movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

Merge branch 'master' into postgresql-tests

Browse source
This commit is contained in:
Tomasz Czyż 2017-04-07 10:28:58 +01:00 committed by GitHub
commit e57cf5efd1
3308 changed files with 98258 additions and 59550 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/default.nix
View file

@ -37,7 +37,4 @@ in
vm = vmConfig.system.build.vm;
vmWithBootLoader = vmWithBootLoaderConfig.system.build.vm;
# The following are used by nixos-rebuild.
nixFallback = pkgs.nixUnstable.out;
}

4
nixos/doc/manual/configuration/luks-file-systems.xml
View file

@ -37,6 +37,10 @@ boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-
fileSystems."/".device = "/dev/mapper/crypted";
</programlisting>
Should grub be used as bootloader, and <filename>/boot</filename> is located
on an encrypted partition, it is necessary to add the following grub option:
<programlisting>boot.loader.grub.enableCryptodisk = true;</programlisting>
</para>
</section>

2
nixos/doc/manual/configuration/modularity.xml
View file

@ -37,7 +37,7 @@ latter might look like this:
{ services.xserver.enable = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.kde5.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
}
</programlisting>

6
nixos/doc/manual/configuration/network-manager.xml
View file

@ -27,7 +27,11 @@ users.extraUsers.youruser.extraGroups = [ "networkmanager" ];
<para>NetworkManager is controlled using either <command>nmcli</command> or
<command>nmtui</command> (curses-based terminal user interface). See their
manual pages for details on their usage. Some desktop environments (GNOME, KDE)
have their own configuration tools for NetworkManager.</para>
have their own configuration tools for NetworkManager. On XFCE, there is no
configuration tool for NetworkManager by default: by adding
<code>networkmanagerapplet</code> to the list of system packages, the graphical
applet will be installed and will launch automatically when XFCE is starting
(and will show in the status tray).</para>
<note><para><code>networking.networkmanager</code> and
<code>networking.wireless</code> (WPA Supplicant) cannot be enabled at the same

5
nixos/doc/manual/configuration/user-mgmt.xml
View file

@ -36,7 +36,10 @@ to set a password, which is retained across invocations of
and /etc/group will be congruent to your NixOS configuration. For instance,
if you remove a user from users.extraUsers and run nixos-rebuild, the user
account will cease to exist. Also, imperative commands for managing users
and groups, such as useradd, are no longer available.</para>
and groups, such as useradd, are no longer available. Passwords may still be
assigned by setting the user's <literal>hashedPassword</literal> option. A
hashed password can be generated using <command>mkpasswd -m sha-512</command>
after installing the <literal>mkpasswd</literal> package.</para>
<para>A user ID (uid) is assigned automatically. You can also specify
a uid manually by adding

8
nixos/doc/manual/configuration/x-windows.xml
View file

@ -25,19 +25,23 @@ Otherwise, you can only log into a plain undecorated
<command>xterm</command> window. Thus you should pick one or more of
the following lines:
<programlisting>
services.xserver.desktopManager.kde5.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.desktopManager.gnome3.enable = true;
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.twm.enable = true;
services.xserver.windowManager.icewm.enable = true;
services.xserver.windowManager.i3.enable = true;
</programlisting>
</para>
<para>NixOSs default <emphasis>display manager</emphasis> (the
program that provides a graphical login prompt and manages the X
server) is SLiM. You can select KDEs <command>sddm</command> instead:
server) is SLiM. You can select an alternative one by picking one
of the following lines:
<programlisting>
services.xserver.displayManager.sddm.enable = true;
services.xserver.displayManager.lightdm.enable = true;
</programlisting>
</para>

42
nixos/doc/manual/configuration/xfce.xml
View file

@ -9,10 +9,10 @@
<para>
To enable the Xfce Desktop Environment, set
<programlisting>
services.xserver.desktopManager = {
xfce.enable = true;
default = "xfce";
};
services.xserver.desktopManager = {
xfce.enable = true;
default = "xfce";
};
</programlisting>
</para>
@ -20,13 +20,13 @@
Optionally, <emphasis>compton</emphasis>
can be enabled for nice graphical effects, some example settings:
<programlisting>
services.compton = {
enable = true;
fade = true;
inactiveOpacity = "0.9";
shadow = true;
fadeDelta = 4;
};
services.compton = {
enable = true;
fade = true;
inactiveOpacity = "0.9";
shadow = true;
fadeDelta = 4;
};
</programlisting>
</para>
@ -34,16 +34,16 @@
Some Xfce programs are not installed automatically.
To install them manually (system wide), put them into your
<literal>environment.systemPackages</literal>.
</para>
</para>
<para>
NixOSs default <emphasis>display manager</emphasis>is SLiM.
(DM is the program that provides a graphical login prompt
and manages the X server.)
You can, for example, select KDEs
NixOSs default <emphasis>display manager</emphasis> is SLiM.
(DM is the program that provides a graphical login prompt
and manages the X server.)
You can, for example, select KDEs
<command>sddm</command> instead:
<programlisting>
services.xserver.displayManager.sddm.enable = true;
services.xserver.displayManager.sddm.enable = true;
</programlisting>
</para>
@ -55,7 +55,7 @@
<emphasis>Thunar</emphasis>
volume support, put
<programlisting>
services.xserver.desktopManager.xfce.enable = true;
services.xserver.desktopManager.xfce.enable = true;
</programlisting>
into your <emphasis>configuration.nix</emphasis>.
</para>
@ -84,10 +84,10 @@
Thunar and/or the desktop takes time to show up.
Thunar will spit out this kind of message on start
(look at journalctl --user -b).
(look at <command>journalctl --user -b</command>).
<programlisting>
Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
</programlisting>
This is caused by some needed GNOME services not running.
@ -95,7 +95,7 @@
the Advanced tab of the Session and Startup settings panel.
Alternatively, you can run this command to do the same thing.
<programlisting>
$ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
$ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
</programlisting>
A log-out and re-log will be needed for this to take effect.
</para>

4
nixos/doc/manual/development/option-declarations.xml
View file

@ -135,8 +135,8 @@ services.xserver.displayManager.enable = mkOption {
type = with types; nullOr (enum [ "slim" ]);
};</screen></example>
<example xml:id='ex-option-declaration-eot-backend-sdm'><title>Extending
<literal>services.foo.backend</literal> in the <literal>sdm</literal>
<example xml:id='ex-option-declaration-eot-backend-sddm'><title>Extending
<literal>services.foo.backend</literal> in the <literal>sddm</literal>
module</title>
<screen>
services.xserver.displayManager.enable = mkOption {

75
nixos/doc/manual/development/replace-modules.xml Normal file
View file

@ -0,0 +1,75 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-replace-modules">
<title>Replace Modules</title>
<para>Modules that are imported can also be disabled. The option
declarations and config implementation of a disabled module will be
ignored, allowing another to take it's place. This can be used to
import a set of modules from another channel while keeping the rest
of the system on a stable release.</para>
<para><literal>disabledModules</literal> is a top level attribute like
<literal>imports</literal>, <literal>options</literal> and
<literal>config</literal>. It contains a list of modules that will
be disabled. This can either be the full path to the module or a
string with the filename relative to the modules path
(eg. &lt;nixpkgs/nixos/modules&gt; for nixos).
</para>
<para>This example will replace the existing postgresql module with
the version defined in the nixos-unstable channel while keeping the
rest of the modules and packages from the original nixos channel.
This only overrides the module definition, this won't use postgresql
from nixos-unstable unless explicitly configured to do so.</para>
<programlisting>
{ config, lib, pkgs, ... }:
{
disabledModules = [ "services/databases/postgresql.nix" ];
imports =
[ # Use postgresql service from nixos-unstable channel.
# sudo nix-channel --add http://nixos.org/channels/nixos-unstable nixos-unstable
&lt;nixos-unstable/nixos/modules/services/databases/postgresql.nix&gt;
];
services.postgresql.enable = true;
}
</programlisting>
<para>This example shows how to define a custom module as a
replacement for an existing module. Importing this module will
disable the original module without having to know it's
implementation details.</para>
<programlisting>
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.man;
in
{
disabledModules = [ "services/programs/man.nix" ];
options = {
programs.man.enable = mkOption {
type = types.bool;
default = true;
description = "Whether to enable manual pages.";
};
};
config = mkIf cfg.enabled {
warnings = [ "disabled manpages for production deployments." ];
};
}
</programlisting>
</section>

22
nixos/doc/manual/development/sources.xml
View file

@ -8,7 +8,7 @@
<para>By default, NixOSs <command>nixos-rebuild</command> command
uses the NixOS and Nixpkgs sources provided by the
<literal>nixos-unstable</literal> channel (kept in
<literal>nixos</literal> channel (kept in
<filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>).
To modify NixOS, however, you should check out the latest sources from
Git. This is as follows:
@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
<literal>channels</literal> refers to a read-only repository that
tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
for more information about channels). Thus, the Git branch
<literal>channels/nixos-14.12</literal> will contain the latest built
and tested version available in the <literal>nixos-14.12</literal>
<literal>channels/nixos-17.03</literal> will contain the latest built
and tested version available in the <literal>nixos-17.03</literal>
channel.</para>
<para>Its often inconvenient to develop directly on the master
@ -39,9 +39,9 @@ branch based on your current NixOS version:
<screen>
$ nixos-version
14.04.273.ea1952b (Baboon)
17.09pre104379.6e0b727 (Hummingbird)
$ git checkout -b local ea1952b
$ git checkout -b local 6e0b727
</screen>
Or, to base your local branch on the latest version available in a
@ -49,17 +49,17 @@ NixOS channel:
<screen>
$ git remote update channels
$ git checkout -b local channels/nixos-14.12
$ git checkout -b local channels/nixos-17.03
</screen>
(Replace <literal>nixos-14.12</literal> with the name of the channel
(Replace <literal>nixos-17.03</literal> with the name of the channel
you want to use.) You can use <command>git merge</command> or
<command>git rebase</command> to keep your local branch in sync with
the channel, e.g.
<screen>
$ git remote update channels
$ git merge channels/nixos-14.12
$ git merge channels/nixos-17.03
</screen>
You can use <command>git cherry-pick</command> to copy commits from
@ -87,7 +87,11 @@ $ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
You may want to delete the symlink
<filename>~/.nix-defexpr/channels_root</filename> to prevent roots
NixOS channel from clashing with your own tree.</para>
NixOS channel from clashing with your own tree (this may break the
command-not-found utility though). If you want to go back to the default
state, you may just remove the <filename>~/.nix-defexpr</filename>
directory completely, log out and log in again and it should have been
recreated with a link to the root channels.</para>
<!-- FIXME: not sure what this means.
<para>You should not pass the base directory

1
nixos/doc/manual/development/writing-modules.xml
View file

@ -179,5 +179,6 @@ in {
<xi:include href="option-types.xml" />
<xi:include href="option-def.xml" />
<xi:include href="meta-attributes.xml" />
<xi:include href="replace-modules.xml" />
</chapter>

2
nixos/doc/manual/installation/changing-config.xml
View file

@ -7,7 +7,7 @@
<para>The file <filename>/etc/nixos/configuration.nix</filename>
contains the current configuration of your machine. Whenever youve
changed something to that file, you should do
<link linkend="ch-configuration">changed something</link> in that file, you should do
<screen>
# nixos-rebuild switch</screen>

3
nixos/doc/manual/installation/installing-uefi.xml
View file

@ -26,7 +26,8 @@ changes:
<literal>vfat</literal> filesystem.</para>
</listitem>
<listitem>
<para>You must set <option>boot.loader.systemd-boot.enable</option> to
<para>Instead of <option>boot.loader.grub.device</option>,
you must set <option>boot.loader.systemd-boot.enable</option> to
<literal>true</literal>. <command>nixos-generate-config</command>
should do this automatically for new configurations when booted in
UEFI mode.</para>

4
nixos/doc/manual/installation/installing-usb.xml
View file

@ -11,7 +11,9 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
<command>dd if=<replaceable>path-to-image</replaceable>
of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
correct drive; you can use the <command>lsblk</command> command to get a list of
block devices.</para>
block devices. If you're on OS X you can run <command>diskutil list</command>
to see the list of devices; the device you'll use for the USB must be ejected
before writing the image.</para>
<para>The <command>dd</command> utility will write the image verbatim to the drive,
making it the recommended option for both UEFI and non-UEFI installations. For

22
nixos/doc/manual/installation/upgrading.xml
View file

@ -15,12 +15,12 @@ been built. These channels are:
<itemizedlist>
<listitem>
<para><emphasis>Stable channels</emphasis>, such as <literal
xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
These only get conservative bug fixes and package upgrades. For
instance, a channel update may cause the Linux kernel on your
system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
not from 3.4.<replaceable>x</replaceable> to
3.11.<replaceable>x</replaceable> (a major change that has the
system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
not from 4.9.<replaceable>x</replaceable> to
4.11.<replaceable>x</replaceable> (a major change that has the
potential to break things). Stable channels are generally
maintained until the next stable branch is created.</para>
<para></para>
@ -34,7 +34,7 @@ been built. These channels are:
</listitem>
<listitem>
<para><emphasis>Small channels</emphasis>, such as <literal
xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
or <literal
xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
are identical to the stable and unstable channels described above,
@ -55,8 +55,8 @@ appliances.)</para>
<para>When you first install NixOS, youre automatically subscribed to
the NixOS channel that corresponds to your installation source. For
instance, if you installed from a 14.12 ISO, you will be subscribed to
the <literal>nixos-14.12</literal> channel. To see which NixOS
instance, if you installed from a 17.03 ISO, you will be subscribed to
the <literal>nixos-17.03</literal> channel. To see which NixOS
channel youre subscribed to, run the following as root:
<screen>
@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
</screen>
(Be sure to include the <literal>nixos</literal> parameter at the
end.) For instance, to use the NixOS 14.12 stable channel:
end.) For instance, to use the NixOS 17.03 stable channel:
<screen>
# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
</screen>
If you have a server, you may want to use the “small” channel instead:
<screen>
# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
</screen>
And if you want to live on the bleeding edge:
@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.) You can also
specify a channel explicitly, e.g.
<programlisting>
system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
</programlisting>
</para>

1
nixos/doc/manual/release-notes/release-notes.xml
View file

@ -9,6 +9,7 @@
<para>This section lists the release notes for each stable version of NixOS
and current unstable revision.</para>
<xi:include href="rl-1709.xml" />
<xi:include href="rl-1703.xml" />
<xi:include href="rl-1609.xml" />
<xi:include href="rl-1603.xml" />

324
nixos/doc/manual/release-notes/rl-1703.xml
View file

@ -4,7 +4,15 @@
version="5.0"
xml:id="sec-release-17.03">
<title>Release 17.03 (“XXX”, 2017/03/??)</title>
<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-highlights">
<title>Highlights</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
@ -15,16 +23,159 @@ has the following highlights: </para>
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs
manual</link> for more information.</para>
</listitem>
<listitem>
<para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
</listitem>
<listitem>
<para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
</listitem>
<listitem>
<para>The setuid wrapper functionality now supports setting
capabilities.</para>
</listitem>
<listitem>
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal>ati_unfree</literal> keeps forcing 1.17
and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
</listitem>
<listitem>
<para>
Cross compilation has been rewritten. See the nixpkgs manual for
details. The most obvious breaking change is that in derivations there is no
<literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
cross by default, not native.
</para>
</listitem>
<listitem>
<para>The <literal>overridePackages</literal> function has been rewritten
to be replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link></para>
</listitem>
<listitem>
<para>Packages in nixpkgs can be marked as insecure through listed
vulnerabilities. See the <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs
manual</link> for more information.</para>
</listitem>
<listitem>
<para>PHP now defaults to PHP 7.1</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-new-services">
<title>New Services</title>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem>
<para></para>
</listitem>
<listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
<listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
<listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
<listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
<listitem><para><literal>programs/adb.nix</literal></para></listitem>
<listitem><para><literal>programs/chromium.nix</literal></para></listitem>
<listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
<listitem><para><literal>programs/java.nix</literal></para></listitem>
<listitem><para><literal>programs/mtr.nix</literal></para></listitem>
<listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
<listitem><para><literal>programs/vim.nix</literal></para></listitem>
<listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
<listitem><para><literal>security/dhparams.nix</literal></para></listitem>
<listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
<listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
<listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
<listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
<listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
<listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
<listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
<listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
<listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
<listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
<listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
<listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
<listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
<listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
<listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
<listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
<listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
<listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
<listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
<listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
<listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
<listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
<listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
<listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
<listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
<listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
<listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
<listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
<listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
<listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
<listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
<listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
<listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
<listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
<listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
<listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
<listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-incompatibilities">
<title>Backward Incompatibilities</title>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
@ -32,10 +183,8 @@ following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
Cross compilation has been rewritten. See the nixpkgs manual for
details. The most obvious breaking change is that derivations absent a
<literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
cross by default, not native.
Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal>
and are now cross by default, not native.
</para>
</listitem>
@ -72,15 +221,6 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
The Yama LSM is now enabled by default in the kernel,
which prevents ptracing non-child processes.
This means you will not be able to attach gdb to an existing process,
but will need to start that process from gdb (so it is a child).
</para>
</listitem>
<listitem>
<para>
The <literal>stripHash</literal> bash function in <literal>stdenv</literal>
@ -160,7 +300,7 @@ following incompatible changes:</para>
<para><literal>overridePackages</literal> function no longer exists.
It is replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link>. For example, the following code:
overlays</link>. For example, the following code:
<programlisting>
let
@ -202,10 +342,72 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
Iputils no longer provide ping6 and traceroute6. The functionality of
these tools has been integrated into ping and traceroute respectively. To
enforce an address family the new flags <literal>-4</literal> and
<literal>-6</literal> have been added. One notable incompatibility is that
specifying an interface (for link-local IPv6 for instance) is no longer done
with the <literal>-I</literal> flag, but by encoding the interface into the
address (<literal>ping fe80::1%eth0</literal>).
</para>
</listitem>
<listitem>
<para>
The socket handling of the <literal>services.rmilter</literal> module
has been fixed and refactored. As rmilter doesn't support binding to
more than one socket, the options <literal>bindUnixSockets</literal>
and <literal>bindInetSockets</literal> have been replaced by
<literal>services.rmilter.bindSocket.*</literal>. The default is still
a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to
the options documentation for more information.
</para>
</listitem>
<listitem>
<para>
The <literal>fetch*</literal> functions no longer support md5,
please use sha256 instead.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy module interface has been streamlined around the
<option>extraArgs</option> option. Where possible, legacy option
declarations are mapped to <option>extraArgs</option> but will emit
warnings. The <option>resolverList</option> has been outright
removed: to use an unlisted resolver, use the
<option>customResolver</option> option.
</para>
</listitem>
<listitem>
<para>
torbrowser now stores local state under
<filename>~/.local/share/tor-browser</filename> by default. Any
browser profile data from the old location,
<filename>~/.torbrowser4</filename>, must be migrated manually.
</para>
</listitem>
<listitem>
<para>
The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-notable-changes">
<para>Other notable improvements:</para>
<title>Other Notable Changes</title>
<itemizedlist>
@ -226,7 +428,87 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>Python 2.6 interpreter and package set have been removed.</para>
</listitem>
<listitem>
<para>
The Python 2.7 interpreter does not use modules anymore. Instead, all
CPython interpreters now include the whole standard library except for `tkinter`,
which is available in the Python package set.
</para>
</listitem>
<listitem>
<para>
Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
Minor modifications had to be made to the interpreters in order to generate
deterministic bytecode. This has security implications and is relevant for
those using Python in a <literal>nix-shell</literal>. See the Nixpkgs manual
for details.
</para>
</listitem>
<listitem>
<para>
The Python package sets now use a fixed-point combinator and the sets are
available as attributes of the interpreters.
</para>
</listitem>
<listitem>
<para>
The Python function <literal>buildPythonPackage</literal> has been improved and can be
used to build from Setuptools source, Flit source, and precompiled Wheels.
</para>
</listitem>
<listitem>
<para>
When adding new or updating current Python libraries, the expressions should be put
in separate files in <literal>pkgs/development/python-modules</literal> and
called from <literal>python-packages.nix</literal>.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy service supports synchronizing the list of public
resolvers without working DNS resolution. This fixes issues caused by the
resolver list becoming outdated. It also improves the viability of
DNSCrypt only configurations.
</para>
</listitem>
<listitem>
<para>
Containers using bridged networking no longer lose their connection after
changes to the host networking.
</para>
</listitem>
<listitem>
<para>
ZFS supports pool auto scrubbing.
</para>
</listitem>
<listitem>
<para>
The bind DNS utilities (e.g. dig) have been split into their own output and
are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
necessary to pull in all of <literal>bind</literal> to use them.
</para>
</listitem>
<listitem>
<para>
Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
<filename>~/.config/nixpkgs</filename>. The former is still valid for
<filename>config.nix</filename> for backwards compatibility.
</para>
</listitem>
</itemizedlist>
</section>
</section>

71
nixos/doc/manual/release-notes/rl-1709.xml Normal file
View file

@ -0,0 +1,71 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.09">
<title>Release 17.09 (“Hummingbird”, 2017/09/??)</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
<itemizedlist>
<listitem>
<para>
The user handling now keeps track of deallocated UIDs/GIDs. When a user
or group is revived, this allows it to be allocated the UID/GID it had before.
A consequence is that UIDs and GIDs are no longer reused.
</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem>
<para></para>
</listitem>
</itemizedlist>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem>
<para>
Modules can now be disabled by using <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules">
disabledModules</link>, allowing another to take it's place. This can be
used to import a set of modules from another channel while keeping the
rest of the system on a stable release.
</para>
</listitem>
<listitem>
<para>
Updated to FreeType 2.7.1, including a new TrueType engine.
The new engine replaces the Infinality engine which was the default in
NixOS. The default font rendering settings are now provided by
fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults
are less invasive and provide rendering that is more consistent with
other systems and hopefully with each font designer's intent. Some
system-wide configuration has been removed from the Fontconfig NixOS
module where user Fontconfig settings are available.
</para>
</listitem>
</itemizedlist>
</section>

53
nixos/lib/make-disk-image.nix
View file

@ -7,6 +7,12 @@
, # The size of the disk, in megabytes.
diskSize
# The files and directories to be placed in the target file system.
# This is a list of attribute sets {source, target} where `source'
# is the file system object (regular file or directory) to be
# grafted in the file system at path `target'.
, contents ? []
, # Whether the disk should be partitioned (with a single partition
# containing the root filesystem) or contain the root filesystem
# directly.
@ -45,7 +51,14 @@ pkgs.vmTools.runInLinuxVM (
${pkgs.vmTools.qemu}/bin/qemu-img create -f ${format} $diskImage "${toString diskSize}M"
mv closure xchg/
'';
buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ];
buildInputs = with pkgs; [ utillinux perl e2fsprogs parted rsync ];
# I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
# image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
# !!! should use XML.
sources = map (x: x.source) contents;
targets = map (x: x.target) contents;
exportReferencesGraph =
[ "closure" config.system.build.toplevel ];
inherit postVM;
@ -98,11 +111,45 @@ pkgs.vmTools.runInLinuxVM (
# Remove /etc/machine-id so that each machine cloning this image will get its own id
rm -f /mnt/etc/machine-id
# Copy arbitrary other files into the image
# Semi-shamelessly copied from make-etc.sh. I (@copumpkin) shall factor this stuff out as part of
# https://github.com/NixOS/nixpkgs/issues/23052.
set -f
sources_=($sources)
targets_=($targets)
set +f
for ((i = 0; i < ''${#targets_[@]}; i++)); do
source="''${sources_[$i]}"
target="''${targets_[$i]}"
if [[ "$source" =~ '*' ]]; then
# If the source name contains '*', perform globbing.
mkdir -p /mnt/$target
for fn in $source; do
rsync -a --no-o --no-g "$fn" /mnt/$target/
done
else
mkdir -p /mnt/$(dirname $target)
if ! [ -e /mnt/$target ]; then
rsync -a --no-o --no-g $source /mnt/$target
else
echo "duplicate entry $target -> $source"
exit 1
fi
fi
done
umount /mnt
# Make sure resize2fs works
# Make sure resize2fs works. Note that resize2fs has stricter criteria for resizing than a normal
# mount, so the `-c 0` and `-i 0` don't affect it. Setting it to `now` doesn't produce deterministic
# output, of course, but we can fix that when/if we start making images deterministic.
${optionalString (fsType == "ext4") ''
tune2fs -c 0 -i 0 $rootDisk
tune2fs -T now -c 0 -i 0 $rootDisk
''}
''
)

5
nixos/lib/test-driver/Machine.pm
View file

@ -508,7 +508,7 @@ sub screenshot {
sub getTTYText {
my ($self, $tty) = @_;
my ($status, $out) = $self->execute("fold -w 80 /dev/vcs${tty}");
my ($status, $out) = $self->execute("fold -w\$(stty -F /dev/tty${tty} size | awk '{print \$2}') /dev/vcs${tty}");
return $out;
}
@ -607,7 +607,8 @@ sub waitForWindow {
sub copyFileFromHost {
my ($self, $from, $to) = @_;
my $s = `cat $from` or die;
$self->mustSucceed("echo '$s' > $to"); # !!! escaping
$s =~ s/'/'\\''/g;
$self->mustSucceed("echo '$s' > $to");
}

6
nixos/lib/testing.nix
View file

@ -108,16 +108,16 @@ rec {
mkdir -p $out/bin
echo "$testScript" > $out/test-script
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
wrapProgram $out/bin/nixos-test-driver \
--add-flags "$vms" \
--add-flags "''${vms[*]}" \
${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '$testScript' \
--set VLANS '${toString vlans}'
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
wrapProgram $out/bin/nixos-run-vms \
--add-flags "$vms" \
--add-flags "''${vms[*]}" \
${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
--set tests 'startAll; joinAll;' \
--set VLANS '${toString vlans}' \

23
nixos/maintainers/scripts/ec2/amazon-image.nix
View file

@ -2,15 +2,34 @@
with lib;
{
let
cfg = config.amazonImage;
in {
imports =
[ ../../../modules/installer/cd-dvd/channel.nix
../../../modules/virtualisation/amazon-image.nix
];
system.build.amazonImage = import ../../../lib/make-disk-image.nix {
options.amazonImage = {
contents = mkOption {
example = literalExample ''
[ { source = pkgs.memtest86 + "/memtest.bin";
target = "boot/memtest.bin";
}
]
'';
default = [];
description = ''
This option lists files to be copied to fixed locations in the
generated image. Glob patterns work.
'';
};
};
config.system.build.amazonImage = import ../../../lib/make-disk-image.nix {
inherit lib config;
inherit (cfg) contents;
pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
partitioned = config.ec2.hvm;
diskSize = if config.ec2.hvm then 2048 else 8192;

17
nixos/maintainers/scripts/ec2/create-amis.sh
View file

@ -3,23 +3,22 @@
# To start with do: nix-shell -p awscli --run "aws configure"
set -e
set -o pipefail
#set -x
stateDir=${TMPDIR:-/tmp}/ec2-image
echo "keeping state in $stateDir"
mkdir -p $stateDir
version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
major=${version:0:5}
echo "NixOS version is $version ($major)"
stateDir=/var/tmp/ec2-image-$version
echo "keeping state in $stateDir"
mkdir -p $stateDir
rm -f ec2-amis.nix
types="hvm pv"
types="hvm"
stores="ebs s3"
regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
for type in $types; do
link=$stateDir/$type
@ -206,7 +205,7 @@ for type in $types; do
# Register the AMI.
if [ $type = pv ]; then
kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.05-$arch.gz" | jq -r .Images[0].ImageId)
if [ "$kernel" = null ]; then break; fi
echo "using PV-GRUB kernel $kernel"
extraFlags+=" --virtualization-type paravirtual --kernel $kernel"

24
nixos/maintainers/scripts/openstack/nova-image.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
with lib;
{
imports =
[ ../../../modules/installer/cd-dvd/channel.nix
../../../modules/virtualisation/nova-config.nix
];
system.build.novaImage = import ../../../lib/make-disk-image.nix {
inherit lib config;
pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
diskSize = 8192;
format = "qcow2";
configFile = pkgs.writeText "configuration.nix"
''
{
imports = [ <nixpkgs/nixos/modules/virtualisation/nova-config.nix> ];
}
'';
};
}

270
nixos/modules/config/fonts/fontconfig-penultimate.nix Normal file
View file

@ -0,0 +1,270 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
# back-supported fontconfig version and package
# version is used for font cache generation
supportVersion = "210";
supportPkg = pkgs."fontconfig_${supportVersion}";
# latest fontconfig version and package
# version is used for configuration folder name, /etc/fonts/VERSION/
# note: format differs from supportVersion and can not be used with makeCacheConf
latestVersion = pkgs.fontconfig.configVersion;
latestPkg = pkgs.fontconfig;
# supported version fonts.conf
supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
# configuration file to read fontconfig cache
# version dependent
# priority 0
cacheConfSupport = makeCacheConf { version = supportVersion; };
cacheConfLatest = makeCacheConf {};
# generate the font cache setting file for a fontconfig version
# use latest when no version is passed
makeCacheConf = { version ? null }:
let
fcPackage = if builtins.isNull version
then "fontconfig"
else "fontconfig_${version}";
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
cache = makeCache pkgs."${fcPackage}";
cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}";
in
pkgs.writeText "fc-00-nixos-cache.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Font directories -->
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
<!-- Pre-generated font caches -->
<cachedir>${cache}</cachedir>
${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
<cachedir>${cache32}</cachedir>
''}
</fontconfig>
'';
# The configuration to be included in /etc/font/
penultimateConf = pkgs.runCommand "font-penultimate-conf" {} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/../fonts.conf
# fontconfig-penultimate various configuration files
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
ln -s ${antialiasConf} $support_folder/10-antialias.conf
ln -s ${antialiasConf} $latest_folder/10-antialias.conf
rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
ln -s ${hintingConf} $support_folder/10-hinting.conf
ln -s ${hintingConf} $latest_folder/10-hinting.conf
${optionalString cfg.useEmbeddedBitmaps ''
rm $support_folder/10-no-embedded-bitmaps.conf
rm $latest_folder/10-no-embedded-bitmaps.conf
''}
rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
ln -s ${subpixelConf} $support_folder/10-subpixel.conf
ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
${optionalString (cfg.dpi != 0) ''
ln -s ${dpiConf} $support_folder/11-dpi.conf
ln -s ${dpiConf} $latest_folder/11-dpi.conf
''}
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# 51-local.conf
rm $latest_folder/51-local.conf
substitute \
${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
${optionalString cfg.allowBitmaps ''
rm $support_folder/53-no-bitmaps.conf
rm $latest_folder/53-no-bitmaps.conf
''}
${optionalString (!cfg.allowType1) ''
ln -s ${rejectType1} $support_folder/53-no-type1.conf
ln -s ${rejectType1} $latest_folder/53-no-type1.conf
''}
'';
hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="append" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="append" name="hintstyle">
<const>hintslight</const>
</edit>
</match>
</fontconfig>
'';
antialiasConf = pkgs.writeText "fc-10-antialias.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="antialias">
${fcBool cfg.antialias}
</edit>
</match>
</fontconfig>
'';
subpixelConf = pkgs.writeText "fc-10-subpixel.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="append" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
</fontconfig>
'';
dpiConf = pkgs.writeText "fc-11-dpi.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<match target="pattern">
<edit name="dpi" mode="assign">
<double>${toString cfg.dpi}</double>
</edit>
</match>
</fontconfig>
'';
defaultFontsConf =
let genDefault = fonts: name:
optionalString (fonts != []) ''
<alias>
<family>${name}</family>
<prefer>
${concatStringsSep ""
(map (font: ''
<family>${font}</family>
'') fonts)}
</prefer>
</alias>
'';
in
pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default fonts -->
${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
${genDefault cfg.defaultFonts.serif "serif"}
${genDefault cfg.defaultFonts.monospace "monospace"}
</fontconfig>
'';
rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat"><string>Type 1</string></patelt>
</pattern>
</rejectfont>
</selectfont>
</fontconfig>
'';
in
{
options = {
fonts = {
fontconfig = {
penultimate = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
Enable fontconfig-penultimate settings to supplement the
NixOS defaults by providing per-font rendering defaults and
metric aliases.
'';
};
};
};
};
};
config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
fonts.fontconfig.confPackages = [ penultimateConf ];
};
}

112
nixos/modules/config/fonts/fontconfig-ultimate.nix
View file

@ -8,61 +8,6 @@ let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
latestVersion = pkgs.fontconfig.configVersion;
# fontconfig ultimate main configuration file
# priority 52
fontconfigUltimateConf = pkgs.writeText "fc-52-fontconfig-ultimate.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
${optionalString (!cfg.allowBitmaps) ''
<!-- Reject bitmap fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="scalable"><bool>false</bool></patelt>
</pattern>
</rejectfont>
</selectfont>
''}
${optionalString cfg.allowType1 ''
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat">
<string>Type 1</string>
</patelt>
</pattern>
</rejectfont>
</selectfont>
''}
<!-- Use embedded bitmaps in fonts like Calibri? -->
<match target="font">
<edit name="embeddedbitmap" mode="assign">
${fcBool cfg.useEmbeddedBitmaps}
</edit>
</match>
<!-- Force autohint always -->
<match target="font">
<edit name="force_autohint" mode="assign">
${fcBool cfg.forceAutohint}
</edit>
</match>
<!-- Render some monospace TTF fonts as bitmaps -->
<match target="pattern">
<edit name="bitmap_monospace" mode="assign">
${fcBool cfg.renderMonoTTFAsBitmap}
</edit>
</match>
</fontconfig>
'';
# The configuration to be included in /etc/font/
confPkg = pkgs.runCommand "font-ultimate-conf" {} ''
support_folder=$out/etc/fonts/conf.d
@ -71,12 +16,6 @@ let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
mkdir -p $support_folder
mkdir -p $latest_folder
# 52-fontconfig-ultimate.conf
ln -s ${fontconfigUltimateConf} \
$support_folder/52-fontconfig-ultimate.conf
ln -s ${fontconfigUltimateConf} \
$latest_folder/52-fontconfig-ultimate.conf
# fontconfig ultimate substitutions
${optionalString (cfg.substitutions != "none") ''
ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
@ -104,7 +43,7 @@ in
ultimate = {
enable = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Enable fontconfig-ultimate settings (formerly known as
Infinality). Besides the customizable settings in this NixOS
@ -113,45 +52,6 @@ in
'';
};
allowBitmaps = mkOption {
type = types.bool;
default = true;
description = ''
Allow bitmap fonts. Set to <literal>false</literal> to ban all
bitmap fonts.
'';
};
allowType1 = mkOption {
type = types.bool;
default = false;
description = ''
Allow Type-1 fonts. Default is <literal>false</literal> because of
poor rendering.
'';
};
useEmbeddedBitmaps = mkOption {
type = types.bool;
default = false;
description = ''Use embedded bitmaps in fonts like Calibri.'';
};
forceAutohint = mkOption {
type = types.bool;
default = false;
description = ''
Force use of the TrueType Autohinter. Useful for debugging or
free-software purists.
'';
};
renderMonoTTFAsBitmap = mkOption {
type = types.bool;
default = false;
description = ''Render some monospace TTF fonts as bitmaps.'';
};
substitutions = mkOption {
type = types.nullOr (types.enum ["free" "combi" "ms"]);
default = "free";
@ -163,15 +63,6 @@ in
<literal>none</literal> disables the substitutions.
'';
};
preset = mkOption {
type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"];
default = "ultimate3";
description = ''
FreeType rendering settings preset. Any of the presets may be
customized by setting environment variables.
'';
};
};
};
};
@ -181,7 +72,6 @@ in
config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
fonts.fontconfig.confPackages = [ confPkg ];
environment.variables."INFINALITY_FT" = cfg.preset;
};

169
nixos/modules/config/fonts/fontconfig.nix
View file

@ -41,11 +41,11 @@ let cfg = config.fonts.fontconfig;
# priority 0
cacheConfSupport = makeCacheConf { version = supportVersion; };
cacheConfLatest = makeCacheConf {};
# generate the font cache setting file for a fontconfig version
# use latest when no version is passed
makeCacheConf = { version ? null }:
let
let
fcPackage = if builtins.isNull version
then "fontconfig"
else "fontconfig_${version}";
@ -75,23 +75,23 @@ let cfg = config.fonts.fontconfig;
<fontconfig>
<!-- Default rendering settings -->
<match target="font">
<edit mode="assign" name="hinting">
<match target="pattern">
<edit mode="append" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="assign" name="autohint">
<edit mode="append" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="assign" name="hintstyle">
<const>hint${cfg.hinting.style}</const>
<edit mode="append" name="hintstyle">
<const>hintslight</const>
</edit>
<edit mode="assign" name="antialias">
<edit mode="append" name="antialias">
${fcBool cfg.antialias}
</edit>
<edit mode="assign" name="rgba">
<edit mode="append" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="assign" name="lcdfilter">
<edit mode="append" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
@ -113,7 +113,7 @@ let cfg = config.fonts.fontconfig;
# default fonts configuration file
# priority 52
defaultFontsConf =
defaultFontsConf =
let genDefault = fonts: name:
optionalString (fonts != []) ''
<alias>
@ -142,7 +142,54 @@ let cfg = config.fonts.fontconfig;
</fontconfig>
'';
# fontconfig configuration package
# bitmap font options
# priority 53
rejectBitmaps = pkgs.writeText "fc-53-nixos-bitmaps.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
${optionalString (!cfg.allowBitmaps) ''
<!-- Reject bitmap fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="scalable"><bool>false</bool></patelt>
</pattern>
</rejectfont>
</selectfont>
''}
<!-- Use embedded bitmaps in fonts like Calibri? -->
<match target="font">
<edit name="embeddedbitmap" mode="assign">
${fcBool cfg.useEmbeddedBitmaps}
</edit>
</match>
</fontconfig>
'';
# reject Type 1 fonts
# priority 53
rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat"><string>Type 1</string></patelt>
</pattern>
</rejectfont>
</selectfont>
</fontconfig>
'';
# fontconfig configuration package
confPkg = pkgs.runCommand "fontconfig-conf" {} ''
support_folder=$out/etc/fonts
latest_folder=$out/etc/fonts/${latestVersion}
@ -166,7 +213,7 @@ let cfg = config.fonts.fontconfig;
substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
$latest_folder/conf.d/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
--replace local.conf /etc/fonts/${latestVersion}/local.conf
# 00-nixos-cache.conf
ln -s ${cacheConfSupport} \
@ -192,6 +239,16 @@ let cfg = config.fonts.fontconfig;
# 52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf
# 53-nixos-bitmaps.conf
ln -s ${rejectBitmaps} $support_folder/conf.d/53-nixos-bitmaps.conf
ln -s ${rejectBitmaps} $latest_folder/conf.d/53-nixos-bitmaps.conf
${optionalString (! cfg.allowType1) ''
# 53-nixos-reject-type1.conf
ln -s ${rejectType1} $support_folder/conf.d/53-nixos-reject-type1.conf
ln -s ${rejectType1} $latest_folder/conf.d/53-nixos-reject-type1.conf
''}
'';
# Package with configuration files
@ -233,7 +290,11 @@ in
antialias = mkOption {
type = types.bool;
default = true;
description = "Enable font antialiasing.";
description = ''
Enable font antialiasing. At high resolution (> 200 DPI),
antialiasing has no visible effect; users of such displays may want
to disable this option.
'';
};
dpi = mkOption {
@ -249,7 +310,7 @@ in
type = types.lines;
default = "";
description = ''
System-wide customization file contents, has higher priority than
System-wide customization file contents, has higher priority than
<literal>defaultFonts</literal> settings.
'';
};
@ -287,26 +348,21 @@ in
enable = mkOption {
type = types.bool;
default = true;
description = "Enable TrueType hinting.";
description = ''
Enable font hinting. Hinting aligns glyphs to pixel boundaries to
improve rendering sharpness at low resolution. At high resolution
(> 200 dpi) hinting will do nothing (at best); users of such
displays may want to disable this option.
'';
};
autohint = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Enable the autohinter, which provides hinting for otherwise
un-hinted fonts. The results are usually lower quality than
correctly-hinted fonts.
'';
};
style = mkOption {
type = types.enum ["none" "slight" "medium" "full"];
default = "full";
description = ''
TrueType hinting style, one of <literal>none</literal>,
<literal>slight</literal>, <literal>medium</literal>, or
<literal>full</literal>.
Enable the autohinter in place of the default interpreter.
The results are usually lower quality than correctly-hinted
fonts, but better than unhinted fonts.
'';
};
};
@ -327,7 +383,15 @@ in
default = "rgb";
type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
description = ''
Subpixel order.
Subpixel order. The overwhelming majority of displays are
<literal>rgb</literal> in their normal orientation. Select
<literal>vrgb</literal> for mounting such a display 90 degrees
clockwise from its normal orientation or <literal>vbgr</literal>
for mounting 90 degrees counter-clockwise. Select
<literal>bgr</literal> in the unlikely event of mounting 180
degrees from the normal orientation. Reverse these directions in
the improbable event that the display's native subpixel order is
<literal>bgr</literal>.
'';
};
@ -335,7 +399,9 @@ in
default = "default";
type = types.enum ["none" "default" "light" "legacy"];
description = ''
FreeType LCD filter.
FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering
has no visible effect; users of such displays may want to select
<literal>none</literal>.
'';
};
@ -349,16 +415,43 @@ in
'';
};
allowBitmaps = mkOption {
type = types.bool;
default = true;
description = ''
Allow bitmap fonts. Set to <literal>false</literal> to ban all
bitmap fonts.
'';
};
allowType1 = mkOption {
type = types.bool;
default = false;
description = ''
Allow Type-1 fonts. Default is <literal>false</literal> because of
poor rendering.
'';
};
useEmbeddedBitmaps = mkOption {
type = types.bool;
default = false;
description = ''Use embedded bitmaps in fonts like Calibri.'';
};
};
};
};
config = mkIf cfg.enable {
fonts.fontconfig.confPackages = [ confPkg ];
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
};
config = mkMerge [
(mkIf cfg.enable {
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
})
(mkIf (cfg.enable && !cfg.penultimate.enable) {
fonts.fontconfig.confPackages = [ confPkg ];
})
];
}

9
nixos/modules/config/networking.nix
View file

@ -178,10 +178,10 @@ in
environment.etc =
{ # /etc/services: TCP/UDP port assignments.
"services".source = pkgs.iana_etc + "/etc/services";
"services".source = pkgs.iana-etc + "/etc/services";
# /etc/protocols: IP protocol numbers.
"protocols".source = pkgs.iana_etc + "/etc/protocols";
"protocols".source = pkgs.iana-etc + "/etc/protocols";
# /etc/rpc: RPC program numbers.
"rpc".source = pkgs.glibc.out + "/etc/rpc";
@ -251,11 +251,6 @@ in
# Install the proxy environment variables
environment.sessionVariables = cfg.proxy.envVars;
# The ip-up target is kept for backwards compatibility.
# New services should use systemd upstream targets:
# See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
systemd.targets.ip-up.description = "Services Requiring IP Connectivity (deprecated)";
# This is needed when /etc/resolv.conf is being overriden by networkd
# and other configurations. If the file is destroyed by an environment
# activation then it must be rebuilt so that applications which interface

2
nixos/modules/config/pulseaudio.nix
View file

@ -274,6 +274,8 @@ in {
RestartSec = "500ms";
};
};
environment.variables.PULSE_COOKIE = "${stateDir}/.config/pulse/cookie";
})
];

2
nixos/modules/config/shells-environment.nix
View file

@ -168,7 +168,7 @@ in
${cfg.extraInit}
# The setuid wrappers override other bin directories.
# The setuid/setcap wrappers override other bin directories.
export PATH="${config.security.wrapperDir}:$PATH"
# ~/bin if it exists overrides other bin directories.

4
nixos/modules/config/sysctl.nix
View file

@ -64,5 +64,9 @@ in
# Removed under grsecurity.
boot.kernel.sysctl."kernel.kptr_restrict" =
if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1;
# Disable YAMA by default to allow easy debugging.
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
};
}

72
nixos/modules/config/update-users-groups.pl
View file

@ -6,6 +6,21 @@ use JSON;
make_path("/var/lib/nixos", { mode => 0755 });
# Keep track of deleted uids and gids.
my $uidMapFile = "/var/lib/nixos/uid-map";
my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
my $gidMapFile = "/var/lib/nixos/gid-map";
my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
sub updateFile {
my ($path, $contents, $perms) = @_;
write_file("$path.tmp", { binmode => ':utf8', perms => $perms // 0644 }, $contents);
rename("$path.tmp", $path) or die;
}
sub hashPassword {
my ($password) = @_;
my $salt = "";
@ -18,10 +33,10 @@ sub hashPassword {
# Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
# /etc/login.defs.
sub allocId {
my ($used, $idMin, $idMax, $up, $getid) = @_;
my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
my $id = $up ? $idMin : $idMax;
while ($id >= $idMin && $id <= $idMax) {
if (!$used->{$id} && !defined &$getid($id)) {
if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
$used->{$id} = 1;
return $id;
}
@ -31,23 +46,36 @@ sub allocId {
die "$0: out of free UIDs or GIDs\n";
}
my (%gidsUsed, %uidsUsed);
my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
sub allocGid {
return allocId(\%gidsUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
my ($name) = @_;
my $prevGid = $gidMap->{$name};
if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
print STDERR "reviving group '$name' with GID $prevGid\n";
$gidsUsed{$prevGid} = 1;
return $prevGid;
}
return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
}
sub allocUid {
my ($isSystemUser) = @_;
my ($name, $isSystemUser) = @_;
my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
return allocId(\%uidsUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
my $prevUid = $uidMap->{$name};
if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
print STDERR "reviving user '$name' with UID $prevUid\n";
$uidsUsed{$prevUid} = 1;
return $prevUid;
}
return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
}
# Read the declared users/groups.
my $spec = decode_json(read_file($ARGV[0]));
# Don't allocate UIDs/GIDs that are already in use.
# Don't allocate UIDs/GIDs that are manually assigned.
foreach my $g (@{$spec->{groups}}) {
$gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
}
@ -56,6 +84,11 @@ foreach my $u (@{$spec->{users}}) {
$uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
}
# Likewise for previously used but deleted UIDs/GIDs.
$uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
$gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
# Read the current /etc/group.
sub parseGroup {
chomp;
@ -114,16 +147,18 @@ foreach my $g (@{$spec->{groups}}) {
}
}
} else {
$g->{gid} = allocGid if !defined $g->{gid};
$g->{gid} = allocGid($name) if !defined $g->{gid};
$g->{password} = "x";
}
$g->{members} = join ",", sort(keys(%members));
$groupsOut{$name} = $g;
$gidMap->{$name} = $g->{gid};
}
# Update the persistent list of declarative groups.
write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
# Merge in the existing /etc/group.
foreach my $name (keys %groupsCur) {
@ -140,8 +175,8 @@ foreach my $name (keys %groupsCur) {
# Rewrite /etc/group. FIXME: acquire lock.
my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
(sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
rename("/etc/group.tmp", "/etc/group") or die;
updateFile($gidMapFile, encode_json($gidMap));
updateFile("/etc/group", \@lines);
system("nscd --invalidate group");
# Generate a new /etc/passwd containing the declared users.
@ -167,7 +202,7 @@ foreach my $u (@{$spec->{users}}) {
$u->{uid} = $existing->{uid};
}
} else {
$u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
$u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
if (defined $u->{initialPassword}) {
$u->{hashedPassword} = hashPassword($u->{initialPassword});
@ -177,7 +212,7 @@ foreach my $u (@{$spec->{users}}) {
}
# Create a home directory.
if ($u->{createHome} && ! -e $u->{home}) {
if ($u->{createHome}) {
make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
chown $u->{uid}, $u->{gid}, $u->{home};
}
@ -195,10 +230,12 @@ foreach my $u (@{$spec->{users}}) {
$u->{fakePassword} = $existing->{fakePassword} // "x";
$usersOut{$name} = $u;
$uidMap->{$name} = $u->{uid};
}
# Update the persistent list of declarative users.
write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
# Merge in the existing /etc/passwd.
foreach my $name (keys %usersCur) {
@ -214,8 +251,8 @@ foreach my $name (keys %usersCur) {
# Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
(sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
rename("/etc/passwd.tmp", "/etc/passwd") or die;
updateFile($uidMapFile, encode_json($uidMap));
updateFile("/etc/passwd", \@lines);
system("nscd --invalidate passwd");
@ -242,5 +279,4 @@ foreach my $u (values %usersOut) {
push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
}
write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
rename("/etc/shadow.tmp", "/etc/shadow") or die;
updateFile("/etc/shadow", \@shadowNew, 0600);

1
nixos/modules/hardware/all-firmware.nix
View file

@ -26,6 +26,7 @@ with lib;
firmwareLinuxNonfree
intel2200BGFirmware
rtl8723bs-firmware
rtl8192su-firmware
];
};

3
nixos/modules/hardware/cpu/amd-microcode.nix
View file

@ -22,7 +22,8 @@ with lib;
###### implementation
config = mkIf config.hardware.cpu.amd.updateMicrocode {
boot.initrd.prepend = [ "${pkgs.microcodeAmd}/amd-ucode.img" ];
# Microcode updates must be the first item prepended in the initrd
boot.initrd.prepend = mkOrder 1 [ "${pkgs.microcodeAmd}/amd-ucode.img" ];
};
}

3
nixos/modules/hardware/cpu/intel-microcode.nix
View file

@ -22,7 +22,8 @@ with lib;
###### implementation
config = mkIf config.hardware.cpu.intel.updateMicrocode {
boot.initrd.prepend = [ "${pkgs.microcodeIntel}/intel-ucode.img" ];
# Microcode updates must be the first item prepended in the initrd
boot.initrd.prepend = mkOrder 1 [ "${pkgs.microcodeIntel}/intel-ucode.img" ];
};
}

37
nixos/modules/hardware/mcelog.nix Normal file
View file

@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
with lib;
{
meta.maintainers = [ maintainers.grahamc ];
options = {
hardware.mcelog = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the Machine Check Exception logger.
'';
};
};
};
config = mkIf config.hardware.mcelog.enable {
systemd.services.mcelog = {
description = "Machine Check Exception Logging Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.mcelog}/bin/mcelog --daemon --foreground";
SuccessExitStatus = [ 0 15 ];
ProtectHome = true;
PrivateNetwork = true;
PrivateTmp = true;
};
};
};
}

30
nixos/modules/hardware/sensor/iio.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
hardware.sensor.iio = {
enable = mkOption {
description = "Enable this option to support IIO sensors.";
type = types.bool;
default = false;
};
};
};
###### implementation
config = mkIf config.hardware.sensor.iio.enable {
boot.initrd.availableKernelModules = [ "hid-sensor-hub" ];
environment.systemPackages = with pkgs; [ iio-sensor-proxy ];
services.dbus.packages = with pkgs; [ iio-sensor-proxy ];
services.udev.packages = with pkgs; [ iio-sensor-proxy ];
systemd.packages = with pkgs; [ iio-sensor-proxy ];
};
}

26
nixos/modules/hardware/usb-wwan.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
hardware.usbWwan = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable this option to support USB WWAN adapters.
'';
};
};
};
###### implementation
config = mkIf config.hardware.usbWwan.enable {
services.udev.packages = with pkgs; [ usb-modeswitch-data ];
};
}

4
nixos/modules/hardware/video/bumblebee.nix
View file

@ -13,7 +13,7 @@ let
useDisplayDevice = cfg.connectDisplay;
};
useBbswitch = cfg.pmMethod == "bbswitch";
useBbswitch = cfg.pmMethod == "bbswitch" || cfg.pmMethod == "auto" && useNvidia;
primus = pkgs.primus.override {
inherit useNvidia;
@ -65,7 +65,7 @@ in
pmMethod = mkOption {
default = "auto";
type = types.enum [ "auto" "bbswitch" "nouveau" "switcheroo" "none" ];
type = types.enum [ "auto" "bbswitch" "switcheroo" "none" ];
description = ''
Set preferred power management method for unused card.
'';

61
nixos/modules/hardware/video/capture/mwprocapture.nix Normal file
View file

@ -0,0 +1,61 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.mwProCapture;
kernelPackages = config.boot.kernelPackages;
in
{
options.hardware.mwProCapture.enable = mkEnableOption "Magewell Pro Capture family kernel module";
config = mkIf cfg.enable {
assertions = singleton {
assertion = versionAtLeast kernelPackages.kernel.version "3.2";
message = "Magewell Pro Capture family module is not supported for kernels older than 3.2";
};
boot.kernelModules = [ "ProCapture" ];
environment.systemPackages = [ kernelPackages.mwprocapture ];
boot.extraModulePackages = [ kernelPackages.mwprocapture ];
boot.extraModprobeConfig = ''
# Set the png picture to be displayed when no input signal is detected.
options ProCapture nosignal_file=${kernelPackages.mwprocapture}/res/NoSignal.png
# Set the png picture to be displayed when an unsupported input signal is detected.
options ProCapture unsupported_file=${kernelPackages.mwprocapture}/res/Unsupported.png
# Set the png picture to be displayed when an loking input signal is detected.
options ProCapture locking_file=${kernelPackages.mwprocapture}/res/Locking.png
# Message signaled interrupts switch
#options ProCapture disable_msi=0
# Set the debug level
#options ProCapture debug_level=0
# Force init switch eeprom
#options ProCapture init_switch_eeprom=0
# Min frame interval for VIDIOC_ENUM_FRAMEINTERVALS (default: 166666(100ns))
#options ProCapture enum_frameinterval_min=166666
# VIDIOC_ENUM_FRAMESIZES type (1: DISCRETE; 2: STEPWISE; otherwise: CONTINUOUS )
#options ProCapture enum_framesizes_type=0
# Parameters for internal usage
#options ProCapture internal_params=""
'';
};
}

4
nixos/modules/hardware/video/nvidia.nix
View file

@ -49,6 +49,10 @@ in
Option "RandRRotation" "on"
'';
environment.etc."nvidia/nvidia-application-profiles-rc" = mkIf nvidia_x11.useProfiles {
source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
};
hardware.opengl.package = nvidiaPackage nvidia_x11 pkgs;
hardware.opengl.package32 = nvidiaPackage nvidia_libs32 pkgs_i686;

2
nixos/modules/i18n/input-method/ibus.nix
View file

@ -44,7 +44,7 @@ in
panel = mkOption {
type = with types; nullOr path;
default = null;
example = literalExample "''${pkgs.kde5.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
example = literalExample "''${pkgs.plasma5.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
description = "Replace the IBus panel with another panel.";
};
};

13
nixos/modules/installer/cd-dvd/channel.nix
View file

@ -6,6 +6,16 @@
with lib;
let
# Do not include these things:
# - The '.git' directory
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
filterFn = path: type: let basename = baseNameOf (toString path); in
if type == "directory" then basename != ".git"
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
nixpkgs = builtins.filterSource filterFn pkgs.path;
# We need a copy of the Nix expressions for Nixpkgs and NixOS on the
# CD. These are installed into the "nixos" channel of the root
@ -15,12 +25,11 @@ let
{ }
''
mkdir -p $out
cp -prd ${pkgs.path} $out/nixos
cp -prd ${nixpkgs} $out/nixos
chmod -R u+w $out/nixos
if [ ! -e $out/nixos/nixpkgs ]; then
ln -s . $out/nixos/nixpkgs
fi
rm -rf $out/nixos/.git
echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
'';

4
nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
View file

@ -18,7 +18,7 @@ with lib;
autoLogin = true;
};
desktopManager.kde5 = {
desktopManager.plasma5 = {
enable = true;
enableQt4Support = false;
};
@ -66,7 +66,7 @@ with lib;
in ''
mkdir -p /root/Desktop
ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
ln -sfT ${pkgs.kde5.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
'';

3
nixos/modules/installer/cd-dvd/iso-image.nix
View file

@ -172,7 +172,6 @@ in
isoImage.includeSystemBuildDependencies = mkOption {
default = false;
example = true;
description = ''
Set this option to include all the needed sources etc in the
image. It significantly increases image size. Use that when
@ -280,7 +279,7 @@ in
options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
};
boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" ];
boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" "uas" ];
boot.blacklistedKernelModules = [ "nouveau" ];

4
nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
View file

@ -52,9 +52,7 @@ in
enable_uart=1
'';
in ''
for f in bootcode.bin fixup.dat start.elf; do
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
done
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${patchedUboot}/u-boot.bin boot/u-boot-rpi3.bin
cp ${configTxt} boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot

6
nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
View file

@ -28,7 +28,7 @@ in
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
# FIXME: this probably should be in installation-device.nix
users.extraUsers.root.initialHashedPassword = "";
@ -44,9 +44,7 @@ in
enable_uart=1
'';
in ''
for f in bootcode.bin fixup.dat start.elf; do
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
done
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin
cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin boot/u-boot-rpi3.bin
cp ${configTxt} boot/config.txt

4
nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
View file

@ -34,9 +34,7 @@ in
sdImage = {
populateBootCommands = ''
for f in bootcode.bin fixup.dat start.elf; do
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
done
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${pkgs.ubootRaspberryPi}/u-boot.bin boot/u-boot-rpi.bin
echo 'kernel u-boot-rpi.bin' > boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot

2
nixos/modules/installer/scan/detected.nix
View file

@ -1,4 +1,4 @@
# List all devices which are detected by nixos-hardware-scan.
# List all devices which are detected by nixos-generate-config.
# Common devices are enabled by default.
{ config, lib, pkgs, ... }:

2
nixos/modules/installer/scan/not-detected.nix
View file

@ -1,4 +1,4 @@
# List all devices which are _not_ detected by nixos-hardware-scan.
# List all devices which are _not_ detected by nixos-generate-config.
# Common devices are enabled by default.
{ config, lib, pkgs, ... }:

2
nixos/modules/installer/tools/auto-upgrade.nix
View file

@ -48,7 +48,7 @@ let cfg = config.system.autoUpgrade; in
description = ''
Specification (in the format described by
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>) of the time at
<manvolnum>7</manvolnum></citerefentry>) of the time at
which the update will occur.
'';
};

6
nixos/modules/installer/tools/nix-fallback-paths.nix
View file

@ -1,5 +1,5 @@
{
x86_64-linux = "/nix/store/qdkzm17csr24snk247a1s0c47ikq5sl6-nix-1.11.6";
i686-linux = "/nix/store/hiwp53747lxlniqy5wpbql5izjrs8z0z-nix-1.11.6";
x86_64-darwin = "/nix/store/hca2hqcvwncf23hiqyqgwbsdy8vvl9xv-nix-1.11.6";
x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
}

3
nixos/modules/installer/tools/nixos-generate-config.pl
View file

@ -347,7 +347,6 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
# Skip special filesystems.
next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
next if $mountPoint eq "/var/setuid-wrappers";
# Skip the optional fields.
my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
@ -608,7 +607,7 @@ $bootLoaderConfig
# Enable the KDE Desktop Environment.
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.kde5.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.extraUsers.guest = {

4
nixos/modules/installer/tools/nixos-install.sh
View file

@ -259,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
# Ask the user to set a root password.
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then
echo "setting root password..."
chroot $mountPoint /var/setuid-wrappers/passwd
chroot $mountPoint /run/wrappers/bin/passwd
fi

40
nixos/modules/installer/tools/nixos-rebuild.sh
View file

@ -15,6 +15,7 @@ origArgs=("$@")
extraBuildFlags=()
action=
buildNix=1
fast=
rollback=
upgrade=
repair=
@ -52,13 +53,13 @@ while [ "$#" -gt 0 ]; do
repair=1
extraBuildFlags+=("$i")
;;
--show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q)
extraBuildFlags+=("$i")
;;
--max-jobs|-j|--cores|-I)
j="$1"; shift 1
extraBuildFlags+=("$i" "$j")
;;
--show-trace|--no-build-hook|--keep-failed|-K|--keep-going|-k|--verbose|-v|-vv|-vvv|-vvvv|-vvvvv|--fallback|--repair|--no-build-output|-Q|-j*)
extraBuildFlags+=("$i")
;;
--option)
j="$1"; shift 1
k="$1"; shift 1
@ -66,6 +67,7 @@ while [ "$#" -gt 0 ]; do
;;
--fast)
buildNix=
fast=1
extraBuildFlags+=(--show-trace)
;;
--profile-name|-p)
@ -217,7 +219,7 @@ if [ -z "$_NIXOS_REBUILD_REEXEC" ]; then
fi
# Re-execute nixos-rebuild from the Nixpkgs tree.
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" -a -z "$fast" ]; then
if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
export _NIXOS_REBUILD_REEXEC=1
exec $p/bin/nixos-rebuild "${origArgs[@]}"
@ -276,24 +278,22 @@ if [ -n "$buildNix" ]; then
echo "building Nix..." >&2
nixDrv=
if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then
if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
nixStorePath="$(prebuiltNix "$(uname -m)")"
if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
--option extra-binary-caches https://cache.nixos.org/; then
if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
nixStorePath="$(prebuiltNix "$(uname -m)")"
if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
--option extra-binary-caches https://cache.nixos.org/; then
echo "warning: don't know how to get latest Nix" >&2
fi
# Older version of nix-store -r don't support --add-root.
[ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
if [ -n "$buildHost" ]; then
remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
remoteNix="$remoteNixStorePath/bin"
if ! buildHostCmd nix-store -r $remoteNixStorePath \
--option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
remoteNix=
echo "warning: don't know how to get latest Nix" >&2
fi
# Older version of nix-store -r don't support --add-root.
[ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
if [ -n "$buildHost" ]; then
remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
remoteNix="$remoteNixStorePath/bin"
if ! buildHostCmd nix-store -r $remoteNixStorePath \
--option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
remoteNix=
echo "warning: don't know how to get latest Nix" >&2
fi
fi
fi
fi
fi

8
nixos/modules/misc/ids.nix
View file

@ -64,7 +64,7 @@
cups = 36;
foldingathome = 37;
sabnzbd = 38;
kdm = 39;
#kdm = 39; # dropped in 17.03
ghostone = 40;
git = 41;
fourstore = 42;
@ -287,6 +287,8 @@
pdns-recursor = 269;
kresd = 270;
rpc = 271;
geoip = 272;
fcron = 273;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -333,7 +335,7 @@
#cups = 36; # unused
#foldingathome = 37; # unused
#sabnzd = 38; # unused
#kdm = 39; # unused
#kdm = 39; # unused, even before 17.03
ghostone = 40;
git = 41;
fourstore = 42;
@ -543,6 +545,8 @@
gogs = 268;
kresd = 270;
#rpc = 271; # unused
#geoip = 272; # unused
fcron = 273;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

19
nixos/modules/misc/locate.nix
View file

@ -103,15 +103,16 @@ in {
config = mkIf cfg.enable {
users.extraGroups = mkIf isMLocate { mlocate = {}; };
security.setuidOwners = mkIf isMLocate
[ { group = "mlocate";
owner = "root";
permissions = "u+rx,g+x,o+x";
setgid = true;
setuid = false;
program = "locate";
}
];
security.wrappers = mkIf isMLocate {
locate = {
group = "mlocate";
owner = "root";
permissions = "u+rx,g+x,o+x";
setgid = true;
setuid = false;
source = "${cfg.locate}/bin/locate";
};
};
nixpkgs.config = { locate.dbfile = cfg.output; };

7
nixos/modules/misc/version.nix
View file

@ -95,7 +95,7 @@ in
nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
# Note: code names must only increase in alphabetical order.
nixosCodeName = "Gorilla";
nixosCodeName = "Hummingbird";
};
# Generate /etc/os-release. See
@ -106,9 +106,12 @@ in
NAME=NixOS
ID=nixos
VERSION="${config.system.nixosVersion} (${config.system.nixosCodeName})"
VERSION_CODENAME=${toLower config.system.nixosCodeName}
VERSION_ID="${config.system.nixosVersion}"
PRETTY_NAME="NixOS ${config.system.nixosVersion} (${config.system.nixosCodeName})"
HOME_URL="http://nixos.org/"
HOME_URL="https://nixos.org/"
SUPPORT_URL="https://nixos.org/nixos/support.html"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
'';
};

26
nixos/modules/module-list.nix
View file

@ -1,8 +1,9 @@
[
./config/debug-info.nix
./config/fonts/corefonts.nix
./config/fonts/fontconfig-ultimate.nix
./config/fonts/fontconfig.nix
./config/fonts/fontconfig-penultimate.nix
./config/fonts/fontconfig-ultimate.nix
./config/fonts/fontdir.nix
./config/fonts/fonts.nix
./config/fonts/ghostscript.nix
@ -29,7 +30,9 @@
./hardware/ckb.nix
./hardware/cpu/amd-microcode.nix
./hardware/cpu/intel-microcode.nix
./hardware/sensor/iio.nix
./hardware/ksm.nix
./hardware/mcelog.nix
./hardware/network/b43.nix
./hardware/network/intel-2100bg.nix
./hardware/network/intel-2200bg.nix
@ -38,9 +41,11 @@
./hardware/network/rtl8192c.nix
./hardware/opengl.nix
./hardware/pcmcia.nix
./hardware/usb-wwan.nix
./hardware/video/amdgpu.nix
./hardware/video/amdgpu-pro.nix
./hardware/video/ati.nix
./hardware/video/capture/mwprocapture.nix
./hardware/video/bumblebee.nix
./hardware/video/displaylink.nix
./hardware/video/nvidia.nix
@ -80,6 +85,7 @@
./programs/light.nix
./programs/man.nix
./programs/mosh.nix
./programs/mtr.nix
./programs/nano.nix
./programs/oblogout.nix
./programs/screen.nix
@ -91,6 +97,7 @@
./programs/tmux.nix
./programs/venus.nix
./programs/vim.nix
./programs/wireshark.nix
./programs/wvdial.nix
./programs/xfs_quota.nix
./programs/xonsh.nix
@ -102,6 +109,7 @@
./security/audit.nix
./security/ca.nix
./security/chromium-suid-sandbox.nix
./security/dhparams.nix
./security/duosec.nix
./security/grsecurity.nix
./security/hidepid.nix
@ -113,7 +121,7 @@
./security/prey.nix
./security/rngd.nix
./security/rtkit.nix
./security/setuid-wrappers.nix
./security/wrappers/default.nix
./security/sudo.nix
./services/amqp/activemq/default.nix
./services/amqp/rabbitmq.nix
@ -130,7 +138,6 @@
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/rsnapshot.nix
./services/backup/sitecopy-backup.nix
./services/backup/tarsnap.nix
./services/backup/znapzend.nix
./services/cluster/fleet.nix
@ -259,12 +266,15 @@
./services/misc/felix.nix
./services/misc/folding-at-home.nix
./services/misc/gammu-smsd.nix
./services/misc/geoip-updater.nix
#./services/misc/gitit.nix
./services/misc/gitlab.nix
./services/misc/gitolite.nix
./services/misc/gogs.nix
./services/misc/gpsd.nix
#./services/misc/ihaskell.nix
./services/misc/irkerd.nix
./services/misc/jackett.nix
./services/misc/leaps.nix
./services/misc/mantisbt.nix
./services/misc/mathics.nix
@ -285,6 +295,7 @@
./services/misc/parsoid.nix
./services/misc/phd.nix
./services/misc/plex.nix
./services/misc/radarr.nix
./services/misc/redmine.nix
./services/misc/rippled.nix
./services/misc/ripple-rest.nix
@ -293,6 +304,7 @@
./services/misc/siproxd.nix
./services/misc/sonarr.nix
./services/misc/spice-vdagentd.nix
./services/misc/ssm-agent.nix
./services/misc/sssd.nix
./services/misc/subsonic.nix
./services/misc/sundtek.nix
@ -320,10 +332,12 @@
./services/monitoring/prometheus/default.nix
./services/monitoring/prometheus/alertmanager.nix
./services/monitoring/prometheus/blackbox-exporter.nix
./services/monitoring/prometheus/fritzbox-exporter.nix
./services/monitoring/prometheus/json-exporter.nix
./services/monitoring/prometheus/nginx-exporter.nix
./services/monitoring/prometheus/node-exporter.nix
./services/monitoring/prometheus/snmp-exporter.nix
./services/monitoring/prometheus/unifi-exporter.nix
./services/monitoring/prometheus/varnish-exporter.nix
./services/monitoring/riemann.nix
./services/monitoring/riemann-dash.nix
@ -420,6 +434,7 @@
./services/networking/namecoind.nix
./services/networking/nat.nix
./services/networking/networkmanager.nix
./services/networking/nftables.nix
./services/networking/ngircd.nix
./services/networking/nix-serve.nix
./services/networking/nntp-proxy.nix
@ -440,7 +455,7 @@
./services/networking/prayer.nix
./services/networking/privoxy.nix
./services/networking/prosody.nix
./services/networking/quagga.nix
# ./services/networking/quagga.nix
./services/networking/quassel.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
@ -514,6 +529,7 @@
./services/system/cgmanager.nix
./services/system/cloud-init.nix
./services/system/dbus.nix
./services/system/earlyoom.nix
./services/system/kerberos.nix
./services/system/nscd.nix
./services/system/uptimed.nix
@ -559,10 +575,10 @@
./services/x11/display-managers/auto.nix
./services/x11/display-managers/default.nix
./services/x11/display-managers/gdm.nix
./services/x11/display-managers/kdm.nix
./services/x11/display-managers/lightdm.nix
./services/x11/display-managers/sddm.nix
./services/x11/display-managers/slim.nix
./services/x11/display-managers/xpra.nix
./services/x11/hardware/libinput.nix
./services/x11/hardware/multitouch.nix
./services/x11/hardware/synaptics.nix

6
nixos/modules/profiles/graphical.nix
View file

@ -1,5 +1,5 @@
# This module defines a NixOS configuration that contains X11 and
# KDE 4. It's used by the graphical installation CD.
# This module defines a NixOS configuration with the Plasma 5 desktop.
# It's used by the graphical installation CD.
{ config, pkgs, ... }:
@ -7,7 +7,7 @@
services.xserver = {
enable = true;
displayManager.sddm.enable = true;
desktopManager.kde5.enable = true;
desktopManager.plasma5.enable = true;
synaptics.enable = true; # for touchpad support on many laptops
};

1
nixos/modules/programs/adb.nix
View file

@ -10,7 +10,6 @@ with lib;
programs.adb = {
enable = mkOption {
default = false;
example = true;
type = types.bool;
description = ''
Whether to configure system to use Android Debug Bridge (adb).

1
nixos/modules/programs/gphoto2.nix
View file

@ -10,7 +10,6 @@ with lib;
programs.gphoto2 = {
enable = mkOption {
default = false;
example = true;
type = types.bool;
description = ''
Whether to configure system to use gphoto2.

2
nixos/modules/programs/kbdlight.nix
View file

@ -11,6 +11,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
security.setuidPrograms = [ "kbdlight" ];
security.wrappers.kbdlight.source = "${pkgs.kbdlight.out}/bin/kbdlight";
};
}

2
nixos/modules/programs/light.nix
View file

@ -21,6 +21,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.light ];
security.setuidPrograms = [ "light" ];
security.wrappers.light.source = "${pkgs.light.out}/bin/light";
};
}

1
nixos/modules/programs/mosh.nix
View file

@ -14,7 +14,6 @@ in
Whether to enable mosh. Note, this will open ports in your firewall!
'';
default = false;
example = true;
type = lib.types.bool;
};
};

27
nixos/modules/programs/mtr.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.mtr;
in {
options = {
programs.mtr = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to add mtr to the global environment and configure a
setcap wrapper for it.
'';
};
};
};
config = mkIf cfg.enable {
security.wrappers.mtr = {
source = "${pkgs.mtr}/bin/mtr";
capabilities = "cap_net_raw+p";
};
};
}

16
nixos/modules/programs/shadow.nix
View file

@ -101,11 +101,15 @@ in
chpasswd = { rootOK = true; };
};
security.setuidPrograms = [ "su" "chfn" ]
++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
++ lib.optionals config.users.mutableUsers
[ "passwd" "sg" "newgrp" ];
security.wrappers = {
su.source = "${pkgs.shadow.su}/bin/su";
chfn.source = "${pkgs.shadow.out}/bin/chfn";
newuidmap.source = "${pkgs.shadow.out}/bin/newuidmap";
newgidmap.source = "${pkgs.shadow.out}/bin/newgidmap";
} // (if config.users.mutableUsers then {
passwd.source = "${pkgs.shadow.out}/bin/passwd";
sg.source = "${pkgs.shadow.out}/bin/sg";
newgrp.source = "${pkgs.shadow.out}/bin/newgrp";
} else {});
};
}

3
nixos/modules/programs/ssmtp.nix
View file

@ -22,7 +22,6 @@ in
directDelivery = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Use the trivial Mail Transfer Agent (MTA)
<command>ssmtp</command> package to allow programs to send
@ -65,7 +64,6 @@ in
useTLS = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether TLS should be used to connect to the default mail
server.
@ -75,7 +73,6 @@ in
useSTARTTLS = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether the STARTTLS should be used to connect to the default
mail server. (This is needed for TLS-capable mail servers

5
nixos/modules/programs/tmux.nix
View file

@ -65,7 +65,6 @@ in {
aggressiveResize = mkOption {
default = false;
example = true;
type = types.bool;
description = ''
Resize the window to the size of the smallest session for which it is the current window.
@ -81,14 +80,12 @@ in {
clock24 = mkOption {
default = false;
example = true;
type = types.bool;
description = "Use 24 hour clock.";
};
customPaneNavigationAndResize = mkOption {
default = false;
example = true;
type = types.bool;
description = "Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.";
};
@ -124,14 +121,12 @@ in {
newSession = mkOption {
default = false;
example = true;
type = types.bool;
description = "Automatically spawn a session if trying to attach and none are running.";
};
reverseSplit = mkOption {
default = false;
example = true;
type = types.bool;
description = "Reverse the window split shortcuts.";
};

2
nixos/modules/programs/venus.nix
View file

@ -45,7 +45,7 @@ in
description = ''
Specification (in the format described by
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>) of the time at
<manvolnum>7</manvolnum></citerefentry>) of the time at
which the Venus will collect feeds.
'';
};

1
nixos/modules/programs/vim.nix
View file

@ -9,7 +9,6 @@ in {
defaultEditor = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
When enabled, installs vim and configures vim to be the default editor
using the EDITOR environment variable.

42
nixos/modules/programs/wireshark.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.wireshark;
wireshark = cfg.package;
in {
options = {
programs.wireshark = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to add Wireshark to the global environment and configure a
setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
'';
};
package = mkOption {
type = types.package;
default = pkgs.wireshark-cli;
defaultText = "pkgs.wireshark-cli";
description = ''
Which Wireshark package to install in the global environment.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ wireshark ];
users.extraGroups.wireshark = {};
security.wrappers.dumpcap = {
source = "${wireshark}/bin/dumpcap";
capabilities = "cap_net_raw+p";
owner = "root";
group = "wireshark";
permissions = "u+rx,g+x";
};
};
}

28
nixos/modules/rename.nix
View file

@ -10,7 +10,6 @@ with lib;
(mkRenamedOptionModule [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ])
(mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
(mkRenamedOptionModule [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ])
(mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
@ -33,6 +32,12 @@ with lib;
(mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])
(mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead")
(mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead")
# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
(mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
@ -101,9 +106,6 @@ with lib;
(mkRenamedOptionModule [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
(mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
# DNSCrypt-proxy
(mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ])
(mkRenamedOptionModule [ "services" "hostapd" "extraCfg" ] [ "services" "hostapd" "extraConfig" ])
# Enlightenment
@ -139,9 +141,6 @@ with lib;
# Unity3D
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
# fontconfig-ultimate
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
# murmur
(mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
@ -176,6 +175,16 @@ with lib;
(mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ])
(mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ])
# KDE Plasma 5
(mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ])
# Fontconfig
(mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "config" "fonts" "fontconfig" "allowBitmaps" ])
(mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "allowType1" ] [ "config" "fonts" "fontconfig" "allowType1" ])
(mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "config" "fonts" "fontconfig" "useEmbeddedBitmaps" ])
(mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "config" "fonts" "fontconfig" "forceAutohint" ])
(mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "config" "fonts" "fontconfig" "renderMonoTTFAsBitmap" ])
# Options that are obsolete and have no replacement.
(mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
(mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
@ -190,5 +199,10 @@ with lib;
"See the 16.09 release notes for more information.")
(mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
(mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
(mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
"Set the option `services.xserver.displayManager.sddm.package' instead.")
(mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
];
}

6
nixos/modules/security/acme.nix
View file

@ -110,7 +110,7 @@ in
description = ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>.
<manvolnum>7</manvolnum></citerefentry>.
'';
};
@ -129,7 +129,7 @@ in
certs = mkOption {
default = { };
type = with types; loaOf (submodule certOpts);
type = with types; attrsOf (submodule certOpts);
description = ''
Attribute set of certificates to get signed and renewed.
'';
@ -178,7 +178,7 @@ in
path = [ pkgs.simp_le ];
preStart = ''
mkdir -p '${cfg.directory}'
chown '${data.user}:${data.group}' '${cfg.directory}'
chown -R '${data.user}:${data.group}' '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi

3
nixos/modules/security/apparmor-suid.nix
View file

@ -19,7 +19,7 @@ with lib;
config = mkIf (cfg.confineSUIDApplications) {
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
#include <tunables/global>
/var/setuid-wrappers/ping {
/run/wrappers/bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
@ -33,7 +33,6 @@ with lib;
${pkgs.attr.out}/lib/libattr.so* mr,
${pkgs.iputils}/bin/ping mixr,
/var/setuid-wrappers/ping.real r,
#/etc/modules.conf r,

2
nixos/modules/security/chromium-suid-sandbox.nix
View file

@ -27,6 +27,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
}

107
nixos/modules/security/dhparams.nix Normal file
View file

@ -0,0 +1,107 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.dhparams;
in
{
options = {
security.dhparams = {
params = mkOption {
description =
''
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The
generated DH params path can be found in
<filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>.
Note: The name of the DH params is taken as being the name of the
service it serves: the params will be generated before the said
service is started.
Warning: If you are removing all dhparams from this list, you have
to leave security.dhparams.enable for at least one activation in
order to have them be cleaned up. This also means if you rollback to
a version without any dhparams the existing ones won't be cleaned
up.
'';
type = with types; attrsOf int;
default = {};
example = { nginx = 3072; };
};
path = mkOption {
description =
''
Path to the directory in which Diffie-Hellman parameters will be
stored.
'';
type = types.str;
default = "/var/lib/dhparams";
};
enable = mkOption {
description =
''
Whether to generate new DH params and clean up old DH params.
'';
default = false;
type = types.bool;
};
};
};
config = mkIf cfg.enable {
systemd.services = {
dhparams-init = {
description = "Cleanup old Diffie-Hellman parameters";
wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
serviceConfig.Type = "oneshot";
script =
# Create directory
''
if [ ! -d ${cfg.path} ]; then
mkdir -p ${cfg.path}
fi
'' +
# Remove old dhparams
''
for file in ${cfg.path}/*; do
if [ ! -f "$file" ]; then
continue
fi
'' + concatStrings (mapAttrsToList (name: value:
''
if [ "$file" == "${cfg.path}/${name}.pem" ] && \
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
continue
fi
''
) cfg.params) +
''
rm $file
done
# TODO: Ideally this would be removing the *former* cfg.path, though this
# does not seem really important as changes to it are quite unlikely
rmdir --ignore-fail-on-non-empty ${cfg.path}
'';
};
} //
mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
after = [ "dhparams-init.service" ];
before = [ "${name}.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script =
''
mkdir -p ${cfg.path}
if [ ! -f ${cfg.path}/${name}.pem ]; then
${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
fi
'';
}) cfg.params;
};
}

3
nixos/modules/security/duosec.nix
View file

@ -187,7 +187,8 @@ in
];
environment.systemPackages = [ pkgs.duo-unix ];
security.setuidPrograms = [ "login_duo" ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
environment.etc = loginCfgFile ++ pamCfgFile;
/* If PAM *and* SSH are enabled, then don't do anything special.

3
nixos/modules/security/grsecurity.nix
View file

@ -21,7 +21,6 @@ in
enable = mkOption {
type = types.bool;
example = true;
default = false;
description = ''
Enable grsecurity/PaX.
@ -30,7 +29,6 @@ in
lockTunables = mkOption {
type = types.bool;
example = false;
default = true;
description = ''
Whether to automatically lock grsecurity tunables
@ -43,7 +41,6 @@ in
disableEfiRuntimeServices = mkOption {
type = types.bool;
example = false;
default = true;
description = ''
Whether to disable access to EFI runtime services. Enabling EFI runtime

6
nixos/modules/security/grsecurity.xml
View file

@ -214,8 +214,8 @@
GRKERNSEC_CONFIG_SERVER y
GRKERNSEC_CONFIG_SECURITY y
'';
};
}
};
};
</programlisting>
</para>
@ -312,7 +312,7 @@
Overflows in boot critical code (e.g., the root filesystem module) can
render the system unbootable. Work around by setting
<programlisting>
boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];
boot.kernelParams = [ "pax_size_overflow_report_only" ];
</programlisting>
</para></listitem>

42
nixos/modules/security/pam.nix
View file

@ -212,6 +212,17 @@ let
'';
};
enableKwallet = mkOption {
default = false;
type = types.bool;
description = ''
If enabled, pam_wallet will attempt to automatically unlock the
user's default KDE wallet upon login. If the user has no wallet named
"kdewallet", or the login password does not match their wallet
password, KDE will prompt separately after login.
'';
};
text = mkOption {
type = types.nullOr types.lines;
description = "Contents of the PAM service file.";
@ -253,6 +264,8 @@ let
"auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
${optionalString cfg.usbAuth
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
'' +
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
@ -260,19 +273,20 @@ let
# prompts the user for password so we run it once with 'required' at an
# earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice
(optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount)) ''
(optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet)) ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
${optionalString cfg.pamMount
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString cfg.enableKwallet
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet}/bin/kwalletd5")}
'') + ''
${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
${optionalString cfg.otpwAuth
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
${optionalString use_ldap
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
${optionalString config.services.sssd.enable
@ -334,6 +348,9 @@ let
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
${optionalString (cfg.enableKwallet)
("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet}/bin/kwalletd5")}
'');
};
@ -472,19 +489,20 @@ in
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
security.setuidPrograms =
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
security.wrappers = {
unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
};
} // (if config.security.pam.enableEcryptfs then {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
} else {});
environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
security.setuidOwners = [ {
program = "unix_chkpwd";
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
} ];
security.pam.services =
{ other.text =
''

8
nixos/modules/security/pam_usb.nix
View file

@ -32,10 +32,12 @@ in
config = mkIf (cfg.enable || anyUsbAuth) {
# pmount need to have a set-uid bit to make pam_usb works in user
# environment. (like su, sudo)
# Make sure pmount and pumount are setuid wrapped.
security.wrappers = {
pmount.source = "${pkgs.pmount.out}/bin/pmount";
pumount.source = "${pkgs.pmount.out}/bin/pumount";
};
security.setuidPrograms = [ "pmount" "pumount" ];
environment.systemPackages = [ pkgs.pmount ];
};

16
nixos/modules/security/polkit.nix
View file

@ -64,7 +64,7 @@ in
systemd.packages = [ pkgs.polkit.out ];
systemd.services.polkit.restartTriggers = [ config.system.path ];
systemd.services.polkit.unitConfig.X-StopIfChanged = false;
systemd.services.polkit.stopIfChanged = false;
# The polkit daemon reads action/rule files
environment.pathsToLink = [ "/share/polkit-1" ];
@ -83,16 +83,10 @@ in
security.pam.services.polkit-1 = {};
security.setuidPrograms = [ "pkexec" ];
security.setuidOwners = [
{ program = "polkit-agent-helper-1";
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
}
];
security.wrappers = {
pkexec.source = "${pkgs.polkit.bin}/bin/pkexec";
"polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};
system.activationScripts.polkit =
''

81
nixos/modules/security/setuid-wrapper.c
View file

@ -1,81 +0,0 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
#include <assert.h>
#include <string.h>
#include <errno.h>
/* Make sure assertions are not compiled out. */
#undef NDEBUG
extern char **environ;
static char * wrapperDir = WRAPPER_DIR;
int main(int argc, char * * argv)
{
char self[PATH_MAX];
int len = readlink("/proc/self/exe", self, sizeof(self) - 1);
assert (len > 0);
self[len] = 0;
/* Make sure that we are being executed from the right location,
i.e., `wrapperDir'. This is to prevent someone from
creating hard link `X' from some other location, along with a
false `X.real' file, to allow arbitrary programs from being
executed setuid. */
assert ((strncmp(self, wrapperDir, strlen(wrapperDir)) == 0) &&
(self[strlen(wrapperDir)] == '/'));
/* Make *really* *really* sure that we were executed as `self',
and not, say, as some other setuid program. That is, our
effective uid/gid should match the uid/gid of `self'. */
//printf("%d %d\n", geteuid(), getegid());
struct stat st;
assert (lstat(self, &st) != -1);
//printf("%d %d\n", st.st_uid, st.st_gid);
assert ((st.st_mode & S_ISUID) == 0 ||
(st.st_uid == geteuid()));
assert ((st.st_mode & S_ISGID) == 0 ||
st.st_gid == getegid());
/* And, of course, we shouldn't be writable. */
assert (!(st.st_mode & (S_IWGRP | S_IWOTH)));
/* Read the path of the real (wrapped) program from <self>.real. */
char realFN[PATH_MAX + 10];
int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", self);
assert (realFNSize < sizeof(realFN));
int fdSelf = open(realFN, O_RDONLY);
assert (fdSelf != -1);
char real[PATH_MAX];
len = read(fdSelf, real, PATH_MAX);
assert (len != -1);
assert (len < sizeof (real));
assert (len > 0);
real[len] = 0;
close(fdSelf);
//printf("real = %s, len = %d\n", real, len);
execve(real, argv, environ);
fprintf(stderr, "%s: cannot run `%s': %s\n",
argv[0], real, strerror(errno));
exit(1);
}

146
nixos/modules/security/setuid-wrappers.nix
View file

@ -1,146 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (config.security) wrapperDir;
setuidWrapper = pkgs.stdenv.mkDerivation {
name = "setuid-wrapper";
unpackPhase = "true";
installPhase = ''
mkdir -p $out/bin
cp ${./setuid-wrapper.c} setuid-wrapper.c
gcc -Wall -O2 -DWRAPPER_DIR=\"/run/setuid-wrapper-dirs\" \
setuid-wrapper.c -o $out/bin/setuid-wrapper
'';
};
in
{
###### interface
options = {
security.setuidPrograms = mkOption {
type = types.listOf types.str;
default = [];
example = ["passwd"];
description = ''
The Nix store cannot contain setuid/setgid programs directly.
For this reason, NixOS can automatically generate wrapper
programs that have the necessary privileges. This option
lists the names of programs in the system environment for
which setuid root wrappers should be created.
'';
};
security.setuidOwners = mkOption {
type = types.listOf types.attrs;
default = [];
example =
[ { program = "sendmail";
owner = "nobody";
group = "postdrop";
setuid = false;
setgid = true;
permissions = "u+rx,g+x,o+x";
}
];
description = ''
This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root).
'';
};
security.wrapperDir = mkOption {
internal = true;
type = types.path;
default = "/var/setuid-wrappers";
description = ''
This option defines the path to the setuid wrappers. It
should generally not be overriden. Some packages in Nixpkgs
expect that <option>wrapperDir</option> is
<filename>/var/setuid-wrappers</filename>.
'';
};
};
###### implementation
config = {
security.setuidPrograms = [ "fusermount" ];
system.activationScripts.setuid =
let
setuidPrograms =
(map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
config.security.setuidPrograms)
++ config.security.setuidOwners;
makeSetuidWrapper =
{ program
, source ? ""
, owner ? "nobody"
, group ? "nogroup"
, setuid ? false
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
}:
''
if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then
# If we can't find the program, fall back to the
# system profile.
source=/nix/var/nix/profiles/default/bin/${program}
fi
cp ${setuidWrapper}/bin/setuid-wrapper $wrapperDir/${program}
echo -n "$source" > $wrapperDir/${program}.real
chmod 0000 $wrapperDir/${program} # to prevent races
chown ${owner}.${group} $wrapperDir/${program}
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
'';
in stringAfter [ "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin
mkdir -p /run/setuid-wrapper-dirs
wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
${concatMapStrings makeSetuidWrapper setuidPrograms}
if [ -L ${wrapperDir} ]; then
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink ${wrapperDir})
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
rm --force --recursive $old
elif [ -d ${wrapperDir} ]; then
# Compatibility with old state, just remove the folder and symlink
rm -f ${wrapperDir}/*
# if it happens to be a tmpfs
${pkgs.utillinux}/bin/umount ${wrapperDir} || true
rm -d ${wrapperDir}
ln -d --symbolic $wrapperDir ${wrapperDir}
else
# For initial setup
ln --symbolic $wrapperDir ${wrapperDir}
fi
'';
};
}

5
nixos/modules/security/sudo.nix
View file

@ -81,7 +81,10 @@ in
${cfg.extraConfig}
'';
security.setuidPrograms = [ "sudo" "sudoedit" ];
security.wrappers = {
sudo.source = "${pkgs.sudo.out}/bin/sudo";
sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";
};
environment.systemPackages = [ sudo ];

228
nixos/modules/security/wrappers/default.nix Normal file
View file

@ -0,0 +1,228 @@
{ config, lib, pkgs, ... }:
let
inherit (config.security) wrapperDir wrappers;
parentWrapperDir = dirOf wrapperDir;
programs =
(lib.mapAttrsToList
(n: v: (if v ? "program" then v else v // {program=n;}))
wrappers);
securityWrapper = pkgs.stdenv.mkDerivation {
name = "security-wrapper";
phases = [ "installPhase" "fixupPhase" ];
buildInputs = [ pkgs.libcap pkgs.libcap_ng pkgs.linuxHeaders ];
hardeningEnable = [ "pie" ];
installPhase = ''
mkdir -p $out/bin
gcc -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper
'';
};
###### Activation script for the setcap wrappers
mkSetcapProgram =
{ program
, capabilities
, source
, owner ? "nobody"
, group ? "nogroup"
, permissions ? "u+rx,g+x,o+x"
, ...
}:
assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
''
cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
echo -n "${source}" > $wrapperDir/${program}.real
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
# Set the executable bit
chmod ${permissions} $wrapperDir/${program}
'';
###### Activation script for the setuid wrappers
mkSetuidProgram =
{ program
, source
, owner ? "nobody"
, group ? "nogroup"
, setuid ? false
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
, ...
}:
''
cp ${securityWrapper}/bin/security-wrapper $wrapperDir/${program}
echo -n "${source}" > $wrapperDir/${program}.real
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
'';
mkWrappedPrograms =
builtins.map
(s: if (s ? "capabilities")
then mkSetcapProgram
({ owner = "root";
group = "root";
} // s)
else if
(s ? "setuid" && s.setuid == true) ||
(s ? "setguid" && s.setguid == true) ||
(s ? "permissions")
then mkSetuidProgram s
else mkSetuidProgram
({ owner = "root";
group = "root";
setuid = true;
setgid = false;
permissions = "u+rx,g+x,o+x";
} // s)
) programs;
in
{
###### interface
options = {
security.wrappers = lib.mkOption {
type = lib.types.attrs;
default = {};
example = lib.literalExample
''
{ sendmail.source = "/nix/store/.../bin/sendmail";
ping = {
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
};
}
'';
description = ''
This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root).
<note>
<para>The sub-attribute <literal>source</literal> is mandatory,
it must be the absolute path to the program to be wrapped.
</para>
<para>The sub-attribute <literal>program</literal> is optional and
can give the wrapper program a new name. The default name is the same
as the attribute name itself.</para>
<para>Additionally, this option can set capabilities on a
wrapper program that propagates those capabilities down to the
wrapped, real program.</para>
<para>NOTE: cap_setpcap, which is required for the wrapper
program to be able to raise caps into the Ambient set is NOT
raised to the Ambient set so that the real program cannot
modify its own capabilities!! This may be too restrictive for
cases in which the real program needs cap_setpcap but it at
least leans on the side security paranoid vs. too
relaxed.</para>
</note>
'';
};
security.wrapperDir = lib.mkOption {
type = lib.types.path;
default = "/run/wrappers/bin";
internal = true;
description = ''
This option defines the path to the wrapper programs. It
should not be overriden.
'';
};
};
###### implementation
config = {
security.wrappers.fusermount.source = "${pkgs.fuse}/bin/fusermount";
boot.specialFileSystems.${parentWrapperDir} = {
fsType = "tmpfs";
options = [ "nodev" ];
};
# Make sure our wrapperDir exports to the PATH env variable when
# initializing the shell
environment.extraInit = ''
# Wrappers override other bin directories.
export PATH="${wrapperDir}:$PATH"
'';
###### setcap activation script
system.activationScripts.wrappers =
lib.stringAfter [ "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
# Remove the old /var/setuid-wrappers path from the system...
#
# TODO: this is only necessary for upgrades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if [ -d /var/setuid-wrappers ]; then
rm -rf /var/setuid-wrappers
ln -s /run/wrappers/bin /var/setuid-wrappers
fi
# Remove the old /run/setuid-wrappers-dir path from the
# system as well...
#
# TODO: this is only necessary for upgrades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if [ -d /run/setuid-wrapper-dirs ]; then
rm -rf /run/setuid-wrapper-dirs
ln -s /run/wrappers/bin /run/setuid-wrapper-dirs
fi
# TODO: this is only necessary for upgrades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if readlink -f /run/booted-system | grep nixos-17 > /dev/null; then
rm -rf /run/setuid-wrapper-dirs
rm -rf /var/setuid-wrappers
fi
# We want to place the tmpdirs for the wrappers to the parent dir.
wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
${lib.concatStringsSep "\n" mkWrappedPrograms}
if [ -L ${wrapperDir} ]; then
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink -f ${wrapperDir})
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
rm --force --recursive $old
else
# For initial setup
ln --symbolic $wrapperDir ${wrapperDir}
fi
'';
};
}

239
nixos/modules/security/wrappers/wrapper.c Normal file
View file

@ -0,0 +1,239 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dirent.h>
#include <assert.h>
#include <errno.h>
#include <linux/capability.h>
#include <sys/capability.h>
#include <linux/prctl.h>
#include <sys/prctl.h>
#include <cap-ng.h>
// Make sure assertions are not compiled out, we use them to codify
// invariants about this program and we want it to fail fast and
// loudly if they are violated.
#undef NDEBUG
extern char **environ;
// The WRAPPER_DIR macro is supplied at compile time so that it cannot
// be changed at runtime
static char * wrapperDir = WRAPPER_DIR;
// Wrapper debug variable name
static char * wrapperDebug = "WRAPPER_DEBUG";
// Update the capabilities of the running process to include the given
// capability in the Ambient set.
static void set_ambient_cap(cap_value_t cap)
{
capng_get_caps_process();
if (capng_update(CAPNG_ADD, CAPNG_INHERITABLE, (unsigned long) cap))
{
perror("cannot raise the capability into the Inheritable set\n");
exit(1);
}
capng_apply(CAPNG_SELECT_CAPS);
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long) cap, 0, 0))
{
perror("cannot raise the capability into the Ambient set\n");
exit(1);
}
}
// Given the path to this program, fetch its configured capability set
// (as set by `setcap ... /path/to/file`) and raise those capabilities
// into the Ambient set.
static int make_caps_ambient(const char *selfPath)
{
cap_t caps = cap_get_file(selfPath);
if(!caps)
{
if(getenv(wrapperDebug))
fprintf(stderr, "no caps set or could not retrieve the caps for this file, not doing anything...");
return 1;
}
// We use `cap_to_text` and iteration over the tokenized result
// string because, as of libcap's current release, there is no
// facility for retrieving an array of `cap_value_t`'s that can be
// given to `prctl` in order to lift that capability into the
// Ambient set.
//
// Some discussion was had around shot-gunning all of the
// capabilities we know about into the Ambient set but that has a
// security smell and I deemed the risk of the current
// implementation crashing the program to be lower than the risk
// of a privilege escalation security hole being introduced by
// raising all capabilities, even ones we didn't intend for the
// program, into the Ambient set.
//
// `cap_t` which is returned by `cap_get_*` is an opaque type and
// even if we could retrieve the bitmasks (which, as far as I can
// tell we cannot) in order to get the `cap_value_t`
// representation for each capability we would have to take the
// total number of capabilities supported and iterate over the
// sequence of integers up-to that maximum total, testing each one
// against the bitmask ((bitmask >> n) & 1) to see if it's set and
// aggregating each "capability integer n" that is set in the
// bitmask.
//
// That, combined with the fact that we can't easily get the
// bitmask anyway seemed much more brittle than fetching the
// `cap_t`, transforming it into a textual representation,
// tokenizing the string, and using `cap_from_name` on the token
// to get the `cap_value_t` that we need for `prctl`. There is
// indeed risk involved if the output string format of
// `cap_to_text` ever changes but at this time the combination of
// factors involving the below list have led me to the conclusion
// that the best implementation at this time is reading then
// parsing with *lots of documentation* about why we're doing it
// this way.
//
// 1. No explicit API for fetching an array of `cap_value_t`'s or
// for transforming a `cap_t` into such a representation
// 2. The risk of a crash is lower than lifting all capabilities
// into the Ambient set
// 3. libcap is depended on heavily in the Linux ecosystem so
// there is a high chance that the output representation of
// `cap_to_text` will not change which reduces our risk that
// this parsing step will cause a crash
//
// The preferred method, should it ever be available in the
// future, would be to use libcap API's to transform the result
// from a `cap_get_*` into an array of `cap_value_t`'s that can
// then be given to prctl.
//
// - Parnell
ssize_t capLen;
char* capstr = cap_to_text(caps, &capLen);
cap_free(caps);
// TODO: For now, we assume that cap_to_text always starts its
// result string with " =" and that the first capability is listed
// immediately after that. We should verify this.
assert(capLen >= 2);
capstr += 2;
char* saveptr = NULL;
for(char* tok = strtok_r(capstr, ",", &saveptr); tok; tok = strtok_r(NULL, ",", &saveptr))
{
cap_value_t capnum;
if (cap_from_name(tok, &capnum))
{
if(getenv(wrapperDebug))
fprintf(stderr, "cap_from_name failed, skipping: %s", tok);
}
else if (capnum == CAP_SETPCAP)
{
// Check for the cap_setpcap capability, we set this on the
// wrapper so it can elevate the capabilities to the Ambient
// set but we do not want to propagate it down into the
// wrapped program.
//
// TODO: what happens if that's the behavior you want
// though???? I'm preferring a strict vs. loose policy here.
if(getenv(wrapperDebug))
fprintf(stderr, "cap_setpcap in set, skipping it\n");
}
else
{
set_ambient_cap(capnum);
if(getenv(wrapperDebug))
fprintf(stderr, "raised %s into the Ambient capability set\n", tok);
}
}
cap_free(capstr);
return 0;
}
int main(int argc, char * * argv)
{
// I *think* it's safe to assume that a path from a symbolic link
// should safely fit within the PATH_MAX system limit. Though I'm
// not positive it's safe...
char selfPath[PATH_MAX];
int selfPathSize = readlink("/proc/self/exe", selfPath, sizeof(selfPath));
assert(selfPathSize > 0);
// Assert we have room for the zero byte, this ensures the path
// isn't being truncated because it's too big for the buffer.
//
// A better way to handle this might be to use something like the
// whereami library (https://github.com/gpakosz/whereami) or a
// loop that resizes the buffer and re-reads the link if the
// contents are being truncated.
assert(selfPathSize < sizeof(selfPath));
// Set the zero byte since readlink doesn't do that for us.
selfPath[selfPathSize] = '\0';
// Make sure that we are being executed from the right location,
// i.e., `safeWrapperDir'. This is to prevent someone from creating
// hard link `X' from some other location, along with a false
// `X.real' file, to allow arbitrary programs from being executed
// with elevated capabilities.
int len = strlen(wrapperDir);
if (len > 0 && '/' == wrapperDir[len - 1])
--len;
assert(!strncmp(selfPath, wrapperDir, len));
assert('/' == wrapperDir[0]);
assert('/' == selfPath[len]);
// Make *really* *really* sure that we were executed as
// `selfPath', and not, say, as some other setuid program. That
// is, our effective uid/gid should match the uid/gid of
// `selfPath'.
struct stat st;
assert(lstat(selfPath, &st) != -1);
assert(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid()));
assert(!(st.st_mode & S_ISGID) || (st.st_gid == getegid()));
// And, of course, we shouldn't be writable.
assert(!(st.st_mode & (S_IWGRP | S_IWOTH)));
// Read the path of the real (wrapped) program from <self>.real.
char realFN[PATH_MAX + 10];
int realFNSize = snprintf (realFN, sizeof(realFN), "%s.real", selfPath);
assert (realFNSize < sizeof(realFN));
int fdSelf = open(realFN, O_RDONLY);
assert (fdSelf != -1);
char sourceProg[PATH_MAX];
len = read(fdSelf, sourceProg, PATH_MAX);
assert (len != -1);
assert (len < sizeof(sourceProg));
assert (len > 0);
sourceProg[len] = 0;
close(fdSelf);
// Read the capabilities set on the wrapper and raise them in to
// the Ambient set so the program we're wrapping receives the
// capabilities too!
make_caps_ambient(selfPath);
execve(sourceProg, argv, environ);
fprintf(stderr, "%s: cannot run `%s': %s\n",
argv[0], sourceProg, strerror(errno));
exit(1);
}

19
nixos/modules/services/audio/mpd.nix
View file

@ -4,6 +4,8 @@ with lib;
let
name = "mpd";
uid = config.ids.uids.mpd;
gid = config.ids.gids.mpd;
cfg = config.services.mpd;
@ -54,13 +56,14 @@ in {
description = ''
Extra directives added to to the end of MPD's configuration file,
mpd.conf. Basic configuration like file location and uid/gid
is added automatically to the beginning of the file.
is added automatically to the beginning of the file. For available
options see <literal>man 5 mpd.conf</literal>'.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/mpd";
default = "/var/lib/${name}";
description = ''
The directory where MPD stores its state, tag cache,
playlists etc.
@ -69,13 +72,13 @@ in {
user = mkOption {
type = types.str;
default = "mpd";
default = name;
description = "User account under which MPD runs.";
};
group = mkOption {
type = types.str;
default = "mpd";
default = name;
description = "Group account under which MPD runs.";
};
@ -131,17 +134,17 @@ in {
};
};
users.extraUsers = optionalAttrs (cfg.user == "mpd") (singleton {
users.extraUsers = optionalAttrs (cfg.user == name) (singleton {
inherit uid;
name = "mpd";
inherit name;
group = cfg.group;
extraGroups = [ "audio" ];
description = "Music Player Daemon user";
home = "${cfg.dataDir}";
});
users.extraGroups = optionalAttrs (cfg.group == "mpd") (singleton {
name = "mpd";
users.extraGroups = optionalAttrs (cfg.group == name) (singleton {
inherit name;
gid = gid;
});
};

1
nixos/modules/services/backup/rsnapshot.nix
View file

@ -26,7 +26,6 @@ in
enableManualRsnapshot = mkOption {
description = "Whether to enable manual usage of the rsnapshot command with this module.";
default = true;
example = false;
type = types.bool;
};

106
nixos/modules/services/backup/sitecopy-backup.nix
View file

@ -1,106 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) sitecopy;
stateDir = "/var/spool/sitecopy";
sitecopyCron = backup : ''
${if backup ? period then backup.period else config.services.sitecopy.period} root ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${backup.name}.conf --update ${backup.name} >> /var/log/sitecopy.log 2>&1
'';
in
{
options = {
services.sitecopy = {
enable = mkOption {
default = false;
description = ''
Whether to enable <command>sitecopy</command> backups of specified
directories.
'';
};
period = mkOption {
default = "15 04 * * *";
description = ''
This option defines (in the format used by <command>cron</command>)
when the <command>sitecopy</command> backups are to be run.
The default is to update at 04:15 (at night) every day.
'';
};
backups = mkOption {
example = [
{ name = "test";
local = "/tmp/backup";
remote = "/staff-groups/ewi/st/strategoxt/backup/test";
server = "webdata.tudelft.nl";
protocol = "webdav";
https = true ;
symlinks = "maintain" ;
}
];
default = [];
description = ''
List of attribute sets describing the backups.
Username/password are extracted from
<filename>${stateDir}/sitecopy.secrets</filename> at activation
time. The secrets file lines should have the following structure:
<screen>
server username password
</screen>
'';
};
};
};
config = mkIf config.services.sitecopy.enable {
environment.systemPackages = [ sitecopy ];
services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "users" ]
''
mkdir -m 0700 -p ${stateDir}
chown root ${stateDir}
touch ${stateDir}/sitecopy.secrets
chown root ${stateDir}/sitecopy.secrets
${lib.concatStrings (map ( b: ''
unset secrets
unset secret
secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
secret=($secrets)
cat > ${stateDir}/${b.name}.conf << EOF
site ${b.name}
server ${b.server}
protocol ${b.protocol}
username ''${secret[1]}
password ''${secret[2]}
local ${b.local}
remote ${b.remote}
symlinks ${b.symlinks}
${if b.https then "http secure" else ""}
EOF
chmod 0600 ${stateDir}/${b.name}.conf
if ! test -e ${stateDir}/${b.name} ; then
echo " * Initializing sitecopy '${b.name}'"
${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${b.name}.conf --initialize ${b.name}
else
echo " * Sitecopy '${b.name}' already initialized"
fi
'' ) config.services.sitecopy.backups
)}
'';
};
}

3
nixos/modules/services/cluster/kubernetes.nix
View file

@ -76,6 +76,7 @@ in {
description = "Kubernetes package to use.";
type = types.package;
default = pkgs.kubernetes;
defaultText = "pkgs.kubernetes";
};
verbose = mkOption {
@ -775,7 +776,7 @@ in {
--bind-address=${cfg.proxy.address} \
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
${cfg.controllerManager.extraOpts}
${cfg.proxy.extraOpts}
'';
WorkingDirectory = cfg.dataDir;
};

2
nixos/modules/services/computing/boinc/client.nix
View file

@ -12,7 +12,6 @@ in
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether to enable the BOINC distributed computing client. If this
option is set to true, the boinc_client daemon will be run as a
@ -41,7 +40,6 @@ in
allowRemoteGuiRpc = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
If set to true, any remote host can connect to and control this BOINC
client (subject to password authentication). If instead set to false,

29
nixos/modules/services/continuous-integration/buildbot/master.nix
View file

@ -28,7 +28,7 @@ let
${cfg.extraConfig}
''
else pkgs.writeText "master.cfg" cfg.masterCfg;
else cfg.masterCfg;
in {
options = {
@ -66,13 +66,10 @@ in {
};
masterCfg = mkOption {
type = types.str;
description = ''
Optionally pass raw master.cfg file as string.
Other options in this configuration will be ignored.
'';
type = types.nullOr types.path;
description = "Optionally pass master.cfg path. Other options in this configuration will be ignored.";
default = null;
example = "BuildmasterConfig = c = {}";
example = "/etc/nixos/buildbot/master.cfg";
};
schedulers = mkOption {
@ -88,7 +85,7 @@ in {
type = types.listOf types.str;
description = "List of Builders.";
default = [
"util.BuilderConfig(name='runtests',workernames=['default-worker'],factory=factory)"
"util.BuilderConfig(name='runtests',workernames=['example-worker'],factory=factory)"
];
};
@ -121,7 +118,7 @@ in {
extraGroups = mkOption {
type = types.listOf types.str;
default = [ "nixbld" ];
default = [];
description = "List of extra groups that the buildbot user should be a part of.";
};
@ -183,16 +180,14 @@ in {
package = mkOption {
type = types.package;
default = pkgs.buildbot-ui;
description = ''
Package to use for buildbot.
<literal>buildbot-full</literal> is required in order to use local workers.
'';
example = pkgs.buildbot-full;
defaultText = "pkgs.buildbot-ui";
description = "Package to use for buildbot.";
example = literalExample "pkgs.buildbot-full";
};
packages = mkOption {
default = [ ];
example = [ pkgs.git ];
example = literalExample "[ pkgs.git ]";
type = types.listOf types.package;
description = "Packages to add to PATH for the buildbot process.";
};
@ -222,11 +217,11 @@ in {
path = cfg.packages;
serviceConfig = {
Type = "forking";
Type = "simple";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.home;
ExecStart = "${cfg.package}/bin/buildbot start ${cfg.buildbotDir}";
ExecStart = "${cfg.package}/bin/buildbot start --nodaemon ${cfg.buildbotDir}";
};
preStart = ''

16
nixos/modules/services/continuous-integration/buildbot/worker.nix
View file

@ -31,7 +31,7 @@ in {
extraGroups = mkOption {
type = types.listOf types.str;
default = [ "nixbld" ];
default = [];
description = "List of extra groups that the Buildbot Worker user should be a part of.";
};
@ -68,13 +68,14 @@ in {
package = mkOption {
type = types.package;
default = pkgs.buildbot-worker;
defaultText = "pkgs.buildbot-worker";
description = "Package to use for buildbot worker.";
example = pkgs.buildbot-worker;
example = literalExample "pkgs.buildbot-worker";
};
packages = mkOption {
default = [ ];
example = [ pkgs.git ];
example = literalExample "[ pkgs.git ]";
type = types.listOf types.package;
description = "Packages to add to PATH for the buildbot process.";
};
@ -100,24 +101,21 @@ in {
systemd.services.buildbot-worker = {
description = "Buildbot Worker.";
after = [ "network.target" ];
after = [ "network.target" "buildbot-master.service" ];
wantedBy = [ "multi-user.target" ];
wants = [ "buildbot-master.service" ];
path = cfg.packages;
preStart = ''
# NOTE: ensure master has time to start in case running on localhost
${pkgs.coreutils}/bin/sleep 4
${pkgs.coreutils}/bin/mkdir -vp ${cfg.buildbotDir}
${cfg.package}/bin/buildbot-worker create-worker ${cfg.buildbotDir} ${cfg.masterUrl} ${cfg.workerUser} ${cfg.workerPass}
'';
serviceConfig = {
Type = "forking";
Type = "simple";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.home;
ExecStart = "${cfg.package}/bin/buildbot-worker start ${cfg.buildbotDir}";
ExecStart = "${cfg.package}/bin/buildbot-worker start --nodaemon ${cfg.buildbotDir}";
};
};

13
nixos/modules/services/continuous-integration/gitlab-runner.nix
View file

@ -20,6 +20,14 @@ in
description = "The working directory used";
};
package = mkOption {
description = "Gitlab Runner package to use";
default = pkgs.gitlab-runner;
defaultText = "pkgs.gitlab-runner";
type = types.package;
example = literalExample "pkgs.gitlab-runner_1_11";
};
};
config = mkIf cfg.enable {
@ -29,7 +37,7 @@ in
requires = [ "docker.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''${pkgs.gitlab-runner.bin}/bin/gitlab-runner run \
ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
--working-directory ${cfg.workDir} \
--config ${configFile} \
--service gitlab-runner \
@ -38,6 +46,9 @@ in
};
};
# Make the gitlab-runner command availabe so users can query the runner
environment.systemPackages = [ cfg.package ];
users.extraUsers.gitlab-runner = {
group = "gitlab-runner";
extraGroups = [ "docker" ];

26
nixos/modules/services/continuous-integration/jenkins/job-builder.nix
View file

@ -29,6 +29,22 @@ in {
'';
};
accessUser = mkOption {
default = "";
type = types.str;
description = ''
User id in Jenkins used to reload config.
'';
};
accessToken = mkOption {
default = "";
type = types.str;
description = ''
User token in Jenkins used to reload config.
'';
};
yamlJobs = mkOption {
default = "";
type = types.lines;
@ -110,6 +126,11 @@ in {
# Stamp file is placed in $JENKINS_HOME/jobs/$JOB_NAME/ to indicate
# ownership. Enables tracking and removal of stale jobs.
ownerStamp = ".config-xml-managed-by-nixos-jenkins-job-builder";
reloadScript = ''
echo "Asking Jenkins to reload config"
CRUMB=$(curl -s 'http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl --silent -X POST -H "$CRUMB" http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/reload
'';
in
''
rm -rf ${jobBuilderOutputDir}
@ -142,10 +163,7 @@ in {
echo "Deleting stale job \"$jobname\""
rm -rf "$jobdir"
done
echo "Asking Jenkins to reload config"
curl --silent -X POST http://${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/reload
'';
'' + (if cfg.accessUser != "" then reloadScript else "");
serviceConfig = {
User = jenkinsCfg.user;
RuntimeDirectory = "jenkins-job-builder";

1
nixos/modules/services/databases/cassandra.nix
View file

@ -310,7 +310,6 @@ in {
autoBootstrap = mkOption {
description = "It makes new (non-seed) nodes automatically migrate the right data to themselves.";
default = true;
example = true;
type = types.bool;
};
streamingSocketTimoutInMS = mkOption {

30
nixos/modules/services/databases/couchdb.nix
View file

@ -4,20 +4,29 @@ with lib;
let
cfg = config.services.couchdb;
configFile = pkgs.writeText "couchdb.ini"
useVersion2 = strings.versionAtLeast (strings.getVersion cfg.package) "2.0";
configFile = pkgs.writeText "couchdb.ini" (
''
[couchdb]
database_dir = ${cfg.databaseDir}
uri_file = ${cfg.uriFile}
view_index_dir = ${cfg.viewIndexDir}
'' + (if useVersion2 then
''
[chttpd]
'' else
''
[httpd]
'') +
''
port = ${toString cfg.port}
bind_address = ${cfg.bindAddress}
[log]
file = ${cfg.logFile}
'';
'');
executable = if useVersion2 then "${cfg.package}/bin/couchdb"
else ''${cfg.package}/bin/couchdb -a ${configFile} -a ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} -a ${cfg.configFile}'';
in {
@ -130,7 +139,6 @@ in {
configFile = mkOption {
type = types.string;
default = "/var/lib/couchdb/couchdb.ini";
description = ''
Configuration file for persisting runtime changes. File
needs to be readable and writable from couchdb user/group.
@ -147,6 +155,9 @@ in {
environment.systemPackages = [ cfg.package ];
services.couchdb.configFile = mkDefault
(if useVersion2 then "/var/lib/couchdb/local.ini" else "/var/lib/couchdb/couchdb.ini");
systemd.services.couchdb = {
description = "CouchDB Server";
wantedBy = [ "multi-user.target" ];
@ -170,11 +181,20 @@ in {
fi
'';
environment = mkIf useVersion2 {
# we are actually specifying 4 configuration files:
# 1. the preinstalled default.ini
# 2. the module configuration
# 3. the extraConfig from the module options
# 4. the locally writable config file, which couchdb itself writes to
ERL_FLAGS= ''-couch_ini ${cfg.package}/etc/default.ini ${configFile} ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} ${cfg.configFile}'';
};
serviceConfig = {
PermissionsStartOnly = true;
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/couchdb -a ${configFile} -a ${pkgs.writeText "couchdb-extra.ini" cfg.extraConfig} -a ${cfg.configFile}";
ExecStart = executable;
};
};

17
nixos/modules/services/databases/neo4j.nix
View file

@ -27,12 +27,17 @@ let
''}
dbms.shell.enabled=true
${cfg.extraServerConfig}
'';
wrapperConfig = pkgs.writeText "neo4j-wrapper.conf" ''
# Default JVM parameters from neo4j.conf
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
dbms.jvm.additional=-XX:+AlwaysPreTouch
dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions
dbms.jvm.additional=-XX:+TrustFinalNonStaticFields
dbms.jvm.additional=-XX:+DisableExplicitGC
dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048
dbms.jvm.additional=-Dunsupported.dbms.udc.source=tarball
dbms.jvm.additional=-XX:+UseConcMarkSweepGC
dbms.jvm.additional=-XX:+CMSClassUnloadingEnabled
'';
in {
@ -123,16 +128,16 @@ in {
ExecStart = "${cfg.package}/bin/neo4j console";
User = "neo4j";
PermissionsStartOnly = true;
LimitNOFILE = 40000;
};
preStart = ''
mkdir -m 0700 -p ${cfg.dataDir}/{data/graph.db,conf,logs}
ln -fs ${serverConfig} ${cfg.dataDir}/conf/neo4j.conf
ln -fs ${wrapperConfig} ${cfg.dataDir}/conf/neo4j-wrapper.conf
if [ "$(id -u)" = 0 ]; then chown -R neo4j ${cfg.dataDir}; fi
'';
};
environment.systemPackages = [ pkgs.neo4j ];
environment.systemPackages = [ cfg.package ];
users.extraUsers = singleton {
name = "neo4j";

Some files were not shown because too many files have changed in this diff Show more