org/channels/nixos-21.11"><literal>nixos-21.11</literal></link>.
<link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.05</literal></link>.
These only get conservative bug fixes and package upgrades. For
instance, a channel update may cause the Linux kernel on your
system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix),
@ -33,7 +33,7 @@
<listitem>
<para>
<emphasis>Small channels</emphasis>, such as
<link xlink:href="https://nixos.org/channels/nixos-21.11-small"><literal>nixos-21.11-small</literal></link>
<link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.05-small</literal></link>
or
<link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>.
These are identical to the stable and unstable channels
@ -60,8 +60,8 @@
<para>
When you first install NixOS, youre automatically subscribed to the
NixOS channel that corresponds to your installation source. For
instance, if you installed from a 21.11 ISO, you will be subscribed
to the <literal>nixos-21.11</literal> channel. To see which NixOS
instance, if you installed from a 22.05 ISO, you will be subscribed
to the <literal>nixos-22.05</literal> channel. To see which NixOS
channel youre subscribed to, run the following as root:
</para>
<programlisting>
@ -76,17 +76,17 @@ nixos https://nixos.org/channels/nixos-unstable
</programlisting>
<para>
(Be sure to include the <literal>nixos</literal> parameter at the
end.) For instance, to use the NixOS 21.11 stable channel:
end.) For instance, to use the NixOS 22.05 stable channel:
</para>
<programlisting>
# nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
</programlisting>
<para>
If you have a server, you may want to use the <quote>small</quote>
channel instead:
</para>
<programlisting>
# nix-channel --add https://nixos.org/channels/nixos-21.11-small nixos
# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
</programlisting>
<para>
And if you want to live on the bleeding edge:
@ -146,7 +146,7 @@ system.autoUpgrade.allowReboot = true;
also specify a channel explicitly, e.g.
</para>
<programlisting language="bash">
system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.11;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
</programlisting>
</section>
</chapter>
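Review bot: `system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;` relies on Nix's unquoted URL literal syntax, which is deprecated. Since the line is being touched anyway, write the value as a string, `"https://nixos.org/channels/nixos-22.05"`, here and in the Markdown version of the same page.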

File diff suppressed because it is too large

@ -43,15 +43,16 @@
<itemizedlist spacing="compact">
<listitem>
<para>
Please remove this line when you add the first item since
docbook requires the section to be non-empty
<link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
Nix based app VMs. Available as
<link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-incompatibilities">
<title>Backward Incompatibilities</title>
<itemizedlist spacing="compact">
<itemizedlist>
<listitem>
<para>
The <literal>isCompatible</literal> predicate checking CPU
@ -69,6 +70,21 @@
compatible</emphasis>.
</para>
</listitem>
<listitem>
<para>
The <literal>isPowerPC</literal> predicate, found on
<literal>platform</literal> attrsets
(<literal>hostPlatform</literal>,
<literal>buildPlatform</literal>,
<literal>targetPlatform</literal>, etc) has been removed in
order to reduce confusion. The predicate was was defined such
that it matches only the 32-bit big-endian members of the
POWER/PowerPC family, despite having a name which would imply
a broader set of systems. If you were using this predicate,
you can replace <literal>foo.isPowerPC</literal> with
<literal>(with foo; isPower &amp;&amp; is32bit &amp;&amp; isBigEndian)</literal>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-notable-changes">
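Review bot: the new `isPowerPC` item contains a doubled word, "The predicate was was defined", and "etc)" is missing its full stop. Fix both in the Markdown release notes and re-render this file so the two stay in sync.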
@ -76,8 +92,21 @@
<itemizedlist spacing="compact">
<listitem>
<para>
Please remove this line when you add the first item since
docbook requires the section to be non-empty
A new module was added for the Saleae Logic device family,
providing the options
<literal>hardware.saleae-logic.enable</literal> and
<literal>hardware.saleae-logic.package</literal>.
</para>
</listitem>
<listitem>
<para>
Matrix Synapse now requires entries in the
<literal>state_group_edges</literal> table to be unique, in
order to prevent accidentally introducing duplicate
information (for example, because a database backup was
restored multiple times). If your Synapse database already has
duplicate rows in this table, this could fail with an error
and require manual remediation.
</para>
</listitem>
</itemizedlist>
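Review bot: the Matrix Synapse item says "this could fail with an error" without naming what fails (the upgrade, a database migration or the service start) or how to check for duplicate rows beforehand. Name the failing step and link to the upstream instructions for cleaning up `state_group_edges`, so that operators can check their database before upgrading.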

@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
automatically from NixOS's Git repository after certain tests have
passed and all packages have been built. These channels are:
- *Stable channels*, such as [`nixos-21.11`](https://nixos.org/channels/nixos-21.11).
- *Stable channels*, such as [`nixos-22.05`](https://nixos.org/channels/nixos-22.05).
These only get conservative bug fixes and package upgrades. For
instance, a channel update may cause the Linux kernel on your system
to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@ -19,7 +19,7 @@ passed and all packages have been built. These channels are:
radical changes between channel updates. It's not recommended for
production systems.
- *Small channels*, such as [`nixos-21.11-small`](https://nixos.org/channels/nixos-21.11-small)
- *Small channels*, such as [`nixos-22.05-small`](https://nixos.org/channels/nixos-22.05-small)
or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small).
These are identical to the stable and unstable channels described above,
except that they contain fewer binary packages. This means they get updated
@ -38,8 +38,8 @@ newest supported stable release.
When you first install NixOS, you're automatically subscribed to the
NixOS channel that corresponds to your installation source. For
instance, if you installed from a 21.11 ISO, you will be subscribed to
the `nixos-21.11` channel. To see which NixOS channel you're subscribed
instance, if you installed from a 22.05 ISO, you will be subscribed to
the `nixos-22.05` channel. To see which NixOS channel you're subscribed
to, run the following as root:
```ShellSession
@ -54,16 +54,16 @@ To switch to a different NixOS channel, do
```
(Be sure to include the `nixos` parameter at the end.) For instance, to
use the NixOS 21.11 stable channel:
use the NixOS 22.05 stable channel:
```ShellSession
# nix-channel --add https://nixos.org/channels/nixos-21.11 nixos
# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
```
If you have a server, you may want to use the "small" channel instead:
```ShellSession
# nix-channel --add https://nixos.org/channels/nixos-21.11-small nixos
# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
```
And if you want to live on the bleeding edge:
@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel
modules. You can also specify a channel explicitly, e.g.
```nix
system.autoUpgrade.channel = https://nixos.org/channels/nixos-21.11;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
```
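Review bot: The changed `system.autoUpgrade.channel` line still assigns a bare URL literal. Unquoted URL literals are deprecated in Nix, and since the line is being touched anyway it should become a string: `system.autoUpgrade.channel = "https://nixos.org/channels/nixos-22.05";`.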

View file

@ -1,4 +1,4 @@
# Release 22.05 (“Quokka”, 2022.05/??) {#sec-release-22.05}
# Release 22.05 (“Quokka”, 2022.05/30) {#sec-release-22.05}
- Support is planned until the end of December 2022, handing over to 22.11.
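Review bot: The release date in the new heading, `2022.05/30`, mixes `.` and `/` as separators. Use one separator throughout, for example `2022/05/30`.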
@ -6,144 +6,170 @@
In addition to numerous new and upgraded packages, this release has the following highlights:
- The `firefox` browser on `x86_64-linux` is now making use of
profile-guided optimization resulting in a much more responsive
browsing experience.
- Nix has been updated from 2.3 to 2.8. This mainly brings experimental support
for Flakes, but also marks the `nix` command as experimental which now has to
be enabled via the configuration explicitly. For more information and
instructions for upgrades, see the
relase notes for [nix-2.4](https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html),
[nix-2.5](https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html),
[nix-2.6](https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html),
[nix-2.7](https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html) and
[nix-2.8](https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html)
- `security.acme.defaults` has been added to simplify configuring
settings for many certificates at once. This also opens up the
the option to use DNS-01 validation when using `enableACME` on
web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`).
- The `firefox` browser on `x86_64-linux` now makes use of profile-guided
optimisation, resulting in a much more responsive browsing experience.
- GNOME has been upgraded to 42. Please take a look at their [Release Notes](https://release.gnome.org/42/) for details. Notably, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly Kings Cross), and GNOME Screenshot with a tool built into the Shell.
- GNOME has been upgraded to 42. Please take a look at their [Release
Notes](https://release.gnome.org/42/) for details. In particular, it replaces
gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly
King's Cross) and GNOME Screenshot by a tool integrated into the Shell.
- `stdenv.mkDerivation` now supports a self-referencing `finalAttrs:` parameter
containing the final `mkDerivation` arguments including overrides.
`drv.overrideAttrs` now supports two parameters `finalAttrs: previousAttrs:`.
This allows packaging configuration to be overridden in a consistent manner by
providing an alternative to `rec {}` syntax.
Additionally, `passthru` can now reference `finalAttrs.finalPackage` containing
the final package, including attributes such as the output paths and
`overrideAttrs`.
New language integrations can be simplified by overriding a "prototype"
package containing the language-specific logic. This removes the need for a
extra layer of overriding for the "generic builder" arguments, thus removing a
usability problem and source of error.
- PHP 8.1 is now available
- Mattermost has been updated to extended support release 6.3, as the previously packaged extended support release 5.37 is [reaching its end of life](https://docs.mattermost.com/upgrade/extended-support-release.html).
Migrations may take a while, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release)
and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html).
- PHP 8.1 is now available.
- systemd services can now set [systemd.services.\<name\>.reloadTriggers](#opt-systemd.services) instead of `reloadIfChanged` for a more granular distinction between reloads and restarts.
- Systemd has been upgraded to the version 250.
- Pulseaudio has been upgraded to version 15.0 and now optionally [supports additional Bluetooth audio codecs](https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters) like aptX or LDAC, with codec switching support being available in `pavucontrol`. This feature is disabled by default but can be enabled by using `hardware.pulseaudio.package = pkgs.pulseaudioFull;`.
Existing 3rd party modules that provided similar functionality, like `pulseaudio-modules-bt` or `pulseaudio-hsphfpd` are deprecated and have been removed.
- Pulseaudio has been updated to version 15.0 and now optionally
[supports additional Bluetooth audio codecs](https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters)
such as aptX or LDAC, with codec switching available in `pavucontrol`. This
feature is disabled by default, but can be enabled with the option
`hardware.pulseaudio.package = pkgs.pulseaudioFull;`. Existing third-party
modules that offered similar functions, such as `pulseaudio-modules-bt` or
`pulseaudio-hsphfpd`, are obsolete and have been removed.
- PostgreSQL now defaults to major version 14.
- The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks.
- [`kops`](https://kops.sigs.k8s.io) defaults to 1.23.2, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for `spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS` has changed from `true` to `false`. Cilium now has `disable-cnp-status-updates: true` by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the [1.22 release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) and [1.23 release notes](https://kops.sigs.k8s.io/releases/1.23-notes/) for more details, including other significant changes.
- Module authors can use `mkRenamedOptionModuleWith` to automate the deprecation cycle without annoying out-of-tree module authors and their users.
- The default GHC version has been updated from 8.10.7 to 9.0.2. `pkgs.haskellPackages` and `pkgs.ghc` will now use this version by default.
- The GNOME and Plasma installation CDs now use `pkgs.calamares` and `pkgs.calamares-nixos-extensions` to allow users to easily install and set up NixOS with a GUI.
- `security.acme.defaults` has been added to simplify the configuration of
settings for many certificates at once. This also opens up the option to use
DNS-01 validation when using `enableACME` web server virtual hosts (e.g.
`services.nginx.virtualHosts.*.enableACME`).
## New Services {#sec-release-22.05-new-services}
- [1password](https://1password.com/), command-lines and graphic interface for 1Password. Available as [programs._1password](#opt-programs._1password.enable) and [programs._1password-gui](#opt-programs._1password.enable).
- [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable).
- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable).
- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable).
- [nethoscope](https://github.com/vvilhonen/nethoscope), listen to your network traffic. Available as [programs.nethoscope](#opt-programs.nethoscope.enable).
- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).
- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](#opt-services.agate.enable).
- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS).
- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as [services.frr](#opt-services.frr.babel.enable)
- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](#opt-services.archisteamfarm.enable).
- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable).
- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable).
- [snowflake-proxy](https://snowflake.torproject.org/), a system to defeat internet censorship. Available as [services.snowflake-proxy](options.html#opt-services.snowflake-proxy.enable).
- [bird-lg](https://github.com/xddxdd/bird-lg-go), a BGP looking glass for Bird Routing. Available as [services.bird-lg](#opt-services.bird-lg.package).
- [r53-ddns](https://github.com/fleaz/r53-ddns), a small tool to run your own DDNS service via AWS Route53. Available as [services.r53-ddns](options.html#opt-services.r53-ddns.enable).
- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features. Available as [services.blocky](#opt-services.blocky.enable).
- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](options.html#opt-services.ergochat.enable).
- [cloudflare-dyndns](https://github.com/kissgyorgy/cloudflare-dyndns), CloudFlare Dynamic DNS client. Available as [services.cloudflare-dyndns](#opt-services.cloudflare-dyndns.enable).
- [Snipe-IT](https://snipeitapp.com), a free open source IT asset/license management system. Available as [services.snipe-it](options.html#opt-services.snipe-it.enable).
- [Corosync](https://corosync.github.io/corosync/) and [Pacemaker](https://clusterlabs.org/pacemaker/), A open-source high availability resource manager. Available as [services.corosync](#opt-services.corosync.enable) and [services.pacemaker](#opt-services.pacemaker.enable).
- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable).
- [create_ap](https://github.com/lakinduakash/linux-wifi-hotspot), a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as [services.create_ap](#opt-services.create_ap.enable).
- [pgadmin4](https://github.com/postgres/pgadmin4), an admin interface for the PostgreSQL database. Available at [services.pgadmin](options.html#opt-services.pgadmin.enable).
- [Envoy](https://www.envoyproxy.io/), a high-performance reverse proxy. Available as [services.envoy](#opt-services.envoy.enable).
- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](options.html#opt-services.input-remapper.enable).
- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](#opt-services.ergochat.enable).
- [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](options.html#opt-services.invoiceplane.enable).
- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative spreadsheet. Available as [services.ethercalc](#opt-services.ethercalc.enable).
- [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable).
- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).
- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](options.html#opt-programs.k4-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device.
- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as [services.frr](#opt-services.frr.babel.enable).
- [mozillavpn](https://github.com/mozilla-mobile/mozilla-vpn-client), the client for the [Mozilla VPN](https://vpn.mozilla.org/) service. Available as [services.mozillavpn](options.html#opt-services.mozillavpn).
- [Grafana Mimir](https://grafana.com/oss/mimir/), an open source, horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus. Available as [services.mimir](#opt-services.mimir.enable).
- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable).
- [Haste](https://hastebin.com/about.md), a pastebin written in node.js. Available as [services.haste](#opt-services.haste-server.enable).
- [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](options.html#opt-services.prometheus.exporters.pve).
- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](#opt-services.headscale.enable).
- [netbox](https://github.com/netbox-community/netbox), infrastructure resource modeling (IRM) tool. Available as [services.netbox](options.html#opt-services.netbox.enable).
- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](#opt-services.heisenbridge.enable).
- [https-dns-proxy](https://github.com/aarond10/https_dns_proxy), DNS to DNS over HTTPS (DoH) proxy. Available as [services.https-dns-proxy](#opt-services.https-dns-proxy.enable).
- [input-remapper](https://github.com/sezanzeb/input-remapper), an easy to use tool to change the mapping of your input device buttons. Available at [services.input-remapper](#opt-services.input-remapper.enable).
- [InvoicePlane](https://invoiceplane.com), web application for managing and creating invoices. Available at [services.invoiceplane](#opt-services.invoiceplane.sites._name_.enable).
- [k3b](https://userbase.kde.org/K3b), the KDE disk burning application. Available as [programs.k3b](#opt-programs.k3b.enable).
- [K40-Whisperer](https://www.scorchworks.com/K40whisperer/k40whisperer.html), a program to control cheap Chinese laser cutters. Available as [programs.k40-whisperer.enable](#opt-programs.k40-whisperer.enable). Users must add themselves to the `k40` group to be able to access the device.
- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust. Available as [services.kanidm](#opt-services.kanidm.enableServer)
- [Maddy](https://maddy.email/), a free an open source mail server. Availabe as [services.maddy](#opt-services.maddy.enable).
- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable).
- [Moosefs](https://moosefs.com), fault tolerant petabyte distributed file system. Available as [moosefs](#opt-services.moosefs.master.enable).
- [mozillavpn](https://github.com/mozilla-mobile/mozilla-vpn-client), the client for the [Mozilla VPN](https://vpn.mozilla.org/) service. Available as [services.mozillavpn](#opt-services.mozillavpn.enable).
- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](#opt-services.mtr-exporter.enable).
- [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](#opt-services.nbd.server.enable).
- [netbox](https://github.com/netbox-community/netbox), infrastructure resource modeling (IRM) tool. Available as [services.netbox](#opt-services.netbox.enable).
- [nethoscope](https://github.com/vvilhonen/nethoscope), listen to your network traffic. Available as [programs.nethoscope](#opt-programs.nethoscope.enable).
- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](#opt-services.nifi.enable).
- [nix-ld](https://github.com/Mic92/nix-ld), Run unpatched dynamic binaries on NixOS. Available as [programs.nix-ld](#opt-programs.nix-ld.enable).
- [NNCP](http://www.nncpgo.org), NNCP (Node to Node copy) utilities and configuration, Available as [programs.nncp](#opt-programs.nncp.enable).
- [pgadmin4](https://github.com/postgres/pgadmin4), an admin interface for the PostgreSQL database. Available at [services.pgadmin](#opt-services.pgadmin.enable).
- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](#opt-services.powerdns-admin.enable).
- [prometheus-pve-exporter](https://github.com/prometheus-pve/prometheus-pve-exporter), a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as [services.prometheus.exporters.pve](#opt-services.prometheus.exporters.pve.enable).
- [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable).
- [Public Inbox](https://public-inbox.org), an "archives first" approach to mailing lists. Available as [services.public-inbox](#opt-services.public-inbox.enable).
- [r53-ddns](https://github.com/fleaz/r53-ddns), a small tool to run your own DDNS service via AWS Route53. Available as [services.r53-ddns](#opt-services.r53-ddns.enable).
- [rmfakecloud](https://ddvk.github.io/rmfakecloud/), a clone of the cloud sync the remarkable tablet. Available as [services.rmfakecloud](#opt-services.rmfakecloud.enable).
- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](#opt-virtualisation.docker.rootless.enable).
- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](#opt-services.rstudio-server.enable).
- [rtsp-simple-server](https://github.com/aler9/rtsp-simple-server), ready-to-use RTSP / RTMP / HLS server and proxy that allows to read, publish and proxy video and audio streams. Available as [services.rtsp-simple-server](#opt-services.rtsp-simple-server.enable).
- [Snipe-IT](https://snipeitapp.com), a free open source IT asset/license management system. Available as [services.snipe-it](#opt-services.snipe-it.enable).
- [snowflake-proxy](https://snowflake.torproject.org/), a system to defeat internet censorship. Available as [services.snowflake-proxy](#opt-services.snowflake-proxy.enable).
- [sslmate-agent](https://sslmate.com/), a daemon for managing SSL/TLS certificates on a server. Available as [services.sslmate-agent](services.sslmate-agent.enable).
- [starship](https://starship.rs), a minimal, blazing-fast, and infinitely customizable prompt for any shell. Available at [programs.startship](#opt-programs.starship.enable).
- [systembus-notify](https://github.com/rfjakob/systembus-notify), allow system level notifications to reach the users. Available as [services.systembus-notify](opt-services.systembus-notify.enable). Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications.
- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).
- [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable).
- [uptermd](https://upterm.dev), an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at [services.uptermd](#opt-services.uptermd.enable).
- [agate](https://github.com/mbrubeck/agate), a very simple server for the Gemini hypertext protocol. Available as [services.agate](options.html#opt-services.agate.enable).
- [usbrelayd](https://github.com/darrylb123/usbrelay), an USB Relay MQTT daemon. Available as [services.usbrelayd](#opt-services.usbrelayd.enable).
- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).
- [webdav-server-rs](https://github.com/miquels/webdav-server-rs), Webdav server in rust. Available as [services.webdav-server-rs](#opt-services.webdav-server-rs.enable).
- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).
- [wg-netmanager](https://github.com/gin66/wg_netmanager), the Wireguard network manager. Available as [services.wg-netmanager](#opt-services.wg-netmanager.enable).
- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable).
- [moosefs](https://moosefs.com), fault tolerant petabyte distributed file system.
Available as [moosefs](#opt-services.moosefs.client.enable).
- [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable).
- [systembus-notify](https://github.com/rfjakob/systembus-notify), allow system level notifications to reach the users. Available as [services.systembus-notify](opt-services.systembus-notify.enable). Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications.
- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative
spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable).
- [nbd](https://nbd.sourceforge.io/), a Network Block Device server. Available as [services.nbd](options.html#opt-services.nbd.server.enable).
- [nix-ld](https://github.com/Mic92/nix-ld), Run unpatched dynamic binaries on NixOS. Available as [programs.nix-ld](options.html#opt-programs.nix-ld.enable).
- [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable).
- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable).
- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable)
- [create_ap](https://github.com/lakinduakash/linux-wifi-hotspot), a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as [services.create_ap](options.html#opt-services.create_ap.enable).
- [blocky](https://0xerr0r.github.io/blocky/), fast and lightweight DNS proxy as ad-blocker for local network with many features.
- [pacemaker](https://clusterlabs.org/pacemaker/) cluster resource manager
- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable).
- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust.
- [Zammad](https://zammad.org/), a web-based, open source user support/ticketing solution. Available as [services.zammad](#opt-services.zammad.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
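Review bot: Several option links in the re-sorted New Services list will not resolve. `[services.sslmate-agent](services.sslmate-agent.enable)` lacks the `#opt-` prefix, `[services.systembus-notify](opt-services.systembus-notify.enable)` lacks the leading `#`, and the `matrix-conduit` entry still points at `option.html#opt-services.matrix-conduit.enable` while the other entries were moved to bare `#opt-…` anchors. There are also typos to fix in the same pass: `programs.startship` in the link text for Starship, "Availabe" and "a free an open source" in the Maddy entry, "relase notes" in the Nix highlight, and a missing full stop after the kanidm link.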
@ -169,7 +195,7 @@ In addition to numerous new and upgraded packages, this release has the followin
- The update of the haskell package set brings with it a new version of the `xmonad`
module, which will break your configuration if you use `launch` as entrypoint. The
example code the corresponding nixos module was adjusted, you way want to have a look at it.
example code the corresponding nixos module was adjusted, you may want to have a look at it.
- The `home-assistant` module now requires users that don't want their
configuration to be managed declaratively to set
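Review bot: The corrected sentence still reads "The example code the corresponding nixos module was adjusted", which is missing a preposition and joins two clauses with a comma. Suggest "The example code in the corresponding NixOS module was adjusted; you may want to have a look at it."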
@ -250,6 +276,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `openldap` (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database `slapcat -n 1` in LDIF format, and reimport it after updating your `services.openldap.settings`, which represents your `cn=config`.
Additionally with 2.5 the argon2 module was included in the standard distrubtion and renamed from `pw-argon2` to `argon2`. Remember to update your `olcModuleLoad` entry in `cn=config`.
- `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface.
- `git` no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your enviroment consider adding `openssh` to it or switching to `gitFull`.
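Review bot: The added `openssh` entry has a typo ("has been update to 8.9p1") and says the FIDO security key middleware interface changed without stating the consequence for users. Say who is affected, for example anyone relying on a third-party middleware library built against the old interface, and what they need to do after the upgrade.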
@ -368,13 +396,13 @@ In addition to numerous new and upgraded packages, this release has the followin
};
extraConfigFiles = [
/run/keys/matrix-synapse/secrets.yaml
"/run/keys/matrix-synapse/secrets.yaml"
];
};
}
```
The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`.
The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. The filename must be quoted to prevent nix from copying it to the (world readable) store.
Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. For the same reason, the default
`media_store_path` was changed from `${dataDir}/media` to `${dataDir}/media_store` if `system.stateVersion` is at least `22.05`. Files will need to be manually moved to the new
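Review bot: The new sentence after the `extraConfigFiles` example says the filename "must be quoted", which describes the fix but not the cause. It is the Nix path literal that gets copied into the world-readable store, so the sentence would be more precise as "The entry must be a string, not a path literal, to prevent Nix from copying the file to the (world-readable) store." Also capitalise "Nix" and hyphenate "world-readable".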
@ -706,6 +734,13 @@ In addition to numerous new and upgraded packages, this release has the followin
* Legacy options have been mapped to the corresponding options under under [nix.settings](options.html#opt-nix.settings) and will be deprecated when NixOS 21.11 reaches end of life.
* [nix.buildMachines.publicHostKey](options.html#opt-nix.buildMachines.publicHostKey) has been added.
- [`kops`](https://kops.sigs.k8s.io) defaults to 1.23.2, which will enable [Instance Metadata Service Version 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for `spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS` has changed from `true` to `false`. Cilium now has `disable-cnp-status-updates: true` by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the [1.22 release notes](https://kops.sigs.k8s.io/releases/1.22-notes/) and [1.23 release notes](https://kops.sigs.k8s.io/releases/1.23-notes/) for more details, including other significant changes.
- Mattermost has been upgraded to extended support version 6.3 as the previously
packaged extended support version 5.37 is [reaching end of life](https://docs.mattermost.com/upgrade/extended-support-release.html).
Migration may take some time, see the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release)
and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html).
- The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.
- Some improvements have been made to the `hadoop` module:
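Review bot: The relocated `kops` entry lists "Ubuntu 16.05 (Xenial)" among the removed platforms; Xenial is Ubuntu 16.04. While moving the paragraph, it would also help to say which workloads the IMDSv2 token requirement "may break", since "some types of workloads" gives an operator nothing to check against.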
@ -730,6 +765,17 @@ In addition to numerous new and upgraded packages, this release has the followin
redis-cli save
cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"
```
- Peertube now uses services.redis.servers to start a new redis server, instead of using a global redis server.
This improves compatibility with other services that use redis.
Redis database is used for storage only cache and job queue. More information can be found here - [Peertube architecture](https://docs.joinpeertube.org/contribute-architecture).
If you do want to save the redis database, you can use the following commands before upgrade OS:
```bash
redis-cli save
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
```
- If you are using Wayland you can choose to use the Ozone Wayland support
in Chrome and several Electron apps by setting the environment variable
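Review bot: in the Peertube entry, `sudo mkdir /var/lib/redis-peertube` and `sudo cp ... dump.rdb` leave the directory and the dump owned by root, and the text does not say how the new per-service redis instance gets access to them. Either add the ownership step or state that the module fixes ownership on first start. The wording also needs a pass: "Redis database is used for storage only cache and job queue" and "before upgrade OS" are hard to parse, and `services.redis.servers` should be in backticks like the other option names in this file.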
@ -797,7 +843,6 @@ In addition to numerous new and upgraded packages, this release has the followin
If you are using only a window manager without a desktop manager, you need to enable
`services.xserver.desktopManager.runXdgAutostartIfNone` or using the `dex` package to make `fcitx5` work.
- A new module was added for the Envoy reverse proxy, providing the options `services.envoy.enable` and `services.envoy.settings`.
- The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.
@ -843,9 +888,6 @@ In addition to numerous new and upgraded packages, this release has the followin
- The default value for `programs.spacefm.settings.graphical_su` got unset. It previously pointed to `gksu` which has been removed.
- A new module was added for the [Starship](https://starship.rs/) shell prompt,
providing the options `programs.starship.enable` and `programs.starship.settings`.
- The [Dino](https://dino.im) XMPP client was updated to 0.3, adding support for audio and video calls.
- `services.mattermost.plugins` has been added to allow the declarative installation of Mattermost plugins.
@ -905,6 +947,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `nss` package was split into `nss_esr` and `nss_latest`, with `nss` being an alias for `nss_esr`. This was done to ease maintenance of `nss` and dependent high-profile packages like `firefox`.
- The default `scribus` version is now 1.5, while version 1.4 is still available as `scribus_1_4` ([#172700](https://github.com/NixOS/nixpkgs/pull/172700)).
- The Nextcloud module now supports to create a Mysql database automatically
with `services.nextcloud.database.createLocally` enabled.
@ -915,8 +959,6 @@ In addition to numerous new and upgraded packages, this release has the followin
- Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`.
- The `spark3` package is now usable on `aarch64-darwin` as a result of [#158613](https://github.com/NixOS/nixpkgs/pull/158613) and [#158992](https://github.com/NixOS/nixpkgs/pull/158992).
- The `programs.nncp` options were added for generating host-global NNCP configuration.
- The option `services.snapserver.openFirewall` will no longer default to
`true` starting with NixOS 22.11. Enable it explicitly if you need to control
Snapserver remotely or connect streamig clients from other hosts.
@ -928,4 +970,21 @@ In addition to numerous new and upgraded packages, this release has the followin
by a `.network-`unit with a lower priority). In case of scripted networking, no behavior
was changed.
- The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks.
- `stdenv.mkDerivation` now supports a self-referencing `finalAttrs:` parameter
containing the final `mkDerivation` arguments including overrides.
`drv.overrideAttrs` now supports two parameters `finalAttrs: previousAttrs:`.
This allows packaging configuration to be overridden in a consistent manner by
providing an alternative to `rec {}` syntax.
Additionally, `passthru` can now reference `finalAttrs.finalPackage` containing
the final package, including attributes such as the output paths and
`overrideAttrs`.
New language integrations can be simplified by overriding a "prototype"
package containing the language-specific logic. This removes the need for a
extra layer of overriding for the "generic builder" arguments, thus removing a
usability problem and source of error.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

View file

@ -23,7 +23,7 @@ In addition to numerous new and upgraded packages, this release has the followin
## New Services {#sec-release-22.11-new-services}
- Please remove this line when you add the first item since docbook requires the section to be non-empty
- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@ -37,9 +37,14 @@ In addition to numerous new and upgraded packages, this release has the followin
`lib.systems.parse.isCompatible` still exists, but has changed semantically:
Architectures with differing endianness modes are *no longer considered compatible*.
- The `isPowerPC` predicate, found on `platform` attrsets (`hostPlatform`, `buildPlatform`, `targetPlatform`, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace `foo.isPowerPC` with `(with foo; isPower && is32bit && isBigEndian)`.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Other Notable Changes {#sec-release-22.11-notable-changes}
- Please remove this line when you add the first item since docbook requires the section to be non-empty
* A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
* Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
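Review bot: typo in the `isPowerPC` entry, "The predicate was was defined"; drop the duplicated word. The Synapse entry says duplicate rows in `state_group_edges` "could fail with an error and require manual remediation" without saying where the remediation is described; a link to the upstream upgrade notes would let operators check their database before upgrading.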

View file

@ -50,11 +50,6 @@ let
# they way through, but has the last priority behind everything else.
nixpkgs.system = lib.mkDefault system;
# Stash the value of the `system` argument. When using `nesting.children`
# we want to have the same default value behavior (immediately above)
# without any interference from the user's configuration.
nixpkgs.initialSystem = system;
_module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_);
};
};

View file

@ -35,6 +35,8 @@ python3Packages.buildPythonApplication rec {
checkPhase = ''
mypy --disallow-untyped-defs \
--no-implicit-optional \
--pretty \
--no-color-output \
--ignore-missing-imports ${src}/test_driver
pylint --errors-only --enable=unused-import ${src}/test_driver
black --check --diff ${src}/test_driver

View file

@ -0,0 +1,42 @@
# This file contains type hints that can be prepended to Nix test scripts so they can be type
# checked.
from test_driver.driver import Driver
from test_driver.vlan import VLan
from test_driver.machine import Machine
from test_driver.logger import Logger
from typing import Callable, Iterator, ContextManager, Optional, List, Dict, Any, Union
from typing_extensions import Protocol
from pathlib import Path
class RetryProtocol(Protocol):
def __call__(self, fn: Callable, timeout: int = 900) -> None:
raise Exception("This is just type information for the Nix test driver")
class PollingConditionProtocol(Protocol):
def __call__(
self,
fun_: Optional[Callable] = None,
*,
seconds_interval: float = 2.0,
description: Optional[str] = None,
) -> Union[Callable[[Callable], ContextManager], ContextManager]:
raise Exception("This is just type information for the Nix test driver")
start_all: Callable[[], None]
subtest: Callable[[str], ContextManager[None]]
retry: RetryProtocol
test_script: Callable[[], None]
machines: List[Machine]
vlans: List[VLan]
driver: Driver
log: Logger
create_machine: Callable[[Dict[str, Any]], Machine]
run_tests: Callable[[], None]
join_all: Callable[[], None]
serial_stdout_off: Callable[[], None]
serial_stdout_on: Callable[[], None]
polling_condition: PollingConditionProtocol

View file

@ -50,6 +50,7 @@ rec {
, qemu_pkg ? pkgs.qemu_test
, enableOCR ? false
, skipLint ? false
, skipTypeCheck ? false
, passthru ? {}
, interactive ? false
, extraPythonPackages ? (_ :[])
@ -86,7 +87,7 @@ rec {
nodeHostNames = let
nodesList = map (c: c.config.system.name) (lib.attrValues nodes);
in nodesList ++ lib.optional (lib.length nodesList == 1) "machine";
in nodesList ++ lib.optional (lib.length nodesList == 1 && !lib.elem "machine" nodesList) "machine";
# TODO: This is an implementation error and needs fixing
# the testing famework cannot legitimately restrict hostnames further
@ -101,6 +102,9 @@ rec {
then testScript { inherit nodes; }
else testScript;
uniqueVlans = lib.unique (builtins.concatLists vlans);
vlanNames = map (i: "vlan${toString i}: VLan;") uniqueVlans;
machineNames = map (name: "${name}: Machine;") nodeHostNames;
in
if lib.length invalidNodeNames > 0 then
throw ''
@ -114,7 +118,7 @@ rec {
else lib.warnIf skipLint "Linting is disabled" (runCommand testDriverName
{
inherit testName;
nativeBuildInputs = [ makeWrapper ];
nativeBuildInputs = [ makeWrapper mypy ];
testScript = testScript';
preferLocalBuild = true;
passthru = passthru // {
@ -126,7 +130,25 @@ rec {
mkdir -p $out/bin
vmStartScripts=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
echo -n "$testScript" > $out/test-script
${lib.optionalString (!skipTypeCheck) ''
# prepend type hints so the test script can be type checked with mypy
cat "${./test-script-prepend.py}" >> testScriptWithTypes
echo "${builtins.toString machineNames}" >> testScriptWithTypes
echo "${builtins.toString vlanNames}" >> testScriptWithTypes
echo -n "$testScript" >> testScriptWithTypes
# set pythonpath so mypy knows where to find the imports. this requires the py.typed file.
export PYTHONPATH='${./test-driver}'
mypy --no-implicit-optional \
--pretty \
--no-color-output \
testScriptWithTypes
unset PYTHONPATH
''}
echo -n "$testScript" >> $out/test-script
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-test-driver
${testDriver}/bin/generate-driver-symbols
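Review bot: `export PYTHONPATH='${./test-driver}'` followed by `unset PYTHONPATH` throws away whatever PYTHONPATH the build environment had before this block, which later commands in the same script may rely on. Scope the variable to the one command instead, as a prefix assignment on the `mypy` invocation, and the export/unset pair can go. `testScriptWithTypes` is also built entirely with `>>`; starting it with `>` on the first `cat` makes the block safe if the file already exists in the build directory.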
@ -153,6 +175,7 @@ rec {
, testScript
, enableOCR ? false
, name ? "unnamed"
, skipTypeCheck ? false
# Skip linting (mainly intended for faster dev cycles)
, skipLint ? false
, passthru ? {}
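Review bot: `skipTypeCheck` is added with no comment, directly above the `# Skip linting (mainly intended for faster dev cycles)` line that documents `skipLint`. Give it its own one-line description, and consider a `lib.warnIf skipTypeCheck` next to the existing "Linting is disabled" warning so a test that opts out of type checking is visible in the build output.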
@ -209,19 +232,19 @@ rec {
)];
};
in
lib.warnIf (t?machine) "In test `${name}': The `machine' attribute in NixOS tests (pkgs.nixosTest / make-test-pyton.nix / testing-python.nix / makeTest) is deprecated. Please use the equivalent `nodes.machine'."
lib.warnIf (t?machine) "In test `${name}': The `machine' attribute in NixOS tests (pkgs.nixosTest / make-test-python.nix / testing-python.nix / makeTest) is deprecated. Please use the equivalent `nodes.machine'."
build-vms.buildVirtualNetwork (
nodes // lib.optionalAttrs (machine != null) { inherit machine; }
);
driver = setupDriverForTest {
inherit testScript enableOCR skipLint passthru extraPythonPackages;
inherit testScript enableOCR skipTypeCheck skipLint passthru extraPythonPackages;
testName = name;
qemu_pkg = pkgs.qemu_test;
nodes = mkNodes pkgs.qemu_test;
};
driverInteractive = setupDriverForTest {
inherit testScript enableOCR skipLint passthru extraPythonPackages;
inherit testScript enableOCR skipTypeCheck skipLint passthru extraPythonPackages;
testName = name;
qemu_pkg = pkgs.qemu;
nodes = mkNodes pkgs.qemu;

View file

@ -0,0 +1,29 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.hardware.new-lg4ff;
kernelPackages = config.boot.kernelPackages;
in {
options.hardware.new-lg4ff = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables improved Linux module drivers for Logitech driving wheels.
This will replace the existing in-kernel hid-logitech modules.
Works most notably on the Logitech G25, G27, G29 and Driving Force (GT).
'';
};
};
config = lib.mkIf cfg.enable {
boot = {
extraModulePackages = [ kernelPackages.new-lg4ff ];
kernelModules = [ "hid-logitech-new" ];
};
};
meta.maintainers = with lib.maintainers; [ matthiasbenaets ];
}

View file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.saleae-logic;
in
{
options.hardware.saleae-logic = {
enable = lib.mkEnableOption "udev rules for Saleae Logic devices";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.saleae-logic-2;
defaultText = lib.literalExpression "pkgs.saleae-logic-2";
description = ''
Saleae Logic package to use.
'';
};
};
config = lib.mkIf cfg.enable {
services.udev.packages = [ cfg.package ];
};
meta.maintainers = with lib.maintainers; [ chivay ];
}

View file

@ -163,8 +163,19 @@ in
'';
};
hardware.nvidia.forceFullCompositionPipeline = lib.mkOption {
default = false;
type = types.bool;
description = ''
Whether to force-enable the full composition pipeline.
This sometimes fixes screen tearing issues.
This has been reported to reduce the performance of some OpenGL applications and may produce issues in WebGL.
It also drastically increases the time the driver needs to clock down after load.
'';
};
hardware.nvidia.package = lib.mkOption {
type = lib.types.package;
type = types.package;
default = config.boot.kernelPackages.nvidiaPackages.stable;
defaultText = literalExpression "config.boot.kernelPackages.nvidiaPackages.stable";
description = ''
@ -255,13 +266,18 @@ in
''
BusID "${pCfg.nvidiaBusId}"
${optionalString syncCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
${optionalString cfg.powerManagement.finegrained "Option \"NVreg_DynamicPowerManagement=0x02\""}
'';
screenSection =
''
Option "RandRRotation" "on"
${optionalString syncCfg.enable "Option \"AllowEmptyInitialConfiguration\""}
'';
'' + optionalString syncCfg.enable ''
Option "AllowEmptyInitialConfiguration"
'' + optionalString cfg.forceFullCompositionPipeline ''
Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}"
Option "AllowIndirectGLXProtocol" "off"
Option "TripleBuffer" "on"
''
;
};
services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
@ -367,7 +383,8 @@ in
RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%c{3} c 195 %c{3}"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'"
'' + optionalString cfg.powerManagement.finegrained ''
'' + optionalString cfg.powerManagement.finegrained (
optionalString (versionOlder config.boot.kernelPackages.kernel.version "5.5") ''
# Remove NVIDIA USB xHCI Host Controller devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
@ -376,7 +393,7 @@ in
# Remove NVIDIA Audio devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
'' + ''
# Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
@ -384,7 +401,7 @@ in
# Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
'';
'');
boot.extraModprobeConfig = mkIf cfg.powerManagement.finegrained ''
options nvidia "NVreg_DynamicPowerManagement=0x02"

View file

@ -479,7 +479,7 @@ in
+ lib.optionalString (isx86_32 || isx86_64) "-Xbcj x86"
# Untested but should also reduce size for these platforms
+ lib.optionalString (isAarch32 || isAarch64) "-Xbcj arm"
+ lib.optionalString (isPowerPC) "-Xbcj powerpc"
+ lib.optionalString (isPower && is32bit && isBigEndian) "-Xbcj powerpc"
+ lib.optionalString (isSparc) "-Xbcj sparc";
description = ''
Compression settings to use for the squashfs nix store.

View file

@ -67,6 +67,7 @@ in
imports = [
./assertions.nix
./meta.nix
(mkRemovedOptionModule [ "nixpkgs" "initialSystem" ] "The NixOS options `nesting.clone` and `nesting.children` have been deleted, and replaced with named specialisation. Therefore `nixpgks.initialSystem` has no effect anymore.")
];
options.nixpkgs = {
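Review bot: the removal message names the option as `nixpgks.initialSystem`; it should read `nixpkgs.initialSystem`. This string is what users see when evaluation fails, so the misspelled name makes the error harder to search for.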
@ -219,14 +220,6 @@ in
Ignored when <code>nixpkgs.pkgs</code> is set.
'';
};
initialSystem = mkOption {
type = types.str;
internal = true;
description = ''
Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>.
'';
};
};
config = {

View file

@ -13,7 +13,7 @@ let
attrsToText = attrs:
concatStringsSep "\n" (
mapAttrsToList (n: v: ''${n}=${escapeIfNeccessary (toString v)}'') attrs
);
) + "\n";
osReleaseContents = {
NAME = "NixOS";

View file

@ -66,6 +66,7 @@
./hardware/network/ath-user-regd.nix
./hardware/network/b43.nix
./hardware/network/intel-2200bg.nix
./hardware/new-lg4ff.nix
./hardware/nitrokey.nix
./hardware/opengl.nix
./hardware/openrazer.nix
@ -73,6 +74,7 @@
./hardware/printers.nix
./hardware/raid/hpsa.nix
./hardware/rtl-sdr.nix
./hardware/saleae-logic.nix
./hardware/steam-hardware.nix
./hardware/system-76.nix
./hardware/tuxedo-keyboard.nix
@ -137,6 +139,7 @@
./programs/captive-browser.nix
./programs/ccache.nix
./programs/cdemu.nix
./programs/cfs-zen-tweaks.nix
./programs/chromium.nix
./programs/clickshare.nix
./programs/cnping.nix
@ -733,6 +736,7 @@
./services/networking/bitcoind.nix
./services/networking/autossh.nix
./services/networking/bird.nix
./services/networking/bird-lg.nix
./services/networking/bitlbee.nix
./services/networking/blockbook-frontend.nix
./services/networking/blocky.nix
@ -1234,6 +1238,7 @@
./tasks/powertop.nix
./testing/service-runner.nix
./virtualisation/anbox.nix
./virtualisation/appvm.nix
./virtualisation/build-vm.nix
./virtualisation/container-config.nix
./virtualisation/containerd.nix

View file

@ -136,6 +136,24 @@ in
packages = [ atop (lib.mkIf cfg.netatop.enable cfg.netatop.package) ];
services =
mkService cfg.atopService.enable "atop" [ atop ]
// lib.mkIf cfg.atopService.enable {
# always convert logs to newer version first
# XXX might trigger TimeoutStart but restarting atop.service will
# convert remainings logs and start eventually
atop.serviceConfig.ExecStartPre = pkgs.writeShellScript "atop-update-log-format" ''
set -e -u
for logfile in "$LOGPATH"/atop_*
do
${atop}/bin/atopconvert "$logfile" "$logfile".new
# only replace old file if version was upgraded to avoid
# false positives for atop-rotate.service
if ! ${pkgs.diffutils}/bin/cmp -s "$logfile" "$logfile".new
then
${pkgs.coreutils}/bin/mv -v -f "$logfile".new "$logfile"
fi
done
'';
}
// mkService cfg.atopacctService.enable "atopacct" [ atop ]
// mkService cfg.netatop.enable "netatop" [ cfg.netatop.package ]
// mkService cfg.atopgpu.enable "atopgpu" [ atop ];
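Review bot: `//` is a shallow update, so `mkService cfg.atopService.enable "atop" [ atop ] // lib.mkIf cfg.atopService.enable { atop.serviceConfig.ExecStartPre = ...; }` does not merge ExecStartPre into the `atop` service. Same-named attributes on the right replace those on the left, and `lib.mkIf` contributes its own wrapper attributes rather than the inner set. Putting the pieces in a `lib.mkMerge [ ... ]` list lets the module system do the merge. In the script itself, a `.new` file is left behind whenever `cmp` finds no difference, so the next run's `"$LOGPATH"/atop_*` glob picks it up as an input; and with `set -e`, an unmatched glob passes the literal pattern to `atopconvert` and aborts the start. Remove the unchanged `.new` file in an else branch and skip entries that are not regular files.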

View file

@ -0,0 +1,28 @@
# CFS Zen Tweaks
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.cfs-zen-tweaks;
in
{
meta = {
maintainers = with maintainers; [ mkg20001 ];
};
options = {
programs.cfs-zen-tweaks.enable = mkEnableOption "CFS Zen Tweaks";
};
config = mkIf cfg.enable {
systemd.packages = [ pkgs.cfs-zen-tweaks ];
systemd.services.set-cfs-tweak.wantedBy = [ "multi-user.target" "suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target" ];
};
}

View file

@ -361,8 +361,13 @@ in
++ lib.optional cfg.enableSrunX11 slurm-spank-x11;
wantedBy = [ "multi-user.target" ];
after = [ "systemd-tmpfiles-clean.service" ];
requires = [ "network.target" ];
after = [
"systemd-tmpfiles-clean.service"
"munge.service"
"network-online.target"
"remote-fs.target"
];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "forking";
@ -371,6 +376,7 @@ in
PIDFile = "/run/slurmd.pid";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
LimitMEMLOCK = "infinity";
Delegate="Yes";
};
};

View file

@ -13,6 +13,8 @@ let
# is in theory not needed as this is already the default for default builds
UpdateChannel = 0;
Headless = true;
} // lib.optionalAttrs (cfg.ipcPasswordFile != "") {
IPCPassword = "#ipcPassword#";
});
ipc-config = format.generate "IPC.config" cfg.ipcSettings;
@ -81,8 +83,7 @@ in
type = format.type;
description = ''
The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>.
Do note that `AutoRestart` and `UpdateChannel` is always to `false`
respectively `0` because NixOS takes care of updating everything.
Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything.
`Headless` is also always set to `true` because there is no way to provide inputs via a systemd service.
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>.
'';
@ -92,6 +93,11 @@ respectively `0` because NixOS takes care of updating everything.
default = { };
};
ipcPasswordFile = mkOption {
type = types.path;
description = "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group.";
};
ipcSettings = mkOption {
type = format.type;
description = ''
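Review bot: `ipcPasswordFile` is declared as `types.path` with no default, which makes it mandatory for every user of the module, yet the config is built with `lib.optionalAttrs (cfg.ipcPasswordFile != "")` as if it were optional. Make it `types.nullOr types.path` with `default = null` and test against `null` in both places. The description is copied from the bot `passwordFile` option: it should say this is the IPC password, and "containig" should be "containing".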
@ -115,14 +121,12 @@ respectively `0` because NixOS takes care of updating everything.
options = {
username = mkOption {
type = types.str;
description =
"Name of the user to log in. Default is attribute name.";
description = "Name of the user to log in. Default is attribute name.";
default = "";
};
passwordFile = mkOption {
type = types.path;
description =
"Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group.";
description = "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group.";
};
enabled = mkOption {
type = types.bool;
@ -131,8 +135,7 @@ respectively `0` because NixOS takes care of updating everything.
};
settings = mkOption {
type = types.attrs;
description =
"Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>.";
description = "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>.";
default = { };
};
};
@ -156,6 +159,7 @@ respectively `0` because NixOS takes care of updating everything.
users = {
users.asf = {
home = cfg.dataDir;
homeMode = "700";
isSystemUser = true;
group = "asf";
description = "Archis-Steam-Farm service user";
@ -176,8 +180,7 @@ respectively `0` because NixOS takes care of updating everything.
Group = "asf";
WorkingDirectory = cfg.dataDir;
Type = "simple";
ExecStart =
"${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate";
ExecStart = "${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate";
# mostly copied from the default systemd service
PrivateTmp = true;
@ -202,26 +205,35 @@ respectively `0` because NixOS takes care of updating everything.
}
];
preStart = ''
mkdir -p config
rm -f www
rm -f config/{*.json,*.config}
ln -s ${asf-config} config/ASF.json
${strings.optionalString (cfg.ipcSettings != {}) ''
ln -s ${ipc-config} config/IPC.config
''}
ln -s ${pkgs.runCommandLocal "ASF-bots" {} ''
mkdir -p $out/lib/asf/bots
preStart =
let
createBotsScript = pkgs.runCommandLocal "ASF-bots" { } ''
mkdir -p $out
# clean potential removed bots
rm -rf $out/*.json
for i in ${strings.concatStringsSep " " (lists.map (x: "${getName x},${x}") (attrsets.mapAttrsToList mkBot cfg.bots))}; do IFS=",";
set -- $i
ln -s $2 $out/lib/asf/bots/$1
ln -fs $2 $out/$1
done
''}/lib/asf/bots/* config/
'';
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
in
''
mkdir -p config
${strings.optionalString cfg.web-ui.enable ''
cp --no-preserve=mode ${asf-config} config/ASF.json
${replaceSecretBin} '#ipcPassword#' '${cfg.ipcPasswordFile}' config/ASF.json
${optionalString (cfg.ipcSettings != {}) ''
ln -fs ${ipc-config} config/IPC.config
''}
${optionalString (cfg.ipcSettings != {}) ''
ln -fs ${createBotsScript}/* config/
''}
rm -f www
${optionalString cfg.web-ui.enable ''
ln -s ${cfg.web-ui.package}/lib/dist www
''}
'';
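Review bot: `${replaceSecretBin} '#ipcPassword#' '${cfg.ipcPasswordFile}' config/ASF.json` runs unconditionally, although the `#ipcPassword#` placeholder is only written to ASF.json when a password file is configured; guard it with the same condition. The `ln -fs ${createBotsScript}/* config/` line sits under `optionalString (cfg.ipcSettings != {})`, which looks copied from the IPC.config block above it, so bots are only linked when IPC settings happen to be set. The `rm -rf $out/*.json` inside `runCommandLocal` cleans a freshly created output, so nothing removes stale bot links from `config/` itself once `rm -f config/{*.json,*.config}` is gone.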

View file

@ -74,6 +74,18 @@ in
<literal>dendrite</literal> is running.
'';
};
loadCredential = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "private_key:/path/to/my_private_key" ];
description = ''
This can be used to pass secrets to the systemd service without adding them to
the nix store.
To use the example setting, see the example of
<option>services.dendrite.settings.global.private_key</option>.
See the LoadCredential section of systemd.exec manual for more information.
'';
};
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
@ -88,8 +100,10 @@ in
'';
};
private_key = lib.mkOption {
type = lib.types.path;
example = "${workingDir}/matrix_key.pem";
type = lib.types.either
lib.types.path
(lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+");
example = "$CREDENTIALS_DIRECTORY/private_key";
description = ''
The path to the signing private key file, used to sign
requests and events.
@ -256,6 +270,7 @@ in
RuntimeDirectoryMode = "0700";
LimitNOFILE = 65535;
EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
LoadCredential = cfg.loadCredential;
ExecStartPre = ''
${pkgs.envsubst}/bin/envsubst \
-i ${configurationYaml} \

View file

@ -53,7 +53,10 @@ in
User = cfg.user;
Group = cfg.group;
StateDirectory = "jellyfin";
StateDirectoryMode = "0700";
CacheDirectory = "jellyfin";
CacheDirectoryMode = "0700";
UMask = "0077";
ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
Restart = "on-failure";

View file

@ -2,14 +2,13 @@
with lib;
let
let
cfg = config.services.libreddit;
args = concatStringsSep " " ([
"--port ${toString cfg.port}"
"--address ${cfg.address}"
] ++ optional cfg.redirect "--redirect-https");
]);
in
{
options = {
@ -30,12 +29,6 @@ in
description = "The port to listen on";
};
redirect = mkOption {
type = types.bool;
default = false;
description = "Enable the redirecting to HTTPS";
};
openFirewall = mkOption {
type = types.bool;
default = false;
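Review bot: the `redirect` option is dropped with no `mkRemovedOptionModule` in the visible hunks, so a configuration that still sets `services.libreddit.redirect` fails evaluation with a generic unknown-option error. Add a removal stub in `imports` that says why the flag is gone and that HTTPS redirection now has to be handled by the reverse proxy in front of the service, and mention it in the release notes.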
@ -56,6 +49,31 @@ in
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
Restart = "on-failure";
RestartSec = "2s";
# Hardening
CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
# A private user cannot have process capabilities on the host's user
# namespace and thus CAP_NET_BIND_SERVICE has no effect.
PrivateUsers = (cfg.port >= 1024);
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
UMask = "0077";
};
};

View file

@ -14,6 +14,7 @@ let
PATHS_PLUGINS = if builtins.isNull cfg.declarativePlugins then "${cfg.dataDir}/plugins" else declarativePlugins;
PATHS_LOGS = "${cfg.dataDir}/log";
SERVER_SERVE_FROM_SUBPATH = boolToString cfg.server.serveFromSubPath;
SERVER_PROTOCOL = cfg.protocol;
SERVER_HTTP_ADDR = cfg.addr;
SERVER_HTTP_PORT = cfg.port;
@ -41,9 +42,23 @@ let
USERS_AUTO_ASSIGN_ORG = boolToString cfg.users.autoAssignOrg;
USERS_AUTO_ASSIGN_ORG_ROLE = cfg.users.autoAssignOrgRole;
AUTH_DISABLE_LOGIN_FORM = boolToString cfg.auth.disableLoginForm;
AUTH_ANONYMOUS_ENABLED = boolToString cfg.auth.anonymous.enable;
AUTH_ANONYMOUS_ORG_NAME = cfg.auth.anonymous.org_name;
AUTH_ANONYMOUS_ORG_ROLE = cfg.auth.anonymous.org_role;
AUTH_AZUREAD_NAME = "Azure AD";
AUTH_AZUREAD_ENABLED = boolToString cfg.auth.azuread.enable;
AUTH_AZUREAD_ALLOW_SIGN_UP = boolToString cfg.auth.azuread.allowSignUp;
AUTH_AZUREAD_CLIENT_ID = cfg.auth.azuread.clientId;
AUTH_AZUREAD_SCOPES = "openid email profile";
AUTH_AZUREAD_AUTH_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/authorize";
AUTH_AZUREAD_TOKEN_URL = "https://login.microsoftonline.com/${cfg.auth.azuread.tenantId}/oauth2/v2.0/token";
AUTH_AZUREAD_ALLOWED_DOMAINS = cfg.auth.azuread.allowedDomains;
AUTH_AZUREAD_ALLOWED_GROUPS = cfg.auth.azuread.allowedGroups;
AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false;
AUTH_GOOGLE_ENABLED = boolToString cfg.auth.google.enable;
AUTH_GOOGLE_ALLOW_SIGN_UP = boolToString cfg.auth.google.allowSignUp;
AUTH_GOOGLE_CLIENT_ID = cfg.auth.google.clientId;
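Review bot: `AUTH_AZUREAD_ROLE_ATTRIBUTE_STRICT = false;` is a bare Nix boolean while every other boolean in this set goes through `boolToString`, so it may not render as the string the neighbouring settings produce. Use `boolToString` here too, and expose it as an option rather than hard-coding it, since strict role mapping is a setting operators who restrict access by role will want to turn on. `AUTH_AZUREAD_SCOPES` and `AUTH_AZUREAD_NAME` are likewise fixed with no way to override them.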
@ -484,6 +499,14 @@ in {
};
};
server = {
serveFromSubPath = mkOption {
description = "Serve Grafana from subpath specified in rootUrl setting";
default = false;
type = types.bool;
};
};
smtp = {
enable = mkEnableOption "smtp";
host = mkOption {
@ -546,6 +569,12 @@ in {
};
auth = {
disableLoginForm = mkOption {
description = "Set to true to disable (hide) the login form, useful if you use OAuth";
default = false;
type = types.bool;
};
anonymous = {
enable = mkOption {
description = "Whether to allow anonymous access.";
@ -563,6 +592,53 @@ in {
type = types.str;
};
};
azuread = {
enable = mkOption {
description = "Whether to allow Azure AD OAuth.";
default = false;
type = types.bool;
};
allowSignUp = mkOption {
description = "Whether to allow sign up with Azure AD OAuth.";
default = false;
type = types.bool;
};
clientId = mkOption {
description = "Azure AD OAuth client ID.";
default = "";
type = types.str;
};
clientSecretFile = mkOption {
description = "Azure AD OAuth client secret.";
default = null;
type = types.nullOr types.path;
};
tenantId = mkOption {
description = ''
Tenant id used to create auth and token url. Default to "common"
, let user sign in with any tenant.
'';
default = "common";
type = types.str;
};
allowedDomains = mkOption {
description = ''
To limit access to authenticated users who are members of one or more groups,
set allowedGroups to a comma- or space-separated list of group object IDs.
You can find object IDs for a specific group on the Azure portal.
'';
default = "";
type = types.str;
};
allowedGroups = mkOption {
description = ''
Limits access to users who belong to specific domains.
Separate domains with space or comma.
'';
default = "";
type = types.str;
};
};
google = {
enable = mkOption {
description = "Whether to allow Google OAuth2.";
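Review bot: the descriptions of `allowedDomains` and `allowedGroups` are swapped: `allowedDomains` explains group object IDs and `allowedGroups` explains domains. These two options are the access restriction for the Azure AD login, so a reader following the text would put values in the wrong field; swap the two description strings. `clientSecretFile` is described as "Azure AD OAuth client secret." but takes a path; say that it is the path to a file containing the secret. The `tenantId` description has a stray line break before the comma, and with the default `"common"` and both allow-lists empty, the text should state that any tenant's users can authenticate.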
@ -652,6 +728,10 @@ in {
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
${optionalString (cfg.auth.azuread.clientSecretFile != null) ''
GF_AUTH_AZUREAD_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.azuread.clientSecretFile})"
export GF_AUTH_AZUREAD_CLIENT_SECRET
''}
${optionalString (cfg.auth.google.clientSecretFile != null) ''
GF_AUTH_GOOGLE_CLIENT_SECRET="$(<${escapeShellArg cfg.auth.google.clientSecretFile})"
export GF_AUTH_GOOGLE_CLIENT_SECRET

View file

@ -28,6 +28,9 @@ in {
};
config = mkIf cfg.enable {
# for mimirtool
environment.systemPackages = [ pkgs.mimir ];
assertions = [{
assertion = (
(cfg.configuration == {} -> cfg.configFile != null) &&
@ -56,6 +59,7 @@ in {
ProtectSystem = "full";
DevicePolicy = "closed";
NoNewPrivileges = true;
WorkingDirectory = "/var/lib/mimir";
StateDirectory = "mimir";
};
};

View file

@ -108,7 +108,7 @@ in {
-i ${pkgs.writeText "dmarc-exporter.json.template" json} \
-o ''${STATE_DIRECTORY}/dmarc-exporter.json
exec ${pkgs.prometheus-dmarc-exporter}/bin/prometheus-dmarc-exporter \
exec ${pkgs.dmarc-metrics-exporter}/bin/dmarc-metrics-exporter \
--configuration /var/lib/prometheus-dmarc-exporter/dmarc-exporter.json \
${optionalString cfg.debug "--debug"}
''}";
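Review bot: the `exec` line passes `--configuration /var/lib/prometheus-dmarc-exporter/dmarc-exporter.json` as a fixed path, while the line above writes the file to `''${STATE_DIRECTORY}/dmarc-exporter.json`; the two agree only as long as the unit's state directory keeps that name. Since this line is already being touched for the binary rename, pass `''${STATE_DIRECTORY}/dmarc-exporter.json` here as well.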

View file

@ -0,0 +1,269 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.bird-lg;
in
{
options = {
services.bird-lg = {
package = mkOption {
type = types.package;
default = pkgs.bird-lg;
defaultText = literalExpression "pkgs.bird-lg";
description = "The Bird Looking Glass package to use.";
};
user = mkOption {
type = types.str;
default = "bird-lg";
description = "User to run the service.";
};
group = mkOption {
type = types.str;
default = "bird-lg";
description = "Group to run the service.";
};
frontend = {
enable = mkEnableOption "Bird Looking Glass Frontend Webserver";
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1:5000";
description = "Address to listen on.";
};
proxyPort = mkOption {
type = types.port;
default = 8000;
description = "Port bird-lg-proxy is running on.";
};
domain = mkOption {
type = types.str;
default = "";
example = "dn42.lantian.pub";
description = "Server name domain suffixes.";
};
servers = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "gigsgigscloud" "hostdare" ];
description = "Server name prefixes.";
};
whois = mkOption {
type = types.str;
default = "whois.verisign-grs.com";
description = "Whois server for queries.";
};
dnsInterface = mkOption {
type = types.str;
default = "asn.cymru.com";
description = "DNS zone to query ASN information.";
};
bgpMapInfo = mkOption {
type = types.listOf types.str;
default = [ "asn" "as-name" "ASName" "descr" ];
description = "Information displayed in bgpmap.";
};
titleBrand = mkOption {
type = types.str;
default = "Bird-lg Go";
description = "Prefix of page titles in browser tabs.";
};
netSpecificMode = mkOption {
type = types.str;
default = "";
example = "dn42";
description = "Apply network-specific changes for some networks.";
};
protocolFilter = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "ospf" ];
description = "Information displayed in bgpmap.";
};
nameFilter = mkOption {
type = types.str;
default = "";
example = "^ospf";
description = "Protocol names to hide in summary tables (RE2 syntax),";
};
timeout = mkOption {
type = types.int;
default = 120;
description = "Time before request timed out, in seconds.";
};
navbar = {
brand = mkOption {
type = types.str;
default = "Bird-lg Go";
description = "Brand to show in the navigation bar .";
};
brandURL = mkOption {
type = types.str;
default = "/";
description = "URL of the brand to show in the navigation bar.";
};
allServers = mkOption {
type = types.str;
default = "ALL Servers";
description = "Text of 'All server' button in the navigation bar.";
};
allServersURL = mkOption {
type = types.str;
default = "all";
description = "URL of 'All servers' button.";
};
};
extraArgs = mkOption {
type = types.lines;
default = "";
description = "
Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#frontend\">here</link>.
";
};
};
proxy = {
enable = mkEnableOption "Bird Looking Glass Proxy";
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1:8000";
description = "Address to listen on.";
};
allowedIPs = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "192.168.25.52" "192.168.25.53" ];
description = "List of IPs to allow (default all allowed).";
};
birdSocket = mkOption {
type = types.str;
default = "/run/bird.ctl";
example = "/var/run/bird/bird.ctl";
description = "Bird control socket path.";
};
traceroute = {
binary = mkOption {
type = types.str;
default = "${pkgs.traceroute}/bin/traceroute";
defaultText = literalExpression ''"''${pkgs.traceroute}/bin/traceroute"'';
description = "Traceroute's binary path.";
};
rawOutput = mkOption {
type = types.bool;
default = false;
description = "Display traceroute output in raw format.";
};
};
extraArgs = mkOption {
type = types.lines;
default = "";
description = "
Extra parameters documented <link xlink:href=\"https://github.com/xddxdd/bird-lg-go#proxy\">here</link>.
";
};
};
};
};
###### implementation
config = {
systemd.services = {
bird-lg-frontend = mkIf cfg.frontend.enable {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
description = "Bird Looking Glass Frontend Webserver";
serviceConfig = {
Type = "simple";
Restart = "on-failure";
ProtectSystem = "full";
ProtectHome = "yes";
MemoryDenyWriteExecute = "yes";
User = cfg.user;
Group = cfg.group;
};
script = ''
${cfg.package}/bin/frontend \
--servers ${concatStringsSep "," cfg.frontend.servers } \
--domain ${cfg.frontend.domain} \
--listen ${cfg.frontend.listenAddress} \
--proxy-port ${toString cfg.frontend.proxyPort} \
--whois ${cfg.frontend.whois} \
--dns-interface ${cfg.frontend.dnsInterface} \
--bgpmap-info ${concatStringsSep "," cfg.frontend.bgpMapInfo } \
--title-brand ${cfg.frontend.titleBrand} \
--navbar-brand ${cfg.frontend.navbar.brand} \
--navbar-brand-url ${cfg.frontend.navbar.brandURL} \
--navbar-all-servers ${cfg.frontend.navbar.allServers} \
--navbar-all-url ${cfg.frontend.navbar.allServersURL} \
--net-specific-mode ${cfg.frontend.netSpecificMode} \
--protocol-filter ${concatStringsSep "," cfg.frontend.protocolFilter } \
--name-filter ${cfg.frontend.nameFilter} \
--time-out ${toString cfg.frontend.timeout} \
${cfg.frontend.extraArgs}
'';
};
bird-lg-proxy = mkIf cfg.proxy.enable {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
description = "Bird Looking Glass Proxy";
serviceConfig = {
Type = "simple";
Restart = "on-failure";
ProtectSystem = "full";
ProtectHome = "yes";
MemoryDenyWriteExecute = "yes";
User = cfg.user;
Group = cfg.group;
};
script = ''
${cfg.package}/bin/proxy \
--allowed ${concatStringsSep "," cfg.proxy.allowedIPs } \
--bird ${cfg.proxy.birdSocket} \
--listen ${cfg.proxy.listenAddress} \
--traceroute_bin ${cfg.proxy.traceroute.binary}
--traceroute_raw ${boolToString cfg.proxy.traceroute.rawOutput}
${cfg.proxy.extraArgs}
'';
};
};
users = mkIf (cfg.frontend.enable || cfg.proxy.enable) {
groups."bird-lg" = mkIf (cfg.group == "bird-lg") { };
users."bird-lg" = mkIf (cfg.user == "bird-lg") {
description = "Bird Looking Glass user";
extraGroups = lib.optionals (config.services.bird2.enable) [ "bird2" ];
group = cfg.group;
isSystemUser = true;
};
};
};
}
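Review bot: in the `bird-lg-proxy` script the `--traceroute_bin` and `--traceroute_raw` lines have no trailing backslash, so the shell ends the `proxy` command after `--traceroute_bin …` and then tries to run `--traceroute_raw …` and the `extraArgs` text as separate commands; add the continuations. Both scripts also interpolate option values unquoted. The defaults `titleBrand = "Bird-lg Go"`, `navbar.brand = "Bird-lg Go"` and `navbar.allServers = "ALL Servers"` contain spaces and are word-split, and empty defaults such as `domain`, `netSpecificMode`, `nameFilter`, `servers` and `allowedIPs` expand to nothing, leaving a flag followed directly by the next flag. Build the command lines with `escapeShellArg`/`escapeShellArgs` and emit optional flags only when they are set. Smaller points: `protocolFilter` reuses the `bgpMapInfo` description, the `nameFilter` description ends in a comma, and `allowedIPs = [ ]` means every client is allowed, which is only safe while `listenAddress` stays on 127.0.0.1; the description should say so.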

View file

@ -9,6 +9,12 @@ let
};
interfaceOptions = {
options = {
autoStart = mkOption {
default = true;
description = "Whether this VPN connection should be started automatically.";
type = types.bool;
};
gateway = mkOption {
description = "Gateway server to connect to.";
example = "gateway.example.com";
@ -95,7 +101,7 @@ let
description = "OpenConnect Interface - ${name}";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
wantedBy = optional icfg.autoStart "multi-user.target";
serviceConfig = {
Type = "simple";

View file

@ -3,47 +3,33 @@
with lib;
let
cfg = config.services.localtime;
cfg = config.services.localtimed;
in {
options = {
services.localtime = {
services.localtimed = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable <literal>localtime</literal>, simple daemon for keeping the system
timezone up-to-date based on the current location. It uses geoclue2 to
determine the current location and systemd-timedated to actually set
the timezone.
Enable <literal>localtimed</literal>, a simple daemon for keeping the
system timezone up-to-date based on the current location. It uses
geoclue2 to determine the current location.
'';
};
};
};
config = mkIf cfg.enable {
services.geoclue2 = {
enable = true;
appConfig.localtime = {
services.geoclue2.appConfig.localtimed = {
isAllowed = true;
isSystem = true;
};
};
# Install the polkit rules.
environment.systemPackages = [ pkgs.localtime ];
# Install the systemd unit.
systemd.packages = [ pkgs.localtime ];
users.users.localtimed = {
description = "localtime daemon";
isSystemUser = true;
group = "localtimed";
};
users.groups.localtimed = {};
systemd.services.localtime = {
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart = "on-failure";
};
systemd.services.localtime.wantedBy = [ "multi-user.target" ];
};
}
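Review bot: the new `services.geoclue2.appConfig.localtimed = { … }` form no longer sets `services.geoclue2.enable = true`, while the option description still says the daemon uses geoclue2 to determine the location; unless geoclue2 is enabled elsewhere in this change, keep enabling it from this module. The option is also renamed from `services.localtime` to `services.localtimed` and no rename alias is visible in this hunk; if none is added elsewhere, existing configurations stop evaluating, so add a `mkRenamedOptionModule` entry. The unit is still addressed as `systemd.services.localtime` while the option and the geoclue2 app entry are `localtimed`; a one-line comment on why the names differ would help the next reader.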

View file

@ -197,6 +197,13 @@ in
Whether to allow note creation by accessing a nonexistent note URL.
'';
};
requireFreeURLAuthentication = mkOption {
type = types.bool;
default = false;
description = ''
Whether to require authentication for FreeURL mode style note creation.
'';
};
defaultPermission = mkOption {
type = types.enum [ "freely" "editable" "limited" "locked" "private" ];
default = "editable";
@ -431,7 +438,7 @@ in
Minio secret key.
'';
};
endpoint = mkOption {
endPoint = mkOption {
type = types.str;
description = ''
Minio endpoint.
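Review bot: renaming the Minio option from `endpoint` to `endPoint` changes a user-facing option name, and nothing in this hunk keeps the old spelling working, so configurations that set `endpoint` will fail to evaluate. Add a rename alias or a release-notes entry, and state in the description why the capital P is required.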

View file

@ -733,7 +733,7 @@ in {
'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)},
'trusted_proxies' => ${writePhpArrary (c.trustedProxies)},
${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"}
${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles}"}
${optionalString (nextcloudGreaterOrEqualThan "23") "'profile.enabled' => ${boolToString cfg.globalProfiles},"}
${objectstoreConfig}
];
'';
@ -830,7 +830,7 @@ in {
${occ}/bin/nextcloud-occ config:system:delete trusted_domains
${optionalString (cfg.extraAppsEnable && cfg.extraApps != { }) ''
# Try to enable apps (don't fail when one of them cannot be enabled , eg. due to incompatible version)
# Try to enable apps
${occ}/bin/nextcloud-occ app:enable ${concatStringsSep " " (attrNames cfg.extraApps)}
''}

View file

@ -209,7 +209,7 @@ in {
port = lib.mkOption {
type = lib.types.nullOr lib.types.port;
default = if cfg.redis.createLocally && cfg.redis.enableUnixSocket then null else 6379;
default = if cfg.redis.createLocally && cfg.redis.enableUnixSocket then null else 31638;
defaultText = lib.literalExpression ''
if config.${opt.redis.createLocally} && config.${opt.redis.enableUnixSocket}
then null
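Review bot: the new default `31638` for `redis.port` is an unexplained magic number. Add a comment or description text saying why the module moves away from 6379, and check that the `else` branch of `defaultText`, which is cut off below this hunk, shows the same value as `default`.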
@ -344,7 +344,7 @@ in {
};
};
}
(lib.mkIf cfg.redis.enableUnixSocket { redis = { socket = "/run/redis/redis.sock"; }; })
(lib.mkIf cfg.redis.enableUnixSocket { redis = { socket = "/run/redis-peertube/redis.sock"; }; })
];
systemd.tmpfiles.rules = [
@ -441,13 +441,17 @@ in {
enable = true;
};
services.redis = lib.mkMerge [
services.redis.servers.peertube = lib.mkMerge [
(lib.mkIf cfg.redis.createLocally {
enable = true;
})
(lib.mkIf (cfg.redis.createLocally && !cfg.redis.enableUnixSocket) {
bind = "127.0.0.1";
port = cfg.redis.port;
})
(lib.mkIf (cfg.redis.createLocally && cfg.redis.enableUnixSocket) {
unixSocket = "/run/redis/redis.sock";
unixSocketPerm = 770;
unixSocket = "/run/redis-peertube/redis.sock";
unixSocketPerm = 660;
})
];
@ -465,7 +469,7 @@ in {
};
})
(lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package peertubeEnv peertubeCli pkgs.ffmpeg pkgs.nodejs-16_x pkgs.yarn ])
(lib.mkIf cfg.redis.enableUnixSocket {${config.services.peertube.user}.extraGroups = [ "redis" ];})
(lib.mkIf cfg.redis.enableUnixSocket {${config.services.peertube.user}.extraGroups = [ "redis-peertube" ];})
];
users.groups = lib.optionalAttrs (cfg.group == "peertube") {

View file

@ -1,80 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkEnableOption mkIf mkOption types literalExpression;
cfg = config.services.timetagger;
in {
options = {
services.timetagger = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Tag your time, get the insight
<note><para>
This app does not do authentication.
You must setup authentication yourself or run it in an environment where
only allowed users have access.
</para></note>
'';
};
bindAddr = mkOption {
description = "Address to bind to.";
type = types.str;
default = "127.0.0.1";
};
port = mkOption {
description = "Port to bind to.";
type = types.port;
default = 8080;
};
package = mkOption {
description = ''
Use own package for starting timetagger web application.
The ${literalExpression ''pkgs.timetagger''} package only provides a
"run.py" script for the actual package
${literalExpression ''pkgs.python3Packages.timetagger''}.
If you want to provide a "run.py" script for starting timetagger
yourself, you can do so with this option.
If you do so, the 'bindAddr' and 'port' options are ignored.
'';
default = pkgs.timetagger.override { addr = cfg.bindAddr; port = cfg.port; };
defaultText = literalExpression ''
pkgs.timetagger.override {
addr = ${cfg.bindAddr};
port = ${cfg.port};
};
'';
type = types.package;
};
};
};
config = mkIf cfg.enable {
systemd.services.timetagger = {
description = "Timetagger service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "timetagger";
Group = "timetagger";
StateDirectory = "timetagger";
ExecStart = "${cfg.package}/bin/timetagger";
Restart = "on-failure";
RestartSec = 1;
};
};
};
}

View file

@ -932,7 +932,7 @@ in
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ]
++ optionals ((cfg.package != pkgs.tengine) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
++ optionals ((cfg.package != pkgs.tengine) && (cfg.package != pkgs.openresty) && (!lib.any (mod: (mod.disableIPC or false)) cfg.package.modules)) [ "~@ipc" ];
};
};
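Review bot: the `SystemCallFilter` line now skips `~@ipc` for `pkgs.openresty` as well as `pkgs.tengine`, which widens the unit's syscall surface for that package without a stated reason; add a comment naming what in openresty needs the IPC syscalls. The test is also an equality check against the stock derivation, so an overridden openresty compares unequal and still gets `~@ipc`. The hunk already honours a `disableIPC` attribute on modules; a similar attribute on the package would cover overrides and avoid growing this list of special cases.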

View file

@ -78,7 +78,13 @@ let
description = ''
Display scaling factor.
'';
type = types.nullOr types.ints.unsigned;
type = types.nullOr (
types.addCheck
(types.either types.int types.float)
(x : x > 0)
) // {
description = "null or positive integer or float";
};
default = null;
example = 2;
};

View file

@ -204,7 +204,6 @@ def get_profiles() -> List[str]:
else:
return []
def main() -> None:
parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files')
parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot')
@ -244,27 +243,29 @@ def main() -> None:
subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@"] + flags + ["install"])
else:
# Update bootloader to latest if needed
systemd_version = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2]
sdboot_status = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True)
available_out = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[2]
installed_out = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True)
# See status_binaries() in systemd bootctl.c for code which generates this
m = re.search("^\W+File:.*/EFI/(BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$",
sdboot_status, re.IGNORECASE | re.MULTILINE)
installed_match = re.search(r"^\W+File:.*/EFI/(?:BOOT|systemd)/.*\.efi \(systemd-boot ([\d.]+[^)]*)\)$",
installed_out, re.IGNORECASE | re.MULTILINE)
needs_install = False
available_match = re.search(r"^\((.*)\)$", available_out)
if m is None:
print("could not find any previously installed systemd-boot, installing.")
# Let systemd-boot attempt an installation if a previous one wasn't found
needs_install = True
else:
sdboot_version = f'({m.group(2)})'
if systemd_version != sdboot_version:
print("updating systemd-boot from %s to %s" % (sdboot_version, systemd_version))
needs_install = True
if installed_match is None:
raise Exception("could not find any previously installed systemd-boot")
if needs_install:
if available_match is None:
raise Exception("could not determine systemd-boot version")
installed_version = installed_match.group(1)
available_version = available_match.group(1)
if installed_version < available_version:
print("updating systemd-boot from %s to %s" % (installed_version, available_version))
subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "update"])
else:
print("leaving systemd-boot %s in place (%s is not newer)" % (installed_version, available_version))
mkdir_p("@efiSysMountPoint@/efi/nixos")
mkdir_p("@efiSysMountPoint@/loader/entries")
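Review bot: `installed_version < available_version` compares two strings, so the ordering is lexicographic rather than by version. With "250.9" installed and "250.10" available the comparison is false and the update is skipped with the "is not newer" message; the same happens for "99" against "100". Parse both values into a comparable form first, for example split on `.` and compare integer tuples, with any suffix handled explicitly. The new code also raises when no installed systemd-boot is found, where the old branch fell back to installing; if that is intended, make the exception message tell the operator to run the install path.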

View file

@ -14,6 +14,8 @@ extraUtils="@extraUtils@"
export LD_LIBRARY_PATH=@extraUtils@/lib
export PATH=@extraUtils@/bin
ln -s @extraUtils@/bin /bin
# hardcoded in util-linux's mount helper search path `/run/wrappers/bin:/run/current-system/sw/bin:/sbin`
ln -s @extraUtils@/bin /sbin
# Copy the secrets to their needed location
if [ -d "@extraUtils@/secrets" ]; then

View file

@ -31,6 +31,9 @@ let
# mounting `/`, like `/` on a loopback).
fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems;
# Determine whether zfs-mount(8) is needed.
zfsRequiresMountHelper = any (fs: lib.elem "zfsutil" fs.options) fileSystems;
# A utility for enumerating the shared-library dependencies of a program
findLibs = pkgs.buildPackages.writeShellScriptBin "find-libs" ''
set -euo pipefail
@ -107,6 +110,22 @@ let
copy_bin_and_libs $BIN
done
${optionalString zfsRequiresMountHelper ''
# Filesystems using the "zfsutil" option are mounted regardless of the
# mount.zfs(8) helper, but it is required to ensure that ZFS properties
# are used as mount options.
#
# BusyBox does not use the ZFS helper in the first place.
# util-linux searches /sbin/ as last path for helpers (stage-1-init.sh
# must symlink it to the store PATH).
# Without helper program, both `mount`s silently fails back to internal
# code, using default options and effectively ignore security relevant
# ZFS properties such as `setuid=off` and `exec=off` (unless manually
# duplicated in `fileSystems.*.options`, defeating "zfsutil"'s purpose).
copy_bin_and_libs ${pkgs.util-linux}/bin/mount
copy_bin_and_libs ${pkgs.zfs}/bin/mount.zfs
''}
# Copy some util-linux stuff.
copy_bin_and_libs ${pkgs.util-linux}/sbin/blkid
@ -204,24 +223,29 @@ let
# Run patchelf to make the programs refer to the copied libraries.
find $out/bin $out/lib -type f | while read i; do
if ! test -L $i; then
nuke-refs -e $out $i
fi
done
find $out/bin -type f | while read i; do
if ! test -L $i; then
echo "patching $i..."
patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true
fi
done
find $out/lib -type f \! -name 'ld*.so.?' | while read i; do
echo "patching $i..."
patchelf --set-rpath $out/lib $i
done
if [ -z "${toString (pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform)}" ]; then
# Make sure that the patchelf'ed binaries still work.
echo "testing patched programs..."
$out/bin/ash -c 'echo hello world' | grep "hello world"
export LD_LIBRARY_PATH=$out/lib
${if zfsRequiresMountHelper then ''
$out/bin/mount -V 1>&1 | grep -q "mount from util-linux"
$out/bin/mount.zfs -h 2>&1 | grep -q "Usage: mount.zfs"
'' else ''
$out/bin/mount --help 2>&1 | grep -q "BusyBox"
''}
$out/bin/blkid -V 2>&1 | grep -q 'libblkid'
$out/bin/udevadm --version
$out/bin/dmsetup --version 2>&1 | tee -a log | grep -q "version:"
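Review bot: in the new ZFS branch of the self-test, `$out/bin/mount -V 1>&1` redirects stdout to itself, which does nothing; the neighbouring checks all use `2>&1`, so this looks like a typo. Use `2>&1` or drop the redirect, so the check behaves the same if the version banner is written to stderr.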
@ -260,8 +284,6 @@ let
} ''
mkdir -p $out
echo 'ENV{LD_LIBRARY_PATH}="${extraUtils}/lib"' > $out/00-env.rules
cp -v ${udev}/lib/udev/rules.d/60-cdrom_id.rules $out/
cp -v ${udev}/lib/udev/rules.d/60-persistent-storage.rules $out/
cp -v ${udev}/lib/udev/rules.d/75-net-description.rules $out/

View file

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.virtualisation.appvm;
in {
options = {
virtualisation.appvm = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
This enables AppVMs and related virtualisation settings.
'';
};
user = mkOption {
type = types.str;
description = ''
AppVM user login. Currenly only AppVMs are supported for a single user only.
'';
};
};
};
config = mkIf cfg.enable {
virtualisation.libvirtd = {
enable = true;
qemu.verbatimConfig = ''
namespaces = []
user = "${cfg.user}"
group = "users"
remember_owner = 0
'';
};
users.users."${cfg.user}" = {
packages = [ pkgs.appvm ];
extraGroups = [ "libvirtd" ];
};
};
}
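Review bot: enabling this module writes `namespaces = []`, `user = "${cfg.user}"`, `group = "users"` and `remember_owner = 0` into `virtualisation.libvirtd.qemu.verbatimConfig`, which is the QEMU driver configuration for every guest libvirtd manages on the host, not only for AppVMs, and it also adds the user to `libvirtd`. The `enable` description ("related virtualisation settings") should spell out these changes so that turning the option on is an informed choice. `group = "users"` is hard-coded and should follow the configured user's group or become an option; `user` has no default or example, and its description has a typo ("Currenly") and a doubled "only".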

View file

@ -11,10 +11,9 @@ let
auth_unix_rw = "polkit"
${cfg.extraConfig}
'';
ovmfFilePrefix = if pkgs.stdenv.isAarch64 then "AAVMF" else "OVMF";
qemuConfigFile = pkgs.writeText "qemu.conf" ''
${optionalString cfg.qemu.ovmf.enable ''
nvram = [ "/run/libvirt/nix-ovmf/${ovmfFilePrefix}_CODE.fd:/run/libvirt/nix-ovmf/${ovmfFilePrefix}_VARS.fd" ]
nvram = [ "/run/libvirt/nix-ovmf/AAVMF_CODE.fd:/run/libvirt/nix-ovmf/AAVMF_VARS.fd", "/run/libvirt/nix-ovmf/OVMF_CODE.fd:/run/libvirt/nix-ovmf/OVMF_VARS.fd" ]
''}
${optionalString (!cfg.qemu.runAsRoot) ''
user = "qemu-libvirtd"
@ -36,13 +35,20 @@ let
'';
};
# mkRemovedOptionModule does not work in submodules, do it manually
package = mkOption {
type = types.package;
default = pkgs.OVMF;
defaultText = literalExpression "pkgs.OVMF";
example = literalExpression "pkgs.OVMFFull";
type = types.nullOr types.package;
default = null;
internal = true;
};
packages = mkOption {
type = types.listOf types.package;
default = [ pkgs.OVMF.fd ];
defaultText = literalExpression "[ pkgs.OVMF.fd ]";
example = literalExpression "[ pkgs.OVMFFull.fd pkgs.pkgsCross.aarch64-multiplatform.OVMF.fd ]";
description = ''
OVMF package to use.
List of OVMF packages to use. Each listed package must contain files names FV/OVMF_CODE.fd and FV/OVMF_VARS.fd or FV/AAVMF_CODE.fd and FV/AAVMF_VARS.fd
'';
};
};
@ -141,9 +147,9 @@ in
(mkRenamedOptionModule
[ "virtualisation" "libvirtd" "qemuOvmf" ]
[ "virtualisation" "libvirtd" "qemu" "ovmf" "enable" ])
(mkRenamedOptionModule
(mkRemovedOptionModule
[ "virtualisation" "libvirtd" "qemuOvmfPackage" ]
[ "virtualisation" "libvirtd" "qemu" "ovmf" "package" ])
"If this option was set to `foo`, set the option `virtualisation.libvirtd.qemu.ovmf.packages' to `[foo.fd]` instead.")
(mkRenamedOptionModule
[ "virtualisation" "libvirtd" "qemuSwtpm" ]
[ "virtualisation" "libvirtd" "qemu" "swtpm" "enable" ])
@ -238,12 +244,15 @@ in
assertions = [
{
assertion = config.security.polkit.enable;
message = "The libvirtd module currently requires Polkit to be enabled ('security.polkit.enable = true').";
assertion = config.virtualisation.libvirtd.qemu.ovmf.package == null;
message = ''
The option virtualisation.libvirtd.qemu.ovmf.package is superseded by virtualisation.libvirtd.qemu.ovmf.packages.
If this option was set to `foo`, set the option `virtualisation.libvirtd.qemu.ovmf.packages' to `[foo.fd]` instead.
'';
}
{
assertion = builtins.elem "fd" cfg.qemu.ovmf.package.outputs;
message = "The option 'virtualisation.libvirtd.qemuOvmfPackage' needs a package that has an 'fd' output.";
assertion = config.security.polkit.enable;
message = "The libvirtd module currently requires Polkit to be enabled ('security.polkit.enable = true').";
}
];
@ -303,10 +312,18 @@ in
ln -s --force ${cfg.qemu.package}/$helper /run/${dirName}/nix-helpers/
done
${optionalString cfg.qemu.ovmf.enable ''
ln -s --force ${cfg.qemu.ovmf.package.fd}/FV/${ovmfFilePrefix}_CODE.fd /run/${dirName}/nix-ovmf/
ln -s --force ${cfg.qemu.ovmf.package.fd}/FV/${ovmfFilePrefix}_VARS.fd /run/${dirName}/nix-ovmf/
''}
${optionalString cfg.qemu.ovmf.enable (let
ovmfpackage = pkgs.buildEnv {
name = "qemu-ovmf";
paths = cfg.qemu.ovmf.packages;
};
in
''
ln -s --force ${ovmfpackage}/FV/AAVMF_CODE.fd /run/${dirName}/nix-ovmf/
ln -s --force ${ovmfpackage}/FV/OVMF_CODE.fd /run/${dirName}/nix-ovmf/
ln -s --force ${ovmfpackage}/FV/AAVMF_VARS.fd /run/${dirName}/nix-ovmf/
ln -s --force ${ovmfpackage}/FV/OVMF_VARS.fd /run/${dirName}/nix-ovmf/
'')}
'';
serviceConfig = {
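Review bot: the four `ln -s --force` lines link `AAVMF_CODE.fd`, `OVMF_CODE.fd`, `AAVMF_VARS.fd` and `OVMF_VARS.fd` unconditionally, but the `packages` description only requires each package to ship one of the two pairs and the default is `[ pkgs.OVMF.fd ]`. Whichever pair is absent from the `buildEnv` ends up as a dangling symlink in `nix-ovmf/`, and the `nvram` list in `qemu.conf` advertises it regardless. Link only the files that exist under `${ovmfpackage}/FV` (a loop with a `-e` test), or build the `nvram` list from what is actually present. The earlier check that the package has an `fd` output is dropped in this change as well; consider an equivalent assertion over `packages`.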

View file

@ -284,7 +284,7 @@ let
DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;
};
system = config.nixpkgs.localSystem.system;
inherit (config.nixpkgs) localSystem;
kernelVersion = config.boot.kernelPackages.kernel.version;
bindMountOpts = { name, ... }: {
@ -478,12 +478,12 @@ in
type = lib.mkOptionType {
name = "Toplevel NixOS config";
merge = loc: defs: (import "${toString config.nixpkgs}/nixos/lib/eval-config.nix" {
inherit system;
modules =
let
extraConfig = {
_file = "module at ${__curPos.file}:${toString __curPos.line}";
config = {
nixpkgs = { inherit localSystem; };
boot.isContainer = true;
networking.hostName = mkDefault name;
networking.useDHCP = false;

View file

@ -64,7 +64,6 @@ in
environment.etc.vmware-tools.source = "${open-vm-tools}/etc/vmware-tools/*";
services.xserver = mkIf (!cfg.headless) {
videoDrivers = mkOverride 50 [ "vmware" ];
modules = [ xf86inputvmmouse ];
config = ''

View file

@ -171,6 +171,7 @@ in
frr = handleTest ./frr.nix {};
fsck = handleTest ./fsck.nix {};
ft2-clone = handleTest ./ft2-clone.nix {};
grafana-mimir = handleTest ./grafana-mimir.nix {};
gerrit = handleTest ./gerrit.nix {};
geth = handleTest ./geth.nix {};
ghostunnel = handleTest ./ghostunnel.nix {};

View file

@ -18,8 +18,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
# container available within the VM, because we don't have network access.
virtualisation.additionalPaths = let
emptyContainer = import ../lib/eval-config.nix {
inherit (config.nixpkgs.localSystem) system;
modules = lib.singleton {
nixpkgs = { inherit (config.nixpkgs) localSystem; };
containers.foo.config = {
system.stateVersion = "18.03";
};

View file

@ -17,10 +17,11 @@ import ./make-test-python.nix (
homeserver = { pkgs, ... }: {
services.dendrite = {
enable = true;
loadCredential = [ "test_private_key:${private_key}" ];
openRegistration = true;
settings = {
global.server_name = "test-dendrite-server.com";
global.private_key = private_key;
global.private_key = "$CREDENTIALS_DIRECTORY/test_private_key";
client_api.registration_disabled = false;
};
};

View file

@ -107,7 +107,7 @@ in
with subtest("gitolite server starts"):
server.wait_for_unit("gitolite-init.service")
server.wait_for_unit("sshd.service")
client.succeed("ssh gitolite@server info")
client.succeed("ssh -n gitolite@server info")
with subtest("admin can clone and configure gitolite-admin.git"):
client.succeed(

View file

@ -0,0 +1,50 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "grafana-mimir";
nodes = {
server = { ... }: {
environment.systemPackages = [ pkgs.jq ];
services.mimir.enable = true;
services.mimir.configuration = {
ingester.ring.replication_factor = 1;
};
services.telegraf.enable = true;
services.telegraf.extraConfig = {
agent.interval = "1s";
agent.flush_interval = "1s";
inputs.exec = {
commands = [
"${pkgs.coreutils}/bin/echo 'foo i=42i'"
];
data_format = "influx";
};
outputs = {
http = {
# test remote write
url = "http://localhost:8080/api/v1/push";
# Data format to output.
data_format = "prometheusremotewrite";
headers = {
Content-Type = "application/x-protobuf";
Content-Encoding = "snappy";
X-Scope-OrgID = "nixos";
X-Prometheus-Remote-Write-Version = "0.1.0";
};
};
};
};
};
};
testScript = ''
start_all()
server.wait_for_unit("mimir.service")
server.wait_for_unit("telegraf.service")
server.wait_for_open_port(8080)
server.wait_until_succeeds(
"curl -H 'X-Scope-OrgID: nixos' http://127.0.0.1:8080/prometheus/api/v1/label/host/values | jq -r '.data[0]' | grep server"
)
'';
})

View file

@ -6,14 +6,16 @@ with lib;
name = "libreddit";
meta.maintainers = with maintainers; [ fab ];
nodes.machine =
{ pkgs, ... }:
{ services.libreddit.enable = true; };
nodes.machine = {
services.libreddit.enable = true;
# Test CAP_NET_BIND_SERVICE
services.libreddit.port = 80;
};
testScript = ''
machine.wait_for_unit("libreddit.service")
machine.wait_for_open_port("8080")
# The service wants to get data from https://www.reddit.com
machine.succeed("curl http://localhost:8080/")
machine.wait_for_open_port("80")
# Query a page that does not require Internet access
machine.succeed("curl --fail http://localhost:80/settings")
'';
})

View file

@ -43,7 +43,9 @@ import ../make-test-python.nix (
tls_certificate_path = "${cert}";
tls_private_key_path = "${key}";
enable_registration = true;
enable_registration_without_verification = true;
registration_shared_secret = "supersecret-registration";
enable_registration_without_verification = true;
listeners = [ {
# The default but tls=false

View file

@ -5,9 +5,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
apiUrl = "http://${listenAddress}:${toString listenPort}";
uid = "movies";
indexJSON = pkgs.writeText "index.json" (builtins.toJSON { inherit uid; });
moviesJSON = pkgs.runCommand "movies.json" {} ''
sed -n '1,5p;$p' ${pkgs.meilisearch.src}/datasets/movies/movies.json > $out
'';
moviesJSON = pkgs.fetchurl {
url = "https://github.com/meilisearch/meilisearch/raw/v0.23.1/datasets/movies/movies.json";
sha256 = "1r3srld63dpmg9yrmysm6xl175661j5cspi93mk5q2wf8xwn50c5";
};
in {
name = "meilisearch";
meta.maintainers = with lib.maintainers; [ Br1ght0ne ];
@ -34,7 +35,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
with subtest("create index"):
machine.succeed(
"curl -XPOST ${apiUrl}/indexes --data @${indexJSON}"
"curl -XPOST --header 'Content-Type: application/json' ${apiUrl}/indexes --data @${indexJSON}"
)
indexes = json.loads(machine.succeed("curl ${apiUrl}/indexes"))
assert len(indexes) == 1, "index wasn't created"
@ -42,7 +43,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
with subtest("add documents"):
response = json.loads(
machine.succeed(
"curl -XPOST ${apiUrl}/indexes/${uid}/documents --data @${moviesJSON}"
"curl -XPOST --header 'Content-Type: application/json' ${apiUrl}/indexes/${uid}/documents --data @${moviesJSON}"
)
)
update_id = response["updateId"]

View file

@ -75,21 +75,30 @@ in {
# The test cannot access the network, so any packages
# nixos-rebuild needs must be included in the VM.
system.extraDependencies = with pkgs;
[ sudo
libxml2.bin
libxslt.bin
[
brotli
brotli.dev
brotli.lib
desktop-file-utils
docbook5
docbook_xsl_ns
unionfs-fuse
ntp
nixos-artwork.wallpapers.simple-dark-gray-bottom
perlPackages.XMLLibXML
perlPackages.ListCompare
shared-mime-info
texinfo
xorg.lndir
grub2
kmod.dev
libarchive
libarchive.dev
libxml2.bin
libxslt.bin
nixos-artwork.wallpapers.simple-dark-gray-bottom
ntp
perlPackages.ListCompare
perlPackages.XMLLibXML
python3Minimal
shared-mime-info
stdenv
sudo
texinfo
unionfs-fuse
xorg.lndir
# add curl so that rather than seeing the test attempt to download
# curl's tarball, we see what it's trying to download

View file

@ -11,7 +11,7 @@ import ../make-test-python.nix ({pkgs, ...}:
{ address = "192.168.2.10"; prefixLength = 24; }
];
};
firewall.allowedTCPPorts = [ 5432 6379 ];
firewall.allowedTCPPorts = [ 5432 31638 ];
};
services.postgresql = {
@ -34,7 +34,7 @@ import ../make-test-python.nix ({pkgs, ...}:
enable = true;
bind = "0.0.0.0";
requirePass = "turrQfaQwnanGbcsdhxy";
port = 6379;
port = 31638;
};
};
@ -76,6 +76,7 @@ import ../make-test-python.nix ({pkgs, ...}:
redis = {
host = "192.168.2.10";
port = 31638;
passwordFile = "/etc/peertube/password-redis-db";
};
@ -113,7 +114,7 @@ import ../make-test-python.nix ({pkgs, ...}:
database.wait_for_unit("redis-peertube.service")
database.wait_for_open_port(5432)
database.wait_for_open_port(6379)
database.wait_for_open_port(31638)
server.wait_for_unit("peertube.service")
server.wait_for_open_port(9000)

View file

@ -74,5 +74,8 @@ stdenv.mkDerivation rec {
license = with licenses; [ gpl3Only ];
maintainers = with maintainers; [ magnetophon ];
platforms = platforms.linux;
# error: 'vvtanh' was not declared in this scope; did you mean 'tanh'?
# error: no matching function for call to 'juce::dsp::SIMDRegister<double>::SIMDRegister(xsimd::simd_batch_traits<xsimd::batch<double, 2> >::batch_bool_type)'
broken = stdenv.isAarch64; # since 2021-12-27 on hydra (update to 2.10): https://hydra.nixos.org/build/162558991
};
}

View file

@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
cp -r . "$out/libexec/baudline/"
interpreter="$(echo ${stdenv.glibc.out}/lib/ld-linux*)"
interpreter="$(echo ${stdenv.cc.libc}/lib/ld-linux*)"
for prog in "$out"/libexec/baudline/baudline*; do
patchelf --interpreter "$interpreter" "$prog"
ln -sr "$prog" "$out/bin/"
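Review bot: `interpreter="$(echo ${stdenv.cc.libc}/lib/ld-linux*)"` still depends on the glob matching exactly one file. With no match the unexpanded pattern is handed to `patchelf --interpreter`, and with several matches a space-joined string is. Reading the loader path from `$NIX_CC/nix-support/dynamic-linker` avoids the glob entirely.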

View file

@ -63,5 +63,8 @@ stdenv.mkDerivation rec {
license = lib.licenses.gpl3;
maintainers = [ lib.maintainers.magnetophon ];
platforms = lib.platforms.all;
# ../../utils/CarlaPluginUI.cpp:31:10: fatal error: 'Cocoa/Cocoa.h' file not found
# # import <Cocoa/Cocoa.h>
broken = stdenv.isDarwin;
};
}
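Review bot: `broken = stdenv.isDarwin;` sits directly under `platforms = lib.platforms.all;`, and the quoted error is a missing `Cocoa/Cocoa.h`, which points to a missing framework input rather than an unsupported platform. Either pass the Cocoa framework in the build inputs on Darwin, or narrow `platforms` so the package is not advertised there.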

View file

@ -1,13 +0,0 @@
diff --git a/src/internet/spotify/spotifyservice.cpp b/src/internet/spotify/spotifyservice.cpp
index 88c7383..6e0893c 100644
--- a/src/internet/spotify/spotifyservice.cpp
+++ b/src/internet/spotify/spotifyservice.cpp
@@ -94,7 +94,7 @@ SpotifyService::SpotifyService(Application* app, InternetModel* parent)
system_blob_path_ = QCoreApplication::applicationDirPath() +
"/../PlugIns/clementine-spotifyblob";
#else
- system_blob_path_ = QCoreApplication::applicationDirPath() +
+ system_blob_path_ = qgetenv("CLEMENTINE_SPOTIFYBLOB") +
"/clementine-spotifyblob" CMAKE_EXECUTABLE_SUFFIX;
#endif

View file

@ -23,12 +23,10 @@
, libpulseaudio
, gvfs
, libcdio
, libechonest
, libspotify
, pcre
, projectm
, protobuf
, qca2
, qca-qt5
, pkg-config
, sparsehash
, config
@ -50,7 +48,8 @@ let
withMTP = config.clementine.mtp or true;
withCD = config.clementine.cd or true;
withCloud = config.clementine.cloud or true;
in mkDerivation {
pname = "clementine";
version = "unstable-2022-04-11";
src = fetchFromGitHub {
@ -60,10 +59,6 @@ let
sha256 = "06fcbs3wig3mh711iypyj49qm5246f7qhvgvv8brqfrd8cqyh6qf";
};
patches = [
./clementine-spotify-blob.patch
];
nativeBuildInputs = [
cmake
pkg-config
@ -87,13 +82,12 @@ let
gst_all_1.gst-plugins-bad
gst_all_1.gstreamer
gvfs
libechonest
liblastfm
libpulseaudio
pcre
projectm
protobuf
qca2
qca-qt5
qjson
qtbase
qtx11extras
@ -103,6 +97,8 @@ let
alsa-lib
]
# gst_plugins needed for setup-hooks
++ gst_plugins
++ lib.optionals (withIpod) [ libgpod libplist usbmuxd ]
++ lib.optionals (withMTP) [ libmtp ]
++ lib.optionals (withCD) [ libcdio ]
@ -117,14 +113,6 @@ let
-e 's,libprotobuf.a,protobuf,g'
'';
free = mkDerivation {
pname = "clementine-free";
inherit version;
inherit src patches nativeBuildInputs postPatch;
# gst_plugins needed for setup-hooks
buildInputs = buildInputs ++ gst_plugins;
preConfigure = ''
rm -rf ext/{,lib}clementine-spotifyblob
'';
@ -134,8 +122,6 @@ let
"-DSPOTIFY_BLOB=OFF"
];
passthru.unfree = unfree;
postInstall = ''
wrapProgram $out/bin/clementine \
--prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0"
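Review bot: dropping `passthru.unfree = unfree;` removes an attribute that existing configurations may reference, and nothing in this file's hunks leaves a replacement that fails with an explanatory message. A release notes entry for the removal of the Spotify blob variant would tell users why their configuration stopped evaluating.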
@ -148,43 +134,4 @@ let
platforms = platforms.linux;
maintainers = [ maintainers.ttuegel ];
};
};
# Unfree Spotify blob for Clementine
unfree = mkDerivation {
pname = "clementine-blob";
inherit version;
# Use the same patches and sources as Clementine
inherit src nativeBuildInputs patches postPatch;
buildInputs = buildInputs ++ [ libspotify ];
# Only build and install the Spotify blob
preBuild = ''
cd ext/clementine-spotifyblob
'';
postInstall = ''
mkdir -p $out/libexec/clementine
mv $out/bin/clementine-spotifyblob $out/libexec/clementine
rmdir $out/bin
makeWrapper ${free}/bin/clementine $out/bin/clementine \
--set CLEMENTINE_SPOTIFYBLOB $out/libexec/clementine
mkdir -p $out/share
for dir in applications icons kde4; do
ln -s "${free}/share/$dir" "$out/share/$dir"
done
'';
meta = with lib; {
homepage = "https://www.clementine-player.org";
description = "Spotify integration for Clementine";
# The blob itself is Apache-licensed, although libspotify is unfree.
license = licenses.asl20;
platforms = platforms.linux;
maintainers = [ maintainers.ttuegel ];
};
};
in
free
}

View file

@ -21,6 +21,7 @@ stdenv.mkDerivation rec {
];
meta = with lib; {
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "An LV2 sample based drum plugin";
homepage = "https://www.drumgizmo.org";
license = licenses.lgpl3Plus;
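Review bot: `broken = (stdenv.isLinux && stdenv.isAarch64);` is added with no comment giving the failing error or a Hydra build link, unlike the `broken = stdenv.isAarch64;` marker earlier in this commit, which records both. Add the error line and the build URL so the flag can be dropped once the cause is fixed; the same applies to the identical markers added to the other packages in this commit. The outer parentheses are not needed.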

View file

@ -33,6 +33,7 @@ stdenv.mkDerivation rec {
'';
meta = {
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "LV2 EQ plugins and more, with 64 bit processing";
longDescription = ''
Up to 10-Bands parametric equalizer with mono and stereo versions.

View file

@ -0,0 +1,66 @@
{ lib
, stdenv
, fetchzip
, autoPatchelfHook
, makeWrapper
, alsa-lib
, gtk-sharp-2_0
, glib
, gtk2
, mono
, openal
}:
stdenv.mkDerivation rec {
pname = "famistudio";
version = "3.3.0";
src = fetchzip {
url = "https://github.com/BleuBleu/FamiStudio/releases/download/${version}/FamiStudio${lib.strings.concatStrings (lib.splitVersion version)}-LinuxAMD64.zip";
stripRoot = false;
sha256 = "1r7y7z3s3b0zm7lvdgr9z70iall1swzlr3npx7g5azz6vza00vva";
};
nativeBuildInputs = [ autoPatchelfHook makeWrapper ];
buildInputs = [ alsa-lib gtk-sharp-2_0 glib gtk2 mono openal ];
dontConfigure = true;
dontBuild = true;
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib/famistudio}
mv * $out/lib/famistudio
makeWrapper ${mono}/bin/mono $out/bin/famistudio \
--add-flags $out/lib/famistudio/FamiStudio.exe \
--prefix MONO_GAC_PREFIX : ${gtk-sharp-2_0} \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ glib gtk2 gtk-sharp-2_0 ]}
# Fails to find openal32.dll on its own, needs abit of help
rm $out/lib/famistudio/libopenal32.so
cat <<EOF >$out/lib/famistudio/OpenTK.dll.config
<configuration>
<dllmap dll="openal32.dll" target="${openal}/lib/libopenal.so"/>
</configuration>
EOF
runHook postInstall
'';
meta = with lib; {
homepage = "https://famistudio.org/";
description = "NES Music Editor";
longDescription = ''
FamiStudio is very simple music editor for the Nintendo Entertainment System
or Famicom. It is targeted at both chiptune artists and NES homebrewers.
'';
license = licenses.mit;
# Maybe possible to build from source but I'm not too familiar with C# packaging
sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
maintainers = with maintainers; [ OPNA2608 ];
platforms = [ "x86_64-linux" ];
};
}
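Review bot: `sourceProvenance` lists only `binaryNativeCode`, but the wrapper runs `FamiStudio.exe` under `mono`, so the release zip also ships .NET bytecode; `with lib.sourceTypes; [ binaryBytecode binaryNativeCode ]` would describe it fully. Because `mv * $out/lib/famistudio` installs every file from the zip and only `libopenal32.so` is removed, a comment naming the bundled native libraries that remain would help later review. Nit: "abit" in the comment above the `rm` should be "a bit".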

View file

@ -5,12 +5,12 @@
stdenv.mkDerivation rec {
pname = "faustlive";
version = "2.5.8";
version = "2.5.10";
src = fetchFromGitHub {
owner = "grame-cncm";
repo = "faustlive";
rev = version;
sha256 = "sha256-dt5YlvaCZ6JiNGPwVXPrKzVGWxnhdyP4lnKgck7ZSF8=";
sha256 = "sha256-yLpIJr6A+NIX9RSGfQXT0O0USuRr0Ni9aUA+mbk31/o=";
fetchSubmodules = true;
};

View file

@ -30,6 +30,7 @@ stdenv.mkDerivation rec {
done
'';
meta = with lib; {
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "The physical modeling instruments included with faust, compiled as jack standalone and lv2 instruments";
homepage = "https://ccrma.stanford.edu/~rmichon/faustSTK/";
license = licenses.stk;

View file

@ -1,4 +1,5 @@
{ lib
{ stdenv
, lib
, mkDerivation
, fetchFromGitHub
, pipewire
@ -86,6 +87,7 @@ in
];
meta = with lib;{
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "An audio effect processor for PipeWire clients";
homepage = "https://github.com/Audio4Linux/JDSP4Linux";
license = licenses.gpl3Only;

View file

@ -1,4 +1,4 @@
{ lib, fetchFromGitHub, buildGoModule, alsa-lib }:
{ stdenv, lib, fetchFromGitHub, buildGoModule, alsa-lib }:
buildGoModule rec {
pname = "jellycli";
@ -21,6 +21,7 @@ buildGoModule rec {
buildInputs = [ alsa-lib ];
meta = with lib; {
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "Jellyfin terminal client";
longDescription = ''
Terminal music player, works with Jellyfin (>= 10.6) , Emby (>= 4.4), and

View file

@ -1,7 +1,6 @@
{ lib
, stdenv
, fetchurl
, automoc4
, chromaprint
, cmake
, docbook_xml_dtd_45
@ -44,7 +43,6 @@ stdenv.mkDerivation rec {
wrapQtAppsHook
];
buildInputs = [
automoc4
chromaprint
ffmpeg
flac

View file

@ -14,8 +14,8 @@
stdenv.mkDerivation rec {
pname = "meters.lv2";
version = "0.9.10";
robtkVersion = "0.6.2";
version = "0.9.20";
robtkVersion = "0.7.5";
nativeBuildInputs = [ pkg-config ];
buildInputs = [ lv2 libGLU libGL gtk2 cairo pango fftwFloat libjack2 ];
@ -24,14 +24,14 @@ stdenv.mkDerivation rec {
owner = "x42";
repo = "meters.lv2";
rev = "v${version}";
sha256 = "sha256-u2KIsaia0rAteQoEh6BLNCiRHFufHYF95z6J/EMgeSE=";
sha256 = "sha256-eGXTbE83bJEDqTBltL6ZX9qa/OotCFmUxpE/aLqGELU=";
};
robtkSrc = fetchFromGitHub {
owner = "x42";
repo = "robtk";
rev = "v${robtkVersion}";
sha256 = "sha256-zeRMobfKW0+wJwYVem74tglitkI6DSoK75Auywcu4Tw=";
sha256 = "sha256-L1meipOco8esZl+Pgqgi/oYVbhimgh9n8p9Iqj3dZr0=";
};
postUnpack = ''
@ -39,6 +39,10 @@ stdenv.mkDerivation rec {
ln -s ${robtkSrc} $sourceRoot/robtk
'';
postPatch = ''
substituteInPlace Makefile --replace "-msse -msse2 -mfpmath=sse" ""
''; # remove x86-specific flags
meter_VERSION = version;
enableParallelBuilding = true;
makeFlags = [ "PREFIX=${placeholder "out"}" ];
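Review bot: the new `postPatch` strips `-msse -msse2 -mfpmath=sse` on every platform, x86 included, although the trailing comment gives removing x86-specific flags as the reason. Guard the substitution so it only runs on non-x86 hosts (for example with `lib.optionalString (!stdenv.hostPlatform.isx86)`), or state that dropping the flags on x86 is intended. The comment would also read better above the `substituteInPlace` line than after the closing `''`.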

View file

@ -0,0 +1,87 @@
{ stdenv
, lib
, fetchFromGitHub
, unstableGitUpdater
, pkg-config
, glfw
, libvgm
, libX11
, libXau
, libXdmcp
, Carbon
, Cocoa
, cppunit
}:
stdenv.mkDerivation rec {
pname = "mmlgui";
version = "unstable-2022-05-24";
src = fetchFromGitHub {
owner = "superctr";
repo = "mmlgui";
rev = "fe2b298c1eddae4cc38096f6c1ba1ccaed562cf1";
fetchSubmodules = true;
sha256 = "Q34zzZthdThMbduXcc/qMome89mAMrn1Vinr073u4zo=";
};
postPatch = ''
# Actually wants pkgconf but that seems abit broken:
# https://github.com/NixOS/nixpkgs/pull/147503#issuecomment-1055943897
# Removing a pkgconf-specific option makes it work with pkg-config
substituteInPlace libvgm.mak \
--replace '--with-path=/usr/local/lib/pkgconfig' ""
substituteInPlace Makefile \
--replace 'all: $(MMLGUI_BIN) test' 'all: $(MMLGUI_BIN)'
'';
nativeBuildInputs = [
pkg-config
];
buildInputs = [
glfw
libvgm
] ++ lib.optionals stdenv.hostPlatform.isLinux [
libX11
libXau
libXdmcp
] ++ lib.optionals stdenv.hostPlatform.isDarwin [
Carbon
Cocoa
];
checkInputs = [
cppunit
];
makeFlags = [
"RELEASE=1"
];
enableParallelBuilding = true;
doCheck = true;
installPhase = ''
runHook preInstall
install -Dm755 {,$out/}bin/mmlgui
mkdir -p $out/share/ctrmml
mv ctrmml/sample $out/share/ctrmml/
runHook postInstall
'';
passthru.updateScript = unstableGitUpdater {
url = "https://github.com/superctr/mmlgui.git";
};
meta = with lib; {
homepage = "https://github.com/superctr/mmlgui";
description = "MML (Music Macro Language) editor and compiler GUI, powered by the ctrmml framework";
license = licenses.gpl2Only;
maintainers = with maintainers; [ OPNA2608 ];
platforms = platforms.all;
};
}
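Review bot: `sha256` in `src` is a bare base64 digest, while the other hashes updated in this commit carry the `sha256-` SRI prefix. Use the prefixed form so the hash format is unambiguous and matches what the updater in `passthru.updateScript` will be rewriting. Nit: "abit" in the `postPatch` comment should be "a bit".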

View file

@ -33,10 +33,6 @@ lib.makeScope newScope (self: with self; {
mopidy-soundcloud = callPackage ./soundcloud.nix { };
mopidy-spotify = callPackage ./spotify.nix { };
mopidy-spotify-tunigo = callPackage ./spotify-tunigo.nix { };
mopidy-tunein = callPackage ./tunein.nix { };
mopidy-youtube = callPackage ./youtube.nix { };

View file

@ -1,4 +1,5 @@
{ lib
{ stdenv
, lib
, mopidy
, python3Packages
}:
@ -22,6 +23,7 @@ python3Packages.buildPythonApplication rec {
];
meta = with lib; {
broken = stdenv.isDarwin;
homepage = "https://github.com/mopidy/mopidy-local";
description = "Mopidy extension for playing music from your local music archive";
license = licenses.asl20;

View file

@ -1,23 +0,0 @@
{ lib, fetchFromGitHub, pythonPackages, mopidy, mopidy-spotify }:
pythonPackages.buildPythonApplication rec {
pname = "mopidy-spotify-tunigo";
version = "1.0.0";
src = fetchFromGitHub {
owner = "trygveaa";
repo = "mopidy-spotify-tunigo";
rev = "v${version}";
sha256 = "1jwk0b2iz4z09qynnhcr07w15lx6i1ra09s9lp48vslqcf2fp36x";
};
propagatedBuildInputs = [ mopidy mopidy-spotify pythonPackages.tunigo ];
doCheck = false;
meta = with lib; {
description = "Mopidy extension for providing the browse feature of Spotify";
license = licenses.asl20;
maintainers = [ maintainers.spwhitt ];
};
}

View file

@ -1,25 +0,0 @@
{ lib, fetchFromGitHub, pythonPackages, mopidy }:
pythonPackages.buildPythonApplication rec {
pname = "mopidy-spotify";
version = "4.1.1";
src = fetchFromGitHub {
owner = "mopidy";
repo = "mopidy-spotify";
rev = "v${version}";
sha256 = "1qsac2yy26cdlsmxd523v8ayacs0s6jj9x79sngwap781i63zqrm";
};
propagatedBuildInputs = [ mopidy pythonPackages.pyspotify ];
doCheck = false;
meta = with lib; {
homepage = "https://www.mopidy.com/";
description = "Mopidy extension for playing music from Spotify";
license = licenses.asl20;
maintainers = with maintainers; [ rski ];
hydraPlatforms = [ ];
};
}

View file

@ -29,6 +29,7 @@ rustPlatform.buildRustPackage rec {
cargoSha256 = "1hgdzyz005244f2mh97js9ga0a6s2hcd6iydz07f1hmhsh1j2bwy";
meta = with lib; {
broken = (stdenv.isLinux && stdenv.isAarch64) || stdenv.isDarwin;
description = "An automatic music sorter (based on ID3 tags)";
homepage = "https://github.com/quebin31/muso";
license = with licenses; [ gpl3Plus ];

View file

@ -1,4 +1,5 @@
{ lib
{ stdenv
, lib
, rustPlatform
, fetchFromGitHub
, pkg-config
@ -29,6 +30,7 @@ rustPlatform.buildRustPackage rec {
doCheck = false;
meta = with lib; {
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "A modern Volume Mixer for PulseAudio";
homepage = "https://github.com/Aurailus/Myxer";
license = licenses.gpl3Only;

View file

@ -44,6 +44,7 @@ stdenv.mkDerivation rec {
];
meta = with lib; {
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "Application for practicing playing musical scores and ear training";
homepage = "https://nootka.sourceforge.io/";
license = licenses.gpl3Plus;

View file

@ -22,6 +22,7 @@ stdenv.mkDerivation {
'';
meta = with lib; {
broken = (stdenv.isLinux && stdenv.isAarch64);
description = "LADSPA plugins based on filters of nova";
homepage = "http://klingt.org/~tim/nova-filters/";
license = licenses.gpl2Plus;

Some files were not shown because too many files have changed in this diff