diff options
| author | Alyssa Ross <hi@alyssa.is> | 2024-05-21 11:19:54 +0200 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2024-05-21 11:19:54 +0200 |
| commit | 1f7ea1acad1207378e325dd0d6527a983d7192b5 (patch) | |
| tree | 38c0985697418e959e9c872b1afde54f9e6880f2 /nixpkgs/nixos | |
| parent | a4ffc889571c7100467c7aa1ccae5a4d8373089f (diff) | |
| parent | 6c0b7a92c30122196a761b440ac0d46d3d9954f1 (diff) | |
| download | nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.gz nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.bz2 nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.lz nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.xz nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.tar.zst nixlib-1f7ea1acad1207378e325dd0d6527a983d7192b5.zip | |
Merge remote-tracking branch 'nixpkgs/nixos-unstable'
Diffstat (limited to 'nixpkgs/nixos')
306 files changed, 5427 insertions, 2828 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/abstractions.section.md b/nixpkgs/nixos/doc/manual/configuration/abstractions.section.md index 06356c472ba9..3ff8ac885b65 100644 --- a/nixpkgs/nixos/doc/manual/configuration/abstractions.section.md +++ b/nixpkgs/nixos/doc/manual/configuration/abstractions.section.md @@ -10,14 +10,12 @@ If you find yourself repeating yourself over and over, it’s time to abstract. adminAddr = "alice@example.org"; forceSSL = true; enableACME = true; - enablePHP = true; }; "wiki.example.org" = { documentRoot = "/webroot/wiki.example.org"; adminAddr = "alice@example.org"; forceSSL = true; enableACME = true; - enablePHP = true; }; }; } diff --git a/nixpkgs/nixos/doc/manual/development/option-declarations.section.md b/nixpkgs/nixos/doc/manual/development/option-declarations.section.md index 325f4d11cb08..ee4540d0cf6f 100644 --- a/nixpkgs/nixos/doc/manual/development/option-declarations.section.md +++ b/nixpkgs/nixos/doc/manual/development/option-declarations.section.md @@ -173,7 +173,7 @@ lib.mkOption { ## Extensible Option Types {#sec-option-declarations-eot} -Extensible option types is a feature that allow to extend certain types +Extensible option types is a feature that allows to extend certain types declaration through multiple module files. This feature only work with a restricted set of types, namely `enum` and `submodules` and any composed forms of them. diff --git a/nixpkgs/nixos/doc/manual/development/settings-options.section.md b/nixpkgs/nixos/doc/manual/development/settings-options.section.md index 806eee563790..cedc82d32f89 100644 --- a/nixpkgs/nixos/doc/manual/development/settings-options.section.md +++ b/nixpkgs/nixos/doc/manual/development/settings-options.section.md @@ -146,6 +146,27 @@ have a predefined type and string generator already declared under : Outputs the given attribute set as an Elixir map, instead of the default Elixir keyword list +`pkgs.formats.php { finalVariable }` []{#pkgs-formats-php} + +: A function taking an attribute set with values + + `finalVariable` + + : The variable that will store generated expression (usually `config`). If set to `null`, generated expression will contain `return`. + + It returns a set with PHP-Config-specific attributes `type`, `lib`, and + `generate` as specified [below](#pkgs-formats-result). + + The `lib` attribute contains functions to be used in settings, for + generating special PHP values: + + `mkRaw phpCode` + + : Outputs the given string as raw PHP code + + `mkMixedArray list set` + + : Creates PHP array that contains both indexed and associative values. For example, `lib.mkMixedArray [ "hello" "world" ] { "nix" = "is-great"; }` returns `['hello', 'world', 'nix' => 'is-great']` []{#pkgs-formats-result} These functions all return an attribute set with these values: diff --git a/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.section.md b/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.section.md index 10ac2be4e161..38f0e5301472 100644 --- a/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.section.md +++ b/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.section.md @@ -42,9 +42,11 @@ The first steps to all these are the same: will be safer to use the `nixos-*` channels instead: ```ShellSession - $ nix-channel --add https://nixos.org/channels/nixos-version nixpkgs + $ nix-channel --add https://nixos.org/channels/nixos-<version> nixpkgs ``` + Where `<version>` corresponds to the latest version available on [channels.nixos.org](https://channels.nixos.org/). + You may want to throw in a `nix-channel --update` for good measure. 1. Install the NixOS installation tools: diff --git a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.section.md b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.section.md index 4b9ae0a9c55f..415119bd8c89 100644 --- a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.section.md +++ b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.section.md @@ -3,8 +3,8 @@ Installing NixOS into a VirtualBox guest is convenient for users who want to try NixOS without installing it on bare metal. If you want to use a pre-made VirtualBox appliance, it is available at [the downloads -page](https://nixos.org/nixos/download.html). If you want to set up a -VirtualBox guest manually, follow these instructions: +page](https://nixos.org/download/#nixos-virtualbox). If you want to set +up a VirtualBox guest manually, follow these instructions: 1. Add a New Machine in VirtualBox with OS Type "Linux / Other Linux" diff --git a/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md b/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md index 09338bf8723d..11fc65502f95 100644 --- a/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md +++ b/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md @@ -33,8 +33,8 @@ To see what channels are available, go to <https://channels.nixos.org>. contains the channel's latest version and includes ISO images and VirtualBox appliances.) Please note that during the release process, channels that are not yet released will be present here as well. See the -Getting NixOS page <https://nixos.org/nixos/download.html> to find the -newest supported stable release. +Getting NixOS page <https://nixos.org/download/> to find the newest +supported stable release. When you first install NixOS, you're automatically subscribed to the NixOS channel that corresponds to your installation source. For diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md b/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md index e3880d3deec5..f937de4d611e 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md @@ -16,7 +16,7 @@ In addition to numerous new and upgraded packages, this release has the followin - `linuxPackages_testing_bcachefs` is now fully deprecated by `linuxPackages_latest`, and is therefore no longer available. -- (TODO not sure what path to use here) The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available. +- The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available. - NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS. - This can be disabled through the `environment.stub-ld.enable` option. @@ -53,6 +53,10 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi - `system.etc.overlay.enable` option was added. If enabled, `/etc` is mounted via an overlayfs instead of being created by a custom perl script. +- For each supporting version of the Linux kernel firmware blobs + are compressed with zstd. For firmware blobs this means an increase of 4.4% in size, however + a significantly higher decompression speed. + - NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on <https://nixos.github.io/amis>. We are working on integration the data into the NixOS homepage. @@ -88,19 +92,24 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi - [Handheld Daemon](https://github.com/hhd-dev/hhd), support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as [services.handheld-daemon](#opt-services.handheld-daemon.enable). +- [BenchExec](https://github.com/sosy-lab/benchexec), a framework for reliable benchmarking and resource measurement, available as [programs.benchexec](#opt-programs.benchexec.enable), + As well as related programs + [CPU Energy Meter](https://github.com/sosy-lab/cpu-energy-meter), available as [programs.cpu-energy-meter](#opt-programs.cpu-energy-meter.enable), and + [PQoS Wrapper](https://gitlab.com/sosy-lab/software/pqos-wrapper), available as [programs.pqos-wrapper](#opt-programs.pqos-wrapper.enable). + - [Guix](https://guix.gnu.org), a functional package manager inspired by Nix. Available as [services.guix](#opt-services.guix.enable). - [PhotonVision](https://photonvision.org/), a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition. -- [clatd](https://github.com/toreanderson/clatd), a a CLAT / SIIT-DC Edge Relay implementation for Linux. +- [clatd](https://github.com/toreanderson/clatd), a CLAT / SIIT-DC Edge Relay implementation for Linux. -- [pyLoad](https://pyload.net/), a FOSS download manager written in Python. Available as [services.pyload](#opt-services.pyload.enable) +- [pyLoad](https://pyload.net/), a FOSS download manager written in Python. Available as [services.pyload](#opt-services.pyload.enable). - [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable). -- [ryzen-monitor-ng](https://github.com/mann1x/ryzen_monitor_ng), a desktop AMD CPU power monitor and controller, similar to Ryzen Master but for Linux. Available as [programs.ryzen-monitor-ng](#opt-programs.ryzen-monitor-ng.enable) +- [ryzen-monitor-ng](https://github.com/mann1x/ryzen_monitor_ng), a desktop AMD CPU power monitor and controller, similar to Ryzen Master but for Linux. Available as [programs.ryzen-monitor-ng](#opt-programs.ryzen-monitor-ng.enable). -- [ryzen-smu](https://gitlab.com/leogx9r/ryzen_smu), Linux kernel driver to expose the SMU (System Management Unit) for certain AMD Ryzen Processors. Includes the userspace program `monitor_cpu`. Available at [hardward.cpu.amd.ryzen-smu](#opt-hardware.cpu.amd.ryzen-smu.enable) +- [ryzen-smu](https://gitlab.com/leogx9r/ryzen_smu), Linux kernel driver to expose the SMU (System Management Unit) for certain AMD Ryzen Processors. Includes the userspace program `monitor_cpu`. Available at [hardward.cpu.amd.ryzen-smu](#opt-hardware.cpu.amd.ryzen-smu.enable). - `systemd`'s `gateway`, `upload`, and `remote` services, which provide ways of sending journals across the network. Enable using [services.journald.gateway](#opt-services.journald.gateway.enable), [services.journald.upload](#opt-services.journald.upload.enable), and [services.journald.remote](#opt-services.journald.remote.enable). @@ -124,16 +133,18 @@ Use `services.pipewire.extraConfig` or `services.pipewire.configPackages` for Pi - [Python Matter Server](https://github.com/home-assistant-libs/python-matter-server), a Matter Controller Server exposing websocket connections for use with other services, notably Home Assistant. - Available as [services.matter-server](#opt-services.matter-server.enable) + Available as [services.matter-server](#opt-services.matter-server.enable). - [db-rest](https://github.com/derhuerst/db-rest), a wrapper around Deutsche Bahn's internal API for public transport data. Available as [services.db-rest](#opt-services.db-rest.enable). +- [mautrix-signal](https://github.com/mautrix/signal), a Matrix-Signal puppeting bridge. Available as [services.mautrix-signal](#opt-services.mautrix-signal.enable). + - [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable). The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server software. -- [mautrix-meta](https://github.com/mautrix/meta), a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta +- [mautrix-meta](https://github.com/mautrix/meta), a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta. -- [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool), a CLI for the [Jottacloud](https://jottacloud.com/) cloud storage provider. Available as [user.services.jotta-cli](#opt-user.services.jotta-cli.enable). +- [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/1436834-jottacloud-command-line-tool), a CLI for the [Jottacloud](https://jottacloud.com/) cloud storage provider. Available as [services.jotta-cli](#opt-services.jotta-cli.enable). - [transfer-sh](https://github.com/dutchcoders/transfer.sh), a tool that supports easy and fast file sharing from the command-line. Available as [services.transfer-sh](#opt-services.transfer-sh.enable). @@ -153,8 +164,12 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable). +- [CommaFeed](https://github.com/Athou/commafeed), a Google Reader inspired self-hosted RSS reader. Available as [services.commafeed](#opt-services.commafeed.enable). + - [Monado](https://monado.freedesktop.org/), an open source XR runtime. Available as [services.monado](#opt-services.monado.enable). +- [intel-gpu-tools](https://drm.pages.freedesktop.org/igt-gpu-tools), tools for development and testing of the Intel DRM driver. Available as [hardware.intel-gpu-tools](#opt-hardware.intel-gpu-tools.enable). + - [Pretix](https://pretix.eu/about/en/), an open source ticketing software for events. Available as [services.pretix](#opt-services.pretix.enable). - [microsocks](https://github.com/rofl0r/microsocks), a tiny, portable SOCKS5 server with very moderate resource usage. Available as [services.microsocks](#opt-services.microsocks.enable). @@ -175,7 +190,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [nh](https://github.com/viperML/nh), yet another Nix CLI helper. Available as [programs.nh](#opt-programs.nh.enable). -- [ALVR](https://github.com/alvr-org/alvr), a VR desktop streamer. Available as [programs.alvr](#opt-programs.alvr.enable) +- [ALVR](https://github.com/alvr-org/alvr), a VR desktop streamer. Available as [programs.alvr](#opt-programs.alvr.enable). + +- [xdg-terminal-exec](https://github.com/Vladimir-csp/xdg-terminal-exec), the proposed Default Terminal Execution Specification. + +- [your_spotify](https://github.com/Yooooomi/your_spotify), a self hosted Spotify tracking dashboard. Available as [services.your_spotify](#opt-services.your_spotify.enable) - [RustDesk](https://rustdesk.com), a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer. Available as [services.rustdesk-server](#opt-services.rustdesk-server.enable). @@ -183,27 +202,33 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [davis](https://github.com/tchapi/davis), a simple CardDav and CalDav server inspired by Baïkal. Available as [services.davis](#opt-services.davis.enable). -- [Firefly-iii](https://www.firefly-iii.org), a free and open source personal finance manager. Available as [services.firefly-iii](#opt-services.firefly-iii.enable) +- [Firefly-iii](https://www.firefly-iii.org), a free and open source personal finance manager. Available as [services.firefly-iii](#opt-services.firefly-iii.enable). - [systemd-lock-handler](https://git.sr.ht/~whynothugo/systemd-lock-handler/), a bridge between logind D-Bus events and systemd targets. Available as [services.systemd-lock-handler.enable](#opt-services.systemd-lock-handler.enable). - [wastebin](https://github.com/matze/wastebin), a pastebin server written in rust. Available as [services.wastebin](#opt-services.wastebin.enable). -- [Mealie](https://nightly.mealie.io/), a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as [services.mealie](#opt-services.mealie.enable) +- [Mealie](https://nightly.mealie.io/), a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as [services.mealie](#opt-services.mealie.enable). - [Sunshine](https://app.lizardbyte.dev/Sunshine), a self-hosted game stream host for Moonlight. Available as [services.sunshine](#opt-services.sunshine.enable). -- [Uni-Sync](https://github.com/EightB1ts/uni-sync), a synchronization tool for Lian Li Uni Controllers. Available as [hardware.uni-sync](#opt-hardware.uni-sync.enable) +- [Uni-Sync](https://github.com/EightB1ts/uni-sync), a synchronization tool for Lian Li Uni Controllers. Available as [hardware.uni-sync](#opt-hardware.uni-sync.enable). - [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter), a Prometheus exporter for NATS. Available as [services.prometheus.exporters.nats](#opt-services.prometheus.exporters.nats.enable). - [isolate](https://github.com/ioi/isolate), a sandbox for securely executing untrusted programs. Available as [security.isolate](#opt-security.isolate.enable). +- [ydotool](https://github.com/ReimuNotMoe/ydotool), a generic command-line automation tool now has a module. Available as [programs.ydotool](#opt-programs.ydotool.enable). + +- [private-gpt](https://github.com/zylon-ai/private-gpt), a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as [services.private-gpt](#opt-services.private-gpt.enable). + +- [keto](https://www.ory.sh/keto/), a permission & access control server, the first open source implementation of ["Zanzibar: Google's Consistent, Global Authorization System"](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/). + ## Backward Incompatibilities {#sec-release-24.05-incompatibilities} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> -- `k3s`: was updated to version [v1.29](https://github.com/k3s-io/k3s/releases/tag/v1.29.1%2Bk3s2), all previous versions (k3s_1_26, k3s_1_27, k3s_1_28) will be removed. See [changelog and upgrade notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#urgent-upgrade-notes) for more information. +- `k3s`: has been updated to version [v1.30](https://github.com/k3s-io/k3s/releases/tag/v1.30.0%2Bk3s1), previous supported versions are available under release specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) and present to help you migrate to the latest supported version. See [changelog and upgrade notes](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.30.md#changelog-since-v1290) for more information. - `himalaya` was updated to v1.0.0-beta.4, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details. @@ -236,6 +261,10 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `unrar` was updated to v7. See [changelog](https://www.rarlab.com/unrar7notes.htm) for more information. +- `percona-server` now follows [the same two-fold release cycle](https://www.percona.com/blog/lts-and-innovation-releases-for-percona-server-for-mysql/) as Oracle MySQL and provides a *Long-Term-Support (LTS)* in parallel with a continuous-delivery *Innovation* release. `percona-server` defaults to `percona-server_lts`, will be backed by the same release branch throughout the lifetime of this stable NixOS release, and is still available under the versioned attribute `percona-server_8_0`. + The `percona-server_innovation` releases however have support periods shorter than the lifetime of this NixOS release and will continuously be updated to newer Percona releases. Note that Oracle considers the *Innovation* releases to be production-grade, but each release might include backwards-incompatible changes, even in its on-disk format. + The same release scheme is applied to the supporting `percona-xtrabackup` tool as well. + - `git-town` was updated from version 11 to 13. See the [changelog](https://github.com/git-town/git-town/blob/main/CHANGELOG.md#1300-2024-03-22) for breaking changes. - `k9s` was updated to v0.31. There have been various breaking changes in the config file format, @@ -244,6 +273,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m [v0.31](https://github.com/derailed/k9s/releases/tag/v0.31.0) for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration. +- the .csv format used to define lua packages to be updated via + `luarocks-packages-updater` has changed: `src` (URL towards a git repository) has now become `rockspec` (URL towards a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation. + - NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on <https://nixos.github.io/amis>. We are working on integration the data into the NixOS homepage. @@ -257,7 +289,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details. -- `nvtop` family of packages was reorganized into nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are now named as `nvtopPackages.{amd,nvidia,intel,msm}` +- `nvtop` family of packages was reorganized into nested attrset. `nvtop` has been renamed to `nvtopPackages.full`, and all `nvtop-{amd,nvidia,intel,msm}` packages are now named as `nvtopPackages.{amd,nvidia,intel,msm}`. - `neo4j` has been updated to version 5. You may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/). @@ -267,6 +299,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `mongodb-4_4` has been removed as it has reached end of life. Consequently, `unifi7` and `unifi8` now use MongoDB 5.0 by default. +- `mongodb-5_0` and newer requires a cpu with the avx instruction set to run. + - `nitter` requires a `guest_accounts.jsonl` to be provided as a path or loaded into the default location at `/var/lib/nitter/guest_accounts.jsonl`. See [Guest Account Branch Deployment](https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment) for details. - `boot.supportedFilesystems` and `boot.initrd.supportedFilesystems` are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using `supportedFilesystems.fs or false` instead of using `lib.elem "fs" supportedFilesystems` as was done previously. @@ -278,12 +312,14 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"` where the file `secret_file` contains the string `mysecret`. +- The `system.forbiddenDependenciesRegex` option has been renamed to `system.forbiddenDependenciesRegexes` and now has the type of `listOf string` instead of `string` to accept multiple regexes. + - `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading to another signature algorithm. However, for the time being it is possible to restore DSA key support using `override` to set `dsaKeysSupport = true`. - `buildGoModule` now throws an error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias. -- `services.invidious.settings.db.user`, the default database username has changed from `kemal` to `invidious`. Setups involving an externally-provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857) +- `services.invidious.settings.db.user`, the default database username has changed from `kemal` to `invidious`. Setups involving an externally-provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857). - `writeReferencesToFile` is deprecated in favour of the new trivial build helper `writeClosure`. The latter accepts a list of paths and has an unambiguous name and cleaner implementation. @@ -317,9 +353,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - Proxies are now defined with a new option `settings.proxies` which takes a list of proxies. - Consult the [upstream documentation](https://github.com/fatedier/frp#example-usage) for more details on the changes. -- `mkosi` was updated to v20. Parts of the user interface have changed. Consult the - release notes of [v19](https://github.com/systemd/mkosi/releases/tag/v19) and - [v20](https://github.com/systemd/mkosi/releases/tag/v20) for a list of changes. +- `mkosi` was updated to v22. Parts of the user interface have changed. Consult the + release notes of [v19](https://github.com/systemd/mkosi/releases/tag/v19), + [v20](https://github.com/systemd/mkosi/releases/tag/v20), + [v21](https://github.com/systemd/mkosi/releases/tag/v21) and + [v22](https://github.com/systemd/mkosi/releases/tag/v22) for a list of changes. - `gonic` has been updated to v0.16.4. Config now requires `playlists-path` to be set. See the rest of the [v0.16.0 release notes](https://github.com/sentriz/gonic/releases/tag/v0.16.0) for more details. @@ -349,7 +387,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `optparse-bash` is now dropped due to upstream inactivity. Alternatives available in Nixpkgs include [`argc`](https://github.com/sigoden/argc), [`argbash`](https://github.com/matejak/argbash), [`bashly`](https://github.com/DannyBen/bashly) and [`gum`](https://github.com/charmbracelet/gum), to name a few. -- `kanata` package has been updated to v1.6.0, which includes breaking changes. Check out the changelog of [v1.5.0](https://github.com/jtroo/kanata/releases/tag/v1.5.0) and [v1.6.0](https://github.com/jtroo/kanata/releases/tag/v1.6.0) for details. +- `kanata` package has been updated to v1.6.1, which includes breaking changes. Check out the changelog of [v1.5.0](https://github.com/jtroo/kanata/releases/tag/v1.5.0) and [v1.6.0](https://github.com/jtroo/kanata/releases/tag/v1.6.0) for details. - `craftos-pc` package has been updated to v2.8, which includes [breaking changes](https://github.com/MCJack123/craftos2/releases/tag/v2.8). - Files are now handled in binary mode; this could break programs with embedded UTF-8 characters. @@ -366,7 +404,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud29` will be installed by default. - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default. - Please note that an upgrade from v27 (or older) to v29 directly is not possible. Please upgrade to `nextcloud28` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud28;`](options.html#opt-services.nextcloud.package). - - Known warnings after the upgrade are documented in [](#module-services-nextcloud-known-warnings). + - Known warnings after the upgrade are documented in [](#module-services-nextcloud-known-warnings) from now on. + - The "Photos" app only displays Media from inside the `Photos` directory. This can be changed manually in the "Photos" tab below "Photos settings". - The vendored third party libraries have been mostly removed from `cudaPackages.nsight_systems`, which we now only ship for `cudaPackages_11_8` and later due to outdated dependencies. Users comfortable with the vendored dependencies may use `overrideAttrs` to amend the `postPatch` phase and the `meta.broken` correspondingly. Alternatively, one could package the deprecated `boost170` locally, as required for `cudaPackages_11_4.nsight_systems`. @@ -380,6 +419,12 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `halloy` package was updated past 2024.5 which introduced a breaking change by switching the config format from YAML to TOML. See https://github.com/squidowl/halloy/releases/tag/2024.5 for details. +- If `services.smokeping.webService` was enabled, smokeping is now served via nginx instead of thttpd. This change brings the following consequences: + - The default port for smokeping is now the nginx default port 80 instead of 8081. + - The option `services.smokeping.port` has been removed. To customize the port, use `services.nginx.virtualHosts.smokeping.listen.*.port`. + +- The `wpaperd` package has a breaking change moving to 1.0.1, previous version 0.3.0 had 2 different configuration files, one for wpaperd and one for the wallpapers. Remove the former and move the latter (`wallpaper.toml`) to `config.toml`. + - Ada packages (libraries and tools) have been moved into the `gnatPackages` scope. `gnatPackages` uses the default GNAT compiler, `gnat12Packages` and `gnat13Packages` use the respective matching compiler version. - Paths provided as `restartTriggers` and `reloadTriggers` for systemd units will now be copied into the nix store to make the behavior consistent. @@ -440,6 +485,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher. +- `chromium` and `ungoogled-chromium` had a long standing issue regarding Widevine DRM handling in nixpkgs fixed. + `chromium` now no longer automatically downloads Widevine when encountering DRM protected content. + To be able to play DRM protected content in `chromium` now, you have to explicitly opt-in as originally intended using `chromium.override { enableWideVine = true; }`. + This override has been added almost 10 years ago. + - switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target @@ -448,11 +498,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `systemd.oomd` module behavior is changed as: - Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like [this](https://pagure.io/fedora-workstation/issue/358). - Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/806c95e1c70af18f81d499b24cd7acfa4c36ffd6?branch=806c95e1c70af18f81d499b24cd7acfa4c36ffd6) + Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/806c95e1c70af18f81d499b24cd7acfa4c36ffd6?branch=806c95e1c70af18f81d499b24cd7acfa4c36ffd6). - Remove swap policy. This helps prevent killing processes when user's swap is small. - - Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb) + - Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: [commit](https://src.fedoraproject.org/rpms/systemd/c/7665e1796f915dedbf8e014f0a78f4f576d609bb). - `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`. @@ -503,6 +553,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `erlang-ls` package no longer ships the `els_dap` binary as of v0.51.0. +- `icu` no longer includes `install-sh` and `mkinstalldirs` in the shared folder. + ## Other Notable Changes {#sec-release-24.05-notable-changes} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> @@ -511,7 +563,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `cinnamon` has been updated to 6.0. Please beware that the [Wayland session](https://blog.linuxmint.com/?p=4591) is still experimental in this release and could potentially [affect Xorg sessions](https://blog.linuxmint.com/?p=4639). We suggest a reboot when switching between sessions. -- (TODO awaiting feedback on code-casing package names) MATE has been updated to 1.28. +- `mate` has been updated to 1.28. - To properly support panel plugins built with Wayland (in-process) support, we are introducing `services.xserver.desktopManager.mate.extraPanelApplets` option, please use that for installing panel applets. - Similarly, please use `services.xserver.desktopManager.mate.extraCajaExtensions` option for installing Caja extensions. - To use the Wayland session, enable `services.xserver.desktopManager.mate.enableWaylandSession`. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to [known issues with LightDM](https://github.com/canonical/lightdm/issues/63), we suggest using SDDM for display manager. @@ -525,6 +577,17 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list. For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``; +- `services.openssh` now has an option `authorizedKeysInHomedir`, controlling whether `~/.ssh/authorizedKeys` is + added to `authorizedKeysFiles`. + ::: {.note} + This option currently defaults to `true` for NixOS 24.05, preserving the previous behaviour. + This is expected to change in NixOS 24.11. + ::: + ::: {.warning} + Users should check that their SSH keys are in `users.users.*.openssh`, or that they have another way to access + and administer the system, before setting this option to `false`. + ::: + - [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. @@ -536,9 +599,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m The `nimPackages` and `nim2Packages` sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. -- [TODO: reword to place an attribute at the front] Programs written in [D](https://dlang.org/) using the `dub` build system and package manager can now be built using `buildDubPackage` utilizing lockfiles provided by the new `dub-to-nix` helper program. +- `buildDubPackage` can now be used to build Programs written in [D](https://dlang.org/) using the `dub` build system and package manager. See the [D section](https://nixos.org/manual/nixpkgs/unstable#dlang) in the manual for more information. +- `stalwart-mail` service uses the legacy version 0.6.X as default because newer `stalwart-mail` versions require a [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md). Change [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package) to `pkgs.stalwart-mail` if you wish to switch to the new version. + - [`portunus`](https://github.com/majewsky/portunus) has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all user accounts to strong password hashes. @@ -552,7 +617,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `garage` has been updated to v1.x.x. Users should read the [upstream release notes](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases/tag/v1.0.0) and follow the documentation when changing over their `services.garage.package` and performing this manual upgrade. -- [TODO: reword to place an attribute at the front] The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default. +- The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default. - The following options of the Nextcloud module were moved into [`services.nextcloud.settings`](#opt-services.nextcloud.settings) and renamed to match the name from Nextcloud's `config.php`: - `logLevel` -> [`loglevel`](#opt-services.nextcloud.settings.loglevel), @@ -587,7 +652,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - `sonarr` version bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089). -- [TODO: reword to place an attribute at the front] The Yama LSM is now enabled by default in the kernel, which prevents ptracing +- The kernel Yama LSM is now enabled by default, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0. @@ -605,7 +670,7 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11. -- [TODO: reword to place an attribute at the front] A new top-level package set, `pkgsExtraHardening` is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features). +- `pkgsExtraHardening`, a new top-level package set, was added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features). - `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support. @@ -657,16 +722,22 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m making it possible to accumulate definitions without resorting to `mkForce`, hence to retain the definitions not anticipating that need. +- Lisp modules: previously deprecated interface based on `common-lisp.sh` has now been removed. + - `youtrack` is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details. -- QtMultimedia has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on MacOS). +- `qt6.qtmultimedia` has changed its default backend to `QT_MEDIA_BACKEND=ffmpeg` (previously `gstreamer` on Linux or `darwin` on MacOS). The previous native backends remain available but are now minimally maintained. Refer to [upstream documentation](https://doc.qt.io/qt-6/qtmultimedia-index.html#ffmpeg-as-the-default-backend) for further details about each platform. - `drbd` out-of-tree Linux kernel driver has been added in version 9.2.7. With it the DRBD 9.x features can be used instead of the 8.x features provided by the 8.4.11 in-tree driver. -- [TODO: reword to place an attribute at the front] The oil shell's c++ version is now available as `oils-for-unix`. The python version is still available as `oil` +- `oils-for-unix`, the oil shell's c++ version is now available. The python version is still available as `oil`. - `documentation.man.mandoc` now by default uses `MANPATH` to set the directories where mandoc will search for manual pages. This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via the `mandoc.conf` configuration file like before, use `documentation.man.mandoc.settings.manpath` instead. -- `grafana-loki` package was updated to 3.0.0 which includes [breaking changes](https://github.com/grafana/loki/releases/tag/v3.0.0) +- The `systemd-confinement` module extension is now compatible with `DynamicUser=true` and thus `ProtectSystem=strict` too. + +- `grafana-loki` package was updated to 3.0.0 which includes [breaking changes](https://github.com/grafana/loki/releases/tag/v3.0.0). + +- `programs.fish.package` now allows you to override the package used in the `fish` module. diff --git a/nixpkgs/nixos/lib/systemd-lib.nix b/nixpkgs/nixos/lib/systemd-lib.nix index eef49f8c4ef3..0641da8e7751 100644 --- a/nixpkgs/nixos/lib/systemd-lib.nix +++ b/nixpkgs/nixos/lib/systemd-lib.nix @@ -18,6 +18,7 @@ let flip head isInt + isFloat isList isPath length @@ -152,7 +153,7 @@ in rec { "Systemd ${group} field `${name}' is outside the range [${toString min},${toString max}]"; assertRangeOrOneOf = name: min: max: values: group: attr: - optional (attr ? ${name} && !((min <= attr.${name} && max >= attr.${name}) || elem attr.${name} values)) + optional (attr ? ${name} && !(((isInt attr.${name} || isFloat attr.${name}) && min <= attr.${name} && max >= attr.${name}) || elem attr.${name} values)) "Systemd ${group} field `${name}' is not a value in range [${toString min},${toString max}], or one of ${toString values}"; assertMinimum = name: min: group: attr: diff --git a/nixpkgs/nixos/lib/testing/driver.nix b/nixpkgs/nixos/lib/testing/driver.nix index 7eb06e023918..d4f8e0f0c6e3 100644 --- a/nixpkgs/nixos/lib/testing/driver.nix +++ b/nixpkgs/nixos/lib/testing/driver.nix @@ -139,7 +139,7 @@ in enableOCR = mkOption { description = '' Whether to enable Optical Character Recognition functionality for - testing graphical programs. See [Machine objects](`ssec-machine-objects`). + testing graphical programs. See [`Machine objects`](#ssec-machine-objects). ''; type = types.bool; default = false; diff --git a/nixpkgs/nixos/modules/config/terminfo.nix b/nixpkgs/nixos/modules/config/terminfo.nix index 4b58605aa7f1..b538d749ffcb 100644 --- a/nixpkgs/nixos/modules/config/terminfo.nix +++ b/nixpkgs/nixos/modules/config/terminfo.nix @@ -31,7 +31,7 @@ with lib; # attrNames (filterAttrs # (_: drv: (builtins.tryEval (isDerivation drv && drv ? terminfo)).value) # pkgs) - environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs; [ + environment.systemPackages = mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs.pkgsBuildBuild; [ alacritty contour foot diff --git a/nixpkgs/nixos/modules/config/xdg/terminal-exec.nix b/nixpkgs/nixos/modules/config/xdg/terminal-exec.nix new file mode 100644 index 000000000000..daf2055d2e90 --- /dev/null +++ b/nixpkgs/nixos/modules/config/xdg/terminal-exec.nix @@ -0,0 +1,54 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + cfg = config.xdg.terminal-exec; + inherit (lib) mkIf mkEnableOption mkOption mkPackageOption types; +in +{ + meta.maintainers = with lib.maintainers; [ Cryolitia ]; + + ###### interface + + options = { + xdg.terminal-exec = { + enable = mkEnableOption "xdg-terminal-exec, the [proposed](https://gitlab.freedesktop.org/xdg/xdg-specs/-/merge_requests/46) Default Terminal Execution Specification"; + package = mkPackageOption pkgs "xdg-terminal-exec" { }; + settings = mkOption { + type = with types; attrsOf (listOf str); + default = { }; + description = '' + Configuration options for the Default Terminal Execution Specification. + + The keys are the desktop environments that are matched (case-insensitively) against `$XDG_CURRENT_DESKTOP`, + or `default` which is used when the current desktop environment is not found in the configuration. + The values are a list of terminals' [desktop file IDs](https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s02.html#desktop-file-id) to try in order of decreasing priority. + ''; + example = { + default = [ "kitty.desktop" ]; + GNOME = [ "com.raggesilver.BlackBox.desktop" "org.gnome.Terminal.desktop" ]; + }; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + environment = { + systemPackages = [ cfg.package ]; + + etc = lib.mapAttrs' ( + desktop: terminals: + # map desktop name such as GNOME to `xdg/gnome-xdg-terminals.list`, default to `xdg/xdg-terminals.list` + lib.nameValuePair ( + "xdg/${if desktop == "default" then "" else "${lib.toLower desktop}-"}xdg-terminals.list" + ) { text = lib.concatLines terminals; } + ) cfg.settings; + }; + }; +} diff --git a/nixpkgs/nixos/modules/hardware/openrazer.nix b/nixpkgs/nixos/modules/hardware/openrazer.nix index 5ba6abfdb3d7..6f61254a60c1 100644 --- a/nixpkgs/nixos/modules/hardware/openrazer.nix +++ b/nixpkgs/nixos/modules/hardware/openrazer.nix @@ -19,7 +19,7 @@ let [Startup] sync_effects_enabled = ${toPyBoolStr cfg.syncEffectsEnabled} devices_off_on_screensaver = ${toPyBoolStr cfg.devicesOffOnScreensaver} - battery_notifier = ${toPyBoolStr (cfg.mouseBatteryNotifier || cfg.batteryNotifier.enable)} + battery_notifier = ${toPyBoolStr cfg.batteryNotifier.enable} battery_notifier_freq = ${builtins.toString cfg.batteryNotifier.frequency} battery_notifier_percent = ${builtins.toString cfg.batteryNotifier.percentage} @@ -80,14 +80,6 @@ in ''; }; - mouseBatteryNotifier = mkOption { - type = types.bool; - default = true; - description = '' - Mouse battery notifier. - ''; - }; - batteryNotifier = mkOption { description = '' Settings for device battery notifications. @@ -143,14 +135,11 @@ in }; }; - config = mkIf cfg.enable { - warnings = flatten [ - (optional cfg.mouseBatteryNotifier '' - The option openrazer.mouseBatteryNotifier is deprecated. - Please use openrazer.batteryNotifier instead to enable and configure battery notifications. - '') - ]; + imports = [ + (mkRenamedOptionModule [ "hardware" "openrazer" "mouseBatteryNotifier" ] [ "hardware" "openrazer" "batteryNotifier" "enable" ]) + ]; + config = mkIf cfg.enable { boot.extraModulePackages = [ kernelPackages.openrazer ]; boot.kernelModules = drivers; diff --git a/nixpkgs/nixos/modules/hardware/video/intel-gpu-tools.nix b/nixpkgs/nixos/modules/hardware/video/intel-gpu-tools.nix new file mode 100644 index 000000000000..b69fefcae118 --- /dev/null +++ b/nixpkgs/nixos/modules/hardware/video/intel-gpu-tools.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.hardware.intel-gpu-tools; +in +{ + options = { + hardware.intel-gpu-tools = { + enable = lib.mkEnableOption "a setcap wrapper for intel-gpu-tools"; + }; + }; + + config = lib.mkIf cfg.enable { + security.wrappers.intel_gpu_top = { + owner = "root"; + group = "root"; + source = "${pkgs.intel-gpu-tools}/bin/intel_gpu_top"; + capabilities = "cap_perfmon+ep"; + }; + }; + + meta = { + maintainers = with lib.maintainers; [ kira-bruneau ]; + }; +} diff --git a/nixpkgs/nixos/modules/misc/version.nix b/nixpkgs/nixos/modules/misc/version.nix index d582e0c162de..29e9498018ec 100644 --- a/nixpkgs/nixos/modules/misc/version.nix +++ b/nixpkgs/nixos/modules/misc/version.nix @@ -135,7 +135,7 @@ in }; version = lib.mkOption { - type = types.nullOr (types.strMatching "^[a-z0-9._-]+$"); + type = types.nullOr (types.strMatching "^[a-z0-9._-~^]+$"); default = null; description = '' Image version. diff --git a/nixpkgs/nixos/modules/module-list.nix b/nixpkgs/nixos/modules/module-list.nix index a3fcbca29bdf..95a7ef3d7cbe 100644 --- a/nixpkgs/nixos/modules/module-list.nix +++ b/nixpkgs/nixos/modules/module-list.nix @@ -45,6 +45,7 @@ ./config/xdg/portals/lxqt.nix ./config/xdg/portals/wlr.nix ./config/xdg/sounds.nix + ./config/xdg/terminal-exec.nix ./config/zram.nix ./hardware/acpilight.nix ./hardware/all-firmware.nix @@ -106,6 +107,7 @@ ./hardware/video/bumblebee.nix ./hardware/video/capture/mwprocapture.nix ./hardware/video/displaylink.nix + ./hardware/video/intel-gpu-tools.nix ./hardware/video/nvidia.nix ./hardware/video/switcheroo-control.nix ./hardware/video/uvcvideo/default.nix @@ -156,6 +158,7 @@ ./programs/bash/ls-colors.nix ./programs/bash/undistract-me.nix ./programs/bcc.nix + ./programs/benchexec.nix ./programs/browserpass.nix ./programs/calls.nix ./programs/captive-browser.nix @@ -165,6 +168,7 @@ ./programs/chromium.nix ./programs/clash-verge.nix ./programs/cnping.nix + ./programs/cpu-energy-meter.nix ./programs/command-not-found/command-not-found.nix ./programs/coolercontrol.nix ./programs/criu.nix @@ -248,6 +252,7 @@ ./programs/pantheon-tweaks.nix ./programs/partition-manager.nix ./programs/plotinus.nix + ./programs/pqos-wrapper.nix ./programs/projecteur.nix ./programs/proxychains.nix ./programs/qdmr.nix @@ -306,6 +311,7 @@ ./programs/xwayland.nix ./programs/yabar.nix ./programs/yazi.nix + ./programs/ydotool.nix ./programs/yubikey-touch-detector.nix ./programs/zmap.nix ./programs/zsh/oh-my-zsh.nix @@ -665,6 +671,7 @@ ./services/matrix/maubot.nix ./services/matrix/mautrix-facebook.nix ./services/matrix/mautrix-meta.nix + ./services/matrix/mautrix-signal.nix ./services/matrix/mautrix-telegram.nix ./services/matrix/mautrix-whatsapp.nix ./services/matrix/mjolnir.nix @@ -697,6 +704,7 @@ ./services/misc/cpuminer-cryptonight.nix ./services/misc/db-rest.nix ./services/misc/devmon.nix + ./services/misc/devpi-server.nix ./services/misc/dictd.nix ./services/misc/disnix.nix ./services/misc/docker-registry.nix @@ -774,6 +782,7 @@ ./services/misc/polaris.nix ./services/misc/portunus.nix ./services/misc/preload.nix + ./services/misc/private-gpt.nix ./services/misc/prowlarr.nix ./services/misc/pufferpanel.nix ./services/misc/pykms.nix @@ -1320,6 +1329,7 @@ ./services/web-apps/akkoma.nix ./services/web-apps/alps.nix ./services/web-apps/anuko-time-tracker.nix + ./services/web-apps/artalk.nix ./services/web-apps/atlassian/confluence.nix ./services/web-apps/atlassian/crowd.nix ./services/web-apps/atlassian/jira.nix @@ -1333,6 +1343,7 @@ ./services/web-apps/chatgpt-retrieval-plugin.nix ./services/web-apps/cloudlog.nix ./services/web-apps/code-server.nix + ./services/web-apps/commafeed.nix ./services/web-apps/convos.nix ./services/web-apps/crabfit.nix ./services/web-apps/davis.nix @@ -1426,6 +1437,7 @@ ./services/web-apps/windmill.nix ./services/web-apps/wordpress.nix ./services/web-apps/writefreely.nix + ./services/web-apps/your_spotify.nix ./services/web-apps/youtrack.nix ./services/web-apps/zabbix.nix ./services/web-apps/zitadel.nix diff --git a/nixpkgs/nixos/modules/profiles/perlless.nix b/nixpkgs/nixos/modules/profiles/perlless.nix index 90abd14f077e..010e4f8f2a28 100644 --- a/nixpkgs/nixos/modules/profiles/perlless.nix +++ b/nixpkgs/nixos/modules/profiles/perlless.nix @@ -26,6 +26,6 @@ # Check that the system does not contain a Nix store path that contains the # string "perl". - system.forbiddenDependenciesRegex = "perl"; + system.forbiddenDependenciesRegexes = ["perl"]; } diff --git a/nixpkgs/nixos/modules/programs/_1password-gui.nix b/nixpkgs/nixos/modules/programs/_1password-gui.nix index b21e8783f660..04f36cf0237a 100644 --- a/nixpkgs/nixos/modules/programs/_1password-gui.nix +++ b/nixpkgs/nixos/modules/programs/_1password-gui.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs._1password-gui; @@ -9,25 +7,25 @@ let in { imports = [ - (mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] '' + (lib.mkRemovedOptionModule [ "programs" "_1password-gui" "gid" ] '' A preallocated GID will be used instead. '') ]; options = { programs._1password-gui = { - enable = mkEnableOption "the 1Password GUI application"; + enable = lib.mkEnableOption "the 1Password GUI application"; - polkitPolicyOwners = mkOption { - type = types.listOf types.str; + polkitPolicyOwners = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; - example = literalExpression ''["user1" "user2" "user3"]''; + example = lib.literalExpression ''["user1" "user2" "user3"]''; description = '' A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms. ''; }; - package = mkPackageOption pkgs "1Password GUI" { + package = lib.mkPackageOption pkgs "1Password GUI" { default = [ "_1password-gui" ]; }; }; @@ -39,7 +37,7 @@ in polkitPolicyOwners = cfg.polkitPolicyOwners; }; in - mkIf cfg.enable { + lib.mkIf cfg.enable { environment.systemPackages = [ package ]; users.groups.onepassword.gid = config.ids.gids.onepassword; diff --git a/nixpkgs/nixos/modules/programs/_1password.nix b/nixpkgs/nixos/modules/programs/_1password.nix index b87e9b776e85..5dff199341b9 100644 --- a/nixpkgs/nixos/modules/programs/_1password.nix +++ b/nixpkgs/nixos/modules/programs/_1password.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs._1password; @@ -9,22 +7,22 @@ let in { imports = [ - (mkRemovedOptionModule [ "programs" "_1password" "gid" ] '' + (lib.mkRemovedOptionModule [ "programs" "_1password" "gid" ] '' A preallocated GID will be used instead. '') ]; options = { programs._1password = { - enable = mkEnableOption "the 1Password CLI tool"; + enable = lib.mkEnableOption "the 1Password CLI tool"; - package = mkPackageOption pkgs "1Password CLI" { + package = lib.mkPackageOption pkgs "1Password CLI" { default = [ "_1password" ]; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; users.groups.onepassword-cli.gid = config.ids.gids.onepassword-cli; diff --git a/nixpkgs/nixos/modules/programs/adb.nix b/nixpkgs/nixos/modules/programs/adb.nix index d8c700bc36b6..62ab6ab4137a 100644 --- a/nixpkgs/nixos/modules/programs/adb.nix +++ b/nixpkgs/nixos/modules/programs/adb.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - { - meta.maintainers = [ maintainers.mic92 ]; + meta.maintainers = [ lib.maintainers.mic92 ]; ###### interface options = { programs.adb = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to configure system to use Android Debug Bridge (adb). To grant access to a user, it must be part of adbusers group: @@ -21,7 +19,7 @@ with lib; }; ###### implementation - config = mkIf config.programs.adb.enable { + config = lib.mkIf config.programs.adb.enable { services.udev.packages = [ pkgs.android-udev-rules ]; environment.systemPackages = [ pkgs.android-tools ]; users.groups.adbusers = {}; diff --git a/nixpkgs/nixos/modules/programs/alvr.nix b/nixpkgs/nixos/modules/programs/alvr.nix index e5de06f1157a..da66200cf075 100644 --- a/nixpkgs/nixos/modules/programs/alvr.nix +++ b/nixpkgs/nixos/modules/programs/alvr.nix @@ -1,19 +1,17 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.alvr; in { options = { programs.alvr = { - enable = mkEnableOption "ALVR, the VR desktop streamer"; + enable = lib.mkEnableOption "ALVR, the VR desktop streamer"; - package = mkPackageOption pkgs "alvr" { }; + package = lib.mkPackageOption pkgs "alvr" { }; - openFirewall = mkOption { - type = types.bool; + openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to open the default ports in the firewall for the ALVR server. @@ -22,14 +20,14 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - networking.firewall = mkIf cfg.openFirewall { + networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 9943 9944 ]; allowedUDPPorts = [ 9943 9944 ]; }; }; - meta.maintainers = with maintainers; [ passivelemon ]; + meta.maintainers = with lib.maintainers; [ passivelemon ]; } diff --git a/nixpkgs/nixos/modules/programs/appgate-sdp.nix b/nixpkgs/nixos/modules/programs/appgate-sdp.nix index 6d61c87eeb61..f4d4140571a6 100644 --- a/nixpkgs/nixos/modules/programs/appgate-sdp.nix +++ b/nixpkgs/nixos/modules/programs/appgate-sdp.nix @@ -1,15 +1,13 @@ { config, pkgs, lib, ... }: -with lib; - { options = { programs.appgate-sdp = { - enable = mkEnableOption "the AppGate SDP VPN client"; + enable = lib.mkEnableOption "the AppGate SDP VPN client"; }; }; - config = mkIf config.programs.appgate-sdp.enable { + config = lib.mkIf config.programs.appgate-sdp.enable { boot.kernelModules = [ "tun" ]; environment.systemPackages = [ pkgs.appgate-sdp ]; services.dbus.packages = [ pkgs.appgate-sdp ]; diff --git a/nixpkgs/nixos/modules/programs/atop.nix b/nixpkgs/nixos/modules/programs/atop.nix index 618b64114359..3738f926ca3d 100644 --- a/nixpkgs/nixos/modules/programs/atop.nix +++ b/nixpkgs/nixos/modules/programs/atop.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.atop; in @@ -14,31 +12,31 @@ in programs.atop = rec { - enable = mkEnableOption "Atop, a tool for monitoring system resources"; + enable = lib.mkEnableOption "Atop, a tool for monitoring system resources"; - package = mkPackageOption pkgs "atop" { }; + package = lib.mkPackageOption pkgs "atop" { }; netatop = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install and enable the netatop kernel module. Note: this sets the kernel taint flag "O" for loading out-of-tree modules. ''; }; - package = mkOption { - type = types.package; + package = lib.mkOption { + type = lib.types.package; default = config.boot.kernelPackages.netatop; - defaultText = literalExpression "config.boot.kernelPackages.netatop"; + defaultText = lib.literalExpression "config.boot.kernelPackages.netatop"; description = '' Which package to use for netatop. ''; }; }; - atopgpu.enable = mkOption { - type = types.bool; + atopgpu.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install and enable the atopgpud daemon to get information about @@ -46,8 +44,8 @@ in ''; }; - setuidWrapper.enable = mkOption { - type = types.bool; + setuidWrapper.enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install a setuid wrapper for Atop. This is required to use some of @@ -56,24 +54,24 @@ in ''; }; - atopService.enable = mkOption { - type = types.bool; + atopService.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the atop service responsible for storing statistics for long-term analysis. ''; }; - atopRotateTimer.enable = mkOption { - type = types.bool; + atopRotateTimer.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the atop-rotate timer, which restarts the atop service daily to make sure the data files are rotate. ''; }; - atopacctService.enable = mkOption { - type = types.bool; + atopacctService.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to enable the atopacct service which manages process accounting. @@ -81,8 +79,8 @@ in two refresh intervals. ''; }; - settings = mkOption { - type = types.attrs; + settings = lib.mkOption { + type = lib.types.attrs; default = { }; example = { flags = "a1f"; @@ -95,7 +93,7 @@ in }; }; - config = mkIf cfg.enable ( + config = lib.mkIf cfg.enable ( let atop = if cfg.atopgpu.enable then @@ -104,11 +102,11 @@ in cfg.package; in { - environment.etc = mkIf (cfg.settings != { }) { - atoprc.text = concatStrings - (mapAttrsToList + environment.etc = lib.mkIf (cfg.settings != { }) { + atoprc.text = lib.concatStrings + (lib.mapAttrsToList (n: v: '' - ${n} ${toString v} + ${n} ${builtins.toString v} '') cfg.settings); }; diff --git a/nixpkgs/nixos/modules/programs/ausweisapp.nix b/nixpkgs/nixos/modules/programs/ausweisapp.nix index 0359e58c554c..ebd6a3e13bf6 100644 --- a/nixpkgs/nixos/modules/programs/ausweisapp.nix +++ b/nixpkgs/nixos/modules/programs/ausweisapp.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.ausweisapp; in { options.programs.ausweisapp = { - enable = mkEnableOption "AusweisApp"; + enable = lib.mkEnableOption "AusweisApp"; - openFirewall = mkOption { + openFirewall = lib.mkOption { description = '' Whether to open the required firewall ports for the Smartphone as Card Reader (SaC) functionality of AusweisApp. ''; @@ -18,7 +16,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ ausweisapp ]; networking.firewall.allowedUDPPorts = lib.optionals cfg.openFirewall [ 24727 ]; }; diff --git a/nixpkgs/nixos/modules/programs/autojump.nix b/nixpkgs/nixos/modules/programs/autojump.nix index ecfc2f658079..5011d7e14237 100644 --- a/nixpkgs/nixos/modules/programs/autojump.nix +++ b/nixpkgs/nixos/modules/programs/autojump.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.autojump; prg = config.programs; @@ -10,8 +8,8 @@ in options = { programs.autojump = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable autojump. @@ -22,12 +20,12 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.pathsToLink = [ "/share/autojump" ]; environment.systemPackages = [ pkgs.autojump ]; programs.bash.interactiveShellInit = "source ${pkgs.autojump}/share/autojump/autojump.bash"; - programs.zsh.interactiveShellInit = mkIf prg.zsh.enable "source ${pkgs.autojump}/share/autojump/autojump.zsh"; - programs.fish.interactiveShellInit = mkIf prg.fish.enable "source ${pkgs.autojump}/share/autojump/autojump.fish"; + programs.zsh.interactiveShellInit = lib.mkIf prg.zsh.enable "source ${pkgs.autojump}/share/autojump/autojump.zsh"; + programs.fish.interactiveShellInit = lib.mkIf prg.fish.enable "source ${pkgs.autojump}/share/autojump/autojump.fish"; }; } diff --git a/nixpkgs/nixos/modules/programs/bandwhich.nix b/nixpkgs/nixos/modules/programs/bandwhich.nix index 2c78584f2d24..e2c55ca5bea4 100644 --- a/nixpkgs/nixos/modules/programs/bandwhich.nix +++ b/nixpkgs/nixos/modules/programs/bandwhich.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.bandwhich; in { - meta.maintainers = with maintainers; [ Br1ght0ne ]; + meta.maintainers = with lib.maintainers; [ Br1ght0ne ]; options = { programs.bandwhich = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add bandwhich to the global environment and configure a @@ -19,7 +17,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ bandwhich ]; security.wrappers.bandwhich = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/bash-my-aws.nix b/nixpkgs/nixos/modules/programs/bash-my-aws.nix index 15e429a75497..85618ad98f08 100644 --- a/nixpkgs/nixos/modules/programs/bash-my-aws.nix +++ b/nixpkgs/nixos/modules/programs/bash-my-aws.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let prg = config.programs; cfg = prg.bash-my-aws; @@ -13,11 +11,11 @@ in { options = { programs.bash-my-aws = { - enable = mkEnableOption "bash-my-aws"; + enable = lib.mkEnableOption "bash-my-aws"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ bash-my-aws ]; programs.bash.interactiveShellInit = initScript; diff --git a/nixpkgs/nixos/modules/programs/bash/bash-completion.nix b/nixpkgs/nixos/modules/programs/bash/bash-completion.nix index b8e5b1bfa336..c973d36fdfbf 100644 --- a/nixpkgs/nixos/modules/programs/bash/bash-completion.nix +++ b/nixpkgs/nixos/modules/programs/bash/bash-completion.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let enable = config.programs.bash.enableCompletion; in { options = { - programs.bash.enableCompletion = mkEnableOption "Bash completion for all interactive bash shells" // { + programs.bash.enableCompletion = lib.mkEnableOption "Bash completion for all interactive bash shells" // { default = true; }; }; - config = mkIf enable { + config = lib.mkIf enable { programs.bash.promptPluginInit = '' # Check whether we're running a version of Bash that has support for # programmable completion. If we do, enable all modules installed in diff --git a/nixpkgs/nixos/modules/programs/bash/bash.nix b/nixpkgs/nixos/modules/programs/bash/bash.nix index 21ef8338d8dd..0f8c40da801b 100644 --- a/nixpkgs/nixos/modules/programs/bash/bash.nix +++ b/nixpkgs/nixos/modules/programs/bash/bash.nix @@ -3,24 +3,22 @@ { config, lib, pkgs, ... }: -with lib; - let cfge = config.environment; cfg = config.programs.bash; - bashAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") - (filterAttrs (k: v: v != null) cfg.shellAliases) + bashAliases = builtins.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "alias -- ${k}=${lib.escapeShellArg v}") + (lib.filterAttrs (k: v: v != null) cfg.shellAliases) ); in { imports = [ - (mkRemovedOptionModule [ "programs" "bash" "enable" ] "") + (lib.mkRemovedOptionModule [ "programs" "bash" "enable" ] "") ]; options = { @@ -28,7 +26,7 @@ in programs.bash = { /* - enable = mkOption { + enable = lib.mkOption { default = true; description = '' Whenever to configure Bash as an interactive shell. @@ -38,44 +36,44 @@ in set this variable if you have another shell configured with NixOS. ''; - type = types.bool; + type = lib.types.bool; }; */ - shellAliases = mkOption { + shellAliases = lib.mkOption { default = {}; description = '' Set of aliases for bash shell, which overrides {option}`environment.shellAliases`. See {option}`environment.shellAliases` for an option format description. ''; - type = with types; attrsOf (nullOr (either str path)); + type = with lib.types; attrsOf (nullOr (either str path)); }; - shellInit = mkOption { + shellInit = lib.mkOption { default = ""; description = '' Shell script code called during bash shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - loginShellInit = mkOption { + loginShellInit = lib.mkOption { default = ""; description = '' Shell script code called during login bash shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - interactiveShellInit = mkOption { + interactiveShellInit = lib.mkOption { default = ""; description = '' Shell script code called during interactive bash shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - promptInit = mkOption { + promptInit = lib.mkOption { default = '' # Provide a nice prompt if the terminal supports it. if [ "$TERM" != "dumb" ] || [ -n "$INSIDE_EMACS" ]; then @@ -95,15 +93,15 @@ in description = '' Shell script code used to initialise the bash prompt. ''; - type = types.lines; + type = lib.types.lines; }; - promptPluginInit = mkOption { + promptPluginInit = lib.mkOption { default = ""; description = '' Shell script code used to initialise bash prompt plugins. ''; - type = types.lines; + type = lib.types.lines; internal = true; }; @@ -111,11 +109,11 @@ in }; - config = /* mkIf cfg.enable */ { + config = /* lib.mkIf cfg.enable */ { programs.bash = { - shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; + shellAliases = builtins.mapAttrs (name: lib.mkDefault) cfge.shellAliases; shellInit = '' if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]; then @@ -196,11 +194,11 @@ in # Configuration for readline in bash. We use "option default" # priority to allow user override using both .text and .source. - environment.etc.inputrc.source = mkOptionDefault ./inputrc; + environment.etc.inputrc.source = lib.mkOptionDefault ./inputrc; - users.defaultUserShell = mkDefault pkgs.bashInteractive; + users.defaultUserShell = lib.mkDefault pkgs.bashInteractive; - environment.pathsToLink = optionals cfg.enableCompletion [ + environment.pathsToLink = lib.optionals cfg.enableCompletion [ "/etc/bash_completion.d" "/share/bash-completion" ]; diff --git a/nixpkgs/nixos/modules/programs/bash/blesh.nix b/nixpkgs/nixos/modules/programs/bash/blesh.nix index ea342b0ce3ee..b5ca83a883bb 100644 --- a/nixpkgs/nixos/modules/programs/bash/blesh.nix +++ b/nixpkgs/nixos/modules/programs/bash/blesh.nix @@ -1,16 +1,15 @@ { lib, config, pkgs, ... }: -with lib; let cfg = config.programs.bash.blesh; in { options = { - programs.bash.blesh.enable = mkEnableOption "blesh, a full-featured line editor written in pure Bash"; + programs.bash.blesh.enable = lib.mkEnableOption "blesh, a full-featured line editor written in pure Bash"; }; - config = mkIf cfg.enable { - programs.bash.interactiveShellInit = mkBefore '' + config = lib.mkIf cfg.enable { + programs.bash.interactiveShellInit = lib.mkBefore '' source ${pkgs.blesh}/share/blesh/ble.sh ''; }; - meta.maintainers = with maintainers; [ laalsaas ]; + meta.maintainers = with lib.maintainers; [ laalsaas ]; } diff --git a/nixpkgs/nixos/modules/programs/bash/ls-colors.nix b/nixpkgs/nixos/modules/programs/bash/ls-colors.nix index 254ee14c477d..3ee00e93d4da 100644 --- a/nixpkgs/nixos/modules/programs/bash/ls-colors.nix +++ b/nixpkgs/nixos/modules/programs/bash/ls-colors.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let enable = config.programs.bash.enableLsColors; in { options = { - programs.bash.enableLsColors = mkEnableOption "extra colors in directory listings" // { + programs.bash.enableLsColors = lib.mkEnableOption "extra colors in directory listings" // { default = true; }; }; - config = mkIf enable { + config = lib.mkIf enable { programs.bash.promptPluginInit = '' eval "$(${pkgs.coreutils}/bin/dircolors -b)" ''; diff --git a/nixpkgs/nixos/modules/programs/bash/undistract-me.nix b/nixpkgs/nixos/modules/programs/bash/undistract-me.nix index 0e6465e048a1..af4f3a737dab 100644 --- a/nixpkgs/nixos/modules/programs/bash/undistract-me.nix +++ b/nixpkgs/nixos/modules/programs/bash/undistract-me.nix @@ -1,36 +1,34 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.bash.undistractMe; in { options = { programs.bash.undistractMe = { - enable = mkEnableOption "notifications when long-running terminal commands complete"; + enable = lib.mkEnableOption "notifications when long-running terminal commands complete"; - playSound = mkEnableOption "notification sounds when long-running terminal commands complete"; + playSound = lib.mkEnableOption "notification sounds when long-running terminal commands complete"; - timeout = mkOption { + timeout = lib.mkOption { default = 10; description = '' Number of seconds it would take for a command to be considered long-running. ''; - type = types.int; + type = lib.types.int; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.bash.promptPluginInit = '' - export LONG_RUNNING_COMMAND_TIMEOUT=${toString cfg.timeout} + export LONG_RUNNING_COMMAND_TIMEOUT=${builtins.toString cfg.timeout} export UDM_PLAY_SOUND=${if cfg.playSound then "1" else "0"} . "${pkgs.undistract-me}/etc/profile.d/undistract-me.sh" ''; }; meta = { - maintainers = with maintainers; [ kira-bruneau ]; + maintainers = with lib.maintainers; [ kira-bruneau ]; }; } diff --git a/nixpkgs/nixos/modules/programs/benchexec.nix b/nixpkgs/nixos/modules/programs/benchexec.nix new file mode 100644 index 000000000000..652670c117ea --- /dev/null +++ b/nixpkgs/nixos/modules/programs/benchexec.nix @@ -0,0 +1,98 @@ +{ lib +, pkgs +, config +, options +, ... +}: +let + cfg = config.programs.benchexec; + opt = options.programs.benchexec; + + filterUsers = x: + if builtins.isString x then config.users.users ? ${x} else + if builtins.isInt x then x else + throw "filterUsers expects string (username) or int (UID)"; + + uid = x: + if builtins.isString x then config.users.users.${x}.uid else + if builtins.isInt x then x else + throw "uid expects string (username) or int (UID)"; +in +{ + options.programs.benchexec = { + enable = lib.mkEnableOption "BenchExec"; + package = lib.options.mkPackageOption pkgs "benchexec" { }; + + users = lib.options.mkOption { + type = with lib.types; listOf (either str int); + description = '' + Users that intend to use BenchExec. + Provide usernames of users that are configured via {option}`${options.users.users}` as string, + and UIDs of "mutable users" as integers. + Control group delegation will be configured via systemd. + For more information, see <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#setting-up-cgroups>. + ''; + default = [ ]; + example = lib.literalExpression '' + [ + "alice" # username of a user configured via ${options.users.users} + 1007 # UID of a mutable user + ] + ''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = (map + (user: { + assertion = config.users.users ? ${user}; + message = '' + The user '${user}' intends to use BenchExec (via `${opt.users}`), but is not configured via `${options.users.users}`. + ''; + }) + (builtins.filter builtins.isString cfg.users) + ) ++ (map + (id: { + assertion = config.users.mutableUsers; + message = '' + The user with UID '${id}' intends to use BenchExec (via `${opt.users}`), but mutable users are disabled via `${options.users.mutableUsers}`. + ''; + }) + (builtins.filter builtins.isInt cfg.users) + ) ++ [ + { + assertion = config.systemd.enableUnifiedCgroupHierarchy == true; + message = '' + The BenchExec module `${opt.enable}` only supports control groups 2 (`${options.systemd.enableUnifiedCgroupHierarchy} = true`). + ''; + } + ]; + + environment.systemPackages = [ cfg.package ]; + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#setting-up-cgroups>. + systemd.services = builtins.listToAttrs (map + (user: { + name = "user@${builtins.toString (uid user)}"; + value = { + serviceConfig.Delegate = "yes"; + overrideStrategy = "asDropin"; + }; + }) + (builtins.filter filterUsers cfg.users)); + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#requirements>. + virtualisation.lxc.lxcfs.enable = lib.mkDefault true; + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#requirements>. + programs = { + cpu-energy-meter.enable = lib.mkDefault true; + pqos-wrapper.enable = lib.mkDefault true; + }; + + # See <https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#kernel-requirements>. + security.unprivilegedUsernsClone = true; + }; + + meta.maintainers = with lib.maintainers; [ lorenzleutgeb ]; +} diff --git a/nixpkgs/nixos/modules/programs/browserpass.nix b/nixpkgs/nixos/modules/programs/browserpass.nix index 2894e237e3d4..ab6be266ea8d 100644 --- a/nixpkgs/nixos/modules/programs/browserpass.nix +++ b/nixpkgs/nixos/modules/programs/browserpass.nix @@ -1,12 +1,10 @@ { config, lib, pkgs, ... }: -with lib; - { - options.programs.browserpass.enable = mkEnableOption "Browserpass native messaging host"; + options.programs.browserpass.enable = lib.mkEnableOption "Browserpass native messaging host"; - config = mkIf config.programs.browserpass.enable { + config = lib.mkIf config.programs.browserpass.enable { environment.etc = let appId = "com.github.browserpass.native.json"; source = part: "${pkgs.browserpass}/lib/browserpass/${part}/${appId}"; diff --git a/nixpkgs/nixos/modules/programs/calls.nix b/nixpkgs/nixos/modules/programs/calls.nix index 0cf05f8a2ea0..36a4c51ddf43 100644 --- a/nixpkgs/nixos/modules/programs/calls.nix +++ b/nixpkgs/nixos/modules/programs/calls.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.calls; in { options = { programs.calls = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' GNOME calls: a phone dialer and call handler ''; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.dconf.enable = true; environment.systemPackages = [ diff --git a/nixpkgs/nixos/modules/programs/cdemu.nix b/nixpkgs/nixos/modules/programs/cdemu.nix index 3ee8b2d8fcd6..1aac28af1d2c 100644 --- a/nixpkgs/nixos/modules/programs/cdemu.nix +++ b/nixpkgs/nixos/modules/programs/cdemu.nix @@ -1,36 +1,34 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.cdemu; in { options = { programs.cdemu = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' {command}`cdemu` for members of {option}`programs.cdemu.group`. ''; }; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "cdrom"; description = '' Group that users must be in to use {command}`cdemu`. ''; }; - gui = mkOption { - type = types.bool; + gui = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to install the {command}`cdemu` GUI (gCDEmu). ''; }; - image-analyzer = mkOption { - type = types.bool; + image-analyzer = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to install the image analyzer. @@ -39,7 +37,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { boot = { extraModulePackages = [ config.boot.kernelPackages.vhba ]; @@ -68,8 +66,8 @@ in { environment.systemPackages = [ pkgs.cdemu-daemon pkgs.cdemu-client ] - ++ optional cfg.gui pkgs.gcdemu - ++ optional cfg.image-analyzer pkgs.image-analyzer; + ++ lib.optional cfg.gui pkgs.gcdemu + ++ lib.optional cfg.image-analyzer pkgs.image-analyzer; }; } diff --git a/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix b/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix index 28d1ef5992d7..bc1626403935 100644 --- a/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix +++ b/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix @@ -2,8 +2,6 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.cfs-zen-tweaks; @@ -13,14 +11,14 @@ in { meta = { - maintainers = with maintainers; [ mkg20001 ]; + maintainers = with lib.maintainers; [ mkg20001 ]; }; options = { - programs.cfs-zen-tweaks.enable = mkEnableOption "CFS Zen Tweaks"; + programs.cfs-zen-tweaks.enable = lib.mkEnableOption "CFS Zen Tweaks"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.packages = [ pkgs.cfs-zen-tweaks ]; systemd.services.set-cfs-tweaks.wantedBy = [ diff --git a/nixpkgs/nixos/modules/programs/chromium.nix b/nixpkgs/nixos/modules/programs/chromium.nix index fa5abe957a90..4d248dbe0945 100644 --- a/nixpkgs/nixos/modules/programs/chromium.nix +++ b/nixpkgs/nixos/modules/programs/chromium.nix @@ -1,11 +1,9 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.chromium; - defaultProfile = filterAttrs (k: v: v != null) { + defaultProfile = lib.filterAttrs (k: v: v != null) { HomepageLocation = cfg.homepageLocation; DefaultSearchProviderEnabled = cfg.defaultSearchProviderEnabled; DefaultSearchProviderSearchURL = cfg.defaultSearchProviderSearchURL; @@ -19,14 +17,14 @@ in options = { programs.chromium = { - enable = mkEnableOption "{command}`chromium` policies"; + enable = lib.mkEnableOption "{command}`chromium` policies"; - enablePlasmaBrowserIntegration = mkEnableOption "Native Messaging Host for Plasma Browser Integration"; + enablePlasmaBrowserIntegration = lib.mkEnableOption "Native Messaging Host for Plasma Browser Integration"; - plasmaBrowserIntegrationPackage = mkPackageOption pkgs [ "plasma5Packages" "plasma-browser-integration" ] { }; + plasmaBrowserIntegrationPackage = lib.mkPackageOption pkgs [ "plasma5Packages" "plasma-browser-integration" ] { }; - extensions = mkOption { - type = with types; nullOr (listOf str); + extensions = lib.mkOption { + type = with lib.types; nullOr (listOf str); description = '' List of chromium extensions to install. For list of plugins ids see id in url of extensions on @@ -38,7 +36,7 @@ in for additional details. ''; default = null; - example = literalExpression '' + example = lib.literalExpression '' [ "chlffgpmiacpedhhbkiomidkjlcfhogd" # pushbullet "mbniclmhobmnbdlbpiphghaielnnpgdp" # lightshot @@ -48,36 +46,36 @@ in ''; }; - homepageLocation = mkOption { - type = types.nullOr types.str; + homepageLocation = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = "Chromium default homepage"; default = null; example = "https://nixos.org"; }; - defaultSearchProviderEnabled = mkOption { - type = types.nullOr types.bool; + defaultSearchProviderEnabled = lib.mkOption { + type = lib.types.nullOr lib.types.bool; description = "Enable the default search provider."; default = null; example = true; }; - defaultSearchProviderSearchURL = mkOption { - type = types.nullOr types.str; + defaultSearchProviderSearchURL = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = "Chromium default search provider url."; default = null; example = "https://encrypted.google.com/search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}"; }; - defaultSearchProviderSuggestURL = mkOption { - type = types.nullOr types.str; + defaultSearchProviderSuggestURL = lib.mkOption { + type = lib.types.nullOr lib.types.str; description = "Chromium default search provider url for suggestions."; default = null; example = "https://encrypted.google.com/complete/search?output=chrome&q={searchTerms}"; }; - extraOpts = mkOption { - type = types.attrs; + extraOpts = lib.mkOption { + type = lib.types.attrs; description = '' Extra chromium policy options. A list of available policies can be found in the Chrome Enterprise documentation: @@ -85,7 +83,7 @@ in Make sure the selected policy is supported on Linux and your browser version. ''; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { "BrowserSignin" = 0; "SyncDisabled" = true; @@ -99,8 +97,8 @@ in ''; }; - initialPrefs = mkOption { - type = types.attrs; + initialPrefs = lib.mkOption { + type = lib.types.attrs; description = '' Initial preferences are used to configure the browser for the first run. Unlike {option}`programs.chromium.extraOpts`, initialPrefs can be changed by users in the browser settings. @@ -108,7 +106,7 @@ in <https://www.chromium.org/administrators/configuring-other-preferences/> ''; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { "first_run_tabs" = [ "https://nixos.org/" diff --git a/nixpkgs/nixos/modules/programs/cnping.nix b/nixpkgs/nixos/modules/programs/cnping.nix index 77cbf4d82086..f4b5aa845b5f 100644 --- a/nixpkgs/nixos/modules/programs/cnping.nix +++ b/nixpkgs/nixos/modules/programs/cnping.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.cnping; in { options = { programs.cnping = { - enable = mkEnableOption "a setcap wrapper for cnping"; + enable = lib.mkEnableOption "a setcap wrapper for cnping"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.cnping = { source = "${pkgs.cnping}/bin/cnping"; capabilities = "cap_net_raw+ep"; diff --git a/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix b/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix index 4d2a89b51584..a223e811728d 100644 --- a/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix +++ b/nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix @@ -5,8 +5,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.command-not-found; commandNotFound = pkgs.substituteAll { @@ -23,8 +21,8 @@ in { options.programs.command-not-found = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether interactive shells should show which Nix package (if @@ -32,7 +30,7 @@ in ''; }; - dbPath = mkOption { + dbPath = lib.mkOption { default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ; description = '' Absolute path to programs.sqlite. @@ -40,11 +38,11 @@ in By default this file will be provided by your channel (nixexprs.tar.xz). ''; - type = types.path; + type = lib.types.path; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.bash.interactiveShellInit = '' # This function is called whenever a command is not found. diff --git a/nixpkgs/nixos/modules/programs/cpu-energy-meter.nix b/nixpkgs/nixos/modules/programs/cpu-energy-meter.nix new file mode 100644 index 000000000000..653ec067492d --- /dev/null +++ b/nixpkgs/nixos/modules/programs/cpu-energy-meter.nix @@ -0,0 +1,27 @@ +{ config +, lib +, pkgs +, ... +}: { + options.programs.cpu-energy-meter = { + enable = lib.mkEnableOption "CPU Energy Meter"; + package = lib.mkPackageOption pkgs "cpu-energy-meter" { }; + }; + + config = + let + cfg = config.programs.cpu-energy-meter; + in + lib.mkIf cfg.enable { + hardware.cpu.x86.msr.enable = true; + + security.wrappers.${cfg.package.meta.mainProgram} = { + owner = "nobody"; + group = config.hardware.cpu.x86.msr.group; + source = lib.getExe cfg.package; + capabilities = "cap_sys_rawio=ep"; + }; + }; + + meta.maintainers = with lib.maintainers; [ lorenzleutgeb ]; +} diff --git a/nixpkgs/nixos/modules/programs/criu.nix b/nixpkgs/nixos/modules/programs/criu.nix index 9414d0b27f0d..492a158923cb 100644 --- a/nixpkgs/nixos/modules/programs/criu.nix +++ b/nixpkgs/nixos/modules/programs/criu.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.criu; in { options = { programs.criu = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Install {command}`criu` along with necessary kernel options. @@ -16,7 +14,7 @@ in { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "CHECKPOINT_RESTORE") ]; diff --git a/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix b/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix index 10b5a88171fc..06d33966b4a0 100644 --- a/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix +++ b/nixpkgs/nixos/modules/programs/digitalbitbox/default.nix @@ -1,29 +1,27 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.digitalbitbox; in { options.programs.digitalbitbox = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Installs the Digital Bitbox application and enables the complementary hardware module. ''; }; - package = mkPackageOption pkgs "digitalbitbox" { + package = lib.mkPackageOption pkgs "digitalbitbox" { extraDescription = '' This can be used to install a package with udev rules that differ from the defaults. ''; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; hardware.digitalbitbox = { enable = true; diff --git a/nixpkgs/nixos/modules/programs/dmrconfig.nix b/nixpkgs/nixos/modules/programs/dmrconfig.nix index 15338681e642..0078ca19f41a 100644 --- a/nixpkgs/nixos/modules/programs/dmrconfig.nix +++ b/nixpkgs/nixos/modules/programs/dmrconfig.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.dmrconfig; in { - meta.maintainers = with maintainers; [ ]; + meta.maintainers = with lib.maintainers; [ ]; ###### interface options = { programs.dmrconfig = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to configure system to enable use of dmrconfig. This enables the required udev rules and installs the program. @@ -21,12 +19,12 @@ in { relatedPackages = [ "dmrconfig" ]; }; - package = mkPackageOption pkgs "dmrconfig" { }; + package = lib.mkPackageOption pkgs "dmrconfig" { }; }; }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; services.udev.packages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/programs/droidcam.nix b/nixpkgs/nixos/modules/programs/droidcam.nix index 9843a1f5be25..eef3997e6b80 100644 --- a/nixpkgs/nixos/modules/programs/droidcam.nix +++ b/nixpkgs/nixos/modules/programs/droidcam.nix @@ -1,10 +1,8 @@ { lib, pkgs, config, ... }: -with lib; - { options.programs.droidcam = { - enable = mkEnableOption "DroidCam client"; + enable = lib.mkEnableOption "DroidCam client"; }; config = lib.mkIf config.programs.droidcam.enable { diff --git a/nixpkgs/nixos/modules/programs/dublin-traceroute.nix b/nixpkgs/nixos/modules/programs/dublin-traceroute.nix index 6ff8a5bdefc3..de9446ad7377 100644 --- a/nixpkgs/nixos/modules/programs/dublin-traceroute.nix +++ b/nixpkgs/nixos/modules/programs/dublin-traceroute.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.dublin-traceroute; @@ -10,22 +8,22 @@ in { options = { programs.dublin-traceroute = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' dublin-traceroute, add it to the global environment and configure a setcap wrapper for it. ''; - package = mkPackageOption pkgs "dublin-traceroute" { }; + package = lib.mkPackageOption pkgs "dublin-traceroute" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; security.wrappers.dublin-traceroute = { owner = "root"; group = "root"; capabilities = "cap_net_raw+p"; - source = getExe cfg.package; + source = lib.getExe cfg.package; }; }; } diff --git a/nixpkgs/nixos/modules/programs/ecryptfs.nix b/nixpkgs/nixos/modules/programs/ecryptfs.nix index ced5eb26fb9a..8674f7ec80e0 100644 --- a/nixpkgs/nixos/modules/programs/ecryptfs.nix +++ b/nixpkgs/nixos/modules/programs/ecryptfs.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.ecryptfs; in { options.programs.ecryptfs = { - enable = mkEnableOption "ecryptfs setuid mount wrappers"; + enable = lib.mkEnableOption "ecryptfs setuid mount wrappers"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers = { "mount.ecryptfs_private" = { diff --git a/nixpkgs/nixos/modules/programs/environment.nix b/nixpkgs/nixos/modules/programs/environment.nix index 8ac723f42f61..8a565b7bcac4 100644 --- a/nixpkgs/nixos/modules/programs/environment.nix +++ b/nixpkgs/nixos/modules/programs/environment.nix @@ -4,8 +4,6 @@ { config, lib, ... }: -with lib; - let cfg = config.environment; @@ -20,14 +18,14 @@ in { NIXPKGS_CONFIG = "/etc/nix/nixpkgs-config.nix"; # note: many programs exec() this directly, so default options for less must not # be specified here; do so in the default value of programs.less.envVariables instead - PAGER = mkDefault "less"; - EDITOR = mkDefault "nano"; + PAGER = lib.mkDefault "less"; + EDITOR = lib.mkDefault "nano"; }; # since we set PAGER to this above, make sure it's installed programs.less.enable = true; - environment.profiles = mkAfter + environment.profiles = lib.mkAfter [ "/nix/var/nix/profiles/default" "/run/current-system/sw" ]; @@ -53,7 +51,7 @@ in environment.extraInit = '' export NIX_USER_PROFILE_DIR="/nix/var/nix/profiles/per-user/$USER" - export NIX_PROFILES="${concatStringsSep " " (reverseList cfg.profiles)}" + export NIX_PROFILES="${builtins.concatStringsSep " " (lib.reverseList cfg.profiles)}" ''; }; diff --git a/nixpkgs/nixos/modules/programs/extra-container.nix b/nixpkgs/nixos/modules/programs/extra-container.nix index c10ccd769168..6dcfba7971da 100644 --- a/nixpkgs/nixos/modules/programs/extra-container.nix +++ b/nixpkgs/nixos/modules/programs/extra-container.nix @@ -1,16 +1,15 @@ { config, pkgs, lib, ... }: -with lib; let cfg = config.programs.extra-container; in { options = { - programs.extra-container.enable = mkEnableOption '' + programs.extra-container.enable = lib.mkEnableOption '' extra-container, a tool for running declarative NixOS containers without host system rebuilds ''; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.extra-container ]; boot.extraSystemdUnitPaths = [ "/etc/systemd-mutable/system" ]; }; diff --git a/nixpkgs/nixos/modules/programs/feedbackd.nix b/nixpkgs/nixos/modules/programs/feedbackd.nix index 9de604c34a7e..0c82c7840c8f 100644 --- a/nixpkgs/nixos/modules/programs/feedbackd.nix +++ b/nixpkgs/nixos/modules/programs/feedbackd.nix @@ -1,21 +1,19 @@ { pkgs, lib, config, ... }: -with lib; - let cfg = config.programs.feedbackd; in { options = { programs.feedbackd = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' the feedbackd D-BUS service and udev rules. Your user needs to be in the `feedbackd` group to trigger effects ''; - package = mkPackageOption pkgs "feedbackd" { }; + package = lib.mkPackageOption pkgs "feedbackd" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; services.dbus.packages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/programs/firefox.nix b/nixpkgs/nixos/modules/programs/firefox.nix index 39b30be48de9..7e0dec57d2da 100644 --- a/nixpkgs/nixos/modules/programs/firefox.nix +++ b/nixpkgs/nixos/modules/programs/firefox.nix @@ -1,7 +1,5 @@ { pkgs, config, lib, ... }: -with lib; - let cfg = config.programs.firefox; @@ -62,13 +60,13 @@ let in { options.programs.firefox = { - enable = mkEnableOption "the Firefox web browser"; + enable = lib.mkEnableOption "the Firefox web browser"; - package = mkOption { - type = types.package; + package = lib.mkOption { + type = lib.types.package; default = pkgs.firefox; description = "Firefox package to use."; - defaultText = literalExpression "pkgs.firefox"; + defaultText = lib.literalExpression "pkgs.firefox"; relatedPackages = [ "firefox" "firefox-beta-bin" @@ -78,13 +76,13 @@ in ]; }; - wrapperConfig = mkOption { - type = types.attrs; + wrapperConfig = lib.mkOption { + type = lib.types.attrs; default = {}; description = "Arguments to pass to Firefox wrapper"; }; - policies = mkOption { + policies = lib.mkOption { type = policyFormat.type; default = { }; description = '' @@ -100,8 +98,8 @@ in ''; }; - preferences = mkOption { - type = with types; attrsOf (oneOf [ bool int str ]); + preferences = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ bool int str ]); default = { }; description = '' Preferences to set from `about:config`. @@ -113,8 +111,8 @@ in ''; }; - preferencesStatus = mkOption { - type = types.enum [ "default" "locked" "user" "clear" ]; + preferencesStatus = lib.mkOption { + type = lib.types.enum [ "default" "locked" "user" "clear" ]; default = "locked"; description = '' The status of `firefox.preferences`. @@ -127,9 +125,9 @@ in ''; }; - languagePacks = mkOption { + languagePacks = lib.mkOption { # Available languages can be found in https://releases.mozilla.org/pub/firefox/releases/${cfg.package.version}/linux-x86_64/xpi/ - type = types.listOf (types.enum ([ + type = lib.types.listOf (lib.types.enum ([ "ach" "af" "an" @@ -235,8 +233,8 @@ in ''; }; - autoConfig = mkOption { - type = types.lines; + autoConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' AutoConfig files can be used to set and lock preferences that are not covered @@ -247,19 +245,19 @@ in }; nativeMessagingHosts = ({ - packages = mkOption { - type = types.listOf types.package; + packages = lib.mkOption { + type = lib.types.listOf lib.types.package; default = []; description = '' Additional packages containing native messaging hosts that should be made available to Firefox extensions. ''; }; - }) // (mapAttrs (k: v: mkEnableOption "${v.name} support") nmhOptions); + }) // (builtins.mapAttrs (k: v: lib.mkEnableOption "${v.name} support") nmhOptions); }; config = let - forEachEnabledNmh = fn: flatten (mapAttrsToList (k: v: lib.optional cfg.nativeMessagingHosts.${k} (fn k v)) nmhOptions); - in mkIf cfg.enable { + forEachEnabledNmh = fn: lib.flatten (lib.mapAttrsToList (k: v: lib.optional cfg.nativeMessagingHosts.${k} (fn k v)) nmhOptions); + in lib.mkIf cfg.enable { warnings = forEachEnabledNmh (k: v: "The `programs.firefox.nativeMessagingHosts.${k}` option is deprecated, " + "please add `${v.package.pname}` to `programs.firefox.nativeMessagingHosts.packages` instead." @@ -278,18 +276,18 @@ in let policiesJSON = policyFormat.generate "firefox-policies.json" { inherit (cfg) policies; }; in - mkIf (cfg.policies != { }) { + lib.mkIf (cfg.policies != { }) { "firefox/policies/policies.json".source = "${policiesJSON}"; }; # Preferences are converted into a policy programs.firefox.policies = { DisableAppUpdate = true; - Preferences = (mapAttrs + Preferences = (builtins.mapAttrs (_: value: { Value = value; Status = cfg.preferencesStatus; }) cfg.preferences); - ExtensionSettings = listToAttrs (map - (lang: nameValuePair + ExtensionSettings = builtins.listToAttrs (builtins.map + (lang: lib.attrsets.nameValuePair "langpack-${lang}@firefox.mozilla.org" { installation_mode = "normal_installed"; @@ -300,5 +298,5 @@ in }; }; - meta.maintainers = with maintainers; [ danth ]; + meta.maintainers = with lib.maintainers; [ danth ]; } diff --git a/nixpkgs/nixos/modules/programs/firejail.nix b/nixpkgs/nixos/modules/programs/firejail.nix index 0510cf8c610d..90da93818274 100644 --- a/nixpkgs/nixos/modules/programs/firejail.nix +++ b/nixpkgs/nixos/modules/programs/firejail.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.firejail; @@ -21,13 +19,13 @@ let else { executable = value; desktop = null; profile = null; extraArgs = []; }; args = lib.escapeShellArgs ( opts.extraArgs - ++ (optional (opts.profile != null) "--profile=${toString opts.profile}") + ++ (lib.optional (opts.profile != null) "--profile=${builtins.toString opts.profile}") ); in '' cat <<_EOF >$out/bin/${command} #! ${pkgs.runtimeShell} -e - exec /run/wrappers/bin/firejail ${args} -- ${toString opts.executable} "\$@" + exec /run/wrappers/bin/firejail ${args} -- ${builtins.toString opts.executable} "\$@" _EOF chmod 0755 $out/bin/${command} @@ -40,30 +38,30 @@ let in { options.programs.firejail = { - enable = mkEnableOption "firejail, a sandboxing tool for Linux"; + enable = lib.mkEnableOption "firejail, a sandboxing tool for Linux"; - wrappedBinaries = mkOption { - type = types.attrsOf (types.either types.path (types.submodule { + wrappedBinaries = lib.mkOption { + type = lib.types.attrsOf (lib.types.either lib.types.path (lib.types.submodule { options = { - executable = mkOption { - type = types.path; + executable = lib.mkOption { + type = lib.types.path; description = "Executable to run sandboxed"; - example = literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"''; + example = lib.literalExpression ''"''${lib.getBin pkgs.firefox}/bin/firefox"''; }; - desktop = mkOption { - type = types.nullOr types.path; + desktop = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = ".desktop file to modify. Only necessary if it uses the absolute path to the executable."; - example = literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"''; + example = lib.literalExpression ''"''${pkgs.firefox}/share/applications/firefox.desktop"''; }; - profile = mkOption { - type = types.nullOr types.path; + profile = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; description = "Profile to use"; - example = literalExpression ''"''${pkgs.firejail}/etc/firejail/firefox.profile"''; + example = lib.literalExpression ''"''${pkgs.firejail}/etc/firejail/firefox.profile"''; }; - extraArgs = mkOption { - type = types.listOf types.str; + extraArgs = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = "Extra arguments to pass to firejail"; example = [ "--private=~/.firejail_home" ]; @@ -71,7 +69,7 @@ in { }; })); default = {}; - example = literalExpression '' + example = lib.literalExpression '' { firefox = { executable = "''${lib.getBin pkgs.firefox}/bin/firefox"; @@ -89,7 +87,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.firejail = { setuid = true; owner = "root"; @@ -100,5 +98,5 @@ in { environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ]; }; - meta.maintainers = with maintainers; [ peterhoeg ]; + meta.maintainers = with lib.maintainers; [ peterhoeg ]; } diff --git a/nixpkgs/nixos/modules/programs/fish.nix b/nixpkgs/nixos/modules/programs/fish.nix index 2102a07cd0bc..5a6fdb9b5ec5 100644 --- a/nixpkgs/nixos/modules/programs/fish.nix +++ b/nixpkgs/nixos/modules/programs/fish.nix @@ -1,21 +1,19 @@ { config, lib, pkgs, ... }: -with lib; - let cfge = config.environment; cfg = config.programs.fish; - fishAbbrs = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "abbr -ag ${k} ${escapeShellArg v}") + fishAbbrs = lib.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "abbr -ag ${k} ${lib.escapeShellArg v}") cfg.shellAbbrs ); - fishAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias ${k} ${escapeShellArg v}") - (filterAttrs (k: v: v != null) cfg.shellAliases) + fishAliases = lib.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "alias ${k} ${lib.escapeShellArg v}") + (lib.filterAttrs (k: v: v != null) cfg.shellAliases) ); envShellInit = pkgs.writeText "shellInit" cfge.shellInit; @@ -47,16 +45,18 @@ in programs.fish = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to configure fish as an interactive shell. ''; - type = types.bool; + type = lib.types.bool; }; - useBabelfish = mkOption { - type = types.bool; + package = lib.mkPackageOption pkgs "fish" { }; + + useBabelfish = lib.mkOption { + type = lib.types.bool; default = false; description = '' If enabled, the configured environment will be translated to native fish using [babelfish](https://github.com/bouk/babelfish). @@ -64,31 +64,31 @@ in ''; }; - vendor.config.enable = mkOption { - type = types.bool; + vendor.config.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether fish should source configuration snippets provided by other packages. ''; }; - vendor.completions.enable = mkOption { - type = types.bool; + vendor.completions.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether fish should use completion files provided by other packages. ''; }; - vendor.functions.enable = mkOption { - type = types.bool; + vendor.functions.enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether fish should autoload fish functions provided by other packages. ''; }; - shellAbbrs = mkOption { + shellAbbrs = lib.mkOption { default = {}; example = { gco = "git checkout"; @@ -97,63 +97,63 @@ in description = '' Set of fish abbreviations. ''; - type = with types; attrsOf str; + type = with lib.types; attrsOf str; }; - shellAliases = mkOption { + shellAliases = lib.mkOption { default = {}; description = '' Set of aliases for fish shell, which overrides {option}`environment.shellAliases`. See {option}`environment.shellAliases` for an option format description. ''; - type = with types; attrsOf (nullOr (either str path)); + type = with lib.types; attrsOf (nullOr (either str path)); }; - shellInit = mkOption { + shellInit = lib.mkOption { default = ""; description = '' Shell script code called during fish shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - loginShellInit = mkOption { + loginShellInit = lib.mkOption { default = ""; description = '' Shell script code called during fish login shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - interactiveShellInit = mkOption { + interactiveShellInit = lib.mkOption { default = ""; description = '' Shell script code called during interactive fish shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - promptInit = mkOption { + promptInit = lib.mkOption { default = ""; description = '' Shell script code used to initialise fish prompt. ''; - type = types.lines; + type = lib.types.lines; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - programs.fish.shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; + programs.fish.shellAliases = lib.mapAttrs (name: lib.mkDefault) cfge.shellAliases; # Required for man completions documentation.man.generateCaches = lib.mkDefault true; - environment = mkMerge [ - (mkIf cfg.useBabelfish + environment = lib.mkMerge [ + (lib.mkIf cfg.useBabelfish { etc."fish/setEnvironment.fish".source = babelfishTranslate config.system.build.setEnvironment "setEnvironment"; etc."fish/shellInit.fish".source = babelfishTranslate envShellInit "shellInit"; @@ -161,7 +161,7 @@ in etc."fish/interactiveShellInit.fish".source = babelfishTranslate envInteractiveShellInit "interactiveShellInit"; }) - (mkIf (!cfg.useBabelfish) + (lib.mkIf (!cfg.useBabelfish) { etc."fish/foreign-env/shellInit".source = envShellInit; etc."fish/foreign-env/loginShellInit".source = envLoginShellInit; @@ -244,8 +244,8 @@ in patchedGenerator = pkgs.stdenv.mkDerivation { name = "fish_patched-completion-generator"; srcs = [ - "${pkgs.fish}/share/fish/tools/create_manpage_completions.py" - "${pkgs.fish}/share/fish/tools/deroff.py" + "${cfg.package}/share/fish/tools/create_manpage_completions.py" + "${cfg.package}/share/fish/tools/deroff.py" ]; unpackCmd = "cp $curSrc $(basename $curSrc)"; sourceRoot = "."; @@ -264,7 +264,7 @@ in pathName = substring storeLength (stringLength package - storeLength) package; in (package.name or pathName) + "_fish-completions") ( { inherit package; } // - optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }) + lib.optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }) '' mkdir -p $out if [ -d $package/share/man ]; then @@ -275,24 +275,24 @@ in pkgs.buildEnv { name = "system_fish-completions"; ignoreCollisions = true; - paths = map generateCompletions config.environment.systemPackages; + paths = builtins.map generateCompletions config.environment.systemPackages; }; } # include programs that bring their own completions { pathsToLink = [] - ++ optional cfg.vendor.config.enable "/share/fish/vendor_conf.d" - ++ optional cfg.vendor.completions.enable "/share/fish/vendor_completions.d" - ++ optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d"; + ++ lib.optional cfg.vendor.config.enable "/share/fish/vendor_conf.d" + ++ lib.optional cfg.vendor.completions.enable "/share/fish/vendor_completions.d" + ++ lib.optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d"; } - { systemPackages = [ pkgs.fish ]; } + { systemPackages = [ cfg.package ]; } { shells = [ "/run/current-system/sw/bin/fish" - "${pkgs.fish}/bin/fish" + (lib.getExe cfg.package) ]; } ]; diff --git a/nixpkgs/nixos/modules/programs/flashrom.nix b/nixpkgs/nixos/modules/programs/flashrom.nix index 1b9b4493ef20..dd398497c2d0 100644 --- a/nixpkgs/nixos/modules/programs/flashrom.nix +++ b/nixpkgs/nixos/modules/programs/flashrom.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.flashrom; in { options.programs.flashrom = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Installs flashrom and configures udev rules for programmers @@ -16,10 +14,10 @@ in group. ''; }; - package = mkPackageOption pkgs "flashrom" { }; + package = lib.mkPackageOption pkgs "flashrom" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.udev.packages = [ cfg.package ]; environment.systemPackages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/programs/flexoptix-app.nix b/nixpkgs/nixos/modules/programs/flexoptix-app.nix index 47a76da125f0..baa9e33882ca 100644 --- a/nixpkgs/nixos/modules/programs/flexoptix-app.nix +++ b/nixpkgs/nixos/modules/programs/flexoptix-app.nix @@ -1,19 +1,17 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.flexoptix-app; in { options = { programs.flexoptix-app = { - enable = mkEnableOption "FLEXOPTIX app + udev rules"; + enable = lib.mkEnableOption "FLEXOPTIX app + udev rules"; - package = mkPackageOption pkgs "flexoptix-app" { }; + package = lib.mkPackageOption pkgs "flexoptix-app" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; services.udev.packages = [ cfg.package ]; }; diff --git a/nixpkgs/nixos/modules/programs/freetds.nix b/nixpkgs/nixos/modules/programs/freetds.nix index 8b52fc37c5e0..77daaa8fd398 100644 --- a/nixpkgs/nixos/modules/programs/freetds.nix +++ b/nixpkgs/nixos/modules/programs/freetds.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.environment.freetds; @@ -14,10 +12,10 @@ in options = { - environment.freetds = mkOption { - type = types.attrsOf types.str; + environment.freetds = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { MYDATABASE = ''' host = 10.0.2.100 port = 1433 @@ -40,14 +38,14 @@ in ###### implementation - config = mkIf (length (attrNames cfg) > 0) { + config = lib.mkIf (builtins.length (builtins.attrNames cfg) > 0) { environment.variables.FREETDSCONF = "/etc/freetds.conf"; environment.variables.FREETDS = "/etc/freetds.conf"; environment.variables.SYBASE = "${pkgs.freetds}"; environment.etc."freetds.conf" = { text = - (concatStrings (mapAttrsToList (name: value: + (lib.concatStrings (lib.mapAttrsToList (name: value: '' [${name}] ${value} diff --git a/nixpkgs/nixos/modules/programs/fuse.nix b/nixpkgs/nixos/modules/programs/fuse.nix index c15896efbb51..7083194bd989 100644 --- a/nixpkgs/nixos/modules/programs/fuse.nix +++ b/nixpkgs/nixos/modules/programs/fuse.nix @@ -1,25 +1,23 @@ { config, lib, ... }: -with lib; - let cfg = config.programs.fuse; in { - meta.maintainers = with maintainers; [ primeos ]; + meta.maintainers = with lib.maintainers; [ primeos ]; options.programs.fuse = { - mountMax = mkOption { + mountMax = lib.mkOption { # In the C code it's an "int" (i.e. signed and at least 16 bit), but # negative numbers obviously make no sense: - type = types.ints.between 0 32767; # 2^15 - 1 + type = lib.types.ints.between 0 32767; # 2^15 - 1 default = 1000; description = '' Set the maximum number of FUSE mounts allowed to non-root users. ''; }; - userAllowOther = mkOption { - type = types.bool; + userAllowOther = lib.mkOption { + type = lib.types.bool; default = false; description = '' Allow non-root users to specify the allow_other or allow_root mount @@ -30,8 +28,8 @@ in { config = { environment.etc."fuse.conf".text = '' - ${optionalString (!cfg.userAllowOther) "#"}user_allow_other - mount_max = ${toString cfg.mountMax} + ${lib.optionalString (!cfg.userAllowOther) "#"}user_allow_other + mount_max = ${builtins.toString cfg.mountMax} ''; }; } diff --git a/nixpkgs/nixos/modules/programs/gamemode.nix b/nixpkgs/nixos/modules/programs/gamemode.nix index 878f785074f1..14892f9c6eac 100644 --- a/nixpkgs/nixos/modules/programs/gamemode.nix +++ b/nixpkgs/nixos/modules/programs/gamemode.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.gamemode; settingsFormat = pkgs.formats.ini { }; @@ -10,20 +8,20 @@ in { options = { programs.gamemode = { - enable = mkEnableOption "GameMode to optimise system performance on demand"; + enable = lib.mkEnableOption "GameMode to optimise system performance on demand"; - enableRenice = mkEnableOption "CAP_SYS_NICE on gamemoded to support lowering process niceness" // { + enableRenice = lib.mkEnableOption "CAP_SYS_NICE on gamemoded to support lowering process niceness" // { default = true; }; - settings = mkOption { + settings = lib.mkOption { type = settingsFormat.type; default = { }; description = '' System-wide configuration for GameMode (/etc/gamemode.ini). See gamemoded(8) man page for available settings. ''; - example = literalExpression '' + example = lib.literalExpression '' { general = { renice = 10; @@ -46,7 +44,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment = { systemPackages = [ pkgs.gamemode ]; etc."gamemode.ini".source = configFile; @@ -54,7 +52,7 @@ in security = { polkit.enable = true; - wrappers = mkIf cfg.enableRenice { + wrappers = lib.mkIf cfg.enableRenice { gamemoded = { owner = "root"; group = "root"; @@ -77,14 +75,14 @@ in # # This uses a link farm to make sure other wrapped executables # aren't included in PATH. - environment.PATH = mkForce (pkgs.linkFarm "pkexec" [ + environment.PATH = lib.mkForce (pkgs.linkFarm "pkexec" [ { name = "pkexec"; path = "${config.security.wrapperDir}/pkexec"; } ]); - serviceConfig.ExecStart = mkIf cfg.enableRenice [ + serviceConfig.ExecStart = lib.mkIf cfg.enableRenice [ "" # Tell systemd to clear the existing ExecStart list, to prevent appending to it. "${config.security.wrapperDir}/gamemoded" ]; @@ -95,6 +93,6 @@ in }; meta = { - maintainers = with maintainers; [ kira-bruneau ]; + maintainers = with lib.maintainers; [ kira-bruneau ]; }; } diff --git a/nixpkgs/nixos/modules/programs/gamescope.nix b/nixpkgs/nixos/modules/programs/gamescope.nix index af9ced471539..6a0b0a8fbddd 100644 --- a/nixpkgs/nixos/modules/programs/gamescope.nix +++ b/nixpkgs/nixos/modules/programs/gamescope.nix @@ -3,30 +3,30 @@ , pkgs , ... }: -with lib; let +let cfg = config.programs.gamescope; gamescope = let wrapperArgs = - optional (cfg.args != [ ]) - ''--add-flags "${toString cfg.args}"'' - ++ builtins.attrValues (mapAttrs (var: val: "--set-default ${var} ${val}") cfg.env); + lib.optional (cfg.args != [ ]) + ''--add-flags "${builtins.toString cfg.args}"'' + ++ builtins.attrValues (builtins.mapAttrs (var: val: "--set-default ${var} ${val}") cfg.env); in pkgs.runCommand "gamescope" { nativeBuildInputs = [ pkgs.makeBinaryWrapper ]; } '' mkdir -p $out/bin makeWrapper ${cfg.package}/bin/gamescope $out/bin/gamescope --inherit-argv0 \ - ${toString wrapperArgs} + ${builtins.toString wrapperArgs} ''; in { options.programs.gamescope = { - enable = mkEnableOption "gamescope, the SteamOS session compositing window manager"; + enable = lib.mkEnableOption "gamescope, the SteamOS session compositing window manager"; - package = mkPackageOption pkgs "gamescope" { }; + package = lib.mkPackageOption pkgs "gamescope" { }; - capSysNice = mkOption { - type = types.bool; + capSysNice = lib.mkOption { + type = lib.types.bool; default = false; description = '' Add cap_sys_nice capability to the GameScope @@ -34,8 +34,8 @@ in ''; }; - args = mkOption { - type = types.listOf types.str; + args = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; example = [ "--rt" "--prefer-vk-device 8086:9bc4" ]; description = '' @@ -43,10 +43,10 @@ in ''; }; - env = mkOption { - type = types.attrsOf types.str; + env = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = { }; - example = literalExpression '' + example = lib.literalExpression '' # for Prime render offload on Nvidia laptops. # Also requires `hardware.nvidia.prime.offload.enable`. { @@ -61,8 +61,8 @@ in }; }; - config = mkIf cfg.enable { - security.wrappers = mkIf cfg.capSysNice { + config = lib.mkIf cfg.enable { + security.wrappers = lib.mkIf cfg.capSysNice { gamescope = { owner = "root"; group = "root"; @@ -71,8 +71,8 @@ in }; }; - environment.systemPackages = mkIf (!cfg.capSysNice) [ gamescope ]; + environment.systemPackages = lib.mkIf (!cfg.capSysNice) [ gamescope ]; }; - meta.maintainers = with maintainers; [ nrdxp ]; + meta.maintainers = with lib.maintainers; [ nrdxp ]; } diff --git a/nixpkgs/nixos/modules/programs/geary.nix b/nixpkgs/nixos/modules/programs/geary.nix index 6103ee7df859..cfd5bed78d97 100644 --- a/nixpkgs/nixos/modules/programs/geary.nix +++ b/nixpkgs/nixos/modules/programs/geary.nix @@ -1,20 +1,18 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.geary; in { meta = { - maintainers = teams.gnome.members; + maintainers = lib.teams.gnome.members; }; options = { - programs.geary.enable = mkEnableOption "Geary, a Mail client for GNOME"; + programs.geary.enable = lib.mkEnableOption "Geary, a Mail client for GNOME"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.gnome.geary ]; programs.dconf.enable = true; services.gnome.gnome-keyring.enable = true; diff --git a/nixpkgs/nixos/modules/programs/git.nix b/nixpkgs/nixos/modules/programs/git.nix index 2a5d52f2d191..e4f6ce937f04 100644 --- a/nixpkgs/nixos/modules/programs/git.nix +++ b/nixpkgs/nixos/modules/programs/git.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.git; in @@ -9,23 +7,23 @@ in { options = { programs.git = { - enable = mkEnableOption "git, a distributed version control system"; + enable = lib.mkEnableOption "git, a distributed version control system"; - package = mkPackageOption pkgs "git" { + package = lib.mkPackageOption pkgs "git" { example = "gitFull"; }; - config = mkOption { + config = lib.mkOption { type = - with types; + with lib.types; let gitini = attrsOf (attrsOf anything); in either gitini (listOf gitini) // { merge = loc: defs: let - config = foldl' - (acc: { value, ... }@x: acc // (if isList value then { + config = builtins.foldl' + (acc: { value, ... }@x: acc // (if builtins.isList value then { ordered = acc.ordered ++ value; } else { unordered = acc.unordered ++ [ x ]; @@ -55,25 +53,25 @@ in }; prompt = { - enable = mkEnableOption "automatically sourcing git-prompt.sh. This does not change $PS1; it simply provides relevant utility functions"; + enable = lib.mkEnableOption "automatically sourcing git-prompt.sh. This does not change $PS1; it simply provides relevant utility functions"; }; lfs = { - enable = mkEnableOption "git-lfs (Large File Storage)"; + enable = lib.mkEnableOption "git-lfs (Large File Storage)"; - package = mkPackageOption pkgs "git-lfs" { }; + package = lib.mkPackageOption pkgs "git-lfs" { }; }; }; }; - config = mkMerge [ - (mkIf cfg.enable { + config = lib.mkMerge [ + (lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - environment.etc.gitconfig = mkIf (cfg.config != [ ]) { - text = concatMapStringsSep "\n" generators.toGitINI cfg.config; + environment.etc.gitconfig = lib.mkIf (cfg.config != [ ]) { + text = lib.concatMapStringsSep "\n" lib.generators.toGitINI cfg.config; }; }) - (mkIf (cfg.enable && cfg.lfs.enable) { + (lib.mkIf (cfg.enable && cfg.lfs.enable) { environment.systemPackages = [ cfg.lfs.package ]; programs.git.config = { filter.lfs = { @@ -84,12 +82,12 @@ in }; }; }) - (mkIf (cfg.enable && cfg.prompt.enable) { + (lib.mkIf (cfg.enable && cfg.prompt.enable) { environment.interactiveShellInit = '' source ${cfg.package}/share/bash-completion/completions/git-prompt.sh ''; }) ]; - meta.maintainers = with maintainers; [ figsoda ]; + meta.maintainers = with lib.maintainers; [ figsoda ]; } diff --git a/nixpkgs/nixos/modules/programs/gphoto2.nix b/nixpkgs/nixos/modules/programs/gphoto2.nix index d99259b54582..d9f09483f63c 100644 --- a/nixpkgs/nixos/modules/programs/gphoto2.nix +++ b/nixpkgs/nixos/modules/programs/gphoto2.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - { - meta.maintainers = [ maintainers.league ]; + meta.maintainers = [ lib.maintainers.league ]; ###### interface options = { programs.gphoto2 = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to configure system to use gphoto2. To grant digital camera access to a user, the user must @@ -22,7 +20,7 @@ with lib; }; ###### implementation - config = mkIf config.programs.gphoto2.enable { + config = lib.mkIf config.programs.gphoto2.enable { services.udev.packages = [ pkgs.libgphoto2 ]; environment.systemPackages = [ pkgs.gphoto2 ]; users.groups.camera = {}; diff --git a/nixpkgs/nixos/modules/programs/haguichi.nix b/nixpkgs/nixos/modules/programs/haguichi.nix index 4f48551cf1da..fd769ac8d0a0 100644 --- a/nixpkgs/nixos/modules/programs/haguichi.nix +++ b/nixpkgs/nixos/modules/programs/haguichi.nix @@ -1,13 +1,11 @@ { lib, pkgs, config, ... }: -with lib; - { options.programs.haguichi = { - enable = mkEnableOption "Haguichi, a Linux GUI frontend to the proprietary LogMeIn Hamachi"; + enable = lib.mkEnableOption "Haguichi, a Linux GUI frontend to the proprietary LogMeIn Hamachi"; }; - config = mkIf config.programs.haguichi.enable { + config = lib.mkIf config.programs.haguichi.enable { environment.systemPackages = with pkgs; [ haguichi ]; services.logmein-hamachi.enable = true; diff --git a/nixpkgs/nixos/modules/programs/hamster.nix b/nixpkgs/nixos/modules/programs/hamster.nix index 0bb56ad7ff36..90cfc0f86a24 100644 --- a/nixpkgs/nixos/modules/programs/hamster.nix +++ b/nixpkgs/nixos/modules/programs/hamster.nix @@ -1,12 +1,10 @@ { config, lib, pkgs, ... }: -with lib; - { meta.maintainers = pkgs.hamster.meta.maintainers; options.programs.hamster.enable = - mkEnableOption "hamster, a time tracking program"; + lib.mkEnableOption "hamster, a time tracking program"; config = lib.mkIf config.programs.hamster.enable { environment.systemPackages = [ pkgs.hamster ]; diff --git a/nixpkgs/nixos/modules/programs/htop.nix b/nixpkgs/nixos/modules/programs/htop.nix index bf3d85108170..1252b41e8b85 100644 --- a/nixpkgs/nixos/modules/programs/htop.nix +++ b/nixpkgs/nixos/modules/programs/htop.nix @@ -1,29 +1,27 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.htop; fmt = value: - if isList value then concatStringsSep " " (map fmt value) else - if isString value then value else - if isBool value then if value then "1" else "0" else - if isInt value then toString value else - throw "Unrecognized type ${typeOf value} in htop settings"; + if builtins.isList value then builtins.concatStringsSep " " (builtins.map fmt value) else + if builtins.isString value then value else + if builtins.isBool value then if value then "1" else "0" else + if builtins.isInt value then builtins.toString value else + throw "Unrecognized type ${builtins.typeOf value} in htop settings"; in { options.programs.htop = { - package = mkPackageOption pkgs "htop" { }; + package = lib.mkPackageOption pkgs "htop" { }; - enable = mkEnableOption "htop process monitor"; + enable = lib.mkEnableOption "htop process monitor"; - settings = mkOption { - type = with types; attrsOf (oneOf [ str int bool (listOf (oneOf [ str int bool ])) ]); + settings = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ str int bool (listOf (oneOf [ str int bool ])) ]); default = {}; example = { hide_kernel_threads = true; @@ -38,7 +36,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; @@ -46,7 +44,7 @@ in environment.etc."htoprc".text = '' # Global htop configuration # To change set: programs.htop.settings.KEY = VALUE; - '' + concatStringsSep "\n" (mapAttrsToList (key: value: "${key}=${fmt value}") cfg.settings); + '' + builtins.concatStringsSep "\n" (lib.mapAttrsToList (key: value: "${key}=${fmt value}") cfg.settings); }; } diff --git a/nixpkgs/nixos/modules/programs/i3lock.nix b/nixpkgs/nixos/modules/programs/i3lock.nix index 8068ecaf08ca..ff616144e283 100644 --- a/nixpkgs/nixos/modules/programs/i3lock.nix +++ b/nixpkgs/nixos/modules/programs/i3lock.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.i3lock; @@ -12,8 +10,8 @@ in { options = { programs.i3lock = { - enable = mkEnableOption "i3lock"; - package = mkPackageOption pkgs "i3lock" { + enable = lib.mkEnableOption "i3lock"; + package = lib.mkPackageOption pkgs "i3lock" { example = "i3lock-color"; extraDescription = '' ::: {.note} @@ -21,8 +19,8 @@ in { ::: ''; }; - u2fSupport = mkOption { - type = types.bool; + u2fSupport = lib.mkOption { + type = lib.types.bool; default = false; example = true; description = '' @@ -36,11 +34,11 @@ in { ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - security.wrappers.i3lock = mkIf cfg.u2fSupport { + security.wrappers.i3lock = lib.mkIf cfg.u2fSupport { setuid = true; owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/iftop.nix b/nixpkgs/nixos/modules/programs/iftop.nix index c74714a9a6d6..d6e56c8fded6 100644 --- a/nixpkgs/nixos/modules/programs/iftop.nix +++ b/nixpkgs/nixos/modules/programs/iftop.nix @@ -1,14 +1,12 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.iftop; in { options = { - programs.iftop.enable = mkEnableOption "iftop + setcap wrapper"; + programs.iftop.enable = lib.mkEnableOption "iftop + setcap wrapper"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.iftop ]; security.wrappers.iftop = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/iotop.nix b/nixpkgs/nixos/modules/programs/iotop.nix index b7c1c69f9ddd..ba8d028f6bb8 100644 --- a/nixpkgs/nixos/modules/programs/iotop.nix +++ b/nixpkgs/nixos/modules/programs/iotop.nix @@ -1,14 +1,12 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.iotop; in { options = { - programs.iotop.enable = mkEnableOption "iotop + setcap wrapper"; + programs.iotop.enable = lib.mkEnableOption "iotop + setcap wrapper"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.iotop = { owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/java.nix b/nixpkgs/nixos/modules/programs/java.nix index f201f67b42e4..784add809682 100644 --- a/nixpkgs/nixos/modules/programs/java.nix +++ b/nixpkgs/nixos/modules/programs/java.nix @@ -3,8 +3,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.java; in @@ -14,7 +12,7 @@ in programs.java = { - enable = mkEnableOption "java" // { + enable = lib.mkEnableOption "java" // { description = '' Install and setup the Java development kit. @@ -30,19 +28,19 @@ in ''; }; - package = mkPackageOption pkgs "jdk" { + package = lib.mkPackageOption pkgs "jdk" { example = "jre"; }; - binfmt = mkEnableOption "binfmt to execute java jar's and classes"; + binfmt = lib.mkEnableOption "binfmt to execute java jar's and classes"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - boot.binfmt.registrations = mkIf cfg.binfmt { + boot.binfmt.registrations = lib.mkIf cfg.binfmt { java-class = { recognitionType = "extension"; magicOrExtension = "class"; diff --git a/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix b/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix index ebb0198ee60c..6cdd198a7df2 100644 --- a/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix +++ b/nixpkgs/nixos/modules/programs/joycond-cemuhook.nix @@ -1,8 +1,7 @@ { lib, pkgs, config, ... }: -with lib; { options.programs.joycond-cemuhook = { - enable = mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices."; + enable = lib.mkEnableOption "joycond-cemuhook, a program to enable support for cemuhook's UDP protocol for joycond devices."; }; config = lib.mkIf config.programs.joycond-cemuhook.enable { diff --git a/nixpkgs/nixos/modules/programs/k3b.nix b/nixpkgs/nixos/modules/programs/k3b.nix index 4d6385dab4f0..3e9435d3dc60 100644 --- a/nixpkgs/nixos/modules/programs/k3b.nix +++ b/nixpkgs/nixos/modules/programs/k3b.nix @@ -1,12 +1,10 @@ { config, pkgs, lib, ... }: -with lib; - { # interface options.programs.k3b = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable k3b, the KDE disk burning application. @@ -22,7 +20,7 @@ with lib; }; # implementation - config = mkIf config.programs.k3b.enable { + config = lib.mkIf config.programs.k3b.enable { environment.systemPackages = with pkgs; [ k3b diff --git a/nixpkgs/nixos/modules/programs/k40-whisperer.nix b/nixpkgs/nixos/modules/programs/k40-whisperer.nix index 156ded6c39fe..0f29c476cbb7 100644 --- a/nixpkgs/nixos/modules/programs/k40-whisperer.nix +++ b/nixpkgs/nixos/modules/programs/k40-whisperer.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.k40-whisperer; pkg = cfg.package.override { @@ -10,20 +8,20 @@ let in { options.programs.k40-whisperer = { - enable = mkEnableOption "K40-Whisperer"; + enable = lib.mkEnableOption "K40-Whisperer"; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; description = '' Group assigned to the device when connected. ''; default = "k40"; }; - package = mkPackageOption pkgs "k40-whisperer" { }; + package = lib.mkPackageOption pkgs "k40-whisperer" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { users.groups.${cfg.group} = {}; environment.systemPackages = [ pkg ]; diff --git a/nixpkgs/nixos/modules/programs/kbdlight.nix b/nixpkgs/nixos/modules/programs/kbdlight.nix index 8a2a0057cf2d..934bb214c116 100644 --- a/nixpkgs/nixos/modules/programs/kbdlight.nix +++ b/nixpkgs/nixos/modules/programs/kbdlight.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.kbdlight; in { - options.programs.kbdlight.enable = mkEnableOption "kbdlight"; + options.programs.kbdlight.enable = lib.mkEnableOption "kbdlight"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.kbdlight ]; security.wrappers.kbdlight = { setuid = true; diff --git a/nixpkgs/nixos/modules/programs/kclock.nix b/nixpkgs/nixos/modules/programs/kclock.nix index c2299a3f1b03..b69f358ec1ff 100644 --- a/nixpkgs/nixos/modules/programs/kclock.nix +++ b/nixpkgs/nixos/modules/programs/kclock.nix @@ -1,12 +1,11 @@ { lib, pkgs, config, ... }: -with lib; let cfg = config.programs.kclock; kclockPkg = pkgs.libsForQt5.kclock; in { - options.programs.kclock = { enable = mkEnableOption "KClock"; }; + options.programs.kclock = { enable = lib.mkEnableOption "KClock"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.dbus.packages = [ kclockPkg ]; environment.systemPackages = [ kclockPkg ]; }; diff --git a/nixpkgs/nixos/modules/programs/kdeconnect.nix b/nixpkgs/nixos/modules/programs/kdeconnect.nix index 143128140596..76bba4010308 100644 --- a/nixpkgs/nixos/modules/programs/kdeconnect.nix +++ b/nixpkgs/nixos/modules/programs/kdeconnect.nix @@ -1,8 +1,7 @@ { config, pkgs, lib, ... }: -with lib; { options.programs.kdeconnect = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' kdeconnect. Note that it will open the TCP and UDP port from @@ -11,7 +10,7 @@ with lib; `gnomeExtensions.gsconnect` as an alternative implementation if you use Gnome ''; - package = mkPackageOption pkgs [ "plasma5Packages" "kdeconnect-kde" ] { + package = lib.mkPackageOption pkgs [ "plasma5Packages" "kdeconnect-kde" ] { example = "gnomeExtensions.gsconnect"; }; }; @@ -19,10 +18,9 @@ with lib; let cfg = config.programs.kdeconnect; in - mkIf cfg.enable { + lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package - pkgs.sshfs ]; networking.firewall = rec { allowedTCPPortRanges = [ { from = 1714; to = 1764; } ]; diff --git a/nixpkgs/nixos/modules/programs/less.nix b/nixpkgs/nixos/modules/programs/less.nix index 2cb762007511..c904fc2089aa 100644 --- a/nixpkgs/nixos/modules/programs/less.nix +++ b/nixpkgs/nixos/modules/programs/less.nix @@ -1,26 +1,24 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.less; configText = if (cfg.configFile != null) then (builtins.readFile cfg.configFile) else '' #command - ${concatStringsSep "\n" - (mapAttrsToList (command: action: "${command} ${action}") cfg.commands) + ${builtins.concatStringsSep "\n" + (lib.mapAttrsToList (command: action: "${command} ${action}") cfg.commands) } - ${optionalString cfg.clearDefaultCommands "#stop"} + ${lib.optionalString cfg.clearDefaultCommands "#stop"} #line-edit - ${concatStringsSep "\n" - (mapAttrsToList (command: action: "${command} ${action}") cfg.lineEditingKeys) + ${builtins.concatStringsSep "\n" + (lib.mapAttrsToList (command: action: "${command} ${action}") cfg.lineEditingKeys) } #env - ${concatStringsSep "\n" - (mapAttrsToList (variable: values: "${variable}=${values}") cfg.envVariables) + ${builtins.concatStringsSep "\n" + (lib.mapAttrsToList (variable: values: "${variable}=${values}") cfg.envVariables) } ''; @@ -35,12 +33,12 @@ in # note that environment.nix sets PAGER=less, and # therefore also enables this module - enable = mkEnableOption "less, a file pager"; + enable = lib.mkEnableOption "less, a file pager"; - configFile = mkOption { - type = types.nullOr types.path; + configFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; default = null; - example = literalExpression ''"''${pkgs.my-configs}/lesskey"''; + example = lib.literalExpression ''"''${pkgs.my-configs}/lesskey"''; description = '' Path to lesskey configuration file. @@ -50,8 +48,8 @@ in ''; }; - commands = mkOption { - type = types.attrsOf types.str; + commands = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; example = { h = "noaction 5\\e("; @@ -60,8 +58,8 @@ in description = "Defines new command keys."; }; - clearDefaultCommands = mkOption { - type = types.bool; + clearDefaultCommands = lib.mkOption { + type = lib.types.bool; default = false; description = '' Clear all default commands. @@ -70,8 +68,8 @@ in ''; }; - lineEditingKeys = mkOption { - type = types.attrsOf types.str; + lineEditingKeys = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; example = { e = "abort"; @@ -79,8 +77,8 @@ in description = "Defines new line-editing keys."; }; - envVariables = mkOption { - type = types.attrsOf types.str; + envVariables = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = { LESS = "-R"; }; @@ -90,17 +88,17 @@ in description = "Defines environment variables."; }; - lessopen = mkOption { - type = types.nullOr types.str; + lessopen = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = "|${pkgs.lesspipe}/bin/lesspipe.sh %s"; - defaultText = literalExpression ''"|''${pkgs.lesspipe}/bin/lesspipe.sh %s"''; + defaultText = lib.literalExpression ''"|''${pkgs.lesspipe}/bin/lesspipe.sh %s"''; description = '' Before less opens a file, it first gives your input preprocessor a chance to modify the way the contents of the file are displayed. ''; }; - lessclose = mkOption { - type = types.nullOr types.str; + lessclose = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; description = '' When less closes a file opened in such a way, it will call another program, called the input postprocessor, @@ -110,26 +108,26 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.less ]; environment.variables = { - LESSKEYIN_SYSTEM = toString lessKey; - } // optionalAttrs (cfg.lessopen != null) { + LESSKEYIN_SYSTEM = builtins.toString lessKey; + } // lib.optionalAttrs (cfg.lessopen != null) { LESSOPEN = cfg.lessopen; - } // optionalAttrs (cfg.lessclose != null) { + } // lib.optionalAttrs (cfg.lessclose != null) { LESSCLOSE = cfg.lessclose; }; - warnings = optional ( - cfg.clearDefaultCommands && (all (x: x != "quit") (attrValues cfg.commands)) + warnings = lib.optional ( + cfg.clearDefaultCommands && (builtins.all (x: x != "quit") (builtins.attrValues cfg.commands)) ) '' config.programs.less.clearDefaultCommands clears all default commands of less but there is no alternative binding for exiting. Consider adding a binding for 'quit'. ''; }; - meta.maintainers = with maintainers; [ johnazoidberg ]; + meta.maintainers = with lib.maintainers; [ johnazoidberg ]; } diff --git a/nixpkgs/nixos/modules/programs/liboping.nix b/nixpkgs/nixos/modules/programs/liboping.nix index 4433f9767d6e..5ff9ad74b158 100644 --- a/nixpkgs/nixos/modules/programs/liboping.nix +++ b/nixpkgs/nixos/modules/programs/liboping.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.liboping; in { options.programs.liboping = { - enable = mkEnableOption "liboping"; + enable = lib.mkEnableOption "liboping"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ liboping ]; - security.wrappers = mkMerge (map ( + security.wrappers = lib.mkMerge (builtins.map ( exec: { "${exec}" = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/light.nix b/nixpkgs/nixos/modules/programs/light.nix index b1584a1b3d28..29fcc98a8e0a 100644 --- a/nixpkgs/nixos/modules/programs/light.nix +++ b/nixpkgs/nixos/modules/programs/light.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.light; @@ -10,9 +8,9 @@ in options = { programs.light = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to install Light backlight control command and udev rules granting access to members of the "video" group. @@ -20,8 +18,8 @@ in }; brightnessKeys = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable brightness control with keyboard keys. @@ -38,8 +36,8 @@ in ''; }; - step = mkOption { - type = types.int; + step = lib.mkOption { + type = lib.types.int; default = 10; description = '' The percentage value by which to increase/decrease brightness. @@ -51,14 +49,14 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.light ]; services.udev.packages = [ pkgs.light ]; - services.actkbd = mkIf cfg.brightnessKeys.enable { + services.actkbd = lib.mkIf cfg.brightnessKeys.enable { enable = true; bindings = let light = "${pkgs.light}/bin/light"; - step = toString cfg.brightnessKeys.step; + step = builtins.toString cfg.brightnessKeys.step; in [ { keys = [ 224 ]; diff --git a/nixpkgs/nixos/modules/programs/mdevctl.nix b/nixpkgs/nixos/modules/programs/mdevctl.nix index be33835639d2..a7e7d01dffdf 100644 --- a/nixpkgs/nixos/modules/programs/mdevctl.nix +++ b/nixpkgs/nixos/modules/programs/mdevctl.nix @@ -1,14 +1,13 @@ { config, pkgs, lib, ... }: -with lib; let cfg = config.programs.mdevctl; in { options.programs.mdevctl = { - enable = mkEnableOption "Mediated Device Management"; + enable = lib.mkEnableOption "Mediated Device Management"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ mdevctl ]; environment.etc."mdevctl.d/scripts.d/notifiers/.keep".text = ""; diff --git a/nixpkgs/nixos/modules/programs/mepo.nix b/nixpkgs/nixos/modules/programs/mepo.nix index 22596892ff5d..783d2ad14962 100644 --- a/nixpkgs/nixos/modules/programs/mepo.nix +++ b/nixpkgs/nixos/modules/programs/mepo.nix @@ -1,15 +1,14 @@ { pkgs, config, lib, ...}: -with lib; let cfg = config.programs.mepo; in { options.programs.mepo = { - enable = mkEnableOption "Mepo, a fast, simple and hackable OSM map viewer"; + enable = lib.mkEnableOption "Mepo, a fast, simple and hackable OSM map viewer"; locationBackends = { - gpsd = mkOption { - type = types.bool; + gpsd = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to enable location detection via gpsd. @@ -17,21 +16,21 @@ in ''; }; - geoclue = mkOption { - type = types.bool; + geoclue = lib.mkOption { + type = lib.types.bool; default = true; description = "Whether to enable location detection via geoclue"; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ mepo ] ++ lib.optional cfg.locationBackends.geoclue geoclue2-with-demo-agent ++ lib.optional cfg.locationBackends.gpsd gpsd; - services.geoclue2 = mkIf cfg.locationBackends.geoclue { + services.geoclue2 = lib.mkIf cfg.locationBackends.geoclue { enable = true; appConfig.where-am-i = { isAllowed = true; @@ -42,5 +41,5 @@ in services.gpsd.enable = cfg.locationBackends.gpsd; }; - meta.maintainers = with maintainers; [ laalsaas ]; + meta.maintainers = with lib.maintainers; [ laalsaas ]; } diff --git a/nixpkgs/nixos/modules/programs/mininet.nix b/nixpkgs/nixos/modules/programs/mininet.nix index a9190ed98900..ab862b21fe02 100644 --- a/nixpkgs/nixos/modules/programs/mininet.nix +++ b/nixpkgs/nixos/modules/programs/mininet.nix @@ -2,15 +2,13 @@ # kernel must have NETNS/VETH/SCHED { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.mininet; in { - options.programs.mininet.enable = mkEnableOption "Mininet, an emulator for rapid prototyping of Software Defined Networks"; + options.programs.mininet.enable = lib.mkEnableOption "Mininet, an emulator for rapid prototyping of Software Defined Networks"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { virtualisation.vswitch.enable = true; diff --git a/nixpkgs/nixos/modules/programs/msmtp.nix b/nixpkgs/nixos/modules/programs/msmtp.nix index 9c067bdc9695..8a04acb3b7ea 100644 --- a/nixpkgs/nixos/modules/programs/msmtp.nix +++ b/nixpkgs/nixos/modules/programs/msmtp.nix @@ -1,27 +1,25 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.msmtp; in { - meta.maintainers = with maintainers; [ pacien ]; + meta.maintainers = with lib.maintainers; [ pacien ]; options = { programs.msmtp = { - enable = mkEnableOption "msmtp - an SMTP client"; + enable = lib.mkEnableOption "msmtp - an SMTP client"; - setSendmail = mkOption { - type = types.bool; + setSendmail = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to set the system sendmail to msmtp's. ''; }; - defaults = mkOption { - type = types.attrs; + defaults = lib.mkOption { + type = lib.types.attrs; default = {}; example = { aliases = "/etc/aliases"; @@ -34,8 +32,8 @@ in { ''; }; - accounts = mkOption { - type = with types; attrsOf attrs; + accounts = lib.mkOption { + type = with lib.types; attrsOf attrs; default = {}; example = { "default" = { @@ -59,8 +57,8 @@ in { ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Extra lines to add to the msmtp configuration verbatim. @@ -70,10 +68,10 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.msmtp ]; - services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail { + services.mail.sendmailSetuidWrapper = lib.mkIf cfg.setSendmail { program = "sendmail"; source = "${pkgs.msmtp}/bin/sendmail"; setuid = false; @@ -86,10 +84,10 @@ in { mkValueString = v: if v == true then "on" else if v == false then "off" - else generators.mkValueStringDefault {} v; + else lib.generators.mkValueStringDefault {} v; mkKeyValueString = k: v: "${k} ${mkValueString v}"; mkInnerSectionString = - attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValueString attrs); + attrs: builtins.concatStringsSep "\n" (lib.mapAttrsToList mkKeyValueString attrs); mkAccountString = name: attrs: '' account ${name} ${mkInnerSectionString attrs} @@ -98,7 +96,7 @@ in { defaults ${mkInnerSectionString cfg.defaults} - ${concatStringsSep "\n" (mapAttrsToList mkAccountString cfg.accounts)} + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList mkAccountString cfg.accounts)} ${cfg.extraConfig} ''; diff --git a/nixpkgs/nixos/modules/programs/mtr.nix b/nixpkgs/nixos/modules/programs/mtr.nix index 6a767df15f09..1a9deba98966 100644 --- a/nixpkgs/nixos/modules/programs/mtr.nix +++ b/nixpkgs/nixos/modules/programs/mtr.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.mtr; in { options = { programs.mtr = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add mtr to the global environment and configure a @@ -17,12 +15,12 @@ in { ''; }; - package = mkPackageOption pkgs "mtr" { }; + package = lib.mkPackageOption pkgs "mtr" { }; }; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ cfg.package ]; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; security.wrappers.mtr-packet = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/nbd.nix b/nixpkgs/nixos/modules/programs/nbd.nix index fea9bc1ff71a..1e319f027345 100644 --- a/nixpkgs/nixos/modules/programs/nbd.nix +++ b/nixpkgs/nixos/modules/programs/nbd.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.nbd; in { options = { programs.nbd = { - enable = mkEnableOption "Network Block Device (nbd) support"; + enable = lib.mkEnableOption "Network Block Device (nbd) support"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ nbd ]; boot.kernelModules = [ "nbd" ]; }; diff --git a/nixpkgs/nixos/modules/programs/neovim.nix b/nixpkgs/nixos/modules/programs/neovim.nix index 6f6829444a64..8fe6a664b675 100644 --- a/nixpkgs/nixos/modules/programs/neovim.nix +++ b/nixpkgs/nixos/modules/programs/neovim.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.neovim; in { options.programs.neovim = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; example = true; description = '' @@ -21,8 +19,8 @@ in ''; }; - defaultEditor = mkOption { - type = types.bool; + defaultEditor = lib.mkOption { + type = lib.types.bool; default = false; description = '' When enabled, installs neovim and configures neovim to be the default editor @@ -30,44 +28,44 @@ in ''; }; - viAlias = mkOption { - type = types.bool; + viAlias = lib.mkOption { + type = lib.types.bool; default = false; description = '' Symlink {command}`vi` to {command}`nvim` binary. ''; }; - vimAlias = mkOption { - type = types.bool; + vimAlias = lib.mkOption { + type = lib.types.bool; default = false; description = '' Symlink {command}`vim` to {command}`nvim` binary. ''; }; - withRuby = mkOption { - type = types.bool; + withRuby = lib.mkOption { + type = lib.types.bool; default = true; description = "Enable Ruby provider."; }; - withPython3 = mkOption { - type = types.bool; + withPython3 = lib.mkOption { + type = lib.types.bool; default = true; description = "Enable Python 3 provider."; }; - withNodeJs = mkOption { - type = types.bool; + withNodeJs = lib.mkOption { + type = lib.types.bool; default = false; description = "Enable Node provider."; }; - configure = mkOption { - type = types.attrs; + configure = lib.mkOption { + type = lib.types.attrs; default = { }; - example = literalExpression '' + example = lib.literalExpression '' { customRC = ''' " here your custom configuration goes! @@ -86,31 +84,31 @@ in ''; }; - package = mkPackageOption pkgs "neovim-unwrapped" { }; + package = lib.mkPackageOption pkgs "neovim-unwrapped" { }; - finalPackage = mkOption { - type = types.package; + finalPackage = lib.mkOption { + type = lib.types.package; visible = false; readOnly = true; description = "Resulting customized neovim package."; }; - runtime = mkOption { + runtime = lib.mkOption { default = { }; - example = literalExpression '' + example = lib.literalExpression '' { "ftplugin/c.vim".text = "setlocal omnifunc=v:lua.vim.lsp.omnifunc"; } ''; description = '' Set of files that have to be linked in {file}`runtime`. ''; - type = with types; attrsOf (submodule ( + type = with lib.types; attrsOf (submodule ( { name, config, ... }: { options = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether this runtime directory should be generated. This @@ -118,49 +116,49 @@ in ''; }; - target = mkOption { - type = types.str; + target = lib.mkOption { + type = lib.types.str; description = '' Name of symlink. Defaults to the attribute name. ''; }; - text = mkOption { + text = lib.mkOption { default = null; - type = types.nullOr types.lines; + type = lib.types.nullOr lib.types.lines; description = "Text of the file."; }; - source = mkOption { + source = lib.mkOption { default = null; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; description = "Path of the source file."; }; }; - config.target = mkDefault name; + config.target = lib.mkDefault name; } )); }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.finalPackage ]; - environment.variables.EDITOR = mkIf cfg.defaultEditor (mkOverride 900 "nvim"); + environment.variables.EDITOR = lib.mkIf cfg.defaultEditor (lib.mkOverride 900 "nvim"); - environment.etc = listToAttrs (attrValues (mapAttrs + environment.etc = builtins.listToAttrs (builtins.attrValues (builtins.mapAttrs (name: value: { name = "xdg/nvim/${name}"; - value = removeAttrs + value = builtins.removeAttrs (value // { target = "xdg/nvim/${value.target}"; }) - (optionals (isNull value.source) [ "source" ]); + (lib.optionals (builtins.isNull value.source) [ "source" ]); }) cfg.runtime)); diff --git a/nixpkgs/nixos/modules/programs/nethoscope.nix b/nixpkgs/nixos/modules/programs/nethoscope.nix index 495548e9c656..7bc1f61b31ea 100644 --- a/nixpkgs/nixos/modules/programs/nethoscope.nix +++ b/nixpkgs/nixos/modules/programs/nethoscope.nix @@ -1,16 +1,14 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.nethoscope; in { - meta.maintainers = with maintainers; [ _0x4A6F ]; + meta.maintainers = with lib.maintainers; [ _0x4A6F ]; options = { programs.nethoscope = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add nethoscope to the global environment and configure a @@ -20,7 +18,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ nethoscope ]; security.wrappers.nethoscope = { source = "${pkgs.nethoscope}/bin/nethoscope"; diff --git a/nixpkgs/nixos/modules/programs/nncp.nix b/nixpkgs/nixos/modules/programs/nncp.nix index aa2e7c7a6e5b..3feccef4cf11 100644 --- a/nixpkgs/nixos/modules/programs/nncp.nix +++ b/nixpkgs/nixos/modules/programs/nncp.nix @@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: -with lib; let nncpCfgFile = "/run/nncp.hjson"; programCfg = config.programs.nncp; @@ -11,10 +10,10 @@ in { options.programs.nncp = { enable = - mkEnableOption "NNCP (Node to Node copy) utilities and configuration"; + lib.mkEnableOption "NNCP (Node to Node copy) utilities and configuration"; - group = mkOption { - type = types.str; + group = lib.mkOption { + type = lib.types.str; default = "uucp"; description = '' The group under which NNCP files shall be owned. @@ -23,10 +22,10 @@ in { ''; }; - package = mkPackageOption pkgs "nncp" { }; + package = lib.mkPackageOption pkgs "nncp" { }; - secrets = mkOption { - type = with types; listOf str; + secrets = lib.mkOption { + type = with lib.types; listOf str; example = [ "/run/keys/nncp.hjson" ]; description = '' A list of paths to NNCP configuration files that should not be @@ -35,7 +34,7 @@ in { ''; }; - settings = mkOption { + settings = lib.mkOption { type = settingsFormat.type; description = '' NNCP configuration, see @@ -52,7 +51,7 @@ in { }; - config = mkIf programCfg.enable { + config = lib.mkIf programCfg.enable { environment = { systemPackages = [ pkg ]; @@ -60,8 +59,8 @@ in { }; programs.nncp.settings = { - spool = mkDefault "/var/spool/nncp"; - log = mkDefault "/var/spool/nncp/log"; + spool = lib.mkDefault "/var/spool/nncp"; + log = lib.mkDefault "/var/spool/nncp/log"; }; systemd.tmpfiles.rules = [ @@ -77,7 +76,7 @@ in { script = '' umask u=rw nncpCfgDir=$(mktemp --directory nncp.XXX) - for f in ${jsonCfgFile} ${toString config.programs.nncp.secrets}; do + for f in ${jsonCfgFile} ${builtins.toString config.programs.nncp.secrets}; do tmpdir=$(mktemp --directory nncp.XXX) nncp-cfgdir -cfg $f -dump $tmpdir find $tmpdir -size 1c -delete diff --git a/nixpkgs/nixos/modules/programs/noisetorch.nix b/nixpkgs/nixos/modules/programs/noisetorch.nix index 70a0441bd767..5e37061d9a1d 100644 --- a/nixpkgs/nixos/modules/programs/noisetorch.nix +++ b/nixpkgs/nixos/modules/programs/noisetorch.nix @@ -1,17 +1,15 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.noisetorch; in { options.programs.noisetorch = { - enable = mkEnableOption "noisetorch (+ setcap wrapper), a virtual microphone device with noise suppression"; + enable = lib.mkEnableOption "noisetorch (+ setcap wrapper), a virtual microphone device with noise suppression"; - package = mkPackageOption pkgs "noisetorch" { }; + package = lib.mkPackageOption pkgs "noisetorch" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.noisetorch = { owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/npm.nix b/nixpkgs/nixos/modules/programs/npm.nix index b379f0165bfe..470188b879b6 100644 --- a/nixpkgs/nixos/modules/programs/npm.nix +++ b/nixpkgs/nixos/modules/programs/npm.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.npm; in @@ -11,13 +9,13 @@ in options = { programs.npm = { - enable = mkEnableOption "{command}`npm` global config"; + enable = lib.mkEnableOption "{command}`npm` global config"; - package = mkPackageOption pkgs [ "nodePackages" "npm" ] { + package = lib.mkPackageOption pkgs [ "nodePackages" "npm" ] { example = "nodePackages_13_x.npm"; }; - npmrc = mkOption { + npmrc = lib.mkOption { type = lib.types.lines; description = '' The system-wide npm configuration. diff --git a/nixpkgs/nixos/modules/programs/oblogout.nix b/nixpkgs/nixos/modules/programs/oblogout.nix index a039b0623b52..f09fbdc06242 100644 --- a/nixpkgs/nixos/modules/programs/oblogout.nix +++ b/nixpkgs/nixos/modules/programs/oblogout.nix @@ -1,11 +1,9 @@ { config, lib, pkgs, ... }: -with lib; - { imports = [ - (mkRemovedOptionModule [ "programs" "oblogout" ] "programs.oblogout has been removed from NixOS. This is because the oblogout repository has been archived upstream.") + (lib.mkRemovedOptionModule [ "programs" "oblogout" ] "programs.oblogout has been removed from NixOS. This is because the oblogout repository has been archived upstream.") ]; } diff --git a/nixpkgs/nixos/modules/programs/openvpn3.nix b/nixpkgs/nixos/modules/programs/openvpn3.nix index 6415cccecb4f..10042b44471f 100644 --- a/nixpkgs/nixos/modules/programs/openvpn3.nix +++ b/nixpkgs/nixos/modules/programs/openvpn3.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.openvpn3; in { options.programs.openvpn3 = { - enable = mkEnableOption "the openvpn3 client"; - package = mkOption { - type = types.package; + enable = lib.mkEnableOption "the openvpn3 client"; + package = lib.mkOption { + type = lib.types.package; default = pkgs.openvpn3.override { enableSystemdResolved = config.services.resolved.enable; }; - defaultText = literalExpression ''pkgs.openvpn3.override { + defaultText = lib.literalExpression ''pkgs.openvpn3.override { enableSystemdResolved = config.services.resolved.enable; }''; description = '' @@ -22,7 +20,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.dbus.packages = [ cfg.package ]; diff --git a/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix b/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix index 0b8a19ea22c0..b7258e2eb4bf 100644 --- a/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix +++ b/nixpkgs/nixos/modules/programs/pantheon-tweaks.nix @@ -1,19 +1,17 @@ { config, lib, pkgs, ... }: -with lib; - { meta = { - maintainers = teams.pantheon.members; + maintainers = lib.teams.pantheon.members; }; ###### interface options = { - programs.pantheon-tweaks.enable = mkEnableOption "Pantheon Tweaks, an unofficial system settings panel for Pantheon"; + programs.pantheon-tweaks.enable = lib.mkEnableOption "Pantheon Tweaks, an unofficial system settings panel for Pantheon"; }; ###### implementation - config = mkIf config.programs.pantheon-tweaks.enable { + config = lib.mkIf config.programs.pantheon-tweaks.enable { services.xserver.desktopManager.pantheon.extraSwitchboardPlugs = [ pkgs.pantheon-tweaks ]; }; } diff --git a/nixpkgs/nixos/modules/programs/plotinus.nix b/nixpkgs/nixos/modules/programs/plotinus.nix index 41c75b69a2d2..835db049d862 100644 --- a/nixpkgs/nixos/modules/programs/plotinus.nix +++ b/nixpkgs/nixos/modules/programs/plotinus.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.plotinus; in @@ -15,21 +13,21 @@ in options = { programs.plotinus = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to enable the Plotinus GTK 3 plugin. Plotinus provides a popup (triggered by Ctrl-Shift-P) to search the menus of a compatible application. ''; - type = types.bool; + type = lib.types.bool; }; }; }; ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.plotinus}/share/gsettings-schemas/${pkgs.plotinus.name}" ]; environment.variables.GTK3_MODULES = [ "${pkgs.plotinus}/lib/libplotinus.so" ]; }; diff --git a/nixpkgs/nixos/modules/programs/pqos-wrapper.nix b/nixpkgs/nixos/modules/programs/pqos-wrapper.nix new file mode 100644 index 000000000000..82023e67a2ae --- /dev/null +++ b/nixpkgs/nixos/modules/programs/pqos-wrapper.nix @@ -0,0 +1,27 @@ +{ config +, lib +, pkgs +, ... +}: +let + cfg = config.programs.pqos-wrapper; +in +{ + options.programs.pqos-wrapper = { + enable = lib.mkEnableOption "PQoS Wrapper for BenchExec"; + package = lib.mkPackageOption pkgs "pqos-wrapper" { }; + }; + + config = lib.mkIf cfg.enable { + hardware.cpu.x86.msr.enable = true; + + security.wrappers.${cfg.package.meta.mainProgram} = { + owner = "nobody"; + group = config.hardware.cpu.x86.msr.group; + source = lib.getExe cfg.package; + capabilities = "cap_sys_rawio=eip"; + }; + }; + + meta.maintainers = with lib.maintainers; [ lorenzleutgeb ]; +} diff --git a/nixpkgs/nixos/modules/programs/proxychains.nix b/nixpkgs/nixos/modules/programs/proxychains.nix index b15475dac075..86bbf16a64ce 100644 --- a/nixpkgs/nixos/modules/programs/proxychains.nix +++ b/nixpkgs/nixos/modules/programs/proxychains.nix @@ -1,15 +1,14 @@ { config, lib, pkgs, ... }: -with lib; let cfg = config.programs.proxychains; configFile = '' ${cfg.chain.type}_chain - ${optionalString (cfg.chain.type == "random") + ${lib.optionalString (cfg.chain.type == "random") "chain_len = ${builtins.toString cfg.chain.length}"} - ${optionalString cfg.proxyDNS "proxy_dns"} - ${optionalString cfg.quietMode "quiet_mode"} + ${lib.optionalString cfg.proxyDNS "proxy_dns"} + ${lib.optionalString cfg.quietMode "quiet_mode"} remote_dns_subnet ${builtins.toString cfg.remoteDNSSubnet} tcp_read_time_out ${builtins.toString cfg.tcpReadTimeOut} tcp_connect_time_out ${builtins.toString cfg.tcpConnectTimeOut} @@ -22,20 +21,20 @@ let proxyOptions = { options = { - enable = mkEnableOption "this proxy"; + enable = lib.mkEnableOption "this proxy"; - type = mkOption { - type = types.enum [ "http" "socks4" "socks5" ]; + type = lib.mkOption { + type = lib.types.enum [ "http" "socks4" "socks5" ]; description = "Proxy type."; }; - host = mkOption { - type = types.str; + host = lib.mkOption { + type = lib.types.str; description = "Proxy host or IP address."; }; - port = mkOption { - type = types.port; + port = lib.mkOption { + type = lib.types.port; description = "Proxy port"; }; }; @@ -49,15 +48,15 @@ in { programs.proxychains = { - enable = mkEnableOption "proxychains configuration"; + enable = lib.mkEnableOption "proxychains configuration"; - package = mkPackageOption pkgs "proxychains" { + package = lib.mkPackageOption pkgs "proxychains" { example = "proxychains-ng"; }; chain = { - type = mkOption { - type = types.enum [ "dynamic" "strict" "random" ]; + type = lib.mkOption { + type = lib.types.enum [ "dynamic" "strict" "random" ]; default = "strict"; description = '' `dynamic` - Each connection will be done via chained proxies @@ -75,8 +74,8 @@ in { (or proxy chain, see {option}`programs.proxychains.chain.length`) from the list. ''; }; - length = mkOption { - type = types.nullOr types.int; + length = lib.mkOption { + type = lib.types.nullOr lib.types.int; default = null; description = '' Chain length for random chain. @@ -84,47 +83,47 @@ in { }; }; - proxyDNS = mkOption { - type = types.bool; + proxyDNS = lib.mkOption { + type = lib.types.bool; default = true; description = "Proxy DNS requests - no leak for DNS data."; }; - quietMode = mkEnableOption "Quiet mode (no output from the library)"; + quietMode = lib.mkEnableOption "Quiet mode (no output from the library)"; - remoteDNSSubnet = mkOption { - type = types.enum [ 10 127 224 ]; + remoteDNSSubnet = lib.mkOption { + type = lib.types.enum [ 10 127 224 ]; default = 224; description = '' Set the class A subnet number to use for the internal remote DNS mapping, uses the reserved 224.x.x.x range by default. ''; }; - tcpReadTimeOut = mkOption { - type = types.int; + tcpReadTimeOut = lib.mkOption { + type = lib.types.int; default = 15000; description = "Connection read time-out in milliseconds."; }; - tcpConnectTimeOut = mkOption { - type = types.int; + tcpConnectTimeOut = lib.mkOption { + type = lib.types.int; default = 8000; description = "Connection time-out in milliseconds."; }; - localnet = mkOption { - type = types.str; + localnet = lib.mkOption { + type = lib.types.str; default = "127.0.0.0/255.0.0.0"; description = "By default enable localnet for loopback address ranges."; }; - proxies = mkOption { - type = types.attrsOf (types.submodule proxyOptions); + proxies = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule proxyOptions); description = '' Proxies to be used by proxychains. ''; - example = literalExpression '' + example = lib.literalExpression '' { myproxy = { type = "socks4"; host = "127.0.0.1"; @@ -140,11 +139,11 @@ in { ###### implementation - meta.maintainers = with maintainers; [ sorki ]; + meta.maintainers = with lib.maintainers; [ sorki ]; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - assertions = singleton { + assertions = lib.singleton { assertion = cfg.chain.type != "random" && cfg.chain.length == null; message = '' Option `programs.proxychains.chain.length` @@ -152,9 +151,9 @@ in { ''; }; - programs.proxychains.proxies = mkIf config.services.tor.client.enable + programs.proxychains.proxies = lib.mkIf config.services.tor.client.enable { - torproxy = mkDefault { + torproxy = lib.mkDefault { enable = true; type = "socks4"; host = "127.0.0.1"; diff --git a/nixpkgs/nixos/modules/programs/qt5ct.nix b/nixpkgs/nixos/modules/programs/qt5ct.nix index 3ff47b355915..bc7b28b9c6e9 100644 --- a/nixpkgs/nixos/modules/programs/qt5ct.nix +++ b/nixpkgs/nixos/modules/programs/qt5ct.nix @@ -1,9 +1,7 @@ { lib, ... }: -with lib; - { imports = [ - (mkRemovedOptionModule [ "programs" "qt5ct" "enable" ] "Use qt5.platformTheme = \"qt5ct\" instead.") + (lib.mkRemovedOptionModule [ "programs" "qt5ct" "enable" ] "Use qt5.platformTheme = \"qt5ct\" instead.") ]; } diff --git a/nixpkgs/nixos/modules/programs/rust-motd.nix b/nixpkgs/nixos/modules/programs/rust-motd.nix index 93240fcdd85e..301b7cebb7f8 100644 --- a/nixpkgs/nixos/modules/programs/rust-motd.nix +++ b/nixpkgs/nixos/modules/programs/rust-motd.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.rust-motd; format = pkgs.formats.toml { }; @@ -24,10 +22,10 @@ let ''; in { options.programs.rust-motd = { - enable = mkEnableOption "rust-motd, a Message Of The Day (MOTD) generator"; - enableMotdInSSHD = mkOption { + enable = lib.mkEnableOption "rust-motd, a Message Of The Day (MOTD) generator"; + enableMotdInSSHD = lib.mkOption { default = true; - type = types.bool; + type = lib.types.bool; description = '' Whether to let `openssh` print the result when entering a new `ssh`-session. @@ -36,18 +34,18 @@ in { the latter option is incompatible with this module. ''; }; - refreshInterval = mkOption { + refreshInterval = lib.mkOption { default = "*:0/5"; - type = types.str; + type = lib.types.str; description = '' Interval in which the {manpage}`motd(5)` file is refreshed. For possible formats, please refer to {manpage}`systemd.time(7)`. ''; }; - order = mkOption { - type = types.listOf types.str; - default = attrNames cfg.settings; - defaultText = literalExpression "attrNames cfg.settings"; + order = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = builtins.attrNames cfg.settings; + defaultText = lib.literalExpression "attrNames cfg.settings"; description = '' The order of the sections in [](#opt-programs.rust-motd.settings). By default they are ordered alphabetically. @@ -79,8 +77,8 @@ in { makes sure that `uptime` is placed before `banner` in the motd. ''; }; - settings = mkOption { - type = types.attrsOf format.type; + settings = lib.mkOption { + type = lib.types.attrsOf format.type; description = '' Settings on what to generate. Please read the [upstream documentation](https://github.com/rust-motd/rust-motd/blob/main/README.md#configuration) @@ -88,14 +86,14 @@ in { ''; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { assertions = [ { assertion = config.users.motd == null; message = '' `programs.rust-motd` is incompatible with `users.motd`! ''; } - { assertion = sort (a: b: a < b) cfg.order == attrNames cfg.settings; + { assertion = builtins.sort (a: b: a < b) cfg.order == builtins.attrNames cfg.settings; message = '' Please ensure that every section from `programs.rust-motd.settings` is present in `programs.rust-motd.order`. @@ -138,12 +136,12 @@ in { wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = cfg.refreshInterval; }; - security.pam.services.sshd.text = mkIf cfg.enableMotdInSSHD (mkDefault (mkAfter '' + security.pam.services.sshd.text = lib.mkIf cfg.enableMotdInSSHD (lib.mkDefault (lib.mkAfter '' session optional ${pkgs.pam}/lib/security/pam_motd.so motd=/var/lib/rust-motd/motd '')); - services.openssh.extraConfig = mkIf (cfg.settings ? last_login && cfg.settings.last_login != {}) '' + services.openssh.extraConfig = lib.mkIf (cfg.settings ? last_login && cfg.settings.last_login != {}) '' PrintLastLog no ''; }; - meta.maintainers = with maintainers; [ ma27 ]; + meta.maintainers = with lib.maintainers; [ ma27 ]; } diff --git a/nixpkgs/nixos/modules/programs/sedutil.nix b/nixpkgs/nixos/modules/programs/sedutil.nix index c62ca24eaa01..978aaa5c82d5 100644 --- a/nixpkgs/nixos/modules/programs/sedutil.nix +++ b/nixpkgs/nixos/modules/programs/sedutil.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.sedutil; in { - options.programs.sedutil.enable = mkEnableOption "sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification"; + options.programs.sedutil.enable = lib.mkEnableOption "sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { boot.kernelParams = [ "libata.allow_tpm=1" ]; diff --git a/nixpkgs/nixos/modules/programs/shadow.nix b/nixpkgs/nixos/modules/programs/shadow.nix index 2d20644ec51e..f09bfaa5393d 100644 --- a/nixpkgs/nixos/modules/programs/shadow.nix +++ b/nixpkgs/nixos/modules/programs/shadow.nix @@ -1,15 +1,14 @@ # Configuration for the pwdutils suite of tools: passwd, useradd, etc. { config, lib, utils, pkgs, ... }: -with lib; let cfg = config.security.loginDefs; in { - options = with types; { + options = with lib.types; { security.loginDefs = { - package = mkPackageOption pkgs "shadow" { }; + package = lib.mkPackageOption pkgs "shadow" { }; - chfnRestrict = mkOption { + chfnRestrict = lib.mkOption { description = '' Use chfn SUID to allow non-root users to change their account GECOS information. ''; @@ -17,7 +16,7 @@ in default = null; }; - settings = mkOption { + settings = lib.mkOption { description = '' Config options for the /etc/login.defs file, that defines the site-specific configuration for the shadow password suite. @@ -35,68 +34,68 @@ in by systemd for features like ConditionUser=@system and systemd-sysusers */ options = { - DEFAULT_HOME = mkOption { + DEFAULT_HOME = lib.mkOption { description = "Indicate if login is allowed if we can't cd to the home directory."; default = "yes"; type = enum [ "yes" "no" ]; }; - ENCRYPT_METHOD = mkOption { + ENCRYPT_METHOD = lib.mkOption { description = "This defines the system default encryption algorithm for encrypting passwords."; # The default crypt() method, keep in sync with the PAM default default = "YESCRYPT"; type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"]; }; - SYS_UID_MIN = mkOption { + SYS_UID_MIN = lib.mkOption { description = "Range of user IDs used for the creation of system users by useradd or newusers."; default = 400; type = int; }; - SYS_UID_MAX = mkOption { + SYS_UID_MAX = lib.mkOption { description = "Range of user IDs used for the creation of system users by useradd or newusers."; default = 999; type = int; }; - UID_MIN = mkOption { + UID_MIN = lib.mkOption { description = "Range of user IDs used for the creation of regular users by useradd or newusers."; default = 1000; type = int; }; - UID_MAX = mkOption { + UID_MAX = lib.mkOption { description = "Range of user IDs used for the creation of regular users by useradd or newusers."; default = 29999; type = int; }; - SYS_GID_MIN = mkOption { + SYS_GID_MIN = lib.mkOption { description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; default = 400; type = int; }; - SYS_GID_MAX = mkOption { + SYS_GID_MAX = lib.mkOption { description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; default = 999; type = int; }; - GID_MIN = mkOption { + GID_MIN = lib.mkOption { description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; default = 1000; type = int; }; - GID_MAX = mkOption { + GID_MAX = lib.mkOption { description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; default = 29999; type = int; }; - TTYGROUP = mkOption { + TTYGROUP = lib.mkOption { description = '' The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM''; @@ -104,7 +103,7 @@ in type = str; }; - TTYPERM = mkOption { + TTYPERM = lib.mkOption { description = '' The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM''; @@ -113,7 +112,7 @@ in }; # Ensure privacy for newly created home directories. - UMASK = mkOption { + UMASK = lib.mkOption { description = "The file mode creation mask is initialized to this value."; default = "077"; type = str; @@ -124,7 +123,7 @@ in }; }; - users.defaultUserShell = mkOption { + users.defaultUserShell = lib.mkOption { description = '' This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package. @@ -132,7 +131,7 @@ in This must not be a store path, since the path is used outside the store (in particular in /etc/passwd). ''; - example = literalExpression "pkgs.zsh"; + example = lib.literalExpression "pkgs.zsh"; type = either path shellPackage; }; }; @@ -160,18 +159,18 @@ in ]; security.loginDefs.settings.CHFN_RESTRICT = - mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict; + lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict; - environment.systemPackages = optional config.users.mutableUsers cfg.package - ++ optional (types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell - ++ optional (cfg.chfnRestrict != null) pkgs.util-linux; + environment.systemPackages = lib.optional config.users.mutableUsers cfg.package + ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell + ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux; environment.etc = # Create custom toKeyValue generator # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification let - toKeyValue = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault { } " "; + toKeyValue = lib.generators.toKeyValue { + mkKeyValue = lib.generators.mkKeyValueDefault { } " "; }; in { @@ -231,7 +230,7 @@ in newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap"; newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap"; } - // optionalAttrs config.users.mutableUsers { + // lib.optionalAttrs config.users.mutableUsers { chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh"; passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd"; }; diff --git a/nixpkgs/nixos/modules/programs/sharing.nix b/nixpkgs/nixos/modules/programs/sharing.nix index 211dc9815166..0fe8100bbc56 100644 --- a/nixpkgs/nixos/modules/programs/sharing.nix +++ b/nixpkgs/nixos/modules/programs/sharing.nix @@ -1,8 +1,7 @@ { config, pkgs, lib, ... }: -with lib; { options.programs.sharing = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' sharing, a CLI tool for sharing files. Note that it will opens the 7478 port for TCP in the firewall, which is needed for it to function properly @@ -12,7 +11,7 @@ with lib; let cfg = config.programs.sharing; in - mkIf cfg.enable { + lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.sharing ]; networking.firewall.allowedTCPPorts = [ 7478 ]; }; diff --git a/nixpkgs/nixos/modules/programs/singularity.nix b/nixpkgs/nixos/modules/programs/singularity.nix index f4c0a6fe487e..bc989ad2dbaf 100644 --- a/nixpkgs/nixos/modules/programs/singularity.nix +++ b/nixpkgs/nixos/modules/programs/singularity.nix @@ -5,21 +5,20 @@ ... }: -with lib; let cfg = config.programs.singularity; in { options.programs.singularity = { - enable = mkEnableOption "singularity" // { + enable = lib.mkEnableOption "singularity" // { description = '' Whether to install Singularity/Apptainer with system-level overriding such as SUID support. ''; }; - package = mkPackageOption pkgs "singularity" { example = "apptainer"; }; - packageOverriden = mkOption { - type = types.nullOr types.package; + package = lib.mkPackageOption pkgs "singularity" { example = "apptainer"; }; + packageOverriden = lib.mkOption { + type = lib.types.nullOr lib.types.package; default = null; description = '' This option provides access to the overridden result of `programs.singularity.package`. @@ -42,8 +41,8 @@ in Use `lib.mkForce` to forcefully specify the overridden package. ''; }; - enableExternalLocalStateDir = mkOption { - type = types.bool; + enableExternalLocalStateDir = lib.mkOption { + type = lib.types.bool; default = true; example = false; description = '' @@ -54,22 +53,22 @@ in `/var/lib/''${projectName}/mnt/session`. ''; }; - enableFakeroot = mkOption { - type = types.bool; + enableFakeroot = lib.mkOption { + type = lib.types.bool; default = true; example = false; description = '' Whether to enable the `--fakeroot` support of Singularity/Apptainer. ''; }; - enableSuid = mkOption { - type = types.bool; + enableSuid = lib.mkOption { + type = lib.types.bool; # SingularityCE requires SETUID for most things. Apptainer prefers user # namespaces, e.g. `apptainer exec --nv` would fail if built # `--with-suid`: # > `FATAL: nvidia-container-cli not allowed in setuid mode` default = cfg.package.projectName != "apptainer"; - defaultText = literalExpression ''config.services.singularity.package.projectName != "apptainer"''; + defaultText = lib.literalExpression ''config.services.singularity.package.projectName != "apptainer"''; example = false; description = '' Whether to enable the SUID support of Singularity/Apptainer. @@ -77,28 +76,28 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.singularity.packageOverriden = ( cfg.package.override ( - optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } - // optionalAttrs cfg.enableFakeroot { + lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; } + // lib.optionalAttrs cfg.enableFakeroot { newuidmapPath = "/run/wrappers/bin/newuidmap"; newgidmapPath = "/run/wrappers/bin/newgidmap"; } - // optionalAttrs cfg.enableSuid { + // lib.optionalAttrs cfg.enableSuid { enableSuid = true; starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid"; } ) ); environment.systemPackages = [ cfg.packageOverriden ]; - security.wrappers."${cfg.packageOverriden.projectName}-suid" = mkIf cfg.enableSuid { + security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid { setuid = true; owner = "root"; group = "root"; source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig"; }; - systemd.tmpfiles.rules = mkIf cfg.enableExternalLocalStateDir [ + systemd.tmpfiles.rules = lib.mkIf cfg.enableExternalLocalStateDir [ "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -" ]; }; diff --git a/nixpkgs/nixos/modules/programs/slock.nix b/nixpkgs/nixos/modules/programs/slock.nix index f39b4d5e9280..ce24f662f218 100644 --- a/nixpkgs/nixos/modules/programs/slock.nix +++ b/nixpkgs/nixos/modules/programs/slock.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.slock; @@ -9,18 +7,18 @@ in { options = { programs.slock = { - enable = mkOption { + enable = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = '' Whether to install slock screen locker with setuid wrapper. ''; }; - package = mkPackageOption pkgs "slock" {}; + package = lib.mkPackageOption pkgs "slock" {}; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; security.wrappers.slock = { setuid = true; diff --git a/nixpkgs/nixos/modules/programs/soundmodem.nix b/nixpkgs/nixos/modules/programs/soundmodem.nix index ab992c63c608..5f57e24a4524 100644 --- a/nixpkgs/nixos/modules/programs/soundmodem.nix +++ b/nixpkgs/nixos/modules/programs/soundmodem.nix @@ -1,26 +1,24 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.soundmodem; in { options = { programs.soundmodem = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add Soundmodem to the global environment and configure a wrapper for 'soundmodemconfig' for users in the 'soundmodem' group. ''; }; - package = mkPackageOption pkgs "soundmodem" { }; + package = lib.mkPackageOption pkgs "soundmodem" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; users.groups.soundmodem = { }; diff --git a/nixpkgs/nixos/modules/programs/spacefm.nix b/nixpkgs/nixos/modules/programs/spacefm.nix index fec14fca48e1..73d48cf6a3a8 100644 --- a/nixpkgs/nixos/modules/programs/spacefm.nix +++ b/nixpkgs/nixos/modules/programs/spacefm.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.spacefm; in @@ -14,21 +12,21 @@ in programs.spacefm = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to install SpaceFM and create {file}`/etc/spacefm/spacefm.conf`. ''; }; - settings = mkOption { - type = types.attrs; + settings = lib.mkOption { + type = lib.types.attrs; default = { tmp_dir = "/tmp"; terminal_su = "${pkgs.sudo}/bin/sudo"; }; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' { tmp_dir = "/tmp"; terminal_su = "''${pkgs.sudo}/bin/sudo"; @@ -46,10 +44,10 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.spaceFM ]; environment.etc."spacefm/spacefm.conf".text = - concatStrings (mapAttrsToList (n: v: "${n}=${toString v}\n") cfg.settings); + lib.concatStrings (lib.mapAttrsToList (n: v: "${n}=${builtins.toString v}\n") cfg.settings); }; } diff --git a/nixpkgs/nixos/modules/programs/ssh.nix b/nixpkgs/nixos/modules/programs/ssh.nix index 2d25c7a93662..0692dd46f7d0 100644 --- a/nixpkgs/nixos/modules/programs/ssh.nix +++ b/nixpkgs/nixos/modules/programs/ssh.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.ssh; @@ -17,16 +15,16 @@ let exec ${cfg.askPassword} "$@" ''; - knownHosts = attrValues cfg.knownHosts; + knownHosts = builtins.attrValues cfg.knownHosts; - knownHostsText = (flip (concatMapStringsSep "\n") knownHosts + knownHostsText = (lib.flip (lib.concatMapStringsSep "\n") knownHosts (h: assert h.hostNames != []; - optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " " - + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) + lib.optionalString h.certAuthority "@cert-authority " + builtins.concatStringsSep "," h.hostNames + " " + + (if h.publicKey != null then h.publicKey else builtins.readFile h.publicKeyFile) )) + "\n"; knownHostsFiles = [ "/etc/ssh/ssh_known_hosts" ] - ++ map pkgs.copyPathToStore cfg.knownHostsFiles; + ++ builtins.map pkgs.copyPathToStore cfg.knownHostsFiles; in { @@ -36,21 +34,21 @@ in programs.ssh = { - enableAskPassword = mkOption { - type = types.bool; + enableAskPassword = lib.mkOption { + type = lib.types.bool; default = config.services.xserver.enable; - defaultText = literalExpression "config.services.xserver.enable"; + defaultText = lib.literalExpression "config.services.xserver.enable"; description = "Whether to configure SSH_ASKPASS in the environment."; }; - askPassword = mkOption { - type = types.str; + askPassword = lib.mkOption { + type = lib.types.str; default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; - defaultText = literalExpression ''"''${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"''; + defaultText = lib.literalExpression ''"''${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"''; description = "Program used by SSH to ask for passwords."; }; - forwardX11 = mkOption { + forwardX11 = lib.mkOption { type = with lib.types; nullOr bool; default = false; description = '' @@ -65,25 +63,25 @@ in ''; }; - setXAuthLocation = mkOption { - type = types.bool; + setXAuthLocation = lib.mkOption { + type = lib.types.bool; description = '' Whether to set the path to {command}`xauth` for X11-forwarded connections. This causes a dependency on X11 packages. ''; }; - pubkeyAcceptedKeyTypes = mkOption { - type = types.listOf types.str; + pubkeyAcceptedKeyTypes = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; description = '' - Specifies the key types that will be used for public key authentication. + Specifies the key lib.types that will be used for public key authentication. ''; }; - hostKeyAlgorithms = mkOption { - type = types.listOf types.str; + hostKeyAlgorithms = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; description = '' @@ -91,8 +89,8 @@ in ''; }; - extraConfig = mkOption { - type = types.lines; + extraConfig = lib.mkOption { + type = lib.types.lines; default = ""; description = '' Extra configuration text prepended to {file}`ssh_config`. Other generated @@ -102,8 +100,8 @@ in ''; }; - startAgent = mkOption { - type = types.bool; + startAgent = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to start the OpenSSH agent when you log in. The OpenSSH agent @@ -113,8 +111,8 @@ in ''; }; - agentTimeout = mkOption { - type = types.nullOr types.str; + agentTimeout = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; example = "1h"; description = '' @@ -122,34 +120,34 @@ in ''; }; - agentPKCS11Whitelist = mkOption { - type = types.nullOr types.str; + agentPKCS11Whitelist = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; - example = literalExpression ''"''${pkgs.opensc}/lib/opensc-pkcs11.so"''; + example = lib.literalExpression ''"''${pkgs.opensc}/lib/opensc-pkcs11.so"''; description = '' A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add. ''; }; - package = mkPackageOption pkgs "openssh" { }; + package = lib.mkPackageOption pkgs "openssh" { }; - knownHosts = mkOption { + knownHosts = lib.mkOption { default = {}; - type = types.attrsOf (types.submodule ({ name, config, options, ... }: { + type = lib.types.attrsOf (lib.types.submodule ({ name, config, options, ... }: { options = { - certAuthority = mkOption { - type = types.bool; + certAuthority = lib.mkOption { + type = lib.types.bool; default = false; description = '' This public key is an SSH certificate authority, rather than an individual host's key. ''; }; - hostNames = mkOption { - type = types.listOf types.str; + hostNames = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ name ] ++ config.extraHostNames; - defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}"; + defaultText = lib.literalExpression "[ ${name} ] ++ config.${options.extraHostNames}"; description = '' A list of host names and/or IP numbers used for accessing the host's ssh service. This list includes the name of the @@ -160,8 +158,8 @@ in `hostNames` list. ''; }; - extraHostNames = mkOption { - type = types.listOf types.str; + extraHostNames = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; description = '' A list of additional host names and/or IP numbers used for @@ -169,9 +167,9 @@ in `hostNames` is set explicitly. ''; }; - publicKey = mkOption { + publicKey = lib.mkOption { default = null; - type = types.nullOr types.str; + type = lib.types.nullOr lib.types.str; example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="; description = '' The public key data for the host. You can fetch a public key @@ -180,9 +178,9 @@ in the key type and the key itself. ''; }; - publicKeyFile = mkOption { + publicKeyFile = lib.mkOption { default = null; - type = types.nullOr types.path; + type = lib.types.nullOr lib.types.path; description = '' The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. @@ -204,7 +202,7 @@ in `extraHostNames` to add additional host names without disabling this default. ''; - example = literalExpression '' + example = lib.literalExpression '' { myhost = { extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ]; @@ -219,16 +217,16 @@ in ''; }; - knownHostsFiles = mkOption { + knownHostsFiles = lib.mkOption { default = []; - type = with types; listOf path; + type = with lib.types; listOf path; description = '' Files containing SSH host keys to set as global known hosts. `/etc/ssh/ssh_known_hosts` (which is generated by {option}`programs.ssh.knownHosts`) is always included. ''; - example = literalExpression '' + example = lib.literalExpression '' [ ./known_hosts (writeText "github.keys" ''' @@ -240,8 +238,8 @@ in ''; }; - kexAlgorithms = mkOption { - type = types.nullOr (types.listOf types.str); + kexAlgorithms = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.str); default = null; example = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; description = '' @@ -249,8 +247,8 @@ in ''; }; - ciphers = mkOption { - type = types.nullOr (types.listOf types.str); + ciphers = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.str); default = null; example = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ]; description = '' @@ -258,8 +256,8 @@ in ''; }; - macs = mkOption { - type = types.nullOr (types.listOf types.str); + macs = lib.mkOption { + type = lib.types.nullOr (lib.types.listOf lib.types.str); default = null; example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ]; description = '' @@ -274,13 +272,13 @@ in config = { programs.ssh.setXAuthLocation = - mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 == true || config.services.openssh.settings.X11Forwarding); + lib.mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 == true || config.services.openssh.settings.X11Forwarding); assertions = [ { assertion = cfg.forwardX11 == true -> cfg.setXAuthLocation; message = "cannot enable X11 forwarding without setting XAuth location"; } - ] ++ flip mapAttrsToList cfg.knownHosts (name: data: { + ] ++ lib.flip lib.mapAttrsToList cfg.knownHosts (name: data: { assertion = (data.publicKey == null && data.publicKeyFile != null) || (data.publicKey != null && data.publicKeyFile == null); message = "knownHost ${name} must contain either a publicKey or publicKeyFile"; @@ -296,22 +294,22 @@ in # Generated options from other settings Host * AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} - GlobalKnownHostsFile ${concatStringsSep " " knownHostsFiles} + GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles} - ${optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} + ${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"} ${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"} - ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} - ${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"} - ${optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}"} - ${optionalString (cfg.ciphers != null) "Ciphers ${concatStringsSep "," cfg.ciphers}"} - ${optionalString (cfg.macs != null) "MACs ${concatStringsSep "," cfg.macs}"} + ${lib.optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${builtins.concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"} + ${lib.optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${builtins.concatStringsSep "," cfg.hostKeyAlgorithms}"} + ${lib.optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${builtins.concatStringsSep "," cfg.kexAlgorithms}"} + ${lib.optionalString (cfg.ciphers != null) "Ciphers ${builtins.concatStringsSep "," cfg.ciphers}"} + ${lib.optionalString (cfg.macs != null) "MACs ${builtins.concatStringsSep "," cfg.macs}"} ''; environment.etc."ssh/ssh_known_hosts".text = knownHostsText; # FIXME: this should really be socket-activated for über-awesomeness. - systemd.user.services.ssh-agent = mkIf cfg.startAgent + systemd.user.services.ssh-agent = lib.mkIf cfg.startAgent { description = "SSH Agent"; wantedBy = [ "default.target" ]; unitConfig.ConditionUser = "!@system"; @@ -319,8 +317,8 @@ in { ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent"; ExecStart = "${cfg.package}/bin/ssh-agent " + - optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") + - optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") + + lib.optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") + + lib.optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") + "-a %t/ssh-agent"; StandardOutput = "null"; Type = "forking"; @@ -330,18 +328,18 @@ in # Allow ssh-agent to ask for confirmation. This requires the # unit to know about the user's $DISPLAY (via ‘systemctl # import-environment’). - environment.SSH_ASKPASS = optionalString cfg.enableAskPassword askPasswordWrapper; + environment.SSH_ASKPASS = lib.optionalString cfg.enableAskPassword askPasswordWrapper; environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS }; - environment.extraInit = optionalString cfg.startAgent + environment.extraInit = lib.optionalString cfg.startAgent '' if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent" fi ''; - environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword cfg.askPassword; + environment.variables.SSH_ASKPASS = lib.optionalString cfg.enableAskPassword cfg.askPassword; }; } diff --git a/nixpkgs/nixos/modules/programs/steam.nix b/nixpkgs/nixos/modules/programs/steam.nix index 58aa0aa25b08..d76863aff83b 100644 --- a/nixpkgs/nixos/modules/programs/steam.nix +++ b/nixpkgs/nixos/modules/programs/steam.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.steam; gamescopeCfg = config.programs.gamescope; @@ -11,7 +9,7 @@ let in pkgs.writeShellScriptBin "steam-gamescope" '' ${builtins.concatStringsSep "\n" exports} - gamescope --steam ${toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf + gamescope --steam ${builtins.toString cfg.gamescopeSession.args} -- steam -tenfoot -pipewire-dmabuf ''; gamescopeSessionFile = @@ -24,13 +22,13 @@ let '').overrideAttrs (_: { passthru.providedSessions = [ "steam" ]; }); in { options.programs.steam = { - enable = mkEnableOption "steam"; + enable = lib.mkEnableOption "steam"; - package = mkOption { - type = types.package; + package = lib.mkOption { + type = lib.types.package; default = pkgs.steam; - defaultText = literalExpression "pkgs.steam"; - example = literalExpression '' + defaultText = lib.literalExpression "pkgs.steam"; + example = lib.literalExpression '' pkgs.steam-small.override { extraEnv = { MANGOHUD = true; @@ -44,8 +42,8 @@ in { ''; apply = steam: steam.override (prev: { extraEnv = (lib.optionalAttrs (cfg.extraCompatPackages != [ ]) { - STEAM_EXTRA_COMPAT_TOOLS_PATHS = makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages; - }) // (optionalAttrs cfg.extest.enable { + STEAM_EXTRA_COMPAT_TOOLS_PATHS = lib.makeSearchPathOutput "steamcompattool" "" cfg.extraCompatPackages; + }) // (lib.optionalAttrs cfg.extest.enable { LD_PRELOAD = "${pkgs.pkgsi686Linux.extest}/lib/libextest.so"; }) // (prev.extraEnv or {}); extraLibraries = pkgs: let @@ -55,7 +53,7 @@ in { then [ package ] ++ extraPackages else [ package32 ] ++ extraPackages32; in prevLibs ++ additionalLibs; - } // optionalAttrs (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) + } // lib.optionalAttrs (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) { buildFHSEnv = pkgs.buildFHSEnv.override { # use the setuid wrapped bubblewrap @@ -71,10 +69,10 @@ in { ''; }; - extraCompatPackages = mkOption { - type = types.listOf types.package; + extraCompatPackages = lib.mkOption { + type = lib.types.listOf lib.types.package; default = [ ]; - example = literalExpression '' + example = lib.literalExpression '' with pkgs; [ proton-ge-bin ] @@ -88,46 +86,46 @@ in { ''; }; - remotePlay.openFirewall = mkOption { - type = types.bool; + remotePlay.openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open ports in the firewall for Steam Remote Play. ''; }; - dedicatedServer.openFirewall = mkOption { - type = types.bool; + dedicatedServer.openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open ports in the firewall for Source Dedicated Server. ''; }; - localNetworkGameTransfers.openFirewall = mkOption { - type = types.bool; + localNetworkGameTransfers.openFirewall = lib.mkOption { + type = lib.types.bool; default = false; description = '' Open ports in the firewall for Steam Local Network Game Transfers. ''; }; - gamescopeSession = mkOption { + gamescopeSession = lib.mkOption { description = "Run a GameScope driven Steam session from your display-manager"; default = {}; - type = types.submodule { + type = lib.types.submodule { options = { - enable = mkEnableOption "GameScope Session"; - args = mkOption { - type = types.listOf types.str; + enable = lib.mkEnableOption "GameScope Session"; + args = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ ]; description = '' Arguments to be passed to GameScope for the session. ''; }; - env = mkOption { - type = types.attrsOf types.str; + env = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = { }; description = '' Environmental variables to be passed to GameScope for the session. @@ -137,20 +135,20 @@ in { }; }; - extest.enable = mkEnableOption '' + extest.enable = lib.mkEnableOption '' Load the extest library into Steam, to translate X11 input events to uinput events (e.g. for using Steam Input on Wayland) ''; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { hardware.opengl = { # this fixes the "glXChooseVisual failed" bug, context: https://github.com/NixOS/nixpkgs/issues/47932 enable = true; driSupport = true; driSupport32Bit = true; }; - security.wrappers = mkIf (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) { + security.wrappers = lib.mkIf (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) { # needed or steam fails bwrap = { owner = "root"; @@ -160,8 +158,8 @@ in { }; }; - programs.gamescope.enable = mkDefault cfg.gamescopeSession.enable; - services.displayManager.sessionPackages = mkIf cfg.gamescopeSession.enable [ gamescopeSessionFile ]; + programs.gamescope.enable = lib.mkDefault cfg.gamescopeSession.enable; + services.displayManager.sessionPackages = lib.mkIf cfg.gamescopeSession.enable [ gamescopeSessionFile ]; # optionally enable 32bit pulseaudio support if pulseaudio is enabled hardware.pulseaudio.support32Bit = config.hardware.pulseaudio.enable; @@ -174,25 +172,25 @@ in { ] ++ lib.optional cfg.gamescopeSession.enable steam-gamescope; networking.firewall = lib.mkMerge [ - (mkIf (cfg.remotePlay.openFirewall || cfg.localNetworkGameTransfers.openFirewall) { + (lib.mkIf (cfg.remotePlay.openFirewall || cfg.localNetworkGameTransfers.openFirewall) { allowedUDPPorts = [ 27036 ]; # Peer discovery }) - (mkIf cfg.remotePlay.openFirewall { + (lib.mkIf cfg.remotePlay.openFirewall { allowedTCPPorts = [ 27036 ]; allowedUDPPortRanges = [ { from = 27031; to = 27035; } ]; }) - (mkIf cfg.dedicatedServer.openFirewall { + (lib.mkIf cfg.dedicatedServer.openFirewall { allowedTCPPorts = [ 27015 ]; # SRCDS Rcon port allowedUDPPorts = [ 27015 ]; # Gameplay traffic }) - (mkIf cfg.localNetworkGameTransfers.openFirewall { + (lib.mkIf cfg.localNetworkGameTransfers.openFirewall { allowedTCPPorts = [ 27040 ]; # Data transfers }) ]; }; - meta.maintainers = teams.steam; + meta.maintainers = lib.teams.steam.members; } diff --git a/nixpkgs/nixos/modules/programs/streamdeck-ui.nix b/nixpkgs/nixos/modules/programs/streamdeck-ui.nix index 6bec2abdfbec..a1366c42181c 100644 --- a/nixpkgs/nixos/modules/programs/streamdeck-ui.nix +++ b/nixpkgs/nixos/modules/programs/streamdeck-ui.nix @@ -1,34 +1,32 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.streamdeck-ui; in { options.programs.streamdeck-ui = { - enable = mkEnableOption "streamdeck-ui"; + enable = lib.mkEnableOption "streamdeck-ui"; - autoStart = mkOption { + autoStart = lib.mkOption { default = true; - type = types.bool; + type = lib.types.bool; description = "Whether streamdeck-ui should be started automatically."; }; - package = mkPackageOption pkgs "streamdeck-ui" { + package = lib.mkPackageOption pkgs "streamdeck-ui" { default = [ "streamdeck-ui" ]; }; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.package - (mkIf cfg.autoStart (makeAutostartItem { name = "streamdeck-ui-noui"; package = cfg.package; })) + (lib.mkIf cfg.autoStart (pkgs.makeAutostartItem { name = "streamdeck-ui-noui"; package = cfg.package; })) ]; services.udev.packages = [ cfg.package ]; }; - meta.maintainers = with maintainers; [ majiir ]; + meta.maintainers = with lib.maintainers; [ majiir ]; } diff --git a/nixpkgs/nixos/modules/programs/sysdig.nix b/nixpkgs/nixos/modules/programs/sysdig.nix index cf2cbab5cf6e..47b95ef64e97 100644 --- a/nixpkgs/nixos/modules/programs/sysdig.nix +++ b/nixpkgs/nixos/modules/programs/sysdig.nix @@ -1,13 +1,11 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.sysdig; in { - options.programs.sysdig.enable = mkEnableOption "sysdig, a tracing tool"; + options.programs.sysdig.enable = lib.mkEnableOption "sysdig, a tracing tool"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.sysdig ]; boot.extraModulePackages = [ config.boot.kernelPackages.sysdig ]; }; diff --git a/nixpkgs/nixos/modules/programs/system-config-printer.nix b/nixpkgs/nixos/modules/programs/system-config-printer.nix index 34592dd7064b..68b7897d64c2 100644 --- a/nixpkgs/nixos/modules/programs/system-config-printer.nix +++ b/nixpkgs/nixos/modules/programs/system-config-printer.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - { ###### interface @@ -10,7 +8,7 @@ with lib; programs.system-config-printer = { - enable = mkEnableOption "system-config-printer, a Graphical user interface for CUPS administration"; + enable = lib.mkEnableOption "system-config-printer, a Graphical user interface for CUPS administration"; }; @@ -19,7 +17,7 @@ with lib; ###### implementation - config = mkIf config.programs.system-config-printer.enable { + config = lib.mkIf config.programs.system-config-printer.enable { environment.systemPackages = [ pkgs.system-config-printer diff --git a/nixpkgs/nixos/modules/programs/systemtap.nix b/nixpkgs/nixos/modules/programs/systemtap.nix index d23bd13fdd85..e61e255e5221 100644 --- a/nixpkgs/nixos/modules/programs/systemtap.nix +++ b/nixpkgs/nixos/modules/programs/systemtap.nix @@ -1,14 +1,12 @@ { config, lib, ... }: -with lib; - let cfg = config.programs.systemtap; in { options = { programs.systemtap = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Install {command}`systemtap` along with necessary kernel options. @@ -16,7 +14,7 @@ in { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { system.requiredKernelConfig = with config.lib.kernelConfig; [ (isYes "DEBUG") ]; diff --git a/nixpkgs/nixos/modules/programs/thefuck.nix b/nixpkgs/nixos/modules/programs/thefuck.nix index ba2e39c013ae..0e65352a1f21 100644 --- a/nixpkgs/nixos/modules/programs/thefuck.nix +++ b/nixpkgs/nixos/modules/programs/thefuck.nix @@ -1,7 +1,5 @@ { config, pkgs, lib, ... }: -with lib; - let prg = config.programs; cfg = prg.thefuck; @@ -16,11 +14,11 @@ in { options = { programs.thefuck = { - enable = mkEnableOption "thefuck, an app which corrects your previous console command"; + enable = lib.mkEnableOption "thefuck, an app which corrects your previous console command"; - alias = mkOption { + alias = lib.mkOption { default = "fuck"; - type = types.str; + type = lib.types.str; description = '' `thefuck` needs an alias to be configured. @@ -30,11 +28,11 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ thefuck ]; programs.bash.interactiveShellInit = bashAndZshInitScript; - programs.zsh.interactiveShellInit = mkIf prg.zsh.enable bashAndZshInitScript; - programs.fish.interactiveShellInit = mkIf prg.fish.enable fishInitScript; + programs.zsh.interactiveShellInit = lib.mkIf prg.zsh.enable bashAndZshInitScript; + programs.fish.interactiveShellInit = lib.mkIf prg.fish.enable fishInitScript; }; } diff --git a/nixpkgs/nixos/modules/programs/thunar.nix b/nixpkgs/nixos/modules/programs/thunar.nix index 5ea2982dd93c..76fcc9d8298f 100644 --- a/nixpkgs/nixos/modules/programs/thunar.nix +++ b/nixpkgs/nixos/modules/programs/thunar.nix @@ -1,29 +1,27 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.thunar; in { meta = { - maintainers = teams.xfce.members; + maintainers = lib.teams.xfce.members; }; options = { programs.thunar = { - enable = mkEnableOption "Thunar, the Xfce file manager"; + enable = lib.mkEnableOption "Thunar, the Xfce file manager"; - plugins = mkOption { + plugins = lib.mkOption { default = []; - type = types.listOf types.package; + type = lib.types.listOf lib.types.package; description = "List of thunar plugins to install."; - example = literalExpression "with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]"; + example = lib.literalExpression "with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]"; }; }; }; - config = mkIf cfg.enable ( + config = lib.mkIf cfg.enable ( let package = pkgs.xfce.thunar.override { thunarPlugins = cfg.plugins; }; in { diff --git a/nixpkgs/nixos/modules/programs/traceroute.nix b/nixpkgs/nixos/modules/programs/traceroute.nix index 6e04057ac503..0864dbe79db6 100644 --- a/nixpkgs/nixos/modules/programs/traceroute.nix +++ b/nixpkgs/nixos/modules/programs/traceroute.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.traceroute; in { options = { programs.traceroute = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to configure a setcap wrapper for traceroute. @@ -17,7 +15,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.traceroute = { owner = "root"; group = "root"; diff --git a/nixpkgs/nixos/modules/programs/turbovnc.nix b/nixpkgs/nixos/modules/programs/turbovnc.nix index fbb3a7bf22e9..c28b7f7d7991 100644 --- a/nixpkgs/nixos/modules/programs/turbovnc.nix +++ b/nixpkgs/nixos/modules/programs/turbovnc.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.turbovnc; in @@ -12,8 +10,8 @@ in programs.turbovnc = { - ensureHeadlessSoftwareOpenGL = mkOption { - type = types.bool; + ensureHeadlessSoftwareOpenGL = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to set up NixOS such that TurboVNC's built-in software OpenGL @@ -36,7 +34,7 @@ in }; - config = mkIf cfg.ensureHeadlessSoftwareOpenGL { + config = lib.mkIf cfg.ensureHeadlessSoftwareOpenGL { # TurboVNC has builtin support for Mesa llvmpipe's `swrast` # software rendering to implement GLX (OpenGL on Xorg). diff --git a/nixpkgs/nixos/modules/programs/udevil.nix b/nixpkgs/nixos/modules/programs/udevil.nix index 44b9dd9234b3..e4c0daea72c1 100644 --- a/nixpkgs/nixos/modules/programs/udevil.nix +++ b/nixpkgs/nixos/modules/programs/udevil.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.udevil; in { - options.programs.udevil.enable = mkEnableOption "udevil, to mount filesystems without password"; + options.programs.udevil.enable = lib.mkEnableOption "udevil, to mount filesystems without password"; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { security.wrappers.udevil = { setuid = true; owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/usbtop.nix b/nixpkgs/nixos/modules/programs/usbtop.nix index 4f13ce5f6262..8b77b2bf51c4 100644 --- a/nixpkgs/nixos/modules/programs/usbtop.nix +++ b/nixpkgs/nixos/modules/programs/usbtop.nix @@ -1,15 +1,13 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.usbtop; in { options = { - programs.usbtop.enable = mkEnableOption "usbtop and required kernel module, to show estimated USB bandwidth"; + programs.usbtop.enable = lib.mkEnableOption "usbtop and required kernel module, to show estimated USB bandwidth"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ usbtop ]; diff --git a/nixpkgs/nixos/modules/programs/vim.nix b/nixpkgs/nixos/modules/programs/vim.nix index eb3499fd243f..8232340ddebb 100644 --- a/nixpkgs/nixos/modules/programs/vim.nix +++ b/nixpkgs/nixos/modules/programs/vim.nix @@ -1,13 +1,11 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.vim; in { options.programs.vim = { - defaultEditor = mkOption { - type = types.bool; + defaultEditor = lib.mkOption { + type = lib.types.bool; default = false; description = '' When enabled, installs vim and configures vim to be the default editor @@ -15,13 +13,13 @@ in { ''; }; - package = mkPackageOption pkgs "vim" { + package = lib.mkPackageOption pkgs "vim" { example = "vim-full"; }; }; - config = mkIf cfg.defaultEditor { + config = lib.mkIf cfg.defaultEditor { environment.systemPackages = [ cfg.package ]; - environment.variables = { EDITOR = mkOverride 900 "vim"; }; + environment.variables = { EDITOR = lib.mkOverride 900 "vim"; }; }; } diff --git a/nixpkgs/nixos/modules/programs/virt-manager.nix b/nixpkgs/nixos/modules/programs/virt-manager.nix index 095db7586a03..9b5fa22268ae 100644 --- a/nixpkgs/nixos/modules/programs/virt-manager.nix +++ b/nixpkgs/nixos/modules/programs/virt-manager.nix @@ -2,15 +2,27 @@ let cfg = config.programs.virt-manager; -in { +in +{ options.programs.virt-manager = { enable = lib.mkEnableOption "virt-manager, an UI for managing virtual machines in libvirt"; - package = lib.mkPackageOption pkgs "virt-manager" {}; + package = lib.mkPackageOption pkgs "virt-manager" { }; }; config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; - programs.dconf.enable = true; + programs.dconf = { + profiles.user.databases = [ + { + settings = { + "org/virt-manager/virt-manager/connections" = { + autoconnect = [ "qemu:///system" ]; + uris = [ "qemu:///system" ]; + }; + }; + } + ]; + }; }; } diff --git a/nixpkgs/nixos/modules/programs/wavemon.nix b/nixpkgs/nixos/modules/programs/wavemon.nix index e5ccacba75d4..86bc7cc09795 100644 --- a/nixpkgs/nixos/modules/programs/wavemon.nix +++ b/nixpkgs/nixos/modules/programs/wavemon.nix @@ -1,14 +1,12 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.wavemon; in { options = { programs.wavemon = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add wavemon to the global environment and configure a @@ -18,7 +16,7 @@ in { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ wavemon ]; security.wrappers.wavemon = { owner = "root"; diff --git a/nixpkgs/nixos/modules/programs/wayland/hyprland.nix b/nixpkgs/nixos/modules/programs/wayland/hyprland.nix index e648eaa1b68e..c963429f2e2a 100644 --- a/nixpkgs/nixos/modules/programs/wayland/hyprland.nix +++ b/nixpkgs/nixos/modules/programs/wayland/hyprland.nix @@ -3,7 +3,7 @@ , pkgs , ... }: -with lib; let +let cfg = config.programs.hyprland; finalPortalPackage = cfg.portalPackage.override { @@ -12,7 +12,7 @@ with lib; let in { options.programs.hyprland = { - enable = mkEnableOption null // { + enable = lib.mkEnableOption null // { description = '' Whether to enable Hyprland, the dynamic tiling Wayland compositor that doesn't sacrifice on its looks. @@ -23,35 +23,26 @@ in ''; }; - package = mkPackageOption pkgs "hyprland" { }; + package = lib.mkPackageOption pkgs "hyprland" { }; - finalPackage = mkOption { - type = types.package; + finalPackage = lib.mkOption { + type = lib.types.package; readOnly = true; default = cfg.package.override { enableXWayland = cfg.xwayland.enable; }; - defaultText = literalExpression + defaultText = lib.literalExpression "`programs.hyprland.package` with applied configuration"; description = '' The Hyprland package after applying configuration. ''; }; - portalPackage = mkPackageOption pkgs "xdg-desktop-portal-hyprland" { }; + portalPackage = lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" { }; - xwayland.enable = mkEnableOption ("XWayland") // { default = true; }; + xwayland.enable = lib.mkEnableOption ("XWayland") // { default = true; }; - envVars.enable = mkEnableOption null // { - default = true; - example = false; - description = '' - Set environment variables for Hyprland to work properly. - Enabled by default. - ''; - }; - - systemd.setPath.enable = mkEnableOption null // { + systemd.setPath.enable = lib.mkEnableOption null // { default = true; example = false; description = '' @@ -62,15 +53,15 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.finalPackage ]; - fonts.enableDefaultPackages = mkDefault true; - hardware.opengl.enable = mkDefault true; + fonts.enableDefaultPackages = lib.mkDefault true; + hardware.opengl.enable = lib.mkDefault true; programs = { - dconf.enable = mkDefault true; - xwayland.enable = mkDefault cfg.xwayland.enable; + dconf.enable = lib.mkDefault true; + xwayland.enable = lib.mkDefault cfg.xwayland.enable; }; security.polkit.enable = true; @@ -78,37 +69,28 @@ in services.displayManager.sessionPackages = [ cfg.finalPackage ]; xdg.portal = { - enable = mkDefault true; + enable = lib.mkDefault true; extraPortals = [ finalPortalPackage ]; - configPackages = mkDefault [ cfg.finalPackage ]; - }; - - environment.sessionVariables = mkIf cfg.envVars.enable { - XDG_CURRENT_DESKTOP = "Hyprland"; - XDG_SESSION_DESKTOP = "Hyprland"; - XDG_SESSION_TYPE = "wayland"; - GDK_BACKEND = "wayland,x11"; - QT_QPA_PLATFORM = "wayland;xcb"; - _JAVA_AWT_WM_NONREPARENTING = "1"; # Fix for Java applications on tiling window managers + configPackages = lib.mkDefault [ cfg.finalPackage ]; }; - systemd = mkIf cfg.systemd.setPath.enable { + systemd = lib.mkIf cfg.systemd.setPath.enable { user.extraConfig = '' DefaultEnvironment="PATH=$PATH:/run/current-system/sw/bin:/etc/profiles/per-user/%u/bin:/run/wrappers/bin" ''; }; }; - imports = with lib; [ - (mkRemovedOptionModule + imports = [ + (lib.mkRemovedOptionModule [ "programs" "hyprland" "xwayland" "hidpi" ] "XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland" ) - (mkRemovedOptionModule + (lib.mkRemovedOptionModule [ "programs" "hyprland" "enableNvidiaPatches" ] "Nvidia patches are no longer needed" ) - (mkRemovedOptionModule + (lib.mkRemovedOptionModule [ "programs" "hyprland" "nvidiaPatches" ] "Nvidia patches are no longer needed" ) diff --git a/nixpkgs/nixos/modules/programs/wayland/river.nix b/nixpkgs/nixos/modules/programs/wayland/river.nix index d0e309646b0e..6f8bafb15506 100644 --- a/nixpkgs/nixos/modules/programs/wayland/river.nix +++ b/nixpkgs/nixos/modules/programs/wayland/river.nix @@ -4,13 +4,13 @@ lib, ... }: -with lib; let +let cfg = config.programs.river; in { options.programs.river = { - enable = mkEnableOption "river, a dynamic tiling Wayland compositor"; + enable = lib.mkEnableOption "river, a dynamic tiling Wayland compositor"; - package = mkPackageOption pkgs "river" { + package = lib.mkPackageOption pkgs "river" { nullable = true; extraDescription = '' Set to `null` to not add any River package to your path. @@ -18,17 +18,17 @@ in { ''; }; - extraPackages = mkOption { - type = with types; listOf package; + extraPackages = lib.mkOption { + type = with lib.types; listOf package; default = with pkgs; [ swaylock foot dmenu ]; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' with pkgs; [ swaylock foot dmenu ]; ''; - example = literalExpression '' + example = lib.literalExpression '' with pkgs; [ termite rofi light ] @@ -42,15 +42,15 @@ in { }; config = - mkIf cfg.enable (mkMerge [ + lib.mkIf cfg.enable (lib.mkMerge [ { - environment.systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; + environment.systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages; # To make a river session available if a display manager like SDDM is enabled: - services.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; + services.displayManager.sessionPackages = lib.optionals (cfg.package != null) [ cfg.package ]; # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913 - xdg.portal.config.river.default = mkDefault [ "wlr" "gtk" ]; + xdg.portal.config.river.default = lib.mkDefault [ "wlr" "gtk" ]; } (import ./wayland-session.nix { inherit lib pkgs; }) ]); diff --git a/nixpkgs/nixos/modules/programs/wayland/sway.nix b/nixpkgs/nixos/modules/programs/wayland/sway.nix index 348e1db7cdc1..cec634b6b033 100644 --- a/nixpkgs/nixos/modules/programs/wayland/sway.nix +++ b/nixpkgs/nixos/modules/programs/wayland/sway.nix @@ -1,15 +1,13 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.sway; - wrapperOptions = types.submodule { + wrapperOptions = lib.types.submodule { options = let - mkWrapperFeature = default: description: mkOption { - type = types.bool; + mkWrapperFeature = default: description: lib.mkOption { + type = lib.types.bool; inherit default; example = !default; description = "Whether to make use of the ${description}"; @@ -50,18 +48,18 @@ let }; in { options.programs.sway = { - enable = mkEnableOption '' + enable = lib.mkEnableOption '' Sway, the i3-compatible tiling Wayland compositor. You can manually launch Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to ~/.config/sway/config to modify the default configuration. See <https://github.com/swaywm/sway/wiki> and "man 5 sway" for more information''; - package = mkOption { - type = with types; nullOr package; + package = lib.mkOption { + type = with lib.types; nullOr package; default = pkgs.sway; apply = p: if p == null then null else genFinalPackage p; - defaultText = literalExpression "pkgs.sway"; + defaultText = lib.literalExpression "pkgs.sway"; description = '' Sway package to use. If the package does not contain the override arguments `extraSessionCommands`, `extraOptions`, `withBaseWrapper`, `withGtkWrapper`, @@ -72,7 +70,7 @@ in { ''; }; - wrapperFeatures = mkOption { + wrapperFeatures = lib.mkOption { type = wrapperOptions; default = { }; example = { gtk = true; }; @@ -81,8 +79,8 @@ in { ''; }; - extraSessionCommands = mkOption { - type = types.lines; + extraSessionCommands = lib.mkOption { + type = lib.types.lines; default = ""; example = '' # SDL: @@ -102,8 +100,8 @@ in { ''; }; - extraOptions = mkOption { - type = types.listOf types.str; + extraOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = []; example = [ "--verbose" @@ -116,15 +114,15 @@ in { ''; }; - extraPackages = mkOption { - type = with types; listOf package; + extraPackages = lib.mkOption { + type = with lib.types; listOf package; default = with pkgs; [ swaylock swayidle foot dmenu wmenu ]; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' with pkgs; [ swaylock swayidle foot dmenu wmenu ]; ''; - example = literalExpression '' + example = lib.literalExpression '' with pkgs; [ i3status i3status-rust termite rofi light @@ -140,8 +138,8 @@ in { }; - config = mkIf cfg.enable - (mkMerge [ + config = lib.mkIf cfg.enable + (lib.mkMerge [ { assertions = [ { @@ -154,27 +152,27 @@ in { ]; environment = { - systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; + systemPackages = lib.optional (cfg.package != null) cfg.package ++ cfg.extraPackages; # Needed for the default wallpaper: - pathsToLink = optionals (cfg.package != null) [ "/share/backgrounds/sway" ]; + pathsToLink = lib.optionals (cfg.package != null) [ "/share/backgrounds/sway" ]; etc = { "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" '' # Import the most important environment variables into the D-Bus and systemd # user environments (e.g. required for screen sharing and Pinentry prompts): exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP ''; - } // optionalAttrs (cfg.package != null) { - "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; + } // lib.optionalAttrs (cfg.package != null) { + "sway/config".source = lib.mkOptionDefault "${cfg.package}/etc/sway/config"; }; }; programs.gnupg.agent.pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3; # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050913 - xdg.portal.config.sway.default = mkDefault [ "wlr" "gtk" ]; + xdg.portal.config.sway.default = lib.mkDefault [ "wlr" "gtk" ]; # To make a Sway session available if a display manager like SDDM is enabled: - services.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; } + services.displayManager.sessionPackages = lib.optionals (cfg.package != null) [ cfg.package ]; } (import ./wayland-session.nix { inherit lib pkgs; }) ]); diff --git a/nixpkgs/nixos/modules/programs/wayland/waybar.nix b/nixpkgs/nixos/modules/programs/wayland/waybar.nix index ffe889504cd3..ab811994be07 100644 --- a/nixpkgs/nixos/modules/programs/wayland/waybar.nix +++ b/nixpkgs/nixos/modules/programs/wayland/waybar.nix @@ -1,17 +1,15 @@ { lib, pkgs, config, ... }: -with lib; - let cfg = config.programs.waybar; in { options.programs.waybar = { - enable = mkEnableOption "waybar, a highly customizable Wayland bar for Sway and Wlroots based compositors"; - package = mkPackageOption pkgs "waybar" { }; + enable = lib.mkEnableOption "waybar, a highly customizable Wayland bar for Sway and Wlroots based compositors"; + package = lib.mkPackageOption pkgs "waybar" { }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; systemd.user.services.waybar = { description = "Waybar as systemd service"; @@ -21,5 +19,5 @@ in }; }; - meta.maintainers = [ maintainers.FlorianFranzen ]; + meta.maintainers = [ lib.maintainers.FlorianFranzen ]; } diff --git a/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix b/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix index da117ceae0ad..47ee0788e0f3 100644 --- a/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix +++ b/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix @@ -1,19 +1,19 @@ -{ lib, pkgs, ... }: with lib; { +{ lib, pkgs, ... }: { security = { polkit.enable = true; pam.services.swaylock = {}; }; - hardware.opengl.enable = mkDefault true; - fonts.enableDefaultPackages = mkDefault true; + hardware.opengl.enable = lib.mkDefault true; + fonts.enableDefaultPackages = lib.mkDefault true; programs = { - dconf.enable = mkDefault true; - xwayland.enable = mkDefault true; + dconf.enable = lib.mkDefault true; + xwayland.enable = lib.mkDefault true; }; xdg.portal = { - enable = mkDefault true; + enable = lib.mkDefault true; extraPortals = [ # For screen sharing diff --git a/nixpkgs/nixos/modules/programs/weylus.nix b/nixpkgs/nixos/modules/programs/weylus.nix index a47dccb95cd9..d76e2f81b2c9 100644 --- a/nixpkgs/nixos/modules/programs/weylus.nix +++ b/nixpkgs/nixos/modules/programs/weylus.nix @@ -1,15 +1,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.weylus; in { - options.programs.weylus = with types; { - enable = mkEnableOption "weylus, which turns your smart phone into a graphic tablet/touch screen for your computer"; + options.programs.weylus = with lib.types; { + enable = lib.mkEnableOption "weylus, which turns your smart phone into a graphic tablet/touch screen for your computer"; - openFirewall = mkOption { + openFirewall = lib.mkOption { type = bool; default = false; description = '' @@ -17,7 +15,7 @@ in ''; }; - users = mkOption { + users = lib.mkOption { type = listOf str; default = [ ]; description = '' @@ -26,10 +24,10 @@ in ''; }; - package = mkPackageOption pkgs "weylus" { }; + package = lib.mkPackageOption pkgs "weylus" { }; }; - config = mkIf cfg.enable { - networking.firewall = mkIf cfg.openFirewall { + config = lib.mkIf cfg.enable { + networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ 1701 9001 ]; }; diff --git a/nixpkgs/nixos/modules/programs/wireshark.nix b/nixpkgs/nixos/modules/programs/wireshark.nix index 2d947154e822..f5673e5940fe 100644 --- a/nixpkgs/nixos/modules/programs/wireshark.nix +++ b/nixpkgs/nixos/modules/programs/wireshark.nix @@ -1,28 +1,26 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.wireshark; wireshark = cfg.package; in { options = { programs.wireshark = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Whether to add Wireshark to the global environment and configure a setcap wrapper for 'dumpcap' for users in the 'wireshark' group. ''; }; - package = mkPackageOption pkgs "wireshark-cli" { + package = lib.mkPackageOption pkgs "wireshark-cli" { example = "wireshark"; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ wireshark ]; users.groups.wireshark = {}; diff --git a/nixpkgs/nixos/modules/programs/xastir.nix b/nixpkgs/nixos/modules/programs/xastir.nix index d9c687289ec2..96201eb5455d 100644 --- a/nixpkgs/nixos/modules/programs/xastir.nix +++ b/nixpkgs/nixos/modules/programs/xastir.nix @@ -1,17 +1,15 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xastir; in { - meta.maintainers = with maintainers; [ melling ]; + meta.maintainers = with lib.maintainers; [ melling ]; options.programs.xastir = { - enable = mkEnableOption "Xastir Graphical APRS client"; + enable = lib.mkEnableOption "Xastir Graphical APRS client"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ xastir ]; security.wrappers.xastir = { source = "${pkgs.xastir}/bin/xastir"; diff --git a/nixpkgs/nixos/modules/programs/xfconf.nix b/nixpkgs/nixos/modules/programs/xfconf.nix index 8e854b40e513..f2fda3b692d3 100644 --- a/nixpkgs/nixos/modules/programs/xfconf.nix +++ b/nixpkgs/nixos/modules/programs/xfconf.nix @@ -1,21 +1,19 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xfconf; in { meta = { - maintainers = teams.xfce.members; + maintainers = lib.teams.xfce.members; }; options = { programs.xfconf = { - enable = mkEnableOption "Xfconf, the Xfce configuration storage system"; + enable = lib.mkEnableOption "Xfconf, the Xfce configuration storage system"; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.xfce.xfconf ]; diff --git a/nixpkgs/nixos/modules/programs/xfs_quota.nix b/nixpkgs/nixos/modules/programs/xfs_quota.nix index 8f70cc2d9416..5ca05f4dc297 100644 --- a/nixpkgs/nixos/modules/programs/xfs_quota.nix +++ b/nixpkgs/nixos/modules/programs/xfs_quota.nix @@ -2,15 +2,13 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xfs_quota; - limitOptions = opts: concatStringsSep " " [ - (optionalString (opts.sizeSoftLimit != null) "bsoft=${opts.sizeSoftLimit}") - (optionalString (opts.sizeHardLimit != null) "bhard=${opts.sizeHardLimit}") + limitOptions = opts: builtins.concatStringsSep " " [ + (lib.optionalString (opts.sizeSoftLimit != null) "bsoft=${opts.sizeSoftLimit}") + (lib.optionalString (opts.sizeHardLimit != null) "bhard=${opts.sizeHardLimit}") ]; in @@ -22,35 +20,35 @@ in options = { programs.xfs_quota = { - projects = mkOption { + projects = lib.mkOption { default = {}; - type = types.attrsOf (types.submodule { + type = lib.types.attrsOf (lib.types.submodule { options = { - id = mkOption { - type = types.int; + id = lib.mkOption { + type = lib.types.int; description = "Project ID."; }; - fileSystem = mkOption { - type = types.str; + fileSystem = lib.mkOption { + type = lib.types.str; description = "XFS filesystem hosting the xfs_quota project."; default = "/"; }; - path = mkOption { - type = types.str; + path = lib.mkOption { + type = lib.types.str; description = "Project directory."; }; - sizeSoftLimit = mkOption { - type = types.nullOr types.str; + sizeSoftLimit = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; example = "30g"; description = "Soft limit of the project size"; }; - sizeHardLimit = mkOption { - type = types.nullOr types.str; + sizeHardLimit = lib.mkOption { + type = lib.types.nullOr lib.types.str; default = null; example = "50g"; description = "Hard limit of the project size."; @@ -75,18 +73,18 @@ in ###### implementation - config = mkIf (cfg.projects != {}) { + config = lib.mkIf (cfg.projects != {}) { environment.etc.projects.source = pkgs.writeText "etc-project" - (concatStringsSep "\n" (mapAttrsToList - (name: opts: "${toString opts.id}:${opts.path}") cfg.projects)); + (builtins.concatStringsSep "\n" (lib.mapAttrsToList + (name: opts: "${builtins.toString opts.id}:${opts.path}") cfg.projects)); environment.etc.projid.source = pkgs.writeText "etc-projid" - (concatStringsSep "\n" (mapAttrsToList - (name: opts: "${name}:${toString opts.id}") cfg.projects)); + (builtins.concatStringsSep "\n" (lib.mapAttrsToList + (name: opts: "${name}:${builtins.toString opts.id}") cfg.projects)); - systemd.services = mapAttrs' (name: opts: - nameValuePair "xfs_quota-${name}" { + systemd.services = lib.mapAttrs' (name: opts: + lib.nameValuePair "xfs_quota-${name}" { description = "Setup xfs_quota for project ${name}"; script = '' ${pkgs.xfsprogs.bin}/bin/xfs_quota -x -c 'project -s ${name}' ${opts.fileSystem} @@ -94,7 +92,7 @@ in ''; wantedBy = [ "multi-user.target" ]; - after = [ ((replaceStrings [ "/" ] [ "-" ] opts.fileSystem) + ".mount") ]; + after = [ ((builtins.replaceStrings [ "/" ] [ "-" ] opts.fileSystem) + ".mount") ]; restartTriggers = [ config.environment.etc.projects.source ]; diff --git a/nixpkgs/nixos/modules/programs/xonsh.nix b/nixpkgs/nixos/modules/programs/xonsh.nix index fefe6b456c96..eed5152ba69a 100644 --- a/nixpkgs/nixos/modules/programs/xonsh.nix +++ b/nixpkgs/nixos/modules/programs/xonsh.nix @@ -2,8 +2,6 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xonsh; @@ -16,29 +14,29 @@ in programs.xonsh = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to configure xonsh as an interactive shell. ''; - type = types.bool; + type = lib.types.bool; }; - package = mkPackageOption pkgs "xonsh" { + package = lib.mkPackageOption pkgs "xonsh" { example = "xonsh.override { extraPackages = ps: [ ps.requests ]; }"; }; - config = mkOption { + config = lib.mkOption { default = ""; description = "Control file to customize your shell behavior."; - type = types.lines; + type = lib.types.lines; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.etc."xonsh/xonshrc".text = '' # /etc/xonsh/xonshrc: DO NOT EDIT -- this file has been generated automatically. diff --git a/nixpkgs/nixos/modules/programs/xss-lock.nix b/nixpkgs/nixos/modules/programs/xss-lock.nix index 1bb73905599f..b818c52e1442 100644 --- a/nixpkgs/nixos/modules/programs/xss-lock.nix +++ b/nixpkgs/nixos/modules/programs/xss-lock.nix @@ -1,26 +1,24 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.xss-lock; in { options.programs.xss-lock = { - enable = mkEnableOption "xss-lock"; + enable = lib.mkEnableOption "xss-lock"; - lockerCommand = mkOption { + lockerCommand = lib.mkOption { default = "${pkgs.i3lock}/bin/i3lock"; - defaultText = literalExpression ''"''${pkgs.i3lock}/bin/i3lock"''; - example = literalExpression ''"''${pkgs.i3lock-fancy}/bin/i3lock-fancy"''; - type = types.separatedString " "; + defaultText = lib.literalExpression ''"''${pkgs.i3lock}/bin/i3lock"''; + example = lib.literalExpression ''"''${pkgs.i3lock-fancy}/bin/i3lock-fancy"''; + type = lib.types.separatedString " "; description = "Locker to be used with xsslock"; }; - extraOptions = mkOption { + extraOptions = lib.mkOption { default = [ ]; example = [ "--ignore-sleep" ]; - type = types.listOf types.str; + type = lib.types.listOf lib.types.str; description = '' Additional command-line arguments to pass to {command}`xss-lock`. @@ -28,19 +26,24 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.user.services.xss-lock = { description = "XSS Lock Daemon"; wantedBy = [ "graphical-session.target" ]; partOf = [ "graphical-session.target" ]; - serviceConfig.ExecStart = with lib; - strings.concatStringsSep " " ([ + serviceConfig.ExecStart = + builtins.concatStringsSep " " ([ "${pkgs.xss-lock}/bin/xss-lock" "--session \${XDG_SESSION_ID}" - ] ++ (map escapeShellArg cfg.extraOptions) ++ [ + ] ++ (builtins.map lib.escapeShellArg cfg.extraOptions) ++ [ "--" cfg.lockerCommand ]); serviceConfig.Restart = "always"; }; + + warnings = lib.mkIf (config.services.xserver.displayManager.startx.enable) [ + "xss-lock service only works if a displayManager is set; it doesn't work when services.xserver.displayManager.startx.enable = true" + ]; + }; } diff --git a/nixpkgs/nixos/modules/programs/xwayland.nix b/nixpkgs/nixos/modules/programs/xwayland.nix index 3a8080fa4c4d..3df3dbf3783f 100644 --- a/nixpkgs/nixos/modules/programs/xwayland.nix +++ b/nixpkgs/nixos/modules/programs/xwayland.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.xwayland; @@ -10,13 +8,13 @@ in { options.programs.xwayland = { - enable = mkEnableOption "Xwayland (an X server for interfacing X11 apps with the Wayland protocol)"; + enable = lib.mkEnableOption "Xwayland (an X server for interfacing X11 apps with the Wayland protocol)"; - defaultFontPath = mkOption { - type = types.str; - default = optionalString config.fonts.fontDir.enable + defaultFontPath = lib.mkOption { + type = lib.types.str; + default = lib.optionalString config.fonts.fontDir.enable "/run/current-system/sw/share/X11/fonts"; - defaultText = literalExpression '' + defaultText = lib.literalExpression '' optionalString config.fonts.fontDir.enable "/run/current-system/sw/share/X11/fonts" ''; description = '' @@ -24,12 +22,12 @@ in ''; }; - package = mkOption { - type = types.path; + package = lib.mkOption { + type = lib.types.path; default = pkgs.xwayland.override (oldArgs: { inherit (cfg) defaultFontPath; }); - defaultText = literalExpression '' + defaultText = lib.literalExpression '' pkgs.xwayland.override (oldArgs: { inherit (config.programs.xwayland) defaultFontPath; }) @@ -39,7 +37,7 @@ in }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { # Needed by some applications for fonts and default settings environment.pathsToLink = [ "/share/X11" ]; diff --git a/nixpkgs/nixos/modules/programs/yabar.nix b/nixpkgs/nixos/modules/programs/yabar.nix index 6e117506a2dc..0457f8e76655 100644 --- a/nixpkgs/nixos/modules/programs/yabar.nix +++ b/nixpkgs/nixos/modules/programs/yabar.nix @@ -1,18 +1,16 @@ { lib, pkgs, config, ... }: -with lib; - let cfg = config.programs.yabar; - mapExtra = v: lib.concatStringsSep "\n" (mapAttrsToList ( - key: val: "${key} = ${if (isString val) then "\"${val}\"" else "${builtins.toString val}"};" + mapExtra = v: lib.concatStringsSep "\n" (lib.mapAttrsToList ( + key: val: "${key} = ${if (builtins.isString val) then "\"${val}\"" else "${builtins.toString val}"};" ) v); - listKeys = r: concatStringsSep "," (map (n: "\"${n}\"") (attrNames r)); + listKeys = r: builtins.concatStringsSep "," (builtins.map (n: "\"${n}\"") (builtins.attrNames r)); configFile = let - bars = mapAttrsToList ( + bars = lib.mapAttrsToList ( name: cfg: '' ${name}: { font: "${cfg.font}"; @@ -22,7 +20,7 @@ let block-list: [${listKeys cfg.indicators}] - ${concatStringsSep "\n" (mapAttrsToList ( + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList ( name: cfg: '' ${name}: { exec: "${cfg.exec}"; @@ -36,21 +34,21 @@ let ) cfg.bars; in pkgs.writeText "yabar.conf" '' bar-list = [${listKeys cfg.bars}]; - ${concatStringsSep "\n" bars} + ${builtins.concatStringsSep "\n" bars} ''; in { options.programs.yabar = { - enable = mkEnableOption "yabar, a status bar for X window managers"; + enable = lib.mkEnableOption "yabar, a status bar for X window managers"; - package = mkOption { + package = lib.mkOption { default = pkgs.yabar-unstable; - defaultText = literalExpression "pkgs.yabar-unstable"; - example = literalExpression "pkgs.yabar"; - type = types.package; + defaultText = lib.literalExpression "pkgs.yabar-unstable"; + example = lib.literalExpression "pkgs.yabar"; + type = lib.types.package; # `yabar-stable` segfaults under certain conditions. - apply = x: if x == pkgs.yabar-unstable then x else flip warn x '' + apply = x: if x == pkgs.yabar-unstable then x else lib.flip lib.warn x '' It's not recommended to use `yabar' with `programs.yabar', the (old) stable release tends to segfault under certain circumstances: @@ -70,63 +68,63 @@ in ''; }; - bars = mkOption { + bars = lib.mkOption { default = {}; - type = types.attrsOf(types.submodule { + type = lib.types.attrsOf(lib.types.submodule { options = { - font = mkOption { + font = lib.mkOption { default = "sans bold 9"; example = "Droid Sans, FontAwesome Bold 9"; - type = types.str; + type = lib.types.str; description = '' The font that will be used to draw the status bar. ''; }; - position = mkOption { + position = lib.mkOption { default = "top"; example = "bottom"; - type = types.enum [ "top" "bottom" ]; + type = lib.types.enum [ "top" "bottom" ]; description = '' The position where the bar will be rendered. ''; }; - extra = mkOption { + extra = lib.mkOption { default = {}; - type = types.attrsOf types.str; + type = lib.types.attrsOf lib.types.str; description = '' An attribute set which contains further attributes of a bar. ''; }; - indicators = mkOption { + indicators = lib.mkOption { default = {}; - type = types.attrsOf(types.submodule { - options.exec = mkOption { + type = lib.types.attrsOf(lib.types.submodule { + options.exec = lib.mkOption { example = "YABAR_DATE"; - type = types.str; + type = lib.types.str; description = '' The type of the indicator to be executed. ''; }; - options.align = mkOption { + options.align = lib.mkOption { default = "left"; example = "right"; - type = types.enum [ "left" "center" "right" ]; + type = lib.types.enum [ "left" "center" "right" ]; description = '' Whether to align the indicator at the left or right of the bar. ''; }; - options.extra = mkOption { + options.extra = lib.mkOption { default = {}; - type = types.attrsOf (types.either types.str types.int); + type = lib.types.attrsOf (lib.types.either lib.types.str lib.types.int); description = '' An attribute set which contains further attributes of a indicator. @@ -147,7 +145,7 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { systemd.user.services.yabar = { description = "yabar service"; wantedBy = [ "graphical-session.target" ]; diff --git a/nixpkgs/nixos/modules/programs/yazi.nix b/nixpkgs/nixos/modules/programs/yazi.nix index 5905f2afb946..d9f38d8d8118 100644 --- a/nixpkgs/nixos/modules/programs/yazi.nix +++ b/nixpkgs/nixos/modules/programs/yazi.nix @@ -5,7 +5,7 @@ let settingsFormat = pkgs.formats.toml { }; - names = [ "yazi" "theme" "keymap" ]; + files = [ "yazi" "theme" "keymap" ]; in { options.programs.yazi = { @@ -15,7 +15,7 @@ in settings = lib.mkOption { type = with lib.types; submodule { - options = lib.listToAttrs (map + options = (lib.listToAttrs (map (name: lib.nameValuePair name (lib.mkOption { inherit (settingsFormat) type; default = { }; @@ -25,26 +25,65 @@ in See https://yazi-rs.github.io/docs/configuration/${name}/ for documentation. ''; })) - names); + files)); }; default = { }; description = '' Configuration included in `$YAZI_CONFIG_HOME`. ''; }; + + initLua = lib.mkOption { + type = with lib.types; nullOr path; + default = null; + description = '' + The init.lua for Yazi itself. + ''; + example = lib.literalExpression "./init.lua"; + }; + + plugins = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ path package ]); + default = { }; + description = '' + Lua plugins. + + See https://yazi-rs.github.io/docs/plugins/overview/ for documentation. + ''; + example = lib.literalExpression '' + { + foo = ./foo; + bar = pkgs.bar; + } + ''; + }; + + flavors = lib.mkOption { + type = with lib.types; attrsOf (oneOf [ path package ]); + default = { }; + description = '' + Pre-made themes. + + See https://yazi-rs.github.io/docs/flavors/overview/ for documentation. + ''; + example = lib.literalExpression '' + { + foo = ./foo; + bar = pkgs.bar; + } + ''; + }; + }; config = lib.mkIf cfg.enable { - environment = { - systemPackages = [ cfg.package ]; - variables.YAZI_CONFIG_HOME = "/etc/yazi/"; - etc = lib.attrsets.mergeAttrsList (map - (name: lib.optionalAttrs (cfg.settings.${name} != { }) { - "yazi/${name}.toml".source = settingsFormat.generate "${name}.toml" cfg.settings.${name}; - }) - names); - }; + environment.systemPackages = [ + (cfg.package.override { + inherit (cfg) settings initLua plugins flavors; + }) + ]; }; + meta = { maintainers = with lib.maintainers; [ linsui ]; }; diff --git a/nixpkgs/nixos/modules/programs/ydotool.nix b/nixpkgs/nixos/modules/programs/ydotool.nix new file mode 100644 index 000000000000..f639e9283de4 --- /dev/null +++ b/nixpkgs/nixos/modules/programs/ydotool.nix @@ -0,0 +1,83 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.programs.ydotool; +in +{ + meta = { + maintainers = with lib.maintainers; [ quantenzitrone ]; + }; + + options.programs.ydotool = { + enable = lib.mkEnableOption '' + ydotoold system service and install ydotool. + Add yourself to the 'ydotool' group to be able to use it. + ''; + }; + + config = lib.mkIf cfg.enable { + users.groups.ydotool = { }; + + systemd.services.ydotoold = { + description = "ydotoold - backend for ydotool"; + wantedBy = [ "multi-user.target" ]; + partOf = [ "multi-user.target" ]; + serviceConfig = { + Group = "ydotool"; + RuntimeDirectory = "ydotoold"; + RuntimeDirectoryMode = "0750"; + ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660"; + + # hardening + + ## allow access to uinput + DeviceAllow = [ "/dev/uinput" ]; + DevicePolicy = "closed"; + + ## allow creation of unix sockets + RestrictAddressFamilies = [ "AF_UNIX" ]; + + CapabilityBoundingSet = ""; + IPAddressDeny = "any"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateNetwork = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ProtectUser = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; + + # -> systemd-analyze security score 0.7 SAFE 😀 + }; + }; + + environment.variables = { + YDOTOOL_SOCKET = "/run/ydotoold/socket"; + }; + environment.systemPackages = with pkgs; [ ydotool ]; + }; +} diff --git a/nixpkgs/nixos/modules/programs/zmap.nix b/nixpkgs/nixos/modules/programs/zmap.nix index 827d9bedca13..4f31d42c4add 100644 --- a/nixpkgs/nixos/modules/programs/zmap.nix +++ b/nixpkgs/nixos/modules/programs/zmap.nix @@ -1,15 +1,13 @@ { pkgs, config, lib, ... }: -with lib; - let cfg = config.programs.zmap; in { options.programs.zmap = { - enable = mkEnableOption "ZMap, a network scanner designed for Internet-wide network surveys"; + enable = lib.mkEnableOption "ZMap, a network scanner designed for Internet-wide network surveys"; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { environment.systemPackages = [ pkgs.zmap ]; environment.etc."zmap/blacklist.conf".source = "${pkgs.zmap}/etc/zmap/blacklist.conf"; diff --git a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix index f2a5a7560e40..2120cf1af07e 100644 --- a/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix +++ b/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix @@ -1,7 +1,5 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.zsh.ohMyZsh; @@ -20,7 +18,7 @@ let custom = if cfg.custom != null then cfg.custom - else if length cfg.customPkgs == 0 then null + else if builtins.length cfg.customPkgs == 0 then null else pkgs.linkFarm "oh-my-zsh-custom" [ (mkLinkFarmEntry' "themes") (mkLinkFarmEntry "completions" "site-functions") @@ -30,60 +28,60 @@ let in { imports = [ - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) - (mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "enable" ] [ "programs" "zsh" "ohMyZsh" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "theme" ] [ "programs" "zsh" "ohMyZsh" "theme" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "custom" ] [ "programs" "zsh" "ohMyZsh" "custom" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "oh-my-zsh" "plugins" ] [ "programs" "zsh" "ohMyZsh" "plugins" ]) ]; options = { programs.zsh.ohMyZsh = { - enable = mkOption { - type = types.bool; + enable = lib.mkOption { + type = lib.types.bool; default = false; description = '' Enable oh-my-zsh. ''; }; - package = mkPackageOption pkgs "oh-my-zsh" { }; + package = lib.mkPackageOption pkgs "oh-my-zsh" { }; - plugins = mkOption { + plugins = lib.mkOption { default = []; - type = types.listOf(types.str); + type = lib.types.listOf(lib.types.str); description = '' List of oh-my-zsh plugins ''; }; - custom = mkOption { + custom = lib.mkOption { default = null; - type = with types; nullOr str; + type = with lib.types; nullOr str; description = '' Path to a custom oh-my-zsh package to override config of oh-my-zsh. (Can't be used along with `customPkgs`). ''; }; - customPkgs = mkOption { + customPkgs = lib.mkOption { default = []; - type = types.listOf types.package; + type = lib.types.listOf lib.types.package; description = '' List of custom packages that should be loaded into `oh-my-zsh`. ''; }; - theme = mkOption { + theme = lib.mkOption { default = ""; - type = types.str; + type = lib.types.str; description = '' Name of the theme to be used by oh-my-zsh. ''; }; - cacheDir = mkOption { + cacheDir = lib.mkOption { default = "$HOME/.cache/oh-my-zsh"; - type = types.str; + type = lib.types.str; description = '' Cache directory to be used by `oh-my-zsh`. Without this option it would default to the read-only nix store. @@ -92,10 +90,10 @@ in }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { # Prevent zsh from overwriting oh-my-zsh's prompt - programs.zsh.promptInit = mkDefault ""; + programs.zsh.promptInit = lib.mkDefault ""; environment.systemPackages = [ cfg.package ]; @@ -103,19 +101,19 @@ in # oh-my-zsh configuration generated by NixOS export ZSH=${cfg.package}/share/oh-my-zsh - ${optionalString (length(cfg.plugins) > 0) - "plugins=(${concatStringsSep " " cfg.plugins})" + ${lib.optionalString (builtins.length(cfg.plugins) > 0) + "plugins=(${builtins.concatStringsSep " " cfg.plugins})" } - ${optionalString (custom != null) + ${lib.optionalString (custom != null) "ZSH_CUSTOM=\"${custom}\"" } - ${optionalString (stringLength(cfg.theme) > 0) + ${lib.optionalString (builtins.stringLength(cfg.theme) > 0) "ZSH_THEME=\"${cfg.theme}\"" } - ${optionalString (cfg.cacheDir != null) '' + ${lib.optionalString (cfg.cacheDir != null) '' if [[ ! -d "${cfg.cacheDir}" ]]; then mkdir -p "${cfg.cacheDir}" fi diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix index f07fb5c24d7b..8e0c19f1afea 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix @@ -1,18 +1,16 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.zsh.zsh-autoenv; in { options = { programs.zsh.zsh-autoenv = { - enable = mkEnableOption "zsh-autoenv"; - package = mkPackageOption pkgs "zsh-autoenv" { }; + enable = lib.mkEnableOption "zsh-autoenv"; + package = lib.mkPackageOption pkgs "zsh-autoenv" { }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.zsh.interactiveShellInit = '' source ${cfg.package}/share/zsh-autoenv/autoenv.zsh ''; diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix index 2e53e907d547..e046c2102500 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix @@ -1,28 +1,26 @@ { config, pkgs, lib, ... }: -with lib; - let cfg = config.programs.zsh.autosuggestions; in { imports = [ - (mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "enableAutosuggestions" ] [ "programs" "zsh" "autosuggestions" "enable" ]) ]; options.programs.zsh.autosuggestions = { - enable = mkEnableOption "zsh-autosuggestions"; + enable = lib.mkEnableOption "zsh-autosuggestions"; - highlightStyle = mkOption { - type = types.str; + highlightStyle = lib.mkOption { + type = lib.types.str; default = "fg=8"; # https://github.com/zsh-users/zsh-autosuggestions/tree/v0.4.3#suggestion-highlight-style description = "Highlight style for suggestions ({fore,back}ground color)"; example = "fg=cyan"; }; - strategy = mkOption { - type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]); + strategy = lib.mkOption { + type = lib.types.listOf (lib.types.enum [ "history" "completion" "match_prev_cmd" ]); default = [ "history" ]; description = '' `ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated. @@ -37,18 +35,18 @@ in ''; }; - async = mkOption { - type = types.bool; + async = lib.mkOption { + type = lib.types.bool; default = true; description = "Whether to fetch suggestions asynchronously"; example = false; }; - extraConfig = mkOption { - type = with types; attrsOf str; + extraConfig = lib.mkOption { + type = lib.types.attrsOf lib.types.str; default = {}; description = "Attribute set with additional configuration values"; - example = literalExpression '' + example = lib.literalExpression '' { "ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE" = "20"; } @@ -57,16 +55,16 @@ in }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { programs.zsh.interactiveShellInit = '' source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="${cfg.highlightStyle}" - export ZSH_AUTOSUGGEST_STRATEGY=(${concatStringsSep " " cfg.strategy}) - ${optionalString (!cfg.async) "unset ZSH_AUTOSUGGEST_USE_ASYNC"} + export ZSH_AUTOSUGGEST_STRATEGY=(${builtins.concatStringsSep " " cfg.strategy}) + ${lib.optionalString (!cfg.async) "unset ZSH_AUTOSUGGEST_USE_ASYNC"} - ${concatStringsSep "\n" (mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)} + ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)} ''; }; diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix index 46bc4fcb87f4..3f70c14048c7 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix @@ -1,27 +1,25 @@ { config, lib, pkgs, ... }: -with lib; - let cfg = config.programs.zsh.syntaxHighlighting; in { imports = [ - (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) - (mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "enable" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "highlighters" ] [ "programs" "zsh" "syntaxHighlighting" "highlighters" ]) + (lib.mkRenamedOptionModule [ "programs" "zsh" "syntax-highlighting" "patterns" ] [ "programs" "zsh" "syntaxHighlighting" "patterns" ]) ]; options = { programs.zsh.syntaxHighlighting = { - enable = mkEnableOption "zsh-syntax-highlighting"; + enable = lib.mkEnableOption "zsh-syntax-highlighting"; - highlighters = mkOption { + highlighters = lib.mkOption { default = [ "main" ]; # https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md - type = types.listOf(types.enum([ + type = lib.types.listOf(lib.types.enum([ "main" "brackets" "pattern" @@ -39,11 +37,11 @@ in ''; }; - patterns = mkOption { + patterns = lib.mkOption { default = {}; - type = types.attrsOf types.str; + type = lib.types.attrsOf lib.types.str; - example = literalExpression '' + example = lib.literalExpression '' { "rm -rf *" = "fg=white,bold,bg=red"; } @@ -56,11 +54,11 @@ in https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/pattern.md ''; }; - styles = mkOption { + styles = lib.mkOption { default = {}; - type = types.attrsOf types.str; + type = lib.types.attrsOf lib.types.str; - example = literalExpression '' + example = lib.literalExpression '' { "alias" = "fg=magenta,bold"; } @@ -76,30 +74,30 @@ in }; }; - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ]; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.zsh-syntax-highlighting ]; assertions = [ { - assertion = length(attrNames cfg.patterns) > 0 -> elem "pattern" cfg.highlighters; + assertion = builtins.length(builtins.attrNames cfg.patterns) > 0 -> builtins.elem "pattern" cfg.highlighters; message = '' When highlighting patterns, "pattern" needs to be included in the list of highlighters. ''; } ]; - programs.zsh.interactiveShellInit = with pkgs; + programs.zsh.interactiveShellInit = lib.mkAfter (lib.concatStringsSep "\n" ([ - "source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" - ] ++ optional (length(cfg.highlighters) > 0) - "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})" - ++ optionals (length(attrNames cfg.patterns) > 0) - (mapAttrsToList ( + "source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" + ] ++ lib.optional (builtins.length(cfg.highlighters) > 0) + "ZSH_HIGHLIGHT_HIGHLIGHTERS=(${builtins.concatStringsSep " " cfg.highlighters})" + ++ lib.optionals (builtins.length(builtins.attrNames cfg.patterns) > 0) + (lib.mapAttrsToList ( pattern: design: "ZSH_HIGHLIGHT_PATTERNS+=('${pattern}' '${design}')" ) cfg.patterns) - ++ optionals (length(attrNames cfg.styles) > 0) - (mapAttrsToList ( + ++ lib.optionals (builtins.length(builtins.attrNames cfg.styles) > 0) + (lib.mapAttrsToList ( styles: design: "ZSH_HIGHLIGHT_STYLES[${styles}]='${design}'" ) cfg.styles) diff --git a/nixpkgs/nixos/modules/programs/zsh/zsh.nix b/nixpkgs/nixos/modules/programs/zsh/zsh.nix index d7e300b50136..35d2cf461056 100644 --- a/nixpkgs/nixos/modules/programs/zsh/zsh.nix +++ b/nixpkgs/nixos/modules/programs/zsh/zsh.nix @@ -2,8 +2,6 @@ { config, lib, options, pkgs, ... }: -with lib; - let cfge = config.environment; @@ -11,9 +9,9 @@ let cfg = config.programs.zsh; opt = options.programs.zsh; - zshAliases = concatStringsSep "\n" ( - mapAttrsFlatten (k: v: "alias -- ${k}=${escapeShellArg v}") - (filterAttrs (k: v: v != null) cfg.shellAliases) + zshAliases = builtins.concatStringsSep "\n" ( + lib.mapAttrsFlatten (k: v: "alias -- ${k}=${lib.escapeShellArg v}") + (lib.filterAttrs (k: v: v != null) cfg.shellAliases) ); zshStartupNotes = '' @@ -42,7 +40,7 @@ in programs.zsh = { - enable = mkOption { + enable = lib.mkOption { default = false; description = '' Whether to configure zsh as an interactive shell. To enable zsh for @@ -50,43 +48,43 @@ in option for that user. To enable zsh system-wide use the {option}`users.defaultUserShell` option. ''; - type = types.bool; + type = lib.types.bool; }; - shellAliases = mkOption { + shellAliases = lib.mkOption { default = { }; description = '' Set of aliases for zsh shell, which overrides {option}`environment.shellAliases`. See {option}`environment.shellAliases` for an option format description. ''; - type = with types; attrsOf (nullOr (either str path)); + type = with lib.types; attrsOf (nullOr (either str path)); }; - shellInit = mkOption { + shellInit = lib.mkOption { default = ""; description = '' Shell script code called during zsh shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - loginShellInit = mkOption { + loginShellInit = lib.mkOption { default = ""; description = '' Shell script code called during zsh login shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - interactiveShellInit = mkOption { + interactiveShellInit = lib.mkOption { default = ""; description = '' Shell script code called during interactive zsh shell initialisation. ''; - type = types.lines; + type = lib.types.lines; }; - promptInit = mkOption { + promptInit = lib.mkOption { default = '' # Note that to manually override this in ~/.zshrc you should run `prompt off` # before setting your PS1 and etc. Otherwise this will likely to interact with @@ -97,27 +95,27 @@ in description = '' Shell script code used to initialise the zsh prompt. ''; - type = types.lines; + type = lib.types.lines; }; - histSize = mkOption { + histSize = lib.mkOption { default = 2000; description = '' Change history size. ''; - type = types.int; + type = lib.types.int; }; - histFile = mkOption { + histFile = lib.mkOption { default = "$HOME/.zsh_history"; description = '' Change history file. ''; - type = types.str; + type = lib.types.str; }; - setOptions = mkOption { - type = types.listOf types.str; + setOptions = lib.mkOption { + type = lib.types.listOf lib.types.str; default = [ "HIST_IGNORE_DUPS" "SHARE_HISTORY" @@ -130,25 +128,25 @@ in ''; }; - enableCompletion = mkOption { + enableCompletion = lib.mkOption { default = true; description = '' Enable zsh completion for all interactive zsh shells. ''; - type = types.bool; + type = lib.types.bool; }; - enableBashCompletion = mkOption { + enableBashCompletion = lib.mkOption { default = false; description = '' Enable compatibility with bash's programmable completion system. ''; - type = types.bool; + type = lib.types.bool; }; - enableGlobalCompInit = mkOption { + enableGlobalCompInit = lib.mkOption { default = cfg.enableCompletion; - defaultText = literalExpression "config.${opt.enableCompletion}"; + defaultText = lib.literalExpression "config.${opt.enableCompletion}"; description = '' Enable execution of compinit call for all interactive zsh shells. @@ -156,24 +154,24 @@ in `fpath` and a custom `compinit` call in the local config is required. ''; - type = types.bool; + type = lib.types.bool; }; - enableLsColors = mkOption { + enableLsColors = lib.mkOption { default = true; description = '' Enable extra colors in directory listings (used by `ls` and `tree`). ''; - type = types.bool; + type = lib.types.bool; }; }; }; - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { - programs.zsh.shellAliases = mapAttrs (name: mkDefault) cfge.shellAliases; + programs.zsh.shellAliases = builtins.mapAttrs (name: lib.mkDefault) cfge.shellAliases; environment.etc.zshenv.text = '' @@ -239,9 +237,9 @@ in if [ -n "$__ETC_ZSHRC_SOURCED" -o -n "$NOSYSZSHRC" ]; then return; fi __ETC_ZSHRC_SOURCED=1 - ${optionalString (cfg.setOptions != []) '' + ${lib.optionalString (cfg.setOptions != []) '' # Set zsh options. - setopt ${concatStringsSep " " cfg.setOptions} + setopt ${builtins.concatStringsSep " " cfg.setOptions} ''} # Alternative method of determining short and full hostname. @@ -249,19 +247,19 @@ in # Setup command line history. # Don't export these, otherwise other shells (bash) will try to use same HISTFILE. - SAVEHIST=${toString cfg.histSize} - HISTSIZE=${toString cfg.histSize} + SAVEHIST=${builtins.toString cfg.histSize} + HISTSIZE=${builtins.toString cfg.histSize} HISTFILE=${cfg.histFile} # Configure sane keyboard defaults. . /etc/zinputrc - ${optionalString cfg.enableGlobalCompInit '' + ${lib.optionalString cfg.enableGlobalCompInit '' # Enable autocompletion. autoload -U compinit && compinit ''} - ${optionalString cfg.enableBashCompletion '' + ${lib.optionalString cfg.enableBashCompletion '' # Enable compatibility with bash's completion system. autoload -U bashcompinit && bashcompinit ''} @@ -271,7 +269,7 @@ in ${cfg.interactiveShellInit} - ${optionalString cfg.enableLsColors '' + ${lib.optionalString cfg.enableLsColors '' # Extra colors for directory listings. eval "$(${pkgs.coreutils}/bin/dircolors -b)" ''} @@ -302,11 +300,11 @@ in environment.etc.zinputrc.text = builtins.readFile ./zinputrc; environment.systemPackages = [ pkgs.zsh ] - ++ optional cfg.enableCompletion pkgs.nix-zsh-completions; + ++ lib.optional cfg.enableCompletion pkgs.nix-zsh-completions; - environment.pathsToLink = optional cfg.enableCompletion "/share/zsh"; + environment.pathsToLink = lib.optional cfg.enableCompletion "/share/zsh"; - #users.defaultUserShell = mkDefault "/run/current-system/sw/bin/zsh"; + #users.defaultUserShell = lib.mkDefault "/run/current-system/sw/bin/zsh"; environment.shells = [ diff --git a/nixpkgs/nixos/modules/security/systemd-confinement.nix b/nixpkgs/nixos/modules/security/systemd-confinement.nix index 0304749b8d10..041c90033886 100644 --- a/nixpkgs/nixos/modules/security/systemd-confinement.nix +++ b/nixpkgs/nixos/modules/security/systemd-confinement.nix @@ -79,13 +79,20 @@ in { description = '' The value `full-apivfs` (the default) sets up private {file}`/dev`, {file}`/proc`, - {file}`/sys` and {file}`/tmp` file systems in a separate user - name space. + {file}`/sys`, {file}`/tmp` and {file}`/var/tmp` file systems + in a separate user name space. If this is set to `chroot-only`, only the file system name space is set up along with the call to {manpage}`chroot(2)`. + In all cases, unless `serviceConfig.PrivateTmp=true` is set, + both {file}`/tmp` and {file}`/var/tmp` paths are added to `InaccessiblePaths=`. + This is to overcome options like `DynamicUser=true` + implying `PrivateTmp=true` without letting it being turned off. + Beware however that giving processes the `CAP_SYS_ADMIN` and `@mount` privileges + can let them undo the effects of `InaccessiblePaths=`. + ::: {.note} This doesn't cover network namespaces and is solely for file system level isolation. @@ -98,8 +105,12 @@ in { wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs"); in lib.mkIf config.confinement.enable { serviceConfig = { - RootDirectory = "/var/empty"; - TemporaryFileSystem = "/"; + ReadOnlyPaths = [ "+/" ]; + RuntimeDirectory = [ "confinement/${mkPathSafeName name}" ]; + RootDirectory = "/run/confinement/${mkPathSafeName name}"; + InaccessiblePaths = [ + "-+/run/confinement/${mkPathSafeName name}" + ]; PrivateMounts = lib.mkDefault true; # https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt @@ -148,16 +159,6 @@ in { + " Please either define a separate service or find a way to run" + " commands other than ExecStart within the chroot."; } - { assertion = !cfg.serviceConfig.DynamicUser or false; - message = "${whatOpt "DynamicUser"}. Please create a dedicated user via" - + " the 'users.users' option instead as this combination is" - + " currently not supported."; - } - { assertion = cfg.serviceConfig ? ProtectSystem -> cfg.serviceConfig.ProtectSystem == false; - message = "${whatOpt "ProtectSystem"}. ProtectSystem is not compatible" - + " with service confinement as it fails to remount /usr within" - + " our chroot. Please disable the option."; - } ]) config.systemd.services); config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let @@ -183,6 +184,13 @@ in { echo "BindReadOnlyPaths=$realprog:/bin/sh" >> "$serviceFile" ''} + # If DynamicUser= is enabled, PrivateTmp=true is implied (and cannot be turned off). + # so disable them unless PrivateTmp=true is explicitely set. + ${lib.optionalString (!cfg.serviceConfig.PrivateTmp) '' + echo "InaccessiblePaths=-+/tmp" >> "$serviceFile" + echo "InaccessiblePaths=-+/var/tmp" >> "$serviceFile" + ''} + while read storePath; do if [ -L "$storePath" ]; then # Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths, diff --git a/nixpkgs/nixos/modules/services/admin/pgadmin.nix b/nixpkgs/nixos/modules/services/admin/pgadmin.nix index ead0c3c6c9a3..b3dd3c78874c 100644 --- a/nixpkgs/nixos/modules/services/admin/pgadmin.nix +++ b/nixpkgs/nixos/modules/services/admin/pgadmin.nix @@ -152,7 +152,8 @@ in # Check here for password length to prevent pgadmin from starting # and presenting a hard to find error message # see https://github.com/NixOS/nixpkgs/issues/270624 - PW_LENGTH=$(wc -m < ${escapeShellArg cfg.initialPasswordFile}) + PW_FILE="$CREDENTIALS_DIRECTORY/initial_password" + PW_LENGTH=$(wc -m < "$PW_FILE") if [ $PW_LENGTH -lt ${toString cfg.minimumPasswordLength} ]; then echo "Password must be at least ${toString cfg.minimumPasswordLength} characters long" exit 1 @@ -162,7 +163,7 @@ in echo ${escapeShellArg cfg.initialEmail} # file might not contain newline. echo hack fixes that. - PW=$(cat ${escapeShellArg cfg.initialPasswordFile}) + PW=$(cat "$PW_FILE") # Password: echo "$PW" @@ -181,6 +182,8 @@ in LogsDirectory = "pgadmin"; StateDirectory = "pgadmin"; ExecStart = "${cfg.package}/bin/pgadmin4"; + LoadCredential = [ "initial_password:${cfg.initialPasswordFile}" ] + ++ optional cfg.emailServer.enable "email_password:${cfg.emailServer.passwordFile}"; }; }; @@ -193,7 +196,8 @@ in environment.etc."pgadmin/config_system.py" = { text = lib.optionalString cfg.emailServer.enable '' - with open("${cfg.emailServer.passwordFile}") as f: + import os + with open(os.path.join(os.environ['CREDENTIALS_DIRECTORY'], 'email_password')) as f: pw = f.read() MAIL_PASSWORD = pw '' + formatPy cfg.settings; diff --git a/nixpkgs/nixos/modules/services/audio/navidrome.nix b/nixpkgs/nixos/modules/services/audio/navidrome.nix index a5a7e805e3d6..ca1cd6ca43af 100644 --- a/nixpkgs/nixos/modules/services/audio/navidrome.nix +++ b/nixpkgs/nixos/modules/services/audio/navidrome.nix @@ -1,11 +1,17 @@ -{ config, lib, pkgs, ... }: - -with lib; +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) mkEnableOption mkPackageOption mkOption maintainers; + inherit (lib.types) bool str; cfg = config.services.navidrome; - settingsFormat = pkgs.formats.json {}; -in { + settingsFormat = pkgs.formats.json { }; +in +{ options = { services.navidrome = { @@ -13,9 +19,8 @@ in { package = mkPackageOption pkgs "navidrome" { }; - settings = mkOption rec { + settings = mkOption { type = settingsFormat.type; - apply = recursiveUpdate default; default = { Address = "127.0.0.1"; Port = 4533; @@ -23,62 +28,111 @@ in { example = { MusicFolder = "/mnt/music"; }; - description = '' - Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values. - ''; + description = "Configuration for Navidrome, see <https://www.navidrome.org/docs/usage/configuration-options/> for supported values."; + }; + + user = mkOption { + type = str; + default = "navidrome"; + description = "User under which Navidrome runs."; + }; + + group = mkOption { + type = str; + default = "navidrome"; + description = "Group under which Navidrome runs."; }; openFirewall = mkOption { - type = types.bool; + type = bool; default = false; description = "Whether to open the TCP port in the firewall"; }; }; }; - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.Port]; + config = + let + inherit (lib) mkIf optional getExe; + WorkingDirectory = "/var/lib/navidrome"; + in + mkIf cfg.enable { + systemd = { + tmpfiles.settings.navidromeDirs = { + "${cfg.settings.DataFolder or WorkingDirectory}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + "${cfg.settings.CacheFolder or (WorkingDirectory + "/cache")}"."d" = { + mode = "700"; + inherit (cfg) user group; + }; + }; + services.navidrome = { + description = "Navidrome Media Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${getExe cfg.package} --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} + ''; + User = cfg.user; + Group = cfg.group; + StateDirectory = "navidrome"; + inherit WorkingDirectory; + RuntimeDirectory = "navidrome"; + RootDirectory = "/run/navidrome"; + ReadWritePaths = ""; + BindPaths = + optional (cfg.settings ? DataFolder) cfg.settings.DataFolder + ++ optional (cfg.settings ? CacheFolder) cfg.settings.CacheFolder; + BindReadOnlyPaths = [ + # navidrome uses online services to download additional album metadata / covers + "${ + config.environment.etc."ssl/certs/ca-certificates.crt".source + }:/etc/ssl/certs/ca-certificates.crt" + builtins.storeDir + "/etc" + ] ++ optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; + CapabilityBoundingSet = ""; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + RestrictRealtime = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + UMask = "0066"; + ProtectHostname = true; + }; + }; + }; - systemd.services.navidrome = { - description = "Navidrome Media Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/navidrome --configfile ${settingsFormat.generate "navidrome.json" cfg.settings} - ''; - DynamicUser = true; - StateDirectory = "navidrome"; - WorkingDirectory = "/var/lib/navidrome"; - RuntimeDirectory = "navidrome"; - RootDirectory = "/run/navidrome"; - ReadWritePaths = ""; - BindPaths = lib.optional (cfg.settings ? DataFolder) cfg.settings.DataFolder; - BindReadOnlyPaths = [ - # navidrome uses online services to download additional album metadata / covers - "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" - builtins.storeDir - "/etc" - ] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder; - CapabilityBoundingSet = ""; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; - RestrictNamespaces = true; - PrivateDevices = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" ]; - RestrictRealtime = true; - LockPersonality = true; - MemoryDenyWriteExecute = true; - UMask = "0066"; - ProtectHostname = true; + users.users = mkIf (cfg.user == "navidrome") { + navidrome = { + inherit (cfg) group; + isSystemUser = true; + }; }; + + users.groups = mkIf (cfg.group == "navidrome") { navidrome = { }; }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ]; }; - }; + meta.maintainers = with maintainers; [ nu-nu-ko ]; } diff --git a/nixpkgs/nixos/modules/services/backup/borgbackup.nix b/nixpkgs/nixos/modules/services/backup/borgbackup.nix index 570f8931bd9e..04f971008073 100644 --- a/nixpkgs/nixos/modules/services/backup/borgbackup.nix +++ b/nixpkgs/nixos/modules/services/backup/borgbackup.nix @@ -33,13 +33,24 @@ let } trap on_exit EXIT + borgWrapper () { + local result + borg "$@" && result=$? || result=$? + if [[ -z "${toString cfg.failOnWarnings}" ]] && [[ "$result" == 1 ]]; then + echo "ignoring warning return value 1" + return 0 + else + return "$result" + fi + } + archiveName="${optionalString (cfg.archiveBaseName != null) (cfg.archiveBaseName + "-")}$(date ${cfg.dateFormat})" archiveSuffix="${optionalString cfg.appendFailedSuffix ".failed"}" ${cfg.preHook} '' + optionalString cfg.doInit '' # Run borg init if the repo doesn't exist yet - if ! borg list $extraArgs > /dev/null; then - borg init $extraArgs \ + if ! borgWrapper list $extraArgs > /dev/null; then + borgWrapper init $extraArgs \ --encryption ${cfg.encryption.mode} \ $extraInitArgs ${cfg.postInit} @@ -48,7 +59,7 @@ let ( set -o pipefail ${optionalString (cfg.dumpCommand != null) ''${escapeShellArg cfg.dumpCommand} | \''} - borg create $extraArgs \ + borgWrapper create $extraArgs \ --compression ${cfg.compression} \ --exclude-from ${mkExcludeFile cfg} \ --patterns-from ${mkPatternsFile cfg} \ @@ -57,16 +68,16 @@ let ${if cfg.paths == null then "-" else escapeShellArgs cfg.paths} ) '' + optionalString cfg.appendFailedSuffix '' - borg rename $extraArgs \ + borgWrapper rename $extraArgs \ "::$archiveName$archiveSuffix" "$archiveName" '' + '' ${cfg.postCreate} '' + optionalString (cfg.prune.keep != { }) '' - borg prune $extraArgs \ + borgWrapper prune $extraArgs \ ${mkKeepArgs cfg} \ ${optionalString (cfg.prune.prefix != null) "--glob-archives ${escapeShellArg "${cfg.prune.prefix}*"}"} \ $extraPruneArgs - borg compact $extraArgs $extraCompactArgs + borgWrapper compact $extraArgs $extraCompactArgs ${cfg.postPrune} ''); @@ -488,6 +499,15 @@ in { default = true; }; + failOnWarnings = mkOption { + type = types.bool; + description = '' + Fail the whole backup job if any borg command returns a warning + (exit code 1), for example because a file changed during backup. + ''; + default = true; + }; + doInit = mkOption { type = types.bool; description = '' diff --git a/nixpkgs/nixos/modules/services/backup/restic.nix b/nixpkgs/nixos/modules/services/backup/restic.nix index 8b56636c7969..8be2649189b9 100644 --- a/nixpkgs/nixos/modules/services/backup/restic.nix +++ b/nixpkgs/nixos/modules/services/backup/restic.nix @@ -11,7 +11,7 @@ in description = '' Periodic backups to create with Restic. ''; - type = types.attrsOf (types.submodule ({ config, name, ... }: { + type = types.attrsOf (types.submodule ({ name, ... }: { options = { passwordFile = mkOption { type = types.str; @@ -206,12 +206,19 @@ in ]; }; + runCheck = mkOption { + type = types.bool; + default = (builtins.length config.services.restic.backups.${name}.checkOpts > 0); + defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0''; + description = "Whether to run the `check` command with the provided `checkOpts` options."; + example = true; + }; + checkOpts = mkOption { type = types.listOf types.str; default = [ ]; description = '' - A list of options for 'restic check', which is run after - pruning. + A list of options for 'restic check'. ''; example = [ "--with-cache" @@ -298,7 +305,9 @@ in doBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != []); pruneCmd = optionals (builtins.length backup.pruneOpts > 0) [ (resticCmd + " forget --prune " + (concatStringsSep " " backup.pruneOpts)) - (resticCmd + " check " + (concatStringsSep " " backup.checkOpts)) + ]; + checkCmd = optionals backup.runCheck [ + (resticCmd + " check " + (concatStringsSep " " backup.checkOpts)) ]; # Helper functions for rclone remotes rcloneRemoteName = builtins.elemAt (splitString ":" backup.repository) 1; @@ -331,7 +340,7 @@ in serviceConfig = { Type = "oneshot"; ExecStart = (optionals doBackup [ "${resticCmd} backup ${concatStringsSep " " (backup.extraBackupArgs ++ excludeFlags)} --files-from=${filesFromTmpFile}" ]) - ++ pruneCmd; + ++ pruneCmd ++ checkCmd; User = backup.user; RuntimeDirectory = "restic-backups-${name}"; CacheDirectory = "restic-backups-${name}"; diff --git a/nixpkgs/nixos/modules/services/cluster/k3s/default.nix b/nixpkgs/nixos/modules/services/cluster/k3s/default.nix index 040cf7640de1..4d18d378d794 100644 --- a/nixpkgs/nixos/modules/services/cluster/k3s/default.nix +++ b/nixpkgs/nixos/modules/services/cluster/k3s/default.nix @@ -1,15 +1,25 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.k3s; - removeOption = config: instruction: - lib.mkRemovedOptionModule ([ "services" "k3s" ] ++ config) instruction; + removeOption = + config: instruction: + lib.mkRemovedOptionModule ( + [ + "services" + "k3s" + ] + ++ config + ) instruction; in { - imports = [ - (removeOption [ "docker" ] "k3s docker option is no longer supported.") - ]; + imports = [ (removeOption [ "docker" ] "k3s docker option is no longer supported.") ]; # interface options.services.k3s = { @@ -33,7 +43,10 @@ in - `serverAddr` is required. ''; default = "server"; - type = types.enum [ "server" "agent" ]; + type = types.enum [ + "server" + "agent" + ]; }; serverAddr = mkOption { @@ -125,7 +138,8 @@ in message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'"; } { - assertion = cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != ""; + assertion = + cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != ""; message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'"; } { @@ -142,8 +156,14 @@ in systemd.services.k3s = { description = "k3s service"; - after = [ "firewall.service" "network-online.target" ]; - wants = [ "firewall.service" "network-online.target" ]; + after = [ + "firewall.service" + "network-online.target" + ]; + wants = [ + "firewall.service" + "network-online.target" + ]; wantedBy = [ "multi-user.target" ]; path = optional config.boot.zfs.enabled config.boot.zfs.package; serviceConfig = { @@ -159,9 +179,7 @@ in TasksMax = "infinity"; EnvironmentFile = cfg.environmentFile; ExecStart = concatStringsSep " \\\n " ( - [ - "${cfg.package}/bin/k3s ${cfg.role}" - ] + [ "${cfg.package}/bin/k3s ${cfg.role}" ] ++ (optional cfg.clusterInit "--cluster-init") ++ (optional cfg.disableAgent "--disable-agent") ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}") diff --git a/nixpkgs/nixos/modules/services/databases/postgresql.nix b/nixpkgs/nixos/modules/services/databases/postgresql.nix index 35d3ba0aa209..8a9d8c210b34 100644 --- a/nixpkgs/nixos/modules/services/databases/postgresql.nix +++ b/nixpkgs/nixos/modules/services/databases/postgresql.nix @@ -37,7 +37,7 @@ let # package = pkgs.postgresql_<major>; # }; # works. - base = if cfg.enableJIT then cfg.package.withJIT else cfg.package; + base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT; in if cfg.extraPlugins == [] then base diff --git a/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix b/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix index 08507b4d370a..842b0716b928 100644 --- a/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix @@ -286,6 +286,15 @@ in { kde-smartcard = lib.mkIf config.security.pam.p11.enable { p11Auth = true; }; }; + security.wrappers = { + kwin_wayland = { + owner = "root"; + group = "root"; + capabilities = "cap_sys_nice+ep"; + source = "${lib.getBin pkgs.kdePackages.kwin}/bin/kwin_wayland"; + }; + }; + programs.dconf.enable = true; programs.firefox.nativeMessagingHosts.packages = [kdePackages.plasma-browser-integration]; diff --git a/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix b/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix index b56027b6eb4b..d81a9edfa126 100644 --- a/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix +++ b/nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix @@ -16,7 +16,21 @@ ###### implementation config = lib.mkIf config.services.gnome.gnome-remote-desktop.enable { services.pipewire.enable = true; + services.dbus.packages = [ pkgs.gnome.gnome-remote-desktop ]; + + environment.systemPackages = [ pkgs.gnome.gnome-remote-desktop ]; systemd.packages = [ pkgs.gnome.gnome-remote-desktop ]; + systemd.tmpfiles.packages = [ pkgs.gnome.gnome-remote-desktop ]; + + # TODO: if possible, switch to using provided g-r-d sysusers.d + users = { + users.gnome-remote-desktop = { + isSystemUser = true; + group = "gnome-remote-desktop"; + home = "/var/lib/gnome-remote-desktop"; + }; + groups.gnome-remote-desktop = { }; + }; }; } diff --git a/nixpkgs/nixos/modules/services/display-managers/default.nix b/nixpkgs/nixos/modules/services/display-managers/default.nix index 005ae8f1c8a5..feba4b163ccd 100644 --- a/nixpkgs/nixos/modules/services/display-managers/default.nix +++ b/nixpkgs/nixos/modules/services/display-managers/default.nix @@ -113,10 +113,10 @@ in type = lib.types.nullOr lib.types.str // { description = "session name"; check = d: - lib.assertMsg (d != null -> (lib.types.str.check d && lib.elem d config.services.displayManager.sessionData.sessionNames)) '' + lib.assertMsg (d != null -> (lib.types.str.check d && lib.elem d cfg.sessionData.sessionNames)) '' Default graphical session, '${d}', not found. Valid names for 'services.displayManager.defaultSession' are: - ${lib.concatStringsSep "\n " cfg.displayManager.sessionData.sessionNames} + ${lib.concatStringsSep "\n " cfg.sessionData.sessionNames} ''; }; default = null; @@ -187,7 +187,7 @@ in services.displayManager.sessionData = { desktops = installedSessions; - sessionNames = lib.concatMap (p: p.providedSessions) config.services.displayManager.sessionPackages; + sessionNames = lib.concatMap (p: p.providedSessions) cfg.sessionPackages; # We do not want to force users to set defaultSession when they have only single DE. autologinSession = if cfg.defaultSession != null then diff --git a/nixpkgs/nixos/modules/services/display-managers/greetd.nix b/nixpkgs/nixos/modules/services/display-managers/greetd.nix index c07b225fc4d9..118a3e1df378 100644 --- a/nixpkgs/nixos/modules/services/display-managers/greetd.nix +++ b/nixpkgs/nixos/modules/services/display-managers/greetd.nix @@ -27,6 +27,17 @@ in ''; }; + greeterManagesPlymouth = mkOption { + type = types.bool; + internal = true; + default = false; + description = '' + Don't configure the greetd service to wait for Plymouth to exit. + + Enable this if the greeter you're using can manage Plymouth itself to provide a smoother handoff. + ''; + }; + vt = mkOption { type = types.int; default = 1; @@ -72,8 +83,9 @@ in ]; After = [ "systemd-user-sessions.service" - "plymouth-quit-wait.service" "getty@${tty}.service" + ] ++ lib.optionals (!cfg.greeterManagesPlymouth) [ + "plymouth-quit-wait.service" ]; Conflicts = [ "getty@${tty}.service" diff --git a/nixpkgs/nixos/modules/services/display-managers/sddm.nix b/nixpkgs/nixos/modules/services/display-managers/sddm.nix index a6bfa213fe38..54356f7bb617 100644 --- a/nixpkgs/nixos/modules/services/display-managers/sddm.nix +++ b/nixpkgs/nixos/modules/services/display-managers/sddm.nix @@ -66,7 +66,14 @@ let HideShells = "/run/current-system/sw/bin/nologin"; }; - X11 = optionalAttrs xcfg.enable { + Wayland = { + EnableHiDPI = cfg.enableHidpi; + SessionDir = "${dmcfg.sessionData.desktops}/share/wayland-sessions"; + CompositorCommand = lib.optionalString cfg.wayland.enable cfg.wayland.compositorCommand; + }; + + } // optionalAttrs xcfg.enable { + X11 = { MinimumVT = if xcfg.tty != null then xcfg.tty else 7; ServerPath = toString xserverWrapper; XephyrPath = "${pkgs.xorg.xorgserver.out}/bin/Xephyr"; @@ -77,12 +84,6 @@ let DisplayStopCommand = toString Xstop; EnableHiDPI = cfg.enableHidpi; }; - - Wayland = { - EnableHiDPI = cfg.enableHidpi; - SessionDir = "${dmcfg.sessionData.desktops}/share/wayland-sessions"; - CompositorCommand = lib.optionalString cfg.wayland.enable cfg.wayland.compositorCommand; - }; } // optionalAttrs dmcfg.autoLogin.enable { Autologin = { User = dmcfg.autoLogin.user; diff --git a/nixpkgs/nixos/modules/services/hardware/kanata.nix b/nixpkgs/nixos/modules/services/hardware/kanata.nix index 333b2d2a88a5..46af3e36b985 100644 --- a/nixpkgs/nixos/modules/services/hardware/kanata.nix +++ b/nixpkgs/nixos/modules/services/hardware/kanata.nix @@ -5,6 +5,8 @@ with lib; let cfg = config.services.kanata; + upstreamDoc = "See [the upstream documentation](https://github.com/jtroo/kanata/blob/main/docs/config.adoc) and [example config files](https://github.com/jtroo/kanata/tree/main/cfg_samples) for more information."; + keyboard = { options = { devices = mkOption { @@ -22,28 +24,16 @@ let type = types.lines; example = '' (defsrc - grv 1 2 3 4 5 6 7 8 9 0 - = bspc - tab q w e r t y u i o p [ ] \ - caps a s d f g h j k l ; ' ret - lsft z x c v b n m , . / rsft - lctl lmet lalt spc ralt rmet rctl) - - (deflayer qwerty - grv 1 2 3 4 5 6 7 8 9 0 - = bspc - tab q w e r t y u i o p [ ] \ - @cap a s d f g h j k l ; ' ret - lsft z x c v b n m , . / rsft - lctl lmet lalt spc ralt rmet rctl) - - (defalias - ;; tap within 100ms for capslk, hold more than 100ms for lctl - cap (tap-hold 100 100 caps lctl)) + caps) + + (deflayermap (default-layer) + ;; tap caps lock as caps lock, hold caps lock as left control + caps (tap-hold 100 100 caps lctl)) ''; description = '' Configuration other than `defcfg`. - See [example config files](https://github.com/jtroo/kanata) - for more information. + ${upstreamDoc} ''; }; extraDefCfg = mkOption { @@ -55,8 +45,7 @@ let from the devices option) and `linux-continue-if-no-devs-found` (hardcoded to be yes). - See [example config files](https://github.com/jtroo/kanata) - for more information. + ${upstreamDoc} ''; }; extraArgs = mkOption { @@ -86,14 +75,20 @@ let in optionalString ((length devices) > 0) "linux-dev (${devicesString})"; - mkConfig = name: keyboard: pkgs.writeText "${mkName name}-config.kdb" '' - (defcfg - ${keyboard.extraDefCfg} - ${mkDevices keyboard.devices} - linux-continue-if-no-devs-found yes) - - ${keyboard.config} - ''; + mkConfig = name: keyboard: pkgs.writeTextFile { + name = "${mkName name}-config.kdb"; + text = '' + (defcfg + ${keyboard.extraDefCfg} + ${mkDevices keyboard.devices} + linux-continue-if-no-devs-found yes) + + ${keyboard.config} + ''; + checkPhase = '' + ${getExe cfg.package} --cfg "$target" --check --debug + ''; + }; mkService = name: keyboard: nameValuePair (mkName name) { wantedBy = [ "multi-user.target" ]; @@ -153,7 +148,7 @@ in options.services.kanata = { enable = mkEnableOption "kanata, a tool to improve keyboard comfort and usability with advanced customization"; package = mkPackageOption pkgs "kanata" { - example = "kanata-with-cmd"; + example = [ "kanata-with-cmd" ]; extraDescription = '' ::: {.note} If {option}`danger-enable-cmd` is enabled in any of the keyboards, the diff --git a/nixpkgs/nixos/modules/services/hardware/thermald.nix b/nixpkgs/nixos/modules/services/hardware/thermald.nix index 4f9202d13d90..fb7cf3735a7e 100644 --- a/nixpkgs/nixos/modules/services/hardware/thermald.nix +++ b/nixpkgs/nixos/modules/services/hardware/thermald.nix @@ -28,7 +28,13 @@ in configFile = mkOption { type = types.nullOr types.path; default = null; - description = "the thermald manual configuration file."; + description = '' + The thermald manual configuration file. + + Leave unspecified to run with the `--adaptive` flag instead which will have thermald use your computer's DPTF adaptive tables. + + See `man thermald` for more information. + ''; }; package = mkPackageOption pkgs "thermald" { }; @@ -49,9 +55,8 @@ in --no-daemon \ ${optionalString cfg.debug "--loglevel=debug"} \ ${optionalString cfg.ignoreCpuidCheck "--ignore-cpuid-check"} \ - ${optionalString (cfg.configFile != null) "--config-file ${cfg.configFile}"} \ - --dbus-enable \ - --adaptive + ${if cfg.configFile != null then "--config-file ${cfg.configFile}" else "--adaptive"} \ + --dbus-enable ''; }; }; diff --git a/nixpkgs/nixos/modules/services/hardware/udev.nix b/nixpkgs/nixos/modules/services/hardware/udev.nix index 3db661644281..62603d20e2d3 100644 --- a/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -167,10 +167,16 @@ let mv etc/udev/hwdb.bin $out ''; - compressFirmware = firmware: if (config.boot.kernelPackages.kernelAtLeast "5.3" && (firmware.compressFirmware or true)) then - pkgs.compressFirmwareXz firmware - else - id firmware; + compressFirmware = firmware: + let + inherit (config.boot.kernelPackages) kernelAtLeast; + in + if ! (firmware.compressFirmware or true) then + firmware + else + if kernelAtLeast "5.19" then pkgs.compressFirmwareZstd firmware + else if kernelAtLeast "5.3" then pkgs.compressFirmwareXz firmware + else firmware; # Udev has a 512-character limit for ENV{PATH}, so create a symlink # tree to work around this. diff --git a/nixpkgs/nixos/modules/services/home-automation/ebusd.nix b/nixpkgs/nixos/modules/services/home-automation/ebusd.nix index d388022d7b50..ac9ec06639c1 100644 --- a/nixpkgs/nixos/modules/services/home-automation/ebusd.nix +++ b/nixpkgs/nixos/modules/services/home-automation/ebusd.nix @@ -4,41 +4,6 @@ with lib; let cfg = config.services.ebusd; - - package = pkgs.ebusd; - - arguments = [ - "${package}/bin/ebusd" - "--foreground" - "--updatecheck=off" - "--device=${cfg.device}" - "--port=${toString cfg.port}" - "--configpath=${cfg.configpath}" - "--scanconfig=${cfg.scanconfig}" - "--log=all:${cfg.logs.all}" - "--log=main:${cfg.logs.main}" - "--log=network:${cfg.logs.network}" - "--log=bus:${cfg.logs.bus}" - "--log=update:${cfg.logs.update}" - "--log=other:${cfg.logs.other}" - ] ++ lib.optionals cfg.readonly [ - "--readonly" - ] ++ lib.optionals cfg.mqtt.enable [ - "--mqtthost=${cfg.mqtt.host}" - "--mqttport=${toString cfg.mqtt.port}" - "--mqttuser=${cfg.mqtt.user}" - "--mqttpass=${cfg.mqtt.password}" - ] ++ lib.optionals cfg.mqtt.home-assistant [ - "--mqttint=${package}/etc/ebusd/mqtt-hassio.cfg" - "--mqttjson" - ] ++ lib.optionals cfg.mqtt.retain [ - "--mqttretain" - ] ++ cfg.extraArguments; - - usesDev = hasPrefix "/" cfg.device; - - command = concatStringsSep " " arguments; - in { meta.maintainers = with maintainers; [ nathan-gs ]; @@ -46,6 +11,8 @@ in options.services.ebusd = { enable = mkEnableOption "ebusd, a daemon for communication with eBUS heating systems"; + package = mkPackageOptionMD pkgs "ebusd" { }; + device = mkOption { type = types.str; default = ""; @@ -57,7 +24,8 @@ in ens:DEVICE for enhanced high speed serial device (only adapter v3 and newer with firmware since 20220731), DEVICE for serial device (normal speed, for all other serial adapters like adapter v2 as well as adapter v3 in non-enhanced mode), or [udp:]IP:PORT for network device. - https://github.com/john30/ebusd/wiki/2.-Run#device-options + + Source: <https://github.com/john30/ebusd/wiki/2.-Run#device-options> ''; }; @@ -81,7 +49,7 @@ in type = types.str; default = "https://cfg.ebusd.eu/"; description = '' - Read CSV config files from PATH (local folder or HTTPS URL) [https://cfg.ebusd.eu/] + Directory to read CSV config files from. This can be a local folder or a URL. ''; }; @@ -95,65 +63,21 @@ in ''; }; - logs = { - main = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - network = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - bus = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - update = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - other = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - - all = mkOption { - type = types.enum [ "none" "error" "notice" "info" "debug"]; - default = "info"; - description = '' - Only write log for matching AREAs (main|network|bus|update|other|all) below or equal to LEVEL (none|error|notice|info|debug) [all:notice]. - ''; - }; - }; + logs = let + # "all" must come first so it can be overridden by more specific areas + areas = [ "all" "main" "network" "bus" "update" "other" ]; + levels = [ "none" "error" "notice" "info" "debug" ]; + in listToAttrs (map (area: nameValuePair area (mkOption { + type = types.enum levels; + default = "notice"; + example = "debug"; + description = '' + Only write log for matching `AREA`s (${concatStringsSep "|" areas}) below or equal to `LEVEL` (${concatStringsSep "|" levels}) + ''; + })) areas); mqtt = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Adds support for MQTT - ''; - }; + enable = mkEnableOption "support for MQTT"; host = mkOption { type = types.str; @@ -179,13 +103,7 @@ in ''; }; - retain = mkOption { - type = types.bool; - default = false; - description = '' - Set the retain flag on all topics instead of only selected global ones - ''; - }; + retain = mkEnableOption "set the retain flag on all topics instead of only selected global ones"; user = mkOption { type = types.str; @@ -200,7 +118,6 @@ in The MQTT password. ''; }; - }; extraArguments = mkOption { @@ -210,25 +127,44 @@ in Extra arguments to the ebus daemon ''; }; - }; - config = mkIf (cfg.enable) { - + config = let + usesDev = hasPrefix "/" cfg.device; + in mkIf cfg.enable { systemd.services.ebusd = { description = "EBUSd Service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { - ExecStart = command; + ExecStart = let + args = cli.toGNUCommandLineShell { } (foldr (a: b: a // b) { } [ + { + inherit (cfg) device port configpath scanconfig readonly; + foreground = true; + updatecheck = "off"; + log = mapAttrsToList (name: value: "${name}:${value}") cfg.logs; + mqttretain = cfg.mqtt.retain; + } + (optionalAttrs cfg.mqtt.enable { + mqtthost = cfg.mqtt.host; + mqttport = cfg.mqtt.port; + mqttuser = cfg.mqtt.user; + mqttpass = cfg.mqtt.password; + }) + (optionalAttrs cfg.mqtt.home-assistant { + mqttint = "${cfg.package}/etc/ebusd/mqtt-hassio.cfg"; + mqttjson = true; + }) + ]); + in "${cfg.package}/bin/ebusd ${args} ${escapeShellArgs cfg.extraArguments}"; + DynamicUser = true; Restart = "on-failure"; # Hardening CapabilityBoundingSet = ""; - DeviceAllow = lib.optionals usesDev [ - cfg.device - ] ; + DeviceAllow = optionals usesDev [ cfg.device ]; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = false; @@ -254,9 +190,7 @@ in RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; - SupplementaryGroups = [ - "dialout" - ]; + SupplementaryGroups = [ "dialout" ]; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service @pkey" @@ -265,6 +199,5 @@ in UMask = "0077"; }; }; - }; } diff --git a/nixpkgs/nixos/modules/services/logging/promtail.nix b/nixpkgs/nixos/modules/services/logging/promtail.nix index a34bc07b6ab2..9eccd34cef23 100644 --- a/nixpkgs/nixos/modules/services/logging/promtail.nix +++ b/nixpkgs/nixos/modules/services/logging/promtail.nix @@ -41,6 +41,10 @@ in { wantedBy = [ "multi-user.target" ]; stopIfChanged = false; + preStart = '' + ${lib.getExe pkgs.promtail} -config.file=${prettyJSON cfg.configuration} -check-syntax + ''; + serviceConfig = { Restart = "on-failure"; TimeoutStopSec = 10; diff --git a/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix b/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix index 9cc919fd117d..c69a2ca400ba 100644 --- a/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix +++ b/nixpkgs/nixos/modules/services/mail/stalwart-mail.nix @@ -7,11 +7,28 @@ let configFormat = pkgs.formats.toml { }; configFile = configFormat.generate "stalwart-mail.toml" cfg.settings; dataDir = "/var/lib/stalwart-mail"; + stalwartAtLeast = versionAtLeast cfg.package.version; in { options.services.stalwart-mail = { enable = mkEnableOption "the Stalwart all-in-one email server"; - package = mkPackageOption pkgs "stalwart-mail" { }; + + package = mkOption { + type = types.package; + description = '' + Which package to use for the Stalwart mail server. + + ::: {.note} + Upgrading from version 0.6.0 to version 0.7.0 or higher requires manual + intervention. See <https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md> + for upgrade instructions. + ::: + ''; + default = pkgs.stalwart-mail_0_6; + defaultText = lib.literalExpression "pkgs.stalwart-mail_0_6"; + example = lib.literalExpression "pkgs.stalwart-mail"; + relatedPackages = [ "stalwart-mail_0_6" "stalwart-mail" ]; + }; settings = mkOption { inherit (configFormat) type; @@ -26,6 +43,18 @@ in { }; config = mkIf cfg.enable { + + warnings = lib.optionals (!stalwartAtLeast "0.7.0") [ + '' + Versions of stalwart-mail < 0.7.0 will get deprecated in NixOS 24.11. + Please set services.stalwart-mail.package to pkgs.stalwart-mail to + upgrade to the latest version. + Please note that upgrading to version >= 0.7 requires manual + intervention, see <https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md> + for upgrade instructions. + '' + ]; + # Default config: all local services.stalwart-mail.settings = { global.tracing.method = mkDefault "stdout"; @@ -38,6 +67,7 @@ in { store.blob.path = mkDefault "${dataDir}/data/blobs"; storage.data = mkDefault "db"; storage.fts = mkDefault "db"; + storage.lookup = mkDefault "db"; storage.blob = mkDefault "blob"; resolver.type = mkDefault "system"; resolver.public-suffix = mkDefault ["https://publicsuffix.org/list/public_suffix_list.dat"]; diff --git a/nixpkgs/nixos/modules/services/matrix/conduit.nix b/nixpkgs/nixos/modules/services/matrix/conduit.nix index 9b8a4f45c268..b1d9b0424295 100644 --- a/nixpkgs/nixos/modules/services/matrix/conduit.nix +++ b/nixpkgs/nixos/modules/services/matrix/conduit.nix @@ -9,7 +9,7 @@ let configFile = format.generate "conduit.toml" cfg.settings; in { - meta.maintainers = with maintainers; [ pstn piegames ]; + meta.maintainers = with maintainers; [ pstn ]; options.services.matrix-conduit = { enable = mkEnableOption "matrix-conduit"; diff --git a/nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix b/nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix new file mode 100644 index 000000000000..faca10551abb --- /dev/null +++ b/nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix @@ -0,0 +1,249 @@ +{ lib +, config +, pkgs +, ... +}: +let + cfg = config.services.mautrix-signal; + dataDir = "/var/lib/mautrix-signal"; + registrationFile = "${dataDir}/signal-registration.yaml"; + settingsFile = "${dataDir}/config.yaml"; + settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" cfg.settings; + settingsFormat = pkgs.formats.json { }; + appservicePort = 29328; + + # to be used with a list of lib.mkIf values + optOneOf = lib.lists.findFirst (value: value.condition) (lib.mkIf false null); + mkDefaults = lib.mapAttrsRecursive (n: v: lib.mkDefault v); + defaultConfig = { + homeserver.address = "http://localhost:8448"; + appservice = { + hostname = "[::]"; + port = appservicePort; + database.type = "sqlite3"; + database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate"; + id = "signal"; + bot = { + username = "signalbot"; + displayname = "Signal Bridge Bot"; + }; + as_token = ""; + hs_token = ""; + }; + bridge = { + username_template = "signal_{{.}}"; + displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}"; + double_puppet_server_map = { }; + login_shared_secret_map = { }; + command_prefix = "!signal"; + permissions."*" = "relay"; + relay.enabled = true; + }; + logging = { + min_level = "info"; + writers = lib.singleton { + type = "stdout"; + format = "pretty-colored"; + time_format = " "; + }; + }; + }; + +in +{ + options.services.mautrix-signal = { + enable = lib.mkEnableOption "mautrix-signal, a Matrix-Signal puppeting bridge."; + + settings = lib.mkOption { + apply = lib.recursiveUpdate defaultConfig; + type = settingsFormat.type; + default = defaultConfig; + description = '' + {file}`config.yaml` configuration as a Nix attribute set. + Configuration options should match those described in + [example-config.yaml](https://github.com/mautrix/signal/blob/master/example-config.yaml). + Secret tokens should be specified using {option}`environmentFile` + instead of this world-readable attribute set. + ''; + example = { + appservice = { + database = { + type = "postgres"; + uri = "postgresql:///mautrix_signal?host=/run/postgresql"; + }; + id = "signal"; + ephemeral_events = false; + }; + bridge = { + history_sync = { + request_full_sync = true; + }; + private_chat_portal_meta = true; + mute_bridging = true; + encryption = { + allow = true; + default = true; + require = true; + }; + provisioning = { + shared_secret = "disable"; + }; + permissions = { + "example.com" = "user"; + }; + }; + }; + }; + + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + File containing environment variables to be passed to the mautrix-signal service. + If an environment variable `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET` is set, + then its value will be used in the configuration file for the option + `login_shared_secret_map` without leaking it to the store, using the configured + `homeserver.domain` as key. + See [here](https://github.com/mautrix/signal/blob/main/example-config.yaml) + for the documentation of `login_shared_secret_map`. + ''; + }; + + serviceDependencies = lib.mkOption { + type = with lib.types; listOf str; + default = (lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit) + ++ (lib.optional config.services.matrix-conduit.enable "conduit.service"); + defaultText = lib.literalExpression '' + (optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit) + ++ (optional config.services.matrix-conduit.enable "conduit.service") + ''; + description = '' + List of systemd units to require and wait for when starting the application service. + ''; + }; + + registerToSynapse = lib.mkOption { + type = lib.types.bool; + default = config.services.matrix-synapse.enable; + defaultText = lib.literalExpression '' + config.services.matrix-synapse.enable + ''; + description = '' + Whether to add the bridge's app service registration file to + `services.matrix-synapse.settings.app_service_config_files`. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + + users.users.mautrix-signal = { + isSystemUser = true; + group = "mautrix-signal"; + home = dataDir; + description = "Mautrix-Signal bridge user"; + }; + + users.groups.mautrix-signal = { }; + + services.matrix-synapse = lib.mkIf cfg.registerToSynapse { + settings.app_service_config_files = [ registrationFile ]; + }; + systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse { + serviceConfig.SupplementaryGroups = [ "mautrix-signal" ]; + }; + + # Note: this is defined here to avoid the docs depending on `config` + services.mautrix-signal.settings.homeserver = optOneOf (with config.services; [ + (lib.mkIf matrix-synapse.enable (mkDefaults { + domain = matrix-synapse.settings.server_name; + })) + (lib.mkIf matrix-conduit.enable (mkDefaults { + domain = matrix-conduit.settings.global.server_name; + address = "http://localhost:${toString matrix-conduit.settings.global.port}"; + })) + ]); + + systemd.services.mautrix-signal = { + description = "mautrix-signal, a Matrix-Signal puppeting bridge."; + + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ] ++ cfg.serviceDependencies; + after = [ "network-online.target" ] ++ cfg.serviceDependencies; + # ffmpeg is required for conversion of voice messages + path = [ pkgs.ffmpeg-headless ]; + + preStart = '' + # substitute the settings file by environment variables + # in this case read from EnvironmentFile + test -f '${settingsFile}' && rm -f '${settingsFile}' + old_umask=$(umask) + umask 0177 + ${pkgs.envsubst}/bin/envsubst \ + -o '${settingsFile}' \ + -i '${settingsFileUnsubstituted}' + umask $old_umask + + # generate the appservice's registration file if absent + if [ ! -f '${registrationFile}' ]; then + ${pkgs.mautrix-signal}/bin/mautrix-signal \ + --generate-registration \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + fi + chmod 640 ${registrationFile} + + umask 0177 + # 1. Overwrite registration tokens in config + # 2. If environment variable MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET + # is set, set it as the login shared secret value for the configured + # homeserver domain. + ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token + | .[0].appservice.hs_token = .[1].hs_token + | .[0] + | if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \ + '${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp' + mv '${settingsFile}.tmp' '${settingsFile}' + umask $old_umask + ''; + + serviceConfig = { + User = "mautrix-signal"; + Group = "mautrix-signal"; + EnvironmentFile = cfg.environmentFile; + StateDirectory = baseNameOf dataDir; + WorkingDirectory = dataDir; + ExecStart = '' + ${pkgs.mautrix-signal}/bin/mautrix-signal \ + --config='${settingsFile}' \ + --registration='${registrationFile}' + ''; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + Restart = "on-failure"; + RestartSec = "30s"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + SystemCallFilter = [ "@system-service" ]; + Type = "simple"; + UMask = 0027; + }; + restartTriggers = [ settingsFileUnsubstituted ]; + }; + }; + meta.maintainers = with lib.maintainers; [ niklaskorz ]; +} diff --git a/nixpkgs/nixos/modules/services/misc/bcg.nix b/nixpkgs/nixos/modules/services/misc/bcg.nix index 626a67f66d08..63c441833d95 100644 --- a/nixpkgs/nixos/modules/services/misc/bcg.nix +++ b/nixpkgs/nixos/modules/services/misc/bcg.nix @@ -149,20 +149,20 @@ in systemd.services.bcg = let envConfig = cfg.environmentFiles != []; finalConfig = if envConfig - then "$RUNTIME_DIRECTORY/bcg.config.yaml" + then "\${RUNTIME_DIRECTORY}/bcg.config.yaml" else configFile; in { description = "BigClown Gateway"; wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ] ++ lib.optional config.services.mosquitto.enable "mosquitto.service"; after = [ "network-online.target" ]; - preStart = '' + preStart = mkIf envConfig '' umask 077 ${pkgs.envsubst}/bin/envsubst -i "${configFile}" -o "${finalConfig}" ''; serviceConfig = { EnvironmentFile = cfg.environmentFiles; - ExecStart="${cfg.package}/bin/bcg -c ${finalConfig} -v ${cfg.verbose}"; + ExecStart = "${cfg.package}/bin/bcg -c ${finalConfig} -v ${cfg.verbose}"; RuntimeDirectory = "bcg"; }; }; diff --git a/nixpkgs/nixos/modules/services/misc/devpi-server.nix b/nixpkgs/nixos/modules/services/misc/devpi-server.nix new file mode 100644 index 000000000000..0234db4bc2c5 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/devpi-server.nix @@ -0,0 +1,128 @@ +{ + pkgs, + lib, + config, + ... +}: +with lib; +let + cfg = config.services.devpi-server; + + secretsFileName = "devpi-secret-file"; + + stateDirName = "devpi"; + + runtimeDir = "/run/${stateDirName}"; + serverDir = "/var/lib/${stateDirName}"; +in +{ + options.services.devpi-server = { + enable = mkEnableOption "Devpi Server"; + + package = mkPackageOption pkgs "devpi-server" { }; + + primaryUrl = mkOption { + type = types.str; + description = "Url for the primary node. Required option for replica nodes."; + }; + + replica = mkOption { + type = types.bool; + default = false; + description = '' + Run node as a replica. + Requires the secretFile option and the primaryUrl to be enabled. + ''; + }; + + secretFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to a shared secret file used for synchronization, + Required for all nodes in a replica/primary setup. + ''; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = '' + domain/ip address to listen on + ''; + }; + + port = mkOption { + type = types.port; + default = 3141; + description = "The port on which Devpi Server will listen."; + }; + + openFirewall = mkEnableOption "opening the default ports in the firewall for Devpi Server"; + }; + + config = mkIf cfg.enable { + + systemd.services.devpi-server = { + enable = true; + description = "devpi PyPI-compatible server"; + documentation = [ "https://devpi.net/docs/devpi/devpi/stable/+d/index.html" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + # Since at least devpi-server 6.10.0, devpi requires the secrets file to + # have 0600 permissions. + preStart = + '' + cp ${cfg.secretFile} ${runtimeDir}/${secretsFileName} + chmod 0600 ${runtimeDir}/*${secretsFileName} + + if [ -f ${serverDir}/.nodeinfo ]; then + # already initialized the package index, exit gracefully + exit 0 + fi + ${cfg.package}/bin/devpi-init --serverdir ${serverDir} '' + + strings.optionalString cfg.replica "--role=replica --master-url=${cfg.primaryUrl}"; + + serviceConfig = { + Restart = "always"; + ExecStart = + let + args = + [ + "--request-timeout=5" + "--serverdir=${serverDir}" + "--host=${cfg.host}" + "--port=${builtins.toString cfg.port}" + ] + ++ lib.optionals (! isNull cfg.secretFile) [ + "--secretfile=${runtimeDir}/${secretsFileName}" + ] + ++ ( + if cfg.replica then + [ + "--role=replica" + "--master-url=${cfg.primaryUrl}" + ] + else + [ "--role=master" ] + ); + in + "${cfg.package}/bin/devpi-server ${concatStringsSep " " args}"; + DynamicUser = true; + StateDirectory = stateDirName; + RuntimeDirectory = stateDirName; + PrivateDevices = true; + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "strict"; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + }; + + meta.maintainers = [ cafkafk ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/misc/heisenbridge.nix b/nixpkgs/nixos/modules/services/misc/heisenbridge.nix index de109e726633..54c298f1b560 100644 --- a/nixpkgs/nixos/modules/services/misc/heisenbridge.nix +++ b/nixpkgs/nixos/modules/services/misc/heisenbridge.nix @@ -210,5 +210,5 @@ in }; }; - meta.maintainers = [ lib.maintainers.piegames ]; + meta.maintainers = [ ]; } diff --git a/nixpkgs/nixos/modules/services/misc/llama-cpp.nix b/nixpkgs/nixos/modules/services/misc/llama-cpp.nix index c73cff027e22..2fa1a7b28e3b 100644 --- a/nixpkgs/nixos/modules/services/misc/llama-cpp.nix +++ b/nixpkgs/nixos/modules/services/misc/llama-cpp.nix @@ -92,7 +92,6 @@ in { SystemCallFilter = [ "@system-service" "~@privileged" - "~@resources" ]; SystemCallErrorNumber = "EPERM"; ProtectProc = "invisible"; diff --git a/nixpkgs/nixos/modules/services/misc/portunus.nix b/nixpkgs/nixos/modules/services/misc/portunus.nix index ab78479c96cd..bdb35da788e3 100644 --- a/nixpkgs/nixos/modules/services/misc/portunus.nix +++ b/nixpkgs/nixos/modules/services/misc/portunus.nix @@ -231,12 +231,14 @@ in }; systemd.services = { - dex.serviceConfig = mkIf cfg.dex.enable { - # `dex.service` is super locked down out of the box, but we need some - # place to write the SQLite database. This creates $STATE_DIRECTORY below - # /var/lib/private because DynamicUser=true, but it gets symlinked into - # /var/lib/dex inside the unit - StateDirectory = "dex"; + dex = mkIf cfg.dex.enable { + serviceConfig = { + # `dex.service` is super locked down out of the box, but we need some + # place to write the SQLite database. This creates $STATE_DIRECTORY below + # /var/lib/private because DynamicUser=true, but it gets symlinked into + # /var/lib/dex inside the unit + StateDirectory = "dex"; + }; }; portunus = { diff --git a/nixpkgs/nixos/modules/services/misc/private-gpt.nix b/nixpkgs/nixos/modules/services/misc/private-gpt.nix new file mode 100644 index 000000000000..9a3e5317cdb1 --- /dev/null +++ b/nixpkgs/nixos/modules/services/misc/private-gpt.nix @@ -0,0 +1,121 @@ +{ config +, lib +, pkgs +, ... +}: +let + inherit (lib) types; + + format = pkgs.formats.yaml { }; + cfg = config.services.private-gpt; +in +{ + options = { + services.private-gpt = { + enable = lib.mkEnableOption "private-gpt for local large language models"; + package = lib.mkPackageOption pkgs "private-gpt" { }; + + stateDir = lib.mkOption { + type = types.path; + default = "/var/lib/private-gpt"; + description = "State directory of private-gpt."; + }; + + settings = lib.mkOption { + type = format.type; + default = { + llm = { + mode = "ollama"; + tokenizer = ""; + }; + embedding = { + mode = "ollama"; + }; + ollama = { + llm_model = "llama3"; + embedding_model = "nomic-embed-text"; + api_base = "http://localhost:11434"; + embedding_api_base = "http://localhost:11434"; + keep_alive = "5m"; + tfs_z = 1; + top_k = 40; + top_p = 0.9; + repeat_last_n = 64; + repeat_penalty = 1.2; + request_timeout = 120; + }; + vectorstore = { + database = "qdrant"; + }; + qdrant = { + path = "/var/lib/private-gpt/vectorstore/qdrant"; + }; + data = { + local_data_folder = "/var/lib/private-gpt"; + }; + openai = { }; + azopenai = { }; + }; + description = '' + settings-local.yaml for private-gpt + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.private-gpt = { + description = "Interact with your documents using the power of GPT, 100% privately, no data leaks"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = + let + config = format.generate "settings-local.yaml" (cfg.settings // { server.env_name = "local"; }); + in + '' + mkdir -p ${cfg.stateDir}/{settings,huggingface,matplotlib,tiktoken_cache} + cp ${cfg.package.cl100k_base.tiktoken} ${cfg.stateDir}/tiktoken_cache/9b5ad71b2ce5302211f9c61530b329a4922fc6a4 + cp ${pkgs.python3Packages.private-gpt}/${pkgs.python3.sitePackages}/private_gpt/settings.yaml ${cfg.stateDir}/settings/settings.yaml + cp "${config}" "${cfg.stateDir}/settings/settings-local.yaml" + chmod 600 "${cfg.stateDir}/settings/settings-local.yaml" + ''; + + environment = { + PGPT_PROFILES = "local"; + PGPT_SETTINGS_FOLDER = "${cfg.stateDir}/settings"; + HF_HOME = "${cfg.stateDir}/huggingface"; + TRANSFORMERS_OFFLINE = "1"; + HF_DATASETS_OFFLINE = "1"; + MPLCONFIGDIR = "${cfg.stateDir}/matplotlib"; + }; + + serviceConfig = { + ExecStart = lib.getExe cfg.package; + WorkingDirectory = cfg.stateDir; + StateDirectory = "private-gpt"; + RuntimeDirectory = "private-gpt"; + RuntimeDirectoryMode = "0755"; + PrivateTmp = true; + DynamicUser = true; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateUsers = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProcSubset = "pid"; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + UMask = "0077"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ drupol ]; +} diff --git a/nixpkgs/nixos/modules/services/misc/snapper.nix b/nixpkgs/nixos/modules/services/misc/snapper.nix index 3a3ed1b5c0f5..33207ac2b5bd 100644 --- a/nixpkgs/nixos/modules/services/misc/snapper.nix +++ b/nixpkgs/nixos/modules/services/misc/snapper.nix @@ -103,6 +103,18 @@ in ''; }; + persistentTimer = mkOption { + default = false; + type = types.bool; + example = true; + description = '' + Set the `persistentTimer` option for the + {manpage}`systemd.timer(5)` + which triggers the snapshot immediately if the last trigger + was missed (e.g. if the system was powered down). + ''; + }; + cleanupInterval = mkOption { type = types.str; default = "1d"; @@ -198,7 +210,14 @@ in inherit documentation; requires = [ "local-fs.target" ]; serviceConfig.ExecStart = "${pkgs.snapper}/lib/snapper/systemd-helper --timeline"; - startAt = cfg.snapshotInterval; + }; + + systemd.timers.snapper-timeline = { + wantedBy = [ "timers.target" ]; + timerConfig = { + Persistent = cfg.persistentTimer; + OnCalendar = cfg.snapshotInterval; + }; }; systemd.services.snapper-cleanup = { diff --git a/nixpkgs/nixos/modules/services/misc/tzupdate.nix b/nixpkgs/nixos/modules/services/misc/tzupdate.nix index eac1e1112a5a..be63bb179e42 100644 --- a/nixpkgs/nixos/modules/services/misc/tzupdate.nix +++ b/nixpkgs/nixos/modules/services/misc/tzupdate.nix @@ -41,5 +41,5 @@ in { }; }; - meta.maintainers = [ maintainers.michaelpj ]; + meta.maintainers = [ ]; } diff --git a/nixpkgs/nixos/modules/services/misc/wastebin.nix b/nixpkgs/nixos/modules/services/misc/wastebin.nix index 3d0af2862683..f24bf94fa52b 100644 --- a/nixpkgs/nixos/modules/services/misc/wastebin.nix +++ b/nixpkgs/nixos/modules/services/misc/wastebin.nix @@ -10,7 +10,7 @@ in options.services.wastebin = { - enable = mkEnableOption "Wastenbin pastebin service"; + enable = mkEnableOption "Wastebin, a pastebin service"; package = mkPackageOption pkgs "wastebin" { }; diff --git a/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/nixpkgs/nixos/modules/services/misc/zoneminder.nix index 84c3a6710c0d..d09cd87febff 100644 --- a/nixpkgs/nixos/modules/services/misc/zoneminder.nix +++ b/nixpkgs/nixos/modules/services/misc/zoneminder.nix @@ -350,7 +350,7 @@ in { RestartSec = "10s"; CacheDirectory = dirs cacheDirs; RuntimeDirectory = dirName; - ReadWriteDirectories = lib.mkIf useCustomDir [ cfg.storageDir ]; + ReadWritePaths = lib.mkIf useCustomDir [ cfg.storageDir ]; StateDirectory = dirs (lib.optionals (!useCustomDir) libDirs); LogsDirectory = dirName; PrivateTmp = true; diff --git a/nixpkgs/nixos/modules/services/monitoring/arbtt.nix b/nixpkgs/nixos/modules/services/monitoring/arbtt.nix index 6dad6bdec328..cf9a236c079c 100644 --- a/nixpkgs/nixos/modules/services/monitoring/arbtt.nix +++ b/nixpkgs/nixos/modules/services/monitoring/arbtt.nix @@ -45,5 +45,5 @@ in { }; }; - meta.maintainers = [ maintainers.michaelpj ]; + meta.maintainers = [ ]; } diff --git a/nixpkgs/nixos/modules/services/monitoring/loki.nix b/nixpkgs/nixos/modules/services/monitoring/loki.nix index ba63f95e7f1a..de4f1bc7aa23 100644 --- a/nixpkgs/nixos/modules/services/monitoring/loki.nix +++ b/nixpkgs/nixos/modules/services/monitoring/loki.nix @@ -97,8 +97,20 @@ in { serviceConfig = let conf = if cfg.configFile == null - then prettyJSON cfg.configuration + then + # Config validation may fail when using extraFlags = [ "-config.expand-env=true" ]. + # To work around this, we simply skip it when extraFlags is not empty. + if cfg.extraFlags == [] + then validateConfig (prettyJSON cfg.configuration) + else prettyJSON cfg.configuration else cfg.configFile; + validateConfig = file: + pkgs.runCommand "validate-loki-conf" { + nativeBuildInputs = [ cfg.package ]; + } '' + loki -verify-config -config.file "${file}" + ln -s "${file}" "$out" + ''; in { ExecStart = "${cfg.package}/bin/loki --config.file=${conf} ${escapeShellArgs cfg.extraFlags}"; diff --git a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix index e44140b1f51a..e1b7dc91a0d7 100644 --- a/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix +++ b/nixpkgs/nixos/modules/services/monitoring/prometheus/exporters/bitcoin.nix @@ -7,6 +7,8 @@ in { port = 9332; extraOpts = { + package = lib.mkPackageOption pkgs "prometheus-bitcoin-exporter" { }; + rpcUser = mkOption { type = types.str; default = "bitcoinrpc"; @@ -65,7 +67,7 @@ in serviceOpts = { script = '' export BITCOIN_RPC_PASSWORD=$(cat ${cfg.rpcPasswordFile}) - exec ${pkgs.prometheus-bitcoin-exporter}/bin/bitcoind-monitor.py + exec ${cfg.package}/bin/bitcoind-monitor.py ''; environment = { diff --git a/nixpkgs/nixos/modules/services/networking/clatd.nix b/nixpkgs/nixos/modules/services/networking/clatd.nix index 76e0c130ca46..de6cde4e979c 100644 --- a/nixpkgs/nixos/modules/services/networking/clatd.nix +++ b/nixpkgs/nixos/modules/services/networking/clatd.nix @@ -43,7 +43,6 @@ in serviceConfig = { ExecStart = "${cfg.package}/bin/clatd -c ${configFile}"; - startLimitIntervalSec = 0; # Hardening CapabilityBoundingSet = [ diff --git a/nixpkgs/nixos/modules/services/networking/hostapd.nix b/nixpkgs/nixos/modules/services/networking/hostapd.nix index 1bef5a1f0a9e..b678656f2e04 100644 --- a/nixpkgs/nixos/modules/services/networking/hostapd.nix +++ b/nixpkgs/nixos/modules/services/networking/hostapd.nix @@ -687,7 +687,7 @@ in { authentication = { mode = mkOption { default = "wpa3-sae"; - type = types.enum ["none" "wpa2-sha256" "wpa3-sae-transition" "wpa3-sae"]; + type = types.enum ["none" "wpa2-sha1" "wpa2-sha256" "wpa3-sae-transition" "wpa3-sae"]; description = '' Selects the authentication mode for this AP. @@ -695,7 +695,9 @@ in { and create an open AP. Use {option}`settings` together with this option if you want to configure the authentication manually. Any password options will still be effective, if set. - - {var}`"wpa2-sha256"`: WPA2-Personal using SHA256 (IEEE 802.11i/RSN). Passwords are set + - {var}`"wpa2-sha1"`: Not recommended. WPA2-Personal using HMAC-SHA1. Passwords are set + using {option}`wpaPassword` or preferably by {option}`wpaPasswordFile` or {option}`wpaPskFile`. + - {var}`"wpa2-sha256"`: WPA2-Personal using HMAC-SHA256 (IEEE 802.11i/RSN). Passwords are set using {option}`wpaPassword` or preferably by {option}`wpaPasswordFile` or {option}`wpaPskFile`. - {var}`"wpa3-sae-transition"`: Use WPA3-Personal (SAE) if possible, otherwise fallback to WPA2-SHA256. Only use if necessary and switch to the newer WPA3-SAE when possible. @@ -812,7 +814,7 @@ in { Warning: These entries will get put into a world-readable file in the Nix store! Using {option}`saePasswordFile` instead is recommended. - Not used when {option}`mode` is {var}`"wpa2-sha256"`. + Not used when {option}`mode` is {var}`"wpa2-sha1"` or {var}`"wpa2-sha256"`. ''; type = types.listOf (types.submodule { options = { @@ -884,7 +886,7 @@ in { parameters doesn't matter: `<password>[|mac=<peer mac>][|vlanid=<VLAN ID>][|pk=<m:ECPrivateKey-base64>][|id=<identifier>]` - Not used when {option}`mode` is {var}`"wpa2-sha256"`. + Not used when {option}`mode` is {var}`"wpa2-sha1"` or {var}`"wpa2-sha256"`. ''; }; @@ -959,6 +961,9 @@ in { } // optionalAttrs (bssCfg.authentication.mode == "wpa3-sae-transition") { wpa = 2; wpa_key_mgmt = "WPA-PSK-SHA256 SAE"; + } // optionalAttrs (bssCfg.authentication.mode == "wpa2-sha1") { + wpa = 2; + wpa_key_mgmt = "WPA-PSK"; } // optionalAttrs (bssCfg.authentication.mode == "wpa2-sha256") { wpa = 2; wpa_key_mgmt = "WPA-PSK-SHA256"; @@ -1186,8 +1191,8 @@ in { message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode requires defining both a wpa password option and a sae password option''; } { - assertion = auth.mode == "wpa2-sha256" -> countWpaPasswordDefinitions == 1; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA2-SHA256 which requires defining a wpa password option''; + assertion = (auth.mode == "wpa2-sha1" || auth.mode == "wpa2-sha256") -> countWpaPasswordDefinitions == 1; + message = ''hostapd radio ${radio} bss ${bss}: uses WPA2-PSK which requires defining a wpa password option''; } ]) radioCfg.networks)) diff --git a/nixpkgs/nixos/modules/services/networking/jotta-cli.md b/nixpkgs/nixos/modules/services/networking/jotta-cli.md index fee002a4e604..335e5c8e3856 100644 --- a/nixpkgs/nixos/modules/services/networking/jotta-cli.md +++ b/nixpkgs/nixos/modules/services/networking/jotta-cli.md @@ -6,7 +6,7 @@ The [Jottacloud Command-line Tool](https://docs.jottacloud.com/en/articles/14368 ```nix { - user.services.jotta-cli.enable = true; + services.jotta-cli.enable = true; } ``` @@ -15,7 +15,7 @@ This adds `jotta-cli` to `environment.systemPackages` and starts a user service ## Example Configuration {#module-services-jotta-cli-example-configuration} ```nix -user.services.jotta-cli = { +services.jotta-cli = { enable = true; options = [ "slow" ]; package = pkgs.jotta-cli; diff --git a/nixpkgs/nixos/modules/services/networking/jotta-cli.nix b/nixpkgs/nixos/modules/services/networking/jotta-cli.nix index c7e6dad5453c..e0fa1ef332fe 100644 --- a/nixpkgs/nixos/modules/services/networking/jotta-cli.nix +++ b/nixpkgs/nixos/modules/services/networking/jotta-cli.nix @@ -2,10 +2,10 @@ with lib; -let cfg = config.user.services.jotta-cli; +let cfg = config.services.jotta-cli; in { options = { - user.services.jotta-cli = { + services.jotta-cli = { enable = mkEnableOption "Jottacloud Command-line Tool"; diff --git a/nixpkgs/nixos/modules/services/networking/networkmanager.nix b/nixpkgs/nixos/modules/services/networking/networkmanager.nix index e33bbb2af178..b7143cf520f9 100644 --- a/nixpkgs/nixos/modules/services/networking/networkmanager.nix +++ b/nixpkgs/nixos/modules/services/networking/networkmanager.nix @@ -470,7 +470,7 @@ in - [main] - no-auto-default=* - ''' - + extraConfig.main.no-auto-default = "*"; + + settings.main.no-auto-default = "*"; }; ``` '' diff --git a/nixpkgs/nixos/modules/services/networking/pixiecore.nix b/nixpkgs/nixos/modules/services/networking/pixiecore.nix index cfdb8014136e..111cb7e35504 100644 --- a/nixpkgs/nixos/modules/services/networking/pixiecore.nix +++ b/nixpkgs/nixos/modules/services/networking/pixiecore.nix @@ -82,8 +82,8 @@ in apiServer = mkOption { type = types.str; - example = "localhost:8080"; - description = "host:port to connect to the API. Ignored unless mode is set to 'api'"; + example = "http://localhost:8080"; + description = "URI to connect to the API. Ignored unless mode is set to 'api'"; }; extraArguments = mkOption { diff --git a/nixpkgs/nixos/modules/services/networking/radvd.nix b/nixpkgs/nixos/modules/services/networking/radvd.nix index 4e3e501d2f59..0143324a7815 100644 --- a/nixpkgs/nixos/modules/services/networking/radvd.nix +++ b/nixpkgs/nixos/modules/services/networking/radvd.nix @@ -33,6 +33,17 @@ in package = mkPackageOption pkgs "radvd" { }; + debugLevel = mkOption { + type = types.int; + default = 0; + example = 5; + description = '' + The debugging level is an integer in the range from 1 to 5, + from quiet to very verbose. A debugging level of 0 completely + turns off debugging. + ''; + }; + config = mkOption { type = types.lines; example = @@ -67,7 +78,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = - { ExecStart = "@${cfg.package}/bin/radvd radvd -n -u radvd -C ${confFile}"; + { ExecStart = "@${cfg.package}/bin/radvd radvd -n -u radvd -d ${toString cfg.debugLevel} -C ${confFile}"; Restart = "always"; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/rosenpass.nix b/nixpkgs/nixos/modules/services/networking/rosenpass.nix index 373a6c769079..66b6f960a81a 100644 --- a/nixpkgs/nixos/modules/services/networking/rosenpass.nix +++ b/nixpkgs/nixos/modules/services/networking/rosenpass.nix @@ -225,8 +225,10 @@ in # See <https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Specifiers> environment.CONFIG = "%t/${serviceConfig.RuntimeDirectory}/config.toml"; - preStart = "${getExe pkgs.envsubst} -i ${config} -o \"$CONFIG\""; - script = "rosenpass exchange-config \"$CONFIG\""; + script = '' + ${getExe pkgs.envsubst} -i ${config} -o "$CONFIG" + rosenpass exchange-config "$CONFIG" + ''; }; }; } diff --git a/nixpkgs/nixos/modules/services/networking/smokeping.nix b/nixpkgs/nixos/modules/services/networking/smokeping.nix index 38d6e4452c97..3fb3eac45cc8 100644 --- a/nixpkgs/nixos/modules/services/networking/smokeping.nix +++ b/nixpkgs/nixos/modules/services/networking/smokeping.nix @@ -47,6 +47,13 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "smokeping" "port" ] '' + The smokeping web service is now served by nginx. + In order to change the port, you need to change the nginx configuration under `services.nginx.virtualHosts.smokeping.listen.*.port`. + '') + ]; + options = { services.smokeping = { enable = mkEnableOption "smokeping service"; @@ -71,8 +78,8 @@ in }; cgiUrl = mkOption { type = types.str; - default = "http://${cfg.hostName}:${toString cfg.port}/smokeping.cgi"; - defaultText = literalExpression ''"http://''${hostName}:''${toString port}/smokeping.cgi"''; + default = "http://${cfg.hostName}/smokeping.cgi"; + defaultText = literalExpression ''"http://''${hostName}/smokeping.cgi"''; example = "https://somewhere.example.com/smokeping.cgi"; description = "URL to the smokeping cgi."; }; @@ -177,11 +184,6 @@ in which makes it bind to all interfaces. ''; }; - port = mkOption { - type = types.port; - default = 8081; - description = "TCP port to use for the web server."; - }; presentationConfig = mkOption { type = types.lines; default = '' @@ -312,17 +314,8 @@ in description = "smokeping daemon user"; home = smokepingHome; createHome = true; - # When `cfg.webService` is enabled, `thttpd` makes SmokePing available - # under `${cfg.host}:${cfg.port}/smokeping.fcgi` as per the `ln -s` below. - # We also want that going to `${cfg.host}:${cfg.port}` without `smokeping.fcgi` - # makes it easy for the user to find SmokePing. - # However `thttpd` does not seem to support easy redirections from `/` to `smokeping.fcgi` - # and only allows directory listings or `/` -> `index.html` resolution if the directory - # has `chmod 755` (see https://acme.com/software/thttpd/thttpd_man.html#PERMISSIONS, - # " directories should be 755 if you want to allow indexing"). - # Otherwise it shows `403 Forbidden` on `/`. - # Thus, we need to make `smokepingHome` (which is given to `thttpd -d` below) `755`. - homeMode = "755"; + # When `cfg.webService` is enabled, `nginx` requires read permissions on the home directory. + homeMode = "711"; }; users.groups.${cfg.user} = { }; systemd.services.smokeping = { @@ -342,21 +335,25 @@ in ${cfg.package}/bin/smokeping --static --config=${configPath} ''; }; - systemd.services.thttpd = mkIf cfg.webService { - requiredBy = [ "multi-user.target" ]; - requires = [ "smokeping.service" ]; - path = with pkgs; [ bash rrdtool smokeping thttpd ]; - serviceConfig = { - Restart = "always"; - ExecStart = lib.concatStringsSep " " (lib.concatLists [ - [ "${pkgs.thttpd}/bin/thttpd" ] - [ "-u ${cfg.user}" ] - [ ''-c "**.fcgi"'' ] - [ "-d ${smokepingHome}" ] - (lib.optional (cfg.host != null) "-h ${cfg.host}") - [ "-p ${builtins.toString cfg.port}" ] - [ "-D -nos" ] - ]); + + # use nginx to serve the smokeping web service + services.fcgiwrap.enable = mkIf cfg.webService true; + services.nginx = mkIf cfg.webService { + enable = true; + virtualHosts."smokeping" = { + serverName = mkDefault cfg.host; + locations."/" = { + root = smokepingHome; + index = "smokeping.fcgi"; + }; + locations."/smokeping.fcgi" = { + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + fastcgi_param SCRIPT_FILENAME ${smokepingHome}/smokeping.fcgi; + fastcgi_param DOCUMENT_ROOT ${smokepingHome}; + ''; + }; }; }; }; diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix index bc95679d5d3c..57ca2b85bed2 100644 --- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix @@ -296,6 +296,17 @@ in ''; }; + authorizedKeysInHomedir = mkOption { + type = types.bool; + default = true; + description = '' + Enables the use of the `~/.ssh/authorized_keys` file. + + Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`, + *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys). + ''; + }; + authorizedKeysCommand = mkOption { type = types.str; default = "none"; @@ -637,7 +648,7 @@ in # https://github.com/NixOS/nixpkgs/pull/10155 # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = - [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; + lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ]; services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u"; diff --git a/nixpkgs/nixos/modules/services/networking/sunshine.nix b/nixpkgs/nixos/modules/services/networking/sunshine.nix index 0749eaee95d8..ec78db1f3f8e 100644 --- a/nixpkgs/nixos/modules/services/networking/sunshine.nix +++ b/nixpkgs/nixos/modules/services/networking/sunshine.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, utils, ... }: let - inherit (lib) mkEnableOption mkPackageOption mkOption mkIf mkDefault types optionals getExe; + inherit (lib) mkEnableOption mkPackageOption mkOption literalExpression mkIf mkDefault types optionals getExe; inherit (utils) escapeSystemdExecArgs; cfg = config.services.sunshine; @@ -46,7 +46,7 @@ in See https://docs.lizardbyte.dev/projects/sunshine/en/latest/about/advanced_usage.html#configuration for syntax. ''; - example = '' + example = literalExpression '' { sunshine_name = "nixos"; } @@ -67,7 +67,7 @@ in description = '' Configuration for applications to be exposed to Moonlight. If this is set, no configuration is possible from the web UI, and must be by the `settings` option. ''; - example = '' + example = literalExpression '' { env = { PATH = "$(PATH):$(HOME)/.local/bin"; diff --git a/nixpkgs/nixos/modules/services/networking/tayga.nix b/nixpkgs/nixos/modules/services/networking/tayga.nix index 1a0df33fe883..9f118b243e90 100644 --- a/nixpkgs/nixos/modules/services/networking/tayga.nix +++ b/nixpkgs/nixos/modules/services/networking/tayga.nix @@ -16,6 +16,8 @@ let prefix ${strAddr cfg.ipv6.pool} dynamic-pool ${strAddr cfg.ipv4.pool} data-dir ${cfg.dataDir} + + ${concatStringsSep "\n" (mapAttrsToList (ipv4: ipv6: "map " + ipv4 + " " + ipv6) cfg.mappings)} ''; addrOpts = v: @@ -103,18 +105,38 @@ in dataDir = mkOption { type = types.path; default = "/var/lib/tayga"; - description = "Directory for persistent data"; + description = "Directory for persistent data."; }; tunDevice = mkOption { type = types.str; default = "nat64"; - description = "Name of the nat64 tun device"; + description = "Name of the nat64 tun device."; + }; + + mappings = mkOption { + type = types.attrsOf types.str; + default = {}; + description = "Static IPv4 -> IPv6 host mappings."; + example = literalExpression '' + { + "192.168.5.42" = "2001:db8:1:4444::1"; + "192.168.5.43" = "2001:db8:1:4444::2"; + "192.168.255.2" = "2001:db8:1:569::143"; + } + ''; }; }; }; config = mkIf cfg.enable { + assertions = [ + { + assertion = allUnique (attrValues cfg.mappings); + message = "Neither the IPv4 nor the IPv6 addresses must be entered twice in the mappings."; + } + ]; + networking.interfaces."${cfg.tunDevice}" = { virtual = true; virtualType = "tun"; diff --git a/nixpkgs/nixos/modules/services/networking/vsftpd.nix b/nixpkgs/nixos/modules/services/networking/vsftpd.nix index 25f950600b91..07b93e92a750 100644 --- a/nixpkgs/nixos/modules/services/networking/vsftpd.nix +++ b/nixpkgs/nixos/modules/services/networking/vsftpd.nix @@ -278,7 +278,7 @@ in } { assertion = (cfg.enableVirtualUsers -> cfg.userDbPath != null) - && (cfg.enableVirtualUsers -> cfg.localUsers != null); + && (cfg.enableVirtualUsers -> cfg.localUsers); message = "vsftpd: If enableVirtualUsers is true, you need to setup both the userDbPath and localUsers options."; }]; diff --git a/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix b/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix index c05bd304752d..07192e7287b0 100644 --- a/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix +++ b/nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix @@ -64,11 +64,11 @@ in }; }; - config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != [] && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) { + config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != {} && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) { enable = true; }; - config.services.nginx = lib.mkIf (cfg.virtualHosts != [] && config.services.oauth2-proxy.enable) (lib.mkMerge ([ + config.services.nginx = lib.mkIf (cfg.virtualHosts != {} && config.services.oauth2-proxy.enable) (lib.mkMerge ([ { virtualHosts.${cfg.domain}.locations."/oauth2/" = { proxyPass = cfg.proxy; @@ -78,7 +78,7 @@ in ''; }; } - ] ++ lib.optional (cfg.virtualHosts != []) { + ] ++ lib.optional (cfg.virtualHosts != {}) { recommendedProxySettings = true; # needed because duplicate headers } ++ (lib.mapAttrsToList (vhost: conf: { virtualHosts.${vhost} = { diff --git a/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix b/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix index 075e64b743b1..3079a1d030c5 100644 --- a/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix +++ b/nixpkgs/nixos/modules/services/security/oauth2-proxy.nix @@ -17,7 +17,7 @@ let inherit (cfg.github) org team; }; }; - google = cfg: { google = with cfg.google; optionalAttrs (groups != []) { + google = cfg: { google = with cfg.google; lib.optionalAttrs (groups != []) { admin-email = adminEmail; service-account = serviceAccountJSON; group = groups; @@ -577,20 +577,22 @@ in users.groups.oauth2-proxy = {}; - systemd.services.oauth2-proxy = { - description = "OAuth2 Proxy"; - path = [ cfg.package ]; - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - - serviceConfig = { - User = "oauth2-proxy"; - Restart = "always"; - ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}"; - EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile; + systemd.services.oauth2-proxy = + let needsKeycloak = lib.elem cfg.provider ["keycloak" "keycloak-oidc"] + && config.services.keycloak.enable; + in { + description = "OAuth2 Proxy"; + path = [ cfg.package ]; + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ]; + after = [ "network-online.target" ] ++ lib.optionals needsKeycloak [ "keycloak.service" ]; + + serviceConfig = { + User = "oauth2-proxy"; + Restart = "always"; + ExecStart = "${cfg.package}/bin/oauth2-proxy ${configString}"; + EnvironmentFile = lib.mkIf (cfg.keyFile != null) cfg.keyFile; + }; }; - }; - }; } diff --git a/nixpkgs/nixos/modules/services/security/step-ca.nix b/nixpkgs/nixos/modules/services/security/step-ca.nix index c708cb2b8910..e9195fbd5160 100644 --- a/nixpkgs/nixos/modules/services/security/step-ca.nix +++ b/nixpkgs/nixos/modules/services/security/step-ca.nix @@ -107,7 +107,7 @@ in UMask = "0077"; Environment = "HOME=%S/step-ca"; WorkingDirectory = ""; # override upstream - ReadWriteDirectories = ""; # override upstream + ReadWritePaths = ""; # override upstream # LocalCredential handles file permission problems arising from the use of DynamicUser. LoadCredential = "intermediate_password:${cfg.intermediatePasswordFile}"; diff --git a/nixpkgs/nixos/modules/services/system/dbus.nix b/nixpkgs/nixos/modules/services/system/dbus.nix index 8dba0aca6433..26f4eba707f9 100644 --- a/nixpkgs/nixos/modules/services/system/dbus.nix +++ b/nixpkgs/nixos/modules/services/system/dbus.nix @@ -147,6 +147,10 @@ in }; systemd.services.dbus = { + aliases = [ + # hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus + "dbus-broker.service" + ]; # Don't restart dbus-daemon. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ @@ -158,6 +162,10 @@ in }; systemd.user.services.dbus = { + aliases = [ + # hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus + "dbus-broker.service" + ]; # Don't restart dbus-daemon. Bad things tend to happen if we do. reloadIfChanged = true; restartTriggers = [ @@ -184,6 +192,8 @@ in # https://github.com/NixOS/nixpkgs/issues/108643 systemd.services.dbus-broker = { aliases = [ + # allow other services to just depend on dbus, + # but also a hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus "dbus.service" ]; unitConfig = { @@ -203,6 +213,8 @@ in systemd.user.services.dbus-broker = { aliases = [ + # allow other services to just depend on dbus, + # but also a hack aiding to prevent dbus from restarting when switching from dbus-broker back to dbus "dbus.service" ]; # Don't restart dbus. Bad things tend to happen if we do. diff --git a/nixpkgs/nixos/modules/services/web-apps/artalk.nix b/nixpkgs/nixos/modules/services/web-apps/artalk.nix new file mode 100644 index 000000000000..d3d06f1521b6 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/artalk.nix @@ -0,0 +1,131 @@ +{ + config, + lib, + pkgs, + utils, + ... +}: +let + cfg = config.services.artalk; + settingsFormat = pkgs.formats.json { }; +in +{ + + meta = { + maintainers = with lib.maintainers; [ moraxyc ]; + }; + + options = { + services.artalk = { + enable = lib.mkEnableOption "artalk, a comment system"; + configFile = lib.mkOption { + type = lib.types.str; + default = "/etc/artalk/config.yml"; + description = "Artalk config file path. If it is not exist, Artalk will generate one."; + }; + allowModify = lib.mkOption { + type = lib.types.bool; + default = true; + description = "allow Artalk store the settings to config file persistently"; + }; + workdir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/artalk"; + description = "Artalk working directory"; + }; + user = lib.mkOption { + type = lib.types.str; + default = "artalk"; + description = "Artalk user name."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "artalk"; + description = "Artalk group name."; + }; + + package = lib.mkPackageOption pkgs "artalk" { }; + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = settingsFormat.type; + options = { + host = lib.mkOption { + type = lib.types.str; + default = "0.0.0.0"; + description = '' + Artalk server listen host + ''; + }; + port = lib.mkOption { + type = lib.types.port; + default = 23366; + description = '' + Artalk server listen port + ''; + }; + }; + }; + default = { }; + description = '' + The artalk configuration. + + If you set allowModify to true, Artalk will be able to store the settings in the config file persistently. This section's content will update in the config file after the service restarts. + + Options containing secret data should be set to an attribute set + containing the attribute `_secret` - a string pointing to a file + containing the value the option should be set to. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + users.users.artalk = lib.optionalAttrs (cfg.user == "artalk") { + description = "artalk user"; + isSystemUser = true; + group = cfg.group; + }; + users.groups.artalk = lib.optionalAttrs (cfg.group == "artalk") { }; + + environment.systemPackages = [ cfg.package ]; + + systemd.services.artalk = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + preStart = + '' + umask 0077 + ${utils.genJqSecretsReplacementSnippet cfg.settings "/run/artalk/new"} + '' + + ( + if cfg.allowModify then + '' + [ -e "${cfg.configFile}" ] || ${lib.getExe cfg.package} gen config "${cfg.configFile}" + cat "${cfg.configFile}" | ${lib.getExe pkgs.yj} > "/run/artalk/old" + ${lib.getExe pkgs.jq} -s '.[0] * .[1]' "/run/artalk/old" "/run/artalk/new" > "/run/artalk/result" + cat "/run/artalk/result" | ${lib.getExe pkgs.yj} -r > "${cfg.configFile}" + rm /run/artalk/{old,new,result} + '' + else + '' + cat /run/artalk/new | ${lib.getExe pkgs.yj} -r > "${cfg.configFile}" + rm /run/artalk/new + '' + ); + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "simple"; + ExecStart = "${lib.getExe cfg.package} server --config ${cfg.configFile} --workdir ${cfg.workdir} --host ${cfg.settings.host} --port ${builtins.toString cfg.settings.port}"; + Restart = "on-failure"; + RestartSec = "5s"; + ConfigurationDirectory = [ "artalk" ]; + StateDirectory = [ "artalk" ]; + RuntimeDirectory = [ "artalk" ]; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + ProtectHome = "yes"; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/commafeed.nix b/nixpkgs/nixos/modules/services/web-apps/commafeed.nix new file mode 100644 index 000000000000..354e3625bb99 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/commafeed.nix @@ -0,0 +1,114 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.services.commafeed; +in +{ + options.services.commafeed = { + enable = lib.mkEnableOption "CommaFeed"; + + package = lib.mkPackageOption pkgs "commafeed" { }; + + user = lib.mkOption { + type = lib.types.str; + description = "User under which CommaFeed runs."; + default = "commafeed"; + }; + + group = lib.mkOption { + type = lib.types.str; + description = "Group under which CommaFeed runs."; + default = "commafeed"; + }; + + stateDir = lib.mkOption { + type = lib.types.path; + description = "Directory holding all state for CommaFeed to run."; + default = "/var/lib/commafeed"; + }; + + environment = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.oneOf [ + lib.types.bool + lib.types.int + lib.types.str + ] + ); + description = '' + Extra environment variables passed to CommaFeed, refer to + <https://github.com/Athou/commafeed/blob/master/commafeed-server/config.yml.example> + for supported values. The default user is `admin` and the default password is `admin`. + Correct configuration for H2 database is already provided. + ''; + default = { }; + example = { + CF_SERVER_APPLICATIONCONNECTORS_0_TYPE = "http"; + CF_SERVER_APPLICATIONCONNECTORS_0_PORT = 9090; + }; + }; + + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + description = '' + Environment file as defined in {manpage}`systemd.exec(5)`. + ''; + default = null; + example = "/var/lib/commafeed/commafeed.env"; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.commafeed = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = lib.mapAttrs ( + _: v: if lib.isBool v then lib.boolToString v else toString v + ) cfg.environment; + serviceConfig = { + ExecStart = "${lib.getExe cfg.package} server ${cfg.package}/share/config.yml"; + User = cfg.user; + Group = cfg.group; + StateDirectory = baseNameOf cfg.stateDir; + WorkingDirectory = cfg.stateDir; + # Hardening + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + DynamicUser = true; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + } // lib.optionalAttrs (cfg.environmentFile != null) { EnvironmentFile = cfg.environmentFile; }; + }; + }; + + meta.maintainers = [ lib.maintainers.raroh73 ]; +} diff --git a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix index cf1282b3d4cf..6d472cf48cd0 100644 --- a/nixpkgs/nixos/modules/services/web-apps/keycloak.nix +++ b/nixpkgs/nixos/modules/services/web-apps/keycloak.nix @@ -466,7 +466,8 @@ in confFile = pkgs.writeText "keycloak.conf" (keycloakConfig filteredConfig); keycloakBuild = cfg.package.override { inherit confFile; - plugins = cfg.package.enabledPlugins ++ cfg.plugins; + plugins = cfg.package.enabledPlugins ++ cfg.plugins ++ + (with cfg.package.plugins; [quarkus-systemd-notify quarkus-systemd-notify-deployment]); }; in mkIf cfg.enable @@ -638,6 +639,8 @@ in RuntimeDirectory = "keycloak"; RuntimeDirectoryMode = "0700"; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + Type = "notify"; # Requires quarkus-systemd-notify plugin + NotifyAccess = "all"; }; script = '' set -o errexit -o pipefail -o nounset -o errtrace @@ -663,7 +666,7 @@ in '' + '' export KEYCLOAK_ADMIN=admin export KEYCLOAK_ADMIN_PASSWORD=${escapeShellArg cfg.initialAdminPassword} - kc.sh start --optimized + kc.sh --verbose start --optimized ''; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/miniflux.nix b/nixpkgs/nixos/modules/services/web-apps/miniflux.nix index d65d6db3cdaa..61243a63c582 100644 --- a/nixpkgs/nixos/modules/services/web-apps/miniflux.nix +++ b/nixpkgs/nixos/modules/services/web-apps/miniflux.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: -with lib; let + inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault; cfg = config.services.miniflux; defaultAddress = "localhost:8080"; @@ -20,8 +20,8 @@ in package = mkPackageOption pkgs "miniflux" { }; - createDatabaseLocally = lib.mkOption { - type = lib.types.bool; + createDatabaseLocally = mkOption { + type = types.bool; default = true; description = '' Whether a PostgreSQL database should be automatically created and @@ -66,6 +66,7 @@ in DATABASE_URL = lib.mkIf cfg.createDatabaseLocally "user=miniflux host=/run/postgresql dbname=miniflux"; RUN_MIGRATIONS = 1; CREATE_ADMIN = 1; + WATCHDOG = 1; }; services.postgresql = lib.mkIf cfg.createDatabaseLocally { @@ -96,12 +97,18 @@ in ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { - ExecStart = "${cfg.package}/bin/miniflux"; + Type = "notify"; + ExecStart = lib.getExe cfg.package; User = "miniflux"; DynamicUser = true; RuntimeDirectory = "miniflux"; RuntimeDirectoryMode = "0750"; EnvironmentFile = cfg.adminCredentialsFile; + WatchdogSec = 60; + WatchdogSignal = "SIGKILL"; + Restart = "always"; + RestartSec = 5; + # Hardening CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md index ec860d307b38..0b615deae44b 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.md +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.md @@ -205,11 +205,6 @@ it complains loudly now. So nothing actionable here by default. Alternatively yo * set [](#opt-services.nextcloud.settings.log_type) to "file" to be able to view logs from the admin panel. -### Your web server is not properly set up to resolve `.well-known` URLs, failed on: `/.well-known/caldav` {#module-services-nextcloud-warning-wellknown-caldav} - -This warning appearing seems to be an upstream issue and is being sorted out -in [nextcloud/server#45033](https://github.com/nextcloud/server/issues/45033). - ## Maintainer information {#module-services-nextcloud-maintainer-info} As stated in the previous paragraph, we must provide a clean upgrade-path for Nextcloud diff --git a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix index 21f76938f20c..91d03dc16077 100644 --- a/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixpkgs/nixos/modules/services/web-apps/nextcloud.nix @@ -797,7 +797,7 @@ in { config = mkIf cfg.enable (mkMerge [ { warnings = let - latest = 28; + latest = 29; upgradeWarning = major: nixos: '' A legacy Nextcloud install (from before NixOS ${nixos}) may be installed. @@ -939,6 +939,7 @@ in { in { wantedBy = [ "multi-user.target" ]; + wants = [ "nextcloud-update-db.service" ]; before = [ "phpfpm-nextcloud.service" ]; after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; requires = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; @@ -997,7 +998,7 @@ in { after = [ "nextcloud-setup.service" ]; environment.NEXTCLOUD_CONFIG_DIR = "${datadir}/config"; serviceConfig = { - Type = "oneshot"; + Type = "exec"; User = "nextcloud"; ExecCondition = "${lib.getExe phpPackage} -f ${webroot}/occ status -e"; ExecStart = "${lib.getExe phpPackage} -f ${webroot}/cron.php"; @@ -1013,6 +1014,20 @@ in { }; startAt = cfg.autoUpdateApps.startAt; }; + nextcloud-update-db = { + after = [ "nextcloud-setup.service" ]; + environment.NEXTCLOUD_CONFIG_DIR = "${datadir}/config"; + script = '' + ${occ}/bin/nextcloud-occ db:add-missing-columns + ${occ}/bin/nextcloud-occ db:add-missing-indices + ${occ}/bin/nextcloud-occ db:add-missing-primary-keys + ''; + serviceConfig = { + Type = "exec"; + User = "nextcloud"; + ExecCondition = "${lib.getExe phpPackage} -f ${webroot}/occ status -e"; + }; + }; }; services.phpfpm = { @@ -1105,10 +1120,10 @@ in { extraConfig = '' absolute_redirect off; location = /.well-known/carddav { - return 301 /remote.php/dav; + return 301 /remote.php/dav/; } location = /.well-known/caldav { - return 301 /remote.php/dav; + return 301 /remote.php/dav/; } location ~ ^/\.well-known/(?!acme-challenge|pki-validation) { return 301 /index.php$request_uri; diff --git a/nixpkgs/nixos/modules/services/web-apps/plausible.nix b/nixpkgs/nixos/modules/services/web-apps/plausible.nix index 8e49e591f75c..1f909bbd67a3 100644 --- a/nixpkgs/nixos/modules/services/web-apps/plausible.nix +++ b/nixpkgs/nixos/modules/services/web-apps/plausible.nix @@ -276,8 +276,11 @@ in { ${lib.optionalString (cfg.mail.smtp.passwordFile != null) ''export SMTP_USER_PWD="$(< $CREDENTIALS_DIRECTORY/SMTP_USER_PWD )"''} - # setup - ${cfg.package}/createdb.sh + ${lib.optionalString cfg.database.postgres.setup '' + # setup + ${cfg.package}/createdb.sh + ''} + ${cfg.package}/migrate.sh export IP_GEOLOCATION_DB=${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))" @@ -326,6 +329,6 @@ in { ]; }; - meta.maintainers = with maintainers; [ ]; + meta.maintainers = with maintainers; [ xanderio ]; meta.doc = ./plausible.md; } diff --git a/nixpkgs/nixos/modules/services/web-apps/pretalx.nix b/nixpkgs/nixos/modules/services/web-apps/pretalx.nix index b062a8b7eeea..1411d11982c8 100644 --- a/nixpkgs/nixos/modules/services/web-apps/pretalx.nix +++ b/nixpkgs/nixos/modules/services/web-apps/pretalx.nix @@ -11,20 +11,25 @@ let configFile = format.generate "pretalx.cfg" cfg.settings; - extras = cfg.package.optional-dependencies.redis - ++ lib.optionals (cfg.settings.database.backend == "mysql") cfg.package.optional-dependencies.mysql - ++ lib.optionals (cfg.settings.database.backend == "postgresql") cfg.package.optional-dependencies.postgres; - - pythonEnv = cfg.package.python.buildEnv.override { - extraLibs = [ (cfg.package.python.pkgs.toPythonModule cfg.package) ] - ++ (with cfg.package.python.pkgs; [ gunicorn ] - ++ lib.optional cfg.celery.enable celery) ++ extras; + finalPackage = cfg.package.override { + inherit (cfg) plugins; + }; + + pythonEnv = finalPackage.python.buildEnv.override { + extraLibs = with finalPackage.python.pkgs; [ + (toPythonModule finalPackage) + gunicorn + ] + ++ finalPackage.optional-dependencies.redis + ++ lib.optionals cfg.celery.enable [ celery ] + ++ lib.optionals (cfg.settings.database.backend == "mysql") finalPackage.optional-dependencies.mysql + ++ lib.optionals (cfg.settings.database.backend == "postgresql") finalPackage.optional-dependencies.postgres; }; in { meta = with lib; { - maintainers = teams.c3d2.members; + maintainers = with maintainers; [ hexa] ++ teams.c3d2.members; }; options.services.pretalx = { @@ -44,6 +49,20 @@ in description = "User under which pretalx should run."; }; + plugins = lib.mkOption { + type = with lib.types; listOf package; + default = []; + example = lib.literalExpression '' + with config.services.pretalx.package.plugins; [ + pages + youtube + ]; + ''; + description = '' + Pretalx plugins to install into the Python environment. + ''; + }; + gunicorn.extraArgs = lib.mkOption { type = with lib.types; listOf str; default = [ @@ -329,10 +348,47 @@ in serviceConfig = { User = "pretalx"; Group = "pretalx"; - StateDirectory = [ "pretalx" "pretalx/media" ]; + StateDirectory = [ + "pretalx" + "pretalx/media" + ]; + StateDirectoryMode = "0750"; LogsDirectory = "pretalx"; WorkingDirectory = cfg.settings.filesystem.data; SupplementaryGroups = [ "redis-pretalx" ]; + AmbientCapabilities = ""; + CapabilityBoundingSet = [ "" ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProcSubset = "pid"; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "@chown" + ]; + UMask = "0027"; }; }; in { @@ -395,6 +451,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${lib.getExe' pythonEnv "celery"} -A pretalx.celery_app worker ${cfg.celery.extraArgs}"; }); + + nginx.serviceConfig.SupplementaryGroups = lib.mkIf cfg.nginx.enable [ "pretalx" ]; }; systemd.sockets.pretalx-web.socketConfig = { @@ -403,11 +461,9 @@ in }; users = { - groups."${cfg.group}" = {}; - users."${cfg.user}" = { + groups.${cfg.group} = {}; + users.${cfg.user} = { isSystemUser = true; - createHome = true; - home = cfg.settings.filesystem.data; inherit (cfg) group; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/pretix.nix b/nixpkgs/nixos/modules/services/web-apps/pretix.nix index 22ee9769aa92..498face7456d 100644 --- a/nixpkgs/nixos/modules/services/web-apps/pretix.nix +++ b/nixpkgs/nixos/modules/services/web-apps/pretix.nix @@ -468,7 +468,7 @@ in StateDirectory = [ "pretix" ]; - StateDirectoryMode = "0755"; + StateDirectoryMode = "0750"; CacheDirectory = "pretix"; LogsDirectory = "pretix"; WorkingDirectory = cfg.settings.pretix.datadir; @@ -507,7 +507,7 @@ in "~@privileged" "@chown" ]; - UMask = "0022"; + UMask = "0027"; }; }; in { @@ -561,6 +561,8 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = "${getExe' pythonEnv "celery"} -A pretix.celery_app worker ${cfg.celery.extraArgs}"; }; + + nginx.serviceConfig.SupplementaryGroups = mkIf cfg.nginx.enable [ "pretix" ]; }; systemd.sockets.pretix-web.socketConfig = { @@ -569,11 +571,9 @@ in }; users = { - groups."${cfg.group}" = {}; - users."${cfg.user}" = { + groups.${cfg.group} = {}; + users.${cfg.user} = { isSystemUser = true; - createHome = true; - home = cfg.settings.pretix.datadir; inherit (cfg) group; }; }; diff --git a/nixpkgs/nixos/modules/services/web-apps/your_spotify.nix b/nixpkgs/nixos/modules/services/web-apps/your_spotify.nix new file mode 100644 index 000000000000..3eb2ffef4f93 --- /dev/null +++ b/nixpkgs/nixos/modules/services/web-apps/your_spotify.nix @@ -0,0 +1,191 @@ +{ + pkgs, + config, + lib, + ... +}: let + inherit + (lib) + boolToString + concatMapAttrs + concatStrings + isBool + mapAttrsToList + mkEnableOption + mkIf + mkOption + mkPackageOption + optionalAttrs + types + mkDefault + ; + cfg = config.services.your_spotify; + + configEnv = concatMapAttrs (name: value: + optionalAttrs (value != null) { + ${name} = + if isBool value + then boolToString value + else toString value; + }) + cfg.settings; + + configFile = pkgs.writeText "your_spotify.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); +in { + options.services.your_spotify = let + inherit (types) nullOr port str path package; + in { + enable = mkEnableOption "your_spotify"; + + enableLocalDB = mkEnableOption "a local mongodb instance"; + nginxVirtualHost = mkOption { + type = nullOr str; + default = null; + description = '' + If set creates an nginx virtual host for the client. + In most cases this should be the CLIENT_ENDPOINT without + protocol prefix. + ''; + }; + + package = mkPackageOption pkgs "your_spotify" {}; + + clientPackage = mkOption { + type = package; + description = "Client package to use."; + }; + + spotifySecretFile = mkOption { + type = path; + description = '' + A file containing the secret key of your Spotify application. + Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application). + ''; + }; + + settings = mkOption { + description = '' + Your Spotify Configuration. Refer to [Your Spotify](https://github.com/Yooooomi/your_spotify) for definitions and values. + ''; + example = lib.literalExpression '' + { + CLIENT_ENDPOINT = "https://example.com"; + API_ENDPOINT = "https://api.example.com"; + SPOTIFY_PUBLIC = "spotify_client_id"; + } + ''; + type = types.submodule { + freeformType = types.attrsOf types.str; + options = { + CLIENT_ENDPOINT = mkOption { + type = str; + description = '' + The endpoint of your web application. + Has to include a protocol Prefix (e.g. `http://`) + ''; + example = "https://your_spotify.example.org"; + }; + API_ENDPOINT = mkOption { + type = str; + description = '' + The endpoint of your server + This api has to be reachable from the device you use the website from not from the server. + This means that for example you may need two nginx virtual hosts if you want to expose this on the + internet. + Has to include a protocol Prefix (e.g. `http://`) + ''; + example = "https://localhost:3000"; + }; + SPOTIFY_PUBLIC = mkOption { + type = str; + description = '' + The public client ID of your Spotify application. + Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application) + ''; + }; + MONGO_ENDPOINT = mkOption { + type = str; + description = ''The endpoint of the Mongo database.''; + default = "mongodb://localhost:27017/your_spotify"; + }; + PORT = mkOption { + type = port; + description = "The port of the api server"; + default = 3000; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + services.your_spotify.clientPackage = mkDefault (cfg.package.client.override {apiEndpoint = cfg.settings.API_ENDPOINT;}); + systemd.services.your_spotify = { + after = ["network.target"]; + script = '' + export SPOTIFY_SECRET=$(< "$CREDENTIALS_DIRECTORY/SPOTIFY_SECRET") + ${lib.getExe' cfg.package "your_spotify_migrate"} + exec ${lib.getExe cfg.package} + ''; + serviceConfig = { + User = "your_spotify"; + Group = "your_spotify"; + DynamicUser = true; + EnvironmentFile = [configFile]; + StateDirectory = "your_spotify"; + LimitNOFILE = "1048576"; + PrivateTmp = true; + PrivateDevices = true; + StateDirectoryMode = "0700"; + Restart = "always"; + + LoadCredential = ["SPOTIFY_SECRET:${cfg.spotifySecretFile}"]; + + # Hardening + CapabilityBoundingSet = ""; + LockPersonality = true; + #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "@pkey" + ]; + UMask = "0077"; + }; + wantedBy = ["multi-user.target"]; + }; + services.nginx = mkIf (cfg.nginxVirtualHost != null) { + enable = true; + virtualHosts.${cfg.nginxVirtualHost} = { + root = cfg.clientPackage; + locations."/".extraConfig = '' + add_header Content-Security-Policy "frame-ancestors 'none';" ; + add_header X-Content-Type-Options "nosniff" ; + try_files = $uri $uri/ /index.html ; + ''; + }; + }; + services.mongodb = mkIf cfg.enableLocalDB { + enable = true; + }; + }; + meta.maintainers = with lib.maintainers; [patrickdag]; +} diff --git a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix index 08ce50bff62c..064a0c71b586 100644 --- a/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/caddy/default.nix @@ -360,14 +360,15 @@ in serviceConfig = let runOptions = ''--config ${configPath} ${optionalString (cfg.adapter != null) "--adapter ${cfg.adapter}"}''; in { + # Override the `ExecStart` line from upstream's systemd unit file by our own: # https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= # If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect. ExecStart = [ "" ''${cfg.package}/bin/caddy run ${runOptions} ${optionalString cfg.resume "--resume"}'' ]; # Validating the configuration before applying it ensures we’ll get a proper error that will be reported when switching to the configuration - ExecReload = [ "" ''${cfg.package}/bin/caddy reload ${runOptions} --force'' ]; + ExecReload = [ "" ] ++ lib.optional cfg.enableReload "${lib.getExe cfg.package} reload ${runOptions} --force"; User = cfg.user; Group = cfg.group; - ReadWriteDirectories = cfg.dataDir; + ReadWritePaths = [ cfg.dataDir ]; StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") [ "caddy" ]; LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") [ "caddy" ]; Restart = "on-failure"; diff --git a/nixpkgs/nixos/modules/services/web-servers/garage.nix b/nixpkgs/nixos/modules/services/web-servers/garage.nix index 39ea8f21b126..d2a5109e266a 100644 --- a/nixpkgs/nixos/modules/services/web-servers/garage.nix +++ b/nixpkgs/nixos/modules/services/web-servers/garage.nix @@ -52,13 +52,6 @@ in type = types.path; description = "The main data storage, put this on your large storage (e.g. high capacity HDD)"; }; - - replication_mode = mkOption { - default = "none"; - type = types.enum ([ "none" "1" "2" "3" "2-dangerous" "3-dangerous" "3-degraded" 1 2 3 ]); - apply = v: toString v; - description = "Garage replication mode, defaults to none, see: <https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#replication-mode> for reference."; - }; }; }; description = "Garage configuration, see <https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/> for reference."; @@ -71,6 +64,44 @@ in }; config = mkIf cfg.enable { + + assertions = [ + # We removed our module-level default for replication_mode. If a user upgraded + # to garage 1.0.0 while relying on the module-level default, they would be left + # with a config which evaluates and builds, but then garage refuses to start + # because either replication_factor or replication_mode is required. + # The replication_factor option also was `toString`'ed before, which is + # now not possible anymore, so we prompt the user to change it to a string + # if present. + # These assertions can be removed in NixOS 24.11, when all users have been + # warned once. + { + assertion = (cfg.settings ? replication_factor || cfg.settings ? replication_mode) || lib.versionOlder cfg.package "1.0.0"; + message = '' + Garage 1.0.0 requires an explicit replication factor to be set. + Please set replication_factor to 1 explicitly to preserve the previous behavior. + https://git.deuxfleurs.fr/Deuxfleurs/garage/src/tag/v1.0.0/doc/book/reference-manual/configuration.md#replication_factor + + ''; + } + { + assertion = lib.isString (cfg.settings.replication_mode or ""); + message = '' + The explicit `replication_mode` option in `services.garage.settings` + has been removed and is now handled by the freeform settings in order + to allow it being completely absent (for Garage 1.x). + That module option previously `toString`'ed the value it's configured + with, which is now no longer possible. + + You're still using a non-string here, please manually set it to + a string, or migrate to the separate setting keys introduced in 1.x. + + Refer to https://garagehq.deuxfleurs.fr/documentation/working-documents/migration-1/ + for the migration guide. + ''; + } + ]; + environment.etc."garage.toml" = { source = configFile; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix index 08fab09e1e55..f9720c362935 100644 --- a/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixpkgs/nixos/modules/services/web-servers/nginx/default.nix @@ -142,7 +142,11 @@ let default_type application/octet-stream; ''; - configFile = pkgs.writers.writeNginxConfig "nginx.conf" '' + configFile = ( + if cfg.validateConfigFile + then pkgs.writers.writeNginxConfig + else pkgs.writeText + ) "nginx.conf" '' pid /run/nginx/nginx.pid; error_log ${cfg.logError}; daemon off; @@ -352,7 +356,7 @@ let # The acme-challenge location doesn't need to be added if we are not using any automated # certificate provisioning and can also be omitted when we use a certificate obtained via a DNS-01 challenge - acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhostName; + acmeName = if vhost.useACMEHost != null then vhost.useACMEHost else vhost.serverName; acmeLocation = optionalString ((vhost.enableACME || vhost.useACMEHost != null) && config.security.acme.certs.${acmeName}.dnsProvider == null) # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx) # We use ^~ here, so that we don't check any regexes (which could @@ -1082,6 +1086,9 @@ in ''; description = "Declarative vhost config"; }; + validateConfigFile = lib.mkEnableOption '' + Validate configuration with pkgs.writeNginxConfig. + '' // { default = true; }; }; }; diff --git a/nixpkgs/nixos/modules/services/web-servers/traefik.nix b/nixpkgs/nixos/modules/services/web-servers/traefik.nix index 9c53455bcf3d..1a65ce21112e 100644 --- a/nixpkgs/nixos/modules/services/web-servers/traefik.nix +++ b/nixpkgs/nixos/modules/services/web-servers/traefik.nix @@ -170,7 +170,7 @@ in { PrivateDevices = true; ProtectHome = true; ProtectSystem = "full"; - ReadWriteDirectories = cfg.dataDir; + ReadWritePaths = [ cfg.dataDir ]; RuntimeDirectory = "traefik"; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix index 482527d1e8ad..2e0eef67c0b3 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix @@ -157,6 +157,7 @@ in # packages nemo-with-extensions + gnome-online-accounts-gtk cinnamon-control-center cinnamon-settings-daemon libgnomekbd diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix index ce300431d47c..fe50d930b5af 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix @@ -343,10 +343,6 @@ in services.avahi.enable = mkDefault true; - xdg.portal.extraPortals = [ - pkgs.gnome.gnome-shell - ]; - services.geoclue2.enable = mkDefault true; services.geoclue2.enableDemoAgent = false; # GNOME has its own geoclue agent diff --git a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix index beae07b70dbf..19235be4aa8d 100644 --- a/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix @@ -84,6 +84,7 @@ in programs.system-config-printer.enable = (mkIf config.services.printing.enable (mkDefault true)); services.gnome.at-spi2-core.enable = true; + services.gnome.glib-networking.enable = true; services.gnome.gnome-keyring.enable = true; services.udev.packages = [ pkgs.mate.mate-settings-daemon ]; services.gvfs.enable = true; diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix b/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix index 5500c77a038b..09b49962f2ad 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix @@ -10,7 +10,7 @@ in options = { services.xserver.windowManager.clfswm = { enable = mkEnableOption "clfswm"; - package = mkPackageOption pkgs [ "lispPackages" "clfswm" ] { }; + package = mkPackageOption pkgs [ "sbclPackages" "clfswm" ] { }; }; }; diff --git a/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix b/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix index 78152283a0a5..700ead836600 100644 --- a/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix +++ b/nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix @@ -4,7 +4,6 @@ with lib; let cfg = config.services.xserver.windowManager.qtile; - pyEnv = pkgs.python3.withPackages (p: [ (cfg.package.unwrapped or cfg.package) ] ++ (cfg.extraPackages p)); in { @@ -48,13 +47,24 @@ in ]; ''; }; + + finalPackage = mkOption { + type = types.package; + visible = false; + readOnly = true; + description = "The resulting Qtile package, bundled with extra packages"; + }; }; config = mkIf cfg.enable { + services.xserver.windowManager.qtile.finalPackage = pkgs.python3.withPackages (p: + [ (cfg.package.unwrapped or cfg.package) ] ++ (cfg.extraPackages p) + ); + services.xserver.windowManager.session = [{ name = "qtile"; start = '' - ${pyEnv}/bin/qtile start -b ${cfg.backend} \ + ${cfg.finalPackage}/bin/qtile start -b ${cfg.backend} \ ${optionalString (cfg.configFile != null) "--config \"${cfg.configFile}\""} & waitPID=$! diff --git a/nixpkgs/nixos/modules/services/x11/xserver.nix b/nixpkgs/nixos/modules/services/x11/xserver.nix index e13c27374670..5a86d055c271 100644 --- a/nixpkgs/nixos/modules/services/x11/xserver.nix +++ b/nixpkgs/nixos/modules/services/x11/xserver.nix @@ -728,9 +728,6 @@ in rm -f /tmp/.X0-lock ''; - # TODO: move declaring the systemd service to its own mkIf - script = mkIf (config.systemd.services.display-manager.enable == true) "${config.services.displayManager.execCmd}"; - # Stop restarting if the display manager stops (crashes) 2 times # in one minute. Starting X typically takes 3-4s. startLimitIntervalSec = 30; diff --git a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl index ba45231465fb..cabc1dcc2d65 100755 --- a/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl +++ b/nixpkgs/nixos/modules/system/activation/switch-to-configuration.pl @@ -472,6 +472,9 @@ sub handle_modified_unit { ## no critic(Subroutines::ProhibitManyArgs, Subroutin $units_to_reload->{$unit} = 1; record_unit($reload_list_file, $unit); } + elsif ($unit eq "dbus.service" || $unit eq "dbus-broker.service") { + # dbus service should only ever be reloaded, not started/stoped/restarted as that would break the system. + } elsif (!parse_systemd_bool(\%new_unit_info, "Service", "X-RestartIfChanged", 1) || parse_systemd_bool(\%new_unit_info, "Unit", "RefuseManualStop", 0) || parse_systemd_bool(\%new_unit_info, "Unit", "X-OnlyManualStart", 0)) { $units_to_skip->{$unit} = 1; } else { diff --git a/nixpkgs/nixos/modules/system/activation/switchable-system.nix b/nixpkgs/nixos/modules/system/activation/switchable-system.nix index d5bd8cc1dc11..d70fefd0920b 100644 --- a/nixpkgs/nixos/modules/system/activation/switchable-system.nix +++ b/nixpkgs/nixos/modules/system/activation/switchable-system.nix @@ -4,52 +4,93 @@ let perlWrapped = pkgs.perl.withPackages (p: with p; [ ConfigIniFiles FileSlurp ]); + description = extra: '' + Whether to include the capability to switch configurations. + + Disabling this makes the system unable to be reconfigured via `nixos-rebuild`. + + ${extra} + ''; + in { - options = { - system.switch.enable = lib.mkOption { + options.system.switch = { + enable = lib.mkOption { type = lib.types.bool; default = true; - description = '' - Whether to include the capability to switch configurations. - - Disabling this makes the system unable to be reconfigured via `nixos-rebuild`. - + description = description '' This is good for image based appliances where updates are handled outside the image. Reducing features makes the image lighter and slightly more secure. ''; }; - }; - config = lib.mkIf config.system.switch.enable { - system.activatableSystemBuilderCommands = '' - mkdir $out/bin - substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \ - --subst-var out \ - --subst-var-by toplevel ''${!toplevelVar} \ - --subst-var-by coreutils "${pkgs.coreutils}" \ - --subst-var-by distroId ${lib.escapeShellArg config.system.nixos.distroId} \ - --subst-var-by installBootLoader ${lib.escapeShellArg config.system.build.installBootLoader} \ - --subst-var-by localeArchive "${config.i18n.glibcLocales}/lib/locale/locale-archive" \ - --subst-var-by perl "${perlWrapped}" \ - --subst-var-by shell "${pkgs.bash}/bin/sh" \ - --subst-var-by su "${pkgs.shadow.su}/bin/su" \ - --subst-var-by systemd "${config.systemd.package}" \ - --subst-var-by utillinux "${pkgs.util-linux}" \ - ; - - chmod +x $out/bin/switch-to-configuration - ${lib.optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) '' - if ! output=$(${perlWrapped}/bin/perl -c $out/bin/switch-to-configuration 2>&1); then - echo "switch-to-configuration syntax is not valid:" - echo "$output" - exit 1 - fi - ''} - ''; + enableNg = lib.mkOption { + type = lib.types.bool; + default = false; + description = description '' + Whether to use `switch-to-configuration-ng`, an experimental + re-implementation of `switch-to-configuration` with the goal of + replacing the original. + ''; + }; }; + config = lib.mkMerge [ + { + assertions = [{ + assertion = with config.system.switch; enable -> !enableNg; + message = "Only one of system.switch.enable and system.switch.enableNg may be enabled at a time"; + }]; + } + (lib.mkIf config.system.switch.enable { + system.activatableSystemBuilderCommands = '' + mkdir $out/bin + substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \ + --subst-var out \ + --subst-var-by toplevel ''${!toplevelVar} \ + --subst-var-by coreutils "${pkgs.coreutils}" \ + --subst-var-by distroId ${lib.escapeShellArg config.system.nixos.distroId} \ + --subst-var-by installBootLoader ${lib.escapeShellArg config.system.build.installBootLoader} \ + --subst-var-by localeArchive "${config.i18n.glibcLocales}/lib/locale/locale-archive" \ + --subst-var-by perl "${perlWrapped}" \ + --subst-var-by shell "${pkgs.bash}/bin/sh" \ + --subst-var-by su "${pkgs.shadow.su}/bin/su" \ + --subst-var-by systemd "${config.systemd.package}" \ + --subst-var-by utillinux "${pkgs.util-linux}" \ + ; + + chmod +x $out/bin/switch-to-configuration + ${lib.optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) '' + if ! output=$(${perlWrapped}/bin/perl -c $out/bin/switch-to-configuration 2>&1); then + echo "switch-to-configuration syntax is not valid:" + echo "$output" + exit 1 + fi + ''} + ''; + }) + (lib.mkIf config.system.switch.enableNg { + # Use a subshell so we can source makeWrapper's setup hook without + # affecting the rest of activatableSystemBuilderCommands. + system.activatableSystemBuilderCommands = '' + ( + source ${pkgs.buildPackages.makeWrapper}/nix-support/setup-hook + + mkdir $out/bin + ln -sf ${lib.getExe pkgs.switch-to-configuration-ng} $out/bin/switch-to-configuration + wrapProgram $out/bin/switch-to-configuration \ + --set OUT $out \ + --set TOPLEVEL ''${!toplevelVar} \ + --set DISTRO_ID ${lib.escapeShellArg config.system.nixos.distroId} \ + --set INSTALL_BOOTLOADER ${lib.escapeShellArg config.system.build.installBootLoader} \ + --set LOCALE_ARCHIVE ${config.i18n.glibcLocales}/lib/locale/locale-archive \ + --set SYSTEMD ${config.systemd.package} + ) + ''; + }) + ]; + } diff --git a/nixpkgs/nixos/modules/system/activation/test.nix b/nixpkgs/nixos/modules/system/activation/test.nix index 8cf000451c6e..fd251d528957 100644 --- a/nixpkgs/nixos/modules/system/activation/test.nix +++ b/nixpkgs/nixos/modules/system/activation/test.nix @@ -5,7 +5,7 @@ }: let node-forbiddenDependencies-fail = nixos ({ ... }: { - system.forbiddenDependenciesRegex = "-dev$"; + system.forbiddenDependenciesRegexes = ["-dev$"]; environment.etc."dev-dependency" = { text = "${expect.dev}"; }; @@ -14,7 +14,7 @@ let boot.loader.grub.enable = false; }); node-forbiddenDependencies-succeed = nixos ({ ... }: { - system.forbiddenDependenciesRegex = "-dev$"; + system.forbiddenDependenciesRegexes = ["-dev$"]; system.extraDependencies = [ expect.dev ]; documentation.enable = false; fileSystems."/".device = "ignore-root-device"; diff --git a/nixpkgs/nixos/modules/system/activation/top-level.nix b/nixpkgs/nixos/modules/system/activation/top-level.nix index 4cf3012646fa..ed0ece19f2fa 100644 --- a/nixpkgs/nixos/modules/system/activation/top-level.nix +++ b/nixpkgs/nixos/modules/system/activation/top-level.nix @@ -86,6 +86,7 @@ in ../build.nix (mkRemovedOptionModule [ "nesting" "clone" ] "Use `specialisation.«name» = { inheritParentConfig = true; configuration = { ... }; }` instead.") (mkRemovedOptionModule [ "nesting" "children" ] "Use `specialisation.«name».configuration = { ... }` instead.") + (mkRenamedOptionModule [ "system" "forbiddenDependenciesRegex" ] [ "system" "forbiddenDependenciesRegexes" ]) ]; options = { @@ -160,12 +161,12 @@ in ''; }; - system.forbiddenDependenciesRegex = mkOption { - default = ""; - example = "-dev$"; - type = types.str; + system.forbiddenDependenciesRegexes = mkOption { + default = []; + example = ["-dev$"]; + type = types.listOf types.str; description = '' - A POSIX Extended Regular Expression that matches store paths that + POSIX Extended Regular Expressions that match store paths that should not appear in the system closure, with the exception of {option}`system.extraDependencies`, which is not checked. ''; }; @@ -289,15 +290,14 @@ in "$out/configuration.nix" '' + optionalString - (config.system.forbiddenDependenciesRegex != "") - '' - if [[ $forbiddenDependenciesRegex != "" && -n $closureInfo ]]; then - if forbiddenPaths="$(grep -E -- "$forbiddenDependenciesRegex" $closureInfo/store-paths)"; then + (config.system.forbiddenDependenciesRegexes != []) (lib.concatStringsSep "\n" (map (regex: '' + if [[ ${regex} != "" && -n $closureInfo ]]; then + if forbiddenPaths="$(grep -E -- "${regex}" $closureInfo/store-paths)"; then echo -e "System closure $out contains the following disallowed paths:\n$forbiddenPaths" exit 1 fi fi - ''; + '') config.system.forbiddenDependenciesRegexes)); system.systemBuilderArgs = { @@ -319,8 +319,7 @@ in # option, as opposed to `system.extraDependencies`. passedChecks = concatStringsSep " " config.system.checks; } - // lib.optionalAttrs (config.system.forbiddenDependenciesRegex != "") { - inherit (config.system) forbiddenDependenciesRegex; + // lib.optionalAttrs (config.system.forbiddenDependenciesRegexes != []) { closureInfo = pkgs.closureInfo { rootPaths = [ # override to avoid infinite recursion (and to allow using extraDependencies to add forbidden dependencies) (config.system.build.toplevel.overrideAttrs (_: { extraDependencies = []; closureInfo = null; })) diff --git a/nixpkgs/nixos/modules/system/boot/binfmt.nix b/nixpkgs/nixos/modules/system/boot/binfmt.nix index 3605ce56910e..1d702442f7f6 100644 --- a/nixpkgs/nixos/modules/system/boot/binfmt.nix +++ b/nixpkgs/nixos/modules/system/boot/binfmt.nix @@ -280,7 +280,7 @@ in { }; config = { - boot.binfmt.registrations = builtins.listToAttrs (map (system: { + boot.binfmt.registrations = builtins.listToAttrs (map (system: assert system != pkgs.stdenv.hostPlatform.system; { name = system; value = { config, ... }: let interpreter = getEmulator system; diff --git a/nixpkgs/nixos/modules/system/boot/networkd.nix b/nixpkgs/nixos/modules/system/boot/networkd.nix index bb899c8d8999..7f53efbf83f5 100644 --- a/nixpkgs/nixos/modules/system/boot/networkd.nix +++ b/nixpkgs/nixos/modules/system/boot/networkd.nix @@ -17,11 +17,13 @@ let "ManageForeignRoutingPolicyRules" "ManageForeignRoutes" "RouteTable" + "IPv6PrivacyExtensions" ]) (assertValueOneOf "SpeedMeter" boolValues) (assertInt "SpeedMeterIntervalSec") (assertValueOneOf "ManageForeignRoutingPolicyRules" boolValues) (assertValueOneOf "ManageForeignRoutes" boolValues) + (assertValueOneOf "IPv6PrivacyExtensions" (boolValues ++ ["prefer-public" "kernel"])) ]; sectionDHCPv4 = checkUnitConfig "DHCPv4" [ diff --git a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix index cc32b2a15e7c..6107a2594baf 100644 --- a/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixpkgs/nixos/modules/system/boot/systemd/initrd.nix @@ -473,8 +473,8 @@ in { "${cfg.package.util-linux}/bin/umount" "${cfg.package.util-linux}/bin/sulogin" - # required for script services - "${pkgs.runtimeShell}" + # required for script services, and some tools like xfs still want the sh symlink + "${pkgs.bash}/bin" # so NSS can look up usernames "${pkgs.glibc}/lib/libnss_files.so.2" diff --git a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix index 2c749d45d7a1..b75817a011cb 100644 --- a/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixpkgs/nixos/modules/tasks/filesystems/zfs.nix @@ -441,21 +441,45 @@ in {manpage}`systemd.time(7)`. ''; }; + + randomizedDelaySec = mkOption { + default = "6h"; + type = types.str; + example = "12h"; + description = '' + Add a randomized delay before each ZFS trim. + The delay will be chosen between zero and this value. + This value must be a time span in the format specified by + {manpage}`systemd.time(7)` + ''; + }; }; services.zfs.autoScrub = { enable = mkEnableOption "periodic scrubbing of ZFS pools"; interval = mkOption { - default = "Sun, 02:00"; + default = "monthly"; type = types.str; - example = "daily"; + example = "quarterly"; description = '' Systemd calendar expression when to scrub ZFS pools. See {manpage}`systemd.time(7)`. ''; }; + randomizedDelaySec = mkOption { + default = "6h"; + type = types.str; + example = "12h"; + description = '' + Add a randomized delay before each ZFS autoscrub. + The delay will be chosen between zero and this value. + This value must be a time span in the format specified by + {manpage}`systemd.time(7)` + ''; + }; + pools = mkOption { default = []; type = types.listOf types.str; @@ -862,6 +886,7 @@ in timerConfig = { OnCalendar = cfgScrub.interval; Persistent = "yes"; + RandomizedDelaySec = cfgScrub.randomizedDelaySec; }; }; }) @@ -879,7 +904,10 @@ in serviceConfig.ExecStart = "${pkgs.runtimeShell} -c 'for pool in $(zpool list -H -o name); do zpool trim $pool; done || true' "; }; - systemd.timers.zpool-trim.timerConfig.Persistent = "yes"; + systemd.timers.zpool-trim.timerConfig = { + Persistent = "yes"; + RandomizedDelaySec = cfgTrim.randomizedDelaySec; + }; }) ]; } diff --git a/nixpkgs/nixos/modules/testing/test-instrumentation.nix b/nixpkgs/nixos/modules/testing/test-instrumentation.nix index 28abbe66adaf..2b365bc55585 100644 --- a/nixpkgs/nixos/modules/testing/test-instrumentation.nix +++ b/nixpkgs/nixos/modules/testing/test-instrumentation.nix @@ -218,6 +218,8 @@ in services.displayManager.logToJournal = true; + services.logrotate.enable = mkOverride 150 false; + # Make sure we use the Guest Agent from the QEMU package for testing # to reduce the closure size required for the tests. services.qemuGuest.package = pkgs.qemu_test.ga; diff --git a/nixpkgs/nixos/modules/virtualisation/containers.nix b/nixpkgs/nixos/modules/virtualisation/containers.nix index 65620dd3935b..c3639f660dfe 100644 --- a/nixpkgs/nixos/modules/virtualisation/containers.nix +++ b/nixpkgs/nixos/modules/virtualisation/containers.nix @@ -53,13 +53,6 @@ in storage.settings = mkOption { type = toml.type; - default = { - storage = { - driver = "overlay"; - graphroot = "/var/lib/containers/storage"; - runroot = "/run/containers/storage"; - }; - }; description = "storage.conf configuration"; }; @@ -124,6 +117,12 @@ in }; }; + virtualisation.containers.storage.settings.storage = { + driver = lib.mkDefault "overlay"; + graphroot = lib.mkDefault "/var/lib/containers/storage"; + runroot = lib.mkDefault "/run/containers/storage"; + }; + environment.etc = { "containers/containers.conf".source = toml.generate "containers.conf" cfg.containersConf.settings; diff --git a/nixpkgs/nixos/modules/virtualisation/incus.nix b/nixpkgs/nixos/modules/virtualisation/incus.nix index 4d04853d20a5..87568390bd3b 100644 --- a/nixpkgs/nixos/modules/virtualisation/incus.nix +++ b/nixpkgs/nixos/modules/virtualisation/incus.nix @@ -105,6 +105,37 @@ let path = "${pkgs.OVMFFull.fd}/FV/${ovmf-prefix}_VARS.fd"; } ]; + + environment = lib.mkMerge [ + { + INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; + INCUS_OVMF_PATH = ovmf; + INCUS_USBIDS_PATH = "${pkgs.hwdata}/share/hwdata/usb.ids"; + PATH = lib.mkForce serverBinPath; + } + (lib.mkIf (cfg.ui.enable) { "INCUS_UI" = cfg.ui.package; }) + ]; + + incus-startup = pkgs.writeShellScript "incus-startup" '' + case "$1" in + start) + systemctl is-active incus.service -q && exit 0 + exec incusd activateifneeded + ;; + + stop) + systemctl is-active incus.service -q || exit 0 + exec incusd shutdown + ;; + + *) + echo "unknown argument \`$1'" >&2 + exit 1 + ;; + esac + + exit 0 + ''; in { meta = { @@ -137,6 +168,14 @@ in description = "The incus client package to use. This package is added to PATH."; }; + softDaemonRestart = lib.mkOption { + type = lib.types.bool; + default = true; + description = '' + Allow for incus.service to be stopped without affecting running instances. + ''; + }; + preseed = lib.mkOption { type = lib.types.nullOr (lib.types.submodule { freeformType = preseedFormat.type; }); @@ -282,6 +321,8 @@ in systemd.services.incus = { description = "Incus Container and Virtual Machine Management Daemon"; + inherit environment; + wantedBy = lib.mkIf (!cfg.socketActivation) [ "multi-user.target" ]; after = [ "network-online.target" @@ -296,20 +337,10 @@ in wants = [ "network-online.target" ]; - environment = lib.mkMerge [ - { - INCUS_LXC_TEMPLATE_CONFIG = "${pkgs.lxcfs}/share/lxc/config"; - INCUS_OVMF_PATH = ovmf; - INCUS_USBIDS_PATH = "${pkgs.hwdata}/share/hwdata/usb.ids"; - PATH = lib.mkForce serverBinPath; - } - (lib.mkIf (cfg.ui.enable) { "INCUS_UI" = cfg.ui.package; }) - ]; - serviceConfig = { ExecStart = "${cfg.package}/bin/incusd --group incus-admin"; ExecStartPost = "${cfg.package}/bin/incusd waitready --timeout=${cfg.startTimeout}"; - ExecStop = "${cfg.package}/bin/incus admin shutdown"; + ExecStop = lib.optionalString (!cfg.softDaemonRestart) "${cfg.package}/bin/incus admin shutdown"; KillMode = "process"; # when stopping, leave the containers alone Delegate = "yes"; @@ -324,6 +355,27 @@ in }; }; + systemd.services.incus-startup = lib.mkIf cfg.softDaemonRestart { + description = "Incus Instances Startup/Shutdown"; + + inherit environment; + + after = [ + "incus.service" + "incus.socket" + ]; + requires = [ "incus.socket" ]; + + serviceConfig = { + ExecStart = "${incus-startup} start"; + ExecStop = "${incus-startup} stop"; + RemainAfterExit = true; + TimeoutStartSec = "600s"; + TimeoutStopSec = "600s"; + Type = "oneshot"; + }; + }; + systemd.sockets.incus = { description = "Incus UNIX socket"; wantedBy = [ "sockets.target" ]; diff --git a/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix b/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix index 2c0568b4c468..38d955798f3e 100644 --- a/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix +++ b/nixpkgs/nixos/modules/virtualisation/lxc-image-metadata.nix @@ -87,10 +87,10 @@ in { contents = [ { source = toYAML "metadata.yaml" { - architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.system)) 0; + architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.stdenv.hostPlatform.system)) 0; creation_date = 1; properties = { - description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}"; + description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.stdenv.hostPlatform.system}"; os = "${config.system.nixos.distroId}"; release = "${config.system.nixos.codeName}"; }; diff --git a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix index c30f4577fdd8..3b81cfaf2b8c 100644 --- a/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix @@ -912,7 +912,7 @@ in "ppc64-linux" = "tpm-spapr"; "armv7-linux" = "tpm-tis-device"; "aarch64-linux" = "tpm-tis-device"; - }.${pkgs.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU")); + }.${pkgs.stdenv.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU")); defaultText = '' Based on the guest platform Linux system: diff --git a/nixpkgs/nixos/release-combined.nix b/nixpkgs/nixos/release-combined.nix index d1773da9afa6..19223d46f6b9 100644 --- a/nixpkgs/nixos/release-combined.nix +++ b/nixpkgs/nixos/release-combined.nix @@ -43,7 +43,7 @@ in rec { name = "nixos-${nixos.channel.version}"; meta = { description = "Release-critical builds for the NixOS channel"; - maintainers = with pkgs.lib.maintainers; [ eelco ]; + maintainers = with pkgs.lib.maintainers; [ ]; }; constituents = pkgs.lib.concatLists [ [ "nixos.channel" ] @@ -112,7 +112,7 @@ in rec { (onFullSupported "nixos.tests.latestKernel.login") (onFullSupported "nixos.tests.lightdm") (onFullSupported "nixos.tests.login") - (onFullSupported "nixos.tests.misc") + (onFullSupported "nixos.tests.misc.default") (onFullSupported "nixos.tests.mutableUsers") (onFullSupported "nixos.tests.nat.firewall") (onFullSupported "nixos.tests.nat.standalone") diff --git a/nixpkgs/nixos/release-small.nix b/nixpkgs/nixos/release-small.nix index 091c2b1f305b..b87a58f5eee8 100644 --- a/nixpkgs/nixos/release-small.nix +++ b/nixpkgs/nixos/release-small.nix @@ -98,7 +98,7 @@ in rec { name = "nixos-${nixos.channel.version}"; meta = { description = "Release-critical builds for the NixOS channel"; - maintainers = [ lib.maintainers.eelco ]; + maintainers = [ ]; }; constituents = lib.flatten [ [ @@ -124,7 +124,7 @@ in rec { "nixos.tests.firewall" "nixos.tests.ipv6" "nixos.tests.login" - "nixos.tests.misc" + "nixos.tests.misc.default" "nixos.tests.nat.firewall" "nixos.tests.nat.standalone" "nixos.tests.nfs4.simple" diff --git a/nixpkgs/nixos/tests/acme.nix b/nixpkgs/nixos/tests/acme.nix index d63a77fcdd23..511d3c589fae 100644 --- a/nixpkgs/nixos/tests/acme.nix +++ b/nixpkgs/nixos/tests/acme.nix @@ -99,7 +99,14 @@ serverAliases = [ "${server}-wildcard-alias.example.test" ]; useACMEHost = "example.test"; }; - }; + } // (lib.optionalAttrs (server == "nginx") { + # The nginx module supports using a different key than the hostname + different-key = vhostBaseData // { + serverName = "${server}-different-key.example.test"; + serverAliases = [ "${server}-different-key-alias.example.test" ]; + enableACME = true; + }; + }); }; # Used to determine if service reload was triggered @@ -653,20 +660,20 @@ in { webserver.succeed("systemctl restart caddy.service") check_connection_key_bits(client, "a.example.test", "384") - domains = ["http", "dns", "wildcard"] - for server, logsrc in [ - ("nginx", "journalctl -n 30 -u nginx.service"), - ("httpd", "tail -n 30 /var/log/httpd/*.log"), + common_domains = ["http", "dns", "wildcard"] + for server, logsrc, domains in [ + ("nginx", "journalctl -n 30 -u nginx.service", common_domains + ["different-key"]), + ("httpd", "tail -n 30 /var/log/httpd/*.log", common_domains), ]: wait_for_server = lambda: webserver.wait_for_unit(f"{server}.service") with subtest(f"Works with {server}"): try: switch_to(webserver, server) - # Skip wildcard domain for this check ([:-1]) - for domain in domains[:-1]: - webserver.wait_for_unit( - f"acme-finished-{server}-{domain}.example.test.target" - ) + for domain in domains: + if domain != "wildcard": + webserver.wait_for_unit( + f"acme-finished-{server}-{domain}.example.test.target" + ) except Exception as err: _, output = webserver.execute( f"{logsrc} && ls -al /var/lib/acme/acme-challenge" @@ -676,8 +683,9 @@ in { wait_for_server() - for domain in domains[:-1]: - check_issuer(webserver, f"{server}-{domain}.example.test", "pebble") + for domain in domains: + if domain != "wildcard": + check_issuer(webserver, f"{server}-{domain}.example.test", "pebble") for domain in domains: check_connection(client, f"{server}-{domain}.example.test") check_connection(client, f"{server}-{domain}-alias.example.test") diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index d4da32c44990..10daa1bbf6d2 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -130,6 +130,7 @@ in { apparmor = handleTest ./apparmor.nix {}; archi = handleTest ./archi.nix {}; armagetronad = handleTest ./armagetronad.nix {}; + artalk = handleTest ./artalk.nix {}; atd = handleTest ./atd.nix {}; atop = handleTest ./atop.nix {}; atuin = handleTest ./atuin.nix {}; @@ -144,6 +145,7 @@ in { bcachefs = handleTestOn ["x86_64-linux" "aarch64-linux"] ./bcachefs.nix {}; beanstalkd = handleTest ./beanstalkd.nix {}; bees = handleTest ./bees.nix {}; + benchexec = handleTest ./benchexec.nix {}; binary-cache = handleTest ./binary-cache.nix {}; bind = handleTest ./bind.nix {}; bird = handleTest ./bird.nix {}; @@ -204,6 +206,7 @@ in { code-server = handleTest ./code-server.nix {}; coder = handleTest ./coder.nix {}; collectd = handleTest ./collectd.nix {}; + commafeed = handleTest ./commafeed.nix {}; connman = handleTest ./connman.nix {}; consul = handleTest ./consul.nix {}; consul-template = handleTest ./consul-template.nix {}; @@ -243,6 +246,7 @@ in { deepin = handleTest ./deepin.nix {}; deluge = handleTest ./deluge.nix {}; dendrite = handleTest ./matrix/dendrite.nix {}; + devpi-server = handleTest ./devpi-server.nix {}; dex-oidc = handleTest ./dex-oidc.nix {}; dhparams = handleTest ./dhparams.nix {}; disable-installer-tools = handleTest ./disable-installer-tools.nix {}; @@ -424,7 +428,8 @@ in { icingaweb2 = handleTest ./icingaweb2.nix {}; iftop = handleTest ./iftop.nix {}; incron = handleTest ./incron.nix {}; - incus = pkgs.recurseIntoAttrs (handleTest ./incus { inherit handleTestOn; }); + incus = pkgs.recurseIntoAttrs (handleTest ./incus { inherit handleTestOn; inherit (pkgs) incus; }); + incus-lts = pkgs.recurseIntoAttrs (handleTest ./incus { inherit handleTestOn; }); influxdb = handleTest ./influxdb.nix {}; influxdb2 = handleTest ./influxdb2.nix {}; initrd-network-openvpn = handleTestOn [ "x86_64-linux" "i686-linux" ] ./initrd-network-openvpn {}; @@ -585,7 +590,7 @@ in { mysql-backup = handleTest ./mysql/mysql-backup.nix {}; mysql-replication = handleTest ./mysql/mysql-replication.nix {}; n8n = handleTest ./n8n.nix {}; - nagios = handleTest ./nagios.nix {}; + nagios = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./nagios.nix {}; nar-serve = handleTest ./nar-serve.nix {}; nat.firewall = handleTest ./nat.nix { withFirewall = true; }; nat.standalone = handleTest ./nat.nix { withFirewall = false; }; @@ -756,6 +761,7 @@ in { pretix = runTest ./web-apps/pretix.nix; printing-socket = handleTest ./printing.nix { socket = true; }; printing-service = handleTest ./printing.nix { socket = false; }; + private-gpt = handleTest ./private-gpt.nix {}; privoxy = handleTest ./privoxy.nix {}; prometheus = handleTest ./prometheus.nix {}; prometheus-exporters = handleTest ./prometheus-exporters.nix {}; @@ -870,7 +876,8 @@ in { swap-random-encryption = handleTest ./swap-random-encryption.nix {}; sway = handleTest ./sway.nix {}; swayfx = handleTest ./swayfx.nix {}; - switchTest = handleTest ./switch-test.nix {}; + switchTest = handleTest ./switch-test.nix { ng = false; }; + switchTestNg = handleTest ./switch-test.nix { ng = true; }; sympa = handleTest ./sympa.nix {}; syncthing = handleTest ./syncthing.nix {}; syncthing-no-settings = handleTest ./syncthing-no-settings.nix {}; @@ -883,7 +890,7 @@ in { systemd-binfmt = handleTestOn ["x86_64-linux"] ./systemd-binfmt.nix {}; systemd-boot = handleTest ./systemd-boot.nix {}; systemd-bpf = handleTest ./systemd-bpf.nix {}; - systemd-confinement = handleTest ./systemd-confinement.nix {}; + systemd-confinement = handleTest ./systemd-confinement {}; systemd-coredump = handleTest ./systemd-coredump.nix {}; systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {}; systemd-credentials-tpm2 = handleTest ./systemd-credentials-tpm2.nix {}; @@ -994,6 +1001,7 @@ in { v2ray = handleTest ./v2ray.nix {}; varnish60 = handleTest ./varnish.nix { package = pkgs.varnish60; }; varnish74 = handleTest ./varnish.nix { package = pkgs.varnish74; }; + varnish75 = handleTest ./varnish.nix { package = pkgs.varnish75; }; vault = handleTest ./vault.nix {}; vault-agent = handleTest ./vault-agent.nix {}; vault-dev = handleTest ./vault-dev.nix {}; @@ -1035,7 +1043,9 @@ in { xterm = handleTest ./xterm.nix {}; xxh = handleTest ./xxh.nix {}; yabar = handleTest ./yabar.nix {}; + ydotool = handleTest ./ydotool.nix {}; yggdrasil = handleTest ./yggdrasil.nix {}; + your_spotify = handleTest ./your_spotify.nix {}; zammad = handleTest ./zammad.nix {}; zeronet-conservancy = handleTest ./zeronet-conservancy.nix {}; zfs = handleTest ./zfs.nix {}; diff --git a/nixpkgs/nixos/tests/archi.nix b/nixpkgs/nixos/tests/archi.nix index 59f2e940c005..a8cb1c503d4f 100644 --- a/nixpkgs/nixos/tests/archi.nix +++ b/nixpkgs/nixos/tests/archi.nix @@ -24,7 +24,9 @@ import ./make-test-python.nix ({ lib, ... }: { machine.wait_for_window("Archi") # wait till main UI is open - machine.wait_for_text("Welcome to Archi") + # since OCR seems to be buggy wait_for_text was replaced by sleep, issue: #302965 + # machine.wait_for_text("Welcome to Archi") + machine.sleep(20) machine.screenshot("welcome-screen") ''; diff --git a/nixpkgs/nixos/tests/artalk.nix b/nixpkgs/nixos/tests/artalk.nix new file mode 100644 index 000000000000..1338e5cd380c --- /dev/null +++ b/nixpkgs/nixos/tests/artalk.nix @@ -0,0 +1,28 @@ +import ./make-test-python.nix ( + { lib, pkgs, ... }: + { + + name = "artalk"; + + meta = { + maintainers = with lib.maintainers; [ moraxyc ]; + }; + + nodes.machine = + { pkgs, ... }: + { + environment.systemPackages = [ pkgs.curl ]; + services.artalk = { + enable = true; + }; + }; + + testScript = '' + machine.wait_for_unit("artalk.service") + + machine.wait_for_open_port(23366) + + machine.succeed("curl --fail --max-time 10 http://127.0.0.1:23366/") + ''; + } +) diff --git a/nixpkgs/nixos/tests/avahi.nix b/nixpkgs/nixos/tests/avahi.nix index d8f4d13340fb..4ae2f919f2f7 100644 --- a/nixpkgs/nixos/tests/avahi.nix +++ b/nixpkgs/nixos/tests/avahi.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix { name = "avahi"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes = let diff --git a/nixpkgs/nixos/tests/benchexec.nix b/nixpkgs/nixos/tests/benchexec.nix new file mode 100644 index 000000000000..3fc9ebc2c35f --- /dev/null +++ b/nixpkgs/nixos/tests/benchexec.nix @@ -0,0 +1,54 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: +let + user = "alice"; +in +{ + name = "benchexec"; + + nodes.benchexec = { + imports = [ ./common/user-account.nix ]; + + programs.benchexec = { + enable = true; + users = [ user ]; + }; + }; + + testScript = { ... }: + let + runexec = lib.getExe' pkgs.benchexec "runexec"; + echo = builtins.toString pkgs.benchexec; + test = lib.getExe (pkgs.writeShellApplication rec { + name = "test"; + meta.mainProgram = name; + text = "echo '${echo}'"; + }); + wd = "/tmp"; + stdout = "${wd}/runexec.out"; + stderr = "${wd}/runexec.err"; + in + '' + start_all() + machine.wait_for_unit("multi-user.target") + benchexec.succeed(''''\ + systemd-run \ + --property='StandardOutput=file:${stdout}' \ + --property='StandardError=file:${stderr}' \ + --unit=runexec --wait --user --machine='${user}@' \ + --working-directory ${wd} \ + '${runexec}' \ + --debug \ + --read-only-dir / \ + --hidden-dir /home \ + '${test}' \ + '''') + benchexec.succeed("grep -s '${echo}' ${wd}/output.log") + benchexec.succeed("test \"$(grep -Ec '((start|wall|cpu)time|memory)=' ${stdout})\" = 4") + benchexec.succeed("! grep -E '(WARNING|ERROR)' ${stderr}") + ''; + + interactive.nodes.benchexec.services.kmscon = { + enable = true; + fonts = [{ name = "Fira Code"; package = pkgs.fira-code; }]; + }; +}) diff --git a/nixpkgs/nixos/tests/bittorrent.nix b/nixpkgs/nixos/tests/bittorrent.nix index 473b05d4c98e..b5f5982743a1 100644 --- a/nixpkgs/nixos/tests/bittorrent.nix +++ b/nixpkgs/nixos/tests/bittorrent.nix @@ -36,7 +36,7 @@ in { name = "bittorrent"; meta = with pkgs.lib.maintainers; { - maintainers = [ domenkozar eelco rob bobvanderlinden ]; + maintainers = [ domenkozar rob bobvanderlinden ]; }; nodes = { diff --git a/nixpkgs/nixos/tests/commafeed.nix b/nixpkgs/nixos/tests/commafeed.nix new file mode 100644 index 000000000000..7b65720818a9 --- /dev/null +++ b/nixpkgs/nixos/tests/commafeed.nix @@ -0,0 +1,21 @@ +import ./make-test-python.nix ( + { lib, ... }: + { + name = "commafeed"; + + nodes.server = { + services.commafeed = { + enable = true; + }; + }; + + testScript = '' + server.start() + server.wait_for_unit("commafeed.service") + server.wait_for_open_port(8082) + server.succeed("curl --fail --silent http://localhost:8082") + ''; + + meta.maintainers = [ lib.maintainers.raroh73 ]; + } +) diff --git a/nixpkgs/nixos/tests/containers-bridge.nix b/nixpkgs/nixos/tests/containers-bridge.nix index d2e16299edaa..3001db33ba5a 100644 --- a/nixpkgs/nixos/tests/containers-bridge.nix +++ b/nixpkgs/nixos/tests/containers-bridge.nix @@ -8,7 +8,7 @@ in import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-bridge"; meta = { - maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ]; + maintainers = with lib.maintainers; [ aristid aszlig kampfschlaefer ]; }; nodes.machine = diff --git a/nixpkgs/nixos/tests/containers-imperative.nix b/nixpkgs/nixos/tests/containers-imperative.nix index fff00e4f73a8..ea1046b40354 100644 --- a/nixpkgs/nixos/tests/containers-imperative.nix +++ b/nixpkgs/nixos/tests/containers-imperative.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-imperative"; meta = { - maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ]; + maintainers = with lib.maintainers; [ aristid aszlig kampfschlaefer ]; }; nodes.machine = diff --git a/nixpkgs/nixos/tests/containers-ip.nix b/nixpkgs/nixos/tests/containers-ip.nix index ecff99a3f0c2..034e5d660415 100644 --- a/nixpkgs/nixos/tests/containers-ip.nix +++ b/nixpkgs/nixos/tests/containers-ip.nix @@ -14,7 +14,7 @@ let in import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-ipv4-ipv6"; meta = { - maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ]; + maintainers = with lib.maintainers; [ aristid aszlig kampfschlaefer ]; }; nodes.machine = diff --git a/nixpkgs/nixos/tests/containers-portforward.nix b/nixpkgs/nixos/tests/containers-portforward.nix index b8c7aabc5a50..1a9880fe9313 100644 --- a/nixpkgs/nixos/tests/containers-portforward.nix +++ b/nixpkgs/nixos/tests/containers-portforward.nix @@ -8,7 +8,7 @@ in import ./make-test-python.nix ({ pkgs, lib, ... }: { name = "containers-portforward"; meta = { - maintainers = with lib.maintainers; [ aristid aszlig eelco kampfschlaefer ianwookim ]; + maintainers = with lib.maintainers; [ aristid aszlig kampfschlaefer ianwookim ]; }; nodes.machine = diff --git a/nixpkgs/nixos/tests/devpi-server.nix b/nixpkgs/nixos/tests/devpi-server.nix new file mode 100644 index 000000000000..2a16d49724db --- /dev/null +++ b/nixpkgs/nixos/tests/devpi-server.nix @@ -0,0 +1,35 @@ +import ./make-test-python.nix ({pkgs, ...}: let + server-port = 3141; +in { + name = "devpi-server"; + meta = with pkgs.lib.maintainers; { + maintainers = [cafkafk]; + }; + + nodes = { + devpi = {...}: { + services.devpi-server = { + enable = true; + host = "0.0.0.0"; + port = server-port; + openFirewall = true; + secretFile = pkgs.writeText "devpi-secret" "v263P+V3YGDYUyfYL/RBURw+tCPMDw94R/iCuBNJrDhaYrZYjpA6XPFVDDH8ViN20j77y2PHoMM/U0opNkVQ2g=="; + }; + }; + + client1 = {...}: { + environment.systemPackages = with pkgs; [ + devpi-client + jq + ]; + }; + }; + + testScript = '' + start_all() + devpi.wait_for_unit("devpi-server.service") + devpi.wait_for_open_port(${builtins.toString server-port}) + + client1.succeed("devpi getjson http://devpi:${builtins.toString server-port}") + ''; +}) diff --git a/nixpkgs/nixos/tests/elk.nix b/nixpkgs/nixos/tests/elk.nix index b5a8cb532ae0..87c82877fe10 100644 --- a/nixpkgs/nixos/tests/elk.nix +++ b/nixpkgs/nixos/tests/elk.nix @@ -16,7 +16,7 @@ let import ./make-test-python.nix ({ inherit name; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco offline basvandijk ]; + maintainers = [ offline basvandijk ]; }; nodes = { one = diff --git a/nixpkgs/nixos/tests/fcitx5/default.nix b/nixpkgs/nixos/tests/fcitx5/default.nix index c113f2e2c052..feea621f6b5b 100644 --- a/nixpkgs/nixos/tests/fcitx5/default.nix +++ b/nixpkgs/nixos/tests/fcitx5/default.nix @@ -89,10 +89,13 @@ rec { machine.succeed("xauth merge ${xauth}") machine.sleep(5) + machine.wait_until_succeeds("pgrep fcitx5") machine.succeed("su - ${user.name} -c 'kill $(pgrep fcitx5)'") machine.sleep(1) machine.succeed("su - ${user.name} -c 'alacritty >&2 &'") + machine.wait_for_window("alice@machine") + machine.succeed("su - ${user.name} -c 'fcitx5 >&2 &'") machine.sleep(10) diff --git a/nixpkgs/nixos/tests/firefox.nix b/nixpkgs/nixos/tests/firefox.nix index fbea95dc7523..6418e029f80d 100644 --- a/nixpkgs/nixos/tests/firefox.nix +++ b/nixpkgs/nixos/tests/firefox.nix @@ -1,9 +1,9 @@ -import ./make-test-python.nix ({ pkgs, firefoxPackage, ... }: +import ./make-test-python.nix ({ lib, pkgs, firefoxPackage, ... }: { name = firefoxPackage.pname; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco shlevy ]; + maintainers = [ shlevy ]; }; nodes.machine = @@ -55,7 +55,7 @@ import ./make-test-python.nix ({ pkgs, firefoxPackage, ... }: }; testScript = let - exe = firefoxPackage.unwrapped.binaryName; + exe = lib.getExe firefoxPackage; in '' from contextlib import contextmanager diff --git a/nixpkgs/nixos/tests/firewall.nix b/nixpkgs/nixos/tests/firewall.nix index dd7551f143a5..34e8bda60eef 100644 --- a/nixpkgs/nixos/tests/firewall.nix +++ b/nixpkgs/nixos/tests/firewall.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : { name = "firewall" + pkgs.lib.optionalString nftables "-nftables"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes = diff --git a/nixpkgs/nixos/tests/fish.nix b/nixpkgs/nixos/tests/fish.nix index 3d9b13c6af70..c9a1bef51478 100644 --- a/nixpkgs/nixos/tests/fish.nix +++ b/nixpkgs/nixos/tests/fish.nix @@ -10,6 +10,8 @@ import ./make-test-python.nix ({ pkgs, ... }: { coreutils procps # kill collides with coreutils' to test https://github.com/NixOS/nixpkgs/issues/56432 ]; + # TODO: remove if/when #267880 is merged and this is a default + services.logrotate.enable = false; }; testScript = diff --git a/nixpkgs/nixos/tests/garage/default.nix b/nixpkgs/nixos/tests/garage/default.nix index a42236e9a5bb..b7f9bb4b865b 100644 --- a/nixpkgs/nixos/tests/garage/default.nix +++ b/nixpkgs/nixos/tests/garage/default.nix @@ -51,4 +51,5 @@ in [ "0_8" "0_9" + "1_x" ] diff --git a/nixpkgs/nixos/tests/garage/with-3node-replication.nix b/nixpkgs/nixos/tests/garage/with-3node-replication.nix index d4387b198d97..266a1082893f 100644 --- a/nixpkgs/nixos/tests/garage/with-3node-replication.nix +++ b/nixpkgs/nixos/tests/garage/with-3node-replication.nix @@ -7,10 +7,10 @@ args@{ mkNode, ver, ... }: }; nodes = { - node1 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::1"; }; - node2 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::2"; }; - node3 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::3"; }; - node4 = mkNode { replicationMode = 3; publicV6Address = "fc00:1::4"; }; + node1 = mkNode { replicationMode = "3"; publicV6Address = "fc00:1::1"; }; + node2 = mkNode { replicationMode = "3"; publicV6Address = "fc00:1::2"; }; + node3 = mkNode { replicationMode = "3"; publicV6Address = "fc00:1::3"; }; + node4 = mkNode { replicationMode = "3"; publicV6Address = "fc00:1::4"; }; }; testScript = '' diff --git a/nixpkgs/nixos/tests/incus/container.nix b/nixpkgs/nixos/tests/incus/container.nix index a71c5355046a..10262cf2132b 100644 --- a/nixpkgs/nixos/tests/incus/container.nix +++ b/nixpkgs/nixos/tests/incus/container.nix @@ -1,4 +1,4 @@ -import ../make-test-python.nix ({ pkgs, lib, extra ? {}, name ? "incus-container", ... } : +import ../make-test-python.nix ({ pkgs, lib, extra ? {}, name ? "incus-container", incus ? pkgs.incus-lts, ... } : let releases = import ../../release.nix { @@ -28,7 +28,10 @@ in memorySize = 1024; diskSize = 4096; - incus.enable = true; + incus = { + enable = true; + package = incus; + }; }; networking.nftables.enable = true; }; @@ -70,51 +73,60 @@ in machine.succeed("incus exec container mount | grep 'lxcfs on /proc/cpuinfo type fuse.lxcfs'") machine.succeed("incus exec container mount | grep 'lxcfs on /proc/meminfo type fuse.lxcfs'") - with subtest("Container CPU limits can be managed"): - set_container("limits.cpu 1") - cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip() - assert cpuinfo == "1", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 1, got: {cpuinfo}" - - set_container("limits.cpu 2") - cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip() - assert cpuinfo == "2", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 2, got: {cpuinfo}" - - with subtest("Container memory limits can be managed"): - set_container("limits.memory 64MB") - meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip() - meminfo_bytes = " ".join(meminfo.split(' ')[-2:]) - assert meminfo_bytes == "62500 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '62500 kB', got: '{meminfo_bytes}'" - - set_container("limits.memory 128MB") - meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip() - meminfo_bytes = " ".join(meminfo.split(' ')[-2:]) - assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'" - - with subtest("lxc-container generator configures plain container"): - # reuse the existing container to save some time - machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf") - check_sysctl("container") - - with subtest("lxc-container generator configures nested container"): - machine.execute("incus delete --force container") - machine.succeed("incus launch nixos container --config security.nesting=true") - with machine.nested("Waiting for instance to start and be usable"): - retry(instance_is_up) - - machine.fail("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf") - target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip() - assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service" - - check_sysctl("container") - - with subtest("lxc-container generator configures privileged container"): - machine.execute("incus delete --force container") - machine.succeed("incus launch nixos container --config security.privileged=true") - with machine.nested("Waiting for instance to start and be usable"): - retry(instance_is_up) - - machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf") - - check_sysctl("container") + with subtest("resource limits"): + with subtest("Container CPU limits can be managed"): + set_container("limits.cpu 1") + cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip() + assert cpuinfo == "1", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 1, got: {cpuinfo}" + + set_container("limits.cpu 2") + cpuinfo = machine.succeed("incus exec container grep -- -c ^processor /proc/cpuinfo").strip() + assert cpuinfo == "2", f"Wrong number of CPUs reported from /proc/cpuinfo, want: 2, got: {cpuinfo}" + + with subtest("Container memory limits can be managed"): + set_container("limits.memory 64MB") + meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip() + meminfo_bytes = " ".join(meminfo.split(' ')[-2:]) + assert meminfo_bytes == "62500 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '62500 kB', got: '{meminfo_bytes}'" + + set_container("limits.memory 128MB") + meminfo = machine.succeed("incus exec container grep -- MemTotal /proc/meminfo").strip() + meminfo_bytes = " ".join(meminfo.split(' ')[-2:]) + assert meminfo_bytes == "125000 kB", f"Wrong amount of memory reported from /proc/meminfo, want: '125000 kB', got: '{meminfo_bytes}'" + + with subtest("lxc-generator"): + with subtest("lxc-container generator configures plain container"): + # reuse the existing container to save some time + machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf") + check_sysctl("container") + + with subtest("lxc-container generator configures nested container"): + machine.execute("incus delete --force container") + machine.succeed("incus launch nixos container --config security.nesting=true") + with machine.nested("Waiting for instance to start and be usable"): + retry(instance_is_up) + + machine.fail("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf") + target = machine.succeed("incus exec container readlink -- -f /run/systemd/system/systemd-binfmt.service").strip() + assert target == "/dev/null", "lxc generator did not correctly mask /run/systemd/system/systemd-binfmt.service" + + check_sysctl("container") + + with subtest("lxc-container generator configures privileged container"): + machine.execute("incus delete --force container") + machine.succeed("incus launch nixos container --config security.privileged=true") + with machine.nested("Waiting for instance to start and be usable"): + retry(instance_is_up) + + machine.succeed("incus exec container test -- -e /run/systemd/system/service.d/zzz-lxc-service.conf") + + check_sysctl("container") + + with subtest("softDaemonRestart"): + with subtest("Instance remains running when softDaemonRestart is enabled and services is stopped"): + pid = machine.succeed("incus info container | grep 'PID'").split(":")[1].strip() + machine.succeed(f"ps {pid}") + machine.succeed("systemctl stop incus") + machine.succeed(f"ps {pid}") ''; }) diff --git a/nixpkgs/nixos/tests/incus/default.nix b/nixpkgs/nixos/tests/incus/default.nix index b850c4fba018..c33bf1600f27 100644 --- a/nixpkgs/nixos/tests/incus/default.nix +++ b/nixpkgs/nixos/tests/incus/default.nix @@ -3,24 +3,27 @@ config ? { }, pkgs ? import ../../.. { inherit system config; }, handleTestOn, + incus ? pkgs.incus-lts, }: { container-legacy-init = import ./container.nix { name = "container-legacy-init"; - inherit system pkgs; + inherit incus system pkgs; }; container-systemd-init = import ./container.nix { name = "container-systemd-init"; - inherit system pkgs; + inherit incus system pkgs; extra = { boot.initrd.systemd.enable = true; }; }; - lxd-to-incus = import ./lxd-to-incus.nix { inherit system pkgs; }; - openvswitch = import ./openvswitch.nix { inherit system pkgs; }; - preseed = import ./preseed.nix { inherit system pkgs; }; - socket-activated = import ./socket-activated.nix { inherit system pkgs; }; - storage = import ./storage.nix { inherit system pkgs; }; - ui = import ./ui.nix { inherit system pkgs; }; - virtual-machine = handleTestOn [ "x86_64-linux" ] ./virtual-machine.nix { inherit system pkgs; }; + incusd-options = import ./incusd-options.nix { inherit incus system pkgs; }; + lxd-to-incus = import ./lxd-to-incus.nix { inherit incus system pkgs; }; + openvswitch = import ./openvswitch.nix { inherit incus system pkgs; }; + socket-activated = import ./socket-activated.nix { inherit incus system pkgs; }; + storage = import ./storage.nix { inherit incus system pkgs; }; + ui = import ./ui.nix { inherit incus system pkgs; }; + virtual-machine = handleTestOn [ "x86_64-linux" ] ./virtual-machine.nix { + inherit incus system pkgs; + }; } diff --git a/nixpkgs/nixos/tests/incus/incusd-options.nix b/nixpkgs/nixos/tests/incus/incusd-options.nix new file mode 100644 index 000000000000..7b3a4d726e38 --- /dev/null +++ b/nixpkgs/nixos/tests/incus/incusd-options.nix @@ -0,0 +1,110 @@ +# this is a set of tests for non-default options. typically the default options +# will be handled by the other tests +import ../make-test-python.nix ( + { + pkgs, + lib, + incus ? pkgs.incus-lts, + ... + }: + + let + releases = import ../../release.nix { + configuration = { + # Building documentation makes the test unnecessarily take a longer time: + documentation.enable = lib.mkForce false; + }; + }; + + container-image-metadata = releases.lxdContainerMeta.${pkgs.stdenv.hostPlatform.system}; + container-image-rootfs = releases.lxdContainerImage.${pkgs.stdenv.hostPlatform.system}; + in + { + name = "incusd-options"; + + meta = { + maintainers = lib.teams.lxc.members; + }; + + nodes.machine = { + virtualisation = { + cores = 2; + memorySize = 1024; + diskSize = 4096; + + incus = { + enable = true; + package = incus; + softDaemonRestart = false; + + preseed = { + networks = [ + { + name = "nixostestbr0"; + type = "bridge"; + config = { + "ipv4.address" = "10.0.100.1/24"; + "ipv4.nat" = "true"; + }; + } + ]; + profiles = [ + { + name = "default"; + devices = { + eth0 = { + name = "eth0"; + network = "nixostestbr0"; + type = "nic"; + }; + root = { + path = "/"; + pool = "nixostest_pool"; + size = "35GiB"; + type = "disk"; + }; + }; + } + ]; + storage_pools = [ + { + name = "nixostest_pool"; + driver = "dir"; + } + ]; + }; + }; + }; + networking.nftables.enable = true; + }; + + testScript = '' + def instance_is_up(_) -> bool: + status, _ = machine.execute("incus exec container --disable-stdin --force-interactive /run/current-system/sw/bin/systemctl -- is-system-running") + return status == 0 + + machine.wait_for_unit("incus.service") + machine.wait_for_unit("incus-preseed.service") + + with subtest("Container image can be imported"): + machine.succeed("incus image import ${container-image-metadata}/*/*.tar.xz ${container-image-rootfs}/*/*.tar.xz --alias nixos") + + with subtest("Container can be launched and managed"): + machine.succeed("incus launch nixos container") + with machine.nested("Waiting for instance to start and be usable"): + retry(instance_is_up) + machine.succeed("echo true | incus exec container /run/current-system/sw/bin/bash -") + + with subtest("Verify preseed resources created"): + machine.succeed("incus profile show default") + machine.succeed("incus network info nixostestbr0") + machine.succeed("incus storage show nixostest_pool") + + with subtest("Instance is stopped when softDaemonRestart is disabled and services is stopped"): + pid = machine.succeed("incus info container | grep 'PID'").split(":")[1].strip() + machine.succeed(f"ps {pid}") + machine.succeed("systemctl stop incus") + machine.fail(f"ps {pid}") + ''; + } +) diff --git a/nixpkgs/nixos/tests/incus/lxd-to-incus.nix b/nixpkgs/nixos/tests/incus/lxd-to-incus.nix index e93b76591eca..66f78cbd33b4 100644 --- a/nixpkgs/nixos/tests/incus/lxd-to-incus.nix +++ b/nixpkgs/nixos/tests/incus/lxd-to-incus.nix @@ -1,6 +1,11 @@ import ../make-test-python.nix ( - { pkgs, lib, ... }: + { + pkgs, + lib, + incus ? pkgs.incus-lts, + ... + }: let releases = import ../../release.nix { configuration.documentation.enable = lib.mkForce false; }; @@ -65,7 +70,10 @@ import ../make-test-python.nix ( ]; }; - incus.enable = true; + incus = { + enable = true; + package = incus; + }; }; networking.nftables.enable = true; }; diff --git a/nixpkgs/nixos/tests/incus/openvswitch.nix b/nixpkgs/nixos/tests/incus/openvswitch.nix index 5d4aef031ad0..1cead99080e7 100644 --- a/nixpkgs/nixos/tests/incus/openvswitch.nix +++ b/nixpkgs/nixos/tests/incus/openvswitch.nix @@ -1,4 +1,4 @@ -import ../make-test-python.nix ({ pkgs, lib, ... } : +import ../make-test-python.nix ({ pkgs, lib, incus ? pkgs.incus-lts, ... } : { name = "incus-openvswitch"; @@ -9,7 +9,11 @@ import ../make-test-python.nix ({ pkgs, lib, ... } : nodes.machine = { lib, ... }: { virtualisation = { - incus.enable = true; + incus = { + enable = true; + package = incus; + }; + vswitch.enable = true; incus.preseed = { networks = [ diff --git a/nixpkgs/nixos/tests/incus/preseed.nix b/nixpkgs/nixos/tests/incus/preseed.nix deleted file mode 100644 index f2d928115f3e..000000000000 --- a/nixpkgs/nixos/tests/incus/preseed.nix +++ /dev/null @@ -1,63 +0,0 @@ -import ../make-test-python.nix ({ pkgs, lib, ... } : - -{ - name = "incus-preseed"; - - meta = { - maintainers = lib.teams.lxc.members; - }; - - nodes.machine = { lib, ... }: { - virtualisation = { - incus.enable = true; - - incus.preseed = { - networks = [ - { - name = "nixostestbr0"; - type = "bridge"; - config = { - "ipv4.address" = "10.0.100.1/24"; - "ipv4.nat" = "true"; - }; - } - ]; - profiles = [ - { - name = "nixostest_default"; - devices = { - eth0 = { - name = "eth0"; - network = "nixostestbr0"; - type = "nic"; - }; - root = { - path = "/"; - pool = "default"; - size = "35GiB"; - type = "disk"; - }; - }; - } - ]; - storage_pools = [ - { - name = "nixostest_pool"; - driver = "dir"; - } - ]; - }; - }; - networking.nftables.enable = true; - }; - - testScript = '' - machine.wait_for_unit("incus.service") - machine.wait_for_unit("incus-preseed.service") - - with subtest("Verify preseed resources created"): - machine.succeed("incus profile show nixostest_default") - machine.succeed("incus network info nixostestbr0") - machine.succeed("incus storage show nixostest_pool") - ''; -}) diff --git a/nixpkgs/nixos/tests/incus/socket-activated.nix b/nixpkgs/nixos/tests/incus/socket-activated.nix index 59caf1090fbd..55c5496396e9 100644 --- a/nixpkgs/nixos/tests/incus/socket-activated.nix +++ b/nixpkgs/nixos/tests/incus/socket-activated.nix @@ -1,4 +1,4 @@ -import ../make-test-python.nix ({ pkgs, lib, ... } : +import ../make-test-python.nix ({ pkgs, lib, incus ? pkgs.incus-lts, ... } : { name = "incus-socket-activated"; @@ -9,8 +9,11 @@ import ../make-test-python.nix ({ pkgs, lib, ... } : nodes.machine = { lib, ... }: { virtualisation = { - incus.enable = true; - incus.socketActivation = true; + incus = { + enable = true; + package = incus; + socketActivation = true; + }; }; networking.nftables.enable = true; }; diff --git a/nixpkgs/nixos/tests/incus/storage.nix b/nixpkgs/nixos/tests/incus/storage.nix index 190f4f7451c2..05ea6ba996eb 100644 --- a/nixpkgs/nixos/tests/incus/storage.nix +++ b/nixpkgs/nixos/tests/incus/storage.nix @@ -1,5 +1,10 @@ import ../make-test-python.nix ( - { pkgs, lib, ... }: + { + pkgs, + lib, + incus ? pkgs.incus-lts, + ... + }: { name = "incus-storage"; @@ -19,7 +24,10 @@ import ../make-test-python.nix ( virtualisation = { emptyDiskImages = [ 2048 ]; - incus.enable = true; + incus = { + enable = true; + package = incus; + }; }; }; diff --git a/nixpkgs/nixos/tests/incus/ui.nix b/nixpkgs/nixos/tests/incus/ui.nix index 837eb14844ce..a255d6fabe83 100644 --- a/nixpkgs/nixos/tests/incus/ui.nix +++ b/nixpkgs/nixos/tests/incus/ui.nix @@ -1,4 +1,4 @@ -import ../make-test-python.nix ({ pkgs, lib, ... }: { +import ../make-test-python.nix ({ pkgs, lib, incus ? pkgs.incus-lts, ... }: { name = "incus-ui"; meta = { @@ -7,7 +7,10 @@ import ../make-test-python.nix ({ pkgs, lib, ... }: { nodes.machine = { lib, ... }: { virtualisation = { - incus.enable = true; + incus = { + enable = true; + package = incus; + }; incus.ui.enable = true; }; networking.nftables.enable = true; diff --git a/nixpkgs/nixos/tests/incus/virtual-machine.nix b/nixpkgs/nixos/tests/incus/virtual-machine.nix index eebbbd113ed1..70e54191d330 100644 --- a/nixpkgs/nixos/tests/incus/virtual-machine.nix +++ b/nixpkgs/nixos/tests/incus/virtual-machine.nix @@ -1,4 +1,4 @@ -import ../make-test-python.nix ({ pkgs, lib, ... }: +import ../make-test-python.nix ({ pkgs, lib, incus ? pkgs.incus-lts, ... }: let releases = import ../../release.nix { @@ -33,7 +33,10 @@ in # Provide a TPM to test vTPM support for guests tpm.enable = true; - incus.enable = true; + incus = { + enable = true; + package = incus; + }; }; networking.nftables.enable = true; }; @@ -75,5 +78,11 @@ in machine.succeed("incus config set ${instance-name} limits.cpu=2") count = int(machine.succeed("incus exec ${instance-name} -- nproc").strip()) assert count == 2, f"Wrong number of CPUs reported, want: 2, got: {count}" + + with subtest("Instance remains running when softDaemonRestart is enabled and services is stopped"): + pid = machine.succeed("incus info ${instance-name} | grep 'PID'").split(":")[1].strip() + machine.succeed(f"ps {pid}") + machine.succeed("systemctl stop incus") + machine.succeed(f"ps {pid}") ''; }) diff --git a/nixpkgs/nixos/tests/initrd-network.nix b/nixpkgs/nixos/tests/initrd-network.nix index f2483b7393de..abbc3d0fce82 100644 --- a/nixpkgs/nixos/tests/initrd-network.nix +++ b/nixpkgs/nixos/tests/initrd-network.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { name = "initrd-network"; - meta.maintainers = [ pkgs.lib.maintainers.eelco ]; + meta.maintainers = [ ]; nodes.machine = { ... }: { imports = [ ../modules/profiles/minimal.nix ]; diff --git a/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix b/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix index bcb6479ee89c..010ad9702402 100644 --- a/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix +++ b/nixpkgs/nixos/tests/installed-tests/gnome-photos.nix @@ -13,7 +13,7 @@ makeInstalledTest { (stdenv.mkDerivation { name = "desktop-gsettings"; dontUnpack = true; - nativeBuildInputs = [ glib wrapGAppsHook ]; + nativeBuildInputs = [ glib wrapGAppsHook3 ]; buildInputs = [ gsettings-desktop-schemas ]; installPhase = '' runHook preInstall diff --git a/nixpkgs/nixos/tests/installer-systemd-stage-1.nix b/nixpkgs/nixos/tests/installer-systemd-stage-1.nix index 1dd55dada042..00205f941771 100644 --- a/nixpkgs/nixos/tests/installer-systemd-stage-1.nix +++ b/nixpkgs/nixos/tests/installer-systemd-stage-1.nix @@ -19,7 +19,7 @@ luksroot luksroot-format1 luksroot-format2 - # lvm + lvm separateBoot separateBootFat separateBootZfs diff --git a/nixpkgs/nixos/tests/installer.nix b/nixpkgs/nixos/tests/installer.nix index 7e835041eb39..3f57a64333dd 100644 --- a/nixpkgs/nixos/tests/installer.nix +++ b/nixpkgs/nixos/tests/installer.nix @@ -249,12 +249,11 @@ let with subtest("Check whether nixos-rebuild works"): target.succeed("nixos-rebuild switch >&2") - # FIXME: Nix 2.4 broke nixos-option, someone has to fix it. - # with subtest("Test nixos-option"): - # kernel_modules = target.succeed("nixos-option boot.initrd.kernelModules") - # assert "virtio_console" in kernel_modules - # assert "List of modules" in kernel_modules - # assert "qemu-guest.nix" in kernel_modules + with subtest("Test nixos-option"): + kernel_modules = target.succeed("nixos-option boot.initrd.kernelModules") + assert "virtio_console" in kernel_modules + assert "List of modules" in kernel_modules + assert "qemu-guest.nix" in kernel_modules target.shutdown() @@ -975,6 +974,9 @@ in { "mount LABEL=nixos /mnt", ) ''; + extraConfig = optionalString systemdStage1 '' + boot.initrd.services.lvm.enable = true; + ''; }; # Boot off an encrypted root partition with the default LUKS header format diff --git a/nixpkgs/nixos/tests/ipv6.nix b/nixpkgs/nixos/tests/ipv6.nix index 75faa6f60201..7f91457fa5ea 100644 --- a/nixpkgs/nixos/tests/ipv6.nix +++ b/nixpkgs/nixos/tests/ipv6.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : { name = "ipv6"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes = diff --git a/nixpkgs/nixos/tests/jenkins.nix b/nixpkgs/nixos/tests/jenkins.nix index a8f621000654..d7394c866c14 100644 --- a/nixpkgs/nixos/tests/jenkins.nix +++ b/nixpkgs/nixos/tests/jenkins.nix @@ -7,7 +7,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "jenkins"; meta = with pkgs.lib.maintainers; { - maintainers = [ bjornfor coconnor domenkozar eelco ]; + maintainers = [ bjornfor coconnor domenkozar ]; }; nodes = { diff --git a/nixpkgs/nixos/tests/jotta-cli.nix b/nixpkgs/nixos/tests/jotta-cli.nix index 5eefe65c1d38..0df23ee2cba5 100644 --- a/nixpkgs/nixos/tests/jotta-cli.nix +++ b/nixpkgs/nixos/tests/jotta-cli.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { meta.maintainers = with pkgs.lib.maintainers; [ evenbrenden ]; nodes.machine = { pkgs, ... }: { - user.services.jotta-cli.enable = true; + services.jotta-cli.enable = true; imports = [ ./common/user-account.nix ]; }; diff --git a/nixpkgs/nixos/tests/k3s/default.nix b/nixpkgs/nixos/tests/k3s/default.nix index 512dc06ee77e..297b05a4e4a7 100644 --- a/nixpkgs/nixos/tests/k3s/default.nix +++ b/nixpkgs/nixos/tests/k3s/default.nix @@ -1,16 +1,20 @@ -{ system ? builtins.currentSystem -, pkgs ? import ../../.. { inherit system; } -, lib ? pkgs.lib +{ + system ? builtins.currentSystem, + pkgs ? import ../../.. { inherit system; }, + lib ? pkgs.lib, }: let allK3s = lib.filterAttrs (n: _: lib.strings.hasPrefix "k3s_" n) pkgs; in { # Testing K3s with Etcd backend - etcd = lib.mapAttrs (_: k3s: import ./etcd.nix { - inherit system pkgs k3s; - inherit (pkgs) etcd; - }) allK3s; + etcd = lib.mapAttrs ( + _: k3s: + import ./etcd.nix { + inherit system pkgs k3s; + inherit (pkgs) etcd; + } + ) allK3s; # Run a single node k3s cluster and verify a pod can run single-node = lib.mapAttrs (_: k3s: import ./single-node.nix { inherit system pkgs k3s; }) allK3s; # Run a multi-node k3s cluster and verify pod networking works across nodes diff --git a/nixpkgs/nixos/tests/k3s/etcd.nix b/nixpkgs/nixos/tests/k3s/etcd.nix index d6e9a294adb1..ac0aa9047251 100644 --- a/nixpkgs/nixos/tests/k3s/etcd.nix +++ b/nixpkgs/nixos/tests/k3s/etcd.nix @@ -1,100 +1,130 @@ -import ../make-test-python.nix ({ pkgs, lib, k3s, etcd, ... }: - -{ - name = "${k3s.name}-etcd"; - - nodes = { - - etcd = { ... }: { - services.etcd = { - enable = true; - openFirewall = true; - listenClientUrls = [ "http://192.168.1.1:2379" "http://127.0.0.1:2379" ]; - listenPeerUrls = [ "http://192.168.1.1:2380" ]; - initialAdvertisePeerUrls = [ "http://192.168.1.1:2380" ]; - initialCluster = [ "etcd=http://192.168.1.1:2380" ]; - }; - networking = { - useDHCP = false; - defaultGateway = "192.168.1.1"; - interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ - { address = "192.168.1.1"; prefixLength = 24; } - ]; - }; - }; +import ../make-test-python.nix ( + { + pkgs, + lib, + k3s, + etcd, + ... + }: + + { + name = "${k3s.name}-etcd"; + + nodes = { + + etcd = + { ... }: + { + services.etcd = { + enable = true; + openFirewall = true; + listenClientUrls = [ + "http://192.168.1.1:2379" + "http://127.0.0.1:2379" + ]; + listenPeerUrls = [ "http://192.168.1.1:2380" ]; + initialAdvertisePeerUrls = [ "http://192.168.1.1:2380" ]; + initialCluster = [ "etcd=http://192.168.1.1:2380" ]; + }; + networking = { + useDHCP = false; + defaultGateway = "192.168.1.1"; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ + { + address = "192.168.1.1"; + prefixLength = 24; + } + ]; + }; + }; - k3s = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ jq ]; - # k3s uses enough resources the default vm fails. - virtualisation.memorySize = 1536; - virtualisation.diskSize = 4096; - - services.k3s = { - enable = true; - role = "server"; - extraFlags = builtins.toString [ - "--datastore-endpoint=\"http://192.168.1.1:2379\"" - "--disable" "coredns" - "--disable" "local-storage" - "--disable" "metrics-server" - "--disable" "servicelb" - "--disable" "traefik" - "--node-ip" "192.168.1.2" - ]; - }; - - networking = { - firewall = { - allowedTCPPorts = [ 2379 2380 6443 ]; - allowedUDPPorts = [ 8472 ]; + k3s = + { pkgs, ... }: + { + environment.systemPackages = with pkgs; [ jq ]; + # k3s uses enough resources the default vm fails. + virtualisation.memorySize = 1536; + virtualisation.diskSize = 4096; + + services.k3s = { + enable = true; + role = "server"; + extraFlags = builtins.toString [ + "--datastore-endpoint=\"http://192.168.1.1:2379\"" + "--disable" + "coredns" + "--disable" + "local-storage" + "--disable" + "metrics-server" + "--disable" + "servicelb" + "--disable" + "traefik" + "--node-ip" + "192.168.1.2" + ]; + }; + + networking = { + firewall = { + allowedTCPPorts = [ + 2379 + 2380 + 6443 + ]; + allowedUDPPorts = [ 8472 ]; + }; + useDHCP = false; + defaultGateway = "192.168.1.2"; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ + { + address = "192.168.1.2"; + prefixLength = 24; + } + ]; + }; }; - useDHCP = false; - defaultGateway = "192.168.1.2"; - interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ - { address = "192.168.1.2"; prefixLength = 24; } - ]; - }; }; - }; - - testScript = '' - with subtest("should start etcd"): - etcd.start() - etcd.wait_for_unit("etcd.service") + testScript = '' + with subtest("should start etcd"): + etcd.start() + etcd.wait_for_unit("etcd.service") - with subtest("should wait for etcdctl endpoint status to succeed"): - etcd.wait_until_succeeds("etcdctl endpoint status") + with subtest("should wait for etcdctl endpoint status to succeed"): + etcd.wait_until_succeeds("etcdctl endpoint status") - with subtest("should start k3s"): - k3s.start() - k3s.wait_for_unit("k3s") + with subtest("should start k3s"): + k3s.start() + k3s.wait_for_unit("k3s") - with subtest("should test if kubectl works"): - k3s.wait_until_succeeds("k3s kubectl get node") + with subtest("should test if kubectl works"): + k3s.wait_until_succeeds("k3s kubectl get node") - with subtest("should wait for service account to show up; takes a sec"): - k3s.wait_until_succeeds("k3s kubectl get serviceaccount default") + with subtest("should wait for service account to show up; takes a sec"): + k3s.wait_until_succeeds("k3s kubectl get serviceaccount default") - with subtest("should create a sample secret object"): - k3s.succeed("k3s kubectl create secret generic nixossecret --from-literal thesecret=abacadabra") + with subtest("should create a sample secret object"): + k3s.succeed("k3s kubectl create secret generic nixossecret --from-literal thesecret=abacadabra") - with subtest("should check if secret is correct"): - k3s.wait_until_succeeds("[[ $(kubectl get secrets nixossecret -o json | jq -r .data.thesecret | base64 -d) == abacadabra ]]") + with subtest("should check if secret is correct"): + k3s.wait_until_succeeds("[[ $(kubectl get secrets nixossecret -o json | jq -r .data.thesecret | base64 -d) == abacadabra ]]") - with subtest("should have a secret in database"): - etcd.wait_until_succeeds("[[ $(etcdctl get /registry/secrets/default/nixossecret | head -c1 | wc -c) -ne 0 ]]") + with subtest("should have a secret in database"): + etcd.wait_until_succeeds("[[ $(etcdctl get /registry/secrets/default/nixossecret | head -c1 | wc -c) -ne 0 ]]") - with subtest("should delete the secret"): - k3s.succeed("k3s kubectl delete secret nixossecret") + with subtest("should delete the secret"): + k3s.succeed("k3s kubectl delete secret nixossecret") - with subtest("should not have a secret in database"): - etcd.wait_until_fails("[[ $(etcdctl get /registry/secrets/default/nixossecret | head -c1 | wc -c) -ne 0 ]]") + with subtest("should not have a secret in database"): + etcd.wait_until_fails("[[ $(etcdctl get /registry/secrets/default/nixossecret | head -c1 | wc -c) -ne 0 ]]") - with subtest("should shutdown k3s and etcd"): - k3s.shutdown() - etcd.shutdown() - ''; + with subtest("should shutdown k3s and etcd"): + k3s.shutdown() + etcd.shutdown() + ''; - meta.maintainers = etcd.meta.maintainers ++ k3s.meta.maintainers; -}) + meta.maintainers = etcd.meta.maintainers ++ k3s.meta.maintainers; + } +) diff --git a/nixpkgs/nixos/tests/k3s/multi-node.nix b/nixpkgs/nixos/tests/k3s/multi-node.nix index 20279f3ca4b9..b618d2aff34c 100644 --- a/nixpkgs/nixos/tests/k3s/multi-node.nix +++ b/nixpkgs/nixos/tests/k3s/multi-node.nix @@ -1,14 +1,30 @@ -import ../make-test-python.nix ({ pkgs, lib, k3s, ... }: +import ../make-test-python.nix ( + { + pkgs, + lib, + k3s, + ... + }: let imageEnv = pkgs.buildEnv { name = "k3s-pause-image-env"; - paths = with pkgs; [ tini bashInteractive coreutils socat ]; + paths = with pkgs; [ + tini + bashInteractive + coreutils + socat + ]; }; pauseImage = pkgs.dockerTools.streamLayeredImage { name = "test.local/pause"; tag = "local"; contents = imageEnv; - config.Entrypoint = [ "/bin/tini" "--" "/bin/sleep" "inf" ]; + config.Entrypoint = [ + "/bin/tini" + "--" + "/bin/sleep" + "inf" + ]; }; # A daemonset that responds 'server' on port 8000 networkTestDaemonset = pkgs.writeText "test.yml" '' @@ -42,90 +58,135 @@ import ../make-test-python.nix ({ pkgs, lib, k3s, ... }: name = "${k3s.name}-multi-node"; nodes = { - server = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gzip jq ]; - # k3s uses enough resources the default vm fails. - virtualisation.memorySize = 1536; - virtualisation.diskSize = 4096; - - services.k3s = { - inherit tokenFile; - enable = true; - role = "server"; - package = k3s; - clusterInit = true; - extraFlags = builtins.toString [ - "--disable" "coredns" - "--disable" "local-storage" - "--disable" "metrics-server" - "--disable" "servicelb" - "--disable" "traefik" - "--node-ip" "192.168.1.1" - "--pause-image" "test.local/pause:local" + server = + { pkgs, ... }: + { + environment.systemPackages = with pkgs; [ + gzip + jq + ]; + # k3s uses enough resources the default vm fails. + virtualisation.memorySize = 1536; + virtualisation.diskSize = 4096; + + services.k3s = { + inherit tokenFile; + enable = true; + role = "server"; + package = k3s; + clusterInit = true; + extraFlags = builtins.toString [ + "--disable" + "coredns" + "--disable" + "local-storage" + "--disable" + "metrics-server" + "--disable" + "servicelb" + "--disable" + "traefik" + "--node-ip" + "192.168.1.1" + "--pause-image" + "test.local/pause:local" + ]; + }; + networking.firewall.allowedTCPPorts = [ + 2379 + 2380 + 6443 + ]; + networking.firewall.allowedUDPPorts = [ 8472 ]; + networking.firewall.trustedInterfaces = [ "flannel.1" ]; + networking.useDHCP = false; + networking.defaultGateway = "192.168.1.1"; + networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ + { + address = "192.168.1.1"; + prefixLength = 24; + } ]; }; - networking.firewall.allowedTCPPorts = [ 2379 2380 6443 ]; - networking.firewall.allowedUDPPorts = [ 8472 ]; - networking.firewall.trustedInterfaces = [ "flannel.1" ]; - networking.useDHCP = false; - networking.defaultGateway = "192.168.1.1"; - networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ - { address = "192.168.1.1"; prefixLength = 24; } - ]; - }; - - server2 = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ gzip jq ]; - virtualisation.memorySize = 1536; - virtualisation.diskSize = 4096; - - services.k3s = { - inherit tokenFile; - enable = true; - serverAddr = "https://192.168.1.1:6443"; - clusterInit = false; - extraFlags = builtins.toString [ - "--disable" "coredns" - "--disable" "local-storage" - "--disable" "metrics-server" - "--disable" "servicelb" - "--disable" "traefik" - "--node-ip" "192.168.1.3" - "--pause-image" "test.local/pause:local" + + server2 = + { pkgs, ... }: + { + environment.systemPackages = with pkgs; [ + gzip + jq + ]; + virtualisation.memorySize = 1536; + virtualisation.diskSize = 4096; + + services.k3s = { + inherit tokenFile; + enable = true; + serverAddr = "https://192.168.1.1:6443"; + clusterInit = false; + extraFlags = builtins.toString [ + "--disable" + "coredns" + "--disable" + "local-storage" + "--disable" + "metrics-server" + "--disable" + "servicelb" + "--disable" + "traefik" + "--node-ip" + "192.168.1.3" + "--pause-image" + "test.local/pause:local" + ]; + }; + networking.firewall.allowedTCPPorts = [ + 2379 + 2380 + 6443 + ]; + networking.firewall.allowedUDPPorts = [ 8472 ]; + networking.firewall.trustedInterfaces = [ "flannel.1" ]; + networking.useDHCP = false; + networking.defaultGateway = "192.168.1.3"; + networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ + { + address = "192.168.1.3"; + prefixLength = 24; + } ]; }; - networking.firewall.allowedTCPPorts = [ 2379 2380 6443 ]; - networking.firewall.allowedUDPPorts = [ 8472 ]; - networking.firewall.trustedInterfaces = [ "flannel.1" ]; - networking.useDHCP = false; - networking.defaultGateway = "192.168.1.3"; - networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ - { address = "192.168.1.3"; prefixLength = 24; } - ]; - }; - - agent = { pkgs, ... }: { - virtualisation.memorySize = 1024; - virtualisation.diskSize = 2048; - services.k3s = { - inherit tokenFile; - enable = true; - role = "agent"; - serverAddr = "https://192.168.1.3:6443"; - extraFlags = lib.concatStringsSep " " [ - "--pause-image" "test.local/pause:local" - "--node-ip" "192.168.1.2" + + agent = + { pkgs, ... }: + { + virtualisation.memorySize = 1024; + virtualisation.diskSize = 2048; + services.k3s = { + inherit tokenFile; + enable = true; + role = "agent"; + serverAddr = "https://192.168.1.3:6443"; + extraFlags = lib.concatStringsSep " " [ + "--pause-image" + "test.local/pause:local" + "--node-ip" + "192.168.1.2" + ]; + }; + networking.firewall.allowedTCPPorts = [ 6443 ]; + networking.firewall.allowedUDPPorts = [ 8472 ]; + networking.firewall.trustedInterfaces = [ "flannel.1" ]; + networking.useDHCP = false; + networking.defaultGateway = "192.168.1.2"; + networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ + { + address = "192.168.1.2"; + prefixLength = 24; + } ]; }; - networking.firewall.allowedTCPPorts = [ 6443 ]; - networking.firewall.allowedUDPPorts = [ 8472 ]; - networking.firewall.trustedInterfaces = [ "flannel.1" ]; - networking.useDHCP = false; - networking.defaultGateway = "192.168.1.2"; - networking.interfaces.eth1.ipv4.addresses = pkgs.lib.mkForce [ - { address = "192.168.1.2"; prefixLength = 24; } - ]; - }; }; meta.maintainers = k3s.meta.maintainers; @@ -178,4 +239,5 @@ import ../make-test-python.nix ({ pkgs, lib, k3s, ... }: for m in machines: m.shutdown() ''; - }) + } +) diff --git a/nixpkgs/nixos/tests/k3s/single-node.nix b/nixpkgs/nixos/tests/k3s/single-node.nix index fd64a050e61e..80d80a55ddf4 100644 --- a/nixpkgs/nixos/tests/k3s/single-node.nix +++ b/nixpkgs/nixos/tests/k3s/single-node.nix @@ -1,14 +1,29 @@ -import ../make-test-python.nix ({ pkgs, lib, k3s, ... }: +import ../make-test-python.nix ( + { + pkgs, + lib, + k3s, + ... + }: let imageEnv = pkgs.buildEnv { name = "k3s-pause-image-env"; - paths = with pkgs; [ tini (hiPrio coreutils) busybox ]; + paths = with pkgs; [ + tini + (hiPrio coreutils) + busybox + ]; }; pauseImage = pkgs.dockerTools.streamLayeredImage { name = "test.local/pause"; tag = "local"; contents = imageEnv; - config.Entrypoint = [ "/bin/tini" "--" "/bin/sleep" "inf" ]; + config.Entrypoint = [ + "/bin/tini" + "--" + "/bin/sleep" + "inf" + ]; }; testPodYaml = pkgs.writeText "test.yml" '' apiVersion: v1 @@ -27,57 +42,83 @@ import ../make-test-python.nix ({ pkgs, lib, k3s, ... }: name = "${k3s.name}-single-node"; meta.maintainers = k3s.meta.maintainers; - nodes.machine = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ k3s gzip ]; + nodes.machine = + { pkgs, ... }: + { + environment.systemPackages = with pkgs; [ + k3s + gzip + ]; - # k3s uses enough resources the default vm fails. - virtualisation.memorySize = 1536; - virtualisation.diskSize = 4096; + # k3s uses enough resources the default vm fails. + virtualisation.memorySize = 1536; + virtualisation.diskSize = 4096; - services.k3s.enable = true; - services.k3s.role = "server"; - services.k3s.package = k3s; - # Slightly reduce resource usage - services.k3s.extraFlags = builtins.toString [ - "--disable" "coredns" - "--disable" "local-storage" - "--disable" "metrics-server" - "--disable" "servicelb" - "--disable" "traefik" - "--pause-image" "test.local/pause:local" - ]; + services.k3s.enable = true; + services.k3s.role = "server"; + services.k3s.package = k3s; + # Slightly reduce resource usage + services.k3s.extraFlags = builtins.toString [ + "--disable" + "coredns" + "--disable" + "local-storage" + "--disable" + "metrics-server" + "--disable" + "servicelb" + "--disable" + "traefik" + "--pause-image" + "test.local/pause:local" + ]; - users.users = { - noprivs = { - isNormalUser = true; - description = "Can't access k3s by default"; - password = "*"; + users.users = { + noprivs = { + isNormalUser = true; + description = "Can't access k3s by default"; + password = "*"; + }; }; }; - }; - testScript = '' - start_all() + testScript = + '' + start_all() - machine.wait_for_unit("k3s") - machine.succeed("kubectl cluster-info") - machine.fail("sudo -u noprivs kubectl cluster-info") + machine.wait_for_unit("k3s") + machine.succeed("kubectl cluster-info") + machine.fail("sudo -u noprivs kubectl cluster-info") '' # Fix-Me: Tests fail for 'aarch64-linux' as: "CONFIG_CGROUP_FREEZER: missing (fail)" - + lib.optionalString (!pkgs.stdenv.isAarch64) ''machine.succeed("k3s check-config")'' + '' + + lib.optionalString (!pkgs.stdenv.isAarch64) ''machine.succeed("k3s check-config")'' + + '' - machine.succeed( - "${pauseImage} | ctr image import -" - ) + machine.succeed( + "${pauseImage} | ctr image import -" + ) - # Also wait for our service account to show up; it takes a sec - machine.wait_until_succeeds("kubectl get serviceaccount default") - machine.succeed("kubectl apply -f ${testPodYaml}") - machine.succeed("kubectl wait --for 'condition=Ready' pod/test") - machine.succeed("kubectl delete -f ${testPodYaml}") + # Also wait for our service account to show up; it takes a sec + machine.wait_until_succeeds("kubectl get serviceaccount default") + machine.succeed("kubectl apply -f ${testPodYaml}") + machine.succeed("kubectl wait --for 'condition=Ready' pod/test") + machine.succeed("kubectl delete -f ${testPodYaml}") - # regression test for #176445 - machine.fail("journalctl -o cat -u k3s.service | grep 'ipset utility not found'") + # regression test for #176445 + machine.fail("journalctl -o cat -u k3s.service | grep 'ipset utility not found'") - machine.shutdown() - ''; - }) + with subtest("Run k3s-killall"): + # Call the killall script with a clean path to assert that + # all required commands are wrapped + output = machine.succeed("PATH= ${k3s}/bin/k3s-killall.sh 2>&1 | tee /dev/stderr") + assert "command not found" not in output, "killall script contains unknown command" + + # Check that killall cleaned up properly + machine.fail("systemctl is-active k3s.service") + machine.fail("systemctl list-units | grep containerd") + machine.fail("ip link show | awk -F': ' '{print $2}' | grep -e flannel -e cni0") + machine.fail("ip netns show | grep cni-") + + machine.shutdown() + ''; + } +) diff --git a/nixpkgs/nixos/tests/kernel-generic.nix b/nixpkgs/nixos/tests/kernel-generic.nix index 5f0e7b3e37cd..07e15a380b6d 100644 --- a/nixpkgs/nixos/tests/kernel-generic.nix +++ b/nixpkgs/nixos/tests/kernel-generic.nix @@ -31,6 +31,7 @@ let linux_5_15_hardened linux_6_1_hardened linux_6_6_hardened + linux_6_8_hardened linux_rt_5_4 linux_rt_5_10 linux_rt_5_15 diff --git a/nixpkgs/nixos/tests/knot.nix b/nixpkgs/nixos/tests/knot.nix index eec94a22f2fa..4441fed6ef50 100644 --- a/nixpkgs/nixos/tests/knot.nix +++ b/nixpkgs/nixos/tests/knot.nix @@ -190,6 +190,10 @@ in { primary.wait_for_unit("knot.service") secondary.wait_for_unit("knot.service") + for zone in ("example.com.", "sub.example.com."): + secondary.wait_until_succeeds( + f"knotc zone-status {zone} | grep -q 'serial: 2019031302'" + ) def test(host, query_type, query, pattern): out = client.succeed(f"khost -t {query_type} {query} {host}").strip() diff --git a/nixpkgs/nixos/tests/login.nix b/nixpkgs/nixos/tests/login.nix index 67f5764a0a16..bcaee03175ad 100644 --- a/nixpkgs/nixos/tests/login.nix +++ b/nixpkgs/nixos/tests/login.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... }: { name = "login"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes.machine = diff --git a/nixpkgs/nixos/tests/logrotate.nix b/nixpkgs/nixos/tests/logrotate.nix index bcbe89c259ae..f9c5e9060970 100644 --- a/nixpkgs/nixos/tests/logrotate.nix +++ b/nixpkgs/nixos/tests/logrotate.nix @@ -16,52 +16,60 @@ import ./make-test-python.nix ({ pkgs, ... }: rec { }; nodes = { - defaultMachine = { ... }: { }; + defaultMachine = { ... }: { + services.logrotate.enable = true; + }; failingMachine = { ... }: { - services.logrotate.configFile = pkgs.writeText "logrotate.conf" '' - # self-written config file - su notarealuser notagroupeither - ''; + services.logrotate = { + enable = true; + configFile = pkgs.writeText "logrotate.conf" '' + # self-written config file + su notarealuser notagroupeither + ''; + }; }; machine = { config, ... }: { imports = [ importTest ]; - services.logrotate.settings = { - # remove default frequency header and add another - header = { - frequency = null; - delaycompress = true; - }; - # extra global setting... affecting nothing - last_line = { - global = true; - priority = 2000; - shred = true; - }; - # using mail somewhere should add --mail to logrotate invocation - sendmail = { - mail = "user@domain.tld"; - }; - # postrotate should be suffixed by 'endscript' - postrotate = { - postrotate = "touch /dev/null"; - }; - # check checkConfig works as expected: there is nothing to check here - # except that the file build passes - checkConf = { - su = "root utmp"; - createolddir = "0750 root utmp"; - create = "root utmp"; - "create " = "0750 root utmp"; - }; - # multiple paths should be aggregated - multipath = { - files = [ "file1" "file2" ]; - }; - # overriding imported path should keep existing attributes - # (e.g. olddir is still set) - import = { - notifempty = true; + services.logrotate = { + enable = true; + settings = { + # remove default frequency header and add another + header = { + frequency = null; + delaycompress = true; + }; + # extra global setting... affecting nothing + last_line = { + global = true; + priority = 2000; + shred = true; + }; + # using mail somewhere should add --mail to logrotate invocation + sendmail = { + mail = "user@domain.tld"; + }; + # postrotate should be suffixed by 'endscript' + postrotate = { + postrotate = "touch /dev/null"; + }; + # check checkConfig works as expected: there is nothing to check here + # except that the file build passes + checkConf = { + su = "root utmp"; + createolddir = "0750 root utmp"; + create = "root utmp"; + "create " = "0750 root utmp"; + }; + # multiple paths should be aggregated + multipath = { + files = [ "file1" "file2" ]; + }; + # overriding imported path should keep existing attributes + # (e.g. olddir is still set) + import = { + notifempty = true; + }; }; }; }; diff --git a/nixpkgs/nixos/tests/mediamtx.nix b/nixpkgs/nixos/tests/mediamtx.nix index 8cacd02631d9..f40c4a8cb583 100644 --- a/nixpkgs/nixos/tests/mediamtx.nix +++ b/nixpkgs/nixos/tests/mediamtx.nix @@ -1,57 +1,60 @@ -import ./make-test-python.nix ({ pkgs, lib, ...} : +import ./make-test-python.nix ( + { pkgs, lib, ... }: -{ - name = "mediamtx"; - meta.maintainers = with lib.maintainers; [ fpletz ]; + { + name = "mediamtx"; + meta.maintainers = with lib.maintainers; [ fpletz ]; - nodes = { - machine = { config, ... }: { - services.mediamtx = { - enable = true; - settings = { - metrics = true; - paths.all.source = "publisher"; + nodes = { + machine = { + services.mediamtx = { + enable = true; + settings = { + metrics = true; + paths.all.source = "publisher"; + }; }; - }; - systemd.services.rtmp-publish = { - description = "Publish an RTMP stream to mediamtx"; - after = [ "mediamtx.service" ]; - bindsTo = [ "mediamtx.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - DynamicUser = true; - Restart = "on-failure"; - RestartSec = "1s"; - TimeoutStartSec = "10s"; - ExecStart = "${lib.getBin pkgs.ffmpeg-headless}/bin/ffmpeg -re -f lavfi -i smptebars=size=800x600:rate=10 -c libx264 -f flv rtmp://localhost:1935/test"; + systemd.services.rtmp-publish = { + description = "Publish an RTMP stream to mediamtx"; + after = [ "mediamtx.service" ]; + bindsTo = [ "mediamtx.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + Restart = "on-failure"; + RestartSec = "1s"; + TimeoutStartSec = "10s"; + ExecStart = "${lib.getBin pkgs.ffmpeg-headless}/bin/ffmpeg -re -f lavfi -i smptebars=size=800x600:rate=10 -c libx264 -f flv rtmp://localhost:1935/test"; + }; }; - }; - systemd.services.rtmp-receive = { - description = "Receive an RTMP stream from mediamtx"; - after = [ "rtmp-publish.service" ]; - bindsTo = [ "rtmp-publish.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - DynamicUser = true; - Restart = "on-failure"; - RestartSec = "1s"; - TimeoutStartSec = "10s"; - ExecStart = "${lib.getBin pkgs.ffmpeg-headless}/bin/ffmpeg -y -re -i rtmp://localhost:1935/test -f flv /dev/null"; + systemd.services.rtmp-receive = { + description = "Receive an RTMP stream from mediamtx"; + after = [ "rtmp-publish.service" ]; + bindsTo = [ "rtmp-publish.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + DynamicUser = true; + Restart = "on-failure"; + RestartSec = "1s"; + TimeoutStartSec = "10s"; + ExecStart = "${lib.getBin pkgs.ffmpeg-headless}/bin/ffmpeg -y -re -i rtmp://localhost:1935/test -f flv /dev/null"; + }; }; }; }; - }; - testScript = '' - start_all() + testScript = '' + start_all() - machine.wait_for_unit("mediamtx.service") - machine.wait_for_unit("rtmp-publish.service") - machine.wait_for_unit("rtmp-receive.service") - machine.wait_for_open_port(9998) - machine.succeed("curl http://localhost:9998/metrics | grep '^rtmp_conns.*state=\"publish\".*1$'") - machine.succeed("curl http://localhost:9998/metrics | grep '^rtmp_conns.*state=\"read\".*1$'") - ''; -}) + machine.wait_for_unit("mediamtx.service") + machine.wait_for_unit("rtmp-publish.service") + machine.sleep(10) + machine.wait_for_unit("rtmp-receive.service") + machine.wait_for_open_port(9998) + machine.succeed("curl http://localhost:9998/metrics | grep '^rtmp_conns.*state=\"publish\".*1$'") + machine.succeed("curl http://localhost:9998/metrics | grep '^rtmp_conns.*state=\"read\".*1$'") + ''; + } +) diff --git a/nixpkgs/nixos/tests/misc.nix b/nixpkgs/nixos/tests/misc.nix index e7842debba7a..83e0f46be3ec 100644 --- a/nixpkgs/nixos/tests/misc.nix +++ b/nixpkgs/nixos/tests/misc.nix @@ -1,164 +1,185 @@ # Miscellaneous small tests that don't warrant their own VM run. - -import ./make-test-python.nix ({ lib, pkgs, ...} : let - foo = pkgs.writeText "foo" "Hello World"; -in { - name = "misc"; - meta.maintainers = with lib.maintainers; [ eelco ]; - - nodes.machine = - { lib, ... }: - { swapDevices = lib.mkOverride 0 - [ { device = "/root/swapfile"; size = 128; } ]; - environment.variables.EDITOR = lib.mkOverride 0 "emacs"; - documentation.nixos.enable = lib.mkOverride 0 true; - systemd.tmpfiles.rules = [ "d /tmp 1777 root root 10d" ]; - systemd.tmpfiles.settings."10-test"."/tmp/somefile".d = {}; - virtualisation.fileSystems = { "/tmp2" = - { fsType = "tmpfs"; - options = [ "mode=1777" "noauto" ]; - }; - # Tests https://discourse.nixos.org/t/how-to-make-a-derivations-executables-have-the-s-permission/8555 - "/user-mount/point" = { - device = "/user-mount/source"; - fsType = "none"; - options = [ "bind" "rw" "user" "noauto" ]; - }; - "/user-mount/denied-point" = { - device = "/user-mount/denied-source"; - fsType = "none"; - options = [ "bind" "rw" "noauto" ]; +{ pkgs, ... }: + +let + inherit (pkgs) lib; + tests = { + default = testsForPackage { nixPackage = pkgs.nix; }; + lix = testsForPackage { nixPackage = pkgs.lix; }; + }; + + testsForPackage = args: lib.recurseIntoAttrs { + # If the attribute is not named 'test' + # You will break all the universe on the release-*.nix side of things. + # `discoverTests` relies on `test` existence to perform a `callTest`. + test = testMiscFeatures args; + passthru.override = args': testsForPackage (args // args'); + }; + + testMiscFeatures = { nixPackage, ... }: pkgs.testers.nixosTest ( + let + foo = pkgs.writeText "foo" "Hello World"; + in { + name = "misc"; + meta.maintainers = with lib.maintainers; [ raitobezarius ]; + + nodes.machine = + { lib, ... }: + { swapDevices = lib.mkOverride 0 + [ { device = "/root/swapfile"; size = 128; } ]; + environment.variables.EDITOR = lib.mkOverride 0 "emacs"; + documentation.nixos.enable = lib.mkOverride 0 true; + systemd.tmpfiles.rules = [ "d /tmp 1777 root root 10d" ]; + systemd.tmpfiles.settings."10-test"."/tmp/somefile".d = {}; + virtualisation.fileSystems = { "/tmp2" = + { fsType = "tmpfs"; + options = [ "mode=1777" "noauto" ]; + }; + # Tests https://discourse.nixos.org/t/how-to-make-a-derivations-executables-have-the-s-permission/8555 + "/user-mount/point" = { + device = "/user-mount/source"; + fsType = "none"; + options = [ "bind" "rw" "user" "noauto" ]; + }; + "/user-mount/denied-point" = { + device = "/user-mount/denied-source"; + fsType = "none"; + options = [ "bind" "rw" "noauto" ]; + }; }; + systemd.automounts = lib.singleton + { wantedBy = [ "multi-user.target" ]; + where = "/tmp2"; + }; + users.users.sybil = { isNormalUser = true; group = "wheel"; }; + users.users.alice = { isNormalUser = true; }; + security.sudo = { enable = true; wheelNeedsPassword = false; }; + boot.kernel.sysctl."vm.swappiness" = 1; + boot.kernelParams = [ "vsyscall=emulate" ]; + system.extraDependencies = [ foo ]; + + nix.package = nixPackage; }; - systemd.automounts = lib.singleton - { wantedBy = [ "multi-user.target" ]; - where = "/tmp2"; - }; - users.users.sybil = { isNormalUser = true; group = "wheel"; }; - users.users.alice = { isNormalUser = true; }; - security.sudo = { enable = true; wheelNeedsPassword = false; }; - boot.kernel.sysctl."vm.swappiness" = 1; - boot.kernelParams = [ "vsyscall=emulate" ]; - system.extraDependencies = [ foo ]; - }; - - testScript = - '' - import json - - - def get_path_info(path): - result = machine.succeed(f"nix --option experimental-features nix-command path-info --json {path}") - parsed = json.loads(result) - return parsed - - - with subtest("nix-db"): - info = get_path_info("${foo}") - print(info) - - if ( - info[0]["narHash"] - != "sha256-BdMdnb/0eWy3EddjE83rdgzWWpQjfWPAj3zDIFMD3Ck=" - ): - raise Exception("narHash not set") - - if info[0]["narSize"] != 128: - raise Exception("narSize not set") - - with subtest("nixos-version"): - machine.succeed("[ `nixos-version | wc -w` = 2 ]") - - with subtest("nixos-rebuild"): - assert "NixOS module" in machine.succeed("nixos-rebuild --help") - - with subtest("Sanity check for uid/gid assignment"): - assert "4" == machine.succeed("id -u messagebus").strip() - assert "4" == machine.succeed("id -g messagebus").strip() - assert "users:x:100:" == machine.succeed("getent group users").strip() - - with subtest("Regression test for GMP aborts on QEMU."): - machine.succeed("expr 1 + 2") - - with subtest("the swap file got created"): - machine.wait_for_unit("root-swapfile.swap") - machine.succeed("ls -l /root/swapfile | grep 134217728") - - with subtest("whether kernel.poweroff_cmd is set"): - machine.succeed('[ -x "$(cat /proc/sys/kernel/poweroff_cmd)" ]') - - with subtest("whether the io cgroupv2 controller is properly enabled"): - machine.succeed("grep -q '\\bio\\b' /sys/fs/cgroup/cgroup.controllers") - - with subtest("whether we have a reboot record in wtmp"): - machine.shutdown - machine.wait_for_unit("multi-user.target") - machine.succeed("last | grep reboot >&2") - - with subtest("whether we can override environment variables"): - machine.succeed('[ "$EDITOR" = emacs ]') - - with subtest("whether hostname (and by extension nss_myhostname) works"): - assert "machine" == machine.succeed("hostname").strip() - assert "machine" == machine.succeed("hostname -s").strip() - - with subtest("whether systemd-udevd automatically loads modules for our hardware"): - machine.succeed("systemctl start systemd-udev-settle.service") - machine.wait_for_unit("systemd-udev-settle.service") - assert "mousedev" in machine.succeed("lsmod") - - with subtest("whether systemd-tmpfiles-clean works"): - machine.succeed( - "touch /tmp/foo", "systemctl start systemd-tmpfiles-clean", "[ -e /tmp/foo ]" - ) - # move into the future - machine.succeed( - 'date -s "@$(($(date +%s) + 1000000))"', - "systemctl start systemd-tmpfiles-clean", - ) - machine.fail("[ -e /tmp/foo ]") - - with subtest("whether systemd-tmpfiles settings works"): - machine.succeed("[ -e /tmp/somefile ]") - - with subtest("whether automounting works"): - machine.fail("grep '/tmp2 tmpfs' /proc/mounts") - machine.succeed("touch /tmp2/x") - machine.succeed("grep '/tmp2 tmpfs' /proc/mounts") - - with subtest( - "Whether mounting by a user is possible with the `user` option in fstab (#95444)" - ): - machine.succeed("mkdir -p /user-mount/source") - machine.succeed("touch /user-mount/source/file") - machine.succeed("chmod -R a+Xr /user-mount/source") - machine.succeed("mkdir /user-mount/point") - machine.succeed("chown alice:users /user-mount/point") - machine.succeed("su - alice -c 'mount /user-mount/point'") - machine.succeed("su - alice -c 'ls /user-mount/point/file'") - with subtest( - "Whether mounting by a user is denied without the `user` option in fstab" - ): - machine.succeed("mkdir -p /user-mount/denied-source") - machine.succeed("touch /user-mount/denied-source/file") - machine.succeed("chmod -R a+Xr /user-mount/denied-source") - machine.succeed("mkdir /user-mount/denied-point") - machine.succeed("chown alice:users /user-mount/denied-point") - machine.fail("su - alice -c 'mount /user-mount/denied-point'") - - with subtest("shell-vars"): - machine.succeed('[ -n "$NIX_PATH" ]') - - with subtest("nix-db"): - machine.succeed("nix-store -qR /run/current-system | grep nixos-") - - with subtest("Test sysctl"): - machine.wait_for_unit("systemd-sysctl.service") - assert "1" == machine.succeed("sysctl -ne vm.swappiness").strip() - machine.execute("sysctl vm.swappiness=60") - assert "60" == machine.succeed("sysctl -ne vm.swappiness").strip() - - with subtest("Test boot parameters"): - assert "vsyscall=emulate" in machine.succeed("cat /proc/cmdline") - ''; -}) + + testScript = + '' + import json + + + def get_path_info(path): + result = machine.succeed(f"nix --option experimental-features nix-command path-info --json {path}") + parsed = json.loads(result) + return parsed + + + with subtest("nix-db"): + info = get_path_info("${foo}") + print(info) + + if ( + info[0]["narHash"] + != "sha256-BdMdnb/0eWy3EddjE83rdgzWWpQjfWPAj3zDIFMD3Ck=" + ): + raise Exception("narHash not set") + + if info[0]["narSize"] != 128: + raise Exception("narSize not set") + + with subtest("nixos-version"): + machine.succeed("[ `nixos-version | wc -w` = 2 ]") + + with subtest("nixos-rebuild"): + assert "NixOS module" in machine.succeed("nixos-rebuild --help") + + with subtest("Sanity check for uid/gid assignment"): + assert "4" == machine.succeed("id -u messagebus").strip() + assert "4" == machine.succeed("id -g messagebus").strip() + assert "users:x:100:" == machine.succeed("getent group users").strip() + + with subtest("Regression test for GMP aborts on QEMU."): + machine.succeed("expr 1 + 2") + + with subtest("the swap file got created"): + machine.wait_for_unit("root-swapfile.swap") + machine.succeed("ls -l /root/swapfile | grep 134217728") + + with subtest("whether kernel.poweroff_cmd is set"): + machine.succeed('[ -x "$(cat /proc/sys/kernel/poweroff_cmd)" ]') + + with subtest("whether the io cgroupv2 controller is properly enabled"): + machine.succeed("grep -q '\\bio\\b' /sys/fs/cgroup/cgroup.controllers") + + with subtest("whether we have a reboot record in wtmp"): + machine.shutdown + machine.wait_for_unit("multi-user.target") + machine.succeed("last | grep reboot >&2") + + with subtest("whether we can override environment variables"): + machine.succeed('[ "$EDITOR" = emacs ]') + + with subtest("whether hostname (and by extension nss_myhostname) works"): + assert "machine" == machine.succeed("hostname").strip() + assert "machine" == machine.succeed("hostname -s").strip() + + with subtest("whether systemd-udevd automatically loads modules for our hardware"): + machine.succeed("systemctl start systemd-udev-settle.service") + machine.wait_for_unit("systemd-udev-settle.service") + assert "mousedev" in machine.succeed("lsmod") + + with subtest("whether systemd-tmpfiles-clean works"): + machine.succeed( + "touch /tmp/foo", "systemctl start systemd-tmpfiles-clean", "[ -e /tmp/foo ]" + ) + # move into the future + machine.succeed( + 'date -s "@$(($(date +%s) + 1000000))"', + "systemctl start systemd-tmpfiles-clean", + ) + machine.fail("[ -e /tmp/foo ]") + + with subtest("whether systemd-tmpfiles settings works"): + machine.succeed("[ -e /tmp/somefile ]") + + with subtest("whether automounting works"): + machine.fail("grep '/tmp2 tmpfs' /proc/mounts") + machine.succeed("touch /tmp2/x") + machine.succeed("grep '/tmp2 tmpfs' /proc/mounts") + + with subtest( + "Whether mounting by a user is possible with the `user` option in fstab (#95444)" + ): + machine.succeed("mkdir -p /user-mount/source") + machine.succeed("touch /user-mount/source/file") + machine.succeed("chmod -R a+Xr /user-mount/source") + machine.succeed("mkdir /user-mount/point") + machine.succeed("chown alice:users /user-mount/point") + machine.succeed("su - alice -c 'mount /user-mount/point'") + machine.succeed("su - alice -c 'ls /user-mount/point/file'") + with subtest( + "Whether mounting by a user is denied without the `user` option in fstab" + ): + machine.succeed("mkdir -p /user-mount/denied-source") + machine.succeed("touch /user-mount/denied-source/file") + machine.succeed("chmod -R a+Xr /user-mount/denied-source") + machine.succeed("mkdir /user-mount/denied-point") + machine.succeed("chown alice:users /user-mount/denied-point") + machine.fail("su - alice -c 'mount /user-mount/denied-point'") + + with subtest("shell-vars"): + machine.succeed('[ -n "$NIX_PATH" ]') + + with subtest("nix-db"): + machine.succeed("nix-store -qR /run/current-system | grep nixos-") + + with subtest("Test sysctl"): + machine.wait_for_unit("systemd-sysctl.service") + assert "1" == machine.succeed("sysctl -ne vm.swappiness").strip() + machine.execute("sysctl vm.swappiness=60") + assert "60" == machine.succeed("sysctl -ne vm.swappiness").strip() + + with subtest("Test boot parameters"): + assert "vsyscall=emulate" in machine.succeed("cat /proc/cmdline") + ''; + }); + in + tests diff --git a/nixpkgs/nixos/tests/mumble.nix b/nixpkgs/nixos/tests/mumble.nix index 8eee454721a1..12fa00b79bbf 100644 --- a/nixpkgs/nixos/tests/mumble.nix +++ b/nixpkgs/nixos/tests/mumble.nix @@ -15,7 +15,7 @@ in { name = "mumble"; meta = with pkgs.lib.maintainers; { - maintainers = [ thoughtpolice eelco ]; + maintainers = [ thoughtpolice ]; }; nodes = { diff --git a/nixpkgs/nixos/tests/munin.nix b/nixpkgs/nixos/tests/munin.nix index e371b2dffa6b..7b7bf6f41c04 100644 --- a/nixpkgs/nixos/tests/munin.nix +++ b/nixpkgs/nixos/tests/munin.nix @@ -4,7 +4,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "munin"; meta = with pkgs.lib.maintainers; { - maintainers = [ domenkozar eelco ]; + maintainers = [ domenkozar ]; }; nodes = { diff --git a/nixpkgs/nixos/tests/mysql/common.nix b/nixpkgs/nixos/tests/mysql/common.nix index 1cf52347f4c7..ad54b0e00c1b 100644 --- a/nixpkgs/nixos/tests/mysql/common.nix +++ b/nixpkgs/nixos/tests/mysql/common.nix @@ -4,7 +4,7 @@ inherit (pkgs) mysql80; }; perconaPackages = { - inherit (pkgs) percona-server_8_0; + inherit (pkgs) percona-server_lts percona-server_innovation; }; mkTestName = pkg: "mariadb_${builtins.replaceStrings ["."] [""] (lib.versions.majorMinor pkg.version)}"; } diff --git a/nixpkgs/nixos/tests/mysql/mysql.nix b/nixpkgs/nixos/tests/mysql/mysql.nix index 0a61f9d38fe2..093da4f46aa1 100644 --- a/nixpkgs/nixos/tests/mysql/mysql.nix +++ b/nixpkgs/nixos/tests/mysql/mysql.nix @@ -146,6 +146,6 @@ in }) mariadbPackages) // (lib.mapAttrs (_: package: makeMySQLTest { inherit package; - name = "percona_8_0"; + name = builtins.replaceStrings ["-"] ["_"] package.pname; hasMroonga = false; useSocketAuth = false; }) perconaPackages) diff --git a/nixpkgs/nixos/tests/nat.nix b/nixpkgs/nixos/tests/nat.nix index 0b617cea7774..8b682a8b3aa7 100644 --- a/nixpkgs/nixos/tests/nat.nix +++ b/nixpkgs/nixos/tests/nat.nix @@ -22,7 +22,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ... name = "nat" + (lib.optionalString nftables "Nftables") + (if withFirewall then "WithFirewall" else "Standalone"); meta = with pkgs.lib.maintainers; { - maintainers = [ eelco rob ]; + maintainers = [ rob ]; }; nodes = diff --git a/nixpkgs/nixos/tests/nfs/simple.nix b/nixpkgs/nixos/tests/nfs/simple.nix index 026da9563bc0..077c1d410935 100644 --- a/nixpkgs/nixos/tests/nfs/simple.nix +++ b/nixpkgs/nixos/tests/nfs/simple.nix @@ -20,7 +20,7 @@ in { name = "nfs"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes = diff --git a/nixpkgs/nixos/tests/openssh.nix b/nixpkgs/nixos/tests/openssh.nix index 2684b6f45e84..140723a2df81 100644 --- a/nixpkgs/nixos/tests/openssh.nix +++ b/nixpkgs/nixos/tests/openssh.nix @@ -5,7 +5,7 @@ let inherit (import ./ssh-keys.nix pkgs) in { name = "openssh"; meta = with pkgs.lib.maintainers; { - maintainers = [ aszlig eelco ]; + maintainers = [ aszlig ]; }; nodes = { diff --git a/nixpkgs/nixos/tests/patroni.nix b/nixpkgs/nixos/tests/patroni.nix index 1f15cd59677a..68fce4051553 100644 --- a/nixpkgs/nixos/tests/patroni.nix +++ b/nixpkgs/nixos/tests/patroni.nix @@ -155,7 +155,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: print(node.succeed("patronictl list cluster1")) node.wait_until_succeeds(f"[ $(patronictl list -f json cluster1 | jq 'length') == {expected_replicas + 1} ]") node.wait_until_succeeds("[ $(patronictl list -f json cluster1 | jq 'map(select(.Role | test(\"^Leader$\"))) | map(select(.State | test(\"^running$\"))) | length') == 1 ]") - node.wait_until_succeeds(f"[ $(patronictl list -f json cluster1 | jq 'map(select(.Role | test(\"^Replica$\"))) | map(select(.State | test(\"^running$\"))) | length') == {expected_replicas} ]") + node.wait_until_succeeds(f"[ $(patronictl list -f json cluster1 | jq 'map(select(.Role | test(\"^Replica$\"))) | map(select(.State | test(\"^streaming$\"))) | length') == {expected_replicas} ]") print(node.succeed("patronictl list cluster1")) client.wait_until_succeeds("psql -h 127.0.0.1 -U postgres --command='select 1;'") diff --git a/nixpkgs/nixos/tests/pgvecto-rs.nix b/nixpkgs/nixos/tests/pgvecto-rs.nix index cd871dab6a0f..8d9d6c0b88f5 100644 --- a/nixpkgs/nixos/tests/pgvecto-rs.nix +++ b/nixpkgs/nixos/tests/pgvecto-rs.nix @@ -66,7 +66,7 @@ let ''; }; - applicablePostgresqlVersions = filterAttrs (_: value: versionAtLeast value.version "12") postgresql-versions; + applicablePostgresqlVersions = filterAttrs (_: value: versionAtLeast value.version "14") postgresql-versions; in mapAttrs' (name: package: { diff --git a/nixpkgs/nixos/tests/postgresql-jit.nix b/nixpkgs/nixos/tests/postgresql-jit.nix index baf26b8da2b3..f4b1d07a7faf 100644 --- a/nixpkgs/nixos/tests/postgresql-jit.nix +++ b/nixpkgs/nixos/tests/postgresql-jit.nix @@ -1,6 +1,7 @@ { system ? builtins.currentSystem , config ? {} , pkgs ? import ../.. { inherit system config; } +, package ? null }: with import ../lib/testing-python.nix { inherit system pkgs; }; @@ -9,14 +10,17 @@ let inherit (pkgs) lib; packages = builtins.attrNames (import ../../pkgs/servers/sql/postgresql pkgs); - mkJitTest = packageName: makeTest { - name = "${packageName}"; + mkJitTestFromName = name: + mkJitTest pkgs.${name}; + + mkJitTest = package: makeTest { + name = package.name; meta.maintainers = with lib.maintainers; [ ma27 ]; nodes.machine = { pkgs, lib, ... }: { services.postgresql = { + inherit package; enable = true; enableJIT = true; - package = pkgs.${packageName}; initialScript = pkgs.writeText "init.sql" '' create table demo (id int); insert into demo (id) select generate_series(1, 5); @@ -45,4 +49,7 @@ let ''; }; in -lib.genAttrs packages mkJitTest +if package == null then + lib.genAttrs packages mkJitTestFromName +else + mkJitTest package diff --git a/nixpkgs/nixos/tests/postgresql-wal-receiver.nix b/nixpkgs/nixos/tests/postgresql-wal-receiver.nix index b0bd7711dbcd..ab2ab4ad0d4f 100644 --- a/nixpkgs/nixos/tests/postgresql-wal-receiver.nix +++ b/nixpkgs/nixos/tests/postgresql-wal-receiver.nix @@ -1,6 +1,7 @@ { system ? builtins.currentSystem, config ? {}, - pkgs ? import ../.. { inherit system config; } + pkgs ? import ../.. { inherit system config; }, + package ? null }: with import ../lib/testing-python.nix { inherit system pkgs; }; @@ -9,111 +10,110 @@ let lib = pkgs.lib; # Makes a test for a PostgreSQL package, given by name and looked up from `pkgs`. - makePostgresqlWalReceiverTest = postgresqlPackage: + makeTestAttribute = name: { - name = postgresqlPackage; - value = - let - pkg = pkgs."${postgresqlPackage}"; - postgresqlDataDir = "/var/lib/postgresql/${pkg.psqlSchema}"; - replicationUser = "wal_receiver_user"; - replicationSlot = "wal_receiver_slot"; - replicationConn = "postgresql://${replicationUser}@localhost"; - baseBackupDir = "/tmp/pg_basebackup"; - walBackupDir = "/tmp/pg_wal"; - atLeast12 = lib.versionAtLeast pkg.version "12.0"; - - recoveryFile = if atLeast12 - then pkgs.writeTextDir "recovery.signal" "" - else pkgs.writeTextDir "recovery.conf" "restore_command = 'cp ${walBackupDir}/%f %p'"; - - in makeTest { - name = "postgresql-wal-receiver-${postgresqlPackage}"; - meta.maintainers = with lib.maintainers; [ pacien ]; - - nodes.machine = { ... }: { - services.postgresql = { - package = pkg; - enable = true; - settings = lib.mkMerge [ - { - wal_level = "archive"; # alias for replica on pg >= 9.6 - max_wal_senders = 10; - max_replication_slots = 10; - } - (lib.mkIf atLeast12 { - restore_command = "cp ${walBackupDir}/%f %p"; - recovery_end_command = "touch recovery.done"; - }) - ]; - authentication = '' - host replication ${replicationUser} all trust - ''; - initialScript = pkgs.writeText "init.sql" '' - create user ${replicationUser} replication; - select * from pg_create_physical_replication_slot('${replicationSlot}'); - ''; - }; + inherit name; + value = makePostgresqlWalReceiverTest pkgs."${name}"; + }; + + makePostgresqlWalReceiverTest = pkg: + let + postgresqlDataDir = "/var/lib/postgresql/${pkg.psqlSchema}"; + replicationUser = "wal_receiver_user"; + replicationSlot = "wal_receiver_slot"; + replicationConn = "postgresql://${replicationUser}@localhost"; + baseBackupDir = "/tmp/pg_basebackup"; + walBackupDir = "/tmp/pg_wal"; + + recoveryFile = pkgs.writeTextDir "recovery.signal" ""; - services.postgresqlWalReceiver.receivers.main = { - postgresqlPackage = pkg; - connection = replicationConn; - slot = replicationSlot; - directory = walBackupDir; + in makeTest { + name = "postgresql-wal-receiver-${pkg.name}"; + meta.maintainers = with lib.maintainers; [ pacien ]; + + nodes.machine = { ... }: { + services.postgresql = { + package = pkg; + enable = true; + settings = { + max_replication_slots = 10; + max_wal_senders = 10; + recovery_end_command = "touch recovery.done"; + restore_command = "cp ${walBackupDir}/%f %p"; + wal_level = "archive"; # alias for replica on pg >= 9.6 }; - # This is only to speedup test, it isn't time racing. Service is set to autorestart always, - # default 60sec is fine for real system, but is too much for a test - systemd.services.postgresql-wal-receiver-main.serviceConfig.RestartSec = lib.mkForce 5; + authentication = '' + host replication ${replicationUser} all trust + ''; + initialScript = pkgs.writeText "init.sql" '' + create user ${replicationUser} replication; + select * from pg_create_physical_replication_slot('${replicationSlot}'); + ''; }; - testScript = '' - # make an initial base backup - machine.wait_for_unit("postgresql") - machine.wait_for_unit("postgresql-wal-receiver-main") - # WAL receiver healthchecks PG every 5 seconds, so let's be sure they have connected each other - # required only for 9.4 - machine.sleep(5) - machine.succeed( - "${pkg}/bin/pg_basebackup --dbname=${replicationConn} --pgdata=${baseBackupDir}" - ) - - # create a dummy table with 100 records - machine.succeed( - "sudo -u postgres psql --command='create table dummy as select * from generate_series(1, 100) as val;'" - ) - - # stop postgres and destroy data - machine.systemctl("stop postgresql") - machine.systemctl("stop postgresql-wal-receiver-main") - machine.succeed("rm -r ${postgresqlDataDir}/{base,global,pg_*}") - - # restore the base backup - machine.succeed( - "cp -r ${baseBackupDir}/* ${postgresqlDataDir} && chown postgres:postgres -R ${postgresqlDataDir}" - ) - - # prepare WAL and recovery - machine.succeed("chmod a+rX -R ${walBackupDir}") - machine.execute( - "for part in ${walBackupDir}/*.partial; do mv $part ''${part%%.*}; done" - ) # make use of partial segments too - machine.succeed( - "cp ${recoveryFile}/* ${postgresqlDataDir}/ && chmod 666 ${postgresqlDataDir}/recovery*" - ) - - # replay WAL - machine.systemctl("start postgresql") - machine.wait_for_file("${postgresqlDataDir}/recovery.done") - machine.systemctl("restart postgresql") - machine.wait_for_unit("postgresql") - - # check that our records have been restored - machine.succeed( - "test $(sudo -u postgres psql --pset='pager=off' --tuples-only --command='select count(distinct val) from dummy;') -eq 100" - ) - ''; + services.postgresqlWalReceiver.receivers.main = { + postgresqlPackage = pkg; + connection = replicationConn; + slot = replicationSlot; + directory = walBackupDir; + }; + # This is only to speedup test, it isn't time racing. Service is set to autorestart always, + # default 60sec is fine for real system, but is too much for a test + systemd.services.postgresql-wal-receiver-main.serviceConfig.RestartSec = lib.mkForce 5; }; + + testScript = '' + # make an initial base backup + machine.wait_for_unit("postgresql") + machine.wait_for_unit("postgresql-wal-receiver-main") + # WAL receiver healthchecks PG every 5 seconds, so let's be sure they have connected each other + # required only for 9.4 + machine.sleep(5) + machine.succeed( + "${pkg}/bin/pg_basebackup --dbname=${replicationConn} --pgdata=${baseBackupDir}" + ) + + # create a dummy table with 100 records + machine.succeed( + "sudo -u postgres psql --command='create table dummy as select * from generate_series(1, 100) as val;'" + ) + + # stop postgres and destroy data + machine.systemctl("stop postgresql") + machine.systemctl("stop postgresql-wal-receiver-main") + machine.succeed("rm -r ${postgresqlDataDir}/{base,global,pg_*}") + + # restore the base backup + machine.succeed( + "cp -r ${baseBackupDir}/* ${postgresqlDataDir} && chown postgres:postgres -R ${postgresqlDataDir}" + ) + + # prepare WAL and recovery + machine.succeed("chmod a+rX -R ${walBackupDir}") + machine.execute( + "for part in ${walBackupDir}/*.partial; do mv $part ''${part%%.*}; done" + ) # make use of partial segments too + machine.succeed( + "cp ${recoveryFile}/* ${postgresqlDataDir}/ && chmod 666 ${postgresqlDataDir}/recovery*" + ) + + # replay WAL + machine.systemctl("start postgresql") + machine.wait_for_file("${postgresqlDataDir}/recovery.done") + machine.systemctl("restart postgresql") + machine.wait_for_unit("postgresql") + + # check that our records have been restored + machine.succeed( + "test $(sudo -u postgres psql --pset='pager=off' --tuples-only --command='select count(distinct val) from dummy;') -eq 100" + ) + ''; }; -# Maps the generic function over all attributes of PostgreSQL packages -in builtins.listToAttrs (map makePostgresqlWalReceiverTest (builtins.attrNames (import ../../pkgs/servers/sql/postgresql pkgs))) +in +if package == null then + # all-tests.nix: Maps the generic function over all attributes of PostgreSQL packages + builtins.listToAttrs (map makeTestAttribute (builtins.attrNames (import ../../pkgs/servers/sql/postgresql pkgs))) +else + # Called directly from <package>.tests + makePostgresqlWalReceiverTest package diff --git a/nixpkgs/nixos/tests/printing.nix b/nixpkgs/nixos/tests/printing.nix index 29c5d810f215..b413996c67db 100644 --- a/nixpkgs/nixos/tests/printing.nix +++ b/nixpkgs/nixos/tests/printing.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ( { name = "printing"; meta = with pkgs.lib.maintainers; { - maintainers = [ domenkozar eelco matthewbauer ]; + maintainers = [ domenkozar matthewbauer ]; }; nodes.server = { ... }: { diff --git a/nixpkgs/nixos/tests/private-gpt.nix b/nixpkgs/nixos/tests/private-gpt.nix new file mode 100644 index 000000000000..d19e167cc303 --- /dev/null +++ b/nixpkgs/nixos/tests/private-gpt.nix @@ -0,0 +1,27 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: +let + mainPort = "8001"; +in +{ + name = "private-gpt"; + meta = with lib.maintainers; { + maintainers = [ drupol ]; + }; + + nodes = { + machine = { ... }: { + services.private-gpt = { + enable = true; + }; + }; + }; + + testScript = '' + machine.start() + + machine.wait_for_unit("private-gpt.service") + machine.wait_for_open_port(${mainPort}) + + machine.succeed("curl http://127.0.0.1:${mainPort}") + ''; +}) diff --git a/nixpkgs/nixos/tests/proxy.nix b/nixpkgs/nixos/tests/proxy.nix index f8a3d576903e..ce7131b09a8a 100644 --- a/nixpkgs/nixos/tests/proxy.nix +++ b/nixpkgs/nixos/tests/proxy.nix @@ -12,7 +12,7 @@ let in { name = "proxy"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes = { diff --git a/nixpkgs/nixos/tests/quake3.nix b/nixpkgs/nixos/tests/quake3.nix index 2d8c5207001c..4b7ca03b365b 100644 --- a/nixpkgs/nixos/tests/quake3.nix +++ b/nixpkgs/nixos/tests/quake3.nix @@ -32,7 +32,7 @@ in rec { name = "quake3"; meta = with lib.maintainers; { - maintainers = [ domenkozar eelco ]; + maintainers = [ domenkozar ]; }; # TODO: lcov doesn't work atm diff --git a/nixpkgs/nixos/tests/rabbitmq.nix b/nixpkgs/nixos/tests/rabbitmq.nix index 040679e68d98..4b8921662b7f 100644 --- a/nixpkgs/nixos/tests/rabbitmq.nix +++ b/nixpkgs/nixos/tests/rabbitmq.nix @@ -9,7 +9,7 @@ in { name = "rabbitmq"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco offline ]; + maintainers = [ offline ]; }; nodes.machine = { diff --git a/nixpkgs/nixos/tests/samba.nix b/nixpkgs/nixos/tests/samba.nix index 252c3dd9c76e..53cdbbe1c40f 100644 --- a/nixpkgs/nixos/tests/samba.nix +++ b/nixpkgs/nixos/tests/samba.nix @@ -3,7 +3,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "samba"; - meta.maintainers = [ pkgs.lib.maintainers.eelco ]; + meta.maintainers = [ ]; nodes = { client = diff --git a/nixpkgs/nixos/tests/simple.nix b/nixpkgs/nixos/tests/simple.nix index c36287b4e843..afd49d481a65 100644 --- a/nixpkgs/nixos/tests/simple.nix +++ b/nixpkgs/nixos/tests/simple.nix @@ -1,7 +1,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { name = "simple"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes.machine = { ... }: { diff --git a/nixpkgs/nixos/tests/smokeping.nix b/nixpkgs/nixos/tests/smokeping.nix index 04f813964291..fe1ecad9969b 100644 --- a/nixpkgs/nixos/tests/smokeping.nix +++ b/nixpkgs/nixos/tests/smokeping.nix @@ -11,7 +11,6 @@ import ./make-test-python.nix ({ pkgs, ...} : { networking.domain = "example.com"; # FQDN: sm.example.com services.smokeping = { enable = true; - port = 8081; mailHost = "127.0.0.2"; probeConfig = '' + FPing @@ -25,12 +24,19 @@ import ./make-test-python.nix ({ pkgs, ...} : { testScript = '' start_all() sm.wait_for_unit("smokeping") - sm.wait_for_unit("thttpd") + sm.wait_for_unit("nginx") sm.wait_for_file("/var/lib/smokeping/data/Local/LocalMachine.rrd") - sm.succeed("curl -s -f localhost:8081/smokeping.fcgi?target=Local") + sm.succeed("curl -s -f localhost/smokeping.fcgi?target=Local") # Check that there's a helpful page without explicit path as well. - sm.succeed("curl -s -f localhost:8081") + sm.succeed("curl -s -f localhost") sm.succeed("ls /var/lib/smokeping/cache/Local/LocalMachine_mini.png") sm.succeed("ls /var/lib/smokeping/cache/index.html") + + # stop and start the service like nixos-rebuild would do + # see https://github.com/NixOS/nixpkgs/issues/265953) + sm.succeed("systemctl stop smokeping") + sm.succeed("systemctl start smokeping") + # ensure all services restarted properly + sm.succeed("systemctl --failed | grep -q '0 loaded units listed'") ''; }) diff --git a/nixpkgs/nixos/tests/stalwart-mail.nix b/nixpkgs/nixos/tests/stalwart-mail.nix index 634c0e2e3926..581090cd70f4 100644 --- a/nixpkgs/nixos/tests/stalwart-mail.nix +++ b/nixpkgs/nixos/tests/stalwart-mail.nix @@ -40,12 +40,14 @@ in import ./make-test-python.nix ({ lib, ... }: { }; }; - session.auth.mechanisms = [ "PLAIN" ]; - session.auth.directory = "in-memory"; - storage.directory = "in-memory"; # shared with imap + resolver.public-suffix = [ ]; # do not fetch from web in sandbox - session.rcpt.directory = "in-memory"; - queue.outbound.next-hop = [ "local" ]; + session.auth.mechanisms = "[plain]"; + session.auth.directory = "'in-memory'"; + storage.directory = "in-memory"; + + session.rcpt.directory = "'in-memory'"; + queue.outbound.next-hop = "'local'"; directory."in-memory" = { type = "memory"; diff --git a/nixpkgs/nixos/tests/step-ca.nix b/nixpkgs/nixos/tests/step-ca.nix index a855b590232d..c4d8168e5c51 100644 --- a/nixpkgs/nixos/tests/step-ca.nix +++ b/nixpkgs/nixos/tests/step-ca.nix @@ -62,6 +62,24 @@ import ./make-test-python.nix ({ pkgs, ... }: }; }; + caclientcaddy = + { config, pkgs, ... }: { + security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ]; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.caddy = { + enable = true; + virtualHosts."caclientcaddy".extraConfig = '' + respond "Welcome to Caddy!" + + tls caddy@example.org { + ca https://caserver:8443/acme/acme/directory + } + ''; + }; + }; + catester = { config, pkgs, ... }: { security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ]; }; @@ -71,7 +89,12 @@ import ./make-test-python.nix ({ pkgs, ... }: '' catester.start() caserver.wait_for_unit("step-ca.service") + caserver.succeed("journalctl -o cat -u step-ca.service | grep '${pkgs.step-ca.version}'") + caclient.wait_for_unit("acme-finished-caclient.target") catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"") + + caclientcaddy.wait_for_unit("caddy.service") + catester.succeed("curl https://caclientcaddy/ | grep \"Welcome to Caddy!\"") ''; }) diff --git a/nixpkgs/nixos/tests/stub-ld.nix b/nixpkgs/nixos/tests/stub-ld.nix index 25161301741b..72b0aebf3e6c 100644 --- a/nixpkgs/nixos/tests/stub-ld.nix +++ b/nixpkgs/nixos/tests/stub-ld.nix @@ -45,10 +45,10 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { ${if32 "machine.succeed('test -L /${libDir32}/${ldsoBasename32}')"} with subtest("Try FHS executable"): - machine.copy_from_host('${test-exec.${pkgs.system}}','test-exec') + machine.copy_from_host('${test-exec.${pkgs.stdenv.hostPlatform.system}}','test-exec') machine.succeed('if test-exec/${exec-name} 2>outfile; then false; else [ $? -eq 127 ];fi') machine.succeed('grep -qi nixos outfile') - ${if32 "machine.copy_from_host('${test-exec.${pkgs32.system}}','test-exec32')"} + ${if32 "machine.copy_from_host('${test-exec.${pkgs32.stdenv.hostPlatform.system}}','test-exec32')"} ${if32 "machine.succeed('if test-exec32/${exec-name} 2>outfile32; then false; else [ $? -eq 127 ];fi')"} ${if32 "machine.succeed('grep -qi nixos outfile32')"} diff --git a/nixpkgs/nixos/tests/switch-test.nix b/nixpkgs/nixos/tests/switch-test.nix index 4a7bcd5a8226..d90e5bb088ce 100644 --- a/nixpkgs/nixos/tests/switch-test.nix +++ b/nixpkgs/nixos/tests/switch-test.nix @@ -1,6 +1,6 @@ # Test configuration switching. -import ./make-test-python.nix ({ lib, pkgs, ...} : let +import ./make-test-python.nix ({ lib, pkgs, ng, ...} : let # Simple service that can either be socket-activated or that will # listen on port 1234 if not socket-activated. @@ -48,6 +48,11 @@ in { nodes = { machine = { pkgs, lib, ... }: { + system.switch = { + enable = !ng; + enableNg = ng; + }; + environment.systemPackages = [ pkgs.socat ]; # for the socket activation stuff users.mutableUsers = false; diff --git a/nixpkgs/nixos/tests/systemd-confinement.nix b/nixpkgs/nixos/tests/systemd-confinement.nix deleted file mode 100644 index bde5b770ea50..000000000000 --- a/nixpkgs/nixos/tests/systemd-confinement.nix +++ /dev/null @@ -1,184 +0,0 @@ -import ./make-test-python.nix { - name = "systemd-confinement"; - - nodes.machine = { pkgs, lib, ... }: let - testServer = pkgs.writeScript "testserver.sh" '' - #!${pkgs.runtimeShell} - export PATH=${lib.escapeShellArg "${pkgs.coreutils}/bin"} - ${lib.escapeShellArg pkgs.runtimeShell} 2>&1 - echo "exit-status:$?" - ''; - - testClient = pkgs.writeScriptBin "chroot-exec" '' - #!${pkgs.runtimeShell} -e - output="$(echo "$@" | nc -NU "/run/test$(< /teststep).sock")" - ret="$(echo "$output" | sed -nre '$s/^exit-status:([0-9]+)$/\1/p')" - echo "$output" | head -n -1 - exit "''${ret:-1}" - ''; - - mkTestStep = num: { - testScript, - config ? {}, - serviceName ? "test${toString num}", - }: { - systemd.sockets.${serviceName} = { - description = "Socket for Test Service ${toString num}"; - wantedBy = [ "sockets.target" ]; - socketConfig.ListenStream = "/run/test${toString num}.sock"; - socketConfig.Accept = true; - }; - - systemd.services."${serviceName}@" = { - description = "Confined Test Service ${toString num}"; - confinement = (config.confinement or {}) // { enable = true; }; - serviceConfig = (config.serviceConfig or {}) // { - ExecStart = testServer; - StandardInput = "socket"; - }; - } // removeAttrs config [ "confinement" "serviceConfig" ]; - - __testSteps = lib.mkOrder num ('' - machine.succeed("echo ${toString num} > /teststep") - '' + testScript); - }; - - in { - imports = lib.imap1 mkTestStep [ - { config.confinement.mode = "chroot-only"; - testScript = '' - with subtest("chroot-only confinement"): - paths = machine.succeed('chroot-exec ls -1 / | paste -sd,').strip() - assert_eq(paths, "bin,nix,run") - uid = machine.succeed('chroot-exec id -u').strip() - assert_eq(uid, "0") - machine.succeed("chroot-exec chown 65534 /bin") - ''; - } - { testScript = '' - with subtest("full confinement with APIVFS"): - machine.fail("chroot-exec ls -l /etc") - machine.fail("chroot-exec chown 65534 /bin") - assert_eq(machine.succeed('chroot-exec id -u').strip(), "0") - machine.succeed("chroot-exec chown 0 /bin") - ''; - } - { config.serviceConfig.BindReadOnlyPaths = [ "/etc" ]; - testScript = '' - with subtest("check existence of bind-mounted /etc"): - passwd = machine.succeed('chroot-exec cat /etc/passwd').strip() - assert len(passwd) > 0, "/etc/passwd must not be empty" - ''; - } - { config.serviceConfig.User = "chroot-testuser"; - config.serviceConfig.Group = "chroot-testgroup"; - testScript = '' - with subtest("check if User/Group really runs as non-root"): - machine.succeed("chroot-exec ls -l /dev") - uid = machine.succeed('chroot-exec id -u').strip() - assert uid != "0", "UID of chroot-testuser shouldn't be 0" - machine.fail("chroot-exec touch /bin/test") - ''; - } - (let - symlink = pkgs.runCommand "symlink" { - target = pkgs.writeText "symlink-target" "got me\n"; - } "ln -s \"$target\" \"$out\""; - in { - config.confinement.packages = lib.singleton symlink; - testScript = '' - with subtest("check if symlinks are properly bind-mounted"): - machine.fail("chroot-exec test -e /etc") - text = machine.succeed('chroot-exec cat ${symlink}').strip() - assert_eq(text, "got me") - ''; - }) - { config.serviceConfig.User = "chroot-testuser"; - config.serviceConfig.Group = "chroot-testgroup"; - config.serviceConfig.StateDirectory = "testme"; - testScript = '' - with subtest("check if StateDirectory works"): - machine.succeed("chroot-exec touch /tmp/canary") - machine.succeed('chroot-exec "echo works > /var/lib/testme/foo"') - machine.succeed('test "$(< /var/lib/testme/foo)" = works') - machine.succeed("test ! -e /tmp/canary") - ''; - } - { testScript = '' - with subtest("check if /bin/sh works"): - machine.succeed( - "chroot-exec test -e /bin/sh", - 'test "$(chroot-exec \'/bin/sh -c "echo bar"\')" = bar', - ) - ''; - } - { config.confinement.binSh = null; - testScript = '' - with subtest("check if suppressing /bin/sh works"): - machine.succeed("chroot-exec test ! -e /bin/sh") - machine.succeed('test "$(chroot-exec \'/bin/sh -c "echo foo"\')" != foo') - ''; - } - { config.confinement.binSh = "${pkgs.hello}/bin/hello"; - testScript = '' - with subtest("check if we can set /bin/sh to something different"): - machine.succeed("chroot-exec test -e /bin/sh") - machine.succeed('test "$(chroot-exec /bin/sh -g foo)" = foo') - ''; - } - { config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n"; - testScript = '' - with subtest("check if only Exec* dependencies are included"): - machine.succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" != eek') - ''; - } - { config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n"; - config.confinement.fullUnit = true; - testScript = '' - with subtest("check if all unit dependencies are included"): - machine.succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" = eek') - ''; - } - { serviceName = "shipped-unitfile"; - config.confinement.mode = "chroot-only"; - testScript = '' - with subtest("check if shipped unit file still works"): - machine.succeed( - 'chroot-exec \'kill -9 $$ 2>&1 || :\' | ' - 'grep -q "Too many levels of symbolic links"' - ) - ''; - } - ]; - - options.__testSteps = lib.mkOption { - type = lib.types.lines; - description = "All of the test steps combined as a single script."; - }; - - config.environment.systemPackages = lib.singleton testClient; - config.systemd.packages = lib.singleton (pkgs.writeTextFile { - name = "shipped-unitfile"; - destination = "/etc/systemd/system/shipped-unitfile@.service"; - text = '' - [Service] - SystemCallFilter=~kill - SystemCallErrorNumber=ELOOP - ''; - }); - - config.users.groups.chroot-testgroup = {}; - config.users.users.chroot-testuser = { - isSystemUser = true; - description = "Chroot Test User"; - group = "chroot-testgroup"; - }; - }; - - testScript = { nodes, ... }: '' - def assert_eq(a, b): - assert a == b, f"{a} != {b}" - - machine.wait_for_unit("multi-user.target") - '' + nodes.machine.config.__testSteps; -} diff --git a/nixpkgs/nixos/tests/systemd-confinement/checkperms.py b/nixpkgs/nixos/tests/systemd-confinement/checkperms.py new file mode 100644 index 000000000000..3c7ba279a3d2 --- /dev/null +++ b/nixpkgs/nixos/tests/systemd-confinement/checkperms.py @@ -0,0 +1,187 @@ +import errno +import os + +from enum import IntEnum +from pathlib import Path + + +class Accessibility(IntEnum): + """ + The level of accessibility we have on a file or directory. + + This is needed to assess the attack surface on the file system namespace we + have within a confined service. Higher levels mean more permissions for the + user and thus a bigger attack surface. + """ + NONE = 0 + + # Directories can be listed or files can be read. + READABLE = 1 + + # This is for special file systems such as procfs and for stuff such as + # FIFOs or character special files. The reason why this has a lower value + # than WRITABLE is because those files are more restricted on what and how + # they can be written to. + SPECIAL = 2 + + # Another special case are sticky directories, which do allow write access + # but restrict deletion. This does *not* apply to sticky directories that + # are read-only. + STICKY = 3 + + # Essentially full permissions, the kind of accessibility we want to avoid + # in most cases. + WRITABLE = 4 + + def assert_on(self, path: Path) -> None: + """ + Raise an AssertionError if the given 'path' allows for more + accessibility than 'self'. + """ + actual = self.NONE + + if path.is_symlink(): + actual = self.READABLE + elif path.is_dir(): + writable = True + + dummy_file = path / 'can_i_write' + try: + dummy_file.touch() + except OSError as e: + if e.errno in [errno.EROFS, errno.EACCES]: + writable = False + else: + raise + else: + dummy_file.unlink() + + if writable: + # The reason why we test this *after* we made sure it's + # writable is because we could have a sticky directory where + # the current user doesn't have write access. + if path.stat().st_mode & 0o1000 == 0o1000: + actual = self.STICKY + else: + actual = self.WRITABLE + else: + actual = self.READABLE + elif path.is_file(): + try: + with path.open('rb') as fp: + fp.read(1) + actual = self.READABLE + except PermissionError: + pass + + writable = True + try: + with path.open('ab') as fp: + fp.write('x') + size = fp.tell() + fp.truncate(size) + except PermissionError: + writable = False + except OSError as e: + if e.errno == errno.ETXTBSY: + writable = os.access(path, os.W_OK) + elif e.errno == errno.EROFS: + writable = False + else: + raise + + # Let's always try to fail towards being writable, so if *either* + # access(2) or a real write is successful it's writable. This is to + # make sure we don't accidentally introduce no-ops if we have bugs + # in the more complicated real write code above. + if writable or os.access(path, os.W_OK): + actual = self.WRITABLE + else: + # We need to be very careful when writing to or reading from + # special files (eg. FIFOs), since they can possibly block. So if + # it's not a file, just trust that access(2) won't lie. + if os.access(path, os.R_OK): + actual = self.READABLE + + if os.access(path, os.W_OK): + actual = self.SPECIAL + + if actual > self: + stat = path.stat() + details = ', '.join([ + f'permissions: {stat.st_mode & 0o7777:o}', + f'uid: {stat.st_uid}', + f'group: {stat.st_gid}', + ]) + + raise AssertionError( + f'Expected at most {self!r} but got {actual!r} for path' + f' {path} ({details}).' + ) + + +def is_special_fs(path: Path) -> bool: + """ + Check whether the given path truly is a special file system such as procfs + or sysfs. + """ + try: + if path == Path('/proc'): + return (path / 'version').read_text().startswith('Linux') + elif path == Path('/sys'): + return b'Linux' in (path / 'kernel' / 'notes').read_bytes() + except FileNotFoundError: + pass + return False + + +def is_empty_dir(path: Path) -> bool: + try: + next(path.iterdir()) + return False + except (StopIteration, PermissionError): + return True + + +def _assert_permissions_in_directory( + directory: Path, + accessibility: Accessibility, + subdirs: dict[Path, Accessibility], +) -> None: + accessibility.assert_on(directory) + + for file in directory.iterdir(): + if is_special_fs(file): + msg = f'Got unexpected special filesystem at {file}.' + assert subdirs.pop(file) == Accessibility.SPECIAL, msg + elif not file.is_symlink() and file.is_dir(): + subdir_access = subdirs.pop(file, accessibility) + if is_empty_dir(file): + # Whenever we got an empty directory, we check the permission + # constraints on the current directory (except if specified + # explicitly in subdirs) because for example if we're non-root + # (the constraints of the current directory are thus + # Accessibility.READABLE), we really have to make sure that + # empty directories are *never* writable. + subdir_access.assert_on(file) + else: + _assert_permissions_in_directory(file, subdir_access, subdirs) + else: + subdirs.pop(file, accessibility).assert_on(file) + + +def assert_permissions(subdirs: dict[str, Accessibility]) -> None: + """ + Recursively check whether the file system conforms to the accessibility + specification we specified via 'subdirs'. + """ + root = Path('/') + absolute_subdirs = {root / p: a for p, a in subdirs.items()} + _assert_permissions_in_directory( + root, + Accessibility.WRITABLE if os.getuid() == 0 else Accessibility.READABLE, + absolute_subdirs, + ) + for file in absolute_subdirs.keys(): + msg = f'Expected {file} to exist, but it was nowwhere to be found.' + raise AssertionError(msg) diff --git a/nixpkgs/nixos/tests/systemd-confinement/default.nix b/nixpkgs/nixos/tests/systemd-confinement/default.nix new file mode 100644 index 000000000000..15d442d476b0 --- /dev/null +++ b/nixpkgs/nixos/tests/systemd-confinement/default.nix @@ -0,0 +1,274 @@ +import ../make-test-python.nix { + name = "systemd-confinement"; + + nodes.machine = { pkgs, lib, ... }: let + testLib = pkgs.python3Packages.buildPythonPackage { + name = "confinement-testlib"; + unpackPhase = '' + cat > setup.py <<EOF + from setuptools import setup + setup(name='confinement-testlib', py_modules=["checkperms"]) + EOF + cp ${./checkperms.py} checkperms.py + ''; + }; + + mkTest = name: testScript: pkgs.writers.writePython3 "${name}.py" { + libraries = [ pkgs.python3Packages.pytest testLib ]; + } '' + # This runs our test script by using pytest's assertion rewriting, so + # that whenever we use "assert <something>", the actual values are + # printed rather than getting a generic AssertionError or the need to + # pass an explicit assertion error message. + import ast + from pathlib import Path + from _pytest.assertion.rewrite import rewrite_asserts + + script = Path('${pkgs.writeText "${name}-main.py" '' + import errno, os, pytest, signal + from subprocess import run + from checkperms import Accessibility, assert_permissions + + ${testScript} + ''}') # noqa + filename = str(script) + source = script.read_bytes() + + tree = ast.parse(source, filename=filename) + rewrite_asserts(tree, source, filename) + exec(compile(tree, filename, 'exec', dont_inherit=True)) + ''; + + mkTestStep = num: { + description, + testScript, + config ? {}, + serviceName ? "test${toString num}", + rawUnit ? null, + }: { + systemd.packages = lib.optional (rawUnit != null) (pkgs.writeTextFile { + name = serviceName; + destination = "/etc/systemd/system/${serviceName}.service"; + text = rawUnit; + }); + + systemd.services.${serviceName} = { + inherit description; + requiredBy = [ "multi-user.target" ]; + confinement = (config.confinement or {}) // { enable = true; }; + serviceConfig = (config.serviceConfig or {}) // { + ExecStart = mkTest serviceName testScript; + Type = "oneshot"; + }; + } // removeAttrs config [ "confinement" "serviceConfig" ]; + }; + + parametrisedTests = lib.concatMap ({ user, privateTmp }: let + withTmp = if privateTmp then "with PrivateTmp" else "without PrivateTmp"; + + serviceConfig = if user == "static-user" then { + User = "chroot-testuser"; + Group = "chroot-testgroup"; + } else if user == "dynamic-user" then { + DynamicUser = true; + } else {}; + + in [ + { description = "${user}, chroot-only confinement ${withTmp}"; + config = { + confinement.mode = "chroot-only"; + # Only set if privateTmp is true to ensure that the default is false. + serviceConfig = serviceConfig // lib.optionalAttrs privateTmp { + PrivateTmp = true; + }; + }; + testScript = if user == "root" then '' + assert os.getuid() == 0 + assert os.getgid() == 0 + + assert_permissions({ + 'bin': Accessibility.READABLE, + 'nix': Accessibility.READABLE, + 'run': Accessibility.READABLE, + ${lib.optionalString privateTmp "'tmp': Accessibility.STICKY,"} + ${lib.optionalString privateTmp "'var': Accessibility.READABLE,"} + ${lib.optionalString privateTmp "'var/tmp': Accessibility.STICKY,"} + }) + '' else '' + assert os.getuid() != 0 + assert os.getgid() != 0 + + assert_permissions({ + 'bin': Accessibility.READABLE, + 'nix': Accessibility.READABLE, + 'run': Accessibility.READABLE, + ${lib.optionalString privateTmp "'tmp': Accessibility.STICKY,"} + ${lib.optionalString privateTmp "'var': Accessibility.READABLE,"} + ${lib.optionalString privateTmp "'var/tmp': Accessibility.STICKY,"} + }) + ''; + } + { description = "${user}, full APIVFS confinement ${withTmp}"; + config = { + # Only set if privateTmp is false to ensure that the default is true. + serviceConfig = serviceConfig // lib.optionalAttrs (!privateTmp) { + PrivateTmp = false; + }; + }; + testScript = if user == "root" then '' + assert os.getuid() == 0 + assert os.getgid() == 0 + + assert_permissions({ + 'bin': Accessibility.READABLE, + 'nix': Accessibility.READABLE, + ${lib.optionalString privateTmp "'tmp': Accessibility.STICKY,"} + 'run': Accessibility.WRITABLE, + + 'proc': Accessibility.SPECIAL, + 'sys': Accessibility.SPECIAL, + 'dev': Accessibility.WRITABLE, + + ${lib.optionalString privateTmp "'var': Accessibility.READABLE,"} + ${lib.optionalString privateTmp "'var/tmp': Accessibility.STICKY,"} + }) + '' else '' + assert os.getuid() != 0 + assert os.getgid() != 0 + + assert_permissions({ + 'bin': Accessibility.READABLE, + 'nix': Accessibility.READABLE, + ${lib.optionalString privateTmp "'tmp': Accessibility.STICKY,"} + 'run': Accessibility.STICKY, + + 'proc': Accessibility.SPECIAL, + 'sys': Accessibility.SPECIAL, + 'dev': Accessibility.SPECIAL, + 'dev/shm': Accessibility.STICKY, + 'dev/mqueue': Accessibility.STICKY, + + ${lib.optionalString privateTmp "'var': Accessibility.READABLE,"} + ${lib.optionalString privateTmp "'var/tmp': Accessibility.STICKY,"} + }) + ''; + } + ]) (lib.cartesianProductOfSets { + user = [ "root" "dynamic-user" "static-user" ]; + privateTmp = [ true false ]; + }); + + in { + imports = lib.imap1 mkTestStep (parametrisedTests ++ [ + { description = "existence of bind-mounted /etc"; + config.serviceConfig.BindReadOnlyPaths = [ "/etc" ]; + testScript = '' + assert Path('/etc/passwd').read_text() + ''; + } + (let + symlink = pkgs.runCommand "symlink" { + target = pkgs.writeText "symlink-target" "got me"; + } "ln -s \"$target\" \"$out\""; + in { + description = "check if symlinks are properly bind-mounted"; + config.confinement.packages = lib.singleton symlink; + testScript = '' + assert Path('${symlink}').read_text() == 'got me' + ''; + }) + { description = "check if StateDirectory works"; + config.serviceConfig.User = "chroot-testuser"; + config.serviceConfig.Group = "chroot-testgroup"; + config.serviceConfig.StateDirectory = "testme"; + + # We restart on purpose here since we want to check whether the state + # directory actually persists. + config.serviceConfig.Restart = "on-failure"; + config.serviceConfig.RestartMode = "direct"; + + testScript = '' + assert not Path('/tmp/canary').exists() + Path('/tmp/canary').touch() + + if (foo := Path('/var/lib/testme/foo')).exists(): + assert Path('/var/lib/testme/foo').read_text() == 'works' + else: + Path('/var/lib/testme/foo').write_text('works') + print('<4>Exiting with failure to check persistence on restart.') + raise SystemExit(1) + ''; + } + { description = "check if /bin/sh works"; + testScript = '' + assert Path('/bin/sh').exists() + + result = run( + ['/bin/sh', '-c', 'echo -n bar'], + capture_output=True, + check=True, + ) + assert result.stdout == b'bar' + ''; + } + { description = "check if suppressing /bin/sh works"; + config.confinement.binSh = null; + testScript = '' + assert not Path('/bin/sh').exists() + with pytest.raises(FileNotFoundError): + run(['/bin/sh', '-c', 'echo foo']) + ''; + } + { description = "check if we can set /bin/sh to something different"; + config.confinement.binSh = "${pkgs.hello}/bin/hello"; + testScript = '' + assert Path('/bin/sh').exists() + result = run( + ['/bin/sh', '-g', 'foo'], + capture_output=True, + check=True, + ) + assert result.stdout == b'foo\n' + ''; + } + { description = "check if only Exec* dependencies are included"; + config.environment.FOOBAR = pkgs.writeText "foobar" "eek"; + testScript = '' + with pytest.raises(FileNotFoundError): + Path(os.environ['FOOBAR']).read_text() + ''; + } + { description = "check if fullUnit includes all dependencies"; + config.environment.FOOBAR = pkgs.writeText "foobar" "eek"; + config.confinement.fullUnit = true; + testScript = '' + assert Path(os.environ['FOOBAR']).read_text() == 'eek' + ''; + } + { description = "check if shipped unit file still works"; + config.confinement.mode = "chroot-only"; + rawUnit = '' + [Service] + SystemCallFilter=~kill + SystemCallErrorNumber=ELOOP + ''; + testScript = '' + with pytest.raises(OSError) as excinfo: + os.kill(os.getpid(), signal.SIGKILL) + assert excinfo.value.errno == errno.ELOOP + ''; + } + ]); + + config.users.groups.chroot-testgroup = {}; + config.users.users.chroot-testuser = { + isSystemUser = true; + description = "Chroot Test User"; + group = "chroot-testgroup"; + }; + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + ''; +} diff --git a/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix b/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix index 0f93492176b4..e563552a645f 100644 --- a/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix +++ b/nixpkgs/nixos/tests/systemd-initrd-modprobe.nix @@ -4,21 +4,21 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { nodes.machine = { pkgs, ... }: { testing.initrdBackdoor = true; boot.initrd.systemd.enable = true; - boot.initrd.kernelModules = [ "loop" ]; # Load module in initrd. + boot.initrd.kernelModules = [ "tcp_hybla" ]; # Load module in initrd. boot.extraModprobeConfig = '' - options loop max_loop=42 + options tcp_hybla rtt0=42 ''; }; testScript = '' machine.wait_for_unit("initrd.target") - max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop") - assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules" + rtt = machine.succeed("cat /sys/module/tcp_hybla/parameters/rtt0") + assert int(rtt) == 42, "Parameter should be respected for initrd kernel modules" # Make sure it sticks in stage 2 machine.switch_root() machine.wait_for_unit("multi-user.target") - max_loop = machine.succeed("cat /sys/module/loop/parameters/max_loop") - assert int(max_loop) == 42, "Parameter should be respected for initrd kernel modules" + rtt = machine.succeed("cat /sys/module/tcp_hybla/parameters/rtt0") + assert int(rtt) == 42, "Parameter should be respected for initrd kernel modules" ''; }) diff --git a/nixpkgs/nixos/tests/tayga.nix b/nixpkgs/nixos/tests/tayga.nix index 4aade67d74d0..204391d1312f 100644 --- a/nixpkgs/nixos/tests/tayga.nix +++ b/nixpkgs/nixos/tests/tayga.nix @@ -59,6 +59,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: ]; }; }; + programs.mtr.enable = true; }; # The router is configured with static IPv4 addresses towards the server @@ -120,6 +121,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: prefixLength = 96; }; }; + mappings = { + "192.0.2.42" = "2001:db8::2"; + }; }; }; @@ -171,6 +175,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: prefixLength = 96; }; }; + mappings = { + "192.0.2.42" = "2001:db8::2"; + }; }; }; @@ -199,7 +206,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: ]; }; }; - environment.systemPackages = [ pkgs.mtr ]; + programs.mtr.enable = true; }; }; @@ -225,10 +232,16 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: with subtest("Wait for tayga"): router.wait_for_unit("tayga.service") - with subtest("Test ICMP"): + with subtest("Test ICMP server -> client"): + server.wait_until_succeeds("ping -c 3 192.0.2.42 >&2") + + with subtest("Test ICMP and show a traceroute server -> client"): + server.wait_until_succeeds("mtr --show-ips --report-wide 192.0.2.42 >&2") + + with subtest("Test ICMP client -> server"): client.wait_until_succeeds("ping -c 3 64:ff9b::100.64.0.2 >&2") - with subtest("Test ICMP and show a traceroute"): + with subtest("Test ICMP and show a traceroute client -> server"): client.wait_until_succeeds("mtr --show-ips --report-wide 64:ff9b::100.64.0.2 >&2") router.log(router.execute("systemd-analyze security tayga.service")[1]) diff --git a/nixpkgs/nixos/tests/udisks2.nix b/nixpkgs/nixos/tests/udisks2.nix index 8cc148750c7b..b934f0b95156 100644 --- a/nixpkgs/nixos/tests/udisks2.nix +++ b/nixpkgs/nixos/tests/udisks2.nix @@ -2,6 +2,7 @@ import ./make-test-python.nix ({ pkgs, ... }: let + # FIXME: 404s stick = pkgs.fetchurl { url = "https://nixos.org/~eelco/nix/udisks-test.img.xz"; sha256 = "0was1xgjkjad91nipzclaz5biv3m4b2nk029ga6nk7iklwi19l8b"; @@ -12,7 +13,7 @@ in { name = "udisks2"; meta = with pkgs.lib.maintainers; { - maintainers = [ eelco ]; + maintainers = [ ]; }; nodes.machine = diff --git a/nixpkgs/nixos/tests/vector.nix b/nixpkgs/nixos/tests/vector.nix index a55eb4e012c5..9c0d7e84fab3 100644 --- a/nixpkgs/nixos/tests/vector.nix +++ b/nixpkgs/nixos/tests/vector.nix @@ -14,15 +14,27 @@ with pkgs.lib; enable = true; journaldAccess = true; settings = { - sources.journald.type = "journald"; + sources = { + journald.type = "journald"; + + vector_metrics.type = "internal_metrics"; + + vector_logs.type = "internal_logs"; + }; sinks = { file = { type = "file"; - inputs = [ "journald" ]; + inputs = [ "journald" "vector_logs" ]; path = "/var/lib/vector/logs.log"; encoding = { codec = "json"; }; }; + + prometheus_exporter = { + type = "prometheus_exporter"; + inputs = [ "vector_metrics" ]; + address = "[::]:9598"; + }; }; }; }; @@ -31,6 +43,10 @@ with pkgs.lib; # ensure vector is forwarding the messages appropriately testScript = '' machine.wait_for_unit("vector.service") + machine.wait_for_open_port(9598) + machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_build_info") + machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_component_received_bytes_total | grep journald") + machine.wait_until_succeeds("curl -sSf http://localhost:9598/metrics | grep vector_utilization | grep prometheus_exporter") machine.wait_for_file("/var/lib/vector/logs.log") ''; }; diff --git a/nixpkgs/nixos/tests/virtualbox.nix b/nixpkgs/nixos/tests/virtualbox.nix index 3c2a391233db..5fce3ba54812 100644 --- a/nixpkgs/nixos/tests/virtualbox.nix +++ b/nixpkgs/nixos/tests/virtualbox.nix @@ -98,7 +98,6 @@ let cfg = (import ../lib/eval-config.nix { system = if use64bitGuest then "x86_64-linux" else "i686-linux"; modules = [ - ../modules/profiles/minimal.nix (testVMConfig vmName vmScript) ]; }).config; diff --git a/nixpkgs/nixos/tests/web-apps/pretalx.nix b/nixpkgs/nixos/tests/web-apps/pretalx.nix index a226639b076b..cbb6580aa051 100644 --- a/nixpkgs/nixos/tests/web-apps/pretalx.nix +++ b/nixpkgs/nixos/tests/web-apps/pretalx.nix @@ -5,13 +5,16 @@ meta.maintainers = lib.teams.c3d2.members; nodes = { - pretalx = { + pretalx = { config, ... }: { networking.extraHosts = '' 127.0.0.1 talks.local ''; services.pretalx = { enable = true; + plugins = with config.services.pretalx.package.plugins; [ + pages + ]; nginx.domain = "talks.local"; settings = { site.url = "http://talks.local"; @@ -27,5 +30,9 @@ pretalx.wait_for_unit("pretalx-worker.service") pretalx.wait_until_succeeds("curl -q --fail http://talks.local/orga/") + + pretalx.succeed("pretalx-manage --help") + + pretalx.log(pretalx.succeed("systemd-analyze security pretalx-web.service")) ''; } diff --git a/nixpkgs/nixos/tests/ydotool.nix b/nixpkgs/nixos/tests/ydotool.nix new file mode 100644 index 000000000000..818ac6f2d50d --- /dev/null +++ b/nixpkgs/nixos/tests/ydotool.nix @@ -0,0 +1,115 @@ +import ./make-test-python.nix ( + { pkgs, lib, ... }: + let + textInput = "This works."; + inputBoxText = "Enter input"; + inputBox = pkgs.writeShellScript "zenity-input" '' + ${lib.getExe pkgs.gnome.zenity} --entry --text '${inputBoxText}:' > /tmp/output & + ''; + in + { + name = "ydotool"; + + meta = { + maintainers = with lib.maintainers; [ + OPNA2608 + quantenzitrone + ]; + }; + + nodes = { + headless = + { config, ... }: + { + imports = [ ./common/user-account.nix ]; + + users.users.alice.extraGroups = [ "ydotool" ]; + + programs.ydotool.enable = true; + + services.getty.autologinUser = "alice"; + }; + + x11 = + { config, ... }: + { + imports = [ + ./common/user-account.nix + ./common/auto.nix + ./common/x11.nix + ]; + + users.users.alice.extraGroups = [ "ydotool" ]; + + programs.ydotool.enable = true; + + test-support.displayManager.auto = { + enable = true; + user = "alice"; + }; + + services.xserver.windowManager.dwm.enable = true; + services.displayManager.defaultSession = lib.mkForce "none+dwm"; + }; + + wayland = + { config, ... }: + { + imports = [ ./common/user-account.nix ]; + + services.cage = { + enable = true; + user = "alice"; + }; + + programs.ydotool.enable = true; + + services.cage.program = inputBox; + }; + }; + + enableOCR = true; + + testScript = + { nodes, ... }: + '' + def as_user(cmd: str): + """ + Return a shell command for running a shell command as a specific user. + """ + return f"sudo -u alice -i {cmd}" + + start_all() + + # Headless + headless.wait_for_unit("multi-user.target") + headless.wait_for_text("alice") + headless.succeed(as_user("ydotool type 'echo ${textInput} > /tmp/output'")) # text input + headless.succeed(as_user("ydotool key 28:1 28:0")) # text input + headless.screenshot("headless_input") + headless.wait_for_file("/tmp/output") + headless.wait_until_succeeds("grep '${textInput}' /tmp/output") # text input + + # X11 + x11.wait_for_x() + x11.execute(as_user("${inputBox}")) + x11.wait_for_text("${inputBoxText}") + x11.succeed(as_user("ydotool type '${textInput}'")) # text input + x11.screenshot("x11_input") + x11.succeed(as_user("ydotool mousemove -a 400 110")) # mouse input + x11.succeed(as_user("ydotool click 0xC0")) # mouse input + x11.wait_for_file("/tmp/output") + x11.wait_until_succeeds("grep '${textInput}' /tmp/output") # text input + + # Wayland + wayland.wait_for_unit("graphical.target") + wayland.wait_for_text("${inputBoxText}") + wayland.succeed("ydotool type '${textInput}'") # text input + wayland.screenshot("wayland_input") + wayland.succeed("ydotool mousemove -a 100 100") # mouse input + wayland.succeed("ydotool click 0xC0") # mouse input + wayland.wait_for_file("/tmp/output") + wayland.wait_until_succeeds("grep '${textInput}' /tmp/output") # text input + ''; + } +) diff --git a/nixpkgs/nixos/tests/your_spotify.nix b/nixpkgs/nixos/tests/your_spotify.nix new file mode 100644 index 000000000000..a1fa0e459a8e --- /dev/null +++ b/nixpkgs/nixos/tests/your_spotify.nix @@ -0,0 +1,33 @@ +import ./make-test-python.nix ({pkgs, ...}: { + name = "your_spotify"; + meta = with pkgs.lib.maintainers; { + maintainers = [patrickdag]; + }; + + nodes.machine = { + services.your_spotify = { + enable = true; + spotifySecretFile = pkgs.writeText "spotifySecretFile" "deadbeef"; + settings = { + CLIENT_ENDPOINT = "http://localhost"; + API_ENDPOINT = "http://localhost:3000"; + SPOTIFY_PUBLIC = "beefdead"; + }; + enableLocalDB = true; + nginxVirtualHost = "localhost"; + }; + }; + + testScript = '' + machine.wait_for_unit("your_spotify.service") + + machine.wait_for_open_port(3000) + machine.wait_for_open_port(80) + + out = machine.succeed("curl --fail -X GET 'http://localhost:3000/'") + assert "Hello !" in out + + out = machine.succeed("curl --fail -X GET 'http://localhost:80/'") + assert "<title>Your Spotify</title>" in out + ''; +}) |