diff options
| author | Alyssa Ross <hi@alyssa.is> | 2024-05-21 11:19:54 +0200 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2024-05-21 11:19:54 +0200 |
| commit | 1f7ea1acad1207378e325dd0d6527a983d7192b5 (patch) | |
| tree | 38c0985697418e959e9c872b1afde54f9e6880f2 /nixpkgs/nixos/modules | |
| parent | a4ffc889571c7100467c7aa1ccae5a4d8373089f (diff) | |
| parent | 6c0b7a92c30122196a761b440ac0d46d3d9954f1 (diff) | |
| download | nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.gz nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.bz2 nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.lz nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.xz nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.zst nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.zip | |
Merge remote-tracking branch 'nixpkgs/nixos-unstable'
Diffstat (limited to 'nixpkgs/nixos/modules')
214 files changed, 3347 insertions, 1809 deletions
diff --git a/nixpkgs/nixos/modules/config/terminfo.nix b/nixpkgs/nixos/modules/config/terminfo.nix index 4b58605aa7f1..b538d749ffcb 100644 --- a/nixpkgs/nixos/modules/config/terminfo.nix +++ b/nixpkgs/nixos/modules/config/terminfo.nix @@ -31,7 +31,7 @@ with lib; # attrNames (filterAttrs # (_: drv: (builtins.tryEval (isDerivation drv && drv ? terminfo)).value) # pkgs) - environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [ + environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs.pkgsBuildBuild; [ alacritty contour foot diff --git a/nixpkgs/nixos/modules/config/xdg/terminal-exec.nix b/nixpkgs/nixos/modules/config/xdg/terminal-exec.nix new file mode 100644 index 000000000000..daf2055d2e90 --- /dev/null +++ b/nixpkgs/nixos/modules/config/xdg/terminal-exec.nix @@ -0,0 +1,54 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + cfg = config.xdg.terminal-exec; + inherit (lib) mkIf mkEnableOption mkOption mkPackageOption types; +in +{ + meta.maintainers = with lib.maintainers; [ Cryolitia ]; + + ###### interface + + options = { + xdg.terminal-exec = { + enable = mkEnableOption "xdg-terminal-exec, the [proposed](https://gitlab.freedesktop.org/xdg/xdg-specs/-/merge_requests/46) Default Terminal Execution Specification"; + package = mkPackageOption pkgs "xdg-terminal-exec" { }; + settings = mkOption { + type = with types; attrsOf (listOf str); + default = { }; + description = '' + Configuration options for the Default Terminal Execution Specification. + + The keys are the desktop environments that are matched (case-insensitively) against `$XDG_CURRENT_DESKTOP`, + or `default` which is used when the current desktop environment is not found in the configuration. + The values are a list of terminals' [desktop file IDs](https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s02.html#desktop-file-id) to try in order of decreasing priority. + ''; + example = { + default = [ "kitty.desktop" ]; + GNOME = [ "com.raggesilver.BlackBox.desktop" "org.gnome.Terminal.desktop" ]; + }; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + environment = { + systemPackages = [ cfg.package ]; + + etc = lib.mapAttrs' ( + desktop: terminals: + # map desktop name such as GNOME to `xdg/gnome-xdg-terminals.list`, default to `xdg/xdg-terminals.list` + lib.nameValuePair ( + "xdg/${if desktop == "default" then "" else "${lib.toLower desktop}-"}xdg-terminals.list" + ) { text = lib.concatLines terminals; } + ) cfg.settings; + }; + }; +} diff --git a/nixpkgs/nixos/modules/hardware/openrazer.nix b/nixpkgs/nixos/modules/hardware/openrazer.nix index 5ba6abfdb3d7..6f61254a60c1 100644 --- a/nixpkgs/nixos/modules/hardware/openrazer.nix +++ b/nixpkgs/nixos/modules/hardware/openrazer.nix @@ -19,7 +19,7 @@ let [Startup] sync_effects_enabled = ${toPyBoolStr cfg.syncEffectsEnabled} devices_off_on_screensaver = ${toPyBoolStr cfg.devicesOffOnScreensaver} - battery_notifier = ${toPyBoolStr (cfg.mouseBatteryNotifier || cfg.batteryNotifier.enable)} + battery_notifier = ${toPyBoolStr cfg.batteryNotifier.enable} battery_notifier_freq = ${builtins.toString cfg.batteryNotifier.frequency} battery_notifier_percent = ${builtins.toString cfg.batteryNotifier.percentage} @@ -80,14 +80,6 @@ in ''; }; - mouseBatteryNotifier = mkOption { - type = types.bool; - default = true; - description = '' - Mouse battery notifier. - ''; - }; - batteryNotifier = mkOption { description = '' Settings for device battery notifications. @@ -143,14 +135,11 @@ in }; }; - config = mkIf cfg.enable { - warnings = flatten [ - (optional cfg.mouseBatteryNotifier '' - The option openrazer.mouseBatteryNotifier is deprecated. - Please use openrazer.batteryNotifier instead to enable and configure battery notifications. - '') - ]; + imports = [ + (mkRenamedOptionModule [ "hardware" "openrazer" "mouseBatteryNotifier" ] [ "hardware" "openrazer" "batteryNotifier" "enable" ]) + ]; + config = mkIf cfg.enable { boot.extraModulePackages = [ kernelPackages.openrazer ]; boot.kernelModules = drivers; diff --git a/nixpkgs/nixos/modules/hardware/video/intel-gpu-tools.nix b/nixpkgs/nixos/modules/hardware/video/intel-gpu-tools.nix new file mode 100644 index 000000000000..b69fefcae118 --- /dev/null +++ b/nixpkgs/nixos/modules/hardware/video/intel-gpu-tools.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.hardware.intel-gpu-tools; +in +{ + options = { + hardware.intel-gpu-tools = { + enable = lib.mkEnableOption "a setcap wrapper for intel-gpu-tools"; + }; + }; + + config = lib.mkIf cfg.enable { + security.wrappers.intel_gpu_top = { + owner = "root"; + group = "root"; + source = "${pkgs.intel-gpu-tools}/bin/intel_gpu_top"; + capabilities = "cap_perfmon+ep"; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ kira-bruneau ]; + }; +} diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index d582e0c162de..29e9498018ec 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix @@ -135,7 +135,7 @@ in }; version = lib.mkOption { - type = types.nullOr (types.strMatching "^[a-z0-9._-]+$"); + type = types.nullOr (types.strMatching "^[a-z0-9._-~^]+$"); default = null; description = '' Image version. diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index a3fcbca29bdf..95a7ef3d7cbe 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -45,6 +45,7 @@ ./config/xdg/portals/lxqt.nix ./config/xdg/portals/wlr.nix ./config/xdg/sounds.nix + ./config/xdg/terminal-exec.nix ./config/zram.nix ./hardware/acpilight.nix ./hardware/all-firmware.nix @@ -106,6 +107,7 @@ ./hardware/video/bumblebee.nix ./hardware/video/capture/mwprocapture.nix ./hardware/video/displaylink.nix + ./hardware/video/intel-gpu-tools.nix ./hardware/video/nvidia.nix ./hardware/video/switcheroo-control.nix ./hardware/video/uvcvideo/default.nix @@ -156,6 +158,7 @@ ./programs/bash/ls-colors.nix ./programs/bash/undistract-me.nix ./programs/bcc.nix + ./programs/benchexec.nix ./programs/browserpass.nix ./programs/calls.nix ./programs/captive-browser.nix @@ -165,6 +168,7 @@ ./programs/chromium.nix ./programs/clash-verge.nix ./programs/cnping.nix + ./programs/cpu-energy-meter.nix ./programs/command-not-found/command-not-found.nix ./programs/coolercontrol.nix ./programs/criu.nix @@ -248,6 +252,7 @@ ./programs/pantheon-tweaks.nix ./programs/partition-manager.nix ./programs/plotinus.nix + ./programs/pqos-wrapper.nix ./programs/projecteur.nix ./programs/proxychains.nix ./programs/qdmr.nix @@ -306,6 +311,7 @@ ./programs/xwayland.nix ./programs/yabar.nix ./programs/yazi.nix + ./programs/ydotool.nix ./programs/yubikey-touch-detector.nix ./programs/zmap.nix ./programs/zsh/oh-my-zsh.nix @@ -665,6 +671,7 @@ ./services/matrix/maubot.nix ./services/matrix/mautrix-facebook.nix ./services/matrix/mautrix-meta.nix + ./services/matrix/mautrix-signal.nix ./services/matrix/mautrix-telegram.nix ./services/matrix/mautrix-whatsapp.nix ./services/matrix/mjolnir.nix @@ -697,6 +704,7 @@ ./services/misc/cpuminer-cryptonight.nix ./services/misc/db-rest.nix ./services/misc/devmon.nix + ./services/misc/devpi-server.nix ./services/misc/dictd.nix ./services/misc/disnix.nix ./services/misc/docker-registry.nix @@ -774,6 +782,7 @@ ./services/misc/polaris.nix ./services/misc/portunus.nix ./services/misc/preload.nix + ./services/misc/private-gpt.nix ./services/misc/prowlarr.nix ./services/misc/pufferpanel.nix ./services/misc/pykms.nix @@ -1320,6 +1329,7 @@ ./services/web-apps/akkoma.nix ./services/web-apps/alps.nix ./services/web-apps/anuko-time-tracker.nix + ./services/web-apps/artalk.nix ./services/web-apps/atlassian/confluence.nix ./services/web-apps/atlassian/crowd.nix ./services/web-apps/atlassian/jira.nix @@ -1333,6 +1343,7 @@ ./services/web-apps/chatgpt-retrieval-plugin.nix ./services/web-apps/cloudlog.nix ./services/web-apps/code-server.nix + ./services/web-apps/commafeed.nix ./services/web-apps/convos.nix ./services/web-apps/crabfit.nix ./services/web-apps/davis.nix @@ -1426,6 +1437,7 @@ ./services/web-apps/windmill.nix ./services/web-apps/wordpress.nix ./services/web-apps/writefreely.nix + ./services/web-apps/your_spotify.nix ./services/web-apps/youtrack.nix ./services/web-apps/zabbix.nix ./services/web-apps/zitadel.nix diff --git a/nixpkgs/nixos/modules/profiles/perlless.nix b/nixpkgs/nixos/modules/profiles/perlless.nix index 90abd14f077e..010e4f8f2a28 100644 --- a/nixpkgs/nixos/modules/profiles/perlless.nix +++ b/nixpkgs/nixos/modules/profiles/perlless.nix @@ -26,6 +26,6 @@ # Check that the system does not contain a Nix store path that contains the # string "perl". - system.forbiddenDependenciesRegex = "perl"; + system.forbiddenDependenciesRegexes = ["perl"]; } diff --git a/nixpkgs/nixos/modules/programs/_1password-gui.nix b/nixpkgs/nixos/modules/programs/_1password-gui.nix index b21e8783f660..04f36cf0237a 100644 --- a/nixpkgs/nixos/modules/programs/_1password-gui.nix +++ b/nixpkgs/nixos/modules/programs/_1password-gui.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs._1password-gui; @@ -9,25 +7,25 @@ let in { imports = [ - (mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] '' + (lib.mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] '' A preallocated GID will be used instead. '') ]; options = { programs._1password-gui = { - enable = mkEnableOption "the 1Password GUI application"; + enable = lib.mkEnableOption "the 1Password GUI application"; - polkitPolicyOwners = mkOption { - type = types.listOf types.str; + polkitPolicyOwners = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; - example = literalExpression ''["user1" "user2" "user3"]''; + example = lib.literalExpression ''["user1" "user2" "user3"]''; description = '' A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms. ''; }; - package = mkPackageOption pkgs "1Password GUI" { + package = lib.mkPackageOption pkgs "1Password GUI" { default = [ "_1password-gui" ]; }; }; @@ -39,7 +37,7 @@ in polkitPolicyOwners = cfg.polkitPolicyOwners; }; in - mkIf cfg.enable { + lib.mkIf cfg.enable { environment.systemPackages = [ package ]; users.groups.onepassword.gid = config.ids.gids.onepassword; diff --git a/nixpkgs/nixos/modules/programs/_1password.nix b/nixpkgs/nixos/modules/programs/_1password.nix index b87e9b776e85..5dff199341b9 100644 --- a/nixpkgs/nixos/modules/programs/_1password.nix +++ b/nixpkgs/nixos/modules/programs/_1password.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs._1password; @@ -9,22 +7,22 @@ let in { imports = [ - (mkRemovedOptionModule [ "programs" "_1password" "gid" ] '' + (lib.mkRemovedOptionModule [ "programs" "_1password" "gid" ] '' A preallocated GID will be used instead. '') ]; options = { programs._1password = { - enable = mkEnableOption "the 1Password CLI tool"; + enable = lib.mkEnableOption "the 1Password CLI tool"; - package = mkPackageOption pkgs "1Password CLI" { + package = lib.mkPackageOption pkgs "1Password CLI" { default = [ "_1password" ]; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli; diff --git a/nixpkgs/nixos/modules/programs/adb.nix b/nixpkgs/nixos/modules/programs/adb.nix index d8c700bc36b6..62ab6ab4137a 100644 --- a/nixpkgs/nixos/modules/programs/adb.nix +++ b/nixpkgs/nixos/modules/programs/adb.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - { - meta.maintainers = [ maintainers.mic92 ]; + meta.maintainers = [ lib.maintainers.mic92 ]; ###### interface options = { programs.adb = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to configure system to use Android Debug Bridge (adb). To grant access to a user, it must be part of adbusers group: @@ -21,7 +19,7 @@ with lib; }; ###### implementation - config = mkIf config.programs.adb.enable { + config = lib.mkIf config.programs.adb.enable { services.udev.packages = [ pkgs.android-udev-rules ]; environment.systemPackages = [ pkgs.android-tools ]; users.groups.adbusers = {}; diff --git a/nixpkgs/nixos/modules/programs/alvr.nix b/nixpkgs/nixos/modules/programs/alvr.nix index e5de06f1157a..da66200cf075 100644 --- a/nixpkgs/nixos/modules/programs/alvr.nix +++ b/nixpkgs/nixos/modules/programs/alvr.nix @@ -1,19 +1,17 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.alvr; in { options = { programs.alvr = { - enable = mkEnableOption "ALVR, the VR desktop streamer"; + enable = lib.mkEnableOption "ALVR, the VR desktop streamer"; - package = mkPackageOption pkgs "alvr" { }; + package = lib.mkPackageOption pkgs "alvr" { }; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to open the default ports in the firewall for the ALVR server. @@ -22,14 +20,14 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - networking.firewall = mkIf cfg.openFirewall { + networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 9943 9944 ]; allowedUDPPorts = [ 9943 9944 ]; }; }; - meta.maintainers = with maintainers; [ passivelemon ]; + meta.maintainers = with lib.maintainers; [ passivelemon ]; } diff --git a/nixpkgs/nixos/modules/programs/appgate-sdp.nix b/nixpkgs/nixos/modules/programs/appgate-sdp.nix index 6d61c87eeb61..f4d4140571a6 100644 --- a/nixpkgs/nixos/modules/programs/appgate-sdp.nix +++ b/nixpkgs/nixos/modules/programs/appgate-sdp.nix @@ -1,15 +1,13 @@ { config, pkgs, lib, ... }: -with lib; - { options = { programs.appgate-sdp = { - enable = mkEnableOption "the AppGate SDP VPN client"; + enable = lib.mkEnableOption "the AppGate SDP VPN client"; }; }; - config = mkIf config.programs.appgate-sdp.enable { + config = lib.mkIf config.programs.appgate-sdp.enable { boot.kernelModules = [ "tun" ]; environment.systemPackages = [ pkgs.appgate-sdp ]; services.dbus.packages = [ pkgs.appgate-sdp ]; diff --git a/nixpkgs/nixos/modules/programs/atop.nix b/nixpkgs/nixos/modules/programs/atop.nix index 618b64114359..3738f926ca3d 100644 --- a/nixpkgs/nixos/modules/programs/atop.nix +++ b/nixpkgs/nixos/modules/programs/atop.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.atop; in @@ -14,31 +12,31 @@ in programs.atop = rec { - enable = mkEnableOption "Atop, a tool for monitoring system resources"; + enable = lib.mkEnableOption "Atop, a tool for monitoring system resources"; - package = mkPackageOption pkgs "atop" { }; + package = lib.mkPackageOption pkgs "atop" { }; netatop = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install and enable the netatop kernel module. Note: this sets the kernel taint flag "O" for loading out-of-tree modules. ''; }; - package = mkOption { - type = types.package; + package = lib.mkOption { + type = lib.types.package; default = config.boot.kernelPackages.netatop; - defaultText = literalExpression "config.boot.kernelPackages.netatop"; + defaultText = lib.literalExpression "config.boot.kernelPackages.netatop"; description = '' Which package to use for netatop. ''; }; }; - atopgpu.enable = mkOption { - type = types.bool; + atopgpu.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install and enable the atopgpud daemon to get information about @@ -46,8 +44,8 @@ in ''; }; - setuidWrapper.enable = mkOption { - type = types.bool; + setuidWrapper.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install a setuid wrapper for Atop. This is required to use some of @@ -56,24 +54,24 @@ in ''; }; - atopService.enable = mkOption { - type = types.bool; + atopService.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the atop service responsible for storing statistics for long-term analysis. ''; }; - atopRotateTimer.enable = mkOption { - type = types.bool; + atopRotateTimer.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the atop-rotate timer, which restarts the atop service daily to make sure the data files are rotate. ''; }; - atopacctService.enable = mkOption { - type = types.bool; + atopacctService.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the atopacct service which manages process accounting. @@ -81,8 +79,8 @@ in two refresh intervals. ''; }; - settings = mkOption { - type = types.attrs; + settings = lib.mkOption { + type = lib.types.attrs; default = { }; example = { flags = "a1f"; @@ -95,7 +93,7 @@ in }; }; - config = mkIf cfg.enable ( + config = lib.mkIf cfg.enable ( let atop = if cfg.atopgpu.enable then @@ -104,11 +102,11 @@ in cfg.package; in { - environment.etc = mkIf (cfg.settings != { }) { - atoprc.text = concatStrings - (mapAttrsToList + environment.etc = lib.mkIf (cfg.settings != { }) { + atoprc.text = lib.concatStrings + (lib.mapAttrsToList (n: v: '' - ${n} ${toString v} + ${n} ${builtins.toString v} '') cfg.settings); }; diff --git a/nixpkgs/nixos/modules/programs/ausweisapp.nix b/nixpkgs/nixos/modules/programs/ausweisapp.nix index 0359e58c554c..ebd6a3e13bf6 100644 --- a/nixpkgs/nixos/modules/programs/ausweisapp.nix +++ b/nixpkgs/nixos/modules/programs/ausweisapp.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.ausweisapp; in { options.programs.ausweisapp = { - enable = mkEnableOption "AusweisApp"; + enable = lib.mkEnableOption "AusweisApp"; - openFirewall = mkOption { + openFirewall = lib.mkOption { description = '' Whether to open the required firewall ports for the Smartphone as Card Reader (SaC) functionality of AusweisApp. ''; @@ -18,7 +16,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ ausweisapp ]; networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 24727 ]; }; diff --git a/nixpkgs/nixos/modules/programs/autojump.nix b/nixpkgs/nixos/modules/programs/autojump.nix index ecfc2f658079..5011d7e14237 100644 --- a/nixpkgs/nixos/modules/programs/autojump.nix +++ b/nixpkgs/nixos/modules/programs/autojump.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.autojump; prg = config.programs; @@ -10,8 +8,8 @@ in options = { programs.autojump = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable autojump. @@ -22,12 +20,12 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.pathsToLink = [ "/share/autojump" ]; environment.systemPackages = [ pkgs.autojump ]; programs.bash.interactiveShellInit = "source ${pkgs.autojump}/share/autojump/autojump.bash"; - programs.zsh.interactiveShellInit = mkIf prg.zsh.enable "source ${pkgs.autojump}/share/autojump/autojump.zsh"; - programs.fish.interactiveShellInit = mkIf prg.fish.enable "source ${pkgs.autojump}/share/autojump/autojump.fish"; + programs.zsh.interactiveShellInit = lib.mkIf prg.zsh.enable "source ${pkgs.autojump}/share/autojump/autojump.zsh"; + programs.fish.interactiveShellInit = lib.mkIf prg.fish.enable "source ${pkgs.autojump}/share/autojump/autojump.fish"; }; } diff --git a/nixpkgs/nixos/modules/programs/bandwhich.nix b/nixpkgs/nixos/modules/programs/bandwhich.nix index 2c78584f2d24..e2c55ca5bea4 100644 --- a/nixpkgs/nixos/modules/programs/bandwhich.nix +++ b/nixpkgs/nixos/modules/programs/bandwhich.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.bandwhich; in { - meta.maintainers = with maintainers; [ Br1ght0ne ]; + meta.maintainers = with lib.maintainers; [ Br1ght0ne ]; options = { programs.bandwhich = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add bandwhich to the global environment and configure a @@ -19,7 +17,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ bandwhich ]; security.wrappers.bandwhich = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/bash-my-aws.nix b/nixpkgs/nixos/modules/programs/bash-my-aws.nix index 15e429a75497..85618ad98f08 100644 --- a/nixpkgs/nixos/modules/programs/bash-my-aws.nix +++ b/nixpkgs/nixos/modules/programs/bash-my-aws.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let prg = config.programs; cfg = prg.bash-my-aws; @@ -13,11 +11,11 @@ in { options = { programs.bash-my-aws = { - enable = mkEnableOption "bash-my-aws"; + enable = lib.mkEnableOption "bash-my-aws"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ bash-my-aws ]; programs.bash.interactiveShellInit = initScript; diff --git a/nixpkgs/nixos/modules/programs/bash/bash-completion.nix b/nixpkgs/nixos/modules/programs/bash/bash-completion.nix index b8e5b1bfa336..c973d36fdfbf 100644 --- a/nixpkgs/nixos/modules/programs/bash/bash-completion.nix +++ b/nixpkgs/nixos/modules/programs/bash/bash-completion.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let enable = config.programs.bash.enableCompletion; in { options = { - programs.bash.enableCompletion = mkEnableOption "Bash completion for all interactive bash shells" // { + programs.bash.enableCompletion = lib.mkEnableOption "Bash completion for all interactive bash shells" // { default = true; }; }; - config = mkIf enable { + config = lib.mkIf enable { programs.bash.promptPluginInit = '' # Check whether we're running a version of Bash that has support for # programmable completion. If we do, enable all modules installed in diff --git a/nixpkgs/nixos/modules/programs/bash/bash.nix b/nixpkgs/nixos/modules/programs/bash/bash.nix index 21ef8338d8dd..0f8c40da801b 100644 --- a/nixpkgs/nixos/modules/programs/bash/bash.nix +++ b/nixpkgs/nixos/modules/programs/bash/bash.nix @@ -3,24 +3,22 @@ { config, lib, pkgs, ... }: -with lib; - let cfge = config.environment; cfg = config.programs.bash; - bashAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") - (filterAttrs (k: v: v != null) cfg.shellAliases) + bashAliases = builtins.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "alias -- ${k}=${lib.escapeShellArg v}") + (lib.filterAttrs (k: v: v != null) cfg.shellAliases) ); in { imports = [ - (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") + (lib.mkRemovedOptionModule [ "programs" "bash" "enable" ] "") ]; options = { @@ -28,7 +26,7 @@ in programs.bash = { /* - enable = mkOption { + enable = lib.mkOption { default = true; description = '' Whenever to configure Bash as an interactive shell. @@ -38,44 +36,44 @@ in set this variable if you have another shell configured with NixOS. ''; - type = types.bool; + type = lib.types.bool; }; */ - shellAliases = mkOption { + shellAliases = lib.mkOption { default = {}; description = '' Set of aliases for bash shell, which overrides {option}`environment.shellAliases`. See {option}`environment.shellAliases` for an option format description. ''; - type = with types; attrsOf (nullOr (either str path)); + type = with lib.types; attrsOf (nullOr (either str path)); }; - shellInit = mkOption { + shellInit = lib.mkOption { default = ""; description = '' Shell script code called during bash shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - loginShellInit = mkOption { + loginShellInit = lib.mkOption { default = ""; description = '' Shell script code called during login bash shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - interactiveShellInit = mkOption { + interactiveShellInit = lib.mkOption { default = ""; description = '' Shell script code called during interactive bash shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - promptInit = mkOption { + promptInit = lib.mkOption { default = '' # Provide a nice prompt if the terminal supports it. if [ "$TERM" != "dumb" ] || [ -n "$INSIDE_EMACS" ]; then @@ -95,15 +93,15 @@ in description = '' Shell script code used to initialise the bash prompt. ''; - type = types.lines; + type = lib.types.lines; }; - promptPluginInit = mkOption { + promptPluginInit = lib.mkOption { default = ""; description = '' Shell script code used to initialise bash prompt plugins. ''; - type = types.lines; + type = lib.types.lines; internal = true; }; @@ -111,11 +109,11 @@ in }; - config = /* mkIf cfg.enable */ { + config = /* lib.mkIf cfg.enable */ { programs.bash = { - shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; + shellAliases = builtins.mapAttrs (name: lib.mkDefault) cfge.shellAliases; shellInit = '' if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]; then @@ -196,11 +194,11 @@ in # Configuration for readline in bash. We use "option default" # priority to allow user override using both .text and .source. - environment.etc.inputrc.source = mkOptionDefault ./inputrc; + environment.etc.inputrc.source = lib.mkOptionDefault ./inputrc; - users.defaultUserShell = mkDefault pkgs.bashInteractive; + users.defaultUserShell = lib.mkDefault pkgs.bashInteractive; - environment.pathsToLink = optionals cfg.enableCompletion [ + environment.pathsToLink = lib.optionals cfg.enableCompletion [ "/etc/bash_completion.d" "/share/bash-completion" ]; diff --git a/nixpkgs/nixos/modules/programs/bash/blesh.nix b/nixpkgs/nixos/modules/programs/bash/blesh.nix index ea342b0ce3ee..b5ca83a883bb 100644 --- a/nixpkgs/nixos/modules/programs/bash/blesh.nix +++ b/nixpkgs/nixos/modules/programs/bash/blesh.nix @@ -1,16 +1,15 @@ { lib, config, pkgs, ... }: -with lib; let cfg = config.programs.bash.blesh; in { options = { - programs.bash.blesh.enable = mkEnableOption "blesh, a full-featured line editor written in pure Bash"; + programs.bash.blesh.enable = lib.mkEnableOption "blesh, a full-featured line editor written in pure Bash"; }; - config = mkIf cfg.enable { - programs.bash.interactiveShellInit = mkBefore '' + config = lib.mkIf cfg.enable { + programs.bash.interactiveShellInit = lib.mkBefore '' source ${pkgs.blesh}/share/blesh/ble.sh ''; }; - meta.maintainers = with maintainers; [ laalsaas ]; + meta.maintainers = with lib.maintainers; [ laalsaas ]; } diff --git a/nixpkgs/nixos/modules/programs/bash/ls-colors.nix b/nixpkgs/nixos/modules/programs/bash/ls-colors.nix index 254ee14c477d..3ee00e93d4da 100644 --- a/nixpkgs/nixos/modules/programs/bash/ls-colors.nix +++ b/nixpkgs/nixos/modules/programs/bash/ls-colors.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let enable = config.programs.bash.enableLsColors; in { options = { - programs.bash.enableLsColors = mkEnableOption "extra colors in directory listings" // { + programs.bash.enableLsColors = lib.mkEnableOption "extra colors in directory listings" // { default = true; }; }; - config = mkIf enable { + config = lib.mkIf enable { programs.bash.promptPluginInit = '' eval "$(${pkgs.coreutils}/bin/dircolors -b)" ''; diff --git a/nixpkgs/nixos/modules/programs/bash/undistract-me.nix b/nixpkgs/nixos/modules/programs/bash/undistract-me.nix index 0e6465e048a1..af4f3a737dab 100644 --- a/nixpkgs/nixos/modules/programs/bash/undistract-me.nix +++ b/nixpkgs/nixos/modules/programs/bash/undistract-me.nix @@ -1,36 +1,34 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.bash.undistractMe; in { options = { programs.bash.undistractMe = { - enable = mkEnableOption "notifications when long-running terminal commands complete"; + enable = lib.mkEnableOption "notifications when long-running terminal commands complete"; - playSound = mkEnableOption "notification sounds when long-running terminal commands complete"; + playSound = lib.mkEnableOption "notification sounds when long-running terminal commands complete"; - timeout = mkOption { + timeout = lib.mkOption { default = 10; description = '' Number of seconds it would take for a command to be considered long-running. ''; - type = types.int; + type = lib.types.int; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.bash.promptPluginInit = '' - export LONG_RUNNING_COMMAND_TIMEOUT=${toString cfg.timeout} + export LONG_RUNNING_COMMAND_TIMEOUT=${builtins.toString cfg.timeout} export UDM_PLAY_SOUND=${if cfg.playSound then "1" else "0"} . "${pkgs.undistract-me}/etc/profile.d/undistract-me.sh" ''; }; meta = { - maintainers = with maintainers; [ kira-bruneau ]; + maintainers = with lib.maintainers; [ kira-bruneau ]; }; } diff --git a/nixpkgs/nixos/modules/programs/benchexec.nix b/nixpkgs/nixos/modules/programs/benchexec.nix new file mode 100644 index 000000000000..652670c117ea --- /dev/null +++ b/nixpkgs/nixos/modules/programs/benchexec.nix @@ -0,0 +1,98 @@ +{ lib +, pkgs +, config +, options +, ... +}: +let + cfg = config.programs.benchexec; + opt = options.programs.benchexec; + + filterUsers = x: + if builtins.isString x then config.users.users ? ${x} else + if builtins.isInt x then x else + throw "filterUsers expects string (username) or int (UID)"; + + uid = x: + if builtins.isString x then config.users.users.${x}.uid else + if builtins.isInt x then x else + throw "uid expects string (username) or int (UID)"; +in +{ + options.programs.benchexec = { + enable = lib.mkEnableOption "BenchExec"; + package = lib.options.mkPackageOption pkgs "benchexec" { }; + + users = lib.options.mkOption { + type = with lib.types; listOf (either str int); + description = '' + Users that intend to use BenchExec. + Provide usernames of users that are configured via {option}`${options.users.users}` as string, + and UIDs of "mutable users" as integers. + Control group delegation will be configured via systemd. + For more information, see <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#setting-up-cgroups>. + ''; + default = [ ]; + example = lib.literalExpression '' + [ + "alice" # username of a user configured via ${options.users.users} + 1007 # UID of a mutable user + ] + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = (map + (user: { + assertion = config.users.users ? ${user}; + message = '' + The user '${user}' intends to use BenchExec (via `${opt.users}`), but is not configured via `${options.users.users}`. + ''; + }) + (builtins.filter builtins.isString cfg.users) + ) ++ (map + (id: { + assertion = config.users.mutableUsers; + message = '' + The user with UID '${id}' intends to use BenchExec (via `${opt.users}`), but mutable users are disabled via `${options.users.mutableUsers}`. + ''; + }) + (builtins.filter builtins.isInt cfg.users) + ) ++ [ + { + assertion = config.systemd.enableUnifiedCgroupHierarchy == true; + message = '' + The BenchExec module `${opt.enable}` only supports control groups 2 (`${options.systemd.enableUnifiedCgroupHierarchy} = true`). + ''; + } + ]; + + environment.systemPackages = [ cfg.package ]; + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#setting-up-cgroups>. + systemd.services = builtins.listToAttrs (map + (user: { + name = "user@${builtins.toString (uid user)}"; + value = { + serviceConfig.Delegate = "yes"; + overrideStrategy = "asDropin"; + }; + }) + (builtins.filter filterUsers cfg.users)); + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#requirements>. + virtualisation.lxc.lxcfs.enable = lib.mkDefault true; + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#requirements>. + programs = { + cpu-energy-meter.enable = lib.mkDefault true; + pqos-wrapper.enable = lib.mkDefault true; + }; + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#kernel-requirements>. + security.unprivilegedUsernsClone = true; + }; + + meta.maintainers = with lib.maintainers; [ lorenzleutgeb ]; +} diff --git a/nixpkgs/nixos/modules/programs/browserpass.nix b/nixpkgs/nixos/modules/programs/browserpass.nix index 2894e237e3d4..ab6be266ea8d 100644 --- a/nixpkgs/nixos/modules/programs/browserpass.nix +++ b/nixpkgs/nixos/modules/programs/browserpass.nix @@ -1,12 +1,10 @@ { config, lib, pkgs, ... }: -with lib; - { - options.programs.browserpass.enable = mkEnableOption "Browserpass native messaging host"; + options.programs.browserpass.enable = lib.mkEnableOption "Browserpass native messaging host"; - config = mkIf config.programs.browserpass.enable { + config = lib.mkIf config.programs.browserpass.enable { environment.etc = let appId = "com.github.browserpass.native.json"; source = part: "${pkgs.browserpass}/lib/browserpass/${part}/${appId}"; diff --git a/nixpkgs/nixos/modules/programs/calls.nix b/nixpkgs/nixos/modules/programs/calls.nix index 0cf05f8a2ea0..36a4c51ddf43 100644 --- a/nixpkgs/nixos/modules/programs/calls.nix +++ b/nixpkgs/nixos/modules/programs/calls.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.calls; in { options = { programs.calls = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' GNOME calls: a phone dialer and call handler ''; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.dconf.enable = true; environment.systemPackages = [ diff --git a/nixpkgs/nixos/modules/programs/cdemu.nix b/nixpkgs/nixos/modules/programs/cdemu.nix index 3ee8b2d8fcd6..1aac28af1d2c 100644 --- a/nixpkgs/nixos/modules/programs/cdemu.nix +++ b/nixpkgs/nixos/modules/programs/cdemu.nix @@ -1,36 +1,34 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.cdemu; in { options = { programs.cdemu = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' {command}`cdemu` for members of {option}`programs.cdemu.group`. ''; }; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "cdrom"; description = '' Group that users must be in to use {command}`cdemu`. ''; }; - gui = mkOption { - type = types.bool; + gui = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to install the {command}`cdemu` GUI (gCDEmu). ''; }; - image-analyzer = mkOption { - type = types.bool; + image-analyzer = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to install the image analyzer. @@ -39,7 +37,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { boot = { extraModulePackages = [ config.boot.kernelPackages.vhba ]; @@ -68,8 +66,8 @@ in { environment.systemPackages = [ pkgs.cdemu-daemon pkgs.cdemu-client ] - ++ optional cfg.gui pkgs.gcdemu - ++ optional cfg.image-analyzer pkgs.image-analyzer; + ++ lib.optional cfg.gui pkgs.gcdemu + ++ lib.optional cfg.image-analyzer pkgs.image-analyzer; }; } diff --git a/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix b/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix index 28d1ef5992d7..bc1626403935 100644 --- a/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix +++ b/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix @@ -2,8 +2,6 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.cfs-zen-tweaks; @@ -13,14 +11,14 @@ in { meta = { - maintainers = with maintainers; [ mkg20001 ]; + maintainers = with lib.maintainers; [ mkg20001 ]; }; options = { - programs.cfs-zen-tweaks.enable = mkEnableOption "CFS Zen Tweaks"; + programs.cfs-zen-tweaks.enable = lib.mkEnableOption "CFS Zen Tweaks"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.packages = [ pkgs.cfs-zen-tweaks ]; systemd.services.set-cfs-tweaks.wantedBy = [ diff --git a/nixpkgs/nixos/modules/programs/chromium.nix b/nixpkgs/nixos/modules/programs/chromium.nix index fa5abe957a90..4d248dbe0945 100644 --- a/nixpkgs/nixos/modules/programs/chromium.nix +++ b/nixpkgs/nixos/modules/programs/chromium.nix @@ -1,11 +1,9 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.chromium; - defaultProfile = filterAttrs (k: v: v != null) { + defaultProfile = lib.filterAttrs (k: v: v != null) { HomepageLocation = cfg.homepageLocation; DefaultSearchProviderEnabled = cfg.defaultSearchProviderEnabled; DefaultSearchProviderSearchURL = cfg.defaultSearchProviderSearchURL; @@ -19,14 +17,14 @@ in options = { programs.chromium = { - enable = mkEnableOption "{command}`chromium` policies"; + enable = lib.mkEnableOption "{command}`chromium` policies"; - enablePlasmaBrowserIntegration = mkEnableOption "Native Messaging Host for Plasma Browser Integration"; + enablePlasmaBrowserIntegration = lib.mkEnableOption "Native Messaging Host for Plasma Browser Integration"; - plasmaBrowserIntegrationPackage = mkPackageOption pkgs [ "plasma5Packages" "plasma-browser-integration" ] { }; + plasmaBrowserIntegrationPackage = lib.mkPackageOption pkgs [ "plasma5Packages" "plasma-browser-integration" ] { }; - extensions = mkOption { - type = with types; nullOr (listOf str); + extensions = lib.mkOption { + type = with lib.types; nullOr (listOf str); description = '' List of chromium extensions to install. For list of plugins ids see id in url of extensions on @@ -38,7 +36,7 @@ in for additional details. ''; default = null; - example = literalExpression '' + example = lib.literalExpression '' [ "chlffgpmiacpedhhbkiomidkjlcfhogd" # pushbullet "mbniclmhobmnbdlbpiphghaielnnpgdp" # lightshot @@ -48,36 +46,36 @@ in ''; }; - homepageLocation = mkOption { - type = types.nullOr types.str; + homepageLocation = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = "Chromium default homepage"; default = null; example = "https://nixos.org"; }; - defaultSearchProviderEnabled = mkOption { - type = types.nullOr types.bool; + defaultSearchProviderEnabled = lib.mkOption { + type = lib.types.nullOr lib.types.bool; description = "Enable the default search provider."; default = null; example = true; }; - defaultSearchProviderSearchURL = mkOption { - type = types.nullOr types.str; + defaultSearchProviderSearchURL = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = "Chromium default search provider url."; default = null; example = "https://encrypted.google.com/search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}"; }; - defaultSearchProviderSuggestURL = mkOption { - type = types.nullOr types.str; + defaultSearchProviderSuggestURL = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = "Chromium default search provider url for suggestions."; default = null; example = "https://encrypted.google.com/complete/search?output=chrome&q={searchTerms}"; }; - extraOpts = mkOption { - type = types.attrs; + extraOpts = lib.mkOption { + type = lib.types.attrs; description = '' Extra chromium policy options. A list of available policies can be found in the Chrome Enterprise documentation: @@ -85,7 +83,7 @@ in Make sure the selected policy is supported on Linux and your browser version. ''; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { "BrowserSignin" = 0; "SyncDisabled" = true; @@ -99,8 +97,8 @@ in ''; }; - initialPrefs = mkOption { - type = types.attrs; + initialPrefs = lib.mkOption { + type = lib.types.attrs; description = '' Initial preferences are used to configure the browser for the first run. Unlike {option}`programs.chromium.extraOpts`, initialPrefs can be changed by users in the browser settings. @@ -108,7 +106,7 @@ in <https://www.chromium.org/administrators/configuring-other-preferences/> ''; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { "first_run_tabs" = [ "https://nixos.org/" diff --git a/nixpkgs/nixos/modules/programs/cnping.nix b/nixpkgs/nixos/modules/programs/cnping.nix index 77cbf4d82086..f4b5aa845b5f 100644 --- a/nixpkgs/nixos/modules/programs/cnping.nix +++ b/nixpkgs/nixos/modules/programs/cnping.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.cnping; in { options = { programs.cnping = { - enable = mkEnableOption "a setcap wrapper for cnping"; + enable = lib.mkEnableOption "a setcap wrapper for cnping"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.cnping = { source = "${pkgs.cnping}/bin/cnping"; capabilities = "cap_net_raw+ep"; diff --git a/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix b/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix index 4d2a89b51584..a223e811728d 100644 --- a/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix +++ b/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix @@ -5,8 +5,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.command-not-found; commandNotFound = pkgs.substituteAll { @@ -23,8 +21,8 @@ in { options.programs.command-not-found = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether interactive shells should show which Nix package (if @@ -32,7 +30,7 @@ in ''; }; - dbPath = mkOption { + dbPath = lib.mkOption { default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ; description = '' Absolute path to programs.sqlite. @@ -40,11 +38,11 @@ in By default this file will be provided by your channel (nixexprs.tar.xz). ''; - type = types.path; + type = lib.types.path; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.bash.interactiveShellInit = '' # This function is called whenever a command is not found. diff --git a/nixpkgs/nixos/modules/programs/cpu-energy-meter.nix b/nixpkgs/nixos/modules/programs/cpu-energy-meter.nix new file mode 100644 index 000000000000..653ec067492d --- /dev/null +++ b/nixpkgs/nixos/modules/programs/cpu-energy-meter.nix @@ -0,0 +1,27 @@ +{ config +, lib +, pkgs +, ... +}: { + options.programs.cpu-energy-meter = { + enable = lib.mkEnableOption "CPU Energy Meter"; + package = lib.mkPackageOption pkgs "cpu-energy-meter" { }; + }; + + config = + let + cfg = config.programs.cpu-energy-meter; + in + lib.mkIf cfg.enable { + hardware.cpu.x86.msr.enable = true; + + security.wrappers.${cfg.package.meta.mainProgram} = { + owner = "nobody"; + group = config.hardware.cpu.x86.msr.group; + source = lib.getExe cfg.package; + capabilities = "cap_sys_rawio=ep"; + }; + }; + + meta.maintainers = with lib.maintainers; [ lorenzleutgeb ]; +} diff --git a/nixpkgs/nixos/modules/programs/criu.nix b/nixpkgs/nixos/modules/programs/criu.nix index 9414d0b27f0d..492a158923cb 100644 --- a/nixpkgs/nixos/modules/programs/criu.nix +++ b/nixpkgs/nixos/modules/programs/criu.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.criu; in { options = { programs.criu = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Install {command}`criu` along with necessary kernel options. @@ -16,7 +14,7 @@ in { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "CHECKPOINT_RESTORE") ]; diff --git a/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix b/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix index 10b5a88171fc..06d33966b4a0 100644 --- a/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix +++ b/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix @@ -1,29 +1,27 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.digitalbitbox; in { options.programs.digitalbitbox = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Installs the Digital Bitbox application and enables the complementary hardware module. ''; }; - package = mkPackageOption pkgs "digitalbitbox" { + package = lib.mkPackageOption pkgs "digitalbitbox" { extraDescription = '' This can be used to install a package with udev rules that differ from the defaults. ''; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; hardware.digitalbitbox = { enable = true; diff --git a/nixpkgs/nixos/modules/programs/dmrconfig.nix b/nixpkgs/nixos/modules/programs/dmrconfig.nix index 15338681e642..0078ca19f41a 100644 --- a/nixpkgs/nixos/modules/programs/dmrconfig.nix +++ b/nixpkgs/nixos/modules/programs/dmrconfig.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.dmrconfig; in { - meta.maintainers = with maintainers; [ ]; + meta.maintainers = with lib.maintainers; [ ]; ###### interface options = { programs.dmrconfig = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to configure system to enable use of dmrconfig. This enables the required udev rules and installs the program. @@ -21,12 +19,12 @@ in { relatedPackages = [ "dmrconfig" ]; }; - package = mkPackageOption pkgs "dmrconfig" { }; + package = lib.mkPackageOption pkgs "dmrconfig" { }; }; }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; services.udev.packages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/programs/droidcam.nix b/nixpkgs/nixos/modules/programs/droidcam.nix index 9843a1f5be25..eef3997e6b80 100644 --- a/nixpkgs/nixos/modules/programs/droidcam.nix +++ b/nixpkgs/nixos/modules/programs/droidcam.nix @@ -1,10 +1,8 @@ { lib, pkgs, config, ... }: -with lib; - { options.programs.droidcam = { - enable = mkEnableOption "DroidCam client"; + enable = lib.mkEnableOption "DroidCam client"; }; config = lib.mkIf config.programs.droidcam.enable { diff --git a/nixpkgs/nixos/modules/programs/dublin-traceroute.nix b/nixpkgs/nixos/modules/programs/dublin-traceroute.nix index 6ff8a5bdefc3..de9446ad7377 100644 --- a/nixpkgs/nixos/modules/programs/dublin-traceroute.nix +++ b/nixpkgs/nixos/modules/programs/dublin-traceroute.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.dublin-traceroute; @@ -10,22 +8,22 @@ in { options = { programs.dublin-traceroute = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' dublin-traceroute, add it to the global environment and configure a setcap wrapper for it. ''; - package = mkPackageOption pkgs "dublin-traceroute" { }; + package = lib.mkPackageOption pkgs "dublin-traceroute" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; security.wrappers.dublin-traceroute = { owner = "root"; group = "root"; capabilities = "cap_net_raw+p"; - source = getExe cfg.package; + source = lib.getExe cfg.package; }; }; } diff --git a/nixpkgs/nixos/modules/programs/ecryptfs.nix b/nixpkgs/nixos/modules/programs/ecryptfs.nix index ced5eb26fb9a..8674f7ec80e0 100644 --- a/nixpkgs/nixos/modules/programs/ecryptfs.nix +++ b/nixpkgs/nixos/modules/programs/ecryptfs.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.ecryptfs; in { options.programs.ecryptfs = { - enable = mkEnableOption "ecryptfs setuid mount wrappers"; + enable = lib.mkEnableOption "ecryptfs setuid mount wrappers"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers = { "mount.ecryptfs_private" = { diff --git a/nixpkgs/nixos/modules/programs/environment.nix b/nixpkgs/nixos/modules/programs/environment.nix index 8ac723f42f61..8a565b7bcac4 100644 --- a/nixpkgs/nixos/modules/programs/environment.nix +++ b/nixpkgs/nixos/modules/programs/environment.nix @@ -4,8 +4,6 @@ { config, lib, ... }: -with lib; - let cfg = config.environment; @@ -20,14 +18,14 @@ in { NIXPKGS_CONFIG = "/etc/nix/nixpkgs-config.nix"; # note: many programs exec() this directly, so default options for less must not # be specified here; do so in the default value of programs.less.envVariables instead - PAGER = mkDefault "less"; - EDITOR = mkDefault "nano"; + PAGER = lib.mkDefault "less"; + EDITOR = lib.mkDefault "nano"; }; # since we set PAGER to this above, make sure it's installed programs.less.enable = true; - environment.profiles = mkAfter + environment.profiles = lib.mkAfter [ "/nix/var/nix/profiles/default" "/run/current-system/sw" ]; @@ -53,7 +51,7 @@ in environment.extraInit = '' export NIX_USER_PROFILE_DIR="/nix/var/nix/profiles/per-user/$USER" - export NIX_PROFILES="${concatStringsSep " " (reverseList cfg.profiles)}" + export NIX_PROFILES="${builtins.concatStringsSep " " (lib.reverseList cfg.profiles)}" ''; }; diff --git a/nixpkgs/nixos/modules/programs/extra-container.nix b/nixpkgs/nixos/modules/programs/extra-container.nix index c10ccd769168..6dcfba7971da 100644 --- a/nixpkgs/nixos/modules/programs/extra-container.nix +++ b/nixpkgs/nixos/modules/programs/extra-container.nix @@ -1,16 +1,15 @@ { config, pkgs, lib, ... }: -with lib; let cfg = config.programs.extra-container; in { options = { - programs.extra-container.enable = mkEnableOption '' + programs.extra-container.enable = lib.mkEnableOption '' extra-container, a tool for running declarative NixOS containers without host system rebuilds ''; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.extra-container ]; boot.extraSystemdUnitPaths = [ "/etc/systemd-mutable/system" ]; }; diff --git a/nixpkgs/nixos/modules/programs/feedbackd.nix b/nixpkgs/nixos/modules/programs/feedbackd.nix index 9de604c34a7e..0c82c7840c8f 100644 --- a/nixpkgs/nixos/modules/programs/feedbackd.nix +++ b/nixpkgs/nixos/modules/programs/feedbackd.nix @@ -1,21 +1,19 @@ { pkgs, lib, config, ... }: -with lib; - let cfg = config.programs.feedbackd; in { options = { programs.feedbackd = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' the feedbackd D-BUS service and udev rules. Your user needs to be in the `feedbackd` group to trigger effects ''; - package = mkPackageOption pkgs "feedbackd" { }; + package = lib.mkPackageOption pkgs "feedbackd" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; services.dbus.packages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/programs/firefox.nix b/nixpkgs/nixos/modules/programs/firefox.nix index 39b30be48de9..7e0dec57d2da 100644 --- a/nixpkgs/nixos/modules/programs/firefox.nix +++ b/nixpkgs/nixos/modules/programs/firefox.nix @@ -1,7 +1,5 @@ { pkgs, config, lib, ... }: -with lib; - let cfg = config.programs.firefox; @@ -62,13 +60,13 @@ let in { options.programs.firefox = { - enable = mkEnableOption "the Firefox web browser"; + enable = lib.mkEnableOption "the Firefox web browser"; - package = mkOption { - type = types.package; + package = lib.mkOption { + type = lib.types.package; default = pkgs.firefox; description = "Firefox package to use."; - defaultText = literalExpression "pkgs.firefox"; + defaultText = lib.literalExpression "pkgs.firefox"; relatedPackages = [ "firefox" "firefox-beta-bin" @@ -78,13 +76,13 @@ in ]; }; - wrapperConfig = mkOption { - type = types.attrs; + wrapperConfig = lib.mkOption { + type = lib.types.attrs; default = {}; description = "Arguments to pass to Firefox wrapper"; }; - policies = mkOption { + policies = lib.mkOption { type = policyFormat.type; default = { }; description = '' @@ -100,8 +98,8 @@ in ''; }; - preferences = mkOption { - type = with types; attrsOf (oneOf [ bool int str ]); + preferences = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ bool int str ]); default = { }; description = '' Preferences to set from `about:config`. @@ -113,8 +111,8 @@ in ''; }; - preferencesStatus = mkOption { - type = types.enum [ "default" "locked" "user" "clear" ]; + preferencesStatus = lib.mkOption { + type = lib.types.enum [ "default" "locked" "user" "clear" ]; default = "locked"; description = '' The status of `firefox.preferences`. @@ -127,9 +125,9 @@ in ''; }; - languagePacks = mkOption { + languagePacks = lib.mkOption { # Available languages can be found in https://releases.mozilla.org/pub/firefox/releases/${cfg.package.version}/linux-x86_64/xpi/ - type = types.listOf (types.enum ([ + type = lib.types.listOf (lib.types.enum ([ "ach" "af" "an" @@ -235,8 +233,8 @@ in ''; }; - autoConfig = mkOption { - type = types.lines; + autoConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' AutoConfig files can be used to set and lock preferences that are not covered @@ -247,19 +245,19 @@ in }; nativeMessagingHosts = ({ - packages = mkOption { - type = types.listOf types.package; + packages = lib.mkOption { + type = lib.types.listOf lib.types.package; default = []; description = '' Additional packages containing native messaging hosts that should be made available to Firefox extensions. ''; }; - }) // (mapAttrs (k: v: mkEnableOption "${v.name} support") nmhOptions); + }) // (builtins.mapAttrs (k: v: lib.mkEnableOption "${v.name} support") nmhOptions); }; config = let - forEachEnabledNmh = fn: flatten (mapAttrsToList (k: v: lib.optional cfg.nativeMessagingHosts.${k} (fn k v)) nmhOptions); - in mkIf cfg.enable { + forEachEnabledNmh = fn: lib.flatten (lib.mapAttrsToList (k: v: lib.optional cfg.nativeMessagingHosts.${k} (fn k v)) nmhOptions); + in lib.mkIf cfg.enable { warnings = forEachEnabledNmh (k: v: "The `programs.firefox.nativeMessagingHosts.${k}` option is deprecated, " + "please add `${v.package.pname}` to `programs.firefox.nativeMessagingHosts.packages` instead." @@ -278,18 +276,18 @@ in let policiesJSON = policyFormat.generate "firefox-policies.json" { inherit (cfg) policies; }; in - mkIf (cfg.policies != { }) { + lib.mkIf (cfg.policies != { }) { "firefox/policies/policies.json".source = "${policiesJSON}"; }; # Preferences are converted into a policy programs.firefox.policies = { DisableAppUpdate = true; - Preferences = (mapAttrs + Preferences = (builtins.mapAttrs (_: value: { Value = value; Status = cfg.preferencesStatus; }) cfg.preferences); - ExtensionSettings = listToAttrs (map - (lang: nameValuePair + ExtensionSettings = builtins.listToAttrs (builtins.map + (lang: lib.attrsets.nameValuePair "langpack-${lang}@firefox.mozilla.org" { installation_mode = "normal_installed"; @@ -300,5 +298,5 @@ in }; }; - meta.maintainers = with maintainers; [ danth ]; + meta.maintainers = with lib.maintainers; [ danth ]; } diff --git a/nixpkgs/nixos/modules/programs/firejail.nix b/nixpkgs/nixos/modules/programs/firejail.nix index 0510cf8c610d..90da93818274 100644 --- a/nixpkgs/nixos/modules/programs/firejail.nix +++ b/nixpkgs/nixos/modules/programs/firejail.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.firejail; @@ -21,13 +19,13 @@ let else { executable = value; desktop = null; profile = null; extraArgs = []; }; args = lib.escapeShellArgs ( opts.extraArgs - ++ (optional (opts.profile != null) "--profile=${toString opts.profile}") + ++ (lib.optional (opts.profile != null) "--profile=${builtins.toString opts.profile}") ); in '' cat <<_EOF >$out/bin/${command} #! ${pkgs.runtimeShell} -e - exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@" + exec /run/wrappers/bin/firejail ${args} -- ${builtins.toString opts.executable} "\$@" _EOF chmod 0755 $out/bin/${command} @@ -40,30 +38,30 @@ let in { options.programs.firejail = { - enable = mkEnableOption "firejail, a sandboxing tool for Linux"; + enable = lib.mkEnableOption "firejail, a sandboxing tool for Linux"; - wrappedBinaries = mkOption { - type = types.attrsOf (types.either types.path (types.submodule { + wrappedBinaries = lib.mkOption { + type = lib.types.attrsOf (lib.types.either lib.types.path (lib.types.submodule { options = { - executable = mkOption { - type = types.path; + executable = lib.mkOption { + type = lib.types.path; description = "Executable to run sandboxed"; - example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"''; + example = lib.literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"''; }; - desktop = mkOption { - type = types.nullOr types.path; + desktop = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = ".desktop file to modify. Only necessary if it uses the absolute path to the executable."; - example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"''; + example = lib.literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"''; }; - profile = mkOption { - type = types.nullOr types.path; + profile = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = "Profile to use"; - example = literalExpression ''"''${pkgs.firejail}/etc/firejail/firefox.profile"''; + example = lib.literalExpression ''"''${pkgs.firejail}/etc/firejail/firefox.profile"''; }; - extraArgs = mkOption { - type = types.listOf types.str; + extraArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = "Extra arguments to pass to firejail"; example = [ "--private=~/.firejail_home" ]; @@ -71,7 +69,7 @@ in { }; })); default = {}; - example = literalExpression '' + example = lib.literalExpression '' { firefox = { executable = "''${lib.getBin pkgs.firefox}/bin/firefox"; @@ -89,7 +87,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.firejail = { setuid = true; owner = "root"; @@ -100,5 +98,5 @@ in { environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ]; }; - meta.maintainers = with maintainers; [ peterhoeg ]; + meta.maintainers = with lib.maintainers; [ peterhoeg ]; } diff --git a/nixpkgs/nixos/modules/programs/fish.nix b/nixpkgs/nixos/modules/programs/fish.nix index 2102a07cd0bc..5a6fdb9b5ec5 100644 --- a/nixpkgs/nixos/modules/programs/fish.nix +++ b/nixpkgs/nixos/modules/programs/fish.nix @@ -1,21 +1,19 @@ { config, lib, pkgs, ... }: -with lib; - let cfge = config.environment; cfg = config.programs.fish; - fishAbbrs = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "abbr -ag ${k} ${escapeShellArg v}") + fishAbbrs = lib.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "abbr -ag ${k} ${lib.escapeShellArg v}") cfg.shellAbbrs ); - fishAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias ${k} ${escapeShellArg v}") - (filterAttrs (k: v: v != null) cfg.shellAliases) + fishAliases = lib.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "alias ${k} ${lib.escapeShellArg v}") + (lib.filterAttrs (k: v: v != null) cfg.shellAliases) ); envShellInit = pkgs.writeText "shellInit" cfge.shellInit; @@ -47,16 +45,18 @@ in programs.fish = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to configure fish as an interactive shell. ''; - type = types.bool; + type = lib.types.bool; }; - useBabelfish = mkOption { - type = types.bool; + package = lib.mkPackageOption pkgs "fish" { }; + + useBabelfish = lib.mkOption { + type = lib.types.bool; default = false; description = '' If enabled, the configured environment will be translated to native fish using [babelfish](https://github.com/bouk/babelfish). @@ -64,31 +64,31 @@ in ''; }; - vendor.config.enable = mkOption { - type = types.bool; + vendor.config.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether fish should source configuration snippets provided by other packages. ''; }; - vendor.completions.enable = mkOption { - type = types.bool; + vendor.completions.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether fish should use completion files provided by other packages. ''; }; - vendor.functions.enable = mkOption { - type = types.bool; + vendor.functions.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether fish should autoload fish functions provided by other packages. ''; }; - shellAbbrs = mkOption { + shellAbbrs = lib.mkOption { default = {}; example = { gco = "git checkout"; @@ -97,63 +97,63 @@ in description = '' Set of fish abbreviations. ''; - type = with types; attrsOf str; + type = with lib.types; attrsOf str; }; - shellAliases = mkOption { + shellAliases = lib.mkOption { default = {}; description = '' Set of aliases for fish shell, which overrides {option}`environment.shellAliases`. See {option}`environment.shellAliases` for an option format description. ''; - type = with types; attrsOf (nullOr (either str path)); + type = with lib.types; attrsOf (nullOr (either str path)); }; - shellInit = mkOption { + shellInit = lib.mkOption { default = ""; description = '' Shell script code called during fish shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - loginShellInit = mkOption { + loginShellInit = lib.mkOption { default = ""; description = '' Shell script code called during fish login shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - interactiveShellInit = mkOption { + interactiveShellInit = lib.mkOption { default = ""; description = '' Shell script code called during interactive fish shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - promptInit = mkOption { + promptInit = lib.mkOption { default = ""; description = '' Shell script code used to initialise fish prompt. ''; - type = types.lines; + type = lib.types.lines; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - programs.fish.shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; + programs.fish.shellAliases = lib.mapAttrs (name: lib.mkDefault) cfge.shellAliases; # Required for man completions documentation.man.generateCaches = lib.mkDefault true; - environment = mkMerge [ - (mkIf cfg.useBabelfish + environment = lib.mkMerge [ + (lib.mkIf cfg.useBabelfish { etc."fish/setEnvironment.fish".source = babelfishTranslate config.system.build.setEnvironment "setEnvironment"; etc."fish/shellInit.fish".source = babelfishTranslate envShellInit "shellInit"; @@ -161,7 +161,7 @@ in etc."fish/interactiveShellInit.fish".source = babelfishTranslate envInteractiveShellInit "interactiveShellInit"; }) - (mkIf (!cfg.useBabelfish) + (lib.mkIf (!cfg.useBabelfish) { etc."fish/foreign-env/shellInit".source = envShellInit; etc."fish/foreign-env/loginShellInit".source = envLoginShellInit; @@ -244,8 +244,8 @@ in patchedGenerator = pkgs.stdenv.mkDerivation { name = "fish_patched-completion-generator"; srcs = [ - "${pkgs.fish}/share/fish/tools/create_manpage_completions.py" - "${pkgs.fish}/share/fish/tools/deroff.py" + "${cfg.package}/share/fish/tools/create_manpage_completions.py" + "${cfg.package}/share/fish/tools/deroff.py" ]; unpackCmd = "cp $curSrc $(basename $curSrc)"; sourceRoot = "."; @@ -264,7 +264,7 @@ in pathName = substring storeLength (stringLength package - storeLength) package; in (package.name or pathName) + "_fish-completions") ( { inherit package; } // - optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }) + lib.optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }) '' mkdir -p $out if [ -d $package/share/man ]; then @@ -275,24 +275,24 @@ in pkgs.buildEnv { name = "system_fish-completions"; ignoreCollisions = true; - paths = map generateCompletions config.environment.systemPackages; + paths = builtins.map generateCompletions config.environment.systemPackages; }; } # include programs that bring their own completions { pathsToLink = [] - ++ optional cfg.vendor.config.enable "/share/fish/vendor_conf.d" - ++ optional cfg.vendor.completions.enable "/share/fish/vendor_completions.d" - ++ optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d"; + ++ lib.optional cfg.vendor.config.enable "/share/fish/vendor_conf.d" + ++ lib.optional cfg.vendor.completions.enable "/share/fish/vendor_completions.d" + ++ lib.optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d"; } - { systemPackages = [ pkgs.fish ]; } + { systemPackages = [ cfg.package ]; } { shells = [ "/run/current-system/sw/bin/fish" - "${pkgs.fish}/bin/fish" + (lib.getExe cfg.package) ]; } ]; diff --git a/nixpkgs/nixos/modules/programs/flashrom.nix b/nixpkgs/nixos/modules/programs/flashrom.nix index 1b9b4493ef20..dd398497c2d0 100644 --- a/nixpkgs/nixos/modules/programs/flashrom.nix +++ b/nixpkgs/nixos/modules/programs/flashrom.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.flashrom; in { options.programs.flashrom = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Installs flashrom and configures udev rules for programmers @@ -16,10 +14,10 @@ in group. ''; }; - package = mkPackageOption pkgs "flashrom" { }; + package = lib.mkPackageOption pkgs "flashrom" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.udev.packages = [ cfg.package ]; environment.systemPackages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/programs/flexoptix-app.nix b/nixpkgs/nixos/modules/programs/flexoptix-app.nix index 47a76da125f0..baa9e33882ca 100644 --- a/nixpkgs/nixos/modules/programs/flexoptix-app.nix +++ b/nixpkgs/nixos/modules/programs/flexoptix-app.nix @@ -1,19 +1,17 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.flexoptix-app; in { options = { programs.flexoptix-app = { - enable = mkEnableOption "FLEXOPTIX app + udev rules"; + enable = lib.mkEnableOption "FLEXOPTIX app + udev rules"; - package = mkPackageOption pkgs "flexoptix-app" { }; + package = lib.mkPackageOption pkgs "flexoptix-app" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; services.udev.packages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/programs/freetds.nix b/nixpkgs/nixos/modules/programs/freetds.nix index 8b52fc37c5e0..77daaa8fd398 100644 --- a/nixpkgs/nixos/modules/programs/freetds.nix +++ b/nixpkgs/nixos/modules/programs/freetds.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.environment.freetds; @@ -14,10 +12,10 @@ in options = { - environment.freetds = mkOption { - type = types.attrsOf types.str; + environment.freetds = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { MYDATABASE = ''' host = 10.0.2.100 port = 1433 @@ -40,14 +38,14 @@ in ###### implementation - config = mkIf (length (attrNames cfg) > 0) { + config = lib.mkIf (builtins.length (builtins.attrNames cfg) > 0) { environment.variables.FREETDSCONF = "/etc/freetds.conf"; environment.variables.FREETDS = "/etc/freetds.conf"; environment.variables.SYBASE = "${pkgs.freetds}"; environment.etc."freetds.conf" = { text = - (concatStrings (mapAttrsToList (name: value: + (lib.concatStrings (lib.mapAttrsToList (name: value: '' [${name}] ${value} diff --git a/nixpkgs/nixos/modules/programs/fuse.nix b/nixpkgs/nixos/modules/programs/fuse.nix index c15896efbb51..7083194bd989 100644 --- a/nixpkgs/nixos/modules/programs/fuse.nix +++ b/nixpkgs/nixos/modules/programs/fuse.nix @@ -1,25 +1,23 @@ { config, lib, ... }: -with lib; - let cfg = config.programs.fuse; in { - meta.maintainers = with maintainers; [ primeos ]; + meta.maintainers = with lib.maintainers; [ primeos ]; options.programs.fuse = { - mountMax = mkOption { + mountMax = lib.mkOption { # In the C code it's an "int" (i.e. signed and at least 16 bit), but # negative numbers obviously make no sense: - type = types.ints.between 0 32767; # 2^15 - 1 + type = lib.types.ints.between 0 32767; # 2^15 - 1 default = 1000; description = '' Set the maximum number of FUSE mounts allowed to non-root users. ''; }; - userAllowOther = mkOption { - type = types.bool; + userAllowOther = lib.mkOption { + type = lib.types.bool; default = false; description = '' Allow non-root users to specify the allow_other or allow_root mount @@ -30,8 +28,8 @@ in { config = { environment.etc."fuse.conf".text = '' - ${optionalString (!cfg.userAllowOther) "#"}user_allow_other - mount_max = ${toString cfg.mountMax} + ${lib.optionalString (!cfg.userAllowOther) "#"}user_allow_other + mount_max = ${builtins.toString cfg.mountMax} ''; }; } diff --git a/nixpkgs/nixos/modules/programs/gamemode.nix b/nixpkgs/nixos/modules/programs/gamemode.nix index 878f785074f1..14892f9c6eac 100644 --- a/nixpkgs/nixos/modules/programs/gamemode.nix +++ b/nixpkgs/nixos/modules/programs/gamemode.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.gamemode; settingsFormat = pkgs.formats.ini { }; @@ -10,20 +8,20 @@ in { options = { programs.gamemode = { - enable = mkEnableOption "GameMode to optimise system performance on demand"; + enable = lib.mkEnableOption "GameMode to optimise system performance on demand"; - enableRenice = mkEnableOption "CAP_SYS_NICE on gamemoded to support lowering process niceness" // { + enableRenice = lib.mkEnableOption "CAP_SYS_NICE on gamemoded to support lowering process niceness" // { default = true; }; - settings = mkOption { + settings = lib.mkOption { type = settingsFormat.type; default = { }; description = '' System-wide configuration for GameMode (/etc/gamemode.ini). See gamemoded(8) man page for available settings. ''; - example = literalExpression '' + example = lib.literalExpression '' { general = { renice = 10; @@ -46,7 +44,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment = { systemPackages = [ pkgs.gamemode ]; etc."gamemode.ini".source = configFile; @@ -54,7 +52,7 @@ in security = { polkit.enable = true; - wrappers = mkIf cfg.enableRenice { + wrappers = lib.mkIf cfg.enableRenice { gamemoded = { owner = "root"; group = "root"; @@ -77,14 +75,14 @@ in # # This uses a link farm to make sure other wrapped executables # aren't included in PATH. - environment.PATH = mkForce (pkgs.linkFarm "pkexec" [ + environment.PATH = lib.mkForce (pkgs.linkFarm "pkexec" [ { name = "pkexec"; path = "${config.security.wrapperDir}/pkexec"; } ]); - serviceConfig.ExecStart = mkIf cfg.enableRenice [ + serviceConfig.ExecStart = lib.mkIf cfg.enableRenice [ "" # Tell systemd to clear the existing ExecStart list, to prevent appending to it. "${config.security.wrapperDir}/gamemoded" ]; @@ -95,6 +93,6 @@ in }; meta = { - maintainers = with maintainers; [ kira-bruneau ]; + maintainers = with lib.maintainers; [ kira-bruneau ]; }; } diff --git a/nixpkgs/nixos/modules/programs/gamescope.nix b/nixpkgs/nixos/modules/programs/gamescope.nix index af9ced471539..6a0b0a8fbddd 100644 --- a/nixpkgs/nixos/modules/programs/gamescope.nix +++ b/nixpkgs/nixos/modules/programs/gamescope.nix @@ -3,30 +3,30 @@ , pkgs , ... }: -with lib; let +let cfg = config.programs.gamescope; gamescope = let wrapperArgs = - optional (cfg.args != [ ]) - ''--add-flags "${toString cfg.args}"'' - ++ builtins.attrValues (mapAttrs (var: val: "--set-default ${var} ${val}") cfg.env); + lib.optional (cfg.args != [ ]) + ''--add-flags "${builtins.toString cfg.args}"'' + ++ builtins.attrValues (builtins.mapAttrs (var: val: "--set-default ${var} ${val}") cfg.env); in pkgs.runCommand "gamescope" { nativeBuildInputs = [ pkgs.makeBinaryWrapper ]; } '' mkdir -p $out/bin makeWrapper ${cfg.package}/bin/gamescope $out/bin/gamescope --inherit-argv0 \ - ${toString wrapperArgs} + ${builtins.toString wrapperArgs} ''; in { options.programs.gamescope = { - enable = mkEnableOption "gamescope, the SteamOS session compositing window manager"; + enable = lib.mkEnableOption "gamescope, the SteamOS session compositing window manager"; - package = mkPackageOption pkgs "gamescope" { }; + package = lib.mkPackageOption pkgs "gamescope" { }; - capSysNice = mkOption { - type = types.bool; + capSysNice = lib.mkOption { + type = lib.types.bool; default = false; description = '' Add cap_sys_nice capability to the GameScope @@ -34,8 +34,8 @@ in ''; }; - args = mkOption { - type = types.listOf types.str; + args = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; example = [ "--rt" "--prefer-vk-device 8086:9bc4" ]; description = '' @@ -43,10 +43,10 @@ in ''; }; - env = mkOption { - type = types.attrsOf types.str; + env = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = { }; - example = literalExpression '' + example = lib.literalExpression '' # for Prime render offload on Nvidia laptops. # Also requires `hardware.nvidia.prime.offload.enable`. { @@ -61,8 +61,8 @@ in }; }; - config = mkIf cfg.enable { - security.wrappers = mkIf cfg.capSysNice { + config = lib.mkIf cfg.enable { + security.wrappers = lib.mkIf cfg.capSysNice { gamescope = { owner = "root"; group = "root"; @@ -71,8 +71,8 @@ in }; }; - environment.systemPackages = mkIf (!cfg.capSysNice) [ gamescope ]; + environment.systemPackages = lib.mkIf (!cfg.capSysNice) [ gamescope ]; }; - meta.maintainers = with maintainers; [ nrdxp ]; + meta.maintainers = with lib.maintainers; [ nrdxp ]; } diff --git a/nixpkgs/nixos/modules/programs/geary.nix b/nixpkgs/nixos/modules/programs/geary.nix index 6103ee7df859..cfd5bed78d97 100644 --- a/nixpkgs/nixos/modules/programs/geary.nix +++ b/nixpkgs/nixos/modules/programs/geary.nix @@ -1,20 +1,18 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.geary; in { meta = { - maintainers = teams.gnome.members; + maintainers = lib.teams.gnome.members; }; options = { - programs.geary.enable = mkEnableOption "Geary, a Mail client for GNOME"; + programs.geary.enable = lib.mkEnableOption "Geary, a Mail client for GNOME"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.gnome.geary ]; programs.dconf.enable = true; services.gnome.gnome-keyring.enable = true; diff --git a/nixpkgs/nixos/modules/programs/git.nix b/nixpkgs/nixos/modules/programs/git.nix index 2a5d52f2d191..e4f6ce937f04 100644 --- a/nixpkgs/nixos/modules/programs/git.nix +++ b/nixpkgs/nixos/modules/programs/git.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.git; in @@ -9,23 +7,23 @@ in { options = { programs.git = { - enable = mkEnableOption "git, a distributed version control system"; + enable = lib.mkEnableOption "git, a distributed version control system"; - package = mkPackageOption pkgs "git" { + package = lib.mkPackageOption pkgs "git" { example = "gitFull"; }; - config = mkOption { + config = lib.mkOption { type = - with types; + with lib.types; let gitini = attrsOf (attrsOf anything); in either gitini (listOf gitini) // { merge = loc: defs: let - config = foldl' - (acc: { value, ... }@x: acc // (if isList value then { + config = builtins.foldl' + (acc: { value, ... }@x: acc // (if builtins.isList value then { ordered = acc.ordered ++ value; } else { unordered = acc.unordered ++ [ x ]; @@ -55,25 +53,25 @@ in }; prompt = { - enable = mkEnableOption "automatically sourcing git-prompt.sh. This does not change $PS1; it simply provides relevant utility functions"; + enable = lib.mkEnableOption "automatically sourcing git-prompt.sh. This does not change $PS1; it simply provides relevant utility functions"; }; lfs = { - enable = mkEnableOption "git-lfs (Large File Storage)"; + enable = lib.mkEnableOption "git-lfs (Large File Storage)"; - package = mkPackageOption pkgs "git-lfs" { }; + package = lib.mkPackageOption pkgs "git-lfs" { }; }; }; }; - config = mkMerge [ - (mkIf cfg.enable { + config = lib.mkMerge [ + (lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - environment.etc.gitconfig = mkIf (cfg.config != [ ]) { - text = concatMapStringsSep "\n" generators.toGitINI cfg.config; + environment.etc.gitconfig = lib.mkIf (cfg.config != [ ]) { + text = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config; }; }) - (mkIf (cfg.enable && cfg.lfs.enable) { + (lib.mkIf (cfg.enable && cfg.lfs.enable) { environment.systemPackages = [ cfg.lfs.package ]; programs.git.config = { filter.lfs = { @@ -84,12 +82,12 @@ in }; }; }) - (mkIf (cfg.enable && cfg.prompt.enable) { + (lib.mkIf (cfg.enable && cfg.prompt.enable) { environment.interactiveShellInit = '' source ${cfg.package}/share/bash-completion/completions/git-prompt.sh ''; }) ]; - meta.maintainers = with maintainers; [ figsoda ]; + meta.maintainers = with lib.maintainers; [ figsoda ]; } diff --git a/nixpkgs/nixos/modules/programs/gphoto2.nix b/nixpkgs/nixos/modules/programs/gphoto2.nix index d99259b54582..d9f09483f63c 100644 --- a/nixpkgs/nixos/modules/programs/gphoto2.nix +++ b/nixpkgs/nixos/modules/programs/gphoto2.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - { - meta.maintainers = [ maintainers.league ]; + meta.maintainers = [ lib.maintainers.league ]; ###### interface options = { programs.gphoto2 = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to configure system to use gphoto2. To grant digital camera access to a user, the user must @@ -22,7 +20,7 @@ with lib; }; ###### implementation - config = mkIf config.programs.gphoto2.enable { + config = lib.mkIf config.programs.gphoto2.enable { services.udev.packages = [ pkgs.libgphoto2 ]; environment.systemPackages = [ pkgs.gphoto2 ]; users.groups.camera = {}; diff --git a/nixpkgs/nixos/modules/programs/haguichi.nix b/nixpkgs/nixos/modules/programs/haguichi.nix index 4f48551cf1da..fd769ac8d0a0 100644 --- a/nixpkgs/nixos/modules/programs/haguichi.nix +++ b/nixpkgs/nixos/modules/programs/haguichi.nix @@ -1,13 +1,11 @@ { lib, pkgs, config, ... }: -with lib; - { options.programs.haguichi = { - enable = mkEnableOption "Haguichi, a Linux GUI frontend to the proprietary LogMeIn Hamachi"; + enable = lib.mkEnableOption "Haguichi, a Linux GUI frontend to the proprietary LogMeIn Hamachi"; }; - config = mkIf config.programs.haguichi.enable { + config = lib.mkIf config.programs.haguichi.enable { environment.systemPackages = with pkgs; [ haguichi ]; services.logmein-hamachi.enable = true; diff --git a/nixpkgs/nixos/modules/programs/hamster.nix b/nixpkgs/nixos/modules/programs/hamster.nix index 0bb56ad7ff36..90cfc0f86a24 100644 --- a/nixpkgs/nixos/modules/programs/hamster.nix +++ b/nixpkgs/nixos/modules/programs/hamster.nix @@ -1,12 +1,10 @@ { config, lib, pkgs, ... }: -with lib; - { meta.maintainers = pkgs.hamster.meta.maintainers; options.programs.hamster.enable = - mkEnableOption "hamster, a time tracking program"; + lib.mkEnableOption "hamster, a time tracking program"; config = lib.mkIf config.programs.hamster.enable { environment.systemPackages = [ pkgs.hamster ]; diff --git a/nixpkgs/nixos/modules/programs/htop.nix b/nixpkgs/nixos/modules/programs/htop.nix index bf3d85108170..1252b41e8b85 100644 --- a/nixpkgs/nixos/modules/programs/htop.nix +++ b/nixpkgs/nixos/modules/programs/htop.nix @@ -1,29 +1,27 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.htop; fmt = value: - if isList value then concatStringsSep " " (map fmt value) else - if isString value then value else - if isBool value then if value then "1" else "0" else - if isInt value then toString value else - throw "Unrecognized type ${typeOf value} in htop settings"; + if builtins.isList value then builtins.concatStringsSep " " (builtins.map fmt value) else + if builtins.isString value then value else + if builtins.isBool value then if value then "1" else "0" else + if builtins.isInt value then builtins.toString value else + throw "Unrecognized type ${builtins.typeOf value} in htop settings"; in { options.programs.htop = { - package = mkPackageOption pkgs "htop" { }; + package = lib.mkPackageOption pkgs "htop" { }; - enable = mkEnableOption "htop process monitor"; + enable = lib.mkEnableOption "htop process monitor"; - settings = mkOption { - type = with types; attrsOf (oneOf [ str int bool (listOf (oneOf [ str int bool ])) ]); + settings = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ str int bool (listOf (oneOf [ str int bool ])) ]); default = {}; example = { hide_kernel_threads = true; @@ -38,7 +36,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; @@ -46,7 +44,7 @@ in environment.etc."htoprc".text = '' # Global htop configuration # To change set: programs.htop.settings.KEY = VALUE; - '' + concatStringsSep "\n" (mapAttrsToList (key: value: "${key}=${fmt value}") cfg.settings); + '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (key: value: "${key}=${fmt value}") cfg.settings); }; } diff --git a/nixpkgs/nixos/modules/programs/i3lock.nix b/nixpkgs/nixos/modules/programs/i3lock.nix index 8068ecaf08ca..ff616144e283 100644 --- a/nixpkgs/nixos/modules/programs/i3lock.nix +++ b/nixpkgs/nixos/modules/programs/i3lock.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.i3lock; @@ -12,8 +10,8 @@ in { options = { programs.i3lock = { - enable = mkEnableOption "i3lock"; - package = mkPackageOption pkgs "i3lock" { + enable = lib.mkEnableOption "i3lock"; + package = lib.mkPackageOption pkgs "i3lock" { example = "i3lock-color"; extraDescription = '' ::: {.note} @@ -21,8 +19,8 @@ in { ::: ''; }; - u2fSupport = mkOption { - type = types.bool; + u2fSupport = lib.mkOption { + type = lib.types.bool; default = false; example = true; description = '' @@ -36,11 +34,11 @@ in { ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - security.wrappers.i3lock = mkIf cfg.u2fSupport { + security.wrappers.i3lock = lib.mkIf cfg.u2fSupport { setuid = true; owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/iftop.nix b/nixpkgs/nixos/modules/programs/iftop.nix index c74714a9a6d6..d6e56c8fded6 100644 --- a/nixpkgs/nixos/modules/programs/iftop.nix +++ b/nixpkgs/nixos/modules/programs/iftop.nix @@ -1,14 +1,12 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.iftop; in { options = { - programs.iftop.enable = mkEnableOption "iftop + setcap wrapper"; + programs.iftop.enable = lib.mkEnableOption "iftop + setcap wrapper"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.iftop ]; security.wrappers.iftop = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/iotop.nix b/nixpkgs/nixos/modules/programs/iotop.nix index b7c1c69f9ddd..ba8d028f6bb8 100644 --- a/nixpkgs/nixos/modules/programs/iotop.nix +++ b/nixpkgs/nixos/modules/programs/iotop.nix @@ -1,14 +1,12 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.iotop; in { options = { - programs.iotop.enable = mkEnableOption "iotop + setcap wrapper"; + programs.iotop.enable = lib.mkEnableOption "iotop + setcap wrapper"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.iotop = { owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/java.nix b/nixpkgs/nixos/modules/programs/java.nix index f201f67b42e4..784add809682 100644 --- a/nixpkgs/nixos/modules/programs/java.nix +++ b/nixpkgs/nixos/modules/programs/java.nix @@ -3,8 +3,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.java; in @@ -14,7 +12,7 @@ in programs.java = { - enable = mkEnableOption "java" // { + enable = lib.mkEnableOption "java" // { description = '' Install and setup the Java development kit. @@ -30,19 +28,19 @@ in ''; }; - package = mkPackageOption pkgs "jdk" { + package = lib.mkPackageOption pkgs "jdk" { example = "jre"; }; - binfmt = mkEnableOption "binfmt to execute java jar's and classes"; + binfmt = lib.mkEnableOption "binfmt to execute java jar's and classes"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - boot.binfmt.registrations = mkIf cfg.binfmt { + boot.binfmt.registrations = lib.mkIf cfg.binfmt { java-class = { recognitionType = "extension"; magicOrExtension = "class"; diff --git a/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix b/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix index ebb0198ee60c..6cdd198a7df2 100644 --- a/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix +++ b/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix @@ -1,8 +1,7 @@ { lib, pkgs, config, ... }: -with lib; { options.programs.joycond-cemuhook = { - enable = mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices."; + enable = lib.mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices."; }; config = lib.mkIf config.programs.joycond-cemuhook.enable { diff --git a/nixpkgs/nixos/modules/programs/k3b.nix b/nixpkgs/nixos/modules/programs/k3b.nix index 4d6385dab4f0..3e9435d3dc60 100644 --- a/nixpkgs/nixos/modules/programs/k3b.nix +++ b/nixpkgs/nixos/modules/programs/k3b.nix @@ -1,12 +1,10 @@ { config, pkgs, lib, ... }: -with lib; - { # interface options.programs.k3b = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable k3b, the KDE disk burning application. @@ -22,7 +20,7 @@ with lib; }; # implementation - config = mkIf config.programs.k3b.enable { + config = lib.mkIf config.programs.k3b.enable { environment.systemPackages = with pkgs; [ k3b diff --git a/nixpkgs/nixos/modules/programs/k40-whisperer.nix b/nixpkgs/nixos/modules/programs/k40-whisperer.nix index 156ded6c39fe..0f29c476cbb7 100644 --- a/nixpkgs/nixos/modules/programs/k40-whisperer.nix +++ b/nixpkgs/nixos/modules/programs/k40-whisperer.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.k40-whisperer; pkg = cfg.package.override { @@ -10,20 +8,20 @@ let in { options.programs.k40-whisperer = { - enable = mkEnableOption "K40-Whisperer"; + enable = lib.mkEnableOption "K40-Whisperer"; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; description = '' Group assigned to the device when connected. ''; default = "k40"; }; - package = mkPackageOption pkgs "k40-whisperer" { }; + package = lib.mkPackageOption pkgs "k40-whisperer" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.groups.${cfg.group} = {}; environment.systemPackages = [ pkg ]; diff --git a/nixpkgs/nixos/modules/programs/kbdlight.nix b/nixpkgs/nixos/modules/programs/kbdlight.nix index 8a2a0057cf2d..934bb214c116 100644 --- a/nixpkgs/nixos/modules/programs/kbdlight.nix +++ b/nixpkgs/nixos/modules/programs/kbdlight.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.kbdlight; in { - options.programs.kbdlight.enable = mkEnableOption "kbdlight"; + options.programs.kbdlight.enable = lib.mkEnableOption "kbdlight"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; security.wrappers.kbdlight = { setuid = true; diff --git a/nixpkgs/nixos/modules/programs/kclock.nix b/nixpkgs/nixos/modules/programs/kclock.nix index c2299a3f1b03..b69f358ec1ff 100644 --- a/nixpkgs/nixos/modules/programs/kclock.nix +++ b/nixpkgs/nixos/modules/programs/kclock.nix @@ -1,12 +1,11 @@ { lib, pkgs, config, ... }: -with lib; let cfg = config.programs.kclock; kclockPkg = pkgs.libsForQt5.kclock; in { - options.programs.kclock = { enable = mkEnableOption "KClock"; }; + options.programs.kclock = { enable = lib.mkEnableOption "KClock"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.dbus.packages = [ kclockPkg ]; environment.systemPackages = [ kclockPkg ]; }; diff --git a/nixpkgs/nixos/modules/programs/kdeconnect.nix b/nixpkgs/nixos/modules/programs/kdeconnect.nix index 143128140596..76bba4010308 100644 --- a/nixpkgs/nixos/modules/programs/kdeconnect.nix +++ b/nixpkgs/nixos/modules/programs/kdeconnect.nix @@ -1,8 +1,7 @@ { config, pkgs, lib, ... }: -with lib; { options.programs.kdeconnect = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' kdeconnect. Note that it will open the TCP and UDP port from @@ -11,7 +10,7 @@ with lib; `gnomeExtensions.gsconnect` as an alternative implementation if you use Gnome ''; - package = mkPackageOption pkgs [ "plasma5Packages" "kdeconnect-kde" ] { + package = lib.mkPackageOption pkgs [ "plasma5Packages" "kdeconnect-kde" ] { example = "gnomeExtensions.gsconnect"; }; }; @@ -19,10 +18,9 @@ with lib; let cfg = config.programs.kdeconnect; in - mkIf cfg.enable { + lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package - pkgs.sshfs ]; networking.firewall = rec { allowedTCPPortRanges = [ { from = 1714; to = 1764; } ]; diff --git a/nixpkgs/nixos/modules/programs/less.nix b/nixpkgs/nixos/modules/programs/less.nix index 2cb762007511..c904fc2089aa 100644 --- a/nixpkgs/nixos/modules/programs/less.nix +++ b/nixpkgs/nixos/modules/programs/less.nix @@ -1,26 +1,24 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.less; configText = if (cfg.configFile != null) then (builtins.readFile cfg.configFile) else '' #command - ${concatStringsSep "\n" - (mapAttrsToList (command: action: "${command} ${action}") cfg.commands) + ${builtins.concatStringsSep "\n" + (lib.mapAttrsToList (command: action: "${command} ${action}") cfg.commands) } - ${optionalString cfg.clearDefaultCommands "#stop"} + ${lib.optionalString cfg.clearDefaultCommands "#stop"} #line-edit - ${concatStringsSep "\n" - (mapAttrsToList (command: action: "${command} ${action}") cfg.lineEditingKeys) + ${builtins.concatStringsSep "\n" + (lib.mapAttrsToList (command: action: "${command} ${action}") cfg.lineEditingKeys) } #env - ${concatStringsSep "\n" - (mapAttrsToList (variable: values: "${variable}=${values}") cfg.envVariables) + ${builtins.concatStringsSep "\n" + (lib.mapAttrsToList (variable: values: "${variable}=${values}") cfg.envVariables) } ''; @@ -35,12 +33,12 @@ in # note that environment.nix sets PAGER=less, and # therefore also enables this module - enable = mkEnableOption "less, a file pager"; + enable = lib.mkEnableOption "less, a file pager"; - configFile = mkOption { - type = types.nullOr types.path; + configFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; - example = literalExpression ''"''${pkgs.my-configs}/lesskey"''; + example = lib.literalExpression ''"''${pkgs.my-configs}/lesskey"''; description = '' Path to lesskey configuration file. @@ -50,8 +48,8 @@ in ''; }; - commands = mkOption { - type = types.attrsOf types.str; + commands = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; example = { h = "noaction 5\\e("; @@ -60,8 +58,8 @@ in description = "Defines new command keys."; }; - clearDefaultCommands = mkOption { - type = types.bool; + clearDefaultCommands = lib.mkOption { + type = lib.types.bool; default = false; description = '' Clear all default commands. @@ -70,8 +68,8 @@ in ''; }; - lineEditingKeys = mkOption { - type = types.attrsOf types.str; + lineEditingKeys = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; example = { e = "abort"; @@ -79,8 +77,8 @@ in description = "Defines new line-editing keys."; }; - envVariables = mkOption { - type = types.attrsOf types.str; + envVariables = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = { LESS = "-R"; }; @@ -90,17 +88,17 @@ in description = "Defines environment variables."; }; - lessopen = mkOption { - type = types.nullOr types.str; + lessopen = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = "|${pkgs.lesspipe}/bin/lesspipe.sh %s"; - defaultText = literalExpression ''"|''${pkgs.lesspipe}/bin/lesspipe.sh %s"''; + defaultText = lib.literalExpression ''"|''${pkgs.lesspipe}/bin/lesspipe.sh %s"''; description = '' Before less opens a file, it first gives your input preprocessor a chance to modify the way the contents of the file are displayed. ''; }; - lessclose = mkOption { - type = types.nullOr types.str; + lessclose = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = '' When less closes a file opened in such a way, it will call another program, called the input postprocessor, @@ -110,26 +108,26 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.less ]; environment.variables = { - LESSKEYIN_SYSTEM = toString lessKey; - } // optionalAttrs (cfg.lessopen != null) { + LESSKEYIN_SYSTEM = builtins.toString lessKey; + } // lib.optionalAttrs (cfg.lessopen != null) { LESSOPEN = cfg.lessopen; - } // optionalAttrs (cfg.lessclose != null) { + } // lib.optionalAttrs (cfg.lessclose != null) { LESSCLOSE = cfg.lessclose; }; - warnings = optional ( - cfg.clearDefaultCommands && (all (x: x != "quit") (attrValues cfg.commands)) + warnings = lib.optional ( + cfg.clearDefaultCommands && (builtins.all (x: x != "quit") (builtins.attrValues cfg.commands)) ) '' config.programs.less.clearDefaultCommands clears all default commands of less but there is no alternative binding for exiting. Consider adding a binding for 'quit'. ''; }; - meta.maintainers = with maintainers; [ johnazoidberg ]; + meta.maintainers = with lib.maintainers; [ johnazoidberg ]; } diff --git a/nixpkgs/nixos/modules/programs/liboping.nix b/nixpkgs/nixos/modules/programs/liboping.nix index 4433f9767d6e..5ff9ad74b158 100644 --- a/nixpkgs/nixos/modules/programs/liboping.nix +++ b/nixpkgs/nixos/modules/programs/liboping.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.liboping; in { options.programs.liboping = { - enable = mkEnableOption "liboping"; + enable = lib.mkEnableOption "liboping"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ liboping ]; - security.wrappers = mkMerge (map ( + security.wrappers = lib.mkMerge (builtins.map ( exec: { "${exec}" = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/light.nix b/nixpkgs/nixos/modules/programs/light.nix index b1584a1b3d28..29fcc98a8e0a 100644 --- a/nixpkgs/nixos/modules/programs/light.nix +++ b/nixpkgs/nixos/modules/programs/light.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.light; @@ -10,9 +8,9 @@ in options = { programs.light = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to install Light backlight control command and udev rules granting access to members of the "video" group. @@ -20,8 +18,8 @@ in }; brightnessKeys = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable brightness control with keyboard keys. @@ -38,8 +36,8 @@ in ''; }; - step = mkOption { - type = types.int; + step = lib.mkOption { + type = lib.types.int; default = 10; description = '' The percentage value by which to increase/decrease brightness. @@ -51,14 +49,14 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; services.udev.packages = [ pkgs.light ]; - services.actkbd = mkIf cfg.brightnessKeys.enable { + services.actkbd = lib.mkIf cfg.brightnessKeys.enable { enable = true; bindings = let light = "${pkgs.light}/bin/light"; - step = toString cfg.brightnessKeys.step; + step = builtins.toString cfg.brightnessKeys.step; in [ { keys = [ 224 ]; diff --git a/nixpkgs/nixos/modules/programs/mdevctl.nix b/nixpkgs/nixos/modules/programs/mdevctl.nix index be33835639d2..a7e7d01dffdf 100644 --- a/nixpkgs/nixos/modules/programs/mdevctl.nix +++ b/nixpkgs/nixos/modules/programs/mdevctl.nix @@ -1,14 +1,13 @@ { config, pkgs, lib, ... }: -with lib; let cfg = config.programs.mdevctl; in { options.programs.mdevctl = { - enable = mkEnableOption "Mediated Device Management"; + enable = lib.mkEnableOption "Mediated Device Management"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ mdevctl ]; environment.etc."mdevctl.d/scripts.d/notifiers/.keep".text = ""; diff --git a/nixpkgs/nixos/modules/programs/mepo.nix b/nixpkgs/nixos/modules/programs/mepo.nix index 22596892ff5d..783d2ad14962 100644 --- a/nixpkgs/nixos/modules/programs/mepo.nix +++ b/nixpkgs/nixos/modules/programs/mepo.nix @@ -1,15 +1,14 @@ { pkgs, config, lib, ...}: -with lib; let cfg = config.programs.mepo; in { options.programs.mepo = { - enable = mkEnableOption "Mepo, a fast, simple and hackable OSM map viewer"; + enable = lib.mkEnableOption "Mepo, a fast, simple and hackable OSM map viewer"; locationBackends = { - gpsd = mkOption { - type = types.bool; + gpsd = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable location detection via gpsd. @@ -17,21 +16,21 @@ in ''; }; - geoclue = mkOption { - type = types.bool; + geoclue = lib.mkOption { + type = lib.types.bool; default = true; description = "Whether to enable location detection via geoclue"; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ mepo ] ++ lib.optional cfg.locationBackends.geoclue geoclue2-with-demo-agent ++ lib.optional cfg.locationBackends.gpsd gpsd; - services.geoclue2 = mkIf cfg.locationBackends.geoclue { + services.geoclue2 = lib.mkIf cfg.locationBackends.geoclue { enable = true; appConfig.where-am-i = { isAllowed = true; @@ -42,5 +41,5 @@ in services.gpsd.enable = cfg.locationBackends.gpsd; }; - meta.maintainers = with maintainers; [ laalsaas ]; + meta.maintainers = with lib.maintainers; [ laalsaas ]; } diff --git a/nixpkgs/nixos/modules/programs/mininet.nix b/nixpkgs/nixos/modules/programs/mininet.nix index a9190ed98900..ab862b21fe02 100644 --- a/nixpkgs/nixos/modules/programs/mininet.nix +++ b/nixpkgs/nixos/modules/programs/mininet.nix @@ -2,15 +2,13 @@ # kernel must have NETNS/VETH/SCHED { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.mininet; in { - options.programs.mininet.enable = mkEnableOption "Mininet, an emulator for rapid prototyping of Software Defined Networks"; + options.programs.mininet.enable = lib.mkEnableOption "Mininet, an emulator for rapid prototyping of Software Defined Networks"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { virtualisation.vswitch.enable = true; diff --git a/nixpkgs/nixos/modules/programs/msmtp.nix b/nixpkgs/nixos/modules/programs/msmtp.nix index 9c067bdc9695..8a04acb3b7ea 100644 --- a/nixpkgs/nixos/modules/programs/msmtp.nix +++ b/nixpkgs/nixos/modules/programs/msmtp.nix @@ -1,27 +1,25 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.msmtp; in { - meta.maintainers = with maintainers; [ pacien ]; + meta.maintainers = with lib.maintainers; [ pacien ]; options = { programs.msmtp = { - enable = mkEnableOption "msmtp - an SMTP client"; + enable = lib.mkEnableOption "msmtp - an SMTP client"; - setSendmail = mkOption { - type = types.bool; + setSendmail = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to set the system sendmail to msmtp's. ''; }; - defaults = mkOption { - type = types.attrs; + defaults = lib.mkOption { + type = lib.types.attrs; default = {}; example = { aliases = "/etc/aliases"; @@ -34,8 +32,8 @@ in { ''; }; - accounts = mkOption { - type = with types; attrsOf attrs; + accounts = lib.mkOption { + type = with lib.types; attrsOf attrs; default = {}; example = { "default" = { @@ -59,8 +57,8 @@ in { ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Extra lines to add to the msmtp configuration verbatim. @@ -70,10 +68,10 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.msmtp ]; - services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail { + services.mail.sendmailSetuidWrapper = lib.mkIf cfg.setSendmail { program = "sendmail"; source = "${pkgs.msmtp}/bin/sendmail"; setuid = false; @@ -86,10 +84,10 @@ in { mkValueString = v: if v == true then "on" else if v == false then "off" - else generators.mkValueStringDefault {} v; + else lib.generators.mkValueStringDefault {} v; mkKeyValueString = k: v: "${k} ${mkValueString v}"; mkInnerSectionString = - attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValueString attrs); + attrs: builtins.concatStringsSep "\n" (lib.mapAttrsToList mkKeyValueString attrs); mkAccountString = name: attrs: '' account ${name} ${mkInnerSectionString attrs} @@ -98,7 +96,7 @@ in { defaults ${mkInnerSectionString cfg.defaults} - ${concatStringsSep "\n" (mapAttrsToList mkAccountString cfg.accounts)} + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList mkAccountString cfg.accounts)} ${cfg.extraConfig} ''; diff --git a/nixpkgs/nixos/modules/programs/mtr.nix b/nixpkgs/nixos/modules/programs/mtr.nix index 6a767df15f09..1a9deba98966 100644 --- a/nixpkgs/nixos/modules/programs/mtr.nix +++ b/nixpkgs/nixos/modules/programs/mtr.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.mtr; in { options = { programs.mtr = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add mtr to the global environment and configure a @@ -17,12 +15,12 @@ in { ''; }; - package = mkPackageOption pkgs "mtr" { }; + package = lib.mkPackageOption pkgs "mtr" { }; }; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ cfg.package ]; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; security.wrappers.mtr-packet = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/nbd.nix b/nixpkgs/nixos/modules/programs/nbd.nix index fea9bc1ff71a..1e319f027345 100644 --- a/nixpkgs/nixos/modules/programs/nbd.nix +++ b/nixpkgs/nixos/modules/programs/nbd.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.nbd; in { options = { programs.nbd = { - enable = mkEnableOption "Network Block Device (nbd) support"; + enable = lib.mkEnableOption "Network Block Device (nbd) support"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ nbd ]; boot.kernelModules = [ "nbd" ]; }; diff --git a/nixpkgs/nixos/modules/programs/neovim.nix b/nixpkgs/nixos/modules/programs/neovim.nix index 6f6829444a64..8fe6a664b675 100644 --- a/nixpkgs/nixos/modules/programs/neovim.nix +++ b/nixpkgs/nixos/modules/programs/neovim.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.neovim; in { options.programs.neovim = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; example = true; description = '' @@ -21,8 +19,8 @@ in ''; }; - defaultEditor = mkOption { - type = types.bool; + defaultEditor = lib.mkOption { + type = lib.types.bool; default = false; description = '' When enabled, installs neovim and configures neovim to be the default editor @@ -30,44 +28,44 @@ in ''; }; - viAlias = mkOption { - type = types.bool; + viAlias = lib.mkOption { + type = lib.types.bool; default = false; description = '' Symlink {command}`vi` to {command}`nvim` binary. ''; }; - vimAlias = mkOption { - type = types.bool; + vimAlias = lib.mkOption { + type = lib.types.bool; default = false; description = '' Symlink {command}`vim` to {command}`nvim` binary. ''; }; - withRuby = mkOption { - type = types.bool; + withRuby = lib.mkOption { + type = lib.types.bool; default = true; description = "Enable Ruby provider."; }; - withPython3 = mkOption { - type = types.bool; + withPython3 = lib.mkOption { + type = lib.types.bool; default = true; description = "Enable Python 3 provider."; }; - withNodeJs = mkOption { - type = types.bool; + withNodeJs = lib.mkOption { + type = lib.types.bool; default = false; description = "Enable Node provider."; }; - configure = mkOption { - type = types.attrs; + configure = lib.mkOption { + type = lib.types.attrs; default = { }; - example = literalExpression '' + example = lib.literalExpression '' { customRC = ''' " here your custom configuration goes! @@ -86,31 +84,31 @@ in ''; }; - package = mkPackageOption pkgs "neovim-unwrapped" { }; + package = lib.mkPackageOption pkgs "neovim-unwrapped" { }; - finalPackage = mkOption { - type = types.package; + finalPackage = lib.mkOption { + type = lib.types.package; visible = false; readOnly = true; description = "Resulting customized neovim package."; }; - runtime = mkOption { + runtime = lib.mkOption { default = { }; - example = literalExpression '' + example = lib.literalExpression '' { "ftplugin/c.vim".text = "setlocal omnifunc=v:lua.vim.lsp.omnifunc"; } ''; description = '' Set of files that have to be linked in {file}`runtime`. ''; - type = with types; attrsOf (submodule ( + type = with lib.types; attrsOf (submodule ( { name, config, ... }: { options = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether this runtime directory should be generated. This @@ -118,49 +116,49 @@ in ''; }; - target = mkOption { - type = types.str; + target = lib.mkOption { + type = lib.types.str; description = '' Name of symlink. Defaults to the attribute name. ''; }; - text = mkOption { + text = lib.mkOption { default = null; - type = types.nullOr types.lines; + type = lib.types.nullOr lib.types.lines; description = "Text of the file."; }; - source = mkOption { + source = lib.mkOption { default = null; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; description = "Path of the source file."; }; }; - config.target = mkDefault name; + config.target = lib.mkDefault name; } )); }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.finalPackage ]; - environment.variables.EDITOR = mkIf cfg.defaultEditor (mkOverride 900 "nvim"); + environment.variables.EDITOR = lib.mkIf cfg.defaultEditor (lib.mkOverride 900 "nvim"); - environment.etc = listToAttrs (attrValues (mapAttrs + environment.etc = builtins.listToAttrs (builtins.attrValues (builtins.mapAttrs (name: value: { name = "xdg/nvim/${name}"; - value = removeAttrs + value = builtins.removeAttrs (value // { target = "xdg/nvim/${value.target}"; }) - (optionals (isNull value.source) [ "source" ]); + (lib.optionals (builtins.isNull value.source) [ "source" ]); }) cfg.runtime)); diff --git a/nixpkgs/nixos/modules/programs/nethoscope.nix b/nixpkgs/nixos/modules/programs/nethoscope.nix index 495548e9c656..7bc1f61b31ea 100644 --- a/nixpkgs/nixos/modules/programs/nethoscope.nix +++ b/nixpkgs/nixos/modules/programs/nethoscope.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.nethoscope; in { - meta.maintainers = with maintainers; [ _0x4A6F ]; + meta.maintainers = with lib.maintainers; [ _0x4A6F ]; options = { programs.nethoscope = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add nethoscope to the global environment and configure a @@ -20,7 +18,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ nethoscope ]; security.wrappers.nethoscope = { source = "${pkgs.nethoscope}/bin/nethoscope"; diff --git a/nixpkgs/nixos/modules/programs/nncp.nix b/nixpkgs/nixos/modules/programs/nncp.nix index aa2e7c7a6e5b..3feccef4cf11 100644 --- a/nixpkgs/nixos/modules/programs/nncp.nix +++ b/nixpkgs/nixos/modules/programs/nncp.nix @@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: -with lib; let nncpCfgFile = "/run/nncp.hjson"; programCfg = config.programs.nncp; @@ -11,10 +10,10 @@ in { options.programs.nncp = { enable = - mkEnableOption "NNCP (Node to Node copy) utilities and configuration"; + lib.mkEnableOption "NNCP (Node to Node copy) utilities and configuration"; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "uucp"; description = '' The group under which NNCP files shall be owned. @@ -23,10 +22,10 @@ in { ''; }; - package = mkPackageOption pkgs "nncp" { }; + package = lib.mkPackageOption pkgs "nncp" { }; - secrets = mkOption { - type = with types; listOf str; + secrets = lib.mkOption { + type = with lib.types; listOf str; example = [ "/run/keys/nncp.hjson" ]; description = '' A list of paths to NNCP configuration files that should not be @@ -35,7 +34,7 @@ in { ''; }; - settings = mkOption { + settings = lib.mkOption { type = settingsFormat.type; description = '' NNCP configuration, see @@ -52,7 +51,7 @@ in { }; - config = mkIf programCfg.enable { + config = lib.mkIf programCfg.enable { environment = { systemPackages = [ pkg ]; @@ -60,8 +59,8 @@ in { }; programs.nncp.settings = { - spool = mkDefault "/var/spool/nncp"; - log = mkDefault "/var/spool/nncp/log"; + spool = lib.mkDefault "/var/spool/nncp"; + log = lib.mkDefault "/var/spool/nncp/log"; }; systemd.tmpfiles.rules = [ @@ -77,7 +76,7 @@ in { script = '' umask u=rw nncpCfgDir=$(mktemp --directory nncp.XXX) - for f in ${jsonCfgFile} ${toString config.programs.nncp.secrets}; do + for f in ${jsonCfgFile} ${builtins.toString config.programs.nncp.secrets}; do tmpdir=$(mktemp --directory nncp.XXX) nncp-cfgdir -cfg $f -dump $tmpdir find $tmpdir -size 1c -delete diff --git a/nixpkgs/nixos/modules/programs/noisetorch.nix b/nixpkgs/nixos/modules/programs/noisetorch.nix index 70a0441bd767..5e37061d9a1d 100644 --- a/nixpkgs/nixos/modules/programs/noisetorch.nix +++ b/nixpkgs/nixos/modules/programs/noisetorch.nix @@ -1,17 +1,15 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.noisetorch; in { options.programs.noisetorch = { - enable = mkEnableOption "noisetorch (+ setcap wrapper), a virtual microphone device with noise suppression"; + enable = lib.mkEnableOption "noisetorch (+ setcap wrapper), a virtual microphone device with noise suppression"; - package = mkPackageOption pkgs "noisetorch" { }; + package = lib.mkPackageOption pkgs "noisetorch" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.noisetorch = { owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/npm.nix b/nixpkgs/nixos/modules/programs/npm.nix index b379f0165bfe..470188b879b6 100644 --- a/nixpkgs/nixos/modules/programs/npm.nix +++ b/nixpkgs/nixos/modules/programs/npm.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.npm; in @@ -11,13 +9,13 @@ in options = { programs.npm = { - enable = mkEnableOption "{command}`npm` global config"; + enable = lib.mkEnableOption "{command}`npm` global config"; - package = mkPackageOption pkgs [ "nodePackages" "npm" ] { + package = lib.mkPackageOption pkgs [ "nodePackages" "npm" ] { example = "nodePackages_13_x.npm"; }; - npmrc = mkOption { + npmrc = lib.mkOption { type = lib.types.lines; description = '' The system-wide npm configuration. diff --git a/nixpkgs/nixos/modules/programs/oblogout.nix b/nixpkgs/nixos/modules/programs/oblogout.nix index a039b0623b52..f09fbdc06242 100644 --- a/nixpkgs/nixos/modules/programs/oblogout.nix +++ b/nixpkgs/nixos/modules/programs/oblogout.nix @@ -1,11 +1,9 @@ { config, lib, pkgs, ... }: -with lib; - { imports = [ - (mkRemovedOptionModule [ "programs" "oblogout" ] "programs.oblogout has been removed from NixOS. This is because the oblogout repository has been archived upstream.") + (lib.mkRemovedOptionModule [ "programs" "oblogout" ] "programs.oblogout has been removed from NixOS. This is because the oblogout repository has been archived upstream.") ]; } diff --git a/nixpkgs/nixos/modules/programs/openvpn3.nix b/nixpkgs/nixos/modules/programs/openvpn3.nix index 6415cccecb4f..10042b44471f 100644 --- a/nixpkgs/nixos/modules/programs/openvpn3.nix +++ b/nixpkgs/nixos/modules/programs/openvpn3.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.openvpn3; in { options.programs.openvpn3 = { - enable = mkEnableOption "the openvpn3 client"; - package = mkOption { - type = types.package; + enable = lib.mkEnableOption "the openvpn3 client"; + package = lib.mkOption { + type = lib.types.package; default = pkgs.openvpn3.override { enableSystemdResolved = config.services.resolved.enable; }; - defaultText = literalExpression ''pkgs.openvpn3.override { + defaultText = lib.literalExpression ''pkgs.openvpn3.override { enableSystemdResolved = config.services.resolved.enable; }''; description = '' @@ -22,7 +20,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.dbus.packages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix b/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix index 0b8a19ea22c0..b7258e2eb4bf 100644 --- a/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix +++ b/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - { meta = { - maintainers = teams.pantheon.members; + maintainers = lib.teams.pantheon.members; }; ###### interface options = { - programs.pantheon-tweaks.enable = mkEnableOption "Pantheon Tweaks, an unofficial system settings panel for Pantheon"; + programs.pantheon-tweaks.enable = lib.mkEnableOption "Pantheon Tweaks, an unofficial system settings panel for Pantheon"; }; ###### implementation - config = mkIf config.programs.pantheon-tweaks.enable { + config = lib.mkIf config.programs.pantheon-tweaks.enable { services.xserver.desktopManager.pantheon.extraSwitchboardPlugs = [ pkgs.pantheon-tweaks ]; }; } diff --git a/nixpkgs/nixos/modules/programs/plotinus.nix b/nixpkgs/nixos/modules/programs/plotinus.nix index 41c75b69a2d2..835db049d862 100644 --- a/nixpkgs/nixos/modules/programs/plotinus.nix +++ b/nixpkgs/nixos/modules/programs/plotinus.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.plotinus; in @@ -15,21 +13,21 @@ in options = { programs.plotinus = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to enable the Plotinus GTK 3 plugin. Plotinus provides a popup (triggered by Ctrl-Shift-P) to search the menus of a compatible application. ''; - type = types.bool; + type = lib.types.bool; }; }; }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ]; environment.variables.GTK3_MODULES = [ "${pkgs.plotinus}/lib/libplotinus.so" ]; }; diff --git a/nixpkgs/nixos/modules/programs/pqos-wrapper.nix b/nixpkgs/nixos/modules/programs/pqos-wrapper.nix new file mode 100644 index 000000000000..82023e67a2ae --- /dev/null +++ b/nixpkgs/nixos/modules/programs/pqos-wrapper.nix @@ -0,0 +1,27 @@ +{ config +, lib +, pkgs +, ... +}: +let + cfg = config.programs.pqos-wrapper; +in +{ + options.programs.pqos-wrapper = { + enable = lib.mkEnableOption "PQoS Wrapper for BenchExec"; + package = lib.mkPackageOption pkgs "pqos-wrapper" { }; + }; + + config = lib.mkIf cfg.enable { + hardware.cpu.x86.msr.enable = true; + + security.wrappers.${cfg.package.meta.mainProgram} = { + owner = "nobody"; + group = config.hardware.cpu.x86.msr.group; + source = lib.getExe cfg.package; + capabilities = "cap_sys_rawio=eip"; + }; + }; + + meta.maintainers = with lib.maintainers; [ lorenzleutgeb ]; +} diff --git a/nixpkgs/nixos/modules/programs/proxychains.nix b/nixpkgs/nixos/modules/programs/proxychains.nix index b15475dac075..86bbf16a64ce 100644 --- a/nixpkgs/nixos/modules/programs/proxychains.nix +++ b/nixpkgs/nixos/modules/programs/proxychains.nix @@ -1,15 +1,14 @@ { config, lib, pkgs, ... }: -with lib; let cfg = config.programs.proxychains; configFile = '' ${cfg.chain.type}_chain - ${optionalString (cfg.chain.type == "random") + ${lib.optionalString (cfg.chain.type == "random") "chain_len = ${builtins.toString cfg.chain.length}"} - ${optionalString cfg.proxyDNS "proxy_dns"} - ${optionalString cfg.quietMode "quiet_mode"} + ${lib.optionalString cfg.proxyDNS "proxy_dns"} + ${lib.optionalString cfg.quietMode "quiet_mode"} remote_dns_subnet ${builtins.toString cfg.remoteDNSSubnet} tcp_read_time_out ${builtins.toString cfg.tcpReadTimeOut} tcp_connect_time_out ${builtins.toString cfg.tcpConnectTimeOut} @@ -22,20 +21,20 @@ let proxyOptions = { options = { - enable = mkEnableOption "this proxy"; + enable = lib.mkEnableOption "this proxy"; - type = mkOption { - type = types.enum [ "http" "socks4" "socks5" ]; + type = lib.mkOption { + type = lib.types.enum [ "http" "socks4" "socks5" ]; description = "Proxy type."; }; - host = mkOption { - type = types.str; + host = lib.mkOption { + type = lib.types.str; description = "Proxy host or IP address."; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; description = "Proxy port"; }; }; @@ -49,15 +48,15 @@ in { programs.proxychains = { - enable = mkEnableOption "proxychains configuration"; + enable = lib.mkEnableOption "proxychains configuration"; - package = mkPackageOption pkgs "proxychains" { + package = lib.mkPackageOption pkgs "proxychains" { example = "proxychains-ng"; }; chain = { - type = mkOption { - type = types.enum [ "dynamic" "strict" "random" ]; + type = lib.mkOption { + type = lib.types.enum [ "dynamic" "strict" "random" ]; default = "strict"; description = '' `dynamic` - Each connection will be done via chained proxies @@ -75,8 +74,8 @@ in { (or proxy chain, see {option}`programs.proxychains.chain.length`) from the list. ''; }; - length = mkOption { - type = types.nullOr types.int; + length = lib.mkOption { + type = lib.types.nullOr lib.types.int; default = null; description = '' Chain length for random chain. @@ -84,47 +83,47 @@ in { }; }; - proxyDNS = mkOption { - type = types.bool; + proxyDNS = lib.mkOption { + type = lib.types.bool; default = true; description = "Proxy DNS requests - no leak for DNS data."; }; - quietMode = mkEnableOption "Quiet mode (no output from the library)"; + quietMode = lib.mkEnableOption "Quiet mode (no output from the library)"; - remoteDNSSubnet = mkOption { - type = types.enum [ 10 127 224 ]; + remoteDNSSubnet = lib.mkOption { + type = lib.types.enum [ 10 127 224 ]; default = 224; description = '' Set the class A subnet number to use for the internal remote DNS mapping, uses the reserved 224.x.x.x range by default. ''; }; - tcpReadTimeOut = mkOption { - type = types.int; + tcpReadTimeOut = lib.mkOption { + type = lib.types.int; default = 15000; description = "Connection read time-out in milliseconds."; }; - tcpConnectTimeOut = mkOption { - type = types.int; + tcpConnectTimeOut = lib.mkOption { + type = lib.types.int; default = 8000; description = "Connection time-out in milliseconds."; }; - localnet = mkOption { - type = types.str; + localnet = lib.mkOption { + type = lib.types.str; default = "127.0.0.0/255.0.0.0"; description = "By default enable localnet for loopback address ranges."; }; - proxies = mkOption { - type = types.attrsOf (types.submodule proxyOptions); + proxies = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule proxyOptions); description = '' Proxies to be used by proxychains. ''; - example = literalExpression '' + example = lib.literalExpression '' { myproxy = { type = "socks4"; host = "127.0.0.1"; @@ -140,11 +139,11 @@ in { ###### implementation - meta.maintainers = with maintainers; [ sorki ]; + meta.maintainers = with lib.maintainers; [ sorki ]; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - assertions = singleton { + assertions = lib.singleton { assertion = cfg.chain.type != "random" && cfg.chain.length == null; message = '' Option `programs.proxychains.chain.length` @@ -152,9 +151,9 @@ in { ''; }; - programs.proxychains.proxies = mkIf config.services.tor.client.enable + programs.proxychains.proxies = lib.mkIf config.services.tor.client.enable { - torproxy = mkDefault { + torproxy = lib.mkDefault { enable = true; type = "socks4"; host = "127.0.0.1"; diff --git a/nixpkgs/nixos/modules/programs/qt5ct.nix b/nixpkgs/nixos/modules/programs/qt5ct.nix index 3ff47b355915..bc7b28b9c6e9 100644 --- a/nixpkgs/nixos/modules/programs/qt5ct.nix +++ b/nixpkgs/nixos/modules/programs/qt5ct.nix @@ -1,9 +1,7 @@ { lib, ... }: -with lib; - { imports = [ - (mkRemovedOptionModule [ "programs" "qt5ct" "enable" ] "Use qt5.platformTheme = \"qt5ct\" instead.") + (lib.mkRemovedOptionModule [ "programs" "qt5ct" "enable" ] "Use qt5.platformTheme = \"qt5ct\" instead.") ]; } diff --git a/nixpkgs/nixos/modules/programs/rust-motd.nix b/nixpkgs/nixos/modules/programs/rust-motd.nix index 93240fcdd85e..301b7cebb7f8 100644 --- a/nixpkgs/nixos/modules/programs/rust-motd.nix +++ b/nixpkgs/nixos/modules/programs/rust-motd.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.rust-motd; format = pkgs.formats.toml { }; @@ -24,10 +22,10 @@ let ''; in { options.programs.rust-motd = { - enable = mkEnableOption "rust-motd, a Message Of The Day (MOTD) generator"; - enableMotdInSSHD = mkOption { + enable = lib.mkEnableOption "rust-motd, a Message Of The Day (MOTD) generator"; + enableMotdInSSHD = lib.mkOption { default = true; - type = types.bool; + type = lib.types.bool; description = '' Whether to let `openssh` print the result when entering a new `ssh`-session. @@ -36,18 +34,18 @@ in { the latter option is incompatible with this module. ''; }; - refreshInterval = mkOption { + refreshInterval = lib.mkOption { default = "*:0/5"; - type = types.str; + type = lib.types.str; description = '' Interval in which the {manpage}`motd(5)` file is refreshed. For possible formats, please refer to {manpage}`systemd.time(7)`. ''; }; - order = mkOption { - type = types.listOf types.str; - default = attrNames cfg.settings; - defaultText = literalExpression "attrNames cfg.settings"; + order = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = builtins.attrNames cfg.settings; + defaultText = lib.literalExpression "attrNames cfg.settings"; description = '' The order of the sections in [](#opt-programs.rust-motd.settings). By default they are ordered alphabetically. @@ -79,8 +77,8 @@ in { makes sure that `uptime` is placed before `banner` in the motd. ''; }; - settings = mkOption { - type = types.attrsOf format.type; + settings = lib.mkOption { + type = lib.types.attrsOf format.type; description = '' Settings on what to generate. Please read the [upstream documentation](https://github.com/rust-motd/rust-motd/blob/main/README.md#configuration) @@ -88,14 +86,14 @@ in { ''; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = config.users.motd == null; message = '' `programs.rust-motd` is incompatible with `users.motd`! ''; } - { assertion = sort (a: b: a < b) cfg.order == attrNames cfg.settings; + { assertion = builtins.sort (a: b: a < b) cfg.order == builtins.attrNames cfg.settings; message = '' Please ensure that every section from `programs.rust-motd.settings` is present in `programs.rust-motd.order`. @@ -138,12 +136,12 @@ in { wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = cfg.refreshInterval; }; - security.pam.services.sshd.text = mkIf cfg.enableMotdInSSHD (mkDefault (mkAfter '' + security.pam.services.sshd.text = lib.mkIf cfg.enableMotdInSSHD (lib.mkDefault (lib.mkAfter '' session optional ${pkgs.pam}/lib/security/pam_motd.so motd=/var/lib/rust-motd/motd '')); - services.openssh.extraConfig = mkIf (cfg.settings ? last_login && cfg.settings.last_login != {}) '' + services.openssh.extraConfig = lib.mkIf (cfg.settings ? last_login && cfg.settings.last_login != {}) '' PrintLastLog no ''; }; - meta.maintainers = with maintainers; [ ma27 ]; + meta.maintainers = with lib.maintainers; [ ma27 ]; } diff --git a/nixpkgs/nixos/modules/programs/sedutil.nix b/nixpkgs/nixos/modules/programs/sedutil.nix index c62ca24eaa01..978aaa5c82d5 100644 --- a/nixpkgs/nixos/modules/programs/sedutil.nix +++ b/nixpkgs/nixos/modules/programs/sedutil.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.sedutil; in { - options.programs.sedutil.enable = mkEnableOption "sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification"; + options.programs.sedutil.enable = lib.mkEnableOption "sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { boot.kernelParams = [ "libata.allow_tpm=1" ]; diff --git a/nixpkgs/nixos/modules/programs/shadow.nix b/nixpkgs/nixos/modules/programs/shadow.nix index 2d20644ec51e..f09bfaa5393d 100644 --- a/nixpkgs/nixos/modules/programs/shadow.nix +++ b/nixpkgs/nixos/modules/programs/shadow.nix @@ -1,15 +1,14 @@ # Configuration for the pwdutils suite of tools: passwd, useradd, etc. { config, lib, utils, pkgs, ... }: -with lib; let cfg = config.security.loginDefs; in { - options = with types; { + options = with lib.types; { security.loginDefs = { - package = mkPackageOption pkgs "shadow" { }; + package = lib.mkPackageOption pkgs "shadow" { }; - chfnRestrict = mkOption { + chfnRestrict = lib.mkOption { description = '' Use chfn SUID to allow non-root users to change their account GECOS information. ''; @@ -17,7 +16,7 @@ in default = null; }; - settings = mkOption { + settings = lib.mkOption { description = '' Config options for the /etc/login.defs file, that defines the site-specific configuration for the shadow password suite. @@ -35,68 +34,68 @@ in by systemd for features like ConditionUser=@system and systemd-sysusers */ options = { - DEFAULT_HOME = mkOption { + DEFAULT_HOME = lib.mkOption { description = "Indicate if login is allowed if we can't cd to the home directory."; default = "yes"; type = enum [ "yes" "no" ]; }; - ENCRYPT_METHOD = mkOption { + ENCRYPT_METHOD = lib.mkOption { description = "This defines the system default encryption algorithm for encrypting passwords."; # The default crypt() method, keep in sync with the PAM default default = "YESCRYPT"; type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"]; }; - SYS_UID_MIN = mkOption { + SYS_UID_MIN = lib.mkOption { description = "Range of user IDs used for the creation of system users by useradd or newusers."; default = 400; type = int; }; - SYS_UID_MAX = mkOption { + SYS_UID_MAX = lib.mkOption { description = "Range of user IDs used for the creation of system users by useradd or newusers."; default = 999; type = int; }; - UID_MIN = mkOption { + UID_MIN = lib.mkOption { description = "Range of user IDs used for the creation of regular users by useradd or newusers."; default = 1000; type = int; }; - UID_MAX = mkOption { + UID_MAX = lib.mkOption { description = "Range of user IDs used for the creation of regular users by useradd or newusers."; default = 29999; type = int; }; - SYS_GID_MIN = mkOption { + SYS_GID_MIN = lib.mkOption { description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; default = 400; type = int; }; - SYS_GID_MAX = mkOption { + SYS_GID_MAX = lib.mkOption { description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; default = 999; type = int; }; - GID_MIN = mkOption { + GID_MIN = lib.mkOption { description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; default = 1000; type = int; }; - GID_MAX = mkOption { + GID_MAX = lib.mkOption { description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; default = 29999; type = int; }; - TTYGROUP = mkOption { + TTYGROUP = lib.mkOption { description = '' The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM''; @@ -104,7 +103,7 @@ in type = str; }; - TTYPERM = mkOption { + TTYPERM = lib.mkOption { description = '' The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM''; @@ -113,7 +112,7 @@ in }; # Ensure privacy for newly created home directories. - UMASK = mkOption { + UMASK = lib.mkOption { description = "The file mode creation mask is initialized to this value."; default = "077"; type = str; @@ -124,7 +123,7 @@ in }; }; - users.defaultUserShell = mkOption { + users.defaultUserShell = lib.mkOption { description = '' This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package. @@ -132,7 +131,7 @@ in This must not be a store path, since the path is used outside the store (in particular in /etc/passwd). ''; - example = literalExpression "pkgs.zsh"; + example = lib.literalExpression "pkgs.zsh"; type = either path shellPackage; }; }; @@ -160,18 +159,18 @@ in ]; security.loginDefs.settings.CHFN_RESTRICT = - mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict; + lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict; - environment.systemPackages = optional config.users.mutableUsers cfg.package - ++ optional (types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell - ++ optional (cfg.chfnRestrict != null) pkgs.util-linux; + environment.systemPackages = lib.optional config.users.mutableUsers cfg.package + ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell + ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux; environment.etc = # Create custom toKeyValue generator # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification let - toKeyValue = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault { } " "; + toKeyValue = lib.generators.toKeyValue { + mkKeyValue = lib.generators.mkKeyValueDefault { } " "; }; in { @@ -231,7 +230,7 @@ in newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap"; newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap"; } - // optionalAttrs config.users.mutableUsers { + // lib.optionalAttrs config.users.mutableUsers { chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh"; passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd"; }; diff --git a/nixpkgs/nixos/modules/programs/sharing.nix b/nixpkgs/nixos/modules/programs/sharing.nix index 211dc9815166..0fe8100bbc56 100644 --- a/nixpkgs/nixos/modules/programs/sharing.nix +++ b/nixpkgs/nixos/modules/programs/sharing.nix @@ -1,8 +1,7 @@ { config, pkgs, lib, ... }: -with lib; { options.programs.sharing = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' sharing, a CLI tool for sharing files. Note that it will opens the 7478 port for TCP in the firewall, which is needed for it to function properly @@ -12,7 +11,7 @@ with lib; let cfg = config.programs.sharing; in - mkIf cfg.enable { + lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.sharing ]; networking.firewall.allowedTCPPorts = [ 7478 ]; }; diff --git a/nixpkgs/nixos/modules/programs/singularity.nix b/nixpkgs/nixos/modules/programs/singularity.nix index f4c0a6fe487e..bc989ad2dbaf 100644 --- a/nixpkgs/nixos/modules/programs/singularity.nix +++ b/nixpkgs/nixos/modules/programs/singularity.nix @@ -5,21 +5,20 @@ ... }: -with lib; let cfg = config.programs.singularity; in { options.programs.singularity = { - enable = mkEnableOption "singularity" // { + enable = lib.mkEnableOption "singularity" // { description = '' Whether to install Singularity/Apptainer with system-level overriding such as SUID support. ''; }; - package = mkPackageOption pkgs "singularity" { example = "apptainer"; }; - packageOverriden = mkOption { - type = types.nullOr types.package; + package = lib.mkPackageOption pkgs "singularity" { example = "apptainer"; }; + packageOverriden = lib.mkOption { + type = lib.types.nullOr lib.types.package; default = null; description = '' This option provides access to the overridden result of `programs.singularity.package`. @@ -42,8 +41,8 @@ in Use `lib.mkForce` to forcefully specify the overridden package. ''; }; - enableExternalLocalStateDir = mkOption { - type = types.bool; + enableExternalLocalStateDir = lib.mkOption { + type = lib.types.bool; default = true; example = false; description = '' @@ -54,22 +53,22 @@ in `/var/lib/''${projectName}/mnt/session`. ''; }; - enableFakeroot = mkOption { - type = types.bool; + enableFakeroot = lib.mkOption { + type = lib.types.bool; default = true; example = false; description = '' Whether to enable the `--fakeroot` support of Singularity/Apptainer. ''; }; - enableSuid = mkOption { - type = types.bool; + enableSuid = lib.mkOption { + type = lib.types.bool; # SingularityCE requires SETUID for most things. Apptainer prefers user # namespaces, e.g. `apptainer exec --nv` would fail if built # `--with-suid`: # > `FATAL: nvidia-container-cli not allowed in setuid mode` default = cfg.package.projectName != "apptainer"; - defaultText = literalExpression ''config.services.singularity.package.projectName != "apptainer"''; + defaultText = lib.literalExpression ''config.services.singularity.package.projectName != "apptainer"''; example = false; description = '' Whether to enable the SUID support of Singularity/Apptainer. @@ -77,28 +76,28 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.singularity.packageOverriden = ( cfg.package.override ( - optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } - // optionalAttrs cfg.enableFakeroot { + lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } + // lib.optionalAttrs cfg.enableFakeroot { newuidmapPath = "/run/wrappers/bin/newuidmap"; newgidmapPath = "/run/wrappers/bin/newgidmap"; } - // optionalAttrs cfg.enableSuid { + // lib.optionalAttrs cfg.enableSuid { enableSuid = true; starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid"; } ) ); environment.systemPackages = [ cfg.packageOverriden ]; - security.wrappers."${cfg.packageOverriden.projectName}-suid" = mkIf cfg.enableSuid { + security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid { setuid = true; owner = "root"; group = "root"; source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig"; }; - systemd.tmpfiles.rules = mkIf cfg.enableExternalLocalStateDir [ + systemd.tmpfiles.rules = lib.mkIf cfg.enableExternalLocalStateDir [ "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -" ]; }; diff --git a/nixpkgs/nixos/modules/programs/slock.nix b/nixpkgs/nixos/modules/programs/slock.nix index f39b4d5e9280..ce24f662f218 100644 --- a/nixpkgs/nixos/modules/programs/slock.nix +++ b/nixpkgs/nixos/modules/programs/slock.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.slock; @@ -9,18 +7,18 @@ in { options = { programs.slock = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to install slock screen locker with setuid wrapper. ''; }; - package = mkPackageOption pkgs "slock" {}; + package = lib.mkPackageOption pkgs "slock" {}; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; security.wrappers.slock = { setuid = true; diff --git a/nixpkgs/nixos/modules/programs/soundmodem.nix b/nixpkgs/nixos/modules/programs/soundmodem.nix index ab992c63c608..5f57e24a4524 100644 --- a/nixpkgs/nixos/modules/programs/soundmodem.nix +++ b/nixpkgs/nixos/modules/programs/soundmodem.nix @@ -1,26 +1,24 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.soundmodem; in { options = { programs.soundmodem = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add Soundmodem to the global environment and configure a wrapper for 'soundmodemconfig' for users in the 'soundmodem' group. ''; }; - package = mkPackageOption pkgs "soundmodem" { }; + package = lib.mkPackageOption pkgs "soundmodem" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; users.groups.soundmodem = { }; diff --git a/nixpkgs/nixos/modules/programs/spacefm.nix b/nixpkgs/nixos/modules/programs/spacefm.nix index fec14fca48e1..73d48cf6a3a8 100644 --- a/nixpkgs/nixos/modules/programs/spacefm.nix +++ b/nixpkgs/nixos/modules/programs/spacefm.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.spacefm; in @@ -14,21 +12,21 @@ in programs.spacefm = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install SpaceFM and create {file}`/etc/spacefm/spacefm.conf`. ''; }; - settings = mkOption { - type = types.attrs; + settings = lib.mkOption { + type = lib.types.attrs; default = { tmp_dir = "/tmp"; terminal_su = "${pkgs.sudo}/bin/sudo"; }; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' { tmp_dir = "/tmp"; terminal_su = "''${pkgs.sudo}/bin/sudo"; @@ -46,10 +44,10 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.spaceFM ]; environment.etc."spacefm/spacefm.conf".text = - concatStrings (mapAttrsToList (n: v: "${n}=${toString v}\n") cfg.settings); + lib.concatStrings (lib.mapAttrsToList (n: v: "${n}=${builtins.toString v}\n") cfg.settings); }; } diff --git a/nixpkgs/nixos/modules/programs/ssh.nix b/nixpkgs/nixos/modules/programs/ssh.nix index 2d25c7a93662..0692dd46f7d0 100644 --- a/nixpkgs/nixos/modules/programs/ssh.nix +++ b/nixpkgs/nixos/modules/programs/ssh.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.ssh; @@ -17,16 +15,16 @@ let exec ${cfg.askPassword} "$@" ''; - knownHosts = attrValues cfg.knownHosts; + knownHosts = builtins.attrValues cfg.knownHosts; - knownHostsText = (flip (concatMapStringsSep "\n") knownHosts + knownHostsText = (lib.flip (lib.concatMapStringsSep "\n") knownHosts (h: assert h.hostNames != []; - optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " " - + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) + lib.optionalString h.certAuthority "@cert-authority " + builtins.concatStringsSep "," h.hostNames + " " + + (if h.publicKey != null then h.publicKey else builtins.readFile h.publicKeyFile) )) + "\n"; knownHostsFiles = [ "/etc/ssh/ssh_known_hosts" ] - ++ map pkgs.copyPathToStore cfg.knownHostsFiles; + ++ builtins.map pkgs.copyPathToStore cfg.knownHostsFiles; in { @@ -36,21 +34,21 @@ in programs.ssh = { - enableAskPassword = mkOption { - type = types.bool; + enableAskPassword = lib.mkOption { + type = lib.types.bool; default = config.services.xserver.enable; - defaultText = literalExpression "config.services.xserver.enable"; + defaultText = lib.literalExpression "config.services.xserver.enable"; description = "Whether to configure SSH_ASKPASS in the environment."; }; - askPassword = mkOption { - type = types.str; + askPassword = lib.mkOption { + type = lib.types.str; default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; - defaultText = literalExpression ''"''${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"''; + defaultText = lib.literalExpression ''"''${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"''; description = "Program used by SSH to ask for passwords."; }; - forwardX11 = mkOption { + forwardX11 = lib.mkOption { type = with lib.types; nullOr bool; default = false; description = '' @@ -65,25 +63,25 @@ in ''; }; - setXAuthLocation = mkOption { - type = types.bool; + setXAuthLocation = lib.mkOption { + type = lib.types.bool; description = '' Whether to set the path to {command}`xauth` for X11-forwarded connections. This causes a dependency on X11 packages. ''; }; - pubkeyAcceptedKeyTypes = mkOption { - type = types.listOf types.str; + pubkeyAcceptedKeyTypes = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; description = '' - Specifies the key types that will be used for public key authentication. + Specifies the key lib.types that will be used for public key authentication. ''; }; - hostKeyAlgorithms = mkOption { - type = types.listOf types.str; + hostKeyAlgorithms = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; description = '' @@ -91,8 +89,8 @@ in ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Extra configuration text prepended to {file}`ssh_config`. Other generated @@ -102,8 +100,8 @@ in ''; }; - startAgent = mkOption { - type = types.bool; + startAgent = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to start the OpenSSH agent when you log in. The OpenSSH agent @@ -113,8 +111,8 @@ in ''; }; - agentTimeout = mkOption { - type = types.nullOr types.str; + agentTimeout = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; example = "1h"; description = '' @@ -122,34 +120,34 @@ in ''; }; - agentPKCS11Whitelist = mkOption { - type = types.nullOr types.str; + agentPKCS11Whitelist = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; - example = literalExpression ''"''${pkgs.opensc}/lib/opensc-pkcs11.so"''; + example = lib.literalExpression ''"''${pkgs.opensc}/lib/opensc-pkcs11.so"''; description = '' A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add. ''; }; - package = mkPackageOption pkgs "openssh" { }; + package = lib.mkPackageOption pkgs "openssh" { }; - knownHosts = mkOption { + knownHosts = lib.mkOption { default = {}; - type = types.attrsOf (types.submodule ({ name, config, options, ... }: { + type = lib.types.attrsOf (lib.types.submodule ({ name, config, options, ... }: { options = { - certAuthority = mkOption { - type = types.bool; + certAuthority = lib.mkOption { + type = lib.types.bool; default = false; description = '' This public key is an SSH certificate authority, rather than an individual host's key. ''; }; - hostNames = mkOption { - type = types.listOf types.str; + hostNames = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ name ] ++ config.extraHostNames; - defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}"; + defaultText = lib.literalExpression "[ ${name} ] ++ config.${options.extraHostNames}"; description = '' A list of host names and/or IP numbers used for accessing the host's ssh service. This list includes the name of the @@ -160,8 +158,8 @@ in `hostNames` list. ''; }; - extraHostNames = mkOption { - type = types.listOf types.str; + extraHostNames = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' A list of additional host names and/or IP numbers used for @@ -169,9 +167,9 @@ in `hostNames` is set explicitly. ''; }; - publicKey = mkOption { + publicKey = lib.mkOption { default = null; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="; description = '' The public key data for the host. You can fetch a public key @@ -180,9 +178,9 @@ in the key type and the key itself. ''; }; - publicKeyFile = mkOption { + publicKeyFile = lib.mkOption { default = null; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; description = '' The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. @@ -204,7 +202,7 @@ in `extraHostNames` to add additional host names without disabling this default. ''; - example = literalExpression '' + example = lib.literalExpression '' { myhost = { extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ]; @@ -219,16 +217,16 @@ in ''; }; - knownHostsFiles = mkOption { + knownHostsFiles = lib.mkOption { default = []; - type = with types; listOf path; + type = with lib.types; listOf path; description = '' Files containing SSH host keys to set as global known hosts. `/etc/ssh/ssh_known_hosts` (which is generated by {option}`programs.ssh.knownHosts`) is always included. ''; - example = literalExpression '' + example = lib.literalExpression '' [ ./known_hosts (writeText "github.keys" ''' @@ -240,8 +238,8 @@ in ''; }; - kexAlgorithms = mkOption { - type = types.nullOr (types.listOf types.str); + kexAlgorithms = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.str); default = null; example = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; description = '' @@ -249,8 +247,8 @@ in ''; }; - ciphers = mkOption { - type = types.nullOr (types.listOf types.str); + ciphers = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.str); default = null; example = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ]; description = '' @@ -258,8 +256,8 @@ in ''; }; - macs = mkOption { - type = types.nullOr (types.listOf types.str); + macs = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.str); default = null; example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ]; description = '' @@ -274,13 +272,13 @@ in config = { programs.ssh.setXAuthLocation = - mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 == true || config.services.openssh.settings.X11Forwarding); + lib.mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 == true || config.services.openssh.settings.X11Forwarding); assertions = [ { assertion = cfg.forwardX11 == true -> cfg.setXAuthLocation; message = "cannot enable X11 forwarding without setting XAuth location"; } - ] ++ flip mapAttrsToList cfg.knownHosts (name: data: { + ] ++ lib.flip lib.mapAttrsToList cfg.knownHosts (name: data: { assertion = (data.publicKey == null && data.publicKeyFile != null) || (data.publicKey != null && data.publicKeyFile == null); message = "knownHost ${name} must contain either a publicKey or publicKeyFile"; @@ -296,22 +294,22 @@ in # Generated options from other settings Host * AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} - GlobalKnownHostsFile ${concatStringsSep " " knownHostsFiles} + GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles} - ${optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} + ${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} ${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"} - ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} - ${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"} - ${optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}"} - ${optionalString (cfg.ciphers != null) "Ciphers ${concatStringsSep "," cfg.ciphers}"} - ${optionalString (cfg.macs != null) "MACs ${concatStringsSep "," cfg.macs}"} + ${lib.optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} + ${lib.optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"} + ${lib.optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"} + ${lib.optionalString (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"} + ${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"} ''; environment.etc."ssh/ssh_known_hosts".text = knownHostsText; # FIXME: this should really be socket-activated for über-awesomeness. - systemd.user.services.ssh-agent = mkIf cfg.startAgent + systemd.user.services.ssh-agent = lib.mkIf cfg.startAgent { description = "SSH Agent"; wantedBy = [ "default.target" ]; unitConfig.ConditionUser = "!@system"; @@ -319,8 +317,8 @@ in { ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent"; ExecStart = "${cfg.package}/bin/ssh-agent " + - optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") + - optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") + + lib.optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") + + lib.optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") + "-a %t/ssh-agent"; StandardOutput = "null"; Type = "forking"; @@ -330,18 +328,18 @@ in # Allow ssh-agent to ask for confirmation. This requires the # unit to know about the user's $DISPLAY (via ‘systemctl # import-environment’). - environment.SSH_ASKPASS = optionalString cfg.enableAskPassword askPasswordWrapper; + environment.SSH_ASKPASS = lib.optionalString cfg.enableAskPassword askPasswordWrapper; environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS }; - environment.extraInit = optionalString cfg.startAgent + environment.extraInit = lib.optionalString cfg.startAgent '' if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent" fi ''; - environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword cfg.askPassword; + environment.variables.SSH_ASKPASS = lib.optionalString cfg.enableAskPassword cfg.askPassword; }; } diff --git a/nixpkgs/nixos/modules/programs/steam.nix b/nixpkgs/nixos/modules/programs/steam.nix index 58aa0aa25b08..d76863aff83b 100644 --- a/nixpkgs/nixos/modules/programs/steam.nix +++ b/nixpkgs/nixos/modules/programs/steam.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.steam; gamescopeCfg = config.programs.gamescope; @@ -11,7 +9,7 @@ let in pkgs.writeShellScriptBin "steam-gamescope" '' ${builtins.concatStringsSep "\n" exports} - gamescope --steam ${toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf + gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf ''; gamescopeSessionFile = @@ -24,13 +22,13 @@ let '').overrideAttrs (_: { passthru.providedSessions = [ "steam" ]; }); in { options.programs.steam = { - enable = mkEnableOption "steam"; + enable = lib.mkEnableOption "steam"; - package = mkOption { - type = types.package; + package = lib.mkOption { + type = lib.types.package; default = pkgs.steam; - defaultText = literalExpression "pkgs.steam"; - example = literalExpression '' + defaultText = lib.literalExpression "pkgs.steam"; + example = lib.literalExpression '' pkgs.steam-small.override { extraEnv = { MANGOHUD = true; @@ -44,8 +42,8 @@ in { ''; apply = steam: steam.override (prev: { extraEnv = (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) { - STEAM_EXTRA_COMPAT_TOOLS_PATHS = makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages; - }) // (optionalAttrs cfg.extest.enable { + STEAM_EXTRA_COMPAT_TOOLS_PATHS = lib.makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages; + }) // (lib.optionalAttrs cfg.extest.enable { LD_PRELOAD = "${pkgs.pkgsi686Linux.extest}/lib/libextest.so"; }) // (prev.extraEnv or {}); extraLibraries = pkgs: let @@ -55,7 +53,7 @@ in { then [ package ] ++ extraPackages else [ package32 ] ++ extraPackages32; in prevLibs ++ additionalLibs; - } // optionalAttrs (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) + } // lib.optionalAttrs (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) { buildFHSEnv = pkgs.buildFHSEnv.override { # use the setuid wrapped bubblewrap @@ -71,10 +69,10 @@ in { ''; }; - extraCompatPackages = mkOption { - type = types.listOf types.package; + extraCompatPackages = lib.mkOption { + type = lib.types.listOf lib.types.package; default = [ ]; - example = literalExpression '' + example = lib.literalExpression '' with pkgs; [ proton-ge-bin ] @@ -88,46 +86,46 @@ in { ''; }; - remotePlay.openFirewall = mkOption { - type = types.bool; + remotePlay.openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open ports in the firewall for Steam Remote Play. ''; }; - dedicatedServer.openFirewall = mkOption { - type = types.bool; + dedicatedServer.openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open ports in the firewall for Source Dedicated Server. ''; }; - localNetworkGameTransfers.openFirewall = mkOption { - type = types.bool; + localNetworkGameTransfers.openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open ports in the firewall for Steam Local Network Game Transfers. ''; }; - gamescopeSession = mkOption { + gamescopeSession = lib.mkOption { description = "Run a GameScope driven Steam session from your display-manager"; default = {}; - type = types.submodule { + type = lib.types.submodule { options = { - enable = mkEnableOption "GameScope Session"; - args = mkOption { - type = types.listOf types.str; + enable = lib.mkEnableOption "GameScope Session"; + args = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; description = '' Arguments to be passed to GameScope for the session. ''; }; - env = mkOption { - type = types.attrsOf types.str; + env = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = { }; description = '' Environmental variables to be passed to GameScope for the session. @@ -137,20 +135,20 @@ in { }; }; - extest.enable = mkEnableOption '' + extest.enable = lib.mkEnableOption '' Load the extest library into Steam, to translate X11 input events to uinput events (e.g. for using Steam Input on Wayland) ''; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { hardware.opengl = { # this fixes the "glXChooseVisual failed" bug, context: https://github.com/NixOS/nixpkgs/issues/47932 enable = true; driSupport = true; driSupport32Bit = true; }; - security.wrappers = mkIf (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) { + security.wrappers = lib.mkIf (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) { # needed or steam fails bwrap = { owner = "root"; @@ -160,8 +158,8 @@ in { }; }; - programs.gamescope.enable = mkDefault cfg.gamescopeSession.enable; - services.displayManager.sessionPackages = mkIf cfg.gamescopeSession.enable [ gamescopeSessionFile ]; + programs.gamescope.enable = lib.mkDefault cfg.gamescopeSession.enable; + services.displayManager.sessionPackages = lib.mkIf cfg.gamescopeSession.enable [ gamescopeSessionFile ]; # optionally enable 32bit pulseaudio support if pulseaudio is enabled hardware.pulseaudio.support32Bit = config.hardware.pulseaudio.enable; @@ -174,25 +172,25 @@ in { ] ++ lib.optional cfg.gamescopeSession.enable steam-gamescope; networking.firewall = lib.mkMerge [ - (mkIf (cfg.remotePlay.openFirewall || cfg.localNetworkGameTransfers.openFirewall) { + (lib.mkIf (cfg.remotePlay.openFirewall || cfg.localNetworkGameTransfers.openFirewall) { allowedUDPPorts = [ 27036 ]; # Peer discovery }) - (mkIf cfg.remotePlay.openFirewall { + (lib.mkIf cfg.remotePlay.openFirewall { allowedTCPPorts = [ 27036 ]; allowedUDPPortRanges = [ { from = 27031; to = 27035; } ]; }) - (mkIf cfg.dedicatedServer.openFirewall { + (lib.mkIf cfg.dedicatedServer.openFirewall { allowedTCPPorts = [ 27015 ]; # SRCDS Rcon port allowedUDPPorts = [ 27015 ]; # Gameplay traffic }) - (mkIf cfg.localNetworkGameTransfers.openFirewall { + (lib.mkIf cfg.localNetworkGameTransfers.openFirewall { allowedTCPPorts = [ 27040 ]; # Data transfers }) ]; }; - meta.maintainers = teams.steam; + meta.maintainers = lib.teams.steam.members; } diff --git a/nixpkgs/nixos/modules/programs/streamdeck-ui.nix b/nixpkgs/nixos/modules/programs/streamdeck-ui.nix index 6bec2abdfbec..a1366c42181c 100644 --- a/nixpkgs/nixos/modules/programs/streamdeck-ui.nix +++ b/nixpkgs/nixos/modules/programs/streamdeck-ui.nix @@ -1,34 +1,32 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.streamdeck-ui; in { options.programs.streamdeck-ui = { - enable = mkEnableOption "streamdeck-ui"; + enable = lib.mkEnableOption "streamdeck-ui"; - autoStart = mkOption { + autoStart = lib.mkOption { default = true; - type = types.bool; + type = lib.types.bool; description = "Whether streamdeck-ui should be started automatically."; }; - package = mkPackageOption pkgs "streamdeck-ui" { + package = lib.mkPackageOption pkgs "streamdeck-ui" { default = [ "streamdeck-ui" ]; }; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package - (mkIf cfg.autoStart (makeAutostartItem { name = "streamdeck-ui-noui"; package = cfg.package; })) + (lib.mkIf cfg.autoStart (pkgs.makeAutostartItem { name = "streamdeck-ui-noui"; package = cfg.package; })) ]; services.udev.packages = [ cfg.package ]; }; - meta.maintainers = with maintainers; [ majiir ]; + meta.maintainers = with lib.maintainers; [ majiir ]; } diff --git a/nixpkgs/nixos/modules/programs/sysdig.nix b/nixpkgs/nixos/modules/programs/sysdig.nix index cf2cbab5cf6e..47b95ef64e97 100644 --- a/nixpkgs/nixos/modules/programs/sysdig.nix +++ b/nixpkgs/nixos/modules/programs/sysdig.nix @@ -1,13 +1,11 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.sysdig; in { - options.programs.sysdig.enable = mkEnableOption "sysdig, a tracing tool"; + options.programs.sysdig.enable = lib.mkEnableOption "sysdig, a tracing tool"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.sysdig ]; boot.extraModulePackages = [ config.boot.kernelPackages.sysdig ]; }; diff --git a/nixpkgs/nixos/modules/programs/system-config-printer.nix b/nixpkgs/nixos/modules/programs/system-config-printer.nix index 34592dd7064b..68b7897d64c2 100644 --- a/nixpkgs/nixos/modules/programs/system-config-printer.nix +++ b/nixpkgs/nixos/modules/programs/system-config-printer.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - { ###### interface @@ -10,7 +8,7 @@ with lib; programs.system-config-printer = { - enable = mkEnableOption "system-config-printer, a Graphical user interface for CUPS administration"; + enable = lib.mkEnableOption "system-config-printer, a Graphical user interface for CUPS administration"; }; @@ -19,7 +17,7 @@ with lib; ###### implementation - config = mkIf config.programs.system-config-printer.enable { + config = lib.mkIf config.programs.system-config-printer.enable { environment.systemPackages = [ pkgs.system-config-printer diff --git a/nixpkgs/nixos/modules/programs/systemtap.nix b/nixpkgs/nixos/modules/programs/systemtap.nix index d23bd13fdd85..e61e255e5221 100644 --- a/nixpkgs/nixos/modules/programs/systemtap.nix +++ b/nixpkgs/nixos/modules/programs/systemtap.nix @@ -1,14 +1,12 @@ { config, lib, ... }: -with lib; - let cfg = config.programs.systemtap; in { options = { programs.systemtap = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Install {command}`systemtap` along with necessary kernel options. @@ -16,7 +14,7 @@ in { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "DEBUG") ]; diff --git a/nixpkgs/nixos/modules/programs/thefuck.nix b/nixpkgs/nixos/modules/programs/thefuck.nix index ba2e39c013ae..0e65352a1f21 100644 --- a/nixpkgs/nixos/modules/programs/thefuck.nix +++ b/nixpkgs/nixos/modules/programs/thefuck.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let prg = config.programs; cfg = prg.thefuck; @@ -16,11 +14,11 @@ in { options = { programs.thefuck = { - enable = mkEnableOption "thefuck, an app which corrects your previous console command"; + enable = lib.mkEnableOption "thefuck, an app which corrects your previous console command"; - alias = mkOption { + alias = lib.mkOption { default = "fuck"; - type = types.str; + type = lib.types.str; description = '' `thefuck` needs an alias to be configured. @@ -30,11 +28,11 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ thefuck ]; programs.bash.interactiveShellInit = bashAndZshInitScript; - programs.zsh.interactiveShellInit = mkIf prg.zsh.enable bashAndZshInitScript; - programs.fish.interactiveShellInit = mkIf prg.fish.enable fishInitScript; + programs.zsh.interactiveShellInit = lib.mkIf prg.zsh.enable bashAndZshInitScript; + programs.fish.interactiveShellInit = lib.mkIf prg.fish.enable fishInitScript; }; } diff --git a/nixpkgs/nixos/modules/programs/thunar.nix b/nixpkgs/nixos/modules/programs/thunar.nix index 5ea2982dd93c..76fcc9d8298f 100644 --- a/nixpkgs/nixos/modules/programs/thunar.nix +++ b/nixpkgs/nixos/modules/programs/thunar.nix @@ -1,29 +1,27 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.thunar; in { meta = { - maintainers = teams.xfce.members; + maintainers = lib.teams.xfce.members; }; options = { programs.thunar = { - enable = mkEnableOption "Thunar, the Xfce file manager"; + enable = lib.mkEnableOption "Thunar, the Xfce file manager"; - plugins = mkOption { + plugins = lib.mkOption { default = []; - type = types.listOf types.package; + type = lib.types.listOf lib.types.package; description = "List of thunar plugins to install."; - example = literalExpression "with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]"; + example = lib.literalExpression "with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]"; }; }; }; - config = mkIf cfg.enable ( + config = lib.mkIf cfg.enable ( let package = pkgs.xfce.thunar.override { thunarPlugins = cfg.plugins; }; in { diff --git a/nixpkgs/nixos/modules/programs/traceroute.nix b/nixpkgs/nixos/modules/programs/traceroute.nix index 6e04057ac503..0864dbe79db6 100644 --- a/nixpkgs/nixos/modules/programs/traceroute.nix +++ b/nixpkgs/nixos/modules/programs/traceroute.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.traceroute; in { options = { programs.traceroute = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to configure a setcap wrapper for traceroute. @@ -17,7 +15,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.traceroute = { owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/turbovnc.nix b/nixpkgs/nixos/modules/programs/turbovnc.nix index fbb3a7bf22e9..c28b7f7d7991 100644 --- a/nixpkgs/nixos/modules/programs/turbovnc.nix +++ b/nixpkgs/nixos/modules/programs/turbovnc.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.turbovnc; in @@ -12,8 +10,8 @@ in programs.turbovnc = { - ensureHeadlessSoftwareOpenGL = mkOption { - type = types.bool; + ensureHeadlessSoftwareOpenGL = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to set up NixOS such that TurboVNC's built-in software OpenGL @@ -36,7 +34,7 @@ in }; - config = mkIf cfg.ensureHeadlessSoftwareOpenGL { + config = lib.mkIf cfg.ensureHeadlessSoftwareOpenGL { # TurboVNC has builtin support for Mesa llvmpipe's `swrast` # software rendering to implement GLX (OpenGL on Xorg). diff --git a/nixpkgs/nixos/modules/programs/udevil.nix b/nixpkgs/nixos/modules/programs/udevil.nix index 44b9dd9234b3..e4c0daea72c1 100644 --- a/nixpkgs/nixos/modules/programs/udevil.nix +++ b/nixpkgs/nixos/modules/programs/udevil.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.udevil; in { - options.programs.udevil.enable = mkEnableOption "udevil, to mount filesystems without password"; + options.programs.udevil.enable = lib.mkEnableOption "udevil, to mount filesystems without password"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.udevil = { setuid = true; owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/usbtop.nix b/nixpkgs/nixos/modules/programs/usbtop.nix index 4f13ce5f6262..8b77b2bf51c4 100644 --- a/nixpkgs/nixos/modules/programs/usbtop.nix +++ b/nixpkgs/nixos/modules/programs/usbtop.nix @@ -1,15 +1,13 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.usbtop; in { options = { - programs.usbtop.enable = mkEnableOption "usbtop and required kernel module, to show estimated USB bandwidth"; + programs.usbtop.enable = lib.mkEnableOption "usbtop and required kernel module, to show estimated USB bandwidth"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ usbtop ]; diff --git a/nixpkgs/nixos/modules/programs/vim.nix b/nixpkgs/nixos/modules/programs/vim.nix index eb3499fd243f..8232340ddebb 100644 --- a/nixpkgs/nixos/modules/programs/vim.nix +++ b/nixpkgs/nixos/modules/programs/vim.nix @@ -1,13 +1,11 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.vim; in { options.programs.vim = { - defaultEditor = mkOption { - type = types.bool; + defaultEditor = lib.mkOption { + type = lib.types.bool; default = false; description = '' When enabled, installs vim and configures vim to be the default editor @@ -15,13 +13,13 @@ in { ''; }; - package = mkPackageOption pkgs "vim" { + package = lib.mkPackageOption pkgs "vim" { example = "vim-full"; }; }; - config = mkIf cfg.defaultEditor { + config = lib.mkIf cfg.defaultEditor { environment.systemPackages = [ cfg.package ]; - environment.variables = { EDITOR = mkOverride 900 "vim"; }; + environment.variables = { EDITOR = lib.mkOverride 900 "vim"; }; }; } diff --git a/nixpkgs/nixos/modules/programs/virt-manager.nix b/nixpkgs/nixos/modules/programs/virt-manager.nix index 095db7586a03..9b5fa22268ae 100644 --- a/nixpkgs/nixos/modules/programs/virt-manager.nix +++ b/nixpkgs/nixos/modules/programs/virt-manager.nix @@ -2,15 +2,27 @@ let cfg = config.programs.virt-manager; -in { +in +{ options.programs.virt-manager = { enable = lib.mkEnableOption "virt-manager, an UI for managing virtual machines in libvirt"; - package = lib.mkPackageOption pkgs "virt-manager" {}; + package = lib.mkPackageOption pkgs "virt-manager" { }; }; config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - programs.dconf.enable = true; + programs.dconf = { + profiles.user.databases = [ + { + settings = { + "org/virt-manager/virt-manager/connections" = { + autoconnect = [ "qemu:///system" ]; + uris = [ "qemu:///system" ]; + }; + }; + } + ]; + }; }; } diff --git a/nixpkgs/nixos/modules/programs/wavemon.nix b/nixpkgs/nixos/modules/programs/wavemon.nix index e5ccacba75d4..86bc7cc09795 100644 --- a/nixpkgs/nixos/modules/programs/wavemon.nix +++ b/nixpkgs/nixos/modules/programs/wavemon.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.wavemon; in { options = { programs.wavemon = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add wavemon to the global environment and configure a @@ -18,7 +16,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ wavemon ]; security.wrappers.wavemon = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/wayland/hyprland.nix b/nixpkgs/nixos/modules/programs/wayland/hyprland.nix index e648eaa1b68e..c963429f2e2a 100644 --- a/nixpkgs/nixos/modules/programs/wayland/hyprland.nix +++ b/nixpkgs/nixos/modules/programs/wayland/hyprland.nix @@ -3,7 +3,7 @@ , pkgs , ... }: -with lib; let +let cfg = config.programs.hyprland; finalPortalPackage = cfg.portalPackage.override { @@ -12,7 +12,7 @@ with lib; let in { options.programs.hyprland = { - enable = mkEnableOption null // { + enable = lib.mkEnableOption null // { description = '' Whether to enable Hyprland, the dynamic tiling Wayland compositor that doesn't sacrifice on its looks. @@ -23,35 +23,26 @@ in ''; }; - package = mkPackageOption pkgs "hyprland" { }; + package = lib.mkPackageOption pkgs "hyprland" { }; - finalPackage = mkOption { - type = types.package; + finalPackage = lib.mkOption { + type = lib.types.package; readOnly = true; default = cfg.package.override { enableXWayland = cfg.xwayland.enable; }; - defaultText = literalExpression + defaultText = lib.literalExpression "`programs.hyprland.package` with applied configuration"; description = '' The Hyprland package after applying configuration. ''; }; - portalPackage = mkPackageOption pkgs "xdg-desktop-portal-hyprland" { }; + portalPackage = lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" { }; - xwayland.enable = mkEnableOption ("XWayland") // { default = true; }; + xwayland.enable = lib.mkEnableOption ("XWayland") // { default = true; }; - envVars.enable = mkEnableOption null // { - default = true; - example = false; - description = '' - Set environment variables for Hyprland to work properly. - Enabled by default. - ''; - }; - - systemd.setPath.enable = mkEnableOption null // { + systemd.setPath.enable = lib.mkEnableOption null // { default = true; example = false; description = '' @@ -62,15 +53,15 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.finalPackage ]; - fonts.enableDefaultPackages = mkDefault true; - hardware.opengl.enable = mkDefault true; + fonts.enableDefaultPackages = lib.mkDefault true; + hardware.opengl.enable = lib.mkDefault true; programs = { - dconf.enable = mkDefault true; - xwayland.enable = mkDefault cfg.xwayland.enable; + dconf.enable = lib.mkDefault true; + xwayland.enable = lib.mkDefault cfg.xwayland.enable; }; security.polkit.enable = true; @@ -78,37 +69,28 @@ in services.displayManager.sessionPackages = [ cfg.finalPackage ]; xdg.portal = { - enable = mkDefault true; + enable = lib.mkDefault true; extraPortals = [ finalPortalPackage ]; - configPackages = mkDefault [ cfg.finalPackage ]; - }; - - environment.sessionVariables = mkIf cfg.envVars.enable { - XDG_CURRENT_DESKTOP = "Hyprland"; - XDG_SESSION_DESKTOP = "Hyprland"; - XDG_SESSION_TYPE = "wayland"; - GDK_BACKEND = "wayland,x11"; - QT_QPA_PLATFORM = "wayland;xcb"; - _JAVA_AWT_WM_NONREPARENTING = "1"; # Fix for Java applications on tiling window managers + configPackages = lib.mkDefault [ cfg.finalPackage ]; }; - systemd = mkIf cfg.systemd.setPath.enable { + systemd = lib.mkIf cfg.systemd.setPath.enable { user.extraConfig = '' DefaultEnvironment="PATH=$PATH:/run/current-system/sw/bin:/etc/profiles/per-user/%u/bin:/run/wrappers/bin" ''; }; }; - imports = with lib; [ - (mkRemovedOptionModule + imports = [ + (lib.mkRemovedOptionModule [ "programs" "hyprland" "xwayland" "hidpi" ] "XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland" ) - (mkRemovedOptionModule + (lib.mkRemovedOptionModule [ "programs" "hyprland" "enableNvidiaPatches" ] "Nvidia patches are no longer needed" ) - (mkRemovedOptionModule + (lib.mkRemovedOptionModule [ "programs" "hyprland" "nvidiaPatches" ] "Nvidia patches are no longer needed" ) diff --git a/nixpkgs/nixos/modules/programs/wayland/river.nix b/nixpkgs/nixos/modules/programs/wayland/river.nix index d0e309646b0e..6f8bafb15506 100644 --- a/nixpkgs/nixos/modules/programs/wayland/river.nix +++ b/nixpkgs/nixos/modules/programs/wayland/river.nix @@ -4,13 +4,13 @@ lib, ... }: -with lib; let +let cfg = config.programs.river; in { options.programs.river = { - enable = mkEnableOption "river, a dynamic tiling Wayland compositor"; + enable = lib.mkEnableOption "river, a dynamic tiling Wayland compositor"; - package = mkPackageOption pkgs "river" { + package = lib.mkPackageOption pkgs "river" { nullable = true; extraDescription = '' Set to `null` to not add any River package to your path. @@ -18,17 +18,17 @@ in { ''; }; - extraPackages = mkOption { - type = with types; listOf package; + extraPackages = lib.mkOption { + type = with lib.types; listOf package; default = with pkgs; [ swaylock foot dmenu ]; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' with pkgs; [ swaylock foot dmenu ]; ''; - example = literalExpression '' + example = lib.literalExpression '' with pkgs; [ termite rofi light ] @@ -42,15 +42,15 @@ in { }; config = - mkIf cfg.enable (mkMerge [ + lib.mkIf cfg.enable (lib.mkMerge [ { - environment.systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; + environment.systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages; # To make a river session available if a display manager like SDDM is enabled: - services.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; + services.displayManager.sessionPackages = lib.optionals (cfg.package != null) [ cfg.package ]; # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913 - xdg.portal.config.river.default = mkDefault [ "wlr" "gtk" ]; + xdg.portal.config.river.default = lib.mkDefault [ "wlr" "gtk" ]; } (import ./wayland-session.nix { inherit lib pkgs; }) ]); diff --git a/nixpkgs/nixos/modules/programs/wayland/sway.nix b/nixpkgs/nixos/modules/programs/wayland/sway.nix index 348e1db7cdc1..cec634b6b033 100644 --- a/nixpkgs/nixos/modules/programs/wayland/sway.nix +++ b/nixpkgs/nixos/modules/programs/wayland/sway.nix @@ -1,15 +1,13 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.sway; - wrapperOptions = types.submodule { + wrapperOptions = lib.types.submodule { options = let - mkWrapperFeature = default: description: mkOption { - type = types.bool; + mkWrapperFeature = default: description: lib.mkOption { + type = lib.types.bool; inherit default; example = !default; description = "Whether to make use of the ${description}"; @@ -50,18 +48,18 @@ let }; in { options.programs.sway = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' Sway, the i3-compatible tiling Wayland compositor. You can manually launch Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to ~/.config/sway/config to modify the default configuration. See <https://github.com/swaywm/sway/wiki> and "man 5 sway" for more information''; - package = mkOption { - type = with types; nullOr package; + package = lib.mkOption { + type = with lib.types; nullOr package; default = pkgs.sway; apply = p: if p == null then null else genFinalPackage p; - defaultText = literalExpression "pkgs.sway"; + defaultText = lib.literalExpression "pkgs.sway"; description = '' Sway package to use. If the package does not contain the override arguments `extraSessionCommands`, `extraOptions`, `withBaseWrapper`, `withGtkWrapper`, @@ -72,7 +70,7 @@ in { ''; }; - wrapperFeatures = mkOption { + wrapperFeatures = lib.mkOption { type = wrapperOptions; default = { }; example = { gtk = true; }; @@ -81,8 +79,8 @@ in { ''; }; - extraSessionCommands = mkOption { - type = types.lines; + extraSessionCommands = lib.mkOption { + type = lib.types.lines; default = ""; example = '' # SDL: @@ -102,8 +100,8 @@ in { ''; }; - extraOptions = mkOption { - type = types.listOf types.str; + extraOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "--verbose" @@ -116,15 +114,15 @@ in { ''; }; - extraPackages = mkOption { - type = with types; listOf package; + extraPackages = lib.mkOption { + type = with lib.types; listOf package; default = with pkgs; [ swaylock swayidle foot dmenu wmenu ]; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' with pkgs; [ swaylock swayidle foot dmenu wmenu ]; ''; - example = literalExpression '' + example = lib.literalExpression '' with pkgs; [ i3status i3status-rust termite rofi light @@ -140,8 +138,8 @@ in { }; - config = mkIf cfg.enable - (mkMerge [ + config = lib.mkIf cfg.enable + (lib.mkMerge [ { assertions = [ { @@ -154,27 +152,27 @@ in { ]; environment = { - systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; + systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages; # Needed for the default wallpaper: - pathsToLink = optionals (cfg.package != null) [ "/share/backgrounds/sway" ]; + pathsToLink = lib.optionals (cfg.package != null) [ "/share/backgrounds/sway" ]; etc = { "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" '' # Import the most important environment variables into the D-Bus and systemd # user environments (e.g. required for screen sharing and Pinentry prompts): exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP ''; - } // optionalAttrs (cfg.package != null) { - "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; + } // lib.optionalAttrs (cfg.package != null) { + "sway/config".source = lib.mkOptionDefault "${cfg.package}/etc/sway/config"; }; }; programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3; # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913 - xdg.portal.config.sway.default = mkDefault [ "wlr" "gtk" ]; + xdg.portal.config.sway.default = lib.mkDefault [ "wlr" "gtk" ]; # To make a Sway session available if a display manager like SDDM is enabled: - services.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; } + services.displayManager.sessionPackages = lib.optionals (cfg.package != null) [ cfg.package ]; } (import ./wayland-session.nix { inherit lib pkgs; }) ]); diff --git a/nixpkgs/nixos/modules/programs/wayland/waybar.nix b/nixpkgs/nixos/modules/programs/wayland/waybar.nix index ffe889504cd3..ab811994be07 100644 --- a/nixpkgs/nixos/modules/programs/wayland/waybar.nix +++ b/nixpkgs/nixos/modules/programs/wayland/waybar.nix @@ -1,17 +1,15 @@ { lib, pkgs, config, ... }: -with lib; - let cfg = config.programs.waybar; in { options.programs.waybar = { - enable = mkEnableOption "waybar, a highly customizable Wayland bar for Sway and Wlroots based compositors"; - package = mkPackageOption pkgs "waybar" { }; + enable = lib.mkEnableOption "waybar, a highly customizable Wayland bar for Sway and Wlroots based compositors"; + package = lib.mkPackageOption pkgs "waybar" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; systemd.user.services.waybar = { description = "Waybar as systemd service"; @@ -21,5 +19,5 @@ in }; }; - meta.maintainers = [ maintainers.FlorianFranzen ]; + meta.maintainers = [ lib.maintainers.FlorianFranzen ]; } diff --git a/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix b/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix index da117ceae0ad..47ee0788e0f3 100644 --- a/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix +++ b/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix @@ -1,19 +1,19 @@ -{ lib, pkgs, ... }: with lib; { +{ lib, pkgs, ... }: { security = { polkit.enable = true; pam.services.swaylock = {}; }; - hardware.opengl.enable = mkDefault true; - fonts.enableDefaultPackages = mkDefault true; + hardware.opengl.enable = lib.mkDefault true; + fonts.enableDefaultPackages = lib.mkDefault true; programs = { - dconf.enable = mkDefault true; - xwayland.enable = mkDefault true; + dconf.enable = lib.mkDefault true; + xwayland.enable = lib.mkDefault true; }; xdg.portal = { - enable = mkDefault true; + enable = lib.mkDefault true; extraPortals = [ # For screen sharing diff --git a/nixpkgs/nixos/modules/programs/weylus.nix b/nixpkgs/nixos/modules/programs/weylus.nix index a47dccb95cd9..d76e2f81b2c9 100644 --- a/nixpkgs/nixos/modules/programs/weylus.nix +++ b/nixpkgs/nixos/modules/programs/weylus.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.weylus; in { - options.programs.weylus = with types; { - enable = mkEnableOption "weylus, which turns your smart phone into a graphic tablet/touch screen for your computer"; + options.programs.weylus = with lib.types; { + enable = lib.mkEnableOption "weylus, which turns your smart phone into a graphic tablet/touch screen for your computer"; - openFirewall = mkOption { + openFirewall = lib.mkOption { type = bool; default = false; description = '' @@ -17,7 +15,7 @@ in ''; }; - users = mkOption { + users = lib.mkOption { type = listOf str; default = [ ]; description = '' @@ -26,10 +24,10 @@ in ''; }; - package = mkPackageOption pkgs "weylus" { }; + package = lib.mkPackageOption pkgs "weylus" { }; }; - config = mkIf cfg.enable { - networking.firewall = mkIf cfg.openFirewall { + config = lib.mkIf cfg.enable { + networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 1701 9001 ]; }; diff --git a/nixpkgs/nixos/modules/programs/wireshark.nix b/nixpkgs/nixos/modules/programs/wireshark.nix index 2d947154e822..f5673e5940fe 100644 --- a/nixpkgs/nixos/modules/programs/wireshark.nix +++ b/nixpkgs/nixos/modules/programs/wireshark.nix @@ -1,28 +1,26 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.wireshark; wireshark = cfg.package; in { options = { programs.wireshark = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add Wireshark to the global environment and configure a setcap wrapper for 'dumpcap' for users in the 'wireshark' group. ''; }; - package = mkPackageOption pkgs "wireshark-cli" { + package = lib.mkPackageOption pkgs "wireshark-cli" { example = "wireshark"; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ wireshark ]; users.groups.wireshark = {}; diff --git a/nixpkgs/nixos/modules/programs/xastir.nix b/nixpkgs/nixos/modules/programs/xastir.nix index d9c687289ec2..96201eb5455d 100644 --- a/nixpkgs/nixos/modules/programs/xastir.nix +++ b/nixpkgs/nixos/modules/programs/xastir.nix @@ -1,17 +1,15 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xastir; in { - meta.maintainers = with maintainers; [ melling ]; + meta.maintainers = with lib.maintainers; [ melling ]; options.programs.xastir = { - enable = mkEnableOption "Xastir Graphical APRS client"; + enable = lib.mkEnableOption "Xastir Graphical APRS client"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ xastir ]; security.wrappers.xastir = { source = "${pkgs.xastir}/bin/xastir"; diff --git a/nixpkgs/nixos/modules/programs/xfconf.nix b/nixpkgs/nixos/modules/programs/xfconf.nix index 8e854b40e513..f2fda3b692d3 100644 --- a/nixpkgs/nixos/modules/programs/xfconf.nix +++ b/nixpkgs/nixos/modules/programs/xfconf.nix @@ -1,21 +1,19 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xfconf; in { meta = { - maintainers = teams.xfce.members; + maintainers = lib.teams.xfce.members; }; options = { programs.xfconf = { - enable = mkEnableOption "Xfconf, the Xfce configuration storage system"; + enable = lib.mkEnableOption "Xfconf, the Xfce configuration storage system"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.xfce.xfconf ]; diff --git a/nixpkgs/nixos/modules/programs/xfs_quota.nix b/nixpkgs/nixos/modules/programs/xfs_quota.nix index 8f70cc2d9416..5ca05f4dc297 100644 --- a/nixpkgs/nixos/modules/programs/xfs_quota.nix +++ b/nixpkgs/nixos/modules/programs/xfs_quota.nix @@ -2,15 +2,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xfs_quota; - limitOptions = opts: concatStringsSep " " [ - (optionalString (opts.sizeSoftLimit != null) "bsoft=${opts.sizeSoftLimit}") - (optionalString (opts.sizeHardLimit != null) "bhard=${opts.sizeHardLimit}") + limitOptions = opts: builtins.concatStringsSep " " [ + (lib.optionalString (opts.sizeSoftLimit != null) "bsoft=${opts.sizeSoftLimit}") + (lib.optionalString (opts.sizeHardLimit != null) "bhard=${opts.sizeHardLimit}") ]; in @@ -22,35 +20,35 @@ in options = { programs.xfs_quota = { - projects = mkOption { + projects = lib.mkOption { default = {}; - type = types.attrsOf (types.submodule { + type = lib.types.attrsOf (lib.types.submodule { options = { - id = mkOption { - type = types.int; + id = lib.mkOption { + type = lib.types.int; description = "Project ID."; }; - fileSystem = mkOption { - type = types.str; + fileSystem = lib.mkOption { + type = lib.types.str; description = "XFS filesystem hosting the xfs_quota project."; default = "/"; }; - path = mkOption { - type = types.str; + path = lib.mkOption { + type = lib.types.str; description = "Project directory."; }; - sizeSoftLimit = mkOption { - type = types.nullOr types.str; + sizeSoftLimit = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; example = "30g"; description = "Soft limit of the project size"; }; - sizeHardLimit = mkOption { - type = types.nullOr types.str; + sizeHardLimit = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; example = "50g"; description = "Hard limit of the project size."; @@ -75,18 +73,18 @@ in ###### implementation - config = mkIf (cfg.projects != {}) { + config = lib.mkIf (cfg.projects != {}) { environment.etc.projects.source = pkgs.writeText "etc-project" - (concatStringsSep "\n" (mapAttrsToList - (name: opts: "${toString opts.id}:${opts.path}") cfg.projects)); + (builtins.concatStringsSep "\n" (lib.mapAttrsToList + (name: opts: "${builtins.toString opts.id}:${opts.path}") cfg.projects)); environment.etc.projid.source = pkgs.writeText "etc-projid" - (concatStringsSep "\n" (mapAttrsToList - (name: opts: "${name}:${toString opts.id}") cfg.projects)); + (builtins.concatStringsSep "\n" (lib.mapAttrsToList + (name: opts: "${name}:${builtins.toString opts.id}") cfg.projects)); - systemd.services = mapAttrs' (name: opts: - nameValuePair "xfs_quota-${name}" { + systemd.services = lib.mapAttrs' (name: opts: + lib.nameValuePair "xfs_quota-${name}" { description = "Setup xfs_quota for project ${name}"; script = '' ${pkgs.xfsprogs.bin}/bin/xfs_quota -x -c 'project -s ${name}' ${opts.fileSystem} @@ -94,7 +92,7 @@ in ''; wantedBy = [ "multi-user.target" ]; - after = [ ((replaceStrings [ "/" ] [ "-" ] opts.fileSystem) + ".mount") ]; + after = [ ((builtins.replaceStrings [ "/" ] [ "-" ] opts.fileSystem) + ".mount") ]; restartTriggers = [ config.environment.etc.projects.source ]; diff --git a/nixpkgs/nixos/modules/programs/xonsh.nix b/nixpkgs/nixos/modules/programs/xonsh.nix index fefe6b456c96..eed5152ba69a 100644 --- a/nixpkgs/nixos/modules/programs/xonsh.nix +++ b/nixpkgs/nixos/modules/programs/xonsh.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xonsh; @@ -16,29 +14,29 @@ in programs.xonsh = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to configure xonsh as an interactive shell. ''; - type = types.bool; + type = lib.types.bool; }; - package = mkPackageOption pkgs "xonsh" { + package = lib.mkPackageOption pkgs "xonsh" { example = "xonsh.override { extraPackages = ps: [ ps.requests ]; }"; }; - config = mkOption { + config = lib.mkOption { default = ""; description = "Control file to customize your shell behavior."; - type = types.lines; + type = lib.types.lines; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.etc."xonsh/xonshrc".text = '' # /etc/xonsh/xonshrc: DO NOT EDIT -- this file has been generated automatically. diff --git a/nixpkgs/nixos/modules/programs/xss-lock.nix b/nixpkgs/nixos/modules/programs/xss-lock.nix index 1bb73905599f..b818c52e1442 100644 --- a/nixpkgs/nixos/modules/programs/xss-lock.nix +++ b/nixpkgs/nixos/modules/programs/xss-lock.nix @@ -1,26 +1,24 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.xss-lock; in { options.programs.xss-lock = { - enable = mkEnableOption "xss-lock"; + enable = lib.mkEnableOption "xss-lock"; - lockerCommand = mkOption { + lockerCommand = lib.mkOption { default = "${pkgs.i3lock}/bin/i3lock"; - defaultText = literalExpression ''"''${pkgs.i3lock}/bin/i3lock"''; - example = literalExpression ''"''${pkgs.i3lock-fancy}/bin/i3lock-fancy"''; - type = types.separatedString " "; + defaultText = lib.literalExpression ''"''${pkgs.i3lock}/bin/i3lock"''; + example = lib.literalExpression ''"''${pkgs.i3lock-fancy}/bin/i3lock-fancy"''; + type = lib.types.separatedString " "; description = "Locker to be used with xsslock"; }; - extraOptions = mkOption { + extraOptions = lib.mkOption { default = [ ]; example = [ "--ignore-sleep" ]; - type = types.listOf types.str; + type = lib.types.listOf lib.types.str; description = '' Additional command-line arguments to pass to {command}`xss-lock`. @@ -28,19 +26,24 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.user.services.xss-lock = { description = "XSS Lock Daemon"; wantedBy = [ "graphical-session.target" ]; partOf = [ "graphical-session.target" ]; - serviceConfig.ExecStart = with lib; - strings.concatStringsSep " " ([ + serviceConfig.ExecStart = + builtins.concatStringsSep " " ([ "${pkgs.xss-lock}/bin/xss-lock" "--session \${XDG_SESSION_ID}" - ] ++ (map escapeShellArg cfg.extraOptions) ++ [ + ] ++ (builtins.map lib.escapeShellArg cfg.extraOptions) ++ [ "--" cfg.lockerCommand ]); serviceConfig.Restart = "always"; }; + + warnings = lib.mkIf (config.services.xserver.displayManager.startx.enable) [ + "xss-lock service only works if a displayManager is set; it doesn't work when services.xserver.displayManager.startx.enable = true" + ]; + }; } diff --git a/nixpkgs/nixos/modules/programs/xwayland.nix b/nixpkgs/nixos/modules/programs/xwayland.nix index 3a8080fa4c4d..3df3dbf3783f 100644 --- a/nixpkgs/nixos/modules/programs/xwayland.nix +++ b/nixpkgs/nixos/modules/programs/xwayland.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xwayland; @@ -10,13 +8,13 @@ in { options.programs.xwayland = { - enable = mkEnableOption "Xwayland (an X server for interfacing X11 apps with the Wayland protocol)"; + enable = lib.mkEnableOption "Xwayland (an X server for interfacing X11 apps with the Wayland protocol)"; - defaultFontPath = mkOption { - type = types.str; - default = optionalString config.fonts.fontDir.enable + defaultFontPath = lib.mkOption { + type = lib.types.str; + default = lib.optionalString config.fonts.fontDir.enable "/run/current-system/sw/share/X11/fonts"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' optionalString config.fonts.fontDir.enable "/run/current-system/sw/share/X11/fonts" ''; description = '' @@ -24,12 +22,12 @@ in ''; }; - package = mkOption { - type = types.path; + package = lib.mkOption { + type = lib.types.path; default = pkgs.xwayland.override (oldArgs: { inherit (cfg) defaultFontPath; }); - defaultText = literalExpression '' + defaultText = lib.literalExpression '' pkgs.xwayland.override (oldArgs: { inherit (config.programs.xwayland) defaultFontPath; }) @@ -39,7 +37,7 @@ in }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { # Needed by some applications for fonts and default settings environment.pathsToLink = [ "/share/X11" ]; diff --git a/nixpkgs/nixos/modules/programs/yabar.nix b/nixpkgs/nixos/modules/programs/yabar.nix index 6e117506a2dc..0457f8e76655 100644 --- a/nixpkgs/nixos/modules/programs/yabar.nix +++ b/nixpkgs/nixos/modules/programs/yabar.nix @@ -1,18 +1,16 @@ { lib, pkgs, config, ... }: -with lib; - let cfg = config.programs.yabar; - mapExtra = v: lib.concatStringsSep "\n" (mapAttrsToList ( - key: val: "${key} = ${if (isString val) then "\"${val}\"" else "${builtins.toString val}"};" + mapExtra = v: lib.concatStringsSep "\n" (lib.mapAttrsToList ( + key: val: "${key} = ${if (builtins.isString val) then "\"${val}\"" else "${builtins.toString val}"};" ) v); - listKeys = r: concatStringsSep "," (map (n: "\"${n}\"") (attrNames r)); + listKeys = r: builtins.concatStringsSep "," (builtins.map (n: "\"${n}\"") (builtins.attrNames r)); configFile = let - bars = mapAttrsToList ( + bars = lib.mapAttrsToList ( name: cfg: '' ${name}: { font: "${cfg.font}"; @@ -22,7 +20,7 @@ let block-list: [${listKeys cfg.indicators}] - ${concatStringsSep "\n" (mapAttrsToList ( + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList ( name: cfg: '' ${name}: { exec: "${cfg.exec}"; @@ -36,21 +34,21 @@ let ) cfg.bars; in pkgs.writeText "yabar.conf" '' bar-list = [${listKeys cfg.bars}]; - ${concatStringsSep "\n" bars} + ${builtins.concatStringsSep "\n" bars} ''; in { options.programs.yabar = { - enable = mkEnableOption "yabar, a status bar for X window managers"; + enable = lib.mkEnableOption "yabar, a status bar for X window managers"; - package = mkOption { + package = lib.mkOption { default = pkgs.yabar-unstable; - defaultText = literalExpression "pkgs.yabar-unstable"; - example = literalExpression "pkgs.yabar"; - type = types.package; + defaultText = lib.literalExpression "pkgs.yabar-unstable"; + example = lib.literalExpression "pkgs.yabar"; + type = lib.types.package; # `yabar-stable` segfaults under certain conditions. - apply = x: if x == pkgs.yabar-unstable then x else flip warn x '' + apply = x: if x == pkgs.yabar-unstable then x else lib.flip lib.warn x '' It's not recommended to use `yabar' with `programs.yabar', the (old) stable release tends to segfault under certain circumstances: @@ -70,63 +68,63 @@ in ''; }; - bars = mkOption { + bars = lib.mkOption { default = {}; - type = types.attrsOf(types.submodule { + type = lib.types.attrsOf(lib.types.submodule { options = { - font = mkOption { + font = lib.mkOption { default = "sans bold 9"; example = "Droid Sans, FontAwesome Bold 9"; - type = types.str; + type = lib.types.str; description = '' The font that will be used to draw the status bar. ''; }; - position = mkOption { + position = lib.mkOption { default = "top"; example = "bottom"; - type = types.enum [ "top" "bottom" ]; + type = lib.types.enum [ "top" "bottom" ]; description = '' The position where the bar will be rendered. ''; }; - extra = mkOption { + extra = lib.mkOption { default = {}; - type = types.attrsOf types.str; + type = lib.types.attrsOf lib.types.str; description = '' An attribute set which contains further attributes of a bar. ''; }; - indicators = mkOption { + indicators = lib.mkOption { default = {}; - type = types.attrsOf(types.submodule { - options.exec = mkOption { + type = lib.types.attrsOf(lib.types.submodule { + options.exec = lib.mkOption { example = "YABAR_DATE"; - type = types.str; + type = lib.types.str; description = '' The type of the indicator to be executed. ''; }; - options.align = mkOption { + options.align = lib.mkOption { default = "left"; example = "right"; - type = types.enum [ "left" "center" "right" ]; + type = lib.types.enum [ "left" "center" "right" ]; description = '' Whether to align the indicator at the left or right of the bar. ''; }; - options.extra = mkOption { + options.extra = lib.mkOption { default = {}; - type = types.attrsOf (types.either types.str types.int); + type = lib.types.attrsOf (lib.types.either lib.types.str lib.types.int); description = '' An attribute set which contains further attributes of a indicator. @@ -147,7 +145,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.user.services.yabar = { description = "yabar service"; wantedBy = [ "graphical-session.target" ]; diff --git a/nixpkgs/nixos/modules/programs/yazi.nix b/nixpkgs/nixos/modules/programs/yazi.nix index 5905f2afb946..d9f38d8d8118 100644 --- a/nixpkgs/nixos/modules/programs/yazi.nix +++ b/nixpkgs/nixos/modules/programs/yazi.nix @@ -5,7 +5,7 @@ let settingsFormat = pkgs.formats.toml { }; - names = [ "yazi" "theme" "keymap" ]; + files = [ "yazi" "theme" "keymap" ]; in { options.programs.yazi = { @@ -15,7 +15,7 @@ in settings = lib.mkOption { type = with lib.types; submodule { - options = lib.listToAttrs (map + options = (lib.listToAttrs (map (name: lib.nameValuePair name (lib.mkOption { inherit (settingsFormat) type; default = { }; @@ -25,26 +25,65 @@ in See https://yazi-rs.github.io/docs/configuration/${name}/ for documentation. ''; })) - names); + files)); }; default = { }; description = '' Configuration included in `$YAZI_CONFIG_HOME`. ''; }; + + initLua = lib.mkOption { + type = with lib.types; nullOr path; + default = null; + description = '' + The init.lua for Yazi itself. + ''; + example = lib.literalExpression "./init.lua"; + }; + + plugins = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ path package ]); + default = { }; + description = '' + Lua plugins. + + See https://yazi-rs.github.io/docs/plugins/overview/ for documentation. + ''; + example = lib.literalExpression '' + { + foo = ./foo; + bar = pkgs.bar; + } + ''; + }; + + flavors = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ path package ]); + default = { }; + description = '' + Pre-made themes. + + See https://yazi-rs.github.io/docs/flavors/overview/ for documentation. + ''; + example = lib.literalExpression '' + { + foo = ./foo; + bar = pkgs.bar; + } + ''; + }; + }; config = lib.mkIf cfg.enable { - environment = { - systemPackages = [ cfg.package ]; - variables.YAZI_CONFIG_HOME = "/etc/yazi/"; - etc = lib.attrsets.mergeAttrsList (map - (name: lib.optionalAttrs (cfg.settings.${name} != { }) { - "yazi/${name}.toml".source = settingsFormat.generate "${name}.toml" cfg.settings.${name}; - }) - names); - }; + environment.systemPackages = [ + (cfg.package.override { + inherit (cfg) settings initLua plugins flavors; + }) + ]; }; + meta = { maintainers = with lib.maintainers; [ linsui ]; }; diff --git a/nixpkgs/nixos/modules/programs/ydotool.nix b/nixpkgs/nixos/modules/programs/ydotool.nix new file mode 100644 index 000000000000..f639e9283de4 --- /dev/null +++ b/nixpkgs/nixos/modules/programs/ydotool.nix @@ -0,0 +1,83 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.programs.ydotool; +in +{ + meta = { + maintainers = with lib.maintainers; [ quantenzitrone ]; + }; + + options.programs.ydotool = { + enable = lib.mkEnableOption '' + ydotoold system service and install ydotool. + Add yourself to the 'ydotool' group to be able to use it. + ''; + }; + + config = lib.mkIf cfg.enable { + users.groups.ydotool = { }; + + systemd.services.ydotoold = { + description = "ydotoold - backend for ydotool"; + wantedBy = [ "multi-user.target" ]; + partOf = [ "multi-user.target" ]; + serviceConfig = { + Group = "ydotool"; + RuntimeDirectory = "ydotoold"; + RuntimeDirectoryMode = "0750"; + ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660"; + + # hardening + + ## allow access to uinput + DeviceAllow = [ "/dev/uinput" ]; + DevicePolicy = "closed"; + + ## allow creation of unix sockets + RestrictAddressFamilies = [ "AF_UNIX" ]; + + CapabilityBoundingSet = ""; + IPAddressDeny = "any"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateNetwork = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ProtectUser = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; + + # -> systemd-analyze security score 0.7 SAFE 😀 + }; + }; + + environment.variables = { + YDOTOOL_SOCKET = "/run/ydotoold/socket"; + }; + environment.systemPackages = with pkgs; [ ydotool ]; + }; +} diff --git a/nixpkgs/nixos/modules/programs/zmap.nix b/nixpkgs/nixos/modules/programs/zmap.nix index 827d9bedca13..4f31d42c4add 100644 --- a/nixpkgs/nixos/modules/programs/zmap.nix +++ b/nixpkgs/nixos/modules/programs/zmap.nix @@ -1,15 +1,13 @@ { pkgs, config, lib, ... }: -with lib; - let cfg = config.programs.zmap; in { options.programs.zmap = { - enable = mkEnableOption "ZMap, a network scanner designed for Internet-wide network surveys"; + enable = lib.mkEnableOption "ZMap, a network scanner designed for Internet-wide network surveys"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.zmap ]; environment.etc."zmap/blacklist.conf".source = "${pkgs.zmap}/etc/zmap/blacklist.conf"; diff --git a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix index f2a5a7560e40..2120cf1af07e 100644 --- a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix +++ b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.zsh.ohMyZsh; @@ -20,7 +18,7 @@ let custom = if cfg.custom != null then cfg.custom - else if length cfg.customPkgs == 0 then null + else if builtins.length cfg.customPkgs == 0 then null else pkgs.linkFarm "oh-my-zsh-custom" [ (mkLinkFarmEntry' "themes") (mkLinkFarmEntry "completions" "site-functions") @@ -30,60 +28,60 @@ let in { imports = [ - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) ]; options = { programs.zsh.ohMyZsh = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable oh-my-zsh. ''; }; - package = mkPackageOption pkgs "oh-my-zsh" { }; + package = lib.mkPackageOption pkgs "oh-my-zsh" { }; - plugins = mkOption { + plugins = lib.mkOption { default = []; - type = types.listOf(types.str); + type = lib.types.listOf(lib.types.str); description = '' List of oh-my-zsh plugins ''; }; - custom = mkOption { + custom = lib.mkOption { default = null; - type = with types; nullOr str; + type = with lib.types; nullOr str; description = '' Path to a custom oh-my-zsh package to override config of oh-my-zsh. (Can't be used along with `customPkgs`). ''; }; - customPkgs = mkOption { + customPkgs = lib.mkOption { default = []; - type = types.listOf types.package; + type = lib.types.listOf lib.types.package; description = '' List of custom packages that should be loaded into `oh-my-zsh`. ''; }; - theme = mkOption { + theme = lib.mkOption { default = ""; - type = types.str; + type = lib.types.str; description = '' Name of the theme to be used by oh-my-zsh. ''; }; - cacheDir = mkOption { + cacheDir = lib.mkOption { default = "$HOME/.cache/oh-my-zsh"; - type = types.str; + type = lib.types.str; description = '' Cache directory to be used by `oh-my-zsh`. Without this option it would default to the read-only nix store. @@ -92,10 +90,10 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { # Prevent zsh from overwriting oh-my-zsh's prompt - programs.zsh.promptInit = mkDefault ""; + programs.zsh.promptInit = lib.mkDefault ""; environment.systemPackages = [ cfg.package ]; @@ -103,19 +101,19 @@ in # oh-my-zsh configuration generated by NixOS export ZSH=${cfg.package}/share/oh-my-zsh - ${optionalString (length(cfg.plugins) > 0) - "plugins=(${concatStringsSep " " cfg.plugins})" + ${lib.optionalString (builtins.length(cfg.plugins) > 0) + "plugins=(${builtins.concatStringsSep " " cfg.plugins})" } - ${optionalString (custom != null) + ${lib.optionalString (custom != null) "ZSH_CUSTOM=\"${custom}\"" } - ${optionalString (stringLength(cfg.theme) > 0) + ${lib.optionalString (builtins.stringLength(cfg.theme) > 0) "ZSH_THEME=\"${cfg.theme}\"" } - ${optionalString (cfg.cacheDir != null) '' + ${lib.optionalString (cfg.cacheDir != null) '' if [[ ! -d "${cfg.cacheDir}" ]]; then mkdir -p "${cfg.cacheDir}" fi diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix index f07fb5c24d7b..8e0c19f1afea 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.zsh.zsh-autoenv; in { options = { programs.zsh.zsh-autoenv = { - enable = mkEnableOption "zsh-autoenv"; - package = mkPackageOption pkgs "zsh-autoenv" { }; + enable = lib.mkEnableOption "zsh-autoenv"; + package = lib.mkPackageOption pkgs "zsh-autoenv" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.zsh.interactiveShellInit = '' source ${cfg.package}/share/zsh-autoenv/autoenv.zsh ''; diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix index 2e53e907d547..e046c2102500 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix @@ -1,28 +1,26 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.zsh.autosuggestions; in { imports = [ - (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) ]; options.programs.zsh.autosuggestions = { - enable = mkEnableOption "zsh-autosuggestions"; + enable = lib.mkEnableOption "zsh-autosuggestions"; - highlightStyle = mkOption { - type = types.str; + highlightStyle = lib.mkOption { + type = lib.types.str; default = "fg=8"; # https://github.com/zsh-users/zsh-autosuggestions/tree/v0.4.3#suggestion-highlight-style description = "Highlight style for suggestions ({fore,back}ground color)"; example = "fg=cyan"; }; - strategy = mkOption { - type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]); + strategy = lib.mkOption { + type = lib.types.listOf (lib.types.enum [ "history" "completion" "match_prev_cmd" ]); default = [ "history" ]; description = '' `ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated. @@ -37,18 +35,18 @@ in ''; }; - async = mkOption { - type = types.bool; + async = lib.mkOption { + type = lib.types.bool; default = true; description = "Whether to fetch suggestions asynchronously"; example = false; }; - extraConfig = mkOption { - type = with types; attrsOf str; + extraConfig = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; description = "Attribute set with additional configuration values"; - example = literalExpression '' + example = lib.literalExpression '' { "ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE" = "20"; } @@ -57,16 +55,16 @@ in }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.zsh.interactiveShellInit = '' source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="${cfg.highlightStyle}" - export ZSH_AUTOSUGGEST_STRATEGY=(${concatStringsSep " " cfg.strategy}) - ${optionalString (!cfg.async) "unset ZSH_AUTOSUGGEST_USE_ASYNC"} + export ZSH_AUTOSUGGEST_STRATEGY=(${builtins.concatStringsSep " " cfg.strategy}) + ${lib.optionalString (!cfg.async) "unset ZSH_AUTOSUGGEST_USE_ASYNC"} - ${concatStringsSep "\n" (mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)} + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)} ''; }; diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix index 46bc4fcb87f4..3f70c14048c7 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix @@ -1,27 +1,25 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.zsh.syntaxHighlighting; in { imports = [ - (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) ]; options = { programs.zsh.syntaxHighlighting = { - enable = mkEnableOption "zsh-syntax-highlighting"; + enable = lib.mkEnableOption "zsh-syntax-highlighting"; - highlighters = mkOption { + highlighters = lib.mkOption { default = [ "main" ]; # https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md - type = types.listOf(types.enum([ + type = lib.types.listOf(lib.types.enum([ "main" "brackets" "pattern" @@ -39,11 +37,11 @@ in ''; }; - patterns = mkOption { + patterns = lib.mkOption { default = {}; - type = types.attrsOf types.str; + type = lib.types.attrsOf lib.types.str; - example = literalExpression '' + example = lib.literalExpression '' { "rm -rf *" = "fg=white,bold,bg=red"; } @@ -56,11 +54,11 @@ in https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/pattern.md ''; }; - styles = mkOption { + styles = lib.mkOption { default = {}; - type = types.attrsOf types.str; + type = lib.types.attrsOf lib.types.str; - example = literalExpression '' + example = lib.literalExpression '' { "alias" = "fg=magenta,bold"; } @@ -76,30 +74,30 @@ in }; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ]; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.zsh-syntax-highlighting ]; assertions = [ { - assertion = length(attrNames cfg.patterns) > 0 -> elem "pattern" cfg.highlighters; + assertion = builtins.length(builtins.attrNames cfg.patterns) > 0 -> builtins.elem "pattern" cfg.highlighters; message = '' When highlighting patterns, "pattern" needs to be included in the list of highlighters. ''; } ]; - programs.zsh.interactiveShellInit = with pkgs; + programs.zsh.interactiveShellInit = lib.mkAfter (lib.concatStringsSep "\n" ([ - "source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" - ] ++ optional (length(cfg.highlighters) > 0) - "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})" - ++ optionals (length(attrNames cfg.patterns) > 0) - (mapAttrsToList ( + "source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" + ] ++ lib.optional (builtins.length(cfg.highlighters) > 0) + "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${builtins.concatStringsSep " " cfg.highlighters})" + ++ lib.optionals (builtins.length(builtins.attrNames cfg.patterns) > 0) + (lib.mapAttrsToList ( pattern: design: "ZSH_HIGHLIGHT_PATTERNS+=('${pattern}' '${design}')" ) cfg.patterns) - ++ optionals (length(attrNames cfg.styles) > 0) - (mapAttrsToList ( + ++ lib.optionals (builtins.length(builtins.attrNames cfg.styles) > 0) + (lib.mapAttrsToList ( styles: design: "ZSH_HIGHLIGHT_STYLES[${styles}]='${design}'" ) cfg.styles) diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh.nix b/nixpkgs/nixos/modules/programs/zsh/zsh.nix index d7e300b50136..35d2cf461056 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh.nix @@ -2,8 +2,6 @@ { config, lib, options, pkgs, ... }: -with lib; - let cfge = config.environment; @@ -11,9 +9,9 @@ let cfg = config.programs.zsh; opt = options.programs.zsh; - zshAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") - (filterAttrs (k: v: v != null) cfg.shellAliases) + zshAliases = builtins.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "alias -- ${k}=${lib.escapeShellArg v}") + (lib.filterAttrs (k: v: v != null) cfg.shellAliases) ); zshStartupNotes = '' @@ -42,7 +40,7 @@ in programs.zsh = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to configure zsh as an interactive shell. To enable zsh for @@ -50,43 +48,43 @@ in option for that user. To enable zsh system-wide use the {option}`users.defaultUserShell` option. ''; - type = types.bool; + type = lib.types.bool; }; - shellAliases = mkOption { + shellAliases = lib.mkOption { default = { }; description = '' Set of aliases for zsh shell, which overrides {option}`environment.shellAliases`. See {option}`environment.shellAliases` for an option format description. ''; - type = with types; attrsOf (nullOr (either str path)); + type = with lib.types; attrsOf (nullOr (either str path)); }; - shellInit = mkOption { + shellInit = lib.mkOption { default = ""; description = '' Shell script code called during zsh shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - loginShellInit = mkOption { + loginShellInit = lib.mkOption { default = ""; description = '' Shell script code called during zsh login shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - interactiveShellInit = mkOption { + interactiveShellInit = lib.mkOption { default = ""; description = '' Shell script code called during interactive zsh shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - promptInit = mkOption { + promptInit = lib.mkOption { default = '' # Note that to manually override this in ~/.zshrc you should run `prompt off` # before setting your PS1 and etc. Otherwise this will likely to interact with @@ -97,27 +95,27 @@ in description = '' Shell script code used to initialise the zsh prompt. ''; - type = types.lines; + type = lib.types.lines; }; - histSize = mkOption { + histSize = lib.mkOption { default = 2000; description = '' Change history size. ''; - type = types.int; + type = lib.types.int; }; - histFile = mkOption { + histFile = lib.mkOption { default = "$HOME/.zsh_history"; description = '' Change history file. ''; - type = types.str; + type = lib.types.str; }; - setOptions = mkOption { - type = types.listOf types.str; + setOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ "HIST_IGNORE_DUPS" "SHARE_HISTORY" @@ -130,25 +128,25 @@ in ''; }; - enableCompletion = mkOption { + enableCompletion = lib.mkOption { default = true; description = '' Enable zsh completion for all interactive zsh shells. ''; - type = types.bool; + type = lib.types.bool; }; - enableBashCompletion = mkOption { + enableBashCompletion = lib.mkOption { default = false; description = '' Enable compatibility with bash's programmable completion system. ''; - type = types.bool; + type = lib.types.bool; }; - enableGlobalCompInit = mkOption { + enableGlobalCompInit = lib.mkOption { default = cfg.enableCompletion; - defaultText = literalExpression "config.${opt.enableCompletion}"; + defaultText = lib.literalExpression "config.${opt.enableCompletion}"; description = '' Enable execution of compinit call for all interactive zsh shells. @@ -156,24 +154,24 @@ in `fpath` and a custom `compinit` call in the local config is required. ''; - type = types.bool; + type = lib.types.bool; }; - enableLsColors = mkOption { + enableLsColors = lib.mkOption { default = true; description = '' Enable extra colors in directory listings (used by `ls` and `tree`). ''; - type = types.bool; + type = lib.types.bool; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - programs.zsh.shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; + programs.zsh.shellAliases = builtins.mapAttrs (name: lib.mkDefault) cfge.shellAliases; environment.etc.zshenv.text = '' @@ -239,9 +237,9 @@ in if [ -n "$__ETC_ZSHRC_SOURCED" -o -n "$NOSYSZSHRC" ]; then return; fi __ETC_ZSHRC_SOURCED=1 - ${optionalString (cfg.setOptions != []) '' + ${lib.optionalString (cfg.setOptions != []) '' # Set zsh options. - setopt ${concatStringsSep " " cfg.setOptions} + setopt ${builtins.concatStringsSep " " cfg.setOptions} ''} # Alternative method of determining short and full hostname. @@ -249,19 +247,19 @@ in # Setup command line history. # Don't export these, otherwise other shells (bash) will try to use same HISTFILE. - SAVEHIST=${toString cfg.histSize} - HISTSIZE=${toString cfg.histSize} + SAVEHIST=${builtins.toString cfg.histSize} + HISTSIZE=${builtins.toString cfg.histSize} HISTFILE=${cfg.histFile} # Configure sane keyboard defaults. . /etc/zinputrc - ${optionalString cfg.enableGlobalCompInit '' + ${lib.optionalString cfg.enableGlobalCompInit '' # Enable autocompletion. autoload -U compinit && compinit ''} - ${optionalString cfg.enableBashCompletion '' + ${lib.optionalString cfg.enableBashCompletion '' # Enable compatibility with bash's completion system. autoload -U bashcompinit && bashcompinit ''} @@ -271,7 +269,7 @@ in ${cfg.interactiveShellInit} - ${optionalString cfg.enableLsColors '' + ${lib.optionalString cfg.enableLsColors '' # Extra colors for directory listings. eval "$(${pkgs.coreutils}/bin/dircolors -b)" ''} @@ -302,11 +300,11 @@ in environment.etc.zinputrc.text = builtins.readFile ./zinputrc; environment.systemPackages = [ pkgs.zsh ] - ++ optional cfg.enableCompletion pkgs.nix-zsh-completions; + ++ lib.optional cfg.enableCompletion pkgs.nix-zsh-completions; - environment.pathsToLink = optional cfg.enableCompletion "/share/zsh"; + environment.pathsToLink = lib.optional cfg.enableCompletion "/share/zsh"; - #users.defaultUserShell = mkDefault "/run/current-system/sw/bin/zsh"; + #users.defaultUserShell = lib.mkDefault "/run/current-system/sw/bin/zsh"; environment.shells = [ diff --git a/nixpkgs/nixos/modules/security/systemd-confinement.nix b/nixpkgs/nixos/modules/security/systemd-confinement.nix index 0304749b8d10..041c90033886 100644 --- a/nixpkgs/nixos/modules/security/systemd-confinement.nix +++ b/nixpkgs/nixos/modules/security/systemd-confinement.nix @@ -79,13 +79,20 @@ in { description = '' The value `full-apivfs` (the default) sets up private {file}`/dev`, {file}`/proc`, - {file}`/sys` and {file}`/tmp` file systems in a separate user - name space. + {file}`/sys`, {file}`/tmp` and {file}`/var/tmp` file systems + in a separate user name space. If this is set to `chroot-only`, only the file system name space is set up along with the call to {manpage}`chroot(2)`. + In all cases, unless `serviceConfig.PrivateTmp=true` is set, + both {file}`/tmp` and {file}`/var/tmp` paths are added to `InaccessiblePaths=`. + This is to overcome options like `DynamicUser=true` + implying `PrivateTmp=true` without letting it being turned off. + Beware however that giving processes the `CAP_SYS_ADMIN` and `@mount` privileges + can let them undo the effects of `InaccessiblePaths=`. + ::: {.note} This doesn't cover network namespaces and is solely for file system level isolation. @@ -98,8 +105,12 @@ in { wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs"); in lib.mkIf config.confinement.enable { serviceConfig = { - RootDirectory = "/var/empty"; - TemporaryFileSystem = "/"; + ReadOnlyPaths = [ "+/" ]; + RuntimeDirectory = [ "confinement/${mkPathSafeName name}" ]; + RootDirectory = "/run/confinement/${mkPathSafeName name}"; + InaccessiblePaths = [ + "-+/run/confinement/${mkPathSafeName name}" + ]; PrivateMounts = lib.mkDefault true; # https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt @@ -148,16 +159,6 @@ in { + " Please either define a separate service or find a way to run" + " commands other than ExecStart within the chroot."; } - { assertion = !cfg.serviceConfig.DynamicUser or false; - message = "${whatOpt "DynamicUser"}. Please create a dedicated user via" - + " the 'users.users' option instead as this combination is" - + " currently not supported."; - } - { assertion = cfg.serviceConfig ? ProtectSystem -> cfg.serviceConfig.ProtectSystem == false; - message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" - + " with service confinement as it fails to remount /usr within" - + " our chroot. Please disable the option."; - } ]) config.systemd.services); config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let @@ -183,6 +184,13 @@ in { echo "BindReadOnlyPaths=$realprog:/bin/sh" >> "$serviceFile" ''} + # If DynamicUser= is enabled, PrivateTmp=true is implied (and cannot be turned off). + # so disable them unless PrivateTmp=true is explicitely set. + ${lib.optionalString (!cfg.serviceConfig.PrivateTmp) '' + echo "InaccessiblePaths=-+/tmp" >> "$serviceFile" + echo "InaccessiblePaths=-+/var/tmp" >> "$serviceFile" + ''} + while read storePath; do if [ -L "$storePath" ]; then # Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths, diff --git a/nixpkgs/nixos/modules/services/admin/pgadmin.nix b/nixpkgs/nixos/modules/services/admin/pgadmin.nix index ead0c3c6c9a3..b3dd3c78874c 100644 --- a/nixpkgs/nixos/modules/services/admin/pgadmin.nix +++ b/nixpkgs/nixos/modules/services/admin/pgadmin.nix @@ -152,7 +152,8 @@ in # Check here for password length to prevent pgadmin from starting # and presenting a hard to find error message # see https://github.com/NixOS/nixpkgs/issues/270624 - PW_LENGTH=$(wc -m < ${escapeShellArg cfg.initialPasswordFile}) + PW_FILE="$CREDENTIALS_DIRECTORY/initial_password" + PW_LENGTH=$(wc -m < "$PW_FILE") if [ $PW_LENGTH -lt ${toString cfg.minimumPasswordLength} ]; then echo "Password must be at least ${toString cfg.minimumPasswordLength} characters long" exit 1 @@ -162,7 +163,7 @@ in echo ${escapeShellArg cfg.initialEmail} # file might not contain newline. echo hack fixes that. - PW=$(cat ${escapeShellArg cfg.initialPasswordFile}) + PW=$(cat "$PW_FILE") # Password: echo "$PW" @@ -181,6 +182,8 @@ in LogsDirectory = "pgadmin"; StateDirectory = "pgadmin"; ExecStart = "${cfg.package}/bin/pgadmin4"; + LoadCredential = [ "initial_password:${cfg.initialPasswordFile}" ] + ++ optional cfg.emailServer.enable "email_password:${cfg.emailServer.passwordFile}"; }; }; @@ -193,7 +196,8 @@ in environment.etc."pgadmin/config_system.py" = { text = lib.optionalString cfg.emailServer.enable '' - with open("${cfg.emailServer.passwordFile}") as f: + import os + with open(os.path.join(os.environ['CREDENTIALS_DIRECTORY'], 'email_password')) as f: pw = f.read() MAIL_PASSWORD = pw '' + formatPy cfg.settings; diff --git a/nixpkgs/nixos/modules/services/audio/navidrome.nix b/nixpkgs/nixos/modules/services/audio/navidrome.nix index a5a7e805e3d6..ca1cd6ca43af 100644 --- a/nixpkgs/nixos/modules/services/audio/navidrome.nix +++ b/nixpkgs/nixos/modules/services/audio/navidrome.nix @@ -1,11 +1,17 @@ -{ config, lib, pkgs, ... }: - -with lib; +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) mkEnableOption mkPackageOption mkOption maintainers; + inherit (lib.types) bool str; cfg = config.services.navidrome; - settingsFormat = pkgs.formats.json {}; -in { + settingsFormat = pkgs.formats.json { }; +in +{ options = { services.navidrome = { @@ -13,9 +19,8 @@ in { package = mkPackageOption pkgs "navidrome" { }; - settings = mkOption rec { + settings = mkOption { type = settingsFormat.type; - apply = recursiveUpdate default; default = { Address = "127.0.0.1"; Port = 4533; @@ -23,62 +28,111 @@ in { example = { MusicFolder = "/mnt/music"; }; - description = '' - Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values. - ''; + description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values."; + }; + + user = mkOption { + type = str; + default = "navidrome"; + description = "User under which Navidrome runs."; + }; + + group = mkOption { + type = str; + default = "navidrome"; + description = "Group under which Navidrome runs."; }; openFirewall = mkOption { - type = types.bool; + type = bool; default = false; description = "Whether to open the TCP port in the firewall"; }; }; }; - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port]; + config = + let + inherit (lib) mkIf optional getExe; + WorkingDirectory = "/var/lib/navidrome"; + in + mkIf cfg.enable { + systemd = { + tmpfiles.settings.navidromeDirs = { + "${cfg.settings.DataFolder or WorkingDirectory}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + "${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + }; + services.navidrome = { + description = "Navidrome Media Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} + ''; + User = cfg.user; + Group = cfg.group; + StateDirectory = "navidrome"; + inherit WorkingDirectory; + RuntimeDirectory = "navidrome"; + RootDirectory = "/run/navidrome"; + ReadWritePaths = ""; + BindPaths = + optional (cfg.settings ? DataFolder) cfg.settings.DataFolder + ++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder; + BindReadOnlyPaths = [ + # navidrome uses online services to download additional album metadata / covers + "${ + config.environment.etc."ssl/certs/ca-certificates.crt".source + }:/etc/ssl/certs/ca-certificates.crt" + builtins.storeDir + "/etc" + ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; + CapabilityBoundingSet = ""; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + UMask = "0066"; + ProtectHostname = true; + }; + }; + }; - systemd.services.navidrome = { - description = "Navidrome Media Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} - ''; - DynamicUser = true; - StateDirectory = "navidrome"; - WorkingDirectory = "/var/lib/navidrome"; - RuntimeDirectory = "navidrome"; - RootDirectory = "/run/navidrome"; - ReadWritePaths = ""; - BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; - BindReadOnlyPaths = [ - # navidrome uses online services to download additional album metadata / covers - "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" - builtins.storeDir - "/etc" - ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; - CapabilityBoundingSet = ""; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; - RestrictNamespaces = true; - PrivateDevices = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" ]; - RestrictRealtime = true; - LockPersonality = true; - MemoryDenyWriteExecute = true; - UMask = "0066"; - ProtectHostname = true; + users.users = mkIf (cfg.user == "navidrome") { + navidrome = { + inherit (cfg) group; + isSystemUser = true; + }; }; + + users.groups = mkIf (cfg.group == "navidrome") { navidrome = { }; }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ]; }; - }; + meta.maintainers = with maintainers; [ nu-nu-ko ]; } diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.nix b/nixpkgs/nixos/modules/services/backup/borgbackup.nix index 570f8931bd9e..04f971008073 100644 --- a/nixpkgs/nixos/modules/services/backup/borgbackup.nix +++ b/nixpkgs/nixos/modules/services/backup/borgbackup.nix @@ -33,13 +33,24 @@ let } trap on_exit EXIT + borgWrapper () { + local result + borg "$@" && result=$? || result=$? + if [[ -z "${toString cfg.failOnWarnings}" ]] && [[ "$result" == 1 ]]; then + echo "ignoring warning return value 1" + return 0 + else + return "$result" + fi + } + archiveName="${optionalString (cfg.archiveBaseName != null) (cfg.archiveBaseName + "-")}$(date ${cfg.dateFormat})" archiveSuffix="${optionalString cfg.appendFailedSuffix ".failed"}" ${cfg.preHook} '' + optionalString cfg.doInit '' # Run borg init if the repo doesn't exist yet - if ! borg list $extraArgs > /dev/null; then - borg init $extraArgs \ + if ! borgWrapper list $extraArgs > /dev/null; then + borgWrapper init $extraArgs \ --encryption ${cfg.encryption.mode} \ $extraInitArgs ${cfg.postInit} @@ -48,7 +59,7 @@ let ( set -o pipefail ${optionalString (cfg.dumpCommand != null) ''${escapeShellArg cfg.dumpCommand} | \''} - borg create $extraArgs \ + borgWrapper create $extraArgs \ --compression ${cfg.compression} \ --exclude-from ${mkExcludeFile cfg} \ --patterns-from ${mkPatternsFile cfg} \ @@ -57,16 +68,16 @@ let ${if cfg.paths == null then "-" else escapeShellArgs cfg.paths} ) '' + optionalString cfg.appendFailedSuffix '' - borg rename $extraArgs \ + borgWrapper rename $extraArgs \ "::$archiveName$archiveSuffix" "$archiveName" '' + '' ${cfg.postCreate} '' + optionalString (cfg.prune.keep != { }) '' - borg prune $extraArgs \ + borgWrapper prune $extraArgs \ ${mkKeepArgs cfg} \ ${optionalString (cfg.prune.prefix != null) "--glob-archives ${escapeShellArg "${cfg.prune.prefix}*"}"} \ $extraPruneArgs - borg compact $extraArgs $extraCompactArgs + borgWrapper compact $extraArgs $extraCompactArgs ${cfg.postPrune} ''); @@ -488,6 +499,15 @@ in { default = true; }; + failOnWarnings = mkOption { + type = types.bool; + description = '' + Fail the whole backup job if any borg command returns a warning + (exit code 1), for example because a file changed during backup. + ''; + default = true; + }; + doInit = mkOption { type = types.bool; description = '' diff --git a/nixpkgs/nixos/modules/services/backup/restic.nix b/nixpkgs/nixos/modules/services/backup/restic.nix index 8b56636c7969..8be2649189b9 100644 --- a/nixpkgs/nixos/modules/services/backup/restic.nix +++ b/nixpkgs/nixos/modules/services/backup/restic.nix @@ -11,7 +11,7 @@ in description = '' Periodic backups to create with Restic. ''; - type = types.attrsOf (types.submodule ({ config, name, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { passwordFile = mkOption { type = types.str; @@ -206,12 +206,19 @@ in ]; }; + runCheck = mkOption { + type = types.bool; + default = (builtins.length config.services.restic.backups.${name}.checkOpts > 0); + defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0''; + description = "Whether to run the `check` command with the provided `checkOpts` options."; + example = true; + }; + checkOpts = mkOption { type = types.listOf types.str; default = [ ]; description = '' - A list of options for 'restic check', which is run after - pruning. + A list of options for 'restic check'. ''; example = [ "--with-cache" @@ -298,7 +305,9 @@ in doBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != []); pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [ (resticCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts)) - (resticCmd + " check " + (concatStringsSep " " backup.checkOpts)) + ]; + checkCmd = optionals backup.runCheck [ + (resticCmd + " check " + (concatStringsSep " " backup.checkOpts)) ]; # Helper functions for rclone remotes rcloneRemoteName = builtins.elemAt (splitString ":" backup.repository) 1; @@ -331,7 +340,7 @@ in serviceConfig = { Type = "oneshot"; ExecStart = (optionals doBackup [ "${resticCmd} backup ${concatStringsSep " " (backup.extraBackupArgs ++ excludeFlags)} --files-from=${filesFromTmpFile}" ]) - ++ pruneCmd; + ++ pruneCmd ++ checkCmd; User = backup.user; RuntimeDirectory = "restic-backups-${name}"; CacheDirectory = "restic-backups-${name}"; diff --git a/nixpkgs/nixos/modules/services/cluster/k3s/default.nix b/nixpkgs/nixos/modules/services/cluster/k3s/default.nix index 040cf7640de1..4d18d378d794 100644 --- a/nixpkgs/nixos/modules/services/cluster/k3s/default.nix +++ b/nixpkgs/nixos/modules/services/cluster/k3s/default.nix @@ -1,15 +1,25 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.k3s; - removeOption = config: instruction: - lib.mkRemovedOptionModule ([ "services" "k3s" ] ++ config) instruction; + removeOption = + config: instruction: + lib.mkRemovedOptionModule ( + [ + "services" + "k3s" + ] + ++ config + ) instruction; in { - imports = [ - (removeOption [ "docker" ] "k3s docker option is no longer supported.") - ]; + imports = [ (removeOption [ "docker" ] "k3s docker option is no longer supported.") ]; # interface options.services.k3s = { @@ -33,7 +43,10 @@ in - `serverAddr` is required. ''; default = "server"; - type = types.enum [ "server" "agent" ]; + type = types.enum [ + "server" + "agent" + ]; }; serverAddr = mkOption { @@ -125,7 +138,8 @@ in message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'"; } { - assertion = cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != ""; + assertion = + cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != ""; message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'"; } { @@ -142,8 +156,14 @@ in systemd.services.k3s = { description = "k3s service"; - after = [ "firewall.service" "network-online.target" ]; - wants = [ "firewall.service" "network-online.target" ]; + after = [ + "firewall.service" + "network-online.target" + ]; + wants = [ + "firewall.service" + "network-online.target" + ]; wantedBy = [ "multi-user.target" ]; path = optional config.boot.zfs.enabled config.boot.zfs.package; serviceConfig = { @@ -159,9 +179,7 @@ in TasksMax = "infinity"; EnvironmentFile = cfg.environmentFile; ExecStart = concatStringsSep " \\\n " ( - [ - "${cfg.package}/bin/k3s ${cfg.role}" - ] + [ "${cfg.package}/bin/k3s ${cfg.role}" ] ++ (optional cfg.clusterInit "--cluster-init") ++ (optional cfg.disableAgent "--disable-agent") ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}") diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix index 35d3ba0aa209..8a9d8c210b34 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.nix +++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix @@ -37,7 +37,7 @@ let # package = pkgs.postgresql_<major>; # }; # works. - base = if cfg.enableJIT then cfg.package.withJIT else cfg.package; + base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT; in if cfg.extraPlugins == [] then base diff --git a/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix b/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix index 08507b4d370a..842b0716b928 100644 --- a/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix @@ -286,6 +286,15 @@ in { kde-smartcard = lib.mkIf config.security.pam.p11.enable { p11Auth = true; }; }; + security.wrappers = { + kwin_wayland = { + owner = "root"; + group = "root"; + capabilities = "cap_sys_nice+ep"; + source = "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland"; + }; + }; + programs.dconf.enable = true; programs.firefox.nativeMessagingHosts.packages = [kdePackages.plasma-browser-integration]; diff --git a/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix b/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix index b56027b6eb4b..d81a9edfa126 100644 --- a/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix +++ b/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix @@ -16,7 +16,21 @@ ###### implementation config = lib.mkIf config.services.gnome.gnome-remote-desktop.enable { services.pipewire.enable = true; + services.dbus.packages = [ pkgs.gnome.gnome-remote-desktop ]; + + environment.systemPackages = [ pkgs.gnome.gnome-remote-desktop ]; systemd.packages = [ pkgs.gnome.gnome-remote-desktop ]; + systemd.tmpfiles.packages = [ pkgs.gnome.gnome-remote-desktop ]; + + # TODO: if possible, switch to using provided g-r-d sysusers.d + users = { + users.gnome-remote-desktop = { + isSystemUser = true; + group = "gnome-remote-desktop"; + home = "/var/lib/gnome-remote-desktop"; + }; + groups.gnome-remote-desktop = { }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/display-managers/default.nix b/nixpkgs/nixos/modules/services/display-managers/default.nix index 005ae8f1c8a5..feba4b163ccd 100644 --- a/nixpkgs/nixos/modules/services/display-managers/default.nix +++ b/nixpkgs/nixos/modules/services/display-managers/default.nix @@ -113,10 +113,10 @@ in type = lib.types.nullOr lib.types.str // { description = "session name"; check = d: - lib.assertMsg (d != null -> (lib.types.str.check d && lib.elem d config.services.displayManager.sessionData.sessionNames)) '' + lib.assertMsg (d != null -> (lib.types.str.check d && lib.elem d cfg.sessionData.sessionNames)) '' Default graphical session, '${d}', not found. Valid names for 'services.displayManager.defaultSession' are: - ${lib.concatStringsSep "\n " cfg.displayManager.sessionData.sessionNames} + ${lib.concatStringsSep "\n " cfg.sessionData.sessionNames} ''; }; default = null; @@ -187,7 +187,7 @@ in services.displayManager.sessionData = { desktops = installedSessions; - sessionNames = lib.concatMap (p: p.providedSessions) config.services.displayManager.sessionPackages; + sessionNames = lib.concatMap (p: p.providedSessions) cfg.sessionPackages; # We do not want to force users to set defaultSession when they have only single DE. autologinSession = if cfg.defaultSession != null then diff --git a/nixpkgs/nixos/modules/services/display-managers/greetd.nix b/nixpkgs/nixos/modules/services/display-managers/greetd.nix index c07b225fc4d9..118a3e1df378 100644 --- a/nixpkgs/nixos/modules/services/display-managers/greetd.nix +++ b/nixpkgs/nixos/modules/services/display-managers/greetd.nix @@ -27,6 +27,17 @@ in ''; }; + greeterManagesPlymouth = mkOption { + type = types.bool; + internal = true; + default = false; + description = '' + Don't configure the greetd service to wait for Plymouth to exit. + + Enable this if the greeter you're using can manage Plymouth itself to provide a smoother handoff. + ''; + }; + vt = mkOption { type = types.int; default = 1; @@ -72,8 +83,9 @@ in ]; After = [ "systemd-user-sessions.service" - "plymouth-quit-wait.service" "getty@${tty}.service" + ] ++ lib.optionals (!cfg.greeterManagesPlymouth) [ + "plymouth-quit-wait.service" ]; Conflicts = [ "getty@${tty}.service" diff --git a/nixpkgs/nixos/modules/services/display-managers/sddm.nix b/nixpkgs/nixos/modules/services/display-managers/sddm.nix index a6bfa213fe38..54356f7bb617 100644 --- a/nixpkgs/nixos/modules/services/display-managers/sddm.nix +++ b/nixpkgs/nixos/modules/services/display-managers/sddm.nix @@ -66,7 +66,14 @@ let HideShells = "/run/current-system/sw/bin/nologin"; }; - X11 = optionalAttrs xcfg.enable { + Wayland = { + EnableHiDPI = cfg.enableHidpi; + SessionDir = "${dmcfg.sessionData.desktops}/share/wayland-sessions"; + CompositorCommand = lib.optionalString cfg.wayland.enable cfg.wayland.compositorCommand; + }; + + } // optionalAttrs xcfg.enable { + X11 = { MinimumVT = if xcfg.tty != null then xcfg.tty else 7; ServerPath = toString xserverWrapper; XephyrPath = "${pkgs.xorg.xorgserver.out}/bin/Xephyr"; @@ -77,12 +84,6 @@ let DisplayStopCommand = toString Xstop; EnableHiDPI = cfg.enableHidpi; }; - - Wayland = { - EnableHiDPI = cfg.enableHidpi; - SessionDir = "${dmcfg.sessionData.desktops}/share/wayland-sessions"; - CompositorCommand = lib.optionalString cfg.wayland.enable cfg.wayland.compositorCommand; - }; } // optionalAttrs dmcfg.autoLogin.enable { Autologin = { User = dmcfg.autoLogin.user; diff --git a/nixpkgs/nixos/modules/services/hardware/kanata.nix b/nixpkgs/nixos/modules/services/hardware/kanata.nix index 333b2d2a88a5..46af3e36b985 100644 --- a/nixpkgs/nixos/modules/services/hardware/kanata.nix +++ b/nixpkgs/nixos/modules/services/hardware/kanata.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.kanata; + upstreamDoc = "See [the upstream documentation](https://github.com/jtroo/kanata/blob/main/docs/config.adoc) and [example config files](https://github.com/jtroo/kanata/tree/main/cfg_samples) for more information."; + keyboard = { options = { devices = mkOption { @@ -22,28 +24,16 @@ let type = types.lines; example = '' (defsrc - grv 1 2 3 4 5 6 7 8 9 0 - = bspc - tab q w e r t y u i o p [ ] \ - caps a s d f g h j k l ; ' ret - lsft z x c v b n m , . / rsft - lctl lmet lalt spc ralt rmet rctl) - - (deflayer qwerty - grv 1 2 3 4 5 6 7 8 9 0 - = bspc - tab q w e r t y u i o p [ ] \ - @cap a s d f g h j k l ; ' ret - lsft z x c v b n m , . / rsft - lctl lmet lalt spc ralt rmet rctl) - - (defalias - ;; tap within 100ms for capslk, hold more than 100ms for lctl - cap (tap-hold 100 100 caps lctl)) + caps) + + (deflayermap (default-layer) + ;; tap caps lock as caps lock, hold caps lock as left control + caps (tap-hold 100 100 caps lctl)) ''; description = '' Configuration other than `defcfg`. - See [example config files](https://github.com/jtroo/kanata) - for more information. + ${upstreamDoc} ''; }; extraDefCfg = mkOption { @@ -55,8 +45,7 @@ let from the devices option) and `linux-continue-if-no-devs-found` (hardcoded to be yes). - See [example config files](https://github.com/jtroo/kanata) - for more information. + ${upstreamDoc} ''; }; extraArgs = mkOption { @@ -86,14 +75,20 @@ let in optionalString ((length devices) > 0) "linux-dev (${devicesString})"; - mkConfig = name: keyboard: pkgs.writeText "${mkName name}-config.kdb" '' - (defcfg - ${keyboard.extraDefCfg} - ${mkDevices keyboard.devices} - linux-continue-if-no-devs-found yes) - - ${keyboard.config} - ''; + mkConfig = name: keyboard: pkgs.writeTextFile { + name = "${mkName name}-config.kdb"; + text = '' + (defcfg + ${keyboard.extraDefCfg} + ${mkDevices keyboard.devices} + linux-continue-if-no-devs-found yes) + + ${keyboard.config} + ''; + checkPhase = '' + ${getExe cfg.package} --cfg "$target" --check --debug + ''; + }; mkService = name: keyboard: nameValuePair (mkName name) { wantedBy = [ "multi-user.target" ]; @@ -153,7 +148,7 @@ in options.services.kanata = { enable = mkEnableOption "kanata, a tool to improve keyboard comfort and usability with advanced customization"; package = mkPackageOption pkgs "kanata" { - example = "kanata-with-cmd"; + example = [ "kanata-with-cmd" ]; extraDescription = '' ::: {.note} If {option}`danger-enable-cmd` is enabled in any of the keyboards, the diff --git a/nixpkgs/nixos/modules/services/hardware/thermald.nix b/nixpkgs/nixos/modules/services/hardware/thermald.nix index 4f9202d13d90..fb7cf3735a7e 100644 --- a/nixpkgs/nixos/modules/services/hardware/thermald.nix +++ b/nixpkgs/nixos/modules/services/hardware/thermald.nix @@ -28,7 +28,13 @@ in configFile = mkOption { type = types.nullOr types.path; default = null; - description = "the thermald manual configuration file."; + description = '' + The thermald manual configuration file. + + Leave unspecified to run with the `--adaptive` flag instead which will have thermald use your computer's DPTF adaptive tables. + + See `man thermald` for more information. + ''; }; package = mkPackageOption pkgs "thermald" { }; @@ -49,9 +55,8 @@ in --no-daemon \ ${optionalString cfg.debug "--loglevel=debug"} \ ${optionalString cfg.ignoreCpuidCheck "--ignore-cpuid-check"} \ - ${optionalString (cfg.configFile != null) "--config-file ${cfg.configFile}"} \ - --dbus-enable \ - --adaptive + ${if cfg.configFile != null then "--config-file ${cfg.configFile}" else "--adaptive"} \ + --dbus-enable ''; }; }; diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index 3db661644281..62603d20e2d3 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -167,10 +167,16 @@ let mv etc/udev/hwdb.bin $out ''; - compressFirmware = firmware: if (config.boot.kernelPackages.kernelAtLeast "5.3" && (firmware.compressFirmware or true)) then - pkgs.compressFirmwareXz firmware - else - id firmware; + compressFirmware = firmware: + let + inherit (config.boot.kernelPackages) kernelAtLeast; + in + if ! (firmware.compressFirmware or true) then + firmware + else + if kernelAtLeast "5.19" then pkgs.compressFirmwareZstd firmware + else if kernelAtLeast "5.3" then pkgs.compressFirmwareXz firmware + else firmware; # Udev has a 512-character limit for ENV{PATH}, so create a symlink # tree to work around this. diff --git a/nixpkgs/nixos/modules/services/home-automation/ebusd.nix b/nixpkgs/nixos/modules/services/home-automation/ebusd.nix index d388022d7b50..ac9ec06639c1 100644 --- a/nixpkgs/nixos/modules/services/home-automation/ebusd.nix +++ b/nixpkgs/nixos/modules/services/home-automation/ebusd.nix @@ -4,41 +4,6 @@ with lib; let cfg = config.services.ebusd; - - package = pkgs.ebusd; - - arguments = [ - "${package}/bin/ebusd" - "--foreground" - "--updatecheck=off" - "--device=${cfg.device}" - "--port=${toString cfg.port}" - "--configpath=${cfg.configpath}" - "--scanconfig=${cfg.scanconfig}" - "--log=all:${cfg.logs.all}" - "--log=main:${cfg.logs.main}" - "--log=network:${cfg.logs.network}" - "--log=bus:${cfg.logs.bus}" - "--log=update:${cfg.logs.update}" - "--log=other:${cfg.logs.other}" - ] ++ lib.optionals cfg.readonly [ - "--readonly" - ] ++ lib.optionals cfg.mqtt.enable [ - "--mqtthost=${cfg.mqtt.host}" - "--mqttport=${toString cfg.mqtt.port}" - "--mqttuser=${cfg.mqtt.user}" - "--mqttpass=${cfg.mqtt.password}" - ] ++ lib.optionals cfg.mqtt.home-assistant [ - "--mqttint=${package}/etc/ebusd/mqtt-hassio.cfg" - "--mqttjson" - ] ++ lib.optionals cfg.mqtt.retain [ - "--mqttretain" - ] ++ cfg.extraArguments; - - usesDev = hasPrefix "/" cfg.device; - - command = concatStringsSep " " arguments; - in { meta.maintainers = with maintainers; [ nathan-gs ]; @@ -46,6 +11,8 @@ in options.services.ebusd = { enable = mkEnableOption "ebusd, a daemon for communication with eBUS heating systems"; + package = mkPackageOptionMD pkgs "ebusd" { }; + device = mkOption { type = types.str; default = ""; @@ -57,7 +24,8 @@ in ens:DEVICE for enhanced high speed serial device (only adapter v3 and newer with firmware since 20220731), DEVICE for serial device (normal speed, for all other serial adapters like adapter v2 as well as adapter v3 in non-enhanced mode), or [udp:]IP:PORT for network device. - https://github.com/john30/ebusd/wiki/2.-Run#device-options + + Source: <https://github.com/john30/ebusd/wiki/2.-Run#device-options> ''; }; @@ -81,7 +49,7 @@ in type = types.str; default = "https://cfg.ebusd.eu/"; description = '' - Read CSV config files from PATH (local folder or HTTPS URL) [https://cfg.ebusd.eu/] + Directory to read CSV config files from. This can be a local folder or a URL. ''; }; @@ -95,65 +63,21 @@ in ''; }; - logs = { - main = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - network = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - bus = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - update = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - other = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - all = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - }; + logs = let + # "all" must come first so it can be overridden by more specific areas + areas = [ "all" "main" "network" "bus" "update" "other" ]; + levels = [ "none" "error" "notice" "info" "debug" ]; + in listToAttrs (map (area: nameValuePair area (mkOption { + type = types.enum levels; + default = "notice"; + example = "debug"; + description = '' + Only write log for matching `AREA`s (${concatStringsSep "|" areas}) below or equal to `LEVEL` (${concatStringsSep "|" levels}) + ''; + })) areas); mqtt = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Adds support for MQTT - ''; - }; + enable = mkEnableOption "support for MQTT"; host = mkOption { type = types.str; @@ -179,13 +103,7 @@ in ''; }; - retain = mkOption { - type = types.bool; - default = false; - description = '' - Set the retain flag on all topics instead of only selected global ones - ''; - }; + retain = mkEnableOption "set the retain flag on all topics instead of only selected global ones"; user = mkOption { type = types.str; @@ -200,7 +118,6 @@ in The MQTT password. ''; }; - }; extraArguments = mkOption { @@ -210,25 +127,44 @@ in Extra arguments to the ebus daemon ''; }; - }; - config = mkIf (cfg.enable) { - + config = let + usesDev = hasPrefix "/" cfg.device; + in mkIf cfg.enable { systemd.services.ebusd = { description = "EBUSd Service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - ExecStart = command; + ExecStart = let + args = cli.toGNUCommandLineShell { } (foldr (a: b: a // b) { } [ + { + inherit (cfg) device port configpath scanconfig readonly; + foreground = true; + updatecheck = "off"; + log = mapAttrsToList (name: value: "${name}:${value}") cfg.logs; + mqttretain = cfg.mqtt.retain; + } + (optionalAttrs cfg.mqtt.enable { + mqtthost = cfg.mqtt.host; + mqttport = cfg.mqtt.port; + mqttuser = cfg.mqtt.user; + mqttpass = cfg.mqtt.password; + }) + (optionalAttrs cfg.mqtt.home-assistant { + mqttint = "${cfg.package}/etc/ebusd/mqtt-hassio.cfg"; + mqttjson = true; + }) + ]); + in "${cfg.package}/bin/ebusd ${args} ${escapeShellArgs cfg.extraArguments}"; + DynamicUser = true; Restart = "on-failure"; # Hardening CapabilityBoundingSet = ""; - DeviceAllow = lib.optionals usesDev [ - cfg.device - ] ; + DeviceAllow = optionals usesDev [ cfg.device ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = false; @@ -254,9 +190,7 @@ in RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; - SupplementaryGroups = [ - "dialout" - ]; + SupplementaryGroups = [ "dialout" ]; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service @pkey" @@ -265,6 +199,5 @@ in UMask = "0077"; }; }; - }; } diff --git a/nixpkgs/nixos/modules/services/logging/promtail.nix b/nixpkgs/nixos/modules/services/logging/promtail.nix index a34bc07b6ab2..9eccd34cef23 100644 --- a/nixpkgs/nixos/modules/services/logging/promtail.nix +++ b/nixpkgs/nixos/modules/services/logging/promtail.nix @@ -41,6 +41,10 @@ in { wantedBy = [ "multi-user.target" ]; stopIfChanged = false; + preStart = '' + ${lib.getExe pkgs.promtail} -config.file=${prettyJSON cfg.configuration} -check-syntax + ''; + serviceConfig = { Restart = "on-failure"; TimeoutStopSec = 10; diff --git a/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix b/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix index 9cc919fd117d..c69a2ca400ba 100644 --- a/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix +++ b/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix @@ -7,11 +7,28 @@ let configFormat = pkgs.formats.toml { }; configFile = configFormat.generate "stalwart-mail.toml" cfg.settings; dataDir = "/var/lib/stalwart-mail"; + stalwartAtLeast = versionAtLeast cfg.package.version; in { options.services.stalwart-mail = { enable = mkEnableOption "the Stalwart all-in-one email server"; - package = mkPackageOption pkgs "stalwart-mail" { }; + + package = mkOption { + type = types.package; + description = '' + Which package to use for the Stalwart mail server. + + ::: {.note} + Upgrading from version 0.6.0 to version 0.7.0 or higher requires manual + intervention. See <https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md> + for upgrade instructions. + ::: + ''; + default = pkgs.stalwart-mail_0_6; + defaultText = lib.literalExpression "pkgs.stalwart-mail_0_6"; + example = lib.literalExpression "pkgs.stalwart-mail"; + relatedPackages = [ "stalwart-mail_0_6" "stalwart-mail" ]; + }; settings = mkOption { inherit (configFormat) type; @@ -26,6 +43,18 @@ in { }; config = mkIf cfg.enable { + + warnings = lib.optionals (!stalwartAtLeast "0.7.0") [ + '' + Versions of stalwart-mail < 0.7.0 will get deprecated in NixOS 24.11. + Please set services.stalwart-mail.package to pkgs.stalwart-mail to + upgrade to the latest version. + Please note that upgrading to version >= 0.7 requires manual + intervention, see <https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md> + for upgrade instructions. + '' + ]; + # Default config: all local services.stalwart-mail.settings = { global.tracing.method = mkDefault "stdout"; @@ -38,6 +67,7 @@ in { store.blob.path = mkDefault "${dataDir}/data/blobs"; storage.data = mkDefault "db"; storage.fts = mkDefault "db"; + storage.lookup = mkDefault "db"; storage.blob = mkDefault "blob"; resolver.type = mkDefault "system"; resolver.public-suffix = mkDefault ["https://publicsuffix.org/list/public_suffix_list.dat"]; diff --git a/nixpkgs/nixos/modules/services/matrix/conduit.nix b/nixpkgs/nixos/modules/services/matrix/conduit.nix index 9b8a4f45c268..b1d9b0424295 100644 --- a/nixpkgs/nixos/modules/services/matrix/conduit.nix +++ b/nixpkgs/nixos/modules/services/matrix/conduit.nix @@ -9,7 +9,7 @@ let configFile = format.generate "conduit.toml" cfg.settings; in { - meta.maintainers = with maintainers; [ pstn piegames ]; + meta.maintainers = with maintainers; [ pstn ]; options.services.matrix-conduit = { enable = mkEnableOption "matrix-conduit"; diff --git a/nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix b/nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix new file mode 100644 index 000000000000..faca10551abb --- /dev/null +++ b/nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix @@ -0,0 +1,249 @@ +{ lib +, config +, pkgs +, ... +}: +let + cfg = config.services.mautrix-signal; + dataDir = "/var/lib/mautrix-signal"; + registrationFile = "${dataDir}/signal-registration.yaml"; + settingsFile = "${dataDir}/config.yaml"; + settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" cfg.settings; + settingsFormat = pkgs.formats.json { }; + appservicePort = 29328; + + # to be used with a list of lib.mkIf values + optOneOf = lib.lists.findFirst (value: value.condition) (lib.mkIf false null); + mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v); + defaultConfig = { + homeserver.address = "http://localhost:8448"; + appservice = { + hostname = "[::]"; + port = appservicePort; + database.type = "sqlite3"; + database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate"; + id = "signal"; + bot = { + username = "signalbot"; + displayname = "Signal Bridge Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "signal_{{.}}"; + displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}"; + double_puppet_server_map = { }; + login_shared_secret_map = { }; + command_prefix = "!signal"; + permissions."*" = "relay"; + relay.enabled = true; + }; + logging = { + min_level = "info"; + writers = lib.singleton { + type = "stdout"; + format = "pretty-colored"; + time_format = " "; + }; + }; + }; + +in +{ + options.services.mautrix-signal = { + enable = lib.mkEnableOption "mautrix-signal, a Matrix-Signal puppeting bridge."; + + settings = lib.mkOption { + apply = lib.recursiveUpdate defaultConfig; + type = settingsFormat.type; + default = defaultConfig; + description = '' + {file}`config.yaml` configuration as a Nix attribute set. + Configuration options should match those described in + [example-config.yaml](https://github.com/mautrix/signal/blob/master/example-config.yaml). + Secret tokens should be specified using {option}`environmentFile` + instead of this world-readable attribute set. + ''; + example = { + appservice = { + database = { + type = "postgres"; + uri = "postgresql:///mautrix_signal?host=/run/postgresql"; + }; + id = "signal"; + ephemeral_events = false; + }; + bridge = { + history_sync = { + request_full_sync = true; + }; + private_chat_portal_meta = true; + mute_bridging = true; + encryption = { + allow = true; + default = true; + require = true; + }; + provisioning = { + shared_secret = "disable"; + }; + permissions = { + "example.com" = "user"; + }; + }; + }; + }; + + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + File containing environment variables to be passed to the mautrix-signal service. + If an environment variable `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET` is set, + then its value will be used in the configuration file for the option + `login_shared_secret_map` without leaking it to the store, using the configured + `homeserver.domain` as key. + See [here](https://github.com/mautrix/signal/blob/main/example-config.yaml) + for the documentation of `login_shared_secret_map`. + ''; + }; + + serviceDependencies = lib.mkOption { + type = with lib.types; listOf str; + default = (lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit) + ++ (lib.optional config.services.matrix-conduit.enable "conduit.service"); + defaultText = lib.literalExpression '' + (optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit) + ++ (optional config.services.matrix-conduit.enable "conduit.service") + ''; + description = '' + List of systemd units to require and wait for when starting the application service. + ''; + }; + + registerToSynapse = lib.mkOption { + type = lib.types.bool; + default = config.services.matrix-synapse.enable; + defaultText = lib.literalExpression '' + config.services.matrix-synapse.enable + ''; + description = '' + Whether to add the bridge's app service registration file to + `services.matrix-synapse.settings.app_service_config_files`. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + + users.users.mautrix-signal = { + isSystemUser = true; + group = "mautrix-signal"; + home = dataDir; + description = "Mautrix-Signal bridge user"; + }; + + users.groups.mautrix-signal = { }; + + services.matrix-synapse = lib.mkIf cfg.registerToSynapse { + settings.app_service_config_files = [ registrationFile ]; + }; + systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse { + serviceConfig.SupplementaryGroups = [ "mautrix-signal" ]; + }; + + # Note: this is defined here to avoid the docs depending on `config` + services.mautrix-signal.settings.homeserver = optOneOf (with config.services; [ + (lib.mkIf matrix-synapse.enable (mkDefaults { + domain = matrix-synapse.settings.server_name; + })) + (lib.mkIf matrix-conduit.enable (mkDefaults { + domain = matrix-conduit.settings.global.server_name; + address = "http://localhost:${toString matrix-conduit.settings.global.port}"; + })) + ]); + + systemd.services.mautrix-signal = { + description = "mautrix-signal, a Matrix-Signal puppeting bridge."; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ] ++ cfg.serviceDependencies; + after = [ "network-online.target" ] ++ cfg.serviceDependencies; + # ffmpeg is required for conversion of voice messages + path = [ pkgs.ffmpeg-headless ]; + + preStart = '' + # substitute the settings file by environment variables + # in this case read from EnvironmentFile + test -f '${settingsFile}' && rm -f '${settingsFile}' + old_umask=$(umask) + umask 0177 + ${pkgs.envsubst}/bin/envsubst \ + -o '${settingsFile}' \ + -i '${settingsFileUnsubstituted}' + umask $old_umask + + # generate the appservice's registration file if absent + if [ ! -f '${registrationFile}' ]; then + ${pkgs.mautrix-signal}/bin/mautrix-signal \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + + umask 0177 + # 1. Overwrite registration tokens in config + # 2. If environment variable MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET + # is set, set it as the login shared secret value for the configured + # homeserver domain. + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0] + | if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \ + '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp' + mv '${settingsFile}.tmp' '${settingsFile}' + umask $old_umask + ''; + + serviceConfig = { + User = "mautrix-signal"; + Group = "mautrix-signal"; + EnvironmentFile = cfg.environmentFile; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = dataDir; + ExecStart = '' + ${pkgs.mautrix-signal}/bin/mautrix-signal \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + ''; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + Restart = "on-failure"; + RestartSec = "30s"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ "@system-service" ]; + Type = "simple"; + UMask = 0027; + }; + restartTriggers = [ settingsFileUnsubstituted ]; + }; + }; + meta.maintainers = with lib.maintainers; [ niklaskorz ]; +} diff --git a/nixpkgs/nixos/modules/services/misc/bcg.nix b/nixpkgs/nixos/modules/services/misc/bcg.nix index 626a67f66d08..63c441833d95 100644 --- a/nixpkgs/nixos/modules/services/misc/bcg.nix +++ b/nixpkgs/nixos/modules/services/misc/bcg.nix @@ -149,20 +149,20 @@ in systemd.services.bcg = let envConfig = cfg.environmentFiles != []; finalConfig = if envConfig - then "$RUNTIME_DIRECTORY/bcg.config.yaml" + then "\${RUNTIME_DIRECTORY}/bcg.config.yaml" else configFile; in { description = "BigClown Gateway"; wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ] ++ lib.optional config.services.mosquitto.enable "mosquitto.service"; after = [ "network-online.target" ]; - preStart = '' + preStart = mkIf envConfig '' umask 077 ${pkgs.envsubst}/bin/envsubst -i "${configFile}" -o "${finalConfig}" ''; serviceConfig = { EnvironmentFile = cfg.environmentFiles; - ExecStart="${cfg.package}/bin/bcg -c ${finalConfig} -v ${cfg.verbose}"; + ExecStart = "${cfg.package}/bin/bcg -c ${finalConfig} -v ${cfg.verbose}"; RuntimeDirectory = "bcg"; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/devpi-server.nix b/nixpkgs/nixos/modules/services/misc/devpi-server.nix new file mode 100644 index 000000000000..0234db4bc2c5 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/devpi-server.nix @@ -0,0 +1,128 @@ +{ + pkgs, + lib, + config, + ... +}: +with lib; +let + cfg = config.services.devpi-server; + + secretsFileName = "devpi-secret-file"; + + stateDirName = "devpi"; + + runtimeDir = "/run/${stateDirName}"; + serverDir = "/var/lib/${stateDirName}"; +in +{ + options.services.devpi-server = { + enable = mkEnableOption "Devpi Server"; + + package = mkPackageOption pkgs "devpi-server" { }; + + primaryUrl = mkOption { + type = types.str; + description = "Url for the primary node. Required option for replica nodes."; + }; + + replica = mkOption { + type = types.bool; + default = false; + description = '' + Run node as a replica. + Requires the secretFile option and the primaryUrl to be enabled. + ''; + }; + + secretFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to a shared secret file used for synchronization, + Required for all nodes in a replica/primary setup. + ''; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = '' + domain/ip address to listen on + ''; + }; + + port = mkOption { + type = types.port; + default = 3141; + description = "The port on which Devpi Server will listen."; + }; + + openFirewall = mkEnableOption "opening the default ports in the firewall for Devpi Server"; + }; + + config = mkIf cfg.enable { + + systemd.services.devpi-server = { + enable = true; + description = "devpi PyPI-compatible server"; + documentation = [ "https://devpi.net/docs/devpi/devpi/stable/+d/index.html" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + # Since at least devpi-server 6.10.0, devpi requires the secrets file to + # have 0600 permissions. + preStart = + '' + cp ${cfg.secretFile} ${runtimeDir}/${secretsFileName} + chmod 0600 ${runtimeDir}/*${secretsFileName} + + if [ -f ${serverDir}/.nodeinfo ]; then + # already initialized the package index, exit gracefully + exit 0 + fi + ${cfg.package}/bin/devpi-init --serverdir ${serverDir} '' + + strings.optionalString cfg.replica "--role=replica --master-url=${cfg.primaryUrl}"; + + serviceConfig = { + Restart = "always"; + ExecStart = + let + args = + [ + "--request-timeout=5" + "--serverdir=${serverDir}" + "--host=${cfg.host}" + "--port=${builtins.toString cfg.port}" + ] + ++ lib.optionals (! isNull cfg.secretFile) [ + "--secretfile=${runtimeDir}/${secretsFileName}" + ] + ++ ( + if cfg.replica then + [ + "--role=replica" + "--master-url=${cfg.primaryUrl}" + ] + else + [ "--role=master" ] + ); + in + "${cfg.package}/bin/devpi-server ${concatStringsSep " " args}"; + DynamicUser = true; + StateDirectory = stateDirName; + RuntimeDirectory = stateDirName; + PrivateDevices = true; + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "strict"; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + + meta.maintainers = [ cafkafk ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/misc/heisenbridge.nix b/nixpkgs/nixos/modules/services/misc/heisenbridge.nix index de109e726633..54c298f1b560 100644 --- a/nixpkgs/nixos/modules/services/misc/heisenbridge.nix +++ b/nixpkgs/nixos/modules/services/misc/heisenbridge.nix @@ -210,5 +210,5 @@ in }; }; - meta.maintainers = [ lib.maintainers.piegames ]; + meta.maintainers = [ ]; } diff --git a/nixpkgs/nixos/modules/services/misc/llama-cpp.nix b/nixpkgs/nixos/modules/services/misc/llama-cpp.nix index c73cff027e22..2fa1a7b28e3b 100644 --- a/nixpkgs/nixos/modules/services/misc/llama-cpp.nix +++ b/nixpkgs/nixos/modules/services/misc/llama-cpp.nix @@ -92,7 +92,6 @@ in { SystemCallFilter = [ "@system-service" "~@privileged" - "~@resources" ]; SystemCallErrorNumber = "EPERM"; ProtectProc = "invisible"; diff --git a/nixpkgs/nixos/modules/services/misc/portunus.nix b/nixpkgs/nixos/modules/services/misc/portunus.nix index ab78479c96cd..bdb35da788e3 100644 --- a/nixpkgs/nixos/modules/services/misc/portunus.nix +++ b/nixpkgs/nixos/modules/services/misc/portunus.nix @@ -231,12 +231,14 @@ in }; systemd.services = { - dex.serviceConfig = mkIf cfg.dex.enable { - # `dex.service` is super locked down out of the box, but we need some - # place to write the SQLite database. This creates $STATE_DIRECTORY below - # /var/lib/private because DynamicUser=true, but it gets symlinked into - # /var/lib/dex inside the unit - StateDirectory = "dex"; + dex = mkIf cfg.dex.enable { + serviceConfig = { + # `dex.service` is super locked down out of the box, but we need some + # place to write the SQLite database. This creates $STATE_DIRECTORY below + # /var/lib/private because DynamicUser=true, but it gets symlinked into + # /var/lib/dex inside the unit + StateDirectory = "dex"; + }; }; portunus = { diff --git a/nixpkgs/nixos/modules/services/misc/private-gpt.nix b/nixpkgs/nixos/modules/services/misc/private-gpt.nix new file mode 100644 index 000000000000..9a3e5317cdb1 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/private-gpt.nix @@ -0,0 +1,121 @@ +{ config +, lib +, pkgs +, ... +}: +let + inherit (lib) types; + + format = pkgs.formats.yaml { }; + cfg = config.services.private-gpt; +in +{ + options = { + services.private-gpt = { + enable = lib.mkEnableOption "private-gpt for local large language models"; + package = lib.mkPackageOption pkgs "private-gpt" { }; + + stateDir = lib.mkOption { + type = types.path; + default = "/var/lib/private-gpt"; + description = "State directory of private-gpt."; + }; + + settings = lib.mkOption { + type = format.type; + default = { + llm = { + mode = "ollama"; + tokenizer = ""; + }; + embedding = { + mode = "ollama"; + }; + ollama = { + llm_model = "llama3"; + embedding_model = "nomic-embed-text"; + api_base = "http://localhost:11434"; + embedding_api_base = "http://localhost:11434"; + keep_alive = "5m"; + tfs_z = 1; + top_k = 40; + top_p = 0.9; + repeat_last_n = 64; + repeat_penalty = 1.2; + request_timeout = 120; + }; + vectorstore = { + database = "qdrant"; + }; + qdrant = { + path = "/var/lib/private-gpt/vectorstore/qdrant"; + }; + data = { + local_data_folder = "/var/lib/private-gpt"; + }; + openai = { }; + azopenai = { }; + }; + description = '' + settings-local.yaml for private-gpt + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.private-gpt = { + description = "Interact with your documents using the power of GPT, 100% privately, no data leaks"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = + let + config = format.generate "settings-local.yaml" (cfg.settings // { server.env_name = "local"; }); + in + '' + mkdir -p ${cfg.stateDir}/{settings,huggingface,matplotlib,tiktoken_cache} + cp ${cfg.package.cl100k_base.tiktoken} ${cfg.stateDir}/tiktoken_cache/9b5ad71b2ce5302211f9c61530b329a4922fc6a4 + cp ${pkgs.python3Packages.private-gpt}/${pkgs.python3.sitePackages}/private_gpt/settings.yaml ${cfg.stateDir}/settings/settings.yaml + cp "${config}" "${cfg.stateDir}/settings/settings-local.yaml" + chmod 600 "${cfg.stateDir}/settings/settings-local.yaml" + ''; + + environment = { + PGPT_PROFILES = "local"; + PGPT_SETTINGS_FOLDER = "${cfg.stateDir}/settings"; + HF_HOME = "${cfg.stateDir}/huggingface"; + TRANSFORMERS_OFFLINE = "1"; + HF_DATASETS_OFFLINE = "1"; + MPLCONFIGDIR = "${cfg.stateDir}/matplotlib"; + }; + + serviceConfig = { + ExecStart = lib.getExe cfg.package; + WorkingDirectory = cfg.stateDir; + StateDirectory = "private-gpt"; + RuntimeDirectory = "private-gpt"; + RuntimeDirectoryMode = "0755"; + PrivateTmp = true; + DynamicUser = true; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProcSubset = "pid"; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ drupol ]; +} diff --git a/nixpkgs/nixos/modules/services/misc/snapper.nix b/nixpkgs/nixos/modules/services/misc/snapper.nix index 3a3ed1b5c0f5..33207ac2b5bd 100644 --- a/nixpkgs/nixos/modules/services/misc/snapper.nix +++ b/nixpkgs/nixos/modules/services/misc/snapper.nix @@ -103,6 +103,18 @@ in ''; }; + persistentTimer = mkOption { + default = false; + type = types.bool; + example = true; + description = '' + Set the `persistentTimer` option for the + {manpage}`systemd.timer(5)` + which triggers the snapshot immediately if the last trigger + was missed (e.g. if the system was powered down). + ''; + }; + cleanupInterval = mkOption { type = types.str; default = "1d"; @@ -198,7 +210,14 @@ in inherit documentation; requires = [ "local-fs.target" ]; serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --timeline"; - startAt = cfg.snapshotInterval; + }; + + systemd.timers.snapper-timeline = { + wantedBy = [ "timers.target" ]; + timerConfig = { + Persistent = cfg.persistentTimer; + OnCalendar = cfg.snapshotInterval; + }; }; systemd.services.snapper-cleanup = { diff --git a/nixpkgs/nixos/modules/services/misc/tzupdate.nix b/nixpkgs/nixos/modules/services/misc/tzupdate.nix index eac1e1112a5a..be63bb179e42 100644 --- a/nixpkgs/nixos/modules/services/misc/tzupdate.nix +++ b/nixpkgs/nixos/modules/services/misc/tzupdate.nix @@ -41,5 +41,5 @@ in { }; }; - meta.maintainers = [ maintainers.michaelpj ]; + meta.maintainers = [ ]; } diff --git a/nixpkgs/nixos/modules/services/misc/wastebin.nix b/nixpkgs/nixos/modules/services/misc/wastebin.nix index 3d0af2862683..f24bf94fa52b 100644 --- a/nixpkgs/nixos/modules/services/misc/wastebin.nix +++ b/nixpkgs/nixos/modules/services/misc/wastebin.nix @@ -10,7 +10,7 @@ in options.services.wastebin = { - enable = mkEnableOption "Wastenbin pastebin service"; + enable = mkEnableOption "Wastebin, a pastebin service"; package = mkPackageOption pkgs "wastebin" { }; diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix index 84c3a6710c0d..d09cd87febff 100644 --- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix +++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix @@ -350,7 +350,7 @@ in { RestartSec = "10s"; CacheDirectory = dirs cacheDirs; RuntimeDirectory = dirName; - ReadWriteDirectories = lib.mkIf useCustomDir [ cfg.storageDir ]; + ReadWritePaths = lib.mkIf useCustomDir [ cfg.storageDir ]; StateDirectory = dirs (lib.optionals (!useCustomDir) libDirs); LogsDirectory = dirName; PrivateTmp = true; diff --git a/nixpkgs/nixos/modules/services/monitoring/arbtt.nix b/nixpkgs/nixos/modules/services/monitoring/arbtt.nix index 6dad6bdec328..cf9a236c079c 100644 --- a/nixpkgs/nixos/modules/services/monitoring/arbtt.nix +++ b/nixpkgs/nixos/modules/services/monitoring/arbtt.nix @@ -45,5 +45,5 @@ in { }; }; - meta.maintainers = [ maintainers.michaelpj ]; + meta.maintainers = [ ]; } diff --git a/nixpkgs/nixos/modules/services/monitoring/loki.nix b/nixpkgs/nixos/modules/services/monitoring/loki.nix index ba63f95e7f1a..de4f1bc7aa23 100644 --- a/nixpkgs/nixos/modules/services/monitoring/loki.nix +++ b/nixpkgs/nixos/modules/services/monitoring/loki.nix @@ -97,8 +97,20 @@ in { serviceConfig = let conf = if cfg.configFile == null - then prettyJSON cfg.configuration + then + # Config validation may fail when using extraFlags = [ "-config.expand-env=true" ]. + # To work around this, we simply skip it when extraFlags is not empty. + if cfg.extraFlags == [] + then validateConfig (prettyJSON cfg.configuration) + else prettyJSON cfg.configuration else cfg.configFile; + validateConfig = file: + pkgs.runCommand "validate-loki-conf" { + nativeBuildInputs = [ cfg.package ]; + } '' + loki -verify-config -config.file "${file}" + ln -s "${file}" "$out" + ''; in { ExecStart = "${cfg.package}/bin/loki --config.file=${conf} ${escapeShellArgs cfg.extraFlags}"; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix index e44140b1f51a..e1b7dc91a0d7 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix @@ -7,6 +7,8 @@ in { port = 9332; extraOpts = { + package = lib.mkPackageOption pkgs "prometheus-bitcoin-exporter" { }; + rpcUser = mkOption { type = types.str; default = "bitcoinrpc"; @@ -65,7 +67,7 @@ in serviceOpts = { script = '' export BITCOIN_RPC_PASSWORD=$(cat ${cfg.rpcPasswordFile}) - exec ${pkgs.prometheus-bitcoin-exporter}/bin/bitcoind-monitor.py + exec ${cfg.package}/bin/bitcoind-monitor.py ''; environment = { diff --git a/nixpkgs/nixos/modules/services/networking/clatd.nix b/nixpkgs/nixos/modules/services/networking/clatd.nix index 76e0c130ca46..de6cde4e979c 100644 --- a/nixpkgs/nixos/modules/services/networking/clatd.nix +++ b/nixpkgs/nixos/modules/services/networking/clatd.nix @@ -43,7 +43,6 @@ in serviceConfig = { ExecStart = "${cfg.package}/bin/clatd -c ${configFile}"; - startLimitIntervalSec = 0; # Hardening CapabilityBoundingSet = [ diff --git a/nixpkgs/nixos/modules/services/networking/hostapd.nix b/nixpkgs/nixos/modules/services/networking/hostapd.nix index 1bef5a1f0a9e..b678656f2e04 100644 --- a/nixpkgs/nixos/modules/services/networking/hostapd.nix +++ b/nixpkgs/nixos/modules/services/networking/hostapd.nix @@ -687,7 +687,7 @@ in { authentication = { mode = mkOption { default = "wpa3-sae"; - type = types.enum ["none" "wpa2-sha256" "wpa3-sae-transition" "wpa3-sae"]; + type = types.enum ["none" "wpa2-sha1" "wpa2-sha256" "wpa3-sae-transition" "wpa3-sae"]; description = '' Selects the authentication mode for this AP. @@ -695,7 +695,9 @@ in { and create an open AP. Use {option}`settings` together with this option if you want to configure the authentication manually. Any password options will still be effective, if set. - - {var}`"wpa2-sha256"`: WPA2-Personal using SHA256 (IEEE 802.11i/RSN). Passwords are set + - {var}`"wpa2-sha1"`: Not recommended. WPA2-Personal using HMAC-SHA1. Passwords are set + using {option}`wpaPassword` or preferably by {option}`wpaPasswordFile` or {option}`wpaPskFile`. + - {var}`"wpa2-sha256"`: WPA2-Personal using HMAC-SHA256 (IEEE 802.11i/RSN). Passwords are set using {option}`wpaPassword` or preferably by {option}`wpaPasswordFile` or {option}`wpaPskFile`. - {var}`"wpa3-sae-transition"`: Use WPA3-Personal (SAE) if possible, otherwise fallback to WPA2-SHA256. Only use if necessary and switch to the newer WPA3-SAE when possible. @@ -812,7 +814,7 @@ in { Warning: These entries will get put into a world-readable file in the Nix store! Using {option}`saePasswordFile` instead is recommended. - Not used when {option}`mode` is {var}`"wpa2-sha256"`. + Not used when {option}`mode` is {var}`"wpa2-sha1"` or {var}`"wpa2-sha256"`. ''; type = types.listOf (types.submodule { options = { @@ -884,7 +886,7 @@ in { parameters doesn't matter: `<password>[|mac=<peer mac>][|vlanid=<VLAN ID>][|pk=<m:ECPrivateKey-base64>][|id=<identifier>]` - Not used when {option}`mode` is {var}`"wpa2-sha256"`. + Not used when {option}`mode` is {var}`"wpa2-sha1"` or {var}`"wpa2-sha256"`. ''; }; @@ -959,6 +961,9 @@ in { } // optionalAttrs (bssCfg.authentication.mode == "wpa3-sae-transition") { wpa = 2; wpa_key_mgmt = "WPA-PSK-SHA256 SAE"; + } // optionalAttrs (bssCfg.authentication.mode == "wpa2-sha1") { + wpa = 2; + wpa_key_mgmt = "WPA-PSK"; } // optionalAttrs (bssCfg.authentication.mode == "wpa2-sha256") { wpa = 2; wpa_key_mgmt = "WPA-PSK-SHA256"; @@ -1186,8 +1191,8 @@ in { message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode requires defining both a wpa password option and a sae password option''; } { - assertion = auth.mode == "wpa2-sha256" -> countWpaPasswordDefinitions == 1; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA2-SHA256 which requires defining a wpa password option''; + assertion = (auth.mode == "wpa2-sha1" || auth.mode == "wpa2-sha256") -> countWpaPasswordDefinitions == 1; + message = ''hostapd radio ${radio} bss ${bss}: uses WPA2-PSK which requires defining a wpa password option''; } ]) radioCfg.networks)) diff --git a/nixpkgs/nixos/modules/services/networking/jotta-cli.md b/nixpkgs/nixos/modules/services/networking/jotta-cli.md index fee002a4e604..335e5c8e3856 100644 --- a/nixpkgs/nixos/modules/services/networking/jotta-cli.md +++ b/nixpkgs/nixos/modules/services/networking/jotta-cli.md @@ -6,7 +6,7 @@ The [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/14368 ```nix { - user.services.jotta-cli.enable = true; + services.jotta-cli.enable = true; } ``` @@ -15,7 +15,7 @@ This adds `jotta-cli` to `environment.systemPackages` and starts a user service ## Example Configuration {#module-services-jotta-cli-example-configuration} ```nix -user.services.jotta-cli = { +services.jotta-cli = { enable = true; options = [ "slow" ]; package = pkgs.jotta-cli; diff --git a/nixpkgs/nixos/modules/services/networking/jotta-cli.nix b/nixpkgs/nixos/modules/services/networking/jotta-cli.nix index c7e6dad5453c..e0fa1ef332fe 100644 --- a/nixpkgs/nixos/modules/services/networking/jotta-cli.nix +++ b/nixpkgs/nixos/modules/services/networking/jotta-cli.nix @@ -2,10 +2,10 @@ with lib; -let cfg = config.user.services.jotta-cli; +let cfg = config.services.jotta-cli; in { options = { - user.services.jotta-cli = { + services.jotta-cli = { enable = mkEnableOption "Jottacloud Command-line Tool"; diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix index e33bbb2af178..b7143cf520f9 100644 --- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix +++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix @@ -470,7 +470,7 @@ in - [main] - no-auto-default=* - ''' - + extraConfig.main.no-auto-default = "*"; + + settings.main.no-auto-default = "*"; }; ``` '' diff --git a/nixpkgs/nixos/modules/services/networking/pixiecore.nix b/nixpkgs/nixos/modules/services/networking/pixiecore.nix index cfdb8014136e..111cb7e35504 100644 --- a/nixpkgs/nixos/modules/services/networking/pixiecore.nix +++ b/nixpkgs/nixos/modules/services/networking/pixiecore.nix @@ -82,8 +82,8 @@ in apiServer = mkOption { type = types.str; - example = "localhost:8080"; - description = "host:port to connect to the API. Ignored unless mode is set to 'api'"; + example = "http://localhost:8080"; + description = "URI to connect to the API. Ignored unless mode is set to 'api'"; }; extraArguments = mkOption { diff --git a/nixpkgs/nixos/modules/services/networking/radvd.nix b/nixpkgs/nixos/modules/services/networking/radvd.nix index 4e3e501d2f59..0143324a7815 100644 --- a/nixpkgs/nixos/modules/services/networking/radvd.nix +++ b/nixpkgs/nixos/modules/services/networking/radvd.nix @@ -33,6 +33,17 @@ in package = mkPackageOption pkgs "radvd" { }; + debugLevel = mkOption { + type = types.int; + default = 0; + example = 5; + description = '' + The debugging level is an integer in the range from 1 to 5, + from quiet to very verbose. A debugging level of 0 completely + turns off debugging. + ''; + }; + config = mkOption { type = types.lines; example = @@ -67,7 +78,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = - { ExecStart = "@${cfg.package}/bin/radvd radvd -n -u radvd -C ${confFile}"; + { ExecStart = "@${cfg.package}/bin/radvd radvd -n -u radvd -d ${toString cfg.debugLevel} -C ${confFile}"; Restart = "always"; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/rosenpass.nix b/nixpkgs/nixos/modules/services/networking/rosenpass.nix index 373a6c769079..66b6f960a81a 100644 --- a/nixpkgs/nixos/modules/services/networking/rosenpass.nix +++ b/nixpkgs/nixos/modules/services/networking/rosenpass.nix @@ -225,8 +225,10 @@ in # See <https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Specifiers> environment.CONFIG = "%t/${serviceConfig.RuntimeDirectory}/config.toml"; - preStart = "${getExe pkgs.envsubst} -i ${config} -o \"$CONFIG\""; - script = "rosenpass exchange-config \"$CONFIG\""; + script = '' + ${getExe pkgs.envsubst} -i ${config} -o "$CONFIG" + rosenpass exchange-config "$CONFIG" + ''; }; }; } diff --git a/nixpkgs/nixos/modules/services/networking/smokeping.nix b/nixpkgs/nixos/modules/services/networking/smokeping.nix index 38d6e4452c97..3fb3eac45cc8 100644 --- a/nixpkgs/nixos/modules/services/networking/smokeping.nix +++ b/nixpkgs/nixos/modules/services/networking/smokeping.nix @@ -47,6 +47,13 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "smokeping" "port" ] '' + The smokeping web service is now served by nginx. + In order to change the port, you need to change the nginx configuration under `services.nginx.virtualHosts.smokeping.listen.*.port`. + '') + ]; + options = { services.smokeping = { enable = mkEnableOption "smokeping service"; @@ -71,8 +78,8 @@ in }; cgiUrl = mkOption { type = types.str; - default = "http://${cfg.hostName}:${toString cfg.port}/smokeping.cgi"; - defaultText = literalExpression ''"http://''${hostName}:''${toString port}/smokeping.cgi"''; + default = "http://${cfg.hostName}/smokeping.cgi"; + defaultText = literalExpression ''"http://''${hostName}/smokeping.cgi"''; example = "https://somewhere.example.com/smokeping.cgi"; description = "URL to the smokeping cgi."; }; @@ -177,11 +184,6 @@ in which makes it bind to all interfaces. ''; }; - port = mkOption { - type = types.port; - default = 8081; - description = "TCP port to use for the web server."; - }; presentationConfig = mkOption { type = types.lines; default = '' @@ -312,17 +314,8 @@ in description = "smokeping daemon user"; home = smokepingHome; createHome = true; - # When `cfg.webService` is enabled, `thttpd` makes SmokePing available - # under `${cfg.host}:${cfg.port}/smokeping.fcgi` as per the `ln -s` below. - # We also want that going to `${cfg.host}:${cfg.port}` without `smokeping.fcgi` - # makes it easy for the user to find SmokePing. - # However `thttpd` does not seem to support easy redirections from `/` to `smokeping.fcgi` - # and only allows directory listings or `/` -> `index.html` resolution if the directory - # has `chmod 755` (see https://acme.com/software/thttpd/thttpd_man.html#PERMISSIONS, - # " directories should be 755 if you want to allow indexing"). - # Otherwise it shows `403 Forbidden` on `/`. - # Thus, we need to make `smokepingHome` (which is given to `thttpd -d` below) `755`. - homeMode = "755"; + # When `cfg.webService` is enabled, `nginx` requires read permissions on the home directory. + homeMode = "711"; }; users.groups.${cfg.user} = { }; systemd.services.smokeping = { @@ -342,21 +335,25 @@ in ${cfg.package}/bin/smokeping --static --config=${configPath} ''; }; - systemd.services.thttpd = mkIf cfg.webService { - requiredBy = [ "multi-user.target" ]; - requires = [ "smokeping.service" ]; - path = with pkgs; [ bash rrdtool smokeping thttpd ]; - serviceConfig = { - Restart = "always"; - ExecStart = lib.concatStringsSep " " (lib.concatLists [ - [ "${pkgs.thttpd}/bin/thttpd" ] - [ "-u ${cfg.user}" ] - [ ''-c "**.fcgi"'' ] - [ "-d ${smokepingHome}" ] - (lib.optional (cfg.host != null) "-h ${cfg.host}") - [ "-p ${builtins.toString cfg.port}" ] - [ "-D -nos" ] - ]); + + # use nginx to serve the smokeping web service + services.fcgiwrap.enable = mkIf cfg.webService true; + services.nginx = mkIf cfg.webService { + enable = true; + virtualHosts."smokeping" = { + serverName = mkDefault cfg.host; + locations."/" = { + root = smokepingHome; + index = "smokeping.fcgi"; + }; + locations."/smokeping.fcgi" = { + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + fastcgi_param SCRIPT_FILENAME ${smokepingHome}/smokeping.fcgi; + fastcgi_param DOCUMENT_ROOT ${smokepingHome}; + ''; + }; }; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix index bc95679d5d3c..57ca2b85bed2 100644 --- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix @@ -296,6 +296,17 @@ in ''; }; + authorizedKeysInHomedir = mkOption { + type = types.bool; + default = true; + description = '' + Enables the use of the `~/.ssh/authorized_keys` file. + + Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`, + *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys). + ''; + }; + authorizedKeysCommand = mkOption { type = types.str; default = "none"; @@ -637,7 +648,7 @@ in # https://github.com/NixOS/nixpkgs/pull/10155 # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = - [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; + lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ]; services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u"; diff --git a/nixpkgs/nixos/modules/services/networking/sunshine.nix b/nixpkgs/nixos/modules/services/networking/sunshine.nix index 0749eaee95d8..ec78db1f3f8e 100644 --- a/nixpkgs/nixos/modules/services/networking/sunshine.nix +++ b/nixpkgs/nixos/modules/services/networking/sunshine.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, utils, ... }: let - inherit (lib) mkEnableOption mkPackageOption mkOption mkIf mkDefault types optionals getExe; + inherit (lib) mkEnableOption mkPackageOption mkOption literalExpression mkIf mkDefault types optionals getExe; inherit (utils) escapeSystemdExecArgs; cfg = config.services.sunshine; @@ -46,7 +46,7 @@ in See https://docs.lizardbyte.dev/projects/sunshine/en/latest/about/advanced_usage.html#configuration for syntax. ''; - example = '' + example = literalExpression '' { sunshine_name = "nixos"; } @@ -67,7 +67,7 @@ in description = '' Configuration for applications to be exposed to Moonlight. If this is set, no configuration is possible from the web UI, and must be by the `settings` option. ''; - example = '' + example = literalExpression '' { env = { PATH = "$(PATH):$(HOME)/.local/bin"; diff --git a/nixpkgs/nixos/modules/services/networking/tayga.nix b/nixpkgs/nixos/modules/services/networking/tayga.nix index 1a0df33fe883..9f118b243e90 100644 --- a/nixpkgs/nixos/modules/services/networking/tayga.nix +++ b/nixpkgs/nixos/modules/services/networking/tayga.nix @@ -16,6 +16,8 @@ let prefix ${strAddr cfg.ipv6.pool} dynamic-pool ${strAddr cfg.ipv4.pool} data-dir ${cfg.dataDir} + + ${concatStringsSep "\n" (mapAttrsToList (ipv4: ipv6: "map " + ipv4 + " " + ipv6) cfg.mappings)} ''; addrOpts = v: @@ -103,18 +105,38 @@ in dataDir = mkOption { type = types.path; default = "/var/lib/tayga"; - description = "Directory for persistent data"; + description = "Directory for persistent data."; }; tunDevice = mkOption { type = types.str; default = "nat64"; - description = "Name of the nat64 tun device"; + description = "Name of the nat64 tun device."; + }; + + mappings = mkOption { + type = types.attrsOf types.str; + default = {}; + description = "Static IPv4 -> IPv6 host mappings."; + example = literalExpression '' + { + "192.168.5.42" = "2001:db8:1:4444::1"; + "192.168.5.43" = "2001:db8:1:4444::2"; + "192.168.255.2" = "2001:db8:1:569::143"; + } + ''; }; }; }; config = mkIf cfg.enable { + assertions = [ + { + assertion = allUnique (attrValues cfg.mappings); + message = "Neither the IPv4 nor the IPv6 addresses must be entered twice in the mappings."; + } + ]; + networking.interfaces."${cfg.tunDevice}" = { virtual = true; virtualType = "tun"; diff --git a/nixpkgs/nixos/modules/services/networking/vsftpd.nix b/nixpkgs/nixos/modules/services/networking/vsftpd.nix index 25f950600b91..07b93e92a750 100644 --- a/nixpkgs/nixos/modules/services/networking/vsftpd.nix +++ b/nixpkgs/nixos/modules/services/networking/vsftpd.nix @@ -278,7 +278,7 @@ in } { assertion = (cfg.enableVirtualUsers -> cfg.userDbPath != null) - && (cfg.enableVirtualUsers -> cfg.localUsers != null); + && (cfg.enableVirtualUsers -> cfg.localUsers); message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options."; }]; diff --git a/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix b/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix index c05bd304752d..07192e7287b0 100644 --- a/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix +++ b/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix @@ -64,11 +64,11 @@ in }; }; - config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != [] && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) { + config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != {} && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) { enable = true; }; - config.services.nginx = lib.mkIf (cfg.virtualHosts != [] && config.services.oauth2-proxy.enable) (lib.mkMerge ([ + config.services.nginx = lib.mkIf (cfg.virtualHosts != {} && config.services.oauth2-proxy.enable) (lib.mkMerge ([ { virtualHosts.${cfg.domain}.locations."/oauth2/" = { proxyPass = cfg.proxy; @@ -78,7 +78,7 @@ in ''; }; } - ] ++ lib.optional (cfg.virtualHosts != []) { + ] ++ lib.optional (cfg.virtualHosts != {}) { recommendedProxySettings = true; # needed because duplicate headers } ++ (lib.mapAttrsToList (vhost: conf: { virtualHosts.${vhost} = { diff --git a/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix index 075e64b743b1..3079a1d030c5 100644 --- a/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix +++ b/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix @@ -17,7 +17,7 @@ let inherit (cfg.github) org team; }; }; - google = cfg: { google = with cfg.google; optionalAttrs (groups != []) { + google = cfg: { google = with cfg.google; lib.optionalAttrs (groups != []) { admin-email = adminEmail; service-account = serviceAccountJSON; group = groups; @@ -577,20 +577,22 @@ in users.groups.oauth2-proxy = {}; - systemd.services.oauth2-proxy = { - description = "OAuth2 Proxy"; - path = [ cfg.package ]; - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - - serviceConfig = { - User = "oauth2-proxy"; - Restart = "always"; - ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}"; - EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile; + systemd.services.oauth2-proxy = + let needsKeycloak = lib.elem cfg.provider ["keycloak" "keycloak-oidc"] + && config.services.keycloak.enable; + in { + description = "OAuth2 Proxy"; + path = [ cfg.package ]; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ]; + after = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ]; + + serviceConfig = { + User = "oauth2-proxy"; + Restart = "always"; + ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}"; + EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile; + }; }; - }; - }; } diff --git a/nixpkgs/nixos/modules/services/security/step-ca.nix b/nixpkgs/nixos/modules/services/security/step-ca.nix index c708cb2b8910..e9195fbd5160 100644 --- a/nixpkgs/nixos/modules/services/security/step-ca.nix +++ b/nixpkgs/nixos/modules/services/security/step-ca.nix @@ -107,7 +107,7 @@ in UMask = "0077"; Environment = "HOME=%S/step-ca"; WorkingDirectory = ""; # override upstream - ReadWriteDirectories = ""; # override upstream + ReadWritePaths = ""; # override upstream # LocalCredential handles file permission problems arising from the use of DynamicUser. LoadCredential = "intermediate_password:${cfg.intermediatePasswordFile}"; diff --git a/nixpkgs/nixos/modules/services/system/dbus.nix b/nixpkgs/nixos/modules/services/system/dbus.nix index 8dba0aca6433..26f4eba707f9 100644 --- a/nixpkgs/nixos/modules/services/system/dbus.nix +++ b/nixpkgs/nixos/modules/services/system/dbus.nix @@ -147,6 +147,10 @@ in }; systemd.services.dbus = { + aliases = [ + # hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus + "dbus-broker.service" + ]; # Don't restart dbus-daemon. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ @@ -158,6 +162,10 @@ in }; systemd.user.services.dbus = { + aliases = [ + # hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus + "dbus-broker.service" + ]; # Don't restart dbus-daemon. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ @@ -184,6 +192,8 @@ in # https://github.com/NixOS/nixpkgs/issues/108643 systemd.services.dbus-broker = { aliases = [ + # allow other services to just depend on dbus, + # but also a hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus "dbus.service" ]; unitConfig = { @@ -203,6 +213,8 @@ in systemd.user.services.dbus-broker = { aliases = [ + # allow other services to just depend on dbus, + # but also a hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus "dbus.service" ]; # Don't restart dbus. Bad things tend to happen if we do. diff --git a/nixpkgs/nixos/modules/services/web-apps/artalk.nix b/nixpkgs/nixos/modules/services/web-apps/artalk.nix new file mode 100644 index 000000000000..d3d06f1521b6 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/artalk.nix @@ -0,0 +1,131 @@ +{ + config, + lib, + pkgs, + utils, + ... +}: +let + cfg = config.services.artalk; + settingsFormat = pkgs.formats.json { }; +in +{ + + meta = { + maintainers = with lib.maintainers; [ moraxyc ]; + }; + + options = { + services.artalk = { + enable = lib.mkEnableOption "artalk, a comment system"; + configFile = lib.mkOption { + type = lib.types.str; + default = "/etc/artalk/config.yml"; + description = "Artalk config file path. If it is not exist, Artalk will generate one."; + }; + allowModify = lib.mkOption { + type = lib.types.bool; + default = true; + description = "allow Artalk store the settings to config file persistently"; + }; + workdir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/artalk"; + description = "Artalk working directory"; + }; + user = lib.mkOption { + type = lib.types.str; + default = "artalk"; + description = "Artalk user name."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "artalk"; + description = "Artalk group name."; + }; + + package = lib.mkPackageOption pkgs "artalk" { }; + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + options = { + host = lib.mkOption { + type = lib.types.str; + default = "0.0.0.0"; + description = '' + Artalk server listen host + ''; + }; + port = lib.mkOption { + type = lib.types.port; + default = 23366; + description = '' + Artalk server listen port + ''; + }; + }; + }; + default = { }; + description = '' + The artalk configuration. + + If you set allowModify to true, Artalk will be able to store the settings in the config file persistently. This section's content will update in the config file after the service restarts. + + Options containing secret data should be set to an attribute set + containing the attribute `_secret` - a string pointing to a file + containing the value the option should be set to. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + users.users.artalk = lib.optionalAttrs (cfg.user == "artalk") { + description = "artalk user"; + isSystemUser = true; + group = cfg.group; + }; + users.groups.artalk = lib.optionalAttrs (cfg.group == "artalk") { }; + + environment.systemPackages = [ cfg.package ]; + + systemd.services.artalk = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = + '' + umask 0077 + ${utils.genJqSecretsReplacementSnippet cfg.settings "/run/artalk/new"} + '' + + ( + if cfg.allowModify then + '' + [ -e "${cfg.configFile}" ] || ${lib.getExe cfg.package} gen config "${cfg.configFile}" + cat "${cfg.configFile}" | ${lib.getExe pkgs.yj} > "/run/artalk/old" + ${lib.getExe pkgs.jq} -s '.[0] * .[1]' "/run/artalk/old" "/run/artalk/new" > "/run/artalk/result" + cat "/run/artalk/result" | ${lib.getExe pkgs.yj} -r > "${cfg.configFile}" + rm /run/artalk/{old,new,result} + '' + else + '' + cat /run/artalk/new | ${lib.getExe pkgs.yj} -r > "${cfg.configFile}" + rm /run/artalk/new + '' + ); + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "simple"; + ExecStart = "${lib.getExe cfg.package} server --config ${cfg.configFile} --workdir ${cfg.workdir} --host ${cfg.settings.host} --port ${builtins.toString cfg.settings.port}"; + Restart = "on-failure"; + RestartSec = "5s"; + ConfigurationDirectory = [ "artalk" ]; + StateDirectory = [ "artalk" ]; + RuntimeDirectory = [ "artalk" ]; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + ProtectHome = "yes"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/commafeed.nix b/nixpkgs/nixos/modules/services/web-apps/commafeed.nix new file mode 100644 index 000000000000..354e3625bb99 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/commafeed.nix @@ -0,0 +1,114 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.services.commafeed; +in +{ + options.services.commafeed = { + enable = lib.mkEnableOption "CommaFeed"; + + package = lib.mkPackageOption pkgs "commafeed" { }; + + user = lib.mkOption { + type = lib.types.str; + description = "User under which CommaFeed runs."; + default = "commafeed"; + }; + + group = lib.mkOption { + type = lib.types.str; + description = "Group under which CommaFeed runs."; + default = "commafeed"; + }; + + stateDir = lib.mkOption { + type = lib.types.path; + description = "Directory holding all state for CommaFeed to run."; + default = "/var/lib/commafeed"; + }; + + environment = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.oneOf [ + lib.types.bool + lib.types.int + lib.types.str + ] + ); + description = '' + Extra environment variables passed to CommaFeed, refer to + <https://github.com/Athou/commafeed/blob/master/commafeed-server/config.yml.example> + for supported values. The default user is `admin` and the default password is `admin`. + Correct configuration for H2 database is already provided. + ''; + default = { }; + example = { + CF_SERVER_APPLICATIONCONNECTORS_0_TYPE = "http"; + CF_SERVER_APPLICATIONCONNECTORS_0_PORT = 9090; + }; + }; + + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + description = '' + Environment file as defined in {manpage}`systemd.exec(5)`. + ''; + default = null; + example = "/var/lib/commafeed/commafeed.env"; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.commafeed = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = lib.mapAttrs ( + _: v: if lib.isBool v then lib.boolToString v else toString v + ) cfg.environment; + serviceConfig = { + ExecStart = "${lib.getExe cfg.package} server ${cfg.package}/share/config.yml"; + User = cfg.user; + Group = cfg.group; + StateDirectory = baseNameOf cfg.stateDir; + WorkingDirectory = cfg.stateDir; + # Hardening + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + DynamicUser = true; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + } // lib.optionalAttrs (cfg.environmentFile != null) { EnvironmentFile = cfg.environmentFile; }; + }; + }; + + meta.maintainers = [ lib.maintainers.raroh73 ]; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix index cf1282b3d4cf..6d472cf48cd0 100644 --- a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix +++ b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix @@ -466,7 +466,8 @@ in confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig); keycloakBuild = cfg.package.override { inherit confFile; - plugins = cfg.package.enabledPlugins ++ cfg.plugins; + plugins = cfg.package.enabledPlugins ++ cfg.plugins ++ + (with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]); }; in mkIf cfg.enable @@ -638,6 +639,8 @@ in RuntimeDirectory = "keycloak"; RuntimeDirectoryMode = "0700"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + Type = "notify"; # Requires quarkus-systemd-notify plugin + NotifyAccess = "all"; }; script = '' set -o errexit -o pipefail -o nounset -o errtrace @@ -663,7 +666,7 @@ in '' + '' export KEYCLOAK_ADMIN=admin export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} - kc.sh start --optimized + kc.sh --verbose start --optimized ''; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/miniflux.nix b/nixpkgs/nixos/modules/services/web-apps/miniflux.nix index d65d6db3cdaa..61243a63c582 100644 --- a/nixpkgs/nixos/modules/services/web-apps/miniflux.nix +++ b/nixpkgs/nixos/modules/services/web-apps/miniflux.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: -with lib; let + inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault; cfg = config.services.miniflux; defaultAddress = "localhost:8080"; @@ -20,8 +20,8 @@ in package = mkPackageOption pkgs "miniflux" { }; - createDatabaseLocally = lib.mkOption { - type = lib.types.bool; + createDatabaseLocally = mkOption { + type = types.bool; default = true; description = '' Whether a PostgreSQL database should be automatically created and @@ -66,6 +66,7 @@ in DATABASE_URL = lib.mkIf cfg.createDatabaseLocally "user=miniflux host=/run/postgresql dbname=miniflux"; RUN_MIGRATIONS = 1; CREATE_ADMIN = 1; + WATCHDOG = 1; }; services.postgresql = lib.mkIf cfg.createDatabaseLocally { @@ -96,12 +97,18 @@ in ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/miniflux"; + Type = "notify"; + ExecStart = lib.getExe cfg.package; User = "miniflux"; DynamicUser = true; RuntimeDirectory = "miniflux"; RuntimeDirectoryMode = "0750"; EnvironmentFile = cfg.adminCredentialsFile; + WatchdogSec = 60; + WatchdogSignal = "SIGKILL"; + Restart = "always"; + RestartSec = 5; + # Hardening CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md index ec860d307b38..0b615deae44b 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md @@ -205,11 +205,6 @@ it complains loudly now. So nothing actionable here by default. Alternatively yo * set [](#opt-services.nextcloud.settings.log_type) to "file" to be able to view logs from the admin panel. -### Your web server is not properly set up to resolve `.well-known` URLs, failed on: `/.well-known/caldav` {#module-services-nextcloud-warning-wellknown-caldav} - -This warning appearing seems to be an upstream issue and is being sorted out -in [nextcloud/server#45033](https://github.com/nextcloud/server/issues/45033). - ## Maintainer information {#module-services-nextcloud-maintainer-info} As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix index 21f76938f20c..91d03dc16077 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix @@ -797,7 +797,7 @@ in { config = mkIf cfg.enable (mkMerge [ { warnings = let - latest = 28; + latest = 29; upgradeWarning = major: nixos: '' A legacy Nextcloud install (from before NixOS ${nixos}) may be installed. @@ -939,6 +939,7 @@ in { in { wantedBy = [ "multi-user.target" ]; + wants = [ "nextcloud-update-db.service" ]; before = [ "phpfpm-nextcloud.service" ]; after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; requires = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; @@ -997,7 +998,7 @@ in { after = [ "nextcloud-setup.service" ]; environment.NEXTCLOUD_CONFIG_DIR = "${datadir}/config"; serviceConfig = { - Type = "oneshot"; + Type = "exec"; User = "nextcloud"; ExecCondition = "${lib.getExe phpPackage} -f ${webroot}/occ status -e"; ExecStart = "${lib.getExe phpPackage} -f ${webroot}/cron.php"; @@ -1013,6 +1014,20 @@ in { }; startAt = cfg.autoUpdateApps.startAt; }; + nextcloud-update-db = { + after = [ "nextcloud-setup.service" ]; + environment.NEXTCLOUD_CONFIG_DIR = "${datadir}/config"; + script = '' + ${occ}/bin/nextcloud-occ db:add-missing-columns + ${occ}/bin/nextcloud-occ db:add-missing-indices + ${occ}/bin/nextcloud-occ db:add-missing-primary-keys + ''; + serviceConfig = { + Type = "exec"; + User = "nextcloud"; + ExecCondition = "${lib.getExe phpPackage} -f ${webroot}/occ status -e"; + }; + }; }; services.phpfpm = { @@ -1105,10 +1120,10 @@ in { extraConfig = '' absolute_redirect off; location = /.well-known/carddav { - return 301 /remote.php/dav; + return 301 /remote.php/dav/; } location = /.well-known/caldav { - return 301 /remote.php/dav; + return 301 /remote.php/dav/; } location ~ ^/\.well-known/(?!acme-challenge|pki-validation) { return 301 /index.php$request_uri; diff --git a/nixpkgs/nixos/modules/services/web-apps/plausible.nix b/nixpkgs/nixos/modules/services/web-apps/plausible.nix index 8e49e591f75c..1f909bbd67a3 100644 --- a/nixpkgs/nixos/modules/services/web-apps/plausible.nix +++ b/nixpkgs/nixos/modules/services/web-apps/plausible.nix @@ -276,8 +276,11 @@ in { ${lib.optionalString (cfg.mail.smtp.passwordFile != null) ''export SMTP_USER_PWD="$(< $CREDENTIALS_DIRECTORY/SMTP_USER_PWD )"''} - # setup - ${cfg.package}/createdb.sh + ${lib.optionalString cfg.database.postgres.setup '' + # setup + ${cfg.package}/createdb.sh + ''} + ${cfg.package}/migrate.sh export IP_GEOLOCATION_DB=${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))" @@ -326,6 +329,6 @@ in { ]; }; - meta.maintainers = with maintainers; [ ]; + meta.maintainers = with maintainers; [ xanderio ]; meta.doc = ./plausible.md; } diff --git a/nixpkgs/nixos/modules/services/web-apps/pretalx.nix b/nixpkgs/nixos/modules/services/web-apps/pretalx.nix index b062a8b7eeea..1411d11982c8 100644 --- a/nixpkgs/nixos/modules/services/web-apps/pretalx.nix +++ b/nixpkgs/nixos/modules/services/web-apps/pretalx.nix @@ -11,20 +11,25 @@ let configFile = format.generate "pretalx.cfg" cfg.settings; - extras = cfg.package.optional-dependencies.redis - ++ lib.optionals (cfg.settings.database.backend == "mysql") cfg.package.optional-dependencies.mysql - ++ lib.optionals (cfg.settings.database.backend == "postgresql") cfg.package.optional-dependencies.postgres; - - pythonEnv = cfg.package.python.buildEnv.override { - extraLibs = [ (cfg.package.python.pkgs.toPythonModule cfg.package) ] - ++ (with cfg.package.python.pkgs; [ gunicorn ] - ++ lib.optional cfg.celery.enable celery) ++ extras; + finalPackage = cfg.package.override { + inherit (cfg) plugins; + }; + + pythonEnv = finalPackage.python.buildEnv.override { + extraLibs = with finalPackage.python.pkgs; [ + (toPythonModule finalPackage) + gunicorn + ] + ++ finalPackage.optional-dependencies.redis + ++ lib.optionals cfg.celery.enable [ celery ] + ++ lib.optionals (cfg.settings.database.backend == "mysql") finalPackage.optional-dependencies.mysql + ++ lib.optionals (cfg.settings.database.backend == "postgresql") finalPackage.optional-dependencies.postgres; }; in { meta = with lib; { - maintainers = teams.c3d2.members; + maintainers = with maintainers; [ hexa] ++ teams.c3d2.members; }; options.services.pretalx = { @@ -44,6 +49,20 @@ in description = "User under which pretalx should run."; }; + plugins = lib.mkOption { + type = with lib.types; listOf package; + default = []; + example = lib.literalExpression '' + with config.services.pretalx.package.plugins; [ + pages + youtube + ]; + ''; + description = '' + Pretalx plugins to install into the Python environment. + ''; + }; + gunicorn.extraArgs = lib.mkOption { type = with lib.types; listOf str; default = [ @@ -329,10 +348,47 @@ in serviceConfig = { User = "pretalx"; Group = "pretalx"; - StateDirectory = [ "pretalx" "pretalx/media" ]; + StateDirectory = [ + "pretalx" + "pretalx/media" + ]; + StateDirectoryMode = "0750"; LogsDirectory = "pretalx"; WorkingDirectory = cfg.settings.filesystem.data; SupplementaryGroups = [ "redis-pretalx" ]; + AmbientCapabilities = ""; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProcSubset = "pid"; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "@chown" + ]; + UMask = "0027"; }; }; in { @@ -395,6 +451,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}"; }); + + nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ]; }; systemd.sockets.pretalx-web.socketConfig = { @@ -403,11 +461,9 @@ in }; users = { - groups."${cfg.group}" = {}; - users."${cfg.user}" = { + groups.${cfg.group} = {}; + users.${cfg.user} = { isSystemUser = true; - createHome = true; - home = cfg.settings.filesystem.data; inherit (cfg) group; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/pretix.nix b/nixpkgs/nixos/modules/services/web-apps/pretix.nix index 22ee9769aa92..498face7456d 100644 --- a/nixpkgs/nixos/modules/services/web-apps/pretix.nix +++ b/nixpkgs/nixos/modules/services/web-apps/pretix.nix @@ -468,7 +468,7 @@ in StateDirectory = [ "pretix" ]; - StateDirectoryMode = "0755"; + StateDirectoryMode = "0750"; CacheDirectory = "pretix"; LogsDirectory = "pretix"; WorkingDirectory = cfg.settings.pretix.datadir; @@ -507,7 +507,7 @@ in "~@privileged" "@chown" ]; - UMask = "0022"; + UMask = "0027"; }; }; in { @@ -561,6 +561,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; }; + + nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ]; }; systemd.sockets.pretix-web.socketConfig = { @@ -569,11 +571,9 @@ in }; users = { - groups."${cfg.group}" = {}; - users."${cfg.user}" = { + groups.${cfg.group} = {}; + users.${cfg.user} = { isSystemUser = true; - createHome = true; - home = cfg.settings.pretix.datadir; inherit (cfg) group; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/your_spotify.nix b/nixpkgs/nixos/modules/services/web-apps/your_spotify.nix new file mode 100644 index 000000000000..3eb2ffef4f93 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/your_spotify.nix @@ -0,0 +1,191 @@ +{ + pkgs, + config, + lib, + ... +}: let + inherit + (lib) + boolToString + concatMapAttrs + concatStrings + isBool + mapAttrsToList + mkEnableOption + mkIf + mkOption + mkPackageOption + optionalAttrs + types + mkDefault + ; + cfg = config.services.your_spotify; + + configEnv = concatMapAttrs (name: value: + optionalAttrs (value != null) { + ${name} = + if isBool value + then boolToString value + else toString value; + }) + cfg.settings; + + configFile = pkgs.writeText "your_spotify.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); +in { + options.services.your_spotify = let + inherit (types) nullOr port str path package; + in { + enable = mkEnableOption "your_spotify"; + + enableLocalDB = mkEnableOption "a local mongodb instance"; + nginxVirtualHost = mkOption { + type = nullOr str; + default = null; + description = '' + If set creates an nginx virtual host for the client. + In most cases this should be the CLIENT_ENDPOINT without + protocol prefix. + ''; + }; + + package = mkPackageOption pkgs "your_spotify" {}; + + clientPackage = mkOption { + type = package; + description = "Client package to use."; + }; + + spotifySecretFile = mkOption { + type = path; + description = '' + A file containing the secret key of your Spotify application. + Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application). + ''; + }; + + settings = mkOption { + description = '' + Your Spotify Configuration. Refer to [Your Spotify](https://github.com/Yooooomi/your_spotify) for definitions and values. + ''; + example = lib.literalExpression '' + { + CLIENT_ENDPOINT = "https://example.com"; + API_ENDPOINT = "https://api.example.com"; + SPOTIFY_PUBLIC = "spotify_client_id"; + } + ''; + type = types.submodule { + freeformType = types.attrsOf types.str; + options = { + CLIENT_ENDPOINT = mkOption { + type = str; + description = '' + The endpoint of your web application. + Has to include a protocol Prefix (e.g. `http://`) + ''; + example = "https://your_spotify.example.org"; + }; + API_ENDPOINT = mkOption { + type = str; + description = '' + The endpoint of your server + This api has to be reachable from the device you use the website from not from the server. + This means that for example you may need two nginx virtual hosts if you want to expose this on the + internet. + Has to include a protocol Prefix (e.g. `http://`) + ''; + example = "https://localhost:3000"; + }; + SPOTIFY_PUBLIC = mkOption { + type = str; + description = '' + The public client ID of your Spotify application. + Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application) + ''; + }; + MONGO_ENDPOINT = mkOption { + type = str; + description = ''The endpoint of the Mongo database.''; + default = "mongodb://localhost:27017/your_spotify"; + }; + PORT = mkOption { + type = port; + description = "The port of the api server"; + default = 3000; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + services.your_spotify.clientPackage = mkDefault (cfg.package.client.override {apiEndpoint = cfg.settings.API_ENDPOINT;}); + systemd.services.your_spotify = { + after = ["network.target"]; + script = '' + export SPOTIFY_SECRET=$(< "$CREDENTIALS_DIRECTORY/SPOTIFY_SECRET") + ${lib.getExe' cfg.package "your_spotify_migrate"} + exec ${lib.getExe cfg.package} + ''; + serviceConfig = { + User = "your_spotify"; + Group = "your_spotify"; + DynamicUser = true; + EnvironmentFile = [configFile]; + StateDirectory = "your_spotify"; + LimitNOFILE = "1048576"; + PrivateTmp = true; + PrivateDevices = true; + StateDirectoryMode = "0700"; + Restart = "always"; + + LoadCredential = ["SPOTIFY_SECRET:${cfg.spotifySecretFile}"]; + + # Hardening + CapabilityBoundingSet = ""; + LockPersonality = true; + #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@pkey" + ]; + UMask = "0077"; + }; + wantedBy = ["multi-user.target"]; + }; + services.nginx = mkIf (cfg.nginxVirtualHost != null) { + enable = true; + virtualHosts.${cfg.nginxVirtualHost} = { + root = cfg.clientPackage; + locations."/".extraConfig = '' + add_header Content-Security-Policy "frame-ancestors 'none';" ; + add_header X-Content-Type-Options "nosniff" ; + try_files = $uri $uri/ /index.html ; + ''; + }; + }; + services.mongodb = mkIf cfg.enableLocalDB { + enable = true; + }; + }; + meta.maintainers = with lib.maintainers; [patrickdag]; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix index 08ce50bff62c..064a0c71b586 100644 --- a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix @@ -360,14 +360,15 @@ in serviceConfig = let runOptions = ''--config ${configPath} ${optionalString (cfg.adapter != null) "--adapter ${cfg.adapter}"}''; in { + # Override the `ExecStart` line from upstream's systemd unit file by our own: # https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= # If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect. ExecStart = [ "" ''${cfg.package}/bin/caddy run ${runOptions} ${optionalString cfg.resume "--resume"}'' ]; # Validating the configuration before applying it ensures we’ll get a proper error that will be reported when switching to the configuration - ExecReload = [ "" ''${cfg.package}/bin/caddy reload ${runOptions} --force'' ]; + ExecReload = [ "" ] ++ lib.optional cfg.enableReload "${lib.getExe cfg.package} reload ${runOptions} --force"; User = cfg.user; Group = cfg.group; - ReadWriteDirectories = cfg.dataDir; + ReadWritePaths = [ cfg.dataDir ]; StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ]; LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ]; Restart = "on-failure"; diff --git a/nixpkgs/nixos/modules/services/web-servers/garage.nix b/nixpkgs/nixos/modules/services/web-servers/garage.nix index 39ea8f21b126..d2a5109e266a 100644 --- a/nixpkgs/nixos/modules/services/web-servers/garage.nix +++ b/nixpkgs/nixos/modules/services/web-servers/garage.nix @@ -52,13 +52,6 @@ in type = types.path; description = "The main data storage, put this on your large storage (e.g. high capacity HDD)"; }; - - replication_mode = mkOption { - default = "none"; - type = types.enum ([ "none" "1" "2" "3" "2-dangerous" "3-dangerous" "3-degraded" 1 2 3 ]); - apply = v: toString v; - description = "Garage replication mode, defaults to none, see: <https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#replication-mode> for reference."; - }; }; }; description = "Garage configuration, see <https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/> for reference."; @@ -71,6 +64,44 @@ in }; config = mkIf cfg.enable { + + assertions = [ + # We removed our module-level default for replication_mode. If a user upgraded + # to garage 1.0.0 while relying on the module-level default, they would be left + # with a config which evaluates and builds, but then garage refuses to start + # because either replication_factor or replication_mode is required. + # The replication_factor option also was `toString`'ed before, which is + # now not possible anymore, so we prompt the user to change it to a string + # if present. + # These assertions can be removed in NixOS 24.11, when all users have been + # warned once. + { + assertion = (cfg.settings ? replication_factor || cfg.settings ? replication_mode) || lib.versionOlder cfg.package "1.0.0"; + message = '' + Garage 1.0.0 requires an explicit replication factor to be set. + Please set replication_factor to 1 explicitly to preserve the previous behavior. + https://git.deuxfleurs.fr/Deuxfleurs/garage/src/tag/v1.0.0/doc/book/reference-manual/configuration.md#replication_factor + + ''; + } + { + assertion = lib.isString (cfg.settings.replication_mode or ""); + message = '' + The explicit `replication_mode` option in `services.garage.settings` + has been removed and is now handled by the freeform settings in order + to allow it being completely absent (for Garage 1.x). + That module option previously `toString`'ed the value it's configured + with, which is now no longer possible. + + You're still using a non-string here, please manually set it to + a string, or migrate to the separate setting keys introduced in 1.x. + + Refer to https://garagehq.deuxfleurs.fr/documentation/working-documents/migration-1/ + for the migration guide. + ''; + } + ]; + environment.etc."garage.toml" = { source = configFile; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix index 08fab09e1e55..f9720c362935 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix @@ -142,7 +142,11 @@ let default_type application/octet-stream; ''; - configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' + configFile = ( + if cfg.validateConfigFile + then pkgs.writers.writeNginxConfig + else pkgs.writeText + ) "nginx.conf" '' pid /run/nginx/nginx.pid; error_log ${cfg.logError}; daemon off; @@ -352,7 +356,7 @@ let # The acme-challenge location doesn't need to be added if we are not using any automated # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge - acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName; + acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName; acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null) # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) # We use ^~ here, so that we don't check any regexes (which could @@ -1082,6 +1086,9 @@ in ''; description = "Declarative vhost config"; }; + validateConfigFile = lib.mkEnableOption '' + Validate configuration with pkgs.writeNginxConfig. + '' // { default = true; }; }; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/traefik.nix b/nixpkgs/nixos/modules/services/web-servers/traefik.nix index 9c53455bcf3d..1a65ce21112e 100644 --- a/nixpkgs/nixos/modules/services/web-servers/traefik.nix +++ b/nixpkgs/nixos/modules/services/web-servers/traefik.nix @@ -170,7 +170,7 @@ in { PrivateDevices = true; ProtectHome = true; ProtectSystem = "full"; - ReadWriteDirectories = cfg.dataDir; + ReadWritePaths = [ cfg.dataDir ]; RuntimeDirectory = "traefik"; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 482527d1e8ad..2e0eef67c0b3 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -157,6 +157,7 @@ in # packages nemo-with-extensions + gnome-online-accounts-gtk cinnamon-control-center cinnamon-settings-daemon libgnomekbd diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix index ce300431d47c..fe50d930b5af 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -343,10 +343,6 @@ in services.avahi.enable = mkDefault true; - xdg.portal.extraPortals = [ - pkgs.gnome.gnome-shell - ]; - services.geoclue2.enable = mkDefault true; services.geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix index beae07b70dbf..19235be4aa8d 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix @@ -84,6 +84,7 @@ in programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.gnome.at-spi2-core.enable = true; + services.gnome.glib-networking.enable = true; services.gnome.gnome-keyring.enable = true; services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix index 5500c77a038b..09b49962f2ad 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix @@ -10,7 +10,7 @@ in options = { services.xserver.windowManager.clfswm = { enable = mkEnableOption "clfswm"; - package = mkPackageOption pkgs [ "lispPackages" "clfswm" ] { }; + package = mkPackageOption pkgs [ "sbclPackages" "clfswm" ] { }; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix b/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix index 78152283a0a5..700ead836600 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.services.xserver.windowManager.qtile; - pyEnv = pkgs.python3.withPackages (p: [ (cfg.package.unwrapped or cfg.package) ] ++ (cfg.extraPackages p)); in { @@ -48,13 +47,24 @@ in ]; ''; }; + + finalPackage = mkOption { + type = types.package; + visible = false; + readOnly = true; + description = "The resulting Qtile package, bundled with extra packages"; + }; }; config = mkIf cfg.enable { + services.xserver.windowManager.qtile.finalPackage = pkgs.python3.withPackages (p: + [ (cfg.package.unwrapped or cfg.package) ] ++ (cfg.extraPackages p) + ); + services.xserver.windowManager.session = [{ name = "qtile"; start = '' - ${pyEnv}/bin/qtile start -b ${cfg.backend} \ + ${cfg.finalPackage}/bin/qtile start -b ${cfg.backend} \ ${optionalString (cfg.configFile != null) "--config \"${cfg.configFile}\""} & waitPID=$! diff --git a/nixpkgs/nixos/modules/services/x11/xserver.nix b/nixpkgs/nixos/modules/services/x11/xserver.nix index e13c27374670..5a86d055c271 100644 --- a/nixpkgs/nixos/modules/services/x11/xserver.nix +++ b/nixpkgs/nixos/modules/services/x11/xserver.nix @@ -728,9 +728,6 @@ in rm -f /tmp/.X0-lock ''; - # TODO: move declaring the systemd service to its own mkIf - script = mkIf (config.systemd.services.display-manager.enable == true) "${config.services.displayManager.execCmd}"; - # Stop restarting if the display manager stops (crashes) 2 times # in one minute. Starting X typically takes 3-4s. startLimitIntervalSec = 30; diff --git a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl index ba45231465fb..cabc1dcc2d65 100755 --- a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl @@ -472,6 +472,9 @@ sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutin $units_to_reload->{$unit} = 1; record_unit($reload_list_file, $unit); } + elsif ($unit eq "dbus.service" || $unit eq "dbus-broker.service") { + # dbus service should only ever be reloaded, not started/stoped/restarted as that would break the system. + } elsif (!parse_systemd_bool(\%new_unit_info, "Service", "X-RestartIfChanged", 1) || parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStop", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0)) { $units_to_skip->{$unit} = 1; } else { diff --git a/nixpkgs/nixos/modules/system/activation/switchable-system.nix b/nixpkgs/nixos/modules/system/activation/switchable-system.nix index d5bd8cc1dc11..d70fefd0920b 100644 --- a/nixpkgs/nixos/modules/system/activation/switchable-system.nix +++ b/nixpkgs/nixos/modules/system/activation/switchable-system.nix @@ -4,52 +4,93 @@ let perlWrapped = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp ]); + description = extra: '' + Whether to include the capability to switch configurations. + + Disabling this makes the system unable to be reconfigured via `nixos-rebuild`. + + ${extra} + ''; + in { - options = { - system.switch.enable = lib.mkOption { + options.system.switch = { + enable = lib.mkOption { type = lib.types.bool; default = true; - description = '' - Whether to include the capability to switch configurations. - - Disabling this makes the system unable to be reconfigured via `nixos-rebuild`. - + description = description '' This is good for image based appliances where updates are handled outside the image. Reducing features makes the image lighter and slightly more secure. ''; }; - }; - config = lib.mkIf config.system.switch.enable { - system.activatableSystemBuilderCommands = '' - mkdir $out/bin - substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \ - --subst-var out \ - --subst-var-by toplevel ''${!toplevelVar} \ - --subst-var-by coreutils "${pkgs.coreutils}" \ - --subst-var-by distroId ${lib.escapeShellArg config.system.nixos.distroId} \ - --subst-var-by installBootLoader ${lib.escapeShellArg config.system.build.installBootLoader} \ - --subst-var-by localeArchive "${config.i18n.glibcLocales}/lib/locale/locale-archive" \ - --subst-var-by perl "${perlWrapped}" \ - --subst-var-by shell "${pkgs.bash}/bin/sh" \ - --subst-var-by su "${pkgs.shadow.su}/bin/su" \ - --subst-var-by systemd "${config.systemd.package}" \ - --subst-var-by utillinux "${pkgs.util-linux}" \ - ; - - chmod +x $out/bin/switch-to-configuration - ${lib.optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) '' - if ! output=$(${perlWrapped}/bin/perl -c $out/bin/switch-to-configuration 2>&1); then - echo "switch-to-configuration syntax is not valid:" - echo "$output" - exit 1 - fi - ''} - ''; + enableNg = lib.mkOption { + type = lib.types.bool; + default = false; + description = description '' + Whether to use `switch-to-configuration-ng`, an experimental + re-implementation of `switch-to-configuration` with the goal of + replacing the original. + ''; + }; }; + config = lib.mkMerge [ + { + assertions = [{ + assertion = with config.system.switch; enable -> !enableNg; + message = "Only one of system.switch.enable and system.switch.enableNg may be enabled at a time"; + }]; + } + (lib.mkIf config.system.switch.enable { + system.activatableSystemBuilderCommands = '' + mkdir $out/bin + substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \ + --subst-var out \ + --subst-var-by toplevel ''${!toplevelVar} \ + --subst-var-by coreutils "${pkgs.coreutils}" \ + --subst-var-by distroId ${lib.escapeShellArg config.system.nixos.distroId} \ + --subst-var-by installBootLoader ${lib.escapeShellArg config.system.build.installBootLoader} \ + --subst-var-by localeArchive "${config.i18n.glibcLocales}/lib/locale/locale-archive" \ + --subst-var-by perl "${perlWrapped}" \ + --subst-var-by shell "${pkgs.bash}/bin/sh" \ + --subst-var-by su "${pkgs.shadow.su}/bin/su" \ + --subst-var-by systemd "${config.systemd.package}" \ + --subst-var-by utillinux "${pkgs.util-linux}" \ + ; + + chmod +x $out/bin/switch-to-configuration + ${lib.optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) '' + if ! output=$(${perlWrapped}/bin/perl -c $out/bin/switch-to-configuration 2>&1); then + echo "switch-to-configuration syntax is not valid:" + echo "$output" + exit 1 + fi + ''} + ''; + }) + (lib.mkIf config.system.switch.enableNg { + # Use a subshell so we can source makeWrapper's setup hook without + # affecting the rest of activatableSystemBuilderCommands. + system.activatableSystemBuilderCommands = '' + ( + source ${pkgs.buildPackages.makeWrapper}/nix-support/setup-hook + + mkdir $out/bin + ln -sf ${lib.getExe pkgs.switch-to-configuration-ng} $out/bin/switch-to-configuration + wrapProgram $out/bin/switch-to-configuration \ + --set OUT $out \ + --set TOPLEVEL ''${!toplevelVar} \ + --set DISTRO_ID ${lib.escapeShellArg config.system.nixos.distroId} \ + --set INSTALL_BOOTLOADER ${lib.escapeShellArg config.system.build.installBootLoader} \ + --set LOCALE_ARCHIVE ${config.i18n.glibcLocales}/lib/locale/locale-archive \ + --set SYSTEMD ${config.systemd.package} + ) + ''; + }) + ]; + } diff --git a/nixpkgs/nixos/modules/system/activation/test.nix b/nixpkgs/nixos/modules/system/activation/test.nix index 8cf000451c6e..fd251d528957 100644 --- a/nixpkgs/nixos/modules/system/activation/test.nix +++ b/nixpkgs/nixos/modules/system/activation/test.nix @@ -5,7 +5,7 @@ }: let node-forbiddenDependencies-fail = nixos ({ ... }: { - system.forbiddenDependenciesRegex = "-dev$"; + system.forbiddenDependenciesRegexes = ["-dev$"]; environment.etc."dev-dependency" = { text = "${expect.dev}"; }; @@ -14,7 +14,7 @@ let boot.loader.grub.enable = false; }); node-forbiddenDependencies-succeed = nixos ({ ... }: { - system.forbiddenDependenciesRegex = "-dev$"; + system.forbiddenDependenciesRegexes = ["-dev$"]; system.extraDependencies = [ expect.dev ]; documentation.enable = false; fileSystems."/".device = "ignore-root-device"; diff --git a/nixpkgs/nixos/modules/system/activation/top-level.nix b/nixpkgs/nixos/modules/system/activation/top-level.nix index 4cf3012646fa..ed0ece19f2fa 100644 --- a/nixpkgs/nixos/modules/system/activation/top-level.nix +++ b/nixpkgs/nixos/modules/system/activation/top-level.nix @@ -86,6 +86,7 @@ in ../build.nix (mkRemovedOptionModule [ "nesting" "clone" ] "Use `specialisation.«name» = { inheritParentConfig = true; configuration = { ... }; }` instead.") (mkRemovedOptionModule [ "nesting" "children" ] "Use `specialisation.«name».configuration = { ... }` instead.") + (mkRenamedOptionModule [ "system" "forbiddenDependenciesRegex" ] [ "system" "forbiddenDependenciesRegexes" ]) ]; options = { @@ -160,12 +161,12 @@ in ''; }; - system.forbiddenDependenciesRegex = mkOption { - default = ""; - example = "-dev$"; - type = types.str; + system.forbiddenDependenciesRegexes = mkOption { + default = []; + example = ["-dev$"]; + type = types.listOf types.str; description = '' - A POSIX Extended Regular Expression that matches store paths that + POSIX Extended Regular Expressions that match store paths that should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked. ''; }; @@ -289,15 +290,14 @@ in "$out/configuration.nix" '' + optionalString - (config.system.forbiddenDependenciesRegex != "") - '' - if [[ $forbiddenDependenciesRegex != "" && -n $closureInfo ]]; then - if forbiddenPaths="$(grep -E -- "$forbiddenDependenciesRegex" $closureInfo/store-paths)"; then + (config.system.forbiddenDependenciesRegexes != []) (lib.concatStringsSep "\n" (map (regex: '' + if [[ ${regex} != "" && -n $closureInfo ]]; then + if forbiddenPaths="$(grep -E -- "${regex}" $closureInfo/store-paths)"; then echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths" exit 1 fi fi - ''; + '') config.system.forbiddenDependenciesRegexes)); system.systemBuilderArgs = { @@ -319,8 +319,7 @@ in # option, as opposed to `system.extraDependencies`. passedChecks = concatStringsSep " " config.system.checks; } - // lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") { - inherit (config.system) forbiddenDependenciesRegex; + // lib.optionalAttrs (config.system.forbiddenDependenciesRegexes != []) { closureInfo = pkgs.closureInfo { rootPaths = [ # override to avoid infinite recursion (and to allow using extraDependencies to add forbidden dependencies) (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; })) diff --git a/nixpkgs/nixos/modules/system/boot/binfmt.nix b/nixpkgs/nixos/modules/system/boot/binfmt.nix index 3605ce56910e..1d702442f7f6 100644 --- a/nixpkgs/nixos/modules/system/boot/binfmt.nix +++ b/nixpkgs/nixos/modules/system/boot/binfmt.nix @@ -280,7 +280,7 @@ in { }; config = { - boot.binfmt.registrations = builtins.listToAttrs (map (system: { + boot.binfmt.registrations = builtins.listToAttrs (map (system: assert system != pkgs.stdenv.hostPlatform.system; { name = system; value = { config, ... }: let interpreter = getEmulator system; diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index bb899c8d8999..7f53efbf83f5 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix +++ b/nixpkgs/nixos/modules/system/boot/networkd.nix @@ -17,11 +17,13 @@ let "ManageForeignRoutingPolicyRules" "ManageForeignRoutes" "RouteTable" + "IPv6PrivacyExtensions" ]) (assertValueOneOf "SpeedMeter" boolValues) (assertInt "SpeedMeterIntervalSec") (assertValueOneOf "ManageForeignRoutingPolicyRules" boolValues) (assertValueOneOf "ManageForeignRoutes" boolValues) + (assertValueOneOf "IPv6PrivacyExtensions" (boolValues ++ ["prefer-public" "kernel"])) ]; sectionDHCPv4 = checkUnitConfig "DHCPv4" [ diff --git a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix index cc32b2a15e7c..6107a2594baf 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix @@ -473,8 +473,8 @@ in { "${cfg.package.util-linux}/bin/umount" "${cfg.package.util-linux}/bin/sulogin" - # required for script services - "${pkgs.runtimeShell}" + # required for script services, and some tools like xfs still want the sh symlink + "${pkgs.bash}/bin" # so NSS can look up usernames "${pkgs.glibc}/lib/libnss_files.so.2" diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix index 2c749d45d7a1..b75817a011cb 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix @@ -441,21 +441,45 @@ in {manpage}`systemd.time(7)`. ''; }; + + randomizedDelaySec = mkOption { + default = "6h"; + type = types.str; + example = "12h"; + description = '' + Add a randomized delay before each ZFS trim. + The delay will be chosen between zero and this value. + This value must be a time span in the format specified by + {manpage}`systemd.time(7)` + ''; + }; }; services.zfs.autoScrub = { enable = mkEnableOption "periodic scrubbing of ZFS pools"; interval = mkOption { - default = "Sun, 02:00"; + default = "monthly"; type = types.str; - example = "daily"; + example = "quarterly"; description = '' Systemd calendar expression when to scrub ZFS pools. See {manpage}`systemd.time(7)`. ''; }; + randomizedDelaySec = mkOption { + default = "6h"; + type = types.str; + example = "12h"; + description = '' + Add a randomized delay before each ZFS autoscrub. + The delay will be chosen between zero and this value. + This value must be a time span in the format specified by + {manpage}`systemd.time(7)` + ''; + }; + pools = mkOption { default = []; type = types.listOf types.str; @@ -862,6 +886,7 @@ in timerConfig = { OnCalendar = cfgScrub.interval; Persistent = "yes"; + RandomizedDelaySec = cfgScrub.randomizedDelaySec; }; }; }) @@ -879,7 +904,10 @@ in serviceConfig.ExecStart = "${pkgs.runtimeShell} -c 'for pool in $(zpool list -H -o name); do zpool trim $pool; done || true' "; }; - systemd.timers.zpool-trim.timerConfig.Persistent = "yes"; + systemd.timers.zpool-trim.timerConfig = { + Persistent = "yes"; + RandomizedDelaySec = cfgTrim.randomizedDelaySec; + }; }) ]; } diff --git a/nixpkgs/nixos/modules/testing/test-instrumentation.nix b/nixpkgs/nixos/modules/testing/test-instrumentation.nix index 28abbe66adaf..2b365bc55585 100644 --- a/nixpkgs/nixos/modules/testing/test-instrumentation.nix +++ b/nixpkgs/nixos/modules/testing/test-instrumentation.nix @@ -218,6 +218,8 @@ in services.displayManager.logToJournal = true; + services.logrotate.enable = mkOverride 150 false; + # Make sure we use the Guest Agent from the QEMU package for testing # to reduce the closure size required for the tests. services.qemuGuest.package = pkgs.qemu_test.ga; diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix index 65620dd3935b..c3639f660dfe 100644 --- a/nixpkgs/nixos/modules/virtualisation/containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/containers.nix @@ -53,13 +53,6 @@ in storage.settings = mkOption { type = toml.type; - default = { - storage = { - driver = "overlay"; - graphroot = "/var/lib/containers/storage"; - runroot = "/run/containers/storage"; - }; - }; description = "storage.conf configuration"; }; @@ -124,6 +117,12 @@ in }; }; + virtualisation.containers.storage.settings.storage = { + driver = lib.mkDefault "overlay"; + graphroot = lib.mkDefault "/var/lib/containers/storage"; + runroot = lib.mkDefault "/run/containers/storage"; + }; + environment.etc = { "containers/containers.conf".source = toml.generate "containers.conf" cfg.containersConf.settings; diff --git a/nixpkgs/nixos/modules/virtualisation/incus.nix b/nixpkgs/nixos/modules/virtualisation/incus.nix index 4d04853d20a5..87568390bd3b 100644 --- a/nixpkgs/nixos/modules/virtualisation/incus.nix +++ b/nixpkgs/nixos/modules/virtualisation/incus.nix @@ -105,6 +105,37 @@ let path = "${pkgs.OVMFFull.fd}/FV/${ovmf-prefix}_VARS.fd"; } ]; + + environment = lib.mkMerge [ + { + INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; + INCUS_OVMF_PATH = ovmf; + INCUS_USBIDS_PATH = "${pkgs.hwdata}/share/hwdata/usb.ids"; + PATH = lib.mkForce serverBinPath; + } + (lib.mkIf (cfg.ui.enable) { "INCUS_UI" = cfg.ui.package; }) + ]; + + incus-startup = pkgs.writeShellScript "incus-startup" '' + case "$1" in + start) + systemctl is-active incus.service -q && exit 0 + exec incusd activateifneeded + ;; + + stop) + systemctl is-active incus.service -q || exit 0 + exec incusd shutdown + ;; + + *) + echo "unknown argument \`$1'" >&2 + exit 1 + ;; + esac + + exit 0 + ''; in { meta = { @@ -137,6 +168,14 @@ in description = "The incus client package to use. This package is added to PATH."; }; + softDaemonRestart = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Allow for incus.service to be stopped without affecting running instances. + ''; + }; + preseed = lib.mkOption { type = lib.types.nullOr (lib.types.submodule { freeformType = preseedFormat.type; }); @@ -282,6 +321,8 @@ in systemd.services.incus = { description = "Incus Container and Virtual Machine Management Daemon"; + inherit environment; + wantedBy = lib.mkIf (!cfg.socketActivation) [ "multi-user.target" ]; after = [ "network-online.target" @@ -296,20 +337,10 @@ in wants = [ "network-online.target" ]; - environment = lib.mkMerge [ - { - INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; - INCUS_OVMF_PATH = ovmf; - INCUS_USBIDS_PATH = "${pkgs.hwdata}/share/hwdata/usb.ids"; - PATH = lib.mkForce serverBinPath; - } - (lib.mkIf (cfg.ui.enable) { "INCUS_UI" = cfg.ui.package; }) - ]; - serviceConfig = { ExecStart = "${cfg.package}/bin/incusd --group incus-admin"; ExecStartPost = "${cfg.package}/bin/incusd waitready --timeout=${cfg.startTimeout}"; - ExecStop = "${cfg.package}/bin/incus admin shutdown"; + ExecStop = lib.optionalString (!cfg.softDaemonRestart) "${cfg.package}/bin/incus admin shutdown"; KillMode = "process"; # when stopping, leave the containers alone Delegate = "yes"; @@ -324,6 +355,27 @@ in }; }; + systemd.services.incus-startup = lib.mkIf cfg.softDaemonRestart { + description = "Incus Instances Startup/Shutdown"; + + inherit environment; + + after = [ + "incus.service" + "incus.socket" + ]; + requires = [ "incus.socket" ]; + + serviceConfig = { + ExecStart = "${incus-startup} start"; + ExecStop = "${incus-startup} stop"; + RemainAfterExit = true; + TimeoutStartSec = "600s"; + TimeoutStopSec = "600s"; + Type = "oneshot"; + }; + }; + systemd.sockets.incus = { description = "Incus UNIX socket"; wantedBy = [ "sockets.target" ]; diff --git a/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix b/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix index 2c0568b4c468..38d955798f3e 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix @@ -87,10 +87,10 @@ in { contents = [ { source = toYAML "metadata.yaml" { - architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.system)) 0; + architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.stdenv.hostPlatform.system)) 0; creation_date = 1; properties = { - description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}"; + description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.stdenv.hostPlatform.system}"; os = "${config.system.nixos.distroId}"; release = "${config.system.nixos.codeName}"; }; diff --git a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix index c30f4577fdd8..3b81cfaf2b8c 100644 --- a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix @@ -912,7 +912,7 @@ in "ppc64-linux" = "tpm-spapr"; "armv7-linux" = "tpm-tis-device"; "aarch64-linux" = "tpm-tis-device"; - }.${pkgs.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU")); + }.${pkgs.stdenv.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU")); defaultText = '' Based on the guest platform Linux system: |