mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00

Merge branch 'master' into pr/bcachefs

This commit is contained in:
Jörg Thalheim 2024-01-07 11:40:30 +01:00 committed by GitHub
commit db59d03371
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7621 changed files with 201446 additions and 91861 deletions


@ -0,0 +1,28 @@
# NixOS {#sec-nixos-state}
## `/nix` {#sec-state-nix}
NixOS needs the entirety of `/nix` to be persistent, as it includes:
- `/nix/store`, which contains all the system's executables, libraries, and supporting data;
- `/nix/var/nix`, which contains:
- the Nix daemon's database;
- roots whose transitive closure is preserved when garbage-collecting the Nix store;
- system-wide and per-user profiles.
## `/boot` {#sec-state-boot}
`/boot` should also be persistent, as it contains:
- the kernel and initrd which the bootloader loads,
- the bootloader's configuration, including the kernel's command-line which
determines the store path to use as system environment.
## Users and groups {#sec-state-users}
- `/var/lib/nixos` should persist: it holds state needed to generate stable
uids and gids for declaratively-managed users and groups, etc.
- `users.mutableUsers` should be false, *or* the following files under `/etc`
should all persist:
- {manpage}`passwd(5)` and {manpage}`group(5)`,
- {manpage}`shadow(5)` and {manpage}`gshadow(5)`,
- {manpage}`subuid(5)` and {manpage}`subgid(5)`.
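Review bot: The Users and groups section tells readers to persist `shadow(5)` and `gshadow(5)` but does not say that the persisted copies must keep their ownership and mode (root-owned, not world-readable), which is easy to lose when the persistent location is a plain directory on another filesystem that is bind-mounted or symlinked into `/etc`; one sentence on that would save readers from quietly exposing password hashes. Also, "stable uids and gids for declaratively-managed users and groups, etc." leaves the "etc." undefined; either name the other state `/var/lib/nixos` holds or drop it.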


@ -8,6 +8,7 @@ rebooting.chapter.md
user-sessions.chapter.md
control-groups.chapter.md
logging.chapter.md
system-state.chapter.md
cleaning-store.chapter.md
containers.chapter.md
troubleshooting.chapter.md


@ -0,0 +1,17 @@
# Necessary system state {#ch-system-state}
Normally — on systems with a persistent `rootfs` — system services can persist state to
the filesystem without administrator intervention.
However, it is possible and not-uncommon to create [impermanent systems], whose
`rootfs` is either a `tmpfs` or reset during boot. While NixOS itself supports
this kind of configuration, special care needs to be taken.
[impermanent systems]: https://nixos.wiki/wiki/Impermanence
```{=include=} sections
nixos-state.section.md
systemd-state.section.md
zfs-state.section.md
```


@ -0,0 +1,52 @@
# systemd {#sec-systemd-state}
## `machine-id(5)` {#sec-machine-id}
`systemd` uses per-machine identifier — {manpage}`machine-id(5)` — which must be
unique and persistent; otherwise, the system journal may fail to list earlier
boots, etc.
`systemd` generates a random `machine-id(5)` during boot if it does not already exist,
and persists it in `/etc/machine-id`. As such, it suffices to make that file persistent.
Alternatively, it is possible to generate a random `machine-id(5)`; while the
specification allows for *any* hex-encoded 128b value, systemd itself uses
[UUIDv4], *i.e.* random UUIDs, and it is thus preferable to do so as well, in
case some software assumes `machine-id(5)` to be a UUIDv4. Those can be
generated with `uuidgen -r | tr -d -` (`tr` being used to remove the dashes).
Such a `machine-id(5)` can be set by writing it to `/etc/machine-id` or through
the kernel's command-line, though NixOS' systemd maintainers [discourage] the
latter approach.
[UUIDv4]: https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_(random)
[discourage]: https://github.com/NixOS/nixpkgs/pull/268995
## `/var/lib/systemd` {#sec-var-systemd}
Moreover, `systemd` expects its state directory — `/var/lib/systemd` — to persist, for:
- {manpage}`systemd-random-seed(8)`, which loads a 256b “seed” into the kernel's RNG
at boot time, and saves a fresh one during shutdown;
- {manpage}`systemd.timer(5)` with `Persistent=yes`, which are then run after boot if
the timer would have triggered during the time the system was shut down;
- {manpage}`systemd-coredump(8)` to store core dumps there by default;
(see {manpage}`coredump.conf(5)`)
- {manpage}`systemd-timesyncd(8)`;
- {manpage}`systemd-backlight(8)` and {manpage}`systemd-rfkill(8)` persist hardware-related
state;
- possibly other things, this list is not meant to be exhaustive.
In any case, making `/var/lib/systemd` persistent is recommended.
## `/var/log/journal/{machine-id}` {#sec-var-journal}
Lastly, {manpage}`systemd-journald(8)` writes the system's journal in binary
form to `/var/log/journal/{machine-id}`; if (locally) persisting the entire log
is desired, it is recommended to make all of `/var/log/journal` persistent.
If not, one can set `Storage=volatile` in {manpage}`journald.conf(5)`
([`services.journald.storage = "volatile";`](#opt-services.journald.storage)),
which disables journal persistence and causes it to be written to
`/run/log/journal`.
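Review bot: The `/var/lib/systemd` section recommends persisting the directory but, for `systemd-random-seed(8)`, does not warn that the saved seed must be unique per machine: if a persistent `/var/lib/systemd` is captured into a disk image or template, every clone boots with the same seed file, and the same applies to `/etc/machine-id`, which the `machine-id(5)` section also tells readers to persist. Consider adding that both files must be removed (or regenerated) before an image is cloned. Minor wording: "uses per-machine identifier" is missing an article ("uses a per-machine identifier"), and the coredump bullet has a stray ";" before "(see coredump.conf(5))".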


@ -0,0 +1,16 @@
# ZFS {#sec-zfs-state}
When using ZFS, `/etc/zfs/zpool.cache` should be persistent (or a symlink to a persistent
location) as it is the default value for the `cachefile` [property](man:zpoolprops(7)).
This cachefile is used on system startup to discover ZFS pools, so ZFS pools
holding the `rootfs` and/or early-boot datasets such as `/nix` can be set to
`cachefile=none`.
In principle, if there are no other pools attached to the system, `zpool.cache`
does not need to be persisted; it is however *strongly recommended* to persist
it, in case additional pools are added later on, temporarily or permanently:
While mishandling the cachefile does not lead to data loss by itself, it may
cause zpools not to be imported during boot, and services may then write to a
location where a dataset was expected to be mounted.
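Review bot: The `cachefile` link uses a `man:zpoolprops(7)` URL while the sibling sections added in this commit use the `{manpage}` role (e.g. `{manpage}`machine-id(5)``); consider `{manpage}`zpoolprops(7)`` so the reference renders the same way. Also, the sentence ending "temporarily or permanently:" continues with a capitalised "While", so either split it into a separate sentence or lowercase it.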


@ -13,6 +13,13 @@ merging is handled.
`types.bool`
: A boolean, its values can be `true` or `false`.
All definitions must have the same value, after priorities. An error is thrown in case of a conflict.
`types.boolByOr`
: A boolean, its values can be `true` or `false`.
The result is `true` if _any_ of multiple definitions is `true`.
In other words, definitions are merged with the logical _OR_ operator.
`types.path`
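Review bot: The `types.boolByOr` entry does not say how it interacts with definition priorities, whereas the `types.bool` entry directly above states its rule "after priorities". If `mkForce`/`mkDefault` are honoured before the OR is applied, say so; if priorities are ignored, that is worth stating explicitly since it differs from the other types.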


@ -55,6 +55,14 @@ which causes the new configuration (and previous ones created using
This can be useful to separate test configurations from "stable"
configurations.
A repl, or read-eval-print loop, is also available. You can inspect your configuration and use the Nix language with
```ShellSession
# nixos-rebuild repl
```
Your configuration is loaded into the `config` variable. Use tab for autocompletion, use the `:r` command to reload the configuration files. See `:?` or [`nix repl` in the Nix manual](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-repl.html) to learn more.
Finally, you can do
```ShellSession
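Review bot: The `nixos-rebuild repl` example uses the `#` (root) prompt, but evaluating the configuration does not need root; unless the subcommand genuinely requires it, a `$` prompt avoids telling readers to run an interactive evaluator as root. The lead-in sentence "You can inspect your configuration and use the Nix language with" would also read better if it named what follows, e.g. "with a repl started by".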


@ -3,6 +3,7 @@
This section lists the release notes for each stable version of NixOS and current unstable revision.
```{=include=} sections
rl-2405.section.md
rl-2311.section.md
rl-2305.section.md
rl-2211.section.md


@ -100,7 +100,7 @@ In addition to numerous new and upgraded packages, this release has the followin
- [opensnitch](https://github.com/evilsocket/opensnitch), an application firewall. Available as [services.opensnitch](#opt-services.opensnitch.enable).
- [snapraid](https://www.snapraid.it/), a backup program for disk arrays.
Available as [snapraid](#opt-snapraid.enable).
Available as [snapraid](#opt-services.snapraid.enable).
- [Hockeypuck](https://github.com/hockeypuck/hockeypuck), a OpenPGP Key Server. Available as [services.hockeypuck](#opt-services.hockeypuck.enable).


@ -20,7 +20,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
- [Breaking Changes](#sec-release-23.11-nixos-breaking-changes)
- [New Services](#sec-release-23.11-nixos-new-services)
- [Other Notable Changes](#sec-release-23.11-nixos-notable-changes)
- [Nixpkgs Library Changes](#sec-release-23.11-nixpkgs-lib)
- [Nixpkgs Library](#sec-release-23.11-nixpkgs-lib)
- [Breaking Changes](#sec-release-23.11-lib-breaking)
- [Additions and Improvements](#sec-release-23.11-lib-additions-improvements)
- [Deprecations](#sec-release-23.11-lib-deprecations)
@ -1313,18 +1313,26 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
- When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`,
the snapraid-sync systemd service will no longer fail to run.
- `wpa_supplicant`'s configuration file cannot be read by non-root users, and
secrets (such as Pre-Shared Keys) can safely be passed via
`networking.wireless.environmentFile`.
The configuration file could previously be read, when `userControlled.enable` (non-default),
by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`)
## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib}
### Breaking Changes {#sec-release-23.11-lib-breaking}
- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl-prime)
- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime)
now always evaluates the initial accumulator argument first. If you depend on
the lazier behavior, consider using
[`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl)
[`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl)
or
[`builtins.foldl'`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-foldl')
instead.
- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.foldlAttrs)
- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.foldlAttrs)
now always evaluates the initial accumulator argument first.
- Now that the internal NixOS transition to Markdown documentation is complete,
`lib.options.literalDocBook` has been removed after deprecation in 22.11.
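Review bot: The `wpa_supplicant` entry is missing its sentence end after "(defaults to `wheel`)" and reads as two fragments; suggest: "Previously, when `userControlled.enable` was set (non-default), the configuration file, and so any secrets in it, could be read by users in both `wheel` and `userControlled.group` (which defaults to `wheel`)." Since this entry describes a secret-exposure fix, linking the PR as the neighbouring entries do would help readers decide whether affected pre-shared keys should be rotated.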
@ -1332,7 +1340,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
### Additions and Improvements {#sec-release-23.11-lib-additions-improvements}
- [`lib.fileset`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-fileset):
- [`lib.fileset`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fileset):
A new sub-library to select local files to use for sources, designed to be
easy and safe to use.
@ -1341,7 +1349,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
post](https://www.tweag.io/blog/2023-11-28-file-sets/) or [the
tutorial](https://nix.dev/tutorials/file-sets).
- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-gvariant):
- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-gvariant):
A partial and basic implementation of GVariant formatted strings. See
[GVariant Format
Strings](https://docs.gtk.org/glib/gvariant-format-strings.html) for details.
@ -1351,58 +1359,58 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
change in backwards incompatible ways without prior notice.
:::
- [`lib.asserts`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-asserts):
- [`lib.asserts`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-asserts):
New function:
[`assertEachOneOf`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.asserts.assertEachOneOf).
- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-attrsets):
[`assertEachOneOf`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.asserts.assertEachOneOf).
- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-attrsets):
New function:
[`attrsToList`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.attrsToList).
- [`lib.customisation`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-customisation):
[`attrsToList`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.attrsToList).
- [`lib.customisation`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-customisation):
New function:
[`makeScopeWithSplicing'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.customisation.makeScopeWithSplicing-prime).
- [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-fixedPoints):
[`makeScopeWithSplicing'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.customisation.makeScopeWithSplicing-prime).
- [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fixedPoints):
Documentation improvements for
[`lib.fixedPoints.fix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.fixedPoints.fix).
[`lib.fixedPoints.fix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.fixedPoints.fix).
- `lib.generators`: New functions:
[`mkDconfKeyValue`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.generators.mkDconfKeyValue),
[`toDconfINI`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.generators.toDconfINI).
[`mkDconfKeyValue`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.mkDconfKeyValue),
[`toDconfINI`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.toDconfINI).
`lib.generators.toKeyValue` now supports the `indent` attribute in its first
argument.
- [`lib.lists`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-lists):
- [`lib.lists`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-lists):
New functions:
[`findFirstIndex`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.findFirstIndex),
[`hasPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.hasPrefix),
[`removePrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.removePrefix),
[`commonPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.commonPrefix),
[`allUnique`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.allUnique).
[`findFirstIndex`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.findFirstIndex),
[`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.hasPrefix),
[`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.removePrefix),
[`commonPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.commonPrefix),
[`allUnique`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.allUnique).
Documentation improvements for
[`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.lists.foldl-prime).
- [`lib.meta`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-meta):
[`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime).
- [`lib.meta`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-meta):
Documentation of functions now gets rendered
- [`lib.path`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-path):
- [`lib.path`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-path):
New functions:
[`hasPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.hasPrefix),
[`removePrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.removePrefix),
[`splitRoot`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.splitRoot),
[`subpath.components`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.path.subpath.components).
- [`lib.strings`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-strings):
[`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.hasPrefix),
[`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.removePrefix),
[`splitRoot`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.splitRoot),
[`subpath.components`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.subpath.components).
- [`lib.strings`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-strings):
New functions:
[`replicate`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.replicate),
[`cmakeOptionType`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeOptionType),
[`cmakeBool`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeBool),
[`cmakeFeature`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.strings.cmakeFeature).
- [`lib.trivial`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-trivial):
[`replicate`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.replicate),
[`cmakeOptionType`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeOptionType),
[`cmakeBool`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeBool),
[`cmakeFeature`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeFeature).
- [`lib.trivial`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-trivial):
New function:
[`mirrorFunctionArgs`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.trivial.mirrorFunctionArgs).
[`mirrorFunctionArgs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.trivial.mirrorFunctionArgs).
- `lib.systems`: New function:
[`equals`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.systems.equals).
- [`lib.options`](https://nixos.org/manual/nixpkgs/unstable#sec-functions-library-options):
[`equals`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.systems.equals).
- [`lib.options`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-options):
Improved documentation for
[`mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption).
[`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption).
[`mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption).
[`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption).
now also supports the `pkgsText` attribute.
Module system:


@ -12,6 +12,12 @@ In addition to numerous new and upgraded packages, this release has the followin
- `linuxPackages_testing_bcachefs` is now fully deprecated by `linuxPackages_testing`, and is therefore no longer available.
- NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.
- This can be disabled through the `environment.stub-ld.enable` option.
- If you use `programs.nix-ld.enable`, no changes are needed. The stub will be disabled automatically.
- Julia environments can now be built with arbitrary packages from the ecosystem using the `.withPackages` function. For example: `julia.withPackages ["Plots"]`.
## New Services {#sec-release-24.05-new-services}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@ -20,18 +26,75 @@ In addition to numerous new and upgraded packages, this release has the followin
- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
- [GNS3](https://www.gns3.com/), a network software emulator. Available as [services.gns3-server](#opt-services.gns3-server.enable).
- [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.
- [ollama](https://ollama.ai), server for running large language models locally.
- [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).
The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.
- [ping_exporter](https://github.com/czerwonk/ping_exporter), a Prometheus exporter for ICMP echo requests. Available as [services.prometheus.exporters.ping](#opt-services.prometheus.exporters.ping.enable).
- [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
- [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).
## Backward Incompatibilities {#sec-release-24.05-incompatibilities}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.
- `k9s` was updated to v0.30. There have been various breaking changes in the config file format,
check out the changelog of [v0.29](https://github.com/derailed/k9s/releases/tag/v0.29.0) and
[v0.30](https://github.com/derailed/k9s/releases/tag/v0.30.0) for details. It is recommended
to back up your current configuration and let k9s recreate the new base configuration.
- `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details.
- `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details.
- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
- `paperless`' `services.paperless.extraConfig` setting has been removed and converted to the freeform type and option named `services.paperless.settings`.
- `mkosi` was updated to v19. Parts of the user interface have changed. Consult the
[release notes](https://github.com/systemd/mkosi/releases/tag/v19) for a list of changes.
- The `kanata` package has been updated to v1.5.0, which includes [breaking changes](https://github.com/jtroo/kanata/releases/tag/v1.5.0).
- The latest available version of Nextcloud is v28 (available as `pkgs.nextcloud28`). The installation logic is as follows:
- If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
- If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud28` will be installed by default.
- If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default.
- Please note that an upgrade from v26 (or older) to v28 directly is not possible. Please upgrade to `nextcloud27` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud27;`](options.html#opt-services.nextcloud.package).
- `services.resolved.fallbackDns` can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.
- `services.avahi.nssmdns` got split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switch for IPv4 and IPv6 respectively.
Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.
- `networking.iproute2.enable` now does not set `environment.etc."iproute2/rt_tables".text`.
Setting `environment.etc."iproute2/{CONFIG_FILE_NAME}".text` will override the whole configuration file instead of appending it to the upstream configuration file.
`CONFIG_FILE_NAME` includes `bpf_pinning`, `ematch_map`, `group`, `nl_protos`, `rt_dsfield`, `rt_protos`, `rt_realms`, `rt_scopes`, and `rt_tables`.
- The executable file names for `firefox-devedition`, `firefox-beta`, `firefox-esr` now matches their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.
- The `systemd.oomd` module behavior is changed as:
- Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like [this](https://pagure.io/fedora-workstation/issue/358).
Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/806c95e1c70af18f81d499b24cd7acfa4c36ffd6?branch=806c95e1c70af18f81d499b24cd7acfa4c36ffd6)
- Remove swap policy. This helps prevent killing processes when user's swap is small.
- Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb)
- `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`.
## Other Notable Changes {#sec-release-24.05-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
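Review bot: The `ollama` entry in New Services is the only one without an "Available as [services.…](#opt-…)" link; add the option reference so readers can find it like the neighbouring entries. In the Invidious entry the PR URL is glued to the sentence ("automatically.(https://…)"); put it in a link like the other items. Nit: "anki-sync-server softwares" should be "software".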
@ -40,20 +103,61 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- Cinnamon has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release.
- `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.
For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;
- Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles.
The `nimPackages` and `nim2Packages` sets have been removed.
See https://nixos.org/manual/nixpkgs/unstable#nim for more information.
- [Portunus](https://github.com/majewsky/portunus) has been updated to major version 2.
This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts.
After upgrading, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all user accounts to strong password hashes.
Support for weak password hashes will be removed in NixOS 24.11.
- `libass` now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with `mpv`, `ffmpeg`, etc.
- [Lilypond](https://lilypond.org/index.html) and [Denemo](https://www.denemo.org) are now compiled with Guile 3.0.
- The following options of the Nextcloud module were moved into [`services.nextcloud.extraOptions`](#opt-services.nextcloud.extraOptions) and renamed to match the name from Nextcloud's `config.php`:
- `logLevel` -> [`loglevel`](#opt-services.nextcloud.extraOptions.loglevel),
- `logType` -> [`log_type`](#opt-services.nextcloud.extraOptions.log_type),
- `defaultPhoneRegion` -> [`default_phone_region`](#opt-services.nextcloud.extraOptions.default_phone_region),
- `overwriteProtocol` -> [`overwriteprotocol`](#opt-services.nextcloud.extraOptions.overwriteprotocol),
- `skeletonDirectory` -> [`skeletondirectory`](#opt-services.nextcloud.extraOptions.skeletondirectory),
- `globalProfiles` -> [`profile.enabled`](#opt-services.nextcloud.extraOptions._profile.enabled_),
- `extraTrustedDomains` -> [`trusted_domains`](#opt-services.nextcloud.extraOptions.trusted_domains) and
- `trustedProxies` -> [`trusted_proxies`](#opt-services.nextcloud.extraOptions.trusted_proxies).
- The option [`services.nextcloud.config.dbport`] of the Nextcloud module was removed to match upstream.
The port can be specified in [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost).
- The Yama LSM is now enabled by default in the kernel, which prevents ptracing
non-child processes. This means you will not be able to attach gdb to an
existing process, but will need to start that process from gdb (so it is a
child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
- [Nginx virtual hosts](#opt-services.nginx.virtualHosts) using `forceSSL` or
`globalRedirect` can now have redirect codes other than 301 through
`redirectCode`.
- The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.
- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
(such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.
- Gitea 1.21 upgrade has several breaking changes, including:
- Custom themes and other assets that were previously stored in `custom/public/*` now belong in `custom/public/assets/*`
- New instances of Gitea using MySQL now ignore the `[database].CHARSET` config option and always use the `utf8mb4` charset, existing instances should migrate via the `gitea doctor convert` CLI command.
- The `hardware.pulseaudio` module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes [issue 114399](https://github.com/NixOS/nixpkgs/issues/114399).
- The `btrbk` module now automatically selects and provides required compression
program depending on the configured `stream_compress` option. Since this
replaces the need for the `extraPackages` option, this option will be
deprecated in future releases.
- QtMultimedia has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on MacOS).
The previous native backends remain available but are now minimally maintained. Refer to [upstream documentation](https://doc.qt.io/qt-6/qtmultimedia-index.html#ffmpeg-as-the-default-backend) for further details about each platform.


@ -522,11 +522,16 @@ let format' = format; in let
chmod 0644 $efiVars
'';
createHydraBuildProducts = ''
mkdir -p $out/nix-support
echo "file ${format}-image $out/$(unknown)" >> $out/nix-support/hydra-build-products
'';
buildImage = pkgs.vmTools.runInLinuxVM (
pkgs.runCommand name {
preVM = prepareImage + lib.optionalString touchEFIVars createEFIVars;
buildInputs = with pkgs; [ util-linux e2fsprogs dosfstools ];
postVM = moveOrConvertImage + postVM;
postVM = moveOrConvertImage + createHydraBuildProducts + postVM;
QEMU_OPTS =
concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}"
++ lib.optionals touchEFIVars [
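Review bot: In `createHydraBuildProducts`, `$out/$(unknown)` is a shell command substitution: at build time the shell will try to execute a command named `unknown`, fail, and the `hydra-build-products` line will point at `$out/` with no file name. This looks like a placeholder that should reference the actual image file name that `moveOrConvertImage` produces.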
@ -616,5 +621,5 @@ let format' = format; in let
in
if onlyNixStore then
pkgs.runCommand name {}
(prepareImage + moveOrConvertImage + postVM)
(prepareImage + moveOrConvertImage + createHydraBuildProducts + postVM)
else buildImage


@ -447,8 +447,7 @@ class Machine:
"""
def check_active(_: Any) -> bool:
info = self.get_unit_info(unit, user)
state = info["ActiveState"]
state = self.get_unit_property(unit, "ActiveState", user)
if state == "failed":
raise Exception(f'unit "{unit}" reached state "{state}"')
@ -491,6 +490,35 @@ class Machine:
if line_pattern.match(line)
)
def get_unit_property(
self,
unit: str,
property: str,
user: Optional[str] = None,
) -> str:
status, lines = self.systemctl(
f'--no-pager show "{unit}" --property="{property}"',
user,
)
if status != 0:
raise Exception(
f'retrieving systemctl property "{property}" for unit "{unit}"'
+ ("" if user is None else f' under user "{user}"')
+ f" failed with exit code {status}"
)
invalid_output_message = (
f'systemctl show --property "{property}" "{unit}"'
f"produced invalid output: {lines}"
)
line_pattern = re.compile(r"^([^=]+)=(.*)$")
match = line_pattern.match(lines)
assert match is not None, invalid_output_message
assert match[1] == property, invalid_output_message
return match[2]
def systemctl(self, q: str, user: Optional[str] = None) -> Tuple[int, str]:
"""
Runs `systemctl` commands with optional support for
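Review bot: `unit` and `property` are interpolated straight into a shell command string (`f'--no-pager show "{unit}" --property="{property}"'`), so a unit name containing `"`, `$` or a backtick breaks the command; wrap both in `shlex.quote()` before building the string. Also `invalid_output_message` is built from two adjacent f-strings with no separating space, so it renders as `..."{unit}"produced invalid output`; add a trailing space to the first literal. Minor: `property` shadows the builtin, `prop` would do.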

View file

@ -27,31 +27,37 @@ var ${bucket:=nixos-amis}
var ${service_role_name:=vmimport}
# Output of the command:
# > aws ec2 describe-regions --all-regions --query "Regions[].{Name:RegionName}" --output text | sort
# $ nix-shell -I nixpkgs=. -p awscli --run 'aws ec2 describe-regions --region us-east-1 --all-regions --query "Regions[].{Name:RegionName}" --output text | sort | sed -e s/^/\ \ /'
var ${regions:=
af-south-1
ap-east-1
ap-northeast-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-southeast-1
ap-southeast-2
ap-southeast-3
ca-central-1
eu-central-1
eu-north-1
eu-south-1
eu-west-1
eu-west-2
eu-west-3
me-south-1
sa-east-1
us-east-1
us-east-2
us-west-1
us-west-2
}
af-south-1
ap-east-1
ap-northeast-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-south-2
ap-southeast-1
ap-southeast-2
ap-southeast-3
ap-southeast-4
ca-central-1
eu-central-1
eu-central-2
eu-north-1
eu-south-1
eu-south-2
eu-west-1
eu-west-2
eu-west-3
il-central-1
me-central-1
me-south-1
sa-east-1
us-east-1
us-east-2
us-west-1
us-west-2
}
regions=($regions)
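Review bot: `aws ec2 describe-regions --all-regions` lists regions whether or not the account has opted into them, so the script will now attempt copies to the newly added regions (`ap-south-2`, `ap-southeast-4`, `eu-central-2`, `eu-south-2`, `il-central-1`, `me-central-1`) on every run. Either add a comment above `regions` stating that the copy fails for regions the publishing account has not enabled, or generate the list with `--filters Name=opt-in-status,Values=opted-in,opt-in-not-required` so it only contains regions the account can use.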

View file

@ -18,10 +18,9 @@ in
};
config = mkIf cfg.enable {
environment.etc."iproute2/rt_tables" = {
environment.etc."iproute2/rt_tables.d/nixos.conf" = {
mode = "0644";
text = (fileContents "${pkgs.iproute2}/lib/iproute2/rt_tables")
+ (optionalString (cfg.rttablesExtraConfig != "") "\n\n${cfg.rttablesExtraConfig}");
text = cfg.rttablesExtraConfig;
};
};
}

View file

@ -226,18 +226,6 @@ in
"ldap.conf" = ldapConfig;
};
system.activationScripts = mkIf (!cfg.daemon.enable) {
ldap = stringAfter [ "etc" "groups" "users" ] ''
if test -f "${cfg.bind.passwordFile}" ; then
umask 0077
conf="$(mktemp)"
printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
cat ${ldapConfig.source} - >"$conf"
mv -fT "$conf" /etc/ldap.conf
fi
'';
};
system.nssModules = mkIf cfg.nsswitch (singleton (
if cfg.daemon.enable then nss_pam_ldapd else nss_ldap
));
@ -258,42 +246,63 @@ in
};
};
systemd.services = mkIf cfg.daemon.enable {
nslcd = {
wantedBy = [ "multi-user.target" ];
preStart = ''
umask 0077
conf="$(mktemp)"
{
cat ${nslcdConfig}
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
} >"$conf"
mv -fT "$conf" /run/nslcd/nslcd.conf
'';
restartTriggers = [
nslcdConfig
cfg.bind.passwordFile
cfg.daemon.rootpwmodpwFile
];
serviceConfig = {
ExecStart = "${nslcdWrapped}/bin/nslcd";
Type = "forking";
Restart = "always";
User = "nslcd";
Group = "nslcd";
RuntimeDirectory = [ "nslcd" ];
PIDFile = "/run/nslcd/nslcd.pid";
AmbientCapabilities = "CAP_SYS_RESOURCE";
systemd.services = mkMerge [
(mkIf (!cfg.daemon.enable) {
ldap-password = {
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = ''
if test -f "${cfg.bind.passwordFile}" ; then
umask 0077
conf="$(mktemp)"
printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
cat ${ldapConfig.source} - >"$conf"
mv -fT "$conf" /etc/ldap.conf
fi
'';
};
};
})
};
(mkIf cfg.daemon.enable {
nslcd = {
wantedBy = [ "multi-user.target" ];
preStart = ''
umask 0077
conf="$(mktemp)"
{
cat ${nslcdConfig}
test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
} >"$conf"
mv -fT "$conf" /run/nslcd/nslcd.conf
'';
restartTriggers = [
nslcdConfig
cfg.bind.passwordFile
cfg.daemon.rootpwmodpwFile
];
serviceConfig = {
ExecStart = "${nslcdWrapped}/bin/nslcd";
Type = "forking";
Restart = "always";
User = "nslcd";
Group = "nslcd";
RuntimeDirectory = [ "nslcd" ];
PIDFile = "/run/nslcd/nslcd.pid";
AmbientCapabilities = "CAP_SYS_RESOURCE";
};
};
})
];
};
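Review bot: the new `ldap-password` unit has no `restartTriggers`, unlike `nslcd` below, which lists `nslcdConfig` and `cfg.bind.passwordFile`; because it is `RemainAfterExit = true`, a rotated bind password is not re-read into `/etc/ldap.conf` on `nixos-rebuild switch` until the unit is restarted by hand (the store path of `ldapConfig.source` is baked into `script`, so config changes do restart it, but the password file's content is not tracked). Add `restartTriggers = [ ldapConfig.source cfg.bind.passwordFile ];` for parity and state in the option docs that the password is read once at service start. Also, with `DefaultDependencies = false` and `before = [ "sysinit.target" ]` there is no ordering against `local-fs.target`, so if `cfg.bind.passwordFile` lives on a separately mounted filesystem the `test -f` silently fails and `/etc/ldap.conf` is left without the bind password; add `after = [ "local-fs.target" ]` or whichever mount unit holds the file.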

View file

@ -0,0 +1,58 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) last splitString mkOption types mdDoc optionals;
libDir = pkgs.stdenv.hostPlatform.libDir;
ldsoBasename = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs.stdenv.cc.bintools.dynamicLinker));
pkgs32 = pkgs.pkgsi686Linux;
libDir32 = pkgs32.stdenv.hostPlatform.libDir;
ldsoBasename32 = builtins.unsafeDiscardStringContext (last (splitString "/" pkgs32.stdenv.cc.bintools.dynamicLinker));
in {
options = {
environment.ldso = mkOption {
type = types.nullOr types.path;
default = null;
description = mdDoc ''
The executable to link into the normal FHS location of the ELF loader.
'';
};
environment.ldso32 = mkOption {
type = types.nullOr types.path;
default = null;
description = mdDoc ''
The executable to link into the normal FHS location of the 32-bit ELF loader.
This currently only works on x86_64 architectures.
'';
};
};
config = {
assertions = [
{ assertion = isNull config.environment.ldso32 || pkgs.stdenv.isx86_64;
message = "Option environment.ldso32 currently only works on x86_64.";
}
];
systemd.tmpfiles.rules = (
if isNull config.environment.ldso then [
"r /${libDir}/${ldsoBasename} - - - - -"
] else [
"d /${libDir} 0755 root root - -"
"L+ /${libDir}/${ldsoBasename} - - - - ${config.environment.ldso}"
]
) ++ optionals pkgs.stdenv.isx86_64 (
if isNull config.environment.ldso32 then [
"r /${libDir32}/${ldsoBasename32} - - - - -"
] else [
"d /${libDir32} 0755 root root - -"
"L+ /${libDir32}/${ldsoBasename32} - - - - ${config.environment.ldso32}"
]
);
};
meta.maintainers = with lib.maintainers; [ tejing ];
}
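Review bot: `isNull` (in the assertion and both `if` branches) is deprecated in Nix in favour of `== null`; write `config.environment.ldso == null`. The `d /${libDir} 0755 root root - -` rule creates `/lib64` (or `/lib`) on every boot, while the `r` branch only removes the loader link, so switching the option back to `null` leaves the empty directory behind; harmless, but worth a comment. The option descriptions should also say plainly that pointing `ldso`/`ldso32` at a real dynamic linker makes arbitrary foreign dynamically linked executables runnable on the system, since `stub-ld.nix` in this same commit sets these options by default.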

View file

@ -12,7 +12,6 @@ let
mkDefault
mkIf
mkOption
stringAfter
types
;

View file

@ -109,13 +109,17 @@ let
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
echo "Ignoring validation for cross-compilation"
''
else ''
else
let
showCommand = if isNixAtLeast "2.20pre" then "config show" else "show-config";
in
''
echo "Validating generated nix.conf"
ln -s $out ./nix.conf
set -e
set +o pipefail
NIX_CONF_DIR=$PWD \
${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \
${cfg.package}/bin/nix ${showCommand} ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \
${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \
|& sed -e 's/^warning:/error:/' \
| (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}')

View file

@ -34,6 +34,7 @@ with lib;
ffmpeg_5 = super.ffmpeg_5.override { ffmpegVariant = "headless"; };
# dep of graphviz, libXpm is optional for Xpm support
gd = super.gd.override { withXorg = false; };
ghostscript = super.ghostscript.override { cupsSupport = false; x11Support = false; };
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
gpsd = super.gpsd.override { guiSupport = false; };
graphviz = super.graphviz-nox;
@ -44,6 +45,7 @@ with lib;
};
imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; };
imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; };
intel-vaapi-driver = super.intel-vaapi-driver.override { enableGui = false; };
libdevil = super.libdevil-nox;
libextractor = super.libextractor.override { gtkSupport = false; };
libva = super.libva-minimal;
@ -51,6 +53,7 @@ with lib;
mc = super.mc.override { x11Support = false; };
mpv-unwrapped = super.mpv-unwrapped.override { sdl2Support = false; x11Support = false; waylandSupport = false; };
msmtp = super.msmtp.override { withKeyring = false; };
mupdf = super.mupdf.override { enableGL = false; enableX11 = false; };
neofetch = super.neofetch.override { x11Support = false; };
networkmanager-fortisslvpn = super.networkmanager-fortisslvpn.override { withGnome = false; };
networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
@ -71,7 +74,7 @@ with lib;
qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; };
qrencode = super.qrencode.overrideAttrs (_: { doCheck = false; });
qt5 = super.qt5.overrideScope (const (super': {
qtbase = super'.qtbase.override { withGtk3 = false; };
qtbase = super'.qtbase.override { withGtk3 = false; withQttranslation = false; };
}));
stoken = super.stoken.override { withGTK3 = false; };
# translateManpages -> perlPackages.po4a -> texlive-combined-basic -> texlive-core-big -> libX11

View file

@ -8,8 +8,6 @@ let
cfg = config.hardware.pulseaudio;
alsaCfg = config.sound;
systemWide = cfg.enable && cfg.systemWide;
nonSystemWide = cfg.enable && !cfg.systemWide;
hasZeroconf = let z = cfg.zeroconf; in z.publish.enable || z.discovery.enable;
overriddenPackage = cfg.package.override
@ -217,16 +215,10 @@ in {
};
config = mkMerge [
config = lib.mkIf cfg.enable (mkMerge [
{
environment.etc = {
"pulse/client.conf".source = clientConf;
};
environment.etc."pulse/client.conf".source = clientConf;
hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa";
}
(mkIf cfg.enable {
environment.systemPackages = [ overriddenPackage ];
sound.enable = true;
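Review bot: wrapping the whole `config` in `lib.mkIf cfg.enable` changes behaviour for the first attrset: `environment.etc."pulse/client.conf"` and the `hardware.pulseaudio.configFile` default were previously set unconditionally, so systems with `hardware.pulseaudio.enable = false` (for example ones running another sound server) will no longer get `/etc/pulse/client.conf`. If that is intended, it belongs in the release notes; otherwise keep the `client.conf` entry outside the `mkIf`.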
@ -242,6 +234,8 @@ in {
"libao.conf".source = writeText "libao.conf" "default_driver=pulse";
};
hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa";
# Disable flat volumes to enable relative ones
hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no";
@ -255,7 +249,7 @@ in {
# PulseAudio is packaged with udev rules to handle various audio device quirks
services.udev.packages = [ overriddenPackage ];
})
}
(mkIf (cfg.extraModules != []) {
hardware.pulseaudio.daemon.config.dl-search-path = let
@ -277,7 +271,7 @@ in {
services.avahi.publish.userServices = true;
})
(mkIf nonSystemWide {
(mkIf (!cfg.systemWide) {
environment.etc = {
"pulse/default.pa".source = myConfigFile;
};
@ -297,7 +291,7 @@ in {
};
})
(mkIf systemWide {
(mkIf cfg.systemWide {
users.users.pulse = {
# For some reason, PulseAudio wants UID == GID.
uid = assert uid == gid; uid;
@ -328,6 +322,6 @@ in {
environment.variables.PULSE_COOKIE = "${stateDir}/.config/pulse/cookie";
})
];
]);
}

View file

@ -0,0 +1,56 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) optionalString mkOption types mdDoc mkIf mkDefault;
cfg = config.environment.stub-ld;
message = ''
NixOS cannot run dynamically linked executables intended for generic
linux environments out of the box. For more information, see:
https://nix.dev/permalink/stub-ld
'';
stub-ld-for = pkgsArg: messageArg: pkgsArg.pkgsStatic.runCommandCC "stub-ld" {
nativeBuildInputs = [ pkgsArg.unixtools.xxd ];
inherit messageArg;
} ''
printf "%s" "$messageArg" | xxd -i -n message >main.c
cat <<EOF >>main.c
#include <stdio.h>
int main(int argc, char * argv[]) {
fprintf(stderr, "Could not start dynamically linked executable: %s\n", argv[0]);
fwrite(message, sizeof(unsigned char), message_len, stderr);
return 127; // matches behavior of bash and zsh without a loader. fish uses 139
}
EOF
$CC -Os main.c -o $out
'';
pkgs32 = pkgs.pkgsi686Linux;
stub-ld = stub-ld-for pkgs message;
stub-ld32 = stub-ld-for pkgs32 message;
in {
options = {
environment.stub-ld = {
enable = mkOption {
type = types.bool;
default = true;
example = false;
description = mdDoc ''
Install a stub ELF loader to print an informative error message
in the event that a user attempts to run an ELF binary not
compiled for NixOS.
'';
};
};
};
config = mkIf cfg.enable {
environment.ldso = mkDefault stub-ld;
environment.ldso32 = mkIf pkgs.stdenv.isx86_64 (mkDefault stub-ld32);
};
meta.maintainers = with lib.maintainers; [ tejing ];
}
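Review bot: in the generated `main.c`, `argv[0]` is passed to `%s` unconditionally; a program can be executed with an empty `argv` (then `argv[0]` is NULL, and `argc` is 0), and `fprintf` with a NULL `%s` argument is undefined behaviour, so use `argc > 0 ? argv[0] : "(unknown)"`. `xxd -i -n message` relies on an xxd that supports `-n`; `pkgsArg.unixtools.xxd` provides one, but a short comment saying so would save the next reader a check. The `// matches behavior of bash and zsh` comment is useful; keep it.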

View file

@ -258,7 +258,8 @@ in
# avoid this race condition.
after = [ "systemd-modules-load.service" ];
wantedBy = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" ];
before = [ "${realDevice'}.swap" "shutdown.target"];
conflicts = [ "shutdown.target" ];
path = [ pkgs.util-linux pkgs.e2fsprogs ]
++ optional sw.randomEncryption.enable pkgs.cryptsetup;
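Review bot: `"shutdown.target"]` is missing the space before the closing bracket; write `before = [ "${realDevice'}.swap" "shutdown.target" ];` to match the list style used on the surrounding lines.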

View file

@ -21,18 +21,28 @@ in
options = {
boot.kernel.sysctl = mkOption {
type = types.submodule {
type = let
highestValueType = types.ints.unsigned // {
merge = loc: defs:
foldl
(a: b: if b.value == null then null else lib.max a b.value)
0
(filterOverrides defs);
};
in types.submodule {
freeformType = types.attrsOf sysctlOption;
options."net.core.rmem_max" = mkOption {
type = types.nullOr types.ints.unsigned // {
merge = loc: defs:
foldl
(a: b: if b.value == null then null else lib.max a b.value)
0
(filterOverrides defs);
options = {
"net.core.rmem_max" = mkOption {
type = types.nullOr highestValueType;
default = null;
description = lib.mdDoc "The maximum receive socket buffer size in bytes. In case of conflicting values, the highest will be used.";
};
"net.core.wmem_max" = mkOption {
type = types.nullOr highestValueType;
default = null;
description = lib.mdDoc "The maximum send socket buffer size in bytes. In case of conflicting values, the highest will be used.";
};
default = null;
description = lib.mdDoc "The maximum socket receive buffer size. In case of conflicting values, the highest will be used.";
};
};
default = {};
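Review bot: in `highestValueType.merge`, the `b.value == null` branch is unreachable: the option type is `types.nullOr highestValueType`, and `nullOr` only delegates to the inner type's `merge` when no definition is `null` (it returns `null` itself when all are, and throws when they are mixed), so the fold can be simply `foldl (a: b: lib.max a b.value) 0 (filterOverrides defs)`. Also `foldl` and `filterOverrides` are used unqualified while `lib.max` is qualified; pick one style.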

View file

@ -475,7 +475,7 @@ let
sdInitrdUidsAreUnique = idsAreUnique (filterAttrs (n: u: u.uid != null) config.boot.initrd.systemd.users) "uid";
sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid";
groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups;
usersWithoutExistingGroup = lib.filterAttrs (n: u: !lib.elem u.group groupNames) cfg.users;
usersWithoutExistingGroup = lib.filterAttrs (n: u: u.group != "" && !lib.elem u.group groupNames) cfg.users;
spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
inherit (cfg) mutableUsers;
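Review bot: `usersWithoutExistingGroup` now exempts users whose `group` is the empty string. If `""` is meant as "no primary group", say so in the `users.users.<name>.group` description and make sure the consumer of `users-groups.json` handles it; if not, an empty `group` is exactly the misconfiguration this check exists to catch and should not be exempted.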

View file

@ -48,10 +48,7 @@ in {
alsa-firmware
sof-firmware
libreelec-dvb-firmware
] ++ optional pkgs.stdenv.hostPlatform.isAarch raspberrypiWirelessFirmware
++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [
rtl8723bs-firmware
];
] ++ optional pkgs.stdenv.hostPlatform.isAarch raspberrypiWirelessFirmware;
})
(mkIf cfg.enableAllFirmware {
assertions = [{

View file

@ -12,5 +12,6 @@ in
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.qmk-udev-rules ];
users.groups.plugdev = {};
};
}

View file

@ -39,9 +39,10 @@ in
hardware.firmware = [ package.fw ];
system.activationScripts.setup-amdgpu-pro = ''
ln -sfn ${package}/opt/amdgpu{,-pro} /run
'';
systemd.tmpfiles.settings.amdgpu-pro = {
"/run/amdgpu"."L+".argument = "${package}/opt/amdgpu";
"/run/amdgpu-pro"."L+".argument = "${package}/opt/amdgpu-pro";
};
system.requiredKernelConfig = with config.lib.kernelConfig; [
(isYes "DEVICE_PRIVATE")

View file

@ -47,7 +47,8 @@ in {
TRUNK_LINK_FAILURE_MODE=0;
NVSWITCH_FAILURE_MODE=0;
ABORT_CUDA_JOBS_ON_FM_EXIT=1;
TOPOLOGY_FILE_PATH=nvidia_x11.fabricmanager + "/share/nvidia-fabricmanager/nvidia/nvswitch";
TOPOLOGY_FILE_PATH="${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
DATABASE_PATH="${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
};
defaultText = lib.literalExpression ''
{
@ -69,7 +70,8 @@ in {
TRUNK_LINK_FAILURE_MODE=0;
NVSWITCH_FAILURE_MODE=0;
ABORT_CUDA_JOBS_ON_FM_EXIT=1;
TOPOLOGY_FILE_PATH=nvidia_x11.fabricmanager + "/share/nvidia-fabricmanager/nvidia/nvswitch";
TOPOLOGY_FILE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
DATABASE_PATH="''${nvidia_x11.fabricmanager}/share/nvidia-fabricmanager/nvidia/nvswitch";
}
'';
description = lib.mdDoc ''
@ -584,24 +586,50 @@ in {
boot.extraModulePackages = [
nvidia_x11.bin
];
systemd.services.nvidia-fabricmanager = {
enable = true;
description = "Start NVIDIA NVLink Management";
wantedBy = [ "multi-user.target" ];
unitConfig.After = [ "network-online.target" ];
unitConfig.Requires = [ "network-online.target" ];
serviceConfig = {
Type = "forking";
TimeoutStartSec = 240;
ExecStart = let
nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings;
in
nvidia_x11.fabricmanager + "/bin/nv-fabricmanager -c " + nv-fab-conf;
LimitCORE="infinity";
};
};
environment.systemPackages =
lib.optional cfg.datacenter.enable nvidia_x11.fabricmanager;
})
]);
systemd = {
tmpfiles.rules =
lib.optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
"L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
services = lib.mkMerge [
({
nvidia-fabricmanager = {
enable = true;
description = "Start NVIDIA NVLink Management";
wantedBy = [ "multi-user.target" ];
unitConfig.After = [ "network-online.target" ];
unitConfig.Requires = [ "network-online.target" ];
serviceConfig = {
Type = "forking";
TimeoutStartSec = 240;
ExecStart = let
nv-fab-conf = settingsFormat.generate "fabricmanager.conf" cfg.datacenter.settings;
in
"${lib.getExe nvidia_x11.fabricmanager} -c ${nv-fab-conf}";
LimitCORE="infinity";
};
};
})
(lib.mkIf cfg.nvidiaPersistenced {
"nvidia-persistenced" = {
description = "NVIDIA Persistence Daemon";
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "forking";
Restart = "always";
PIDFile = "/var/run/nvidia-persistenced/nvidia-persistenced.pid";
ExecStart = "${lib.getExe nvidia_x11.persistenced} --verbose";
ExecStopPost = "${pkgs.coreutils}/bin/rm -rf /var/run/nvidia-persistenced";
};
};
})
];
};
environment.systemPackages =
lib.optional cfg.datacenter.enable nvidia_x11.fabricmanager
++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced;
})
]);
}
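Review bot: the new `nvidia-persistenced` unit uses `PIDFile = "/var/run/nvidia-persistenced/..."` and an `ExecStopPost` that runs `rm -rf /var/run/nvidia-persistenced`; `RuntimeDirectory = "nvidia-persistenced"` lets systemd create `/run/nvidia-persistenced` and remove it on stop, which drops the `coreutils` dependency and the `rm -rf` entirely. `/var/run` is only a compatibility symlink to `/run`; use `/run` in `PIDFile`. The fabricmanager change from `nvidia_x11.fabricmanager + "/bin/nv-fabricmanager -c " + nv-fab-conf` to `"${lib.getExe nvidia_x11.fabricmanager} -c ${nv-fab-conf}"` and the fixed `TOPOLOGY_FILE_PATH` string (first two hunks) are correct as written.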

View file

@ -19,6 +19,14 @@ in
Enabled Fcitx5 addons.
'';
};
waylandFrontend = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Use the Wayland input method frontend.
See [Using Fcitx 5 on Wayland](https://fcitx-im.org/wiki/Using_Fcitx_5_on_Wayland).
'';
};
quickPhrase = mkOption {
type = with types; attrsOf str;
default = { };
@ -118,10 +126,11 @@ in
];
environment.variables = {
GTK_IM_MODULE = "fcitx";
QT_IM_MODULE = "fcitx";
XMODIFIERS = "@im=fcitx";
QT_PLUGIN_PATH = [ "${fcitx5Package}/${pkgs.qt6.qtbase.qtPluginPrefix}" ];
} // lib.optionalAttrs (!cfg.waylandFrontend) {
GTK_IM_MODULE = "fcitx";
QT_IM_MODULE = "fcitx";
} // lib.optionalAttrs cfg.ignoreUserConfig {
SKIP_FCITX_USER_PATH = "1";
};

View file

@ -0,0 +1,80 @@
# This is an expression meant to be called from `./repart.nix`, it is NOT a
# NixOS module that can be imported.
{ lib
, runCommand
, python3
, black
, ruff
, mypy
, systemd
, fakeroot
, util-linux
, dosfstools
, mtools
, e2fsprogs
, squashfsTools
, erofs-utils
, btrfs-progs
, xfsprogs
# arguments
, name
, fileSystems
, partitions
, split
, seed
, definitionsDirectory
}:
let
amendRepartDefinitions = runCommand "amend-repart-definitions.py"
{
# TODO: ruff does not splice properly in nativeBuildInputs
depsBuildBuild = [ ruff ];
nativeBuildInputs = [ python3 black mypy ];
} ''
install ${./amend-repart-definitions.py} $out
patchShebangs --build $out
black --check --diff $out
ruff --line-length 88 $out
mypy --strict $out
'';
fileSystemToolMapping = {
"vfat" = [ dosfstools mtools ];
"ext4" = [ e2fsprogs.bin ];
"squashfs" = [ squashfsTools ];
"erofs" = [ erofs-utils ];
"btrfs" = [ btrfs-progs ];
"xfs" = [ xfsprogs ];
};
fileSystemTools = builtins.concatMap (f: fileSystemToolMapping."${f}") fileSystems;
in
runCommand name
{
nativeBuildInputs = [
systemd
fakeroot
util-linux
] ++ fileSystemTools;
} ''
amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory})
mkdir -p $out
cd $out
unshare --map-root-user fakeroot systemd-repart \
--dry-run=no \
--empty=create \
--size=auto \
--seed="${seed}" \
--definitions="$amendedRepartDefinitions" \
--split="${lib.boolToString split}" \
--json=pretty \
image.raw \
| tee repart-output.json
''
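Review bot: `fileSystemToolMapping."${f}"` fails with a bare "attribute missing" error when a partition's `Format` is not in the table; `fileSystemToolMapping.${f} or (throw "repart: unsupported Format ${f}")` gives a usable message, and the quotes around `${f}` are unnecessary. The `# TODO: ruff does not splice properly in nativeBuildInputs` comment should reference the tracking issue if there is one, so the `depsBuildBuild` workaround can be removed later.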

View file

@ -90,8 +90,10 @@ in
};
package = lib.mkPackageOption pkgs "systemd-repart" {
default = "systemd";
example = "pkgs.systemdMinimal.override { withCryptsetup = true; }";
# We use buildPackages so that repart images are built with the build
# platform's systemd, allowing for cross-compiled systems to work.
default = [ "buildPackages" "systemd" ];
example = "pkgs.buildPackages.systemdMinimal.override { withCryptsetup = true; }";
};
partitions = lib.mkOption {
@ -131,22 +133,10 @@ in
system.build.image =
let
fileSystemToolMapping = with pkgs; {
"vfat" = [ dosfstools mtools ];
"ext4" = [ e2fsprogs.bin ];
"squashfs" = [ squashfsTools ];
"erofs" = [ erofs-utils ];
"btrfs" = [ btrfs-progs ];
"xfs" = [ xfsprogs ];
};
fileSystems = lib.filter
(f: f != null)
(lib.mapAttrsToList (_n: v: v.repartConfig.Format or null) cfg.partitions);
fileSystemTools = builtins.concatMap (f: fileSystemToolMapping."${f}") fileSystems;
makeClosure = paths: pkgs.closureInfo { rootPaths = paths; };
# Add the closure of the provided Nix store paths to cfg.partitions so
@ -157,23 +147,8 @@ in
{ closure = "${makeClosure partitionConfig.storePaths}/store-paths"; }
);
finalPartitions = lib.mapAttrs addClosure cfg.partitions;
amendRepartDefinitions = pkgs.runCommand "amend-repart-definitions.py"
{
nativeBuildInputs = with pkgs; [ black ruff mypy ];
buildInputs = [ pkgs.python3 ];
} ''
install ${./amend-repart-definitions.py} $out
patchShebangs --host $out
black --check --diff $out
ruff --line-length 88 $out
mypy --strict $out
'';
format = pkgs.formats.ini { };
definitionsDirectory = utils.systemdUtils.lib.definitions
@ -183,30 +158,11 @@ in
partitions = pkgs.writeText "partitions.json" (builtins.toJSON finalPartitions);
in
pkgs.runCommand cfg.name
{
nativeBuildInputs = [
cfg.package
pkgs.fakeroot
pkgs.util-linux
] ++ fileSystemTools;
} ''
amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory})
mkdir -p $out
cd $out
unshare --map-root-user fakeroot systemd-repart \
--dry-run=no \
--empty=create \
--size=auto \
--seed="${cfg.seed}" \
--definitions="$amendedRepartDefinitions" \
--split="${lib.boolToString cfg.split}" \
--json=pretty \
image.raw \
| tee repart-output.json
'';
pkgs.callPackage ./repart-image.nix {
systemd = cfg.package;
inherit (cfg) name split seed;
inherit fileSystems definitionsDirectory partitions;
};
meta.maintainers = with lib.maintainers; [ nikstur ];

View file

@ -231,7 +231,8 @@ in
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system.
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.

View file

@ -77,7 +77,11 @@ let
libPath = filter (pkgs.path + "/lib");
pkgsLibPath = filter (pkgs.path + "/pkgs/pkgs-lib");
nixosPath = filter (pkgs.path + "/nixos");
modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy;
modules =
"[ "
+ concatMapStringsSep " " (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy
+ " ]";
passAsFile = [ "modules" ];
} ''
export NIX_STORE_DIR=$TMPDIR/store
export NIX_STATE_DIR=$TMPDIR/state
@ -87,7 +91,7 @@ let
--argstr libPath "$libPath" \
--argstr pkgsLibPath "$pkgsLibPath" \
--argstr nixosPath "$nixosPath" \
--arg modules "[ $modules ]" \
--arg modules "import $modulesPath" \
--argstr stateVersion "${options.system.stateVersion.default}" \
--argstr release "${config.system.nixos.release}" \
$nixosPath/lib/eval-cacheable-options.nix > $out \

View file

@ -288,7 +288,7 @@ in
telegraf = 256;
gitlab-runner = 257;
postgrey = 258;
hound = 259;
# hound = 259; # unused, removed 2023-11-21
leaps = 260;
ipfs = 261;
# stanchion = 262; # unused, removed 2020-10-14
@ -599,7 +599,7 @@ in
#telegraf = 256; # unused
gitlab-runner = 257;
postgrey = 258;
hound = 259;
# hound = 259; # unused, removed 2023-11-21
leaps = 260;
ipfs = 261;
# stanchion = 262; # unused, removed 2020-10-14

View file

@ -5,25 +5,39 @@ let
cfg = config.documentation.man.mandoc;
in {
toMandocOutput = output: (
lib.mapAttrsToList
(
name: value:
if lib.isString value || lib.isPath value then "output ${name} ${value}"
else if lib.isInt value then "output ${name} ${builtins.toString value}"
else if lib.isBool value then lib.optionalString value "output ${name}"
else if value == null then ""
else throw "Unrecognized value type ${builtins.typeOf value} of key ${name} in mandoc output settings"
)
output
);
in
{
meta.maintainers = [ lib.maintainers.sternenseemann ];
options = {
documentation.man.mandoc = {
enable = lib.mkEnableOption (lib.mdDoc "mandoc as the default man page viewer");
enable = lib.mkEnableOption "mandoc as the default man page viewer";
manPath = lib.mkOption {
type = with lib.types; listOf str;
default = [ "share/man" ];
example = lib.literalExpression "[ \"share/man\" \"share/man/fr\" ]";
description = lib.mdDoc ''
Change the manpath, i. e. the directories where
{manpage}`man(1)`
description = ''
Change the paths included in the MANPATH environment variable,
i. e. the directories where {manpage}`man(1)`
looks for section-specific directories of man pages.
You only need to change this setting if you want extra man pages
(e. g. in non-english languages). All values must be strings that
are a valid path from the target prefix (without including it).
The first value given takes priority.
The first value given takes priority. Note that this will not
add manpath directives to {manpage}`man.conf(5)`.
'';
};
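Review bot: `toMandocOutput` yields `""` for `false` and `null` values, and the caller joins the result with `lib.concatStringsSep "\n"`, so every unset `output.*` option becomes a blank line in `man.conf`; filter them out (`lib.filter (s: s != "") (...)`) before joining. Interpolating an `lib.isPath` value copies it into the store, which is presumably what `output.style` wants, but a comment saying so would help.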
@ -31,11 +45,122 @@ in {
type = lib.types.package;
default = pkgs.mandoc;
defaultText = lib.literalExpression "pkgs.mandoc";
description = lib.mdDoc ''
description = ''
The `mandoc` derivation to use. Useful to override
configuration options used for the package.
'';
};
settings = lib.mkOption {
description = "Configuration for {manpage}`man.conf(5)`";
default = { };
type = lib.types.submodule {
options = {
manpath = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
example = lib.literalExpression "[ \"/run/current-system/sw/share/man\" ]";
description = ''
Override the default search path for {manpage}`man(1)`,
{manpage}`apropos(1)`, and {manpage}`makewhatis(8)`. It can be
used multiple times to specify multiple paths, with the order
determining the manual page search order.
This is not recommended in favor of
{option}`documentation.man.mandoc.manPath`, but if it's needed to
specify the manpath in this way, set
{option}`documentation.man.mandoc.manPath` to an empty list (`[]`).
'';
};
output.fragment = lib.mkEnableOption ''
Omit the <!DOCTYPE> declaration and the <html>, <head>, and <body>
elements and only emit the subtree below the <body> element in HTML
output of {manpage}`mandoc(1)`. The style argument will be ignored.
This is useful when embedding manual content within existing documents.
'';
output.includes = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = lib.literalExpression "../src/%I.html";
description = ''
A string of relative path used as a template for the output path of
linked header files (usually via the In macro) in HTML output.
Instances of `%I` are replaced with the include filename. The
default is not to present a hyperlink.
'';
};
output.indent = lib.mkOption {
type = with lib.types; nullOr int;
default = null;
description = ''
Number of blank characters at the left margin for normal text,
default of `5` for {manpage}`mdoc(7)` and `7` for
{manpage}`man(7)`. Increasing this is not recommended; it may
result in degraded formatting, for example overfull lines or ugly
line breaks. When output is to a pager on a terminal that is less
than 66 columns wide, the default is reduced to three columns.
'';
};
output.man = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = lib.literalExpression "../html%S/%N.%S.html";
description = ''
A template for linked manuals (usually via the Xr macro) in HTML
output. Instances of %N and %S are replaced with the linked
manual's name and section, respectively. If no section is included,
section 1 is assumed. The default is not to present a hyperlink.
If two formats are given and a file %N.%S exists in the current
directory, the first format is used; otherwise, the second format is used.
'';
};
output.paper = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
This option is for generating PostScript and PDF output. The paper
size name may be one of `a3`, `a4`, `a5`, `legal`, or `letter`.
You may also manually specify dimensions as `NNxNN`, width by
height in millimetres. If an unknown value is encountered, letter
is used. Output pages default to letter sized and are rendered in
the Times font family, 11-point. Margins are calculated as 1/9 the
page length and width. Line-height is 1.4m.
'';
};
output.style = lib.mkOption {
type = with lib.types; nullOr path;
default = null;
description = ''
Path to the file used for an external style-sheet. This must be a
valid absolute or relative URI.
'';
};
output.toc = lib.mkEnableOption ''
In HTML output of {manpage}`mandoc(1)`, If an input file contains
at least two non-standard sections, print a table of contents near
the beginning of the output.
'';
output.width = lib.mkOption {
type = with lib.types; nullOr int;
default = null;
description = ''
The ASCII and UTF-8 output width, default is `78`. When output is a
pager on a terminal that is less than 79 columns wide, the
default is reduced to one less than the terminal width. In any case,
lines that are output in literal mode are never wrapped and may
exceed the output width.
'';
};
};
};
};
extraConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
Extra configuration to write to {manpage}`man.conf(5)`.
'';
};
};
};
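Review bot: `output.fragment` and `output.toc` use `lib.mkEnableOption` with a full sentence, so the rendered description becomes "Whether to enable Omit the <!DOCTYPE> declaration ..." and "Whether to enable In HTML output of mandoc(1), If an input file ..."; use `lib.mkOption { type = types.bool; default = false; description = ...; }` or rephrase each to a noun phrase. `example = lib.literalExpression "../src/%I.html"` (and the `output.man` example) renders as an unquoted path, which is not the Nix value a user would write; use `example = "../src/%I.html";`.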
@ -43,21 +168,29 @@ in {
environment = {
systemPackages = [ cfg.package ];
# tell mandoc about man pages
etc."man.conf".text = lib.concatMapStrings (path: ''
manpath /run/current-system/sw/${path}
'') cfg.manPath;
etc."man.conf".text = lib.concatStringsSep "\n" (
(map (path: "manpath ${path}") cfg.settings.manpath)
++ (toMandocOutput cfg.settings.output)
++ [ cfg.extraConfig ]
);
# create mandoc.db for whatis(1), apropos(1) and man(1) -k
# TODO(@sternenseemman): fix symlinked directories not getting indexed,
# see: https://inbox.vuxu.org/mandoc-tech/20210906171231.GF83680@athene.usta.de/T/#e85f773c1781e3fef85562b2794f9cad7b2909a3c
extraSetup = lib.mkIf config.documentation.man.generateCaches ''
${makewhatis} -T utf8 ${
for man_path in ${
lib.concatMapStringsSep " " (path:
"$out/" + lib.escapeShellArg path
) cfg.manPath
}
) cfg.manPath} ${lib.concatMapStringsSep " " (path:
lib.escapeShellArg path) cfg.settings.manpath
}
do
[[ -d "$man_path" ]] && ${makewhatis} -T utf8 $man_path
done
'';
# tell mandoc the paths containing man pages
profileRelativeSessionVariables."MANPATH" = map (path: if builtins.substring 0 1 path != "/" then "/${path}" else path) cfg.manPath;
};
};
}
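Review bot: `[[ -d "$man_path" ]] && ${makewhatis} -T utf8 $man_path` quotes the path in the test but not in the `makewhatis` call, so a `settings.manpath` entry containing whitespace or glob characters is split despite the `escapeShellArg` applied to the loop list; write `${makewhatis} -T utf8 "$man_path"`. Separately, `man.conf` is now generated from `cfg.settings.manpath` while the loop still iterates `cfg.manPath` and `profileRelativeSessionVariables."MANPATH"` is still derived from `cfg.manPath`; if `manPath` is now an alias for `settings.manpath` that is fine, otherwise the two lists can drift apart and `whatis`/`apropos` will index directories that `man.conf` does not list.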

View file

@ -12,6 +12,7 @@
./config/iproute2.nix
./config/krb5/default.nix
./config/ldap.nix
./config/ldso.nix
./config/locale.nix
./config/malloc.nix
./config/mysql.nix
@ -28,6 +29,7 @@
./config/resolvconf.nix
./config/shells-environment.nix
./config/stevenblack.nix
./config/stub-ld.nix
./config/swap.nix
./config/sysctl.nix
./config/system-environment.nix
@ -276,6 +278,7 @@
./programs/wayland/waybar.nix
./programs/wayland/wayfire.nix
./programs/weylus.nix
./programs/winbox.nix
./programs/wireshark.nix
./programs/xastir.nix
./programs/wshowkeys.nix
@ -341,6 +344,7 @@
./services/audio/mopidy.nix
./services/audio/mpd.nix
./services/audio/mpdscribble.nix
./services/audio/mympd.nix
./services/audio/navidrome.nix
./services/audio/networkaudiod.nix
./services/audio/roon-bridge.nix
@ -364,6 +368,7 @@
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/postgresql-wal-receiver.nix
./services/backup/snapraid.nix
./services/backup/restic-rest-server.nix
./services/backup/restic.nix
./services/backup/rsnapshot.nix
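Review bot: `./services/backup/snapraid.nix` is inserted between `postgresql-wal-receiver.nix` and `restic-rest-server.nix`, which breaks the alphabetical order this list otherwise keeps in the backup section; it belongs after `rsnapshot.nix`. Ordering matters here only for readability and for avoiding merge conflicts, but the rest of the moved-module cleanup (the removal from `./tasks/` further down) is correct.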
@ -615,6 +620,7 @@
./services/mail/public-inbox.nix
./services/mail/roundcube.nix
./services/mail/rspamd.nix
./services/mail/rspamd-trainer.nix
./services/mail/rss2email.nix
./services/mail/schleuder.nix
./services/mail/spamassassin.nix
@ -717,6 +723,7 @@
./services/misc/nzbget.nix
./services/misc/nzbhydra2.nix
./services/misc/octoprint.nix
./services/misc/ollama.nix
./services/misc/ombi.nix
./services/misc/osrm.nix
./services/misc/owncast.nix
@ -766,6 +773,7 @@
./services/misc/tautulli.nix
./services/misc/tiddlywiki.nix
./services/misc/tp-auto-kbbl.nix
./services/misc/tuxclocker.nix
./services/misc/tzupdate.nix
./services/misc/uhub.nix
./services/misc/weechat.nix
@ -941,6 +949,7 @@
./services/networking/ghostunnel.nix
./services/networking/git-daemon.nix
./services/networking/globalprotect-vpn.nix
./services/networking/gns3-server.nix
./services/networking/gnunet.nix
./services/networking/go-autoconfig.nix
./services/networking/go-neb.nix
@ -971,6 +980,7 @@
./services/networking/iwd.nix
./services/networking/jibri/default.nix
./services/networking/jicofo.nix
./services/networking/jigasi.nix
./services/networking/jitsi-videobridge.nix
./services/networking/jool.nix
./services/networking/kea.nix
@ -1253,6 +1263,7 @@
./services/web-apps/changedetection-io.nix
./services/web-apps/chatgpt-retrieval-plugin.nix
./services/web-apps/cloudlog.nix
./services/web-apps/code-server.nix
./services/web-apps/convos.nix
./services/web-apps/dex.nix
./services/web-apps/discourse.nix
@ -1334,6 +1345,7 @@
./services/web-apps/vikunja.nix
./services/web-apps/whitebophir.nix
./services/web-apps/wiki-js.nix
./services/web-apps/windmill.nix
./services/web-apps/wordpress.nix
./services/web-apps/writefreely.nix
./services/web-apps/youtrack.nix
@ -1359,6 +1371,7 @@
./services/web-servers/molly-brown.nix
./services/web-servers/nginx/default.nix
./services/web-servers/nginx/gitweb.nix
./services/web-servers/nginx/tailscale-auth.nix
./services/web-servers/phpfpm/default.nix
./services/web-servers/pomerium.nix
./services/web-servers/rustus.nix
@ -1504,7 +1517,6 @@
./tasks/network-interfaces.nix
./tasks/powertop.nix
./tasks/scsi-link-power-management.nix
./tasks/snapraid.nix
./tasks/stratis.nix
./tasks/swraid.nix
./tasks/trackpoint.nix

View file

@ -105,6 +105,8 @@ with lib;
];
boot.swraid.enable = true;
# remove warning about unset mail
boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true";
# Show all debug messages from the kernel but don't log refused packets
# because we have the firewall enabled. This makes installs from the
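Review bot: `boot.swraid.mdadmConf = "PROGRAM ${pkgs.coreutils}/bin/true";` does more than silence the "unset mail" warning: it replaces the program `mdmonitor` runs for array events, so `DegradedArray` and `Fail` events on the installer media are now discarded. That is acceptable for an installation ISO, but the comment should say that this is installer-only so the line is not copied verbatim into production configurations where those events are the only signal that a mirror is degraded.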

View file

@ -21,6 +21,8 @@ with lib;
# Perl is a default package.
environment.defaultPackages = mkDefault [ ];
environment.stub-ld.enable = false;
# The lessopen package pulls in Perl.
programs.less.lessopen = mkDefault null;

View file

@ -137,6 +137,7 @@ in
atop.preStart = ''
set -e -u
shopt -s nullglob
rm -f "$LOGPATH"/atop_*.new
for logfile in "$LOGPATH"/atop_*
do
${atop}/bin/atopconvert "$logfile" "$logfile".new
@ -144,9 +145,9 @@ in
# false positives for atop-rotate.service
if ! ${pkgs.diffutils}/bin/cmp -s "$logfile" "$logfile".new
then
${pkgs.coreutils}/bin/mv -v -f "$logfile".new "$logfile"
mv -v -f "$logfile".new "$logfile"
else
${pkgs.coreutils}/bin/rm -f "$logfile".new
rm -f "$logfile".new
fi
done
'';

View file

@ -49,7 +49,14 @@ in {
default = true;
};
package = lib.mkPackageOption pkgs "nix-direnv" {};
package = lib.mkOption {
default = pkgs.nix-direnv.override { nix = config.nix.package; };
defaultText = "pkgs.nix-direnv";
type = lib.types.package;
description = lib.mdDoc ''
The nix-direnv package to use
'';
};
};
};
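Review bot: `defaultText = "pkgs.nix-direnv";` no longer matches the default, which is now `pkgs.nix-direnv.override { nix = config.nix.package; }`; the generated option docs will show the wrong expression. Use `defaultText = lib.literalExpression "pkgs.nix-direnv.override { nix = config.nix.package; }"` so readers can see that the override is tied to `config.nix.package`, and consider keeping `lib.mkPackageOption` with `default`/`defaultText` overridden via `//` to stay consistent with the other modules in this commit.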

View file

@ -53,7 +53,7 @@ in {
desktop = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mkDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
description = lib.mdDoc ".desktop file to modify. Only necessary if it uses the absolute path to the executable.";
example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"'';
};
profile = mkOption {

View file

@ -18,7 +18,7 @@ in
settings = mkOption {
type = settingsFormat.type;
default = {};
default = { };
description = lib.mdDoc ''
System-wide configuration for GameMode (/etc/gamemode.ini).
See gamemoded(8) man page for available settings.

View file

@ -32,5 +32,7 @@ with lib;
systemd.packages = [ pkgs.gnome.gpaste ];
# gnome-control-center crashes in Keyboard Shortcuts pane without the GSettings schemas.
services.xserver.desktopManager.gnome.sessionPath = [ pkgs.gnome.gpaste ];
# gpaste-reloaded applet doesn't work without the typelib
services.xserver.desktopManager.cinnamon.sessionPath = [ pkgs.gnome.gpaste ];
};
}

View file

@ -30,7 +30,6 @@ in
readOnly = true;
default = cfg.package.override {
enableXWayland = cfg.xwayland.enable;
enableNvidiaPatches = cfg.enableNvidiaPatches;
};
defaultText = literalExpression
"`programs.hyprland.package` with applied configuration";
@ -42,8 +41,6 @@ in
portalPackage = mkPackageOption pkgs "xdg-desktop-portal-hyprland" { };
xwayland.enable = mkEnableOption (mdDoc "XWayland") // { default = true; };
enableNvidiaPatches = mkEnableOption (mdDoc "patching wlroots for better Nvidia support");
};
config = mkIf cfg.enable {
@ -73,9 +70,13 @@ in
[ "programs" "hyprland" "xwayland" "hidpi" ]
"XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland"
)
(mkRenamedOptionModule
[ "programs" "hyprland" "nvidiaPatches" ]
(mkRemovedOptionModule
[ "programs" "hyprland" "enableNvidiaPatches" ]
"Nvidia patches are no longer needed"
)
(mkRemovedOptionModule
[ "programs" "hyprland" "nvidiaPatches" ]
"Nvidia patches are no longer needed"
)
];
}

View file

@ -6,39 +6,6 @@ with lib;
let
cfg = config.programs.mininet;
telnet = pkgs.runCommand "inetutils-telnet"
{ }
''
mkdir -p $out/bin
ln -s ${pkgs.inetutils}/bin/telnet $out/bin
'';
generatedPath = with pkgs; makeSearchPath "bin" [
iperf
ethtool
iproute2
socat
# mn errors out without a telnet binary
# pkgs.inetutils brings an undesired ifconfig into PATH see #43105
nettools
telnet
];
pyEnv = pkgs.python3.withPackages (ps: [ ps.mininet-python ]);
mnexecWrapped = pkgs.runCommand "mnexec-wrapper"
{ nativeBuildInputs = [ pkgs.makeWrapper pkgs.python3Packages.wrapPython ]; }
''
makeWrapper ${pkgs.mininet}/bin/mnexec \
$out/bin/mnexec \
--prefix PATH : "${generatedPath}"
makeWrapper ${pyEnv}/bin/mn \
$out/bin/mn \
--prefix PYTHONPATH : "${pyEnv}/${pyEnv.sitePackages}" \
--prefix PATH : "${generatedPath}"
'';
in
{
options.programs.mininet.enable = mkEnableOption (lib.mdDoc "Mininet");
@ -47,6 +14,6 @@ in
virtualisation.vswitch.enable = true;
environment.systemPackages = [ mnexecWrapped ];
environment.systemPackages = [ pkgs.mininet ];
};
}
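Review bot: the removed wrapper put `iperf`, `ethtool`, `iproute2`, `socat`, `nettools` and a `telnet` binary (with the explicit note "mn errors out without a telnet binary" and the `#43105` workaround for `inetutils` shadowing `ifconfig`) on `PATH` for `mn` and `mnexec`; replacing it with a bare `environment.systemPackages = [ pkgs.mininet ];` is only equivalent if `pkgs.mininet` now wraps those runtime dependencies itself. Please reference the package change that moved this wrapping into `pkgs.mininet` (or the `#43105` follow-up) in the commit message so the regression risk is traceable.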

View file

@ -1,7 +1,5 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.mosh;
@ -9,28 +7,26 @@ let
in
{
options.programs.mosh = {
enable = mkOption {
description = lib.mdDoc ''
Whether to enable mosh. Note, this will open ports in your firewall!
'';
default = false;
type = lib.types.bool;
enable = lib.mkEnableOption "mosh";
openFirewall = lib.mkEnableOption "" // {
description = "Whether to automatically open the necessary ports in the firewall.";
default = true;
};
withUtempter = mkOption {
withUtempter = lib.mkEnableOption "" // {
description = lib.mdDoc ''
Whether to enable libutempter for mosh.
This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions).
Note, this will add a guid wrapper for the group utmp!
'';
default = true;
type = lib.types.bool;
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ mosh ];
networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];
security.wrappers = mkIf cfg.withUtempter {
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.mosh ];
networking.firewall.allowedUDPPortRanges = lib.optional cfg.openFirewall { from = 60000; to = 61000; };
security.wrappers = lib.mkIf cfg.withUtempter {
utempter = {
source = "${pkgs.libutempter}/lib/utempter/utempter";
owner = "root";

View file

@ -47,7 +47,7 @@ in
};
config = lib.mkIf config.programs.nix-ld.enable {
systemd.tmpfiles.packages = [ cfg.package ];
environment.ldso = "${cfg.package}/libexec/nix-ld";
environment.systemPackages = [ nix-ld-libraries ];

View file

@ -8,14 +8,12 @@ let
cfg = config.programs.ssh;
askPassword = cfg.askPassword;
askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper"
''
#! ${pkgs.runtimeShell} -e
export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
export WAYLAND_DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^WAYLAND_DISPLAY=\(.*\)/\1/; t; d')"
exec ${askPassword} "$@"
exec ${cfg.askPassword} "$@"
'';
knownHosts = attrValues cfg.knownHosts;
@ -52,10 +50,11 @@ in
};
forwardX11 = mkOption {
type = types.bool;
type = with lib.types; nullOr bool;
default = false;
description = lib.mdDoc ''
Whether to request X11 forwarding on outgoing connections by default.
If set to null, the option is not set at all.
This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
Note: there are some security risks to forwarding an X11 connection.
@ -274,10 +273,10 @@ in
config = {
programs.ssh.setXAuthLocation =
mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding);
mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 == true || config.services.openssh.settings.X11Forwarding);
assertions =
[ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
[ { assertion = cfg.forwardX11 == true -> cfg.setXAuthLocation;
message = "cannot enable X11 forwarding without setting XAuth location";
}
] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
@ -298,11 +297,8 @@ in
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
GlobalKnownHostsFile ${concatStringsSep " " knownHostsFiles}
${optionalString cfg.setXAuthLocation ''
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
''}
ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
${optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"}
${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"}
${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
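Review bot: `${lib.optionalString (cfg.forwardX11 != null) ...}` uses the `lib.` prefix in a file that is `with lib;` and whose neighbouring lines use bare `optionalString`; pick one style. Behaviourally the change is sound: with `forwardX11 = null` no `ForwardX11` line is emitted and ssh's own default (`no`) applies, so the conservative default is preserved, and the `== true` comparisons in the `setXAuthLocation` default and the assertion are required now that the value may be `null`.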
@ -344,7 +340,7 @@ in
fi
'';
environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword askPassword;
environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword cfg.askPassword;
};
}

View file

@ -44,21 +44,39 @@ in
config = mkIf cfg.enable {
programs.bash.${initOption} = ''
if [[ $TERM != "dumb" ]]; then
export STARSHIP_CONFIG=${settingsFile}
# don't set STARSHIP_CONFIG automatically if there's a user-specified
# config file. starship appears to use a hardcoded config location
# rather than one inside an XDG folder:
# https://github.com/starship/starship/blob/686bda1706e5b409129e6694639477a0f8a3f01b/src/configure.rs#L651
if [[ ! -f "$HOME/.config/starship.toml" ]]; then
export STARSHIP_CONFIG=${settingsFile}
fi
eval "$(${pkgs.starship}/bin/starship init bash)"
fi
'';
programs.fish.${initOption} = ''
if test "$TERM" != "dumb"
set -x STARSHIP_CONFIG ${settingsFile}
# don't set STARSHIP_CONFIG automatically if there's a user-specified
# config file. starship appears to use a hardcoded config location
# rather than one inside an XDG folder:
# https://github.com/starship/starship/blob/686bda1706e5b409129e6694639477a0f8a3f01b/src/configure.rs#L651
if not test -f "$HOME/.config/starship.toml";
set -x STARSHIP_CONFIG ${settingsFile}
end
eval (${pkgs.starship}/bin/starship init fish)
end
'';
programs.zsh.${initOption} = ''
if [[ $TERM != "dumb" ]]; then
export STARSHIP_CONFIG=${settingsFile}
# don't set STARSHIP_CONFIG automatically if there's a user-specified
# config file. starship appears to use a hardcoded config location
# rather than one inside an XDG folder:
# https://github.com/starship/starship/blob/686bda1706e5b409129e6694639477a0f8a3f01b/src/configure.rs#L651
if [[ ! -f "$HOME/.config/starship.toml" ]]; then
export STARSHIP_CONFIG=${settingsFile}
fi
eval "$(${pkgs.starship}/bin/starship init zsh)"
fi
'';
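Review bot: the four-line comment explaining the `$HOME/.config/starship.toml` check (with the upstream `configure.rs` link) is repeated verbatim in the bash, fish and zsh blocks; hoist it into a single Nix-level comment or a `let` binding so the rationale lives in one place. In the fish block, `if not test -f "$HOME/.config/starship.toml";` carries a stray trailing semicolon that the bash and zsh variants do not have.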

View file

@ -48,6 +48,9 @@ in {
# To make a river session available if a display manager like SDDM is enabled:
services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ];
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913
xdg.portal.config.river.default = mkDefault [ "wlr" "gtk" ];
}
(import ./wayland-session.nix { inherit lib pkgs; })
]);

View file

@ -26,13 +26,28 @@ let
};
};
defaultSwayPackage = pkgs.sway.override {
extraSessionCommands = cfg.extraSessionCommands;
extraOptions = cfg.extraOptions;
withBaseWrapper = cfg.wrapperFeatures.base;
withGtkWrapper = cfg.wrapperFeatures.gtk;
isNixOS = true;
};
genFinalPackage = pkg:
let
expectedArgs = lib.naturalSort [
"extraSessionCommands"
"extraOptions"
"withBaseWrapper"
"withGtkWrapper"
"isNixOS"
];
existedArgs = with lib;
naturalSort
(intersectLists expectedArgs (attrNames (functionArgs pkg.override)));
in if existedArgs != expectedArgs then
pkg
else
pkg.override {
extraSessionCommands = cfg.extraSessionCommands;
extraOptions = cfg.extraOptions;
withBaseWrapper = cfg.wrapperFeatures.base;
withGtkWrapper = cfg.wrapperFeatures.gtk;
isNixOS = true;
};
in {
options.programs.sway = {
enable = mkEnableOption (lib.mdDoc ''
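Review bot: `in if existedArgs != expectedArgs then pkg else pkg.override { ... }` silently returns the unmodified package when the override arguments are missing, so a user who sets `extraSessionCommands`, `extraOptions` or `wrapperFeatures` together with a custom `package` gets no wrapper and no indication why. Emit a `lib.warnIf` (or an assertion) when any of those options is non-default and the override arguments are absent, so the dropped configuration is visible at evaluation time; also rename `existedArgs` to `existingArgs`.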
@ -44,14 +59,16 @@ in {
package = mkOption {
type = with types; nullOr package;
default = defaultSwayPackage;
default = pkgs.sway;
apply = p: if p == null then null else genFinalPackage p;
defaultText = literalExpression "pkgs.sway";
description = lib.mdDoc ''
Sway package to use. Will override the options
'wrapperFeatures', 'extraSessionCommands', and 'extraOptions'.
Set to `null` to not add any Sway package to your
path. This should be done if you want to use the Home Manager Sway
module to install Sway.
Sway package to use. If the package does not contain the override arguments
`extraSessionCommands`, `extraOptions`, `withBaseWrapper`, `withGtkWrapper`,
`isNixOS`, then the module options {option}`wrapperFeatures`,
{option}`wrapperFeatures` and {option}`wrapperFeatures` will have no effect.
Set to `null` to not add any Sway package to your path. This should be done if
you want to use the Home Manager Sway module to install Sway.
'';
};
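Review bot: the new description lists `{option}`wrapperFeatures`` three times ("the module options {option}`wrapperFeatures`, {option}`wrapperFeatures` and {option}`wrapperFeatures` will have no effect"); the three options that become no-ops are `wrapperFeatures`, `extraSessionCommands` and `extraOptions`, matching the override arguments named in the preceding sentence.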

View file

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
let
cfg = config.programs.winbox;
in
{
options.programs.winbox = {
enable = lib.mkEnableOption ("MikroTik Winbox");
package = lib.mkPackageOption pkgs "winbox" { };
openFirewall = lib.mkOption {
description = ''
Whether to open ports for the MikroTik Neighbor Discovery protocol. Required for Winbox neighbor discovery.
'';
default = false;
type = lib.types.bool;
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 5678 ];
};
}
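Review bot: `networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 5678 ];` opens MikroTik Neighbor Discovery on all interfaces, although MNDP is a LAN discovery protocol that is only meaningful on the segment where the routers sit; either say so in the `openFirewall` description or point users to `networking.firewall.interfaces.<name>.allowedUDPPorts` for a scoped rule. Style: `lib.mkEnableOption ("MikroTik Winbox")` has redundant parentheses.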

View file

@ -45,7 +45,7 @@ placeholder certificates in place of the real ACME certs. The placeholder
certs are overwritten when the ACME certs arrive. For
`foo.example.com` the config would look like this:
```
```nix
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
services.nginx = {
@ -88,7 +88,7 @@ This example uses a vhost called `certs.example.com`, with
the intent that you will generate certs for all your vhosts and redirect
everyone to HTTPS.
```
```nix
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
@ -136,7 +136,7 @@ services.httpd = {
Now you need to configure ACME to generate a certificate.
```
```nix
security.acme.certs."foo.example.com" = {
webroot = "/var/lib/acme/.challenges";
email = "foo@example.com";
@ -167,7 +167,7 @@ see the [lego docs](https://go-acme.github.io/lego/dns/)
for provider/server specific configuration values. For the sake of these
docs, we will provide a fully self-hosted example using bind.
```
```nix
services.bind = {
enable = true;
extraConfig = ''
@ -199,7 +199,7 @@ The {file}`dnskeys.conf` and {file}`certs.secret`
must be kept secure and thus you should not keep their contents in your
Nix config. Instead, generate them one time with a systemd service:
```
```nix
systemd.services.dns-rfc2136-conf = {
requiredBy = ["acme-example.com.service" "bind.service"];
before = ["acme-example.com.service" "bind.service"];
@ -250,7 +250,7 @@ first, however instead of setting the options for one certificate
you will set them as defaults
(e.g. [](#opt-security.acme.defaults.dnsProvider)).
```
```nix
# Configure ACME appropriately
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin+acme@example.com";
@ -287,7 +287,7 @@ There is no way to change the user the ACME module uses (it will always be
Below is an example configuration for OpenSMTPD, but this pattern
can be applied to any service.
```
```nix
# Configure ACME however you like (DNS or HTTP validation), adding
# the following configuration for the relevant certificate.
# Note: You cannot use `systemctl reload` here as that would mean
@ -340,7 +340,7 @@ to be regenerated. In this scenario lego will produce the error `JWS verificatio
The solution is to simply delete the associated accounts file and
re-run the affected service(s).
```
```shell
# Find the accounts folder for the certificate
systemctl cat acme-example.com.service | grep -Po 'accounts/[^:]*'
export accountdir="$(!!)"

View file

@ -164,7 +164,8 @@ in
"local-fs.target"
"systemd-journald-audit.socket"
];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
Description="Load AppArmor policies";

View file

@ -13,6 +13,8 @@ with lib;
systemd.services.auditd = {
description = "Linux Audit daemon";
wantedBy = [ "basic.target" ];
before = [ "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig = {
ConditionVirtualization = "!container";
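Review bot: `before = [ "shutdown.target" ]; conflicts = [ "shutdown.target" ];` is only needed for units with `DefaultDependencies=false`; for a regular service (`wantedBy = [ "basic.target" ]` with default dependencies) systemd already adds `Conflicts=shutdown.target` and `Before=shutdown.target`, so these lines are redundant unless `unitConfig.DefaultDependencies = false` is set in the part of this unit not shown here. If it is, consider a comment saying so, since the other services in this commit that receive the same pair (`apparmor`, `login-duo`, `pam-duo`, `suid-sgid-wrappers`) all carry `DefaultDependencies = false` explicitly.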
@ -23,7 +25,7 @@ with lib;
path = [ pkgs.audit ];
serviceConfig = {
ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
};
};

View file

@ -195,7 +195,8 @@ in
systemd.services.login-duo = lib.mkIf cfg.ssh.enable {
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
script = ''
if test -f "${cfg.secretKeyFile}"; then
@ -216,7 +217,8 @@ in
systemd.services.pam-duo = lib.mkIf cfg.ssh.enable {
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
script = ''
if test -f "${cfg.secretKeyFile}"; then

View file

@ -181,25 +181,33 @@ in {
'';
};
system.activationScripts.ipa = stringAfter ["etc"] ''
# libcurl requires a hard copy of the certificate
if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
rm -f /etc/ipa/ca.crt
cp ${cfg.certificate} /etc/ipa/ca.crt
fi
systemd.services."ipa-activation" = {
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
unitConfig.DefaultDependencies = false;
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = ''
# libcurl requires a hard copy of the certificate
if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
rm -f /etc/ipa/ca.crt
cp ${cfg.certificate} /etc/ipa/ca.crt
fi
if [ ! -f /etc/krb5.keytab ]; then
cat <<EOF
if [ ! -f /etc/krb5.keytab ]; then
cat <<EOF
In order to complete FreeIPA integration, please join the domain by completing the following steps:
1. Authenticate as an IPA user authorized to join new hosts, e.g. kinit admin@${cfg.realm}
2. Join the domain and obtain the keytab file: ipa-join
3. Install the keytab file: sudo install -m 600 krb5.keytab /etc/
4. Restart sssd systemd service: sudo systemctl restart sssd
In order to complete FreeIPA integration, please join the domain by completing the following steps:
1. Authenticate as an IPA user authorized to join new hosts, e.g. kinit admin@${cfg.realm}
2. Join the domain and obtain the keytab file: ipa-join
3. Install the keytab file: sudo install -m 600 krb5.keytab /etc/
4. Restart sssd systemd service: sudo systemctl restart sssd
EOF
fi
'';
EOF
fi
'';
};
services.sssd.config = ''
[domain/${cfg.domain}]

View file

@ -6,8 +6,6 @@ let
cfg = config.security.sudo-rs;
inherit (config.security.pam) enableSSHAgentAuth;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";

View file

@ -278,7 +278,9 @@ in
systemd.services.suid-sgid-wrappers = {
description = "Create SUID/SGID Wrappers";
wantedBy = [ "sysinit.target" ];
before = [ "sysinit.target" ];
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
after = [ "systemd-sysusers.service" ];
unitConfig.DefaultDependencies = false;
unitConfig.RequiresMountsFor = [ "/nix/store" "/run/wrappers" ];
serviceConfig.Type = "oneshot";

View file

@ -1,8 +1,8 @@
{ stdenv, unsecvars, linuxHeaders, sourceProg, debug ? false }:
# For testing:
# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { parentWrapperDir = "/run/wrappers"; debug = true; }'
# $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { sourceProg = "${pkgs.hello}/bin/hello"; debug = true; }'
stdenv.mkDerivation {
name = "security-wrapper";
name = "security-wrapper-${baseNameOf sourceProg}";
buildInputs = [ linuxHeaders ];
dontUnpack = true;
CFLAGS = [

View file

@ -3,7 +3,6 @@
with lib;
let
pkg = pkgs.pgadmin4;
cfg = config.services.pgadmin;
_base = with types; [ int bool str ];
@ -36,6 +35,8 @@ in
default = 5050;
};
package = mkPackageOptionMD pkgs "pgadmin4" { };
initialEmail = mkOption {
description = lib.mdDoc "Initial email for the pgAdmin account";
type = types.str;
@ -150,7 +151,7 @@ in
echo "$PW"
# Retype password:
echo "$PW"
) | ${pkg}/bin/pgadmin4-setup
) | ${cfg.package}/bin/pgadmin4-setup
'';
restartTriggers = [
@ -162,7 +163,7 @@ in
DynamicUser = true;
LogsDirectory = "pgadmin";
StateDirectory = "pgadmin";
ExecStart = "${pkg}/bin/pgadmin4";
ExecStart = "${cfg.package}/bin/pgadmin4";
};
};

View file

@ -76,7 +76,7 @@ in {
systemd.services.mopidy = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "sound.target" ];
after = [ "network-online.target" "sound.target" ];
description = "mopidy music player daemon";
serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
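Review bot: `after = [ "network-online.target" "sound.target" ];` without a matching `wants = [ "network-online.target" ];` only orders the unit if something else pulls `network-online.target` in; on systems where nothing does, the change has no effect and mopidy still starts before the network is up. Add `wants = [ "network-online.target" ];` alongside the `after` entry, as systemd's documentation recommends for this target.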

View file

@ -0,0 +1,129 @@
{ pkgs, config, lib, ... }:
let
cfg = config.services.mympd;
in {
options = {
services.mympd = {
enable = lib.mkEnableOption (lib.mdDoc "MyMPD server");
package = lib.mkPackageOption pkgs "mympd" {};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = lib.mdDoc ''
Open ports needed for the functionality of the program.
'';
};
extraGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "music" ];
description = lib.mdDoc ''
Additional groups for the systemd service.
'';
};
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = with lib.types; attrsOf (nullOr (oneOf [ str bool int ]));
options = {
http_port = lib.mkOption {
type = lib.types.port;
description = lib.mdDoc ''
The HTTP port where mympd's web interface will be available.
The HTTPS/SSL port can be configured via {option}`config`.
'';
example = "8080";
};
ssl = lib.mkOption {
type = lib.types.bool;
description = lib.mdDoc ''
Whether to enable listening on the SSL port.
Refer to <https://jcorporation.github.io/myMPD/configuration/configuration-files#ssl-options>
for more information.
'';
default = false;
};
};
};
description = lib.mdDoc ''
Manages the configuration files declaratively. For all the configuration
options, see <https://jcorporation.github.io/myMPD/configuration/configuration-files>.
Each key represents the "File" column from the upstream configuration table, and the
value is the content of that file.
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.mympd = {
# upstream service config: https://github.com/jcorporation/myMPD/blob/master/contrib/initscripts/mympd.service.in
after = [ "mpd.service" ];
wantedBy = [ "multi-user.target" ];
preStart = with lib; ''
config_dir="/var/lib/mympd/config"
mkdir -p "$config_dir"
${pipe cfg.settings [
(mapAttrsToList (name: value: ''
echo -n "${if isBool value then boolToString value else toString value}" > "$config_dir/${name}"
''))
(concatStringsSep "\n")
]}
'';
unitConfig = {
Description = "myMPD server daemon";
Documentation = "man:mympd(1)";
};
serviceConfig = {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
DynamicUser = true;
ExecStart = lib.getExe cfg.package;
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictRealtime = true;
StateDirectory = "mympd";
CacheDirectory = "mympd";
RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
SupplementaryGroups = cfg.extraGroups;
};
};
networking.firewall = lib.mkMerge [
(lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.settings.http_port ];
})
(lib.mkIf (cfg.openFirewall && cfg.settings.ssl && cfg.settings.ssl_port != null) {
allowedTCPPorts = [ cfg.settings.ssl_port ];
})
];
};
meta.maintainers = [ lib.maintainers.eliandoran ];
}
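Review bot: `lib.mkIf (cfg.openFirewall && cfg.settings.ssl && cfg.settings.ssl_port != null)` fails evaluation with "attribute 'ssl_port' missing" when `ssl = true` is set without an explicit `ssl_port`, because `ssl_port` is not a declared option and only exists in the freeform set when the user provides it; use `(cfg.settings.ssl_port or null) != null`, or declare `ssl_port` with a default. Also `example = "8080";` on `http_port` is a string while the type is `lib.types.port` (an integer), so the example would fail the type check; make it `example = 8080;`. The hardening block is a good baseline for a network-facing daemon running as a `DynamicUser`; `ProtectSystem = "strict"` and `PrivateTmp` are already implied by `DynamicUser = true`.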

View file

@ -121,6 +121,7 @@ in
in mkIf (cfg.servers != {}) {
systemd.services = mapAttrs' (server: options:
nameValuePair "wyoming-faster-whisper-${server}" {
inherit (options) enable;
description = "Wyoming faster-whisper server instance ${server}";
after = [
"network-online.target"

View file

@ -116,6 +116,7 @@ in
in mkIf (cfg.servers != {}) {
systemd.services = mapAttrs' (server: options:
nameValuePair "wyoming-piper-${server}" {
inherit (options) enable;
description = "Wyoming Piper server instance ${server}";
after = [
"network-online.target"

View file

@ -143,20 +143,15 @@ let
};
# Paths listed in ReadWritePaths must exist before service is started
mkActivationScript = name: cfg:
mkTmpfiles = name: cfg:
let
install = "install -o ${cfg.user} -g ${cfg.group}";
in
nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] (''
# Ensure that the home directory already exists
# We can't assert createHome == true because that's not the case for root
cd "${config.users.users.${cfg.user}.home}"
# Create each directory separately to prevent root owned parent dirs
${install} -d .config .config/borg
${install} -d .cache .cache/borg
'' + optionalString (isLocalPath cfg.repo && !cfg.removableDevice) ''
${install} -d ${escapeShellArg cfg.repo}
''));
settings = { inherit (cfg) user group; };
in lib.nameValuePair "borgbackup-job-${name}" ({
"${config.users.users."${cfg.user}".home}/.config/borg".d = settings;
"${config.users.users."${cfg.user}".home}/.cache/borg".d = settings;
} // optionalAttrs (isLocalPath cfg.repo && !cfg.removableDevice) {
"${cfg.repo}".d = settings;
});
mkPassAssertion = name: cfg: {
assertion = with cfg.encryption;
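Review bot: the tmpfiles rules only cover `~/.config/borg` and `~/.cache/borg`, dropping the explicit `.config` and `.cache` entries the old script created "separately to prevent root owned parent dirs"; `systemd-tmpfiles` creates missing parent directories, but applies the rule's user/group only to the leaf, so on a fresh home directory `~/.config` and `~/.cache` can end up root-owned for a non-root backup user. Add `d` entries for `${home}/.config` and `${home}/.cache` with the same `settings`, and since `~/.config/borg` holds repository keys, consider `settings // { mode = "0700"; }` for the two borg directories rather than the default 0755.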
@ -602,53 +597,56 @@ in {
};
extraArgs = mkOption {
type = types.str;
type = with types; coercedTo (listOf str) escapeShellArgs str;
description = lib.mdDoc ''
Additional arguments for all {command}`borg` calls the
service has. Handle with care.
'';
default = "";
example = "--remote-path=/path/to/borg";
default = [ ];
example = [ "--remote-path=/path/to/borg" ];
};
extraInitArgs = mkOption {
type = types.str;
type = with types; coercedTo (listOf str) escapeShellArgs str;
description = lib.mdDoc ''
Additional arguments for {command}`borg init`.
Can also be set at runtime using `$extraInitArgs`.
'';
default = "";
example = "--append-only";
default = [ ];
example = [ "--append-only" ];
};
extraCreateArgs = mkOption {
type = types.str;
type = with types; coercedTo (listOf str) escapeShellArgs str;
description = lib.mdDoc ''
Additional arguments for {command}`borg create`.
Can also be set at runtime using `$extraCreateArgs`.
'';
default = "";
example = "--stats --checkpoint-interval 600";
default = [ ];
example = [
"--stats"
"--checkpoint-interval 600"
];
};
extraPruneArgs = mkOption {
type = types.str;
type = with types; coercedTo (listOf str) escapeShellArgs str;
description = lib.mdDoc ''
Additional arguments for {command}`borg prune`.
Can also be set at runtime using `$extraPruneArgs`.
'';
default = "";
example = "--save-space";
default = [ ];
example = [ "--save-space" ];
};
extraCompactArgs = mkOption {
type = types.str;
type = with types; coercedTo (listOf str) escapeShellArgs str;
description = lib.mdDoc ''
Additional arguments for {command}`borg compact`.
Can also be set at runtime using `$extraCompactArgs`.
'';
default = "";
example = "--cleanup-commits";
default = [ ];
example = [ "--cleanup-commits" ];
};
};
}
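Review bot: with `type = with types; coercedTo (listOf str) escapeShellArgs str;`, each list element becomes one shell word, so the new `extraCreateArgs` example `"--checkpoint-interval 600"` is passed to borg as the single argument `'--checkpoint-interval 600'` and will be rejected; the example should be `[ "--stats" "--checkpoint-interval" "600" ]`. The other examples (`"--remote-path=/path/to/borg"`, `"--append-only"`, `"--save-space"`, `"--cleanup-commits"`) are single tokens and are fine, and the coercion keeps existing string values working.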
@ -757,7 +755,7 @@ in {
++ mapAttrsToList mkSourceAssertions jobs
++ mapAttrsToList mkRemovableDeviceAssertions jobs;
system.activationScripts = mapAttrs' mkActivationScript jobs;
systemd.tmpfiles.settings = mapAttrs' mkTmpfiles jobs;
systemd.services =
# A job named "foo" is mapped to systemd.services.borgbackup-job-foo

View file

@ -6,14 +6,17 @@ let
concatMapStringsSep
concatStringsSep
filterAttrs
flatten
getAttr
isAttrs
literalExpression
mapAttrs'
mapAttrsToList
mkIf
mkOption
optional
optionalString
sort
sortOn
types
;
@ -37,7 +40,7 @@ let
genConfig = set:
let
pairs = mapAttrsToList (name: value: { inherit name value; }) set;
sortedPairs = sort (a: b: prioOf a < prioOf b) pairs;
sortedPairs = sortOn prioOf pairs;
in
concatMap genPair sortedPairs;
genSection = sec: secName: value:
@ -84,6 +87,18 @@ let
'';
};
streamCompressMap = {
gzip = pkgs.gzip;
pigz = pkgs.pigz;
bzip2 = pkgs.bzip2;
pbzip2 = pkgs.pbzip2;
bzip3 = pkgs.bzip3;
xz = pkgs.xz;
lzo = pkgs.lzo;
lz4 = pkgs.lz4;
zstd = pkgs.zstd;
};
cfg = config.services.btrbk;
sshEnabled = cfg.sshAccess != [ ];
serviceEnabled = cfg.instances != { };
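Review bot: `lzo = pkgs.lzo;` in `streamCompressMap` looks like the wrong package: `pkgs.lzo` is the liblzo2 library, whereas btrbk's `stream_compress lzo` shells out to the `lzop` command, which is in `pkgs.lzop`. Worth checking every entry of the map against the binary btrbk actually executes for that method, because a mismatch only shows up at backup time as a missing program on the service's `path`.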
@ -94,7 +109,14 @@ in
options = {
services.btrbk = {
extraPackages = mkOption {
description = lib.mdDoc "Extra packages for btrbk, like compression utilities for `stream_compress`";
description = lib.mdDoc ''
Extra packages for btrbk, like compression utilities for `stream_compress`.
**Note**: This option will get deprecated in future releases.
Required compression programs will get automatically provided to btrbk
depending on configured compression method in
`services.btrbk.instances.<name>.settings` option.
'';
type = types.listOf types.package;
default = [ ];
example = literalExpression "[ pkgs.xz ]";
@ -124,7 +146,19 @@ in
'';
};
settings = mkOption {
type = let t = types.attrsOf (types.either types.str (t // { description = "instances of this type recursively"; })); in t;
type = types.submodule {
freeformType = let t = types.attrsOf (types.either types.str (t // { description = "instances of this type recursively"; })); in t;
options = {
stream_compress = mkOption {
description = lib.mdDoc ''
Compress the btrfs send stream before transferring it from/to remote locations using a
compression command.
'';
type = types.enum ["gzip" "pigz" "bzip2" "pbzip2" "bzip3" "xz" "lzo" "lz4" "zstd" "no"];
default = "no";
};
};
};
default = { };
example = {
snapshot_preserve_min = "2d";
@ -169,6 +203,11 @@ in
};
config = mkIf (sshEnabled || serviceEnabled) {
warnings = optional (cfg.extraPackages != []) ''
extraPackages option will be deprecated in future releases. Programs required for compression are now automatically selected depending on services.btrbk.instances.<name>.settings.stream_compress option.
'';
environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;
security.sudo.extraRules = mkIf (sudo_doas == "sudo") [ sudoRule ];
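Review bot: the warning guarded by `optional (cfg.extraPackages != [])` fires for every use of `extraPackages`, including uses the option description still presents as legitimate ("like compression utilities" implies there are others, such as tools for `stream_buffer` or `rate_limit`). Either restrict the warning to packages that are now provided through `streamCompressMap`, or reword it so users with non-compression packages are not told to drop them. The message is also a single very long line; wrapping it inside the `''` string as the option descriptions do would help readability.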
@ -232,12 +271,15 @@ in
cfg.instances;
systemd.services = mapAttrs'
(
name: _: {
name: instance: {
name = "btrbk-${name}";
value = {
description = "Takes BTRFS snapshots and maintains retention policies.";
unitConfig.Documentation = "man:btrbk(1)";
path = [ "/run/wrappers" ] ++ cfg.extraPackages;
path = [ "/run/wrappers" ]
++ cfg.extraPackages
++ optional (instance.settings.stream_compress != "no")
(getAttr instance.settings.stream_compress streamCompressMap);
serviceConfig = {
User = "btrbk";
Group = "btrbk";

View file

@ -384,10 +384,11 @@ in
${lib.optionalString (backup.environmentFile != null) "source ${backup.environmentFile}"}
# set same environment variables as the systemd service
${lib.pipe config.systemd.services."restic-backups-${name}".environment [
(lib.filterAttrs (_: v: v != null))
(lib.filterAttrs (n: v: v != null && n != "PATH"))
(lib.mapAttrsToList (n: v: "${n}=${v}"))
(lib.concatStringsSep "\n")
]}
PATH=${config.systemd.services."restic-backups-${name}".environment.PATH}:$PATH
exec ${resticCmd} $@
'') (lib.filterAttrs (_: v: v.createWrapper) config.services.restic.backups);
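Review bot: the context line `exec ${resticCmd} $@` should quote `"$@"`: unquoted, arguments with whitespace or glob characters (for example `--exclude 'My Documents'`) are re-split before restic sees them, which matters more now that this wrapper is the supported way to run restic with the service's environment. The new `PATH=...:$PATH` line is fine for store paths (no spaces, no quoting needed), but it dereferences `environment.PATH` of the service unconditionally, so confirm the `restic-backups-*` units always carry a non-empty `path`, otherwise evaluation fails with a missing attribute.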

View file

@ -2,10 +2,15 @@
with lib;
let cfg = config.snapraid;
let cfg = config.services.snapraid;
in
{
options.snapraid = with types; {
imports = [
# Should have never been on the top-level.
(mkRenamedOptionModule [ "snapraid" ] [ "services" "snapraid" ])
];
options.services.snapraid = with types; {
enable = mkEnableOption (lib.mdDoc "SnapRAID");
dataDisks = mkOption {
default = { };

View file

@ -13,6 +13,13 @@ in
###### interface
options.services.kubernetes.flannel = {
enable = mkEnableOption (lib.mdDoc "flannel networking");
openFirewallPorts = mkOption {
description = lib.mdDoc ''
Whether to open the Flannel UDP ports in the firewall on all interfaces.'';
type = types.bool;
default = true;
};
};
###### implementation
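Review bot: `openFirewallPorts` defaults to `true`, which preserves the existing behaviour of opening 8285/udp and 8472/udp on every interface, but it departs from the `openFirewall` name and `false` default used by other NixOS service modules. If backwards compatibility is the reason, state that in the description so a later cleanup can flip the default; otherwise default to `false`, since a VXLAN port reachable on all interfaces is not something most users expect to receive implicitly when enabling a component.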
@ -38,7 +45,7 @@ in
};
networking = {
firewall.allowedUDPPorts = [
firewall.allowedUDPPorts = mkIf cfg.openFirewallPorts [
8285 # flannel udp
8472 # flannel vxlan
];

View file

@ -212,7 +212,7 @@ in
services.certmgr = {
enable = true;
package = pkgs.certmgr-selfsigned;
package = pkgs.certmgr;
svcManager = "command";
specs =
let
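Review bot: switching `package = pkgs.certmgr-selfsigned` to `pkgs.certmgr` changes which build runs the certificate bootstrap, yet nothing in the hunk explains why the self-signed variant is no longer needed or whether the existing `specs` behave identically with the stock package. A short comment above `package = pkgs.certmgr;` (or the reasoning in the commit message) would save the next maintainer from re-deriving it.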

View file

@ -69,8 +69,8 @@ with lib;
confDir = mkOption {
type = types.path;
description = lib.mdDoc "Spark configuration directory. Spark will use the configuration files (spark-defaults.conf, spark-env.sh, log4j.properties, etc) from this directory.";
default = "${cfg.package}/lib/${cfg.package.untarDir}/conf";
defaultText = literalExpression ''"''${package}/lib/''${package.untarDir}/conf"'';
default = "${cfg.package}/conf";
defaultText = literalExpression ''"''${package}/conf"'';
};
logDir = mkOption {
type = types.path;
@ -111,9 +111,9 @@ with lib;
Type = "forking";
User = "spark";
Group = "spark";
WorkingDirectory = "${cfg.package}/lib/${cfg.package.untarDir}";
ExecStart = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/start-master.sh";
ExecStop = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/stop-master.sh";
WorkingDirectory = "${cfg.package}/";
ExecStart = "${cfg.package}/sbin/start-master.sh";
ExecStop = "${cfg.package}/sbin/stop-master.sh";
TimeoutSec = 300;
StartLimitBurst=10;
Restart = "always";
@ -134,9 +134,9 @@ with lib;
serviceConfig = {
Type = "forking";
User = "spark";
WorkingDirectory = "${cfg.package}/lib/${cfg.package.untarDir}";
ExecStart = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/start-worker.sh spark://${cfg.worker.master}";
ExecStop = "${cfg.package}/lib/${cfg.package.untarDir}/sbin/stop-worker.sh";
WorkingDirectory = "${cfg.package}/";
ExecStart = "${cfg.package}/sbin/start-worker.sh spark://${cfg.worker.master}";
ExecStop = "${cfg.package}/sbin/stop-worker.sh";
TimeoutSec = 300;
StartLimitBurst=10;
Restart = "always";

View file

@ -305,5 +305,5 @@ in {
'')
];
meta.maintainers = with lib.maintainers; [ mic92 lopsided98 ];
meta.maintainers = lib.teams.buildbot.members;
}

View file

@ -188,6 +188,6 @@ in {
};
};
meta.maintainers = with lib.maintainers; [ ];
meta.maintainers = lib.teams.buildbot.members;
}

View file

@ -35,6 +35,12 @@ let
type = lib.types.str;
};
extraGroups = lib.mkOption {
default = [ "keys" ];
description = lib.mdDoc "Groups the user for this buildkite agent should belong to";
type = lib.types.listOf lib.types.str;
};
runtimePackages = lib.mkOption {
default = [ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ];
defaultText = lib.literalExpression "[ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]";
@ -150,7 +156,7 @@ in
home = cfg.dataDir;
createHome = true;
description = "Buildkite agent user";
extraGroups = [ "keys" ];
extraGroups = cfg.extraGroups;
isSystemUser = true;
group = "buildkite-agent-${name}";
};

View file

@ -236,6 +236,7 @@ in {
serviceConfig = {
User = cfg.user;
StateDirectory = mkIf (hasPrefix "/var/lib/jenkins" cfg.home) "jenkins";
};
};
};
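Review bot: `hasPrefix "/var/lib/jenkins" cfg.home` also matches homes such as `/var/lib/jenkins2` or `/var/lib/jenkins-ci`, in which case `StateDirectory = "jenkins"` makes systemd create and chown `/var/lib/jenkins` rather than the configured home. Match exactly: `cfg.home == "/var/lib/jenkins" || hasPrefix "/var/lib/jenkins/" cfg.home`.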

View file

@ -108,6 +108,11 @@ in
};
users.groups.aerospike.gid = config.ids.gids.aerospike;
boot.kernel.sysctl = {
"net.core.rmem_max" = mkDefault 15728640;
"net.core.wmem_max" = mkDefault 5242880;
};
systemd.services.aerospike = rec {
description = "Aerospike server";
@ -131,14 +136,6 @@ in
echo "kernel.shmmax too low, setting to 1GB"
${pkgs.procps}/bin/sysctl -w kernel.shmmax=1073741824
fi
if [ $(echo "$(cat /proc/sys/net/core/rmem_max) < 15728640" | ${pkgs.bc}/bin/bc) == "1" ]; then
echo "increasing socket buffer limit (/proc/sys/net/core/rmem_max): $(cat /proc/sys/net/core/rmem_max) -> 15728640"
echo 15728640 > /proc/sys/net/core/rmem_max
fi
if [ $(echo "$(cat /proc/sys/net/core/wmem_max) < 5242880" | ${pkgs.bc}/bin/bc) == "1" ]; then
echo "increasing socket buffer limit (/proc/sys/net/core/wmem_max): $(cat /proc/sys/net/core/wmem_max) -> 5242880"
echo 5242880 > /proc/sys/net/core/wmem_max
fi
install -d -m0700 -o ${serviceConfig.User} -g ${serviceConfig.Group} "${cfg.workDir}"
install -d -m0700 -o ${serviceConfig.User} -g ${serviceConfig.Group} "${cfg.workDir}/smd"
install -d -m0700 -o ${serviceConfig.User} -g ${serviceConfig.Group} "${cfg.workDir}/udf"
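Review bot: moving `net.core.rmem_max`/`net.core.wmem_max` into `boot.kernel.sysctl` with `mkDefault` changes the semantics: the old preStart only raised the values when they were below the threshold, whereas a value set elsewhere at normal priority now wins silently even when it is lower, and the `kernel.shmmax` check at `echo "kernel.shmmax too low, setting to 1GB"` is still done the old way in preStart. For consistency move `kernel.shmmax` to `boot.kernel.sysctl` as well (or keep all three together); the sysctl route is preferable because the setting is applied at boot and visible in the system configuration instead of being mutated by a service at start-up.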

View file

@ -258,7 +258,7 @@ postgresql_15.pkgs.pg_partman postgresql_15.pkgs.pgroonga
To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`:
```
services.postgresql.package = pkgs.postgresql_12;
services.postgresql.extraPlugins = with pkgs.postgresql_12.pkgs; [
services.postgresql.extraPlugins = ps: with ps; [
pg_repack
postgis
];

View file

@ -18,7 +18,7 @@ let
in
if cfg.extraPlugins == []
then base
else base.withPackages (_: cfg.extraPlugins);
else base.withPackages cfg.extraPlugins;
toStr = value:
if true == value then "yes"
@ -391,12 +391,11 @@ in
};
extraPlugins = mkOption {
type = types.listOf types.path;
default = [];
example = literalExpression "with pkgs.postgresql_15.pkgs; [ postgis pg_repack ]";
type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
default = _: [];
example = literalExpression "ps: with ps; [ postgis pg_repack ]";
description = lib.mdDoc ''
List of PostgreSQL plugins. PostgreSQL version for each plugin should
match version for `services.postgresql.package` value.
List of PostgreSQL plugins.
'';
};
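Review bot: in `coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path))` the first parameter of the coercion lambda is the old-style plugin list, not a path, so naming it `path` misleads; `plugins: _pkgSet: plugins` reads as intended. The rewritten description drops the note that plugin versions must match `services.postgresql.package`; that is only safe when plugins are taken from the function argument, so the description should say that the function receives the plugin set of the configured package, as the example `ps: with ps; [ postgis pg_repack ]` demonstrates.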
@ -405,7 +404,7 @@ in
default = {};
description = lib.mdDoc ''
PostgreSQL configuration. Refer to
<https://www.postgresql.org/docs/15/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
<https://www.postgresql.org/docs/current/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE>
for an overview of `postgresql.conf`.
::: {.note}

View file

@ -35,6 +35,7 @@ in {
services.dbus.packages = [ pkgs.flatpak ];
systemd.packages = [ pkgs.flatpak ];
systemd.tmpfiles.packages = [ pkgs.flatpak ];
environment.profiles = [
"$HOME/.local/share/flatpak/exports"

View file

@ -4,6 +4,8 @@
with lib;
let
json = pkgs.formats.json {};
mapToFiles = location: config: concatMapAttrs (name: value: { "pipewire/${location}.conf.d/${name}.conf".source = json.generate "${name}" value;}) config;
cfg = config.services.pipewire;
enable32BitAlsaPlugins = cfg.alsa.support32Bit
&& pkgs.stdenv.isx86_64
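Review bot: `mapToFiles` depends on PipeWire accepting strict JSON in its `*.conf.d` drop-ins (PipeWire's configuration syntax is a relaxed superset of JSON), which is true but not obvious from the code; a comment on the `json.generate` call would spare readers a trip to the PipeWire wiki. The generated store path is also named `"${name}"` without the `.conf` suffix used for the `/etc` entry; naming both `"${name}.conf"` keeps them consistent.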
@ -72,15 +74,140 @@ in {
https://github.com/PipeWire/pipewire/blob/master/NEWS
'';
};
extraConfig = {
pipewire = mkOption {
type = lib.types.attrsOf json.type;
default = {};
example = {
"10-clock-rate" = {
"context.properties" = {
"default.clock.rate" = 44100;
};
};
"11-no-upmixing" = {
"stream.properties" = {
"channelmix.upmix" = false;
};
};
};
description = lib.mdDoc ''
Additional configuration for the PipeWire server.
Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/pipewire.conf.d`.
See `man pipewire.conf` for details, and [the PipeWire wiki][wiki] for examples.
See also:
- [PipeWire wiki - virtual devices][wiki-virtual-device] for creating virtual devices or remapping channels
- [PipeWire wiki - filter-chain][wiki-filter-chain] for creating more complex processing pipelines
- [PipeWire wiki - network][wiki-network] for streaming audio over a network
[wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-PipeWire
[wiki-virtual-device]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Virtual-Devices
[wiki-filter-chain]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Filter-Chain
[wiki-network]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Network
'';
};
client = mkOption {
type = lib.types.attrsOf json.type;
default = {};
example = {
"10-no-resample" = {
"stream.properties" = {
"resample.disable" = true;
};
};
};
description = lib.mdDoc ''
Additional configuration for the PipeWire client library, used by most applications.
Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/client.conf.d`.
See the [PipeWire wiki][wiki] for examples.
[wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-client
'';
};
client-rt = mkOption {
type = lib.types.attrsOf json.type;
default = {};
example = {
"10-alsa-linear-volume" = {
"alsa.properties" = {
"alsa.volume-method" = "linear";
};
};
};
description = lib.mdDoc ''
Additional configuration for the PipeWire client library, used by real-time applications and legacy ALSA clients.
Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/client-rt.conf.d`.
See the [PipeWire wiki][wiki] for examples of general configuration, and [PipeWire wiki - ALSA][wiki-alsa] for ALSA clients.
[wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-client
[wiki-alsa]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-ALSA
'';
};
jack = mkOption {
type = lib.types.attrsOf json.type;
default = {};
example = {
"20-hide-midi" = {
"jack.properties" = {
"jack.show-midi" = false;
};
};
};
description = lib.mdDoc ''
Additional configuration for the PipeWire JACK server and client library.
Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/jack.conf.d`.
See the [PipeWire wiki][wiki] for examples.
[wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-JACK
'';
};
pipewire-pulse = mkOption {
type = lib.types.attrsOf json.type;
default = {};
example = {
"15-force-s16-info" = {
"pulse.rules" = [{
matches = [
{ "application.process.binary" = "my-broken-app"; }
];
actions = {
quirks = [ "force-s16-info" ];
};
}];
};
};
description = lib.mdDoc ''
Additional configuration for the PipeWire PulseAudio server.
Every item in this attrset becomes a separate drop-in file in `/etc/pipewire/pipewire-pulse.conf.d`.
See `man pipewire-pulse.conf` for details, and [the PipeWire wiki][wiki] for examples.
See also:
- [PipeWire wiki - PulseAudio tricks guide][wiki-tricks] for more examples.
[wiki]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-PulseAudio
[wiki-tricks]: https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Guide-PulseAudio-Tricks
'';
};
};
};
};
imports = [
(lib.mkRemovedOptionModule ["services" "pipewire" "config"] ''
Overriding default Pipewire configuration through NixOS options never worked correctly and is no longer supported.
Please create drop-in files in /etc/pipewire/pipewire.conf.d/ to make the desired setting changes instead.
Overriding default PipeWire configuration through NixOS options never worked correctly and is no longer supported.
Please create drop-in configuration files via `services.pipewire.extraConfig` instead.
'')
(lib.mkRemovedOptionModule ["services" "pipewire" "media-session"] ''
pipewire-media-session is no longer supported upstream and has been removed.
Please switch to `services.pipewire.wireplumber` instead.
@ -133,26 +260,35 @@ in {
services.udev.packages = [ cfg.package ];
# If any paths are updated here they must also be updated in the package test.
environment.etc."alsa/conf.d/49-pipewire-modules.conf" = mkIf cfg.alsa.enable {
text = ''
pcm_type.pipewire {
libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;
${optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;"}
}
ctl_type.pipewire {
libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;
${optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;"}
}
'';
};
environment.etc."alsa/conf.d/50-pipewire.conf" = mkIf cfg.alsa.enable {
source = "${cfg.package}/share/alsa/alsa.conf.d/50-pipewire.conf";
};
environment.etc."alsa/conf.d/99-pipewire-default.conf" = mkIf cfg.alsa.enable {
source = "${cfg.package}/share/alsa/alsa.conf.d/99-pipewire-default.conf";
};
environment.etc = {
"alsa/conf.d/49-pipewire-modules.conf" = mkIf cfg.alsa.enable {
text = ''
pcm_type.pipewire {
libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;
${optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_pcm_pipewire.so ;"}
}
ctl_type.pipewire {
libs.native = ${cfg.package}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;
${optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs.pkgsi686Linux.pipewire}/lib/alsa-lib/libasound_module_ctl_pipewire.so ;"}
}
'';
};
"alsa/conf.d/50-pipewire.conf" = mkIf cfg.alsa.enable {
source = "${cfg.package}/share/alsa/alsa.conf.d/50-pipewire.conf";
};
"alsa/conf.d/99-pipewire-default.conf" = mkIf cfg.alsa.enable {
source = "${cfg.package}/share/alsa/alsa.conf.d/99-pipewire-default.conf";
};
}
// mapToFiles "pipewire" cfg.extraConfig.pipewire
// mapToFiles "client" cfg.extraConfig.client
// mapToFiles "client-rt" cfg.extraConfig.client-rt
// mapToFiles "jack" cfg.extraConfig.jack
// mapToFiles "pipewire-pulse" cfg.extraConfig.pipewire-pulse;
environment.sessionVariables.LD_LIBRARY_PATH =
lib.mkIf cfg.jack.enable [ "${cfg.package.jack}/lib" ];

View file

@ -18,7 +18,7 @@ which runs the server.
port = 20123;
# See note below about security
environmentFile = pkgs.writeText "livebook.env" ''
LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
'';
};
}
@ -37,3 +37,14 @@ A better approach would be to put the password in some secure
user-readable location and set `environmentFile = /home/user/secure/livebook.env`.
:::
### Extra dependencies {#module-services-livebook-extra-dependencies}
By default, the Livebook service is run with minimum dependencies, but
some features require additional packages. For example, the machine
learning Kinos require `gcc` and `gnumake`. To add these, use
`extraPackages`:
```
services.livebook.extraPackages = with pkgs; [ gcc gnumake ];
```

View file

@ -12,6 +12,8 @@ in
# future, this can be changed to a system service.
enableUserService = mkEnableOption "a user service for Livebook";
package = mkPackageOption pkgs "livebook" { };
environmentFile = mkOption {
type = types.path;
description = lib.mdDoc ''
@ -63,6 +65,15 @@ in
}
'';
};
extraPackages = mkOption {
type = with types; listOf package;
default = [ ];
description = lib.mdDoc ''
Extra packages to make available to the Livebook service.
'';
example = literalExpression "with pkgs; [ gcc gnumake ]";
};
};
config = mkIf cfg.enableUserService {
@ -79,9 +90,9 @@ in
sname = cfg.erlang_node_short_name;
} // cfg.options);
in
"${pkgs.livebook}/bin/livebook server ${args}";
"${cfg.package}/bin/livebook server ${args}";
};
path = [ pkgs.bash ];
path = [ pkgs.bash ] ++ cfg.extraPackages;
wantedBy = [ "default.target" ];
};
};

View file

@ -21,6 +21,7 @@ let
NODE_ENV = "production";
RAILS_SERVE_STATIC_FILES = "true";
RAILS_LOG_TO_STDOUT = "true";
REDIS_URL = "redis://${cfg.redis.host}:${toString cfg.redis.port}";
};
databaseConfig = settingsFormat.generate "database.yml" cfg.database.settings;
in
@ -65,6 +66,36 @@ in
description = lib.mdDoc "Websocket service port.";
};
redis = {
createLocally = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Whether to create a local redis automatically.";
};
name = mkOption {
type = types.str;
default = "zammad";
description = lib.mdDoc ''
Name of the redis server. Only used if `createLocally` is set to true.
'';
};
host = mkOption {
type = types.str;
default = "localhost";
description = lib.mdDoc ''
Redis server address.
'';
};
port = mkOption {
type = types.port;
default = 6379;
description = lib.mdDoc "Port of the redis server.";
};
};
database = {
type = mkOption {
type = types.enum [ "PostgreSQL" "MySQL" ];
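Review bot: `REDIS_URL` is assembled from `host` and `port` only, so there is no way to supply a password or a TLS scheme for a non-local Redis, and the locally created instance gets no authentication settings in this change either. Either add a URL or `passwordFile` option for the remote case, or document that `host != "localhost"` means Zammad talks to an unauthenticated Redis over the network, which is a material difference for a ticketing system holding customer data.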
@ -206,6 +237,10 @@ in
assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = "a password cannot be specified if services.zammad.database.createLocally is set to true";
}
{
assertion = cfg.redis.createLocally -> cfg.redis.host == "localhost";
message = "the redis host must be localhost if services.zammad.redis.createLocally is set to true";
}
];
services.mysql = optionalAttrs (cfg.database.createLocally && cfg.database.type == "MySQL") {
@ -231,6 +266,13 @@ in
];
};
services.redis = optionalAttrs cfg.redis.createLocally {
servers."${cfg.redis.name}" = {
enable = true;
port = cfg.redis.port;
};
};
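Review bot: the local Redis unit created here is added to `after` of `zammad-web` in the following hunk but not to its `requires` (the `requires = [ "postgresql.service" ...` list right below that addition), so `zammad-web` can start while Redis is down and only fail on first use. Mirror the `optionals cfg.redis.createLocally [ "redis-${cfg.redis.name}.service" ]` addition in `requires`, and consider the same for `zammad-websocket` and `zammad-worker` if they touch Redis.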
systemd.services.zammad-web = {
inherit environment;
serviceConfig = serviceConfig // {
@ -240,6 +282,8 @@ in
after = [
"network.target"
"postgresql.service"
] ++ optionals cfg.redis.createLocally [
"redis-${cfg.redis.name}.service"
];
requires = [
"postgresql.service"
@ -303,16 +347,15 @@ in
script = "./script/websocket-server.rb -b ${cfg.host} -p ${toString cfg.websocketPort} start";
};
systemd.services.zammad-scheduler = {
inherit environment;
serviceConfig = serviceConfig // { Type = "forking"; };
systemd.services.zammad-worker = {
inherit serviceConfig environment;
after = [ "zammad-web.service" ];
requires = [ "zammad-web.service" ];
description = "Zammad scheduler";
description = "Zammad background worker";
wantedBy = [ "multi-user.target" ];
script = "./script/scheduler.rb start";
script = "./script/background-worker.rb start";
};
};
meta.maintainers = with lib.maintainers; [ garbas taeer ];
meta.maintainers = with lib.maintainers; [ taeer netali ];
}

View file

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.greetd;
tty = "tty${toString cfg.vt}";
settingsFormat = pkgs.formats.toml {};
settingsFormat = pkgs.formats.toml { };
in
{
options.services.greetd = {
@ -27,7 +27,7 @@ in
'';
};
vt = mkOption {
vt = mkOption {
type = types.int;
default = 1;
description = lib.mdDoc ''
@ -97,12 +97,18 @@ in
systemd.defaultUnit = "graphical.target";
# Create directories potentially required by supported greeters
# See https://github.com/NixOS/nixpkgs/issues/248323
systemd.tmpfiles.rules = [
"d '/var/cache/tuigreet' - greeter greeter - -"
];
users.users.greeter = {
isSystemUser = true;
group = "greeter";
};
users.groups.greeter = {};
users.groups.greeter = { };
};
meta.maintainers = with maintainers; [ queezle ];

View file

@ -100,7 +100,7 @@ in
serviceConfig = {
DynamicUser = true;
ExecStart = "${pkgs.teeworlds}/bin/teeworlds_srv -f ${teeworldsConf}";
ExecStart = "${pkgs.teeworlds-server}/bin/teeworlds_srv -f ${teeworldsConf}";
# Hardening
CapabilityBoundingSet = false;

View file

@ -78,7 +78,13 @@ let
mkName = name: "kanata-${name}";
mkDevices = devices:
optionalString ((length devices) > 0) "linux-dev ${concatStringsSep ":" devices}";
let
devicesString = pipe devices [
(map (device: "\"" + device + "\""))
(concatStringsSep " ")
];
in
optionalString ((length devices) > 0) "linux-dev (${devicesString})";
mkConfig = name: keyboard: pkgs.writeText "${mkName name}-config.kdb" ''
(defcfg

View file

@ -143,7 +143,7 @@ in
RuntimeDirectory = "keyd";
# Hardening
CapabilityBoundingSet = "";
CapabilityBoundingSet = [ "CAP_SYS_NICE" ];
DeviceAllow = [
"char-input rw"
"/dev/uinput rw"
@ -152,7 +152,7 @@ in
PrivateNetwork = true;
ProtectHome = true;
ProtectHostname = true;
PrivateUsers = true;
PrivateUsers = false;
PrivateMounts = true;
PrivateTmp = true;
RestrictNamespaces = true;
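Review bot: `PrivateUsers = false` is a notable relaxation (keyd now shares the host user namespace, so a compromised daemon is no longer confined to an unprivileged userns) and together with the new `CapabilityBoundingSet = [ "CAP_SYS_NICE" ]` in the hunk above it arrives without a stated reason. Presumably capabilities held inside a private user namespace do not allow changing priority in the initial namespace, which is why both lines change at once; say so in a comment next to the line so nobody re-hardens it without understanding the breakage. Also note that the bounding set alone does not grant a capability to an unprivileged service user; if keyd does not run as root, `AmbientCapabilities` is what actually hands over `CAP_SYS_NICE`.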
@ -165,9 +165,9 @@ in
LockPersonality = true;
ProtectProc = "invisible";
SystemCallFilter = [
"nice"
"@system-service"
"~@privileged"
"~@resources"
];
RestrictAddressFamilies = [ "AF_UNIX" ];
RestrictSUIDSGID = true;
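Review bot: the added `"nice"` entry in `SystemCallFilter` most likely has no effect on x86_64, where there is no `nice(2)` syscall: glibc implements `nice()` with `setpriority(2)`, and `setpriority` belongs to `@resources`, which the trailing `"~@resources"` still removes from the allow-list. Check with `systemd-analyze syscall-filter @resources` on the target architecture and, if keyd's priority change motivated this, allow `setpriority` explicitly (or drop `~@resources`); as written the filter may still terminate the daemon with SIGSYS on the very call the change intends to permit.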

View file

@ -1,10 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.power-profiles-daemon;
package = pkgs.power-profiles-daemon;
in
{
@ -15,8 +12,8 @@ in
services.power-profiles-daemon = {
enable = mkOption {
type = types.bool;
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable power-profiles-daemon, a DBus daemon that allows
@ -24,6 +21,8 @@ in
'';
};
package = lib.mkPackageOption pkgs "power-profiles-daemon" { };
};
};
@ -31,7 +30,7 @@ in
###### implementation
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
assertions = [
{ assertion = !config.services.tlp.enable;
@ -42,13 +41,13 @@ in
}
];
environment.systemPackages = [ package ];
environment.systemPackages = [ cfg.package ];
services.dbus.packages = [ package ];
services.dbus.packages = [ cfg.package ];
services.udev.packages = [ package ];
services.udev.packages = [ cfg.package ];
systemd.packages = [ package ];
systemd.packages = [ cfg.package ];
};

View file

@ -4,7 +4,7 @@ with lib;
let
pkg = pkgs.sane-backends.override {
pkg = config.hardware.sane.backends-package.override {
scanSnapDriversUnfree = config.hardware.sane.drivers.scanSnap.enable;
scanSnapDriversPackage = config.hardware.sane.drivers.scanSnap.package;
};
@ -57,6 +57,13 @@ in
'';
};
hardware.sane.backends-package = mkOption {
type = types.package;
default = pkgs.sane-backends;
defaultText = literalExpression "pkgs.sane-backends";
description = lib.mdDoc "Backends driver package to use.";
};
hardware.sane.snapshot = mkOption {
type = types.bool;
default = false;

View file

@ -19,6 +19,12 @@ in
'';
};
ignoreCpuidCheck = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to ignore the cpuid check to allow running on unsupported platforms";
};
configFile = mkOption {
type = types.nullOr types.path;
default = null;
@ -42,6 +48,7 @@ in
${cfg.package}/sbin/thermald \
--no-daemon \
${optionalString cfg.debug "--loglevel=debug"} \
${optionalString cfg.ignoreCpuidCheck "--ignore-cpuid-check"} \
${optionalString (cfg.configFile != null) "--config-file ${cfg.configFile}"} \
--dbus-enable \
--adaptive

View file

@ -112,7 +112,8 @@ let
echo "OK"
filesToFixup="$(for i in "$out"/*; do
grep -l '\B\(/usr\)\?/s\?bin' "$i" || :
# list all files referring to (/usr)/bin paths, but allow references to /bin/sh.
grep -P -l '\B(?!\/bin\/sh\b)(\/usr)?\/bin(?:\/.*)?' "$i" || :
done)"
if [ -n "$filesToFixup" ]; then
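Review bot: the new pattern `'\B(?!\/bin\/sh\b)(\/usr)?\/bin(?:\/.*)?'` drops the `s?` of the old `s\?bin`, so rules referring to `/sbin` or `/usr/sbin` are no longer reported although they are just as broken on NixOS; keep `(\/usr)?\/s?bin`. The trailing `(?:\/.*)?` adds nothing for a `grep -l` match and can go. Note also that the negative lookahead exempts only a bare `/bin/sh`, so `/usr/bin/sh` is still flagged; if that is intended, the comment should say so.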
@ -222,6 +223,9 @@ in
description = lib.mdDoc ''
Packages added to the {env}`PATH` environment variable when
executing programs from Udev rules.
coreutils, gnu{sed,grep}, util-linux and config.systemd.package are
automatically included.
'';
};

View file

@ -1,18 +1,15 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.vdr;
libDir = "/var/lib/vdr";
in {
###### interface
inherit (lib)
mkEnableOption mkPackageOption mkOption types mkIf optional mdDoc;
in
{
options = {
services.vdr = {
enable = mkEnableOption (lib.mdDoc "VDR. Please put config into ${libDir}");
enable = mkEnableOption (mdDoc "Start VDR");
package = mkPackageOption pkgs "vdr" {
example = "wrapVdr.override { plugins = with pkgs.vdrPlugins; [ hello ]; }";
@ -21,58 +18,84 @@ in {
videoDir = mkOption {
type = types.path;
default = "/srv/vdr/video";
description = lib.mdDoc "Recording directory";
description = mdDoc "Recording directory";
};
extraArguments = mkOption {
type = types.listOf types.str;
default = [];
description = lib.mdDoc "Additional command line arguments to pass to VDR.";
default = [ ];
description = mdDoc "Additional command line arguments to pass to VDR.";
};
enableLirc = mkEnableOption (lib.mdDoc "LIRC");
enableLirc = mkEnableOption (mdDoc "LIRC");
user = mkOption {
type = types.str;
default = "vdr";
description = mdDoc ''
User under which the VDR service runs.
'';
};
group = mkOption {
type = types.str;
default = "vdr";
description = mdDoc ''
Group under which the VDRvdr service runs.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
config = mkIf cfg.enable (mkMerge [{
systemd.tmpfiles.rules = [
"d ${cfg.videoDir} 0755 vdr vdr -"
"Z ${cfg.videoDir} - vdr vdr -"
"d ${cfg.videoDir} 0755 ${cfg.user} ${cfg.group} -"
"Z ${cfg.videoDir} - ${cfg.user} ${cfg.group} -"
];
systemd.services.vdr = {
description = "VDR";
wantedBy = [ "multi-user.target" ];
wants = optional cfg.enableLirc "lircd.service";
after = [ "network.target" ]
++ optional cfg.enableLirc "lircd.service";
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/vdr \
--video="${cfg.videoDir}" \
--config="${libDir}" \
${escapeShellArgs cfg.extraArguments}
'';
User = "vdr";
ExecStart =
let
args = [
"--video=${cfg.videoDir}"
]
++ optional cfg.enableLirc "--lirc=${config.passthru.lirc.socket}"
++ cfg.extraArguments;
in
"${cfg.package}/bin/vdr ${lib.escapeShellArgs args}";
User = cfg.user;
Group = cfg.group;
CacheDirectory = "vdr";
StateDirectory = "vdr";
RuntimeDirectory = "vdr";
Restart = "on-failure";
};
};
users.users.vdr = {
group = "vdr";
home = libDir;
isSystemUser = true;
environment.systemPackages = [ cfg.package ];
users.users = mkIf (cfg.user == "vdr") {
vdr = {
inherit (cfg) group;
home = "/run/vdr";
isSystemUser = true;
extraGroups = [
"video"
"audio"
]
++ optional cfg.enableLirc "lirc";
};
};
users.groups.vdr = {};
}
users.groups = mkIf (cfg.group == "vdr") { vdr = { }; };
(mkIf cfg.enableLirc {
services.lirc.enable = true;
users.users.vdr.extraGroups = [ "lirc" ];
services.vdr.extraArguments = [
"--lirc=${config.passthru.lirc.socket}"
];
})]);
};
}
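Review bot: LIRC handling is duplicated in this hunk: `--lirc=${config.passthru.lirc.socket}` is added both in the `ExecStart` argument list (`++ optional cfg.enableLirc "--lirc=..."`) and again through `services.vdr.extraArguments` in the `mkIf cfg.enableLirc` block, so VDR receives the flag twice, and the `lirc` group is added both under `users.users = mkIf (cfg.user == "vdr")` and via `users.users.vdr.extraGroups = [ "lirc" ]` in that same block. The latter also defines `users.users.vdr` even when `cfg.user` is a different account, producing an extra, incompletely specified `vdr` user. Keep one source of truth and drop the `extraGroups`/`extraArguments` lines from the `mkIf cfg.enableLirc` block. Two smaller points: the `group` description reads `VDRvdr`, and `--config="${libDir}"` was removed without replacement, so confirm that VDR's compiled-in configuration directory matches `StateDirectory = "vdr"` (`/var/lib/vdr`), since the previous option text told users to put their configuration there.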

View file

@ -11,14 +11,12 @@ let
# options shown in settings.
# We post-process the result to add support for YAML functions, like secrets or includes, see e.g.
# https://www.home-assistant.io/docs/configuration/secrets/
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) cfg.config or {};
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) (lib.recursiveUpdate customLovelaceModulesResources (cfg.config or {}));
configFile = pkgs.runCommandLocal "configuration.yaml" { } ''
cp ${format.generate "configuration.yaml" filteredConfig} $out
sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out
'';
lovelaceConfig = if (cfg.lovelaceConfig == null) then {}
else (lib.recursiveUpdate customLovelaceModulesResources cfg.lovelaceConfig);
lovelaceConfigFile = format.generate "ui-lovelace.yaml" lovelaceConfig;
lovelaceConfigFile = format.generate "ui-lovelace.yaml" cfg.lovelaceConfig;
# Components advertised by the home-assistant package
availableComponents = cfg.package.availableComponents;
@ -77,7 +75,7 @@ let
# Create parts of the lovelace config that reference lovelave modules as resources
customLovelaceModulesResources = {
lovelace.resources = map (card: {
url = "/local/nixos-lovelace-modules/${card.entrypoint or card.pname}.js?${card.version}";
url = "/local/nixos-lovelace-modules/${card.entrypoint or (card.pname + ".js")}?${card.version}";
type = "module";
}) cfg.customLovelaceModules;
};
@ -159,7 +157,7 @@ in {
default = [];
example = literalExpression ''
with pkgs.home-assistant-custom-components; [
prometheus-sensor
prometheus_sensor
];
'';
description = lib.mdDoc ''
@ -470,8 +468,8 @@ in {
mkdir -p "${cfg.configDir}/custom_components"
# remove components symlinked in from below the /nix/store
components="$(find "${cfg.configDir}/custom_components" -maxdepth 1 -type l)"
for component in "$components"; do
readarray -d "" components < <(find "${cfg.configDir}/custom_components" -maxdepth 1 -type l -print0)
for component in "''${components[@]}"; do
if [[ "$(readlink "$component")" =~ ^${escapeShellArg builtins.storeDir} ]]; then
rm "$component"
fi
@ -525,7 +523,6 @@ in {
"bluetooth_tracker"
"bthome"
"default_config"
"eq3btsmart"
"eufylife_ble"
"esphome"
"fjaraskupan"

View file

@ -220,10 +220,16 @@ in
logcheck = {};
};
system.activationScripts.logcheck = ''
mkdir -m 700 -p /var/{lib,lock}/logcheck
chown ${cfg.user} /var/{lib,lock}/logcheck
'';
systemd.tmpfiles.settings.logcheck = {
"/var/lib/logcheck".d = {
mode = "700";
inherit (cfg) user;
};
"/var/lock/logcheck".d = {
mode = "700";
inherit (cfg) user;
};
};
services.cron.systemCronJobs =
let withTime = name: {timeArgs, ...}: timeArgs != null;

View file

@ -51,13 +51,17 @@ in
{
ExecStart = "${getExe cfg.package} --config ${validateConfig conf}";
DynamicUser = true;
Restart = "no";
Restart = "always";
StateDirectory = "vector";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
# This group is required for accessing journald.
SupplementaryGroups = mkIf cfg.journaldAccess "systemd-journal";
};
unitConfig = {
StartLimitIntervalSec = 10;
StartLimitBurst = 5;
};
};
};
}

View file

@ -747,7 +747,7 @@ in
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
ln -sf ${from} /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postalias -o -p /var/lib/postfix/conf/${to}
'') cfg.aliasFiles)}
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
ln -sf ${from} /var/lib/postfix/conf/${to}
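Review bot: `postalias -o -p` changes privilege and permission handling (`-o`: do not drop root privileges to the owner of a non-root input file; `-p`: do not inherit the input file's mode, create the `.db` with default 0644 permissions), and nothing says which failure this fixes. A comment above the line naming the case (alias sources that are not root-owned, or a source mode that the generated database must not copy) would help, since these are exactly the flags a later reviewer will want to understand before touching them.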
@ -779,6 +779,19 @@ in
ExecStart = "${pkgs.postfix}/bin/postfix start";
ExecStop = "${pkgs.postfix}/bin/postfix stop";
ExecReload = "${pkgs.postfix}/bin/postfix reload";
# Hardening
PrivateTmp = true;
PrivateDevices = true;
ProtectSystem = "full";
CapabilityBoundingSet = [ "~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE" ];
MemoryDenyWriteExecute = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
};
};
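Review bot: a short comment on the `# Hardening` block would save the next reviewer a round trip on the two settings that look loose: `ProtectSystem = "full"` rather than `"strict"` because postfix writes under `/var/lib/postfix` and its spool, and `AF_NETLINK` in `RestrictAddressFamilies` because postfix enumerates local interfaces through netlink (via `getifaddrs`). `ProtectSystem = "full"` also makes `/etc` read-only for the unit, which only works here because the module keeps its live configuration under `/var/lib/postfix/conf` (see the `ln -sf` lines in the previous hunk). The single `"~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE"` element is parsed by systemd as one inverted list, so all four capabilities are removed from the bounding set as intended.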

@ -0,0 +1,76 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.rspamd-trainer;
format = pkgs.formats.toml { };
in {
options.services.rspamd-trainer = {
enable = mkEnableOption (mdDoc "Spam/ham trainer for rspamd");
settings = mkOption {
default = { };
description = mdDoc ''
IMAP authentication configuration for rspamd-trainer. For supplying
the IMAP password, use the `secrets` option.
'';
type = types.submodule {
freeformType = format.type;
};
example = literalExpression ''
{
HOST = "localhost";
USERNAME = "spam@example.com";
INBOXPREFIX = "INBOX/";
}
'';
};
secrets = lib.mkOption {
type = with types; listOf path;
description = lib.mdDoc ''
A list of files containing the various secrets. Should be in the
format expected by systemd's `EnvironmentFile` directory. For the
IMAP account password use `PASSWORD = mypassword`.
'';
default = [ ];
};
};
config = mkIf cfg.enable {
systemd = {
services.rspamd-trainer = {
description = "Spam/ham trainer for rspamd";
serviceConfig = {
ExecStart = "${pkgs.rspamd-trainer}/bin/rspamd-trainer";
WorkingDirectory = "/var/lib/rspamd-trainer";
StateDirectory = [ "rspamd-trainer/log" ];
Type = "oneshot";
DynamicUser = true;
EnvironmentFile = [
( format.generate "rspamd-trainer-env" cfg.settings )
cfg.secrets
];
};
};
timers."rspamd-trainer" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10m";
OnUnitActiveSec = "10m";
Unit = "rspamd-trainer.service";
};
};
};
};
meta.maintainers = with lib.maintainers; [ onny ];
}
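Review bot: `EnvironmentFile` in `serviceConfig` ends up as a nested list, because `cfg.secrets` is already `listOf path` and is placed inside another list; each `EnvironmentFile=` line must name exactly one file, so write `[ (format.generate "rspamd-trainer-env" cfg.settings) ] ++ cfg.secrets` instead. Feeding a TOML file to `EnvironmentFile` works for flat `KEY = "value"` pairs like the example but not for TOML tables or arrays, so the `settings` description should state that values must be plain strings; in the `secrets` description, "`EnvironmentFile` directory" should read "directive". Keeping the IMAP password in a root-readable file loaded at unit start, rather than in `settings` (which is rendered into the world-readable store), is the right split and worth keeping.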

@ -1,10 +1,14 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.matrix-synapse.sliding-sync;
cfg = config.services.matrix-sliding-sync;
in
{
options.services.matrix-synapse.sliding-sync = {
imports = [
(lib.mkRenamedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] [ "services" "matrix-sliding-sync" ])
];
options.services.matrix-sliding-sync = {
enable = lib.mkEnableOption (lib.mdDoc "sliding sync");
package = lib.mkPackageOption pkgs "matrix-sliding-sync" { };
@ -83,6 +87,7 @@ in
systemd.services.matrix-sliding-sync = rec {
after =
lib.optional cfg.createDatabase "postgresql.service"
++ lib.optional config.services.dendrite.enable "dendrite.service"
++ lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit;
wants = after;
wantedBy = [ "multi-user.target" ];
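Review bot: adding `dendrite.service` to `after` also turns it into a `Wants=` dependency through the `wants = after` line in this hunk, so on a host that runs both dendrite and synapse the proxy now pulls in both homeservers rather than only the one it is configured to proxy. That mirrors how synapse is already handled, so it is consistent; if only ordering is intended, keep dendrite out of `wants`.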
