swendel/nixpkgs
1
0
Fork 0
mirror of https://github.com/SebastianWendel/nixpkgs.git synced 2024-09-26 23:20:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit 'da421bc' into p/texlive-2016

Browse source 
... to allow renaming the directory.
This commit is contained in:
Vladimír Čunát 2016-09-04 14:52:04 +02:00
parent d401df0d24 da421bc75f
commit 171f7d974d
4322 changed files with 86188 additions and 999209 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.github/PULL_REQUEST_TEMPLATE.md vendored
View file

@ -4,8 +4,8 @@
###### Things done
- [ ] Tested using sandboxing
([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS,
or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
([nix.useChroot](http://nixos.org/nixos/manual/options.html#opt-nix.useChroot) on NixOS,
or option `build-use-chroot` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
on non-NixOS)
- Built on platform(s)
- [ ] NixOS

22
.travis.yml
View file

@ -1,14 +1,22 @@
language: nix
matrix:
allow_failures:
- os: osx
include:
- os: linux
language: generic
sudo: false
script:
- ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball
- ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
- os: linux
sudo: required
dist: trusty
before_script:
- sudo mount -o remount,exec,size=2G,mode=755 /run/user
script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
- os: osx
language: generic
osx_image: xcode7.3
before_install: ./maintainers/scripts/travis-nox-review-pr.sh nix
install: ./maintainers/scripts/travis-nox-review-pr.sh nox
script: ./maintainers/scripts/travis-nox-review-pr.sh build
script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
git:
depth: 1
env:
global:
- GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f

3
README.md
View file

@ -1,6 +1,7 @@
[<img src="http://nixos.org/logo/nixos-hires.png" width="500px" alt="logo" />](https://nixos.org/nixos)
[![Build Status](https://travis-ci.org/NixOS/nixpkgs.svg?branch=master)](https://travis-ci.org/NixOS/nixpkgs)
[![Code Triagers Badge](https://www.codetriage.com/nixos/nixpkgs/badges/users.svg)](https://www.codetriage.com/nixos/nixpkgs)
[![Issue Stats](http://www.issuestats.com/github/nixos/nixpkgs/badge/pr?style=flat)](http://www.issuestats.com/github/nixos/nixpkgs)
[![Issue Stats](http://www.issuestats.com/github/nixos/nixpkgs/badge/issue?style=flat)](http://www.issuestats.com/github/nixos/nixpkgs)
@ -31,7 +32,7 @@ For pull-requests, please rebase onto nixpkgs `master`.
* [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language)
* [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
* [Manual (NixOS)](https://nixos.org/nixos/manual/)
* [Nix Wiki](https://nixos.org/wiki/)
* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for 16.03 release](https://hydra.nixos.org/jobset/nixos/release-16.03)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)

2
default.nix
View file

@ -6,4 +6,4 @@ if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.
else
import ./pkgs/top-level
import ./pkgs/top-level/impure.nix

29
doc/coding-conventions.xml
View file

@ -251,16 +251,13 @@ bound to the variable name <varname>e2fsprogs</varname> in
<listitem><para>The version part of the <literal>name</literal>
attribute <emphasis>must</emphasis> start with a digit (following a
dash) — e.g., <literal>"hello-0.3-pre-r3910"</literal> instead of
<literal>"hello-svn-r3910"</literal>, as the latter would be seen as
a package named <literal>hello-svn</literal> by
<command>nix-env</command>.</para></listitem>
dash) — e.g., <literal>"hello-0.3.1rc2"</literal>.</para></listitem>
<listitem><para>If package is fetched from git's commit then
<listitem><para>If a package is not a release but a commit from a repository, then
the version part of the name <emphasis>must</emphasis> be the date of that
(fetched) commit. The date must be in <literal>"YYYY-MM-DD"</literal> format.
Also add <literal>"git"</literal> to the name - e.g.,
<literal>"pkgname-git-2014-09-23"</literal>.</para></listitem>
Also append <literal>"unstable"</literal> to the name - e.g.,
<literal>"pkgname-unstable-2014-09-23"</literal>.</para></listitem>
<listitem><para>Dashes in the package name should be preserved
in new variable names, rather than converted to underscores
@ -662,4 +659,22 @@ src = fetchFromGitHub {
</itemizedlist>
</para>
</section>
<section xml:id="sec-patches"><title>Patches</title>
<para>Only patches that are unique to <literal>nixpkgs</literal> should be
included in <literal>nixpkgs</literal> source.</para>
<para>Patches available online should be retrieved using
<literal>fetchpatch</literal>.</para>
<para>
<programlisting>
patches = [
(fetchpatch {
name = "fix-check-for-using-shared-freetype-lib.patch";
url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=8f5d285";
sha256 = "1f0k043rng7f0rfl9hhb89qzvvksqmkrikmm38p61yfx51l325xr";
})
];
</programlisting>
</para>
</section>
</chapter>

34
doc/default.nix
View file

@ -1,14 +1,14 @@
with import ./.. { };
with lib;
let
sources = sourceFilesBySuffices ./. [".xml"];
pkgs = import ./.. { };
lib = pkgs.lib;
sources = lib.sourceFilesBySuffices ./. [".xml"];
sources-langs = ./languages-frameworks;
in
stdenv.mkDerivation {
pkgs.stdenv.mkDerivation {
name = "nixpkgs-manual";
buildInputs = [ pandoc libxml2 libxslt ];
buildInputs = with pkgs; [ pandoc libxml2 libxslt zip ];
xsltFlags = ''
--param section.autolabel 1
@ -26,7 +26,7 @@ stdenv.mkDerivation {
extraHeader = ''xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" '';
in ''
{
pandoc '${inputFile}' -w docbook ${optionalString useChapters "--chapters"} \
pandoc '${inputFile}' -w docbook ${lib.optionalString useChapters "--chapters"} \
--smart \
| sed -e 's|<ulink url=|<link xlink:href=|' \
-e 's|</ulink>|</link>|' \
@ -57,33 +57,43 @@ stdenv.mkDerivation {
outputFile = "./languages-frameworks/haskell.xml";
}
+ toDocbook {
inputFile = ./../pkgs/development/idris-modules/README.md;
inputFile = ../pkgs/development/idris-modules/README.md;
outputFile = "languages-frameworks/idris.xml";
}
+ toDocbook {
inputFile = ./../pkgs/development/r-modules/README.md;
inputFile = ../pkgs/development/r-modules/README.md;
outputFile = "languages-frameworks/r.xml";
}
+ ''
echo ${nixpkgsVersion} > .version
echo ${lib.nixpkgsVersion} > .version
# validate against relaxng schema
xmllint --nonet --xinclude --noxincludenode manual.xml --output manual-full.xml
${jing}/bin/jing ${docbook5}/xml/rng/docbook/docbook.rng manual-full.xml
${pkgs.jing}/bin/jing ${pkgs.docbook5}/xml/rng/docbook/docbook.rng manual-full.xml
dst=$out/share/doc/nixpkgs
mkdir -p $dst
xsltproc $xsltFlags --nonet --xinclude \
--output $dst/manual.html \
${docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
${pkgs.docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
./manual.xml
cp ${./style.css} $dst/style.css
mkdir -p $dst/images/callouts
cp "${docbook5_xsl}/xml/xsl/docbook/images/callouts/"*.gif $dst/images/callouts/
cp "${pkgs.docbook5_xsl}/xml/xsl/docbook/images/callouts/"*.gif $dst/images/callouts/
mkdir -p $out/nix-support
echo "doc manual $dst manual.html" >> $out/nix-support/hydra-build-products
xsltproc $xsltFlags --nonet --xinclude \
--output $dst/epub/ \
${pkgs.docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl \
./manual.xml
cp -r $dst/images $dst/epub/OEBPS
echo "application/epub+zip" > mimetype
zip -0Xq "$dst/Nixpkgs Contributors Guide - NixOS community.epub" mimetype
zip -Xr9D "$dst/Nixpkgs Contributors Guide - NixOS community.epub" $dst/epub/*
'';
}

52
doc/functions.xml
View file

@ -89,27 +89,27 @@ in ...</programlisting>
<title>&lt;pkg&gt;.overrideDerivation</title>
<warning>
<para>Do not use this function in Nixpkgs. Because it breaks
package abstraction and doesnt provide error checking for
function arguments, it is only intended for ad-hoc customisation
(such as in <filename>~/.nixpkgs/config.nix</filename>).
</para>
<para>
Additionally, <varname>overrideDerivation</varname> forces an evaluation
of the Derivation which can be quite a performance penalty if there are many
overrides used.
<para>Do not use this function in Nixpkgs as it evaluates a Derivation
before modifying it, which breaks package abstraction and removes
error-checking of function arguments. In addition, this
evaluation-per-function application incurs a performance penalty,
which can become a problem if many overrides are used.
It is only intended for ad-hoc customisation, such as in
<filename>~/.nixpkgs/config.nix</filename>.
</para>
</warning>
<para>
The function <varname>overrideDerivation</varname> is usually available for all the
derivations in the nixpkgs expression (<varname>pkgs</varname>).
The function <varname>overrideDerivation</varname> creates a new derivation
based on an existing one by overriding the original's attributes with
the attribute set produced by the specified function.
This function is available on all
derivations defined using the <varname>makeOverridable</varname> function.
Most standard derivation-producing functions, such as
<varname>stdenv.mkDerivation</varname>, are defined using this
function, which means most packages in the nixpkgs expression,
<varname>pkgs</varname>, have this function.
</para>
<para>
It is used to create a new derivation by overriding the attributes of
the original derivation according to the given function.
</para>
<para>
Example usage:
@ -125,9 +125,9 @@ in ...</programlisting>
</para>
<para>
In the above example, the name, src and patches of the derivation
will be overridden, while all other attributes will be retained from the
original derivation.
In the above example, the <varname>name</varname>, <varname>src</varname>,
and <varname>patches</varname> of the derivation will be overridden, while
all other attributes will be retained from the original derivation.
</para>
<para>
@ -135,6 +135,20 @@ in ...</programlisting>
the original derivation.
</para>
<note>
<para>
A package's attributes are evaluated *before* being modified by
the <varname>overrideDerivation</varname> function.
For example, the <varname>name</varname> attribute reference
in <varname>url = "mirror://gnu/hello/${name}.tar.gz";</varname>
is filled-in *before* the <varname>overrideDerivation</varname> function
modifies the attribute set. This means that overriding the
<varname>name</varname> attribute, in this example, *will not* change the
value of the <varname>url</varname> attribute. Instead, we need to override
both the <varname>name</varname> *and* <varname>url</varname> attributes.
</para>
</note>
</section>
<section xml:id="sec-lib-makeOverridable">

21
doc/languages-frameworks/go.xml
View file

@ -86,13 +86,6 @@ the following arguments are of special significance to the function:
"rev": "a83829b6f1293c91addabc89d0571c246397bbf4",
"sha256": "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh"
}
},
{
"include": "../../libs.json", <co xml:id='ex-goDeps-4' />
"packages": [ <co xml:id='ex-goDeps-5' />
"github.com/docopt/docopt-go",
"golang.org/x/crypto",
]
}
]
</programlisting>
@ -122,20 +115,6 @@ the following arguments are of special significance to the function:
</para>
</callout>
<callout arearefs='ex-goDeps-4'>
<para>
<varname>include</varname> could be used to reuse <varname>goDeps</varname> between Go programs.
There is a common libs set in <varname>&lt;nixpkgs/pkgs/development/go-modules/libs.json&gt;</varname>
with pinned versions of many packages that you can reuse.
</para>
</callout>
<callout arearefs='ex-goDeps-5'>
<para>
<varname>packages</varname> enumerates all Go packages that will be imported from included file.
</para>
</callout>
</calloutlist>
</para>

2
doc/languages-frameworks/haskell.md
View file

@ -740,7 +740,7 @@ to the `stack.yaml` like the following:
enable: true
packages: [ zlib ]
Stack's Nix support knows to add `${zlib}/lib` and `${zlib}/include` as an
Stack's Nix support knows to add `${zlib.out}/lib` and `${zlib.dev}/include` as an
`--extra-lib-dirs` and `extra-include-dirs`, respectively. Alternatively, you
can achieve the same effect by hand. First of all, run

112
doc/languages-frameworks/python.md
View file

@ -291,8 +291,8 @@ pyfftw = buildPythonPackage rec {
# Tests cannot import pyfftw. pyfftw works fine though.
doCheck = false;
LDFLAGS="-L${pkgs.fftw}/lib -L${pkgs.fftwFloat}/lib -L${pkgs.fftwLongDouble}/lib"
CFLAGS="-I${pkgs.fftw}/include -I${pkgs.fftwFloat}/include -I${pkgs.fftwLongDouble}/include"
LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
'';
meta = {
@ -503,9 +503,12 @@ and can be used as:
The `buildPythonPackage` mainly does four things:
* In the `buildPhase`, it calls `${python.interpreter} setup.py bdist_wheel` to build a wheel binary zipfile.
* In the `buildPhase`, it calls `${python.interpreter} setup.py bdist_wheel` to
build a wheel binary zipfile.
* In the `installPhase`, it installs the wheel file using `pip install *.whl`.
* In the `postFixup` phase, the `wrapPythonPrograms` bash function is called to wrap all programs in the `$out/bin/*` directory to include `$PYTHONPATH` and `$PATH` environment variables.
* In the `postFixup` phase, the `wrapPythonPrograms` bash function is called to
wrap all programs in the `$out/bin/*` directory to include `$PATH`
environment variable and add dependent libraries to script's `sys.path`.
* In the `installCheck` phase, `${python.interpreter} setup.py test` is ran.
As in Perl, dependencies on other Python packages can be specified in the
@ -566,7 +569,7 @@ running `nix-shell` with the following `shell.nix`
with import <nixpkgs> {};
(python3.buildEnv.override {
extraLibs = with python3Packages; [ numpy requests ];
extraLibs = with python3Packages; [ numpy requests2 ];
}).env
will drop you into a shell where Python will have the
@ -605,7 +608,7 @@ attribute. The `shell.nix` file from the previous section can thus be also writt
with import <nixpkgs> {};
(python33.withPackages (ps: [ps.numpy ps.requests])).env
(python33.withPackages (ps: [ps.numpy ps.requests2])).env
In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
@ -629,7 +632,7 @@ Given a `default.nix`:
src = ./.; }
Running `nix-shell` with no arguments should give you
the environment in which the package would be build with
the environment in which the package would be built with
`nix-build`.
Shortcut to setup environments with C headers/libraries and python packages:
@ -649,6 +652,56 @@ community to help save time. No tool is preferred at the moment.
## FAQ
### How can I install a working Python environment?
As explained in the user's guide installing individual Python packages
imperatively with `nix-env -i` or declaratively in `environment.systemPackages`
is not supported. However, it is possible to install a Python environment with packages (`python.buildEnv`).
In the following examples we create an environment with Python 3.5, `numpy` and `ipython`.
As you might imagine there is one limitation here, and that's you can install
only one environment at a time. You will notice the complaints about collisions
when you try to install a second environment.
#### Environment defined in separate `.nix` file
Create a file, e.g. `build.nix`, with the following expression
```nix
with import <nixpkgs> {};
with python35Packages;
python.withPackages (ps: with ps; [ numpy ipython ])
```
and install it in your profile with
```
nix-env -if build.nix
```
Now you can use the Python interpreter, as well as the extra packages that you added to the environment.
#### Environment defined in `~/.nixpkgs/config.nix`
If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
```
packageOverrides = pkgs: with pkgs; with python35Packages; {
myEnv = python.withPackages (ps: with ps; [ numpy ipython ]);
};
```
and install it in your profile with
```
nix-env -iA nixos.blogEnv
```
Note that I'm using the attribute path here.
#### Environment defined in `/etc/nixos/configuration.nix`
For the sake of completeness, here's another example how to install the environment system-wide.
```nix
environment.systemPackages = with pkgs; [
(python35Packages.python.withPackages (ps: callPackage ../packages/common-python-packages.nix { pythonPackages = ps; }))
];
```
### How to solve circular dependencies?
Consider the packages `A` and `B` that depend on each other. When packaging `B`,
@ -662,8 +715,8 @@ Python attribute sets are created for each interpreter version. We will therefor
In the following example we change the name of the package `pandas` to `foo`.
```
newpkgs = pkgs.overridePackages(self: super: rec {
python35Packages = super.python35Packages.override {
self = python35Packages // { pandas = python35Packages.pandas.override{name="foo";};};
python35Packages = (super.python35Packages.override { self = python35Packages;})
// { pandas = super.python35Packages.pandas.override {name = "foo";};
};
});
```
@ -674,8 +727,8 @@ with import <nixpkgs> {};
(let
newpkgs = pkgs.overridePackages(self: super: rec {
python35Packages = super.python35Packages.override {
self = python35Packages // { pandas = python35Packages.pandas.override{name="foo";};};
python35Packages = (super.python35Packages.override { self = python35Packages;})
// { pandas = super.python35Packages.pandas.override {name = "foo";};
};
});
in newpkgs.python35.withPackages (ps: [ps.blaze])
@ -690,7 +743,7 @@ with import <nixpkgs> {};
newpkgs = pkgs.overridePackages(self: super: rec {
python35Packages = super.python35Packages.override {
self = python35Packages // { scipy = python35Packages.scipy_0_16;};
self = python35Packages // { scipy = python35Packages.scipy_0_17;};
};
});
in newpkgs.python35.withPackages (ps: [ps.blaze])
@ -698,6 +751,41 @@ in newpkgs.python35.withPackages (ps: [ps.blaze])
```
The requested package `blaze` depends upon `pandas` which itself depends on `scipy`.
A similar example but now using `django`
```
with import <nixpkgs> {};
(let
newpkgs = pkgs.overridePackages(self: super: rec {
python27Packages = (super.python27Packages.override {self = python27Packages;})
// { django = super.python27Packages.django_1_9; };
});
in newpkgs.python27.withPackages (ps: [ps.django_guardian ])
).env
```
### `python setup.py bdist_wheel` cannot create .whl
Executing `python setup.py bdist_wheel` in a `nix-shell `fails with
```
ValueError: ZIP does not support timestamps before 1980
```
This is because files are included that depend on items in the Nix store which have a timestamp of, that is, it corresponds to January the 1st, 1970 at 00:00:00. And as the error informs you, ZIP does not support that.
The command `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`, and `nix-shell` sets this to 1. By setting it to a value corresponding to 1980 or later, or by unsetting it, it is possible to build wheels.
Use 1980 as timestamp:
```
nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"
```
or the current time:
```
nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
```
or unset:
"""
nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
"""
### `install_data` / `data_files` problems

14
doc/old/update-upstream-data.txt
View file

@ -1,14 +0,0 @@
Semi-automatic source information updating using "update-upstream-data.sh" script and "src-{,info-}for-*.nix"
1. Recognizing when a pre-existing package uses this mechanism.
Packages using this automatical update mechanism have src-info-for-default.nix and src-for-default.nix next to default.nix. src-info-for-default.nix describes getting the freshest source from upstream web site; src-for-default.nix is a generated file with the current data about used source. Both files define a simple attrSet.
src-info-for-default.nix (for a file grabbed via http) contains at least downloadPage attribute - it is the page we need to look at to find out the latest version. It also contains baseName that is used for automatical generation of package name containing version. It can contain extra data for trickier cases.
src-for-default.nix will contain advertisedUrl (raw URL chosen on the site; its change prompts regeneration of source data), url for fetchurl, hash, version retrieved from the download URL and suggested package name.
2. Updating a package
nixpkgs/pkgs/build-support/upstream-updater directory contains some scripts. The worker script is called update-upstream-data.sh. This script requires main expression name (e.g. default.nix). It can optionally accpet a second parameter, URL which will be used instead of getting one by parsing the downloadPage (version extraction, mirror URL creation etc. will still be run). After running the script, check src-for-default.nix (or replace default.nix with expression name, if there are seceral expressions in the directory) for new version information.

256
doc/stdenv.xml
View file

@ -557,8 +557,8 @@ script) if it exists.</para>
<varlistentry>
<term><varname>configureFlags</varname></term>
<listitem><para>Additional arguments passed to the configure
script.</para></listitem>
<listitem><para>A list of strings passed as additional arguments to the
configure script.</para></listitem>
</varlistentry>
<varlistentry>
@ -658,7 +658,7 @@ nothing.</para>
<varlistentry>
<term><varname>makeFlags</varname></term>
<listitem><para>Additional flags passed to
<listitem><para>A list of strings passed as additional flags to
<command>make</command>. These flags are also used by the default
install and check phase. For setting make flags specific to the
build phase, use <varname>buildFlags</varname> (see
@ -685,7 +685,7 @@ makeFlagsArray=(CFLAGS="-O0 -g" LDFLAGS="-lfoo -lbar")
<varlistentry>
<term><varname>buildFlags</varname> / <varname>buildFlagsArray</varname></term>
<listitem><para>Additional flags passed to
<listitem><para>A list of strings passed as additional flags to
<command>make</command>. Like <varname>makeFlags</varname> and
<varname>makeFlagsArray</varname>, but only used by the build
phase.</para></listitem>
@ -753,7 +753,7 @@ doCheck = true;</programlisting>
<varlistentry>
<term><varname>checkFlags</varname> / <varname>checkFlagsArray</varname></term>
<listitem><para>Additional flags passed to
<listitem><para>A list of strings passed as additional flags to
<command>make</command>. Like <varname>makeFlags</varname> and
<varname>makeFlagsArray</varname>, but only used by the check
phase.</para></listitem>
@ -808,7 +808,7 @@ installTargets = "install-bin install-doc";</programlisting>
<varlistentry>
<term><varname>installFlags</varname> / <varname>installFlagsArray</varname></term>
<listitem><para>Additional flags passed to
<listitem><para>A list of strings passed as additional flags to
<command>make</command>. Like <varname>makeFlags</varname> and
<varname>makeFlagsArray</varname>, but only used by the install
phase.</para></listitem>
@ -1196,10 +1196,24 @@ echo @foo@
<term><function>stripHash</function>
<replaceable>path</replaceable></term>
<listitem><para>Strips the directory and hash part of a store
path, and prints (on standard output) only the name part. For
instance, <literal>stripHash
/nix/store/68afga4khv0w...-coreutils-6.12</literal> print
<literal>coreutils-6.12</literal>.</para></listitem>
path, storing the name part in the environment variable
<literal>strippedName</literal>. For example:
<programlisting>
stripHash "/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
# prints coreutils-8.24
echo $strippedName
</programlisting>
If you wish to store the result in another variable, then the
following idiom may be useful:
<programlisting>
name="/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
someVar=$(stripHash $name; echo $strippedName)
</programlisting>
</para></listitem>
</varlistentry>
@ -1305,6 +1319,25 @@ echo @foo@
<envar>GST_PLUGIN_SYSTEM_PATH</envar> environment variable.</para></listitem>
</varlistentry>
<varlistentry>
<term>paxctl</term>
<listitem><para>Defines the <varname>paxmark</varname> helper for
setting per-executable PaX flags on Linux (where it is available by
default; on all other platforms, <varname>paxmark</varname> is a no-op).
For example, to disable secure memory protections on the executable
<replaceable>foo</replaceable>:
<programlisting>
postFixup = ''
paxmark m $out/bin/<replaceable>foo</replaceable>
'';
</programlisting>
The <literal>m</literal> flag is the most common flag and is typically
required for applications that employ JIT compilation or otherwise need to
execute code generated at run-time. Disabling PaX protections should be
considered a last resort: if possible, problematic features should be
disabled or patched to work with PaX.</para></listitem>
</varlistentry>
</variablelist>
</para>
@ -1327,6 +1360,209 @@ in the default system locations.</para>
</section>
<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
<para>There are flags available to harden packages at compile or link-time.
These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
</para>
<para>The following flags are enabled by default and might require disabling
if the program to package is incompatible.
</para>
<variablelist>
<varlistentry>
<term><varname>format</varname></term>
<listitem><para>Adds the <option>-Wformat -Wformat-security
-Werror=format-security</option> compiler options. At present,
this warns about calls to <varname>printf</varname> and
<varname>scanf</varname> functions where the format string is
not a string literal and there are no format arguments, as in
<literal>printf(foo);</literal>. This may be a security hole
if the format string came from untrusted input and contains
<literal>%n</literal>.</para>
<para>This needs to be turned off or fixed for errors similar to:</para>
<programlisting>
/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
printf(help_message);
^
cc1plus: some warnings being treated as errors
</programlisting></listitem>
</varlistentry>
<varlistentry>
<term><varname>stackprotector</varname></term>
<listitem>
<para>Adds the <option>-fstack-protector-strong
--param ssp-buffer-size=4</option>
compiler options. This adds safety checks against stack overwrites
rendering many potential code injection attacks into aborting situations.
In the best case this turns code injection vulnerabilities into denial
of service or into non-issues (depending on the application).</para>
<para>This needs to be turned off or fixed for errors similar to:</para>
<programlisting>
bin/blib.a(bios_console.o): In function `bios_handle_cup':
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
</programlisting></listitem>
</varlistentry>
<varlistentry>
<term><varname>fortify</varname></term>
<listitem>
<para>Adds the <option>-O2 -D_FORTIFY_SOURCE=2</option> compiler
options. During code generation the compiler knows a great deal of
information about buffer sizes (where possible), and attempts to replace
insecure unlimited length buffer function calls with length-limited ones.
This is especially useful for old, crufty code. Additionally, format
strings in writable memory that contain '%n' are blocked. If an application
depends on such a format string, it will need to be worked around.
</para>
<para>Addtionally, some warnings are enabled which might trigger build
failures if compiler warnings are treated as errors in the package build.
In this case, set <option>NIX_CFLAGS_COMPILE</option> to
<option>-Wno-error=warning-type</option>.</para>
<para>This needs to be turned off or fixed for errors similar to:</para>
<programlisting>
malloc.c:404:15: error: return type is an incomplete type
malloc.c:410:19: error: storage size of 'ms' isn't known
</programlisting>
<programlisting>
strdup.h:22:1: error: expected identifier or '(' before '__extension__'
</programlisting>
<programlisting>
strsep.c:65:23: error: register name not specified for 'delim'
</programlisting>
<programlisting>
installwatch.c:3751:5: error: conflicting types for '__open_2'
</programlisting>
<programlisting>
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>pic</varname></term>
<listitem>
<para>Adds the <option>-fPIC</option> compiler options. This options adds
support for position independant code in shared libraries and thus making
ASLR possible.</para>
<para>Most notably, the Linux kernel, kernel modules and other code
not running in an operating system environment like boot loaders won't
build with PIC enabled. The compiler will is most cases complain that
PIC is not supported for a specific build.
</para>
<para>This needs to be turned off or fixed for assembler errors similar to:</para>
<programlisting>
ccbLfRgg.s: Assembler messages:
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>strictoverflow</varname></term>
<listitem>
<para>Signed integer overflow is undefined behaviour according to the C
standard. If it happens, it is an error in the program as it should check
for overflow before it can happen, not afterwards. GCC provides built-in
functions to perform arithmetic with overflow checking, which are correct
and faster than any custom implementation. As a workaround, the option
<option>-fno-strict-overflow</option> makes gcc behave as if signed
integer overflows were defined.
</para>
<para>This flag should not trigger any build or runtime errors.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>relro</varname></term>
<listitem>
<para>Adds the <option>-z relro</option> linker option. During program
load, several ELF memory sections need to be written to by the linker,
but can be turned read-only before turning over control to the program.
This prevents some GOT (and .dtors) overwrite attacks, but at least the
part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
</para>
<para>This flag can break dynamic shared object loading. For instance, the
module systems of Xorg and OpenCV are incompatible with this flag. In almost
all cases the <varname>bindnow</varname> flag must also be disabled and
incompatible programs typically fail with similar errors at runtime.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>bindnow</varname></term>
<listitem>
<para>Adds the <option>-z bindnow</option> linker option. During program
load, all dynamic symbols are resolved, allowing for the complete GOT to
be marked read-only (due to <varname>relro</varname>). This prevents GOT
overwrite attacks. For very large applications, this can incur some
performance loss during initial load while symbols are resolved, but this
shouldn't be an issue for daemons.
</para>
<para>This flag can break dynamic shared object loading. For instance, the
module systems of Xorg and PHP are incompatible with this flag. Programs
incompatible with this flag often fail at runtime due to missing symbols,
like:</para>
<programlisting>
intel_drv.so: undefined symbol: vgaHWFreeHWRec
</programlisting>
</listitem>
</varlistentry>
</variablelist>
<para>The following flags are disabled by default and should be enabled
for packages that take untrusted input, like network services.
</para>
<variablelist>
<varlistentry>
<term><varname>pie</varname></term>
<listitem>
<para>Adds the <option>-fPIE</option> compiler and <option>-pie</option>
linker options. Position Independent Executables are needed to take
advantage of Address Space Layout Randomization, supported by modern
kernel versions. While ASLR can already be enforced for data areas in
the stack and heap (brk and mmap), the code areas must be compiled as
position-independent. Shared libraries already do this with the
<varname>pic</varname> flag, so they gain ASLR automatically, but binary
.text regions need to be build with <varname>pie</varname> to gain ASLR.
When this happens, ROP attacks are much harder since there are no static
locations to bounce off of during a memory corruption attack.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>For more in-depth information on these hardening flags and hardening in
general, refer to the
<link xlink:href="https://wiki.debian.org/Hardening">Debian Wiki</link>,
<link xlink:href="https://wiki.ubuntu.com/Security/Features">Ubuntu Wiki</link>,
<link xlink:href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Wiki</link>,
and the <link xlink:href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">
Arch Wiki</link>.
</para>
</section>
</chapter>

1
lib/attrsets.nix
View file

@ -457,7 +457,6 @@ rec {
/*** deprecated stuff ***/
deepSeqAttrs = throw "removed 2016-02-29 because unused and broken";
zipWithNames = zipAttrsWithNames;
zip = builtins.trace
"lib.zip is deprecated, use lib.zipAttrsWith instead" zipAttrsWith;

28
lib/debug.nix
View file

@ -19,6 +19,10 @@ rec {
traceXMLVal = x: trace (builtins.toXML x) x;
traceXMLValMarked = str: x: trace (str + builtins.toXML x) x;
# strict trace functions (traced structure is fully evaluated and printed)
traceSeq = x: y: trace (builtins.deepSeq x x) y;
traceValSeq = v: traceVal (builtins.deepSeq v v);
# this can help debug your code as well - designed to not produce thousands of lines
traceShowVal = x : trace (showVal x) x;
traceShowValMarked = str: x: trace (str + showVal x) x;
@ -69,27 +73,9 @@ rec {
# usage: { testX = allTrue [ true ]; }
testAllTrue = expr : { inherit expr; expected = map (x: true) expr; };
# evaluate everything once so that errors will occur earlier
# hacky: traverse attrs by adding a dummy
# ignores functions (should this behavior change?) See strictf
#
# Note: This should be a primop! Something like seq of haskell would be nice to
# have as well. It's used fore debugging only anyway
strict = x :
let
traverse = x :
if isString x then true
else if isAttrs x then
if x ? outPath then true
else all id (mapAttrsFlatten (n: traverse) x)
else if isList x then
all id (map traverse x)
else if isBool x then true
else if isFunction x then true
else if isInt x then true
else if x == null then true
else true; # a (store) path?
in if traverse x then x else throw "else never reached";
strict = v:
trace "Warning: strict is deprecated and will be removed in the next release"
(builtins.seq v v);
# example: (traceCallXml "myfun" id 3) will output something like
# calling myfun arg 1: 3 result: 3

13
lib/licenses.nix
View file

@ -188,13 +188,24 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
fdl13 = spdx {
spdxId = "GFDL-1.3";
fullName = "GNU Free Documentation License v1.2";
fullName = "GNU Free Documentation License v1.3";
};
free = {
fullName = "Unspecified free software license";
};
g4sl = {
fullName = "Geant4 Software License";
url = https://geant4.web.cern.ch/geant4/license/LICENSE.html;
};
geogebra = {
fullName = "GeoGebra Non-Commercial License Agreement";
url = https://www.geogebra.org/license;
free = false;
};
gpl1 = spdx {
spdxId = "GPL-1.0";
fullName = "GNU General Public License v1.0 only";

90
lib/lists.nix
View file

@ -89,7 +89,7 @@ rec {
*/
flatten = x:
if isList x
then foldl' (x: y: x ++ (flatten y)) [] x
then concatMap (y: flatten y) x
else [x];
/* Remove elements equal to 'e' from a list. Useful for buildInputs.
@ -218,12 +218,12 @@ rec {
partition (x: x > 2) [ 5 1 2 3 4 ]
=> { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }
*/
partition = pred:
partition = builtins.partition or (pred:
fold (h: t:
if pred h
then { right = [h] ++ t.right; wrong = t.wrong; }
else { right = t.right; wrong = [h] ++ t.wrong; }
) { right = []; wrong = []; };
) { right = []; wrong = []; });
/* Merges two lists of the same size together. If the sizes aren't the same
the merging stops at the shortest. How both lists are merged is defined
@ -256,6 +256,86 @@ rec {
reverseList = xs:
let l = length xs; in genList (n: elemAt xs (l - n - 1)) l;
/* Depth-First Search (DFS) for lists `list != []`.
`before a b == true` means that `b` depends on `a` (there's an
edge from `b` to `a`).
Examples:
listDfs true hasPrefix [ "/home/user" "other" "/" "/home" ]
== { minimal = "/"; # minimal element
visited = [ "/home/user" ]; # seen elements (in reverse order)
rest = [ "/home" "other" ]; # everything else
}
listDfs true hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
== { cycle = "/"; # cycle encountered at this element
loops = [ "/" ]; # and continues to these elements
visited = [ "/" "/home/user" ]; # elements leading to the cycle (in reverse order)
rest = [ "/home" "other" ]; # everything else
*/
listDfs = stopOnCycles: before: list:
let
dfs' = us: visited: rest:
let
c = filter (x: before x us) visited;
b = partition (x: before x us) rest;
in if stopOnCycles && (length c > 0)
then { cycle = us; loops = c; inherit visited rest; }
else if length b.right == 0
then # nothing is before us
{ minimal = us; inherit visited rest; }
else # grab the first one before us and continue
dfs' (head b.right)
([ us ] ++ visited)
(tail b.right ++ b.wrong);
in dfs' (head list) [] (tail list);
/* Sort a list based on a partial ordering using DFS. This
implementation is O(N^2), if your ordering is linear, use `sort`
instead.
`before a b == true` means that `b` should be after `a`
in the result.
Examples:
toposort hasPrefix [ "/home/user" "other" "/" "/home" ]
== { result = [ "/" "/home" "/home/user" "other" ]; }
toposort hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
== { cycle = [ "/home/user" "/" "/" ]; # path leading to a cycle
loops = [ "/" ]; } # loops back to these elements
toposort hasPrefix [ "other" "/home/user" "/home" "/" ]
== { result = [ "other" "/" "/home" "/home/user" ]; }
toposort (a: b: a < b) [ 3 2 1 ] == { result = [ 1 2 3 ]; }
*/
toposort = before: list:
let
dfsthis = listDfs true before list;
toporest = toposort before (dfsthis.visited ++ dfsthis.rest);
in
if length list < 2
then # finish
{ result = list; }
else if dfsthis ? "cycle"
then # there's a cycle, starting from the current vertex, return it
{ cycle = reverseList ([ dfsthis.cycle ] ++ dfsthis.visited);
inherit (dfsthis) loops; }
else if toporest ? "cycle"
then # there's a cycle somewhere else in the graph, return it
toporest
# Slow, but short. Can be made a bit faster with an explicit stack.
else # there are no cycles
{ result = [ dfsthis.minimal ] ++ toporest.result; };
/* Sort a list based on a comparator function which compares two
elements and returns true if the first argument is strictly below
the second argument. The returned list is sorted in an increasing
@ -374,8 +454,4 @@ rec {
*/
subtractLists = e: filter (x: !(elem x e));
/*** deprecated stuff ***/
deepSeqList = throw "removed 2016-02-29 because unused and broken";
}

31
lib/maintainers.nix
View file

@ -15,6 +15,7 @@
adev = "Adrien Devresse <adev@adev.name>";
Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
adnelson = "Allen Nelson <ithinkican@gmail.com>";
adolfogc = "Adolfo E. García Castro <adolfo.garcia.cr@gmail.com>";
aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>";
aflatter = "Alexander Flatter <flatter@fastmail.fm>";
aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
@ -38,6 +39,7 @@
aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
arobyn = "Alexei Robyn <shados@shados.net>";
artuuge = "Artur E. Ruuge <artuuge@gmail.com>";
ashalkhakov = "Artyom Shalkhakov <artyom.shalkhakov@gmail.com>";
asppsa = "Alastair Pharo <asppsa@gmail.com>";
astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
aszlig = "aszlig <aszlig@redmoonstudios.org>";
@ -70,6 +72,7 @@
c0dehero = "CodeHero <codehero@nerdpol.ch>";
calrama = "Moritz Maxeiner <moritz@ucworks.org>";
campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
carlsverre = "Carl Sverre <accounts@carlsverre.com>";
cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
@ -78,6 +81,7 @@
chris-martin = "Chris Martin <ch.martin@gmail.com>";
chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
cko = "Christine Koppelt <christine.koppelt@gmail.com>";
cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
@ -96,6 +100,7 @@
davidak = "David Kleuker <post@davidak.de>";
davidrusu = "David Rusu <davidrusu.me@gmail.com>";
dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
dbrock = "Daniel Brockman <daniel@brockman.se>";
deepfire = "Kosyrev Serge <_deepfire@feelingofgreen.ru>";
demin-dmitriy = "Dmitriy Demin <demindf@gmail.com>";
DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
@ -107,6 +112,7 @@
dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
dochang = "Desmond O. Chang <dochang@gmail.com>";
doublec = "Chris Double <chris.double@double.co.nz>";
drets = "Dmytro Rets <dmitryrets@gmail.com>";
drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
@ -123,7 +129,7 @@
ericbmerritt = "Eric Merritt <eric@afiniate.com>";
ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
erikryb = "Erik Rybakken <erik.rybakken@math.ntnu.no>";
ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
ertes = "Ertugrul Söylemez <esz@posteo.de>";
exi = "Reno Reckling <nixos@reckling.org>";
exlevan = "Alexey Levan <exlevan@gmail.com>";
expipiplus1 = "Joe Hermaszewski <nix@monoid.al>";
@ -160,6 +166,7 @@
guibert = "David Guibert <david.guibert@gmail.com>";
havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
hce = "Hans-Christian Esperer <hc@hcesperer.org>";
henrytill = "Henry Till <henrytill@gmail.com>";
hiberno = "Christian Lask <hiberno@hiberno.net>";
hinton = "Tom Hinton <t@larkery.com>";
@ -183,6 +190,7 @@
joamaki = "Jussi Maki <joamaki@gmail.com>";
joelmo = "Joel Moberg <joel.moberg@gmail.com>";
joelteon = "Joel Taylor <me@joelt.io>";
joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
@ -229,18 +237,21 @@
markus1189 = "Markus Hauck <markus1189@gmail.com>";
markWot = "Markus Wotringer <markus@wotringer.de>";
martijnvermaat = "Martijn Vermaat <martijn@vermaat.name>";
martingms = "Martin Gammelsæter <martin@mg.am>";
matejc = "Matej Cotman <cotman.matej@gmail.com>";
mathnerd314 = "Mathnerd314 <mathnerd314.gph+hs@gmail.com>";
matthiasbeyer = "Matthias Beyer <mail@beyermatthias.de>";
maurer = "Matthew Maurer <matthew.r.maurer+nix@gmail.com>";
mbakke = "Marius Bakke <ymse@tuta.io>";
mbakke = "Marius Bakke <mbakke@fastmail.com>";
matthewbauer = "Matthew Bauer <mjbauer95@gmail.com>";
mbe = "Brandon Edens <brandonedens@gmail.com>";
mboes = "Mathieu Boespflug <mboes@tweag.net>";
mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
meditans = "Carlo Nucera <meditans@gmail.com>";
meisternu = "Matt Miemiec <meister@krutt.org>";
mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
michalrus = "Michal Rus <m@michalrus.com>";
michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
mingchuan = "Ming Chuan <ming@culpring.com>";
@ -252,7 +263,9 @@
moretea = "Maarten Hoogendoorn <maarten@moretea.nl>";
mornfall = "Petr Ročkai <me@mornfall.net>";
MostAwesomeDude = "Corbin Simpson <cds@corbinsimpson.com>";
mounium = "Katona László <muoniurn@gmail.com>";
MP2E = "Cray Elliott <MP2E@archlinux.us>";
mpscholten = "Marc Scholten <marc@mpscholten.de>";
msackman = "Matthew Sackman <matthew@wellquite.org>";
mschristiansen = "Mikkel Christiansen <mikkel@rheosystems.com>";
msteen = "Matthijs Steen <emailmatthijs@gmail.com>";
@ -260,7 +273,9 @@
mudri = "James Wood <lamudri@gmail.com>";
muflax = "Stefan Dorn <mail@muflax.com>";
myrl = "Myrl Hex <myrl.0xf@gmail.com>";
nand0p = "Fernando Jose Pando <nando@hex7.com>";
nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
Nate-Devv = "Nathan Moore <natedevv@gmail.com>";
nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
nequissimus = "Tim Steinbach <tim@nequissimus.com>";
nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
@ -274,6 +289,7 @@
odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
olcai = "Erik Timan <dev@timan.info>";
olejorgenb = "Ole Jørgen Brønner <olejorgenb@yahoo.no>";
orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
osener = "Ozan Sener <ozan@ozansener.com>";
otwieracz = "Slawomir Gonet <slawek@otwiera.cz>";
@ -302,6 +318,7 @@
pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
profpatsch = "Profpatsch <mail@profpatsch.de>";
proglodyte = "Proglodyte <proglodyte23@gmail.com>";
pshendry = "Paul Hendry <paul@pshendry.com>";
psibi = "Sibi <sibi@psibi.in>";
pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
@ -309,6 +326,8 @@
pxc = "Patrick Callahan <patrick.callahan@latitudeengineering.com>";
qknight = "Joachim Schiele <js@lastlog.de>";
ragge = "Ragnar Dahlen <r.dahlen@gmail.com>";
ralith = "Benjamin Saunders <ben.e.saunders@gmail.com>";
ramkromberg = "Ram Kromberg <ramkromberg@mail.com>";
rardiol = "Ricardo Ardissone <ricardo.ardissone@gmail.com>";
rasendubi = "Alexey Shmalko <rasen.dubi@gmail.com>";
raskin = "Michael Raskin <7c6f434c@mail.ru>";
@ -325,6 +344,7 @@
robberer = "Longrin Wischnewski <robberer@freakmail.de>";
robbinch = "Robbin C. <robbinch33@gmail.com>";
robgssp = "Rob Glossop <robgssp@gmail.com>";
roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
roconnor = "Russell O'Connor <roconnor@theorem.ca>";
romildo = "José Romildo Malaquias <malaquias@gmail.com>";
rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
@ -333,8 +353,10 @@
rvlander = "Gaëtan André <rvlander@gaetanandre.eu>";
ryanartecona = "Ryan Artecona <ryanartecona@gmail.com>";
ryantm = "Ryan Mulligan <ryan@ryantm.com>";
ryansydnor = "Ryan Sydnor <ryan.t.sydnor@gmail.com>";
rycee = "Robert Helgesson <robert@rycee.net>";
ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
@ -346,6 +368,7 @@
sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
shell = "Shell Turner <cam.turn@gmail.com>";
shlevy = "Shea Levy <shea@shealevy.com>";
siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
@ -354,6 +377,7 @@
skrzyp = "Jakub Skrzypnik <jot.skrzyp@gmail.com>";
sleexyz = "Sean Lee <freshdried@gmail.com>";
smironov = "Sergey Mironov <ierton@gmail.com>";
solson = "Scott Olson <scott@solson.me>";
spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
@ -362,6 +386,7 @@
SShrike = "Severen Redwood <severen@shrike.me>";
stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
steveej = "Stefan Junker <mail@stefanjunker.de>";
swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
swistak35 = "Rafał Łasocha <me@swistak35.com>";
szczyp = "Szczyp <qb@szczyp.com>";
sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
@ -412,10 +437,12 @@
wscott = "Wayne Scott <wsc9tt@gmail.com>";
wyvie = "Elijah Rum <elijahrum@gmail.com>";
yarr = "Dmitry V. <savraz@gmail.com>";
yurrriq = "Eric Bailey <eric@ericb.me>";
z77z = "Marco Maggesi <maggesi@math.unifi.it>";
zagy = "Christian Zagrodnick <cz@flyingcircus.io>";
zef = "Zef Hemel <zef@zef.me>";
zimbatm = "zimbatm <zimbatm@zimbatm.com>";
zohl = "Al Zohali <zohl@fmap.me>";
zoomulator = "Kim Simmons <zoomulator@gmail.com>";
amiloradovsky = "Andrew Miloradovsky <miloradovsky@gmail.com>";
}

24
lib/modules.nix
View file

@ -105,8 +105,12 @@ rec {
/* Massage a module into canonical form, that is, a set consisting
of options, config and imports attributes. */
unifyModuleSyntax = file: key: m:
let metaSet = if m ? meta
then { meta = m.meta; }
else {};
in
if m ? config || m ? options then
let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file"]; in
let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file" "meta"]; in
if badAttrs != {} then
throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by assignments to the top-level attributes `config' or `options'."
else
@ -114,14 +118,14 @@ rec {
key = toString m.key or key;
imports = m.imports or [];
options = m.options or {};
config = m.config or {};
config = mkMerge [ (m.config or {}) metaSet ];
}
else
{ file = m._file or file;
key = toString m.key or key;
imports = m.require or [] ++ m.imports or [];
options = {};
config = removeAttrs m ["key" "_file" "require" "imports"];
config = mkMerge [ (removeAttrs m ["key" "_file" "require" "imports"]) metaSet ];
};
applyIfFunction = key: f: args@{ config, options, lib, ... }: if isFunction f then
@ -503,19 +507,25 @@ rec {
/* Return a module that causes a warning to be shown if the
specified option is defined. For example,
mkRemovedOptionModule [ "boot" "loader" "grub" "bootDevice" ]
mkRemovedOptionModule [ "boot" "loader" "grub" "bootDevice" ] "<replacement instructions>"
causes a warning if the user defines boot.loader.grub.bootDevice.
replacementInstructions is a string that provides instructions on
how to achieve the same functionality without the removed option,
or alternatively a reasoning why the functionality is not needed.
replacementInstructions SHOULD be provided!
*/
mkRemovedOptionModule = optionName:
mkRemovedOptionModule = optionName: replacementInstructions:
{ options, ... }:
{ options = setAttrByPath optionName (mkOption {
visible = false;
});
config.warnings =
let opt = getAttrFromPath optionName options; in
optional opt.isDefined
"The option definition `${showOption optionName}' in ${showFiles opt.files} no longer has any effect; please remove it.";
optional opt.isDefined ''
The option definition `${showOption optionName}' in ${showFiles opt.files} no longer has any effect; please remove it.
${replacementInstructions}'';
};
/* Return a module that causes a warning to be shown if the

19
lib/sources.nix
View file

@ -20,7 +20,9 @@ rec {
lib.hasSuffix "~" baseName ||
# Filter out generates files.
lib.hasSuffix ".o" baseName ||
lib.hasSuffix ".so" baseName
lib.hasSuffix ".so" baseName ||
# Filter out nix-build result symlinks
(type == "symlink" && lib.hasPrefix "result" baseName)
);
in src: builtins.filterSource filter src;
@ -44,21 +46,22 @@ rec {
packedRefsName = toString path + "/packed-refs";
in if lib.pathExists fileName
then
let fileContent = readFile fileName;
let fileContent = lib.fileContents fileName;
# Sometimes git stores the commitId directly in the file but
# sometimes it stores something like: «ref: refs/heads/branch-name»
matchRef = match "^ref: (.*)\n$" fileContent;
matchRef = match "^ref: (.*)$" fileContent;
in if isNull matchRef
then lib.removeSuffix "\n" fileContent
then fileContent
else readCommitFromFile path (lib.head matchRef)
# Sometimes, the file isn't there at all and has been packed away in the
# packed-refs file, so we have to grep through it:
else if lib.pathExists packedRefsName
then
let packedRefs = lib.splitString "\n" (readFile packedRefsName);
matchRule = match ("^(.*) " + file + "$");
matchedRefs = lib.flatten (lib.filter (m: ! (isNull m)) (map matchRule packedRefs));
in lib.head matchedRefs
let fileContent = readFile packedRefsName;
matchRef = match (".*\n([^\n ]*) " + file + "\n.*") fileContent;
in if isNull matchRef
then throw ("Could not find " + file + " in " + packedRefsName)
else lib.head matchRef
else throw ("Not a .git directory: " + path);
in lib.flip readCommitFromFile "HEAD";
}

44
lib/strings.nix
View file

@ -156,12 +156,12 @@ rec {
hasSuffix "foo" "barfoo"
=> true
*/
hasSuffix = suff: str:
hasSuffix = suffix: content:
let
lenStr = stringLength str;
lenSuff = stringLength suff;
in lenStr >= lenSuff &&
substring (lenStr - lenSuff) lenStr str == suff;
lenContent = stringLength content;
lenSuffix = stringLength suffix;
in lenContent >= lenSuffix &&
substring (lenContent - lenSuffix) lenContent content == suffix;
/* Convert a string to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
@ -203,20 +203,19 @@ rec {
*/
escape = list: replaceChars list (map (c: "\\${c}") list);
/* Escape all characters that have special meaning in the Bourne shell.
/* Quote string to be used safely within the Bourne shell.
Example:
escapeShellArg "so([<>])me"
=> "so\\(\\[\\<\\>\\]\\)me"
escapeShellArg "esc'ape\nme"
=> "'esc'\\''ape\nme'"
*/
escapeShellArg = arg:
lib.escape (stringToCharacters "\\ ';$`()|<>\t*[]") (toString arg);
escapeShellArg = arg: "'${replaceStrings ["'"] ["'\\''"] (toString arg)}'";
/* Escape all arguments to be passed to the Bourne shell.
/* Quote all arguments to be safely passed to the Bourne shell.
Example:
escapeShellArgs ["one" "two three"]
=> "one two\\ three"
escapeShellArgs ["one" "two three" "four'five"]
=> "'one' 'two three' 'four'\\''five'"
*/
escapeShellArgs = concatMapStringsSep " " escapeShellArg;
@ -249,7 +248,7 @@ rec {
/* Converts an ASCII string to upper-case.
Example:
toLower "home"
toUpper "home"
=> "HOME"
*/
toUpper = replaceChars lowerChars upperChars;
@ -373,7 +372,12 @@ rec {
getVersion pkgs.youtube-dl
=> "2016.01.01"
*/
getVersion = x: (builtins.parseDrvName (x.name or x)).version;
getVersion = x:
let
parse = drv: (builtins.parseDrvName drv).version;
in if isString x
then parse x
else x.version or (parse x.name);
/* Extract name with version from URL. Ask for separator which is
supposed to start extension.
@ -480,4 +484,14 @@ rec {
absolutePaths = builtins.map (path: builtins.toPath (root + "/" + path)) relativePaths;
in
absolutePaths;
/* Read the contents of a file removing the trailing \n
Example:
$ echo "1.0" > ./version
fileContents ./version
=> "1.0"
*/
fileContents = file: removeSuffix "\n" (builtins.readFile file);
}

2
lib/tests/release.nix
View file

@ -1,6 +1,6 @@
{ nixpkgs }:
with import ./../.. { };
with import ../.. { };
with lib;
stdenv.mkDerivation {

23
lib/trivial.nix
View file

@ -62,14 +62,16 @@ rec {
isInt add sub lessThan
seq deepSeq genericClosure;
inherit (import ./strings.nix) fileContents;
# Return the Nixpkgs version number.
nixpkgsVersion =
let suffixFile = ../.version-suffix; in
readFile ../.version
+ (if pathExists suffixFile then readFile suffixFile else "pre-git");
fileContents ../.version
+ (if pathExists suffixFile then fileContents suffixFile else "pre-git");
# Whether we're being called by nix-shell.
inNixShell = builtins.getEnv "IN_NIX_SHELL" == "1";
inNixShell = builtins.getEnv "IN_NIX_SHELL" != "";
# Return minimum/maximum of two numbers.
min = x: y: if x < y then x else y;
@ -96,4 +98,19 @@ rec {
*/
importJSON = path:
builtins.fromJSON (builtins.readFile path);
/* See https://github.com/NixOS/nix/issues/749. Eventually we'd like these
to expand to Nix builtins that carry metadata so that Nix can filter out
the INFO messages without parsing the message string.
Usage:
{
foo = lib.warn "foo is deprecated" oldFoo;
}
TODO: figure out a clever way to integrate location information from
something like __unsafeGetAttrPos.
*/
warn = msg: builtins.trace "WARNING: ${msg}";
info = msg: builtins.trace "INFO: ${msg}";
}

19
maintainers/scripts/fetch-kde-qt.sh
View file

@ -1,9 +1,18 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p coreutils findutils gnused nix wget
SRCS=
if [ -d "$1" ]; then
SRCS="$(pwd)/$1/srcs.nix"
. "$1/fetch.sh"
else
SRCS="$(pwd)/$(dirname $1)/srcs.nix"
. "$1"
fi
tmp=$(mktemp -d)
pushd $tmp >/dev/null
wget -nH -r -c --no-parent "$@" >/dev/null
wget -nH -r -c --no-parent "${WGET_ARGS[@]}" >/dev/null
csv=$(mktemp)
find . -type f | while read src; do
@ -15,8 +24,8 @@ find . -type f | while read src; do
echo "$name,$version,$src,$filename" >>$csv
done
cat <<EOF
# DO NOT EDIT! This file is generated automatically by fetchsrcs.sh
cat >"$SRCS" <<EOF
# DO NOT EDIT! This file is generated automatically by fetch-kde-qt.sh
{ fetchurl, mirror }:
{
@ -29,7 +38,7 @@ gawk -F , "{ print \$1 }" $csv | sort | uniq | while read name; do
filename=$(gawk -F , "/^$name,$latestVersion,/ { print \$4 }" $csv)
url="${src:2}"
sha256=$(nix-hash --type sha256 --base32 --flat "$src")
cat <<EOF
cat >>"$SRCS" <<EOF
$name = {
version = "$latestVersion";
src = fetchurl {
@ -41,7 +50,7 @@ gawk -F , "{ print \$1 }" $csv | sort | uniq | while read name; do
EOF
done
echo "}"
echo "}" >>"$SRCS"
popd >/dev/null
rm -fr $tmp >/dev/null

3
maintainers/scripts/generate-kde-applications.sh
View file

@ -1,3 +0,0 @@
#!/bin/sh
./fetch-kde-qt.sh http://download.kde.org/stable/applications/16.04.2/ -A '*.tar.xz'

3
maintainers/scripts/generate-kde-frameworks.sh
View file

@ -1,3 +0,0 @@
#!/bin/sh
./fetch-kde-qt.sh http://download.kde.org/stable/frameworks/5.22/ -A '*.tar.xz'

3
maintainers/scripts/generate-kde-plasma.sh
View file

@ -1,3 +0,0 @@
#!/bin/sh
./fetch-kde-qt.sh http://download.kde.org/stable/plasma/5.6.5/ -A '*.tar.xz'

3
maintainers/scripts/generate-qt.sh
View file

@ -1,3 +0,0 @@
#!/bin/sh
./fetch-kde-qt.sh http://download.qt.io/official_releases/qt/5.6/5.6.1/submodules/ -A '*.tar.xz'

11
maintainers/scripts/nix-generate-from-cpan.pl
View file

@ -395,15 +395,20 @@ my $meta = read_meta($pkg_path);
DEBUG( "metadata: ", encode_json( $meta->as_struct ) ) if defined $meta;
my @runtime_deps = sort( uniq( get_deps( $cb, $meta, "runtime" ) ) );
INFO("runtime deps: @runtime_deps");
my @build_deps = sort( uniq(
get_deps( $cb, $meta, "configure" ),
get_deps( $cb, $meta, "build" ),
get_deps( $cb, $meta, "test" )
) );
INFO("build deps: @build_deps");
my @runtime_deps = sort( uniq( get_deps( $cb, $meta, "runtime" ) ) );
INFO("runtime deps: @runtime_deps");
# Filter out runtime dependencies since those are already handled.
my %in_runtime_deps = map { $_ => 1 } @runtime_deps;
@build_deps = grep { not $in_runtime_deps{$_} } @build_deps;
INFO("build deps: @build_deps");
my $homepage = $meta ? $meta->resources->{homepage} : undef;
INFO("homepage: $homepage") if defined $homepage;

1
maintainers/scripts/nixpkgs-lint.nix
View file

@ -18,5 +18,6 @@ stdenv.mkDerivation {
meta = {
maintainers = [ stdenv.lib.maintainers.eelco ];
description = "A utility for Nixpkgs contributors to check Nixpkgs for common errors";
platforms = stdenv.lib.platforms.unix;
};
}

110
maintainers/scripts/travis-nox-review-pr.sh
View file

@ -1,58 +1,76 @@
#! /usr/bin/env bash
set -e
export NIX_CURL_FLAGS=-sS
while test -n "$1"; do
if [[ $1 == nix ]]; then
echo "=== Installing Nix..."
# Install Nix
bash <(curl -sS https://nixos.org/nix/install)
source $HOME/.nix-profile/etc/profile.d/nix.sh
# tell Travis to use folding
echo -en "travis_fold:start:$1\r"
# Make sure we can use hydra's binary cache
sudo mkdir /etc/nix
sudo sh -c 'echo "build-max-jobs = 4" > /etc/nix/nix.conf'
case $1 in
# Verify evaluation
echo "=== Verifying that nixpkgs evaluates..."
nix-env -f. -qa --json >/dev/null
elif [[ $1 == nox ]]; then
source $HOME/.nix-profile/etc/profile.d/nix.sh
echo "=== Installing nox..."
nix-build -A nox '<nixpkgs>' --show-trace
elif [[ $1 == build ]]; then
source $HOME/.nix-profile/etc/profile.d/nix.sh
nixpkgs-verify)
echo "=== Verifying that nixpkgs evaluates..."
if [[ $TRAVIS_OS_NAME == "osx" ]]; then
echo "Skipping NixOS things on darwin"
else
# Nix builds in /tmp and we need exec support
sudo mount -o remount,exec /run
sudo mount -o remount,exec /run/user
sudo mount
nix-env --file $TRAVIS_BUILD_DIR --query --available --json > /dev/null
;;
echo "=== Checking NixOS options"
nix-build nixos/release.nix -A options --show-trace
nixos-options)
echo "=== Checking NixOS options"
echo "=== Checking tarball creation"
nix-build pkgs/top-level/release.nix -A tarball --show-trace
fi
nix-build $TRAVIS_BUILD_DIR/nixos/release.nix --attr options --show-trace
;;
if [[ $TRAVIS_PULL_REQUEST == false ]]; then
echo "=== Not a pull request"
else
echo "=== Checking PR"
nixos-manual)
echo "=== Checking NixOS manuals"
if ! nix-shell -p nox --run "nox-review pr ${TRAVIS_PULL_REQUEST}"; then
if sudo dmesg | egrep 'Out of memory|Killed process' > /tmp/oom-log; then
echo "=== The build failed due to running out of memory:"
cat /tmp/oom-log
echo "=== Please disregard the result of this Travis build."
nix-build $TRAVIS_BUILD_DIR/nixos/release.nix --attr manual --show-trace
;;
nixpkgs-manual)
echo "=== Checking nixpkgs manuals"
nix-build $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr manual --show-trace
;;
nixpkgs-tarball)
echo "=== Checking nixpkgs tarball creation"
nix-build $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr tarball --show-trace
;;
nixpkgs-lint)
echo "=== Checking nixpkgs lint"
nix-shell --packages nixpkgs-lint --run "nixpkgs-lint -f $TRAVIS_BUILD_DIR"
;;
nox)
echo "=== Fetching Nox from binary cache"
# build nox silently so it's not in the log
nix-build "<nixpkgs>" -A nox -A stdenv
;;
pr)
if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then
echo "=== No pull request found"
else
echo "=== Building pull request #$TRAVIS_PULL_REQUEST"
token=""
if [ -n "$GITHUB_TOKEN" ]; then
token="--token $GITHUB_TOKEN"
fi
nix-shell --packages nox --run "nox-review pr --slug $TRAVIS_REPO_SLUG $token $TRAVIS_PULL_REQUEST"
fi
exit 1
fi
fi
else
echo "$0: Unknown option $1" >&2
false
fi
;;
*)
echo "Skipping unknown option $1"
;;
esac
echo -en "travis_fold:end:$1\r"
shift
done

6
nixos/doc/manual/administration/imperative-containers.xml
View file

@ -7,7 +7,11 @@
<title>Imperative Container Management</title>
<para>Well cover imperative container management using
<command>nixos-container</command> first. You create a container with
<command>nixos-container</command> first.
Be aware that container management is currently only possible
as <literal>root</literal>.</para>
<para>You create a container with
identifier <literal>foo</literal> as follows:
<screen>

8
nixos/doc/manual/configuration/configuration.xml
View file

@ -24,13 +24,9 @@ effect after you run <command>nixos-rebuild</command>.</para>
<xi:include href="networking.xml" />
<xi:include href="linux-kernel.xml" />
<!-- FIXME: auto-include NixOS module docs -->
<xi:include href="postgresql.xml" />
<xi:include href="gitlab.xml" />
<xi:include href="taskserver.xml" />
<xi:include href="acme.xml" />
<xi:include href="input-methods.xml" />
<xi:include href="modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
<!-- Apache; libvirtd virtualisation -->
</part>

73
nixos/doc/manual/default.nix
View file

@ -1,27 +1,27 @@
{ pkgs, options, version, revision, extraSources ? [] }:
{ pkgs, options, config, version, revision, extraSources ? [] }:
with pkgs;
with pkgs.lib;
let
lib = pkgs.lib;
# Remove invisible and internal options.
optionsList = filter (opt: opt.visible && !opt.internal) (optionAttrSetToDocList options);
optionsList = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
# Replace functions by the string <function>
substFunction = x:
if builtins.isAttrs x then mapAttrs (name: substFunction) x
if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
else if builtins.isList x then map substFunction x
else if builtins.isFunction x then "<function>"
else x;
# Clean up declaration sites to not refer to the NixOS source tree.
optionsList' = flip map optionsList (opt: opt // {
optionsList' = lib.flip map optionsList (opt: opt // {
declarations = map stripAnyPrefixes opt.declarations;
}
// optionalAttrs (opt ? example) { example = substFunction opt.example; }
// optionalAttrs (opt ? default) { default = substFunction opt.default; }
// optionalAttrs (opt ? type) { type = substFunction opt.type; });
// lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
// lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
// lib.optionalAttrs (opt ? type) { type = substFunction opt.type; });
# We need to strip references to /nix/store/* from options,
# including any `extraSources` if some modules came from elsewhere,
@ -30,7 +30,7 @@ let
# E.g. if some `options` came from modules in ${pkgs.customModules}/nix,
# you'd need to include `extraSources = [ pkgs.customModules ]`
prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
stripAnyPrefixes = flip (fold removePrefix) prefixesToStrip;
stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) prefixesToStrip;
# Convert the list of options into an XML file.
optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList');
@ -49,17 +49,21 @@ let
-o $out ${./options-to-docbook.xsl} $optionsXML
'';
sources = sourceFilesBySuffices ./. [".xml"];
sources = lib.sourceFilesBySuffices ./. [".xml"];
modulesDoc = builtins.toFile "modules.xml" ''
<section xmlns:xi="http://www.w3.org/2001/XInclude" id="modules">
${(lib.concatMapStrings (path: ''
<xi:include href="${path}" />
'') (lib.catAttrs "value" config.meta.doc))}
</section>
'';
copySources =
''
cp -prd $sources/* . # */
chmod -R u+w .
cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml
cp ${../../modules/services/misc/gitlab.xml} configuration/gitlab.xml
cp ${../../modules/services/misc/taskserver/doc.xml} configuration/taskserver.xml
cp ${../../modules/security/acme.xml} configuration/acme.xml
cp ${../../modules/i18n/input-method/default.xml} configuration/input-methods.xml
ln -s ${modulesDoc} configuration/modules.xml
ln -s ${optionsDocBook} options-db.xml
echo "${version}" > version
'';
@ -122,7 +126,7 @@ let
<targetset>
<targetsetinfo>
Allows for cross-referencing olinks between the manpages
and the HTML/PDF manuals.
and manual.
</targetsetinfo>
<document targetdoc="manual">&manualtargets;</document>
@ -143,7 +147,7 @@ in rec {
mkdir -p $dst
cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
(listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
(builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
} $dst/options.json
mkdir -p $out/nix-support
@ -193,25 +197,42 @@ in rec {
allowedReferences = ["out"];
};
manualPDF = stdenv.mkDerivation {
name = "nixos-manual-pdf";
manualEpub = stdenv.mkDerivation {
name = "nixos-manual-epub";
inherit sources;
buildInputs = [ libxml2 libxslt dblatex dblatex.tex ];
buildInputs = [ libxml2 libxslt zip ];
buildCommand = ''
${copySources}
# Check the validity of the manual sources.
xmllint --noout --nonet --xinclude --noxincludenode \
--relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
manual.xml
# Generate the epub manual.
dst=$out/share/doc/nixos
mkdir -p $dst
xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \
-P target.database.document="${olinkDB}/olinkdb.xml" \
-P doc.collab.show=0 \
-P latex.output.revhistory=0
xsltproc \
${manualXsltprocOptions} \
--stringparam target.database.document "${olinkDB}/olinkdb.xml" \
--nonet --xinclude --output $dst/epub/ \
${docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl ./manual.xml
mkdir -p $dst/epub/OEBPS/images/callouts
cp -r ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/epub/OEBPS/images/callouts
echo "application/epub+zip" > mimetype
manual="$dst/nixos-manual.epub"
zip -0Xq "$manual" mimetype
cd $dst/epub && zip -Xr9D "$manual" *
rm -rf $dst/epub
mkdir -p $out/nix-support
echo "doc-pdf manual $dst/manual.pdf" >> $out/nix-support/hydra-build-products
echo "doc-epub manual $manual" >> $out/nix-support/hydra-build-products
'';
};

62
nixos/doc/manual/development/meta-attributes.xml Normal file
View file

@ -0,0 +1,62 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-meta-attributes">
<title>Meta Attributes</title>
<para>Like Nix packages, NixOS modules can declare meta-attributes to provide
extra information. Module meta attributes are defined in the
<filename
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/meta.nix">meta.nix</filename>
special module.</para>
<para><literal>meta</literal> is a top level attribute like
<literal>options</literal> and <literal>config</literal>. Available
meta-attributes are <literal>maintainers</literal> and
<literal>doc</literal>.</para>
<para>Each of the meta-attributes must be defined at most once per module
file.</para>
<programlisting>
{ config, lib, pkgs, ... }:
{
options = {
...
};
config = {
...
};
meta = {
maintainers = with lib.maintainers; [ ericsagnes ]; <co
xml:id='modules-meta-1' />
doc = ./default.xml; <co xml:id='modules-meta-2' />
};
}
</programlisting>
<calloutlist>
<callout arearefs='modules-meta-1'>
<para>
<varname>maintainers</varname> contains a list of the module maintainers.
</para>
</callout>
<callout arearefs='modules-meta-2'>
<para>
<varname>doc</varname> points to a valid DocBook file containing the module
documentation. Its contents is automatically added to <xref
linkend="ch-configuration"/>.
Changes to a module documentation have to be checked to not break
building the NixOS manual:
</para>
<programlisting>$ nix-build nixos/release.nix -A manual</programlisting>
</callout>
</calloutlist>
</section>

1
nixos/doc/manual/development/writing-modules.xml
View file

@ -177,5 +177,6 @@ in {
<xi:include href="option-declarations.xml" />
<xi:include href="option-def.xml" />
<xi:include href="meta-attributes.xml" />
</chapter>

89
nixos/doc/manual/installation/installing-virtualbox-guest.xml Normal file
View file

@ -0,0 +1,89 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-instaling-virtualbox-guest">
<title>Installing in a Virtualbox guest</title>
<para>
Installing NixOS into a Virtualbox guest is convenient for users who want to
try NixOS without installing it on bare metal. If you want to use a pre-made
Virtualbox appliance, it is available at <link
xlink:href="https://nixos.org/nixos/download.html">the downloads page</link>.
If you want to set up a Virtualbox guest manually, follow these instructions:
</para>
<orderedlist>
<listitem><para>Add a New Machine in Virtualbox with OS Type "Linux / Other
Linux"</para></listitem>
<listitem><para>Base Memory Size: 768 MB or higher.</para></listitem>
<listitem><para>New Hard Disk of 8 GB or higher.</para></listitem>
<listitem><para>Mount the CD-ROM with the NixOS ISO (by clicking on
CD/DVD-ROM)</para></listitem>
<listitem><para>Click on Settings / System / Processor and enable
PAE/NX</para></listitem>
<listitem><para>Click on Settings / System / Acceleration and enable
"VT-x/AMD-V" acceleration</para></listitem>
<listitem><para>Save the settings, start the virtual machine, and continue
installation like normal</para></listitem>
</orderedlist>
<para>
There are a few modifications you should make in configuration.nix. Enable
the virtualbox guest service in the main block:
</para>
<programlisting>
virtualisation.virtualbox.guest.enable = true;
</programlisting>
<para>
Enable booting:
</para>
<programlisting>
boot.loader.grub.device = "/dev/sda";
</programlisting>
<para>
Also remove the fsck that runs at startup. It will always fail to run,
stopping your boot until you press <literal>*</literal>.
</para>
<programlisting>
boot.initrd.checkJournalingFS = false;
</programlisting>
<para>
Shared folders can be given a name and a path in the host system in the
VirtualBox settings (Machine / Settings / Shared Folders, then click on the
"Add" icon). Add the following to the
<literal>/etc/nixos/configuration.nix</literal> to auto-mount them:
</para>
<programlisting>
{ config, pkgs, ...} :
{
...
fileSystems."/virtualboxshare" = {
fsType = "vboxsf";
device = "nameofthesharedfolder";
options = [ "rw" ];
};
}
</programlisting>
<para>
The folder will be available directly under the root directory.
</para>
</section>

3
nixos/doc/manual/installation/installing.xml
View file

@ -22,7 +22,7 @@
(with empty password).</para></listitem>
<listitem><para>If you downloaded the graphical ISO image, you can
run <command>start display-manager</command> to start KDE. If you
run <command>systemctl start display-manager</command> to start KDE. If you
want to continue on the terminal, you can use
<command>loadkeys</command> to switch to your preferred keyboard layout.
(We even provide neo2 via <command>loadkeys de neo</command>!)</para></listitem>
@ -271,5 +271,6 @@ drive (here <filename>/dev/sda</filename>). <xref linkend="ex-config"
<xi:include href="installing-uefi.xml" />
<xi:include href="installing-usb.xml" />
<xi:include href="installing-pxe.xml" />
<xi:include href="installing-virtualbox-guest.xml" />
</chapter>

33
nixos/doc/manual/man-nixos-install.xml
View file

@ -25,6 +25,19 @@
<arg choice='plain'><option>--root</option></arg>
<replaceable>root</replaceable>
</arg>
<arg>
<arg choice='plain'><option>--closure</option></arg>
<replaceable>closure</replaceable>
</arg>
<arg>
<arg choice='plain'><option>--no-channel-copy</option></arg>
</arg>
<arg>
<arg choice='plain'><option>--no-root-passwd</option></arg>
</arg>
<arg>
<arg choice='plain'><option>--no-bootloader</option></arg>
</arg>
<arg>
<group choice='req'>
<arg choice='plain'><option>--max-jobs</option></arg>
@ -71,12 +84,13 @@ the following steps:
<filename>/mnt/etc/nixos/configuration.nix</filename>.</para></listitem>
<listitem><para>It installs the GRUB boot loader on the device
specified in the option <option>boot.loader.grub.device</option>,
specified in the option <option>boot.loader.grub.device</option>
(unless <option>--no-bootloader</option> is specified),
and generates a GRUB configuration file that boots into the NixOS
configuration just installed.</para></listitem>
<listitem><para>It prompts you for a password for the root
account.</para></listitem>
<listitem><para>It prompts you for a password for the root account
(unless <option>--no-root-passwd</option> is specified).</para></listitem>
</itemizedlist>
@ -103,6 +117,19 @@ it.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--closure</option></term>
<listitem>
<para>If this option is provided, <command>nixos-install</command> will install the specified closure
rather than attempt to build one from <filename>/mnt/etc/nixos/configuration.nix</filename>.</para>
<para>The closure must be an appropriately configured NixOS system, with boot loader and partition
configuration that fits the target host. Such a closure is typically obtained with a command such as
<command>nix-build -I nixos-config=./configuration.nix '&lt;nixos&gt;' -A system --no-out-link</command>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-I</option></term>
<listitem>

11
nixos/doc/manual/man-nixos-rebuild.xml
View file

@ -29,7 +29,7 @@
</group>
<sbr />
<arg><option>--upgrade</option></arg>
<arg><option>--install-grub</option></arg>
<arg><option>--install-bootloader</option></arg>
<arg><option>--no-build-nix</option></arg>
<arg><option>--fast</option></arg>
<arg><option>--rollback</option></arg>
@ -212,12 +212,11 @@ $ ./result/bin/run-*-vm
</varlistentry>
<varlistentry>
<term><option>--install-grub</option></term>
<term><option>--install-bootloader</option></term>
<listitem>
<para>Causes the GRUB boot loader to be (re)installed on the
device specified by the
<varname>boot.loader.grub.device</varname> configuration
option.</para>
<para>Causes the boot loader to be (re)installed on the
device specified by the relevant configuration options.
</para>
</listitem>
</varlistentry>

97
nixos/doc/manual/man-nixos-version.xml Normal file
View file

@ -0,0 +1,97 @@
<refentry xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refmeta>
<refentrytitle><command>nixos-version</command></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="source">NixOS</refmiscinfo>
</refmeta>
<refnamediv>
<refname><command>nixos-version</command></refname>
<refpurpose>show the NixOS version</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nixos-version</command>
<arg><option>--hash</option></arg>
<arg><option>--revision</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><title>Description</title>
<para>This command shows the version of the currently active NixOS
configuration. For example:
<screen>$ nixos-version
16.03.1011.6317da4 (Emu)
</screen>
The version consists of the following elements:
<variablelist>
<varlistentry>
<term><literal>16.03</literal></term>
<listitem><para>The NixOS release, indicating the year and month
in which it was released (e.g. March 2016).</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>1011</literal></term>
<listitem><para>The number of commits in the Nixpkgs Git
repository between the start of the release branch and the commit
from which this version was built. This ensures that NixOS
versions are monotonically increasing. It is
<literal>git</literal> when the current NixOS configuration was
built from a checkout of the Nixpkgs Git repository rather than
from a NixOS channel.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>6317da4</literal></term>
<listitem><para>The first 7 characters of the commit in the
Nixpkgs Git repository from which this version was
built.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>Emu</literal></term>
<listitem><para>The code name of the NixOS release. The first
letter of the code name indicates that this is the N'th stable
NixOS release; for example, Emu is the fifth
release.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsection>
<refsection><title>Options</title>
<para>This command accepts the following options:</para>
<variablelist>
<varlistentry>
<term><option>--hash</option></term>
<term><option>--revision</option></term>
<listitem>
<para>Show the full SHA1 hash of the Git commit from which this
configuration was built, e.g.
<screen>$ nixos-version --hash
6317da40006f6bc2480c6781999c52d88dde2acf
</screen>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
</refentry>

1
nixos/doc/manual/man-pages.xml
View file

@ -27,5 +27,6 @@
<xi:include href="man-nixos-install.xml" />
<xi:include href="man-nixos-option.xml" />
<xi:include href="man-nixos-rebuild.xml" />
<xi:include href="man-nixos-version.xml" />
</reference>

35
nixos/doc/manual/release-notes/rl-1603.xml
View file

@ -385,6 +385,41 @@ services.syncthing = {
the github issue</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>services.xserver.startGnuPGAgent</literal> option has been removed.
GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
longer requires (or even supports) the "start everything as a child of the
agent" scheme we've implemented in NixOS for older versions.
To configure the gpg-agent for your X session, add the following code to
<filename>~/.bashrc</filename> or some file thats sourced when your shell is started:
<programlisting>
GPG_TTY=$(tty)
export GPG_TTY
</programlisting>
If you want to use gpg-agent for SSH, too, add the following to your session
initialization (e.g. <literal>displayManager.sessionCommands</literal>)
<programlisting>
gpg-connect-agent /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"
</programlisting>
and make sure that
<programlisting>
enable-ssh-support
</programlisting>
is included in your <filename>~/.gnupg/gpg-agent.conf</filename>.
You will need to use <command>ssh-add</command> to re-add your ssh keys.
If gpgs automatic transformation of the private keys to the new format fails,
you will need to re-import your private keyring as well:
<programlisting>
gpg --import ~/.gnupg/secring.gpg
</programlisting>
The <command>gpg-agent(1)</command> man page has more details about this subject,
i.e. in the "EXAMPLES" section.
</para>
</listitem>
</itemizedlist>

38
nixos/doc/manual/release-notes/rl-1609.xml
View file

@ -33,21 +33,53 @@ has the following highlights: </para>
following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>Shell aliases for systemd sub-commands
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
<command>start</command>, <command>stop</command>,
<command>restart</command>, <command>status</command>.</para>
</listitem>
<listitem>
<para>Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default
behavior of Redis 3.2</para>
</listitem>
<listitem>
<para>Gitlab's maintainence script gitlab-runner was removed and split up into the more clearer
gitlab-run and gitlab-rake scripts because gitlab-runner is a component of Gitlab CI.</para>
</listitem>
<listitem>
<para><literal>services.xserver.libinput.accelProfile</literal> default
changed from <literal>flat</literal> to <literal>adaptive</literal>,
as per <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
official documentation</link>.</para>
</listitem>
<listitem>
<para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
because our presets were obsolete for some time. New presets are hardcoded
into freetype; one selects a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
You can customize those presets via ordinary environment variables, using
<literal>environment.variables</literal>.</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem>
<para>todo</para>
</listitem>
<listitem><para>Revamped grsecurity/PaX support. There is now only a single
general-purpose distribution kernel and the configuration interface has been
streamlined. Desktop users should be able to simply set
<programlisting>security.grsecurity.enable = true</programlisting> to get
a reasonably secure system without having to sacrifice too much
functionality. See <xref linkend="sec-grsecurity" /> for documentation
</para></listitem>
</itemizedlist>

48
nixos/lib/make-disk-image.nix
View file

@ -12,6 +12,9 @@
# directly.
partitioned ? true
# Whether to invoke switch-to-configuration boot during image creation
, installBootLoader ? true
, # The root file system type.
fsType ? "ext4"
@ -64,40 +67,24 @@ pkgs.vmTools.runInLinuxVM (
mkdir /mnt
mount $rootDisk /mnt
# The initrd expects these directories to exist.
mkdir /mnt/dev /mnt/proc /mnt/sys
mount -o bind /proc /mnt/proc
mount -o bind /dev /mnt/dev
mount -o bind /sys /mnt/sys
# Copy all paths in the closure to the filesystem.
storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
mkdir -p /mnt/nix/store
echo "copying everything (will take a while)..."
set -f
cp -prd $storePaths /mnt/nix/store/
# Register the paths in the Nix database.
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
# Add missing size/hash fields to the database. FIXME:
# exportReferencesGraph should provide these directly.
chroot /mnt ${config.nix.package.out}/bin/nix-store --verify --check-contents
${config.nix.package.out}/bin/nix-store --verify --check-contents --option build-users-group ""
# Create the system profile to allow nixos-rebuild to work.
chroot /mnt ${config.nix.package.out}/bin/nix-env --option build-users-group "" \
-p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
# In case the bootloader tries to write to /dev/sda…
ln -s vda /dev/xvda
ln -s vda /dev/sda
# `nixos-rebuild' requires an /etc/NIXOS.
mkdir -p /mnt/etc
touch /mnt/etc/NIXOS
# `switch-to-configuration' requires a /bin/sh
mkdir -p /mnt/bin
ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh
# Install the closure onto the image
USER=root ${config.system.build.nixos-install}/bin/nixos-install \
--closure ${config.system.build.toplevel} \
--no-channel-copy \
--no-root-passwd \
${optionalString (!installBootLoader) "--no-bootloader"}
# Install a configuration.nix.
mkdir -p /mnt/etc/nixos
@ -105,12 +92,9 @@ pkgs.vmTools.runInLinuxVM (
cp ${configFile} /mnt/etc/nixos/configuration.nix
''}
# Generate the GRUB menu.
ln -s vda /dev/xvda
ln -s vda /dev/sda
chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot
# Remove /etc/machine-id so that each machine cloning this image will get its own id
rm -f /mnt/etc/machine-id
umount /mnt/proc /mnt/dev /mnt/sys
umount /mnt
# Do a fsck to make sure resize2fs works.

10
nixos/lib/testing.nix
View file

@ -29,7 +29,7 @@ rec {
cp ${./test-driver/Logger.pm} $libDir/Logger.pm
wrapProgram $out/bin/nixos-test-driver \
--prefix PATH : "${qemu_kvm}/bin:${vde2}/bin:${netpbm}/bin:${coreutils}/bin" \
--prefix PATH : "${lib.makeBinPath [ qemu_kvm vde2 netpbm coreutils ]}" \
--prefix PERL5LIB : "${with perlPackages; lib.makePerlPath [ TermReadLineGnu XMLWriter IOTty FileSlurp ]}:$out/lib/perl5/site_perl"
'';
};
@ -113,14 +113,14 @@ rec {
--add-flags "$vms" \
${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '"$testScript"' \
--set VLANS '"${toString vlans}"'
--set testScript '$testScript' \
--set VLANS '${toString vlans}'
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
wrapProgram $out/bin/nixos-run-vms \
--add-flags "$vms" \
${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
--set tests '"startAll; joinAll;"' \
--set VLANS '"${toString vlans}"' \
--set tests 'startAll; joinAll;' \
--set VLANS '${toString vlans}' \
${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
''; # "

11
nixos/lib/utils.nix
View file

@ -2,6 +2,15 @@ pkgs: with pkgs.lib;
rec {
# Check whenever fileSystem is needed for boot
fsNeededForBoot = fs: fs.neededForBoot
|| elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
# Check whenever `b` depends on `a` as a fileSystem
# FIXME: it's incorrect to simply use hasPrefix here: "/dev/a" is not a parent of "/dev/ab"
fsBefore = a: b: ((any (x: elem x [ "bind" "move" ]) b.options) && (a.mountPoint == b.device))
|| (hasPrefix a.mountPoint b.mountPoint);
# Escape a path according to the systemd rules, e.g. /dev/xyzzy
# becomes dev-xyzzy. FIXME: slow.
escapeSystemdPath = s:
@ -12,6 +21,8 @@ rec {
toShellPath = shell:
if types.shellPackage.check shell then
"/run/current-system/sw${shell.shellPath}"
else if types.package.check shell then
throw "${shell} is not a shell package"
else
shell;
}

121
nixos/maintainers/scripts/ec2/create-amis.sh
View file

@ -13,8 +13,11 @@ echo "NixOS version is $version ($major)"
rm -f ec2-amis.nix
types="hvm pv"
stores="ebs s3"
regions="eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
for type in hvm pv; do
for type in $types; do
link=$stateDir/$type
imageFile=$link/nixos.qcow2
system=x86_64-linux
@ -31,7 +34,7 @@ for type in hvm pv; do
--arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }"
fi
for store in ebs s3; do
for store in $stores; do
bucket=nixos-amis
bucketDir="$version-$type-$store"
@ -39,7 +42,7 @@ for type in hvm pv; do
prevAmi=
prevRegion=
for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
for region in $regions; do
name=nixos-$version-$arch-$type-$store
description="NixOS $system $version ($type-$store)"
@ -51,10 +54,11 @@ for type in hvm pv; do
echo "doing $name in $region..."
if [ -n "$prevAmi" ]; then
ami=$(ec2-copy-image \
ami=$(aws ec2 copy-image \
--region "$region" \
--source-region "$prevRegion" --source-ami-id "$prevAmi" \
--name "$name" --description "$description" | cut -f 2)
--source-region "$prevRegion" --source-image-id "$prevAmi" \
--name "$name" --description "$description" | json -q .ImageId)
if [ "$ami" = null ]; then break; fi
else
if [ $store = s3 ]; then
@ -85,12 +89,12 @@ for type in hvm pv; do
ec2-upload-bundle \
-m $imageDir/$type.raw.manifest.xml \
-b "$bucket/$bucketDir" \
-a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \
-a "$AWS_ACCESS_KEY_ID" -s "$AWS_SECRET_ACCESS_KEY" \
--location EU
touch $imageDir/uploaded
fi
extraFlags="$bucket/$bucketDir/$type.raw.manifest.xml"
extraFlags="--image-location $bucket/$bucketDir/$type.raw.manifest.xml"
else
@ -115,7 +119,8 @@ for type in hvm pv; do
if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then
echo "importing $vhdFile..."
taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \
-o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \
-O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" \
--region "$region" -z "${region}a" \
--bucket "$bucket" --prefix "$bucketDir/" \
| tee /dev/stderr \
@ -125,15 +130,16 @@ for type in hvm pv; do
if [ -z "$snapId" -a -z "$volId" ]; then
ec2-resume-import $vhdFile -t "$taskId" --region "$region" \
-o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY"
-O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY"
fi
# Wait for the volume creation to finish.
if [ -z "$snapId" -a -z "$volId" ]; then
echo "waiting for import to finish..."
while true; do
volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d')
if [ -n "$volId" ]; then break; fi
volId=$(aws ec2 describe-conversion-tasks --conversion-task-ids "$taskId" --region "$region" | jq -r .ConversionTasks[0].ImportVolume.Volume.Id)
if [ "$volId" != null ]; then break; fi
sleep 10
done
@ -143,22 +149,24 @@ for type in hvm pv; do
# Delete the import task.
if [ -n "$volId" -a -n "$taskId" ]; then
echo "removing import task..."
ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true
ec2-delete-disk-image -t "$taskId" --region "$region" \
-O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" || true
rm -f $stateDir/$region.$type.task-id
fi
# Create a snapshot.
if [ -z "$snapId" ]; then
echo "creating snapshot..."
snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2)
snapId=$(aws ec2 create-snapshot --volume-id "$volId" --region "$region" --description "$description" | jq -r .SnapshotId)
if [ "$snapId" = null ]; then exit 1; fi
echo -n "$snapId" > $stateDir/$region.$type.snap-id
ec2-create-tags "$snapId" -t "Name=$description" --region "$region"
fi
# Wait for the snapshot to finish.
echo "waiting for snapshot to finish..."
while true; do
status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4)
status=$(aws ec2 describe-snapshots --snapshot-ids "$snapId" --region "$region" | jq -r .Snapshots[0].State)
if [ "$status" = completed ]; then break; fi
sleep 10
done
@ -166,35 +174,50 @@ for type in hvm pv; do
# Delete the volume.
if [ -n "$volId" ]; then
echo "deleting volume..."
ec2-delete-volume "$volId" --region "$region" || true
aws ec2 delete-volume --volume-id "$volId" --region "$region" || true
rm -f $stateDir/$region.$type.vol-id
fi
extraFlags="-b /dev/sda1=$snapId:$vhdFileLogicalGigaBytes:true:gp2"
blockDeviceMappings="DeviceName=/dev/sda1,Ebs={SnapshotId=$snapId,VolumeSize=$vhdFileLogicalGigaBytes,DeleteOnTermination=true,VolumeType=gp2}"
extraFlags=""
if [ $type = pv ]; then
extraFlags+=" --root-device-name=/dev/sda1"
extraFlags+=" --root-device-name /dev/sda1"
else
extraFlags+=" --root-device-name /dev/sda1"
extraFlags+=" --sriov-net-support simple"
extraFlags+=" --ena-support"
fi
extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3"
blockDeviceMappings+=" DeviceName=/dev/sdb,VirtualName=ephemeral0"
blockDeviceMappings+=" DeviceName=/dev/sdc,VirtualName=ephemeral1"
blockDeviceMappings+=" DeviceName=/dev/sdd,VirtualName=ephemeral2"
blockDeviceMappings+=" DeviceName=/dev/sde,VirtualName=ephemeral3"
fi
if [ $type = hvm ]; then
extraFlags+=" --sriov-net-support simple"
extraFlags+=" --ena-support"
fi
# Register the AMI.
if [ $type = pv ]; then
kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
[ -n "$kernel" ]
kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
if [ "$kernel" = null ]; then break; fi
echo "using PV-GRUB kernel $kernel"
extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
else
extraFlags+=" --virtualization-type hvm"
fi
ami=$(ec2-register \
-n "$name" \
-d "$description" \
ami=$(aws ec2 register-image \
--name "$name" \
--description "$description" \
--region "$region" \
--architecture "$arch" \
$extraFlags | cut -f 2)
--block-device-mappings $blockDeviceMappings \
$extraFlags | jq -r .ImageId)
if [ "$ami" = null ]; then break; fi
fi
echo -n "$ami" > $amiFile
@ -204,23 +227,45 @@ for type in hvm pv; do
ami=$(cat $amiFile)
fi
if [ -z "$NO_WAIT" -o -z "$prevAmi" ]; then
echo "waiting for AMI..."
while true; do
status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5)
if [ "$status" = available ]; then break; fi
sleep 10
done
ec2-modify-image-attribute \
--region "$region" "$ami" -l -a all
fi
echo "region = $region, type = $type, store = $store, ami = $ami"
if [ -z "$prevAmi" ]; then
prevAmi="$ami"
prevRegion="$region"
fi
done
done
done
for type in $types; do
link=$stateDir/$type
system=x86_64-linux
arch=x86_64
for store in $stores; do
for region in $regions; do
name=nixos-$version-$arch-$type-$store
amiFile=$stateDir/$region.$type.$store.ami-id
ami=$(cat $amiFile)
echo "region = $region, type = $type, store = $store, ami = $ami"
echo -n "waiting for AMI..."
while true; do
status=$(aws ec2 describe-images --image-ids "$ami" --region "$region" | jq -r .Images[0].State)
if [ "$status" = available ]; then break; fi
sleep 10
echo -n '.'
done
echo
# Make the image public.
aws ec2 modify-image-attribute \
--image-id "$ami" --region "$region" --launch-permission 'Add={Group=all}'
echo " \"$major\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
done

203
nixos/modules/config/fonts/fontconfig-ultimate.nix
View file

@ -3,6 +3,95 @@
with lib;
let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
cfg = config.fonts.fontconfig.ultimate;
latestVersion = pkgs.fontconfig.configVersion;
# fontconfig ultimate main configuration file
# priority 52
fontconfigUltimateConf = pkgs.writeText "fc-52-fontconfig-ultimate.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
${optionalString (!cfg.allowBitmaps) ''
<!-- Reject bitmap fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="scalable"><bool>false</bool></patelt>
</pattern>
</rejectfont>
</selectfont>
''}
${optionalString cfg.allowType1 ''
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat">
<string>Type 1</string>
</patelt>
</pattern>
</rejectfont>
</selectfont>
''}
<!-- Use embedded bitmaps in fonts like Calibri? -->
<match target="font">
<edit name="embeddedbitmap" mode="assign">
${fcBool cfg.useEmbeddedBitmaps}
</edit>
</match>
<!-- Force autohint always -->
<match target="font">
<edit name="force_autohint" mode="assign">
${fcBool cfg.forceAutohint}
</edit>
</match>
<!-- Render some monospace TTF fonts as bitmaps -->
<match target="pattern">
<edit name="bitmap_monospace" mode="assign">
${fcBool cfg.renderMonoTTFAsBitmap}
</edit>
</match>
</fontconfig>
'';
# The configuration to be included in /etc/font/
confPkg = pkgs.runCommand "font-ultimate-conf" {} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
# 52-fontconfig-ultimate.conf
ln -s ${fontconfigUltimateConf} \
$support_folder/52-fontconfig-ultimate.conf
ln -s ${fontconfigUltimateConf} \
$latest_folder/52-fontconfig-ultimate.conf
# fontconfig ultimate substitutions
${optionalString (cfg.substitutions != "none") ''
ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
$latest_folder
''}
# fontconfig ultimate various configuration files
ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
'';
in
{
@ -64,9 +153,7 @@ in
};
substitutions = mkOption {
type = types.str // {
check = flip elem ["none" "free" "combi" "ms"];
};
type = types.nullOr (types.enum ["free" "combi" "ms"]);
default = "free";
description = ''
Font substitutions to replace common Type 1 fonts with nicer
@ -77,35 +164,12 @@ in
'';
};
rendering = mkOption {
type = types.attrs;
default = pkgs.fontconfig-ultimate.rendering.ultimate;
preset = mkOption {
type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"];
default = "ultimate3";
description = ''
FreeType rendering settings presets. The default is
<literal>pkgs.fontconfig-ultimate.rendering.ultimate</literal>.
The other available styles are:
<literal>ultimate-lighter</literal>,
<literal>ultimate-darker</literal>,
<literal>ultimate-lightest</literal>,
<literal>ultimate-darkest</literal>,
<literal>default</literal> (the original Infinality default),
<literal>osx</literal>,
<literal>ipad</literal>,
<literal>ubuntu</literal>,
<literal>linux</literal>,
<literal>winxplight</literal>,
<literal>win7light</literal>,
<literal>winxp</literal>,
<literal>win7</literal>,
<literal>vanilla</literal>,
<literal>classic</literal>,
<literal>nudge</literal>,
<literal>push</literal>,
<literal>shove</literal>,
<literal>sharpened</literal>,
<literal>infinality</literal>. Any of the presets may be
customized by editing the attributes. To disable, set this option
to the empty attribute set <literal>{}</literal>.
FreeType rendering settings preset. Any of the presets may be
customized by setting environment variables.
'';
};
};
@ -114,80 +178,11 @@ in
};
config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
config =
let ultimate = config.fonts.fontconfig.ultimate;
fontconfigUltimateConf = ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
fonts.fontconfig.confPackages = [ confPkg ];
environment.variables."INFINALITY_FT" = cfg.preset;
${optionalString (!ultimate.allowBitmaps) ''
<!-- Reject bitmap fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="scalable"><bool>false</bool></patelt>
</pattern>
</rejectfont>
</selectfont>
''}
${optionalString ultimate.allowType1 ''
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat">
<string>Type 1</string>
</patelt>
</pattern>
</rejectfont>
</selectfont>
''}
<!-- Use embedded bitmaps in fonts like Calibri? -->
<match target="font">
<edit name="embeddedbitmap" mode="assign">
${fcBool ultimate.useEmbeddedBitmaps}
</edit>
</match>
<!-- Force autohint always -->
<match target="font">
<edit name="force_autohint" mode="assign">
${fcBool ultimate.forceAutohint}
</edit>
</match>
<!-- Render some monospace TTF fonts as bitmaps -->
<match target="pattern">
<edit name="bitmap_monospace" mode="assign">
${fcBool ultimate.renderMonoTTFAsBitmap}
</edit>
</match>
${optionalString (ultimate.substitutions != "none") ''
<!-- Type 1 font substitutions -->
<include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/presets/${ultimate.substitutions}</include>
''}
<include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/conf.d</include>
</fontconfig>
'';
in mkIf (config.fonts.fontconfig.enable && ultimate.enable) {
environment.etc."fonts/conf.d/52-fontconfig-ultimate.conf" = {
text = fontconfigUltimateConf;
};
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/52-fontconfig-ultimate.conf" = {
text = fontconfigUltimateConf;
};
environment.variables = ultimate.rendering;
};
};
}

353
nixos/modules/config/fonts/fontconfig.nix
View file

@ -1,7 +1,207 @@
/*
NixOS support 2 fontconfig versions, "support" and "latest".
- "latest" refers to default fontconfig package (pkgs.fontconfig).
configuration files are linked to /etc/fonts/VERSION/conf.d/
- "support" refers to supportPkg (pkgs."fontconfig_${supportVersion}").
configuration files are linked to /etc/fonts/conf.d/
This module generates a package containing configuration files and link it in /etc/fonts.
Fontconfig reads files in folder name / file name order, so the number prepended to the configuration file name decide the order of parsing.
Low number means high priority.
*/
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
# back-supported fontconfig version and package
# version is used for font cache generation
supportVersion = "210";
supportPkg = pkgs."fontconfig_${supportVersion}";
# latest fontconfig version and package
# version is used for configuration folder name, /etc/fonts/VERSION/
# note: format differs from supportVersion and can not be used with makeCacheConf
latestVersion = pkgs.fontconfig.configVersion;
latestPkg = pkgs.fontconfig;
# supported version fonts.conf
supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
# configuration file to read fontconfig cache
# version dependent
# priority 0
cacheConfSupport = makeCacheConf { version = supportVersion; };
cacheConfLatest = makeCacheConf {};
# generate the font cache setting file for a fontconfig version
# use latest when no version is passed
makeCacheConf = { version ? null }:
let
fcPackage = if builtins.isNull version
then "fontconfig"
else "fontconfig_${version}";
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
cache = makeCache pkgs."${fcPackage}";
cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}";
in
pkgs.writeText "fc-00-nixos-cache.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Font directories -->
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
<!-- Pre-generated font caches -->
<cachedir>${cache}</cachedir>
${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
<cachedir>${cache32}</cachedir>
''}
</fontconfig>
'';
# rendering settings configuration file
# priority 10
renderConf = pkgs.writeText "fc-10-nixos-rendering.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="font">
<edit mode="assign" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="assign" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="assign" name="hintstyle">
<const>hint${cfg.hinting.style}</const>
</edit>
<edit mode="assign" name="antialias">
${fcBool cfg.antialias}
</edit>
<edit mode="assign" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="assign" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
${optionalString (cfg.dpi != 0) ''
<match target="pattern">
<edit name="dpi" mode="assign">
<double>${toString cfg.dpi}</double>
</edit>
</match>
''}
</fontconfig>
'';
# local configuration file
# priority 51
localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
# default fonts configuration file
# priority 52
defaultFontsConf =
let genDefault = fonts: name:
optionalString (fonts != []) ''
<alias>
<family>${name}</family>
<prefer>
${concatStringsSep ""
(map (font: ''
<family>${font}</family>
'') fonts)}
</prefer>
</alias>
'';
in
pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default fonts -->
${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
${genDefault cfg.defaultFonts.serif "serif"}
${genDefault cfg.defaultFonts.monospace "monospace"}
</fontconfig>
'';
# fontconfig configuration package
confPkg = pkgs.runCommand "fontconfig-conf" {} ''
support_folder=$out/etc/fonts
latest_folder=$out/etc/fonts/${latestVersion}
mkdir -p $support_folder/conf.d
mkdir -p $latest_folder/conf.d
# fonts.conf
ln -s ${supportFontsConf} $support_folder/fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/fonts.conf
# fontconfig default config files
ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
$support_folder/conf.d/
ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \
$latest_folder/conf.d/
# update latest 51-local.conf path to look at the latest local.conf
rm $latest_folder/conf.d/51-local.conf
substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
$latest_folder/conf.d/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
# 00-nixos-cache.conf
ln -s ${cacheConfSupport} \
$support_folder/conf.d/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/conf.d/00-nixos-cache.conf
# 10-nixos-rendering.conf
ln -s ${renderConf} $support_folder/conf.d/10-nixos-rendering.conf
ln -s ${renderConf} $latest_folder/conf.d/10-nixos-rendering.conf
# 50-user.conf
${optionalString (! cfg.includeUserConf) ''
rm $support_folder/conf.d/50-user.conf
rm $latest_folder/conf.d/50-user.conf
''}
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
ln -s ${localConf} $support_folder/local.conf
ln -s ${localConf} $latest_folder/local.conf
''}
# 52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf
'';
# Package with configuration files
# this merge all the packages in the fonts.fontconfig.confPackages list
fontconfigEtc = pkgs.buildEnv {
name = "fontconfig-etc";
paths = cfg.confPackages;
ignoreCollisions = true;
};
in
{
options = {
@ -21,6 +221,15 @@ with lib;
'';
};
confPackages = mkOption {
internal = true;
type = with types; listOf path;
default = [ ];
description = ''
Fontconfig configuration packages.
'';
};
antialias = mkOption {
type = types.bool;
default = true;
@ -36,6 +245,15 @@ with lib;
'';
};
localConf = mkOption {
type = types.lines;
default = "";
description = ''
System-wide customization file contents, has higher priority than
<literal>defaultFonts</literal> settings.
'';
};
defaultFonts = {
monospace = mkOption {
type = types.listOf types.str;
@ -142,136 +360,11 @@ with lib;
};
};
config = mkIf cfg.enable {
fonts.fontconfig.confPackages = [ confPkg ];
config =
let fontconfig = config.fonts.fontconfig;
fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
renderConf = ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="font">
<edit mode="assign" name="hinting">
${fcBool fontconfig.hinting.enable}
</edit>
<edit mode="assign" name="autohint">
${fcBool fontconfig.hinting.autohint}
</edit>
<edit mode="assign" name="hintstyle">
<const>hint${fontconfig.hinting.style}</const>
</edit>
<edit mode="assign" name="antialias">
${fcBool fontconfig.antialias}
</edit>
<edit mode="assign" name="rgba">
<const>${fontconfig.subpixel.rgba}</const>
</edit>
<edit mode="assign" name="lcdfilter">
<const>lcd${fontconfig.subpixel.lcdfilter}</const>
</edit>
</match>
${optionalString (fontconfig.dpi != 0) ''
<match target="pattern">
<edit name="dpi" mode="assign">
<double>${toString fontconfig.dpi}</double>
</edit>
</match>
''}
</fontconfig>
'';
genericAliasConf = ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default fonts -->
${optionalString (fontconfig.defaultFonts.sansSerif != []) ''
<alias>
<family>sans-serif</family>
<prefer>
${concatStringsSep "\n"
(map (font: "<family>${font}</family>")
fontconfig.defaultFonts.sansSerif)}
</prefer>
</alias>
''}
${optionalString (fontconfig.defaultFonts.serif != []) ''
<alias>
<family>serif</family>
<prefer>
${concatStringsSep "\n"
(map (font: "<family>${font}</family>")
fontconfig.defaultFonts.serif)}
</prefer>
</alias>
''}
${optionalString (fontconfig.defaultFonts.monospace != []) ''
<alias>
<family>monospace</family>
<prefer>
${concatStringsSep "\n"
(map (font: "<family>${font}</family>")
fontconfig.defaultFonts.monospace)}
</prefer>
</alias>
''}
</fontconfig>
'';
in mkIf fontconfig.enable {
# Fontconfig 2.10 backward compatibility
# Bring in the default (upstream) fontconfig configuration, only for fontconfig 2.10
environment.etc."fonts/fonts.conf".source =
pkgs.makeFontsConf { fontconfig = pkgs.fontconfig_210; fontDirectories = config.fonts.fonts; };
environment.etc."fonts/conf.d/10-nixos-rendering.conf".text = renderConf;
environment.etc."fonts/conf.d/60-nixos-generic-alias.conf".text = genericAliasConf;
# Versioned fontconfig > 2.10. Take shared fonts.conf from fontconfig.
# Otherwise specify only font directories.
environment.etc."fonts/${pkgs.fontconfig.configVersion}/fonts.conf".source =
"${pkgs.fontconfig.out}/etc/fonts/fonts.conf";
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
let
cache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
in ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Font directories -->
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
<!-- Pre-generated font caches -->
<cachedir>${cache pkgs.fontconfig}</cachedir>
${optionalString (pkgs.stdenv.isx86_64 && config.fonts.fontconfig.cache32Bit) ''
<cachedir>${cache pkgs.pkgsi686Linux.fontconfig}</cachedir>
''}
</fontconfig>
'';
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/10-nixos-rendering.conf".text = renderConf;
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/60-nixos-generic-alias.conf".text = genericAliasConf;
environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/99-user.conf" = {
enable = fontconfig.includeUserConf;
text = ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
<include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
</fontconfig>
'';
};
environment.systemPackages = [ pkgs.fontconfig ];
};
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
};
}

1
nixos/modules/config/gnu.nix
View file

@ -37,6 +37,7 @@ with lib;
services.openssh.enable = false;
services.lshd.enable = true;
programs.ssh.startAgent = false;
services.xserver.startGnuPGAgent = true;
# TODO: GNU dico.
# TODO: GNU Inetutils' inetd.

9
nixos/modules/config/i18n.nix
View file

@ -41,6 +41,15 @@ in
'';
};
consolePackages = mkOption {
type = types.listOf types.package;
default = with pkgs.kbdKeymaps; [ dvp neo ];
description = ''
List of additional packages that provide console fonts, keymaps and
other resources.
'';
};
consoleFont = mkOption {
type = types.str;
default = "Lat2-Terminus16";

12
nixos/modules/config/ldap.nix
View file

@ -62,6 +62,18 @@ in
description = "Whether to enable authentication against an LDAP server.";
};
loginPam = mkOption {
type = types.bool;
default = true;
description = "Whether to include authentication against LDAP in login PAM";
};
nsswitch = mkOption {
type = types.bool;
default = true;
description = "Whether to include lookup against LDAP in NSS";
};
server = mkOption {
example = "ldap://ldap.example.org/";
description = "The URL of the LDAP server.";

2
nixos/modules/config/nsswitch.nix
View file

@ -8,7 +8,7 @@ let
inherit (config.services.avahi) nssmdns;
inherit (config.services.samba) nsswins;
ldap = config.users.ldap.enable;
ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
in

99
nixos/modules/config/pulseaudio.nix
View file

@ -9,11 +9,36 @@ let
systemWide = cfg.enable && cfg.systemWide;
nonSystemWide = cfg.enable && !cfg.systemWide;
hasZeroconf = let z = cfg.zeroconf; in z.publish.enable || z.discovery.enable;
overriddenPackage = cfg.package.override
(optionalAttrs hasZeroconf { zeroconfSupport = true; });
binary = "${getBin overriddenPackage}/bin/pulseaudio";
binaryNoDaemon = "${binary} --daemonize=no";
# Forces 32bit pulseaudio and alsaPlugins to be built/supported for apps
# using 32bit alsa on 64bit linux.
enable32BitAlsaPlugins = cfg.support32Bit && stdenv.isx86_64 && (pkgs_i686.alsaLib != null && pkgs_i686.libpulseaudio != null);
myConfigFile =
let
addModuleIf = cond: mod: optionalString cond "load-module ${mod}";
allAnon = optional cfg.tcp.anonymousClients.allowAll "auth-anonymous=1";
ipAnon = let a = cfg.tcp.anonymousClients.allowedIpRanges;
in optional (a != []) ''auth-ip-acl=${concatStringsSep ";" a}'';
in writeTextFile {
name = "default.pa";
text = ''
.include ${cfg.configFile}
${addModuleIf cfg.zeroconf.publish.enable "module-zeroconf-publish"}
${addModuleIf cfg.zeroconf.discovery.enable "module-zeroconf-discover"}
${addModuleIf cfg.tcp.enable (concatStringsSep " "
([ "module-native-protocol-tcp" ] ++ allAnon ++ ipAnon))}
${cfg.extraConfig}
'';
};
ids = config.ids;
uid = ids.uids.pulseaudio;
@ -26,7 +51,8 @@ let
# are built with PulseAudio support (like KDE).
clientConf = writeText "client.conf" ''
autospawn=${if nonSystemWide then "yes" else "no"}
${optionalString nonSystemWide "daemon-binary=${cfg.package.out}/bin/pulseaudio"}
${optionalString nonSystemWide "daemon-binary=${binary}"}
${cfg.extraClientConf}
'';
# Write an /etc/asound.conf that causes all ALSA applications to
@ -43,7 +69,7 @@ let
hint.description "Default Audio Device (via PulseAudio)"
}
ctl_type.pulse {
libs.native = ${alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;
${lib.optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;"}
}
@ -88,14 +114,31 @@ in {
};
configFile = mkOption {
type = types.path;
type = types.nullOr types.path;
description = ''
The path to the configuration the PulseAudio server
The path to the default configuration options the PulseAudio server
should use. By default, the "default.pa" configuration
from the PulseAudio distribution is used.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Literal string to append to <literal>configFile</literal>
and the config file generated by the pulseaudio module.
'';
};
extraClientConf = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration appended to pulse/client.conf file.
'';
};
package = mkOption {
type = types.package;
default = pulseaudioLight;
@ -118,6 +161,31 @@ in {
'';
};
};
zeroconf = {
discovery.enable =
mkEnableOption "discovery of pulseaudio sinks in the local network";
publish.enable =
mkEnableOption "publishing the pulseaudio sink in the local network";
};
# TODO: enable by default?
tcp = {
enable = mkEnableOption "tcp streaming support";
anonymousClients = {
allowAll = mkEnableOption "all anonymous clients to stream to the server";
allowedIpRanges = mkOption {
type = types.listOf types.str;
default = [];
example = literalExample ''[ "127.0.0.1" "192.168.1.0/24" ]'';
description = ''
A list of IP subnets that are allowed to stream to the server.
'';
};
};
};
};
};
@ -130,11 +198,11 @@ in {
source = clientConf;
};
hardware.pulseaudio.configFile = mkDefault "${getBin cfg.package}/etc/pulse/default.pa";
hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa";
}
(mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.systemPackages = [ overriddenPackage ];
environment.etc = singleton {
target = "asound.conf";
@ -143,12 +211,21 @@ in {
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;
})
(mkIf hasZeroconf {
services.avahi.enable = true;
})
(mkIf cfg.zeroconf.publish.enable {
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
})
(mkIf nonSystemWide {
environment.etc = singleton {
target = "pulse/default.pa";
source = cfg.configFile;
source = myConfigFile;
};
systemd.user = {
@ -158,9 +235,12 @@ in {
wantedBy = [ "default.target" ];
serviceConfig = {
Type = "notify";
ExecStart = "${getBin cfg.package}/bin/pulseaudio --daemonize=no";
ExecStart = binaryNoDaemon;
Restart = "on-failure";
RestartSec = "500ms";
};
environment = { DISPLAY = ":${toString config.services.xserver.display}"; };
restartIfChanged = true;
};
sockets.pulseaudio = {
@ -195,8 +275,9 @@ in {
environment.PULSE_RUNTIME_PATH = stateDir;
serviceConfig = {
Type = "notify";
ExecStart = "${getBin cfg.package}/bin/pulseaudio --daemonize=no --log-level=${cfg.daemon.logLevel} --system -n --file=${cfg.configFile}";
ExecStart = "${binaryNoDaemon} --log-level=${cfg.daemon.logLevel} --system -n --file=${myConfigFile}";
Restart = "on-failure";
RestartSec = "500ms";
};
};
})

9
nixos/modules/config/swap.nix
View file

@ -30,8 +30,7 @@ let
description = ''
If this option is set, device is interpreted as the
path of a swapfile that will be created automatically
with the indicated size (in megabytes) if it doesn't
exist.
with the indicated size (in megabytes).
'';
};
@ -132,9 +131,13 @@ in
script =
''
${optionalString (sw.size != null) ''
if [ ! -e "${sw.device}" ]; then
currentSize=$(( $(stat -c "%s" "${sw.device}" 2>/dev/null || echo 0) / 1024 / 1024 ))
if [ "${toString sw.size}" != "$currentSize" ]; then
fallocate -l ${toString sw.size}M "${sw.device}" ||
dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
if [ "${toString sw.size}" -lt "$currentSize" ]; then
truncate --size "${toString sw.size}M" "${sw.device}"
fi
chmod 0600 ${sw.device}
${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
fi

1
nixos/modules/config/system-path.nix
View file

@ -34,7 +34,6 @@ let
config.programs.ssh.package
pkgs.perl
pkgs.procps
pkgs.rsync
pkgs.strace
pkgs.su
pkgs.time

8
nixos/modules/config/update-users-groups.pl
View file

@ -52,8 +52,8 @@ foreach my $g (@{$spec->{groups}}) {
$gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
}
foreach my $u (@{$spec->{groups}}) {
$uidsUsed{$u->{u}} = 1 if defined $u->{uid};
foreach my $u (@{$spec->{users}}) {
$uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
}
# Read the current /etc/group.
@ -103,7 +103,7 @@ foreach my $g (@{$spec->{groups}}) {
if (defined $existing) {
$g->{gid} = $existing->{gid} if !defined $g->{gid};
if ($g->{gid} != $existing->{gid}) {
warn "warning: not applying GID change of group $name\n";
warn "warning: not applying GID change of group $name ($existing->{gid} -> $g->{gid})\n";
$g->{gid} = $existing->{gid};
}
$g->{password} = $existing->{password}; # do we want this?
@ -163,7 +163,7 @@ foreach my $u (@{$spec->{users}}) {
if (defined $existing) {
$u->{uid} = $existing->{uid} if !defined $u->{uid};
if ($u->{uid} != $existing->{uid}) {
warn "warning: not applying UID change of user $name\n";
warn "warning: not applying UID change of user $name ($existing->{uid} -> $u->{uid})\n";
$u->{uid} = $existing->{uid};
}
} else {

8
nixos/modules/config/users-groups.nix
View file

@ -121,7 +121,13 @@ let
default = pkgs.nologin;
defaultText = "pkgs.nologin";
example = literalExample "pkgs.bashInteractive";
description = "The path to the user's shell.";
description = ''
The path to the user's shell. Can use shell derivations,
like <literal>pkgs.bashInteractive</literal>. Dont
forget to enable your shell in
<literal>programs</literal> if necessary,
like <code>programs.zsh.enable = true;</code>.
'';
};
subUidRanges = mkOption {

2
nixos/modules/config/zram.nix
View file

@ -8,7 +8,7 @@ let
devices = map (nr: "zram${toString nr}") (range 0 (cfg.numDevices - 1));
modprobe = "${config.system.sbin.modprobe}/sbin/modprobe";
modprobe = "${pkgs.kmod}/bin/modprobe";
in

9
nixos/modules/hardware/video/amdgpu.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, lib, ... }:
with lib;
{
config = mkIf (elem "amdgpu" config.services.xserver.videoDrivers) {
boot.blacklistedKernelModules = [ "radeon" ];
};
}

1
nixos/modules/hardware/video/bumblebee.nix
View file

@ -75,7 +75,6 @@ in
serviceConfig = {
ExecStart = "${bumblebee}/bin/bumblebeed --use-syslog -g ${cfg.group} --driver ${cfg.driver}";
};
environment.MODULE_DIR="/run/current-system/kernel-modules/lib/modules/";
};
};
}

1
nixos/modules/hardware/video/webcam/facetimehd.nix
View file

@ -36,7 +36,6 @@ in
# and load it back on resume
powerManagement.resumeCommands = ''
export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
${pkgs.kmod}/bin/modprobe -v facetimehd
'';

5
nixos/modules/i18n/input-method/default.nix
View file

@ -62,4 +62,9 @@ in
environment.systemPackages = [ cfg.package gtk2_cache gtk3_cache ];
};
meta = {
maintainers = with lib.maintainers; [ ericsagnes ];
doc = ./default.xml;
};
}

2
nixos/modules/i18n/input-method/default.xml
View file

@ -88,6 +88,8 @@ i18n.inputMethod = {
methods among Traditional Chinese Unix users.</para></listitem>
<listitem><para>Hangul (<literal>fcitx-engines.hangul</literal>): Korean input
method.</para></listitem>
<listitem><para>Unikey (<literal>fcitx-engines.unikey</literal>): Vietnamese input
method.</para></listitem>
<listitem><para>m17n (<literal>fcitx-engines.m17n</literal>): m17n is an input
method that uses input methods and corresponding icons in the m17n
database.</para></listitem>

2
nixos/modules/i18n/input-method/fcitx.nix
View file

@ -4,7 +4,7 @@ with lib;
let
cfg = config.i18n.inputMethod.fcitx;
fcitxPackage = pkgs.fcitx-with-plugins.override { plugins = cfg.engines; };
fcitxPackage = pkgs.fcitx.override { plugins = cfg.engines; };
fcitxEngine = types.package // {
name = "fcitx-engine";
check = x: (lib.types.package.check x) && (attrByPath ["meta" "isFcitxEngine"] false x);

25
nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
View file

@ -19,18 +19,37 @@ in
"it cannot be cross compiled";
};
# Needed by RPi firmware
nixpkgs.config.allowUnfree = true;
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
boot.consoleLogLevel = 7;
# FIXME: this probably should be in installation-device.nix
users.extraUsers.root.initialHashedPassword = "";
sdImage = {
populateBootCommands = ''
populateBootCommands = let
configTxt = pkgs.writeText "config.txt" ''
[pi2]
kernel=u-boot-rpi2.bin
[pi3]
kernel=u-boot-rpi3.bin
enable_uart=1
'';
in ''
for f in bootcode.bin fixup.dat start.elf; do
cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
done
cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin
cp ${pkgs.ubootRaspberryPi3}/u-boot.bin boot/u-boot-rpi3.bin
cp ${configTxt} boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot
'';
'';
};
}

1
nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
View file

@ -26,6 +26,7 @@ in
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_rpi;
boot.consoleLogLevel = 7;
# FIXME: this probably should be in installation-device.nix
users.extraUsers.root.initialHashedPassword = "";

85
nixos/modules/installer/tools/nixos-install.sh
View file

@ -24,6 +24,7 @@ fi
# Parse the command line for the -I flag
extraBuildFlags=()
chrootCommand=(/run/current-system/sw/bin/bash)
buildUsersGroup="nixbld"
while [ "$#" -gt 0 ]; do
i="$1"; shift 1
@ -40,6 +41,19 @@ while [ "$#" -gt 0 ]; do
--root)
mountPoint="$1"; shift 1
;;
--closure)
closure="$1"; shift 1
buildUsersGroup=""
;;
--no-channel-copy)
noChannelCopy=1
;;
--no-root-passwd)
noRootPasswd=1
;;
--no-bootloader)
noBootLoader=1
;;
--show-trace)
extraBuildFlags+=("$i")
;;
@ -88,15 +102,13 @@ mount -t tmpfs -o "mode=0755" none $mountPoint/run
mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
rm -rf $mountPoint/var/run
ln -s /run $mountPoint/var/run
rm -f $mountPoint/etc/{resolv.conf,hosts}
cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
for f in /etc/passwd /etc/group; do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done
if [ -e "$SSL_CERT_FILE" ]; then
cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
export SSL_CERT_FILE=/tmp/ca-cert.crt
# For Nix 1.7
export CURL_CA_BUNDLE=/tmp/ca-cert.crt
fi
cp -Lf "@cacert@" "$mountPoint/tmp/ca-cert.crt"
export SSL_CERT_FILE=/tmp/ca-cert.crt
# For Nix 1.7
export CURL_CA_BUNDLE=/tmp/ca-cert.crt
if [ -n "$runChroot" ]; then
if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
@ -113,7 +125,7 @@ if test -z "$NIXOS_CONFIG"; then
NIXOS_CONFIG=/etc/nixos/configuration.nix
fi
if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then
echo "configuration file $mountPoint/$NIXOS_CONFIG doesn't exist"
exit 1
fi
@ -124,14 +136,13 @@ fi
mkdir -m 0755 -p \
$mountPoint/nix/var/nix/gcroots \
$mountPoint/nix/var/nix/temproots \
$mountPoint/nix/var/nix/manifests \
$mountPoint/nix/var/nix/userpool \
$mountPoint/nix/var/nix/profiles \
$mountPoint/nix/var/nix/db \
$mountPoint/nix/var/log/nix/drvs
mkdir -m 1775 -p $mountPoint/nix/store
chown root:nixbld $mountPoint/nix/store
chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
# There is no daemon in the chroot.
@ -144,18 +155,13 @@ export LC_ALL=
export LC_TIME=
# Create a temporary Nix config file that causes the nixbld users to
# be used.
echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf # FIXME: remove in Nix 1.8
binary_caches=$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')
if test -n "$binary_caches"; then
echo "binary-caches = $binary_caches" >> $mountPoint/tmp/nix.conf
fi
export NIX_CONF_DIR=/tmp
# Builds will use users that are members of this group
extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup")
touch $mountPoint/etc/passwd $mountPoint/etc/group
mount --bind -o ro /etc/passwd $mountPoint/etc/passwd
mount --bind -o ro /etc/group $mountPoint/etc/group
# Inherit binary caches from the host
binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')"
extraBuildFlags+=(--option "binary-caches" "$binary_caches")
# Copy Nix to the Nix store on the target device, unless it's already there.
@ -164,7 +170,7 @@ if ! NIX_DB_DIR=$mountPoint/nix/var/nix/db nix-store --check-validity @nix@ 2> /
for i in $(@perl@/bin/perl @pathsFromGraph@ @nixClosure@); do
echo " $i"
chattr -R -i $mountPoint/$i 2> /dev/null || true # clear immutable bit
rsync -a $i $mountPoint/nix/store/
@rsync@/bin/rsync -a $i $mountPoint/nix/store/
done
# Register the paths in the Nix closure as valid. This is necessary
@ -194,24 +200,22 @@ p=@nix@/libexec/nix/substituters
export NIX_SUBSTITUTERS=$p/copy-from-other-stores.pl:$p/download-from-binary-cache.pl
# Make manifests available in the chroot.
rm -f $mountPoint/nix/var/nix/manifests/*
for i in /nix/var/nix/manifests/*.nixmanifest; do
chroot $mountPoint @nix@/bin/nix-store -r "$(readlink -f "$i")" > /dev/null
cp -pd "$i" $mountPoint/nix/var/nix/manifests/
done
# Get the absolute path to the NixOS/Nixpkgs sources.
nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"
if [ -z "$closure" ]; then
# Get the absolute path to the NixOS/Nixpkgs sources.
nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"
nixEnvAction="-f <nixpkgs/nixos> --set -A system"
else
nixpkgs=""
nixEnvAction="--set $closure"
fi
# Build the specified Nix expression in the target store and install
# it into the system configuration profile.
echo "building the system configuration..."
NIX_PATH="nixpkgs=/tmp/root/$nixpkgs:nixos-config=$NIXOS_CONFIG" NIXOS_CONFIG= \
chroot $mountPoint @nix@/bin/nix-env \
"${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' --set -A system
"${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system $nixEnvAction
# Copy the NixOS/Nixpkgs sources to the target as the initial contents
@ -220,7 +224,7 @@ mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
srcs=$(nix-env "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")
if test -n "$srcs"; then
if [ -z "$noChannelCopy" ] && [ -n "$srcs" ]; then
echo "copying NixOS/Nixpkgs sources..."
chroot $mountPoint @nix@/bin/nix-env \
"${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -i "$srcs" --quiet
@ -230,7 +234,7 @@ ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defex
# Get rid of the /etc bind mounts.
umount $mountPoint/etc/passwd $mountPoint/etc/group
for f in /etc/passwd /etc/group; do [ -f "$f" ] && umount $mountPoint/$f; done
# Grub needs an mtab.
@ -246,16 +250,17 @@ touch $mountPoint/etc/NIXOS
# a menu default pointing at the kernel/initrd/etc of the new
# configuration.
echo "finalising the installation..."
NIXOS_INSTALL_GRUB=1 chroot $mountPoint \
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
if [ -z "$noBootLoader" ]; then
NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint \
/nix/var/nix/profiles/system/bin/switch-to-configuration boot
fi
# Run the activation script.
chroot $mountPoint /nix/var/nix/profiles/system/activate
# Ask the user to set a root password.
if [ "$(chroot $mountPoint /run/current-system/sw/bin/sh -l -c "nix-instantiate --eval '<nixpkgs/nixos>' -A config.users.mutableUsers")" = true ] && [ -t 0 ] ; then
if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/setuid-wrappers/passwd ] && [ -t 0 ]; then
echo "setting root password..."
chroot $mountPoint /var/setuid-wrappers/passwd
fi

10
nixos/modules/installer/tools/nixos-rebuild.sh
View file

@ -33,7 +33,11 @@ while [ "$#" -gt 0 ]; do
action="$i"
;;
--install-grub)
export NIXOS_INSTALL_GRUB=1
echo "$0: --install-grub deprecated, use --install-bootloader instead" >&2
export NIXOS_INSTALL_BOOTLOADER=1
;;
--install-bootloader)
export NIXOS_INSTALL_BOOTLOADER=1
;;
--no-build-nix)
buildNix=
@ -214,9 +218,9 @@ fi
# Re-execute nixos-rebuild from the Nixpkgs tree.
if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
if p=$(nix-instantiate --find-file nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh "${extraBuildFlags[@]}"); then
if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
export _NIXOS_REBUILD_REEXEC=1
exec $SHELL -e $p "${origArgs[@]}"
exec $p/bin/nixos-rebuild "${origArgs[@]}"
exit 1
fi
fi

4
nixos/modules/installer/tools/nixos-version.sh
View file

@ -1,6 +1,10 @@
#! @shell@
case "$1" in
-h|--help)
exec man nixos-version
exit 1
;;
--hash|--revision)
echo "@nixosRevision@"
;;

5
nixos/modules/installer/tools/tools.nix
View file

@ -21,8 +21,11 @@ let
name = "nixos-install";
src = ./nixos-install.sh;
inherit (pkgs) perl pathsFromGraph;
inherit (pkgs) perl pathsFromGraph rsync;
nix = config.nix.package.out;
cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
root_uid = config.ids.uids.root;
nixbld_gid = config.ids.gids.nixbld;
nixClosure = pkgs.runCommand "closure"
{ exportReferencesGraph = ["refs" config.nix.package.out]; }

14
nixos/modules/misc/ids.nix
View file

@ -269,6 +269,12 @@
mosquitto = 246;
toxvpn = 247;
squeezelite = 248;
turnserver = 249;
smokeping = 250;
gocd-agent = 251;
gocd-server = 252;
terraria = 253;
mattermost = 254;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -369,7 +375,7 @@
quassel = 89;
amule = 90;
minidlna = 91;
#elasticsearch = 92; # unused
elasticsearch = 92;
#tcpcryptd = 93; # unused
connman = 94;
firebird = 95;
@ -508,6 +514,12 @@
mosquitto = 246;
#toxvpn = 247; # unused
#squeezelite = 248; #unused
turnserver = 249;
smokeping = 250;
gocd-agent = 251;
gocd-server = 252;
terraria = 253;
mattermost = 254;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

8
nixos/modules/misc/meta.nix
View file

@ -39,7 +39,7 @@ in
default = [];
example = [ lib.maintainers.all ];
description = ''
List of maintainers of each module. This option should be defined at
List of maintainers of each module. This option should be defined at
most once per module.
'';
};
@ -49,7 +49,7 @@ in
internal = true;
example = "./meta.xml";
description = ''
Documentation prologe for the set of options of each module. This
Documentation prologe for the set of options of each module. This
option should be defined at most once per module.
'';
};
@ -57,7 +57,5 @@ in
};
};
config = {
meta.maintainers = singleton lib.maintainers.pierron;
};
meta.maintainers = singleton lib.maintainers.pierron;
}

5
nixos/modules/misc/nixpkgs.nix
View file

@ -21,6 +21,11 @@ let
packageOverrides = pkgs:
optCall lhs.packageOverrides pkgs //
optCall (attrByPath ["packageOverrides"] ({}) rhs) pkgs;
} //
optionalAttrs (lhs ? perlPackageOverrides) {
perlPackageOverrides = pkgs:
optCall lhs.perlPackageOverrides pkgs //
optCall (attrByPath ["perlPackageOverrides"] ({}) rhs) pkgs;
};
configType = mkOptionType {

41
nixos/modules/misc/version.nix
View file

@ -35,57 +35,44 @@ in
nixosLabel = mkOption {
type = types.str;
description = ''
NixOS version name to be used in the names of generated
outputs and boot labels.
If you ever wanted to influence the labels in your GRUB menu,
this is option is for you.
Can be set directly or with <envar>NIXOS_LABEL</envar>
environment variable for <command>nixos-rebuild</command>,
e.g.:
<screen>
#!/bin/sh
today=`date +%Y%m%d`
branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')`
revision=`(cd nixpkgs ; git rev-parse HEAD)`
export NIXOS_LABEL="$today.$branch-''${revision:0:7}"
nixos-rebuild switch</screen>
Label to be used in the names of generated outputs and boot
labels.
'';
};
nixosVersion = mkOption {
internal = true;
type = types.str;
description = "NixOS version.";
description = "The full NixOS version (e.g. <literal>16.03.1160.f2d4ee1</literal>).";
};
nixosRelease = mkOption {
readOnly = true;
type = types.str;
default = readFile releaseFile;
description = "NixOS release.";
default = fileContents releaseFile;
description = "The NixOS release (e.g. <literal>16.03</literal>).";
};
nixosVersionSuffix = mkOption {
internal = true;
type = types.str;
default = if pathExists suffixFile then readFile suffixFile else "pre-git";
description = "NixOS version suffix.";
default = if pathExists suffixFile then fileContents suffixFile else "pre-git";
description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>).";
};
nixosRevision = mkOption {
internal = true;
type = types.str;
default = if pathExists revisionFile then readFile revisionFile else "master";
description = "NixOS Git revision hash.";
default = if pathIsDirectory gitRepo then commitIdFromGitRepo gitRepo
else if pathExists revisionFile then fileContents revisionFile
else "master";
description = "The Git revision from which this NixOS configuration was built.";
};
nixosCodeName = mkOption {
readOnly = true;
type = types.str;
description = "NixOS release code name.";
description = "The NixOS release code name (e.g. <literal>Emu</literal>).";
};
defaultChannel = mkOption {
@ -102,8 +89,8 @@ in
system = {
# These defaults are set here rather than up there so that
# changing them would not rebuild the manual
nixosLabel = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion);
nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix));
nixosLabel = mkDefault cfg.nixosVersion;
nixosVersion = mkDefault (cfg.nixosRelease + cfg.nixosVersionSuffix);
nixosRevision = mkIf (pathIsDirectory gitRepo) (mkDefault gitCommitId);
nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));

29
nixos/modules/module-list.nix
View file

@ -37,9 +37,10 @@
./hardware/network/rtl8192c.nix
./hardware/opengl.nix
./hardware/pcmcia.nix
./hardware/video/amdgpu.nix
./hardware/video/ati.nix
./hardware/video/bumblebee.nix
./hardware/video/nvidia.nix
./hardware/video/ati.nix
./hardware/video/webcam/facetimehd.nix
./i18n/input-method/default.nix
./i18n/input-method/fcitx.nix
@ -62,8 +63,7 @@
./programs/bash/bash.nix
./programs/blcr.nix
./programs/cdemu.nix
# see https://github.com/NixOS/nixos-channel-scripts/issues/4
#./programs/command-not-found/command-not-found.nix
./programs/command-not-found/command-not-found.nix
./programs/dconf.nix
./programs/environment.nix
./programs/freetds.nix
@ -76,13 +76,14 @@
./programs/screen.nix
./programs/shadow.nix
./programs/shell.nix
./programs/spacefm.nix
./programs/ssh.nix
./programs/ssmtp.nix
./programs/tmux.nix
./programs/unity3d.nix
./programs/venus.nix
./programs/wvdial.nix
./programs/xfs_quota.nix
./programs/xonsh.nix
./programs/zsh/zsh.nix
./rename.nix
./security/acme.nix
@ -90,6 +91,7 @@
./security/apparmor-suid.nix
./security/audit.nix
./security/ca.nix
./security/chromium-suid-sandbox.nix
./security/duosec.nix
./security/grsecurity.nix
./security/hidepid.nix
@ -128,6 +130,8 @@
./services/computing/slurm/slurm.nix
./services/continuous-integration/buildkite-agent.nix
./services/continuous-integration/hydra/default.nix
./services/continuous-integration/gocd-agent/default.nix
./services/continuous-integration/gocd-server/default.nix
./services/continuous-integration/jenkins/default.nix
./services/continuous-integration/jenkins/job-builder.nix
./services/continuous-integration/jenkins/slave.nix
@ -164,10 +168,12 @@
./services/desktops/profile-sync-daemon.nix
./services/desktops/telepathy.nix
./services/development/hoogle.nix
./services/editors/emacs.nix
./services/games/factorio.nix
./services/games/ghost-one.nix
./services/games/minecraft-server.nix
./services/games/minetest-server.nix
./services/games/terraria.nix
./services/hardware/acpid.nix
./services/hardware/actkbd.nix
./services/hardware/amd-hybrid-graphics.nix
@ -247,6 +253,7 @@
./services/misc/nix-ssh-serve.nix
./services/misc/nzbget.nix
./services/misc/octoprint.nix
./services/misc/packagekit.nix
./services/misc/parsoid.nix
./services/misc/phd.nix
./services/misc/plex.nix
@ -256,6 +263,7 @@
./services/misc/ripple-data-api.nix
./services/misc/rogue.nix
./services/misc/siproxd.nix
./services/misc/sonarr.nix
./services/misc/spice-vdagentd.nix
./services/misc/subsonic.nix
./services/misc/sundtek.nix
@ -317,6 +325,7 @@
./services/networking/cntlm.nix
./services/networking/connman.nix
./services/networking/consul.nix
./services/networking/coturn.nix
./services/networking/ddclient.nix
./services/networking/dhcpcd.nix
./services/networking/dhcpd.nix
@ -326,12 +335,14 @@
./services/networking/docker-registry-server.nix
./services/networking/ejabberd.nix
./services/networking/fan.nix
./services/networking/ferm.nix
./services/networking/firefox/sync-server.nix
./services/networking/firewall.nix
./services/networking/flashpolicyd.nix
./services/networking/freenet.nix
./services/networking/gale.nix
./services/networking/gateone.nix
./services/networking/gdomap.nix
./services/networking/git-daemon.nix
./services/networking/gnunet.nix
./services/networking/gogoclient.nix
@ -365,6 +376,7 @@
./services/networking/ntopng.nix
./services/networking/ntpd.nix
./services/networking/nylon.nix
./services/networking/offlineimap.nix
./services/networking/oidentd.nix
./services/networking/openfire.nix
./services/networking/openntpd.nix
@ -389,6 +401,7 @@
./services/networking/shairport-sync.nix
./services/networking/shout.nix
./services/networking/sniproxy.nix
./services/networking/smokeping.nix
./services/networking/softether.nix
./services/networking/spiped.nix
./services/networking/sslh.nix
@ -414,6 +427,7 @@
./services/networking/wicd.nix
./services/networking/wpa_supplicant.nix
./services/networking/xinetd.nix
./services/networking/xl2tpd.nix
./services/networking/zerobin.nix
./services/networking/zerotierone.nix
./services/networking/znc.nix
@ -452,7 +466,9 @@
./services/ttys/agetty.nix
./services/ttys/gpm.nix
./services/ttys/kmscon.nix
./services/web-apps/mattermost.nix
./services/web-apps/pump.io.nix
./services/web-apps/tt-rss.nix
./services/web-servers/apache-httpd/default.nix
./services/web-servers/caddy.nix
./services/web-servers/fcgiwrap.nix
@ -460,8 +476,9 @@
./services/web-servers/lighttpd/cgit.nix
./services/web-servers/lighttpd/default.nix
./services/web-servers/lighttpd/gitweb.nix
./services/web-servers/lighttpd/inginious.nix
./services/web-servers/nginx/default.nix
./services/web-servers/phpfpm.nix
./services/web-servers/phpfpm/default.nix
./services/web-servers/shellinabox.nix
./services/web-servers/tomcat.nix
./services/web-servers/uwsgi.nix
@ -469,6 +486,7 @@
./services/web-servers/winstone.nix
./services/web-servers/zope2.nix
./services/x11/colord.nix
./services/x11/compton.nix
./services/x11/unclutter.nix
./services/x11/desktop-managers/default.nix
./services/x11/display-managers/auto.nix
@ -519,6 +537,7 @@
./system/boot/luksroot.nix
./system/boot/modprobe.nix
./system/boot/networkd.nix
./system/boot/plymouth.nix
./system/boot/resolved.nix
./system/boot/shutdown.nix
./system/boot/stage-1.nix

2
nixos/modules/profiles/installation-device.nix
View file

@ -42,7 +42,7 @@ with lib;
The "root" account has an empty password. ${
optionalString config.services.xserver.enable
"Type `start display-manager' to\nstart the graphical user interface."}
"Type `systemctl start display-manager' to\nstart the graphical user interface."}
'';
# Allow sshd to be started manually through "start sshd".

1
nixos/modules/programs/bash/inputrc
View file

@ -6,6 +6,7 @@ set meta-flag on
set input-meta on
set convert-meta off
set output-meta on
set colored-stats on
#set mark-symlinked-directories on

5
nixos/modules/programs/shadow.nix
View file

@ -103,10 +103,9 @@ in
};
security.setuidPrograms = [ "su" "chfn" ]
++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
++ lib.optionals config.users.mutableUsers
[ "passwd" "sg" "newgrp"
"newuidmap" "newgidmap" # new in shadow 4.2.x
];
[ "passwd" "sg" "newgrp" ];
};

55
nixos/modules/programs/spacefm.nix Normal file
View file

@ -0,0 +1,55 @@
# Global configuration for spacefm.
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.programs.spacefm;
in
{
###### interface
options = {
programs.spacefm = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to install SpaceFM and create <filename>/etc/spacefm/spacefm.conf</filename>.
'';
};
settings = mkOption {
type = types.attrs;
default = {
tmp_dir = "/tmp";
terminal_su = "${pkgs.sudo}/bin/sudo";
graphical_su = "${pkgs.gksu}/bin/gksu";
};
example = literalExample ''{
tmp_dir = "/tmp";
terminal_su = "''${pkgs.sudo}/bin/sudo";
graphical_su = "''${pkgs.gksu}/bin/gksu";
}'';
description = ''
The system-wide spacefm configuration.
Parameters to be written to <filename>/etc/spacefm/spacefm.conf</filename>.
Refer to the <link xlink:href="https://ignorantguru.github.io/spacefm/spacefm-manual-en.html#programfiles-etc">relevant entry</link> in the SpaceFM manual.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.spaceFM ];
environment.etc."spacefm/spacefm.conf".text =
concatStrings (mapAttrsToList (n: v: "${n}=${toString v}\n") cfg.settings);
};
}

13
nixos/modules/programs/ssmtp.nix
View file

@ -100,6 +100,12 @@ in
Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
'';
};
setSendmail = mkOption {
type = types.bool;
default = true;
description = "Whether to set the system sendmail to ssmtp's.";
};
};
@ -122,6 +128,13 @@ in
'';
environment.systemPackages = [pkgs.ssmtp];
services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail {
program = "sendmail";
source = "${pkgs.ssmtp}/bin/sendmail";
setuid = false;
setgid = false;
};
};

9
nixos/modules/programs/tmux.nix
View file

@ -27,7 +27,7 @@ let
set -g status-keys ${cfg.keyMode}
set -g mode-keys ${cfg.keyMode}
${if cfg.keyMode == "vi" then ''
${if cfg.keyMode == "vi" && cfg.customPaneNavigationAndResize then ''
bind h select-pane -L
bind j select-pane -D
bind k select-pane -U
@ -86,6 +86,13 @@ in {
description = "Use 24 hour clock.";
};
customPaneNavigationAndResize = mkOption {
default = false;
example = true;
type = types.bool;
description = "Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.";
};
escapeTime = mkOption {
default = 500;
example = 0;

25
nixos/modules/programs/unity3d.nix
View file

@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.programs.unity3d;
in {
options = {
programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
};
config = mkIf cfg.enable {
security.setuidOwners = [{
program = "unity-chrome-sandbox";
source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
owner = "root";
#group = "root";
setuid = true;
#setgid = true;
}];
environment.systemPackages = [ pkgs.unity3d ];
};
}

62
nixos/modules/programs/xonsh.nix Normal file
View file

@ -0,0 +1,62 @@
# This module defines global configuration for the xonsh.
{ config, lib, pkgs, ... }:
with lib;
let
cfge = config.environment;
cfg = config.programs.xonsh;
in
{
options = {
programs.xonsh = {
enable = mkOption {
default = false;
description = ''
Whether to configure xnosh as an interactive shell.
'';
type = types.bool;
};
package = mkOption {
type = types.package;
example = literalExample "pkgs.xonsh.override { configFile = \"/path/to/xonshrc\"; }";
description = ''
xonsh package to use.
'';
};
config = mkOption {
default = "";
description = "Control file to customize your shell behavior.";
type = types.lines;
};
};
};
config = mkIf cfg.enable {
environment.etc."xonshrc".text = cfg.config;
environment.systemPackages = [ pkgs.xonsh ];
environment.shells =
[ "/run/current-system/sw/bin/xonsh"
"/var/run/current-system/sw/bin/xonsh"
"${pkgs.xonsh}/bin/xonsh"
];
};
}

2
nixos/modules/programs/zsh/zsh.nix
View file

@ -116,6 +116,8 @@ in
done
${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""}
HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
'';
};

72
nixos/modules/rename.nix
View file

@ -29,7 +29,7 @@ with lib;
(mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
(mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
(mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ])
(mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "")
# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
@ -112,41 +112,47 @@ with lib;
(mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ])
(mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ])
(mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
(mkRemovedOptionModule [ "services" "iodined" "client" ])
(mkRemovedOptionModule [ "services" "iodined" "client" ] "")
# Grsecurity
(mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ])
(mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ])
(mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
(mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
# Unity3D
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
# fontconfig-ultimate
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
# Options that are obsolete and have no replacement.
(mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ])
(mkRemovedOptionModule [ "programs" "bash" "enable" ])
(mkRemovedOptionModule [ "services" "samba" "defaultShare" ])
(mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ])
(mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ])
(mkRemovedOptionModule [ "ec2" "metadata" ])
(mkRemovedOptionModule [ "services" "openvpn" "enable" ])
(mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
(mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
(mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
(mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ])
(mkRemovedOptionModule [ "services" "dovecot2" "package" ])
(mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
(mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
(mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "")
(mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "")
(mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "")
(mkRemovedOptionModule [ "ec2" "metadata" ] "")
(mkRemovedOptionModule [ "services" "openvpn" "enable" ] "")
(mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "")
(mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "")
(mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]
"See the 16.03 release notes for more information.")
(mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
(mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
];
}

7
nixos/modules/security/acme.nix
View file

@ -290,9 +290,10 @@ in
systemd.targets."acme-certificates" = {};
})
{ meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];
meta.doc = ./acme.xml;
}
];
meta = {
maintainers = with lib.maintainers; [ abbradar fpletz globin ];
doc = ./acme.xml;
};
}

32
nixos/modules/security/chromium-suid-sandbox.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.chromiumSuidSandbox;
sandbox = pkgs.chromium.sandbox;
in
{
options.security.chromiumSuidSandbox.enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to install the Chromium SUID sandbox which is an executable that
Chromium may use in order to achieve sandboxing.
If you get the error "The SUID sandbox helper binary was found, but is not
configured correctly.", turning this on might help.
Also, if the URL chrome://sandbox tells you that "You are not adequately
sandboxed!", turning this on might resolve the issue.
Finally, if you have <option>security.grsecurity</option> enabled and you
use Chromium, you probably need this.
'';
};
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
};
}

51
nixos/modules/security/grsecurity.nix
View file

@ -12,13 +12,22 @@ let
(fs: (fs.neededForBoot
|| elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
&& fs.fsType == "zfs")
(attrValues config.fileSystems) != [];
config.system.build.fileSystems != [];
# Ascertain whether NixOS container support is required
containerSupportRequired =
config.boot.enableContainers && config.containers != {};
in
{
meta = {
maintainers = with maintainers; [ joachifm ];
doc = ./grsecurity.xml;
};
options.security.grsecurity = {
enable = mkEnableOption "Grsecurity/PaX";
enable = mkEnableOption "grsecurity/PaX";
lockTunables = mkOption {
type = types.bool;
@ -27,9 +36,21 @@ in
description = ''
Whether to automatically lock grsecurity tunables
(<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable
this to allow configuration of grsecurity features while the system is
running. The lock can be manually engaged by activating the
<literal>grsec-lock</literal> service unit.
this to allow runtime configuration of grsecurity features. Activate
the <literal>grsec-lock</literal> service unit to prevent further
configuration until the next reboot.
'';
};
disableEfiRuntimeServices = mkOption {
type = types.bool;
example = false;
default = true;
description = ''
Whether to disable access to EFI runtime services. Enabling EFI runtime
services creates a venue for code injection attacks on the kernel and
should be disabled if at all possible. Changing this option enters into
effect upon reboot.
'';
};
@ -41,25 +62,23 @@ in
# required kernel config
boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
system.requiredKernelConfig = with config.lib.kernelConfig;
[ (isEnabled "GRKERNSEC")
(isEnabled "PAX")
(isYES "GRKERNSEC_SYSCTL")
(isYES "GRKERNSEC_SYSCTL_DISTRO")
(isNO "GRKERNSEC_NO_RBAC")
];
# Crashing on an overflow in kernel land is user unfriendly and may prevent
# the system from booting, which is too severe for our use case.
boot.kernelParams = [ "pax_size_overflow_report_only" ];
# Install PaX related utillities into the system profile. Eventually, we
# also want to include gradm here.
environment.systemPackages = with pkgs; [ paxctl pax-utils ];
# Install PaX related utillities into the system profile.
environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
# Install rules for the grsec device node
services.udev.packages = [ pkgs.gradm ];
# This service unit is responsible for locking the Grsecurity tunables. The
# This service unit is responsible for locking the grsecurity tunables. The
# unit is always defined, but only activated on bootup if lockTunables is
# toggled. When lockTunables is toggled, failure to activate the unit will
# enter emergency mode. The intent is to make it difficult to silently
@ -97,7 +116,7 @@ in
# Configure system tunables
boot.kernel.sysctl = {
# Removed under grsecurity
# Read-only under grsecurity
"kernel.kptr_restrict" = mkForce null;
} // optionalAttrs config.nix.useSandbox {
# chroot(2) restrictions that conflict with sandboxed Nix builds
@ -105,11 +124,13 @@ in
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
} // optionalAttrs config.boot.enableContainers {
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
} // optionalAttrs containerSupportRequired {
# chroot(2) restrictions that conflict with NixOS lightweight containers
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
"kernel.grsecurity.chroot_caps" = mkForce 0;
};
assertions = [

345
nixos/modules/security/grsecurity.xml Normal file
View file

@ -0,0 +1,345 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-grsecurity">
<title>Grsecurity/PaX</title>
<para>
Grsecurity/PaX is a set of patches against the Linux kernel that make it
harder to exploit bugs. The patchset includes protections such as
enforcement of non-executable memory, address space layout randomization,
and chroot jail hardening. These and other
<link xlink:href="https://grsecurity.net/features.php">features</link>
render entire classes of exploits inert without additional efforts on the
part of the adversary.
</para>
<para>
The NixOS grsecurity/PaX module is designed with casual users in mind and is
intended to be compatible with normal desktop usage, without unnecessarily
compromising security. The following sections describe the configuration
and administration of a grsecurity/PaX enabled NixOS system. For
more comprehensive coverage, please refer to the
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
and the
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
Linux wiki page on grsecurity</link>.
<note><para>grsecurity/PaX is only available for the latest linux -stable
kernel; patches against older kernels are available from upstream only for
a fee.</para></note>
<note><para>We standardise on a desktop oriented configuration primarily due
to lack of resources. The grsecurity/PaX configuration state space is huge
and each configuration requires quite a bit of testing to ensure that the
resulting packages work as advertised. Defining additional package sets
would likely result in a large number of functionally broken packages, to
nobody's benefit.</para></note>.
</para>
<sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
<para>
To make use of grsecurity/PaX on NixOS, add the following to your
<filename>configuration.nix</filename>:
<programlisting>
security.grsecurity.enable = true;
</programlisting>
followed by
<programlisting>
# nixos-rebuild boot
# reboot
</programlisting>
For most users, further configuration should be unnecessary. All users
are encouraged to look over <xref linkend="sec-grsec-security" /> before
using the system, however. If you experience problems, please refer to
<xref linkend="sec-grsec-issues" />.
</para>
<para>
Once booted into the new system, you can optionally use
<command>paxtest</command> to exercise various PaX features:
<screen><![CDATA[
# nix-shell -p paxtest --command 'paxtest blackhat'
Executable anonymous mapping : Killed
Executable bss : Killed
# ... remaining output truncated for brevity
]]></screen>
</para>
</sect1>
<sect1 xml:id="sec-grsec-declarative-tuning"><title>Declarative tuning</title>
<para>
The default configuration mode is strictly declarative. Some features
simply cannot be changed at all after boot, while others are locked once the
system is up and running. Moreover, changes to the configuration enter
into effect only upon booting into the new system.
</para>
<para>
The NixOS module exposes a limited number of options for tuning the behavior
of grsecurity/PaX. These are options thought to be of particular interest
to most users. For experts, further tuning is possible via
<option>boot.kernelParams</option> (see
<xref linkend="sec-grsec-kernel-params" />) and
<option>boot.kernel.sysctl."kernel.grsecurity.*"</option> (the wikibook
contains an <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options">
exhaustive listing of grsecurity sysctl tunables</link>).
</para>
</sect1>
<sect1 xml:id="sec-grsec-manual-tuning"><title>Manual tuning</title>
<para>
To permit manual tuning of grsecurity runtime parameters, set:
<programlisting>
security.grsecurity.lockTunables = false;
</programlisting>
Once booted into this system, grsecurity features that have a corresponding
sysctl tunable can be changed without rebooting, either by switching into
a new system profile or via the <command>sysctl</command> utility.
</para>
<para>
To lock all grsecurity tunables until the next boot, do:
<screen>
# systemctl start grsec-lock
</screen>
</para>
</sect1>
<sect1 xml:id="sec-grsec-security"><title>Security considerations</title>
<para>
The NixOS kernel is built using upstream's recommended settings for a
desktop deployment that generally favours security over performance. This
section details deviations from upstream's recommendations that may
compromise operational security.
<warning><para>There may be additional problems not covered here!</para>
</warning>.
</para>
<itemizedlist>
<listitem><para>
The following hardening features are disabled in the NixOS kernel:
<itemizedlist>
<listitem><para>Kernel symbol hiding: rendered useless by redistributing
kernel objects.</para></listitem>
<listitem><para>Randomization of kernel structures: rendered useless by
redistributing kernel objects.</para></listitem>
<listitem><para>TCP simultaneous OPEN connection is permitted: breaking
strict TCP conformance is inappropriate for a general purpose kernel.
The trade-off is that an attacker may be able to deny outgoing
connections if they are able to guess the source port allocated by your
OS for that connection <emphasis>and</emphasis> also manage to initiate
a TCP simultaneous OPEN on that port before the connection is actually
established.</para></listitem>
<listitem><para><filename class="directory">/sys</filename> hardening:
breaks systemd.</para></listitem>
<listitem><para>Trusted path execution: a desirable feature, but
requires some more work to operate smoothly on NixOS.</para></listitem>
</itemizedlist>
</para></listitem>
<listitem><para>
The NixOS module conditionally weakens <command>chroot</command>
restrictions to accommodate NixOS lightweight containers and sandboxed Nix
builds. This is problematic if the deployment also runs a privileged
network facing process that <emphasis>relies</emphasis> on
<command>chroot</command> for isolation.
</para></listitem>
<listitem><para>
The NixOS kernel is patched to allow usermode helpers from anywhere in the
Nix store. A usermode helper is an executable called by the kernel in
certain circumstances, e.g., <command>modprobe</command>. Vanilla
grsecurity only allows usermode helpers from paths typically owned by the
super user. The NixOS kernel allows an attacker to inject malicious code
into the Nix store which could then be executed by the kernel as a
usermode helper.
</para></listitem>
<listitem><para>
The following features are disabled because they overlap with
vanilla kernel mechanisms:
<itemizedlist>
<listitem><para><filename class="directory">/proc</filename> hardening:
use <option>security.hideProcessInformation</option> instead. This
trades weaker protection for greater compatibility.
</para></listitem>
<listitem><para><command>dmesg</command> restrictions:
use <option>boot.kernel.sysctl."kernel.dmesg_restrict"</option> instead
</para></listitem>
</itemizedlist>
</para></listitem>
</itemizedlist>
</sect1>
<sect1 xml:id="sec-grsec-custom-kernel"><title>Using a custom grsecurity/PaX kernel</title>
<para>
The NixOS kernel is likely to be either too permissive or too restrictive
for many deployment scenarios. In addition to producing a kernel more
suitable for a particular deployment, a custom kernel may improve security
by depriving an attacker the ability to study the kernel object code, adding
yet more guesswork to successfully carry out certain exploits.
</para>
<para>
To use a custom kernel with upstream's recommended settings for server
deployments:
<programlisting>
boot.kernelPackages =
let
kernel = pkgs.linux_grsec_nixos.override {
extraConfig = ''
GRKERNSEC y
PAX y
GRKERNSEC_CONFIG_AUTO y
GRKERNSEC_CONFIG_SERVER y
GRKERNSEC_CONFIG_SECURITY y
'';
};
self = pkgs.linuxPackagesFor kernel self;
in self;
</programlisting>
The wikibook provides an exhaustive listing of
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
</para>
<para>
The NixOS module makes several assumptions about the kernel and so may be
incompatible with your customised kernel. Most of these assumptions are
encoded as assertions &#x2014; mismatches should ideally result in a build
failure. Currently, the only way to work around incompatibilities is to
eschew the NixOS module and do all configuration yourself.
</para>
</sect1>
<sect1 xml:id="sec-grsec-pax-flags"><title>Per-executable PaX flags</title>
<para>
Manual tuning of per-file PaX flags for executables in the Nix store is
impossible on a properly configured system. If a package in Nixpkgs fails
due to PaX, that is a bug in the package recipe and should be reported to
the maintainer (including relevant <command>dmesg</command> output).
</para>
<para>
For executables installed outside of the Nix store, PaX flags can be set
using the <command>paxctl</command> utility:
<programlisting>
paxctl -czem <replaceable>foo</replaceable>
</programlisting>
<warning>
<para><command>paxctl</command> overwrites files in-place.</para>
</warning>
Equivalently, on file systems that support extended attributes:
<programlisting>
setfattr -n user.pax.flags -v em <replaceable>foo</replaceable>
</programlisting>
<!-- TODO: PaX flags via RBAC policy -->
</para>
</sect1>
<sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
<itemizedlist>
<listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
consequently, unprivileged namespaces are unsupported. Applications that
rely on namespaces for sandboxing must use a privileged helper. For chromium
there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem>
<listitem><para>Access to EFI runtime services is disabled by default:
this plugs a potential code injection attack vector; use
<option>security.grsecurity.disableEfiRuntimeServices</option> to override
this behavior.</para></listitem>
<listitem><para>Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are
<emphasis>unsupported</emphasis> and most likely require a custom kernel.
</para></listitem>
<listitem><para>
Attaching <command>gdb</command> to a running process is disallowed by
default: unprivileged users can only ptrace processes that are children of
the ptracing process. To relax this restriction, set
<programlisting>
boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;
</programlisting>
</para></listitem>
<listitem><para>
Overflows in boot critical code (e.g., the root filesystem module) can
render the system unbootable. Work around by setting
<programlisting>
boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];
</programlisting>
</para></listitem>
<listitem><para>
The <citerefentry><refentrytitle>modify_ldt
</refentrytitle><manvolnum>2</manvolnum></citerefentry> syscall is disabled
by default. This restriction can interfere with programs designed to run
legacy 16-bit or segmented 32-bit code. To support applications that rely
on this syscall, set
<programlisting>
boot.kernel.sysctl."kernel.modify_ldt" = 1;
</programlisting>
</para></listitem>
</itemizedlist>
</sect1>
<sect1 xml:id="sec-grsec-kernel-params"><title>Grsecurity/PaX kernel parameters</title>
<para>
The NixOS kernel supports the following kernel command line parameters:
<itemizedlist>
<listitem><para>
<literal>pax_nouderef</literal>: disable UDEREF (separate kernel and
user address spaces).
</para></listitem>
<listitem><para>
<literal>pax_weakuderef</literal>: enable a faster but
weaker variant of UDEREF on 64-bit processors with PCID support
(check <code>grep pcid /proc/cpuinfo</code>).
</para></listitem>
<listitem><para>
<literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel
slab object sanitization
</para></listitem>
<listitem><para>
<literal>pax_size_overflow_report_only</literal>: log size overflow
violations but leave the violating task running
</para></listitem>
</itemizedlist>
</para>
</sect1>
</chapter>

19
nixos/modules/security/hidepid.nix
View file

@ -20,23 +20,6 @@ with lib;
config = mkIf config.security.hideProcessInformation {
users.groups.proc.gid = config.ids.gids.proc;
systemd.services.hidepid = {
wantedBy = [ "local-fs.target" ];
after = [ "systemd-remount-fs.service" ];
before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ];
wants = [ "local-fs-pre.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc'';
ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc'';
};
unitConfig = {
DefaultDependencies = false;
Conflicts = "shutdown.target";
};
};
fileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
};
}

9
nixos/modules/security/pam.nix
View file

@ -221,7 +221,7 @@ let
(''
# Account management.
account sufficient pam_unix.so
${optionalString config.users.ldap.enable
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
@ -261,7 +261,7 @@ let
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
${optionalString config.users.ldap.enable
${optionalString use_ldap
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
${optionalString config.krb5.enable ''
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
@ -276,7 +276,7 @@ let
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
${optionalString cfg.pamMount
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString config.users.ldap.enable
${optionalString use_ldap
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
@ -296,7 +296,7 @@ let
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
${optionalString config.security.pam.enableEcryptfs
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
${optionalString config.users.ldap.enable
${optionalString use_ldap
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
@ -322,6 +322,7 @@ let
inherit (pkgs) pam_krb5 pam_ccreds;
use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
# Create a limits.conf(5) file.

1
nixos/modules/services/audio/mopidy.nix
View file

@ -47,6 +47,7 @@ in {
};
configuration = mkOption {
default = "";
type = types.lines;
description = ''
The configuration that Mopidy should use.

2
nixos/modules/services/backup/crashplan.nix
View file

@ -28,7 +28,7 @@ with lib;
description = "CrashPlan Backup Engine";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
after = [ "network.target" "local-fs.target" ];
preStart = ''
ensureDir() {

12
nixos/modules/services/continuous-integration/buildkite-agent.nix
View file

@ -77,15 +77,11 @@ in
preStart = ''
${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/lib/buildkite-agent/.ssh
if ! [ -f /var/lib/buildkite-agent/.ssh/id_rsa ]; then
echo "${cfg.openssh.privateKey}" > /var/lib/buildkite-agent/.ssh/id_rsa
${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa
fi
echo "${cfg.openssh.privateKey}" > /var/lib/buildkite-agent/.ssh/id_rsa
${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa
if ! [ -f /var/lib/buildkite-agent/.ssh/id_rsa.pub ]; then
echo "${cfg.openssh.publicKey}" > /var/lib/buildkite-agent/.ssh/id_rsa.pub
${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa.pub
fi
echo "${cfg.openssh.publicKey}" > /var/lib/buildkite-agent/.ssh/id_rsa.pub
${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa.pub
'';
serviceConfig =

205
nixos/modules/services/continuous-integration/gocd-agent/default.nix Normal file
View file

@ -0,0 +1,205 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gocd-agent;
in {
options = {
services.gocd-agent = {
enable = mkEnableOption "gocd-agent";
user = mkOption {
default = "gocd-agent";
type = types.str;
description = ''
User the Go.CD agent should execute under.
'';
};
group = mkOption {
default = "gocd-agent";
type = types.str;
description = ''
If the default user "gocd-agent" is configured then this is the primary
group of that user.
'';
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "wheel" "docker" ];
description = ''
List of extra groups that the "gocd-agent" user should be a part of.
'';
};
packages = mkOption {
default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ];
type = types.listOf types.package;
description = ''
Packages to add to PATH for the Go.CD agent process.
'';
};
agentConfig = mkOption {
default = "";
type = types.str;
example = ''
agent.auto.register.resources=ant,java
agent.auto.register.environments=QA,Performance
agent.auto.register.hostname=Agent01
'';
description = ''
Agent registration configuration.
'';
};
goServer = mkOption {
default = "https://127.0.0.1:8154/go";
type = types.str;
description = ''
URL of the GoCD Server to attach the Go.CD Agent to.
'';
};
workDir = mkOption {
default = "/var/lib/go-agent";
type = types.str;
description = ''
Specifies the working directory in which the Go.CD agent java archive resides.
'';
};
initialJavaHeapSize = mkOption {
default = "128m";
type = types.str;
description = ''
Specifies the initial java heap memory size for the Go.CD agent java process.
'';
};
maxJavaHeapMemory = mkOption {
default = "256m";
type = types.str;
description = ''
Specifies the java maximum heap memory size for the Go.CD agent java process.
'';
};
startupOptions = mkOption {
default = [
"-Xms${cfg.initialJavaHeapSize}"
"-Xmx${cfg.maxJavaHeapMemory}"
"-Djava.io.tmpdir=/tmp"
"-Dcruise.console.publish.interval=10"
"-Djava.security.egd=file:/dev/./urandom"
];
description = ''
Specifies startup command line arguments to pass to Go.CD agent
java process. Example contains debug and gcLog arguments.
'';
};
extraOptions = mkOption {
default = [ ];
example = [
"-X debug"
"-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006"
"-verbose:gc"
"-Xloggc:go-agent-gc.log"
"-XX:+PrintGCTimeStamps"
"-XX:+PrintTenuringDistribution"
"-XX:+PrintGCDetails"
"-XX:+PrintGC"
];
description = ''
Specifies additional command line arguments to pass to Go.CD agent
java process. Example contains debug and gcLog arguments.
'';
};
environment = mkOption {
default = { };
type = with types; attrsOf str;
description = ''
Additional environment variables to be passed to the Go.CD agent process.
As a base environment, Go.CD agent receives NIX_PATH from
<option>environment.sessionVariables</option>, NIX_REMOTE is set to
"daemon".
'';
};
};
};
config = mkIf cfg.enable {
users.extraGroups = optional (cfg.group == "gocd-agent") {
name = "gocd-agent";
gid = config.ids.gids.gocd-agent;
};
users.extraUsers = optional (cfg.user == "gocd-agent") {
name = "gocd-agent";
description = "gocd-agent user";
createHome = true;
home = cfg.workDir;
group = cfg.group;
extraGroups = cfg.extraGroups;
useDefaultShell = true;
uid = config.ids.uids.gocd-agent;
};
systemd.services.gocd-agent = {
description = "GoCD Agent";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment =
let
selectedSessionVars =
lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
config.environment.sessionVariables;
in
selectedSessionVars //
{
NIX_REMOTE = "daemon";
AGENT_WORK_DIR = cfg.workDir;
AGENT_STARTUP_ARGS = ''${concatStringsSep " " cfg.startupOptions}'';
LOG_DIR = cfg.workDir;
LOG_FILE = "${cfg.workDir}/go-agent-start.log";
} //
cfg.environment;
path = cfg.packages;
script = ''
MPATH="''${PATH}";
source /etc/profile
export PATH="''${MPATH}:''${PATH}";
if ! test -f ~/.nixpkgs/config.nix; then
mkdir -p ~/.nixpkgs/
echo "{ allowUnfree = true; }" > ~/.nixpkgs/config.nix
fi
mkdir -p config
rm -f config/autoregister.properties
ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties
${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
${pkgs.jre}/bin/java ${concatStringsSep " " cfg.startupOptions} \
${concatStringsSep " " cfg.extraOptions} \
-jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \
-serverUrl ${cfg.goServer}
'';
serviceConfig = {
User = cfg.user;
WorkingDirectory = cfg.workDir;
RestartSec = 30;
Restart = "on-failure";
};
};
};
}

183
nixos/modules/services/continuous-integration/gocd-server/default.nix Normal file
View file

@ -0,0 +1,183 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gocd-server;
in {
options = {
services.gocd-server = {
enable = mkEnableOption "gocd-server";
user = mkOption {
default = "gocd-server";
type = types.str;
description = ''
User the Go.CD server should execute under.
'';
};
group = mkOption {
default = "gocd-server";
type = types.str;
description = ''
If the default user "gocd-server" is configured then this is the primary group of that user.
'';
};
extraGroups = mkOption {
default = [ ];
example = [ "wheel" "docker" ];
description = ''
List of extra groups that the "gocd-server" user should be a part of.
'';
};
listenAddress = mkOption {
default = "0.0.0.0";
example = "localhost";
type = types.str;
description = ''
Specifies the bind address on which the Go.CD server HTTP interface listens.
'';
};
port = mkOption {
default = 8153;
type = types.int;
description = ''
Specifies port number on which the Go.CD server HTTP interface listens.
'';
};
sslPort = mkOption {
default = 8154;
type = types.int;
description = ''
Specifies port number on which the Go.CD server HTTPS interface listens.
'';
};
workDir = mkOption {
default = "/var/lib/go-server";
type = types.str;
description = ''
Specifies the working directory in which the Go.CD server java archive resides.
'';
};
packages = mkOption {
default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ];
type = types.listOf types.package;
description = ''
Packages to add to PATH for the Go.CD server's process.
'';
};
initialJavaHeapSize = mkOption {
default = "512m";
type = types.str;
description = ''
Specifies the initial java heap memory size for the Go.CD server's java process.
'';
};
maxJavaHeapMemory = mkOption {
default = "1024m";
type = types.str;
description = ''
Specifies the java maximum heap memory size for the Go.CD server's java process.
'';
};
extraOptions = mkOption {
default = [
"-Xms${cfg.initialJavaHeapSize}"
"-Xmx${cfg.maxJavaHeapMemory}"
"-Dcruise.listen.host=${cfg.listenAddress}"
"-Duser.language=en"
"-Djruby.rack.request.size.threshold.bytes=30000000"
"-Duser.country=US"
"-Dcruise.config.dir=${cfg.workDir}/conf"
"-Dcruise.config.file=${cfg.workDir}/conf/cruise-config.xml"
"-Dcruise.server.port=${toString cfg.port}"
"-Dcruise.server.ssl.port=${toString cfg.sslPort}"
];
example = [
"-X debug"
"-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"
"-verbose:gc"
"-Xloggc:go-server-gc.log"
"-XX:+PrintGCTimeStamps"
"-XX:+PrintTenuringDistribution"
"-XX:+PrintGCDetails"
"-XX:+PrintGC"
];
description = ''
Specifies additional command line arguments to pass to Go.CD server's
java process. Example contains debug and gcLog arguments.
'';
};
environment = mkOption {
default = { };
type = with types; attrsOf str;
description = ''
Additional environment variables to be passed to the gocd-server process.
As a base environment, gocd-server receives NIX_PATH from
<option>environment.sessionVariables</option>, NIX_REMOTE is set to
"daemon".
'';
};
};
};
config = mkIf cfg.enable {
users.extraGroups = optional (cfg.group == "gocd-server") {
name = "gocd-server";
gid = config.ids.gids.gocd-server;
};
users.extraUsers = optional (cfg.user == "gocd-server") {
name = "gocd-server";
description = "gocd-server user";
createHome = true;
home = cfg.workDir;
group = cfg.group;
extraGroups = cfg.extraGroups;
useDefaultShell = true;
uid = config.ids.uids.gocd-server;
};
systemd.services.gocd-server = {
description = "GoCD Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment =
let
selectedSessionVars =
lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
config.environment.sessionVariables;
in
selectedSessionVars //
{ NIX_REMOTE = "daemon";
} //
cfg.environment;
path = cfg.packages;
script = ''
${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.extraOptions} \
-jar ${pkgs.gocd-server}/go-server/go.jar
'';
serviceConfig = {
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.workDir;
};
};
};
}

9
nixos/modules/services/continuous-integration/hydra/default.nix
View file

@ -166,7 +166,7 @@ in
buildMachinesFiles = mkOption {
type = types.listOf types.path;
default = [];
default = [ "/etc/nix/machines" ];
example = [ "/etc/nix/machines" "/var/lib/hydra/provisioner/machines" ];
description = "List of files containing build machines.";
};
@ -193,7 +193,9 @@ in
config = mkIf cfg.enable {
users.extraGroups.hydra = { };
users.extraGroups.hydra = {
gid = config.ids.gids.hydra;
};
users.extraUsers.hydra =
{ description = "Hydra";
@ -201,6 +203,7 @@ in
createHome = true;
home = baseDir;
useDefaultShell = true;
uid = config.ids.uids.hydra;
};
users.extraUsers.hydra-queue-runner =
@ -208,12 +211,14 @@ in
group = "hydra";
useDefaultShell = true;
home = "${baseDir}/queue-runner"; # really only to keep SSH happy
uid = config.ids.uids.hydra-queue-runner;
};
users.extraUsers.hydra-www =
{ description = "Hydra web server";
group = "hydra";
useDefaultShell = true;
uid = config.ids.uids.hydra-www;
};
nix.trustedUsers = [ "hydra-queue-runner" ];

2
nixos/modules/services/continuous-integration/jenkins/default.nix
View file

@ -154,7 +154,7 @@ in {
'';
script = ''
${pkgs.jdk}/bin/java -jar ${pkgs.jenkins} --httpListenAddress=${cfg.listenAddress} \
${pkgs.jdk}/bin/java -jar ${pkgs.jenkins}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
--httpPort=${toString cfg.port} \
--prefix=${cfg.prefix} \
${concatStringsSep " " cfg.extraOptions}

449
nixos/modules/services/databases/cassandra.nix Normal file
View file

@ -0,0 +1,449 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.cassandra;
cassandraPackage = cfg.package.override {
jre = cfg.jre;
};
cassandraUser = {
name = cfg.user;
home = "/var/lib/cassandra";
description = "Cassandra role user";
};
cassandraRackDcProperties = ''
dc=${cfg.dc}
rack=${cfg.rack}
'';
cassandraConf = ''
cluster_name: ${cfg.clusterName}
num_tokens: 256
auto_bootstrap: ${if cfg.autoBootstrap then "true" else "false"}
hinted_handoff_enabled: ${if cfg.hintedHandOff then "true" else "false"}
hinted_handoff_throttle_in_kb: ${builtins.toString cfg.hintedHandOffThrottle}
max_hints_delivery_threads: 2
max_hint_window_in_ms: 10800000 # 3 hours
authenticator: ${cfg.authenticator}
authorizer: ${cfg.authorizer}
permissions_validity_in_ms: 2000
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
data_file_directories:
${builtins.concatStringsSep "\n" (map (v: " - "+v) cfg.dataDirs)}
commitlog_directory: ${cfg.commitLogDirectory}
disk_failure_policy: stop
key_cache_size_in_mb:
key_cache_save_period: 14400
row_cache_size_in_mb: 0
row_cache_save_period: 0
saved_caches_directory: ${cfg.savedCachesDirectory}
commitlog_sync: ${cfg.commitLogSync}
commitlog_sync_period_in_ms: ${builtins.toString cfg.commitLogSyncPeriod}
commitlog_segment_size_in_mb: 32
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
parameters:
- seeds: "${builtins.concatStringsSep "," cfg.seeds}"
concurrent_reads: ${builtins.toString cfg.concurrentReads}
concurrent_writes: ${builtins.toString cfg.concurrentWrites}
memtable_flush_queue_size: 4
trickle_fsync: false
trickle_fsync_interval_in_kb: 10240
storage_port: 7000
ssl_storage_port: 7001
listen_address: ${cfg.listenAddress}
start_native_transport: true
native_transport_port: 9042
start_rpc: true
rpc_address: ${cfg.rpcAddress}
rpc_port: 9160
rpc_keepalive: true
rpc_server_type: sync
thrift_framed_transport_size_in_mb: 15
incremental_backups: ${if cfg.incrementalBackups then "true" else "false"}
snapshot_before_compaction: false
auto_snapshot: true
column_index_size_in_kb: 64
in_memory_compaction_limit_in_mb: 64
multithreaded_compaction: false
compaction_throughput_mb_per_sec: 16
compaction_preheat_key_cache: true
read_request_timeout_in_ms: 10000
range_request_timeout_in_ms: 10000
write_request_timeout_in_ms: 10000
cas_contention_timeout_in_ms: 1000
truncate_request_timeout_in_ms: 60000
request_timeout_in_ms: 10000
cross_node_timeout: false
endpoint_snitch: ${cfg.snitch}
dynamic_snitch_update_interval_in_ms: 100
dynamic_snitch_reset_interval_in_ms: 600000
dynamic_snitch_badness_threshold: 0.1
request_scheduler: org.apache.cassandra.scheduler.NoScheduler
server_encryption_options:
internode_encryption: ${cfg.internodeEncryption}
keystore: ${cfg.keyStorePath}
keystore_password: ${cfg.keyStorePassword}
truststore: ${cfg.trustStorePath}
truststore_password: ${cfg.trustStorePassword}
client_encryption_options:
enabled: ${if cfg.clientEncryption then "true" else "false"}
keystore: ${cfg.keyStorePath}
keystore_password: ${cfg.keyStorePassword}
internode_compression: all
inter_dc_tcp_nodelay: false
preheat_kernel_page_cache: false
streaming_socket_timeout_in_ms: ${toString cfg.streamingSocketTimoutInMS}
'';
cassandraLog = ''
log4j.rootLogger=${cfg.logLevel},stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%5p [%t] %d{HH:mm:ss,SSS} %m%n
'';
cassandraConfFile = pkgs.writeText "cassandra.yaml" cassandraConf;
cassandraLogFile = pkgs.writeText "log4j-server.properties" cassandraLog;
cassandraRackFile = pkgs.writeText "cassandra-rackdc.properties" cassandraRackDcProperties;
cassandraEnvironment = {
CASSANDRA_HOME = cassandraPackage;
JAVA_HOME = cfg.jre;
CASSANDRA_CONF = "/etc/cassandra";
};
in {
###### interface
options.services.cassandra = {
enable = mkOption {
description = "Whether to enable cassandra.";
default = false;
type = types.bool;
};
package = mkOption {
description = "Cassandra package to use.";
default = pkgs.cassandra;
defaultText = "pkgs.cassandra";
type = types.package;
};
jre = mkOption {
description = "JRE package to run cassandra service.";
default = pkgs.jre;
defaultText = "pkgs.jre";
type = types.package;
};
user = mkOption {
description = "User that runs cassandra service.";
default = "cassandra";
type = types.string;
};
group = mkOption {
description = "Group that runs cassandra service.";
default = "cassandra";
type = types.string;
};
envFile = mkOption {
description = "path to cassandra-env.sh";
default = "${cassandraPackage}/conf/cassandra-env.sh";
defaultText = "\${cassandraPackage}/conf/cassandra-env.sh";
type = types.path;
};
clusterName = mkOption {
description = "set cluster name";
default = "cassandra";
example = "prod-cluster0";
type = types.string;
};
commitLogDirectory = mkOption {
description = "directory for commit logs";
default = "/var/lib/cassandra/commit_log";
type = types.string;
};
savedCachesDirectory = mkOption {
description = "directory for saved caches";
default = "/var/lib/cassandra/saved_caches";
type = types.string;
};
hintedHandOff = mkOption {
description = "enable hinted handoff";
default = true;
type = types.bool;
};
hintedHandOffThrottle = mkOption {
description = "hinted hand off throttle rate in kb";
default = 1024;
type = types.int;
};
commitLogSync = mkOption {
description = "commitlog sync method";
default = "periodic";
type = types.str;
example = "batch";
};
commitLogSyncPeriod = mkOption {
description = "commitlog sync period in ms ";
default = 10000;
type = types.int;
};
envScript = mkOption {
default = "${cassandraPackage}/conf/cassandra-env.sh";
defaultText = "\${cassandraPackage}/conf/cassandra-env.sh";
type = types.path;
description = "Supply your own cassandra-env.sh rather than using the default";
};
extraParams = mkOption {
description = "add additional lines to cassandra-env.sh";
default = [];
example = [''JVM_OPTS="$JVM_OPTS -Dcassandra.available_processors=1"''];
type = types.listOf types.str;
};
dataDirs = mkOption {
type = types.listOf types.path;
default = [ "/var/lib/cassandra/data" ];
description = "Data directories for cassandra";
};
logLevel = mkOption {
type = types.str;
default = "INFO";
description = "default logging level for log4j";
};
internodeEncryption = mkOption {
description = "enable internode encryption";
default = "none";
example = "all";
type = types.str;
};
clientEncryption = mkOption {
description = "enable client encryption";
default = false;
type = types.bool;
};
trustStorePath = mkOption {
description = "path to truststore";
default = ".conf/truststore";
type = types.str;
};
keyStorePath = mkOption {
description = "path to keystore";
default = ".conf/keystore";
type = types.str;
};
keyStorePassword = mkOption {
description = "password to keystore";
default = "cassandra";
type = types.str;
};
trustStorePassword = mkOption {
description = "password to truststore";
default = "cassandra";
type = types.str;
};
seeds = mkOption {
description = "password to truststore";
default = [ "127.0.0.1" ];
type = types.listOf types.str;
};
concurrentWrites = mkOption {
description = "number of concurrent writes allowed";
default = 32;
type = types.int;
};
concurrentReads = mkOption {
description = "number of concurrent reads allowed";
default = 32;
type = types.int;
};
listenAddress = mkOption {
description = "listen address";
default = "localhost";
type = types.str;
};
rpcAddress = mkOption {
description = "rpc listener address";
default = "localhost";
type = types.str;
};
incrementalBackups = mkOption {
description = "enable incremental backups";
default = false;
type = types.bool;
};
snitch = mkOption {
description = "snitch to use for topology discovery";
default = "GossipingPropertyFileSnitch";
example = "Ec2Snitch";
type = types.str;
};
dc = mkOption {
description = "datacenter for use in topology configuration";
default = "DC1";
example = "DC1";
type = types.str;
};
rack = mkOption {
description = "rack for use in topology configuration";
default = "RAC1";
example = "RAC1";
type = types.str;
};
authorizer = mkOption {
description = "
Authorization backend, implementing IAuthorizer; used to limit access/provide permissions
";
default = "AllowAllAuthorizer";
example = "CassandraAuthorizer";
type = types.str;
};
authenticator = mkOption {
description = "
Authentication backend, implementing IAuthenticator; used to identify users
";
default = "AllowAllAuthenticator";
example = "PasswordAuthenticator";
type = types.str;
};
autoBootstrap = mkOption {
description = "It makes new (non-seed) nodes automatically migrate the right data to themselves.";
default = true;
example = true;
type = types.bool;
};
streamingSocketTimoutInMS = mkOption {
description = "Enable or disable socket timeout for streaming operations";
default = 3600000; #CASSANDRA-8611
example = 120;
type = types.int;
};
repairStartAt = mkOption {
default = "Sun";
type = types.string;
description = ''
Defines realtime (i.e. wallclock) timers with calendar event
expressions. For more details re: systemd OnCalendar at
https://www.freedesktop.org/software/systemd/man/systemd.time.html#Displaying%20Time%20Spans
'';
example = ["weekly" "daily" "08:05:40" "mon,fri *-1/2-1,3 *:30:45"];
};
repairRandomizedDelayInSec = mkOption {
default = 0;
type = types.int;
description = ''Delay the timer by a randomly selected, evenly distributed
amount of time between 0 and the specified time value. re: systemd timer
RandomizedDelaySec for more details
'';
};
repairPostStop = mkOption {
default = null;
type = types.nullOr types.string;
description = ''
Run a script when repair is over. One can use it to send statsd events, email, etc.
'';
};
repairPostStart = mkOption {
default = null;
type = types.nullOr types.string;
description = ''
Run a script when repair starts. One can use it to send statsd events, email, etc.
It has same semantics as systemd ExecStopPost; So, if it fails, unit is consisdered
failed.
'';
};
};
###### implementation
config = mkIf cfg.enable {
environment.etc."cassandra/cassandra-rackdc.properties" = {
source = cassandraRackFile;
};
environment.etc."cassandra/cassandra.yaml" = {
source = cassandraConfFile;
};
environment.etc."cassandra/log4j-server.properties" = {
source = cassandraLogFile;
};
environment.etc."cassandra/cassandra-env.sh" = {
text = ''
${builtins.readFile cfg.envFile}
${concatStringsSep "\n" cfg.extraParams}
'';
};
systemd.services.cassandra = {
description = "Cassandra Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network-interfaces.target" ];
environment = cassandraEnvironment;
restartTriggers = [ cassandraConfFile cassandraLogFile cassandraRackFile ];
serviceConfig = {
User = cfg.user;
PermissionsStartOnly = true;
LimitAS = "infinity";
LimitNOFILE = "100000";
LimitNPROC = "32768";
LimitMEMLOCK = "infinity";
};
script = ''
${cassandraPackage}/bin/cassandra -f
'';
path = [
cfg.jre
cassandraPackage
pkgs.coreutils
];
preStart = ''
mkdir -m 0700 -p /etc/cassandra/triggers
mkdir -m 0700 -p /var/lib/cassandra /var/log/cassandra
chown ${cfg.user} /var/lib/cassandra /var/log/cassandra /etc/cassandra/triggers
'';
postStart = ''
sleep 2
while ! nodetool status >/dev/null 2>&1; do
sleep 2
done
nodetool status
'';
};
environment.systemPackages = [ cassandraPackage ];
networking.firewall.allowedTCPPorts = [
7000
7001
9042
9160
];
users.extraUsers.cassandra =
if config.ids.uids ? "cassandra"
then { uid = config.ids.uids.cassandra; } // cassandraUser
else cassandraUser ;
boot.kernel.sysctl."vm.swappiness" = pkgs.lib.mkOptionDefault 0;
systemd.timers."cassandra-repair" = {
timerConfig = {
OnCalendar = "${toString cfg.repairStartAt}";
RandomizedDelaySec = cfg.repairRandomizedDelayInSec;
};
};
systemd.services."cassandra-repair" = {
description = "Cassandra repair daemon";
environment = cassandraEnvironment;
script = "${cassandraPackage}/bin/nodetool repair -pr";
postStop = mkIf (cfg.repairPostStop != null) cfg.repairPostStop;
postStart = mkIf (cfg.repairPostStart != null) cfg.repairPostStart;
serviceConfig = {
User = cfg.user;
};
};
};
}

Some files were not shown because too many files have changed in this diff Show more