diff options
Diffstat (limited to 'nixos')
414 files changed, 20367 insertions, 11809 deletions
diff --git a/nixos/doc/manual/.gitignore b/nixos/doc/manual/.gitignore new file mode 100644 index 000000000000..879282624217 --- /dev/null +++ b/nixos/doc/manual/.gitignore @@ -0,0 +1,2 @@ +generated +manual-combined.xml diff --git a/nixos/doc/manual/Makefile b/nixos/doc/manual/Makefile new file mode 100644 index 000000000000..2e2322d5fb51 --- /dev/null +++ b/nixos/doc/manual/Makefile @@ -0,0 +1,24 @@ +.PHONY: all +all: manual-combined.xml format + +.PHONY: debug +debug: generated manual-combined.xml + +manual-combined.xml: generated *.xml + rm -f ./manual-combined.xml + nix-shell --packages xmloscopy \ + --run "xmloscopy --docbook5 ./manual.xml ./manual-combined.xml" + +.PHONY: format +format: + find . -iname '*.xml' -type f -print0 | xargs -0 -I{} -n1 \ + xmlformat --config-file "../xmlformat.conf" -i {} + +.PHONY: clean +clean: + rm -f manual-combined.xml generated + +generated: ./options-to-docbook.xsl + nix-build ../../release.nix \ + --attr manualGeneratedSources.x86_64-linux \ + --out-link ./generated diff --git a/nixos/doc/manual/administration/boot-problems.xml b/nixos/doc/manual/administration/boot-problems.xml index be6ff3aac0fe..5f05ad261ef3 100644 --- a/nixos/doc/manual/administration/boot-problems.xml +++ b/nixos/doc/manual/administration/boot-problems.xml @@ -3,63 +3,83 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-boot-problems"> + <title>Boot Problems</title> -<title>Boot Problems</title> + <para> + If NixOS fails to boot, there are a number of kernel command line parameters + that may help you to identify or fix the issue. You can add these parameters + in the GRUB boot menu by pressing “e” to modify the selected boot entry + and editing the line starting with <literal>linux</literal>. The following + are some useful kernel command line parameters that are recognised by the + NixOS boot scripts or by systemd: + <variablelist> + <varlistentry> + <term><literal>boot.shell_on_fail</literal> + </term> + <listitem> + <para> + Start a root shell if something goes wrong in stage 1 of the boot process + (the initial ramdisk). This is disabled by default because there is no + authentication for the root shell. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>boot.debug1</literal> + </term> + <listitem> + <para> + Start an interactive shell in stage 1 before anything useful has been + done. That is, no modules have been loaded and no file systems have been + mounted, except for <filename>/proc</filename> and + <filename>/sys</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>boot.trace</literal> + </term> + <listitem> + <para> + Print every shell command executed by the stage 1 and 2 boot scripts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>single</literal> + </term> + <listitem> + <para> + Boot into rescue mode (a.k.a. single user mode). This will cause systemd + to start nothing but the unit <literal>rescue.target</literal>, which + runs <command>sulogin</command> to prompt for the root password and start + a root login shell. Exiting the shell causes the system to continue with + the normal boot process. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>systemd.log_level=debug systemd.log_target=console</literal> + </term> + <listitem> + <para> + Make systemd very verbose and send log messages to the console instead of + the journal. + </para> + </listitem> + </varlistentry> + </variablelist> + For more parameters recognised by systemd, see <citerefentry> + <refentrytitle>systemd</refentrytitle> + <manvolnum>1</manvolnum></citerefentry>. + </para> -<para>If NixOS fails to boot, there are a number of kernel command -line parameters that may help you to identify or fix the issue. You -can add these parameters in the GRUB boot menu by pressing “e” to -modify the selected boot entry and editing the line starting with -<literal>linux</literal>. The following are some useful kernel command -line parameters that are recognised by the NixOS boot scripts or by -systemd: - -<variablelist> - - <varlistentry><term><literal>boot.shell_on_fail</literal></term> - <listitem><para>Start a root shell if something goes wrong in - stage 1 of the boot process (the initial ramdisk). This is - disabled by default because there is no authentication for the - root shell.</para></listitem> - </varlistentry> - - <varlistentry><term><literal>boot.debug1</literal></term> - <listitem><para>Start an interactive shell in stage 1 before - anything useful has been done. That is, no modules have been - loaded and no file systems have been mounted, except for - <filename>/proc</filename> and - <filename>/sys</filename>.</para></listitem> - </varlistentry> - - <varlistentry><term><literal>boot.trace</literal></term> - <listitem><para>Print every shell command executed by the stage 1 - and 2 boot scripts.</para></listitem> - </varlistentry> - - <varlistentry><term><literal>single</literal></term> - <listitem><para>Boot into rescue mode (a.k.a. single user mode). - This will cause systemd to start nothing but the unit - <literal>rescue.target</literal>, which runs - <command>sulogin</command> to prompt for the root password and - start a root login shell. Exiting the shell causes the system to - continue with the normal boot process.</para></listitem> - </varlistentry> - - <varlistentry><term><literal>systemd.log_level=debug systemd.log_target=console</literal></term> - <listitem><para>Make systemd very verbose and send log messages to - the console instead of the journal.</para></listitem> - </varlistentry> - -</variablelist> - -For more parameters recognised by systemd, see -<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> - -<para>If no login prompts or X11 login screens appear (e.g. due to -hanging dependencies), you can press Alt+ArrowUp. If you’re lucky, -this will start rescue mode (described above). (Also note that since -most units have a 90-second timeout before systemd gives up on them, -the <command>agetty</command> login prompts should appear eventually -unless something is very wrong.)</para> - -</section> \ No newline at end of file + <para> + If no login prompts or X11 login screens appear (e.g. due to hanging + dependencies), you can press Alt+ArrowUp. If you’re lucky, this will start + rescue mode (described above). (Also note that since most units have a + 90-second timeout before systemd gives up on them, the + <command>agetty</command> login prompts should appear eventually unless + something is very wrong.) + </para> +</section> diff --git a/nixos/doc/manual/administration/cleaning-store.xml b/nixos/doc/manual/administration/cleaning-store.xml index 4cf62947f528..ee201982a40b 100644 --- a/nixos/doc/manual/administration/cleaning-store.xml +++ b/nixos/doc/manual/administration/cleaning-store.xml @@ -3,60 +3,51 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-nix-gc"> - -<title>Cleaning the Nix Store</title> - -<para>Nix has a purely functional model, meaning that packages are -never upgraded in place. Instead new versions of packages end up in a -different location in the Nix store (<filename>/nix/store</filename>). -You should periodically run Nix’s <emphasis>garbage -collector</emphasis> to remove old, unreferenced packages. This is -easy: - + <title>Cleaning the Nix Store</title> + <para> + Nix has a purely functional model, meaning that packages are never upgraded + in place. Instead new versions of packages end up in a different location in + the Nix store (<filename>/nix/store</filename>). You should periodically run + Nix’s <emphasis>garbage collector</emphasis> to remove old, unreferenced + packages. This is easy: <screen> $ nix-collect-garbage </screen> - -Alternatively, you can use a systemd unit that does the same in the -background: - + Alternatively, you can use a systemd unit that does the same in the + background: <screen> # systemctl start nix-gc.service </screen> - -You can tell NixOS in <filename>configuration.nix</filename> to run -this unit automatically at certain points in time, for instance, every -night at 03:15: - + You can tell NixOS in <filename>configuration.nix</filename> to run this unit + automatically at certain points in time, for instance, every night at 03:15: <programlisting> -nix.gc.automatic = true; -nix.gc.dates = "03:15"; +<xref linkend="opt-nix.gc.automatic"/> = true; +<xref linkend="opt-nix.gc.dates"/> = "03:15"; </programlisting> - -</para> - -<para>The commands above do not remove garbage collector roots, such -as old system configurations. Thus they do not remove the ability to -roll back to previous configurations. The following command deletes -old roots, removing the ability to roll back to them: + </para> + <para> + The commands above do not remove garbage collector roots, such as old system + configurations. Thus they do not remove the ability to roll back to previous + configurations. The following command deletes old roots, removing the ability + to roll back to them: <screen> $ nix-collect-garbage -d </screen> -You can also do this for specific profiles, e.g. + You can also do this for specific profiles, e.g. <screen> $ nix-env -p /nix/var/nix/profiles/per-user/eelco/profile --delete-generations old </screen> -Note that NixOS system configurations are stored in the profile -<filename>/nix/var/nix/profiles/system</filename>.</para> - -<para>Another way to reclaim disk space (often as much as 40% of the -size of the Nix store) is to run Nix’s store optimiser, which seeks -out identical files in the store and replaces them with hard links to -a single copy. + Note that NixOS system configurations are stored in the profile + <filename>/nix/var/nix/profiles/system</filename>. + </para> + <para> + Another way to reclaim disk space (often as much as 40% of the size of the + Nix store) is to run Nix’s store optimiser, which seeks out identical files + in the store and replaces them with hard links to a single copy. <screen> $ nix-store --optimise </screen> -Since this command needs to read the entire Nix store, it can take -quite a while to finish.</para> - + Since this command needs to read the entire Nix store, it can take quite a + while to finish. + </para> </chapter> diff --git a/nixos/doc/manual/administration/container-networking.xml b/nixos/doc/manual/administration/container-networking.xml index d89d262eff4e..4b977d1d82eb 100644 --- a/nixos/doc/manual/administration/container-networking.xml +++ b/nixos/doc/manual/administration/container-networking.xml @@ -3,15 +3,13 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-container-networking"> + <title>Container Networking</title> - -<title>Container Networking</title> - -<para>When you create a container using <literal>nixos-container -create</literal>, it gets it own private IPv4 address in the range -<literal>10.233.0.0/16</literal>. You can get the container’s IPv4 -address as follows: - + <para> + When you create a container using <literal>nixos-container create</literal>, + it gets it own private IPv4 address in the range + <literal>10.233.0.0/16</literal>. You can get the container’s IPv4 address + as follows: <screen> # nixos-container show-ip foo 10.233.4.2 @@ -19,40 +17,39 @@ address as follows: $ ping -c1 10.233.4.2 64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms </screen> - -</para> - -<para>Networking is implemented using a pair of virtual Ethernet -devices. The network interface in the container is called -<literal>eth0</literal>, while the matching interface in the host is -called <literal>ve-<replaceable>container-name</replaceable></literal> -(e.g., <literal>ve-foo</literal>). The container has its own network -namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it -can perform arbitrary network configuration such as setting up -firewall rules, without affecting or having access to the host’s -network.</para> - -<para>By default, containers cannot talk to the outside network. If -you want that, you should set up Network Address Translation (NAT) -rules on the host to rewrite container traffic to use your external -IP address. This can be accomplished using the following configuration -on the host: - + </para> + + <para> + Networking is implemented using a pair of virtual Ethernet devices. The + network interface in the container is called <literal>eth0</literal>, while + the matching interface in the host is called + <literal>ve-<replaceable>container-name</replaceable></literal> (e.g., + <literal>ve-foo</literal>). The container has its own network namespace and + the <literal>CAP_NET_ADMIN</literal> capability, so it can perform arbitrary + network configuration such as setting up firewall rules, without affecting or + having access to the host’s network. + </para> + + <para> + By default, containers cannot talk to the outside network. If you want that, + you should set up Network Address Translation (NAT) rules on the host to + rewrite container traffic to use your external IP address. This can be + accomplished using the following configuration on the host: <programlisting> -networking.nat.enable = true; -networking.nat.internalInterfaces = ["ve-+"]; -networking.nat.externalInterface = "eth0"; +<xref linkend="opt-networking.nat.enable"/> = true; +<xref linkend="opt-networking.nat.internalInterfaces"/> = ["ve-+"]; +<xref linkend="opt-networking.nat.externalInterface"/> = "eth0"; </programlisting> -where <literal>eth0</literal> should be replaced with the desired -external interface. Note that <literal>ve-+</literal> is a wildcard -that matches all container interfaces.</para> - -<para>If you are using Network Manager, you need to explicitly prevent -it from managing container interfaces: - + where <literal>eth0</literal> should be replaced with the desired external + interface. Note that <literal>ve-+</literal> is a wildcard that matches all + container interfaces. + </para> + + <para> + If you are using Network Manager, you need to explicitly prevent it from + managing container interfaces: <programlisting> networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; </programlisting> -</para> - + </para> </section> diff --git a/nixos/doc/manual/administration/containers.xml b/nixos/doc/manual/administration/containers.xml index 4cd2c8ae5563..0d3355e56a58 100644 --- a/nixos/doc/manual/administration/containers.xml +++ b/nixos/doc/manual/administration/containers.xml @@ -3,32 +3,32 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-containers"> - -<title>Container Management</title> - -<para>NixOS allows you to easily run other NixOS instances as -<emphasis>containers</emphasis>. Containers are a light-weight -approach to virtualisation that runs software in the container at the -same speed as in the host system. NixOS containers share the Nix store -of the host, making container creation very efficient.</para> - -<warning><para>Currently, NixOS containers are not perfectly isolated -from the host system. This means that a user with root access to the -container can do things that affect the host. So you should not give -container root access to untrusted users.</para></warning> - -<para>NixOS containers can be created in two ways: imperatively, using -the command <command>nixos-container</command>, and declaratively, by -specifying them in your <filename>configuration.nix</filename>. The -declarative approach implies that containers get upgraded along with -your host system when you run <command>nixos-rebuild</command>, which -is often not what you want. By contrast, in the imperative approach, -containers are configured and updated independently from the host -system.</para> - -<xi:include href="imperative-containers.xml" /> -<xi:include href="declarative-containers.xml" /> -<xi:include href="container-networking.xml" /> - + <title>Container Management</title> + <para> + NixOS allows you to easily run other NixOS instances as + <emphasis>containers</emphasis>. Containers are a light-weight approach to + virtualisation that runs software in the container at the same speed as in + the host system. NixOS containers share the Nix store of the host, making + container creation very efficient. + </para> + <warning> + <para> + Currently, NixOS containers are not perfectly isolated from the host system. + This means that a user with root access to the container can do things that + affect the host. So you should not give container root access to untrusted + users. + </para> + </warning> + <para> + NixOS containers can be created in two ways: imperatively, using the command + <command>nixos-container</command>, and declaratively, by specifying them in + your <filename>configuration.nix</filename>. The declarative approach implies + that containers get upgraded along with your host system when you run + <command>nixos-rebuild</command>, which is often not what you want. By + contrast, in the imperative approach, containers are configured and updated + independently from the host system. + </para> + <xi:include href="imperative-containers.xml" /> + <xi:include href="declarative-containers.xml" /> + <xi:include href="container-networking.xml" /> </chapter> - diff --git a/nixos/doc/manual/administration/control-groups.xml b/nixos/doc/manual/administration/control-groups.xml index 0d7b8ae910a7..bb8b7f83d9e0 100644 --- a/nixos/doc/manual/administration/control-groups.xml +++ b/nixos/doc/manual/administration/control-groups.xml @@ -3,20 +3,18 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-cgroups"> - -<title>Control Groups</title> - -<para>To keep track of the processes in a running system, systemd uses -<emphasis>control groups</emphasis> (cgroups). A control group is a -set of processes used to allocate resources such as CPU, memory or I/O -bandwidth. There can be multiple control group hierarchies, allowing -each kind of resource to be managed independently.</para> - -<para>The command <command>systemd-cgls</command> lists all control -groups in the <literal>systemd</literal> hierarchy, which is what -systemd uses to keep track of the processes belonging to each service -or user session: - + <title>Control Groups</title> + <para> + To keep track of the processes in a running system, systemd uses + <emphasis>control groups</emphasis> (cgroups). A control group is a set of + processes used to allocate resources such as CPU, memory or I/O bandwidth. + There can be multiple control group hierarchies, allowing each kind of + resource to be managed independently. + </para> + <para> + The command <command>systemd-cgls</command> lists all control groups in the + <literal>systemd</literal> hierarchy, which is what systemd uses to keep + track of the processes belonging to each service or user session: <screen> $ systemd-cgls ├─user @@ -34,40 +32,34 @@ $ systemd-cgls │ └─2376 dhcpcd --config /nix/store/f8dif8dsi2yaa70n03xir8r653776ka6-dhcpcd.conf └─ <replaceable>...</replaceable> </screen> - -Similarly, <command>systemd-cgls cpu</command> shows the cgroups in -the CPU hierarchy, which allows per-cgroup CPU scheduling priorities. -By default, every systemd service gets its own CPU cgroup, while all -user sessions are in the top-level CPU cgroup. This ensures, for -instance, that a thousand run-away processes in the -<literal>httpd.service</literal> cgroup cannot starve the CPU for one -process in the <literal>postgresql.service</literal> cgroup. (By -contrast, it they were in the same cgroup, then the PostgreSQL process -would get 1/1001 of the cgroup’s CPU time.) You can limit a service’s -CPU share in <filename>configuration.nix</filename>: - + Similarly, <command>systemd-cgls cpu</command> shows the cgroups in the CPU + hierarchy, which allows per-cgroup CPU scheduling priorities. By default, + every systemd service gets its own CPU cgroup, while all user sessions are in + the top-level CPU cgroup. This ensures, for instance, that a thousand + run-away processes in the <literal>httpd.service</literal> cgroup cannot + starve the CPU for one process in the <literal>postgresql.service</literal> + cgroup. (By contrast, it they were in the same cgroup, then the PostgreSQL + process would get 1/1001 of the cgroup’s CPU time.) You can limit a + service’s CPU share in <filename>configuration.nix</filename>: <programlisting> -systemd.services.httpd.serviceConfig.CPUShares = 512; +<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.httpd.serviceConfig</link>.CPUShares = 512; </programlisting> - -By default, every cgroup has 1024 CPU shares, so this will halve the -CPU allocation of the <literal>httpd.service</literal> cgroup.</para> - -<para>There also is a <literal>memory</literal> hierarchy that -controls memory allocation limits; by default, all processes are in -the top-level cgroup, so any service or session can exhaust all -available memory. Per-cgroup memory limits can be specified in -<filename>configuration.nix</filename>; for instance, to limit -<literal>httpd.service</literal> to 512 MiB of RAM (excluding swap): - + By default, every cgroup has 1024 CPU shares, so this will halve the CPU + allocation of the <literal>httpd.service</literal> cgroup. + </para> + <para> + There also is a <literal>memory</literal> hierarchy that controls memory + allocation limits; by default, all processes are in the top-level cgroup, so + any service or session can exhaust all available memory. Per-cgroup memory + limits can be specified in <filename>configuration.nix</filename>; for + instance, to limit <literal>httpd.service</literal> to 512 MiB of RAM + (excluding swap): <programlisting> -systemd.services.httpd.serviceConfig.MemoryLimit = "512M"; +<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.httpd.serviceConfig</link>.MemoryLimit = "512M"; </programlisting> - -</para> - -<para>The command <command>systemd-cgtop</command> shows a -continuously updated list of all cgroups with their CPU and memory -usage.</para> - + </para> + <para> + The command <command>systemd-cgtop</command> shows a continuously updated + list of all cgroups with their CPU and memory usage. + </para> </chapter> diff --git a/nixos/doc/manual/administration/declarative-containers.xml b/nixos/doc/manual/administration/declarative-containers.xml index 94f03a2ee116..2a98fb126231 100644 --- a/nixos/doc/manual/administration/declarative-containers.xml +++ b/nixos/doc/manual/administration/declarative-containers.xml @@ -3,58 +3,58 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-declarative-containers"> + <title>Declarative Container Specification</title> -<title>Declarative Container Specification</title> - -<para>You can also specify containers and their configuration in the -host’s <filename>configuration.nix</filename>. For example, the -following specifies that there shall be a container named -<literal>database</literal> running PostgreSQL: - + <para> + You can also specify containers and their configuration in the host’s + <filename>configuration.nix</filename>. For example, the following specifies + that there shall be a container named <literal>database</literal> running + PostgreSQL: <programlisting> containers.database = { config = { config, pkgs, ... }: - { services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql96; + { <xref linkend="opt-services.postgresql.enable"/> = true; + <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql96; }; }; </programlisting> - -If you run <literal>nixos-rebuild switch</literal>, the container will -be built. If the container was already running, it will be -updated in place, without rebooting. The container can be configured to -start automatically by setting <literal>containers.database.autoStart = true</literal> -in its configuration.</para> - -<para>By default, declarative containers share the network namespace -of the host, meaning that they can listen on (privileged) -ports. However, they cannot change the network configuration. You can -give a container its own network as follows: - + If you run <literal>nixos-rebuild switch</literal>, the container will be + built. If the container was already running, it will be updated in place, + without rebooting. The container can be configured to start automatically by + setting <literal>containers.database.autoStart = true</literal> in its + configuration. + </para> + + <para> + By default, declarative containers share the network namespace of the host, + meaning that they can listen on (privileged) ports. However, they cannot + change the network configuration. You can give a container its own network as + follows: <programlisting> -containers.database = - { privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.11"; - }; +containers.database = { + <link linkend="opt-containers._name_.privateNetwork">privateNetwork</link> = true; + <link linkend="opt-containers._name_.hostAddress">hostAddress</link> = "192.168.100.10"; + <link linkend="opt-containers._name_.localAddress">localAddress</link> = "192.168.100.11"; +}; </programlisting> - -This gives the container a private virtual Ethernet interface with IP -address <literal>192.168.100.11</literal>, which is hooked up to a -virtual Ethernet interface on the host with IP address -<literal>192.168.100.10</literal>. (See the next section for details -on container networking.)</para> - -<para>To disable the container, just remove it from -<filename>configuration.nix</filename> and run <literal>nixos-rebuild -switch</literal>. Note that this will not delete the root directory of -the container in <literal>/var/lib/containers</literal>. Containers can be -destroyed using the imperative method: <literal>nixos-container destroy - foo</literal>.</para> - -<para>Declarative containers can be started and stopped using the -corresponding systemd service, e.g. <literal>systemctl start -container@database</literal>.</para> - + This gives the container a private virtual Ethernet interface with IP address + <literal>192.168.100.11</literal>, which is hooked up to a virtual Ethernet + interface on the host with IP address <literal>192.168.100.10</literal>. (See + the next section for details on container networking.) + </para> + + <para> + To disable the container, just remove it from + <filename>configuration.nix</filename> and run <literal>nixos-rebuild + switch</literal>. Note that this will not delete the root directory of the + container in <literal>/var/lib/containers</literal>. Containers can be + destroyed using the imperative method: <literal>nixos-container destroy + foo</literal>. + </para> + + <para> + Declarative containers can be started and stopped using the corresponding + systemd service, e.g. <literal>systemctl start container@database</literal>. + </para> </section> diff --git a/nixos/doc/manual/administration/imperative-containers.xml b/nixos/doc/manual/administration/imperative-containers.xml index d5d8140e0764..9cc7ca3e672a 100644 --- a/nixos/doc/manual/administration/imperative-containers.xml +++ b/nixos/doc/manual/administration/imperative-containers.xml @@ -3,131 +3,114 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-imperative-containers"> + <title>Imperative Container Management</title> -<title>Imperative Container Management</title> - -<para>We’ll cover imperative container management using -<command>nixos-container</command> first. -Be aware that container management is currently only possible -as <literal>root</literal>.</para> - -<para>You create a container with -identifier <literal>foo</literal> as follows: + <para> + We’ll cover imperative container management using + <command>nixos-container</command> first. Be aware that container management + is currently only possible as <literal>root</literal>. + </para> + <para> + You create a container with identifier <literal>foo</literal> as follows: <screen> # nixos-container create foo </screen> - -This creates the container’s root directory in -<filename>/var/lib/containers/foo</filename> and a small configuration -file in <filename>/etc/containers/foo.conf</filename>. It also builds -the container’s initial system configuration and stores it in -<filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You -can modify the initial configuration of the container on the command -line. For instance, to create a container that has -<command>sshd</command> running, with the given public key for -<literal>root</literal>: - + This creates the container’s root directory in + <filename>/var/lib/containers/foo</filename> and a small configuration file + in <filename>/etc/containers/foo.conf</filename>. It also builds the + container’s initial system configuration and stores it in + <filename>/nix/var/nix/profiles/per-container/foo/system</filename>. You can + modify the initial configuration of the container on the command line. For + instance, to create a container that has <command>sshd</command> running, + with the given public key for <literal>root</literal>: <screen> # nixos-container create foo --config ' - services.openssh.enable = true; - users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"]; + <xref linkend="opt-services.openssh.enable"/> = true; + <link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">users.extraUsers.root.openssh.authorizedKeys.keys</link> = ["ssh-dss AAAAB3N…"]; ' </screen> + </para> -</para> - -<para>Creating a container does not start it. To start the container, -run: - + <para> + Creating a container does not start it. To start the container, run: <screen> # nixos-container start foo </screen> - -This command will return as soon as the container has booted and has -reached <literal>multi-user.target</literal>. On the host, the -container runs within a systemd unit called -<literal>container@<replaceable>container-name</replaceable>.service</literal>. -Thus, if something went wrong, you can get status info using -<command>systemctl</command>: - + This command will return as soon as the container has booted and has reached + <literal>multi-user.target</literal>. On the host, the container runs within + a systemd unit called + <literal>container@<replaceable>container-name</replaceable>.service</literal>. + Thus, if something went wrong, you can get status info using + <command>systemctl</command>: <screen> # systemctl status container@foo </screen> + </para> -</para> - -<para>If the container has started successfully, you can log in as -root using the <command>root-login</command> operation: - + <para> + If the container has started successfully, you can log in as root using the + <command>root-login</command> operation: <screen> # nixos-container root-login foo [root@foo:~]# </screen> - -Note that only root on the host can do this (since there is no -authentication). You can also get a regular login prompt using the -<command>login</command> operation, which is available to all users on -the host: - + Note that only root on the host can do this (since there is no + authentication). You can also get a regular login prompt using the + <command>login</command> operation, which is available to all users on the + host: <screen> # nixos-container login foo foo login: alice Password: *** </screen> - -With <command>nixos-container run</command>, you can execute arbitrary -commands in the container: - + With <command>nixos-container run</command>, you can execute arbitrary + commands in the container: <screen> # nixos-container run foo -- uname -a Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux </screen> + </para> -</para> - -<para>There are several ways to change the configuration of the -container. First, on the host, you can edit -<literal>/var/lib/container/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>, -and run - + <para> + There are several ways to change the configuration of the container. First, + on the host, you can edit + <literal>/var/lib/container/<replaceable>name</replaceable>/etc/nixos/configuration.nix</literal>, + and run <screen> # nixos-container update foo </screen> - -This will build and activate the new configuration. You can also -specify a new configuration on the command line: - + This will build and activate the new configuration. You can also specify a + new configuration on the command line: <screen> # nixos-container update foo --config ' - services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.org"; - networking.firewall.allowedTCPPorts = [ 80 ]; + <xref linkend="opt-services.httpd.enable"/> = true; + <xref linkend="opt-services.httpd.adminAddr"/> = "foo@example.org"; + <xref linkend="opt-networking.firewall.allowedTCPPorts"/> = [ 80 ]; ' # curl http://$(nixos-container show-ip foo)/ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">… </screen> - -However, note that this will overwrite the container’s -<filename>/etc/nixos/configuration.nix</filename>.</para> - -<para>Alternatively, you can change the configuration from within the -container itself by running <command>nixos-rebuild switch</command> -inside the container. Note that the container by default does not have -a copy of the NixOS channel, so you should run <command>nix-channel ---update</command> first.</para> - -<para>Containers can be stopped and started using -<literal>nixos-container stop</literal> and <literal>nixos-container -start</literal>, respectively, or by using -<command>systemctl</command> on the container’s service unit. To -destroy a container, including its file system, do - + However, note that this will overwrite the container’s + <filename>/etc/nixos/configuration.nix</filename>. + </para> + + <para> + Alternatively, you can change the configuration from within the container + itself by running <command>nixos-rebuild switch</command> inside the + container. Note that the container by default does not have a copy of the + NixOS channel, so you should run <command>nix-channel --update</command> + first. + </para> + + <para> + Containers can be stopped and started using <literal>nixos-container + stop</literal> and <literal>nixos-container start</literal>, respectively, or + by using <command>systemctl</command> on the container’s service unit. To + destroy a container, including its file system, do <screen> # nixos-container destroy foo </screen> - -</para> - + </para> </section> diff --git a/nixos/doc/manual/administration/logging.xml b/nixos/doc/manual/administration/logging.xml index 1d5df7770e29..a41936b373d6 100644 --- a/nixos/doc/manual/administration/logging.xml +++ b/nixos/doc/manual/administration/logging.xml @@ -3,26 +3,20 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-logging"> - -<title>Logging</title> - -<para>System-wide logging is provided by systemd’s -<emphasis>journal</emphasis>, which subsumes traditional logging -daemons such as syslogd and klogd. Log entries are kept in binary -files in <filename>/var/log/journal/</filename>. The command -<literal>journalctl</literal> allows you to see the contents of the -journal. For example, - + <title>Logging</title> + <para> + System-wide logging is provided by systemd’s <emphasis>journal</emphasis>, + which subsumes traditional logging daemons such as syslogd and klogd. Log + entries are kept in binary files in <filename>/var/log/journal/</filename>. + The command <literal>journalctl</literal> allows you to see the contents of + the journal. For example, <screen> $ journalctl -b </screen> - -shows all journal entries since the last reboot. (The output of -<command>journalctl</command> is piped into <command>less</command> by -default.) You can use various options and match operators to restrict -output to messages of interest. For instance, to get all messages -from PostgreSQL: - + shows all journal entries since the last reboot. (The output of + <command>journalctl</command> is piped into <command>less</command> by + default.) You can use various options and match operators to restrict output + to messages of interest. For instance, to get all messages from PostgreSQL: <screen> $ journalctl -u postgresql.service -- Logs begin at Mon, 2013-01-07 13:28:01 CET, end at Tue, 2013-01-08 01:09:57 CET. -- @@ -32,21 +26,18 @@ Jan 07 15:44:14 hagbard postgres[2681]: [2-1] LOG: database system is shut down Jan 07 15:45:10 hagbard postgres[2532]: [1-1] LOG: database system was shut down at 2013-01-07 15:44:14 CET Jan 07 15:45:13 hagbard postgres[2500]: [1-1] LOG: database system is ready to accept connections </screen> - -Or to get all messages since the last reboot that have at least a -“critical” severity level: - + Or to get all messages since the last reboot that have at least a + “critical” severity level: <screen> $ journalctl -b -p crit Dec 17 21:08:06 mandark sudo[3673]: pam_unix(sudo:auth): auth could not identify password for [alice] Dec 29 01:30:22 mandark kernel[6131]: [1053513.909444] CPU6: Core temperature above threshold, cpu clock throttled (total events = 1) </screen> - -</para> - -<para>The system journal is readable by root and by users in the -<literal>wheel</literal> and <literal>systemd-journal</literal> -groups. All users have a private journal that can be read using -<command>journalctl</command>.</para> - -</chapter> \ No newline at end of file + </para> + <para> + The system journal is readable by root and by users in the + <literal>wheel</literal> and <literal>systemd-journal</literal> groups. All + users have a private journal that can be read using + <command>journalctl</command>. + </para> +</chapter> diff --git a/nixos/doc/manual/administration/maintenance-mode.xml b/nixos/doc/manual/administration/maintenance-mode.xml index 17a1609e5579..71e3f9ea665d 100644 --- a/nixos/doc/manual/administration/maintenance-mode.xml +++ b/nixos/doc/manual/administration/maintenance-mode.xml @@ -3,16 +3,14 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-maintenance-mode"> + <title>Maintenance Mode</title> -<title>Maintenance Mode</title> - -<para>You can enter rescue mode by running: - + <para> + You can enter rescue mode by running: <screen> # systemctl rescue</screen> - -This will eventually give you a single-user root shell. Systemd will -stop (almost) all system services. To get out of maintenance mode, -just exit from the rescue shell.</para> - + This will eventually give you a single-user root shell. Systemd will stop + (almost) all system services. To get out of maintenance mode, just exit from + the rescue shell. + </para> </section> diff --git a/nixos/doc/manual/administration/network-problems.xml b/nixos/doc/manual/administration/network-problems.xml index 91f9eb4e22c6..570f58358845 100644 --- a/nixos/doc/manual/administration/network-problems.xml +++ b/nixos/doc/manual/administration/network-problems.xml @@ -3,31 +3,25 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-nix-network-issues"> + <title>Network Problems</title> -<title>Network Problems</title> - -<para>Nix uses a so-called <emphasis>binary cache</emphasis> to -optimise building a package from source into downloading it as a -pre-built binary. That is, whenever a command like -<command>nixos-rebuild</command> needs a path in the Nix store, Nix -will try to download that path from the Internet rather than build it -from source. The default binary cache is -<uri>https://cache.nixos.org/</uri>. If this cache is unreachable, -Nix operations may take a long time due to HTTP connection timeouts. -You can disable the use of the binary cache by adding <option>--option -use-binary-caches false</option>, e.g. - + <para> + Nix uses a so-called <emphasis>binary cache</emphasis> to optimise building a + package from source into downloading it as a pre-built binary. That is, + whenever a command like <command>nixos-rebuild</command> needs a path in the + Nix store, Nix will try to download that path from the Internet rather than + build it from source. The default binary cache is + <uri>https://cache.nixos.org/</uri>. If this cache is unreachable, Nix + operations may take a long time due to HTTP connection timeouts. You can + disable the use of the binary cache by adding <option>--option + use-binary-caches false</option>, e.g. <screen> # nixos-rebuild switch --option use-binary-caches false </screen> - -If you have an alternative binary cache at your disposal, you can use -it instead: - + If you have an alternative binary cache at your disposal, you can use it + instead: <screen> # nixos-rebuild switch --option binary-caches http://my-cache.example.org/ </screen> - -</para> - + </para> </section> diff --git a/nixos/doc/manual/administration/rebooting.xml b/nixos/doc/manual/administration/rebooting.xml index 23f3a3219c6a..a5abd6f02588 100644 --- a/nixos/doc/manual/administration/rebooting.xml +++ b/nixos/doc/manual/administration/rebooting.xml @@ -3,42 +3,33 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-rebooting"> - -<title>Rebooting and Shutting Down</title> - -<para>The system can be shut down (and automatically powered off) by -doing: - + <title>Rebooting and Shutting Down</title> + <para> + The system can be shut down (and automatically powered off) by doing: <screen> # shutdown </screen> - -This is equivalent to running <command>systemctl -poweroff</command>.</para> - -<para>To reboot the system, run - + This is equivalent to running <command>systemctl poweroff</command>. + </para> + <para> + To reboot the system, run <screen> # reboot </screen> - -which is equivalent to <command>systemctl reboot</command>. -Alternatively, you can quickly reboot the system using -<literal>kexec</literal>, which bypasses the BIOS by directly loading -the new kernel into memory: - + which is equivalent to <command>systemctl reboot</command>. Alternatively, + you can quickly reboot the system using <literal>kexec</literal>, which + bypasses the BIOS by directly loading the new kernel into memory: <screen> # systemctl kexec </screen> - -</para> - -<para>The machine can be suspended to RAM (if supported) using -<command>systemctl suspend</command>, and suspended to disk using -<command>systemctl hibernate</command>.</para> - -<para>These commands can be run by any user who is logged in locally, -i.e. on a virtual console or in X11; otherwise, the user is asked for -authentication.</para> - + </para> + <para> + The machine can be suspended to RAM (if supported) using <command>systemctl + suspend</command>, and suspended to disk using <command>systemctl + hibernate</command>. + </para> + <para> + These commands can be run by any user who is logged in locally, i.e. on a + virtual console or in X11; otherwise, the user is asked for authentication. + </para> </chapter> diff --git a/nixos/doc/manual/administration/rollback.xml b/nixos/doc/manual/administration/rollback.xml index ae621f33de2c..07c6acaa469c 100644 --- a/nixos/doc/manual/administration/rollback.xml +++ b/nixos/doc/manual/administration/rollback.xml @@ -3,46 +3,39 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-rollback"> - -<title>Rolling Back Configuration Changes</title> - -<para>After running <command>nixos-rebuild</command> to switch to a -new configuration, you may find that the new configuration doesn’t -work very well. In that case, there are several ways to return to a -previous configuration.</para> - -<para>First, the GRUB boot manager allows you to boot into any -previous configuration that hasn’t been garbage-collected. These -configurations can be found under the GRUB submenu “NixOS - All -configurations”. This is especially useful if the new configuration -fails to boot. After the system has booted, you can make the selected -configuration the default for subsequent boots: - + <title>Rolling Back Configuration Changes</title> + + <para> + After running <command>nixos-rebuild</command> to switch to a new + configuration, you may find that the new configuration doesn’t work very + well. In that case, there are several ways to return to a previous + configuration. + </para> + + <para> + First, the GRUB boot manager allows you to boot into any previous + configuration that hasn’t been garbage-collected. These configurations can + be found under the GRUB submenu “NixOS - All configurations”. This is + especially useful if the new configuration fails to boot. After the system + has booted, you can make the selected configuration the default for + subsequent boots: <screen> # /run/current-system/bin/switch-to-configuration boot</screen> + </para> -</para> - -<para>Second, you can switch to the previous configuration in a running -system: - + <para> + Second, you can switch to the previous configuration in a running system: <screen> # nixos-rebuild switch --rollback</screen> - -This is equivalent to running: - + This is equivalent to running: <screen> # /nix/var/nix/profiles/system-<replaceable>N</replaceable>-link/bin/switch-to-configuration switch</screen> - -where <replaceable>N</replaceable> is the number of the NixOS system -configuration. To get a list of the available configurations, do: - + where <replaceable>N</replaceable> is the number of the NixOS system + configuration. To get a list of the available configurations, do: <screen> $ ls -l /nix/var/nix/profiles/system-*-link <replaceable>...</replaceable> lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link -> /nix/store/202b...-nixos-13.07pre4932_5a676e4-4be1055 </screen> - -</para> - + </para> </section> diff --git a/nixos/doc/manual/administration/running.xml b/nixos/doc/manual/administration/running.xml index 9091511ed527..786dd5e2390d 100644 --- a/nixos/doc/manual/administration/running.xml +++ b/nixos/doc/manual/administration/running.xml @@ -3,22 +3,19 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-running"> - -<title>Administration</title> - -<partintro> -<para>This chapter describes various aspects of managing a running -NixOS system, such as how to use the <command>systemd</command> -service manager.</para> -</partintro> - -<xi:include href="service-mgmt.xml" /> -<xi:include href="rebooting.xml" /> -<xi:include href="user-sessions.xml" /> -<xi:include href="control-groups.xml" /> -<xi:include href="logging.xml" /> -<xi:include href="cleaning-store.xml" /> -<xi:include href="containers.xml" /> -<xi:include href="troubleshooting.xml" /> - + <title>Administration</title> + <partintro> + <para> + This chapter describes various aspects of managing a running NixOS system, + such as how to use the <command>systemd</command> service manager. + </para> + </partintro> + <xi:include href="service-mgmt.xml" /> + <xi:include href="rebooting.xml" /> + <xi:include href="user-sessions.xml" /> + <xi:include href="control-groups.xml" /> + <xi:include href="logging.xml" /> + <xi:include href="cleaning-store.xml" /> + <xi:include href="containers.xml" /> + <xi:include href="troubleshooting.xml" /> </part> diff --git a/nixos/doc/manual/administration/service-mgmt.xml b/nixos/doc/manual/administration/service-mgmt.xml index 1627c7a2fdeb..0c2085c81559 100644 --- a/nixos/doc/manual/administration/service-mgmt.xml +++ b/nixos/doc/manual/administration/service-mgmt.xml @@ -3,26 +3,23 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-systemctl"> - -<title>Service Management</title> - -<para>In NixOS, all system services are started and monitored using -the systemd program. Systemd is the “init” process of the system -(i.e. PID 1), the parent of all other processes. It manages a set of -so-called “units”, which can be things like system services -(programs), but also mount points, swap files, devices, targets -(groups of units) and more. Units can have complex dependencies; for -instance, one unit can require that another unit must be successfully -started before the first unit can be started. When the system boots, -it starts a unit named <literal>default.target</literal>; the -dependencies of this unit cause all system services to be started, -file systems to be mounted, swap files to be activated, and so -on.</para> - -<para>The command <command>systemctl</command> is the main way to -interact with <command>systemd</command>. Without any arguments, it -shows the status of active units: - + <title>Service Management</title> + <para> + In NixOS, all system services are started and monitored using the systemd + program. Systemd is the “init” process of the system (i.e. PID 1), the + parent of all other processes. It manages a set of so-called “units”, + which can be things like system services (programs), but also mount points, + swap files, devices, targets (groups of units) and more. Units can have + complex dependencies; for instance, one unit can require that another unit + must be successfully started before the first unit can be started. When the + system boots, it starts a unit named <literal>default.target</literal>; the + dependencies of this unit cause all system services to be started, file + systems to be mounted, swap files to be activated, and so on. + </para> + <para> + The command <command>systemctl</command> is the main way to interact with + <command>systemd</command>. Without any arguments, it shows the status of + active units: <screen> $ systemctl -.mount loaded active mounted / @@ -31,12 +28,10 @@ sshd.service loaded active running SSH Daemon graphical.target loaded active active Graphical Interface <replaceable>...</replaceable> </screen> - -</para> - -<para>You can ask for detailed status information about a unit, for -instance, the PostgreSQL database service: - + </para> + <para> + You can ask for detailed status information about a unit, for instance, the + PostgreSQL database service: <screen> $ systemctl status postgresql.service postgresql.service - PostgreSQL Server @@ -56,28 +51,22 @@ Jan 07 15:55:57 hagbard postgres[2390]: [1-1] LOG: database system is ready to Jan 07 15:55:57 hagbard postgres[2420]: [1-1] LOG: autovacuum launcher started Jan 07 15:55:57 hagbard systemd[1]: Started PostgreSQL Server. </screen> - -Note that this shows the status of the unit (active and running), all -the processes belonging to the service, as well as the most recent log -messages from the service. - -</para> - -<para>Units can be stopped, started or restarted: - + Note that this shows the status of the unit (active and running), all the + processes belonging to the service, as well as the most recent log messages + from the service. + </para> + <para> + Units can be stopped, started or restarted: <screen> # systemctl stop postgresql.service # systemctl start postgresql.service # systemctl restart postgresql.service </screen> - -These operations are synchronous: they wait until the service has -finished starting or stopping (or has failed). Starting a unit will -cause the dependencies of that unit to be started as well (if -necessary).</para> - + These operations are synchronous: they wait until the service has finished + starting or stopping (or has failed). Starting a unit will cause the + dependencies of that unit to be started as well (if necessary). + </para> <!-- - cgroups: each service and user session is a cgroup - cgroup resource management --> - </chapter> diff --git a/nixos/doc/manual/administration/store-corruption.xml b/nixos/doc/manual/administration/store-corruption.xml index 9f567042b727..a4ca3b651e20 100644 --- a/nixos/doc/manual/administration/store-corruption.xml +++ b/nixos/doc/manual/administration/store-corruption.xml @@ -3,35 +3,34 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-nix-store-corruption"> - -<title>Nix Store Corruption</title> - -<para>After a system crash, it’s possible for files in the Nix store -to become corrupted. (For instance, the Ext4 file system has the -tendency to replace un-synced files with zero bytes.) NixOS tries -hard to prevent this from happening: it performs a -<command>sync</command> before switching to a new configuration, and -Nix’s database is fully transactional. If corruption still occurs, -you may be able to fix it automatically.</para> - -<para>If the corruption is in a path in the closure of the NixOS -system configuration, you can fix it by doing - + <title>Nix Store Corruption</title> + + <para> + After a system crash, it’s possible for files in the Nix store to become + corrupted. (For instance, the Ext4 file system has the tendency to replace + un-synced files with zero bytes.) NixOS tries hard to prevent this from + happening: it performs a <command>sync</command> before switching to a new + configuration, and Nix’s database is fully transactional. If corruption + still occurs, you may be able to fix it automatically. + </para> + + <para> + If the corruption is in a path in the closure of the NixOS system + configuration, you can fix it by doing <screen> # nixos-rebuild switch --repair </screen> + This will cause Nix to check every path in the closure, and if its + cryptographic hash differs from the hash recorded in Nix’s database, the + path is rebuilt or redownloaded. + </para> -This will cause Nix to check every path in the closure, and if its -cryptographic hash differs from the hash recorded in Nix’s database, -the path is rebuilt or redownloaded.</para> - -<para>You can also scan the entire Nix store for corrupt paths: - + <para> + You can also scan the entire Nix store for corrupt paths: <screen> # nix-store --verify --check-contents --repair </screen> - -Any corrupt paths will be redownloaded if they’re available in a -binary cache; otherwise, they cannot be repaired.</para> - + Any corrupt paths will be redownloaded if they’re available in a binary + cache; otherwise, they cannot be repaired. + </para> </section> diff --git a/nixos/doc/manual/administration/troubleshooting.xml b/nixos/doc/manual/administration/troubleshooting.xml index 351fb1883310..6496e7bde387 100644 --- a/nixos/doc/manual/administration/troubleshooting.xml +++ b/nixos/doc/manual/administration/troubleshooting.xml @@ -3,16 +3,14 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-troubleshooting"> - -<title>Troubleshooting</title> - -<para>This chapter describes solutions to common problems you might -encounter when you manage your NixOS system.</para> - -<xi:include href="boot-problems.xml" /> -<xi:include href="maintenance-mode.xml" /> -<xi:include href="rollback.xml" /> -<xi:include href="store-corruption.xml" /> -<xi:include href="network-problems.xml" /> - + <title>Troubleshooting</title> + <para> + This chapter describes solutions to common problems you might encounter when + you manage your NixOS system. + </para> + <xi:include href="boot-problems.xml" /> + <xi:include href="maintenance-mode.xml" /> + <xi:include href="rollback.xml" /> + <xi:include href="store-corruption.xml" /> + <xi:include href="network-problems.xml" /> </chapter> diff --git a/nixos/doc/manual/administration/user-sessions.xml b/nixos/doc/manual/administration/user-sessions.xml index 0a7eb8cd123c..1d95cfb22b69 100644 --- a/nixos/doc/manual/administration/user-sessions.xml +++ b/nixos/doc/manual/administration/user-sessions.xml @@ -3,14 +3,12 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-user-sessions"> - -<title>User Sessions</title> - -<para>Systemd keeps track of all users who are logged into the system -(e.g. on a virtual console or remotely via SSH). The command -<command>loginctl</command> allows querying and manipulating user -sessions. For instance, to list all user sessions: - + <title>User Sessions</title> + <para> + Systemd keeps track of all users who are logged into the system (e.g. on a + virtual console or remotely via SSH). The command <command>loginctl</command> + allows querying and manipulating user sessions. For instance, to list all + user sessions: <screen> $ loginctl SESSION UID USER SEAT @@ -18,12 +16,10 @@ $ loginctl c3 0 root seat0 c4 500 alice </screen> - -This shows that two users are logged in locally, while another is -logged in remotely. (“Seats” are essentially the combinations of -displays and input devices attached to the system; usually, there is -only one seat.) To get information about a session: - + This shows that two users are logged in locally, while another is logged in + remotely. (“Seats” are essentially the combinations of displays and input + devices attached to the system; usually, there is only one seat.) To get + information about a session: <screen> $ loginctl session-status c3 c3 - root (0) @@ -38,16 +34,12 @@ c3 - root (0) ├─10339 -bash └─10355 w3m nixos.org </screen> - -This shows that the user is logged in on virtual console 3. It also -lists the processes belonging to this session. Since systemd keeps -track of this, you can terminate a session in a way that ensures that -all the session’s processes are gone: - + This shows that the user is logged in on virtual console 3. It also lists the + processes belonging to this session. Since systemd keeps track of this, you + can terminate a session in a way that ensures that all the session’s + processes are gone: <screen> # loginctl terminate-session c3 </screen> - -</para> - + </para> </chapter> diff --git a/nixos/doc/manual/configuration/abstractions.xml b/nixos/doc/manual/configuration/abstractions.xml index cbd54bca62f9..5bf0635cc1aa 100644 --- a/nixos/doc/manual/configuration/abstractions.xml +++ b/nixos/doc/manual/configuration/abstractions.xml @@ -3,15 +3,14 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-module-abstractions"> + <title>Abstractions</title> -<title>Abstractions</title> - -<para>If you find yourself repeating yourself over and over, it’s time -to abstract. Take, for instance, this Apache HTTP Server configuration: - + <para> + If you find yourself repeating yourself over and over, it’s time to + abstract. Take, for instance, this Apache HTTP Server configuration: <programlisting> { - services.httpd.virtualHosts = + <xref linkend="opt-services.httpd.virtualHosts"/> = [ { hostName = "example.org"; documentRoot = "/webroot"; adminAddr = "alice@example.org"; @@ -28,11 +27,9 @@ to abstract. Take, for instance, this Apache HTTP Server configuration: ]; } </programlisting> - -It defines two virtual hosts with nearly identical configuration; the -only difference is that the second one has SSL enabled. To prevent -this duplication, we can use a <literal>let</literal>: - + It defines two virtual hosts with nearly identical configuration; the only + difference is that the second one has SSL enabled. To prevent this + duplication, we can use a <literal>let</literal>: <programlisting> let exampleOrgCommon = @@ -43,7 +40,7 @@ let }; in { - services.httpd.virtualHosts = + <xref linkend="opt-services.httpd.virtualHosts"/> = [ exampleOrgCommon (exampleOrgCommon // { enableSSL = true; @@ -53,40 +50,38 @@ in ]; } </programlisting> - -The <literal>let exampleOrgCommon = -<replaceable>...</replaceable></literal> defines a variable named -<literal>exampleOrgCommon</literal>. The <literal>//</literal> -operator merges two attribute sets, so the configuration of the second -virtual host is the set <literal>exampleOrgCommon</literal> extended -with the SSL options.</para> - -<para>You can write a <literal>let</literal> wherever an expression is -allowed. Thus, you also could have written: - + The <literal>let exampleOrgCommon = <replaceable>...</replaceable></literal> + defines a variable named <literal>exampleOrgCommon</literal>. The + <literal>//</literal> operator merges two attribute sets, so the + configuration of the second virtual host is the set + <literal>exampleOrgCommon</literal> extended with the SSL options. + </para> + + <para> + You can write a <literal>let</literal> wherever an expression is allowed. + Thus, you also could have written: <programlisting> { - services.httpd.virtualHosts = + <xref linkend="opt-services.httpd.virtualHosts"/> = let exampleOrgCommon = <replaceable>...</replaceable>; in [ exampleOrgCommon (exampleOrgCommon // { <replaceable>...</replaceable> }) ]; } </programlisting> - -but not <literal>{ let exampleOrgCommon = -<replaceable>...</replaceable>; in <replaceable>...</replaceable>; -}</literal> since attributes (as opposed to attribute values) are not -expressions.</para> - -<para><emphasis>Functions</emphasis> provide another method of -abstraction. For instance, suppose that we want to generate lots of -different virtual hosts, all with identical configuration except for -the host name. This can be done as follows: - + but not <literal>{ let exampleOrgCommon = <replaceable>...</replaceable>; in + <replaceable>...</replaceable>; }</literal> since attributes (as opposed to + attribute values) are not expressions. + </para> + + <para> + <emphasis>Functions</emphasis> provide another method of abstraction. For + instance, suppose that we want to generate lots of different virtual hosts, + all with identical configuration except for the host name. This can be done + as follows: <programlisting> { - services.httpd.virtualHosts = + <xref linkend="opt-services.httpd.virtualHosts"/> = let makeVirtualHost = name: { hostName = name; @@ -101,38 +96,36 @@ the host name. This can be done as follows: ]; } </programlisting> - -Here, <varname>makeVirtualHost</varname> is a function that takes a -single argument <literal>name</literal> and returns the configuration -for a virtual host. That function is then called for several names to -produce the list of virtual host configurations.</para> - -<para>We can further improve on this by using the function -<varname>map</varname>, which applies another function to every -element in a list: - + Here, <varname>makeVirtualHost</varname> is a function that takes a single + argument <literal>name</literal> and returns the configuration for a virtual + host. That function is then called for several names to produce the list of + virtual host configurations. + </para> + + <para> + We can further improve on this by using the function <varname>map</varname>, + which applies another function to every element in a list: <programlisting> { - services.httpd.virtualHosts = + <xref linkend="opt-services.httpd.virtualHosts"/> = let makeVirtualHost = <replaceable>...</replaceable>; in map makeVirtualHost [ "example.org" "example.com" "example.gov" "example.nl" ]; } </programlisting> - -(The function <literal>map</literal> is called a -<emphasis>higher-order function</emphasis> because it takes another -function as an argument.)</para> - -<para>What if you need more than one argument, for instance, if we -want to use a different <literal>documentRoot</literal> for each -virtual host? Then we can make <varname>makeVirtualHost</varname> a -function that takes a <emphasis>set</emphasis> as its argument, like this: - + (The function <literal>map</literal> is called a <emphasis>higher-order + function</emphasis> because it takes another function as an argument.) + </para> + + <para> + What if you need more than one argument, for instance, if we want to use a + different <literal>documentRoot</literal> for each virtual host? Then we can + make <varname>makeVirtualHost</varname> a function that takes a + <emphasis>set</emphasis> as its argument, like this: <programlisting> { - services.httpd.virtualHosts = + <xref linkend="opt-services.httpd.virtualHosts"/> = let makeVirtualHost = { name, root }: { hostName = name; @@ -147,10 +140,9 @@ function that takes a <emphasis>set</emphasis> as its argument, like this: ]; } </programlisting> - -But in this case (where every root is a subdirectory of -<filename>/sites</filename> named after the virtual host), it would -have been shorter to define <varname>makeVirtualHost</varname> as + But in this case (where every root is a subdirectory of + <filename>/sites</filename> named after the virtual host), it would have been + shorter to define <varname>makeVirtualHost</varname> as <programlisting> makeVirtualHost = name: { hostName = name; @@ -158,9 +150,7 @@ makeVirtualHost = name: adminAddr = "alice@example.org"; }; </programlisting> - -Here, the construct -<literal>${<replaceable>...</replaceable>}</literal> allows the result -of an expression to be spliced into a string.</para> - + Here, the construct <literal>${<replaceable>...</replaceable>}</literal> + allows the result of an expression to be spliced into a string. + </para> </section> diff --git a/nixos/doc/manual/configuration/ad-hoc-network-config.xml b/nixos/doc/manual/configuration/ad-hoc-network-config.xml index 26a572ba1fb5..00e595c7cb7f 100644 --- a/nixos/doc/manual/configuration/ad-hoc-network-config.xml +++ b/nixos/doc/manual/configuration/ad-hoc-network-config.xml @@ -3,22 +3,18 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ad-hoc-network-config"> + <title>Ad-Hoc Configuration</title> -<title>Ad-Hoc Configuration</title> - -<para>You can use <option>networking.localCommands</option> to specify -shell commands to be run at the end of -<literal>network-setup.service</literal>. This is useful for doing -network configuration not covered by the existing NixOS modules. For -instance, to statically configure an IPv6 address: - + <para> + You can use <xref linkend="opt-networking.localCommands"/> to specify shell + commands to be run at the end of <literal>network-setup.service</literal>. + This is useful for doing network configuration not covered by the existing + NixOS modules. For instance, to statically configure an IPv6 address: <programlisting> -networking.localCommands = +<xref linkend="opt-networking.localCommands"/> = '' ip -6 addr add 2001:610:685:1::1/64 dev eth0 ''; </programlisting> - -</para> - + </para> </section> diff --git a/nixos/doc/manual/configuration/ad-hoc-packages.xml b/nixos/doc/manual/configuration/ad-hoc-packages.xml index a147291c4f3d..19159d8db5b6 100644 --- a/nixos/doc/manual/configuration/ad-hoc-packages.xml +++ b/nixos/doc/manual/configuration/ad-hoc-packages.xml @@ -3,61 +3,59 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-ad-hoc-packages"> + <title>Ad-Hoc Package Management</title> -<title>Ad-Hoc Package Management</title> - -<para>With the command <command>nix-env</command>, you can install and -uninstall packages from the command line. For instance, to install -Mozilla Thunderbird: - + <para> + With the command <command>nix-env</command>, you can install and uninstall + packages from the command line. For instance, to install Mozilla Thunderbird: <screen> $ nix-env -iA nixos.thunderbird</screen> - -If you invoke this as root, the package is installed in the Nix -profile <filename>/nix/var/nix/profiles/default</filename> and visible -to all users of the system; otherwise, the package ends up in -<filename>/nix/var/nix/profiles/per-user/<replaceable>username</replaceable>/profile</filename> -and is not visible to other users. The <option>-A</option> flag -specifies the package by its attribute name; without it, the package -is installed by matching against its package name -(e.g. <literal>thunderbird</literal>). The latter is slower because -it requires matching against all available Nix packages, and is -ambiguous if there are multiple matching packages.</para> - -<para>Packages come from the NixOS channel. You typically upgrade a -package by updating to the latest version of the NixOS channel: + If you invoke this as root, the package is installed in the Nix profile + <filename>/nix/var/nix/profiles/default</filename> and visible to all users + of the system; otherwise, the package ends up in + <filename>/nix/var/nix/profiles/per-user/<replaceable>username</replaceable>/profile</filename> + and is not visible to other users. The <option>-A</option> flag specifies the + package by its attribute name; without it, the package is installed by + matching against its package name (e.g. <literal>thunderbird</literal>). The + latter is slower because it requires matching against all available Nix + packages, and is ambiguous if there are multiple matching packages. + </para> + + <para> + Packages come from the NixOS channel. You typically upgrade a package by + updating to the latest version of the NixOS channel: <screen> $ nix-channel --update nixos </screen> -and then running <literal>nix-env -i</literal> again. Other packages -in the profile are <emphasis>not</emphasis> affected; this is the -crucial difference with the declarative style of package management, -where running <command>nixos-rebuild switch</command> causes all -packages to be updated to their current versions in the NixOS channel. -You can however upgrade all packages for which there is a newer -version by doing: + and then running <literal>nix-env -i</literal> again. Other packages in the + profile are <emphasis>not</emphasis> affected; this is the crucial difference + with the declarative style of package management, where running + <command>nixos-rebuild switch</command> causes all packages to be updated to + their current versions in the NixOS channel. You can however upgrade all + packages for which there is a newer version by doing: <screen> $ nix-env -u '*' </screen> -</para> + </para> -<para>A package can be uninstalled using the <option>-e</option> -flag: + <para> + A package can be uninstalled using the <option>-e</option> flag: <screen> $ nix-env -e thunderbird </screen> -</para> + </para> -<para>Finally, you can roll back an undesirable -<command>nix-env</command> action: + <para> + Finally, you can roll back an undesirable <command>nix-env</command> action: <screen> $ nix-env --rollback </screen> -</para> - -<para><command>nix-env</command> has many more flags. For details, -see the -<citerefentry><refentrytitle>nix-env</refentrytitle><manvolnum>1</manvolnum></citerefentry> -manpage or the Nix manual.</para> - + </para> + + <para> + <command>nix-env</command> has many more flags. For details, see the + <citerefentry> + <refentrytitle>nix-env</refentrytitle> + <manvolnum>1</manvolnum></citerefentry> manpage or the Nix manual. + </para> </section> diff --git a/nixos/doc/manual/configuration/adding-custom-packages.xml b/nixos/doc/manual/configuration/adding-custom-packages.xml index ab3665bae504..b59287a622e6 100644 --- a/nixos/doc/manual/configuration/adding-custom-packages.xml +++ b/nixos/doc/manual/configuration/adding-custom-packages.xml @@ -3,45 +3,38 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-custom-packages"> + <title>Adding Custom Packages</title> -<title>Adding Custom Packages</title> - -<para>It’s possible that a package you need is not available in NixOS. -In that case, you can do two things. First, you can clone the Nixpkgs -repository, add the package to your clone, and (optionally) submit a -patch or pull request to have it accepted into the main Nixpkgs -repository. This is described in detail in the <link -xlink:href="http://nixos.org/nixpkgs/manual">Nixpkgs manual</link>. -In short, you clone Nixpkgs: - + <para> + It’s possible that a package you need is not available in NixOS. In that + case, you can do two things. First, you can clone the Nixpkgs repository, add + the package to your clone, and (optionally) submit a patch or pull request to + have it accepted into the main Nixpkgs repository. This is described in + detail in the <link +xlink:href="http://nixos.org/nixpkgs/manual">Nixpkgs + manual</link>. In short, you clone Nixpkgs: <screen> $ git clone git://github.com/NixOS/nixpkgs.git $ cd nixpkgs </screen> - -Then you write and test the package as described in the Nixpkgs -manual. Finally, you add it to -<literal>environment.systemPackages</literal>, e.g. - + Then you write and test the package as described in the Nixpkgs manual. + Finally, you add it to <literal>environment.systemPackages</literal>, e.g. <programlisting> -environment.systemPackages = [ pkgs.my-package ]; +<xref linkend="opt-environment.systemPackages"/> = [ pkgs.my-package ]; </programlisting> - -and you run <command>nixos-rebuild</command>, specifying your own -Nixpkgs tree: - + and you run <command>nixos-rebuild</command>, specifying your own Nixpkgs + tree: <screen> # nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs</screen> + </para> -</para> - -<para>The second possibility is to add the package outside of the -Nixpkgs tree. For instance, here is how you specify a build of the -<link xlink:href="http://www.gnu.org/software/hello/">GNU Hello</link> -package directly in <filename>configuration.nix</filename>: - + <para> + The second possibility is to add the package outside of the Nixpkgs tree. For + instance, here is how you specify a build of the + <link xlink:href="http://www.gnu.org/software/hello/">GNU Hello</link> + package directly in <filename>configuration.nix</filename>: <programlisting> -environment.systemPackages = +<xref linkend="opt-environment.systemPackages"/> = let my-hello = with pkgs; stdenv.mkDerivation rec { name = "hello-2.8"; @@ -53,13 +46,12 @@ environment.systemPackages = in [ my-hello ]; </programlisting> - -Of course, you can also move the definition of -<literal>my-hello</literal> into a separate Nix expression, e.g. + Of course, you can also move the definition of <literal>my-hello</literal> + into a separate Nix expression, e.g. <programlisting> -environment.systemPackages = [ (import ./my-hello.nix) ]; +<xref linkend="opt-environment.systemPackages"/> = [ (import ./my-hello.nix) ]; </programlisting> -where <filename>my-hello.nix</filename> contains: + where <filename>my-hello.nix</filename> contains: <programlisting> with import <nixpkgs> {}; # bring all of Nixpkgs into scope @@ -71,14 +63,11 @@ stdenv.mkDerivation rec { }; } </programlisting> - -This allows testing the package easily: + This allows testing the package easily: <screen> $ nix-build my-hello.nix $ ./result/bin/hello Hello, world! </screen> - -</para> - + </para> </section> diff --git a/nixos/doc/manual/configuration/config-file.xml b/nixos/doc/manual/configuration/config-file.xml index 3d1cdaf4c4ab..a9420b3fc921 100644 --- a/nixos/doc/manual/configuration/config-file.xml +++ b/nixos/doc/manual/configuration/config-file.xml @@ -3,49 +3,46 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-configuration-file"> + <title>NixOS Configuration File</title> -<title>NixOS Configuration File</title> - -<para>The NixOS configuration file generally looks like this: - + <para> + The NixOS configuration file generally looks like this: <programlisting> { config, pkgs, ... }: { <replaceable>option definitions</replaceable> } </programlisting> - -The first line (<literal>{ config, pkgs, ... }:</literal>) denotes -that this is actually a function that takes at least the two arguments - <varname>config</varname> and <varname>pkgs</varname>. (These are -explained later.) The function returns a <emphasis>set</emphasis> of -option definitions (<literal>{ <replaceable>...</replaceable> }</literal>). These definitions have the -form <literal><replaceable>name</replaceable> = -<replaceable>value</replaceable></literal>, where -<replaceable>name</replaceable> is the name of an option and -<replaceable>value</replaceable> is its value. For example, - + The first line (<literal>{ config, pkgs, ... }:</literal>) denotes that this + is actually a function that takes at least the two arguments + <varname>config</varname> and <varname>pkgs</varname>. (These are explained + later.) The function returns a <emphasis>set</emphasis> of option definitions + (<literal>{ <replaceable>...</replaceable> }</literal>). These definitions + have the form <literal><replaceable>name</replaceable> = + <replaceable>value</replaceable></literal>, where + <replaceable>name</replaceable> is the name of an option and + <replaceable>value</replaceable> is its value. For example, <programlisting> { config, pkgs, ... }: -{ services.httpd.enable = true; - services.httpd.adminAddr = "alice@example.org"; - services.httpd.documentRoot = "/webroot"; +{ <xref linkend="opt-services.httpd.enable"/> = true; + <xref linkend="opt-services.httpd.adminAddr"/> = "alice@example.org"; + <xref linkend="opt-services.httpd.documentRoot"/> = "/webroot"; } </programlisting> - -defines a configuration with three option definitions that together -enable the Apache HTTP Server with <filename>/webroot</filename> as -the document root.</para> - -<para>Sets can be nested, and in fact dots in option names are -shorthand for defining a set containing another set. For instance, -<option>services.httpd.enable</option> defines a set named -<varname>services</varname> that contains a set named -<varname>httpd</varname>, which in turn contains an option definition -named <varname>enable</varname> with value <literal>true</literal>. -This means that the example above can also be written as: - + defines a configuration with three option definitions that together enable + the Apache HTTP Server with <filename>/webroot</filename> as the document + root. + </para> + + <para> + Sets can be nested, and in fact dots in option names are shorthand for + defining a set containing another set. For instance, + <xref linkend="opt-services.httpd.enable"/> defines a set named + <varname>services</varname> that contains a set named + <varname>httpd</varname>, which in turn contains an option definition named + <varname>enable</varname> with value <literal>true</literal>. This means that + the example above can also be written as: <programlisting> { config, pkgs, ... }: @@ -58,160 +55,144 @@ This means that the example above can also be written as: }; } </programlisting> - -which may be more convenient if you have lots of option definitions -that share the same prefix (such as -<literal>services.httpd</literal>).</para> - -<para>NixOS checks your option definitions for correctness. For -instance, if you try to define an option that doesn’t exist (that is, -doesn’t have a corresponding <emphasis>option declaration</emphasis>), -<command>nixos-rebuild</command> will give an error like: + which may be more convenient if you have lots of option definitions that + share the same prefix (such as <literal>services.httpd</literal>). + </para> + + <para> + NixOS checks your option definitions for correctness. For instance, if you + try to define an option that doesn’t exist (that is, doesn’t have a + corresponding <emphasis>option declaration</emphasis>), + <command>nixos-rebuild</command> will give an error like: <screen> The option `services.httpd.enable' defined in `/etc/nixos/configuration.nix' does not exist. </screen> -Likewise, values in option definitions must have a correct type. For -instance, <option>services.httpd.enable</option> must be a Boolean -(<literal>true</literal> or <literal>false</literal>). Trying to give -it a value of another type, such as a string, will cause an error: + Likewise, values in option definitions must have a correct type. For + instance, <option>services.httpd.enable</option> must be a Boolean + (<literal>true</literal> or <literal>false</literal>). Trying to give it a + value of another type, such as a string, will cause an error: <screen> The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is not a boolean. </screen> + </para> -</para> - -<para>Options have various types of values. The most important are: - -<variablelist> - <varlistentry> + <para> + Options have various types of values. The most important are: + <variablelist> + <varlistentry> <term>Strings</term> <listitem> - <para>Strings are enclosed in double quotes, e.g. - + <para> + Strings are enclosed in double quotes, e.g. <programlisting> -networking.hostName = "dexter"; +<xref linkend="opt-networking.hostName"/> = "dexter"; </programlisting> - - Special characters can be escaped by prefixing them with a - backslash (e.g. <literal>\"</literal>).</para> - - <para>Multi-line strings can be enclosed in <emphasis>double - single quotes</emphasis>, e.g. - + Special characters can be escaped by prefixing them with a backslash + (e.g. <literal>\"</literal>). + </para> + <para> + Multi-line strings can be enclosed in <emphasis>double single + quotes</emphasis>, e.g. <programlisting> -networking.extraHosts = +<xref linkend="opt-networking.extraHosts"/> = '' 127.0.0.2 other-localhost 10.0.0.1 server ''; </programlisting> - - The main difference is that it strips from each line - a number of spaces equal to the minimal indentation of - the string as a whole (disregarding the indentation of - empty lines), and that characters like - <literal>"</literal> and <literal>\</literal> are not special - (making it more convenient for including things like shell - code). - See more info about this in the Nix manual <link - xlink:href="https://nixos.org/nix/manual/#ssec-values">here</link>.</para> + The main difference is that it strips from each line a number of spaces + equal to the minimal indentation of the string as a whole (disregarding + the indentation of empty lines), and that characters like + <literal>"</literal> and <literal>\</literal> are not special (making it + more convenient for including things like shell code). See more info + about this in the Nix manual + <link + xlink:href="https://nixos.org/nix/manual/#ssec-values">here</link>. + </para> </listitem> - </varlistentry> - - <varlistentry> + </varlistentry> + <varlistentry> <term>Booleans</term> <listitem> - <para>These can be <literal>true</literal> or - <literal>false</literal>, e.g. - + <para> + These can be <literal>true</literal> or <literal>false</literal>, e.g. <programlisting> -networking.firewall.enable = true; -networking.firewall.allowPing = false; +<xref linkend="opt-networking.firewall.enable"/> = true; +<xref linkend="opt-networking.firewall.allowPing"/> = false; </programlisting> - </para> + </para> </listitem> - </varlistentry> - - <varlistentry> + </varlistentry> + <varlistentry> <term>Integers</term> <listitem> - <para>For example, - + <para> + For example, <programlisting> -boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60; +<xref linkend="opt-boot.kernel.sysctl"/>."net.ipv4.tcp_keepalive_time" = 60; </programlisting> - (Note that here the attribute name - <literal>net.ipv4.tcp_keepalive_time</literal> is enclosed in - quotes to prevent it from being interpreted as a set named - <literal>net</literal> containing a set named - <literal>ipv4</literal>, and so on. This is because it’s not a - NixOS option but the literal name of a Linux kernel - setting.)</para> + <literal>net.ipv4.tcp_keepalive_time</literal> is enclosed in quotes to + prevent it from being interpreted as a set named <literal>net</literal> + containing a set named <literal>ipv4</literal>, and so on. This is + because it’s not a NixOS option but the literal name of a Linux kernel + setting.) + </para> </listitem> - </varlistentry> - - <varlistentry> + </varlistentry> + <varlistentry> <term>Sets</term> <listitem> - <para>Sets were introduced above. They are name/value pairs - enclosed in braces, as in the option definition - + <para> + Sets were introduced above. They are name/value pairs enclosed in braces, + as in the option definition <programlisting> -fileSystems."/boot" = +<xref linkend="opt-fileSystems"/>."/boot" = { device = "/dev/sda1"; fsType = "ext4"; options = [ "rw" "data=ordered" "relatime" ]; }; </programlisting> - </para> + </para> </listitem> - </varlistentry> - - <varlistentry> + </varlistentry> + <varlistentry> <term>Lists</term> <listitem> - <para>The important thing to note about lists is that list - elements are separated by whitespace, like this: - + <para> + The important thing to note about lists is that list elements are + separated by whitespace, like this: <programlisting> -boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ]; +<xref linkend="opt-boot.kernelModules"/> = [ "fuse" "kvm-intel" "coretemp" ]; </programlisting> - List elements can be any other type, e.g. sets: - <programlisting> swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; </programlisting> - </para> + </para> </listitem> - </varlistentry> - - <varlistentry> + </varlistentry> + <varlistentry> <term>Packages</term> <listitem> - <para>Usually, the packages you need are already part of the Nix - Packages collection, which is a set that can be accessed through - the function argument <varname>pkgs</varname>. Typical uses: - + <para> + Usually, the packages you need are already part of the Nix Packages + collection, which is a set that can be accessed through the function + argument <varname>pkgs</varname>. Typical uses: <programlisting> -environment.systemPackages = +<xref linkend="opt-environment.systemPackages"/> = [ pkgs.thunderbird pkgs.emacs ]; -postgresql.package = pkgs.postgresql90; +<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql90; </programlisting> - - The latter option definition changes the default PostgreSQL - package used by NixOS’s PostgreSQL service to 9.0. For more - information on packages, including how to add new ones, see - <xref linkend="sec-custom-packages"/>.</para> + The latter option definition changes the default PostgreSQL package used + by NixOS’s PostgreSQL service to 9.0. For more information on packages, + including how to add new ones, see <xref linkend="sec-custom-packages"/>. + </para> </listitem> - </varlistentry> - -</variablelist> - -</para> - + </varlistentry> + </variablelist> + </para> </section> diff --git a/nixos/doc/manual/configuration/config-syntax.xml b/nixos/doc/manual/configuration/config-syntax.xml index 87847f8451ec..5ef498cf9ae3 100644 --- a/nixos/doc/manual/configuration/config-syntax.xml +++ b/nixos/doc/manual/configuration/config-syntax.xml @@ -3,25 +3,23 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-configuration-syntax"> - -<title>Configuration Syntax</title> - -<para>The NixOS configuration file -<filename>/etc/nixos/configuration.nix</filename> is actually a -<emphasis>Nix expression</emphasis>, which is the Nix package -manager’s purely functional language for describing how to build -packages and configurations. This means you have all the expressive -power of that language at your disposal, including the ability to -abstract over common patterns, which is very useful when managing -complex systems. The syntax and semantics of the Nix language are -fully described in the <link + <title>Configuration Syntax</title> + <para> + The NixOS configuration file + <filename>/etc/nixos/configuration.nix</filename> is actually a <emphasis>Nix + expression</emphasis>, which is the Nix package manager’s purely functional + language for describing how to build packages and configurations. This means + you have all the expressive power of that language at your disposal, + including the ability to abstract over common patterns, which is very useful + when managing complex systems. The syntax and semantics of the Nix language + are fully described in the + <link xlink:href="http://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix -manual</link>, but here we give a short overview of the most important -constructs useful in NixOS configuration files.</para> - -<xi:include href="config-file.xml" /> -<xi:include href="abstractions.xml" /> -<xi:include href="modularity.xml" /> -<xi:include href="summary.xml" /> - + manual</link>, but here we give a short overview of the most important + constructs useful in NixOS configuration files. + </para> + <xi:include href="config-file.xml" /> + <xi:include href="abstractions.xml" /> + <xi:include href="modularity.xml" /> + <xi:include href="summary.xml" /> </chapter> diff --git a/nixos/doc/manual/configuration/configuration.xml b/nixos/doc/manual/configuration/configuration.xml index 8677c13db40f..8d05dcd34b4d 100644 --- a/nixos/doc/manual/configuration/configuration.xml +++ b/nixos/doc/manual/configuration/configuration.xml @@ -3,31 +3,24 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-configuration"> - -<title>Configuration</title> - -<partintro> - -<para>This chapter describes how to configure various aspects of a -NixOS machine through the configuration file -<filename>/etc/nixos/configuration.nix</filename>. As described in -<xref linkend="sec-changing-config" />, changes to this file only take -effect after you run <command>nixos-rebuild</command>.</para> - -</partintro> - -<xi:include href="config-syntax.xml" /> -<xi:include href="package-mgmt.xml" /> -<xi:include href="user-mgmt.xml" /> -<xi:include href="file-systems.xml" /> -<xi:include href="x-windows.xml" /> -<xi:include href="xfce.xml" /> -<xi:include href="networking.xml" /> -<xi:include href="linux-kernel.xml" /> - -<xi:include href="modules.xml" xpointer="xpointer(//section[@id='modules']/*)" /> - + <title>Configuration</title> + <partintro> + <para> + This chapter describes how to configure various aspects of a NixOS machine + through the configuration file + <filename>/etc/nixos/configuration.nix</filename>. As described in + <xref linkend="sec-changing-config" />, changes to this file only take + effect after you run <command>nixos-rebuild</command>. + </para> + </partintro> + <xi:include href="config-syntax.xml" /> + <xi:include href="package-mgmt.xml" /> + <xi:include href="user-mgmt.xml" /> + <xi:include href="file-systems.xml" /> + <xi:include href="x-windows.xml" /> + <xi:include href="xfce.xml" /> + <xi:include href="networking.xml" /> + <xi:include href="linux-kernel.xml" /> + <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" /> <!-- Apache; libvirtd virtualisation --> - </part> - diff --git a/nixos/doc/manual/configuration/customizing-packages.xml b/nixos/doc/manual/configuration/customizing-packages.xml index 8aa01fb57a09..03b5bb53197b 100644 --- a/nixos/doc/manual/configuration/customizing-packages.xml +++ b/nixos/doc/manual/configuration/customizing-packages.xml @@ -3,91 +3,84 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-customising-packages"> + <title>Customising Packages</title> -<title>Customising Packages</title> + <para> + Some packages in Nixpkgs have options to enable or disable optional + functionality or change other aspects of the package. For instance, the + Firefox wrapper package (which provides Firefox with a set of plugins such as + the Adobe Flash player) has an option to enable the Google Talk plugin. It + can be set in <filename>configuration.nix</filename> as follows: <filename> + nixpkgs.config.firefox.enableGoogleTalkPlugin = true; </filename> + </para> -<para>Some packages in Nixpkgs have options to enable or disable -optional functionality or change other aspects of the package. For -instance, the Firefox wrapper package (which provides Firefox with a -set of plugins such as the Adobe Flash player) has an option to enable -the Google Talk plugin. It can be set in -<filename>configuration.nix</filename> as follows: - -<filename> -nixpkgs.config.firefox.enableGoogleTalkPlugin = true; -</filename> -</para> - -<warning><para>Unfortunately, Nixpkgs currently lacks a way to query -available configuration options.</para></warning> - -<para>Apart from high-level options, it’s possible to tweak a package -in almost arbitrary ways, such as changing or disabling dependencies -of a package. For instance, the Emacs package in Nixpkgs by default -has a dependency on GTK+ 2. If you want to build it against GTK+ 3, -you can specify that as follows: + <warning> + <para> + Unfortunately, Nixpkgs currently lacks a way to query available + configuration options. + </para> + </warning> + <para> + Apart from high-level options, it’s possible to tweak a package in almost + arbitrary ways, such as changing or disabling dependencies of a package. For + instance, the Emacs package in Nixpkgs by default has a dependency on GTK+ 2. + If you want to build it against GTK+ 3, you can specify that as follows: <programlisting> -environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ]; +<xref linkend="opt-environment.systemPackages"/> = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ]; </programlisting> + The function <varname>override</varname> performs the call to the Nix + function that produces Emacs, with the original arguments amended by the set + of arguments specified by you. So here the function argument + <varname>gtk</varname> gets the value <literal>pkgs.gtk3</literal>, causing + Emacs to depend on GTK+ 3. (The parentheses are necessary because in Nix, + function application binds more weakly than list construction, so without + them, <xref linkend="opt-environment.systemPackages"/> would be a list with + two elements.) + </para> -The function <varname>override</varname> performs the call to the Nix -function that produces Emacs, with the original arguments amended by -the set of arguments specified by you. So here the function argument -<varname>gtk</varname> gets the value <literal>pkgs.gtk3</literal>, -causing Emacs to depend on GTK+ 3. (The parentheses are necessary -because in Nix, function application binds more weakly than list -construction, so without them, -<literal>environment.systemPackages</literal> would be a list with two -elements.)</para> - -<para>Even greater customisation is possible using the function -<varname>overrideAttrs</varname>. While the -<varname>override</varname> mechanism above overrides the arguments of -a package function, <varname>overrideAttrs</varname> allows -changing the <emphasis>attributes</emphasis> passed to <literal>mkDerivation</literal>. -This permits changing any aspect of the package, such as the source code. -For instance, if you want to override the source code of Emacs, you -can say: - + <para> + Even greater customisation is possible using the function + <varname>overrideAttrs</varname>. While the <varname>override</varname> + mechanism above overrides the arguments of a package function, + <varname>overrideAttrs</varname> allows changing the + <emphasis>attributes</emphasis> passed to <literal>mkDerivation</literal>. + This permits changing any aspect of the package, such as the source code. For + instance, if you want to override the source code of Emacs, you can say: <programlisting> -environment.systemPackages = [ +<xref linkend="opt-environment.systemPackages"/> = [ (pkgs.emacs.overrideAttrs (oldAttrs: { name = "emacs-25.0-pre"; src = /path/to/my/emacs/tree; })) ]; </programlisting> + Here, <varname>overrideAttrs</varname> takes the Nix derivation specified by + <varname>pkgs.emacs</varname> and produces a new derivation in which the + original’s <literal>name</literal> and <literal>src</literal> attribute + have been replaced by the given values by re-calling + <literal>stdenv.mkDerivation</literal>. The original attributes are + accessible via the function argument, which is conventionally named + <varname>oldAttrs</varname>. + </para> -Here, <varname>overrideAttrs</varname> takes the Nix derivation -specified by <varname>pkgs.emacs</varname> and produces a new -derivation in which the original’s <literal>name</literal> and -<literal>src</literal> attribute have been replaced by the given -values by re-calling <literal>stdenv.mkDerivation</literal>. -The original attributes are accessible via the function argument, -which is conventionally named <varname>oldAttrs</varname>.</para> - -<para>The overrides shown above are not global. They do not affect -the original package; other packages in Nixpkgs continue to depend on -the original rather than the customised package. This means that if -another package in your system depends on the original package, you -end up with two instances of the package. If you want to have -everything depend on your customised instance, you can apply a -<emphasis>global</emphasis> override as follows: - + <para> + The overrides shown above are not global. They do not affect the original + package; other packages in Nixpkgs continue to depend on the original rather + than the customised package. This means that if another package in your + system depends on the original package, you end up with two instances of the + package. If you want to have everything depend on your customised instance, + you can apply a <emphasis>global</emphasis> override as follows: <screen> nixpkgs.config.packageOverrides = pkgs: { emacs = pkgs.emacs.override { gtk = pkgs.gtk3; }; }; </screen> - -The effect of this definition is essentially equivalent to modifying -the <literal>emacs</literal> attribute in the Nixpkgs source tree. -Any package in Nixpkgs that depends on <literal>emacs</literal> will -be passed your customised instance. (However, the value -<literal>pkgs.emacs</literal> in -<varname>nixpkgs.config.packageOverrides</varname> refers to the -original rather than overridden instance, to prevent an infinite -recursion.)</para> - + The effect of this definition is essentially equivalent to modifying the + <literal>emacs</literal> attribute in the Nixpkgs source tree. Any package in + Nixpkgs that depends on <literal>emacs</literal> will be passed your + customised instance. (However, the value <literal>pkgs.emacs</literal> in + <varname>nixpkgs.config.packageOverrides</varname> refers to the original + rather than overridden instance, to prevent an infinite recursion.) + </para> </section> diff --git a/nixos/doc/manual/configuration/declarative-packages.xml b/nixos/doc/manual/configuration/declarative-packages.xml index dc2fa715097c..be9884fe9dce 100644 --- a/nixos/doc/manual/configuration/declarative-packages.xml +++ b/nixos/doc/manual/configuration/declarative-packages.xml @@ -3,41 +3,41 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-declarative-package-mgmt"> - -<title>Declarative Package Management</title> - -<para>With declarative package management, you specify which packages -you want on your system by setting the option -<option>environment.systemPackages</option>. For instance, adding the -following line to <filename>configuration.nix</filename> enables the -Mozilla Thunderbird email application: - + <title>Declarative Package Management</title> + + <para> + With declarative package management, you specify which packages you want on + your system by setting the option + <xref linkend="opt-environment.systemPackages"/>. For instance, adding the + following line to <filename>configuration.nix</filename> enables the Mozilla + Thunderbird email application: <programlisting> -environment.systemPackages = [ pkgs.thunderbird ]; +<xref linkend="opt-environment.systemPackages"/> = [ pkgs.thunderbird ]; </programlisting> + The effect of this specification is that the Thunderbird package from Nixpkgs + will be built or downloaded as part of the system when you run + <command>nixos-rebuild switch</command>. + </para> -The effect of this specification is that the Thunderbird package from -Nixpkgs will be built or downloaded as part of the system when you run -<command>nixos-rebuild switch</command>.</para> - -<para>You can get a list of the available packages as follows: + <para> + You can get a list of the available packages as follows: <screen> $ nix-env -qaP '*' --description nixos.firefox firefox-23.0 Mozilla Firefox - the browser, reloaded <replaceable>...</replaceable> </screen> + The first column in the output is the <emphasis>attribute name</emphasis>, + such as <literal>nixos.thunderbird</literal>. (The <literal>nixos</literal> + prefix allows distinguishing between different channels that you might have.) + </para> -The first column in the output is the <emphasis>attribute -name</emphasis>, such as -<literal>nixos.thunderbird</literal>. (The -<literal>nixos</literal> prefix allows distinguishing between -different channels that you might have.)</para> - -<para>To “uninstall” a package, simply remove it from -<option>environment.systemPackages</option> and run -<command>nixos-rebuild switch</command>.</para> + <para> + To “uninstall” a package, simply remove it from + <xref linkend="opt-environment.systemPackages"/> and run + <command>nixos-rebuild switch</command>. + </para> -<xi:include href="customizing-packages.xml" /> -<xi:include href="adding-custom-packages.xml" /> + <xi:include href="customizing-packages.xml" /> + <xi:include href="adding-custom-packages.xml" /> </section> diff --git a/nixos/doc/manual/configuration/file-systems.xml b/nixos/doc/manual/configuration/file-systems.xml index ae3d124cd6bb..e4c03de71b72 100644 --- a/nixos/doc/manual/configuration/file-systems.xml +++ b/nixos/doc/manual/configuration/file-systems.xml @@ -3,44 +3,44 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-file-systems"> - -<title>File Systems</title> - -<para>You can define file systems using the -<option>fileSystems</option> configuration option. For instance, the -following definition causes NixOS to mount the Ext4 file system on -device <filename>/dev/disk/by-label/data</filename> onto the mount -point <filename>/data</filename>: - + <title>File Systems</title> + <para> + You can define file systems using the <option>fileSystems</option> + configuration option. For instance, the following definition causes NixOS to + mount the Ext4 file system on device + <filename>/dev/disk/by-label/data</filename> onto the mount point + <filename>/data</filename>: <programlisting> -fileSystems."/data" = +<xref linkend="opt-fileSystems"/>."/data" = { device = "/dev/disk/by-label/data"; fsType = "ext4"; }; </programlisting> - -Mount points are created automatically if they don’t already exist. -For <option>device</option>, it’s best to use the topology-independent -device aliases in <filename>/dev/disk/by-label</filename> and -<filename>/dev/disk/by-uuid</filename>, as these don’t change if the -topology changes (e.g. if a disk is moved to another IDE -controller).</para> - -<para>You can usually omit the file system type -(<option>fsType</option>), since <command>mount</command> can usually -detect the type and load the necessary kernel module automatically. -However, if the file system is needed at early boot (in the initial -ramdisk) and is not <literal>ext2</literal>, <literal>ext3</literal> -or <literal>ext4</literal>, then it’s best to specify -<option>fsType</option> to ensure that the kernel module is -available.</para> - -<note><para>System startup will fail if any of the filesystems fails to mount, -dropping you to the emergency shell. -You can make a mount asynchronous and non-critical by adding -<literal>options = [ "nofail" ];</literal>. -</para></note> - -<xi:include href="luks-file-systems.xml" /> - + Mount points are created automatically if they don’t already exist. For + <option><link linkend="opt-fileSystems._name__.device">device</link></option>, + it’s best to use the topology-independent device aliases in + <filename>/dev/disk/by-label</filename> and + <filename>/dev/disk/by-uuid</filename>, as these don’t change if the + topology changes (e.g. if a disk is moved to another IDE controller). + </para> + <para> + You can usually omit the file system type + (<option><link linkend="opt-fileSystems._name__.fsType">fsType</link></option>), + since <command>mount</command> can usually detect the type and load the + necessary kernel module automatically. However, if the file system is needed + at early boot (in the initial ramdisk) and is not <literal>ext2</literal>, + <literal>ext3</literal> or <literal>ext4</literal>, then it’s best to + specify <option>fsType</option> to ensure that the kernel module is + available. + </para> + <note> + <para> + System startup will fail if any of the filesystems fails to mount, dropping + you to the emergency shell. You can make a mount asynchronous and + non-critical by adding + <literal><link linkend="opt-fileSystems._name__.options">options</link> = [ + "nofail" ];</literal>. + </para> + </note> + <xi:include href="luks-file-systems.xml" /> </chapter> diff --git a/nixos/doc/manual/configuration/firewall.xml b/nixos/doc/manual/configuration/firewall.xml index 75cccef95b38..b66adcedce6e 100644 --- a/nixos/doc/manual/configuration/firewall.xml +++ b/nixos/doc/manual/configuration/firewall.xml @@ -3,49 +3,44 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-firewall"> + <title>Firewall</title> -<title>Firewall</title> - -<para>NixOS has a simple stateful firewall that blocks incoming -connections and other unexpected packets. The firewall applies to -both IPv4 and IPv6 traffic. It is enabled by default. It can be -disabled as follows: - + <para> + NixOS has a simple stateful firewall that blocks incoming connections and + other unexpected packets. The firewall applies to both IPv4 and IPv6 traffic. + It is enabled by default. It can be disabled as follows: <programlisting> -networking.firewall.enable = false; +<xref linkend="opt-networking.firewall.enable"/> = false; </programlisting> - -If the firewall is enabled, you can open specific TCP ports to the -outside world: - + If the firewall is enabled, you can open specific TCP ports to the outside + world: <programlisting> -networking.firewall.allowedTCPPorts = [ 80 443 ]; +<xref linkend="opt-networking.firewall.allowedTCPPorts"/> = [ 80 443 ]; </programlisting> - -Note that TCP port 22 (ssh) is opened automatically if the SSH daemon -is enabled (<option>services.openssh.enable = true</option>). UDP -ports can be opened through -<option>networking.firewall.allowedUDPPorts</option>.</para> - -<para>To open ranges of TCP ports: - + Note that TCP port 22 (ssh) is opened automatically if the SSH daemon is + enabled (<option><xref linkend="opt-services.openssh.enable"/> = + true</option>). UDP ports can be opened through + <xref linkend="opt-networking.firewall.allowedUDPPorts"/>. + </para> + + <para> + To open ranges of TCP ports: <programlisting> -networking.firewall.allowedTCPPortRanges = [ +<xref linkend="opt-networking.firewall.allowedTCPPortRanges"/> = [ { from = 4000; to = 4007; } { from = 8000; to = 8010; } ]; </programlisting> + Similarly, UDP port ranges can be opened through + <xref linkend="opt-networking.firewall.allowedUDPPortRanges"/>. + </para> -Similarly, UDP port ranges can be opened through -<option>networking.firewall.allowedUDPPortRanges</option>.</para> - -<para>Also of interest is - + <para> + Also of interest is <programlisting> -networking.firewall.allowPing = true; +<xref linkend="opt-networking.firewall.allowPing"/> = true; </programlisting> - -to allow the machine to respond to ping requests. (ICMPv6 pings are -always allowed.)</para> - + to allow the machine to respond to ping requests. (ICMPv6 pings are always + allowed.) + </para> </section> diff --git a/nixos/doc/manual/configuration/ipv4-config.xml b/nixos/doc/manual/configuration/ipv4-config.xml index 68238b547d60..71ddf41491ba 100644 --- a/nixos/doc/manual/configuration/ipv4-config.xml +++ b/nixos/doc/manual/configuration/ipv4-config.xml @@ -3,42 +3,41 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-ipv4"> + <title>IPv4 Configuration</title> -<title>IPv4 Configuration</title> - -<para>By default, NixOS uses DHCP (specifically, -<command>dhcpcd</command>) to automatically configure network -interfaces. However, you can configure an interface manually as -follows: - + <para> + By default, NixOS uses DHCP (specifically, <command>dhcpcd</command>) to + automatically configure network interfaces. However, you can configure an + interface manually as follows: <programlisting> -networking.interfaces.eth0.ipv4.addresses = [ { address = "192.168.1.2"; prefixLength = 24; } ]; +<link linkend="opt-networking.interfaces._name__.ipv4.addresses">networking.interfaces.eth0.ipv4.addresses</link> = [ { + address = "192.168.1.2"; + prefixLength = 24; +} ]; </programlisting> - -Typically you’ll also want to set a default gateway and set of name -servers: - + Typically you’ll also want to set a default gateway and set of name + servers: <programlisting> -networking.defaultGateway = "192.168.1.1"; -networking.nameservers = [ "8.8.8.8" ]; +<xref linkend="opt-networking.defaultGateway"/> = "192.168.1.1"; +<xref linkend="opt-networking.nameservers"/> = [ "8.8.8.8" ]; </programlisting> - -</para> - -<note><para>Statically configured interfaces are set up by the systemd -service -<replaceable>interface-name</replaceable><literal>-cfg.service</literal>. -The default gateway and name server configuration is performed by -<literal>network-setup.service</literal>.</para></note> - -<para>The host name is set using <option>networking.hostName</option>: - + </para> + + <note> + <para> + Statically configured interfaces are set up by the systemd service + <replaceable>interface-name</replaceable><literal>-cfg.service</literal>. + The default gateway and name server configuration is performed by + <literal>network-setup.service</literal>. + </para> + </note> + + <para> + The host name is set using <xref linkend="opt-networking.hostName"/>: <programlisting> -networking.hostName = "cartman"; +<xref linkend="opt-networking.hostName"/> = "cartman"; </programlisting> - -The default host name is <literal>nixos</literal>. Set it to the -empty string (<literal>""</literal>) to allow the DHCP server to -provide the host name.</para> - + The default host name is <literal>nixos</literal>. Set it to the empty string + (<literal>""</literal>) to allow the DHCP server to provide the host name. + </para> </section> diff --git a/nixos/doc/manual/configuration/ipv6-config.xml b/nixos/doc/manual/configuration/ipv6-config.xml index 74a21e18ec3f..e9ab7cce4eb2 100644 --- a/nixos/doc/manual/configuration/ipv6-config.xml +++ b/nixos/doc/manual/configuration/ipv6-config.xml @@ -3,44 +3,48 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-ipv6"> + <title>IPv6 Configuration</title> -<title>IPv6 Configuration</title> - -<para>IPv6 is enabled by default. Stateless address autoconfiguration -is used to automatically assign IPv6 addresses to all interfaces. You -can disable IPv6 support globally by setting: - + <para> + IPv6 is enabled by default. Stateless address autoconfiguration is used to + automatically assign IPv6 addresses to all interfaces. You can disable IPv6 + support globally by setting: <programlisting> -networking.enableIPv6 = false; -</programlisting></para> - -<para>You can disable IPv6 on a single interface using a normal sysctl (in this -example, we use interface <varname>eth0</varname>): +<xref linkend="opt-networking.enableIPv6"/> = false; +</programlisting> + </para> + <para> + You can disable IPv6 on a single interface using a normal sysctl (in this + example, we use interface <varname>eth0</varname>): <programlisting> -boot.kernel.sysctl."net.ipv6.conf.eth0.disable_ipv6" = true; +<xref linkend="opt-boot.kernel.sysctl"/>."net.ipv6.conf.eth0.disable_ipv6" = true; </programlisting> -</para> - -<para>As with IPv4 networking interfaces are automatically configured via -DHCPv6. You can configure an interface manually: + </para> + <para> + As with IPv4 networking interfaces are automatically configured via DHCPv6. + You can configure an interface manually: <programlisting> -networking.interfaces.eth0.ipv6.addresses = [ { address = "fe00:aa:bb:cc::2"; prefixLength = 64; } ]; +<link linkend="opt-networking.interfaces._name__.ipv6.addresses">networking.interfaces.eth0.ipv6.addresses</link> = [ { + address = "fe00:aa:bb:cc::2"; + prefixLength = 64; +} ]; </programlisting> -</para> - -<para>For configuring a gateway, optionally with explicitly specified interface: + </para> + <para> + For configuring a gateway, optionally with explicitly specified interface: <programlisting> -networking.defaultGateway6 = { +<xref linkend="opt-networking.defaultGateway6"/> = { address = "fe00::1"; interface = "enp0s3"; } </programlisting> -</para> - -<para>See <xref linkend='sec-ipv4' /> for similar examples and additional information. -</para> + </para> + <para> + See <xref linkend='sec-ipv4' /> for similar examples and additional + information. + </para> </section> diff --git a/nixos/doc/manual/configuration/linux-kernel.xml b/nixos/doc/manual/configuration/linux-kernel.xml index 52be26d6024a..0990e9d932ba 100644 --- a/nixos/doc/manual/configuration/linux-kernel.xml +++ b/nixos/doc/manual/configuration/linux-kernel.xml @@ -3,29 +3,29 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-kernel-config"> - -<title>Linux Kernel</title> - -<para>You can override the Linux kernel and associated packages using -the option <option>boot.kernelPackages</option>. For instance, this -selects the Linux 3.10 kernel: + <title>Linux Kernel</title> + <para> + You can override the Linux kernel and associated packages using the option + <option>boot.kernelPackages</option>. For instance, this selects the Linux + 3.10 kernel: <programlisting> -boot.kernelPackages = pkgs.linuxPackages_3_10; +<xref linkend="opt-boot.kernelPackages"/> = pkgs.linuxPackages_3_10; </programlisting> -Note that this not only replaces the kernel, but also packages that -are specific to the kernel version, such as the NVIDIA video drivers. -This ensures that driver packages are consistent with the -kernel.</para> - -<para>The default Linux kernel configuration should be fine for most users. You can see the configuration of your current kernel with the following command: + Note that this not only replaces the kernel, but also packages that are + specific to the kernel version, such as the NVIDIA video drivers. This + ensures that driver packages are consistent with the kernel. + </para> + <para> + The default Linux kernel configuration should be fine for most users. You can + see the configuration of your current kernel with the following command: <programlisting> zcat /proc/config.gz </programlisting> -If you want to change the kernel configuration, you can use the -<option>packageOverrides</option> feature (see <xref -linkend="sec-customising-packages" />). For instance, to enable -support for the kernel debugger KGDB: - + If you want to change the kernel configuration, you can use the + <option>packageOverrides</option> feature (see + <xref +linkend="sec-customising-packages" />). For instance, to enable support + for the kernel debugger KGDB: <programlisting> nixpkgs.config.packageOverrides = pkgs: { linux_3_4 = pkgs.linux_3_4.override { @@ -36,47 +36,46 @@ nixpkgs.config.packageOverrides = pkgs: }; }; </programlisting> - -<varname>extraConfig</varname> takes a list of Linux kernel -configuration options, one per line. The name of the option should -not include the prefix <literal>CONFIG_</literal>. The option value -is typically <literal>y</literal>, <literal>n</literal> or -<literal>m</literal> (to build something as a kernel module).</para> - -<para>Kernel modules for hardware devices are generally loaded -automatically by <command>udev</command>. You can force a module to -be loaded via <option>boot.kernelModules</option>, e.g. + <varname>extraConfig</varname> takes a list of Linux kernel configuration + options, one per line. The name of the option should not include the prefix + <literal>CONFIG_</literal>. The option value is typically + <literal>y</literal>, <literal>n</literal> or <literal>m</literal> (to build + something as a kernel module). + </para> + <para> + Kernel modules for hardware devices are generally loaded automatically by + <command>udev</command>. You can force a module to be loaded via + <xref linkend="opt-boot.kernelModules"/>, e.g. <programlisting> -boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ]; +<xref linkend="opt-boot.kernelModules"/> = [ "fuse" "kvm-intel" "coretemp" ]; </programlisting> -If the module is required early during the boot (e.g. to mount the -root file system), you can use -<option>boot.initrd.extraKernelModules</option>: + If the module is required early during the boot (e.g. to mount the root file + system), you can use <xref linkend="opt-boot.initrd.extraKernelModules"/>: <programlisting> -boot.initrd.extraKernelModules = [ "cifs" ]; +<xref linkend="opt-boot.initrd.extraKernelModules"/> = [ "cifs" ]; </programlisting> -This causes the specified modules and their dependencies to be added -to the initial ramdisk.</para> - -<para>Kernel runtime parameters can be set through -<option>boot.kernel.sysctl</option>, e.g. + This causes the specified modules and their dependencies to be added to the + initial ramdisk. + </para> + <para> + Kernel runtime parameters can be set through + <xref linkend="opt-boot.kernel.sysctl"/>, e.g. <programlisting> -boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120; +<xref linkend="opt-boot.kernel.sysctl"/>."net.ipv4.tcp_keepalive_time" = 120; </programlisting> -sets the kernel’s TCP keepalive time to 120 seconds. To see the -available parameters, run <command>sysctl -a</command>.</para> - -<section> + sets the kernel’s TCP keepalive time to 120 seconds. To see the available + parameters, run <command>sysctl -a</command>. + </para> + <section> <title>Developing kernel modules</title> - <para>When developing kernel modules it's often convenient to run - edit-compile-run loop as quickly as possible. - - See below snippet as an example of developing <literal>mellanox</literal> - drivers. + <para> + When developing kernel modules it's often convenient to run edit-compile-run + loop as quickly as possible. See below snippet as an example of developing + <literal>mellanox</literal> drivers. </para> - <screen><![CDATA[ +<screen><![CDATA[ $ nix-build '<nixpkgs>' -A linuxPackages.kernel.dev $ nix-shell '<nixpkgs>' -A linuxPackages.kernel $ unpackPhase @@ -84,7 +83,5 @@ $ cd linux-* $ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules # insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko ]]></screen> - -</section> - + </section> </chapter> diff --git a/nixos/doc/manual/configuration/luks-file-systems.xml b/nixos/doc/manual/configuration/luks-file-systems.xml index 00c795cd0898..8a2b107e0ee8 100644 --- a/nixos/doc/manual/configuration/luks-file-systems.xml +++ b/nixos/doc/manual/configuration/luks-file-systems.xml @@ -3,14 +3,13 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-luks-file-systems"> + <title>LUKS-Encrypted File Systems</title> -<title>LUKS-Encrypted File Systems</title> - -<para>NixOS supports file systems that are encrypted using -<emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, -here is how you create an encrypted Ext4 file system on the device -<filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>: - + <para> + NixOS supports file systems that are encrypted using + <emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, here is how + you create an encrypted Ext4 file system on the device + <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>: <screen> # cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d @@ -27,20 +26,15 @@ Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: *** # mkfs.ext4 /dev/mapper/crypted </screen> - -To ensure that this file system is automatically mounted at boot time -as <filename>/</filename>, add the following to -<filename>configuration.nix</filename>: - + To ensure that this file system is automatically mounted at boot time as + <filename>/</filename>, add the following to + <filename>configuration.nix</filename>: <programlisting> -boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d"; -fileSystems."/".device = "/dev/mapper/crypted"; +<link linkend="opt-boot.initrd.luks.devices._name__.device">boot.initrd.luks.devices.crypted.device</link> = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d"; +<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/crypted"; </programlisting> - -Should grub be used as bootloader, and <filename>/boot</filename> is located -on an encrypted partition, it is necessary to add the following grub option: -<programlisting>boot.loader.grub.enableCryptodisk = true;</programlisting> - -</para> - + Should grub be used as bootloader, and <filename>/boot</filename> is located + on an encrypted partition, it is necessary to add the following grub option: +<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting> + </para> </section> diff --git a/nixos/doc/manual/configuration/modularity.xml b/nixos/doc/manual/configuration/modularity.xml index 5420c7f88385..3ff96f719ec5 100644 --- a/nixos/doc/manual/configuration/modularity.xml +++ b/nixos/doc/manual/configuration/modularity.xml @@ -3,101 +3,95 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-modularity"> - -<title>Modularity</title> - -<para>The NixOS configuration mechanism is modular. If your -<filename>configuration.nix</filename> becomes too big, you can split -it into multiple files. Likewise, if you have multiple NixOS -configurations (e.g. for different computers) with some commonality, -you can move the common configuration into a shared file.</para> - -<para>Modules have exactly the same syntax as -<filename>configuration.nix</filename>. In fact, -<filename>configuration.nix</filename> is itself a module. You can -use other modules by including them from -<filename>configuration.nix</filename>, e.g.: - + <title>Modularity</title> + + <para> + The NixOS configuration mechanism is modular. If your + <filename>configuration.nix</filename> becomes too big, you can split it into + multiple files. Likewise, if you have multiple NixOS configurations (e.g. for + different computers) with some commonality, you can move the common + configuration into a shared file. + </para> + + <para> + Modules have exactly the same syntax as + <filename>configuration.nix</filename>. In fact, + <filename>configuration.nix</filename> is itself a module. You can use other + modules by including them from <filename>configuration.nix</filename>, e.g.: <programlisting> { config, pkgs, ... }: { imports = [ ./vpn.nix ./kde.nix ]; - services.httpd.enable = true; - environment.systemPackages = [ pkgs.emacs ]; + <xref linkend="opt-services.httpd.enable"/> = true; + <xref linkend="opt-environment.systemPackages"/> = [ pkgs.emacs ]; <replaceable>...</replaceable> } </programlisting> - -Here, we include two modules from the same directory, -<filename>vpn.nix</filename> and <filename>kde.nix</filename>. The -latter might look like this: - + Here, we include two modules from the same directory, + <filename>vpn.nix</filename> and <filename>kde.nix</filename>. The latter + might look like this: <programlisting> { config, pkgs, ... }: -{ services.xserver.enable = true; - services.xserver.displayManager.sddm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; +{ <xref linkend="opt-services.xserver.enable"/> = true; + <xref linkend="opt-services.xserver.displayManager.sddm.enable"/> = true; + <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> = true; } </programlisting> - -Note that both <filename>configuration.nix</filename> and -<filename>kde.nix</filename> define the option -<option>environment.systemPackages</option>. When multiple modules -define an option, NixOS will try to <emphasis>merge</emphasis> the -definitions. In the case of -<option>environment.systemPackages</option>, that’s easy: the lists of -packages can simply be concatenated. The value in -<filename>configuration.nix</filename> is merged last, so for -list-type options, it will appear at the end of the merged list. If -you want it to appear first, you can use <varname>mkBefore</varname>: - + Note that both <filename>configuration.nix</filename> and + <filename>kde.nix</filename> define the option + <xref linkend="opt-environment.systemPackages"/>. When multiple modules + define an option, NixOS will try to <emphasis>merge</emphasis> the + definitions. In the case of <xref linkend="opt-environment.systemPackages"/>, + that’s easy: the lists of packages can simply be concatenated. The value in + <filename>configuration.nix</filename> is merged last, so for list-type + options, it will appear at the end of the merged list. If you want it to + appear first, you can use <varname>mkBefore</varname>: <programlisting> -boot.kernelModules = mkBefore [ "kvm-intel" ]; +<xref linkend="opt-boot.kernelModules"/> = mkBefore [ "kvm-intel" ]; </programlisting> - -This causes the <literal>kvm-intel</literal> kernel module to be -loaded before any other kernel modules.</para> - -<para>For other types of options, a merge may not be possible. For -instance, if two modules define -<option>services.httpd.adminAddr</option>, -<command>nixos-rebuild</command> will give an error: - + This causes the <literal>kvm-intel</literal> kernel module to be loaded + before any other kernel modules. + </para> + + <para> + For other types of options, a merge may not be possible. For instance, if two + modules define <xref linkend="opt-services.httpd.adminAddr"/>, + <command>nixos-rebuild</command> will give an error: <screen> The unique option `services.httpd.adminAddr' is defined multiple times, in `/etc/nixos/httpd.nix' and `/etc/nixos/configuration.nix'. </screen> - -When that happens, it’s possible to force one definition take -precedence over the others: - + When that happens, it’s possible to force one definition take precedence + over the others: <programlisting> -services.httpd.adminAddr = pkgs.lib.mkForce "bob@example.org"; +<xref linkend="opt-services.httpd.adminAddr"/> = pkgs.lib.mkForce "bob@example.org"; </programlisting> - -</para> - -<para>When using multiple modules, you may need to access -configuration values defined in other modules. This is what the -<varname>config</varname> function argument is for: it contains the -complete, merged system configuration. That is, -<varname>config</varname> is the result of combining the -configurations returned by every module<footnote><para>If you’re -wondering how it’s possible that the (indirect) -<emphasis>result</emphasis> of a function is passed as an -<emphasis>input</emphasis> to that same function: that’s because Nix -is a “lazy” language — it only computes values when they are needed. -This works as long as no individual configuration value depends on -itself.</para></footnote>. For example, here is a module that adds -some packages to <option>environment.systemPackages</option> only if -<option>services.xserver.enable</option> is set to -<literal>true</literal> somewhere else: - + </para> + + <para> + When using multiple modules, you may need to access configuration values + defined in other modules. This is what the <varname>config</varname> function + argument is for: it contains the complete, merged system configuration. That + is, <varname>config</varname> is the result of combining the configurations + returned by every module + <footnote> + <para> + If you’re wondering how it’s possible that the (indirect) + <emphasis>result</emphasis> of a function is passed as an + <emphasis>input</emphasis> to that same function: that’s because Nix is a + “lazy” language — it only computes values when they are needed. This + works as long as no individual configuration value depends on itself. + </para> + </footnote> + . For example, here is a module that adds some packages to + <xref linkend="opt-environment.systemPackages"/> only if + <xref linkend="opt-services.xserver.enable"/> is set to + <literal>true</literal> somewhere else: <programlisting> { config, pkgs, ... }: -{ environment.systemPackages = - if config.services.xserver.enable then +{ <xref linkend="opt-environment.systemPackages"/> = + if config.<xref linkend="opt-services.xserver.enable"/> then [ pkgs.firefox pkgs.thunderbird ] @@ -105,38 +99,32 @@ some packages to <option>environment.systemPackages</option> only if [ ]; } </programlisting> + </para> -</para> - -<para>With multiple modules, it may not be obvious what the final -value of a configuration option is. The command -<option>nixos-option</option> allows you to find out: - + <para> + With multiple modules, it may not be obvious what the final value of a + configuration option is. The command <option>nixos-option</option> allows you + to find out: <screen> -$ nixos-option services.xserver.enable +$ nixos-option <xref linkend="opt-services.xserver.enable"/> true -$ nixos-option boot.kernelModules +$ nixos-option <xref linkend="opt-boot.kernelModules"/> [ "tun" "ipv6" "loop" <replaceable>...</replaceable> ] </screen> - -Interactive exploration of the configuration is possible using -<command + Interactive exploration of the configuration is possible using + <command xlink:href="https://github.com/edolstra/nix-repl">nix-repl</command>, -a read-eval-print loop for Nix expressions. It’s not installed by -default; run <literal>nix-env -i nix-repl</literal> to get it. A -typical use: - + a read-eval-print loop for Nix expressions. It’s not installed by default; + run <literal>nix-env -i nix-repl</literal> to get it. A typical use: <screen> $ nix-repl '<nixpkgs/nixos>' -nix-repl> config.networking.hostName +nix-repl> config.<xref linkend="opt-networking.hostName"/> "mandark" -nix-repl> map (x: x.hostName) config.services.httpd.virtualHosts +nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHosts"/> [ "example.org" "example.gov" ] </screen> - -</para> - + </para> </section> diff --git a/nixos/doc/manual/configuration/network-manager.xml b/nixos/doc/manual/configuration/network-manager.xml index b4808e74ff9d..e217a99148b9 100644 --- a/nixos/doc/manual/configuration/network-manager.xml +++ b/nixos/doc/manual/configuration/network-manager.xml @@ -3,39 +3,42 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-networkmanager"> + <title>NetworkManager</title> -<title>NetworkManager</title> - -<para>To facilitate network configuration, some desktop environments -use NetworkManager. You can enable NetworkManager by setting: - + <para> + To facilitate network configuration, some desktop environments use + NetworkManager. You can enable NetworkManager by setting: <programlisting> -networking.networkmanager.enable = true; +<xref linkend="opt-networking.networkmanager.enable"/> = true; </programlisting> + some desktop managers (e.g., GNOME) enable NetworkManager automatically for + you. + </para> -some desktop managers (e.g., GNOME) enable NetworkManager -automatically for you.</para> - -<para>All users that should have permission to change network settings must -belong to the <code>networkmanager</code> group: - + <para> + All users that should have permission to change network settings must belong + to the <code>networkmanager</code> group: <programlisting> -users.extraUsers.youruser.extraGroups = [ "networkmanager" ]; +<link linkend="opt-users.users._name__.extraGroups">users.extraUsers.youruser.extraGroups</link> = [ "networkmanager" ]; </programlisting> -</para> - -<para>NetworkManager is controlled using either <command>nmcli</command> or -<command>nmtui</command> (curses-based terminal user interface). See their -manual pages for details on their usage. Some desktop environments (GNOME, KDE) -have their own configuration tools for NetworkManager. On XFCE, there is no -configuration tool for NetworkManager by default: by adding -<code>networkmanagerapplet</code> to the list of system packages, the graphical -applet will be installed and will launch automatically when XFCE is starting -(and will show in the status tray).</para> - -<note><para><code>networking.networkmanager</code> and -<code>networking.wireless</code> (WPA Supplicant) cannot be enabled at the same -time: you can still connect to the wireless networks using -NetworkManager.</para></note> - + </para> + + <para> + NetworkManager is controlled using either <command>nmcli</command> or + <command>nmtui</command> (curses-based terminal user interface). See their + manual pages for details on their usage. Some desktop environments (GNOME, + KDE) have their own configuration tools for NetworkManager. On XFCE, there is + no configuration tool for NetworkManager by default: by adding + <code>networkmanagerapplet</code> to the list of system packages, the + graphical applet will be installed and will launch automatically when XFCE is + starting (and will show in the status tray). + </para> + + <note> + <para> + <code>networking.networkmanager</code> and <code>networking.wireless</code> + (WPA Supplicant) cannot be enabled at the same time: you can still connect + to the wireless networks using NetworkManager. + </para> + </note> </section> diff --git a/nixos/doc/manual/configuration/networking.xml b/nixos/doc/manual/configuration/networking.xml index 5f08bc1f1275..02cf811e0bd3 100644 --- a/nixos/doc/manual/configuration/networking.xml +++ b/nixos/doc/manual/configuration/networking.xml @@ -3,20 +3,17 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-networking"> - -<title>Networking</title> - -<para>This section describes how to configure networking components on -your NixOS machine.</para> - -<xi:include href="network-manager.xml" /> -<xi:include href="ssh.xml" /> -<xi:include href="ipv4-config.xml" /> -<xi:include href="ipv6-config.xml" /> -<xi:include href="firewall.xml" /> -<xi:include href="wireless.xml" /> -<xi:include href="ad-hoc-network-config.xml" /> - + <title>Networking</title> + <para> + This section describes how to configure networking components on your NixOS + machine. + </para> + <xi:include href="network-manager.xml" /> + <xi:include href="ssh.xml" /> + <xi:include href="ipv4-config.xml" /> + <xi:include href="ipv6-config.xml" /> + <xi:include href="firewall.xml" /> + <xi:include href="wireless.xml" /> + <xi:include href="ad-hoc-network-config.xml" /> <!-- TODO: OpenVPN, NAT --> - </chapter> diff --git a/nixos/doc/manual/configuration/package-mgmt.xml b/nixos/doc/manual/configuration/package-mgmt.xml index 73c1722da02c..e8ac5d0681a9 100644 --- a/nixos/doc/manual/configuration/package-mgmt.xml +++ b/nixos/doc/manual/configuration/package-mgmt.xml @@ -3,32 +3,29 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-package-management"> - -<title>Package Management</title> - -<para>This section describes how to add additional packages to your -system. NixOS has two distinct styles of package management: - -<itemizedlist> - - <listitem><para><emphasis>Declarative</emphasis>, where you declare - what packages you want in your - <filename>configuration.nix</filename>. Every time you run - <command>nixos-rebuild</command>, NixOS will ensure that you get a - consistent set of binaries corresponding to your - specification.</para></listitem> - - <listitem><para><emphasis>Ad hoc</emphasis>, where you install, - upgrade and uninstall packages via the <command>nix-env</command> - command. This style allows mixing packages from different Nixpkgs - versions. It’s the only choice for non-root - users.</para></listitem> - -</itemizedlist> - -</para> - -<xi:include href="declarative-packages.xml" /> -<xi:include href="ad-hoc-packages.xml" /> - + <title>Package Management</title> + <para> + This section describes how to add additional packages to your system. NixOS + has two distinct styles of package management: + <itemizedlist> + <listitem> + <para> + <emphasis>Declarative</emphasis>, where you declare what packages you want + in your <filename>configuration.nix</filename>. Every time you run + <command>nixos-rebuild</command>, NixOS will ensure that you get a + consistent set of binaries corresponding to your specification. + </para> + </listitem> + <listitem> + <para> + <emphasis>Ad hoc</emphasis>, where you install, upgrade and uninstall + packages via the <command>nix-env</command> command. This style allows + mixing packages from different Nixpkgs versions. It’s the only choice + for non-root users. + </para> + </listitem> + </itemizedlist> + </para> + <xi:include href="declarative-packages.xml" /> + <xi:include href="ad-hoc-packages.xml" /> </chapter> diff --git a/nixos/doc/manual/configuration/ssh.xml b/nixos/doc/manual/configuration/ssh.xml index 7c928baaf896..6e883e3fbbc1 100644 --- a/nixos/doc/manual/configuration/ssh.xml +++ b/nixos/doc/manual/configuration/ssh.xml @@ -3,30 +3,25 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-ssh"> + <title>Secure Shell Access</title> -<title>Secure Shell Access</title> - -<para>Secure shell (SSH) access to your machine can be enabled by -setting: - + <para> + Secure shell (SSH) access to your machine can be enabled by setting: <programlisting> -services.openssh.enable = true; +<xref linkend="opt-services.openssh.enable"/> = true; </programlisting> - -By default, root logins using a password are disallowed. They can be -disabled entirely by setting -<literal>services.openssh.permitRootLogin</literal> to -<literal>"no"</literal>.</para> - -<para>You can declaratively specify authorised RSA/DSA public keys for -a user as follows: - + By default, root logins using a password are disallowed. They can be disabled + entirely by setting <xref linkend="opt-services.openssh.permitRootLogin"/> to + <literal>"no"</literal>. + </para> + + <para> + You can declaratively specify authorised RSA/DSA public keys for a user as + follows: <!-- FIXME: this might not work if the user is unmanaged. --> <programlisting> -users.extraUsers.alice.openssh.authorizedKeys.keys = +<link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">users.extraUsers.alice.openssh.authorizedKeys.keys</link> = [ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ]; </programlisting> - -</para> - + </para> </section> diff --git a/nixos/doc/manual/configuration/summary.xml b/nixos/doc/manual/configuration/summary.xml index be1f2263149e..ea980254a8fc 100644 --- a/nixos/doc/manual/configuration/summary.xml +++ b/nixos/doc/manual/configuration/summary.xml @@ -3,190 +3,225 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-nix-syntax-summary"> + <title>Syntax Summary</title> -<title>Syntax Summary</title> - -<para>Below is a summary of the most important syntactic constructs in -the Nix expression language. It’s not complete. In particular, there -are many other built-in functions. See the <link + <para> + Below is a summary of the most important syntactic constructs in the Nix + expression language. It’s not complete. In particular, there are many other + built-in functions. See the + <link xlink:href="http://nixos.org/nix/manual/#chap-writing-nix-expressions">Nix -manual</link> for the rest.</para> + manual</link> for the rest. + </para> -<informaltable frame='none'> + <informaltable frame='none'> <tgroup cols='2'> - <colspec colname='c1' rowsep='1' colsep='1' /> - <colspec colname='c2' rowsep='1' /> - <thead> - <row> - <entry>Example</entry> - <entry>Description</entry> - </row> - </thead> - <tbody> - - <row> - <entry namest="c1" nameend="c2"><emphasis>Basic values</emphasis></entry> - </row> - <row> - <entry><literal>"Hello world"</literal></entry> - <entry>A string</entry> - </row> - <row> - <entry><literal>"${pkgs.bash}/bin/sh"</literal></entry> - <entry>A string containing an expression (expands to <literal>"/nix/store/<replaceable>hash</replaceable>-bash-<replaceable>version</replaceable>/bin/sh"</literal>)</entry> - </row> - <row> - <entry><literal>true</literal>, <literal>false</literal></entry> - <entry>Booleans</entry> - </row> - <row> - <entry><literal>123</literal></entry> - <entry>An integer</entry> - </row> - <row> - <entry><literal>./foo.png</literal></entry> - <entry>A path (relative to the containing Nix expression)</entry> - </row> - - <row> - <entry namest="c1" nameend="c2"><emphasis>Compound values</emphasis></entry> - </row> - <row> - <entry><literal>{ x = 1; y = 2; }</literal></entry> - <entry>An set with attributes names <literal>x</literal> and <literal>y</literal></entry> - </row> - <row> - <entry><literal>{ foo.bar = 1; }</literal></entry> - <entry>A nested set, equivalent to <literal>{ foo = { bar = 1; }; }</literal></entry> - </row> - <row> - <entry><literal>rec { x = "foo"; y = x + "bar"; }</literal></entry> - <entry>A recursive set, equivalent to <literal>{ x = "foo"; y = "foobar"; }</literal></entry> - </row> - <row> - <entry><literal>[ "foo" "bar" ]</literal></entry> - <entry>A list with two elements</entry> - </row> - - <row> - <entry namest="c1" nameend="c2"><emphasis>Operators</emphasis></entry> - </row> - <row> - <entry><literal>"foo" + "bar"</literal></entry> - <entry>String concatenation</entry> - </row> - <row> - <entry><literal>1 + 2</literal></entry> - <entry>Integer addition</entry> - </row> - <row> - <entry><literal>"foo" == "f" + "oo"</literal></entry> - <entry>Equality test (evaluates to <literal>true</literal>)</entry> - </row> - <row> - <entry><literal>"foo" != "bar"</literal></entry> - <entry>Inequality test (evaluates to <literal>true</literal>)</entry> - </row> - <row> - <entry><literal>!true</literal></entry> - <entry>Boolean negation</entry> - </row> - <row> - <entry><literal>{ x = 1; y = 2; }.x</literal></entry> - <entry>Attribute selection (evaluates to <literal>1</literal>)</entry> - </row> - <row> - <entry><literal>{ x = 1; y = 2; }.z or 3</literal></entry> - <entry>Attribute selection with default (evaluates to <literal>3</literal>)</entry> - </row> - <row> - <entry><literal>{ x = 1; y = 2; } // { z = 3; }</literal></entry> - <entry>Merge two sets (attributes in the right-hand set taking precedence)</entry> - </row> - - <row> - <entry namest="c1" nameend="c2"><emphasis>Control structures</emphasis></entry> - </row> - <row> - <entry><literal>if 1 + 1 == 2 then "yes!" else "no!"</literal></entry> - <entry>Conditional expression</entry> - </row> - <row> - <entry><literal>assert 1 + 1 == 2; "yes!"</literal></entry> - <entry>Assertion check (evaluates to <literal>"yes!"</literal>). See <xref + <colspec colname='c1' rowsep='1' colsep='1' /> + <colspec colname='c2' rowsep='1' /> + <thead> + <row> + <entry>Example</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry namest="c1" nameend="c2"><emphasis>Basic values</emphasis> + </entry> + </row> + <row> + <entry><literal>"Hello world"</literal> + </entry> + <entry>A string</entry> + </row> + <row> + <entry><literal>"${pkgs.bash}/bin/sh"</literal> + </entry> + <entry>A string containing an expression (expands to <literal>"/nix/store/<replaceable>hash</replaceable>-bash-<replaceable>version</replaceable>/bin/sh"</literal>)</entry> + </row> + <row> + <entry><literal>true</literal>, <literal>false</literal> + </entry> + <entry>Booleans</entry> + </row> + <row> + <entry><literal>123</literal> + </entry> + <entry>An integer</entry> + </row> + <row> + <entry><literal>./foo.png</literal> + </entry> + <entry>A path (relative to the containing Nix expression)</entry> + </row> + <row> + <entry namest="c1" nameend="c2"><emphasis>Compound values</emphasis> + </entry> + </row> + <row> + <entry><literal>{ x = 1; y = 2; }</literal> + </entry> + <entry>A set with attributes named <literal>x</literal> and <literal>y</literal> + </entry> + </row> + <row> + <entry><literal>{ foo.bar = 1; }</literal> + </entry> + <entry>A nested set, equivalent to <literal>{ foo = { bar = 1; }; }</literal> + </entry> + </row> + <row> + <entry><literal>rec { x = "foo"; y = x + "bar"; }</literal> + </entry> + <entry>A recursive set, equivalent to <literal>{ x = "foo"; y = "foobar"; }</literal> + </entry> + </row> + <row> + <entry><literal>[ "foo" "bar" ]</literal> + </entry> + <entry>A list with two elements</entry> + </row> + <row> + <entry namest="c1" nameend="c2"><emphasis>Operators</emphasis> + </entry> + </row> + <row> + <entry><literal>"foo" + "bar"</literal> + </entry> + <entry>String concatenation</entry> + </row> + <row> + <entry><literal>1 + 2</literal> + </entry> + <entry>Integer addition</entry> + </row> + <row> + <entry><literal>"foo" == "f" + "oo"</literal> + </entry> + <entry>Equality test (evaluates to <literal>true</literal>)</entry> + </row> + <row> + <entry><literal>"foo" != "bar"</literal> + </entry> + <entry>Inequality test (evaluates to <literal>true</literal>)</entry> + </row> + <row> + <entry><literal>!true</literal> + </entry> + <entry>Boolean negation</entry> + </row> + <row> + <entry><literal>{ x = 1; y = 2; }.x</literal> + </entry> + <entry>Attribute selection (evaluates to <literal>1</literal>)</entry> + </row> + <row> + <entry><literal>{ x = 1; y = 2; }.z or 3</literal> + </entry> + <entry>Attribute selection with default (evaluates to <literal>3</literal>)</entry> + </row> + <row> + <entry><literal>{ x = 1; y = 2; } // { z = 3; }</literal> + </entry> + <entry>Merge two sets (attributes in the right-hand set taking precedence)</entry> + </row> + <row> + <entry namest="c1" nameend="c2"><emphasis>Control structures</emphasis> + </entry> + </row> + <row> + <entry><literal>if 1 + 1 == 2 then "yes!" else "no!"</literal> + </entry> + <entry>Conditional expression</entry> + </row> + <row> + <entry><literal>assert 1 + 1 == 2; "yes!"</literal> + </entry> + <entry>Assertion check (evaluates to <literal>"yes!"</literal>). See <xref linkend="sec-assertions"/> for using assertions in modules</entry> - </row> - <row> - <entry><literal>let x = "foo"; y = "bar"; in x + y</literal></entry> - <entry>Variable definition</entry> - </row> - <row> - <entry><literal>with pkgs.lib; head [ 1 2 3 ]</literal></entry> - <entry>Add all attributes from the given set to the scope + </row> + <row> + <entry><literal>let x = "foo"; y = "bar"; in x + y</literal> + </entry> + <entry>Variable definition</entry> + </row> + <row> + <entry><literal>with pkgs.lib; head [ 1 2 3 ]</literal> + </entry> + <entry>Add all attributes from the given set to the scope (evaluates to <literal>1</literal>)</entry> - </row> - - <row> - <entry namest="c1" nameend="c2"><emphasis>Functions (lambdas)</emphasis></entry> - </row> - <row> - <entry><literal>x: x + 1</literal></entry> - <entry>A function that expects an integer and returns it increased by 1</entry> - </row> - <row> - <entry><literal>(x: x + 1) 100</literal></entry> - <entry>A function call (evaluates to 101)</entry> - </row> - <row> - <entry><literal>let inc = x: x + 1; in inc (inc (inc 100))</literal></entry> - <entry>A function bound to a variable and subsequently called by name (evaluates to 103)</entry> - </row> - <row> - <entry><literal>{ x, y }: x + y</literal></entry> - <entry>A function that expects a set with required attributes + </row> + <row> + <entry namest="c1" nameend="c2"><emphasis>Functions (lambdas)</emphasis> + </entry> + </row> + <row> + <entry><literal>x: x + 1</literal> + </entry> + <entry>A function that expects an integer and returns it increased by 1</entry> + </row> + <row> + <entry><literal>(x: x + 1) 100</literal> + </entry> + <entry>A function call (evaluates to 101)</entry> + </row> + <row> + <entry><literal>let inc = x: x + 1; in inc (inc (inc 100))</literal> + </entry> + <entry>A function bound to a variable and subsequently called by name (evaluates to 103)</entry> + </row> + <row> + <entry><literal>{ x, y }: x + y</literal> + </entry> + <entry>A function that expects a set with required attributes <literal>x</literal> and <literal>y</literal> and concatenates them</entry> - </row> - <row> - <entry><literal>{ x, y ? "bar" }: x + y</literal></entry> - <entry>A function that expects a set with required attribute + </row> + <row> + <entry><literal>{ x, y ? "bar" }: x + y</literal> + </entry> + <entry>A function that expects a set with required attribute <literal>x</literal> and optional <literal>y</literal>, using <literal>"bar"</literal> as default value for - <literal>y</literal></entry> - </row> - <row> - <entry><literal>{ x, y, ... }: x + y</literal></entry> - <entry>A function that expects a set with required attributes + <literal>y</literal> + </entry> + </row> + <row> + <entry><literal>{ x, y, ... }: x + y</literal> + </entry> + <entry>A function that expects a set with required attributes <literal>x</literal> and <literal>y</literal> and ignores any other attributes</entry> - </row> - <row> - <entry><literal>{ x, y } @ args: x + y</literal></entry> - <entry>A function that expects a set with required attributes + </row> + <row> + <entry><literal>{ x, y } @ args: x + y</literal> + </entry> + <entry>A function that expects a set with required attributes <literal>x</literal> and <literal>y</literal>, and binds the - whole set to <literal>args</literal></entry> - </row> - - <row> - <entry namest="c1" nameend="c2"><emphasis>Built-in functions</emphasis></entry> - </row> - <row> - <entry><literal>import ./foo.nix</literal></entry> - <entry>Load and return Nix expression in given file</entry> - </row> - <row> - <entry><literal>map (x: x + x) [ 1 2 3 ]</literal></entry> - <entry>Apply a function to every element of a list (evaluates to <literal>[ 2 4 6 ]</literal>)</entry> - </row> - <!-- + whole set to <literal>args</literal> + </entry> + </row> + <row> + <entry namest="c1" nameend="c2"><emphasis>Built-in functions</emphasis> + </entry> + </row> + <row> + <entry><literal>import ./foo.nix</literal> + </entry> + <entry>Load and return Nix expression in given file</entry> + </row> + <row> + <entry><literal>map (x: x + x) [ 1 2 3 ]</literal> + </entry> + <entry>Apply a function to every element of a list (evaluates to <literal>[ 2 4 6 ]</literal>)</entry> + </row> +<!-- <row> <entry><literal>throw "Urgh"</literal></entry> <entry>Raise an error condition</entry> </row> --> - - </tbody> + </tbody> </tgroup> -</informaltable> - + </informaltable> </section> diff --git a/nixos/doc/manual/configuration/user-mgmt.xml b/nixos/doc/manual/configuration/user-mgmt.xml index c6656edff6c8..66c1c6eb3a11 100644 --- a/nixos/doc/manual/configuration/user-mgmt.xml +++ b/nixos/doc/manual/configuration/user-mgmt.xml @@ -3,98 +3,86 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-user-management"> - -<title>User Management</title> - -<para>NixOS supports both declarative and imperative styles of user -management. In the declarative style, users are specified in -<filename>configuration.nix</filename>. For instance, the following -states that a user account named <literal>alice</literal> shall exist: - + <title>User Management</title> + <para> + NixOS supports both declarative and imperative styles of user management. In + the declarative style, users are specified in + <filename>configuration.nix</filename>. For instance, the following states + that a user account named <literal>alice</literal> shall exist: <programlisting> -users.users.alice = - { isNormalUser = true; - home = "/home/alice"; - description = "Alice Foobar"; - extraGroups = [ "wheel" "networkmanager" ]; - openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ]; - }; +<xref linkend="opt-users.users"/>.alice = { + <link linkend="opt-users.users._name__.isNormalUser">isNormalUser</link> = true; + <link linkend="opt-users.users._name__.home">home</link> = "/home/alice"; + <link linkend="opt-users.users._name__.description">description</link> = "Alice Foobar"; + <link linkend="opt-users.users._name__.extraGroups">extraGroups</link> = [ "wheel" "networkmanager" ]; + <link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">openssh.authorizedKeys.keys</link> = [ "ssh-dss AAAAB3Nza... alice@foobar" ]; +}; </programlisting> - -Note that <literal>alice</literal> is a member of the -<literal>wheel</literal> and <literal>networkmanager</literal> groups, -which allows her to use <command>sudo</command> to execute commands as -<literal>root</literal> and to configure the network, respectively. -Also note the SSH public key that allows remote logins with the -corresponding private key. Users created in this way do not have a -password by default, so they cannot log in via mechanisms that require -a password. However, you can use the <command>passwd</command> program -to set a password, which is retained across invocations of -<command>nixos-rebuild</command>.</para> - -<para>If you set users.mutableUsers to false, then the contents of /etc/passwd -and /etc/group will be congruent to your NixOS configuration. For instance, -if you remove a user from users.users and run nixos-rebuild, the user -account will cease to exist. Also, imperative commands for managing users -and groups, such as useradd, are no longer available. Passwords may still be -assigned by setting the user's <literal>hashedPassword</literal> option. A -hashed password can be generated using <command>mkpasswd -m sha-512</command> -after installing the <literal>mkpasswd</literal> package.</para> - -<para>A user ID (uid) is assigned automatically. You can also specify -a uid manually by adding - + Note that <literal>alice</literal> is a member of the + <literal>wheel</literal> and <literal>networkmanager</literal> groups, which + allows her to use <command>sudo</command> to execute commands as + <literal>root</literal> and to configure the network, respectively. Also note + the SSH public key that allows remote logins with the corresponding private + key. Users created in this way do not have a password by default, so they + cannot log in via mechanisms that require a password. However, you can use + the <command>passwd</command> program to set a password, which is retained + across invocations of <command>nixos-rebuild</command>. + </para> + <para> + If you set <xref linkend="opt-users.mutableUsers"/> to false, then the + contents of <literal>/etc/passwd</literal> and <literal>/etc/group</literal> + will be congruent to your NixOS configuration. For instance, if you remove a + user from <xref linkend="opt-users.users"/> and run nixos-rebuild, the user + account will cease to exist. Also, imperative commands for managing users and + groups, such as useradd, are no longer available. Passwords may still be + assigned by setting the user's + <link linkend="opt-users.users._name__.hashedPassword">hashedPassword</link> + option. A hashed password can be generated using <command>mkpasswd -m + sha-512</command> after installing the <literal>mkpasswd</literal> package. + </para> + <para> + A user ID (uid) is assigned automatically. You can also specify a uid + manually by adding <programlisting> uid = 1000; </programlisting> - -to the user specification.</para> - -<para>Groups can be specified similarly. The following states that a -group named <literal>students</literal> shall exist: - + to the user specification. + </para> + <para> + Groups can be specified similarly. The following states that a group named + <literal>students</literal> shall exist: <programlisting> -users.groups.students.gid = 1000; +<xref linkend="opt-users.groups"/>.students.gid = 1000; </programlisting> - -As with users, the group ID (gid) is optional and will be assigned -automatically if it’s missing.</para> - -<para>In the imperative style, users and groups are managed by -commands such as <command>useradd</command>, -<command>groupmod</command> and so on. For instance, to create a user -account named <literal>alice</literal>: - + As with users, the group ID (gid) is optional and will be assigned + automatically if it’s missing. + </para> + <para> + In the imperative style, users and groups are managed by commands such as + <command>useradd</command>, <command>groupmod</command> and so on. For + instance, to create a user account named <literal>alice</literal>: <screen> # useradd -m alice</screen> - -To make all nix tools available to this new user use `su - USER` which -opens a login shell (==shell that loads the profile) for given user. -This will create the ~/.nix-defexpr symlink. So run: - + To make all nix tools available to this new user use `su - USER` which opens + a login shell (==shell that loads the profile) for given user. This will + create the ~/.nix-defexpr symlink. So run: <screen> # su - alice -c "true"</screen> - - -The flag <option>-m</option> causes the creation of a home directory -for the new user, which is generally what you want. The user does not -have an initial password and therefore cannot log in. A password can -be set using the <command>passwd</command> utility: - + The flag <option>-m</option> causes the creation of a home directory for the + new user, which is generally what you want. The user does not have an initial + password and therefore cannot log in. A password can be set using the + <command>passwd</command> utility: <screen> # passwd alice Enter new UNIX password: *** Retype new UNIX password: *** </screen> - -A user can be deleted using <command>userdel</command>: - + A user can be deleted using <command>userdel</command>: <screen> # userdel -r alice</screen> - -The flag <option>-r</option> deletes the user’s home directory. -Accounts can be modified using <command>usermod</command>. Unix -groups can be managed using <command>groupadd</command>, -<command>groupmod</command> and <command>groupdel</command>.</para> - + The flag <option>-r</option> deletes the user’s home directory. Accounts + can be modified using <command>usermod</command>. Unix groups can be managed + using <command>groupadd</command>, <command>groupmod</command> and + <command>groupdel</command>. + </para> </chapter> diff --git a/nixos/doc/manual/configuration/wireless.xml b/nixos/doc/manual/configuration/wireless.xml index 1868380dcbfa..999447234ad1 100644 --- a/nixos/doc/manual/configuration/wireless.xml +++ b/nixos/doc/manual/configuration/wireless.xml @@ -3,51 +3,43 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-wireless"> + <title>Wireless Networks</title> -<title>Wireless Networks</title> - -<para>For a desktop installation using NetworkManager (e.g., GNOME), -you just have to make sure the user is in the -<code>networkmanager</code> group and you can skip the rest of this -section on wireless networks.</para> - -<para> -NixOS will start wpa_supplicant for you if you enable this setting: + <para> + For a desktop installation using NetworkManager (e.g., GNOME), you just have + to make sure the user is in the <code>networkmanager</code> group and you can + skip the rest of this section on wireless networks. + </para> + <para> + NixOS will start wpa_supplicant for you if you enable this setting: <programlisting> -networking.wireless.enable = true; +<xref linkend="opt-networking.wireless.enable"/> = true; </programlisting> - -NixOS lets you specify networks for wpa_supplicant declaratively: + NixOS lets you specify networks for wpa_supplicant declaratively: <programlisting> -networking.wireless.networks = { +<xref linkend="opt-networking.wireless.networks"/> = { echelon = { psk = "abcdefgh"; }; "free.wifi" = {}; } </programlisting> - -Be aware that keys will be written to the nix store in plaintext! - -When no networks are set, it will default to using a configuration file at -<literal>/etc/wpa_supplicant.conf</literal>. You should edit this file -yourself to define wireless networks, WPA keys and so on (see -wpa_supplicant.conf(5)). -</para> - -<para> -If you are using WPA2 the <command>wpa_passphrase</command> tool might be useful -to generate the <literal>wpa_supplicant.conf</literal>. - + Be aware that keys will be written to the nix store in plaintext! When no + networks are set, it will default to using a configuration file at + <literal>/etc/wpa_supplicant.conf</literal>. You should edit this file + yourself to define wireless networks, WPA keys and so on (see + wpa_supplicant.conf(5)). + </para> + + <para> + If you are using WPA2 the <command>wpa_passphrase</command> tool might be + useful to generate the <literal>wpa_supplicant.conf</literal>. <screen> # wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf</screen> - -After you have edited the <literal>wpa_supplicant.conf</literal>, -you need to restart the wpa_supplicant service. - + After you have edited the <literal>wpa_supplicant.conf</literal>, you need to + restart the wpa_supplicant service. <screen> # systemctl restart wpa_supplicant.service</screen> -</para> - + </para> </section> diff --git a/nixos/doc/manual/configuration/x-windows.xml b/nixos/doc/manual/configuration/x-windows.xml index 9c2c59006f15..9a0969ad6355 100644 --- a/nixos/doc/manual/configuration/x-windows.xml +++ b/nixos/doc/manual/configuration/x-windows.xml @@ -3,138 +3,133 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-x11"> - -<title>X Window System</title> - -<para>The X Window System (X11) provides the basis of NixOS’ graphical -user interface. It can be enabled as follows: + <title>X Window System</title> + <para> + The X Window System (X11) provides the basis of NixOS’ graphical user + interface. It can be enabled as follows: <programlisting> -services.xserver.enable = true; +<xref linkend="opt-services.xserver.enable"/> = true; </programlisting> -The X server will automatically detect and use the appropriate video -driver from a set of X.org drivers (such as <literal>vesa</literal> -and <literal>intel</literal>). You can also specify a driver -manually, e.g. + The X server will automatically detect and use the appropriate video driver + from a set of X.org drivers (such as <literal>vesa</literal> and + <literal>intel</literal>). You can also specify a driver manually, e.g. <programlisting> -services.xserver.videoDrivers = [ "r128" ]; +<xref linkend="opt-services.xserver.videoDrivers"/> = [ "r128" ]; </programlisting> -to enable X.org’s <literal>xf86-video-r128</literal> driver.</para> - -<para>You also need to enable at least one desktop or window manager. -Otherwise, you can only log into a plain undecorated -<command>xterm</command> window. Thus you should pick one or more of -the following lines: + to enable X.org’s <literal>xf86-video-r128</literal> driver. + </para> + <para> + You also need to enable at least one desktop or window manager. Otherwise, + you can only log into a plain undecorated <command>xterm</command> window. + Thus you should pick one or more of the following lines: <programlisting> -services.xserver.desktopManager.plasma5.enable = true; -services.xserver.desktopManager.xfce.enable = true; -services.xserver.desktopManager.gnome3.enable = true; -services.xserver.windowManager.xmonad.enable = true; -services.xserver.windowManager.twm.enable = true; -services.xserver.windowManager.icewm.enable = true; -services.xserver.windowManager.i3.enable = true; +<xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> = true; +<xref linkend="opt-services.xserver.desktopManager.xfce.enable"/> = true; +<xref linkend="opt-services.xserver.desktopManager.gnome3.enable"/> = true; +<xref linkend="opt-services.xserver.windowManager.xmonad.enable"/> = true; +<xref linkend="opt-services.xserver.windowManager.twm.enable"/> = true; +<xref linkend="opt-services.xserver.windowManager.icewm.enable"/> = true; +<xref linkend="opt-services.xserver.windowManager.i3.enable"/> = true; </programlisting> -</para> - -<para>NixOS’s default <emphasis>display manager</emphasis> (the -program that provides a graphical login prompt and manages the X -server) is SLiM. You can select an alternative one by picking one -of the following lines: + </para> + <para> + NixOS’s default <emphasis>display manager</emphasis> (the program that + provides a graphical login prompt and manages the X server) is SLiM. You can + select an alternative one by picking one of the following lines: <programlisting> -services.xserver.displayManager.sddm.enable = true; -services.xserver.displayManager.lightdm.enable = true; +<xref linkend="opt-services.xserver.displayManager.sddm.enable"/> = true; +<xref linkend="opt-services.xserver.displayManager.lightdm.enable"/> = true; </programlisting> -</para> - -<para>You can set the keyboard layout (and optionally the layout variant): + </para> + <para> + You can set the keyboard layout (and optionally the layout variant): <programlisting> -services.xserver.layout = "de"; -services.xserver.xkbVariant = "neo"; +<xref linkend="opt-services.xserver.layout"/> = "de"; +<xref linkend="opt-services.xserver.xkbVariant"/> = "neo"; </programlisting> -</para> - -<para>The X server is started automatically at boot time. If you -don’t want this to happen, you can set: + </para> + <para> + The X server is started automatically at boot time. If you don’t want this + to happen, you can set: <programlisting> -services.xserver.autorun = false; +<xref linkend="opt-services.xserver.autorun"/> = false; </programlisting> -The X server can then be started manually: + The X server can then be started manually: <screen> # systemctl start display-manager.service </screen> -</para> - - -<simplesect><title>NVIDIA Graphics Cards</title> - -<para>NVIDIA provides a proprietary driver for its graphics cards that -has better 3D performance than the X.org drivers. It is not enabled -by default because it’s not free software. You can enable it as follows: + </para> + <simplesect> + <title>NVIDIA Graphics Cards</title> + <para> + NVIDIA provides a proprietary driver for its graphics cards that has better + 3D performance than the X.org drivers. It is not enabled by default because + it’s not free software. You can enable it as follows: <programlisting> -services.xserver.videoDrivers = [ "nvidia" ]; +<xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidia" ]; </programlisting> -Or if you have an older card, you may have to use one of the legacy drivers: + Or if you have an older card, you may have to use one of the legacy drivers: <programlisting> -services.xserver.videoDrivers = [ "nvidiaLegacy340" ]; -services.xserver.videoDrivers = [ "nvidiaLegacy304" ]; -services.xserver.videoDrivers = [ "nvidiaLegacy173" ]; +<xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy340" ]; +<xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy304" ]; +<xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy173" ]; </programlisting> -You may need to reboot after enabling this driver to prevent a clash -with other kernel modules.</para> - -<para>On 64-bit systems, if you want full acceleration for 32-bit -programs such as Wine, you should also set the following: + You may need to reboot after enabling this driver to prevent a clash with + other kernel modules. + </para> + <para> + On 64-bit systems, if you want full acceleration for 32-bit programs such as + Wine, you should also set the following: <programlisting> -hardware.opengl.driSupport32Bit = true; +<xref linkend="opt-hardware.opengl.driSupport32Bit"/> = true; </programlisting> -</para> - -</simplesect> - -<simplesect><title>AMD Graphics Cards</title> - -<para>AMD provides a proprietary driver for its graphics cards that -has better 3D performance than the X.org drivers. It is not enabled -by default because it’s not free software. You can enable it as follows: + </para> + </simplesect> + <simplesect> + <title>AMD Graphics Cards</title> + <para> + AMD provides a proprietary driver for its graphics cards that has better 3D + performance than the X.org drivers. It is not enabled by default because + it’s not free software. You can enable it as follows: <programlisting> -services.xserver.videoDrivers = [ "ati_unfree" ]; +<xref linkend="opt-services.xserver.videoDrivers"/> = [ "ati_unfree" ]; </programlisting> -You will need to reboot after enabling this driver to prevent a clash -with other kernel modules.</para> - -<para>On 64-bit systems, if you want full acceleration for 32-bit -programs such as Wine, you should also set the following: + You will need to reboot after enabling this driver to prevent a clash with + other kernel modules. + </para> + <para> + On 64-bit systems, if you want full acceleration for 32-bit programs such as + Wine, you should also set the following: <programlisting> -hardware.opengl.driSupport32Bit = true; +<xref linkend="opt-hardware.opengl.driSupport32Bit"/> = true; </programlisting> -</para> - -</simplesect> - -<simplesect><title>Touchpads</title> - -<para>Support for Synaptics touchpads (found in many laptops such as -the Dell Latitude series) can be enabled as follows: + </para> + </simplesect> + <simplesect> + <title>Touchpads</title> + <para> + Support for Synaptics touchpads (found in many laptops such as the Dell + Latitude series) can be enabled as follows: <programlisting> -services.xserver.libinput.enable = true; +<xref linkend="opt-services.xserver.libinput.enable"/> = true; </programlisting> -The driver has many options (see <xref linkend="ch-options"/>). For -instance, the following disables tap-to-click behavior: + The driver has many options (see <xref linkend="ch-options"/>). For + instance, the following disables tap-to-click behavior: <programlisting> -services.xserver.libinput.tapping = false; +<xref linkend="opt-services.xserver.libinput.tapping"/> = false; </programlisting> -Note: the use of <literal>services.xserver.synaptics</literal> is deprecated since NixOS 17.09. -</para> - -</simplesect> - -<simplesect><title>GTK/Qt themes</title> - -<para>GTK themes can be installed either to user profile or system-wide (via -<literal>environment.systemPackages</literal>). To make Qt 5 applications look similar -to GTK2 ones, you can install <literal>qt5.qtbase.gtk</literal> package into your -system environment. It should work for all Qt 5 library versions. -</para> - -</simplesect> - + Note: the use of <literal>services.xserver.synaptics</literal> is deprecated + since NixOS 17.09. + </para> + </simplesect> + <simplesect> + <title>GTK/Qt themes</title> + <para> + GTK themes can be installed either to user profile or system-wide (via + <literal>environment.systemPackages</literal>). To make Qt 5 applications + look similar to GTK2 ones, you can install <literal>qt5.qtbase.gtk</literal> + package into your system environment. It should work for all Qt 5 library + versions. + </para> + </simplesect> </chapter> diff --git a/nixos/doc/manual/configuration/xfce.xml b/nixos/doc/manual/configuration/xfce.xml index 18804d2c08be..40e61d2bd691 100644 --- a/nixos/doc/manual/configuration/xfce.xml +++ b/nixos/doc/manual/configuration/xfce.xml @@ -3,92 +3,70 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-xfce"> - - <title>Xfce Desktop Environment</title> - - <para> - To enable the Xfce Desktop Environment, set - <programlisting> -services.xserver.desktopManager = { - xfce.enable = true; - default = "xfce"; + <title>Xfce Desktop Environment</title> + <para> + To enable the Xfce Desktop Environment, set +<programlisting> +<link linkend="opt-services.xserver.desktopManager.default">services.xserver.desktopManager</link> = { + <link linkend="opt-services.xserver.desktopManager.xfce.enable">xfce.enable</link> = true; + <link linkend="opt-services.xserver.desktopManager.default">default</link> = "xfce"; }; </programlisting> - </para> - - <para> - Optionally, <emphasis>compton</emphasis> - can be enabled for nice graphical effects, some example settings: - <programlisting> -services.compton = { - enable = true; - fade = true; - inactiveOpacity = "0.9"; - shadow = true; - fadeDelta = 4; + </para> + <para> + Optionally, <emphasis>compton</emphasis> can be enabled for nice graphical + effects, some example settings: +<programlisting> +<link linkend="opt-services.compton.enable">services.compton</link> = { + <link linkend="opt-services.compton.enable">enable</link> = true; + <link linkend="opt-services.compton.fade">fade</link> = true; + <link linkend="opt-services.compton.inactiveOpacity">inactiveOpacity</link> = "0.9"; + <link linkend="opt-services.compton.shadow">shadow</link> = true; + <link linkend="opt-services.compton.fadeDelta">fadeDelta</link> = 4; }; </programlisting> - </para> - - <para> - Some Xfce programs are not installed automatically. - To install them manually (system wide), put them into your - <literal>environment.systemPackages</literal>. - </para> - - <simplesect> - <title>Thunar Volume Support</title> - - <para> - To enable - <emphasis>Thunar</emphasis> - volume support, put - <programlisting> -services.xserver.desktopManager.xfce.enable = true; + </para> + <para> + Some Xfce programs are not installed automatically. To install them manually + (system wide), put them into your + <xref linkend="opt-environment.systemPackages"/>. + </para> + <simplesect> + <title>Thunar Volume Support</title> + <para> + To enable <emphasis>Thunar</emphasis> volume support, put +<programlisting> +<xref linkend="opt-services.xserver.desktopManager.xfce.enable"/> = true; </programlisting> - into your <emphasis>configuration.nix</emphasis>. - </para> - - </simplesect> - - <simplesect> - <title>Polkit Authentication Agent</title> - - <para> - There is no authentication agent automatically installed alongside - Xfce. To allow mounting of local (non-removable) filesystems, you - will need to install one. - - Installing <emphasis>polkit_gnome</emphasis>, a rebuild, logout and - login did the trick. - </para> - - </simplesect> - - <simplesect> - <title>Troubleshooting</title> - - <para> - Even after enabling udisks2, volume management might not work. - Thunar and/or the desktop takes time to show up. - - Thunar will spit out this kind of message on start - (look at <command>journalctl --user -b</command>). - - <programlisting> + into your <emphasis>configuration.nix</emphasis>. + </para> + </simplesect> + <simplesect> + <title>Polkit Authentication Agent</title> + <para> + There is no authentication agent automatically installed alongside Xfce. To + allow mounting of local (non-removable) filesystems, you will need to + install one. Installing <emphasis>polkit_gnome</emphasis>, a rebuild, logout + and login did the trick. + </para> + </simplesect> + <simplesect> + <title>Troubleshooting</title> + <para> + Even after enabling udisks2, volume management might not work. Thunar and/or + the desktop takes time to show up. Thunar will spit out this kind of message + on start (look at <command>journalctl --user -b</command>). +<programlisting> Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported </programlisting> - - This is caused by some needed GNOME services not running. - This is all fixed by enabling "Launch GNOME services on startup" in - the Advanced tab of the Session and Startup settings panel. - Alternatively, you can run this command to do the same thing. - <programlisting> + This is caused by some needed GNOME services not running. This is all fixed + by enabling "Launch GNOME services on startup" in the Advanced tab of the + Session and Startup settings panel. Alternatively, you can run this command + to do the same thing. +<programlisting> $ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true </programlisting> - A log-out and re-log will be needed for this to take effect. - </para> - - </simplesect> - + A log-out and re-log will be needed for this to take effect. + </para> + </simplesect> </chapter> diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix index 6098b057a370..2c6309474b37 100644 --- a/nixos/doc/manual/default.nix +++ b/nixos/doc/manual/default.nix @@ -87,7 +87,7 @@ let echo "for hints about the offending path)." exit 1 fi - ${libxslt.bin}/bin/xsltproc \ + ${buildPackages.libxslt.bin}/bin/xsltproc \ --stringparam revision '${revision}' \ -o $out ${./options-to-docbook.xsl} $optionsXML ''; @@ -102,13 +102,18 @@ let </section> ''; + generatedSources = runCommand "generated-docbook" {} '' + mkdir $out + ln -s ${modulesDoc} $out/modules.xml + ln -s ${optionsDocBook} $out/options-db.xml + printf "%s" "${version}" > $out/version + ''; + copySources = '' cp -prd $sources/* . # */ + ln -s ${generatedSources} ./generated chmod -R u+w . - ln -s ${modulesDoc} configuration/modules.xml - ln -s ${optionsDocBook} options-db.xml - printf "%s" "${version}" > version ''; toc = builtins.toFile "toc.xml" @@ -124,11 +129,12 @@ let manualXsltprocOptions = toString [ "--param section.autolabel 1" "--param section.label.includes.component.label 1" - "--stringparam html.stylesheet style.css" + "--stringparam html.stylesheet 'style.css overrides.css highlightjs/mono-blue.css'" + "--stringparam html.script './highlightjs/highlight.pack.js ./highlightjs/loader.js'" "--param xref.with.number.and.title 1" "--param toc.section.depth 3" "--stringparam admon.style ''" - "--stringparam callout.graphics.extension .gif" + "--stringparam callout.graphics.extension .svg" "--stringparam current.docid manual" "--param chunk.section.depth 0" "--param chunk.first.sections 1" @@ -139,7 +145,7 @@ let manual-combined = runCommand "nixos-manual-combined" { inherit sources; - buildInputs = [ libxml2 libxslt ]; + nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin ]; meta.description = "The NixOS manual as plain docbook XML"; } '' @@ -194,7 +200,7 @@ let olinkDB = runCommand "manual-olinkdb" { inherit sources; - buildInputs = [ libxml2 libxslt ]; + nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin ]; } '' xsltproc \ @@ -223,6 +229,7 @@ let ''; in rec { + inherit generatedSources; # The NixOS options in JSON format. optionsJSON = runCommand "options-json" @@ -244,7 +251,7 @@ in rec { # Generate the NixOS manual. manual = runCommand "nixos-manual" { inherit sources; - buildInputs = [ libxml2 libxslt ]; + nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin ]; meta.description = "The NixOS manual in HTML format"; allowedReferences = ["out"]; } @@ -260,9 +267,11 @@ in rec { ${manual-combined}/manual-combined.xml mkdir -p $dst/images/callouts - cp ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/images/callouts/ + cp ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.svg $dst/images/callouts/ - cp ${./style.css} $dst/style.css + cp ${../../../doc/style.css} $dst/style.css + cp ${../../../doc/overrides.css} $dst/overrides.css + cp -r ${pkgs.documentation-highlighter} $dst/highlightjs mkdir -p $out/nix-support echo "nix-build out $out" >> $out/nix-support/hydra-build-products @@ -272,7 +281,7 @@ in rec { manualEpub = runCommand "nixos-manual-epub" { inherit sources; - buildInputs = [ libxml2 libxslt zip ]; + buildInputs = [ libxml2.bin libxslt.bin zip ]; } '' # Generate the epub manual. @@ -286,7 +295,7 @@ in rec { ${manual-combined}/manual-combined.xml mkdir -p $dst/epub/OEBPS/images/callouts - cp -r ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/epub/OEBPS/images/callouts # */ + cp -r ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.svg $dst/epub/OEBPS/images/callouts # */ echo "application/epub+zip" > mimetype manual="$dst/nixos-manual.epub" zip -0Xq "$manual" mimetype @@ -302,7 +311,7 @@ in rec { # Generate the NixOS manpages. manpages = runCommand "nixos-manpages" { inherit sources; - buildInputs = [ libxml2 libxslt ]; + nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin ]; allowedReferences = ["out"]; } '' diff --git a/nixos/doc/manual/development/assertions.xml b/nixos/doc/manual/development/assertions.xml index d3434e1f112e..17c38ffcc717 100644 --- a/nixos/doc/manual/development/assertions.xml +++ b/nixos/doc/manual/development/assertions.xml @@ -3,30 +3,29 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-assertions"> + <title>Warnings and Assertions</title> -<title>Warnings and Assertions</title> + <para> + When configuration problems are detectable in a module, it is a good idea to + write an assertion or warning. Doing so provides clear feedback to the user + and prevents errors after the build. + </para> -<para> - When configuration problems are detectable in a module, it is a good - idea to write an assertion or warning. Doing so provides clear - feedback to the user and prevents errors after the build. -</para> - -<para> + <para> Although Nix has the <literal>abort</literal> and - <literal>builtins.trace</literal> <link xlink:href="https://nixos.org/nix/manual/#ssec-builtins">functions</link> to perform such tasks, - they are not ideally suited for NixOS modules. Instead of these - functions, you can declare your warnings and assertions using the + <literal>builtins.trace</literal> + <link xlink:href="https://nixos.org/nix/manual/#ssec-builtins">functions</link> + to perform such tasks, they are not ideally suited for NixOS modules. Instead + of these functions, you can declare your warnings and assertions using the NixOS module system. -</para> - -<section> + </para> -<title>Warnings</title> + <section> + <title>Warnings</title> -<para> - This is an example of using <literal>warnings</literal>. -</para> + <para> + This is an example of using <literal>warnings</literal>. + </para> <programlisting> <![CDATA[ @@ -43,22 +42,19 @@ } ]]> </programlisting> + </section> -</section> - -<section> - -<title>Assertions</title> + <section> + <title>Assertions</title> - -<para> - This example, extracted from the - <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-17.09/nixos/modules/services/logging/syslogd.nix"> - <literal>syslogd</literal> module - </link> shows how to use <literal>assertions</literal>. Since there - can only be one active syslog daemon at a time, an assertion is useful to - prevent such a broken system from being built. -</para> + <para> + This example, extracted from the + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-17.09/nixos/modules/services/logging/syslogd.nix"> + <literal>syslogd</literal> module </link> shows how to use + <literal>assertions</literal>. Since there can only be one active syslog + daemon at a time, an assertion is useful to prevent such a broken system + from being built. + </para> <programlisting> <![CDATA[ @@ -74,7 +70,5 @@ } ]]> </programlisting> - -</section> - + </section> </section> diff --git a/nixos/doc/manual/development/building-nixos.xml b/nixos/doc/manual/development/building-nixos.xml index 2f963f8666f1..23d9ddf88a77 100644 --- a/nixos/doc/manual/development/building-nixos.xml +++ b/nixos/doc/manual/development/building-nixos.xml @@ -3,30 +3,25 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-building-cd"> - -<title>Building Your Own NixOS CD</title> - -<para>Building a NixOS CD is as easy as configuring your own computer. The -idea is to use another module which will replace -your <filename>configuration.nix</filename> to configure the system that -would be installed on the CD.</para> - -<para>Default CD/DVD configurations are available -inside <filename>nixos/modules/installer/cd-dvd</filename>. - + <title>Building Your Own NixOS CD</title> + <para> + Building a NixOS CD is as easy as configuring your own computer. The idea is + to use another module which will replace your + <filename>configuration.nix</filename> to configure the system that would be + installed on the CD. + </para> + <para> + Default CD/DVD configurations are available inside + <filename>nixos/modules/installer/cd-dvd</filename>. <screen> $ git clone https://github.com/NixOS/nixpkgs.git $ cd nixpkgs/nixos $ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix</screen> - -</para> - -<para>Before burning your CD/DVD, you can check the content of the image by mounting anywhere like -suggested by the following command: - + </para> + <para> + Before burning your CD/DVD, you can check the content of the image by + mounting anywhere like suggested by the following command: <screen> # mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen> - -</para> - + </para> </chapter> diff --git a/nixos/doc/manual/development/building-parts.xml b/nixos/doc/manual/development/building-parts.xml index 09a40114f02e..031048aaa377 100644 --- a/nixos/doc/manual/development/building-parts.xml +++ b/nixos/doc/manual/development/building-parts.xml @@ -3,111 +3,110 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-building-parts"> - -<title>Building Specific Parts of NixOS</title> - -<para>With the command <command>nix-build</command>, you can build -specific parts of your NixOS configuration. This is done as follows: - + <title>Building Specific Parts of NixOS</title> + <para> + With the command <command>nix-build</command>, you can build specific parts + of your NixOS configuration. This is done as follows: <screen> $ cd <replaceable>/path/to/nixpkgs/nixos</replaceable> $ nix-build -A config.<replaceable>option</replaceable></screen> - -where <replaceable>option</replaceable> is a NixOS option with type -“derivation” (i.e. something that can be built). Attributes of -interest include: - -<variablelist> - - <varlistentry> - <term><varname>system.build.toplevel</varname></term> + where <replaceable>option</replaceable> is a NixOS option with type + “derivation” (i.e. something that can be built). Attributes of interest + include: + <variablelist> + <varlistentry> + <term><varname>system.build.toplevel</varname> + </term> <listitem> - <para>The top-level option that builds the entire NixOS system. - Everything else in your configuration is indirectly pulled in by - this option. This is what <command>nixos-rebuild</command> - builds and what <filename>/run/current-system</filename> points - to afterwards.</para> - - <para>A shortcut to build this is: - + <para> + The top-level option that builds the entire NixOS system. Everything else + in your configuration is indirectly pulled in by this option. This is + what <command>nixos-rebuild</command> builds and what + <filename>/run/current-system</filename> points to afterwards. + </para> + <para> + A shortcut to build this is: <screen> $ nix-build -A system</screen> - </para> + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><varname>system.build.manual.manual</varname></term> - <listitem><para>The NixOS manual.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>system.build.etc</varname></term> - <listitem><para>A tree of symlinks that form the static parts of - <filename>/etc</filename>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><varname>system.build.initialRamdisk</varname></term> - <term><varname>system.build.kernel</varname></term> + </varlistentry> + <varlistentry> + <term><varname>system.build.manual.manual</varname> + </term> <listitem> - <para>The initial ramdisk and kernel of the system. This allows - a quick way to test whether the kernel and the initial ramdisk - boot correctly, by using QEMU’s <option>-kernel</option> and - <option>-initrd</option> options: - + <para> + The NixOS manual. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>system.build.etc</varname> + </term> + <listitem> + <para> + A tree of symlinks that form the static parts of + <filename>/etc</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>system.build.initialRamdisk</varname> + </term> + <term><varname>system.build.kernel</varname> + </term> + <listitem> + <para> + The initial ramdisk and kernel of the system. This allows a quick way to + test whether the kernel and the initial ramdisk boot correctly, by using + QEMU’s <option>-kernel</option> and <option>-initrd</option> options: <screen> $ nix-build -A config.system.build.initialRamdisk -o initrd $ nix-build -A config.system.build.kernel -o kernel $ qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/null </screen> - - </para> + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><varname>system.build.nixos-rebuild</varname></term> - <term><varname>system.build.nixos-install</varname></term> - <term><varname>system.build.nixos-generate-config</varname></term> + </varlistentry> + <varlistentry> + <term><varname>system.build.nixos-rebuild</varname> + </term> + <term><varname>system.build.nixos-install</varname> + </term> + <term><varname>system.build.nixos-generate-config</varname> + </term> <listitem> - <para>These build the corresponding NixOS commands.</para> + <para> + These build the corresponding NixOS commands. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><varname>systemd.units.<replaceable>unit-name</replaceable>.unit</varname></term> + </varlistentry> + <varlistentry> + <term><varname>systemd.units.<replaceable>unit-name</replaceable>.unit</varname> + </term> <listitem> - <para>This builds the unit with the specified name. Note that - since unit names contain dots - (e.g. <literal>httpd.service</literal>), you need to put them - between quotes, like this: - + <para> + This builds the unit with the specified name. Note that since unit names + contain dots (e.g. <literal>httpd.service</literal>), you need to put + them between quotes, like this: <screen> $ nix-build -A 'config.systemd.units."httpd.service".unit' </screen> - - You can also test individual units, without rebuilding the whole - system, by putting them in - <filename>/run/systemd/system</filename>: - + You can also test individual units, without rebuilding the whole system, + by putting them in <filename>/run/systemd/system</filename>: <screen> $ cp $(nix-build -A 'config.systemd.units."httpd.service".unit')/httpd.service \ /run/systemd/system/tmp-httpd.service # systemctl daemon-reload # systemctl start tmp-httpd.service </screen> - Note that the unit must not have the same name as any unit in - <filename>/etc/systemd/system</filename> since those take - precedence over <filename>/run/systemd/system</filename>. - That’s why the unit is installed as - <filename>tmp-httpd.service</filename> here.</para> + <filename>/etc/systemd/system</filename> since those take precedence over + <filename>/run/systemd/system</filename>. That’s why the unit is + installed as <filename>tmp-httpd.service</filename> here. + </para> </listitem> - </varlistentry> - -</variablelist> - -</para> - + </varlistentry> + </variablelist> + </para> </chapter> diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml index 47343d93cde9..03dee6ff09bb 100644 --- a/nixos/doc/manual/development/development.xml +++ b/nixos/doc/manual/development/development.xml @@ -3,21 +3,18 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-development"> - -<title>Development</title> - -<partintro> -<para>This chapter describes how you can modify and extend -NixOS.</para> -</partintro> - -<xi:include href="sources.xml" /> -<xi:include href="writing-modules.xml" /> -<xi:include href="building-parts.xml" /> -<xi:include href="writing-documentation.xml" /> -<xi:include href="building-nixos.xml" /> -<xi:include href="nixos-tests.xml" /> -<xi:include href="testing-installer.xml" /> -<xi:include href="releases.xml" /> - + <title>Development</title> + <partintro> + <para> + This chapter describes how you can modify and extend NixOS. + </para> + </partintro> + <xi:include href="sources.xml" /> + <xi:include href="writing-modules.xml" /> + <xi:include href="building-parts.xml" /> + <xi:include href="writing-documentation.xml" /> + <xi:include href="building-nixos.xml" /> + <xi:include href="nixos-tests.xml" /> + <xi:include href="testing-installer.xml" /> + <xi:include href="releases.xml" /> </part> diff --git a/nixos/doc/manual/development/importing-modules.xml b/nixos/doc/manual/development/importing-modules.xml new file mode 100644 index 000000000000..1c6a5671eda8 --- /dev/null +++ b/nixos/doc/manual/development/importing-modules.xml @@ -0,0 +1,56 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-importing-modules"> + <title>Importing Modules</title> + + <para> + Sometimes NixOS modules need to be used in configuration but exist outside of + Nixpkgs. These modules can be imported: + </para> + +<programlisting> +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Use a locally-available module definition in + # ./example-module/default.nix + ./example-module + ]; + + services.exampleModule.enable = true; +} +</programlisting> + + <para> + The environment variable <literal>NIXOS_EXTRA_MODULE_PATH</literal> is an + absolute path to a NixOS module that is included alongside the Nixpkgs NixOS + modules. Like any NixOS module, this module can import additional modules: + </para> + +<programlisting> +# ./module-list/default.nix +[ + ./example-module1 + ./example-module2 +] +</programlisting> + +<programlisting> +# ./extra-module/default.nix +{ imports = import ./module-list.nix; } +</programlisting> + +<programlisting> +# NIXOS_EXTRA_MODULE_PATH=/absolute/path/to/extra-module +{ config, lib, pkgs, ... }: + +{ + # No `imports` needed + + services.exampleModule1.enable = true; +} +</programlisting> +</section> diff --git a/nixos/doc/manual/development/meta-attributes.xml b/nixos/doc/manual/development/meta-attributes.xml index de0870314dcb..3d019a4987e1 100644 --- a/nixos/doc/manual/development/meta-attributes.xml +++ b/nixos/doc/manual/development/meta-attributes.xml @@ -3,22 +3,26 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-meta-attributes"> + <title>Meta Attributes</title> -<title>Meta Attributes</title> - -<para>Like Nix packages, NixOS modules can declare meta-attributes to provide - extra information. Module meta attributes are defined in the + <para> + Like Nix packages, NixOS modules can declare meta-attributes to provide extra + information. Module meta attributes are defined in the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/meta.nix">meta.nix</filename> - special module.</para> + special module. + </para> -<para><literal>meta</literal> is a top level attribute like + <para> + <literal>meta</literal> is a top level attribute like <literal>options</literal> and <literal>config</literal>. Available meta-attributes are <literal>maintainers</literal> and - <literal>doc</literal>.</para> + <literal>doc</literal>. + </para> -<para>Each of the meta-attributes must be defined at most once per module - file.</para> + <para> + Each of the meta-attributes must be defined at most once per module file. + </para> <programlisting> { config, lib, pkgs, ... }: @@ -39,24 +43,21 @@ } </programlisting> -<calloutlist> - <callout arearefs='modules-meta-1'> - <para> + <calloutlist> + <callout arearefs='modules-meta-1'> + <para> <varname>maintainers</varname> contains a list of the module maintainers. - </para> - </callout> - - <callout arearefs='modules-meta-2'> - <para> + </para> + </callout> + <callout arearefs='modules-meta-2'> + <para> <varname>doc</varname> points to a valid DocBook file containing the module - documentation. Its contents is automatically added to <xref - linkend="ch-configuration"/>. - Changes to a module documentation have to be checked to not break - building the NixOS manual: - </para> - <programlisting>$ nix-build nixos/release.nix -A manual</programlisting> - </callout> - -</calloutlist> - + documentation. Its contents is automatically added to + <xref + linkend="ch-configuration"/>. Changes to a module documentation + have to be checked to not break building the NixOS manual: + </para> +<programlisting>$ nix-build nixos/release.nix -A manual</programlisting> + </callout> + </calloutlist> </section> diff --git a/nixos/doc/manual/development/nixos-tests.xml b/nixos/doc/manual/development/nixos-tests.xml index c09c41ea3bdc..2695082e3867 100644 --- a/nixos/doc/manual/development/nixos-tests.xml +++ b/nixos/doc/manual/development/nixos-tests.xml @@ -3,18 +3,17 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-nixos-tests"> - -<title>NixOS Tests</title> - -<para>When you add some feature to NixOS, you should write a test for -it. NixOS tests are kept in the directory <filename + <title>NixOS Tests</title> + <para> + When you add some feature to NixOS, you should write a test for it. NixOS + tests are kept in the directory + <filename xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/tests">nixos/tests</filename>, -and are executed (using Nix) by a testing framework that automatically -starts one or more virtual machines containing the NixOS system(s) -required for the test.</para> - -<xi:include href="writing-nixos-tests.xml" /> -<xi:include href="running-nixos-tests.xml" /> -<xi:include href="running-nixos-tests-interactively.xml" /> - + and are executed (using Nix) by a testing framework that automatically starts + one or more virtual machines containing the NixOS system(s) required for the + test. + </para> + <xi:include href="writing-nixos-tests.xml" /> + <xi:include href="running-nixos-tests.xml" /> + <xi:include href="running-nixos-tests-interactively.xml" /> </chapter> diff --git a/nixos/doc/manual/development/option-declarations.xml b/nixos/doc/manual/development/option-declarations.xml index ed718c89eb77..a8f528a0a804 100644 --- a/nixos/doc/manual/development/option-declarations.xml +++ b/nixos/doc/manual/development/option-declarations.xml @@ -3,14 +3,12 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-option-declarations"> + <title>Option Declarations</title> -<title>Option Declarations</title> - -<para>An option declaration specifies the name, type and description -of a NixOS configuration option. It is invalid to define an option -that hasn’t been declared in any module. An option declaration -generally looks like this: - + <para> + An option declaration specifies the name, type and description of a NixOS + configuration option. It is invalid to define an option that hasn’t been + declared in any module. An option declaration generally looks like this: <programlisting> options = { <replaceable>name</replaceable> = mkOption { @@ -21,146 +19,177 @@ options = { }; }; </programlisting> - -The attribute names within the <replaceable>name</replaceable> -attribute path must be camel cased in general but should, as an -exception, match the -<link + The attribute names within the <replaceable>name</replaceable> attribute path + must be camel cased in general but should, as an exception, match the + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-package-naming"> -package attribute name</link> when referencing a Nixpkgs package. For -example, the option <varname>services.nix-serve.bindAddress</varname> -references the <varname>nix-serve</varname> Nixpkgs package. - -</para> - -<para>The function <varname>mkOption</varname> accepts the following arguments. - -<variablelist> - - <varlistentry> - <term><varname>type</varname></term> + package attribute name</link> when referencing a Nixpkgs package. For + example, the option <varname>services.nix-serve.bindAddress</varname> + references the <varname>nix-serve</varname> Nixpkgs package. + </para> + + <para> + The function <varname>mkOption</varname> accepts the following arguments. + <variablelist> + <varlistentry> + <term><varname>type</varname> + </term> <listitem> - <para>The type of the option (see <xref linkend='sec-option-types' />). - It may be omitted, but that’s not advisable since it may lead to errors - that are hard to diagnose.</para> + <para> + The type of the option (see <xref linkend='sec-option-types' />). It may + be omitted, but that’s not advisable since it may lead to errors that + are hard to diagnose. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><varname>default</varname></term> + </varlistentry> + <varlistentry> + <term><varname>default</varname> + </term> <listitem> - <para>The default value used if no value is defined by any - module. A default is not required; but if a default is not given, - then users of the module will have to define the value of the - option, otherwise an error will be thrown.</para> + <para> + The default value used if no value is defined by any module. A default is + not required; but if a default is not given, then users of the module + will have to define the value of the option, otherwise an error will be + thrown. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><varname>example</varname></term> + </varlistentry> + <varlistentry> + <term><varname>example</varname> + </term> <listitem> - <para>An example value that will be shown in the NixOS manual.</para> + <para> + An example value that will be shown in the NixOS manual. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><varname>description</varname></term> + </varlistentry> + <varlistentry> + <term><varname>description</varname> + </term> <listitem> - <para>A textual description of the option, in DocBook format, - that will be included in the NixOS manual.</para> + <para> + A textual description of the option, in DocBook format, that will be + included in the NixOS manual. + </para> </listitem> - </varlistentry> - -</variablelist> - -</para> - -<section xml:id="sec-option-declarations-eot"><title>Extensible Option - Types</title> - - <para>Extensible option types is a feature that allow to extend certain types - declaration through multiple module files. - This feature only work with a restricted set of types, namely - <literal>enum</literal> and <literal>submodules</literal> and any composed - forms of them.</para> - - <para>Extensible option types can be used for <literal>enum</literal> options - that affects multiple modules, or as an alternative to related - <literal>enable</literal> options.</para> + </varlistentry> + </variablelist> + </para> + + <section xml:id="sec-option-declarations-eot"> + <title>Extensible Option Types</title> + + <para> + Extensible option types is a feature that allow to extend certain types + declaration through multiple module files. This feature only work with a + restricted set of types, namely <literal>enum</literal> and + <literal>submodules</literal> and any composed forms of them. + </para> - <para>As an example, we will take the case of display managers. There is a - central display manager module for generic display manager options and a - module file per display manager backend (slim, sddm, gdm ...). + <para> + Extensible option types can be used for <literal>enum</literal> options that + affects multiple modules, or as an alternative to related + <literal>enable</literal> options. </para> - <para>There are two approach to this module structure: + <para> + As an example, we will take the case of display managers. There is a central + display manager module for generic display manager options and a module file + per display manager backend (slim, sddm, gdm ...). + </para> - <itemizedlist> - <listitem><para>Managing the display managers independently by adding an - enable option to every display manager module backend. (NixOS)</para> + <para> + There are two approach to this module structure: + <itemizedlist> + <listitem> + <para> + Managing the display managers independently by adding an enable option to + every display manager module backend. (NixOS) + </para> </listitem> - <listitem><para>Managing the display managers in the central module by - adding an option to select which display manager backend to use.</para> + <listitem> + <para> + Managing the display managers in the central module by adding an option + to select which display manager backend to use. + </para> </listitem> - </itemizedlist> + </itemizedlist> </para> - <para>Both approaches have problems.</para> + <para> + Both approaches have problems. + </para> - <para>Making backends independent can quickly become hard to manage. For - display managers, there can be only one enabled at a time, but the type - system can not enforce this restriction as there is no relation between - each backend <literal>enable</literal> option. As a result, this restriction - has to be done explicitely by adding assertions in each display manager - backend module.</para> + <para> + Making backends independent can quickly become hard to manage. For display + managers, there can be only one enabled at a time, but the type system can + not enforce this restriction as there is no relation between each backend + <literal>enable</literal> option. As a result, this restriction has to be + done explicitely by adding assertions in each display manager backend + module. + </para> - <para>On the other hand, managing the display managers backends in the - central module will require to change the central module option every time - a new backend is added or removed.</para> + <para> + On the other hand, managing the display managers backends in the central + module will require to change the central module option every time a new + backend is added or removed. + </para> - <para>By using extensible option types, it is possible to create a placeholder - option in the central module (<xref linkend='ex-option-declaration-eot-service' - />), and to extend it in each backend module (<xref - linkend='ex-option-declaration-eot-backend-slim' />, <xref - linkend='ex-option-declaration-eot-backend-sddm' />).</para> + <para> + By using extensible option types, it is possible to create a placeholder + option in the central module + (<xref linkend='ex-option-declaration-eot-service' + />), and to extend + it in each backend module + (<xref + linkend='ex-option-declaration-eot-backend-slim' />, + <xref + linkend='ex-option-declaration-eot-backend-sddm' />). + </para> - <para>As a result, <literal>displayManager.enable</literal> option values can - be added without changing the main service module file and the type system - automatically enforce that there can only be a single display manager - enabled.</para> + <para> + As a result, <literal>displayManager.enable</literal> option values can be + added without changing the main service module file and the type system + automatically enforce that there can only be a single display manager + enabled. + </para> -<example xml:id='ex-option-declaration-eot-service'><title>Extensible type - placeholder in the service module</title> + <example xml:id='ex-option-declaration-eot-service'> + <title>Extensible type placeholder in the service module</title> <screen> services.xserver.displayManager.enable = mkOption { description = "Display manager to use"; type = with types; nullOr (enum [ ]); -};</screen></example> +};</screen> + </example> -<example xml:id='ex-option-declaration-eot-backend-slim'><title>Extending - <literal>services.xserver.displayManager.enable</literal> in the - <literal>slim</literal> module</title> + <example xml:id='ex-option-declaration-eot-backend-slim'> + <title>Extending <literal>services.xserver.displayManager.enable</literal> in the <literal>slim</literal> module</title> <screen> services.xserver.displayManager.enable = mkOption { type = with types; nullOr (enum [ "slim" ]); -};</screen></example> +};</screen> + </example> -<example xml:id='ex-option-declaration-eot-backend-sddm'><title>Extending - <literal>services.xserver.displayManager.enable</literal> in the - <literal>sddm</literal> module</title> + <example xml:id='ex-option-declaration-eot-backend-sddm'> + <title>Extending <literal>services.xserver.displayManager.enable</literal> in the <literal>sddm</literal> module</title> <screen> services.xserver.displayManager.enable = mkOption { type = with types; nullOr (enum [ "sddm" ]); -};</screen></example> - -<para>The placeholder declaration is a standard <literal>mkOption</literal> - declaration, but it is important that extensible option declarations only use - the <literal>type</literal> argument.</para> +};</screen> + </example> -<para>Extensible option types work with any of the composed variants of - <literal>enum</literal> such as - <literal>with types; nullOr (enum [ "foo" "bar" ])</literal> - or <literal>with types; listOf (enum [ "foo" "bar" ])</literal>.</para> + <para> + The placeholder declaration is a standard <literal>mkOption</literal> + declaration, but it is important that extensible option declarations only + use the <literal>type</literal> argument. + </para> -</section> + <para> + Extensible option types work with any of the composed variants of + <literal>enum</literal> such as <literal>with types; nullOr (enum [ "foo" + "bar" ])</literal> or <literal>with types; listOf (enum [ "foo" "bar" + ])</literal>. + </para> + </section> </section> diff --git a/nixos/doc/manual/development/option-def.xml b/nixos/doc/manual/development/option-def.xml index 4e267ecfd1e3..580a5afd58cd 100644 --- a/nixos/doc/manual/development/option-def.xml +++ b/nixos/doc/manual/development/option-def.xml @@ -3,39 +3,36 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-option-definitions"> + <title>Option Definitions</title> -<title>Option Definitions</title> - -<para>Option definitions are generally straight-forward bindings of values to option names, like - + <para> + Option definitions are generally straight-forward bindings of values to + option names, like <programlisting> config = { services.httpd.enable = true; }; </programlisting> - -However, sometimes you need to wrap an option definition or set of -option definitions in a <emphasis>property</emphasis> to achieve -certain effects:</para> - -<simplesect><title>Delaying Conditionals</title> - -<para>If a set of option definitions is conditional on the value of -another option, you may need to use <varname>mkIf</varname>. -Consider, for instance: - + However, sometimes you need to wrap an option definition or set of option + definitions in a <emphasis>property</emphasis> to achieve certain effects: + </para> + + <simplesect> + <title>Delaying Conditionals</title> + <para> + If a set of option definitions is conditional on the value of another + option, you may need to use <varname>mkIf</varname>. Consider, for instance: <programlisting> config = if config.services.httpd.enable then { environment.systemPackages = [ <replaceable>...</replaceable> ]; <replaceable>...</replaceable> } else {}; </programlisting> - -This definition will cause Nix to fail with an “infinite recursion” -error. Why? Because the value of -<option>config.services.httpd.enable</option> depends on the value -being constructed here. After all, you could also write the clearly -circular and contradictory: + This definition will cause Nix to fail with an “infinite recursion” + error. Why? Because the value of + <option>config.services.httpd.enable</option> depends on the value being + constructed here. After all, you could also write the clearly circular and + contradictory: <programlisting> config = if config.services.httpd.enable then { services.httpd.enable = false; @@ -43,56 +40,49 @@ config = if config.services.httpd.enable then { services.httpd.enable = true; }; </programlisting> - -The solution is to write: - + The solution is to write: <programlisting> config = mkIf config.services.httpd.enable { environment.systemPackages = [ <replaceable>...</replaceable> ]; <replaceable>...</replaceable> }; </programlisting> - -The special function <varname>mkIf</varname> causes the evaluation of -the conditional to be “pushed down” into the individual definitions, -as if you had written: - + The special function <varname>mkIf</varname> causes the evaluation of the + conditional to be “pushed down” into the individual definitions, as if + you had written: <programlisting> config = { environment.systemPackages = if config.services.httpd.enable then [ <replaceable>...</replaceable> ] else []; <replaceable>...</replaceable> }; </programlisting> - -</para> - -</simplesect> - -<simplesect><title>Setting Priorities</title> - -<para>A module can override the definitions of an option in other -modules by setting a <emphasis>priority</emphasis>. All option -definitions that do not have the lowest priority value are discarded. -By default, option definitions have priority 1000. You can specify an -explicit priority by using <varname>mkOverride</varname>, e.g. - + </para> + </simplesect> + + <simplesect> + <title>Setting Priorities</title> + <para> + A module can override the definitions of an option in other modules by + setting a <emphasis>priority</emphasis>. All option definitions that do not + have the lowest priority value are discarded. By default, option definitions + have priority 1000. You can specify an explicit priority by using + <varname>mkOverride</varname>, e.g. <programlisting> services.openssh.enable = mkOverride 10 false; </programlisting> - -This definition causes all other definitions with priorities above 10 -to be discarded. The function <varname>mkForce</varname> is -equal to <varname>mkOverride 50</varname>.</para> - -</simplesect> - -<simplesect><title>Merging Configurations</title> - -<para>In conjunction with <literal>mkIf</literal>, it is sometimes -useful for a module to return multiple sets of option definitions, to -be merged together as if they were declared in separate modules. This -can be done using <varname>mkMerge</varname>: - + This definition causes all other definitions with priorities above 10 to be + discarded. The function <varname>mkForce</varname> is equal to + <varname>mkOverride 50</varname>. + </para> + </simplesect> + + <simplesect> + <title>Merging Configurations</title> + <para> + In conjunction with <literal>mkIf</literal>, it is sometimes useful for a + module to return multiple sets of option definitions, to be merged together + as if they were declared in separate modules. This can be done using + <varname>mkMerge</varname>: <programlisting> config = mkMerge [ # Unconditional stuff. @@ -104,9 +94,6 @@ config = mkMerge }) ]; </programlisting> - -</para> - -</simplesect> - -</section> \ No newline at end of file + </para> + </simplesect> +</section> diff --git a/nixos/doc/manual/development/option-types.xml b/nixos/doc/manual/development/option-types.xml index ec940d5d2b86..7969d8124738 100644 --- a/nixos/doc/manual/development/option-types.xml +++ b/nixos/doc/manual/development/option-types.xml @@ -3,241 +3,346 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-option-types"> + <title>Options Types</title> -<title>Options Types</title> - - <para>Option types are a way to put constraints on the values a module option - can take. - Types are also responsible of how values are merged in case of multiple - value definitions.</para> - <section><title>Basic Types</title> - - <para>Basic types are the simplest available types in the module system. - Basic types include multiple string types that mainly differ in how - definition merging is handled.</para> - -<variablelist> - <varlistentry> - <term><varname>types.bool</varname></term> - <listitem><para>A boolean, its values can be <literal>true</literal> or - <literal>false</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.path</varname></term> - <listitem><para>A filesystem path, defined as anything that when coerced to - a string starts with a slash. Even if derivations can be considered as - path, the more specific <literal>types.package</literal> should be - preferred.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.package</varname></term> - <listitem><para>A derivation or a store path.</para></listitem> - </varlistentry> -</variablelist> - -<para>Integer-related types:</para> - -<variablelist> - <varlistentry> - <term><varname>types.int</varname></term> - <listitem><para>A signed integer.</para></listitem> - </varlistentry> - <varlistentry> - <term> - <varname>types.ints.{s8, s16, s32}</varname> - </term> - <listitem> - <para>Signed integers with a fixed length (8, 16 or 32 bits). - They go from - <inlineequation><mathphrase>−2<superscript>n</superscript>/2</mathphrase> - </inlineequation> to <inlineequation> - <mathphrase>2<superscript>n</superscript>/2−1</mathphrase> - </inlineequation> - respectively (e.g. <literal>−128</literal> to <literal>127</literal> - for 8 bits). - </para></listitem> - </varlistentry> - <varlistentry> - <term> - <varname>types.ints.unsigned</varname> - </term> - <listitem><para>An unsigned integer (that is >= 0). - </para></listitem> - </varlistentry> - <varlistentry> - <term> - <varname>types.ints.{u8, u16, u32}</varname> - </term> - <listitem> - <para>Unsigned integers with a fixed length (8, 16 or 32 bits). - They go from - <inlineequation><mathphrase>0</mathphrase></inlineequation> to <inlineequation> - <mathphrase>2<superscript>n</superscript>−1</mathphrase> - </inlineequation> - respectively (e.g. <literal>0</literal> to <literal>255</literal> - for 8 bits). - </para></listitem> - </varlistentry> - <varlistentry> - <term> - <varname>types.ints.positive</varname> - </term> - <listitem><para>A positive integer (that is > 0). - </para></listitem> - </varlistentry> -</variablelist> - -<para>String-related types:</para> - -<variablelist> - <varlistentry> - <term><varname>types.str</varname></term> - <listitem><para>A string. Multiple definitions cannot be - merged.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.lines</varname></term> - <listitem><para>A string. Multiple definitions are concatenated with a new - line <literal>"\n"</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.commas</varname></term> - <listitem><para>A string. Multiple definitions are concatenated with a comma - <literal>","</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.envVar</varname></term> - <listitem><para>A string. Multiple definitions are concatenated with a - collon <literal>":"</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.strMatching</varname></term> - <listitem><para>A string matching a specific regular expression. Multiple - definitions cannot be merged. The regular expression is processed using - <literal>builtins.match</literal>.</para></listitem> - </varlistentry> -</variablelist> + <para> + Option types are a way to put constraints on the values a module option can + take. Types are also responsible of how values are merged in case of multiple + value definitions. + </para> + <section> + <title>Basic Types</title> + + <para> + Basic types are the simplest available types in the module system. Basic + types include multiple string types that mainly differ in how definition + merging is handled. + </para> + + <variablelist> + <varlistentry> + <term><varname>types.bool</varname> + </term> + <listitem> + <para> + A boolean, its values can be <literal>true</literal> or + <literal>false</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.path</varname> + </term> + <listitem> + <para> + A filesystem path, defined as anything that when coerced to a string + starts with a slash. Even if derivations can be considered as path, the + more specific <literal>types.package</literal> should be preferred. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.package</varname> + </term> + <listitem> + <para> + A derivation or a store path. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + Integer-related types: + </para> + + <variablelist> + <varlistentry> + <term><varname>types.int</varname> + </term> + <listitem> + <para> + A signed integer. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.ints.{s8, s16, s32}</varname> + </term> + <listitem> + <para> + Signed integers with a fixed length (8, 16 or 32 bits). They go from + <inlineequation><mathphrase>−2<superscript>n</superscript>/2</mathphrase> + </inlineequation> to <inlineequation> + <mathphrase>2<superscript>n</superscript>/2−1</mathphrase> + </inlineequation> respectively (e.g. <literal>−128</literal> to + <literal>127</literal> for 8 bits). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.ints.unsigned</varname> + </term> + <listitem> + <para> + An unsigned integer (that is >= 0). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.ints.{u8, u16, u32}</varname> + </term> + <listitem> + <para> + Unsigned integers with a fixed length (8, 16 or 32 bits). They go from + <inlineequation><mathphrase>0</mathphrase></inlineequation> to + <inlineequation> + <mathphrase>2<superscript>n</superscript>−1</mathphrase> + </inlineequation> respectively (e.g. <literal>0</literal> to + <literal>255</literal> for 8 bits). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.ints.positive</varname> + </term> + <listitem> + <para> + A positive integer (that is > 0). + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + String-related types: + </para> + + <variablelist> + <varlistentry> + <term><varname>types.str</varname> + </term> + <listitem> + <para> + A string. Multiple definitions cannot be merged. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.lines</varname> + </term> + <listitem> + <para> + A string. Multiple definitions are concatenated with a new line + <literal>"\n"</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.commas</varname> + </term> + <listitem> + <para> + A string. Multiple definitions are concatenated with a comma + <literal>","</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.envVar</varname> + </term> + <listitem> + <para> + A string. Multiple definitions are concatenated with a collon + <literal>":"</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.strMatching</varname> + </term> + <listitem> + <para> + A string matching a specific regular expression. Multiple definitions + cannot be merged. The regular expression is processed using + <literal>builtins.match</literal>. + </para> + </listitem> + </varlistentry> + </variablelist> </section> - <section><title>Value Types</title> - - <para>Value types are types that take a value parameter.</para> - -<variablelist> - <varlistentry> - <term><varname>types.enum</varname> <replaceable>l</replaceable></term> - <listitem><para>One element of the list <replaceable>l</replaceable>, e.g. - <literal>types.enum [ "left" "right" ]</literal>. Multiple definitions - cannot be merged.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.separatedString</varname> - <replaceable>sep</replaceable></term> - <listitem><para>A string with a custom separator - <replaceable>sep</replaceable>, e.g. <literal>types.separatedString - "|"</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term> - <varname>types.ints.between</varname> - <replaceable>lowest</replaceable> - <replaceable>highest</replaceable> - </term> - <listitem><para>An integer between <replaceable>lowest</replaceable> - and <replaceable>highest</replaceable> (both inclusive). - Useful for creating types like <literal>types.port</literal>. - </para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.submodule</varname> <replaceable>o</replaceable></term> - <listitem><para>A set of sub options <replaceable>o</replaceable>. - <replaceable>o</replaceable> can be an attribute set or a function - returning an attribute set. Submodules are used in composed types to - create modular options. Submodule are detailed in <xref - linkend='section-option-types-submodule' />.</para></listitem> - </varlistentry> -</variablelist> + <section> + <title>Value Types</title> + + <para> + Value types are types that take a value parameter. + </para> + + <variablelist> + <varlistentry> + <term><varname>types.enum</varname><replaceable>l</replaceable> + </term> + <listitem> + <para> + One element of the list <replaceable>l</replaceable>, e.g. + <literal>types.enum [ "left" "right" ]</literal>. Multiple definitions + cannot be merged. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.separatedString</varname><replaceable>sep</replaceable> + </term> + <listitem> + <para> + A string with a custom separator <replaceable>sep</replaceable>, e.g. + <literal>types.separatedString "|"</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.ints.between</varname><replaceable>lowest</replaceable><replaceable>highest</replaceable> + </term> + <listitem> + <para> + An integer between <replaceable>lowest</replaceable> and + <replaceable>highest</replaceable> (both inclusive). Useful for creating + types like <literal>types.port</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.submodule</varname><replaceable>o</replaceable> + </term> + <listitem> + <para> + A set of sub options <replaceable>o</replaceable>. + <replaceable>o</replaceable> can be an attribute set or a function + returning an attribute set. Submodules are used in composed types to + create modular options. Submodule are detailed in + <xref + linkend='section-option-types-submodule' />. + </para> + </listitem> + </varlistentry> + </variablelist> </section> - <section><title>Composed Types</title> - - <para>Composed types are types that take a type as parameter. <literal>listOf - int</literal> and <literal>either int str</literal> are examples of - composed types.</para> - -<variablelist> - <varlistentry> - <term><varname>types.listOf</varname> <replaceable>t</replaceable></term> - <listitem><para>A list of <replaceable>t</replaceable> type, e.g. - <literal>types.listOf int</literal>. Multiple definitions are merged - with list concatenation.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.attrsOf</varname> <replaceable>t</replaceable></term> - <listitem><para>An attribute set of where all the values are of - <replaceable>t</replaceable> type. Multiple definitions result in the - joined attribute set.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.loaOf</varname> <replaceable>t</replaceable></term> - <listitem><para>An attribute set or a list of <replaceable>t</replaceable> - type. Multiple definitions are merged according to the - value.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.nullOr</varname> <replaceable>t</replaceable></term> - <listitem><para><literal>null</literal> or type - <replaceable>t</replaceable>. Multiple definitions are merged according - to type <replaceable>t</replaceable>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.uniq</varname> <replaceable>t</replaceable></term> - <listitem><para>Ensures that type <replaceable>t</replaceable> cannot be - merged. It is used to ensure option definitions are declared only - once.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.either</varname> <replaceable>t1</replaceable> - <replaceable>t2</replaceable></term> - <listitem><para>Type <replaceable>t1</replaceable> or type - <replaceable>t2</replaceable>, e.g. <literal>with types; either int - str</literal>. Multiple definitions cannot be - merged.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>types.coercedTo</varname> <replaceable>from</replaceable> - <replaceable>f</replaceable> <replaceable>to</replaceable></term> - <listitem><para>Type <replaceable>to</replaceable> or type - <replaceable>from</replaceable> which will be coerced to - type <replaceable>to</replaceable> using function - <replaceable>f</replaceable> which takes an argument of type - <replaceable>from</replaceable> and return a value of type - <replaceable>to</replaceable>. Can be used to preserve backwards - compatibility of an option if its type was changed.</para></listitem> - </varlistentry> -</variablelist> + <section> + <title>Composed Types</title> -</section> + <para> + Composed types are types that take a type as parameter. <literal>listOf + int</literal> and <literal>either int str</literal> are examples of composed + types. + </para> + + <variablelist> + <varlistentry> + <term><varname>types.listOf</varname><replaceable>t</replaceable> + </term> + <listitem> + <para> + A list of <replaceable>t</replaceable> type, e.g. <literal>types.listOf + int</literal>. Multiple definitions are merged with list concatenation. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.attrsOf</varname><replaceable>t</replaceable> + </term> + <listitem> + <para> + An attribute set of where all the values are of + <replaceable>t</replaceable> type. Multiple definitions result in the + joined attribute set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.loaOf</varname><replaceable>t</replaceable> + </term> + <listitem> + <para> + An attribute set or a list of <replaceable>t</replaceable> type. Multiple + definitions are merged according to the value. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.nullOr</varname><replaceable>t</replaceable> + </term> + <listitem> + <para> + <literal>null</literal> or type <replaceable>t</replaceable>. Multiple + definitions are merged according to type <replaceable>t</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.uniq</varname><replaceable>t</replaceable> + </term> + <listitem> + <para> + Ensures that type <replaceable>t</replaceable> cannot be merged. It is + used to ensure option definitions are declared only once. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.either</varname><replaceable>t1</replaceable><replaceable>t2</replaceable> + </term> + <listitem> + <para> + Type <replaceable>t1</replaceable> or type <replaceable>t2</replaceable>, + e.g. <literal>with types; either int str</literal>. Multiple definitions + cannot be merged. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>types.coercedTo</varname><replaceable>from</replaceable><replaceable>f</replaceable><replaceable>to</replaceable> + </term> + <listitem> + <para> + Type <replaceable>to</replaceable> or type + <replaceable>from</replaceable> which will be coerced to type + <replaceable>to</replaceable> using function <replaceable>f</replaceable> + which takes an argument of type <replaceable>from</replaceable> and + return a value of type <replaceable>to</replaceable>. Can be used to + preserve backwards compatibility of an option if its type was changed. + </para> + </listitem> + </varlistentry> + </variablelist> + </section> -<section xml:id='section-option-types-submodule'><title>Submodule</title> + <section xml:id='section-option-types-submodule'> + <title>Submodule</title> - <para><literal>submodule</literal> is a very powerful type that defines a set - of sub-options that are handled like a separate module.</para> + <para> + <literal>submodule</literal> is a very powerful type that defines a set of + sub-options that are handled like a separate module. + </para> - <para>It takes a parameter <replaceable>o</replaceable>, that should be a set, - or a function returning a set with an <literal>options</literal> key - defining the sub-options. - Submodule option definitions are type-checked accordingly to the - <literal>options</literal> declarations. - Of course, you can nest submodule option definitons for even higher - modularity.</para> + <para> + It takes a parameter <replaceable>o</replaceable>, that should be a set, or + a function returning a set with an <literal>options</literal> key defining + the sub-options. Submodule option definitions are type-checked accordingly + to the <literal>options</literal> declarations. Of course, you can nest + submodule option definitons for even higher modularity. + </para> - <para>The option set can be defined directly - (<xref linkend='ex-submodule-direct' />) or as reference - (<xref linkend='ex-submodule-reference' />).</para> + <para> + The option set can be defined directly + (<xref linkend='ex-submodule-direct' />) or as reference + (<xref linkend='ex-submodule-reference' />). + </para> -<example xml:id='ex-submodule-direct'><title>Directly defined submodule</title> + <example xml:id='ex-submodule-direct'> + <title>Directly defined submodule</title> <screen> options.mod = mkOption { description = "submodule example"; @@ -251,10 +356,11 @@ options.mod = mkOption { }; }; }; -};</screen></example> +};</screen> + </example> -<example xml:id='ex-submodule-reference'><title>Submodule defined as a - reference</title> + <example xml:id='ex-submodule-reference'> + <title>Submodule defined as a reference</title> <screen> let modOptions = { @@ -271,19 +377,20 @@ in options.mod = mkOption { description = "submodule example"; type = with types; submodule modOptions; -};</screen></example> - - <para>The <literal>submodule</literal> type is especially interesting when - used with composed types like <literal>attrsOf</literal> or - <literal>listOf</literal>. - When composed with <literal>listOf</literal> - (<xref linkend='ex-submodule-listof-declaration' />), - <literal>submodule</literal> allows multiple definitions of the submodule - option set (<xref linkend='ex-submodule-listof-definition' />).</para> - - -<example xml:id='ex-submodule-listof-declaration'><title>Declaration of a list - nof submodules</title> +};</screen> + </example> + + <para> + The <literal>submodule</literal> type is especially interesting when used + with composed types like <literal>attrsOf</literal> or + <literal>listOf</literal>. When composed with <literal>listOf</literal> + (<xref linkend='ex-submodule-listof-declaration' />), + <literal>submodule</literal> allows multiple definitions of the submodule + option set (<xref linkend='ex-submodule-listof-definition' />). + </para> + + <example xml:id='ex-submodule-listof-declaration'> + <title>Declaration of a list of submodules</title> <screen> options.mod = mkOption { description = "submodule example"; @@ -297,24 +404,27 @@ options.mod = mkOption { }; }; }); -};</screen></example> +};</screen> + </example> -<example xml:id='ex-submodule-listof-definition'><title>Definition of a list of - submodules</title> + <example xml:id='ex-submodule-listof-definition'> + <title>Definition of a list of submodules</title> <screen> config.mod = [ { foo = 1; bar = "one"; } { foo = 2; bar = "two"; } -];</screen></example> - - <para>When composed with <literal>attrsOf</literal> - (<xref linkend='ex-submodule-attrsof-declaration' />), - <literal>submodule</literal> allows multiple named definitions of the - submodule option set (<xref linkend='ex-submodule-attrsof-definition' />). +];</screen> + </example> + + <para> + When composed with <literal>attrsOf</literal> + (<xref linkend='ex-submodule-attrsof-declaration' />), + <literal>submodule</literal> allows multiple named definitions of the + submodule option set (<xref linkend='ex-submodule-attrsof-definition' />). </para> -<example xml:id='ex-submodule-attrsof-declaration'><title>Declaration of - attribute sets of submodules</title> + <example xml:id='ex-submodule-attrsof-declaration'> + <title>Declaration of attribute sets of submodules</title> <screen> options.mod = mkOption { description = "submodule example"; @@ -328,194 +438,281 @@ options.mod = mkOption { }; }; }); -};</screen></example> +};</screen> + </example> -<example xml:id='ex-submodule-attrsof-definition'><title>Declaration of - attribute sets of submodules</title> + <example xml:id='ex-submodule-attrsof-definition'> + <title>Declaration of attribute sets of submodules</title> <screen> config.mod.one = { foo = 1; bar = "one"; }; -config.mod.two = { foo = 2; bar = "two"; };</screen></example> - -</section> - -<section><title>Extending types</title> +config.mod.two = { foo = 2; bar = "two"; };</screen> + </example> + </section> - <para>Types are mainly characterized by their <literal>check</literal> and - <literal>merge</literal> functions.</para> + <section> + <title>Extending types</title> -<variablelist> - <varlistentry> - <term><varname>check</varname></term> - <listitem><para>The function to type check the value. Takes a value as - parameter and return a boolean. - It is possible to extend a type check with the - <literal>addCheck</literal> function (<xref - linkend='ex-extending-type-check-1' />), or to fully override the - check function (<xref linkend='ex-extending-type-check-2' />).</para> + <para> + Types are mainly characterized by their <literal>check</literal> and + <literal>merge</literal> functions. + </para> -<example xml:id='ex-extending-type-check-1'><title>Adding a type check</title> + <variablelist> + <varlistentry> + <term><varname>check</varname> + </term> + <listitem> + <para> + The function to type check the value. Takes a value as parameter and + return a boolean. It is possible to extend a type check with the + <literal>addCheck</literal> function + (<xref + linkend='ex-extending-type-check-1' />), or to fully + override the check function + (<xref linkend='ex-extending-type-check-2' />). + </para> + <example xml:id='ex-extending-type-check-1'> + <title>Adding a type check</title> <screen> byte = mkOption { description = "An integer between 0 and 255."; type = addCheck types.int (x: x >= 0 && x <= 255); -};</screen></example> - -<example xml:id='ex-extending-type-check-2'><title>Overriding a type - check</title> +};</screen> + </example> + <example xml:id='ex-extending-type-check-2'> + <title>Overriding a type check</title> <screen> nixThings = mkOption { description = "words that start with 'nix'"; type = types.str // { check = (x: lib.hasPrefix "nix" x) }; -};</screen></example> - </listitem> - </varlistentry> - <varlistentry> - <term><varname>merge</varname></term> - <listitem><para>Function to merge the options values when multiple values - are set. -The function takes two parameters, <literal>loc</literal> the option path as a -list of strings, and <literal>defs</literal> the list of defined values as a -list. -It is possible to override a type merge function for custom -needs.</para></listitem> - </varlistentry> -</variablelist> +};</screen> + </example> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>merge</varname> + </term> + <listitem> + <para> + Function to merge the options values when multiple values are set. The + function takes two parameters, <literal>loc</literal> the option path as + a list of strings, and <literal>defs</literal> the list of defined values + as a list. It is possible to override a type merge function for custom + needs. + </para> + </listitem> + </varlistentry> + </variablelist> + </section> -</section> + <section> + <title>Custom Types</title> -<section><title>Custom Types</title> - -<para>Custom types can be created with the <literal>mkOptionType</literal> - function. -As type creation includes some more complex topics such as submodule handling, -it is recommended to get familiar with <filename - xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/types.nix">types.nix</filename> -code before creating a new type.</para> - -<para>The only required parameter is <literal>name</literal>.</para> - -<variablelist> - <varlistentry> - <term><varname>name</varname></term> - <listitem><para>A string representation of the type function - name.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>definition</varname></term> - <listitem><para>Description of the type used in documentation. Give - information of the type and any of its arguments.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>check</varname></term> - <listitem><para>A function to type check the definition value. Takes the - definition value as a parameter and returns a boolean indicating the - type check result, <literal>true</literal> for success and - <literal>false</literal> for failure.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>merge</varname></term> - <listitem><para>A function to merge multiple definitions values. Takes two - parameters:</para> - <variablelist> - <varlistentry> - <term><replaceable>loc</replaceable></term> - <listitem><para>The option path as a list of strings, e.g. - <literal>["boot" "loader "grub" - "enable"]</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><replaceable>defs</replaceable></term> - <listitem><para>The list of sets of defined <literal>value</literal> - and <literal>file</literal> where the value was defined, e.g. - <literal>[ { file = "/foo.nix"; value = 1; } { file = "/bar.nix"; - value = 2 } ]</literal>. The <literal>merge</literal> function - should return the merged value or throw an error in case the - values are impossible or not meant to be merged.</para></listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> - <varlistentry> - <term><varname>getSubOptions</varname></term> - <listitem><para>For composed types that can take a submodule as type - parameter, this function generate sub-options documentation. It takes - the current option prefix as a list and return the set of sub-options. - Usually defined in a recursive manner by adding a term to the prefix, - e.g. <literal>prefix: elemType.getSubOptions (prefix ++ - [<replaceable>"prefix"</replaceable>])</literal> where - <replaceable>"prefix"</replaceable> is the newly added - prefix.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>getSubModules</varname></term> - <listitem><para>For composed types that can take a submodule as type - parameter, this function should return the type parameters submodules. - If the type parameter is called <literal>elemType</literal>, the - function should just recursively look into submodules by returning - <literal>elemType.getSubModules;</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>substSubModules</varname></term> - <listitem><para>For composed types that can take a submodule as type - parameter, this function can be used to substitute the parameter of a - submodule type. It takes a module as parameter and return the type with - the submodule options substituted. It is usually defined as a type - function call with a recursive call to - <literal>substSubModules</literal>, e.g for a type - <literal>composedType</literal> that take an <literal>elemtype</literal> - type parameter, this function should be defined as <literal>m: - composedType (elemType.substSubModules m)</literal>.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>typeMerge</varname></term> - <listitem><para>A function to merge multiple type declarations. Takes the - type to merge <literal>functor</literal> as parameter. A - <literal>null</literal> return value means that type cannot be - merged.</para> - <variablelist> - <varlistentry> - <term><replaceable>f</replaceable></term> - <listitem><para>The type to merge - <literal>functor</literal>.</para></listitem> - </varlistentry> - </variablelist> - <para>Note: There is a generic <literal>defaultTypeMerge</literal> that - work with most of value and composed types.</para> - </listitem> - </varlistentry> - <varlistentry> - <term><varname>functor</varname></term> - <listitem><para>An attribute set representing the type. It is used for type - operations and has the following keys:</para> - <variablelist> - <varlistentry> - <term><varname>type</varname></term> - <listitem><para>The type function.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>wrapped</varname></term> - <listitem><para>Holds the type parameter for composed types.</para> - </listitem> - </varlistentry> - <varlistentry> - <term><varname>payload</varname></term> - <listitem><para>Holds the value parameter for value types. - The types that have a <literal>payload</literal> are the - <literal>enum</literal>, <literal>separatedString</literal> and - <literal>submodule</literal> types.</para></listitem> - </varlistentry> - <varlistentry> - <term><varname>binOp</varname></term> - <listitem><para>A binary operation that can merge the payloads of two - same types. Defined as a function that take two payloads as - parameters and return the payloads merged.</para></listitem> - </varlistentry> - </variablelist> - </listitem> - </varlistentry> -</variablelist> + <para> + Custom types can be created with the <literal>mkOptionType</literal> + function. As type creation includes some more complex topics such as + submodule handling, it is recommended to get familiar with + <filename + xlink:href="https://github.com/NixOS/nixpkgs/blob/master/lib/types.nix">types.nix</filename> + code before creating a new type. + </para> -</section> + <para> + The only required parameter is <literal>name</literal>. + </para> + + <variablelist> + <varlistentry> + <term><varname>name</varname> + </term> + <listitem> + <para> + A string representation of the type function name. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>definition</varname> + </term> + <listitem> + <para> + Description of the type used in documentation. Give information of the + type and any of its arguments. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>check</varname> + </term> + <listitem> + <para> + A function to type check the definition value. Takes the definition value + as a parameter and returns a boolean indicating the type check result, + <literal>true</literal> for success and <literal>false</literal> for + failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>merge</varname> + </term> + <listitem> + <para> + A function to merge multiple definitions values. Takes two parameters: + </para> + <variablelist> + <varlistentry> + <term><replaceable>loc</replaceable> + </term> + <listitem> + <para> + The option path as a list of strings, e.g. <literal>["boot" "loader + "grub" "enable"]</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><replaceable>defs</replaceable> + </term> + <listitem> + <para> + The list of sets of defined <literal>value</literal> and + <literal>file</literal> where the value was defined, e.g. <literal>[ { + file = "/foo.nix"; value = 1; } { file = "/bar.nix"; value = 2 } + ]</literal>. The <literal>merge</literal> function should return the + merged value or throw an error in case the values are impossible or + not meant to be merged. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>getSubOptions</varname> + </term> + <listitem> + <para> + For composed types that can take a submodule as type parameter, this + function generate sub-options documentation. It takes the current option + prefix as a list and return the set of sub-options. Usually defined in a + recursive manner by adding a term to the prefix, e.g. <literal>prefix: + elemType.getSubOptions (prefix ++ + [<replaceable>"prefix"</replaceable>])</literal> where + <replaceable>"prefix"</replaceable> is the newly added prefix. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>getSubModules</varname> + </term> + <listitem> + <para> + For composed types that can take a submodule as type parameter, this + function should return the type parameters submodules. If the type + parameter is called <literal>elemType</literal>, the function should just + recursively look into submodules by returning + <literal>elemType.getSubModules;</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>substSubModules</varname> + </term> + <listitem> + <para> + For composed types that can take a submodule as type parameter, this + function can be used to substitute the parameter of a submodule type. It + takes a module as parameter and return the type with the submodule + options substituted. It is usually defined as a type function call with a + recursive call to <literal>substSubModules</literal>, e.g for a type + <literal>composedType</literal> that take an <literal>elemtype</literal> + type parameter, this function should be defined as <literal>m: + composedType (elemType.substSubModules m)</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>typeMerge</varname> + </term> + <listitem> + <para> + A function to merge multiple type declarations. Takes the type to merge + <literal>functor</literal> as parameter. A <literal>null</literal> return + value means that type cannot be merged. + </para> + <variablelist> + <varlistentry> + <term><replaceable>f</replaceable> + </term> + <listitem> + <para> + The type to merge <literal>functor</literal>. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + Note: There is a generic <literal>defaultTypeMerge</literal> that work + with most of value and composed types. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>functor</varname> + </term> + <listitem> + <para> + An attribute set representing the type. It is used for type operations + and has the following keys: + </para> + <variablelist> + <varlistentry> + <term><varname>type</varname> + </term> + <listitem> + <para> + The type function. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>wrapped</varname> + </term> + <listitem> + <para> + Holds the type parameter for composed types. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>payload</varname> + </term> + <listitem> + <para> + Holds the value parameter for value types. The types that have a + <literal>payload</literal> are the <literal>enum</literal>, + <literal>separatedString</literal> and <literal>submodule</literal> + types. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><varname>binOp</varname> + </term> + <listitem> + <para> + A binary operation that can merge the payloads of two same types. + Defined as a function that take two payloads as parameters and return + the payloads merged. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + </variablelist> + </section> </section> diff --git a/nixos/doc/manual/development/releases.xml b/nixos/doc/manual/development/releases.xml index afcb970ed700..d4e5ff3f4312 100755 --- a/nixos/doc/manual/development/releases.xml +++ b/nixos/doc/manual/development/releases.xml @@ -3,252 +3,258 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-releases"> - -<title>Releases</title> - -<section xml:id="release-process"> + <title>Releases</title> + <section xml:id="release-process"> <title>Release process</title> <para> - Going through an example of releasing NixOS 17.09: + Going through an example of releasing NixOS 17.09: </para> <section xml:id="one-month-before-the-beta"> - <title>One month before the beta</title> - <itemizedlist spacing="compact"> - <listitem> - <para> - Send an email to the nix-devel mailinglist as a warning about upcoming beta "feature freeze" in a month. - </para> - </listitem> - <listitem> - <para> - Discuss with Eelco Dolstra and the community (via IRC, ML) about what will reach the deadline. - Any issue or Pull Request targeting the release should be included in the release milestone. - </para> - </listitem> - </itemizedlist> + <title>One month before the beta</title> + + <itemizedlist spacing="compact"> + <listitem> + <para> + Send an email to the nix-devel mailinglist as a warning about upcoming + beta "feature freeze" in a month. + </para> + </listitem> + <listitem> + <para> + Discuss with Eelco Dolstra and the community (via IRC, ML) about what + will reach the deadline. Any issue or Pull Request targeting the release + should be included in the release milestone. + </para> + </listitem> + </itemizedlist> </section> + <section xml:id="at-beta-release-time"> - <title>At beta release time</title> - <itemizedlist spacing="compact"> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/issues/13559">Create - an issue for tracking Zero Hydra Failures progress. ZHF is an effort - to get build failures down to zero.</link> - </para> - </listitem> - <listitem> - <para> - <literal>git tag -a -s -m "Release 17.09-beta" 17.09-beta && git push --tags</literal> - </para> - </listitem> - <listitem> - <para> - From the master branch run <literal>git checkout -B release-17.09</literal>. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18"> - Make sure a channel is created at http://nixos.org/channels/. - </link> - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches"> - Let a GitHub nixpkgs admin lock the branch on github for you. - (so developers can’t force push) - </link> - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790"> - Bump the <literal>system.defaultChannel</literal> attribute in - <literal>nixos/modules/misc/version.nix</literal> - </link> - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06"> - Update <literal>versionSuffix</literal> in - <literal>nixos/release.nix</literal></link>, use - <literal>git log --format=%an|wc -l</literal> to get the commit - count - </para> - </listitem> - <listitem> - <para> - <literal>echo -n "18.03" > .version</literal> on - master. - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842"> - Pick a new name for the unstable branch. - </link> - </para> - </listitem> - <listitem> - <para> - Create a new release notes file for the upcoming release + 1, in this - case <literal>rl-1803.xml</literal>. - </para> - </listitem> + <title>At beta release time</title> + + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/13559">Create + an issue for tracking Zero Hydra Failures progress. ZHF is an effort to + get build failures down to zero.</link> + </para> + </listitem> + <listitem> + <para> + <literal>git tag -a -s -m "Release 17.09-beta" 17.09-beta + && git push --tags</literal> + </para> + </listitem> + <listitem> + <para> + From the master branch run <literal>git checkout -B + release-17.09</literal>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18"> + Make sure a channel is created at http://nixos.org/channels/. </link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches"> + Let a GitHub nixpkgs admin lock the branch on github for you. (so + developers can’t force push) </link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790"> + Bump the <literal>system.defaultChannel</literal> attribute in + <literal>nixos/modules/misc/version.nix</literal> </link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06"> + Update <literal>versionSuffix</literal> in + <literal>nixos/release.nix</literal></link>, use <literal>git log + --format=%an|wc -l</literal> to get the commit count + </para> + </listitem> + <listitem> + <para> + <literal>echo -n "18.03" > .version</literal> on master. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842"> + Pick a new name for the unstable branch. </link> + </para> + </listitem> + <listitem> + <para> + Create a new release notes file for the upcoming release + 1, in this + case <literal>rl-1803.xml</literal>. + </para> + </listitem> + <listitem> + <para> + Create two Hydra jobsets: release-17.09 and release-17.09-small with + <literal>stableBranch</literal> set to false. + </para> + </listitem> + <listitem> + <para> + Edit changelog at + <literal>nixos/doc/manual/release-notes/rl-1709.xml</literal> (double + check desktop versions are noted) + </para> + <itemizedlist spacing="compact"> <listitem> - <para> - Create two Hydra jobsets: release-17.09 and release-17.09-small with <literal>stableBranch</literal> set to false. - </para> + <para> + Get all new NixOS modules <literal>git diff + release-17.03..release-17.09 nixos/modules/module-list.nix|grep + ^+</literal> + </para> </listitem> <listitem> - <para> - Edit changelog at - <literal>nixos/doc/manual/release-notes/rl-1709.xml</literal> - (double check desktop versions are noted) - </para> - <itemizedlist spacing="compact"> - <listitem> - <para> - Get all new NixOS modules - <literal>git diff release-17.03..release-17.09 nixos/modules/module-list.nix|grep ^+</literal> - </para> - </listitem> - <listitem> - <para> - Note systemd, kernel, glibc and Nix upgrades. - </para> - </listitem> - </itemizedlist> + <para> + Note systemd, kernel, glibc and Nix upgrades. + </para> </listitem> - </itemizedlist> + </itemizedlist> + </listitem> + </itemizedlist> </section> + <section xml:id="during-beta"> - <title>During Beta</title> - <itemizedlist spacing="compact"> - <listitem> - <para> - Monitor the master branch for bugfixes and minor updates - and cherry-pick them to the release branch. - </para> - </listitem> - </itemizedlist> + <title>During Beta</title> + + <itemizedlist spacing="compact"> + <listitem> + <para> + Monitor the master branch for bugfixes and minor updates and cherry-pick + them to the release branch. + </para> + </listitem> + </itemizedlist> </section> + <section xml:id="before-the-final-release"> - <title>Before the final release</title> - <itemizedlist spacing="compact"> - <listitem> - <para> - Re-check that the release notes are complete. - </para> - </listitem> - <listitem> - <para> - Release Nix (currently only Eelco Dolstra can do that). - <link xlink:href="https://github.com/NixOS/nixpkgs/commit/53710c752a85f00658882531bc90a23a3d1287e4"> - Make sure fallback is updated. - </link> - </para> - </listitem> - <listitem> - <para> - <link xlink:href="https://github.com/NixOS/nixpkgs/commit/40fd9ae3ac8048758abdcfc7d28a78b5f22fe97e"> - Update README.md with new stable NixOS version information. - </link> - </para> - </listitem> - <listitem> - <para> - Change <literal>stableBranch</literal> to true and wait for channel to update. - </para> - </listitem> - </itemizedlist> + <title>Before the final release</title> + + <itemizedlist spacing="compact"> + <listitem> + <para> + Re-check that the release notes are complete. + </para> + </listitem> + <listitem> + <para> + Release Nix (currently only Eelco Dolstra can do that). + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/53710c752a85f00658882531bc90a23a3d1287e4"> + Make sure fallback is updated. </link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/40fd9ae3ac8048758abdcfc7d28a78b5f22fe97e"> + Update README.md with new stable NixOS version information. </link> + </para> + </listitem> + <listitem> + <para> + Change <literal>stableBranch</literal> to true and wait for channel to + update. + </para> + </listitem> + </itemizedlist> </section> + <section xml:id="at-final-release-time"> - <title>At final release time</title> - <itemizedlist spacing="compact"> - <listitem> - <para> - <literal>git tag -s -a -m "Release 15.09" 15.09</literal> - </para> - </listitem> - <listitem> - <para> - Update http://nixos.org/nixos/download.html and http://nixos.org/nixos/manual in https://github.com/NixOS/nixos-org-configurations - </para> - </listitem> - <listitem> - <para> - Get number of commits for the release: - <literal>git log release-14.04..release-14.12 --format=%an|wc -l</literal> - </para> - </listitem> - <listitem> - <para> - Commits by contributor: - <literal>git log release-14.04..release-14.12 --format=%an|sort|uniq -c|sort -rn</literal> - </para> - </listitem> - <listitem> - <para> - Send an email to nix-dev to announce the release with above information. Best to check how previous email was formulated - to see what needs to be included. - </para> - </listitem> - </itemizedlist> - </section> -</section> + <title>At final release time</title> -<section xml:id="release-schedule"> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>git tag -s -a -m "Release 15.09" 15.09</literal> + </para> + </listitem> + <listitem> + <para> + Update http://nixos.org/nixos/download.html and + http://nixos.org/nixos/manual in + https://github.com/NixOS/nixos-org-configurations + </para> + </listitem> + <listitem> + <para> + Get number of commits for the release: <literal>git log + release-14.04..release-14.12 --format=%an|wc -l</literal> + </para> + </listitem> + <listitem> + <para> + Commits by contributor: <literal>git log release-14.04..release-14.12 + --format=%an|sort|uniq -c|sort -rn</literal> + </para> + </listitem> + <listitem> + <para> + Send an email to nix-dev to announce the release with above information. + Best to check how previous email was formulated to see what needs to be + included. + </para> + </listitem> + </itemizedlist> + </section> + </section> + <section xml:id="release-schedule"> <title>Release schedule</title> <informaltable> - <tgroup cols="2"> - <colspec align="left" /> - <colspec align="left" /> - <thead> - <row> - <entry> + <tgroup cols="2"> + <colspec align="left" /> + <colspec align="left" /> + <thead> + <row> + <entry> Date </entry> - <entry> + <entry> Event </entry> - </row> - </thead> - <tbody> - <row> - <entry> + </row> + </thead> + <tbody> + <row> + <entry> 2016-07-25 </entry> - <entry> + <entry> Send email to nix-dev about upcoming branch-off </entry> - </row> - <row> - <entry> + </row> + <row> + <entry> 2016-09-01 </entry> - <entry> - <literal>release-16.09</literal> branch and corresponding jobsets are created, + <entry><literal>release-16.09</literal> branch and corresponding jobsets are created, change freeze </entry> - </row> - <row> - <entry> + </row> + <row> + <entry> 2016-09-30 </entry> - <entry> + <entry> NixOS 16.09 released </entry> - </row> - </tbody> - </tgroup> + </row> + </tbody> + </tgroup> </informaltable> -</section> - + </section> </chapter> diff --git a/nixos/doc/manual/development/replace-modules.xml b/nixos/doc/manual/development/replace-modules.xml index cc0539ec5109..7b103c36d907 100644 --- a/nixos/doc/manual/development/replace-modules.xml +++ b/nixos/doc/manual/development/replace-modules.xml @@ -3,27 +3,31 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-replace-modules"> + <title>Replace Modules</title> -<title>Replace Modules</title> + <para> + Modules that are imported can also be disabled. The option declarations and + config implementation of a disabled module will be ignored, allowing another + to take it's place. This can be used to import a set of modules from another + channel while keeping the rest of the system on a stable release. + </para> -<para>Modules that are imported can also be disabled. The option - declarations and config implementation of a disabled module will be - ignored, allowing another to take it's place. This can be used to - import a set of modules from another channel while keeping the rest - of the system on a stable release.</para> -<para><literal>disabledModules</literal> is a top level attribute like + <para> + <literal>disabledModules</literal> is a top level attribute like <literal>imports</literal>, <literal>options</literal> and - <literal>config</literal>. It contains a list of modules that will - be disabled. This can either be the full path to the module or a - string with the filename relative to the modules path - (eg. <nixpkgs/nixos/modules> for nixos). - </para> + <literal>config</literal>. It contains a list of modules that will be + disabled. This can either be the full path to the module or a string with the + filename relative to the modules path (eg. <nixpkgs/nixos/modules> for + nixos). + </para> -<para>This example will replace the existing postgresql module with - the version defined in the nixos-unstable channel while keeping the - rest of the modules and packages from the original nixos channel. - This only overrides the module definition, this won't use postgresql - from nixos-unstable unless explicitly configured to do so.</para> + <para> + This example will replace the existing postgresql module with the version + defined in the nixos-unstable channel while keeping the rest of the modules + and packages from the original nixos channel. This only overrides the module + definition, this won't use postgresql from nixos-unstable unless explicitly + configured to do so. + </para> <programlisting> { config, lib, pkgs, ... }: @@ -41,10 +45,11 @@ } </programlisting> -<para>This example shows how to define a custom module as a - replacement for an existing module. Importing this module will - disable the original module without having to know it's - implementation details.</para> + <para> + This example shows how to define a custom module as a replacement for an + existing module. Importing this module will disable the original module + without having to know it's implementation details. + </para> <programlisting> { config, lib, pkgs, ... }: @@ -71,5 +76,4 @@ in }; } </programlisting> - </section> diff --git a/nixos/doc/manual/development/running-nixos-tests-interactively.xml b/nixos/doc/manual/development/running-nixos-tests-interactively.xml index e47490777815..862b364a6d79 100644 --- a/nixos/doc/manual/development/running-nixos-tests-interactively.xml +++ b/nixos/doc/manual/development/running-nixos-tests-interactively.xml @@ -3,41 +3,38 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-running-nixos-tests"> -<title>Running Tests interactively</title> - -<para>The test itself can be run interactively. This is -particularly useful when developing or debugging a test: + <title>Running Tests interactively</title> + <para> + The test itself can be run interactively. This is particularly useful when + developing or debugging a test: <screen> $ nix-build nixos/tests/login.nix -A driver $ ./result/bin/nixos-test-driver starting VDE switch for network 1 > </screen> - -You can then take any Perl statement, e.g. - + You can then take any Perl statement, e.g. <screen> > startAll > testScript > $machine->succeed("touch /tmp/foo") </screen> - -The function <command>testScript</command> executes the entire test -script and drops you back into the test driver command line upon its -completion. This allows you to inspect the state of the VMs after the -test (e.g. to debug the test script).</para> - -<para>To just start and experiment with the VMs, run: - + The function <command>testScript</command> executes the entire test script + and drops you back into the test driver command line upon its completion. + This allows you to inspect the state of the VMs after the test (e.g. to debug + the test script). + </para> + + <para> + To just start and experiment with the VMs, run: <screen> $ nix-build nixos/tests/login.nix -A driver $ ./result/bin/nixos-run-vms </screen> - -The script <command>nixos-run-vms</command> starts the virtual -machines defined by test. The root file system of the VMs is created -on the fly and kept across VM restarts in -<filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>.</para> - + The script <command>nixos-run-vms</command> starts the virtual machines + defined by test. The root file system of the VMs is created on the fly and + kept across VM restarts in + <filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>. + </para> </section> diff --git a/nixos/doc/manual/development/running-nixos-tests.xml b/nixos/doc/manual/development/running-nixos-tests.xml index 908c0a66a32d..eadbe1ea4f26 100644 --- a/nixos/doc/manual/development/running-nixos-tests.xml +++ b/nixos/doc/manual/development/running-nixos-tests.xml @@ -3,20 +3,18 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-running-nixos-tests-interactively"> + <title>Running Tests</title> -<title>Running Tests</title> - -<para>You can run tests using <command>nix-build</command>. For -example, to run the test <filename + <para> + You can run tests using <command>nix-build</command>. For example, to run the + test + <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>, -you just do: - + you just do: <screen> $ nix-build '<nixpkgs/nixos/tests/login.nix>' </screen> - -or, if you don’t want to rely on <envar>NIX_PATH</envar>: - + or, if you don’t want to rely on <envar>NIX_PATH</envar>: <screen> $ cd /my/nixpkgs/nixos/tests $ nix-build login.nix @@ -26,16 +24,13 @@ machine: QEMU running (pid 8841) … 6 out of 6 tests succeeded </screen> - -After building/downloading all required dependencies, this will -perform a build that starts a QEMU/KVM virtual machine containing a -NixOS system. The virtual machine mounts the Nix store of the host; -this makes VM creation very fast, as no disk image needs to be -created. Afterwards, you can view a pretty-printed log of the test: - + After building/downloading all required dependencies, this will perform a + build that starts a QEMU/KVM virtual machine containing a NixOS system. The + virtual machine mounts the Nix store of the host; this makes VM creation very + fast, as no disk image needs to be created. Afterwards, you can view a + pretty-printed log of the test: <screen> $ firefox result/log.html </screen> - -</para> + </para> </section> diff --git a/nixos/doc/manual/development/sources.xml b/nixos/doc/manual/development/sources.xml index a2896cd7a135..c7b64cb84beb 100644 --- a/nixos/doc/manual/development/sources.xml +++ b/nixos/doc/manual/development/sources.xml @@ -3,101 +3,84 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-getting-sources"> - -<title>Getting the Sources</title> - -<para>By default, NixOS’s <command>nixos-rebuild</command> command -uses the NixOS and Nixpkgs sources provided by the -<literal>nixos</literal> channel (kept in -<filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>). -To modify NixOS, however, you should check out the latest sources from -Git. This is as follows: - + <title>Getting the Sources</title> + <para> + By default, NixOS’s <command>nixos-rebuild</command> command uses the NixOS + and Nixpkgs sources provided by the <literal>nixos</literal> channel (kept in + <filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>). To + modify NixOS, however, you should check out the latest sources from Git. This + is as follows: <screen> $ git clone git://github.com/NixOS/nixpkgs.git $ cd nixpkgs $ git remote add channels git://github.com/NixOS/nixpkgs-channels.git $ git remote update channels </screen> - -This will check out the latest Nixpkgs sources to -<filename>./nixpkgs</filename> the NixOS sources to -<filename>./nixpkgs/nixos</filename>. (The NixOS source tree lives in -a subdirectory of the Nixpkgs repository.) The remote -<literal>channels</literal> refers to a read-only repository that -tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/> -for more information about channels). Thus, the Git branch -<literal>channels/nixos-17.03</literal> will contain the latest built -and tested version available in the <literal>nixos-17.03</literal> -channel.</para> - -<para>It’s often inconvenient to develop directly on the master -branch, since if somebody has just committed (say) a change to GCC, -then the binary cache may not have caught up yet and you’ll have to -rebuild everything from source. So you may want to create a local -branch based on your current NixOS version: - + This will check out the latest Nixpkgs sources to + <filename>./nixpkgs</filename> the NixOS sources to + <filename>./nixpkgs/nixos</filename>. (The NixOS source tree lives in a + subdirectory of the Nixpkgs repository.) The remote + <literal>channels</literal> refers to a read-only repository that tracks the + Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/> for more + information about channels). Thus, the Git branch + <literal>channels/nixos-17.03</literal> will contain the latest built and + tested version available in the <literal>nixos-17.03</literal> channel. + </para> + <para> + It’s often inconvenient to develop directly on the master branch, since if + somebody has just committed (say) a change to GCC, then the binary cache may + not have caught up yet and you’ll have to rebuild everything from source. + So you may want to create a local branch based on your current NixOS version: <screen> $ nixos-version 17.09pre104379.6e0b727 (Hummingbird) $ git checkout -b local 6e0b727 </screen> - -Or, to base your local branch on the latest version available in a -NixOS channel: - + Or, to base your local branch on the latest version available in a NixOS + channel: <screen> $ git remote update channels $ git checkout -b local channels/nixos-17.03 </screen> - -(Replace <literal>nixos-17.03</literal> with the name of the channel -you want to use.) You can use <command>git merge</command> or -<command>git rebase</command> to keep your local branch in sync with -the channel, e.g. - + (Replace <literal>nixos-17.03</literal> with the name of the channel you want + to use.) You can use <command>git merge</command> or <command>git + rebase</command> to keep your local branch in sync with the channel, e.g. <screen> $ git remote update channels $ git merge channels/nixos-17.03 </screen> - -You can use <command>git cherry-pick</command> to copy commits from -your local branch to the upstream branch.</para> - -<para>If you want to rebuild your system using your (modified) -sources, you need to tell <command>nixos-rebuild</command> about them -using the <option>-I</option> flag: - + You can use <command>git cherry-pick</command> to copy commits from your + local branch to the upstream branch. + </para> + <para> + If you want to rebuild your system using your (modified) sources, you need to + tell <command>nixos-rebuild</command> about them using the + <option>-I</option> flag: <screen> # nixos-rebuild switch -I nixpkgs=<replaceable>/my/sources</replaceable>/nixpkgs </screen> - -</para> - -<para>If you want <command>nix-env</command> to use the expressions in -<replaceable>/my/sources</replaceable>, use <command>nix-env -f -<replaceable>/my/sources</replaceable>/nixpkgs</command>, or change -the default by adding a symlink in -<filename>~/.nix-defexpr</filename>: - + </para> + <para> + If you want <command>nix-env</command> to use the expressions in + <replaceable>/my/sources</replaceable>, use <command>nix-env -f + <replaceable>/my/sources</replaceable>/nixpkgs</command>, or change the + default by adding a symlink in <filename>~/.nix-defexpr</filename>: <screen> $ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs </screen> - -You may want to delete the symlink -<filename>~/.nix-defexpr/channels_root</filename> to prevent root’s -NixOS channel from clashing with your own tree (this may break the -command-not-found utility though). If you want to go back to the default -state, you may just remove the <filename>~/.nix-defexpr</filename> -directory completely, log out and log in again and it should have been -recreated with a link to the root channels.</para> - + You may want to delete the symlink + <filename>~/.nix-defexpr/channels_root</filename> to prevent root’s NixOS + channel from clashing with your own tree (this may break the + command-not-found utility though). If you want to go back to the default + state, you may just remove the <filename>~/.nix-defexpr</filename> directory + completely, log out and log in again and it should have been recreated with a + link to the root channels. + </para> <!-- FIXME: not sure what this means. <para>You should not pass the base directory <filename><replaceable>/my/sources</replaceable></filename> to <command>nix-env</command>, as it will break after interpreting expressions in <filename>nixos/</filename> as packages.</para> --> - </chapter> diff --git a/nixos/doc/manual/development/testing-installer.xml b/nixos/doc/manual/development/testing-installer.xml index 20c8d51815ad..63f5f3de7f4d 100644 --- a/nixos/doc/manual/development/testing-installer.xml +++ b/nixos/doc/manual/development/testing-installer.xml @@ -3,25 +3,20 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-testing-installer"> - -<title>Testing the Installer</title> - -<para>Building, burning, and booting from an installation CD is rather -tedious, so here is a quick way to see if the installer works -properly: - + <title>Testing the Installer</title> + <para> + Building, burning, and booting from an installation CD is rather tedious, so + here is a quick way to see if the installer works properly: <screen> -$ nix-build -A config.system.build.nixos-install # mount -t tmpfs none /mnt +# nixos-generate-config --root /mnt +$ nix-build '<nixpkgs/nixos>' -A config.system.build.nixos-install # ./result/bin/nixos-install</screen> - -To start a login shell in the new NixOS installation in -<filename>/mnt</filename>: - + To start a login shell in the new NixOS installation in + <filename>/mnt</filename>: <screen> -# ./result/bin/nixos-install --chroot +$ nix-build '<nixpkgs/nixos>' -A config.system.build.nixos-enter +# ./result/bin/nixos-enter </screen> - -</para> - + </para> </chapter> diff --git a/nixos/doc/manual/development/writing-documentation.xml b/nixos/doc/manual/development/writing-documentation.xml index 59a287717acb..8ecdd1c770f2 100644 --- a/nixos/doc/manual/development/writing-documentation.xml +++ b/nixos/doc/manual/development/writing-documentation.xml @@ -3,145 +3,147 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-writing-documentation"> - -<title>Writing NixOS Documentation</title> - -<para> - As NixOS grows, so too does the need for a catalogue and explanation - of its extensive functionality. Collecting pertinent information - from disparate sources and presenting it in an accessible style - would be a worthy contribution to the project. -</para> - -<section> -<title>Building the Manual</title> -<para> - The DocBook sources of the <xref linkend="book-nixos-manual"/> are in the - <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual"><filename>nixos/doc/manual</filename></link> - subdirectory of the Nixpkgs repository. If you make modifications to - the manual, it's important to build it before committing. You can do - that as follows: - - <screen>nix-build nixos/release.nix -A manual.x86_64-linux</screen> -</para> - -<para> - When this command successfully finishes, it will tell you where the - manual got generated. The HTML will be accessible through the - <filename>result</filename> symlink at - <filename>./result/share/doc/nixos/index.html</filename>. -</para> -</section> - -<section> -<title>Editing DocBook XML</title> - -<para> - For general information on how to write in DocBook, see - <link xlink:href="http://www.docbook.org/tdg5/en/html/docbook.html"> - DocBook 5: The Definitive Guide</link>. -</para> - -<para> - Emacs nXML Mode is very helpful for editing DocBook XML because it - validates the document as you write, and precisely locates - errors. To use it, see <xref linkend="sec-emacs-docbook-xml"/>. -</para> - -<para> - <link xlink:href="http://pandoc.org">Pandoc</link> can generate - DocBook XML from a multitude of formats, which makes a good starting - point. - - <example xml:id="ex-pandoc-xml-conv"> + <title>Writing NixOS Documentation</title> + <para> + As NixOS grows, so too does the need for a catalogue and explanation of its + extensive functionality. Collecting pertinent information from disparate + sources and presenting it in an accessible style would be a worthy + contribution to the project. + </para> + <section> + <title>Building the Manual</title> + + <para> + The DocBook sources of the <xref linkend="book-nixos-manual"/> are in the + <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual"><filename>nixos/doc/manual</filename></link> + subdirectory of the Nixpkgs repository. + </para> + + <para> + You can quickly validate your edits with <command>make</command>: + </para> + +<screen> + $ cd /path/to/nixpkgs/nixos/doc/manual + $ make +</screen> + + <para> + Once you are done making modifications to the manual, it's important to + build it before committing. You can do that as follows: + </para> + +<screen>nix-build nixos/release.nix -A manual.x86_64-linux</screen> + + <para> + When this command successfully finishes, it will tell you where the manual + got generated. The HTML will be accessible through the + <filename>result</filename> symlink at + <filename>./result/share/doc/nixos/index.html</filename>. + </para> + </section> + <section> + <title>Editing DocBook XML</title> + + <para> + For general information on how to write in DocBook, see + <link xlink:href="http://www.docbook.org/tdg5/en/html/docbook.html"> DocBook + 5: The Definitive Guide</link>. + </para> + + <para> + Emacs nXML Mode is very helpful for editing DocBook XML because it validates + the document as you write, and precisely locates errors. To use it, see + <xref linkend="sec-emacs-docbook-xml"/>. + </para> + + <para> + <link xlink:href="http://pandoc.org">Pandoc</link> can generate DocBook XML + from a multitude of formats, which makes a good starting point. + <example xml:id="ex-pandoc-xml-conv"> <title>Pandoc invocation to convert GitHub-Flavoured MarkDown to DocBook 5 XML</title> - <screen>pandoc -f markdown_github -t docbook5 docs.md -o my-section.md</screen> - </example> - - Pandoc can also quickly convert a single - <filename>section.xml</filename> to HTML, which is helpful when - drafting. -</para> - -<para> - Sometimes writing valid DocBook is simply too difficult. In this - case, submit your documentation updates in a <link +<screen>pandoc -f markdown_github -t docbook5 docs.md -o my-section.md</screen> + </example> + Pandoc can also quickly convert a single <filename>section.xml</filename> to + HTML, which is helpful when drafting. + </para> + + <para> + Sometimes writing valid DocBook is simply too difficult. In this case, + submit your documentation updates in a + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/new">GitHub - Issue</link> and someone will handle the conversion to XML for you. -</para> -</section> - -<section> -<title>Creating a Topic</title> - -<para> - You can use an existing topic as a basis for the new topic or create a topic from scratch. -</para> - -<para> -Keep the following guidelines in mind when you create and add a topic: - -<itemizedlist> - <listitem><para> - The NixOS <link xlink:href="http://www.docbook.org/tdg5/en/html/book.html"><tag>book</tag></link> - element is in <filename>nixos/doc/manual/manual.xml</filename>. - It includes several - <link xlink:href="http://www.docbook.org/tdg5/en/html/book.html"><tag>part</tag>s</link> - which are in subdirectories. - </para></listitem> - - <listitem><para> - Store the topic file in the same directory as the <tag>part</tag> - to which it belongs. If your topic is about configuring a NixOS - module, then the XML file can be stored alongside the module - definition <filename>nix</filename> file. - </para></listitem> - - <listitem><para> - If you include multiple words in the file name, separate the words - with a dash. For example: <filename>ipv6-config.xml</filename>. - </para></listitem> - - <listitem><para> - Make sure that the <tag>xml:id</tag> value is unique. You can use - abbreviations if the ID is too long. For example: - <varname>nixos-config</varname>. - </para></listitem> - - <listitem><para> - Determine whether your topic is a chapter or a section. If you are - unsure, open an existing topic file and check whether the main - element is chapter or section. - </para></listitem> - -</itemizedlist> - -</para> -</section> - -<section> -<title>Adding a Topic to the Book</title> - -<para> - Open the parent XML file and add an <varname>xi:include</varname> - element to the list of chapters with the file name of the topic that - you created. If you created a <tag>section</tag>, you add the file to - the <tag>chapter</tag> file. If you created a <tag>chapter</tag>, you - add the file to the <tag>part</tag> file. -</para> - -<para> - If the topic is about configuring a NixOS module, it can be - automatically included in the manual by using the - <varname>meta.doc</varname> attribute. See <xref + Issue</link> and someone will handle the conversion to XML for you. + </para> + </section> + <section> + <title>Creating a Topic</title> + + <para> + You can use an existing topic as a basis for the new topic or create a topic + from scratch. + </para> + + <para> + Keep the following guidelines in mind when you create and add a topic: + <itemizedlist> + <listitem> + <para> + The NixOS + <link xlink:href="http://www.docbook.org/tdg5/en/html/book.html"><tag>book</tag></link> + element is in <filename>nixos/doc/manual/manual.xml</filename>. It + includes several + <link xlink:href="http://www.docbook.org/tdg5/en/html/book.html"><tag>part</tag>s</link> + which are in subdirectories. + </para> + </listitem> + <listitem> + <para> + Store the topic file in the same directory as the <tag>part</tag> to + which it belongs. If your topic is about configuring a NixOS module, then + the XML file can be stored alongside the module definition + <filename>nix</filename> file. + </para> + </listitem> + <listitem> + <para> + If you include multiple words in the file name, separate the words with a + dash. For example: <filename>ipv6-config.xml</filename>. + </para> + </listitem> + <listitem> + <para> + Make sure that the <tag>xml:id</tag> value is unique. You can use + abbreviations if the ID is too long. For example: + <varname>nixos-config</varname>. + </para> + </listitem> + <listitem> + <para> + Determine whether your topic is a chapter or a section. If you are + unsure, open an existing topic file and check whether the main element is + chapter or section. + </para> + </listitem> + </itemizedlist> + </para> + </section> + <section> + <title>Adding a Topic to the Book</title> + + <para> + Open the parent XML file and add an <varname>xi:include</varname> element to + the list of chapters with the file name of the topic that you created. If + you created a <tag>section</tag>, you add the file to the <tag>chapter</tag> + file. If you created a <tag>chapter</tag>, you add the file to the + <tag>part</tag> file. + </para> + + <para> + If the topic is about configuring a NixOS module, it can be automatically + included in the manual by using the <varname>meta.doc</varname> attribute. + See <xref linkend="sec-meta-attributes"/> for an explanation. -</para> - -</section> - - - - - - + </para> + </section> </chapter> diff --git a/nixos/doc/manual/development/writing-modules.xml b/nixos/doc/manual/development/writing-modules.xml index cb363b45675b..bbf793bb0be9 100644 --- a/nixos/doc/manual/development/writing-modules.xml +++ b/nixos/doc/manual/development/writing-modules.xml @@ -3,52 +3,54 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-writing-modules"> - -<title>Writing NixOS Modules</title> - -<para>NixOS has a modular system for declarative configuration. This -system combines multiple <emphasis>modules</emphasis> to produce the -full system configuration. One of the modules that constitute the -configuration is <filename>/etc/nixos/configuration.nix</filename>. -Most of the others live in the <link + <title>Writing NixOS Modules</title> + <para> + NixOS has a modular system for declarative configuration. This system + combines multiple <emphasis>modules</emphasis> to produce the full system + configuration. One of the modules that constitute the configuration is + <filename>/etc/nixos/configuration.nix</filename>. Most of the others live in + the + <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/modules"><filename>nixos/modules</filename></link> -subdirectory of the Nixpkgs tree.</para> - -<para>Each NixOS module is a file that handles one logical aspect of -the configuration, such as a specific kind of hardware, a service, or -network settings. A module configuration does not have to handle -everything from scratch; it can use the functionality provided by -other modules for its implementation. Thus a module can -<emphasis>declare</emphasis> options that can be used by other -modules, and conversely can <emphasis>define</emphasis> options -provided by other modules in its own implementation. For example, the -module <link + subdirectory of the Nixpkgs tree. + </para> + <para> + Each NixOS module is a file that handles one logical aspect of the + configuration, such as a specific kind of hardware, a service, or network + settings. A module configuration does not have to handle everything from + scratch; it can use the functionality provided by other modules for its + implementation. Thus a module can <emphasis>declare</emphasis> options that + can be used by other modules, and conversely can <emphasis>define</emphasis> + options provided by other modules in its own implementation. For example, the + module + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/pam.nix"><filename>pam.nix</filename></link> -declares the option <option>security.pam.services</option> that allows -other modules (e.g. <link + declares the option <option>security.pam.services</option> that allows other + modules (e.g. + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix"><filename>sshd.nix</filename></link>) -to define PAM services; and it defines the option -<option>environment.etc</option> (declared by <link + to define PAM services; and it defines the option + <option>environment.etc</option> (declared by + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/etc/etc.nix"><filename>etc.nix</filename></link>) -to cause files to be created in -<filename>/etc/pam.d</filename>.</para> - -<para xml:id="para-module-syn">In <xref + to cause files to be created in <filename>/etc/pam.d</filename>. + </para> + <para xml:id="para-module-syn"> + In <xref linkend="sec-configuration-syntax"/>, we saw the following structure -of NixOS modules: - + of NixOS modules: <programlisting> { config, pkgs, ... }: { <replaceable>option definitions</replaceable> } </programlisting> - -This is actually an <emphasis>abbreviated</emphasis> form of module -that only defines options, but does not declare any. The structure of -full NixOS modules is shown in <xref linkend='ex-module-syntax' />.</para> - -<example xml:id='ex-module-syntax'><title>Structure of NixOS Modules</title> + This is actually an <emphasis>abbreviated</emphasis> form of module that only + defines options, but does not declare any. The structure of full NixOS + modules is shown in <xref linkend='ex-module-syntax' />. + </para> + <example xml:id='ex-module-syntax'> + <title>Structure of NixOS Modules</title> <programlisting> { config, pkgs, ... }: <co xml:id='module-syntax-1' /> @@ -65,56 +67,56 @@ full NixOS modules is shown in <xref linkend='ex-module-syntax' />.</para> <replaceable>option definitions</replaceable> <co xml:id='module-syntax-4' /> }; }</programlisting> -</example> - -<para>The meaning of each part is as follows. - -<calloutlist> - <callout arearefs='module-syntax-1'> - <para>This line makes the current Nix expression a function. The - variable <varname>pkgs</varname> contains Nixpkgs, while - <varname>config</varname> contains the full system configuration. - This line can be omitted if there is no reference to - <varname>pkgs</varname> and <varname>config</varname> inside the - module.</para> - </callout> - - <callout arearefs='module-syntax-2'> - <para>This list enumerates the paths to other NixOS modules that - should be included in the evaluation of the system configuration. - A default set of modules is defined in the file - <filename>modules/module-list.nix</filename>. These don't need to - be added in the import list.</para> - </callout> - - <callout arearefs='module-syntax-3'> - <para>The attribute <varname>options</varname> is a nested set of - <emphasis>option declarations</emphasis> (described below).</para> - </callout> - - <callout arearefs='module-syntax-4'> - <para>The attribute <varname>config</varname> is a nested set of - <emphasis>option definitions</emphasis> (also described - below).</para> - </callout> -</calloutlist> - -</para> - -<para><xref linkend='locate-example' /> shows a module that handles -the regular update of the “locate” database, an index of all files in -the file system. This module declares two options that can be defined -by other modules (typically the user’s -<filename>configuration.nix</filename>): -<option>services.locate.enable</option> (whether the database should -be updated) and <option>services.locate.interval</option> (when the -update should be done). It implements its functionality by defining -two options declared by other modules: -<option>systemd.services</option> (the set of all systemd services) -and <option>systemd.timers</option> (the list of commands to be -executed periodically by <command>systemd</command>).</para> - -<example xml:id='locate-example'><title>NixOS Module for the “locate” Service</title> + </example> + <para> + The meaning of each part is as follows. + <calloutlist> + <callout arearefs='module-syntax-1'> + <para> + This line makes the current Nix expression a function. The variable + <varname>pkgs</varname> contains Nixpkgs, while <varname>config</varname> + contains the full system configuration. This line can be omitted if there + is no reference to <varname>pkgs</varname> and <varname>config</varname> + inside the module. + </para> + </callout> + <callout arearefs='module-syntax-2'> + <para> + This list enumerates the paths to other NixOS modules that should be + included in the evaluation of the system configuration. A default set of + modules is defined in the file + <filename>modules/module-list.nix</filename>. These don't need to be added + in the import list. + </para> + </callout> + <callout arearefs='module-syntax-3'> + <para> + The attribute <varname>options</varname> is a nested set of + <emphasis>option declarations</emphasis> (described below). + </para> + </callout> + <callout arearefs='module-syntax-4'> + <para> + The attribute <varname>config</varname> is a nested set of + <emphasis>option definitions</emphasis> (also described below). + </para> + </callout> + </calloutlist> + </para> + <para> + <xref linkend='locate-example' /> shows a module that handles the regular + update of the “locate” database, an index of all files in the file + system. This module declares two options that can be defined by other modules + (typically the user’s <filename>configuration.nix</filename>): + <option>services.locate.enable</option> (whether the database should be + updated) and <option>services.locate.interval</option> (when the update + should be done). It implements its functionality by defining two options + declared by other modules: <option>systemd.services</option> (the set of all + systemd services) and <option>systemd.timers</option> (the list of commands + to be executed periodically by <command>systemd</command>). + </para> + <example xml:id='locate-example'> + <title>NixOS Module for the “locate” Service</title> <programlisting> { config, lib, pkgs, ... }: @@ -173,13 +175,12 @@ in { }; } </programlisting> -</example> - -<xi:include href="option-declarations.xml" /> -<xi:include href="option-types.xml" /> -<xi:include href="option-def.xml" /> -<xi:include href="assertions.xml" /> -<xi:include href="meta-attributes.xml" /> -<xi:include href="replace-modules.xml" /> - + </example> + <xi:include href="option-declarations.xml" /> + <xi:include href="option-types.xml" /> + <xi:include href="option-def.xml" /> + <xi:include href="assertions.xml" /> + <xi:include href="meta-attributes.xml" /> + <xi:include href="importing-modules.xml" /> + <xi:include href="replace-modules.xml" /> </chapter> diff --git a/nixos/doc/manual/development/writing-nixos-tests.xml b/nixos/doc/manual/development/writing-nixos-tests.xml index a8f6aa00858e..89a6a4423627 100644 --- a/nixos/doc/manual/development/writing-nixos-tests.xml +++ b/nixos/doc/manual/development/writing-nixos-tests.xml @@ -3,11 +3,10 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-writing-nixos-tests"> + <title>Writing Tests</title> -<title>Writing Tests</title> - -<para>A NixOS test is a Nix expression that has the following structure: - + <para> + A NixOS test is a Nix expression that has the following structure: <programlisting> import ./make-test.nix { @@ -32,277 +31,364 @@ import ./make-test.nix { ''; } </programlisting> - -The attribute <literal>testScript</literal> is a bit of Perl code that -executes the test (described below). During the test, it will start -one or more virtual machines, the configuration of which is described -by the attribute <literal>machine</literal> (if you need only one -machine in your test) or by the attribute <literal>nodes</literal> (if -you need multiple machines). For instance, <filename + The attribute <literal>testScript</literal> is a bit of Perl code that + executes the test (described below). During the test, it will start one or + more virtual machines, the configuration of which is described by the + attribute <literal>machine</literal> (if you need only one machine in your + test) or by the attribute <literal>nodes</literal> (if you need multiple + machines). For instance, + <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename> -only needs a single machine to test whether users can log in on the -virtual console, whether device ownership is correctly maintained when -switching between consoles, and so on. On the other hand, <filename + only needs a single machine to test whether users can log in on the virtual + console, whether device ownership is correctly maintained when switching + between consoles, and so on. On the other hand, + <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nfs.nix">nfs.nix</filename>, -which tests NFS client and server functionality in the Linux kernel -(including whether locks are maintained across server crashes), -requires three machines: a server and two clients.</para> - -<para>There are a few special NixOS configuration options for test -VMs: + which tests NFS client and server functionality in the Linux kernel + (including whether locks are maintained across server crashes), requires + three machines: a server and two clients. + </para> + <para> + There are a few special NixOS configuration options for test VMs: <!-- FIXME: would be nice to generate this automatically. --> - -<variablelist> - - <varlistentry> - <term><option>virtualisation.memorySize</option></term> - <listitem><para>The memory of the VM in - megabytes.</para></listitem> - </varlistentry> - - <varlistentry> - <term><option>virtualisation.vlans</option></term> - <listitem><para>The virtual networks to which the VM is - connected. See <filename + <variablelist> + <varlistentry> + <term><option>virtualisation.memorySize</option> + </term> + <listitem> + <para> + The memory of the VM in megabytes. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>virtualisation.vlans</option> + </term> + <listitem> + <para> + The virtual networks to which the VM is connected. See + <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nat.nix">nat.nix</filename> - for an example.</para></listitem> - </varlistentry> - - <varlistentry> - <term><option>virtualisation.writableStore</option></term> - <listitem><para>By default, the Nix store in the VM is not - writable. If you enable this option, a writable union file system - is mounted on top of the Nix store to make it appear - writable. This is necessary for tests that run Nix operations that - modify the store.</para></listitem> - </varlistentry> - -</variablelist> - -For more options, see the module <filename -xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix">qemu-vm.nix</filename>.</para> - -<para>The test script is a sequence of Perl statements that perform -various actions, such as starting VMs, executing commands in the VMs, -and so on. Each virtual machine is represented as an object stored in -the variable <literal>$<replaceable>name</replaceable></literal>, -where <replaceable>name</replaceable> is the identifier of the machine -(which is just <literal>machine</literal> if you didn’t specify -multiple machines using the <literal>nodes</literal> attribute). For -instance, the following starts the machine, waits until it has -finished booting, then executes a command and checks that the output -is more-or-less correct: - + for an example. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>virtualisation.writableStore</option> + </term> + <listitem> + <para> + By default, the Nix store in the VM is not writable. If you enable this + option, a writable union file system is mounted on top of the Nix store + to make it appear writable. This is necessary for tests that run Nix + operations that modify the store. + </para> + </listitem> + </varlistentry> + </variablelist> + For more options, see the module + <filename +xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix">qemu-vm.nix</filename>. + </para> + + <para> + The test script is a sequence of Perl statements that perform various + actions, such as starting VMs, executing commands in the VMs, and so on. Each + virtual machine is represented as an object stored in the variable + <literal>$<replaceable>name</replaceable></literal>, where + <replaceable>name</replaceable> is the identifier of the machine (which is + just <literal>machine</literal> if you didn’t specify multiple machines + using the <literal>nodes</literal> attribute). For instance, the following + starts the machine, waits until it has finished booting, then executes a + command and checks that the output is more-or-less correct: <programlisting> $machine->start; $machine->waitForUnit("default.target"); $machine->succeed("uname") =~ /Linux/; </programlisting> - -The first line is actually unnecessary; machines are implicitly -started when you first execute an action on them (such as -<literal>waitForUnit</literal> or <literal>succeed</literal>). If you -have multiple machines, you can speed up the test by starting them in -parallel: - + The first line is actually unnecessary; machines are implicitly started when + you first execute an action on them (such as <literal>waitForUnit</literal> + or <literal>succeed</literal>). If you have multiple machines, you can speed + up the test by starting them in parallel: <programlisting> startAll; </programlisting> - -</para> - -<para>The following methods are available on machine objects: - -<variablelist> - - <varlistentry> - <term><methodname>start</methodname></term> - <listitem><para>Start the virtual machine. This method is - asynchronous — it does not wait for the machine to finish - booting.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>shutdown</methodname></term> - <listitem><para>Shut down the machine, waiting for the VM to - exit.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>crash</methodname></term> - <listitem><para>Simulate a sudden power failure, by telling the VM - to exit immediately.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>block</methodname></term> - <listitem><para>Simulate unplugging the Ethernet cable that - connects the machine to the other machines.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>unblock</methodname></term> - <listitem><para>Undo the effect of - <methodname>block</methodname>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>screenshot</methodname></term> - <listitem><para>Take a picture of the display of the virtual - machine, in PNG format. The screenshot is linked from the HTML - log.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>getScreenText</methodname></term> - <listitem><para>Return a textual representation of what is currently - visible on the machine's screen using optical character - recognition.</para> - <note><para>This requires passing <option>enableOCR</option> to the test - attribute set.</para></note></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>sendMonitorCommand</methodname></term> - <listitem><para>Send a command to the QEMU monitor. This is rarely - used, but allows doing stuff such as attaching virtual USB disks - to a running machine.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>sendKeys</methodname></term> - <listitem><para>Simulate pressing keys on the virtual keyboard, - e.g., <literal>sendKeys("ctrl-alt-delete")</literal>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>sendChars</methodname></term> - <listitem><para>Simulate typing a sequence of characters on the - virtual keyboard, e.g., <literal>sendKeys("foobar\n")</literal> - will type the string <literal>foobar</literal> followed by the - Enter key.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>execute</methodname></term> - <listitem><para>Execute a shell command, returning a list - <literal>(<replaceable>status</replaceable>, - <replaceable>stdout</replaceable>)</literal>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>succeed</methodname></term> - <listitem><para>Execute a shell command, raising an exception if - the exit status is not zero, otherwise returning the standard - output.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>fail</methodname></term> - <listitem><para>Like <methodname>succeed</methodname>, but raising - an exception if the command returns a zero status.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitUntilSucceeds</methodname></term> - <listitem><para>Repeat a shell command with 1-second intervals - until it succeeds.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitUntilFails</methodname></term> - <listitem><para>Repeat a shell command with 1-second intervals - until it fails.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitForUnit</methodname></term> - <listitem><para>Wait until the specified systemd unit has reached - the “active” state.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitForFile</methodname></term> - <listitem><para>Wait until the specified file - exists.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitForOpenPort</methodname></term> - <listitem><para>Wait until a process is listening on the given TCP - port (on <literal>localhost</literal>, at least).</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitForClosedPort</methodname></term> - <listitem><para>Wait until nobody is listening on the given TCP - port.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitForX</methodname></term> - <listitem><para>Wait until the X11 server is accepting - connections.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitForText</methodname></term> - <listitem><para>Wait until the supplied regular expressions matches - the textual contents of the screen by using optical character recognition - (see <methodname>getScreenText</methodname>).</para> - <note><para>This requires passing <option>enableOCR</option> to the test - attribute set.</para></note></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>waitForWindow</methodname></term> - <listitem><para>Wait until an X11 window has appeared whose name - matches the given regular expression, e.g., - <literal>waitForWindow(qr/Terminal/)</literal>.</para></listitem> - </varlistentry> - - <varlistentry> - <term><methodname>copyFileFromHost</methodname></term> - <listitem><para>Copies a file from host to machine, e.g., - <literal>copyFileFromHost("myfile", "/etc/my/important/file")</literal>.</para> - <para>The first argument is the file on the host. The file needs to be - accessible while building the nix derivation. The second argument is - the location of the file on the machine.</para> + </para> + + <para> + The following methods are available on machine objects: + <variablelist> + <varlistentry> + <term><methodname>start</methodname> + </term> + <listitem> + <para> + Start the virtual machine. This method is asynchronous — it does not + wait for the machine to finish booting. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><methodname>systemctl</methodname></term> + </varlistentry> + <varlistentry> + <term><methodname>shutdown</methodname> + </term> + <listitem> + <para> + Shut down the machine, waiting for the VM to exit. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>crash</methodname> + </term> <listitem> - <para>Runs <literal>systemctl</literal> commands with optional support for - <literal>systemctl --user</literal></para> - <para> - <programlisting> + <para> + Simulate a sudden power failure, by telling the VM to exit immediately. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>block</methodname> + </term> + <listitem> + <para> + Simulate unplugging the Ethernet cable that connects the machine to the + other machines. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>unblock</methodname> + </term> + <listitem> + <para> + Undo the effect of <methodname>block</methodname>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>screenshot</methodname> + </term> + <listitem> + <para> + Take a picture of the display of the virtual machine, in PNG format. The + screenshot is linked from the HTML log. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>getScreenText</methodname> + </term> + <listitem> + <para> + Return a textual representation of what is currently visible on the + machine's screen using optical character recognition. + </para> + <note> + <para> + This requires passing <option>enableOCR</option> to the test attribute + set. + </para> + </note> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>sendMonitorCommand</methodname> + </term> + <listitem> + <para> + Send a command to the QEMU monitor. This is rarely used, but allows doing + stuff such as attaching virtual USB disks to a running machine. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>sendKeys</methodname> + </term> + <listitem> + <para> + Simulate pressing keys on the virtual keyboard, e.g., + <literal>sendKeys("ctrl-alt-delete")</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>sendChars</methodname> + </term> + <listitem> + <para> + Simulate typing a sequence of characters on the virtual keyboard, e.g., + <literal>sendKeys("foobar\n")</literal> will type the string + <literal>foobar</literal> followed by the Enter key. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>execute</methodname> + </term> + <listitem> + <para> + Execute a shell command, returning a list + <literal>(<replaceable>status</replaceable>, + <replaceable>stdout</replaceable>)</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>succeed</methodname> + </term> + <listitem> + <para> + Execute a shell command, raising an exception if the exit status is not + zero, otherwise returning the standard output. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>fail</methodname> + </term> + <listitem> + <para> + Like <methodname>succeed</methodname>, but raising an exception if the + command returns a zero status. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitUntilSucceeds</methodname> + </term> + <listitem> + <para> + Repeat a shell command with 1-second intervals until it succeeds. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitUntilFails</methodname> + </term> + <listitem> + <para> + Repeat a shell command with 1-second intervals until it fails. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitForUnit</methodname> + </term> + <listitem> + <para> + Wait until the specified systemd unit has reached the “active” state. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitForFile</methodname> + </term> + <listitem> + <para> + Wait until the specified file exists. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitForOpenPort</methodname> + </term> + <listitem> + <para> + Wait until a process is listening on the given TCP port (on + <literal>localhost</literal>, at least). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitForClosedPort</methodname> + </term> + <listitem> + <para> + Wait until nobody is listening on the given TCP port. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitForX</methodname> + </term> + <listitem> + <para> + Wait until the X11 server is accepting connections. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitForText</methodname> + </term> + <listitem> + <para> + Wait until the supplied regular expressions matches the textual contents + of the screen by using optical character recognition (see + <methodname>getScreenText</methodname>). + </para> + <note> + <para> + This requires passing <option>enableOCR</option> to the test attribute + set. + </para> + </note> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>waitForWindow</methodname> + </term> + <listitem> + <para> + Wait until an X11 window has appeared whose name matches the given + regular expression, e.g., <literal>waitForWindow(qr/Terminal/)</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>copyFileFromHost</methodname> + </term> + <listitem> + <para> + Copies a file from host to machine, e.g., + <literal>copyFileFromHost("myfile", "/etc/my/important/file")</literal>. + </para> + <para> + The first argument is the file on the host. The file needs to be + accessible while building the nix derivation. The second argument is the + location of the file on the machine. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><methodname>systemctl</methodname> + </term> + <listitem> + <para> + Runs <literal>systemctl</literal> commands with optional support for + <literal>systemctl --user</literal> + </para> + <para> +<programlisting> $machine->systemctl("list-jobs --no-pager"); // runs `systemctl list-jobs --no-pager` $machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager` </programlisting> - </para> + </para> </listitem> - </varlistentry> + </varlistentry> + </variablelist> + </para> -</variablelist> - -</para> - -<para> - To test user units declared by <literal>systemd.user.services</literal> the optional <literal>$user</literal> - argument can be used: - - <programlisting> + <para> + To test user units declared by <literal>systemd.user.services</literal> the + optional <literal>$user</literal> argument can be used: +<programlisting> $machine->start; $machine->waitForX; $machine->waitForUnit("xautolock.service", "x-session-user"); </programlisting> - This applies to <literal>systemctl</literal>, <literal>getUnitInfo</literal>, - <literal>waitForUnit</literal>, <literal>startJob</literal> - and <literal>stopJob</literal>. -</para> - + <literal>waitForUnit</literal>, <literal>startJob</literal> and + <literal>stopJob</literal>. + </para> </section> diff --git a/nixos/doc/manual/installation/changing-config.xml b/nixos/doc/manual/installation/changing-config.xml index 4db9020b9606..680160a3cb7e 100644 --- a/nixos/doc/manual/installation/changing-config.xml +++ b/nixos/doc/manual/installation/changing-config.xml @@ -2,101 +2,84 @@ xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="sec-changing-config"> - -<title>Changing the Configuration</title> - -<para>The file <filename>/etc/nixos/configuration.nix</filename> -contains the current configuration of your machine. Whenever you’ve -<link linkend="ch-configuration">changed something</link> in that file, you should do - + <title>Changing the Configuration</title> + <para> + The file <filename>/etc/nixos/configuration.nix</filename> contains the + current configuration of your machine. Whenever you’ve + <link linkend="ch-configuration">changed something</link> in that file, you + should do <screen> # nixos-rebuild switch</screen> - -to build the new configuration, make it the default configuration for -booting, and try to realise the configuration in the running system -(e.g., by restarting system services).</para> - -<warning><para>These commands must be executed as root, so you should -either run them from a root shell or by prefixing them with -<literal>sudo -i</literal>.</para></warning> - -<para>You can also do - + to build the new configuration, make it the default configuration for + booting, and try to realise the configuration in the running system (e.g., by + restarting system services). + </para> + <warning> + <para> + These commands must be executed as root, so you should either run them from + a root shell or by prefixing them with <literal>sudo -i</literal>. + </para> + </warning> + <para> + You can also do <screen> # nixos-rebuild test</screen> - -to build the configuration and switch the running system to it, but -without making it the boot default. So if (say) the configuration -locks up your machine, you can just reboot to get back to a working -configuration.</para> - -<para>There is also - + to build the configuration and switch the running system to it, but without + making it the boot default. So if (say) the configuration locks up your + machine, you can just reboot to get back to a working configuration. + </para> + <para> + There is also <screen> # nixos-rebuild boot</screen> - -to build the configuration and make it the boot default, but not -switch to it now (so it will only take effect after the next -reboot).</para> - -<para>You can make your configuration show up in a different submenu -of the GRUB 2 boot screen by giving it a different <emphasis>profile -name</emphasis>, e.g. - + to build the configuration and make it the boot default, but not switch to it + now (so it will only take effect after the next reboot). + </para> + <para> + You can make your configuration show up in a different submenu of the GRUB 2 + boot screen by giving it a different <emphasis>profile name</emphasis>, e.g. <screen> # nixos-rebuild switch -p test </screen> - -which causes the new configuration (and previous ones created using -<literal>-p test</literal>) to show up in the GRUB submenu “NixOS - -Profile 'test'”. This can be useful to separate test configurations -from “stable” configurations.</para> - -<para>Finally, you can do - + which causes the new configuration (and previous ones created using + <literal>-p test</literal>) to show up in the GRUB submenu “NixOS - Profile + 'test'”. This can be useful to separate test configurations from + “stable” configurations. + </para> + <para> + Finally, you can do <screen> $ nixos-rebuild build</screen> - -to build the configuration but nothing more. This is useful to see -whether everything compiles cleanly.</para> - -<para>If you have a machine that supports hardware virtualisation, you -can also test the new configuration in a sandbox by building and -running a QEMU <emphasis>virtual machine</emphasis> that contains the -desired configuration. Just do - + to build the configuration but nothing more. This is useful to see whether + everything compiles cleanly. + </para> + <para> + If you have a machine that supports hardware virtualisation, you can also + test the new configuration in a sandbox by building and running a QEMU + <emphasis>virtual machine</emphasis> that contains the desired configuration. + Just do <screen> $ nixos-rebuild build-vm $ ./result/bin/run-*-vm </screen> - -The VM does not have any data from your host system, so your existing -user accounts and home directories will not be available unless you -have set <literal>mutableUsers = false</literal>. Another way is to -temporarily add the following to your configuration: - + The VM does not have any data from your host system, so your existing user + accounts and home directories will not be available unless you have set + <literal>mutableUsers = false</literal>. Another way is to temporarily add + the following to your configuration: <screen> -users.extraUsers.your-user.initialPassword = "test" +<link linkend="opt-users.users._name__.initialHashedPassword">users.extraUsers.your-user.initialHashedPassword</link> = "test"; </screen> - -<emphasis>Important:</emphasis> delete the $hostname.qcow2 file if you -have started the virtual machine at least once without the right -users, otherwise the changes will not get picked up. - -You can forward ports on the host to the guest. For -instance, the following will forward host port 2222 to guest port 22 -(SSH): - + <emphasis>Important:</emphasis> delete the $hostname.qcow2 file if you have + started the virtual machine at least once without the right users, otherwise + the changes will not get picked up. You can forward ports on the host to the + guest. For instance, the following will forward host port 2222 to guest port + 22 (SSH): <screen> $ QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-*-vm </screen> - -allowing you to log in via SSH (assuming you have set the appropriate -passwords or SSH authorized keys): - + allowing you to log in via SSH (assuming you have set the appropriate + passwords or SSH authorized keys): <screen> $ ssh -p 2222 localhost </screen> - -</para> - + </para> </chapter> diff --git a/nixos/doc/manual/installation/installation.xml b/nixos/doc/manual/installation/installation.xml index ee61bedc4183..d4276be95d68 100644 --- a/nixos/doc/manual/installation/installation.xml +++ b/nixos/doc/manual/installation/installation.xml @@ -3,19 +3,15 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-installation"> - -<title>Installation</title> - -<partintro> - -<para>This section describes how to obtain, install, and configure -NixOS for first-time use.</para> - -</partintro> - -<xi:include href="obtaining.xml" /> -<xi:include href="installing.xml" /> -<xi:include href="changing-config.xml" /> -<xi:include href="upgrading.xml" /> - + <title>Installation</title> + <partintro> + <para> + This section describes how to obtain, install, and configure NixOS for + first-time use. + </para> + </partintro> + <xi:include href="obtaining.xml" /> + <xi:include href="installing.xml" /> + <xi:include href="changing-config.xml" /> + <xi:include href="upgrading.xml" /> </part> diff --git a/nixos/doc/manual/installation/installing-from-other-distro.xml b/nixos/doc/manual/installation/installing-from-other-distro.xml new file mode 100644 index 000000000000..8b0c350b064d --- /dev/null +++ b/nixos/doc/manual/installation/installing-from-other-distro.xml @@ -0,0 +1,356 @@ +<!-- vim: set expandtab ts=2 softtabstop=2 shiftwidth=2 smarttab textwidth=80 wrapmargin=2 --> +<section + xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-installing-from-other-distro"> + <title>Installing from another Linux distribution</title> + + <para> + Because Nix (the package manager) & Nixpkgs (the Nix packages collection) + can both be installed on any (most?) Linux distributions, they can be used to + install NixOS in various creative ways. You can, for instance: + </para> + + <orderedlist> + <listitem> + <para> + Install NixOS on another partition, from your existing Linux distribution + (without the use of a USB or optical device!) + </para> + </listitem> + <listitem> + <para> + Install NixOS on the same partition (in place!), from your existing + non-NixOS Linux distribution using <literal>NIXOS_LUSTRATE</literal>. + </para> + </listitem> + <listitem> + <para> + Install NixOS on your hard drive from the Live CD of any Linux + distribution. + </para> + </listitem> + </orderedlist> + + <para> + The first steps to all these are the same: + </para> + + <orderedlist> + <listitem> + <para> + Install the Nix package manager: + </para> + <para> + Short version: + </para> +<screen> +$ bash <(curl https://nixos.org/nix/install) +$ . $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell</screen> + <para> + More details in the + <link + xlink:href="https://nixos.org/nix/manual/#chap-quick-start"> + Nix manual</link> + </para> + </listitem> + <listitem> + <para> + Switch to the NixOS channel: + </para> + <para> + If you've just installed Nix on a non-NixOS distribution, you will be on + the <literal>nixpkgs</literal> channel by default. + </para> +<screen> +$ nix-channel --list +nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen> + <para> + As that channel gets released without running the NixOS tests, it will be + safer to use the <literal>nixos-*</literal> channels instead: + </para> +<screen> +$ nix-channel --add https://nixos.org/channels/nixos-<replaceable>version</replaceable> nixpkgs</screen> + <para> + You may want to throw in a <literal>nix-channel --update</literal> for good + measure. + </para> + </listitem> + <listitem> + <para> + Install the NixOS installation tools: + </para> + <para> + You'll need <literal>nixos-generate-config</literal> and + <literal>nixos-install</literal> and we'll throw in some man pages and + <literal>nixos-enter</literal> just in case you want to chroot into your + NixOS partition. They are installed by default on NixOS, but you don't have + NixOS yet.. + </para> +<screen>$ nix-env -iE "_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"</screen> + </listitem> + <listitem> + <note> + <para> + The following 5 steps are only for installing NixOS to another partition. + For installing NixOS in place using <literal>NIXOS_LUSTRATE</literal>, + skip ahead. + </para> + </note> + <para> + Prepare your target partition: + </para> + <para> + At this point it is time to prepare your target partition. Please refer to + the partitioning, file-system creation, and mounting steps of + <xref linkend="sec-installation" /> + </para> + <para> + If you're about to install NixOS in place using + <literal>NIXOS_LUSTRATE</literal> there is nothing to do for this step. + </para> + </listitem> + <listitem> + <para> + Generate your NixOS configuration: + </para> +<screen>$ sudo `which nixos-generate-config` --root /mnt</screen> + <para> + You'll probably want to edit the configuration files. Refer to the + <literal>nixos-generate-config</literal> step in + <xref + linkend="sec-installation" /> for more + information. + </para> + <para> + Consider setting up the NixOS bootloader to give you the ability to boot on + your existing Linux partition. For instance, if you're using GRUB and your + existing distribution is running Ubuntu, you may want to add something like + this to your <literal>configuration.nix</literal>: + </para> +<programlisting> +<xref linkend="opt-boot.loader.grub.extraEntries"/> = '' + menuentry "Ubuntu" { + search --set=ubuntu --fs-uuid 3cc3e652-0c1f-4800-8451-033754f68e6e + configfile "($ubuntu)/boot/grub/grub.cfg" + } +'';</programlisting> + <para> + (You can find the appropriate UUID for your partition in + <literal>/dev/disk/by-uuid</literal>) + </para> + </listitem> + <listitem> + <para> + Create the <literal>nixbld</literal> group and user on your original + distribution: + </para> +<screen> +$ sudo groupadd -g 30000 nixbld +$ sudo useradd -u 30000 -g nixbld -G nixbld nixbld</screen> + </listitem> + <listitem> + <para> + Download/build/install NixOS: + </para> + <warning> + <para> + Once you complete this step, you might no longer be able to boot on + existing systems without the help of a rescue USB drive or similar. + </para> + </warning> +<screen>$ sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt</screen> + <para> + Again, please refer to the <literal>nixos-install</literal> step in + <xref linkend="sec-installation" /> for more information. + </para> + <para> + That should be it for installation to another partition! + </para> + </listitem> + <listitem> + <para> + Optionally, you may want to clean up your non-NixOS distribution: + </para> +<screen> +$ sudo userdel nixbld +$ sudo groupdel nixbld</screen> + <para> + If you do not wish to keep the Nix package manager installed either, run + something like <literal>sudo rm -rv ~/.nix-* /nix</literal> and remove the + line that the Nix installer added to your <literal>~/.profile</literal>. + </para> + </listitem> + <listitem> + <note> + <para> + The following steps are only for installing NixOS in place using + <literal>NIXOS_LUSTRATE</literal>: + </para> + </note> + <para> + Generate your NixOS configuration: + </para> +<screen>$ sudo `which nixos-generate-config` --root /</screen> + <para> + Note that this will place the generated configuration files in + <literal>/etc/nixos</literal>. You'll probably want to edit the + configuration files. Refer to the <literal>nixos-generate-config</literal> + step in <xref + linkend="sec-installation" /> for more + information. + </para> + <para> + You'll likely want to set a root password for your first boot using the + configuration files because you won't have a chance to enter a password + until after you reboot. You can initalize the root password to an empty one + with this line: (and of course don't forget to set one once you've rebooted + or to lock the account with <literal>sudo passwd -l root</literal> if you + use <literal>sudo</literal>) + </para> +<programlisting> +<link linkend="opt-users.users._name__.initialHashedPassword">users.extraUsers.root.initialHashedPassword</link> = ""; + </programlisting> + </listitem> + <listitem> + <para> + Build the NixOS closure and install it in the <literal>system</literal> + profile: + </para> +<screen>$ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -I nixos-config=/etc/nixos/configuration.nix -iA system</screen> + </listitem> + <listitem> + <para> + Change ownership of the <literal>/nix</literal> tree to root (since your + Nix install was probably single user): + </para> +<screen>$ sudo chown -R 0.0 /nix</screen> + </listitem> + <listitem> + <para> + Set up the <literal>/etc/NIXOS</literal> and + <literal>/etc/NIXOS_LUSTRATE</literal> files: + </para> + <para> + <literal>/etc/NIXOS</literal> officializes that this is now a NixOS + partition (the bootup scripts require its presence). + </para> + <para> + <literal>/etc/NIXOS_LUSTRATE</literal> tells the NixOS bootup scripts to + move <emphasis>everything</emphasis> that's in the root partition to + <literal>/old-root</literal>. This will move your existing distribution out + of the way in the very early stages of the NixOS bootup. There are + exceptions (we do need to keep NixOS there after all), so the NixOS + lustrate process will not touch: + </para> + <itemizedlist> + <listitem> + <para> + The <literal>/nix</literal> directory + </para> + </listitem> + <listitem> + <para> + The <literal>/boot</literal> directory + </para> + </listitem> + <listitem> + <para> + Any file or directory listed in <literal>/etc/NIXOS_LUSTRATE</literal> + (one per line) + </para> + </listitem> + </itemizedlist> + <note> + <para> + Support for <literal>NIXOS_LUSTRATE</literal> was added in NixOS 16.09. + The act of "lustrating" refers to the wiping of the existing distribution. + Creating <literal>/etc/NIXOS_LUSTRATE</literal> can also be used on NixOS + to remove all mutable files from your root partition (anything that's not + in <literal>/nix</literal> or <literal>/boot</literal> gets "lustrated" on + the next boot. + </para> + <para> + lustrate /ˈlʌstreɪt/ verb. + </para> + <para> + purify by expiatory sacrifice, ceremonial washing, or some other ritual + action. + </para> + </note> + <para> + Let's create the files: + </para> +<screen> +$ sudo touch /etc/NIXOS +$ sudo touch /etc/NIXOS_LUSTRATE + </screen> + <para> + Let's also make sure the NixOS configuration files are kept once we reboot + on NixOS: + </para> +<screen> +$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE + </screen> + </listitem> + <listitem> + <para> + Finally, move the <literal>/boot</literal> directory of your current + distribution out of the way (the lustrate process will take care of the + rest once you reboot, but this one must be moved out now because NixOS + needs to install its own boot files: + </para> + <warning> + <para> + Once you complete this step, your current distribution will no longer be + bootable! If you didn't get all the NixOS configuration right, especially + those settings pertaining to boot loading and root partition, NixOS may + not be bootable either. Have a USB rescue device ready in case this + happens. + </para> + </warning> +<screen> +$ sudo mv -v /boot /boot.bak && + sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot</screen> + <para> + Cross your fingers, reboot, hopefully you should get a NixOS prompt! + </para> + </listitem> + <listitem> + <para> + If for some reason you want to revert to the old distribution, you'll need + to boot on a USB rescue disk and do something along these lines: + </para> +<screen> +# mkdir root +# mount /dev/sdaX root +# mkdir root/nixos-root +# mv -v root/* root/nixos-root/ +# mv -v root/nixos-root/old-root/* root/ +# mv -v root/boot.bak root/boot # We had renamed this by hand earlier +# umount root +# reboot</screen> + <para> + This may work as is or you might also need to reinstall the boot loader + </para> + <para> + And of course, if you're happy with NixOS and no longer need the old + distribution: + </para> +<screen>sudo rm -rf /old-root</screen> + </listitem> + <listitem> + <para> + It's also worth noting that this whole process can be automated. This is + especially useful for Cloud VMs, where provider do not provide NixOS. For + instance, + <link + xlink:href="https://github.com/elitak/nixos-infect">nixos-infect</link> + uses the lustrate process to convert Digital Ocean droplets to NixOS from + other distributions automatically. + </para> + </listitem> + </orderedlist> +</section> diff --git a/nixos/doc/manual/installation/installing-pxe.xml b/nixos/doc/manual/installation/installing-pxe.xml index 7b7597c91626..94199e5e028d 100644 --- a/nixos/doc/manual/installation/installing-pxe.xml +++ b/nixos/doc/manual/installation/installing-pxe.xml @@ -3,46 +3,48 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-booting-from-pxe"> + <title>Booting from the <quote>netboot</quote> media (PXE)</title> -<title>Booting from the <quote>netboot</quote> media (PXE)</title> -<para> - Advanced users may wish to install NixOS using an existing PXE or - iPXE setup. -</para> -<para> + <para> + Advanced users may wish to install NixOS using an existing PXE or iPXE setup. + </para> + + <para> These instructions assume that you have an existing PXE or iPXE - infrastructure and simply want to add the NixOS installer as another - option. To build the necessary files from a recent version of - nixpkgs, you can run: -</para> + infrastructure and simply want to add the NixOS installer as another option. + To build the necessary files from a recent version of nixpkgs, you can run: + </para> + <programlisting> nix-build -A netboot nixos/release.nix </programlisting> -<para> + + <para> This will create a <literal>result</literal> directory containing: * - <literal>bzImage</literal> – the Linux kernel * - <literal>initrd</literal> – the initrd file * - <literal>netboot.ipxe</literal> – an example ipxe script - demonstrating the appropriate kernel command line arguments for this + <literal>bzImage</literal> – the Linux kernel * <literal>initrd</literal> + – the initrd file * <literal>netboot.ipxe</literal> – an example ipxe + script demonstrating the appropriate kernel command line arguments for this image -</para> -<para> + </para> + + <para> If you’re using plain PXE, configure your boot loader to use the - <literal>bzImage</literal> and <literal>initrd</literal> files and - have it provide the same kernel command line arguments found in + <literal>bzImage</literal> and <literal>initrd</literal> files and have it + provide the same kernel command line arguments found in <literal>netboot.ipxe</literal>. -</para> -<para> + </para> + + <para> If you’re using iPXE, depending on how your HTTP/FTP/etc. server is - configured you may be able to use <literal>netboot.ipxe</literal> - unmodified, or you may need to update the paths to the files to - match your server’s directory layout -</para> -<para> - In the future we may begin making these files available as build - products from hydra at which point we will update this documentation - with instructions on how to obtain them either for placing on a - dedicated TFTP server or to boot them directly over the internet. -</para> + configured you may be able to use <literal>netboot.ipxe</literal> unmodified, + or you may need to update the paths to the files to match your server’s + directory layout + </para> + <para> + In the future we may begin making these files available as build products + from hydra at which point we will update this documentation with instructions + on how to obtain them either for placing on a dedicated TFTP server or to + boot them directly over the internet. + </para> </section> diff --git a/nixos/doc/manual/installation/installing-usb.xml b/nixos/doc/manual/installation/installing-usb.xml index 122a4745f194..c5934111749c 100644 --- a/nixos/doc/manual/installation/installing-usb.xml +++ b/nixos/doc/manual/installation/installing-usb.xml @@ -3,17 +3,19 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-booting-from-usb"> + <title>Booting from a USB Drive</title> -<title>Booting from a USB Drive</title> + <para> + For systems without CD drive, the NixOS live CD can be booted from a USB + stick. You can use the <command>dd</command> utility to write the image: + <command>dd if=<replaceable>path-to-image</replaceable> + of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying + the correct drive; you can use the <command>lsblk</command> command to get a + list of block devices. + </para> -<para>For systems without CD drive, the NixOS live CD can be booted from -a USB stick. You can use the <command>dd</command> utility to write the image: -<command>dd if=<replaceable>path-to-image</replaceable> -of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the -correct drive; you can use the <command>lsblk</command> command to get a list of -block devices.</para> - -<para>On macOS: + <para> + On macOS: <programlisting> $ diskutil list [..] @@ -24,36 +26,43 @@ $ diskutil unmountDisk diskN Unmount of all volumes on diskN was successful $ sudo dd bs=1m if=nix.iso of=/dev/rdiskN </programlisting> -Using the 'raw' <command>rdiskN</command> device instead of <command>diskN</command> -completes in minutes instead of hours. After <command>dd</command> completes, a GUI -dialog "The disk you inserted was not readable by this computer" will pop up, which -can be ignored.</para> - -<para>The <command>dd</command> utility will write the image verbatim to the drive, -making it the recommended option for both UEFI and non-UEFI installations. For -non-UEFI installations, you can alternatively use -<link xlink:href="http://unetbootin.sourceforge.net/">unetbootin</link>. If you -cannot use <command>dd</command> for a UEFI installation, you can also mount the -ISO, copy its contents verbatim to your drive, then either: - -<itemizedlist> - <listitem> - <para>Change the label of the disk partition to the label of the ISO - (visible with the blkid command), or</para> - </listitem> - <listitem> - <para>Edit <filename>loader/entries/nixos-livecd.conf</filename> on the drive - and change the <literal>root=</literal> field in the <literal>options</literal> - line to point to your drive (see the documentation on <literal>root=</literal> - in <link xlink:href="https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt"> - the kernel documentation</link> for more details).</para> - </listitem> - <listitem> - <para>If you want to load the contents of the ISO to ram after bootin - (So you can remove the stick after bootup) you can append the parameter - <literal>copytoram</literal>to the <literal>options</literal> field.</para> - </listitem> -</itemizedlist> -</para> + Using the 'raw' <command>rdiskN</command> device instead of + <command>diskN</command> completes in minutes instead of hours. After + <command>dd</command> completes, a GUI dialog "The disk you inserted was not + readable by this computer" will pop up, which can be ignored. + </para> + <para> + The <command>dd</command> utility will write the image verbatim to the drive, + making it the recommended option for both UEFI and non-UEFI installations. + For non-UEFI installations, you can alternatively use + <link xlink:href="http://unetbootin.sourceforge.net/">unetbootin</link>. If + you cannot use <command>dd</command> for a UEFI installation, you can also + mount the ISO, copy its contents verbatim to your drive, then either: + <itemizedlist> + <listitem> + <para> + Change the label of the disk partition to the label of the ISO (visible + with the blkid command), or + </para> + </listitem> + <listitem> + <para> + Edit <filename>loader/entries/nixos-livecd.conf</filename> on the drive + and change the <literal>root=</literal> field in the + <literal>options</literal> line to point to your drive (see the + documentation on <literal>root=</literal> in + <link xlink:href="https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt"> + the kernel documentation</link> for more details). + </para> + </listitem> + <listitem> + <para> + If you want to load the contents of the ISO to ram after bootin (So you + can remove the stick after bootup) you can append the parameter + <literal>copytoram</literal> to the <literal>options</literal> field. + </para> + </listitem> + </itemizedlist> + </para> </section> diff --git a/nixos/doc/manual/installation/installing-virtualbox-guest.xml b/nixos/doc/manual/installation/installing-virtualbox-guest.xml index 7fcd22a112cf..da78b480f5aa 100644 --- a/nixos/doc/manual/installation/installing-virtualbox-guest.xml +++ b/nixos/doc/manual/installation/installing-virtualbox-guest.xml @@ -3,63 +3,82 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-instaling-virtualbox-guest"> + <title>Installing in a VirtualBox guest</title> -<title>Installing in a VirtualBox guest</title> -<para> + <para> Installing NixOS into a VirtualBox guest is convenient for users who want to try NixOS without installing it on bare metal. If you want to use a pre-made - VirtualBox appliance, it is available at <link - xlink:href="https://nixos.org/nixos/download.html">the downloads page</link>. - If you want to set up a VirtualBox guest manually, follow these instructions: -</para> - -<orderedlist> - - <listitem><para>Add a New Machine in VirtualBox with OS Type "Linux / Other - Linux"</para></listitem> - - <listitem><para>Base Memory Size: 768 MB or higher.</para></listitem> - - <listitem><para>New Hard Disk of 8 GB or higher.</para></listitem> - - <listitem><para>Mount the CD-ROM with the NixOS ISO (by clicking on - CD/DVD-ROM)</para></listitem> - - <listitem><para>Click on Settings / System / Processor and enable - PAE/NX</para></listitem> - - <listitem><para>Click on Settings / System / Acceleration and enable - "VT-x/AMD-V" acceleration</para></listitem> - - <listitem><para>Save the settings, start the virtual machine, and continue - installation like normal</para></listitem> - -</orderedlist> - -<para> - There are a few modifications you should make in configuration.nix. - Enable booting: -</para> + VirtualBox appliance, it is available at + <link + xlink:href="https://nixos.org/nixos/download.html">the downloads + page</link>. If you want to set up a VirtualBox guest manually, follow these + instructions: + </para> + + <orderedlist> + <listitem> + <para> + Add a New Machine in VirtualBox with OS Type "Linux / Other Linux" + </para> + </listitem> + <listitem> + <para> + Base Memory Size: 768 MB or higher. + </para> + </listitem> + <listitem> + <para> + New Hard Disk of 8 GB or higher. + </para> + </listitem> + <listitem> + <para> + Mount the CD-ROM with the NixOS ISO (by clicking on CD/DVD-ROM) + </para> + </listitem> + <listitem> + <para> + Click on Settings / System / Processor and enable PAE/NX + </para> + </listitem> + <listitem> + <para> + Click on Settings / System / Acceleration and enable "VT-x/AMD-V" + acceleration + </para> + </listitem> + <listitem> + <para> + Save the settings, start the virtual machine, and continue installation + like normal + </para> + </listitem> + </orderedlist> + + <para> + There are a few modifications you should make in configuration.nix. Enable + booting: + </para> <programlisting> -boot.loader.grub.device = "/dev/sda"; +<xref linkend="opt-boot.loader.grub.device"/> = "/dev/sda"; </programlisting> -<para> + <para> Also remove the fsck that runs at startup. It will always fail to run, stopping your boot until you press <literal>*</literal>. -</para> + </para> <programlisting> -boot.initrd.checkJournalingFS = false; +<xref linkend="opt-boot.initrd.checkJournalingFS"/> = false; </programlisting> -<para> + <para> Shared folders can be given a name and a path in the host system in the VirtualBox settings (Machine / Settings / Shared Folders, then click on the "Add" icon). Add the following to the <literal>/etc/nixos/configuration.nix</literal> to auto-mount them: -</para> + </para> <programlisting> { config, pkgs, ...} : @@ -74,8 +93,7 @@ boot.initrd.checkJournalingFS = false; } </programlisting> -<para> + <para> The folder will be available directly under the root directory. -</para> - + </para> </section> diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index 2a5d1fc3ce8d..4e1fde662d6e 100644 --- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -3,66 +3,92 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-installation"> - -<title>Installing NixOS</title> - -<para>NixOS can be installed on BIOS or UEFI systems. The procedure -for a UEFI installation is by and large the same as a BIOS installation. The differences are mentioned in the steps that follow.</para> - -<orderedlist> - - <listitem><para>Boot from the CD.</para> - <variablelist> - <varlistentry><term>UEFI systems</term> - <listitem><para>You should boot the live CD in UEFI mode - (consult your specific hardware's documentation for instructions). - You may find the <link xlink:href="http://www.rodsbooks.com/refind">rEFInd boot - manager</link> useful.</para></listitem></varlistentry></variablelist></listitem> - - <listitem><para>The CD contains a basic NixOS installation. (It - also contains Memtest86+, useful if you want to test new hardware). - When it’s finished booting, it should have detected most of your - hardware.</para></listitem> - - <listitem><para>The NixOS manual is available on virtual console 8 - (press Alt+F8 to access) or by running <command>nixos-help</command>. - </para></listitem> - - <listitem><para>You get logged in as <literal>root</literal> - (with empty password).</para></listitem> - - <listitem><para>If you downloaded the graphical ISO image, you can - run <command>systemctl start display-manager</command> to start KDE. If you - want to continue on the terminal, you can use - <command>loadkeys</command> to switch to your preferred keyboard layout. - (We even provide neo2 via <command>loadkeys de neo</command>!)</para></listitem> - - <listitem><para>The boot process should have brought up networking (check - <command>ip a</command>). Networking is necessary for the - installer, since it will download lots of stuff (such as source - tarballs or Nixpkgs channel binaries). It’s best if you have a DHCP - server on your network. Otherwise configure networking manually - using <command>ifconfig</command>.</para> - <para>To manually configure the network on the graphical installer, - first disable network-manager with - <command>systemctl stop network-manager</command>.</para> - <para>To manually configure the wifi on the minimal installer, run - <command>wpa_supplicant -B -i interface -c <(wpa_passphrase 'SSID' 'key')</command>.</para></listitem> - - - <listitem><para>If you would like to continue the installation from a different - machine you need to activate the SSH daemon via <literal>systemctl start sshd</literal>. - In order to be able to login you also need to set a password for - <literal>root</literal> using <literal>passwd</literal>.</para></listitem> - - <listitem><para>The NixOS installer doesn’t do any partitioning or - formatting yet, so you need to do that yourself. Use the following - commands: - - <itemizedlist> - - <listitem><para>For partitioning: - <command>fdisk</command>. + <title>Installing NixOS</title> + <para> + NixOS can be installed on BIOS or UEFI systems. The procedure for a UEFI + installation is by and large the same as a BIOS installation. The differences + are mentioned in the steps that follow. + </para> + <orderedlist> + <listitem> + <para> + Boot from the CD. + </para> + <variablelist> + <varlistentry> + <term>UEFI systems</term> + <listitem> + <para> + You should boot the live CD in UEFI mode (consult your specific + hardware's documentation for instructions). You may find the + <link xlink:href="http://www.rodsbooks.com/refind">rEFInd boot + manager</link> useful. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + <listitem> + <para> + The CD contains a basic NixOS installation. (It also contains Memtest86+, + useful if you want to test new hardware). When it’s finished booting, it + should have detected most of your hardware. + </para> + </listitem> + <listitem> + <para> + The NixOS manual is available on virtual console 8 (press Alt+F8 to access) + or by running <command>nixos-help</command>. + </para> + </listitem> + <listitem> + <para> + You get logged in as <literal>root</literal> (with empty password). + </para> + </listitem> + <listitem> + <para> + If you downloaded the graphical ISO image, you can run <command>systemctl + start display-manager</command> to start KDE. If you want to continue on + the terminal, you can use <command>loadkeys</command> to switch to your + preferred keyboard layout. (We even provide neo2 via <command>loadkeys de + neo</command>!) + </para> + </listitem> + <listitem> + <para> + The boot process should have brought up networking (check <command>ip + a</command>). Networking is necessary for the installer, since it will + download lots of stuff (such as source tarballs or Nixpkgs channel + binaries). It’s best if you have a DHCP server on your network. Otherwise + configure networking manually using <command>ifconfig</command>. + </para> + <para> + To manually configure the network on the graphical installer, first disable + network-manager with <command>systemctl stop network-manager</command>. + </para> + <para> + To manually configure the wifi on the minimal installer, run + <command>wpa_supplicant -B -i interface -c <(wpa_passphrase 'SSID' + 'key')</command>. + </para> + </listitem> + <listitem> + <para> + If you would like to continue the installation from a different machine you + need to activate the SSH daemon via <literal>systemctl start + sshd</literal>. In order to be able to login you also need to set a + password for <literal>root</literal> using <literal>passwd</literal>. + </para> + </listitem> + <listitem> + <para> + The NixOS installer doesn’t do any partitioning or formatting yet, so you + need to do that yourself. Use the following commands: + <itemizedlist> + <listitem> + <para> + For partitioning: <command>fdisk</command>. <screen> # fdisk /dev/sda # <lineannotation>(or whatever device you want to install on)</lineannotation> -- for UEFI systems only @@ -86,259 +112,266 @@ for a UEFI installation is by and large the same as a BIOS installation. The dif > x # <lineannotation>(enter expert mode)</lineannotation> > f # <lineannotation>(fix up the partition ordering)</lineannotation> > r # <lineannotation>(exit expert mode)</lineannotation> -> w # <lineannotation>(write the partition table to disk and exit)</lineannotation></screen></para></listitem> - - <listitem><para>For initialising Ext4 partitions: - <command>mkfs.ext4</command>. It is recommended that you assign a - unique symbolic label to the file system using the option - <option>-L <replaceable>label</replaceable></option>, since this - makes the file system configuration independent from device - changes. For example: - +> w # <lineannotation>(write the partition table to disk and exit)</lineannotation></screen> + </para> + </listitem> + <listitem> + <para> + For initialising Ext4 partitions: <command>mkfs.ext4</command>. It is + recommended that you assign a unique symbolic label to the file system + using the option <option>-L <replaceable>label</replaceable></option>, + since this makes the file system configuration independent from device + changes. For example: <screen> # mkfs.ext4 -L nixos /dev/sda1</screen> - - </para></listitem> - - <listitem><para>For creating swap partitions: - <command>mkswap</command>. Again it’s recommended to assign a - label to the swap partition: <option>-L - <replaceable>label</replaceable></option>. For example: - + </para> + </listitem> + <listitem> + <para> + For creating swap partitions: <command>mkswap</command>. Again it’s + recommended to assign a label to the swap partition: <option>-L + <replaceable>label</replaceable></option>. For example: <screen> # mkswap -L swap /dev/sda2</screen> - - </para></listitem> - - <listitem> - <variablelist> - <varlistentry><term>UEFI systems</term> - <listitem><para>For creating boot partitions: - <command>mkfs.fat</command>. Again it’s recommended to assign a - label to the boot partition: <option>-L - <replaceable>label</replaceable></option>. For example: - -<screen> -# mkfs.fat -F 32 -L boot /dev/sda3</screen> - - </para></listitem></varlistentry></variablelist></listitem> - - <listitem><para>For creating LVM volumes, the LVM commands, e.g., - + </para> + </listitem> + <listitem> + <variablelist> + <varlistentry> + <term>UEFI systems</term> + <listitem> + <para> + For creating boot partitions: <command>mkfs.fat</command>. Again + it’s recommended to assign a label to the boot partition: + <option>-n <replaceable>label</replaceable></option>. For example: <screen> -# pvcreate /dev/sda1 /dev/sdb1 -# vgcreate MyVolGroup /dev/sda1 /dev/sdb1 -# lvcreate --size 2G --name bigdisk MyVolGroup -# lvcreate --size 1G --name smalldisk MyVolGroup</screen> - - </para></listitem> - - <listitem><para>For creating software RAID devices, use - <command>mdadm</command>.</para></listitem> - - </itemizedlist> - - </para></listitem> - - <listitem><para>Mount the target file system on which NixOS should - be installed on <filename>/mnt</filename>, e.g. - +# mkfs.fat -F 32 -n boot /dev/sda3</screen> + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + <listitem> + <para> + For creating LVM volumes, the LVM commands, e.g., + <command>pvcreate</command>, <command>vgcreate</command>, and + <command>lvcreate</command>. + </para> + </listitem> + <listitem> + <para> + For creating software RAID devices, use <command>mdadm</command>. + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + <listitem> + <para> + Mount the target file system on which NixOS should be installed on + <filename>/mnt</filename>, e.g. <screen> # mount /dev/disk/by-label/nixos /mnt </screen> - - </para></listitem> - + </para> + </listitem> <listitem> - <variablelist> - <varlistentry><term>UEFI systems</term> - <listitem><para>Mount the boot file system on <filename>/mnt/boot</filename>, e.g. - + <variablelist> + <varlistentry> + <term>UEFI systems</term> + <listitem> + <para> + Mount the boot file system on <filename>/mnt/boot</filename>, e.g. <screen> +# mkdir -p /mnt/boot # mount /dev/disk/by-label/boot /mnt/boot </screen> - - </para></listitem></varlistentry></variablelist></listitem> - - <listitem><para>If your machine has a limited amount of memory, you - may want to activate swap devices now (<command>swapon - <replaceable>device</replaceable></command>). The installer (or - rather, the build actions that it may spawn) may need quite a bit of - RAM, depending on your configuration. - + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + <listitem> + <para> + If your machine has a limited amount of memory, you may want to activate + swap devices now (<command>swapon + <replaceable>device</replaceable></command>). The installer (or rather, the + build actions that it may spawn) may need quite a bit of RAM, depending on + your configuration. <screen> # swapon /dev/sda2</screen> - - </para></listitem> - + </para> + </listitem> <listitem> - - <para>You now need to create a file - <filename>/mnt/etc/nixos/configuration.nix</filename> that - specifies the intended configuration of the system. This is - because NixOS has a <emphasis>declarative</emphasis> configuration - model: you create or edit a description of the desired - configuration of your system, and then NixOS takes care of making - it happen. The syntax of the NixOS configuration file is - described in <xref linkend="sec-configuration-syntax"/>, while a - list of available configuration options appears in <xref - linkend="ch-options"/>. A minimal example is shown in <xref - linkend="ex-config"/>.</para> - - <para>The command <command>nixos-generate-config</command> can - generate an initial configuration file for you: - + <para> + You now need to create a file + <filename>/mnt/etc/nixos/configuration.nix</filename> that specifies the + intended configuration of the system. This is because NixOS has a + <emphasis>declarative</emphasis> configuration model: you create or edit a + description of the desired configuration of your system, and then NixOS + takes care of making it happen. The syntax of the NixOS configuration file + is described in <xref linkend="sec-configuration-syntax"/>, while a list of + available configuration options appears in + <xref + linkend="ch-options"/>. A minimal example is shown in + <xref + linkend="ex-config"/>. + </para> + <para> + The command <command>nixos-generate-config</command> can generate an + initial configuration file for you: <screen> # nixos-generate-config --root /mnt</screen> - - You should then edit - <filename>/mnt/etc/nixos/configuration.nix</filename> to suit your - needs: - + You should then edit <filename>/mnt/etc/nixos/configuration.nix</filename> + to suit your needs: <screen> # nano /mnt/etc/nixos/configuration.nix </screen> - - If you’re using the graphical ISO image, other editors may be - available (such as <command>vim</command>). If you have network - access, you can also install other editors — for instance, you can - install Emacs by running <literal>nix-env -i - emacs</literal>.</para> - - <variablelist> - - <varlistentry><term>BIOS systems</term> - <listitem><para>You <emphasis>must</emphasis> set the option - <option>boot.loader.grub.device</option> to specify on which disk - the GRUB boot loader is to be installed. Without it, NixOS cannot - boot.</para></listitem></varlistentry> - - <varlistentry><term>UEFI systems</term> - <listitem><para>You <emphasis>must</emphasis> set the option - <option>boot.loader.systemd-boot.enable</option> to <literal>true</literal>. - <command>nixos-generate-config</command> should do this automatically for new - configurations when booted in - UEFI mode.</para> - <para>You may want to look at the options starting with - <option>boot.loader.efi</option> and <option>boot.loader.systemd-boot</option> - as well.</para></listitem></varlistentry> - - </variablelist> - - <para>If there are other operating systems running on the machine before - installing NixOS, the - <option>boot.loader.grub.useOSProber</option> option can be set to - <literal>true</literal> to automatically add them to the grub menu.</para> - - <para>Another critical option is <option>fileSystems</option>, - specifying the file systems that need to be mounted by NixOS. - However, you typically don’t need to set it yourself, because + If you’re using the graphical ISO image, other editors may be available + (such as <command>vim</command>). If you have network access, you can also + install other editors — for instance, you can install Emacs by running + <literal>nix-env -i emacs</literal>. + </para> + <variablelist> + <varlistentry> + <term>BIOS systems</term> + <listitem> + <para> + You <emphasis>must</emphasis> set the option + <xref linkend="opt-boot.loader.grub.device"/> to specify on which disk + the GRUB boot loader is to be installed. Without it, NixOS cannot boot. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>UEFI systems</term> + <listitem> + <para> + You <emphasis>must</emphasis> set the option + <xref linkend="opt-boot.loader.systemd-boot.enable"/> to + <literal>true</literal>. <command>nixos-generate-config</command> should + do this automatically for new configurations when booted in UEFI mode. + </para> + <para> + You may want to look at the options starting with + <option><link linkend="opt-boot.loader.efi.canTouchEfiVariables">boot.loader.efi</link></option> + and + <option><link linkend="opt-boot.loader.systemd-boot.enable">boot.loader.systemd</link></option> + as well. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + If there are other operating systems running on the machine before + installing NixOS, the <xref linkend="opt-boot.loader.grub.useOSProber"/> + option can be set to <literal>true</literal> to automatically add them to + the grub menu. + </para> + <para> + Another critical option is <option>fileSystems</option>, specifying the + file systems that need to be mounted by NixOS. However, you typically + don’t need to set it yourself, because <command>nixos-generate-config</command> sets it automatically in - <filename>/mnt/etc/nixos/hardware-configuration.nix</filename> - from your currently mounted file systems. (The configuration file + <filename>/mnt/etc/nixos/hardware-configuration.nix</filename> from your + currently mounted file systems. (The configuration file <filename>hardware-configuration.nix</filename> is included from - <filename>configuration.nix</filename> and will be overwritten by - future invocations of <command>nixos-generate-config</command>; - thus, you generally should not modify it.)</para> - - <note><para>Depending on your hardware configuration or type of - file system, you may need to set the option - <option>boot.initrd.kernelModules</option> to include the kernel - modules that are necessary for mounting the root file system, - otherwise the installed system will not be able to boot. (If this - happens, boot from the CD again, mount the target file system on - <filename>/mnt</filename>, fix - <filename>/mnt/etc/nixos/configuration.nix</filename> and rerun - <filename>nixos-install</filename>.) In most cases, - <command>nixos-generate-config</command> will figure out the - required modules.</para></note> - + <filename>configuration.nix</filename> and will be overwritten by future + invocations of <command>nixos-generate-config</command>; thus, you + generally should not modify it.) + </para> + <note> + <para> + Depending on your hardware configuration or type of file system, you may + need to set the option <option>boot.initrd.kernelModules</option> to + include the kernel modules that are necessary for mounting the root file + system, otherwise the installed system will not be able to boot. (If this + happens, boot from the CD again, mount the target file system on + <filename>/mnt</filename>, fix + <filename>/mnt/etc/nixos/configuration.nix</filename> and rerun + <filename>nixos-install</filename>.) In most cases, + <command>nixos-generate-config</command> will figure out the required + modules. + </para> + </note> </listitem> - - <listitem><para>Do the installation: - + <listitem> + <para> + Do the installation: <screen> # nixos-install</screen> - - Cross fingers. If this fails due to a temporary problem (such as - a network issue while downloading binaries from the NixOS binary - cache), you can just re-run <command>nixos-install</command>. - Otherwise, fix your <filename>configuration.nix</filename> and - then re-run <command>nixos-install</command>.</para> - - <para>As the last step, <command>nixos-install</command> will ask - you to set the password for the <literal>root</literal> user, e.g. - + Cross fingers. If this fails due to a temporary problem (such as a network + issue while downloading binaries from the NixOS binary cache), you can just + re-run <command>nixos-install</command>. Otherwise, fix your + <filename>configuration.nix</filename> and then re-run + <command>nixos-install</command>. + </para> + <para> + As the last step, <command>nixos-install</command> will ask you to set the + password for the <literal>root</literal> user, e.g. <screen> setting root password... Enter new UNIX password: *** Retype new UNIX password: *** -</screen> - + </screen> <note> - <para> - To prevent the password prompt, set <code>users.mutableUsers = false;</code> in - <filename>configuration.nix</filename>, which allows unattended installation - necessary in automation. - </para> + <para> + To prevent the password prompt, set + <code><xref linkend="opt-users.mutableUsers"/> = false;</code> in + <filename>configuration.nix</filename>, which allows unattended + installation necessary in automation. + </para> </note> - - </para> - + </para> </listitem> - <listitem> - <para>If everything went well: - + <para> + If everything went well: <screen> -# reboot</screen> - - </para></listitem> - + # reboot</screen> + </para> + </listitem> <listitem> - - <para>You should now be able to boot into the installed NixOS. The - GRUB boot menu shows a list of <emphasis>available - configurations</emphasis> (initially just one). Every time you - change the NixOS configuration (see <link - linkend="sec-changing-config">Changing Configuration</link> ), a - new item is added to the menu. This allows you to easily roll back - to a previous configuration if something goes wrong.</para> - - <para>You should log in and change the <literal>root</literal> - password with <command>passwd</command>.</para> - - <para>You’ll probably want to create some user accounts as well, - which can be done with <command>useradd</command>: - + <para> + You should now be able to boot into the installed NixOS. The GRUB boot menu + shows a list of <emphasis>available configurations</emphasis> (initially + just one). Every time you change the NixOS configuration (see + <link + linkend="sec-changing-config">Changing Configuration</link> + ), a new item is added to the menu. This allows you to easily roll back to + a previous configuration if something goes wrong. + </para> + <para> + You should log in and change the <literal>root</literal> password with + <command>passwd</command>. + </para> + <para> + You’ll probably want to create some user accounts as well, which can be + done with <command>useradd</command>: <screen> $ useradd -c 'Eelco Dolstra' -m eelco $ passwd eelco</screen> - - </para> - - <para>You may also want to install some software. For instance, - + </para> + <para> + You may also want to install some software. For instance, <screen> $ nix-env -qa \*</screen> - shows what packages are available, and - <screen> $ nix-env -i w3m</screen> - - install the <literal>w3m</literal> browser.</para> - + install the <literal>w3m</literal> browser. + </para> </listitem> - -</orderedlist> - -<para>To summarise, <xref linkend="ex-install-sequence" /> shows a -typical sequence of commands for installing NixOS on an empty hard -drive (here <filename>/dev/sda</filename>). <xref linkend="ex-config" -/> shows a corresponding configuration Nix expression.</para> - -<example xml:id='ex-install-sequence'><title>Commands for Installing NixOS on <filename>/dev/sda</filename></title> + </orderedlist> + <para> + To summarise, <xref linkend="ex-install-sequence" /> shows a typical sequence + of commands for installing NixOS on an empty hard drive (here + <filename>/dev/sda</filename>). <xref linkend="ex-config" +/> shows a + corresponding configuration Nix expression. + </para> + <example xml:id='ex-install-sequence'> + <title>Commands for Installing NixOS on <filename>/dev/sda</filename></title> <screen> # fdisk /dev/sda # <lineannotation>(or whatever device you want to install on)</lineannotation> -- for UEFI systems only @@ -366,40 +399,39 @@ drive (here <filename>/dev/sda</filename>). <xref linkend="ex-config" # mkfs.ext4 -L nixos /dev/sda1 # mkswap -L swap /dev/sda2 # swapon /dev/sda2 -# mkfs.fat -F 32 -L boot /dev/sda3 # <lineannotation>(for UEFI systems only)</lineannotation> +# mkfs.fat -F 32 -n boot /dev/sda3 # <lineannotation>(for UEFI systems only)</lineannotation> # mount /dev/disk/by-label/nixos /mnt +# mkdir -p /mnt/boot # <lineannotation>(for UEFI systems only)</lineannotation> # mount /dev/disk/by-label/boot /mnt/boot # <lineannotation>(for UEFI systems only)</lineannotation> # nixos-generate-config --root /mnt # nano /mnt/etc/nixos/configuration.nix # nixos-install # reboot</screen> -</example> - -<example xml:id='ex-config'><title>NixOS Configuration</title> + </example> + <example xml:id='ex-config'> + <title>NixOS Configuration</title> <screen> -{ config, pkgs, ... }: - -{ - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; +{ config, pkgs, ... }: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; - boot.loader.grub.device = "/dev/sda"; # <lineannotation>(for BIOS systems only)</lineannotation> - boot.loader.systemd-boot.enable = true; # <lineannotation>(for UEFI systems only)</lineannotation> + <xref linkend="opt-boot.loader.grub.device"/> = "/dev/sda"; # <lineannotation>(for BIOS systems only)</lineannotation> + <xref linkend="opt-boot.loader.systemd-boot.enable"/> = true; # <lineannotation>(for UEFI systems only)</lineannotation> # Note: setting fileSystems is generally not # necessary, since nixos-generate-config figures them out # automatically in hardware-configuration.nix. - #fileSystems."/".device = "/dev/disk/by-label/nixos"; + #<link linkend="opt-fileSystems._name__.device">fileSystems."/".device</link> = "/dev/disk/by-label/nixos"; # Enable the OpenSSH server. services.sshd.enable = true; -}</screen> -</example> - -<xi:include href="installing-usb.xml" /> -<xi:include href="installing-pxe.xml" /> -<xi:include href="installing-virtualbox-guest.xml" /> - +} + </screen> + </example> + <xi:include href="installing-usb.xml" /> + <xi:include href="installing-pxe.xml" /> + <xi:include href="installing-virtualbox-guest.xml" /> + <xi:include href="installing-from-other-distro.xml" /> </chapter> diff --git a/nixos/doc/manual/installation/obtaining.xml b/nixos/doc/manual/installation/obtaining.xml index 9b2b474c60ce..56af5c0e25a0 100644 --- a/nixos/doc/manual/installation/obtaining.xml +++ b/nixos/doc/manual/installation/obtaining.xml @@ -3,46 +3,52 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-obtaining"> - -<title>Obtaining NixOS</title> - -<para>NixOS ISO images can be downloaded from the <link -xlink:href="http://nixos.org/nixos/download.html">NixOS -download page</link>. There are a number of installation options. If -you happen to have an optical drive and a spare CD, burning the -image to CD and booting from that is probably the easiest option. -Most people will need to prepare a USB stick to boot from. -<xref linkend="sec-booting-from-usb"/> describes the preferred method -to prepare a USB stick. -A number of alternative methods are presented in the <link + <title>Obtaining NixOS</title> + <para> + NixOS ISO images can be downloaded from the + <link +xlink:href="http://nixos.org/nixos/download.html">NixOS download + page</link>. There are a number of installation options. If you happen to + have an optical drive and a spare CD, burning the image to CD and booting + from that is probably the easiest option. Most people will need to prepare a + USB stick to boot from. <xref linkend="sec-booting-from-usb"/> describes the + preferred method to prepare a USB stick. A number of alternative methods are + presented in the + <link xlink:href="https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media">NixOS -Wiki</link>.</para> - -<para>As an alternative to installing NixOS yourself, you can get a -running NixOS system through several other means: - -<itemizedlist> - <listitem> - <para>Using virtual appliances in Open Virtualization Format (OVF) - that can be imported into VirtualBox. These are available from - the <link xlink:href="http://nixos.org/nixos/download.html">NixOS - download page</link>.</para> - </listitem> - <listitem> - <para>Using AMIs for Amazon’s EC2. To find one for your region - and instance type, please refer to the <link + Wiki</link>. + </para> + <para> + As an alternative to installing NixOS yourself, you can get a running NixOS + system through several other means: + <itemizedlist> + <listitem> + <para> + Using virtual appliances in Open Virtualization Format (OVF) that can be + imported into VirtualBox. These are available from the + <link xlink:href="http://nixos.org/nixos/download.html">NixOS download + page</link>. + </para> + </listitem> + <listitem> + <para> + Using AMIs for Amazon’s EC2. To find one for your region and instance + type, please refer to the + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix">list - of most recent AMIs</link>.</para> - </listitem> - <listitem> - <para>Using NixOps, the NixOS-based cloud deployment tool, which - allows you to provision VirtualBox and EC2 NixOS instances from - declarative specifications. Check out the <link + of most recent AMIs</link>. + </para> + </listitem> + <listitem> + <para> + Using NixOps, the NixOS-based cloud deployment tool, which allows you to + provision VirtualBox and EC2 NixOS instances from declarative + specifications. Check out the + <link xlink:href="https://nixos.org/nixops">NixOps homepage</link> for - details.</para> - </listitem> -</itemizedlist> - -</para> - + details. + </para> + </listitem> + </itemizedlist> + </para> </chapter> diff --git a/nixos/doc/manual/installation/upgrading.xml b/nixos/doc/manual/installation/upgrading.xml index aee6523345c4..20355812ec63 100644 --- a/nixos/doc/manual/installation/upgrading.xml +++ b/nixos/doc/manual/installation/upgrading.xml @@ -2,140 +2,130 @@ xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="sec-upgrading"> - -<title>Upgrading NixOS</title> - -<para>The best way to keep your NixOS installation up to date is to -use one of the NixOS <emphasis>channels</emphasis>. A channel is a -Nix mechanism for distributing Nix expressions and associated -binaries. The NixOS channels are updated automatically from NixOS’s -Git repository after certain tests have passed and all packages have -been built. These channels are: - -<itemizedlist> - <listitem> - <para><emphasis>Stable channels</emphasis>, such as <literal + <title>Upgrading NixOS</title> + <para> + The best way to keep your NixOS installation up to date is to use one of the + NixOS <emphasis>channels</emphasis>. A channel is a Nix mechanism for + distributing Nix expressions and associated binaries. The NixOS channels are + updated automatically from NixOS’s Git repository after certain tests have + passed and all packages have been built. These channels are: + <itemizedlist> + <listitem> + <para> + <emphasis>Stable channels</emphasis>, such as + <literal xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>. - These only get conservative bug fixes and package upgrades. For - instance, a channel update may cause the Linux kernel on your - system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but - not from 4.9.<replaceable>x</replaceable> to - 4.11.<replaceable>x</replaceable> (a major change that has the - potential to break things). Stable channels are generally - maintained until the next stable branch is created.</para> + These only get conservative bug fixes and package upgrades. For instance, + a channel update may cause the Linux kernel on your system to be upgraded + from 4.9.16 to 4.9.17 (a minor bug fix), but not from + 4.9.<replaceable>x</replaceable> to 4.11.<replaceable>x</replaceable> (a + major change that has the potential to break things). Stable channels are + generally maintained until the next stable branch is created. + </para> <para></para> - </listitem> - <listitem> - <para>The <emphasis>unstable channel</emphasis>, <literal + </listitem> + <listitem> + <para> + The <emphasis>unstable channel</emphasis>, + <literal xlink:href="https://nixos.org/channels/nixos-unstable">nixos-unstable</literal>. - This corresponds to NixOS’s main development branch, and may thus - see radical changes between channel updates. It’s not recommended - for production systems.</para> - </listitem> - <listitem> - <para><emphasis>Small channels</emphasis>, such as <literal + This corresponds to NixOS’s main development branch, and may thus see + radical changes between channel updates. It’s not recommended for + production systems. + </para> + </listitem> + <listitem> + <para> + <emphasis>Small channels</emphasis>, such as + <literal xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal> - or <literal - xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These - are identical to the stable and unstable channels described above, - except that they contain fewer binary packages. This means they - get updated faster than the regular channels (for instance, when a - critical security patch is committed to NixOS’s source tree), but - may require more packages to be built from source than - usual. They’re mostly intended for server environments and as such - contain few GUI applications.</para> - </listitem> -</itemizedlist> - -To see what channels are available, go to <link -xlink:href="https://nixos.org/channels"/>. (Note that the URIs of the -various channels redirect to a directory that contains the channel’s -latest version and includes ISO images and VirtualBox -appliances.)</para> - -<para>When you first install NixOS, you’re automatically subscribed to -the NixOS channel that corresponds to your installation source. For -instance, if you installed from a 17.03 ISO, you will be subscribed to -the <literal>nixos-17.03</literal> channel. To see which NixOS -channel you’re subscribed to, run the following as root: - + or + <literal + xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. + These are identical to the stable and unstable channels described above, + except that they contain fewer binary packages. This means they get + updated faster than the regular channels (for instance, when a critical + security patch is committed to NixOS’s source tree), but may require + more packages to be built from source than usual. They’re mostly + intended for server environments and as such contain few GUI applications. + </para> + </listitem> + </itemizedlist> + To see what channels are available, go to + <link +xlink:href="https://nixos.org/channels"/>. (Note that the URIs of the + various channels redirect to a directory that contains the channel’s latest + version and includes ISO images and VirtualBox appliances.) + </para> + <para> + When you first install NixOS, you’re automatically subscribed to the NixOS + channel that corresponds to your installation source. For instance, if you + installed from a 17.03 ISO, you will be subscribed to the + <literal>nixos-17.03</literal> channel. To see which NixOS channel you’re + subscribed to, run the following as root: <screen> # nix-channel --list | grep nixos nixos https://nixos.org/channels/nixos-unstable </screen> - -To switch to a different NixOS channel, do - + To switch to a different NixOS channel, do <screen> # nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos </screen> - -(Be sure to include the <literal>nixos</literal> parameter at the -end.) For instance, to use the NixOS 17.03 stable channel: - + (Be sure to include the <literal>nixos</literal> parameter at the end.) For + instance, to use the NixOS 17.03 stable channel: <screen> # nix-channel --add https://nixos.org/channels/nixos-17.03 nixos </screen> - -If you have a server, you may want to use the “small” channel instead: - + If you have a server, you may want to use the “small” channel instead: <screen> # nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos </screen> - -And if you want to live on the bleeding edge: - + And if you want to live on the bleeding edge: <screen> # nix-channel --add https://nixos.org/channels/nixos-unstable nixos </screen> - -</para> - -<para>You can then upgrade NixOS to the latest version in your chosen -channel by running - + </para> + <para> + You can then upgrade NixOS to the latest version in your chosen channel by + running <screen> # nixos-rebuild switch --upgrade </screen> - -which is equivalent to the more verbose <literal>nix-channel --update -nixos; nixos-rebuild switch</literal>.</para> - -<note><para>Channels are set per user. This means that running <literal> -nix-channel --add</literal> as a non root user (or without sudo) will not -affect configuration in <literal>/etc/nixos/configuration.nix</literal> -</para></note> - -<warning><para>It is generally safe to switch back and forth between -channels. The only exception is that a newer NixOS may also have a -newer Nix version, which may involve an upgrade of Nix’s database -schema. This cannot be undone easily, so in that case you will not be -able to go back to your original channel.</para></warning> - - -<section><title>Automatic Upgrades</title> - -<para>You can keep a NixOS system up-to-date automatically by adding -the following to <filename>configuration.nix</filename>: - + which is equivalent to the more verbose <literal>nix-channel --update nixos; + nixos-rebuild switch</literal>. + </para> + <note> + <para> + Channels are set per user. This means that running <literal> nix-channel + --add</literal> as a non root user (or without sudo) will not affect + configuration in <literal>/etc/nixos/configuration.nix</literal> + </para> + </note> + <warning> + <para> + It is generally safe to switch back and forth between channels. The only + exception is that a newer NixOS may also have a newer Nix version, which may + involve an upgrade of Nix’s database schema. This cannot be undone easily, + so in that case you will not be able to go back to your original channel. + </para> + </warning> + <section> + <title>Automatic Upgrades</title> + + <para> + You can keep a NixOS system up-to-date automatically by adding the following + to <filename>configuration.nix</filename>: <programlisting> -system.autoUpgrade.enable = true; +<xref linkend="opt-system.autoUpgrade.enable"/> = true; </programlisting> - -This enables a periodically executed systemd service named -<literal>nixos-upgrade.service</literal>. It runs -<command>nixos-rebuild switch --upgrade</command> to upgrade NixOS to -the latest version in the current channel. (To see when the service -runs, see <command>systemctl list-timers</command>.) You can also -specify a channel explicitly, e.g. - + This enables a periodically executed systemd service named + <literal>nixos-upgrade.service</literal>. It runs <command>nixos-rebuild + switch --upgrade</command> to upgrade NixOS to the latest version in the + current channel. (To see when the service runs, see <command>systemctl + list-timers</command>.) You can also specify a channel explicitly, e.g. <programlisting> -system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03; +<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-17.03; </programlisting> - -</para> - -</section> - - + </para> + </section> </chapter> diff --git a/nixos/doc/manual/man-configuration.xml b/nixos/doc/manual/man-configuration.xml index 05531b3909a3..9f30b7925101 100644 --- a/nixos/doc/manual/man-configuration.xml +++ b/nixos/doc/manual/man-configuration.xml @@ -1,38 +1,31 @@ <refentry xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - -<refmeta> - <refentrytitle><filename>configuration.nix</filename></refentrytitle> - <manvolnum>5</manvolnum> + <refmeta> + <refentrytitle><filename>configuration.nix</filename> + </refentrytitle><manvolnum>5</manvolnum> <refmiscinfo class="source">NixOS</refmiscinfo> - <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> -</refmeta> - -<refnamediv> - <refname><filename>configuration.nix</filename></refname> - <refpurpose>NixOS system configuration specification</refpurpose> -</refnamediv> - - -<refsection><title>Description</title> - -<para>The file <filename>/etc/nixos/configuration.nix</filename> -contains the declarative specification of your NixOS system -configuration. The command <command>nixos-rebuild</command> takes -this file and realises the system configuration specified -therein.</para> - -</refsection> - - -<refsection><title>Options</title> - -<para>You can use the following options in -<filename>configuration.nix</filename>.</para> - -<xi:include href="options-db.xml" /> - -</refsection> - +<!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> + </refmeta> + <refnamediv> + <refname><filename>configuration.nix</filename> + </refname><refpurpose>NixOS system configuration specification</refpurpose> + </refnamediv> + <refsection> + <title>Description</title> + <para> + The file <filename>/etc/nixos/configuration.nix</filename> contains the + declarative specification of your NixOS system configuration. The command + <command>nixos-rebuild</command> takes this file and realises the system + configuration specified therein. + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + You can use the following options in <filename>configuration.nix</filename>. + </para> + <xi:include href="./generated/options-db.xml" + xpointer="configuration-variable-list" /> + </refsection> </refentry> diff --git a/nixos/doc/manual/man-nixos-build-vms.xml b/nixos/doc/manual/man-nixos-build-vms.xml index 878ebee05273..02dad4c548b8 100644 --- a/nixos/doc/manual/man-nixos-build-vms.xml +++ b/nixos/doc/manual/man-nixos-build-vms.xml @@ -1,46 +1,45 @@ <refentry xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - -<refmeta> - <refentrytitle><command>nixos-build-vms</command></refentrytitle> - <manvolnum>8</manvolnum> + <refmeta> + <refentrytitle><command>nixos-build-vms</command> + </refentrytitle><manvolnum>8</manvolnum> <refmiscinfo class="source">NixOS</refmiscinfo> - <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> -</refmeta> - -<refnamediv> - <refname><command>nixos-build-vms</command></refname> - <refpurpose>build a network of virtual machines from a network of NixOS configurations</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>nixos-build-vms</command> - <arg><option>--show-trace</option></arg> - <arg><option>--no-out-link</option></arg> - <arg><option>--help</option></arg> - <arg choice="plain"><replaceable>network.nix</replaceable></arg> +<!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> + </refmeta> + <refnamediv> + <refname><command>nixos-build-vms</command> + </refname><refpurpose>build a network of virtual machines from a network of NixOS configurations</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis><command>nixos-build-vms</command> + <arg><option>--show-trace</option> + </arg> + <arg><option>--no-out-link</option> + </arg> + <arg><option>--help</option> + </arg> + <arg choice="plain"><replaceable>network.nix</replaceable> + </arg> </cmdsynopsis> -</refsynopsisdiv> - -<refsection><title>Description</title> - -<para>This command builds a network of QEMU-KVM virtual machines of a Nix expression -specifying a network of NixOS machines. The virtual network can be started by -executing the <filename>bin/run-vms</filename> shell script that is generated by -this command. By default, a <filename>result</filename> symlink is produced that -points to the generated virtual network. -</para> - -<para>A network Nix expression has the following structure: - + </refsynopsisdiv> + <refsection> + <title>Description</title> + <para> + This command builds a network of QEMU-KVM virtual machines of a Nix + expression specifying a network of NixOS machines. The virtual network can + be started by executing the <filename>bin/run-vms</filename> shell script + that is generated by this command. By default, a <filename>result</filename> + symlink is produced that points to the generated virtual network. + </para> + <para> + A network Nix expression has the following structure: <screen> { test1 = {pkgs, config, ...}: { services.openssh.enable = true; - nixpkgs.system = "i686-linux"; + nixpkgs.localSystem.system = "i686-linux"; deployment.targetHost = "test1.example.net"; # Other NixOS options @@ -51,60 +50,60 @@ points to the generated virtual network. services.openssh.enable = true; services.httpd.enable = true; environment.systemPackages = [ pkgs.lynx ]; - nixpkgs.system = "x86_64-linux"; + nixpkgs.localSystem.system = "x86_64-linux"; deployment.targetHost = "test2.example.net"; # Other NixOS options }; } </screen> - -Each attribute in the expression represents a machine in the network -(e.g. <varname>test1</varname> and <varname>test2</varname>) -referring to a function defining a NixOS configuration. -In each NixOS configuration, two attributes have a special meaning. -The <varname>deployment.targetHost</varname> specifies the address -(domain name or IP address) -of the system which is used by <command>ssh</command> to perform -remote deployment operations. The <varname>nixpkgs.system</varname> -attribute can be used to specify an architecture for the target machine, -such as <varname>i686-linux</varname> which builds a 32-bit NixOS -configuration. Omitting this property will build the configuration -for the same architecture as the host system. -</para> - -</refsection> - -<refsection><title>Options</title> - -<para>This command accepts the following options:</para> - -<variablelist> - - <varlistentry> - <term><option>--show-trace</option></term> + Each attribute in the expression represents a machine in the network (e.g. + <varname>test1</varname> and <varname>test2</varname>) referring to a + function defining a NixOS configuration. In each NixOS configuration, two + attributes have a special meaning. The + <varname>deployment.targetHost</varname> specifies the address (domain name + or IP address) of the system which is used by <command>ssh</command> to + perform remote deployment operations. The + <varname>nixpkgs.localSystem.system</varname> attribute can be used to + specify an architecture for the target machine, such as + <varname>i686-linux</varname> which builds a 32-bit NixOS configuration. + Omitting this property will build the configuration for the same + architecture as the host system. + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + This command accepts the following options: + </para> + <variablelist> + <varlistentry> + <term><option>--show-trace</option> + </term> <listitem> - <para>Shows a trace of the output.</para> + <para> + Shows a trace of the output. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--no-out-link</option></term> + </varlistentry> + <varlistentry> + <term><option>--no-out-link</option> + </term> <listitem> - <para>Do not create a 'result' symlink.</para> + <para> + Do not create a 'result' symlink. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>-h</option>, <option>--help</option></term> + </varlistentry> + <varlistentry> + <term><option>-h</option>, <option>--help</option> + </term> <listitem> - <para>Shows the usage of this command to the user.</para> + <para> + Shows the usage of this command to the user. + </para> </listitem> - </varlistentry> - -</variablelist> - -</refsection> - - + </varlistentry> + </variablelist> + </refsection> </refentry> diff --git a/nixos/doc/manual/man-nixos-enter.xml b/nixos/doc/manual/man-nixos-enter.xml new file mode 100644 index 000000000000..7db4b72ee36e --- /dev/null +++ b/nixos/doc/manual/man-nixos-enter.xml @@ -0,0 +1,119 @@ +<refentry xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude"> + <refmeta> + <refentrytitle><command>nixos-enter</command> + </refentrytitle><manvolnum>8</manvolnum> + <refmiscinfo class="source">NixOS</refmiscinfo> +<!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> + </refmeta> + <refnamediv> + <refname><command>nixos-enter</command> + </refname><refpurpose>run a command in a NixOS chroot environment</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis><command>nixos-enter</command> + <arg> + <arg choice='plain'><option>--root</option> + </arg><replaceable>root</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--system</option> + </arg><replaceable>system</replaceable> + </arg> + <arg> + <arg choice='plain'><option>-c</option> + </arg><replaceable>shell-command</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--help</option> + </arg> + </arg> + <arg> + <arg choice='plain'><option>--</option> + </arg><replaceable>arguments</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + <refsection> + <title>Description</title> + <para> + This command runs a command in a NixOS chroot environment, that is, in a + filesystem hierarchy previously prepared using + <command>nixos-install</command>. + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + This command accepts the following options: + </para> + <variablelist> + <varlistentry> + <term><option>--root</option> + </term> + <listitem> + <para> + The path to the NixOS system you want to enter. It defaults to + <filename>/mnt</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>--system</option> + </term> + <listitem> + <para> + The NixOS system configuration to use. It defaults to + <filename>/nix/var/nix/profiles/system</filename>. You can enter a + previous NixOS configuration by specifying a path such as + <filename>/nix/var/nix/profiles/system-106-link</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>--command</option> + </term> + <term><option>-c</option> + </term> + <listitem> + <para> + The bash command to execute. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>--</option> + </term> + <listitem> + <para> + Interpret the remaining arguments as the program name and arguments to be + invoked. The program is not executed in a shell. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsection> + <refsection> + <title>Examples</title> + <para> + Start an interactive shell in the NixOS installation in + <filename>/mnt</filename>: + </para> +<screen> +# nixos-enter /mnt +</screen> + <para> + Run a shell command: + </para> +<screen> +# nixos-enter -c 'ls -l /; cat /proc/mounts' +</screen> + <para> + Run a non-shell command: + </para> +<screen> +# nixos-enter -- cat /proc/mounts +</screen> + </refsection> +</refentry> diff --git a/nixos/doc/manual/man-nixos-generate-config.xml b/nixos/doc/manual/man-nixos-generate-config.xml index 993a932ddfbe..8bf90f452db6 100644 --- a/nixos/doc/manual/man-nixos-generate-config.xml +++ b/nixos/doc/manual/man-nixos-generate-config.xml @@ -1,152 +1,149 @@ <refentry xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - -<refmeta> - <refentrytitle><command>nixos-generate-config</command></refentrytitle> - <manvolnum>8</manvolnum> + <refmeta> + <refentrytitle><command>nixos-generate-config</command> + </refentrytitle><manvolnum>8</manvolnum> <refmiscinfo class="source">NixOS</refmiscinfo> - <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> -</refmeta> - -<refnamediv> - <refname><command>nixos-generate-config</command></refname> - <refpurpose>generate NixOS configuration modules</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>nixos-generate-config</command> - <arg><option>--force</option></arg> - <arg> - <arg choice='plain'><option>--root</option></arg> - <replaceable>root</replaceable> - </arg> - <arg> - <arg choice='plain'><option>--dir</option></arg> - <replaceable>dir</replaceable> - </arg> +<!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> + </refmeta> + <refnamediv> + <refname><command>nixos-generate-config</command> + </refname><refpurpose>generate NixOS configuration modules</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis><command>nixos-generate-config</command> + <arg><option>--force</option> + </arg> + <arg> + <arg choice='plain'><option>--root</option> + </arg><replaceable>root</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--dir</option> + </arg><replaceable>dir</replaceable> + </arg> </cmdsynopsis> -</refsynopsisdiv> - - -<refsection><title>Description</title> - -<para>This command writes two NixOS configuration modules: - -<variablelist> - - <varlistentry> - <term><option>/etc/nixos/hardware-configuration.nix</option></term> + </refsynopsisdiv> + <refsection> + <title>Description</title> + <para> + This command writes two NixOS configuration modules: + <variablelist> + <varlistentry> + <term><option>/etc/nixos/hardware-configuration.nix</option> + </term> + <listitem> + <para> + This module sets NixOS configuration options based on your current + hardware configuration. In particular, it sets the + <option>fileSystem</option> option to reflect all currently mounted file + systems, the <option>swapDevices</option> option to reflect active swap + devices, and the <option>boot.initrd.*</option> options to ensure that + the initial ramdisk contains any kernel modules necessary for mounting + the root file system. + </para> + <para> + If this file already exists, it is overwritten. Thus, you should not + modify it manually. Rather, you should include it from your + <filename>/etc/nixos/configuration.nix</filename>, and re-run + <command>nixos-generate-config</command> to update it whenever your + hardware configuration changes. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>/etc/nixos/configuration.nix</option> + </term> + <listitem> + <para> + This is the main NixOS system configuration module. If it already + exists, it’s left unchanged. Otherwise, + <command>nixos-generate-config</command> will write a template for you + to customise. + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + This command accepts the following options: + </para> + <variablelist> + <varlistentry> + <term><option>--root</option> + </term> <listitem> - <para>This module sets NixOS configuration options based on your - current hardware configuration. In particular, it sets the - <option>fileSystem</option> option to reflect all currently - mounted file systems, the <option>swapDevices</option> option to - reflect active swap devices, and the - <option>boot.initrd.*</option> options to ensure that the - initial ramdisk contains any kernel modules necessary for - mounting the root file system.</para> - - <para>If this file already exists, it is overwritten. Thus, you - should not modify it manually. Rather, you should include it - from your <filename>/etc/nixos/configuration.nix</filename>, and - re-run <command>nixos-generate-config</command> to update it - whenever your hardware configuration changes.</para> + <para> + If this option is given, treat the directory + <replaceable>root</replaceable> as the root of the file system. This + means that configuration files will be written to + <filename><replaceable>root</replaceable>/etc/nixos</filename>, and that + any file systems outside of <replaceable>root</replaceable> are ignored + for the purpose of generating the <option>fileSystems</option> option. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>/etc/nixos/configuration.nix</option></term> + </varlistentry> + <varlistentry> + <term><option>--dir</option> + </term> <listitem> - <para>This is the main NixOS system configuration module. If it - already exists, it’s left unchanged. Otherwise, - <command>nixos-generate-config</command> will write a template - for you to customise.</para> + <para> + If this option is given, write the configuration files to the directory + <replaceable>dir</replaceable> instead of + <filename>/etc/nixos</filename>. + </para> </listitem> - </varlistentry> - -</variablelist> - -</para> - -</refsection> - - -<refsection><title>Options</title> - -<para>This command accepts the following options:</para> - -<variablelist> - - <varlistentry> - <term><option>--root</option></term> + </varlistentry> + <varlistentry> + <term><option>--force</option> + </term> <listitem> - <para>If this option is given, treat the directory - <replaceable>root</replaceable> as the root of the file system. - This means that configuration files will be written to - <filename><replaceable>root</replaceable>/etc/nixos</filename>, - and that any file systems outside of - <replaceable>root</replaceable> are ignored for the purpose of - generating the <option>fileSystems</option> option.</para> + <para> + Overwrite <filename>/etc/nixos/configuration.nix</filename> if it already + exists. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--dir</option></term> + </varlistentry> + <varlistentry> + <term><option>--no-filesystems</option> + </term> <listitem> - <para>If this option is given, write the configuration files to - the directory <replaceable>dir</replaceable> instead of - <filename>/etc/nixos</filename>.</para> + <para> + Omit everything concerning file systems and swap devices from the + hardware configuration. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--force</option></term> + </varlistentry> + <varlistentry> + <term><option>--show-hardware-config</option> + </term> <listitem> - <para>Overwrite - <filename>/etc/nixos/configuration.nix</filename> if it already - exists.</para> + <para> + Don't generate <filename>configuration.nix</filename> or + <filename>hardware-configuration.nix</filename> and print the hardware + configuration to stdout only. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--no-filesystems</option></term> - <listitem> - <para>Omit everything concerning file systems and swap devices - from the hardware configuration.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>--show-hardware-config</option></term> - <listitem> - <para>Don't generate <filename>configuration.nix</filename> or - <filename>hardware-configuration.nix</filename> and print the - hardware configuration to stdout only.</para> - </listitem> - </varlistentry> - -</variablelist> - -</refsection> - - -<refsection><title>Examples</title> - -<para>This command is typically used during NixOS installation to -write initial configuration modules. For example, if you created and -mounted the target file systems on <filename>/mnt</filename> and -<filename>/mnt/boot</filename>, you would run: - + </varlistentry> + </variablelist> + </refsection> + <refsection> + <title>Examples</title> + <para> + This command is typically used during NixOS installation to write initial + configuration modules. For example, if you created and mounted the target + file systems on <filename>/mnt</filename> and + <filename>/mnt/boot</filename>, you would run: <screen> $ nixos-generate-config --root /mnt </screen> - -The resulting file -<filename>/mnt/etc/nixos/hardware-configuration.nix</filename> might -look like this: - + The resulting file + <filename>/mnt/etc/nixos/hardware-configuration.nix</filename> might look + like this: <programlisting> # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes @@ -181,28 +178,22 @@ look like this: nix.maxJobs = 8; } </programlisting> - -It will also create a basic -<filename>/mnt/etc/nixos/configuration.nix</filename>, which you -should edit to customise the logical configuration of your system. -This file includes the result of the hardware scan as follows: - + It will also create a basic + <filename>/mnt/etc/nixos/configuration.nix</filename>, which you should edit + to customise the logical configuration of your system. This file includes + the result of the hardware scan as follows: <programlisting> imports = [ ./hardware-configuration.nix ]; </programlisting> -</para> - -<para>After installation, if your hardware configuration changes, you -can run: - + </para> + <para> + After installation, if your hardware configuration changes, you can run: <screen> $ nixos-generate-config </screen> - -to update <filename>/etc/nixos/hardware-configuration.nix</filename>. -Your <filename>/etc/nixos/configuration.nix</filename> will -<emphasis>not</emphasis> be overwritten.</para> - -</refsection> - + to update <filename>/etc/nixos/hardware-configuration.nix</filename>. Your + <filename>/etc/nixos/configuration.nix</filename> will + <emphasis>not</emphasis> be overwritten. + </para> + </refsection> </refentry> diff --git a/nixos/doc/manual/man-nixos-install.xml b/nixos/doc/manual/man-nixos-install.xml index 15c603256ca7..2d45e83a863f 100644 --- a/nixos/doc/manual/man-nixos-install.xml +++ b/nixos/doc/manual/man-nixos-install.xml @@ -1,212 +1,221 @@ <refentry xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - -<refmeta> - <refentrytitle><command>nixos-install</command></refentrytitle> - <manvolnum>8</manvolnum> + <refmeta> + <refentrytitle><command>nixos-install</command> + </refentrytitle><manvolnum>8</manvolnum> <refmiscinfo class="source">NixOS</refmiscinfo> - <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> -</refmeta> - -<refnamediv> - <refname><command>nixos-install</command></refname> - <refpurpose>install bootloader and NixOS</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>nixos-install</command> - <arg> - <arg choice='plain'><option>-I</option></arg> - <replaceable>path</replaceable> +<!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> + </refmeta> + <refnamediv> + <refname><command>nixos-install</command> + </refname><refpurpose>install bootloader and NixOS</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis><command>nixos-install</command> + <arg> + <arg choice='plain'><option>-I</option> + </arg><replaceable>path</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--root</option> + </arg><replaceable>root</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--system</option> + </arg><replaceable>path</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--no-channel-copy</option> </arg> - <arg> - <arg choice='plain'><option>--root</option></arg> - <replaceable>root</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--no-root-passwd</option> </arg> - <arg> - <arg choice='plain'><option>--closure</option></arg> - <replaceable>closure</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--no-bootloader</option> </arg> - <arg> - <arg choice='plain'><option>--no-channel-copy</option></arg> + </arg> + <arg><group choice='req'> + <arg choice='plain'><option>--max-jobs</option> </arg> - <arg> - <arg choice='plain'><option>--no-root-passwd</option></arg> + <arg choice='plain'><option>-j</option> + </arg></group><replaceable>number</replaceable> + </arg> + <arg><option>--cores</option><replaceable>number</replaceable> + </arg> + <arg><option>--option</option><replaceable>name</replaceable><replaceable>value</replaceable> + </arg> + <arg> + <arg choice='plain'><option>--show-trace</option> </arg> - <arg> - <arg choice='plain'><option>--no-bootloader</option></arg> - </arg> - <arg> - <group choice='req'> - <arg choice='plain'><option>--max-jobs</option></arg> - <arg choice='plain'><option>-j</option></arg> - </group> - <replaceable>number</replaceable> - </arg> - <arg> - <option>--cores</option> - <replaceable>number</replaceable> - </arg> - <arg> - <option>--option</option> - <replaceable>name</replaceable> - <replaceable>value</replaceable> - </arg> - <arg> - <arg choice='plain'><option>--show-trace</option></arg> - </arg> - <arg> - <arg choice='plain'><option>--chroot</option></arg> - </arg> - <arg> - <arg choice='plain'><option>--help</option></arg> + </arg> + <arg> + <arg choice='plain'><option>--help</option> </arg> + </arg> </cmdsynopsis> -</refsynopsisdiv> - - -<refsection><title>Description</title> - -<para>This command installs NixOS in the file system mounted on -<filename>/mnt</filename>, based on the NixOS configuration specified -in <filename>/mnt/etc/nixos/configuration.nix</filename>. It performs -the following steps: - -<itemizedlist> - - <listitem><para>It copies Nix and its dependencies to - <filename>/mnt/nix/store</filename>.</para></listitem> - - <listitem><para>It runs Nix in <filename>/mnt</filename> to build - the NixOS configuration specified in - <filename>/mnt/etc/nixos/configuration.nix</filename>.</para></listitem> - - <listitem><para>It installs the GRUB boot loader on the device - specified in the option <option>boot.loader.grub.device</option> - (unless <option>--no-bootloader</option> is specified), - and generates a GRUB configuration file that boots into the NixOS - configuration just installed.</para></listitem> - - <listitem><para>It prompts you for a password for the root account - (unless <option>--no-root-passwd</option> is specified).</para></listitem> - -</itemizedlist> - -</para> - -<para>This command is idempotent: if it is interrupted or fails due to -a temporary problem (e.g. a network issue), you can safely re-run -it.</para> - -</refsection> - -<refsection><title>Options</title> - -<para>This command accepts the following options:</para> - -<variablelist> - - <varlistentry> - <term><option>--root</option></term> + </refsynopsisdiv> + <refsection> + <title>Description</title> + <para> + This command installs NixOS in the file system mounted on + <filename>/mnt</filename>, based on the NixOS configuration specified in + <filename>/mnt/etc/nixos/configuration.nix</filename>. It performs the + following steps: + <itemizedlist> + <listitem> + <para> + It copies Nix and its dependencies to + <filename>/mnt/nix/store</filename>. + </para> + </listitem> + <listitem> + <para> + It runs Nix in <filename>/mnt</filename> to build the NixOS configuration + specified in <filename>/mnt/etc/nixos/configuration.nix</filename>. + </para> + </listitem> + <listitem> + <para> + It installs the GRUB boot loader on the device specified in the option + <option>boot.loader.grub.device</option> (unless + <option>--no-bootloader</option> is specified), and generates a GRUB + configuration file that boots into the NixOS configuration just + installed. + </para> + </listitem> + <listitem> + <para> + It prompts you for a password for the root account (unless + <option>--no-root-passwd</option> is specified). + </para> + </listitem> + </itemizedlist> + </para> + <para> + This command is idempotent: if it is interrupted or fails due to a temporary + problem (e.g. a network issue), you can safely re-run it. + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + This command accepts the following options: + </para> + <variablelist> + <varlistentry> + <term><option>--root</option> + </term> + <listitem> + <para> + Defaults to <filename>/mnt</filename>. If this option is given, treat the + directory <replaceable>root</replaceable> as the root of the NixOS + installation. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>--system</option> + </term> + <listitem> + <para> + If this option is provided, <command>nixos-install</command> will install + the specified closure rather than attempt to build one from + <filename>/mnt/etc/nixos/configuration.nix</filename>. + </para> + <para> + The closure must be an appropriately configured NixOS system, with boot + loader and partition configuration that fits the target host. Such a + closure is typically obtained with a command such as <command>nix-build + -I nixos-config=./configuration.nix '<nixos>' -A system + --no-out-link</command> + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>-I</option> + </term> <listitem> - <para>Defaults to <filename>/mnt</filename>. If this option is given, treat the directory - <replaceable>root</replaceable> as the root of the NixOS installation. - </para> + <para> + Add a path to the Nix expression search path. This option may be given + multiple times. See the NIX_PATH environment variable for information on + the semantics of the Nix search path. Paths added through + <replaceable>-I</replaceable> take precedence over NIX_PATH. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--closure</option></term> + </varlistentry> + <varlistentry> + <term><option>--max-jobs</option> + </term> + <term><option>-j</option> + </term> <listitem> - <para>If this option is provided, <command>nixos-install</command> will install the specified closure - rather than attempt to build one from <filename>/mnt/etc/nixos/configuration.nix</filename>.</para> - - <para>The closure must be an appropriately configured NixOS system, with boot loader and partition - configuration that fits the target host. Such a closure is typically obtained with a command such as - <command>nix-build -I nixos-config=./configuration.nix '<nixos>' -A system --no-out-link</command> - </para> + <para> + Sets the maximum number of build jobs that Nix will perform in parallel + to the specified number. The default is <literal>1</literal>. A higher + value is useful on SMP systems or to exploit I/O latency. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>-I</option></term> + </varlistentry> + <varlistentry> + <term><option>--cores</option> + </term> <listitem> - <para>Add a path to the Nix expression search path. This option may be given multiple times. - See the NIX_PATH environment variable for information on the semantics of the Nix search path. - Paths added through <replaceable>-I</replaceable> take precedence over NIX_PATH.</para> + <para> + Sets the value of the <envar>NIX_BUILD_CORES</envar> environment variable + in the invocation of builders. Builders can use this variable at their + discretion to control the maximum amount of parallelism. For instance, in + Nixpkgs, if the derivation attribute + <varname>enableParallelBuilding</varname> is set to + <literal>true</literal>, the builder passes the + <option>-j<replaceable>N</replaceable></option> flag to GNU Make. The + value <literal>0</literal> means that the builder should use all + available CPU cores in the system. + </para> </listitem> - </varlistentry> - - <varlistentry><term><option>--max-jobs</option></term> - <term><option>-j</option></term> - - <listitem><para>Sets the maximum number of build jobs that Nix will - perform in parallel to the specified number. The default is <literal>1</literal>. - A higher value is useful on SMP systems or to exploit I/O latency.</para></listitem> - - </varlistentry> - - - <varlistentry><term><option>--cores</option></term> - - <listitem><para>Sets the value of the <envar>NIX_BUILD_CORES</envar> - environment variable in the invocation of builders. Builders can - use this variable at their discretion to control the maximum amount - of parallelism. For instance, in Nixpkgs, if the derivation - attribute <varname>enableParallelBuilding</varname> is set to - <literal>true</literal>, the builder passes the - <option>-j<replaceable>N</replaceable></option> flag to GNU Make. - The value <literal>0</literal> means that the builder should use all - available CPU cores in the system.</para></listitem> - - </varlistentry> - - <varlistentry><term><option>--option</option> <replaceable>name</replaceable> <replaceable>value</replaceable></term> - - <listitem><para>Set the Nix configuration option - <replaceable>name</replaceable> to <replaceable>value</replaceable>.</para></listitem> - - </varlistentry> - - <varlistentry> - <term><option>--show-trace</option></term> + </varlistentry> + <varlistentry> + <term><option>--option</option><replaceable>name</replaceable><replaceable>value</replaceable> + </term> <listitem> - <para>Causes Nix to print out a stack trace in case of Nix expression evaluation errors.</para> + <para> + Set the Nix configuration option <replaceable>name</replaceable> to + <replaceable>value</replaceable>. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--chroot</option></term> + </varlistentry> + <varlistentry> + <term><option>--show-trace</option> + </term> <listitem> - <para>Chroot into given installation. Any additional arguments passed are going to be executed inside the chroot. - </para> + <para> + Causes Nix to print out a stack trace in case of Nix expression + evaluation errors. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--help</option></term> + </varlistentry> + <varlistentry> + <term><option>--help</option> + </term> <listitem> - <para>Synonym for <command>man nixos-install</command>.</para> + <para> + Synonym for <command>man nixos-install</command>. + </para> </listitem> - </varlistentry> - -</variablelist> - -</refsection> - - -<refsection><title>Examples</title> - -<para>A typical NixOS installation is done by creating and mounting a -file system on <filename>/mnt</filename>, generating a NixOS -configuration in -<filename>/mnt/etc/nixos/configuration.nix</filename>, and running -<command>nixos-install</command>. For instance, if we want to install -NixOS on an <literal>ext4</literal> file system created in -<filename>/dev/sda1</filename>: - + </varlistentry> + </variablelist> + </refsection> + <refsection> + <title>Examples</title> + <para> + A typical NixOS installation is done by creating and mounting a file system + on <filename>/mnt</filename>, generating a NixOS configuration in + <filename>/mnt/etc/nixos/configuration.nix</filename>, and running + <command>nixos-install</command>. For instance, if we want to install NixOS + on an <literal>ext4</literal> file system created in + <filename>/dev/sda1</filename>: <screen> $ mkfs.ext4 /dev/sda1 $ mount /dev/sda1 /mnt @@ -215,9 +224,6 @@ $ # edit /mnt/etc/nixos/configuration.nix $ nixos-install $ reboot </screen> - -</para> - -</refsection> - + </para> + </refsection> </refentry> diff --git a/nixos/doc/manual/man-nixos-option.xml b/nixos/doc/manual/man-nixos-option.xml index d2b2d5b7965c..c22c3811dedf 100644 --- a/nixos/doc/manual/man-nixos-option.xml +++ b/nixos/doc/manual/man-nixos-option.xml @@ -1,103 +1,96 @@ <refentry xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - -<refmeta> - <refentrytitle><command>nixos-option</command></refentrytitle> - <manvolnum>8</manvolnum> + <refmeta> + <refentrytitle><command>nixos-option</command> + </refentrytitle><manvolnum>8</manvolnum> <refmiscinfo class="source">NixOS</refmiscinfo> - <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> -</refmeta> - -<refnamediv> - <refname><command>nixos-option</command></refname> - <refpurpose>inspect a NixOS configuration</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>nixos-option</command> - <arg> - <option>-I</option> - <replaceable>path</replaceable> - </arg> - <arg><option>--verbose</option></arg> - <arg><option>--xml</option></arg> - <arg choice="plain"><replaceable>option.name</replaceable></arg> +<!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> + </refmeta> + <refnamediv> + <refname><command>nixos-option</command> + </refname><refpurpose>inspect a NixOS configuration</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis><command>nixos-option</command> + <arg><option>-I</option><replaceable>path</replaceable> + </arg> + <arg><option>--verbose</option> + </arg> + <arg><option>--xml</option> + </arg> + <arg choice="plain"><replaceable>option.name</replaceable> + </arg> </cmdsynopsis> -</refsynopsisdiv> - -<refsection><title>Description</title> - -<para>This command evaluates the configuration specified in -<filename>/etc/nixos/configuration.nix</filename> and returns the properties -of the option name given as argument.</para> - -<para>When the option name is not an option, the command prints the list of -attributes contained in the attribute set.</para> - -</refsection> - -<refsection><title>Options</title> - -<para>This command accepts the following options:</para> - -<variablelist> - - <varlistentry> - <term><option>-I</option> <replaceable>path</replaceable></term> + </refsynopsisdiv> + <refsection> + <title>Description</title> + <para> + This command evaluates the configuration specified in + <filename>/etc/nixos/configuration.nix</filename> and returns the properties + of the option name given as argument. + </para> + <para> + When the option name is not an option, the command prints the list of + attributes contained in the attribute set. + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + This command accepts the following options: + </para> + <variablelist> + <varlistentry> + <term><option>-I</option><replaceable>path</replaceable> + </term> <listitem> - <para> - This option is passed to the underlying - <command>nix-instantiate</command> invocation. - </para> + <para> + This option is passed to the underlying + <command>nix-instantiate</command> invocation. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--verbose</option></term> + </varlistentry> + <varlistentry> + <term><option>--verbose</option> + </term> <listitem> - <para> - This option enables verbose mode, which currently is just - the Bash <command>set</command> <option>-x</option> debug mode. - </para> + <para> + This option enables verbose mode, which currently is just the Bash + <command>set</command> <option>-x</option> debug mode. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--xml</option></term> + </varlistentry> + <varlistentry> + <term><option>--xml</option> + </term> <listitem> - <para> - This option causes the output to be rendered as XML. - </para> + <para> + This option causes the output to be rendered as XML. + </para> </listitem> - </varlistentry> - -</variablelist> - -</refsection> - -<refsection><title>Environment</title> - -<variablelist> - - <varlistentry> - <term><envar>NIXOS_CONFIG</envar></term> + </varlistentry> + </variablelist> + </refsection> + <refsection> + <title>Environment</title> + <variablelist> + <varlistentry> + <term><envar>NIXOS_CONFIG</envar> + </term> <listitem> - <para>Path to the main NixOS configuration module. Defaults to - <filename>/etc/nixos/configuration.nix</filename>.</para> + <para> + Path to the main NixOS configuration module. Defaults to + <filename>/etc/nixos/configuration.nix</filename>. + </para> </listitem> - </varlistentry> - -</variablelist> - -</refsection> - - -<refsection><title>Examples</title> - -<para>Investigate option values: - + </varlistentry> + </variablelist> + </refsection> + <refsection> + <title>Examples</title> + <para> + Investigate option values: <screen>$ nixos-option boot.loader This attribute set contains: generationsDir @@ -119,16 +112,14 @@ Declared by: Defined by: "/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix" -</screen></para> - -</refsection> - -<refsection><title>Bugs</title> - -<para>The author listed in the following section is wrong. If there is any - other bug, please report to Nicolas Pierron.</para> - -</refsection> - - +</screen> + </para> + </refsection> + <refsection> + <title>Bugs</title> + <para> + The author listed in the following section is wrong. If there is any other + bug, please report to Nicolas Pierron. + </para> + </refsection> </refentry> diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index f74788353e67..e1a2c7108d18 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml @@ -1,399 +1,415 @@ <refentry xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - -<refmeta> - <refentrytitle><command>nixos-rebuild</command></refentrytitle> - <manvolnum>8</manvolnum> + <refmeta> + <refentrytitle><command>nixos-rebuild</command> + </refentrytitle><manvolnum>8</manvolnum> <refmiscinfo class="source">NixOS</refmiscinfo> - <!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> -</refmeta> - -<refnamediv> - <refname><command>nixos-rebuild</command></refname> - <refpurpose>reconfigure a NixOS machine</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>nixos-rebuild</command> - <group choice='req'> - <arg choice='plain'><option>switch</option></arg> - <arg choice='plain'><option>boot</option></arg> - <arg choice='plain'><option>test</option></arg> - <arg choice='plain'><option>build</option></arg> - <arg choice='plain'><option>dry-build</option></arg> - <arg choice='plain'><option>dry-activate</option></arg> - <arg choice='plain'><option>build-vm</option></arg> - <arg choice='plain'><option>build-vm-with-bootloader</option></arg> - </group> - <sbr /> - <arg><option>--upgrade</option></arg> - <arg><option>--install-bootloader</option></arg> - <arg><option>--no-build-nix</option></arg> - <arg><option>--fast</option></arg> - <arg><option>--rollback</option></arg> - <sbr /> - <arg> - <group choice='req'> - <arg choice='plain'><option>--profile-name</option></arg> - <arg choice='plain'><option>-p</option></arg> - </group> - <replaceable>name</replaceable> +<!-- <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo> --> + </refmeta> + <refnamediv> + <refname><command>nixos-rebuild</command> + </refname><refpurpose>reconfigure a NixOS machine</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis><command>nixos-rebuild</command><group choice='req'> + <arg choice='plain'><option>switch</option> + </arg> + <arg choice='plain'><option>boot</option> + </arg> + <arg choice='plain'><option>test</option> + </arg> + <arg choice='plain'><option>build</option> + </arg> + <arg choice='plain'><option>dry-build</option> + </arg> + <arg choice='plain'><option>dry-activate</option> + </arg> + <arg choice='plain'><option>build-vm</option> + </arg> + <arg choice='plain'><option>build-vm-with-bootloader</option> + </arg></group> + <sbr /> + <arg><option>--upgrade</option> + </arg> + <arg><option>--install-bootloader</option> + </arg> + <arg><option>--no-build-nix</option> + </arg> + <arg><option>--fast</option> + </arg> + <arg><option>--rollback</option> + </arg> + <sbr /> + <arg><group choice='req'> + <arg choice='plain'><option>--profile-name</option> </arg> - <sbr /> - <arg><option>--show-trace</option></arg> + <arg choice='plain'><option>-p</option> + </arg></group><replaceable>name</replaceable> + </arg> + <sbr /> + <arg><option>--show-trace</option> + </arg> </cmdsynopsis> -</refsynopsisdiv> - - -<refsection><title>Description</title> - -<para>This command updates the system so that it corresponds to the -configuration specified in -<filename>/etc/nixos/configuration.nix</filename>. Thus, every time -you modify <filename>/etc/nixos/configuration.nix</filename> or any -NixOS module, you must run <command>nixos-rebuild</command> to make -the changes take effect. It builds the new system in -<filename>/nix/store</filename>, runs its activation script, and stop -and (re)starts any system services if needed.</para> - -<para>This command has one required argument, which specifies the -desired operation. It must be one of the following: - -<variablelist> - - <varlistentry> - <term><option>switch</option></term> - <listitem> - <para>Build and activate the new configuration, and make it the - boot default. That is, the configuration is added to the GRUB - boot menu as the default menu entry, so that subsequent reboots - will boot the system into the new configuration. Previous - configurations activated with <command>nixos-rebuild - switch</command> or <command>nixos-rebuild boot</command> remain - available in the GRUB menu.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>boot</option></term> - <listitem> - <para>Build the new configuration and make it the boot default - (as with <command>nixos-rebuild switch</command>), but do not - activate it. That is, the system continues to run the previous - configuration until the next reboot.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>test</option></term> - <listitem> - <para>Build and activate the new configuration, but do not add - it to the GRUB boot menu. Thus, if you reboot the system (or if - it crashes), you will automatically revert to the default - configuration (i.e. the configuration resulting from the last - call to <command>nixos-rebuild switch</command> or - <command>nixos-rebuild boot</command>).</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>build</option></term> - <listitem> - <para>Build the new configuration, but neither activate it nor - add it to the GRUB boot menu. It leaves a symlink named - <filename>result</filename> in the current directory, which - points to the output of the top-level “system” derivation. This - is essentially the same as doing + </refsynopsisdiv> + <refsection> + <title>Description</title> + <para> + This command updates the system so that it corresponds to the configuration + specified in <filename>/etc/nixos/configuration.nix</filename>. Thus, every + time you modify <filename>/etc/nixos/configuration.nix</filename> or any + NixOS module, you must run <command>nixos-rebuild</command> to make the + changes take effect. It builds the new system in + <filename>/nix/store</filename>, runs its activation script, and stop and + (re)starts any system services if needed. + </para> + <para> + This command has one required argument, which specifies the desired + operation. It must be one of the following: + <variablelist> + <varlistentry> + <term><option>switch</option> + </term> + <listitem> + <para> + Build and activate the new configuration, and make it the boot default. + That is, the configuration is added to the GRUB boot menu as the default + menu entry, so that subsequent reboots will boot the system into the new + configuration. Previous configurations activated with + <command>nixos-rebuild switch</command> or <command>nixos-rebuild + boot</command> remain available in the GRUB menu. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>boot</option> + </term> + <listitem> + <para> + Build the new configuration and make it the boot default (as with + <command>nixos-rebuild switch</command>), but do not activate it. That + is, the system continues to run the previous configuration until the + next reboot. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>test</option> + </term> + <listitem> + <para> + Build and activate the new configuration, but do not add it to the GRUB + boot menu. Thus, if you reboot the system (or if it crashes), you will + automatically revert to the default configuration (i.e. the + configuration resulting from the last call to <command>nixos-rebuild + switch</command> or <command>nixos-rebuild boot</command>). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>build</option> + </term> + <listitem> + <para> + Build the new configuration, but neither activate it nor add it to the + GRUB boot menu. It leaves a symlink named <filename>result</filename> in + the current directory, which points to the output of the top-level + “system” derivation. This is essentially the same as doing <screen> $ nix-build /path/to/nixpkgs/nixos -A system </screen> - Note that you do not need to be <literal>root</literal> to run - <command>nixos-rebuild build</command>.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>dry-build</option></term> - <listitem> - <para>Show what store paths would be built or downloaded by any - of the operations above, but otherwise do nothing.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>dry-activate</option></term> - <listitem> - <para>Build the new configuration, but instead of activating it, - show what changes would be performed by the activation (i.e. by - <command>nixos-rebuild test</command>). For - instance, this command will print which systemd units would be - restarted. The list of changes is not guaranteed to be - complete.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>build-vm</option></term> - <listitem> - <para>Build a script that starts a NixOS virtual machine with - the desired configuration. It leaves a symlink - <filename>result</filename> in the current directory that points - (under - <filename>result/bin/run-<replaceable>hostname</replaceable>-vm</filename>) - at the script that starts the VM. Thus, to test a NixOS - configuration in a virtual machine, you should do the following: + Note that you do not need to be <literal>root</literal> to run + <command>nixos-rebuild build</command>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>dry-build</option> + </term> + <listitem> + <para> + Show what store paths would be built or downloaded by any of the + operations above, but otherwise do nothing. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>dry-activate</option> + </term> + <listitem> + <para> + Build the new configuration, but instead of activating it, show what + changes would be performed by the activation (i.e. by + <command>nixos-rebuild test</command>). For instance, this command will + print which systemd units would be restarted. The list of changes is not + guaranteed to be complete. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>build-vm</option> + </term> + <listitem> + <para> + Build a script that starts a NixOS virtual machine with the desired + configuration. It leaves a symlink <filename>result</filename> in the + current directory that points (under + <filename>result/bin/run-<replaceable>hostname</replaceable>-vm</filename>) + at the script that starts the VM. Thus, to test a NixOS configuration in + a virtual machine, you should do the following: <screen> $ nixos-rebuild build-vm $ ./result/bin/run-*-vm -</screen></para> - - <para>The VM is implemented using the <literal>qemu</literal> - package. For best performance, you should load the - <literal>kvm-intel</literal> or <literal>kvm-amd</literal> - kernel modules to get hardware virtualisation.</para> - - <para>The VM mounts the Nix store of the host through the 9P - file system. The host Nix store is read-only, so Nix commands - that modify the Nix store will not work in the VM. This - includes commands such as <command>nixos-rebuild</command>; to - change the VM’s configuration, you must halt the VM and re-run - the commands above. +</screen> </para> - - <para>The VM has its own <literal>ext3</literal> root file - system, which is automatically created when the VM is first - started, and is persistent across reboots of the VM. It is - stored in - <literal>./<replaceable>hostname</replaceable>.qcow2</literal>. - <!-- The entire file system hierarchy of the host is available in - the VM under <filename>/hostfs</filename>.--></para> - </listitem> - </varlistentry> - - <varlistentry> - <term><option>build-vm-with-bootloader</option></term> - <listitem> - <para>Like <option>build-vm</option>, but boots using the - regular boot loader of your configuration (e.g., GRUB 1 or 2), - rather than booting directly into the kernel and initial ramdisk - of the system. This allows you to test whether the boot loader - works correctly. However, it does not guarantee that your NixOS - configuration will boot successfully on the host hardware (i.e., - after running <command>nixos-rebuild switch</command>), because - the hardware and boot loader configuration in the VM are - different. The boot loader is installed on an automatically - generated virtual disk containing a <filename>/boot</filename> - partition, which is mounted read-only in the VM.</para> - </listitem> - </varlistentry> - -</variablelist> - -</para> - - -</refsection> - - -<refsection><title>Options</title> - -<para>This command accepts the following options:</para> - -<variablelist> - - <varlistentry> - <term><option>--upgrade</option></term> + <para> + The VM is implemented using the <literal>qemu</literal> package. For + best performance, you should load the <literal>kvm-intel</literal> or + <literal>kvm-amd</literal> kernel modules to get hardware + virtualisation. + </para> + <para> + The VM mounts the Nix store of the host through the 9P file system. The + host Nix store is read-only, so Nix commands that modify the Nix store + will not work in the VM. This includes commands such as + <command>nixos-rebuild</command>; to change the VM’s configuration, + you must halt the VM and re-run the commands above. + </para> + <para> + The VM has its own <literal>ext3</literal> root file system, which is + automatically created when the VM is first started, and is persistent + across reboots of the VM. It is stored in + <literal>./<replaceable>hostname</replaceable>.qcow2</literal>. +<!-- The entire file system hierarchy of the host is available in + the VM under <filename>/hostfs</filename>.--> + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><option>build-vm-with-bootloader</option> + </term> + <listitem> + <para> + Like <option>build-vm</option>, but boots using the regular boot loader + of your configuration (e.g., GRUB 1 or 2), rather than booting directly + into the kernel and initial ramdisk of the system. This allows you to + test whether the boot loader works correctly. However, it does not + guarantee that your NixOS configuration will boot successfully on the + host hardware (i.e., after running <command>nixos-rebuild + switch</command>), because the hardware and boot loader configuration in + the VM are different. The boot loader is installed on an automatically + generated virtual disk containing a <filename>/boot</filename> + partition, which is mounted read-only in the VM. + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + This command accepts the following options: + </para> + <variablelist> + <varlistentry> + <term><option>--upgrade</option> + </term> <listitem> - <para>Fetch the latest version of NixOS from the NixOS - channel.</para> + <para> + Fetch the latest version of NixOS from the NixOS channel. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--install-bootloader</option></term> + </varlistentry> + <varlistentry> + <term><option>--install-bootloader</option> + </term> <listitem> - <para>Causes the boot loader to be (re)installed on the - device specified by the relevant configuration options. - </para> + <para> + Causes the boot loader to be (re)installed on the device specified by the + relevant configuration options. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--no-build-nix</option></term> + </varlistentry> + <varlistentry> + <term><option>--no-build-nix</option> + </term> <listitem> - <para>Normally, <command>nixos-rebuild</command> first builds - the <varname>nixUnstable</varname> attribute in Nixpkgs, and - uses the resulting instance of the Nix package manager to build - the new system configuration. This is necessary if the NixOS - modules use features not provided by the currently installed - version of Nix. This option disables building a new Nix.</para> + <para> + Normally, <command>nixos-rebuild</command> first builds the + <varname>nixUnstable</varname> attribute in Nixpkgs, and uses the + resulting instance of the Nix package manager to build the new system + configuration. This is necessary if the NixOS modules use features not + provided by the currently installed version of Nix. This option disables + building a new Nix. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--fast</option></term> + </varlistentry> + <varlistentry> + <term><option>--fast</option> + </term> <listitem> - <para>Equivalent to <option>--no-build-nix</option> - <option>--show-trace</option>. This option is useful if you - call <command>nixos-rebuild</command> frequently (e.g. if you’re - hacking on a NixOS module).</para> + <para> + Equivalent to <option>--no-build-nix</option> + <option>--show-trace</option>. This option is useful if you call + <command>nixos-rebuild</command> frequently (e.g. if you’re hacking on + a NixOS module). + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--rollback</option></term> + </varlistentry> + <varlistentry> + <term><option>--rollback</option> + </term> <listitem> - <para>Instead of building a new configuration as specified by - <filename>/etc/nixos/configuration.nix</filename>, roll back to - the previous configuration. (The previous configuration is - defined as the one before the “current” generation of the - Nix profile <filename>/nix/var/nix/profiles/system</filename>.)</para> + <para> + Instead of building a new configuration as specified by + <filename>/etc/nixos/configuration.nix</filename>, roll back to the + previous configuration. (The previous configuration is defined as the one + before the “current” generation of the Nix profile + <filename>/nix/var/nix/profiles/system</filename>.) + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--profile-name</option></term> - <term><option>-p</option></term> + </varlistentry> + <varlistentry> + <term><option>--profile-name</option> + </term> + <term><option>-p</option> + </term> <listitem> - <para>Instead of using the Nix profile - <filename>/nix/var/nix/profiles/system</filename> to keep track - of the current and previous system configurations, use + <para> + Instead of using the Nix profile + <filename>/nix/var/nix/profiles/system</filename> to keep track of the + current and previous system configurations, use <filename>/nix/var/nix/profiles/system-profiles/<replaceable>name</replaceable></filename>. - When you use GRUB 2, for every system profile created with this - flag, NixOS will create a submenu named “NixOS - Profile - '<replaceable>name</replaceable>'” in GRUB’s boot menu, - containing the current and previous configurations of this - profile.</para> - - <para>For instance, if you want to test a configuration file - named <filename>test.nix</filename> without affecting the - default system profile, you would do: - + When you use GRUB 2, for every system profile created with this flag, + NixOS will create a submenu named “NixOS - Profile + '<replaceable>name</replaceable>'” in GRUB’s boot menu, containing + the current and previous configurations of this profile. + </para> + <para> + For instance, if you want to test a configuration file named + <filename>test.nix</filename> without affecting the default system + profile, you would do: <screen> $ nixos-rebuild switch -p test -I nixos-config=./test.nix </screen> - - The new configuration will appear in the GRUB 2 submenu “NixOS - Profile - 'test'”.</para> + The new configuration will appear in the GRUB 2 submenu “NixOS - + Profile 'test'”. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--build-host</option></term> + </varlistentry> + <varlistentry> + <term><option>--build-host</option> + </term> <listitem> - <para>Instead of building the new configuration locally, use the - specified host to perform the build. The host needs to be accessible - with ssh, and must be able to perform Nix builds. If the option + <para> + Instead of building the new configuration locally, use the specified host + to perform the build. The host needs to be accessible with ssh, and must + be able to perform Nix builds. If the option <option>--target-host</option> is not set, the build will be copied back - to the local machine when done.</para> - - <para>Note that, if <option>--no-build-nix</option> is not specified, - Nix will be built both locally and remotely. This is because the - configuration will always be evaluated locally even though the building - might be performed remotely.</para> - - <para>You can include a remote user name in - the host name (<replaceable>user@host</replaceable>). You can also set - ssh options by defining the <envar>NIX_SSHOPTS</envar> environment - variable.</para> + to the local machine when done. + </para> + <para> + Note that, if <option>--no-build-nix</option> is not specified, Nix will + be built both locally and remotely. This is because the configuration + will always be evaluated locally even though the building might be + performed remotely. + </para> + <para> + You can include a remote user name in the host name + (<replaceable>user@host</replaceable>). You can also set ssh options by + defining the <envar>NIX_SSHOPTS</envar> environment variable. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><option>--target-host</option></term> + </varlistentry> + <varlistentry> + <term><option>--target-host</option> + </term> <listitem> - <para>Specifies the NixOS target host. By setting this to something other - than <replaceable>localhost</replaceable>, the system activation will - happen on the remote host instead of the local machine. The remote host - needs to be accessible over ssh, and for the commands - <option>switch</option>, <option>boot</option> and <option>test</option> - you need root access.</para> - - <para>If <option>--build-host</option> is not explicitly - specified, <option>--build-host</option> will implicitly be set to the - same value as <option>--target-host</option>. So, if you only specify + <para> + Specifies the NixOS target host. By setting this to something other than + <replaceable>localhost</replaceable>, the system activation will happen + on the remote host instead of the local machine. The remote host needs to + be accessible over ssh, and for the commands <option>switch</option>, + <option>boot</option> and <option>test</option> you need root access. + </para> + <para> + If <option>--build-host</option> is not explicitly specified, + <option>--build-host</option> will implicitly be set to the same value as + <option>--target-host</option>. So, if you only specify <option>--target-host</option> both building and activation will take place remotely (and no build artifacts will be copied to the local - machine).</para> - - <para>You can include a remote user name in - the host name (<replaceable>user@host</replaceable>). You can also set - ssh options by defining the <envar>NIX_SSHOPTS</envar> environment - variable.</para> + machine). + </para> + <para> + You can include a remote user name in the host name + (<replaceable>user@host</replaceable>). You can also set ssh options by + defining the <envar>NIX_SSHOPTS</envar> environment variable. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + In addition, <command>nixos-rebuild</command> accepts various Nix-related + flags, including <option>--max-jobs</option> / <option>-j</option>, + <option>--show-trace</option>, <option>--keep-failed</option>, + <option>--keep-going</option> and <option>--verbose</option> / + <option>-v</option>. See the Nix manual for details. + </para> + </refsection> + <refsection> + <title>Environment</title> + <variablelist> + <varlistentry> + <term><envar>NIXOS_CONFIG</envar> + </term> + <listitem> + <para> + Path to the main NixOS configuration module. Defaults to + <filename>/etc/nixos/configuration.nix</filename>. + </para> </listitem> - </varlistentry> - -</variablelist> - -<para>In addition, <command>nixos-rebuild</command> accepts various -Nix-related flags, including <option>--max-jobs</option> / -<option>-j</option>, <option>--show-trace</option>, -<option>--keep-failed</option>, <option>--keep-going</option> and -<option>--verbose</option> / <option>-v</option>. See -the Nix manual for details.</para> - -</refsection> - - -<refsection><title>Environment</title> - -<variablelist> - - <varlistentry> - <term><envar>NIXOS_CONFIG</envar></term> + </varlistentry> + <varlistentry> + <term><envar>NIX_SSHOPTS</envar> + </term> <listitem> - <para>Path to the main NixOS configuration module. Defaults to - <filename>/etc/nixos/configuration.nix</filename>.</para> + <para> + Additional options to be passed to <command>ssh</command> on the command + line. + </para> </listitem> - </varlistentry> - - <varlistentry><term><envar>NIX_SSHOPTS</envar></term> - - <listitem><para>Additional options to be passed to - <command>ssh</command> on the command line.</para></listitem> - - </varlistentry> - -</variablelist> - -</refsection> - - -<refsection><title>Files</title> - -<variablelist> - - <varlistentry> - <term><filename>/run/current-system</filename></term> + </varlistentry> + </variablelist> + </refsection> + <refsection> + <title>Files</title> + <variablelist> + <varlistentry> + <term><filename>/run/current-system</filename> + </term> <listitem> - <para>A symlink to the currently active system configuration in - the Nix store.</para> + <para> + A symlink to the currently active system configuration in the Nix store. + </para> </listitem> - </varlistentry> - - <varlistentry> - <term><filename>/nix/var/nix/profiles/system</filename></term> + </varlistentry> + <varlistentry> + <term><filename>/nix/var/nix/profiles/system</filename> + </term> <listitem> - <para>The Nix profile that contains the current and previous - system configurations. Used to generate the GRUB boot - menu.</para> + <para> + The Nix profile that contains the current and previous system + configurations. Used to generate the GRUB boot menu. + </para> </listitem> - </varlistentry> - -</variablelist> - -</refsection> - - -<refsection><title>Bugs</title> - -<para>This command should be renamed to something more -descriptive.</para> - -</refsection> - - - + </varlistentry> + </variablelist> + </refsection> + <refsection> + <title>Bugs</title> + <para> + This command should be renamed to something more descriptive. + </para> + </refsection> </refentry> diff --git a/nixos/doc/manual/man-nixos-version.xml b/nixos/doc/manual/man-nixos-version.xml index 615d74f90908..c173bce19136 100644 --- a/nixos/doc/manual/man-nixos-version.xml +++ b/nixos/doc/manual/man-nixos-version.xml @@ -1,97 +1,102 @@ <refentry xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - -<refmeta> - <refentrytitle><command>nixos-version</command></refentrytitle> - <manvolnum>8</manvolnum> + <refmeta> + <refentrytitle><command>nixos-version</command> + </refentrytitle><manvolnum>8</manvolnum> <refmiscinfo class="source">NixOS</refmiscinfo> -</refmeta> - -<refnamediv> - <refname><command>nixos-version</command></refname> - <refpurpose>show the NixOS version</refpurpose> -</refnamediv> - -<refsynopsisdiv> - <cmdsynopsis> - <command>nixos-version</command> - <arg><option>--hash</option></arg> - <arg><option>--revision</option></arg> + </refmeta> + <refnamediv> + <refname><command>nixos-version</command> + </refname><refpurpose>show the NixOS version</refpurpose> + </refnamediv> + <refsynopsisdiv> + <cmdsynopsis><command>nixos-version</command> + <arg><option>--hash</option> + </arg> + <arg><option>--revision</option> + </arg> </cmdsynopsis> -</refsynopsisdiv> - -<refsection><title>Description</title> - -<para>This command shows the version of the currently active NixOS -configuration. For example: - + </refsynopsisdiv> + <refsection> + <title>Description</title> + <para> + This command shows the version of the currently active NixOS configuration. + For example: <screen>$ nixos-version 16.03.1011.6317da4 (Emu) </screen> - -The version consists of the following elements: - -<variablelist> - - <varlistentry> - <term><literal>16.03</literal></term> - <listitem><para>The NixOS release, indicating the year and month - in which it was released (e.g. March 2016).</para></listitem> - </varlistentry> - - <varlistentry> - <term><literal>1011</literal></term> - <listitem><para>The number of commits in the Nixpkgs Git - repository between the start of the release branch and the commit - from which this version was built. This ensures that NixOS - versions are monotonically increasing. It is - <literal>git</literal> when the current NixOS configuration was - built from a checkout of the Nixpkgs Git repository rather than - from a NixOS channel.</para></listitem> - </varlistentry> - - <varlistentry> - <term><literal>6317da4</literal></term> - <listitem><para>The first 7 characters of the commit in the - Nixpkgs Git repository from which this version was - built.</para></listitem> - </varlistentry> - - <varlistentry> - <term><literal>Emu</literal></term> - <listitem><para>The code name of the NixOS release. The first - letter of the code name indicates that this is the N'th stable - NixOS release; for example, Emu is the fifth - release.</para></listitem> - </varlistentry> - -</variablelist> - -</para> - -</refsection> - - -<refsection><title>Options</title> - -<para>This command accepts the following options:</para> - -<variablelist> - - <varlistentry> - <term><option>--hash</option></term> - <term><option>--revision</option></term> + The version consists of the following elements: + <variablelist> + <varlistentry> + <term><literal>16.03</literal> + </term> + <listitem> + <para> + The NixOS release, indicating the year and month in which it was + released (e.g. March 2016). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>1011</literal> + </term> + <listitem> + <para> + The number of commits in the Nixpkgs Git repository between the start of + the release branch and the commit from which this version was built. + This ensures that NixOS versions are monotonically increasing. It is + <literal>git</literal> when the current NixOS configuration was built + from a checkout of the Nixpkgs Git repository rather than from a NixOS + channel. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>6317da4</literal> + </term> + <listitem> + <para> + The first 7 characters of the commit in the Nixpkgs Git repository from + which this version was built. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><literal>Emu</literal> + </term> + <listitem> + <para> + The code name of the NixOS release. The first letter of the code name + indicates that this is the N'th stable NixOS release; for example, Emu + is the fifth release. + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + </refsection> + <refsection> + <title>Options</title> + <para> + This command accepts the following options: + </para> + <variablelist> + <varlistentry> + <term><option>--hash</option> + </term> + <term><option>--revision</option> + </term> <listitem> - <para>Show the full SHA1 hash of the Git commit from which this - configuration was built, e.g. + <para> + Show the full SHA1 hash of the Git commit from which this configuration + was built, e.g. <screen>$ nixos-version --hash 6317da40006f6bc2480c6781999c52d88dde2acf </screen> - </para> + </para> </listitem> - </varlistentry> -</variablelist> - -</refsection> + </varlistentry> + </variablelist> + </refsection> </refentry> diff --git a/nixos/doc/manual/man-pages.xml b/nixos/doc/manual/man-pages.xml index e945e0e62639..0390dda6468f 100644 --- a/nixos/doc/manual/man-pages.xml +++ b/nixos/doc/manual/man-pages.xml @@ -1,32 +1,20 @@ <reference xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> - - <title>NixOS Reference Pages</title> - - <info> - - <author> - <personname> - <firstname>Eelco</firstname> - <surname>Dolstra</surname> - </personname> - <contrib>Author</contrib> - </author> - - <copyright> - <year>2007-2015</year> - <holder>Eelco Dolstra</holder> - </copyright> - - </info> - - <xi:include href="man-configuration.xml" /> - <xi:include href="man-nixos-build-vms.xml" /> - <xi:include href="man-nixos-generate-config.xml" /> - <xi:include href="man-nixos-install.xml" /> - <xi:include href="man-nixos-option.xml" /> - <xi:include href="man-nixos-rebuild.xml" /> - <xi:include href="man-nixos-version.xml" /> - + <title>NixOS Reference Pages</title> + <info> + <author><personname><firstname>Eelco</firstname><surname>Dolstra</surname></personname> + <contrib>Author</contrib> + </author> + <copyright><year>2007-2018</year><holder>Eelco Dolstra</holder> + </copyright> + </info> + <xi:include href="man-configuration.xml" /> + <xi:include href="man-nixos-build-vms.xml" /> + <xi:include href="man-nixos-generate-config.xml" /> + <xi:include href="man-nixos-install.xml" /> + <xi:include href="man-nixos-enter.xml" /> + <xi:include href="man-nixos-option.xml" /> + <xi:include href="man-nixos-rebuild.xml" /> + <xi:include href="man-nixos-version.xml" /> </reference> diff --git a/nixos/doc/manual/manual.xml b/nixos/doc/manual/manual.xml index 9aa332f026da..61b21203f500 100644 --- a/nixos/doc/manual/manual.xml +++ b/nixos/doc/manual/manual.xml @@ -3,45 +3,46 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="book-nixos-manual"> - - <info> - <title>NixOS Manual</title> - <subtitle>Version <xi:include href="version" parse="text" /></subtitle> - </info> - - <preface> - <title>Preface</title> - - <para>This manual describes how to install, use and extend NixOS, - a Linux distribution based on the purely functional package - management system Nix.</para> - - <para>If you encounter problems, please report them on the - <literal + <info> + <title>NixOS Manual</title> + <subtitle>Version <xi:include href="./generated/version" parse="text" /> + </subtitle> + </info> + <preface> + <title>Preface</title> + <para> + This manual describes how to install, use and extend NixOS, a Linux + distribution based on the purely functional package management system Nix. + </para> + <para> + If you encounter problems, please report them on the + <literal xlink:href="https://groups.google.com/forum/#!forum/nix-devel">nix-devel</literal> - mailing list or on the <link + mailing list or on the <link xlink:href="irc://irc.freenode.net/#nixos"> - <literal>#nixos</literal> channel on Freenode</link>. Bugs should - be reported in <link - xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS’ GitHub - issue tracker</link>.</para> - - <note><para>Commands prefixed with <literal>#</literal> have to be run as - root, either requiring to login as root user or temporarily switching - to it using <literal>sudo</literal> for example.</para></note> - </preface> - - <xi:include href="installation/installation.xml" /> - <xi:include href="configuration/configuration.xml" /> - <xi:include href="administration/running.xml" /> - <!-- <xi:include href="userconfiguration.xml" /> --> - <xi:include href="development/development.xml" /> - - <appendix xml:id="ch-options"> - <title>Configuration Options</title> - <xi:include href="options-db.xml" /> - </appendix> - - <xi:include href="release-notes/release-notes.xml" /> - + <literal>#nixos</literal> channel on Freenode</link>. Bugs should be + reported in + <link + xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS’ + GitHub issue tracker</link>. + </para> + <note> + <para> + Commands prefixed with <literal>#</literal> have to be run as root, either + requiring to login as root user or temporarily switching to it using + <literal>sudo</literal> for example. + </para> + </note> + </preface> + <xi:include href="installation/installation.xml" /> + <xi:include href="configuration/configuration.xml" /> + <xi:include href="administration/running.xml" /> +<!-- <xi:include href="userconfiguration.xml" /> --> + <xi:include href="development/development.xml" /> + <appendix xml:id="ch-options"> + <title>Configuration Options</title> + <xi:include href="./generated/options-db.xml" + xpointer="configuration-variable-list" /> + </appendix> + <xi:include href="release-notes/release-notes.xml" /> </book> diff --git a/nixos/doc/manual/options-to-docbook.xsl b/nixos/doc/manual/options-to-docbook.xsl index 7b45b233ab2a..43a69806a2b0 100644 --- a/nixos/doc/manual/options-to-docbook.xsl +++ b/nixos/doc/manual/options-to-docbook.xsl @@ -15,9 +15,9 @@ <xsl:template match="/expr/list"> - - <variablelist> - + <appendix> + <title>Configuration Options</title> + <variablelist xml:id="configuration-variable-list"> <xsl:for-each select="attrs"> <xsl:variable name="id" select="concat('opt-', str:replace(str:replace(str:replace(str:replace(attr[@name = 'name']/string/@value, '*', '_'), '<', '_'), '>', '_'), '?', '_'))" /> <varlistentry> @@ -100,7 +100,7 @@ </xsl:for-each> </variablelist> - + </appendix> </xsl:template> diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml index 5ed56bde6659..94f176186b6e 100644 --- a/nixos/doc/manual/release-notes/release-notes.xml +++ b/nixos/doc/manual/release-notes/release-notes.xml @@ -3,20 +3,19 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="ch-release-notes"> - -<title>Release Notes</title> - -<para>This section lists the release notes for each stable version of NixOS -and current unstable revision.</para> - -<xi:include href="rl-1803.xml" /> -<xi:include href="rl-1709.xml" /> -<xi:include href="rl-1703.xml" /> -<xi:include href="rl-1609.xml" /> -<xi:include href="rl-1603.xml" /> -<xi:include href="rl-1509.xml" /> -<xi:include href="rl-1412.xml" /> -<xi:include href="rl-1404.xml" /> -<xi:include href="rl-1310.xml" /> - + <title>Release Notes</title> + <para> + This section lists the release notes for each stable version of NixOS and + current unstable revision. + </para> + <xi:include href="rl-1809.xml" /> + <xi:include href="rl-1803.xml" /> + <xi:include href="rl-1709.xml" /> + <xi:include href="rl-1703.xml" /> + <xi:include href="rl-1609.xml" /> + <xi:include href="rl-1603.xml" /> + <xi:include href="rl-1509.xml" /> + <xi:include href="rl-1412.xml" /> + <xi:include href="rl-1404.xml" /> + <xi:include href="rl-1310.xml" /> </appendix> diff --git a/nixos/doc/manual/release-notes/rl-1310.xml b/nixos/doc/manual/release-notes/rl-1310.xml index 583912d70738..248bab70c36b 100644 --- a/nixos/doc/manual/release-notes/rl-1310.xml +++ b/nixos/doc/manual/release-notes/rl-1310.xml @@ -3,9 +3,9 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-13.10"> + <title>Release 13.10 (“Aardvark”, 2013/10/31)</title> -<title>Release 13.10 (“Aardvark”, 2013/10/31)</title> - -<para>This is the first stable release branch of NixOS.</para> - + <para> + This is the first stable release branch of NixOS. + </para> </section> diff --git a/nixos/doc/manual/release-notes/rl-1404.xml b/nixos/doc/manual/release-notes/rl-1404.xml index 137caf14cba2..8d8cea4303a3 100644 --- a/nixos/doc/manual/release-notes/rl-1404.xml +++ b/nixos/doc/manual/release-notes/rl-1404.xml @@ -3,158 +3,177 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-14.04"> - -<title>Release 14.04 (“Baboon”, 2014/04/30)</title> - -<para>This is the second stable release branch of NixOS. In addition -to numerous new and upgraded packages and modules, this release has -the following highlights: - -<itemizedlist> - - <listitem><para>Installation on UEFI systems is now supported. See - <xref linkend="sec-installation"/> for - details.</para></listitem> - - <listitem><para>Systemd has been updated to version 212, which has - <link xlink:href="http://cgit.freedesktop.org/systemd/systemd/plain/NEWS?id=v212">numerous - improvements</link>. NixOS now automatically starts systemd user - instances when you log in. You can define global user units through - the <option>systemd.unit.*</option> options.</para></listitem> - - <listitem><para>NixOS is now based on Glibc 2.19 and GCC - 4.8.</para></listitem> - - <listitem><para>The default Linux kernel has been updated to - 3.12.</para></listitem> - - <listitem><para>KDE has been updated to 4.12.</para></listitem> - - <listitem><para>GNOME 3.10 experimental support has been added.</para></listitem> - - <listitem><para>Nix has been updated to 1.7 (<link - xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>).</para></listitem> - - <listitem><para>NixOS now supports fully declarative management of - users and groups. If you set <option>users.mutableUsers</option> to - <literal>false</literal>, then the contents of - <filename>/etc/passwd</filename> and <filename>/etc/group</filename> - will be <link + <title>Release 14.04 (“Baboon”, 2014/04/30)</title> + + <para> + This is the second stable release branch of NixOS. In addition to numerous + new and upgraded packages and modules, this release has the following + highlights: + <itemizedlist> + <listitem> + <para> + Installation on UEFI systems is now supported. See + <xref linkend="sec-installation"/> for details. + </para> + </listitem> + <listitem> + <para> + Systemd has been updated to version 212, which has + <link xlink:href="http://cgit.freedesktop.org/systemd/systemd/plain/NEWS?id=v212">numerous + improvements</link>. NixOS now automatically starts systemd user instances + when you log in. You can define global user units through the + <option>systemd.unit.*</option> options. + </para> + </listitem> + <listitem> + <para> + NixOS is now based on Glibc 2.19 and GCC 4.8. + </para> + </listitem> + <listitem> + <para> + The default Linux kernel has been updated to 3.12. + </para> + </listitem> + <listitem> + <para> + KDE has been updated to 4.12. + </para> + </listitem> + <listitem> + <para> + GNOME 3.10 experimental support has been added. + </para> + </listitem> + <listitem> + <para> + Nix has been updated to 1.7 + (<link + xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>). + </para> + </listitem> + <listitem> + <para> + NixOS now supports fully declarative management of users and groups. If + you set <option>users.mutableUsers</option> to <literal>false</literal>, + then the contents of <filename>/etc/passwd</filename> and + <filename>/etc/group</filename> will be + <link xlink:href="https://www.usenix.org/legacy/event/lisa02/tech/full_papers/traugott/traugott_html/">congruent</link> - to your NixOS configuration. For instance, if you remove a user from - <option>users.extraUsers</option> and run - <command>nixos-rebuild</command>, the user account will cease to - exist. Also, imperative commands for managing users and groups, such - as <command>useradd</command>, are no longer available. If - <option>users.mutableUsers</option> is <literal>true</literal> (the - default), then behaviour is unchanged from NixOS - 13.10.</para></listitem> - - <listitem><para>NixOS now has basic container support, meaning you - can easily run a NixOS instance as a container in a NixOS host - system. These containers are suitable for testing and - experimentation but not production use, since they’re not fully - isolated from the host. See <xref linkend="ch-containers"/> for - details.</para></listitem> - - <listitem><para>Systemd units provided by packages can now be - overridden from the NixOS configuration. For instance, if a package - <literal>foo</literal> provides systemd units, you can say: - + to your NixOS configuration. For instance, if you remove a user from + <option>users.extraUsers</option> and run + <command>nixos-rebuild</command>, the user account will cease to exist. + Also, imperative commands for managing users and groups, such as + <command>useradd</command>, are no longer available. If + <option>users.mutableUsers</option> is <literal>true</literal> (the + default), then behaviour is unchanged from NixOS 13.10. + </para> + </listitem> + <listitem> + <para> + NixOS now has basic container support, meaning you can easily run a NixOS + instance as a container in a NixOS host system. These containers are + suitable for testing and experimentation but not production use, since + they’re not fully isolated from the host. See + <xref linkend="ch-containers"/> for details. + </para> + </listitem> + <listitem> + <para> + Systemd units provided by packages can now be overridden from the NixOS + configuration. For instance, if a package <literal>foo</literal> provides + systemd units, you can say: <programlisting> systemd.packages = [ pkgs.foo ]; </programlisting> - - to enable those units. You can then set or override unit options in - the usual way, e.g. - + to enable those units. You can then set or override unit options in the + usual way, e.g. <programlisting> systemd.services.foo.wantedBy = [ "multi-user.target" ]; systemd.services.foo.serviceConfig.MemoryLimit = "512M"; </programlisting> - - </para></listitem> - -</itemizedlist> - -</para> - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes: - -<itemizedlist> - - <listitem><para>Nixpkgs no longer exposes unfree packages by - default. If your NixOS configuration requires unfree packages from - Nixpkgs, you need to enable support for them explicitly by setting: - + </para> + </listitem> + </itemizedlist> + </para> + + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + <itemizedlist> + <listitem> + <para> + Nixpkgs no longer exposes unfree packages by default. If your NixOS + configuration requires unfree packages from Nixpkgs, you need to enable + support for them explicitly by setting: <programlisting> nixpkgs.config.allowUnfree = true; </programlisting> - - Otherwise, you get an error message such as: - + Otherwise, you get an error message such as: <screen> error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’ has an unfree license, refusing to evaluate </screen> - - </para></listitem> - - <listitem><para>The Adobe Flash player is no longer enabled by - default in the Firefox and Chromium wrappers. To enable it, you must - set: - + </para> + </listitem> + <listitem> + <para> + The Adobe Flash player is no longer enabled by default in the Firefox and + Chromium wrappers. To enable it, you must set: <programlisting> nixpkgs.config.allowUnfree = true; nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium </programlisting> - - </para></listitem> - - <listitem><para>The firewall is now enabled by default. If you don’t - want this, you need to disable it explicitly: - + </para> + </listitem> + <listitem> + <para> + The firewall is now enabled by default. If you don’t want this, you need + to disable it explicitly: <programlisting> networking.firewall.enable = false; </programlisting> - - </para></listitem> - - <listitem><para>The option - <option>boot.loader.grub.memtest86</option> has been renamed to - <option>boot.loader.grub.memtest86.enable</option>.</para></listitem> - - <listitem><para>The <literal>mysql55</literal> service has been - merged into the <literal>mysql</literal> service, which no longer - sets a default for the option - <option>services.mysql.package</option>.</para></listitem> - - <listitem><para>Package variants are now differentiated by suffixing - the name, rather than the version. For instance, - <filename>sqlite-3.8.4.3-interactive</filename> is now called - <filename>sqlite-interactive-3.8.4.3</filename>. This ensures that - <literal>nix-env -i sqlite</literal> is unambiguous, and that - <literal>nix-env -u</literal> won’t “upgrade” - <literal>sqlite</literal> to <literal>sqlite-interactive</literal> - or vice versa. Notably, this change affects the Firefox wrapper - (which provides plugins), as it is now called - <literal>firefox-wrapper</literal>. So when using - <command>nix-env</command>, you should do <literal>nix-env -e - firefox; nix-env -i firefox-wrapper</literal> if you want to keep - using the wrapper. This change does not affect declarative package - management, since attribute names like - <literal>pkgs.firefoxWrapper</literal> were already - unambiguous.</para></listitem> - - <listitem><para>The symlink <filename>/etc/ca-bundle.crt</filename> - is gone. Programs should instead use the environment variable - <envar>OPENSSL_X509_CERT_FILE</envar> (which points to - <filename>/etc/ssl/certs/ca-bundle.crt</filename>).</para></listitem> - -</itemizedlist> - -</para> - + </para> + </listitem> + <listitem> + <para> + The option <option>boot.loader.grub.memtest86</option> has been renamed to + <option>boot.loader.grub.memtest86.enable</option>. + </para> + </listitem> + <listitem> + <para> + The <literal>mysql55</literal> service has been merged into the + <literal>mysql</literal> service, which no longer sets a default for the + option <option>services.mysql.package</option>. + </para> + </listitem> + <listitem> + <para> + Package variants are now differentiated by suffixing the name, rather than + the version. For instance, <filename>sqlite-3.8.4.3-interactive</filename> + is now called <filename>sqlite-interactive-3.8.4.3</filename>. This + ensures that <literal>nix-env -i sqlite</literal> is unambiguous, and that + <literal>nix-env -u</literal> won’t “upgrade” + <literal>sqlite</literal> to <literal>sqlite-interactive</literal> or vice + versa. Notably, this change affects the Firefox wrapper (which provides + plugins), as it is now called <literal>firefox-wrapper</literal>. So when + using <command>nix-env</command>, you should do <literal>nix-env -e + firefox; nix-env -i firefox-wrapper</literal> if you want to keep using + the wrapper. This change does not affect declarative package management, + since attribute names like <literal>pkgs.firefoxWrapper</literal> were + already unambiguous. + </para> + </listitem> + <listitem> + <para> + The symlink <filename>/etc/ca-bundle.crt</filename> is gone. Programs + should instead use the environment variable + <envar>OPENSSL_X509_CERT_FILE</envar> (which points to + <filename>/etc/ssl/certs/ca-bundle.crt</filename>). + </para> + </listitem> + </itemizedlist> + </para> </section> diff --git a/nixos/doc/manual/release-notes/rl-1412.xml b/nixos/doc/manual/release-notes/rl-1412.xml index 42b51cd4a8ef..4d93aa644c1d 100644 --- a/nixos/doc/manual/release-notes/rl-1412.xml +++ b/nixos/doc/manual/release-notes/rl-1412.xml @@ -3,175 +3,465 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-14.12"> + <title>Release 14.12 (“Caterpillar”, 2014/12/30)</title> -<title>Release 14.12 (“Caterpillar”, 2014/12/30)</title> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + <itemizedlist> + <listitem> + <para> + Systemd has been updated to version 217, which has numerous + <link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165"> + Nix has been updated to 1.8.</link> + </para> + </listitem> + <listitem> + <para> + NixOS is now based on Glibc 2.20. + </para> + </listitem> + <listitem> + <para> + KDE has been updated to 4.14. + </para> + </listitem> + <listitem> + <para> + The default Linux kernel has been updated to 3.14. + </para> + </listitem> + <listitem> + <para> + If <option>users.mutableUsers</option> is enabled (the default), changes + made to the declaration of a user or group will be correctly realised when + running <command>nixos-rebuild</command>. For instance, removing a user + specification from <filename>configuration.nix</filename> will cause the + actual user account to be deleted. If <option>users.mutableUsers</option> + is disabled, it is no longer necessary to specify UIDs or GIDs; if + omitted, they are allocated dynamically. + </para> + </listitem> + </itemizedlist> + </para> -<para>In addition to numerous new and upgraded packages, this release has the following highlights: + <para> + Following new services were added since the last release: + <itemizedlist> + <listitem> + <para> + <literal>atftpd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>bosun</literal> + </para> + </listitem> + <listitem> + <para> + <literal>bspwm</literal> + </para> + </listitem> + <listitem> + <para> + <literal>chronos</literal> + </para> + </listitem> + <listitem> + <para> + <literal>collectd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>consul</literal> + </para> + </listitem> + <listitem> + <para> + <literal>cpuminer-cryptonight</literal> + </para> + </listitem> + <listitem> + <para> + <literal>crashplan</literal> + </para> + </listitem> + <listitem> + <para> + <literal>dnscrypt-proxy</literal> + </para> + </listitem> + <listitem> + <para> + <literal>docker-registry</literal> + </para> + </listitem> + <listitem> + <para> + <literal>docker</literal> + </para> + </listitem> + <listitem> + <para> + <literal>etcd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fail2ban</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fcgiwrap</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fleet</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fluxbox</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gdm</literal> + </para> + </listitem> + <listitem> + <para> + <literal>geoclue2</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gitlab</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gitolite</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.gnome-documents</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.gnome-online-miners</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.gvfs</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.seahorse</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hbase</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i2pd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>influxdb</literal> + </para> + </listitem> + <listitem> + <para> + <literal>kubernetes</literal> + </para> + </listitem> + <listitem> + <para> + <literal>liquidsoap</literal> + </para> + </listitem> + <listitem> + <para> + <literal>lxc</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mailpile</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mesos</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mlmmj</literal> + </para> + </listitem> + <listitem> + <para> + <literal>monetdb</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mopidy</literal> + </para> + </listitem> + <listitem> + <para> + <literal>neo4j</literal> + </para> + </listitem> + <listitem> + <para> + <literal>nsd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>openntpd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>opentsdb</literal> + </para> + </listitem> + <listitem> + <para> + <literal>openvswitch</literal> + </para> + </listitem> + <listitem> + <para> + <literal>parallels-guest</literal> + </para> + </listitem> + <listitem> + <para> + <literal>peerflix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>phd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>polipo</literal> + </para> + </listitem> + <listitem> + <para> + <literal>prosody</literal> + </para> + </listitem> + <listitem> + <para> + <literal>radicale</literal> + </para> + </listitem> + <listitem> + <para> + <literal>redmine</literal> + </para> + </listitem> + <listitem> + <para> + <literal>riemann</literal> + </para> + </listitem> + <listitem> + <para> + <literal>scollector</literal> + </para> + </listitem> + <listitem> + <para> + <literal>seeks</literal> + </para> + </listitem> + <listitem> + <para> + <literal>siproxd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>strongswan</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tcsd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>teamspeak3</literal> + </para> + </listitem> + <listitem> + <para> + <literal>thermald</literal> + </para> + </listitem> + <listitem> + <para> + <literal>torque/mrom</literal> + </para> + </listitem> + <listitem> + <para> + <literal>torque/server</literal> + </para> + </listitem> + <listitem> + <para> + <literal>uhub</literal> + </para> + </listitem> + <listitem> + <para> + <literal>unifi</literal> + </para> + </listitem> + <listitem> + <para> + <literal>znc</literal> + </para> + </listitem> + <listitem> + <para> + <literal>zookeeper</literal> + </para> + </listitem> + </itemizedlist> + </para> -<itemizedlist> - -<listitem><para>Systemd has been updated to version 217, which has numerous -<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link></para></listitem> - -<listitem><para><link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165"> -Nix has been updated to 1.8.</link></para></listitem> - -<listitem><para>NixOS is now based on Glibc 2.20.</para></listitem> - -<listitem><para>KDE has been updated to 4.14.</para></listitem> - -<listitem><para>The default Linux kernel has been updated to 3.14.</para></listitem> - -<listitem><para>If <option>users.mutableUsers</option> is enabled (the -default), changes made to the declaration of a user or group will be -correctly realised when running <command>nixos-rebuild</command>. For -instance, removing a user specification from -<filename>configuration.nix</filename> will cause the actual user -account to be deleted. If <option>users.mutableUsers</option> is -disabled, it is no longer necessary to specify UIDs or GIDs; if -omitted, they are allocated dynamically.</para></listitem> - -</itemizedlist></para> - -<para>Following new services were added since the last release: - -<itemizedlist> -<listitem><para><literal>atftpd</literal></para></listitem> -<listitem><para><literal>bosun</literal></para></listitem> -<listitem><para><literal>bspwm</literal></para></listitem> -<listitem><para><literal>chronos</literal></para></listitem> -<listitem><para><literal>collectd</literal></para></listitem> -<listitem><para><literal>consul</literal></para></listitem> -<listitem><para><literal>cpuminer-cryptonight</literal></para></listitem> -<listitem><para><literal>crashplan</literal></para></listitem> -<listitem><para><literal>dnscrypt-proxy</literal></para></listitem> -<listitem><para><literal>docker-registry</literal></para></listitem> -<listitem><para><literal>docker</literal></para></listitem> -<listitem><para><literal>etcd</literal></para></listitem> -<listitem><para><literal>fail2ban</literal></para></listitem> -<listitem><para><literal>fcgiwrap</literal></para></listitem> -<listitem><para><literal>fleet</literal></para></listitem> -<listitem><para><literal>fluxbox</literal></para></listitem> -<listitem><para><literal>gdm</literal></para></listitem> -<listitem><para><literal>geoclue2</literal></para></listitem> -<listitem><para><literal>gitlab</literal></para></listitem> -<listitem><para><literal>gitolite</literal></para></listitem> -<listitem><para><literal>gnome3.gnome-documents</literal></para></listitem> -<listitem><para><literal>gnome3.gnome-online-miners</literal></para></listitem> -<listitem><para><literal>gnome3.gvfs</literal></para></listitem> -<listitem><para><literal>gnome3.seahorse</literal></para></listitem> -<listitem><para><literal>hbase</literal></para></listitem> -<listitem><para><literal>i2pd</literal></para></listitem> -<listitem><para><literal>influxdb</literal></para></listitem> -<listitem><para><literal>kubernetes</literal></para></listitem> -<listitem><para><literal>liquidsoap</literal></para></listitem> -<listitem><para><literal>lxc</literal></para></listitem> -<listitem><para><literal>mailpile</literal></para></listitem> -<listitem><para><literal>mesos</literal></para></listitem> -<listitem><para><literal>mlmmj</literal></para></listitem> -<listitem><para><literal>monetdb</literal></para></listitem> -<listitem><para><literal>mopidy</literal></para></listitem> -<listitem><para><literal>neo4j</literal></para></listitem> -<listitem><para><literal>nsd</literal></para></listitem> -<listitem><para><literal>openntpd</literal></para></listitem> -<listitem><para><literal>opentsdb</literal></para></listitem> -<listitem><para><literal>openvswitch</literal></para></listitem> -<listitem><para><literal>parallels-guest</literal></para></listitem> -<listitem><para><literal>peerflix</literal></para></listitem> -<listitem><para><literal>phd</literal></para></listitem> -<listitem><para><literal>polipo</literal></para></listitem> -<listitem><para><literal>prosody</literal></para></listitem> -<listitem><para><literal>radicale</literal></para></listitem> -<listitem><para><literal>redmine</literal></para></listitem> -<listitem><para><literal>riemann</literal></para></listitem> -<listitem><para><literal>scollector</literal></para></listitem> -<listitem><para><literal>seeks</literal></para></listitem> -<listitem><para><literal>siproxd</literal></para></listitem> -<listitem><para><literal>strongswan</literal></para></listitem> -<listitem><para><literal>tcsd</literal></para></listitem> -<listitem><para><literal>teamspeak3</literal></para></listitem> -<listitem><para><literal>thermald</literal></para></listitem> -<listitem><para><literal>torque/mrom</literal></para></listitem> -<listitem><para><literal>torque/server</literal></para></listitem> -<listitem><para><literal>uhub</literal></para></listitem> -<listitem><para><literal>unifi</literal></para></listitem> -<listitem><para><literal>znc</literal></para></listitem> -<listitem><para><literal>zookeeper</literal></para></listitem> -</itemizedlist> -</para> - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes: - -<itemizedlist> - -<listitem><para>The default version of Apache httpd is now 2.4. If -you use the <option>extraConfig</option> option to pass literal -Apache configuration text, you may need to update it — see <link + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + <itemizedlist> + <listitem> + <para> + The default version of Apache httpd is now 2.4. If you use the + <option>extraConfig</option> option to pass literal Apache configuration + text, you may need to update it — see + <link xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s -documentation</link> for details. If you wish to continue to use -httpd 2.2, add the following line to your NixOS configuration: - + documentation</link> for details. If you wish to continue to use httpd + 2.2, add the following line to your NixOS configuration: <programlisting> services.httpd.package = pkgs.apacheHttpd_2_2; </programlisting> - -</para></listitem> - -<listitem><para>PHP 5.3 has been removed because it is no longer -supported by the PHP project. A <link -xlink:href="http://php.net/migration54">migration guide</link> is -available.</para></listitem> - -<listitem><para>The host side of a container virtual Ethernet pair -is now called <literal>ve-<replaceable>container-name</replaceable></literal> -rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem> - -<listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem> - -<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users -may be required to run <command>rm -rf /tmp/.vbox*</command>. The line -<literal>imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]</literal> is -no longer necessary, use <literal>services.virtualboxHost.enable = -true</literal> instead. -</para> -<para>Also, hardening mode is now enabled by default, which means that unless you want to use -USB support, you no longer need to be a member of the <literal>vboxusers</literal> group. -</para></listitem> - -<listitem><para>Chromium has been updated to 39.0.2171.65. <option>enablePepperPDF</option> is now enabled by default. -<literal>chromium*Wrapper</literal> packages no longer exist, because upstream removed NSAPI support. -<literal>chromium-stable</literal> has been renamed to <literal>chromium</literal>. -</para></listitem> - -<listitem><para>Python packaging documentation is now part of nixpkgs manual. To override -the python packages available to a custom python you now use <literal>pkgs.pythonFull.buildEnv.override</literal> -instead of <literal>pkgs.pythonFull.override</literal>. -</para></listitem> - -<listitem><para><literal>boot.resumeDevice = "8:6"</literal> is no longer supported. Most users will -want to leave it undefined, which takes the swap partitions automatically. There is an evaluation -assertion to ensure that the string starts with a slash. -</para></listitem> - -<listitem><para>The system-wide default timezone for NixOS installations -changed from <literal>CET</literal> to <literal>UTC</literal>. To choose -a different timezone for your system, configure -<literal>time.timeZone</literal> in -<literal>configuration.nix</literal>. A fairly complete list of possible -values for that setting is available at <link -xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</para></listitem> - -<listitem><para>GNU screen has been updated to 4.2.1, which breaks -the ability to connect to sessions created by older versions of -screen.</para></listitem> - -<listitem><para>The Intel GPU driver was updated to the 3.x prerelease -version (used by most distributions) and supports DRI3 -now.</para></listitem> - -</itemizedlist> - -</para> - + </para> + </listitem> + <listitem> + <para> + PHP 5.3 has been removed because it is no longer supported by the PHP + project. A <link +xlink:href="http://php.net/migration54">migration + guide</link> is available. + </para> + </listitem> + <listitem> + <para> + The host side of a container virtual Ethernet pair is now called + <literal>ve-<replaceable>container-name</replaceable></literal> rather + than <literal>c-<replaceable>container-name</replaceable></literal>. + </para> + </listitem> + <listitem> + <para> + GNOME 3.10 support has been dropped. The default GNOME version is now + 3.12. + </para> + </listitem> + <listitem> + <para> + VirtualBox has been upgraded to 4.3.20 release. Users may be required to + run <command>rm -rf /tmp/.vbox*</command>. The line <literal>imports = [ + <nixpkgs/nixos/modules/programs/virtualbox.nix> ]</literal> is no + longer necessary, use <literal>services.virtualboxHost.enable = + true</literal> instead. + </para> + <para> + Also, hardening mode is now enabled by default, which means that unless + you want to use USB support, you no longer need to be a member of the + <literal>vboxusers</literal> group. + </para> + </listitem> + <listitem> + <para> + Chromium has been updated to 39.0.2171.65. + <option>enablePepperPDF</option> is now enabled by default. + <literal>chromium*Wrapper</literal> packages no longer exist, because + upstream removed NSAPI support. <literal>chromium-stable</literal> has + been renamed to <literal>chromium</literal>. + </para> + </listitem> + <listitem> + <para> + Python packaging documentation is now part of nixpkgs manual. To override + the python packages available to a custom python you now use + <literal>pkgs.pythonFull.buildEnv.override</literal> instead of + <literal>pkgs.pythonFull.override</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>boot.resumeDevice = "8:6"</literal> is no longer supported. Most + users will want to leave it undefined, which takes the swap partitions + automatically. There is an evaluation assertion to ensure that the string + starts with a slash. + </para> + </listitem> + <listitem> + <para> + The system-wide default timezone for NixOS installations changed from + <literal>CET</literal> to <literal>UTC</literal>. To choose a different + timezone for your system, configure <literal>time.timeZone</literal> in + <literal>configuration.nix</literal>. A fairly complete list of possible + values for that setting is available at + <link +xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>. + </para> + </listitem> + <listitem> + <para> + GNU screen has been updated to 4.2.1, which breaks the ability to connect + to sessions created by older versions of screen. + </para> + </listitem> + <listitem> + <para> + The Intel GPU driver was updated to the 3.x prerelease version (used by + most distributions) and supports DRI3 now. + </para> + </listitem> + </itemizedlist> + </para> </section> diff --git a/nixos/doc/manual/release-notes/rl-1509.xml b/nixos/doc/manual/release-notes/rl-1509.xml index 6c1c46844ccb..e500c9d63422 100644 --- a/nixos/doc/manual/release-notes/rl-1509.xml +++ b/nixos/doc/manual/release-notes/rl-1509.xml @@ -3,375 +3,640 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-15.09"> + <title>Release 15.09 (“Dingo”, 2015/09/30)</title> -<title>Release 15.09 (“Dingo”, 2015/09/30)</title> - -<para>In addition to numerous new and upgraded packages, this release -has the following highlights:</para> - -<itemizedlist> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> + <itemizedlist> <listitem> - <para>The <link xlink:href="http://haskell.org/">Haskell</link> - packages infrastructure has been re-designed from the ground up - ("Haskell NG"). NixOS now distributes the latest version - of every single package registered on <link - xlink:href="http://hackage.haskell.org/">Hackage</link> -- well in - excess of 8,000 Haskell packages. Detailed instructions on how to - use that infrastructure can be found in the <link + <para> + The <link xlink:href="http://haskell.org/">Haskell</link> packages + infrastructure has been re-designed from the ground up ("Haskell + NG"). NixOS now distributes the latest version of every single package + registered on + <link + xlink:href="http://hackage.haskell.org/">Hackage</link> -- well + in excess of 8,000 Haskell packages. Detailed instructions on how to use + that infrastructure can be found in the + <link xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's - Guide to the Haskell Infrastructure</link>. Users migrating from an - earlier release may find helpful information below, in the list of - backwards-incompatible changes. Furthermore, we distribute 51(!) - additional Haskell package sets that provide every single <link + Guide to the Haskell Infrastructure</link>. Users migrating from an earlier + release may find helpful information below, in the list of + backwards-incompatible changes. Furthermore, we distribute 51(!) additional + Haskell package sets that provide every single + <link xlink:href="http://www.stackage.org/">LTS Haskell</link> release - since version 0.0 as well as the most recent <link + since version 0.0 as well as the most recent + <link xlink:href="http://www.stackage.org/">Stackage Nightly</link> - snapshot. The announcement <link + snapshot. The announcement + <link xlink:href="https://nixos.org/nix-dev/2015-September/018138.html">"Full - Stackage Support in Nixpkgs"</link> gives additional - details.</para> + Stackage Support in Nixpkgs"</link> gives additional details. + </para> </listitem> - <listitem> - <para>Nix has been updated to version 1.10, which among other - improvements enables cryptographic signatures on binary caches for - improved security.</para> + <para> + Nix has been updated to version 1.10, which among other improvements + enables cryptographic signatures on binary caches for improved security. + </para> </listitem> - <listitem> - <para>You can now keep your NixOS system up to date automatically - by setting - + <para> + You can now keep your NixOS system up to date automatically by setting <programlisting> system.autoUpgrade.enable = true; </programlisting> - - This will cause the system to periodically check for updates in - your current channel and run <command>nixos-rebuild</command>.</para> + This will cause the system to periodically check for updates in your + current channel and run <command>nixos-rebuild</command>. + </para> </listitem> - <listitem> - <para>This release is based on Glibc 2.21, GCC 4.9 and Linux - 3.18.</para> + <para> + This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18. + </para> </listitem> - <listitem> - <para>GNOME has been upgraded to 3.16. - </para> + <para> + GNOME has been upgraded to 3.16. + </para> </listitem> - <listitem> - <para>Xfce has been upgraded to 4.12. - </para> + <para> + Xfce has been upgraded to 4.12. + </para> </listitem> - <listitem> - <para>KDE 5 has been upgraded to KDE Frameworks 5.10, - Plasma 5.3.2 and Applications 15.04.3. - KDE 4 has been updated to kdelibs-4.14.10. - </para> + <para> + KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and + Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10. + </para> </listitem> - <listitem> - <para>E19 has been upgraded to 0.16.8.15. - </para> + <para> + E19 has been upgraded to 0.16.8.15. + </para> </listitem> + </itemizedlist> -</itemizedlist> - - -<para>The following new services were added since the last release: - + <para> + The following new services were added since the last release: <itemizedlist> - <listitem><para><literal>services/mail/exim.nix</literal></para></listitem> - <listitem><para><literal>services/misc/apache-kafka.nix</literal></para></listitem> - <listitem><para><literal>services/misc/canto-daemon.nix</literal></para></listitem> - <listitem><para><literal>services/misc/confd.nix</literal></para></listitem> - <listitem><para><literal>services/misc/devmon.nix</literal></para></listitem> - <listitem><para><literal>services/misc/gitit.nix</literal></para></listitem> - <listitem><para><literal>services/misc/ihaskell.nix</literal></para></listitem> - <listitem><para><literal>services/misc/mbpfan.nix</literal></para></listitem> - <listitem><para><literal>services/misc/mediatomb.nix</literal></para></listitem> - <listitem><para><literal>services/misc/mwlib.nix</literal></para></listitem> - <listitem><para><literal>services/misc/parsoid.nix</literal></para></listitem> - <listitem><para><literal>services/misc/plex.nix</literal></para></listitem> - <listitem><para><literal>services/misc/ripple-rest.nix</literal></para></listitem> - <listitem><para><literal>services/misc/ripple-data-api.nix</literal></para></listitem> - <listitem><para><literal>services/misc/subsonic.nix</literal></para></listitem> - <listitem><para><literal>services/misc/sundtek.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/cadvisor.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/das_watchdog.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/grafana.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/riemann-tools.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/teamviewer.nix</literal></para></listitem> - <listitem><para><literal>services/network-filesystems/u9fs.nix</literal></para></listitem> - <listitem><para><literal>services/networking/aiccu.nix</literal></para></listitem> - <listitem><para><literal>services/networking/asterisk.nix</literal></para></listitem> - <listitem><para><literal>services/networking/bird.nix</literal></para></listitem> - <listitem><para><literal>services/networking/charybdis.nix</literal></para></listitem> - <listitem><para><literal>services/networking/docker-registry-server.nix</literal></para></listitem> - <listitem><para><literal>services/networking/fan.nix</literal></para></listitem> - <listitem><para><literal>services/networking/firefox/sync-server.nix</literal></para></listitem> - <listitem><para><literal>services/networking/gateone.nix</literal></para></listitem> - <listitem><para><literal>services/networking/heyefi.nix</literal></para></listitem> - <listitem><para><literal>services/networking/i2p.nix</literal></para></listitem> - <listitem><para><literal>services/networking/lambdabot.nix</literal></para></listitem> - <listitem><para><literal>services/networking/mstpd.nix</literal></para></listitem> - <listitem><para><literal>services/networking/nix-serve.nix</literal></para></listitem> - <listitem><para><literal>services/networking/nylon.nix</literal></para></listitem> - <listitem><para><literal>services/networking/racoon.nix</literal></para></listitem> - <listitem><para><literal>services/networking/skydns.nix</literal></para></listitem> - <listitem><para><literal>services/networking/shout.nix</literal></para></listitem> - <listitem><para><literal>services/networking/softether.nix</literal></para></listitem> - <listitem><para><literal>services/networking/sslh.nix</literal></para></listitem> - <listitem><para><literal>services/networking/tinc.nix</literal></para></listitem> - <listitem><para><literal>services/networking/tlsdated.nix</literal></para></listitem> - <listitem><para><literal>services/networking/tox-bootstrapd.nix</literal></para></listitem> - <listitem><para><literal>services/networking/tvheadend.nix</literal></para></listitem> - <listitem><para><literal>services/networking/zerotierone.nix</literal></para></listitem> - <listitem><para><literal>services/scheduling/marathon.nix</literal></para></listitem> - <listitem><para><literal>services/security/fprintd.nix</literal></para></listitem> - <listitem><para><literal>services/security/hologram.nix</literal></para></listitem> - <listitem><para><literal>services/security/munge.nix</literal></para></listitem> - <listitem><para><literal>services/system/cloud-init.nix</literal></para></listitem> - <listitem><para><literal>services/web-servers/shellinabox.nix</literal></para></listitem> - <listitem><para><literal>services/web-servers/uwsgi.nix</literal></para></listitem> - <listitem><para><literal>services/x11/unclutter.nix</literal></para></listitem> - <listitem><para><literal>services/x11/display-managers/sddm.nix</literal></para></listitem> - <listitem><para><literal>system/boot/coredump.nix</literal></para></listitem> - <listitem><para><literal>system/boot/loader/loader.nix</literal></para></listitem> - <listitem><para><literal>system/boot/loader/generic-extlinux-compatible</literal></para></listitem> - <listitem><para><literal>system/boot/networkd.nix</literal></para></listitem> - <listitem><para><literal>system/boot/resolved.nix</literal></para></listitem> - <listitem><para><literal>system/boot/timesyncd.nix</literal></para></listitem> - <listitem><para><literal>tasks/filesystems/exfat.nix</literal></para></listitem> - <listitem><para><literal>tasks/filesystems/ntfs.nix</literal></para></listitem> - <listitem><para><literal>tasks/filesystems/vboxsf.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/virtualbox-host.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/vmware-guest.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/xen-dom0.nix</literal></para></listitem> + <listitem> + <para> + <literal>services/mail/exim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/apache-kafka.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/canto-daemon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/confd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/devmon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gitit.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ihaskell.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mbpfan.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mediatomb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mwlib.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/parsoid.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/plex.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ripple-rest.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ripple-data-api.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/subsonic.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/sundtek.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/cadvisor.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/das_watchdog.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/grafana.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/riemann-tools.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/teamviewer.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/u9fs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/aiccu.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/asterisk.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/bird.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/charybdis.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/docker-registry-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/fan.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/firefox/sync-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/gateone.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/heyefi.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/i2p.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/lambdabot.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/mstpd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/nix-serve.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/nylon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/racoon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/skydns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/shout.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/softether.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/sslh.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tinc.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tlsdated.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tox-bootstrapd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tvheadend.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/zerotierone.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/scheduling/marathon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/fprintd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/hologram.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/munge.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/system/cloud-init.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/shellinabox.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/uwsgi.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/unclutter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/display-managers/sddm.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/coredump.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/loader/loader.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/loader/generic-extlinux-compatible</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/networkd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/resolved.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/timesyncd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/filesystems/exfat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/filesystems/ntfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/filesystems/vboxsf.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/virtualbox-host.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/vmware-guest.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/xen-dom0.nix</literal> + </para> + </listitem> </itemizedlist> -</para> - - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes: - -<itemizedlist> - -<listitem><para><command>sshd</command> no longer supports DSA and ECDSA -host keys by default. If you have existing systems with such host keys -and want to continue to use them, please set + </para> + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + <itemizedlist> + <listitem> + <para> + <command>sshd</command> no longer supports DSA and ECDSA host keys by + default. If you have existing systems with such host keys and want to + continue to use them, please set <programlisting> system.stateVersion = "14.12"; </programlisting> - -The new option <option>system.stateVersion</option> ensures that -certain configuration changes that could break existing systems (such -as the <command>sshd</command> host key setting) will maintain -compatibility with the specified NixOS release. NixOps sets the state -version of existing deployments automatically.</para></listitem> - -<listitem><para><command>cron</command> is no longer enabled by -default, unless you have a non-empty -<option>services.cron.systemCronJobs</option>. To force -<command>cron</command> to be enabled, set -<option>services.cron.enable = true</option>.</para></listitem> - -<listitem><para>Nix now requires binary caches to be cryptographically -signed. If you have unsigned binary caches that you want to continue -to use, you should set <option>nix.requireSignedBinaryCaches = -false</option>.</para></listitem> - -<listitem><para>Steam now doesn't need root rights to work. Instead of using -<literal>*-steam-chrootenv</literal>, you should now just run <literal>steam</literal>. -<literal>steamChrootEnv</literal> package was renamed to <literal>steam</literal>, -and old <literal>steam</literal> package -- to <literal>steamOriginal</literal>. -</para></listitem> - -<listitem><para>CMPlayer has been renamed to bomi upstream. Package -<literal>cmplayer</literal> was accordingly renamed to -<literal>bomi</literal> </para></listitem> - -<listitem><para>Atom Shell has been renamed to Electron upstream. Package <literal>atom-shell</literal> -was accordingly renamed to <literal>electron</literal> -</para></listitem> - -<listitem><para>Elm is not released on Hackage anymore. You should now use <literal>elmPackages.elm</literal> -which contains the latest Elm platform.</para></listitem> - -<listitem> - <para>The CUPS printing service has been updated to version - <literal>2.0.2</literal>. Furthermore its systemd service has been - renamed to <literal>cups.service</literal>.</para> - - <para>Local printers are no longer shared or advertised by - default. This behavior can be changed by enabling - <option>services.printing.defaultShared</option> or - <option>services.printing.browsing</option> respectively.</para> -</listitem> - -<listitem> - <para> - The VirtualBox host and guest options have been named more - consistently. They can now found in - <option>virtualisation.virtualbox.host.*</option> instead of - <option>services.virtualboxHost.*</option> and - <option>virtualisation.virtualbox.guest.*</option> instead of - <option>services.virtualboxGuest.*</option>. - </para> - - <para> - Also, there now is support for the <literal>vboxsf</literal> file - system using the <option>fileSystems</option> configuration - attribute. An example of how this can be used in a configuration: - + The new option <option>system.stateVersion</option> ensures that certain + configuration changes that could break existing systems (such as the + <command>sshd</command> host key setting) will maintain compatibility with + the specified NixOS release. NixOps sets the state version of existing + deployments automatically. + </para> + </listitem> + <listitem> + <para> + <command>cron</command> is no longer enabled by default, unless you have a + non-empty <option>services.cron.systemCronJobs</option>. To force + <command>cron</command> to be enabled, set <option>services.cron.enable = + true</option>. + </para> + </listitem> + <listitem> + <para> + Nix now requires binary caches to be cryptographically signed. If you have + unsigned binary caches that you want to continue to use, you should set + <option>nix.requireSignedBinaryCaches = false</option>. + </para> + </listitem> + <listitem> + <para> + Steam now doesn't need root rights to work. Instead of using + <literal>*-steam-chrootenv</literal>, you should now just run + <literal>steam</literal>. <literal>steamChrootEnv</literal> package was + renamed to <literal>steam</literal>, and old <literal>steam</literal> + package -- to <literal>steamOriginal</literal>. + </para> + </listitem> + <listitem> + <para> + CMPlayer has been renamed to bomi upstream. Package + <literal>cmplayer</literal> was accordingly renamed to + <literal>bomi</literal> + </para> + </listitem> + <listitem> + <para> + Atom Shell has been renamed to Electron upstream. Package + <literal>atom-shell</literal> was accordingly renamed to + <literal>electron</literal> + </para> + </listitem> + <listitem> + <para> + Elm is not released on Hackage anymore. You should now use + <literal>elmPackages.elm</literal> which contains the latest Elm platform. + </para> + </listitem> + <listitem> + <para> + The CUPS printing service has been updated to version + <literal>2.0.2</literal>. Furthermore its systemd service has been renamed + to <literal>cups.service</literal>. + </para> + <para> + Local printers are no longer shared or advertised by default. This + behavior can be changed by enabling + <option>services.printing.defaultShared</option> or + <option>services.printing.browsing</option> respectively. + </para> + </listitem> + <listitem> + <para> + The VirtualBox host and guest options have been named more consistently. + They can now found in <option>virtualisation.virtualbox.host.*</option> + instead of <option>services.virtualboxHost.*</option> and + <option>virtualisation.virtualbox.guest.*</option> instead of + <option>services.virtualboxGuest.*</option>. + </para> + <para> + Also, there now is support for the <literal>vboxsf</literal> file system + using the <option>fileSystems</option> configuration attribute. An example + of how this can be used in a configuration: <programlisting> fileSystems."/shiny" = { device = "myshinysharedfolder"; fsType = "vboxsf"; }; </programlisting> - - </para> -</listitem> - -<listitem> - <para> - "<literal>nix-env -qa</literal>" no longer discovers - Haskell packages by name. The only packages visible in the global - scope are <literal>ghc</literal>, <literal>cabal-install</literal>, - and <literal>stack</literal>, but all other packages are hidden. The - reason for this inconvenience is the sheer size of the Haskell - package set. Name-based lookups are expensive, and most - <literal>nix-env -qa</literal> operations would become much slower - if we'd add the entire Hackage database into the top level attribute - set. Instead, the list of Haskell packages can be displayed by - running: - </para> - <programlisting> + </para> + </listitem> + <listitem> + <para> + "<literal>nix-env -qa</literal>" no longer discovers Haskell + packages by name. The only packages visible in the global scope are + <literal>ghc</literal>, <literal>cabal-install</literal>, and + <literal>stack</literal>, but all other packages are hidden. The reason + for this inconvenience is the sheer size of the Haskell package set. + Name-based lookups are expensive, and most <literal>nix-env -qa</literal> + operations would become much slower if we'd add the entire Hackage + database into the top level attribute set. Instead, the list of Haskell + packages can be displayed by running: + </para> +<programlisting> nix-env -f "<nixpkgs>" -qaP -A haskellPackages </programlisting> - <para> - Executable programs written in Haskell can be installed with: - </para> - <programlisting> + <para> + Executable programs written in Haskell can be installed with: + </para> +<programlisting> nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc </programlisting> - <para> - Installing Haskell <emphasis>libraries</emphasis> this way, however, is no - longer supported. See the next item for more details. - </para> -</listitem> - -<listitem> - <para> - Previous versions of NixOS came with a feature called - <literal>ghc-wrapper</literal>, a small script that allowed GHC to - transparently pick up on libraries installed in the user's profile. This - feature has been deprecated; <literal>ghc-wrapper</literal> was removed - from the distribution. The proper way to register Haskell libraries with - the compiler now is the <literal>haskellPackages.ghcWithPackages</literal> - function. The <link + <para> + Installing Haskell <emphasis>libraries</emphasis> this way, however, is no + longer supported. See the next item for more details. + </para> + </listitem> + <listitem> + <para> + Previous versions of NixOS came with a feature called + <literal>ghc-wrapper</literal>, a small script that allowed GHC to + transparently pick up on libraries installed in the user's profile. This + feature has been deprecated; <literal>ghc-wrapper</literal> was removed + from the distribution. The proper way to register Haskell libraries with + the compiler now is the <literal>haskellPackages.ghcWithPackages</literal> + function. The + <link xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's - Guide to the Haskell Infrastructure</link> provides more information about - this subject. - </para> -</listitem> - -<listitem> - <para> - All Haskell builds that have been generated with version 1.x of - the <literal>cabal2nix</literal> utility are now invalid and need - to be re-generated with a current version of - <literal>cabal2nix</literal> to function. The most recent version - of this tool can be installed by running - <literal>nix-env -i cabal2nix</literal>. - </para> -</listitem> - -<listitem> - <para> - The <literal>haskellPackages</literal> set in Nixpkgs used to have a - function attribute called <literal>extension</literal> that users - could override in their <literal>~/.nixpkgs/config.nix</literal> - files to configure additional attributes, etc. That function still - exists, but it's now called <literal>overrides</literal>. - </para> -</listitem> - -<listitem> - <para> - The OpenBLAS library has been updated to version - <literal>0.2.14</literal>. Support for the - <literal>x86_64-darwin</literal> platform was added. Dynamic - architecture detection was enabled; OpenBLAS now selects - microarchitecture-optimized routines at runtime, so optimal - performance is achieved without the need to rebuild OpenBLAS - locally. OpenBLAS has replaced ATLAS in most packages which use an - optimized BLAS or LAPACK implementation. - </para> -</listitem> - -<listitem> - <para> - The <literal>phpfpm</literal> is now using the default PHP version - (<literal>pkgs.php</literal>) instead of PHP 5.4 (<literal>pkgs.php54</literal>). - </para> -</listitem> - -<listitem> - <para> - The <literal>locate</literal> service no longer indexes the Nix store - by default, preventing packages with potentially numerous versions from - cluttering the output. Indexing the store can be activated by setting - <option>services.locate.includeStore = true</option>. - </para> -</listitem> - -<listitem> - <para> - The Nix expression search path (<envar>NIX_PATH</envar>) no longer - contains <filename>/etc/nixos/nixpkgs</filename> by default. You - can override <envar>NIX_PATH</envar> by setting - <option>nix.nixPath</option>. - </para> -</listitem> - -<listitem> - <para> - Python 2.6 has been marked as broken (as it no longer receives - security updates from upstream). - </para> -</listitem> - -<listitem> - <para> - Any use of module arguments such as <varname>pkgs</varname> to access - library functions, or to define <literal>imports</literal> attributes - will now lead to an infinite loop at the time of the evaluation. - </para> - - <para> - In case of an infinite loop, use the <command>--show-trace</command> - command line argument and read the line just above the error message. - + Guide to the Haskell Infrastructure</link> provides more information about + this subject. + </para> + </listitem> + <listitem> + <para> + All Haskell builds that have been generated with version 1.x of the + <literal>cabal2nix</literal> utility are now invalid and need to be + re-generated with a current version of <literal>cabal2nix</literal> to + function. The most recent version of this tool can be installed by running + <literal>nix-env -i cabal2nix</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>haskellPackages</literal> set in Nixpkgs used to have a + function attribute called <literal>extension</literal> that users could + override in their <literal>~/.nixpkgs/config.nix</literal> files to + configure additional attributes, etc. That function still exists, but it's + now called <literal>overrides</literal>. + </para> + </listitem> + <listitem> + <para> + The OpenBLAS library has been updated to version + <literal>0.2.14</literal>. Support for the + <literal>x86_64-darwin</literal> platform was added. Dynamic architecture + detection was enabled; OpenBLAS now selects microarchitecture-optimized + routines at runtime, so optimal performance is achieved without the need + to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages + which use an optimized BLAS or LAPACK implementation. + </para> + </listitem> + <listitem> + <para> + The <literal>phpfpm</literal> is now using the default PHP version + (<literal>pkgs.php</literal>) instead of PHP 5.4 + (<literal>pkgs.php54</literal>). + </para> + </listitem> + <listitem> + <para> + The <literal>locate</literal> service no longer indexes the Nix store by + default, preventing packages with potentially numerous versions from + cluttering the output. Indexing the store can be activated by setting + <option>services.locate.includeStore = true</option>. + </para> + </listitem> + <listitem> + <para> + The Nix expression search path (<envar>NIX_PATH</envar>) no longer + contains <filename>/etc/nixos/nixpkgs</filename> by default. You can + override <envar>NIX_PATH</envar> by setting <option>nix.nixPath</option>. + </para> + </listitem> + <listitem> + <para> + Python 2.6 has been marked as broken (as it no longer receives security + updates from upstream). + </para> + </listitem> + <listitem> + <para> + Any use of module arguments such as <varname>pkgs</varname> to access + library functions, or to define <literal>imports</literal> attributes will + now lead to an infinite loop at the time of the evaluation. + </para> + <para> + In case of an infinite loop, use the <command>--show-trace</command> + command line argument and read the line just above the error message. <screen> $ nixos-rebuild build --show-trace … while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix": infinite recursion encountered </screen> - </para> - - - <para> - Any use of <literal>pkgs.lib</literal>, should be replaced by - <varname>lib</varname>, after adding it as argument of the module. The - following module - + </para> + <para> + Any use of <literal>pkgs.lib</literal>, should be replaced by + <varname>lib</varname>, after adding it as argument of the module. The + following module <programlisting> { config, pkgs, ... }: @@ -384,9 +649,7 @@ with pkgs.lib; config = mkIf config.foo { … }; } </programlisting> - - should be modified to look like: - + should be modified to look like: <programlisting> { config, pkgs, lib, ... }: @@ -399,13 +662,11 @@ with lib; config = mkIf config.foo { <replaceable>option definition</replaceable> }; } </programlisting> - </para> - - <para> - When <varname>pkgs</varname> is used to download other projects to - import their modules, and only in such cases, it should be replaced by - <literal>(import <nixpkgs> {})</literal>. The following module - + </para> + <para> + When <varname>pkgs</varname> is used to download other projects to import + their modules, and only in such cases, it should be replaced by + <literal>(import <nixpkgs> {})</literal>. The following module <programlisting> { config, pkgs, ... }: @@ -420,9 +681,7 @@ in imports = [ "${myProject}/module.nix" ]; } </programlisting> - - should be modified to look like: - + should be modified to look like: <programlisting> { config, pkgs, ... }: @@ -437,55 +696,55 @@ in imports = [ "${myProject}/module.nix" ]; } </programlisting> - </para> - -</listitem> - -</itemizedlist> -</para> - - -<para>Other notable improvements: - -<itemizedlist> - - <listitem><para>The nixos and nixpkgs channels were unified, - so one <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal> - instead of <literal>nix-env -iA nixos.pkgs.bash</literal>. - See <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the commit</link> for details. - </para></listitem> + </para> + </listitem> + </itemizedlist> + </para> - <listitem> + <para> + Other notable improvements: + <itemizedlist> + <listitem> <para> - Users running an SSH server who worry about the quality of their - <literal>/etc/ssh/moduli</literal> file with respect to the - <link + The nixos and nixpkgs channels were unified, so one + <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal> + instead of <literal>nix-env -iA nixos.pkgs.bash</literal>. See + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the + commit</link> for details. + </para> + </listitem> + <listitem> + <para> + Users running an SSH server who worry about the quality of their + <literal>/etc/ssh/moduli</literal> file with respect to the + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities - discovered in the Diffie-Hellman key exchange</link> can now - replace OpenSSH's default version with one they generated - themselves using the new - <option>services.openssh.moduliFile</option> option. - </para> - </listitem> - - <listitem> <para> - A newly packaged TeX Live 2015 is provided in <literal>pkgs.texlive</literal>, - split into 6500 nix packages. For basic user documentation see - <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1" - >the source</link>. - Beware of <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757" - >an issue</link> when installing a too large package set. - - The plan is to deprecate and maybe delete the original TeX packages - until the next release. - </para> </listitem> - - <listitem><para> - <option>buildEnv.env</option> on all Python interpreters - is now available for nix-shell interoperability. - </para> </listitem> -</itemizedlist> - -</para> - + discovered in the Diffie-Hellman key exchange</link> can now replace + OpenSSH's default version with one they generated themselves using the new + <option>services.openssh.moduliFile</option> option. + </para> + </listitem> + <listitem> + <para> + A newly packaged TeX Live 2015 is provided in + <literal>pkgs.texlive</literal>, split into 6500 nix packages. For basic + user documentation see + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1" + >the + source</link>. Beware of + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757" + >an + issue</link> when installing a too large package set. The plan is to + deprecate and maybe delete the original TeX packages until the next + release. + </para> + </listitem> + <listitem> + <para> + <option>buildEnv.env</option> on all Python interpreters is now available + for nix-shell interoperability. + </para> + </listitem> + </itemizedlist> + </para> </section> diff --git a/nixos/doc/manual/release-notes/rl-1603.xml b/nixos/doc/manual/release-notes/rl-1603.xml index 7279dd058270..9b512c4b1e58 100644 --- a/nixos/doc/manual/release-notes/rl-1603.xml +++ b/nixos/doc/manual/release-notes/rl-1603.xml @@ -3,250 +3,471 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-16.03"> + <title>Release 16.03 (“Emu”, 2016/03/31)</title> -<title>Release 16.03 (“Emu”, 2016/03/31)</title> - -<para>In addition to numerous new and upgraded packages, this release -has the following highlights:</para> - -<itemizedlist> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> + <itemizedlist> <listitem> - <para>Systemd 229, bringing <link + <para> + Systemd 229, bringing + <link xlink:href="https://github.com/systemd/systemd/blob/v229/NEWS">numerous - improvements</link> over 217.</para> + improvements</link> over 217. + </para> </listitem> - <listitem> - <para>Linux 4.4 (was 3.18).</para> + <para> + Linux 4.4 (was 3.18). + </para> </listitem> - <listitem> - <para>GCC 5.3 (was 4.9). Note that GCC 5 <link + <para> + GCC 5.3 (was 4.9). Note that GCC 5 + <link xlink:href="https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_dual_abi.html">changes - the C++ ABI in an incompatible way</link>; this may cause problems - if you try to link objects compiled with different versions of - GCC.</para> + the C++ ABI in an incompatible way</link>; this may cause problems if you + try to link objects compiled with different versions of GCC. + </para> </listitem> - <listitem> - <para>Glibc 2.23 (was 2.21).</para> + <para> + Glibc 2.23 (was 2.21). + </para> </listitem> - <listitem> - <para>Binutils 2.26 (was 2.23.1). See #909</para> + <para> + Binutils 2.26 (was 2.23.1). See #909 + </para> </listitem> - <listitem> - <para>Improved support for ensuring <link - xlink:href="https://reproducible-builds.org/">bitwise reproducible - builds</link>. For example, <literal>stdenv</literal> now sets the - environment variable <envar + <para> + Improved support for ensuring + <link + xlink:href="https://reproducible-builds.org/">bitwise + reproducible builds</link>. For example, <literal>stdenv</literal> now sets + the environment variable + <envar xlink:href="https://reproducible-builds.org/specs/source-date-epoch/">SOURCE_DATE_EPOCH</envar> - to a deterministic value, and Nix has <link + to a deterministic value, and Nix has + <link xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.11">gained - an option</link> to repeat a build a number of times to test - determinism. An ongoing project, the goal of exact reproducibility - is to allow binaries to be verified independently (e.g., a user - might only trust binaries that appear in three independent binary - caches).</para> + an option</link> to repeat a build a number of times to test determinism. + An ongoing project, the goal of exact reproducibility is to allow binaries + to be verified independently (e.g., a user might only trust binaries that + appear in three independent binary caches). + </para> </listitem> - <listitem> - <para>Perl 5.22.</para> + <para> + Perl 5.22. + </para> </listitem> + </itemizedlist> -</itemizedlist> - -<para>The following new services were added since the last release: - + <para> + The following new services were added since the last release: <itemizedlist> - <listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem> - <listitem><para><literal>hardware/video/webcam/facetimehd.nix</literal></para></listitem> - <listitem><para><literal>i18n/input-method/default.nix</literal></para></listitem> - <listitem><para><literal>i18n/input-method/fcitx.nix</literal></para></listitem> - <listitem><para><literal>i18n/input-method/ibus.nix</literal></para></listitem> - <listitem><para><literal>i18n/input-method/nabi.nix</literal></para></listitem> - <listitem><para><literal>i18n/input-method/uim.nix</literal></para></listitem> - <listitem><para><literal>programs/fish.nix</literal></para></listitem> - <listitem><para><literal>security/acme.nix</literal></para></listitem> - <listitem><para><literal>security/audit.nix</literal></para></listitem> - <listitem><para><literal>security/oath.nix</literal></para></listitem> - <listitem><para><literal>services/hardware/irqbalance.nix</literal></para></listitem> - <listitem><para><literal>services/mail/dspam.nix</literal></para></listitem> - <listitem><para><literal>services/mail/opendkim.nix</literal></para></listitem> - <listitem><para><literal>services/mail/postsrsd.nix</literal></para></listitem> - <listitem><para><literal>services/mail/rspamd.nix</literal></para></listitem> - <listitem><para><literal>services/mail/rmilter.nix</literal></para></listitem> - <listitem><para><literal>services/misc/autofs.nix</literal></para></listitem> - <listitem><para><literal>services/misc/bepasty.nix</literal></para></listitem> - <listitem><para><literal>services/misc/calibre-server.nix</literal></para></listitem> - <listitem><para><literal>services/misc/cfdyndns.nix</literal></para></listitem> - <listitem><para><literal>services/misc/gammu-smsd.nix</literal></para></listitem> - <listitem><para><literal>services/misc/mathics.nix</literal></para></listitem> - <listitem><para><literal>services/misc/matrix-synapse.nix</literal></para></listitem> - <listitem><para><literal>services/misc/octoprint.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/hdaps.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/heapster.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/longview.nix</literal></para></listitem> - <listitem><para><literal>services/network-filesystems/netatalk.nix</literal></para></listitem> - <listitem><para><literal>services/network-filesystems/xtreemfs.nix</literal></para></listitem> - <listitem><para><literal>services/networking/autossh.nix</literal></para></listitem> - <listitem><para><literal>services/networking/dnschain.nix</literal></para></listitem> - <listitem><para><literal>services/networking/gale.nix</literal></para></listitem> - <listitem><para><literal>services/networking/miniupnpd.nix</literal></para></listitem> - <listitem><para><literal>services/networking/namecoind.nix</literal></para></listitem> - <listitem><para><literal>services/networking/ostinato.nix</literal></para></listitem> - <listitem><para><literal>services/networking/pdnsd.nix</literal></para></listitem> - <listitem><para><literal>services/networking/shairport-sync.nix</literal></para></listitem> - <listitem><para><literal>services/networking/supplicant.nix</literal></para></listitem> - <listitem><para><literal>services/search/kibana.nix</literal></para></listitem> - <listitem><para><literal>services/security/haka.nix</literal></para></listitem> - <listitem><para><literal>services/security/physlock.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/pump.io.nix</literal></para></listitem> - <listitem><para><literal>services/x11/hardware/libinput.nix</literal></para></listitem> - <listitem><para><literal>services/x11/window-managers/windowlab.nix</literal></para></listitem> - <listitem><para><literal>system/boot/initrd-network.nix</literal></para></listitem> - <listitem><para><literal>system/boot/initrd-ssh.nix</literal></para></listitem> - <listitem><para><literal>system/boot/loader/loader.nix</literal></para></listitem> - <listitem><para><literal>system/boot/networkd.nix</literal></para></listitem> - <listitem><para><literal>system/boot/resolved.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/lxd.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/rkt.nix</literal></para></listitem> + <listitem> + <para> + <literal>services/monitoring/longview.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/video/webcam/facetimehd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/fcitx.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/ibus.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/nabi.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/uim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/fish.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/acme.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/audit.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/oath.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/hardware/irqbalance.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/dspam.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/opendkim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/postsrsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/rspamd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/rmilter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/autofs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/bepasty.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/calibre-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/cfdyndns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gammu-smsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mathics.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/matrix-synapse.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/octoprint.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/hdaps.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/heapster.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/longview.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/netatalk.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/xtreemfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/autossh.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dnschain.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/gale.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/miniupnpd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/namecoind.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/ostinato.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/pdnsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/shairport-sync.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/supplicant.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/search/kibana.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/haka.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/physlock.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/pump.io.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/hardware/libinput.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/window-managers/windowlab.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/initrd-network.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/initrd-ssh.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/loader/loader.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/networkd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/resolved.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/lxd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/rkt.nix</literal> + </para> + </listitem> </itemizedlist> -</para> - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes:</para> + </para> -<itemizedlist> + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> + <itemizedlist> <listitem> - <para>We no longer produce graphical ISO images and VirtualBox - images for <literal>i686-linux</literal>. A minimal ISO image is - still provided.</para> + <para> + We no longer produce graphical ISO images and VirtualBox images for + <literal>i686-linux</literal>. A minimal ISO image is still provided. + </para> </listitem> - <listitem> - <para>Firefox and similar browsers are now <emphasis>wrapped by default</emphasis>. - The package and attribute names are plain <literal>firefox</literal> - or <literal>midori</literal>, etc. Backward-compatibility attributes were set up, - but note that <command>nix-env -u</command> will <emphasis>not</emphasis> update - your current <literal>firefox-with-plugins</literal>; - you have to uninstall it and install <literal>firefox</literal> instead.</para> + <para> + Firefox and similar browsers are now <emphasis>wrapped by + default</emphasis>. The package and attribute names are plain + <literal>firefox</literal> or <literal>midori</literal>, etc. + Backward-compatibility attributes were set up, but note that + <command>nix-env -u</command> will <emphasis>not</emphasis> update your + current <literal>firefox-with-plugins</literal>; you have to uninstall it + and install <literal>firefox</literal> instead. + </para> </listitem> - <listitem> - <para><command>wmiiSnap</command> has been replaced with + <para> + <command>wmiiSnap</command> has been replaced with <command>wmii_hg</command>, but - <command>services.xserver.windowManager.wmii.enable</command> has - been updated respectively so this only affects you if you have - explicitly installed <command>wmiiSnap</command>. - </para> + <command>services.xserver.windowManager.wmii.enable</command> has been + updated respectively so this only affects you if you have explicitly + installed <command>wmiiSnap</command>. + </para> </listitem> - <listitem> - <para><literal>jobs</literal> NixOS option has been removed. It served as + <para> + <literal>jobs</literal> NixOS option has been removed. It served as compatibility layer between Upstart jobs and SystemD services. All services - have been rewritten to use <literal>systemd.services</literal></para> + have been rewritten to use <literal>systemd.services</literal> + </para> </listitem> - <listitem> - <para><command>wmiimenu</command> is removed, as it has been - removed by the developers upstream. Use <command>wimenu</command> - from the <command>wmii-hg</command> package.</para> + <para> + <command>wmiimenu</command> is removed, as it has been removed by the + developers upstream. Use <command>wimenu</command> from the + <command>wmii-hg</command> package. + </para> </listitem> - <listitem> - <para>Gitit is no longer automatically added to the module list in - NixOS and as such there will not be any manual entries for it. You - will need to add an import statement to your NixOS configuration - in order to use it, e.g. - + <para> + Gitit is no longer automatically added to the module list in NixOS and as + such there will not be any manual entries for it. You will need to add an + import statement to your NixOS configuration in order to use it, e.g. <programlisting><![CDATA[ { imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ]; } ]]></programlisting> - - will include the Gitit service configuration options.</para> + will include the Gitit service configuration options. + </para> </listitem> - <listitem> - <para><command>nginx</command> does not accept flags for enabling and - disabling modules anymore. Instead it accepts <literal>modules</literal> - argument, which is a list of modules to be built in. All modules now - reside in <literal>nginxModules</literal> set. Example configuration: - + <para> + <command>nginx</command> does not accept flags for enabling and disabling + modules anymore. Instead it accepts <literal>modules</literal> argument, + which is a list of modules to be built in. All modules now reside in + <literal>nginxModules</literal> set. Example configuration: <programlisting><![CDATA[ nginx.override { modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ]; } ]]></programlisting> - </para> + </para> </listitem> - <listitem> - <para><command>s3sync</command> is removed, as it hasn't been - developed by upstream for 4 years and only runs with ruby 1.8. - For an actively-developer alternative look at - <command>tarsnap</command> and others. - </para> + <para> + <command>s3sync</command> is removed, as it hasn't been developed by + upstream for 4 years and only runs with ruby 1.8. For an actively-developer + alternative look at <command>tarsnap</command> and others. + </para> </listitem> - <listitem> - <para><command>ruby_1_8</command> has been removed as it's not - supported from upstream anymore and probably contains security - issues. - </para> + <para> + <command>ruby_1_8</command> has been removed as it's not supported from + upstream anymore and probably contains security issues. + </para> </listitem> - <listitem> - <para><literal>tidy-html5</literal> package is removed. - Upstream only provided <literal>(lib)tidy5</literal> during development, - and now they went back to <literal>(lib)tidy</literal> to work as a drop-in - replacement of the original package that has been unmaintained for years. - You can (still) use the <literal>html-tidy</literal> package, which got updated - to a stable release from this new upstream.</para> + <para> + <literal>tidy-html5</literal> package is removed. Upstream only provided + <literal>(lib)tidy5</literal> during development, and now they went back to + <literal>(lib)tidy</literal> to work as a drop-in replacement of the + original package that has been unmaintained for years. You can (still) use + the <literal>html-tidy</literal> package, which got updated to a stable + release from this new upstream. + </para> </listitem> - <listitem> - <para><literal>extraDeviceOptions</literal> argument is removed - from <literal>bumblebee</literal> package. Instead there are - now two separate arguments: <literal>extraNvidiaDeviceOptions</literal> - and <literal>extraNouveauDeviceOptions</literal> for setting - extra X11 options for nvidia and nouveau drivers, respectively. - </para> + <para> + <literal>extraDeviceOptions</literal> argument is removed from + <literal>bumblebee</literal> package. Instead there are now two separate + arguments: <literal>extraNvidiaDeviceOptions</literal> and + <literal>extraNouveauDeviceOptions</literal> for setting extra X11 options + for nvidia and nouveau drivers, respectively. + </para> </listitem> - <listitem> - <para>The <literal>Ctrl+Alt+Backspace</literal> key combination - no longer kills the X server by default. - There's a new option <option>services.xserver.enableCtrlAltBackspace</option> - allowing to enable the combination again. - </para> + <para> + The <literal>Ctrl+Alt+Backspace</literal> key combination no longer kills + the X server by default. There's a new option + <option>services.xserver.enableCtrlAltBackspace</option> allowing to enable + the combination again. + </para> </listitem> - <listitem> - <para><literal>emacsPackagesNg</literal> now contains all packages - from the ELPA, MELPA, and MELPA Stable repositories. - </para> + <para> + <literal>emacsPackagesNg</literal> now contains all packages from the ELPA, + MELPA, and MELPA Stable repositories. + </para> </listitem> - <listitem> - <para>Data directory for Postfix MTA server is moved from + <para> + Data directory for Postfix MTA server is moved from <filename>/var/postfix</filename> to <filename>/var/lib/postfix</filename>. - Old configurations are migrated automatically. <literal>service.postfix</literal> - module has also received many improvements, such as correct directories' access - rights, new <literal>aliasFiles</literal> and <literal>mapFiles</literal> - options and more.</para> + Old configurations are migrated automatically. + <literal>service.postfix</literal> module has also received many + improvements, such as correct directories' access rights, new + <literal>aliasFiles</literal> and <literal>mapFiles</literal> options and + more. + </para> </listitem> - <listitem> - <para>Filesystem options should now be configured as a list of strings, not - a comma-separated string. The old style will continue to work, but print a + <para> + Filesystem options should now be configured as a list of strings, not a + comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style: - <programlisting> fileSystems."/example" = { device = "/dev/sdc"; @@ -254,103 +475,103 @@ fileSystems."/example" = { options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ]; }; </programlisting> - </para> + </para> </listitem> - <listitem> - <para>CUPS, installed by <literal>services.printing</literal> module, now - has its data directory in <filename>/var/lib/cups</filename>. Old - configurations from <filename>/etc/cups</filename> are moved there - automatically, but there might be problems. Also configuration options + <para> + CUPS, installed by <literal>services.printing</literal> module, now has its + data directory in <filename>/var/lib/cups</filename>. Old configurations + from <filename>/etc/cups</filename> are moved there automatically, but + there might be problems. Also configuration options <literal>services.printing.cupsdConf</literal> and - <literal>services.printing.cupsdFilesConf</literal> were removed - because they had been allowing one to override configuration variables - required for CUPS to work at all on NixOS. For most use cases, + <literal>services.printing.cupsdFilesConf</literal> were removed because + they had been allowing one to override configuration variables required for + CUPS to work at all on NixOS. For most use cases, <literal>services.printing.extraConf</literal> and new option - <literal>services.printing.extraFilesConf</literal> should be enough; - if you encounter a situation when they are not, please file a bug.</para> - - <para>There are also Gutenprint improvements; in particular, a new option - <literal>services.printing.gutenprint</literal> is added to enable automatic - updating of Gutenprint PPMs; it's greatly recommended to enable it instead - of adding <literal>gutenprint</literal> to the <literal>drivers</literal> list. - </para> - </listitem> - - <listitem> - <para><literal>services.xserver.vaapiDrivers</literal> has been removed. Use - <literal>hardware.opengl.extraPackages{,32}</literal> instead. You can - also specify VDPAU drivers there.</para> - </listitem> - - <listitem> - <para> - <literal>programs.ibus</literal> moved to <literal>i18n.inputMethod.ibus</literal>. - The option <literal>programs.ibus.plugins</literal> changed to <literal>i18n.inputMethod.ibus.engines</literal> - and the option to enable ibus changed from <literal>programs.ibus.enable</literal> to + <literal>services.printing.extraFilesConf</literal> should be enough; if + you encounter a situation when they are not, please file a bug. + </para> + <para> + There are also Gutenprint improvements; in particular, a new option + <literal>services.printing.gutenprint</literal> is added to enable + automatic updating of Gutenprint PPMs; it's greatly recommended to enable + it instead of adding <literal>gutenprint</literal> to the + <literal>drivers</literal> list. + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.vaapiDrivers</literal> has been removed. Use + <literal>hardware.opengl.extraPackages{,32}</literal> instead. You can also + specify VDPAU drivers there. + </para> + </listitem> + <listitem> + <para> + <literal>programs.ibus</literal> moved to + <literal>i18n.inputMethod.ibus</literal>. The option + <literal>programs.ibus.plugins</literal> changed to + <literal>i18n.inputMethod.ibus.engines</literal> and the option to enable + ibus changed from <literal>programs.ibus.enable</literal> to <literal>i18n.inputMethod.enabled</literal>. - <literal>i18n.inputMethod.enabled</literal> should be set to the used input method name, - <literal>"ibus"</literal> for ibus. - An example of the new style: - + <literal>i18n.inputMethod.enabled</literal> should be set to the used input + method name, <literal>"ibus"</literal> for ibus. An example of the new + style: <programlisting> i18n.inputMethod.enabled = "ibus"; i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ]; </programlisting> - -That is equivalent to the old version: - + That is equivalent to the old version: <programlisting> programs.ibus.enable = true; programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ]; </programlisting> - - </para> + </para> </listitem> - <listitem> - <para><literal>services.udev.extraRules</literal> option now writes rules - to <filename>99-local.rules</filename> instead of <filename>10-local.rules</filename>. - This makes all the user rules apply after others, so their results wouldn't be - overriden by anything else.</para> + <para> + <literal>services.udev.extraRules</literal> option now writes rules to + <filename>99-local.rules</filename> instead of + <filename>10-local.rules</filename>. This makes all the user rules apply + after others, so their results wouldn't be overriden by anything else. + </para> </listitem> - <listitem> - <para>Large parts of the <literal>services.gitlab</literal> module has been - been rewritten. There are new configuration options available. The + <para> + Large parts of the <literal>services.gitlab</literal> module has been been + rewritten. There are new configuration options available. The <literal>stateDir</literal> option was renamned to - <literal>statePath</literal> and the <literal>satellitesDir</literal> option - was removed. Please review the currently available options.</para> + <literal>statePath</literal> and the <literal>satellitesDir</literal> + option was removed. Please review the currently available options. + </para> </listitem> - <listitem> - <para> - The option <option>services.nsd.zones.<name>.data</option> no - longer interpret the dollar sign ($) as a shell variable, as such it - should not be escaped anymore. Thus the following zone data: - </para> - <programlisting> + <para> + The option <option>services.nsd.zones.<name>.data</option> no longer + interpret the dollar sign ($) as a shell variable, as such it should not be + escaped anymore. Thus the following zone data: + </para> +<programlisting> \$ORIGIN example.com. \$TTL 1800 @ IN SOA ns1.vpn.nbp.name. admin.example.com. ( </programlisting> - <para> + <para> Should modified to look like the actual file expected by nsd: - </para> - <programlisting> + </para> +<programlisting> $ORIGIN example.com. $TTL 1800 @ IN SOA ns1.vpn.nbp.name. admin.example.com. ( </programlisting> </listitem> - <listitem> - <para> - <literal>service.syncthing.dataDir</literal> options now has to point - to exact folder where syncthing is writing to. Example configuration should + <para> + <literal>service.syncthing.dataDir</literal> options now has to point to + exact folder where syncthing is writing to. Example configuration should look something like: - </para> - <programlisting> + </para> +<programlisting> services.syncthing = { enable = true; dataDir = "/home/somebody/.syncthing"; @@ -358,76 +579,73 @@ services.syncthing = { }; </programlisting> </listitem> - - <listitem> - <para> - <literal>networking.firewall.allowPing</literal> is now enabled by - default. Users are encouraged to configure an appropriate rate limit for - their machines using the Kernel interface at - <filename>/proc/sys/net/ipv4/icmp_ratelimit</filename> and - <filename>/proc/sys/net/ipv6/icmp/ratelimit</filename> or using the - firewall itself, i.e. by setting the NixOS option - <literal>networking.firewall.pingLimit</literal>. - </para> - </listitem> - - <listitem> - <para> - Systems with some broadcom cards used to result into a generated config - that is no longer accepted. If you get errors like - <screen>error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created</screen> - you should either re-run <command>nixos-generate-config</command> or manually replace - <literal>"${config.boot.kernelPackages.broadcom_sta}"</literal> - by - <literal>config.boot.kernelPackages.broadcom_sta</literal> - in your <filename>/etc/nixos/hardware-configuration.nix</filename>. - More discussion is on <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12595"> - the github issue</link>. - </para> - </listitem> - <listitem> - <para> - The <literal>services.xserver.startGnuPGAgent</literal> option has been removed. - GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no - longer requires (or even supports) the "start everything as a child of the - agent" scheme we've implemented in NixOS for older versions. - To configure the gpg-agent for your X session, add the following code to - <filename>~/.bashrc</filename> or some file that’s sourced when your shell is started: - <programlisting> + <para> + <literal>networking.firewall.allowPing</literal> is now enabled by default. + Users are encouraged to configure an appropriate rate limit for their + machines using the Kernel interface at + <filename>/proc/sys/net/ipv4/icmp_ratelimit</filename> and + <filename>/proc/sys/net/ipv6/icmp/ratelimit</filename> or using the + firewall itself, i.e. by setting the NixOS option + <literal>networking.firewall.pingLimit</literal>. + </para> + </listitem> + <listitem> + <para> + Systems with some broadcom cards used to result into a generated config + that is no longer accepted. If you get errors like +<screen>error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created</screen> + you should either re-run <command>nixos-generate-config</command> or + manually replace + <literal>"${config.boot.kernelPackages.broadcom_sta}"</literal> by + <literal>config.boot.kernelPackages.broadcom_sta</literal> in your + <filename>/etc/nixos/hardware-configuration.nix</filename>. More discussion + is on <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12595"> the + github issue</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.xserver.startGnuPGAgent</literal> option has been + removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new + approach no longer requires (or even supports) the "start everything as a + child of the agent" scheme we've implemented in NixOS for older versions. + To configure the gpg-agent for your X session, add the following code to + <filename>~/.bashrc</filename> or some file that’s sourced when your + shell is started: +<programlisting> GPG_TTY=$(tty) export GPG_TTY </programlisting> - If you want to use gpg-agent for SSH, too, add the following to your session - initialization (e.g. <literal>displayManager.sessionCommands</literal>) - <programlisting> + If you want to use gpg-agent for SSH, too, add the following to your + session initialization (e.g. + <literal>displayManager.sessionCommands</literal>) +<programlisting> gpg-connect-agent /bye unset SSH_AGENT_PID export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh" </programlisting> - and make sure that - <programlisting> + and make sure that +<programlisting> enable-ssh-support </programlisting> - is included in your <filename>~/.gnupg/gpg-agent.conf</filename>. - You will need to use <command>ssh-add</command> to re-add your ssh keys. - If gpg’s automatic transformation of the private keys to the new format fails, - you will need to re-import your private keyring as well: - <programlisting> + is included in your <filename>~/.gnupg/gpg-agent.conf</filename>. You will + need to use <command>ssh-add</command> to re-add your ssh keys. If gpg’s + automatic transformation of the private keys to the new format fails, you + will need to re-import your private keyring as well: +<programlisting> gpg --import ~/.gnupg/secring.gpg </programlisting> - The <command>gpg-agent(1)</command> man page has more details about this subject, - i.e. in the "EXAMPLES" section. - </para> + The <command>gpg-agent(1)</command> man page has more details about this + subject, i.e. in the "EXAMPLES" section. + </para> </listitem> -</itemizedlist> - - -<para>Other notable improvements: + </itemizedlist> -<itemizedlist> - - <!-- + <para> + Other notable improvements: + <itemizedlist> +<!-- <listitem> <para>The <command>command-not-found</command> hook was extended. Apart from <literal>$NIX_AUTO_INSTALL</literal> variable, @@ -436,18 +654,18 @@ gpg --import ~/.gnupg/secring.gpg <command>nix-shell</command> (without installing anything).</para> </listitem> --> - - <listitem> - <para><literal>ejabberd</literal> module is brought back and now works on - NixOS.</para> - </listitem> - - <listitem> - <para>Input method support was improved. New NixOS modules (fcitx, nabi and uim), - fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus engines (hangul and m17n) - have been added.</para> - </listitem> - -</itemizedlist></para> - + <listitem> + <para> + <literal>ejabberd</literal> module is brought back and now works on NixOS. + </para> + </listitem> + <listitem> + <para> + Input method support was improved. New NixOS modules (fcitx, nabi and + uim), fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus + engines (hangul and m17n) have been added. + </para> + </listitem> + </itemizedlist> + </para> </section> diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index 893f894f42fe..4a2343edc970 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml @@ -3,237 +3,275 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-16.09"> + <title>Release 16.09 (“Flounder”, 2016/09/30)</title> -<title>Release 16.09 (“Flounder”, 2016/09/30)</title> - -<para>In addition to numerous new and upgraded packages, this release -has the following highlights: </para> - -<itemizedlist> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> + <itemizedlist> <listitem> - <para>Many NixOS configurations and Nix packages now use - significantly less disk space, thanks to the <link + <para> + Many NixOS configurations and Nix packages now use significantly less disk + space, thanks to the + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive - work on closure size reduction</link>. For example, the closure - size of a minimal NixOS container went down from ~424 MiB in 16.03 - to ~212 MiB in 16.09, while the closure size of Firefox went from - ~651 MiB to ~259 MiB.</para> + work on closure size reduction</link>. For example, the closure size of a + minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in + 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB. + </para> </listitem> - <listitem> - <para>To improve security, packages are now <link + <para> + To improve security, packages are now + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built - using various hardening features</link>. See the Nixpkgs manual - for more information.</para> + using various hardening features</link>. See the Nixpkgs manual for more + information. + </para> </listitem> - <listitem> - <para>Support for PXE netboot. See <xref - linkend="sec-booting-from-pxe" /> for documentation.</para> + <para> + Support for PXE netboot. See <xref + linkend="sec-booting-from-pxe" /> + for documentation. + </para> </listitem> - <listitem> - <para>X.org server 1.18. If you use the - <literal>ati_unfree</literal> driver, 1.17 is still used due to an - ABI incompatibility.</para> + <para> + X.org server 1.18. If you use the <literal>ati_unfree</literal> driver, + 1.17 is still used due to an ABI incompatibility. + </para> </listitem> - <listitem> - <para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd - 231. The default Linux kernel remains 4.4.</para> + <para> + This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default + Linux kernel remains 4.4. + </para> </listitem> + </itemizedlist> -</itemizedlist> - -<para>The following new services were added since the last release:</para> + <para> + The following new services were added since the last release: + </para> -<itemizedlist> - <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem> -</itemizedlist> - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes:</para> + <itemizedlist> + <listitem> + <para> + <literal>(this will get automatically generated at release time)</literal> + </para> + </listitem> + </itemizedlist> -<itemizedlist> + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> + <itemizedlist> <listitem> - <para>A large number of packages have been converted to use the multiple outputs feature - of Nix to greatly reduce the amount of required disk space, as - mentioned above. This may require changes - to any custom packages to make them build again; see the relevant chapter in the - Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions - related to multiple-output packages - <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link> - late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.) - </para> + <para> + A large number of packages have been converted to use the multiple outputs + feature of Nix to greatly reduce the amount of required disk space, as + mentioned above. This may require changes to any custom packages to make + them build again; see the relevant chapter in the Nixpkgs manual for more + information. (Additional caveat to packagers: some packaging conventions + related to multiple-output packages + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were + changed</link> late (August 2016) in the release cycle and differ from the + initial introduction of multiple outputs.) + </para> </listitem> - <listitem> - <para>Previous versions of Nixpkgs had support for all versions of the LTS + <para> + Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided <literal>haskell.packages.lts-x_y</literal> package sets still exist in name to aviod breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will - drop those old names entirely. <link + drop those old names entirely. + <link xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The motivation for this change</link> has been discussed at length on the - <literal>nix-dev</literal> mailing list and in <link - xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github issue - #14897</link>. Development strategies for Haskell hackers who want to rely - on Nix and NixOS have been described in <link + <literal>nix-dev</literal> mailing list and in + <link + xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github + issue #14897</link>. Development strategies for Haskell hackers who want to + rely on Nix and NixOS have been described in + <link xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another - nix-dev article</link>.</para> + nix-dev article</link>. + </para> </listitem> - <listitem> - <para>Shell aliases for systemd sub-commands - <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>: - <command>start</command>, <command>stop</command>, - <command>restart</command>, <command>status</command>.</para> + <para> + Shell aliases for systemd sub-commands + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were + dropped</link>: <command>start</command>, <command>stop</command>, + <command>restart</command>, <command>status</command>. + </para> </listitem> - <listitem> - <para>Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default - behavior of Redis 3.2</para> + <para> + Redis now binds to 127.0.0.1 only instead of listening to all network + interfaces. This is the default behavior of Redis 3.2 + </para> </listitem> - <listitem> - <para> - <literal>/var/empty</literal> is now immutable. Activation script runs <command>chattr +i</command> - to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365"> - the pull request</link> for what bugs this caused. - </para> + <para> + <literal>/var/empty</literal> is now immutable. Activation script runs + <command>chattr +i</command> to forbid any modifications inside the folder. + See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365"> the + pull request</link> for what bugs this caused. + </para> </listitem> - <listitem> - <para>Gitlab's maintainance script - <command>gitlab-runner</command> was removed and split up into the - more clearer <command>gitlab-run</command> and + <para> + Gitlab's maintainance script <command>gitlab-runner</command> was removed + and split up into the more clearer <command>gitlab-run</command> and <command>gitlab-rake</command> scripts, because - <command>gitlab-runner</command> is a component of Gitlab - CI.</para> + <command>gitlab-runner</command> is a component of Gitlab CI. + </para> </listitem> - <listitem> - <para><literal>services.xserver.libinput.accelProfile</literal> default - changed from <literal>flat</literal> to <literal>adaptive</literal>, - as per <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79"> - official documentation</link>.</para> + <para> + <literal>services.xserver.libinput.accelProfile</literal> default changed + from <literal>flat</literal> to <literal>adaptive</literal>, as per + <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79"> + official documentation</link>. + </para> </listitem> - <listitem> - <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed - because our presets were obsolete for some time. New presets are hardcoded - into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>. - You can customize those presets via ordinary environment variables, using - <literal>environment.variables</literal>.</para> + <para> + <literal>fonts.fontconfig.ultimate.rendering</literal> was removed because + our presets were obsolete for some time. New presets are hardcoded into + FreeType; you can select a preset via + <literal>fonts.fontconfig.ultimate.preset</literal>. You can customize + those presets via ordinary environment variables, using + <literal>environment.variables</literal>. + </para> </listitem> - <listitem> - <para>The <literal>audit</literal> service is no longer enabled by default. - Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para> + <para> + The <literal>audit</literal> service is no longer enabled by default. Use + <literal>security.audit.enable = true</literal> to explicitly enable it. + </para> </listitem> - <listitem> - <para> - <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the - kernel modules instead of the VirtualBox user space binaries. - If you want to reference the user space binaries, you have to use the new - <literal>pkgs.virtualbox</literal> instead. - </para> + <para> + <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the + kernel modules instead of the VirtualBox user space binaries. If you want + to reference the user space binaries, you have to use the new + <literal>pkgs.virtualbox</literal> instead. + </para> </listitem> - <listitem> - <para><literal>goPackages</literal> was replaced with separated Go - applications in appropriate <literal>nixpkgs</literal> - categories. Each Go package uses its own dependency set. There's - also a new <literal>go2nix</literal> tool introduced to generate a - Go package definition from its Go source automatically.</para> + <para> + <literal>goPackages</literal> was replaced with separated Go applications + in appropriate <literal>nixpkgs</literal> categories. Each Go package uses + its own dependency set. There's also a new <literal>go2nix</literal> tool + introduced to generate a Go package definition from its Go source + automatically. + </para> </listitem> - <listitem> - <para><literal>services.mongodb.extraConfig</literal> configuration format - was changed to YAML.</para> + <para> + <literal>services.mongodb.extraConfig</literal> configuration format was + changed to YAML. + </para> </listitem> - <listitem> - <para> - PHP has been upgraded to 7.0 - </para> + <para> + PHP has been upgraded to 7.0 + </para> </listitem> -</itemizedlist> - - -<para>Other notable improvements:</para> - -<itemizedlist> + </itemizedlist> - <listitem><para>Revamped grsecurity/PaX support. There is now only a single - general-purpose distribution kernel and the configuration interface has been - streamlined. Desktop users should be able to simply set - <programlisting>security.grsecurity.enable = true</programlisting> to get - a reasonably secure system without having to sacrifice too much - functionality. - </para></listitem> + <para> + Other notable improvements: + </para> - <listitem><para>Special filesystems, like <literal>/proc</literal>, - <literal>/run</literal> and others, now have the same mount options - as recommended by systemd and are unified across different places in - NixOS. Mount options are updated during <command>nixos-rebuild - switch</command> if possible. One benefit from this is improved - security — most such filesystems are now mounted with - <literal>noexec</literal>, <literal>nodev</literal> and/or - <literal>nosuid</literal> options.</para></listitem> - - <listitem><para>The reverse path filter was interfering with DHCPv4 server - operation in the past. An exception for DHCPv4 and a new option to log - packets that were dropped due to the reverse path filter was added - (<literal>networking.firewall.logReversePathDrops</literal>) for easier - debugging.</para></listitem> - - <listitem><para>Containers configuration within - <literal>containers.<name>.config</literal> is <link + <itemizedlist> + <listitem> + <para> + Revamped grsecurity/PaX support. There is now only a single general-purpose + distribution kernel and the configuration interface has been streamlined. + Desktop users should be able to simply set +<programlisting>security.grsecurity.enable = true</programlisting> + to get a reasonably secure system without having to sacrifice too much + functionality. + </para> + </listitem> + <listitem> + <para> + Special filesystems, like <literal>/proc</literal>, <literal>/run</literal> + and others, now have the same mount options as recommended by systemd and + are unified across different places in NixOS. Mount options are updated + during <command>nixos-rebuild switch</command> if possible. One benefit + from this is improved security — most such filesystems are now mounted + with <literal>noexec</literal>, <literal>nodev</literal> and/or + <literal>nosuid</literal> options. + </para> + </listitem> + <listitem> + <para> + The reverse path filter was interfering with DHCPv4 server operation in the + past. An exception for DHCPv4 and a new option to log packets that were + dropped due to the reverse path filter was added + (<literal>networking.firewall.logReversePathDrops</literal>) for easier + debugging. + </para> + </listitem> + <listitem> + <para> + Containers configuration within + <literal>containers.<name>.config</literal> is + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now - properly typed and checked</link>. In particular, partial - configurations are merged correctly.</para></listitem> - + properly typed and checked</link>. In particular, partial configurations + are merged correctly. + </para> + </listitem> <listitem> - <para>The directory container setuid wrapper programs, - <filename>/var/setuid-wrappers</filename>, <link + <para> + The directory container setuid wrapper programs, + <filename>/var/setuid-wrappers</filename>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now - updated atomically to prevent failures if the switch to a new - configuration is interrupted.</link></para> + updated atomically to prevent failures if the switch to a new configuration + is interrupted.</link> + </para> </listitem> - <listitem> - <para><literal>services.xserver.startGnuPGAgent</literal> - has been removed due to GnuPG 2.1.x bump. See <link + <para> + <literal>services.xserver.startGnuPGAgent</literal> has been removed due to + GnuPG 2.1.x bump. See + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c"> - how to achieve similar behavior</link>. You might need to - <literal>pkill gpg-agent</literal> after the upgrade - to prevent a stale agent being in the way. - </para> + how to achieve similar behavior</link>. You might need to <literal>pkill + gpg-agent</literal> after the upgrade to prevent a stale agent being in the + way. + </para> </listitem> - - <listitem><para> + <listitem> + <para> <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147"> - Declarative users could share the uid due to the bug in - the script handling conflict resolution. - </link> - </para></listitem> - - <listitem><para> + Declarative users could share the uid due to the bug in the script handling + conflict resolution. </link> + </para> + </listitem> + <listitem> + <para> Gummi boot has been replaced using systemd-boot. - </para></listitem> - - <listitem><para> + </para> + </listitem> + <listitem> + <para> Hydra package and NixOS module were added for convenience. - </para></listitem> - -</itemizedlist> - - + </para> + </listitem> + </itemizedlist> </section> diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 6147b9830137..6ca79e2bc00d 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -3,259 +3,588 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.03"> + <title>Release 17.03 (“Gorilla”, 2017/03/31)</title> -<title>Release 17.03 (“Gorilla”, 2017/03/31)</title> - -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.03-highlights"> + <title>Highlights</title> -<title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> -<para>In addition to numerous new and upgraded packages, this release -has the following highlights: </para> - -<itemizedlist> - <listitem> - <para>Nixpkgs is now extensible through overlays. See the <link + <itemizedlist> + <listitem> + <para> + Nixpkgs is now extensible through overlays. See the + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs - manual</link> for more information.</para> - </listitem> - - <listitem> - <para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd - 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para> - </listitem> - - <listitem> - <para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para> - </listitem> - - <listitem> - <para>The setuid wrapper functionality now supports setting - capabilities.</para> - </listitem> - - <listitem> - <para>X.org server uses branch 1.19. Due to ABI incompatibilities, - <literal>ati_unfree</literal> keeps forcing 1.17 - and <literal>amdgpu-pro</literal> starts forcing 1.18.</para> - </listitem> - - <listitem> + manual</link> for more information. + </para> + </listitem> + <listitem> <para> - Cross compilation has been rewritten. See the nixpkgs manual for - details. The most obvious breaking change is that in derivations there is no - <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now - cross by default, not native. + This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The + default Linux kernel is 4.9 and Nix is at 1.11.8. </para> - </listitem> - - <listitem> - <para>The <literal>overridePackages</literal> function has been rewritten - to be replaced by <link + </listitem> + <listitem> + <para> + The default desktop environment now is KDE's Plasma 5. KDE 4 has been + removed + </para> + </listitem> + <listitem> + <para> + The setuid wrapper functionality now supports setting capabilities. + </para> + </listitem> + <listitem> + <para> + X.org server uses branch 1.19. Due to ABI incompatibilities, + <literal>ati_unfree</literal> keeps forcing 1.17 and + <literal>amdgpu-pro</literal> starts forcing 1.18. + </para> + </listitem> + <listitem> + <para> + Cross compilation has been rewritten. See the nixpkgs manual for details. + The most obvious breaking change is that in derivations there is no + <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now + cross by default, not native. + </para> + </listitem> + <listitem> + <para> + The <literal>overridePackages</literal> function has been rewritten to be + replaced by + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install"> - overlays</link></para> - </listitem> - - <listitem> - <para>Packages in nixpkgs can be marked as insecure through listed - vulnerabilities. See the <link + overlays</link> + </para> + </listitem> + <listitem> + <para> + Packages in nixpkgs can be marked as insecure through listed + vulnerabilities. See the + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs - manual</link> for more information.</para> - </listitem> - - <listitem> - <para>PHP now defaults to PHP 7.1</para> - </listitem> - -</itemizedlist> + manual</link> for more information. + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 7.1 + </para> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.03-new-services"> + <title>New Services</title> -<title>New Services</title> + <para> + The following new services were added since the last release: + </para> -<para>The following new services were added since the last release:</para> - -<itemizedlist> - <listitem><para><literal>hardware/ckb.nix</literal></para></listitem> - <listitem><para><literal>hardware/mcelog.nix</literal></para></listitem> - <listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem> - <listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem> - <listitem><para><literal>programs/adb.nix</literal></para></listitem> - <listitem><para><literal>programs/chromium.nix</literal></para></listitem> - <listitem><para><literal>programs/gphoto2.nix</literal></para></listitem> - <listitem><para><literal>programs/java.nix</literal></para></listitem> - <listitem><para><literal>programs/mtr.nix</literal></para></listitem> - <listitem><para><literal>programs/oblogout.nix</literal></para></listitem> - <listitem><para><literal>programs/vim.nix</literal></para></listitem> - <listitem><para><literal>programs/wireshark.nix</literal></para></listitem> - <listitem><para><literal>security/dhparams.nix</literal></para></listitem> - <listitem><para><literal>services/audio/ympd.nix</literal></para></listitem> - <listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem> - <listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem> - <listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem> - <listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem> - <listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem> - <listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem> - <listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem> - <listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem> - <listitem><para><literal>services/hardware/illum.nix</literal></para></listitem> - <listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem> - <listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem> - <listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem> - <listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem> - <listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem> - <listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem> - <listitem><para><literal>services/misc/errbot.nix</literal></para></listitem> - <listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem> - <listitem><para><literal>services/misc/gogs.nix</literal></para></listitem> - <listitem><para><literal>services/misc/leaps.nix</literal></para></listitem> - <listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem> - <listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem> - <listitem><para><literal>services/misc/sssd.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem> - <listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem> - <listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem> - <listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem> - <listitem><para><literal>services/networking/dante.nix</literal></para></listitem> - <listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem> - <listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem> - <listitem><para><literal>services/networking/flannel.nix</literal></para></listitem> - <listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem> - <listitem><para><literal>services/networking/miredo.nix</literal></para></listitem> - <listitem><para><literal>services/networking/nftables.nix</literal></para></listitem> - <listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem> - <listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem> - <listitem><para><literal>services/networking/quagga.nix</literal></para></listitem> - <listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem> - <listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem> - <listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem> - <listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem> - <listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem> - <listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem> - <listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem> - <listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem> -</itemizedlist> + <itemizedlist> + <listitem> + <para> + <literal>hardware/ckb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/mcelog.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/usb-wwan.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/video/capture/mwprocapture.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/adb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/chromium.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/gphoto2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/java.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/mtr.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/oblogout.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/vim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/wireshark.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/dhparams.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/audio/ympd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/computing/boinc/client.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/buildbot/master.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/buildbot/worker.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/gitlab-runner.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/riak-cs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/stanchion.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/desktops/gnome3/gnome-terminal-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/editors/infinoted.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/hardware/illum.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/hardware/trezord.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/journalbeat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/offlineimap.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/postgrey.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/couchpotato.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/docker-registry.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/errbot.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/geoip-updater.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gogs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/leaps.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/nix-optimise.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ssm-agent.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/sssd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/arbtt.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/netdata.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/alertmanager.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/blackbox-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/json-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/nginx-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/node-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/snmp-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/unifi-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/varnish-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/sysstat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/telegraf.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/vnstat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/cachefilesd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/glusterfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/ipfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dante.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dnscrypt-wrapper.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/fakeroute.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/flannel.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/htpdate.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/miredo.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/nftables.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/powerdns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/pdns-recursor.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/quagga.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/redsocks.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/wireguard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/system/cgmanager.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/torrent/opentracker.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/atlassian/confluence.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/atlassian/crowd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/atlassian/jira.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/frab.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/nixbot.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/selfoss.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/quassel-webserver.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/unclutter-xfixes.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/urxvtd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/systemd-nspawn.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/ecs-agent.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/lxcfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/openstack/keystone.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/openstack/glance.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.03-incompatibilities"> + <title>Backward Incompatibilities</title> -<title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> -<para>When upgrading from a previous release, please be aware of the -following incompatible changes:</para> - -<itemizedlist> - <listitem> + <itemizedlist> + <listitem> <para> - Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> - and are now cross by default, not native. + Derivations have no <literal>.nativeDrv</literal> nor + <literal>.crossDrv</literal> and are now cross by default, not native. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - <literal>stdenv.overrides</literal> is now expected to take <literal>self</literal> - and <literal>super</literal> arguments. See <literal>lib.trivial.extends</literal> - for what those parameters represent. + <literal>stdenv.overrides</literal> is now expected to take + <literal>self</literal> and <literal>super</literal> arguments. See + <literal>lib.trivial.extends</literal> for what those parameters + represent. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - <literal>ansible</literal> now defaults to ansible version 2 as version 1 - has been removed due to a serious <link + <literal>ansible</literal> now defaults to ansible version 2 as version 1 + has been removed due to a serious + <link xlink:href="https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt"> - vulnerability</link> unpatched by upstream. + vulnerability</link> unpatched by upstream. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - <literal>gnome</literal> alias has been removed along with - <literal>gtk</literal>, <literal>gtkmm</literal> and several others. - Now you need to use versioned attributes, like <literal>gnome3</literal>. + <literal>gnome</literal> alias has been removed along with + <literal>gtk</literal>, <literal>gtkmm</literal> and several others. Now + you need to use versioned attributes, like <literal>gnome3</literal>. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The attribute name of the Radicale daemon has been changed from - <literal>pythonPackages.radicale</literal> to - <literal>radicale</literal>. + The attribute name of the Radicale daemon has been changed from + <literal>pythonPackages.radicale</literal> to <literal>radicale</literal>. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The <literal>stripHash</literal> bash function in <literal>stdenv</literal> - changed according to its documentation; it now outputs the stripped name to - <literal>stdout</literal> instead of putting it in the variable - <literal>strippedName</literal>. + The <literal>stripHash</literal> bash function in + <literal>stdenv</literal> changed according to its documentation; it now + outputs the stripped name to <literal>stdout</literal> instead of putting + it in the variable <literal>strippedName</literal>. </para> - </listitem> - - <listitem> - <para>PHP now scans for extra configuration .ini files in /etc/php.d - instead of /etc. This prevents accidentally loading non-PHP .ini files - that may be in /etc. + </listitem> + <listitem> + <para> + PHP now scans for extra configuration .ini files in /etc/php.d instead of + /etc. This prevents accidentally loading non-PHP .ini files that may be in + /etc. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Two lone top-level dict dbs moved into <literal>dictdDBs</literal>. This - affects: <literal>dictdWordnet</literal> which is now at - <literal>dictdDBs.wordnet</literal> and <literal>dictdWiktionary</literal> - which is now at <literal>dictdDBs.wiktionary</literal> + Two lone top-level dict dbs moved into <literal>dictdDBs</literal>. This + affects: <literal>dictdWordnet</literal> which is now at + <literal>dictdDBs.wordnet</literal> and <literal>dictdWiktionary</literal> + which is now at <literal>dictdDBs.wiktionary</literal> </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Parsoid service now uses YAML configuration format. + Parsoid service now uses YAML configuration format. <literal>service.parsoid.interwikis</literal> is now called <literal>service.parsoid.wikis</literal> and is a list of either API URLs or attribute sets as specified in parsoid's documentation. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> <literal>Ntpd</literal> was replaced by <literal>systemd-timesyncd</literal> as the default service to synchronize @@ -263,14 +592,12 @@ following incompatible changes:</para> setting <literal>services.ntp.enable</literal> to <literal>true</literal>. Upstream time servers for all NTP implementations are now configured using <literal>networking.timeServers</literal>. - </para> - </listitem> - - <listitem> + </para> + </listitem> + <listitem> <para> - <literal>service.nylon</literal> is now declared using named instances. - As an example: - + <literal>service.nylon</literal> is now declared using named instances. As + an example: <programlisting> services.nylon = { enable = true; @@ -279,9 +606,7 @@ following incompatible changes:</para> port = 5912; }; </programlisting> - - should be replaced with: - + should be replaced with: <programlisting> services.nylon.myvpn = { enable = true; @@ -290,225 +615,203 @@ following incompatible changes:</para> port = 5912; }; </programlisting> - - this enables you to declare a SOCKS proxy for each uplink. - + this enables you to declare a SOCKS proxy for each uplink. </para> - </listitem> - - <listitem> - <para><literal>overridePackages</literal> function no longer exists. - It is replaced by <link + </listitem> + <listitem> + <para> + <literal>overridePackages</literal> function no longer exists. It is + replaced by + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install"> - overlays</link>. For example, the following code: - + overlays</link>. For example, the following code: <programlisting> let pkgs = import <nixpkgs> {}; in pkgs.overridePackages (self: super: ...) </programlisting> - - should be replaced by: - + should be replaced by: <programlisting> let pkgs = import <nixpkgs> {}; in import pkgs.path { overlays = [(self: super: ...)]; } </programlisting> - </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Autoloading connection tracking helpers is now disabled by default. - This default was also changed in the Linux kernel and is considered - insecure if not configured properly in your firewall. If you need - connection tracking helpers (i.e. for active FTP) please enable - <literal>networking.firewall.autoLoadConntrackHelpers</literal> and - tune <literal>networking.firewall.connectionTrackingModules</literal> - to suit your needs. - </para> - </listitem> - - <listitem> + Autoloading connection tracking helpers is now disabled by default. This + default was also changed in the Linux kernel and is considered insecure if + not configured properly in your firewall. If you need connection tracking + helpers (i.e. for active FTP) please enable + <literal>networking.firewall.autoLoadConntrackHelpers</literal> and tune + <literal>networking.firewall.connectionTrackingModules</literal> to suit + your needs. + </para> + </listitem> + <listitem> <para> - <literal>local_recipient_maps</literal> is not set to empty value by - Postfix service. It's an insecure default as stated by Postfix - documentation. Those who want to retain this setting need to set it via - <literal>services.postfix.extraConfig</literal>. + <literal>local_recipient_maps</literal> is not set to empty value by + Postfix service. It's an insecure default as stated by Postfix + documentation. Those who want to retain this setting need to set it via + <literal>services.postfix.extraConfig</literal>. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Iputils no longer provide ping6 and traceroute6. The functionality of - these tools has been integrated into ping and traceroute respectively. To - enforce an address family the new flags <literal>-4</literal> and - <literal>-6</literal> have been added. One notable incompatibility is that - specifying an interface (for link-local IPv6 for instance) is no longer done - with the <literal>-I</literal> flag, but by encoding the interface into the - address (<literal>ping fe80::1%eth0</literal>). - </para> - </listitem> - - <listitem> + Iputils no longer provide ping6 and traceroute6. The functionality of + these tools has been integrated into ping and traceroute respectively. To + enforce an address family the new flags <literal>-4</literal> and + <literal>-6</literal> have been added. One notable incompatibility is that + specifying an interface (for link-local IPv6 for instance) is no longer + done with the <literal>-I</literal> flag, but by encoding the interface + into the address (<literal>ping fe80::1%eth0</literal>). + </para> + </listitem> + <listitem> <para> - The socket handling of the <literal>services.rmilter</literal> module - has been fixed and refactored. As rmilter doesn't support binding to - more than one socket, the options <literal>bindUnixSockets</literal> - and <literal>bindInetSockets</literal> have been replaced by - <literal>services.rmilter.bindSocket.*</literal>. The default is still - a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to - the options documentation for more information. - </para> - </listitem> - - <listitem> + The socket handling of the <literal>services.rmilter</literal> module has + been fixed and refactored. As rmilter doesn't support binding to more than + one socket, the options <literal>bindUnixSockets</literal> and + <literal>bindInetSockets</literal> have been replaced by + <literal>services.rmilter.bindSocket.*</literal>. The default is still a + unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to the + options documentation for more information. + </para> + </listitem> + <listitem> <para> - The <literal>fetch*</literal> functions no longer support md5, - please use sha256 instead. + The <literal>fetch*</literal> functions no longer support md5, please use + sha256 instead. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The dnscrypt-proxy module interface has been streamlined around the - <option>extraArgs</option> option. Where possible, legacy option - declarations are mapped to <option>extraArgs</option> but will emit - warnings. The <option>resolverList</option> has been outright - removed: to use an unlisted resolver, use the - <option>customResolver</option> option. - </para> - </listitem> - - <listitem> + The dnscrypt-proxy module interface has been streamlined around the + <option>extraArgs</option> option. Where possible, legacy option + declarations are mapped to <option>extraArgs</option> but will emit + warnings. The <option>resolverList</option> has been outright removed: to + use an unlisted resolver, use the <option>customResolver</option> option. + </para> + </listitem> + <listitem> <para> - torbrowser now stores local state under - <filename>~/.local/share/tor-browser</filename> by default. Any - browser profile data from the old location, - <filename>~/.torbrowser4</filename>, must be migrated manually. + torbrowser now stores local state under + <filename>~/.local/share/tor-browser</filename> by default. Any browser + profile data from the old location, <filename>~/.torbrowser4</filename>, + must be migrated manually. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The ihaskell, monetdb, offlineimap and sitecopy services have been removed. + The ihaskell, monetdb, offlineimap and sitecopy services have been + removed. </para> - </listitem> -</itemizedlist> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.03-notable-changes"> + <title>Other Notable Changes</title> -<title>Other Notable Changes</title> - -<itemizedlist> - - <listitem> - <para>Module type system have a new extensible option types feature that - allow to extend certain types, such as enum, through multiple option - declarations of the same option across multiple modules. - </para> - </listitem> - - <listitem> + <itemizedlist> + <listitem> <para> - <literal>jre</literal> now defaults to GTK+ UI by default. This - improves visual consistency and makes Java follow system font style, - improving the situation on HighDPI displays. This has a cost of increased - closure size; for server and other headless workloads it's recommended to - use <literal>jre_headless</literal>. + Module type system have a new extensible option types feature that allow + to extend certain types, such as enum, through multiple option + declarations of the same option across multiple modules. </para> - </listitem> - - <listitem> - <para>Python 2.6 interpreter and package set have been removed.</para> - </listitem> - - <listitem> + </listitem> + <listitem> + <para> + <literal>jre</literal> now defaults to GTK+ UI by default. This improves + visual consistency and makes Java follow system font style, improving the + situation on HighDPI displays. This has a cost of increased closure size; + for server and other headless workloads it's recommended to use + <literal>jre_headless</literal>. + </para> + </listitem> + <listitem> <para> - The Python 2.7 interpreter does not use modules anymore. Instead, all - CPython interpreters now include the whole standard library except for `tkinter`, - which is available in the Python package set. + Python 2.6 interpreter and package set have been removed. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. - Minor modifications had to be made to the interpreters in order to generate - deterministic bytecode. This has security implications and is relevant for - those using Python in a <literal>nix-shell</literal>. See the Nixpkgs manual - for details. + The Python 2.7 interpreter does not use modules anymore. Instead, all + CPython interpreters now include the whole standard library except for + `tkinter`, which is available in the Python package set. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The Python package sets now use a fixed-point combinator and the sets are - available as attributes of the interpreters. + Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. + Minor modifications had to be made to the interpreters in order to + generate deterministic bytecode. This has security implications and is + relevant for those using Python in a <literal>nix-shell</literal>. See the + Nixpkgs manual for details. + </para> + </listitem> + <listitem> + <para> + The Python package sets now use a fixed-point combinator and the sets are + available as attributes of the interpreters. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The Python function <literal>buildPythonPackage</literal> has been improved and can be - used to build from Setuptools source, Flit source, and precompiled Wheels. + The Python function <literal>buildPythonPackage</literal> has been + improved and can be used to build from Setuptools source, Flit source, and + precompiled Wheels. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - When adding new or updating current Python libraries, the expressions should be put - in separate files in <literal>pkgs/development/python-modules</literal> and - called from <literal>python-packages.nix</literal>. + When adding new or updating current Python libraries, the expressions + should be put in separate files in + <literal>pkgs/development/python-modules</literal> and called from + <literal>python-packages.nix</literal>. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The dnscrypt-proxy service supports synchronizing the list of public - resolvers without working DNS resolution. This fixes issues caused by the - resolver list becoming outdated. It also improves the viability of - DNSCrypt only configurations. + The dnscrypt-proxy service supports synchronizing the list of public + resolvers without working DNS resolution. This fixes issues caused by the + resolver list becoming outdated. It also improves the viability of + DNSCrypt only configurations. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Containers using bridged networking no longer lose their connection after - changes to the host networking. + Containers using bridged networking no longer lose their connection after + changes to the host networking. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - ZFS supports pool auto scrubbing. + ZFS supports pool auto scrubbing. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - The bind DNS utilities (e.g. dig) have been split into their own output and - are now also available in <literal>pkgs.dnsutils</literal> and it is no longer - necessary to pull in all of <literal>bind</literal> to use them. + The bind DNS utilities (e.g. dig) have been split into their own output + and are now also available in <literal>pkgs.dnsutils</literal> and it is + no longer necessary to pull in all of <literal>bind</literal> to use them. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Per-user configuration was moved from <filename>~/.nixpkgs</filename> to - <filename>~/.config/nixpkgs</filename>. The former is still valid for - <filename>config.nix</filename> for backwards compatibility. + Per-user configuration was moved from <filename>~/.nixpkgs</filename> to + <filename>~/.config/nixpkgs</filename>. The former is still valid for + <filename>config.nix</filename> for backwards compatibility. </para> - </listitem> -</itemizedlist> -</section> + </listitem> + </itemizedlist> + </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml index 66f7b01db72a..795c51d2923d 100644 --- a/nixos/doc/manual/release-notes/rl-1709.xml +++ b/nixos/doc/manual/release-notes/rl-1709.xml @@ -3,40 +3,40 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.09"> + <title>Release 17.09 (“Hummingbird”, 2017/09/??)</title> -<title>Release 17.09 (“Hummingbird”, 2017/09/??)</title> - -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.09-highlights"> + <title>Highlights</title> -<title>Highlights</title> - -<para>In addition to numerous new and upgraded packages, this release -has the following highlights: </para> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> -<itemizedlist> - <listitem> + <itemizedlist> + <listitem> <para> - The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, - KDE Applications to 17.08.1 and KDE Frameworks to 5.37. + The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE + Applications to 17.08.1 and KDE Frameworks to 5.37. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The user handling now keeps track of deallocated UIDs/GIDs. When a user - or group is revived, this allows it to be allocated the UID/GID it had before. - A consequence is that UIDs and GIDs are no longer reused. + The user handling now keeps track of deallocated UIDs/GIDs. When a user or + group is revived, this allows it to be allocated the UID/GID it had + before. A consequence is that UIDs and GIDs are no longer reused. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The module option <option>services.xserver.xrandrHeads</option> now - causes the first head specified in this list to be set as the primary - head. Apart from that, it's now possible to also set additional options - by using an attribute set, for example: + The module option <option>services.xserver.xrandrHeads</option> now causes + the first head specified in this list to be set as the primary head. Apart + from that, it's now possible to also set additional options by using an + attribute set, for example: <programlisting> { services.xserver.xrandrHeads = [ "HDMI-0" @@ -50,365 +50,664 @@ has the following highlights: </para> ]; } </programlisting> - This will set the <literal>DVI-0</literal> output to be the primary head, - even though <literal>HDMI-0</literal> is the first head in the list. + This will set the <literal>DVI-0</literal> output to be the primary head, + even though <literal>HDMI-0</literal> is the first head in the list. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The handling of SSL in the <literal>services.nginx</literal> module has - been cleaned up, renaming the misnamed <literal>enableSSL</literal> to - <literal>onlySSL</literal> which reflects its original intention. This - is not to be used with the already existing <literal>forceSSL</literal> - which creates a second non-SSL virtual host redirecting to the SSL - virtual host. This by chance had worked earlier due to specific - implementation details. In case you had specified both please remove - the <literal>enableSSL</literal> option to keep the previous behaviour. + The handling of SSL in the <literal>services.nginx</literal> module has + been cleaned up, renaming the misnamed <literal>enableSSL</literal> to + <literal>onlySSL</literal> which reflects its original intention. This is + not to be used with the already existing <literal>forceSSL</literal> which + creates a second non-SSL virtual host redirecting to the SSL virtual host. + This by chance had worked earlier due to specific implementation details. + In case you had specified both please remove the + <literal>enableSSL</literal> option to keep the previous behaviour. </para> <para> - Another <literal>addSSL</literal> option has been introduced to configure - both a non-SSL virtual host and an SSL virtual host with the same - configuration. + Another <literal>addSSL</literal> option has been introduced to configure + both a non-SSL virtual host and an SSL virtual host with the same + configuration. </para> <para> - Options to configure <literal>resolver</literal> options and - <literal>upstream</literal> blocks have been introduced. See their information - for further details. + Options to configure <literal>resolver</literal> options and + <literal>upstream</literal> blocks have been introduced. See their + information for further details. </para> <para> - The <literal>port</literal> option has been replaced by a more generic - <literal>listen</literal> option which makes it possible to specify - multiple addresses, ports and SSL configs dependant on the new SSL - handling mentioned above. + The <literal>port</literal> option has been replaced by a more generic + <literal>listen</literal> option which makes it possible to specify + multiple addresses, ports and SSL configs dependant on the new SSL + handling mentioned above. </para> - </listitem> -</itemizedlist> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.09-new-services"> + <title>New Services</title> -<title>New Services</title> - -<para>The following new services were added since the last release:</para> + <para> + The following new services were added since the last release: + </para> -<itemizedlist> - <listitem><para><literal>config/fonts/fontconfig-penultimate.nix</literal></para></listitem> - <listitem><para><literal>config/fonts/fontconfig-ultimate.nix</literal></para></listitem> - <listitem><para><literal>config/terminfo.nix</literal></para></listitem> - <listitem><para><literal>hardware/sensor/iio.nix</literal></para></listitem> - <listitem><para><literal>hardware/nitrokey.nix</literal></para></listitem> - <listitem><para><literal>hardware/raid/hpsa.nix</literal></para></listitem> - <listitem><para><literal>programs/browserpass.nix</literal></para></listitem> - <listitem><para><literal>programs/gnupg.nix</literal></para></listitem> - <listitem><para><literal>programs/qt5ct.nix</literal></para></listitem> - <listitem><para><literal>programs/slock.nix</literal></para></listitem> - <listitem><para><literal>programs/thefuck.nix</literal></para></listitem> - <listitem><para><literal>security/auditd.nix</literal></para></listitem> - <listitem><para><literal>security/lock-kernel-modules.nix</literal></para></listitem> - <listitem><para><literal>service-managers/docker.nix</literal></para></listitem> - <listitem><para><literal>service-managers/trivial.nix</literal></para></listitem> - <listitem><para><literal>services/admin/salt/master.nix</literal></para></listitem> - <listitem><para><literal>services/admin/salt/minion.nix</literal></para></listitem> - <listitem><para><literal>services/audio/slimserver.nix</literal></para></listitem> - <listitem><para><literal>services/cluster/kubernetes/default.nix</literal></para></listitem> - <listitem><para><literal>services/cluster/kubernetes/dns.nix</literal></para></listitem> - <listitem><para><literal>services/cluster/kubernetes/dashboard.nix</literal></para></listitem> - <listitem><para><literal>services/continuous-integration/hail.nix</literal></para></listitem> - <listitem><para><literal>services/databases/clickhouse.nix</literal></para></listitem> - <listitem><para><literal>services/databases/postage.nix</literal></para></listitem> - <listitem><para><literal>services/desktops/gnome3/gnome-disks.nix</literal></para></listitem> - <listitem><para><literal>services/desktops/gnome3/gpaste.nix</literal></para></listitem> - <listitem><para><literal>services/logging/SystemdJournal2Gelf.nix</literal></para></listitem> - <listitem><para><literal>services/logging/heartbeat.nix</literal></para></listitem> - <listitem><para><literal>services/logging/journalwatch.nix</literal></para></listitem> - <listitem><para><literal>services/logging/syslogd.nix</literal></para></listitem> - <listitem><para><literal>services/mail/mailhog.nix</literal></para></listitem> - <listitem><para><literal>services/mail/nullmailer.nix</literal></para></listitem> - <listitem><para><literal>services/misc/airsonic.nix</literal></para></listitem> - <listitem><para><literal>services/misc/autorandr.nix</literal></para></listitem> - <listitem><para><literal>services/misc/exhibitor.nix</literal></para></listitem> - <listitem><para><literal>services/misc/fstrim.nix</literal></para></listitem> - <listitem><para><literal>services/misc/gollum.nix</literal></para></listitem> - <listitem><para><literal>services/misc/irkerd.nix</literal></para></listitem> - <listitem><para><literal>services/misc/jackett.nix</literal></para></listitem> - <listitem><para><literal>services/misc/radarr.nix</literal></para></listitem> - <listitem><para><literal>services/misc/snapper.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/osquery.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/collectd-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal></para></listitem> - <listitem><para><literal>services/network-filesystems/kbfs.nix</literal></para></listitem> - <listitem><para><literal>services/networking/dnscache.nix</literal></para></listitem> - <listitem><para><literal>services/networking/fireqos.nix</literal></para></listitem> - <listitem><para><literal>services/networking/iwd.nix</literal></para></listitem> - <listitem><para><literal>services/networking/keepalived/default.nix</literal></para></listitem> - <listitem><para><literal>services/networking/keybase.nix</literal></para></listitem> - <listitem><para><literal>services/networking/lldpd.nix</literal></para></listitem> - <listitem><para><literal>services/networking/matterbridge.nix</literal></para></listitem> - <listitem><para><literal>services/networking/squid.nix</literal></para></listitem> - <listitem><para><literal>services/networking/tinydns.nix</literal></para></listitem> - <listitem><para><literal>services/networking/xrdp.nix</literal></para></listitem> - <listitem><para><literal>services/security/shibboleth-sp.nix</literal></para></listitem> - <listitem><para><literal>services/security/sks.nix</literal></para></listitem> - <listitem><para><literal>services/security/sshguard.nix</literal></para></listitem> - <listitem><para><literal>services/security/torify.nix</literal></para></listitem> - <listitem><para><literal>services/security/usbguard.nix</literal></para></listitem> - <listitem><para><literal>services/security/vault.nix</literal></para></listitem> - <listitem><para><literal>services/system/earlyoom.nix</literal></para></listitem> - <listitem><para><literal>services/system/saslauthd.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/nexus.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/pgpkeyserver-lite.nix</literal></para></listitem> - <listitem><para><literal>services/web-apps/piwik.nix</literal></para></listitem> - <listitem><para><literal>services/web-servers/lighttpd/collectd.nix</literal></para></listitem> - <listitem><para><literal>services/web-servers/minio.nix</literal></para></listitem> - <listitem><para><literal>services/x11/display-managers/xpra.nix</literal></para></listitem> - <listitem><para><literal>services/x11/xautolock.nix</literal></para></listitem> - <listitem><para><literal>tasks/filesystems/bcachefs.nix</literal></para></listitem> - <listitem><para><literal>tasks/powertop.nix</literal></para></listitem> -</itemizedlist> + <itemizedlist> + <listitem> + <para> + <literal>config/fonts/fontconfig-penultimate.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>config/fonts/fontconfig-ultimate.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>config/terminfo.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/sensor/iio.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/nitrokey.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/raid/hpsa.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/browserpass.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/gnupg.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/qt5ct.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/slock.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/thefuck.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/auditd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/lock-kernel-modules.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>service-managers/docker.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>service-managers/trivial.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/admin/salt/master.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/admin/salt/minion.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/audio/slimserver.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/cluster/kubernetes/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/cluster/kubernetes/dns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/cluster/kubernetes/dashboard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/hail.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/clickhouse.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/postage.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/desktops/gnome3/gnome-disks.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/desktops/gnome3/gpaste.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/SystemdJournal2Gelf.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/heartbeat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/journalwatch.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/syslogd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/mailhog.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/nullmailer.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/airsonic.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/autorandr.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/exhibitor.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/fstrim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gollum.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/irkerd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/jackett.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/radarr.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/snapper.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/osquery.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/collectd-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/kbfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dnscache.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/fireqos.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/iwd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/keepalived/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/keybase.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/lldpd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/matterbridge.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/squid.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tinydns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/xrdp.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/shibboleth-sp.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/sks.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/sshguard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/torify.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/usbguard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/vault.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/system/earlyoom.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/system/saslauthd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/nexus.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/pgpkeyserver-lite.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/piwik.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/lighttpd/collectd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/minio.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/display-managers/xpra.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/xautolock.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/filesystems/bcachefs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/powertop.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.09-incompatibilities"> + <title>Backward Incompatibilities</title> -<title>Backward Incompatibilities</title> - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes:</para> + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> -<itemizedlist> - <listitem> - <para> - <emphasis role="strong"> - In an Qemu-based virtualization environment, the network interface - names changed from i.e. <literal>enp0s3</literal> to - <literal>ens3</literal>. - </emphasis> - </para> - <para> - This is due to a kernel configuration change. The new naming - is consistent with those of other Linux distributions with - systemd. See - <link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link> - for more information. - </para> - <para> - A machine is affected if the <literal>virt-what</literal> tool - either returns <literal>qemu</literal> or - <literal>kvm</literal> <emphasis>and</emphasis> has - interface names used in any part of its NixOS configuration, - in particular if a static network configuration with - <literal>networking.interfaces</literal> is used. - </para> - <para> - Before rebooting affected machines, please ensure: - <itemizedlist> - <listitem> - <para> - Change the interface names in your NixOS configuration. - The first interface will be called <literal>ens3</literal>, - the second one <literal>ens8</literal> and starting from there - incremented by 1. - </para> - </listitem> - <listitem> - <para> - After changing the interface names, rebuild your system with - <literal>nixos-rebuild boot</literal> to activate the new - configuration after a reboot. If you switch to the new - configuration right away you might lose network connectivity! - If using <literal>nixops</literal>, deploy with - <literal>nixops deploy --force-reboot</literal>. - </para> - </listitem> - </itemizedlist> - </para> - </listitem> - <listitem> - <para> - The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher. - For <literal>stateVersion = "17.03"</literal> or lower the old behavior is preserved. + <itemizedlist> + <listitem> + <para> + <emphasis role="strong"> In an Qemu-based virtualization environment, the + network interface names changed from i.e. <literal>enp0s3</literal> to + <literal>ens3</literal>. </emphasis> </para> - <itemizedlist> - <listitem> - <para> - The <literal>postgres</literal> default version was changed from 9.5 to 9.6. - </para> - </listitem> - <listitem> - <para> - The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing. - </para> - </listitem> - <listitem> - <para> - The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example. - </para> - </listitem> + <para> + This is due to a kernel configuration change. The new naming is consistent + with those of other Linux distributions with systemd. See + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link> + for more information. + </para> + <para> + A machine is affected if the <literal>virt-what</literal> tool either + returns <literal>qemu</literal> or <literal>kvm</literal> + <emphasis>and</emphasis> has interface names used in any part of its NixOS + configuration, in particular if a static network configuration with + <literal>networking.interfaces</literal> is used. + </para> + <para> + Before rebooting affected machines, please ensure: + <itemizedlist> <listitem> - <para> - The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>. - </para> + <para> + Change the interface names in your NixOS configuration. The first + interface will be called <literal>ens3</literal>, the second one + <literal>ens8</literal> and starting from there incremented by 1. + </para> </listitem> <listitem> - <para> - Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration. - </para> + <para> + After changing the interface names, rebuild your system with + <literal>nixos-rebuild boot</literal> to activate the new configuration + after a reboot. If you switch to the new configuration right away you + might lose network connectivity! If using <literal>nixops</literal>, + deploy with <literal>nixops deploy --force-reboot</literal>. + </para> </listitem> + </itemizedlist> + </para> + </listitem> + <listitem> + <para> + The following changes apply if the <literal>stateVersion</literal> is + changed to 17.09 or higher. For <literal>stateVersion = "17.03"</literal> + or lower the old behavior is preserved. + </para> + <itemizedlist> + <listitem> + <para> + The <literal>postgres</literal> default version was changed from 9.5 to + 9.6. + </para> + </listitem> + <listitem> + <para> + The <literal>postgres</literal> superuser name has changed from + <literal>root</literal> to <literal>postgres</literal> to more closely + follow what other Linux distributions are doing. + </para> + </listitem> + <listitem> + <para> + The <literal>postgres</literal> default <literal>dataDir</literal> has + changed from <literal>/var/db/postgres</literal> to + <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is + 9.6 for example. + </para> + </listitem> + <listitem> + <para> + The <literal>mysql</literal> default <literal>dataDir</literal> has + changed from <literal>/var/mysql</literal> to + <literal>/var/lib/mysql</literal>. + </para> + </listitem> + <listitem> + <para> + Radicale's default package has changed from 1.x to 2.x. Instructions to + migrate can be found <link xlink:href="http://radicale.org/1to2/"> here + </link>. It is also possible to use the newer version by setting the + <literal>package</literal> to <literal>radicale2</literal>, which is + done automatically when <literal>stateVersion</literal> is 17.09 or + higher. The <literal>extraArgs</literal> option has been added to allow + passing the data migration arguments specified in the instructions; see + the + <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> + NixOS test for an example migration. + </para> + </listitem> </itemizedlist> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>aiccu</literal> package was removed. This is due to SixXS - <link xlink:href="https://www.sixxs.net/main/"> sunsetting</link> its IPv6 tunnel. + The <literal>aiccu</literal> package was removed. This is due to SixXS + <link xlink:href="https://www.sixxs.net/main/"> sunsetting</link> its IPv6 + tunnel. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>fanctl</literal> package and <literal>fan</literal> module - have been removed due to the developers not upstreaming their iproute2 - patches and lagging with compatibility to recent iproute2 versions. + The <literal>fanctl</literal> package and <literal>fan</literal> module + have been removed due to the developers not upstreaming their iproute2 + patches and lagging with compatibility to recent iproute2 versions. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - Top-level <literal>idea</literal> package collection was renamed. - All JetBrains IDEs are now at <literal>jetbrains</literal>. + Top-level <literal>idea</literal> package collection was renamed. All + JetBrains IDEs are now at <literal>jetbrains</literal>. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>flexget</literal>'s state database cannot be upgraded to its - new internal format, requiring removal of any existing - <literal>db-config.sqlite</literal> which will be automatically recreated. + <literal>flexget</literal>'s state database cannot be upgraded to its new + internal format, requiring removal of any existing + <literal>db-config.sqlite</literal> which will be automatically recreated. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>ipfs</literal> service now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with + The <literal>ipfs</literal> service now doesn't ignore the + <literal>dataDir</literal> option anymore. If you've ever set this option + to anything other than the default you'll have to either unset it (so the + default gets used) or migrate the old data manually with <programlisting> dataDir=<valueOfDataDir> mv /var/lib/ipfs/.ipfs/* $dataDir rmdir /var/lib/ipfs/.ipfs </programlisting> </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>caddy</literal> service was previously using an extra - <literal>.caddy</literal> directory in the data directory specified - with the <literal>dataDir</literal> option. The contents of the - <literal>.caddy</literal> directory are now expected to be in the - <literal>dataDir</literal>. + The <literal>caddy</literal> service was previously using an extra + <literal>.caddy</literal> directory in the data directory specified with + the <literal>dataDir</literal> option. The contents of the + <literal>.caddy</literal> directory are now expected to be in the + <literal>dataDir</literal>. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>ssh-agent</literal> user service is not started by default - anymore. Use <literal>programs.ssh.startAgent</literal> to enable it if - needed. There is also a new <literal>programs.gnupg.agent</literal> - module that creates a <literal>gpg-agent</literal> user service. It can - also serve as a SSH agent if <literal>enableSSHSupport</literal> is set. + The <literal>ssh-agent</literal> user service is not started by default + anymore. Use <literal>programs.ssh.startAgent</literal> to enable it if + needed. There is also a new <literal>programs.gnupg.agent</literal> module + that creates a <literal>gpg-agent</literal> user service. It can also + serve as a SSH agent if <literal>enableSSHSupport</literal> is set. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>services.tinc.networks.<name>.listenAddress</literal> - option had a misleading name that did not correspond to its behavior. It - now correctly defines the ip to listen for incoming connections on. To - keep the previous behaviour, use - <literal>services.tinc.networks.<name>.bindToAddress</literal> - instead. Refer to the description of the options for more details. + The <literal>services.tinc.networks.<name>.listenAddress</literal> + option had a misleading name that did not correspond to its behavior. It + now correctly defines the ip to listen for incoming connections on. To + keep the previous behaviour, use + <literal>services.tinc.networks.<name>.bindToAddress</literal> + instead. Refer to the description of the options for more details. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>tlsdate</literal> package and module were removed. This is due to the project - being dead and not building with openssl 1.1. + <literal>tlsdate</literal> package and module were removed. This is due to + the project being dead and not building with openssl 1.1. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>wvdial</literal> package and module were removed. This is due to the project - being dead and not building with openssl 1.1. + <literal>wvdial</literal> package and module were removed. This is due to + the project being dead and not building with openssl 1.1. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>cc-wrapper</literal>'s setup-hook now exports a number of - environment variables corresponding to binutils binaries, - (e.g. <envar>LD</envar>, <envar>STRIP</envar>, <envar>RANLIB</envar>, - etc). This is done to prevent packages' build systems guessing, which is - harder to predict, especially when cross-compiling. However, some packages - have broken due to this—their build systems either not supporting, or - claiming to support without adequate testing, taking such environment - variables as parameters. + <literal>cc-wrapper</literal>'s setup-hook now exports a number of + environment variables corresponding to binutils binaries, (e.g. + <envar>LD</envar>, <envar>STRIP</envar>, <envar>RANLIB</envar>, etc). This + is done to prevent packages' build systems guessing, which is harder to + predict, especially when cross-compiling. However, some packages have + broken due to this—their build systems either not supporting, or + claiming to support without adequate testing, taking such environment + variables as parameters. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>services.firefox.syncserver</literal> now runs by default as a - non-root user. To accomodate this change, the default sqlite database - location has also been changed. Migration should work automatically. - Refer to the description of the options for more details. + <literal>services.firefox.syncserver</literal> now runs by default as a + non-root user. To accomodate this change, the default sqlite database + location has also been changed. Migration should work automatically. Refer + to the description of the options for more details. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>compiz</literal> window manager and package was - removed. The system support had been broken for several years. + The <literal>compiz</literal> window manager and package was removed. The + system support had been broken for several years. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - Touchpad support should now be enabled through - <literal>libinput</literal> as <literal>synaptics</literal> is - now deprecated. See the option - <literal>services.xserver.libinput.enable</literal>. + Touchpad support should now be enabled through <literal>libinput</literal> + as <literal>synaptics</literal> is now deprecated. See the option + <literal>services.xserver.libinput.enable</literal>. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - grsecurity/PaX support has been dropped, following upstream's - decision to cease free support. See - <link xlink:href="https://grsecurity.net/passing_the_baton.php"> - upstream's announcement</link> for more information. - No complete replacement for grsecurity/PaX is available presently. + grsecurity/PaX support has been dropped, following upstream's decision to + cease free support. See + <link xlink:href="https://grsecurity.net/passing_the_baton.php"> + upstream's announcement</link> for more information. No complete + replacement for grsecurity/PaX is available presently. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>services.mysql</literal> now has declarative - configuration of databases and users with the <literal>ensureDatabases</literal> and - <literal>ensureUsers</literal> options. + <literal>services.mysql</literal> now has declarative configuration of + databases and users with the <literal>ensureDatabases</literal> and + <literal>ensureUsers</literal> options. </para> - <para> - These options will never delete existing databases and users, - especially not when the value of the options are changed. + These options will never delete existing databases and users, especially + not when the value of the options are changed. </para> - <para> - The MySQL users will be identified using - <link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/"> - Unix socket authentication</link>. This authenticates the - Unix user with the same name only, and that without the need - for a password. + The MySQL users will be identified using + <link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/"> + Unix socket authentication</link>. This authenticates the Unix user with + the same name only, and that without the need for a password. </para> - <para> - If you have previously created a MySQL <literal>root</literal> - user <emphasis>with a password</emphasis>, you will need to add - <literal>root</literal> user for unix socket authentication - before using the new options. This can be done by running the - following SQL script: - + If you have previously created a MySQL <literal>root</literal> user + <emphasis>with a password</emphasis>, you will need to add + <literal>root</literal> user for unix socket authentication before using + the new options. This can be done by running the following SQL script: <programlisting language="sql"> CREATE USER 'root'@'%' IDENTIFIED BY ''; GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION; @@ -418,194 +717,183 @@ FLUSH PRIVILEGES; -- DROP USER 'root'@'localhost'; </programlisting> </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - <literal>services.mysqlBackup</literal> now works by default - without any user setup, including for users other than - <literal>mysql</literal>. + <literal>services.mysqlBackup</literal> now works by default without any + user setup, including for users other than <literal>mysql</literal>. </para> - <para> - By default, the <literal>mysql</literal> user is no longer the - user which performs the backup. Instead a system account - <literal>mysqlbackup</literal> is used. + By default, the <literal>mysql</literal> user is no longer the user which + performs the backup. Instead a system account + <literal>mysqlbackup</literal> is used. </para> - <para> - The <literal>mysqlBackup</literal> service is also now using - systemd timers instead of <literal>cron</literal>. + The <literal>mysqlBackup</literal> service is also now using systemd + timers instead of <literal>cron</literal>. </para> - <para> - Therefore, the <literal>services.mysqlBackup.period</literal> - option no longer exists, and has been replaced with - <literal>services.mysqlBackup.calendar</literal>, which is in - the format of <link + Therefore, the <literal>services.mysqlBackup.period</literal> option no + longer exists, and has been replaced with + <literal>services.mysqlBackup.calendar</literal>, which is in the format + of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>. </para> - <para> - If you expect to be sent an e-mail when the backup fails, - consider using a script which monitors the systemd journal for - errors. Regretfully, at present there is no built-in - functionality for this. + If you expect to be sent an e-mail when the backup fails, consider using a + script which monitors the systemd journal for errors. Regretfully, at + present there is no built-in functionality for this. </para> - <para> - You can check that backups still work by running - <command>systemctl start mysql-backup</command> then - <command>systemctl status mysql-backup</command>. + You can check that backups still work by running <command>systemctl start + mysql-backup</command> then <command>systemctl status + mysql-backup</command>. </para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Templated systemd services e.g <literal>container@name</literal> are - now handled currectly when switching to a new configuration, resulting - in them being reloaded. + Templated systemd services e.g <literal>container@name</literal> are now + handled currectly when switching to a new configuration, resulting in them + being reloaded. </para> - </listitem> - - <listitem> - <para>Steam: the <literal>newStdcpp</literal> parameter - was removed and should not be needed anymore.</para> - </listitem> - - <listitem> + </listitem> + <listitem> <para> - Redis has been updated to version 4 which mandates a cluster - mass-restart, due to changes in the network handling, in order - to ensure compatibility with networks NATing traffic. + Steam: the <literal>newStdcpp</literal> parameter was removed and should + not be needed anymore. </para> - </listitem> -</itemizedlist> + </listitem> + <listitem> + <para> + Redis has been updated to version 4 which mandates a cluster mass-restart, + due to changes in the network handling, in order to ensure compatibility + with networks NATing traffic. + </para> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-17.09-notable-changes"> + <title>Other Notable Changes</title> -<title>Other Notable Changes</title> - -<itemizedlist> - - <listitem> + <itemizedlist> + <listitem> <para> - Modules can now be disabled by using <link + Modules can now be disabled by using + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules"> - disabledModules</link>, allowing another to take it's place. This can be - used to import a set of modules from another channel while keeping the - rest of the system on a stable release. + disabledModules</link>, allowing another to take it's place. This can be + used to import a set of modules from another channel while keeping the + rest of the system on a stable release. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - Updated to FreeType 2.7.1, including a new TrueType engine. - The new engine replaces the Infinality engine which was the default in - NixOS. The default font rendering settings are now provided by - fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults - are less invasive and provide rendering that is more consistent with - other systems and hopefully with each font designer's intent. Some - system-wide configuration has been removed from the Fontconfig NixOS - module where user Fontconfig settings are available. + Updated to FreeType 2.7.1, including a new TrueType engine. The new engine + replaces the Infinality engine which was the default in NixOS. The default + font rendering settings are now provided by fontconfig-penultimate, + replacing fontconfig-ultimate; the new defaults are less invasive and + provide rendering that is more consistent with other systems and hopefully + with each font designer's intent. Some system-wide configuration has been + removed from the Fontconfig NixOS module where user Fontconfig settings + are available. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - ZFS/SPL have been updated to 0.7.0, <literal>zfsUnstable, splUnstable</literal> - have therefore been removed. + ZFS/SPL have been updated to 0.7.0, <literal>zfsUnstable, + splUnstable</literal> have therefore been removed. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <option>time.timeZone</option> option now allows the value - <literal>null</literal> in addition to timezone strings. This value - allows changing the timezone of a system imperatively using - <command>timedatectl set-timezone</command>. The default timezone - is still UTC. + The <option>time.timeZone</option> option now allows the value + <literal>null</literal> in addition to timezone strings. This value allows + changing the timezone of a system imperatively using <command>timedatectl + set-timezone</command>. The default timezone is still UTC. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - Nixpkgs overlays may now be specified with a file as well as a directory. The - value of <literal><nixpkgs-overlays></literal> may be a file, and - <filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the - <filename>~/.config/nixpkgs/overlays</filename> directory. + Nixpkgs overlays may now be specified with a file as well as a directory. + The value of <literal><nixpkgs-overlays></literal> may be a file, and + <filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of + the <filename>~/.config/nixpkgs/overlays</filename> directory. </para> <para> - See the overlays chapter of the Nixpkgs manual for more details. + See the overlays chapter of the Nixpkgs manual for more details. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - Definitions for <filename>/etc/hosts</filename> can now be specified - declaratively with <literal>networking.hosts</literal>. + Definitions for <filename>/etc/hosts</filename> can now be specified + declaratively with <literal>networking.hosts</literal>. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - Two new options have been added to the installer loader, in addition - to the default having changed. The kernel log verbosity has been lowered - to the upstream default for the default options, in order to not spam - the console when e.g. joining a network. + Two new options have been added to the installer loader, in addition to + the default having changed. The kernel log verbosity has been lowered to + the upstream default for the default options, in order to not spam the + console when e.g. joining a network. </para> <para> - This therefore leads to adding a new <literal>debug</literal> option - to set the log level to the previous verbose mode, to make debugging - easier, but still accessible easily. + This therefore leads to adding a new <literal>debug</literal> option to + set the log level to the previous verbose mode, to make debugging easier, + but still accessible easily. </para> <para> - Additionally a <literal>copytoram</literal> option has been added, - which makes it possible to remove the install medium after booting. - This allows tethering from your phone after booting from it. + Additionally a <literal>copytoram</literal> option has been added, which + makes it possible to remove the install medium after booting. This allows + tethering from your phone after booting from it. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>services.gitlab-runner.configOptions</literal> has been added - to specify the configuration of gitlab-runners declaratively. + <literal>services.gitlab-runner.configOptions</literal> has been added to + specify the configuration of gitlab-runners declaratively. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>services.jenkins.plugins</literal> has been added - to install plugins easily, this can be generated with jenkinsPlugins2nix. + <literal>services.jenkins.plugins</literal> has been added to install + plugins easily, this can be generated with jenkinsPlugins2nix. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>services.postfix.config</literal> has been added - to specify the main.cf with NixOS options. Additionally other options - have been added to the postfix module and has been improved further. + <literal>services.postfix.config</literal> has been added to specify the + main.cf with NixOS options. Additionally other options have been added to + the postfix module and has been improved further. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The GitLab package and module have been updated to the latest 10.0 - release. + The GitLab package and module have been updated to the latest 10.0 + release. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>systemd-boot</literal> boot loader now lists the NixOS - version, kernel version and build date of all bootable generations. + The <literal>systemd-boot</literal> boot loader now lists the NixOS + version, kernel version and build date of all bootable generations. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The dnscrypt-proxy service now defaults to using a random upstream resolver, - selected from the list of public non-logging resolvers with DNSSEC support. - Existing configurations can be migrated to this mode of operation by - omitting the <option>services.dnscrypt-proxy.resolverName</option> option - or setting it to <literal>"random"</literal>. + The dnscrypt-proxy service now defaults to using a random upstream + resolver, selected from the list of public non-logging resolvers with + DNSSEC support. Existing configurations can be migrated to this mode of + operation by omitting the + <option>services.dnscrypt-proxy.resolverName</option> option or setting it + to <literal>"random"</literal>. </para> - </listitem> - -</itemizedlist> - -</section> + </listitem> + </itemizedlist> + </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml index 9f80dcc29341..c14679eea071 100644 --- a/nixos/doc/manual/release-notes/rl-1803.xml +++ b/nixos/doc/manual/release-notes/rl-1803.xml @@ -3,413 +3,822 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-18.03"> + <title>Release 18.03 (“Impala”, 2018/04/04)</title> -<title>Release 18.03 (“Impala”, 2018/03/??)</title> - -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-18.03-highlights"> + <title>Highlights</title> -<title>Highlights</title> - -<para>In addition to numerous new and upgraded packages, this release -has the following highlights: </para> - -<itemizedlist> - <listitem> - <para> - MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes - have been made to the infrastructure involved: - <itemizedlist> - <listitem> - <para> - <literal>libmysql</literal> has been deprecated, please use <literal>mysql.connector-c</literal> - instead, a compatibility passthru has been added to the MySQL packages. - </para> - </listitem> - <listitem> - <para> - The <literal>mysql57</literal> package has a new <literal>static</literal> output containing - the static libraries including <literal>libmysqld.a</literal> - </para> - </listitem> - </itemizedlist> - </para> - </listitem> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> - <listitem> + <itemizedlist> + <listitem> <para> - The GNOME version is now 3.26. + End of support is planned for end of October 2018, handing over to 18.09. </para> - </listitem> - - <listitem> - <para>PHP now defaults to PHP 7.2</para> - </listitem> -</itemizedlist> + </listitem> + <listitem> + <para> + Platform support: x86_64-linux and x86_64-darwin since release time (the + latter isn't NixOS, really). Binaries for aarch64-linux are available, but + no channel exists yet, as it's waiting for some test fixes, etc. + </para> + </listitem> + <listitem> + <para> + Nix now defaults to 2.0; see its + <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.0">release + notes</link>. + </para> + </listitem> + <listitem> + <para> + Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> + 7, systemd: 234 -> 237. + </para> + </listitem> + <listitem> + <para> + Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 + -> 5.12. + </para> + </listitem> + <listitem> + <para> + MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. + While upgrading a few changes have been made to the infrastructure + involved: + <itemizedlist> + <listitem> + <para> + <literal>libmysql</literal> has been deprecated, please use + <literal>mysql.connector-c</literal> instead, a compatibility passthru + has been added to the MySQL packages. + </para> + </listitem> + <listitem> + <para> + The <literal>mysql57</literal> package has a new + <literal>static</literal> output containing the static libraries + including <literal>libmysqld.a</literal> + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 7.2, updated from 7.1. + </para> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-18.03-new-services"> + <title>New Services</title> -<title>New Services</title> + <para> + The following new services were added since the last release: + </para> -<para>The following new services were added since the last release:</para> - -<itemizedlist> - <listitem> - <para></para> - </listitem> -</itemizedlist> + <itemizedlist> + <listitem> + <para> + <literal>./config/krb5/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./hardware/digitalbitbox.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./misc/label.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/ccache.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/criu.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/digitalbitbox/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/less.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/npm.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/plotinus.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/rootston.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/systemtap.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/sway.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/udevil.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/way-cooler.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/yabar.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/zsh/zsh-autoenv.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/borgbackup.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/crashplan-small-business.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/dleyna-renderer.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/dleyna-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/pipewire.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/gnome3/chrome-gnome-shell.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/gnome3/tracker-miners.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/fwupd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/interception-tools.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/u2f.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/usbmuxd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/mail/clamsmtp.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/mail/dkimproxy-out.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/mail/pfix-srsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/gitea.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/home-assistant.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/ihaskell.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/logkeys.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/novacomd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/osrm.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/plexpy.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/pykms.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/tzupdate.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/monitoring/fusion-inventory.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/monitoring/prometheus/exporters.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/beegfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/davfs2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/openafs/client.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/openafs/server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/ceph.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/aria2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/monero.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/nghttpx/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/nixops-dns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/rxe.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/stunnel.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/matomo.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/restya-board.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-servers/mighttpd2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/x11/fractalart.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./system/boot/binfmt.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./system/boot/grow-partition.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./tasks/filesystems/ecryptfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./virtualisation/hyperv-guest.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-18.03-incompatibilities"> + <title>Backward Incompatibilities</title> -<title>Backward Incompatibilities</title> - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes:</para> - -<itemizedlist> - <listitem> - <para> - <literal>sound.enable</literal> now defaults to false. - </para> - </listitem> - <listitem> - <para> - Dollar signs in options under <option>services.postfix</option> are - passed verbatim to Postfix, which will interpret them as the beginning of - a parameter expression. This was already true for string-valued options - in the previous release, but not for list-valued options. If you need to - pass literal dollar signs through Postfix, double them. - </para> - </listitem> - <listitem> - <para> - The <literal>postage</literal> package (for web-based PostgreSQL - administration) has been renamed to <literal>pgmanage</literal>. The - corresponding module has also been renamed. To migrate please rename all - <option>services.postage</option> options to - <option>services.pgmanage</option>. - </para> - </listitem> - <listitem> - <para> - Package attributes starting with a digit have been prefixed with an - underscore sign. This is to avoid quoting in the configuration and - other issues with command-line tools like <literal>nix-env</literal>. - The change affects the following packages: - <itemizedlist> - <listitem> - <para><literal>2048-in-terminal</literal> → <literal>_2048-in-terminal</literal></para> - </listitem> - <listitem> - <para><literal>90secondportraits</literal> → <literal>_90secondportraits</literal></para> - </listitem> - <listitem> - <para><literal>2bwm</literal> → <literal>_2bwm</literal></para> - </listitem> - <listitem> - <para><literal>389-ds-base</literal> → <literal>_389-ds-base</literal></para> - </listitem> - </itemizedlist> - </para> - </listitem> - <listitem> - <para> - <emphasis role="strong"> - The OpenSSH service no longer enables support for DSA keys by default, - which could cause a system lock out. Update your keys or, unfavorably, - re-enable DSA support manually. - </emphasis> - </para> + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> + <itemizedlist> + <listitem> <para> - DSA support was - <link xlink:href="https://www.openssh.com/legacy.html">deprecated in OpenSSH 7.0</link>, - due to it being too weak. To re-enable support, add - <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your - <option>services.openssh.extraConfig</option>. + <literal>sound.enable</literal> now defaults to false. </para> - + </listitem> + <listitem> <para> - After updating the keys to be stronger, anyone still on a pre-17.03 - version is safe to jump to 17.03, as vetted - <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>. + Dollar signs in options under <option>services.postfix</option> are passed + verbatim to Postfix, which will interpret them as the beginning of a + parameter expression. This was already true for string-valued options in + the previous release, but not for list-valued options. If you need to pass + literal dollar signs through Postfix, double them. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>openssh</literal> package - now includes Kerberos support by default; - the <literal>openssh_with_kerberos</literal> package - is now a deprecated alias. - If you do not want Kerberos support, - you can do <literal>openssh.override { withKerboros = false; }</literal>. - Note, this also applies to the <literal>openssh_hpn</literal> package. + The <literal>postage</literal> package (for web-based PostgreSQL + administration) has been renamed to <literal>pgmanage</literal>. The + corresponding module has also been renamed. To migrate please rename all + <option>services.postage</option> options to + <option>services.pgmanage</option>. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>cc-wrapper</literal> has been split in two; there is now also a <literal>bintools-wrapper</literal>. - The most commonly used files in <filename>nix-support</filename> are now split between the two wrappers. - Some commonly used ones, like <filename>nix-support/dynamic-linker</filename>, are duplicated for backwards compatability, even though they rightly belong only in <literal>bintools-wrapper</literal>. - Other more obscure ones are just moved. + Package attributes starting with a digit have been prefixed with an + underscore sign. This is to avoid quoting in the configuration and other + issues with command-line tools like <literal>nix-env</literal>. The change + affects the following packages: + <itemizedlist> + <listitem> + <para> + <literal>2048-in-terminal</literal> → + <literal>_2048-in-terminal</literal> + </para> + </listitem> + <listitem> + <para> + <literal>90secondportraits</literal> → + <literal>_90secondportraits</literal> + </para> + </listitem> + <listitem> + <para> + <literal>2bwm</literal> → <literal>_2bwm</literal> + </para> + </listitem> + <listitem> + <para> + <literal>389-ds-base</literal> → <literal>_389-ds-base</literal> + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + <listitem> + <para> + <emphasis role="strong"> The OpenSSH service no longer enables support for + DSA keys by default, which could cause a system lock out. Update your keys + or, unfavorably, re-enable DSA support manually. </emphasis> + </para> + <para> + DSA support was + <link xlink:href="https://www.openssh.com/legacy.html">deprecated in + OpenSSH 7.0</link>, due to it being too weak. To re-enable support, add + <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your + <option>services.openssh.extraConfig</option>. + </para> + <para> + After updating the keys to be stronger, anyone still on a pre-17.03 + version is safe to jump to 17.03, as vetted + <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>openssh</literal> package now includes Kerberos support by + default; the <literal>openssh_with_kerberos</literal> package is now a + deprecated alias. If you do not want Kerberos support, you can do + <literal>openssh.override { withKerberos = false; }</literal>. Note, this + also applies to the <literal>openssh_hpn</literal> package. + </para> + </listitem> + <listitem> + <para> + <literal>cc-wrapper</literal> has been split in two; there is now also a + <literal>bintools-wrapper</literal>. The most commonly used files in + <filename>nix-support</filename> are now split between the two wrappers. + Some commonly used ones, like + <filename>nix-support/dynamic-linker</filename>, are duplicated for + backwards compatability, even though they rightly belong only in + <literal>bintools-wrapper</literal>. Other more obscure ones are just + moved. + </para> + </listitem> + <listitem> + <para> + The propagation logic has been changed. The new logic, along with new + types of dependencies that go with, is thoroughly documented in the + "Specifying dependencies" section of the "Standard Environment" chapter of + the nixpkgs manual. +<!-- That's <xref linkend="ssec-stdenv-attributes"> were we to merge the manuals. --> + The old logic isn't but is easy to describe: dependencies were propagated + as the same type of dependency no matter what. In practice, that means + that many <function>propagatedNativeBuildInputs</function> should instead + be <function>propagatedBuildInputs</function>. Thankfully, that was and is + the least used type of dependency. Also, it means that some + <function>propagatedBuildInputs</function> should instead be + <function>depsTargetTargetPropagated</function>. Other types dependencies + should be unaffected. + </para> + </listitem> + <listitem> + <para> + <literal>lib.addPassthru drv passthru</literal> is removed. Use + <literal>lib.extendDerivation true passthru drv</literal> instead. + </para> + </listitem> + <listitem> + <para> + The <literal>memcached</literal> service no longer accept dynamic socket + paths via <option>services.memcached.socket</option>. Unix sockets can be + still enabled by <option>services.memcached.enableUnixSocket</option> and + will be accessible at <literal>/run/memcached/memcached.sock</literal>. + </para> + </listitem> + <listitem> + <para> + The <varname>hardware.amdHybridGraphics.disable</varname> option was + removed for lack of a maintainer. If you still need this module, you may + wish to include a copy of it from an older version of nixos in your + imports. + </para> + </listitem> + <listitem> + <para> + The merging of config options for + <varname>services.postfix.config</varname> was buggy. Previously, if other + options in the Postfix module like + <varname>services.postfix.useSrs</varname> were set and the user set + config options that were also set by such options, the resulting config + wouldn't include all options that were needed. They are now merged + correctly. If config options need to be overridden, + <literal>lib.mkForce</literal> or <literal>lib.mkOverride</literal> can be + used. + </para> + </listitem> + <listitem> + <para> + The following changes apply if the <literal>stateVersion</literal> is + changed to 18.03 or higher. For <literal>stateVersion = "17.09"</literal> + or lower the old behavior is preserved. </para> - </listitem> - <listitem> + <itemizedlist> + <listitem> + <para> + <literal>matrix-synapse</literal> uses postgresql by default instead of + sqlite. Migration instructions can be found + <link xlink:href="https://github.com/matrix-org/synapse/blob/master/docs/postgres.rst#porting-from-sqlite"> + here </link>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> <para> - The propagation logic has been changed. - The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. - <!-- That's <xref linkend="ssec-stdenv-attributes"> were we to merge the manuals. --> - The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. - In practice, that means that many <function>propagatedNativeBuildInputs</function> should instead be <function>propagatedBuildInputs</function>. - Thankfully, that was and is the least used type of dependency. - Also, it means that some <function>propagatedBuildInputs</function> should instead be <function>depsTargetTargetPropagated</function>. - Other types dependencies should be unaffected. + The <literal>jid</literal> package has been removed, due to maintenance + overhead of a go package having non-versioned dependencies. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - <literal>lib.addPassthru drv passthru</literal> is removed. Use <literal>lib.extendDerivation true passthru drv</literal> instead. <emphasis role="strong">TODO: actually remove it before branching 18.03 off.</emphasis> + When using <option>services.xserver.libinput</option> (enabled by default + in GNOME), it now handles all input devices, not just touchpads. As a + result, you might need to re-evaluate any custom Xorg configuration. In + particular, <literal>Option "XkbRules" "base"</literal> may result in + broken keyboard layout. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <literal>memcached</literal> service no longer accept dynamic socket - paths via <option>services.memcached.socket</option>. Unix sockets can be - still enabled by <option>services.memcached.enableUnixSocket</option> and - will be accessible at <literal>/run/memcached/memcached.sock</literal>. + The <literal>attic</literal> package was removed. A maintained fork called + <link xlink:href="https://www.borgbackup.org/">Borg</link> should be used + instead. Migration instructions can be found + <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The <varname>hardware.amdHybridGraphics.disable</varname> option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports. + The Piwik analytics software was renamed to Matomo: + <itemizedlist> + <listitem> + <para> + The package <literal>pkgs.piwik</literal> was renamed to + <literal>pkgs.matomo</literal>. + </para> + </listitem> + <listitem> + <para> + The service <literal>services.piwik</literal> was renamed to + <literal>services.matomo</literal>. + </para> + </listitem> + <listitem> + <para> + The data directory <filename>/var/lib/piwik</filename> was renamed to + <filename>/var/lib/matomo</filename>. All files will be moved + automatically on first startup, but you might need to adjust your + backup scripts. + </para> + </listitem> + <listitem> + <para> + The default <option>serverName</option> for the nginx configuration + changed from <literal>piwik.${config.networking.hostName}</literal> to + <literal>matomo.${config.networking.hostName}.${config.networking.domain}</literal> + if <option>config.networking.domain</option> is set, + <literal>matomo.${config.networking.hostName}</literal> if it is not + set. If you change your <option>serverName</option>, remember you'll + need to update the <literal>trustedHosts[]</literal> array in + <filename>/var/lib/matomo/config/config.ini.php</filename> as well. + </para> + </listitem> + <listitem> + <para> + The <literal>piwik</literal> user was renamed to + <literal>matomo</literal>. The service will adjust ownership + automatically for files in the data directory. If you use unix socket + authentication, remember to give the new <literal>matomo</literal> user + access to the database and to change the <literal>username</literal> to + <literal>matomo</literal> in the <literal>[database]</literal> section + of <filename>/var/lib/matomo/config/config.ini.php</filename>. + </para> + </listitem> + <listitem> + <para> + If you named your database `piwik`, you might want to rename it to + `matomo` to keep things clean, but this is neither enforced nor + required. + </para> + </listitem> + </itemizedlist> </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The merging of config options for <varname>services.postfix.config</varname> - was buggy. Previously, if other options in the Postfix module like - <varname>services.postfix.useSrs</varname> were set and the user set config - options that were also set by such options, the resulting config wouldn't - include all options that were needed. They are now merged correctly. If - config options need to be overridden, <literal>lib.mkForce</literal> or - <literal>lib.mkOverride</literal> can be used. + <literal>nodejs-4_x</literal> is end-of-life. + <literal>nodejs-4_x</literal>, <literal>nodejs-slim-4_x</literal> and + <literal>nodePackages_4_x</literal> are removed. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The following changes apply if the <literal>stateVersion</literal> is changed to 18.03 or higher. - For <literal>stateVersion = "17.09"</literal> or lower the old behavior is preserved. + The <literal>pump.io</literal> NixOS module was removed. It is now + maintained as an + <link xlink:href="https://github.com/rvl/pump.io-nixos">external + module</link>. </para> - <itemizedlist> + </listitem> + <listitem> + <para> + The Prosody XMPP server has received a major update. The following modules + were renamed: + <itemizedlist> <listitem> - <para> - <literal>matrix-synapse</literal> uses postgresql by default instead of sqlite. - Migration instructions can be found <link xlink:href="https://github.com/matrix-org/synapse/blob/master/docs/postgres.rst#porting-from-sqlite"> here </link>. - </para> + <para> + <option>services.prosody.modules.httpserver</option> is now + <option>services.prosody.modules.http_files</option> + </para> </listitem> - </itemizedlist> - </listitem> - <listitem> - <para> - The <literal>jid</literal> package has been removed, due to maintenance - overhead of a go package having non-versioned dependencies. - </para> - </listitem> - <listitem> - <para> - When using <option>services.xserver.libinput</option> (enabled by default in GNOME), - it now handles all input devices, not just touchpads. As a result, you might need to - re-evaluate any custom Xorg configuration. In particular, - <literal>Option "XkbRules" "base"</literal> may result in broken keyboard layout. - </para> - </listitem> - <listitem> - <para> - The <literal>attic</literal> package was removed. A maintained fork called - <link xlink:href="https://www.borgbackup.org/">Borg</link> should be used instead. - Migration instructions can be found - <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>. - </para> - </listitem> - <listitem> - <para> - The Piwik analytics software was renamed to Matomo: - <itemizedlist> - <listitem> - <para>The package <literal>pkgs.piwik</literal> was renamed to <literal>pkgs.matomo</literal>.</para> - </listitem> - <listitem> - <para>The service <literal>services.piwik</literal> was renamed to <literal>services.matomo</literal>.</para> - </listitem> - <listitem> - <para> - The data directory <filename>/var/lib/piwik</filename> was renamed to <filename>/var/lib/matomo</filename>. - All files will be moved automatically on first startup, but you might need to adjust your backup scripts. - </para> - </listitem> - <listitem> - <para> - The default <option>serverName</option> for the nginx configuration changed from - <literal>piwik.${config.networking.hostName}</literal> to - <literal>matomo.${config.networking.hostName}.${config.networking.domain}</literal> - if <option>config.networking.domain</option> is set, - <literal>matomo.${config.networking.hostName}</literal> if it is not set. - If you change your <option>serverName</option>, remember you'll need to update the - <literal>trustedHosts[]</literal> array in <filename>/var/lib/matomo/config/config.ini.php</filename> - as well. - </para> - </listitem> - <listitem> - <para> - The <literal>piwik</literal> user was renamed to <literal>matomo</literal>. - The service will adjust ownership automatically for files in the data directory. - If you use unix socket authentication, remember to give the new <literal>matomo</literal> user - access to the database and to change the <literal>username</literal> to <literal>matomo</literal> - in the <literal>[database]</literal> section of <filename>/var/lib/matomo/config/config.ini.php</filename>. - </para> - </listitem> - <listitem> - <para> - If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean, - but this is neither enforced nor required. - </para> - </listitem> - </itemizedlist> - </para> - </listitem> - <listitem> - <para> - <literal>nodejs-4_x</literal> is end-of-life. - <literal>nodejs-4_x</literal>, <literal>nodejs-slim-4_x</literal> and <literal>nodePackages_4_x</literal> are removed. - </para> - </listitem> -</itemizedlist> + <listitem> + <para> + <option>services.prosody.modules.console</option> is now + <option>services.prosody.modules.admin_telnet</option> + </para> + </listitem> + </itemizedlist> + </para> + <para> + Many new modules are now core modules, most notably + <option>services.prosody.modules.carbons</option> and + <option>services.prosody.modules.mam</option>. + </para> + <para> + The better-performing <literal>libevent</literal> backend is now enabled + by default. + </para> + <para> + <literal>withCommunityModules</literal> now passes through the modules to + <option>services.prosody.extraModules</option>. Use + <literal>withOnlyInstalledCommunityModules</literal> for modules that + should not be enabled directly, e.g <literal>lib_ldap</literal>. + </para> + </listitem> + <listitem> + <para> + All prometheus exporter modules are now defined as submodules. The + exporters are configured using + <literal>services.prometheus.exporters</literal>. + </para> + </listitem> + </itemizedlist> + </section> -</section> -<section xmlns="http://docbook.org/ns/docbook" + <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-18.03-notable-changes"> + <title>Other Notable Changes</title> -<title>Other Notable Changes</title> - -<itemizedlist> - <listitem> - <para> - ZNC option <option>services.znc.mutable</option> now defaults to - <literal>true</literal>. That means that old configuration is not - overwritten by default when update to the znc options are made. - </para> - </listitem> - <listitem> - <para> - The option <option>networking.wireless.networks.<name>.auth</option> - has been added for wireless networks with WPA-Enterprise authentication. - There is also a new <option>extraConfig</option> option to directly - configure <literal>wpa_supplicant</literal> and <option>hidden</option> - to connect to hidden networks. - </para> - </listitem> - <listitem> - <para> - In the module <option>networking.interfaces.<name></option> the - following options have been removed: - <itemizedlist> - <listitem> - <para><option>ipAddress</option></para> - </listitem> - <listitem> - <para><option>ipv6Address</option></para> - </listitem> - <listitem> - <para><option>prefixLength</option></para> - </listitem> - <listitem> - <para><option>ipv6PrefixLength</option></para> - </listitem> - <listitem> - <para><option>subnetMask</option></para> - </listitem> - </itemizedlist> - To assign static addresses to an interface the options - <option>ipv4.addresses</option> and <option>ipv6.addresses</option> - should be used instead. - The options <option>ip4</option> and <option>ip6</option> have been - renamed to <option>ipv4.addresses</option> <option>ipv6.addresses</option> - respectively. - The new options <option>ipv4.routes</option> and <option>ipv6.routes</option> - have been added to set up static routing. - </para> - </listitem> - <listitem> - <para> - The option <option>services.xserver.desktopManager.default</option> is now - <literal>none</literal> by default. An assertion failure is thrown if WM's - and DM's default are <literal>none</literal>. - To explicitly run a plain X session without and DM or WM, the newly - introduced option <option>services.xserver.plainX</option> must be set to true. - </para> - </listitem> - <listitem> - <para> - The option <option>services.logstash.listenAddress</option> is now <literal>127.0.0.1</literal> by default. - Previously the default behaviour was to listen on all interfaces. - </para> - </listitem> - <listitem> - <para> - <literal>services.btrfs.autoScrub</literal> has been added, to - periodically check btrfs filesystems for data corruption. - If there's a correct copy available, it will automatically repair - corrupted blocks. - </para> - </listitem> - <listitem> - <para> - <literal>displayManager.lightdm.greeters.gtk.clock-format.</literal> - has been added, the clock format string (as expected by - strftime, e.g. <literal>%H:%M</literal>) to use with the lightdm - gtk greeter panel. - </para> - <para> - If set to null the default clock format is used. - </para> - </listitem> - <listitem> - <para> - <literal>displayManager.lightdm.greeters.gtk.indicators</literal> - has been added, a list of allowed indicator modules to use with - the lightdm gtk greeter panel. - </para> - <para> - Built-in indicators include <literal>~a11y</literal>, - <literal>~language</literal>, <literal>~session</literal>, - <literal>~power</literal>, <literal>~clock</literal>, - <literal>~host</literal>, <literal>~spacer</literal>. Unity - indicators can be represented by short name - (e.g. <literal>sound</literal>, <literal>power</literal>), - service file name, or absolute path. - </para> - <para> - If set to <literal>null</literal> the default indicators are - used. - </para> - <para> - In order to have the previous default configuration add + <itemizedlist> + <listitem> + <para> + ZNC option <option>services.znc.mutable</option> now defaults to + <literal>true</literal>. That means that old configuration is not + overwritten by default when update to the znc options are made. + </para> + </listitem> + <listitem> + <para> + The option <option>networking.wireless.networks.<name>.auth</option> + has been added for wireless networks with WPA-Enterprise authentication. + There is also a new <option>extraConfig</option> option to directly + configure <literal>wpa_supplicant</literal> and <option>hidden</option> to + connect to hidden networks. + </para> + </listitem> + <listitem> + <para> + In the module <option>networking.interfaces.<name></option> the + following options have been removed: + <itemizedlist> + <listitem> + <para> + <option>ipAddress</option> + </para> + </listitem> + <listitem> + <para> + <option>ipv6Address</option> + </para> + </listitem> + <listitem> + <para> + <option>prefixLength</option> + </para> + </listitem> + <listitem> + <para> + <option>ipv6PrefixLength</option> + </para> + </listitem> + <listitem> + <para> + <option>subnetMask</option> + </para> + </listitem> + </itemizedlist> + To assign static addresses to an interface the options + <option>ipv4.addresses</option> and <option>ipv6.addresses</option> should + be used instead. The options <option>ip4</option> and <option>ip6</option> + have been renamed to <option>ipv4.addresses</option> + <option>ipv6.addresses</option> respectively. The new options + <option>ipv4.routes</option> and <option>ipv6.routes</option> have been + added to set up static routing. + </para> + </listitem> + <listitem> + <para> + The option <option>services.logstash.listenAddress</option> is now + <literal>127.0.0.1</literal> by default. Previously the default behaviour + was to listen on all interfaces. + </para> + </listitem> + <listitem> + <para> + <literal>services.btrfs.autoScrub</literal> has been added, to + periodically check btrfs filesystems for data corruption. If there's a + correct copy available, it will automatically repair corrupted blocks. + </para> + </listitem> + <listitem> + <para> + <literal>displayManager.lightdm.greeters.gtk.clock-format.</literal> has + been added, the clock format string (as expected by strftime, e.g. + <literal>%H:%M</literal>) to use with the lightdm gtk greeter panel. + </para> + <para> + If set to null the default clock format is used. + </para> + </listitem> + <listitem> + <para> + <literal>displayManager.lightdm.greeters.gtk.indicators</literal> has been + added, a list of allowed indicator modules to use with the lightdm gtk + greeter panel. + </para> + <para> + Built-in indicators include <literal>~a11y</literal>, + <literal>~language</literal>, <literal>~session</literal>, + <literal>~power</literal>, <literal>~clock</literal>, + <literal>~host</literal>, <literal>~spacer</literal>. Unity indicators can + be represented by short name (e.g. <literal>sound</literal>, + <literal>power</literal>), service file name, or absolute path. + </para> + <para> + If set to <literal>null</literal> the default indicators are used. + </para> + <para> + In order to have the previous default configuration add <programlisting> services.xserver.displayManager.lightdm.greeters.gtk.indicators = [ "~host" "~spacer" @@ -420,24 +829,27 @@ following incompatible changes:</para> "~power" ]; </programlisting> - to your <literal>configuration.nix</literal>. + to your <literal>configuration.nix</literal>. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - The NixOS test driver supports user services declared by <literal>systemd.user.services</literal>. - The methods <literal>waitForUnit</literal>, <literal>getUnitInfo</literal>, <literal>startJob</literal> - and <literal>stopJob</literal> provide an optional <literal>$user</literal> argument for that purpose. + The NixOS test driver supports user services declared by + <literal>systemd.user.services</literal>. The methods + <literal>waitForUnit</literal>, <literal>getUnitInfo</literal>, + <literal>startJob</literal> and <literal>stopJob</literal> provide an + optional <literal>$user</literal> argument for that purpose. </para> - </listitem> - <listitem> + </listitem> + <listitem> <para> - Enabling bash completion on NixOS, <literal>programs.bash.enableCompletion</literal>, will now also enable - completion for the Nix command line tools by installing the - <link xlink:href="https://github.com/hedning/nix-bash-completions">nix-bash-completions</link> package. + Enabling bash completion on NixOS, + <literal>programs.bash.enableCompletion</literal>, will now also enable + completion for the Nix command line tools by installing the + <link xlink:href="https://github.com/hedning/nix-bash-completions">nix-bash-completions</link> + package. </para> - </listitem> -</itemizedlist> - -</section> + </listitem> + </itemizedlist> + </section> </section> diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml new file mode 100644 index 000000000000..2fd7b7709797 --- /dev/null +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -0,0 +1,167 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09"> + <title>Release 18.09 (“Jellyfish”, 2018/09/??)</title> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-highlights"> + <title>Highlights</title> + + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> + + <itemizedlist> + <listitem> + <para> + User channels are now in the default <literal>NIX_PATH</literal>, allowing + users to use their personal <command>nix-channel</command> defined + channels in <command>nix-build</command> and <command>nix-shell</command> + commands, as well as in imports like <code>import + <mychannel></code>. + </para> + <para> + For example + </para> +<programlisting> +$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable +$ nix-channel --update +$ nix-build '<nixpkgsunstable>' -A gitFull +$ nix run -f '<nixpkgsunstable>' gitFull +$ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' +</programlisting> + </listitem> + </itemizedlist> + </section> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-new-services"> + <title>New Services</title> + + <para> + The following new services were added since the last release: + </para> + + <itemizedlist> + <listitem> + <para></para> + </listitem> + </itemizedlist> + </section> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-incompatibilities"> + <title>Backward Incompatibilities</title> + + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> + + <itemizedlist> + <listitem> + <para> + <literal>lib.strict</literal> is removed. Use + <literal>builtins.seq</literal> instead. + </para> + </listitem> + <listitem> + <para> + The <literal>clementine</literal> package points now to the free + derivation. <literal>clementineFree</literal> is removed now and + <literal>clementineUnfree</literal> points to the package which is bundled + with the unfree <literal>libspotify</literal> package. + </para> + </listitem> + <listitem> + <para> + The <literal>netcat</literal> package is now taken directly from OpenBSD's + <literal>libressl</literal>, instead of relying on Debian's fork. The new + version should be very close to the old version, but there are some minor + differences. Importantly, flags like -b, -q, -C, and -Z are no longer + accepted by the nc command. + </para> + </listitem> + <listitem> + <para> + The <varname>services.docker-registry.extraConfig</varname> object doesn't contain + environment variables anymore. Instead it needs to provide an object structure + that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the <varname>docker/distribution</varname> docs</link>. + </para> + </listitem> + </itemizedlist> + </section> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-18.09-notable-changes"> + <title>Other Notable Changes</title> + + <itemizedlist> + <listitem> + <para> + <literal>lib.attrNamesToStr</literal> has been deprecated. Use more + specific concatenation (<literal>lib.concat(Map)StringsSep</literal>) + instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.addErrorContextToAttrs</literal> has been deprecated. Use + <literal>builtins.addErrorContext</literal> directly. + </para> + </listitem> + <listitem> + <para> + <literal>lib.showVal</literal> has been deprecated. Use + <literal>lib.traceSeqN</literal> instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceXMLVal</literal> has been deprecated. Use + <literal>lib.traceValFn builtins.toXml</literal> instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceXMLValMarked</literal> has been deprecated. Use + <literal>lib.traceValFn (x: str + builtins.toXML x)</literal> instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceValIfNot</literal> has been deprecated. Use + <literal>if/then/else</literal> and <literal>lib.traceValSeq</literal> + instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceCallXml</literal> has been deprecated. Please complain + if you use the function regularly. + </para> + <para> + The attribute <literal>lib.nixpkgsVersion</literal> has been deprecated in + favor of <literal>lib.version</literal>. Please refer to the discussion in + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745">NixOS/nixpkgs#39416</link> + for further reference. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/shell.nix b/nixos/doc/manual/shell.nix new file mode 100644 index 000000000000..7f8422b4ec11 --- /dev/null +++ b/nixos/doc/manual/shell.nix @@ -0,0 +1,8 @@ +let + pkgs = import ../../.. { }; +in +pkgs.mkShell { + name = "nixos-manual"; + + buildInputs = with pkgs; [ xmlformat jing xmloscopy ]; +} diff --git a/nixos/doc/manual/style.css b/nixos/doc/manual/style.css deleted file mode 100644 index 3118b37ead1f..000000000000 --- a/nixos/doc/manual/style.css +++ /dev/null @@ -1,267 +0,0 @@ -/* Copied from http://bakefile.sourceforge.net/, which appears - licensed under the GNU GPL. */ - - -/*************************************************************************** - Basic headers and text: - ***************************************************************************/ - -body -{ - font-family: "Nimbus Sans L", sans-serif; - background: white; - margin: 2em 1em 2em 1em; -} - -h1, h2, h3, h4 -{ - color: #005aa0; -} - -h1 /* title */ -{ - font-size: 200%; -} - -h2 /* chapters, appendices, subtitle */ -{ - font-size: 180%; -} - -/* Extra space between chapters, appendices. */ -div.chapter > div.titlepage h2, div.appendix > div.titlepage h2 -{ - margin-top: 1.5em; -} - -div.section > div.titlepage h2 /* sections */ -{ - font-size: 150%; - margin-top: 1.5em; -} - -h3 /* subsections */ -{ - font-size: 125%; -} - -div.simplesect h2 -{ - font-size: 110%; -} - -div.appendix h3 -{ - font-size: 150%; - margin-top: 1.5em; -} - -div.refnamediv h2, div.refsynopsisdiv h2, div.refsection h2 /* refentry parts */ -{ - margin-top: 1.4em; - font-size: 125%; -} - -div.refsection h3 -{ - font-size: 110%; -} - - -/*************************************************************************** - Examples: - ***************************************************************************/ - -div.example -{ - border: 1px solid #b0b0b0; - padding: 6px 6px; - margin-left: 1.5em; - margin-right: 1.5em; - background: #f4f4f8; - border-radius: 0.4em; - box-shadow: 0.4em 0.4em 0.5em #e0e0e0; -} - -div.example p.title -{ - margin-top: 0em; -} - -div.example pre -{ - box-shadow: none; -} - - -/*************************************************************************** - Screen dumps: - ***************************************************************************/ - -pre.screen, pre.programlisting -{ - border: 1px solid #b0b0b0; - padding: 3px 3px; - margin-left: 1.5em; - margin-right: 1.5em; - color: #600000; - background: #f4f4f8; - font-family: monospace; - border-radius: 0.4em; - box-shadow: 0.4em 0.4em 0.5em #e0e0e0; -} - -div.example pre.programlisting -{ - border: 0px; - padding: 0 0; - margin: 0 0 0 0; -} - - -/*************************************************************************** - Notes, warnings etc: - ***************************************************************************/ - -.note, .warning -{ - border: 1px solid #b0b0b0; - padding: 3px 3px; - margin-left: 1.5em; - margin-right: 1.5em; - margin-bottom: 1em; - padding: 0.3em 0.3em 0.3em 0.3em; - background: #fffff5; - border-radius: 0.4em; - box-shadow: 0.4em 0.4em 0.5em #e0e0e0; -} - -div.note, div.warning -{ - font-style: italic; -} - -div.note h3, div.warning h3 -{ - color: red; - font-size: 100%; - padding-right: 0.5em; - display: inline; -} - -div.note p, div.warning p -{ - margin-bottom: 0em; -} - -div.note h3 + p, div.warning h3 + p -{ - display: inline; -} - -div.note h3 -{ - color: blue; - font-size: 100%; -} - -div.navfooter * -{ - font-size: 90%; -} - - -/*************************************************************************** - Links colors and highlighting: - ***************************************************************************/ - -a { text-decoration: none; } -a:hover { text-decoration: underline; } -a:link { color: #0048b3; } -a:visited { color: #002a6a; } - - -/*************************************************************************** - Table of contents: - ***************************************************************************/ - -div.toc -{ - font-size: 90%; -} - -div.toc dl -{ - margin-top: 0em; - margin-bottom: 0em; -} - - -/*************************************************************************** - Special elements: - ***************************************************************************/ - -tt, code -{ - color: #400000; -} - -.term -{ - font-weight: bold; - -} - -div.variablelist dd p, div.glosslist dd p -{ - margin-top: 0em; -} - -div.variablelist dd, div.glosslist dd -{ - margin-left: 1.5em; -} - -div.glosslist dt -{ - font-style: italic; -} - -.varname -{ - color: #400000; -} - -span.command strong -{ - font-weight: normal; - color: #400000; -} - -div.calloutlist table -{ - box-shadow: none; -} - -table -{ - border-collapse: collapse; - box-shadow: 0.4em 0.4em 0.5em #e0e0e0; -} - -table.simplelist -{ - text-align: left; - color: #005aa0; - border: 0; - padding: 5px; - background: #fffff5; - font-weight: normal; - font-style: italic; - box-shadow: none; - margin-bottom: 1em; -} - -div.navheader table, div.navfooter table { - box-shadow: none; -} diff --git a/nixos/doc/xmlformat.conf b/nixos/doc/xmlformat.conf new file mode 100644 index 000000000000..50255857b24a --- /dev/null +++ b/nixos/doc/xmlformat.conf @@ -0,0 +1,72 @@ +# +# DocBook Configuration file for "xmlformat" +# see http://www.kitebird.com/software/xmlformat/ +# 10 Sept. 2004 +# + +# Only block elements +ackno address appendix article biblioentry bibliography bibliomixed \ +biblioset blockquote book bridgehead callout calloutlist caption caution \ +chapter chapterinfo classsynopsis cmdsynopsis colophon constraintdef \ +constructorsynopsis dedication destructorsynopsis entry epigraph equation example \ +figure formalpara funcsynopsis glossary glossdef glossdiv glossentry glosslist \ +glosssee glossseealso graphic graphicco highlights imageobjectco important \ +index indexdiv indexentry indexinfo info informalequation informalexample \ +informalfigure informaltable legalnotice literallayout lot lotentry mediaobject \ +mediaobjectco msgmain msgset note orderedlist para part preface primaryie \ +procedure qandadiv qandaentry qandaset refentry refentrytitle reference \ +refnamediv refsect1 refsect2 refsect3 refsection revhistory screenshot sect1 \ +sect2 sect3 sect4 sect5 section seglistitem set setindex sidebar simpara \ +simplesect step substeps synopfragment synopsis table term title \ +toc variablelist varlistentry warning itemizedlist listitem \ +footnote colspec partintro row simplelist subtitle tbody tgroup thead tip + format block + normalize no + + +#appendix bibliography chapter glossary preface reference +# element-break 3 + +sect1 section + element-break 2 + + +# +para abstract + format block + entry-break 1 + exit-break 1 + normalize yes + wrap-length 79 + +title + format block + normalize = yes + entry-break = 0 + exit-break = 0 + +# Inline elements +abbrev accel acronym action application citation citebiblioid citerefentry citetitle \ +classname co code command computeroutput constant country database date email emphasis \ +envar errorcode errorname errortext errortype exceptionname fax filename \ +firstname firstterm footnoteref foreignphrase funcdef funcparams function \ +glossterm group guibutton guiicon guilabel guimenu guimenuitem guisubmenu \ +hardware holder honorific indexterm inlineequation inlinegraphic inlinemediaobject \ +interface interfacename \ +keycap keycode keycombo keysym lineage link literal manvolnum markup medialabel \ +menuchoice methodname methodparam modifier mousebutton olink ooclass ooexception \ +oointerface option optional otheraddr othername package paramdef parameter personname \ +phrase pob postcode productname prompt property quote refpurpose replaceable \ +returnvalue revnumber sgmltag state street structfield structname subscript \ +superscript surname symbol systemitem token trademark type ulink userinput \ +uri varargs varname void wordasword xref year mathphrase member tag + format inline + +programlisting screen + format verbatim + entry-break = 0 + exit-break = 0 + + +#term +# format inline diff --git a/nixos/lib/eval-config.nix b/nixos/lib/eval-config.nix index 2e7971cca810..97c79487df4c 100644 --- a/nixos/lib/eval-config.nix +++ b/nixos/lib/eval-config.nix @@ -26,7 +26,7 @@ , lib ? import ../../lib }: -let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system; +let extraArgs_ = extraArgs; pkgs_ = pkgs; extraModules = let e = builtins.getEnv "NIXOS_EXTRA_MODULE_PATH"; in if e == "" then [] else [(import (builtins.toPath e))]; in @@ -36,7 +36,7 @@ let _file = ./eval-config.nix; key = _file; config = { - nixpkgs.system = lib.mkDefault system_; + nixpkgs.localSystem = lib.mkDefault { inherit system; }; _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_); }; }; diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index b7a38760dd3a..ebfb09db7b7e 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -51,7 +51,7 @@ with lib; let format' = format; in let - format = if (format' == "qcow2-compressed") then "qcow2" else format'; + format = if format' == "qcow2-compressed" then "qcow2" else format'; compress = optionalString (format' == "qcow2-compressed") "-c"; @@ -84,6 +84,7 @@ let format' = format; in let nixpkgs = cleanSource pkgs.path; + # FIXME: merge with channel.nix / make-channel.nix. channelSources = pkgs.runCommand "nixos-${config.system.nixos.version}" {} '' mkdir -p $out cp -prd ${nixpkgs} $out/nixos @@ -95,13 +96,16 @@ let format' = format; in let echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix ''; - metaClosure = pkgs.writeText "meta" '' - ${config.system.build.toplevel} - ${config.nix.package.out} - ${channelSources} - ''; - - prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot config.system.build.nixos-prepare-root ] ++ stdenv.initialPath; + binPath = with pkgs; makeBinPath ( + [ rsync + utillinux + parted + e2fsprogs + lkl + config.system.build.nixos-install + config.system.build.nixos-enter + nix + ] ++ stdenv.initialPath); # I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate # image building logic. The comment right below this now appears in 4 different places in nixpkgs :) @@ -109,8 +113,10 @@ let format' = format; in let sources = map (x: x.source) contents; targets = map (x: x.target) contents; + closureInfo = pkgs.closureInfo { rootPaths = [ config.system.build.toplevel channelSources ]; }; + prepareImage = '' - export PATH=${makeBinPath prepareImageInputs} + export PATH=${binPath} # Yes, mkfs.ext4 takes different units in different contexts. Fun. sectorsToKilobytes() { @@ -168,11 +174,15 @@ let format' = format; in let fi done - # TODO: Nix really likes to chown things it creates to its current user... - fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure + export HOME=$TMPDIR + + # Provide a Nix database so that nixos-install can copy closures. + export NIX_STATE_DIR=$TMPDIR/state + nix-store --load-db < ${closureInfo}/registration - # fakeroot seems to always give the owner write permissions, which we do not want - find $root/nix/store -mindepth 1 -maxdepth 1 -type f -o -type d | xargs chmod -R a-w + echo "running nixos-install..." + nixos-install --root $root --no-bootloader --no-root-passwd \ + --system ${config.system.build.toplevel} --channel ${channelSources} --substituters "" echo "copying staging root to image..." cptofs -p ${optionalString (partitionTableType != "none") "-P ${rootPartition}"} -t ${fsType} -i $diskImage $root/* / @@ -181,7 +191,6 @@ in pkgs.vmTools.runInLinuxVM ( pkgs.runCommand name { preVM = prepareImage; buildInputs = with pkgs; [ utillinux e2fsprogs dosfstools ]; - exportReferencesGraph = [ "closure" metaClosure ]; postVM = '' ${if format == "raw" then '' mv $diskImage $out/${filename} @@ -194,6 +203,8 @@ in pkgs.vmTools.runInLinuxVM ( memSize = 1024; } '' + export PATH=${binPath}:$PATH + rootDisk=${if partitionTableType != "none" then "/dev/vda${rootPartition}" else "/dev/vda"} # Some tools assume these exist @@ -218,15 +229,8 @@ in pkgs.vmTools.runInLinuxVM ( cp ${configFile} /mnt/etc/nixos/configuration.nix ''} - mount --rbind /dev $mountPoint/dev - mount --rbind /proc $mountPoint/proc - mount --rbind /sys $mountPoint/sys - # Set up core system link, GRUB, etc. - NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint /nix/var/nix/profiles/system/bin/switch-to-configuration boot - - # TODO: figure out if I should activate, but for now I won't - # chroot $mountPoint /nix/var/nix/profiles/system/activate + NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root $mountPoint -- /nix/var/nix/profiles/system/bin/switch-to-configuration boot # The above scripts will generate a random machine-id and we don't want to bake a single ID into all our images rm -f $mountPoint/etc/machine-id diff --git a/nixos/lib/make-ext4-fs.nix b/nixos/lib/make-ext4-fs.nix index 21c69ed560a3..986d80ff1b99 100644 --- a/nixos/lib/make-ext4-fs.nix +++ b/nixos/lib/make-ext4-fs.nix @@ -7,23 +7,22 @@ , volumeLabel }: +let + sdClosureInfo = pkgs.closureInfo { rootPaths = storePaths; }; +in + pkgs.stdenv.mkDerivation { name = "ext4-fs.img"; nativeBuildInputs = with pkgs; [e2fsprogs libfaketime perl]; - # For obtaining the closure of `storePaths'. - exportReferencesGraph = - map (x: [("closure-" + baseNameOf x) x]) storePaths; - buildCommand = '' # Add the closures of the top-level store objects. - storePaths=$(perl ${pkgs.pathsFromGraph} closure-*) + storePaths=$(cat ${sdClosureInfo}/store-paths) - # Also include a manifest of the closures in a format suitable - # for nix-store --load-db. - printRegistration=1 perl ${pkgs.pathsFromGraph} closure-* > nix-path-registration + # Also include a manifest of the closures in a format suitable for nix-store --load-db. + cp ${sdClosureInfo}/registration nix-path-registration # Make a crude approximation of the size of the target image. # If the script starts failing, increase the fudge factors here. diff --git a/nixos/lib/make-iso9660-image.nix b/nixos/lib/make-iso9660-image.nix index 75be70dbcb2b..c6bafd48f9db 100644 --- a/nixos/lib/make-iso9660-image.nix +++ b/nixos/lib/make-iso9660-image.nix @@ -1,4 +1,4 @@ -{ stdenv, perl, pathsFromGraph, xorriso, syslinux +{ stdenv, perl, closureInfo, xorriso, syslinux , # The file name of the resulting ISO image. isoName ? "cd.iso" @@ -48,9 +48,9 @@ assert usbBootable -> isohybridMbrImage != ""; stdenv.mkDerivation { name = isoName; builder = ./make-iso9660-image.sh; - buildInputs = [perl xorriso syslinux]; + buildInputs = [ xorriso syslinux ]; - inherit isoName bootable bootImage compressImage volumeID pathsFromGraph efiBootImage efiBootable isohybridMbrImage usbBootable; + inherit isoName bootable bootImage compressImage volumeID efiBootImage efiBootable isohybridMbrImage usbBootable; # !!! should use XML. sources = map (x: x.source) contents; @@ -61,6 +61,5 @@ stdenv.mkDerivation { symlinks = map (x: x.symlink) storeContents; # For obtaining the closure of `storeContents'. - exportReferencesGraph = - map (x: [("closure-" + baseNameOf x.object) x.object]) storeContents; + closureInfo = closureInfo { rootPaths = map (x: x.object) storeContents; }; } diff --git a/nixos/lib/make-iso9660-image.sh b/nixos/lib/make-iso9660-image.sh index c623436f6c5b..45cdef1ef4df 100644 --- a/nixos/lib/make-iso9660-image.sh +++ b/nixos/lib/make-iso9660-image.sh @@ -72,16 +72,15 @@ done # Add the closures of the top-level store objects. -storePaths=$(perl $pathsFromGraph closure-*) -for i in $storePaths; do +for i in $(< $closureInfo/store-paths); do addPath "${i:1}" "$i" done # Also include a manifest of the closures in a format suitable for # nix-store --load-db. -if [ -n "$object" ]; then - printRegistration=1 perl $pathsFromGraph closure-* > nix-path-registration +if [[ ${#objects[*]} != 0 ]]; then + cp $closureInfo/registration nix-path-registration addPath "nix-path-registration" "nix-path-registration" fi diff --git a/nixos/lib/make-squashfs.nix b/nixos/lib/make-squashfs.nix index 9d47a3222cc2..7ab84e47f53b 100644 --- a/nixos/lib/make-squashfs.nix +++ b/nixos/lib/make-squashfs.nix @@ -1,4 +1,4 @@ -{ stdenv, squashfsTools, perl, pathsFromGraph +{ stdenv, squashfsTools, closureInfo , # The root directory of the squashfs filesystem is filled with the # closures of the Nix store paths listed here. @@ -8,50 +8,18 @@ stdenv.mkDerivation { name = "squashfs.img"; - nativeBuildInputs = [perl squashfsTools]; - - # For obtaining the closure of `storeContents'. - exportReferencesGraph = - map (x: [("closure-" + baseNameOf x) x]) storeContents; + nativeBuildInputs = [ squashfsTools ]; buildCommand = '' - # Add the closures of the top-level store objects. - storePaths=$(perl ${pathsFromGraph} closure-*) - - # If a Hydra slave happens to have store paths with bad permissions/mtime, - # abort now so that they don't end up in ISO images in the channel. - # https://github.com/NixOS/nixpkgs/issues/32242 - hasBadPaths="" - for path in $storePaths; do - if [ -h "$path" ]; then - continue - fi - - mtime=$(stat -c %Y "$path") - mode=$(stat -c %a "$path") - - if [ "$mtime" != 1 ]; then - echo "Store path '$path' has an invalid mtime." - hasBadPaths=1 - fi - if [ "$mode" != 444 ] && [ "$mode" != 555 ]; then - echo "Store path '$path' has invalid permissions ($mode)." - hasBadPaths=1 - fi - done - - if [ -n "$hasBadPaths" ]; then - echo "You have bad paths in your store, please fix them." - exit 1 - fi + closureInfo=${closureInfo { rootPaths = storeContents; }} # Also include a manifest of the closures in a format suitable # for nix-store --load-db. - printRegistration=1 perl ${pathsFromGraph} closure-* > nix-path-registration + cp $closureInfo/registration nix-path-registration # Generate the squashfs image. - mksquashfs nix-path-registration $storePaths $out \ + mksquashfs nix-path-registration $(cat $closureInfo/store-paths) $out \ -keep-as-directory -all-root -b 1048576 -comp xz -Xdict-size 100% ''; } diff --git a/nixos/lib/make-system-tarball.nix b/nixos/lib/make-system-tarball.nix index a2a0340a6bd3..92539235be75 100644 --- a/nixos/lib/make-system-tarball.nix +++ b/nixos/lib/make-system-tarball.nix @@ -1,4 +1,4 @@ -{ stdenv, perl, xz, pathsFromGraph +{ stdenv, perl, pixz, pathsFromGraph , # The file name of the resulting tarball fileName ? "nixos-system-${stdenv.system}" @@ -21,14 +21,20 @@ # Extra tar arguments , extraArgs ? "" + # Command used for compression +, compressCommand ? "pixz" + # Extension for the compressed tarball +, compressionExtension ? ".xz" + # extra inputs, like the compressor to use +, extraInputs ? [ pixz ] }: stdenv.mkDerivation { name = "tarball"; builder = ./make-system-tarball.sh; - buildInputs = [perl xz]; + buildInputs = [ perl ] ++ extraInputs; - inherit fileName pathsFromGraph extraArgs extraCommands; + inherit fileName pathsFromGraph extraArgs extraCommands compressCommand; # !!! should use XML. sources = map (x: x.source) contents; @@ -41,4 +47,6 @@ stdenv.mkDerivation { # For obtaining the closure of `storeContents'. exportReferencesGraph = map (x: [("closure-" + baseNameOf x.object) x.object]) storeContents; + + extension = compressionExtension; } diff --git a/nixos/lib/make-system-tarball.sh b/nixos/lib/make-system-tarball.sh index 73a009d8488a..1a52a284a257 100644 --- a/nixos/lib/make-system-tarball.sh +++ b/nixos/lib/make-system-tarball.sh @@ -1,5 +1,4 @@ source $stdenv/setup -set -x sources_=($sources) targets_=($targets) @@ -54,8 +53,8 @@ mkdir -p $out/tarball rm env-vars -tar --sort=name --mtime='@1' --owner=0 --group=0 --numeric-owner -cvJf $out/tarball/$fileName.tar.xz * $extraArgs +time tar --sort=name --mtime='@1' --owner=0 --group=0 --numeric-owner -c * $extraArgs | $compressCommand > $out/tarball/$fileName.tar${extension} mkdir -p $out/nix-support echo $system > $out/nix-support/system -echo "file system-tarball $out/tarball/$fileName.tar.xz" > $out/nix-support/hydra-build-products +echo "file system-tarball $out/tarball/$fileName.tar${extension}" > $out/nix-support/hydra-build-products diff --git a/nixos/lib/qemu-flags.nix b/nixos/lib/qemu-flags.nix index fcdcbf1b0077..e4c95ebdfb0d 100644 --- a/nixos/lib/qemu-flags.nix +++ b/nixos/lib/qemu-flags.nix @@ -9,7 +9,7 @@ ]; qemuSerialDevice = if pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64 then "ttyS0" - else if pkgs.stdenv.isArm || pkgs.stdenv.isAarch64 then "ttyAMA0" + else if pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64 then "ttyAMA0" else throw "Unknown QEMU serial device for system '${pkgs.stdenv.system}'"; qemuBinary = qemuPkg: { diff --git a/nixos/lib/test-driver/Machine.pm b/nixos/lib/test-driver/Machine.pm index 78598b3efb4b..b18f48464cee 100644 --- a/nixos/lib/test-driver/Machine.pm +++ b/nixos/lib/test-driver/Machine.pm @@ -33,9 +33,20 @@ sub new { $startCommand = "qemu-kvm -m 384 " . "-net nic,model=virtio \$QEMU_OPTS "; - my $iface = $args->{hdaInterface} || "virtio"; - $startCommand .= "-drive file=" . Cwd::abs_path($args->{hda}) . ",if=$iface,werror=report " - if defined $args->{hda}; + + if (defined $args->{hda}) { + if ($args->{hdaInterface} eq "scsi") { + $startCommand .= "-drive id=hda,file=" + . Cwd::abs_path($args->{hda}) + . ",werror=report,if=none " + . "-device scsi-hd,drive=hda "; + } else { + $startCommand .= "-drive file=" . Cwd::abs_path($args->{hda}) + . ",if=" . $args->{hdaInterface} + . ",werror=report "; + } + } + $startCommand .= "-cdrom $args->{cdrom} " if defined $args->{cdrom}; $startCommand .= "-device piix3-usb-uhci -drive id=usbdisk,file=$args->{usb},if=none,readonly -device usb-storage,drive=usbdisk " @@ -612,7 +623,7 @@ sub waitForX { my ($self, $regexp) = @_; $self->nest("waiting for the X11 server", sub { retry sub { - my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'session opened'"); + my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'Reached target Current graphical'"); return 0 if $status != 0; ($status, $out) = $self->execute("[ -e /tmp/.X11-unix/X0 ]"); return 1 if $status == 0; diff --git a/nixos/lib/testing.nix b/nixos/lib/testing.nix index efcafbaa5554..57acc990a48f 100644 --- a/nixos/lib/testing.nix +++ b/nixos/lib/testing.nix @@ -3,7 +3,11 @@ with import ./build-vms.nix { inherit system minimal config; }; with pkgs; -rec { +let + jquery-ui = callPackage ./testing/jquery-ui.nix { }; + jquery = callPackage ./testing/jquery.nix { }; + +in rec { inherit pkgs; @@ -107,6 +111,8 @@ rec { ocrProg = tesseract_4.override { enableLanguages = [ "eng" ]; }; + imagemagick_tiff = imagemagick_light.override { inherit libtiff; }; + # Generate onvenience wrappers for running the test driver # interactively with the specified network, and for starting the # VMs from the command line. @@ -124,7 +130,7 @@ rec { wrapProgram $out/bin/nixos-test-driver \ --add-flags "''${vms[*]}" \ ${lib.optionalString enableOCR - "--prefix PATH : '${ocrProg}/bin:${imagemagick}/bin'"} \ + "--prefix PATH : '${ocrProg}/bin:${imagemagick_tiff}/bin'"} \ --run "export testScript=\"\$(cat $out/test-script)\"" \ --set VLANS '${toString vlans}' ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms @@ -143,8 +149,8 @@ rec { test = passMeta (runTests driver); report = passMeta (releaseTools.gcovReport { coverageRuns = [ test ]; }); - in (if makeCoverageReport then report else test) // { - inherit nodes driver test; + in (if makeCoverageReport then report else test) // { + inherit nodes driver test; }; runInMachine = diff --git a/nixos/lib/testing/jquery-ui.nix b/nixos/lib/testing/jquery-ui.nix new file mode 100644 index 000000000000..e65107a3c2fb --- /dev/null +++ b/nixos/lib/testing/jquery-ui.nix @@ -0,0 +1,24 @@ +{ stdenv, fetchurl, unzip }: + +stdenv.mkDerivation rec { + name = "jquery-ui-1.11.4"; + + src = fetchurl { + url = "http://jqueryui.com/resources/download/${name}.zip"; + sha256 = "0ciyaj1acg08g8hpzqx6whayq206fvf4whksz2pjgxlv207lqgjh"; + }; + + buildInputs = [ unzip ]; + + installPhase = + '' + mkdir -p "$out/js" + cp -rv . "$out/js" + ''; + + meta = { + homepage = http://jqueryui.com/; + description = "A library of JavaScript widgets and effects"; + platforms = stdenv.lib.platforms.all; + }; +} diff --git a/nixos/lib/testing/jquery.nix b/nixos/lib/testing/jquery.nix new file mode 100644 index 000000000000..103721cadc38 --- /dev/null +++ b/nixos/lib/testing/jquery.nix @@ -0,0 +1,36 @@ +{ stdenv, fetchurl, compressed ? true }: + +with stdenv.lib; + +stdenv.mkDerivation rec { + name = "jquery-1.11.3"; + + src = if compressed then + fetchurl { + url = "http://code.jquery.com/${name}.min.js"; + sha256 = "1f4glgxxn3jnvry3dpzmazj3207baacnap5w20gr2xlk789idfgc"; + } + else + fetchurl { + url = "http://code.jquery.com/${name}.js"; + sha256 = "1v956yf5spw0156rni5z77hzqwmby7ajwdcd6mkhb6zvl36awr90"; + }; + + unpackPhase = "true"; + + installPhase = + '' + mkdir -p "$out/js" + cp -v "$src" "$out/js/jquery.js" + ${optionalString compressed '' + (cd "$out/js" && ln -s jquery.js jquery.min.js) + ''} + ''; + + meta = with stdenv.lib; { + description = "JavaScript library designed to simplify the client-side scripting of HTML"; + homepage = http://jquery.com/; + license = licenses.mit; + platforms = platforms.all; + }; +} diff --git a/nixos/maintainers/option-usages.nix b/nixos/maintainers/option-usages.nix index 7be0255b35ac..371ee7d91808 100644 --- a/nixos/maintainers/option-usages.nix +++ b/nixos/maintainers/option-usages.nix @@ -15,7 +15,7 @@ # # $ nix-build ./option-usage.nix --argstr testOption service.xserver.enable -A txt -o service.xserver.enable._txt # -# otther target exists such as, `dotContent`, `dot`, and `pdf`. If you are +# Other targets exists such as `dotContent`, `dot`, and `pdf`. If you are # looking for the option usage of multiple options, you can provide a list # as argument. # @@ -35,7 +35,7 @@ # value is replaced by a `throw` statement which is caught by the `tryEval` # evaluation of each option value. # -# We then compare the result of the evluation of the original module, with +# We then compare the result of the evaluation of the original module, with # the result of the second evaluation, and consider that the new failures are # caused by our mutation of the `config` argument. # @@ -62,7 +62,7 @@ let "_module.args" # For some reasons which we yet have to investigate, some options cannot - # be replaced by a throw without cuasing a non-catchable failure. + # be replaced by a throw without causing a non-catchable failure. "networking.bonds" "networking.bridges" "networking.interfaces" diff --git a/nixos/maintainers/scripts/ec2/create-amis.sh b/nixos/maintainers/scripts/ec2/create-amis.sh index 347e6b9c6e0d..9461144fad5a 100755 --- a/nixos/maintainers/scripts/ec2/create-amis.sh +++ b/nixos/maintainers/scripts/ec2/create-amis.sh @@ -6,7 +6,7 @@ set -e set -o pipefail -version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g) +version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.version | sed s/'"'//g) major=${version:0:5} echo "NixOS version is $version ($major)" diff --git a/nixos/maintainers/scripts/gce/create-gce.sh b/nixos/maintainers/scripts/gce/create-gce.sh index ef1801fe54be..0fd26d34d07f 100755 --- a/nixos/maintainers/scripts/gce/create-gce.sh +++ b/nixos/maintainers/scripts/gce/create-gce.sh @@ -3,7 +3,7 @@ set -euo pipefail -BUCKET_NAME="${BUCKET_NAME:-nixos-images}" +BUCKET_NAME="${BUCKET_NAME:-nixos-cloud-images}" TIMESTAMP="$(date +%Y%m%d%H%M)" export TIMESTAMP @@ -19,5 +19,5 @@ img_name=$(basename "$img_path") img_id=$(echo "$img_name" | sed 's|.raw.tar.gz$||;s|\.|-|g;s|_|-|g') if ! gsutil ls "gs://${BUCKET_NAME}/$img_name"; then gsutil cp "$img_path" "gs://${BUCKET_NAME}/$img_name" + gsutil acl ch -u AllUsers:R "gs://${BUCKET_NAME}/$img_name" fi -gcloud compute images create "$img_id" --source-uri "gs://${BUCKET_NAME}/$img_name" diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix index ef48ccb7b4fe..93d130970190 100644 --- a/nixos/modules/config/gnu.nix +++ b/nixos/modules/config/gnu.nix @@ -26,11 +26,11 @@ with lib; nano zile texinfo # for the stand-alone Info reader ] - ++ stdenv.lib.optional (!stdenv.isArm) grub2; + ++ stdenv.lib.optional (!stdenv.isAarch32) grub2; # GNU GRUB, where available. - boot.loader.grub.enable = !pkgs.stdenv.isArm; + boot.loader.grub.enable = !pkgs.stdenv.isAarch32; boot.loader.grub.version = 2; # GNU lsh. diff --git a/nixos/modules/config/i18n.nix b/nixos/modules/config/i18n.nix index 46b22fc12854..6bf8c653e113 100644 --- a/nixos/modules/config/i18n.nix +++ b/nixos/modules/config/i18n.nix @@ -10,7 +10,7 @@ with lib; i18n = { glibcLocales = mkOption { type = types.path; - default = pkgs.glibcLocales.override { + default = pkgs.buildPackages.glibcLocales.override { allLocales = any (x: x == "all") config.i18n.supportedLocales; locales = config.i18n.supportedLocales; }; diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix index d8980944adc0..a20910353f34 100644 --- a/nixos/modules/config/no-x-libs.nix +++ b/nixos/modules/config/no-x-libs.nix @@ -32,10 +32,10 @@ with lib; networkmanager-l2tp = pkgs.networkmanager-l2tp.override { withGnome = false; }; networkmanager-openconnect = pkgs.networkmanager-openconnect.override { withGnome = false; }; networkmanager-openvpn = pkgs.networkmanager-openvpn.override { withGnome = false; }; - networkmanager-pptp = pkgs.networkmanager-pptp.override { withGnome = false; }; networkmanager-vpnc = pkgs.networkmanager-vpnc.override { withGnome = false; }; networkmanager-iodine = pkgs.networkmanager-iodine.override { withGnome = false; }; pinentry = pkgs.pinentry_ncurses; + gobjectIntrospection = pkgs.gobjectIntrospection.override { x11Support = false; }; }; }; } diff --git a/nixos/modules/config/nsswitch.nix b/nixos/modules/config/nsswitch.nix index 7b36d4f1cbdf..c595c6932946 100644 --- a/nixos/modules/config/nsswitch.nix +++ b/nixos/modules/config/nsswitch.nix @@ -17,23 +17,23 @@ let resolved = canLoadExternalModules && config.services.resolved.enable; hostArray = [ "files" ] - ++ optionals mymachines [ "mymachines" ] - ++ optionals nssmdns [ "mdns_minimal [NOTFOUND=return]" ] - ++ optionals nsswins [ "wins" ] - ++ optionals resolved ["resolve [!UNAVAIL=return]"] + ++ optional mymachines "mymachines" + ++ optional nssmdns "mdns_minimal [NOTFOUND=return]" + ++ optional nsswins "wins" + ++ optional resolved "resolve [!UNAVAIL=return]" ++ [ "dns" ] - ++ optionals nssmdns [ "mdns" ] - ++ optionals myhostname ["myhostname" ]; + ++ optional nssmdns "mdns" + ++ optional myhostname "myhostname"; passwdArray = [ "files" ] ++ optional sssd "sss" - ++ optionals ldap [ "ldap" ] - ++ optionals mymachines [ "mymachines" ] + ++ optional ldap "ldap" + ++ optional mymachines "mymachines" ++ [ "systemd" ]; shadowArray = [ "files" ] ++ optional sssd "sss" - ++ optionals ldap [ "ldap" ]; + ++ optional ldap "ldap"; servicesArray = [ "files" ] ++ optional sssd "sss"; diff --git a/nixos/modules/config/pulseaudio.nix b/nixos/modules/config/pulseaudio.nix index a9c5fc75660d..90cea47b70ae 100644 --- a/nixos/modules/config/pulseaudio.nix +++ b/nixos/modules/config/pulseaudio.nix @@ -214,6 +214,8 @@ in { (mkIf cfg.enable { environment.systemPackages = [ overriddenPackage ]; + sound.enable = true; + environment.etc = [ { target = "asound.conf"; source = alsaConf; } diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index d3212d931605..361151665018 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix @@ -109,7 +109,6 @@ in "/sbin" "/share/applications" "/share/desktop-directories" - "/share/doc" "/share/emacs" "/share/icons" "/share/menus" diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index c1102d558101..621ca36fb6b8 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -35,6 +35,7 @@ let name = mkOption { type = types.str; + apply = x: assert (builtins.stringLength x < 32 || abort "Username '${x}' is longer than 31 characters which is not allowed!"); x; description = '' The name of the user account. If undefined, the name of the attribute set will be used. @@ -91,6 +92,7 @@ let group = mkOption { type = types.str; + apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x; default = "nogroup"; description = "The user's primary group."; }; @@ -502,9 +504,6 @@ in { }; }; - # Install all the user shells - environment.systemPackages = systemShells; - users.groups = { root.gid = ids.gids.root; wheel.gid = ids.gids.wheel; @@ -529,6 +528,9 @@ in { system.activationScripts.users = stringAfter [ "stdio" ] '' + install -m 0700 -d /root + install -m 0755 -d /home + ${pkgs.perl}/bin/perl -w \ -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl \ -I${pkgs.perlPackages.JSON}/lib/perl5/site_perl \ @@ -538,14 +540,29 @@ in { # for backwards compatibility system.activationScripts.groups = stringAfter [ "users" ] ""; - environment.etc."subuid" = { - text = subuidFile; - mode = "0644"; - }; - environment.etc."subgid" = { - text = subgidFile; - mode = "0644"; - }; + # Install all the user shells + environment.systemPackages = systemShells; + + environment.etc = { + "subuid" = { + text = subuidFile; + mode = "0644"; + }; + "subgid" = { + text = subgidFile; + mode = "0644"; + }; + } // (mapAttrs' (name: { packages, ... }: { + name = "profiles/per-user/${name}"; + value.source = pkgs.buildEnv { + name = "user-environment"; + paths = packages; + inherit (config.environment) pathsToLink extraOutputsToInstall; + inherit (config.system.path) ignoreCollisions postBuild; + }; + }) (filterAttrs (_: u: u.packages != []) cfg.users)); + + environment.profiles = [ "/etc/profiles/per-user/$USER" ]; assertions = [ { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique); @@ -576,22 +593,4 @@ in { }; - imports = - [ (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) - (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) - { - environment = { - etc = mapAttrs' (name: { packages, ... }: { - name = "profiles/per-user/${name}"; - value.source = pkgs.buildEnv { - name = "user-environment"; - paths = packages; - inherit (config.environment) pathsToLink extraOutputsToInstall; - inherit (config.system.path) ignoreCollisions postBuild; - }; - }) (filterAttrs (_: { packages, ... }: packages != []) cfg.users); - profiles = ["/etc/profiles/per-user/$USER"]; - }; - } - ]; } diff --git a/nixos/modules/config/zram.nix b/nixos/modules/config/zram.nix index ad41ad4f3d7c..c1748812821e 100644 --- a/nixos/modules/config/zram.nix +++ b/nixos/modules/config/zram.nix @@ -25,16 +25,16 @@ in type = types.bool; description = '' Enable in-memory compressed swap space provided by the zram kernel - module. It is recommended to enable only for kernel 3.14 or higher. + module. + See https://www.kernel.org/doc/Documentation/blockdev/zram.txt ''; }; numDevices = mkOption { - default = 4; + default = 1; type = types.int; description = '' - Number of zram swap devices to create. It should be equal to the - number of CPU cores your system has. + Number of zram swap devices to create. ''; }; @@ -93,7 +93,7 @@ in serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStop = "${pkgs.stdenv.shell} -c 'echo 1 > /sys/class/block/${dev}/reset'"; + ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/class/block/${dev}/reset'"; }; script = '' set -u diff --git a/nixos/modules/hardware/onlykey.nix b/nixos/modules/hardware/onlykey.nix new file mode 100644 index 000000000000..b6820fe01911 --- /dev/null +++ b/nixos/modules/hardware/onlykey.nix @@ -0,0 +1,33 @@ +{ config, lib, ... }: + +with lib; + +{ + + ####### interface + + options = { + + hardware.onlykey = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable OnlyKey device (https://crp.to/p/) support. + ''; + }; + }; + + }; + + ## As per OnlyKey's documentation piece (hhttps://docs.google.com/document/d/1Go_Rs218fKUx-j_JKhddbSVTqY6P0vQO831t2MKCJC8), + ## it is important to add udev rule for OnlyKey for it to work on Linux + + ####### implementation + + config = mkIf config.hardware.onlykey.enable { + services.udev.extraRules = builtin.readFile ./onlykey.udev; + }; + + +} diff --git a/nixos/modules/hardware/onlykey.udev b/nixos/modules/hardware/onlykey.udev new file mode 100644 index 000000000000..6583530e5684 --- /dev/null +++ b/nixos/modules/hardware/onlykey.udev @@ -0,0 +1,4 @@ +ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1" +ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1" +SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", GROUP+="plugdev" +KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", GROUP+="plugdev" diff --git a/nixos/modules/hardware/opengl.nix b/nixos/modules/hardware/opengl.nix index c2c36f02a143..b371af353cf9 100644 --- a/nixos/modules/hardware/opengl.nix +++ b/nixos/modules/hardware/opengl.nix @@ -14,7 +14,6 @@ let name = "mesa-drivers+txc-${p.mesa_drivers.version}"; paths = [ p.mesa_drivers - p.mesa_drivers.out # mainly for libGL (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc) ]; }; @@ -33,82 +32,92 @@ in { options = { - hardware.opengl.enable = mkOption { - description = "Whether this configuration requires OpenGL."; - type = types.bool; - default = false; - internal = true; - }; - - hardware.opengl.driSupport = mkOption { - type = types.bool; - default = true; - description = '' - Whether to enable accelerated OpenGL rendering through the - Direct Rendering Interface (DRI). - ''; - }; - - hardware.opengl.driSupport32Bit = mkOption { - type = types.bool; - default = false; - description = '' - On 64-bit systems, whether to support Direct Rendering for - 32-bit applications (such as Wine). This is currently only - supported for the <literal>nvidia</literal> and - <literal>ati_unfree</literal> drivers, as well as - <literal>Mesa</literal>. - ''; - }; - - hardware.opengl.s3tcSupport = mkOption { - type = types.bool; - default = false; - description = '' - Make S3TC(S3 Texture Compression) via libtxc_dxtn available - to OpenGL drivers instead of the patent-free S2TC replacement. - - Using this library may require a patent license depending on your location. - ''; - }; - hardware.opengl.package = mkOption { - type = types.package; - internal = true; - description = '' - The package that provides the OpenGL implementation. - ''; - }; - - hardware.opengl.package32 = mkOption { - type = types.package; - internal = true; - description = '' - The package that provides the 32-bit OpenGL implementation on - 64-bit systems. Used when <option>driSupport32Bit</option> is - set. - ''; - }; - - hardware.opengl.extraPackages = mkOption { - type = types.listOf types.package; - default = []; - example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]"; - description = '' - Additional packages to add to OpenGL drivers. This can be used - to add OpenCL drivers, VA-API/VDPAU drivers etc. - ''; - }; - - hardware.opengl.extraPackages32 = mkOption { - type = types.listOf types.package; - default = []; - example = literalExample "with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]"; - description = '' - Additional packages to add to 32-bit OpenGL drivers on - 64-bit systems. Used when <option>driSupport32Bit</option> is - set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. - ''; + hardware.opengl = { + enable = mkOption { + description = '' + Whether to enable OpenGL drivers. This is needed to enable + OpenGL support in X11 systems, as well as for Wayland compositors + like sway, way-cooler and Weston. It is enabled by default + by the corresponding modules, so you do not usually have to + set it yourself, only if there is no module for your wayland + compositor of choice. See services.xserver.enable, + programs.sway.enable, and programs.way-cooler.enable. + ''; + type = types.bool; + default = false; + }; + + driSupport = mkOption { + type = types.bool; + default = true; + description = '' + Whether to enable accelerated OpenGL rendering through the + Direct Rendering Interface (DRI). + ''; + }; + + driSupport32Bit = mkOption { + type = types.bool; + default = false; + description = '' + On 64-bit systems, whether to support Direct Rendering for + 32-bit applications (such as Wine). This is currently only + supported for the <literal>nvidia</literal> and + <literal>ati_unfree</literal> drivers, as well as + <literal>Mesa</literal>. + ''; + }; + + s3tcSupport = mkOption { + type = types.bool; + default = false; + description = '' + Make S3TC(S3 Texture Compression) via libtxc_dxtn available + to OpenGL drivers instead of the patent-free S2TC replacement. + + Using this library may require a patent license depending on your location. + ''; + }; + + package = mkOption { + type = types.package; + internal = true; + description = '' + The package that provides the OpenGL implementation. + ''; + }; + + package32 = mkOption { + type = types.package; + internal = true; + description = '' + The package that provides the 32-bit OpenGL implementation on + 64-bit systems. Used when <option>driSupport32Bit</option> is + set. + ''; + }; + + extraPackages = mkOption { + type = types.listOf types.package; + default = []; + example = literalExample "with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]"; + description = '' + Additional packages to add to OpenGL drivers. This can be used + to add OpenCL drivers, VA-API/VDPAU drivers etc. + ''; + }; + + extraPackages32 = mkOption { + type = types.listOf types.package; + default = []; + example = literalExample "with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]"; + description = '' + Additional packages to add to 32-bit OpenGL drivers on + 64-bit systems. Used when <option>driSupport32Bit</option> is + set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. + ''; + }; }; }; diff --git a/nixos/modules/hardware/video/amdgpu-pro.nix b/nixos/modules/hardware/video/amdgpu-pro.nix index 5cc96d8bd074..50af022b93c8 100644 --- a/nixos/modules/hardware/video/amdgpu-pro.nix +++ b/nixos/modules/hardware/video/amdgpu-pro.nix @@ -15,13 +15,19 @@ let opengl = config.hardware.opengl; + kernel = pkgs.linux_4_9.override { + extraConfig = '' + KALLSYMS_ALL y + ''; + }; + in { config = mkIf enabled { - nixpkgs.config.xorg.abiCompat = "1.18"; + nixpkgs.config.xorg.abiCompat = "1.19"; services.xserver.drivers = singleton { name = "amdgpu"; modules = [ package ]; libPath = [ package ]; }; @@ -31,6 +37,9 @@ in boot.extraModulePackages = [ package ]; + boot.kernelPackages = + pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor kernel); + boot.blacklistedKernelModules = [ "radeon" ]; hardware.firmware = [ package ]; @@ -38,10 +47,15 @@ in system.activationScripts.setup-amdgpu-pro = '' mkdir -p /run/lib ln -sfn ${package}/lib ${package.libCompatDir} + ln -sfn ${package} /run/amdgpu-pro '' + optionalString opengl.driSupport32Bit '' ln -sfn ${package32}/lib ${package32.libCompatDir} ''; + system.requiredKernelConfig = with config.lib.kernelConfig; [ + (isYes "KALLSYMS_ALL") + ]; + environment.etc = { "amd/amdrc".source = package + "/etc/amd/amdrc"; "amd/amdapfxx.blb".source = package + "/etc/amd/amdapfxx.blb"; diff --git a/nixos/modules/hardware/video/nvidia.nix b/nixos/modules/hardware/video/nvidia.nix index 50c085dd7ee2..eb1952280331 100644 --- a/nixos/modules/hardware/video/nvidia.nix +++ b/nixos/modules/hardware/video/nvidia.nix @@ -16,8 +16,6 @@ let kernelPackages.nvidia_x11 else if elem "nvidiaBeta" drivers then kernelPackages.nvidia_x11_beta - else if elem "nvidiaLegacy173" drivers then - kernelPackages.nvidia_x11_legacy173 else if elem "nvidiaLegacy304" drivers then kernelPackages.nvidia_x11_legacy304 else if elem "nvidiaLegacy340" drivers then @@ -27,13 +25,6 @@ let nvidia_x11 = nvidiaForKernel config.boot.kernelPackages; nvidia_libs32 = (nvidiaForKernel pkgs_i686.linuxPackages).override { libsOnly = true; kernel = null; }; - nvidiaPackage = nvidia: pkgs: - if !nvidia.useGLVND then nvidia.out - else pkgs.buildEnv { - name = "nvidia-libs"; - paths = [ pkgs.libglvnd nvidia.out ]; - }; - enabled = nvidia_x11 != null; in @@ -59,8 +50,8 @@ in source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc"; }; - hardware.opengl.package = nvidiaPackage nvidia_x11 pkgs; - hardware.opengl.package32 = nvidiaPackage nvidia_libs32 pkgs_i686; + hardware.opengl.package = nvidia_x11.out; + hardware.opengl.package32 = nvidia_libs32.out; environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ] ++ lib.filter (p: p != null) [ nvidia_x11.persistenced ]; @@ -75,10 +66,10 @@ in # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded. services.udev.extraRules = '' - KERNEL=="nvidia", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidiactl c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" - KERNEL=="nvidia_modeset", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia-modeset c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" - KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia%n c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" - KERNEL=="nvidia_uvm", RUN+="${pkgs.stdenv.shell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" + KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 255'" + KERNEL=="nvidia_modeset", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-modeset c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) 254'" + KERNEL=="card*", SUBSYSTEM=="drm", DRIVERS=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia%n c $(grep nvidia-frontend /proc/devices | cut -d \ -f 1) %n'" + KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'" ''; boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ]; diff --git a/nixos/modules/i18n/input-method/default.xml b/nixos/modules/i18n/input-method/default.xml index 45d6daf068b3..76ffa8cb7e37 100644 --- a/nixos/modules/i18n/input-method/default.xml +++ b/nixos/modules/i18n/input-method/default.xml @@ -6,56 +6,56 @@ <title>Input Methods</title> -<para>Input methods are an operating system component that allows any data, such - as keyboard strokes or mouse movements, to be received as input. In this way - users can enter characters and symbols not found on their input devices. Using - an input method is obligatory for any language that has more graphemes than +<para>Input methods are an operating system component that allows any data, such + as keyboard strokes or mouse movements, to be received as input. In this way + users can enter characters and symbols not found on their input devices. Using + an input method is obligatory for any language that has more graphemes than there are keys on the keyboard.</para> <para>The following input methods are available in NixOS:</para> <itemizedlist> <listitem><para>IBus: The intelligent input bus.</para></listitem> - <listitem><para>Fcitx: A customizable lightweight input + <listitem><para>Fcitx: A customizable lightweight input method.</para></listitem> <listitem><para>Nabi: A Korean input method based on XIM.</para></listitem> - <listitem><para>Uim: The universal input method, is a library with a XIM + <listitem><para>Uim: The universal input method, is a library with a XIM bridge.</para></listitem> </itemizedlist> <section><title>IBus</title> -<para>IBus is an Intelligent Input Bus. It provides full featured and user +<para>IBus is an Intelligent Input Bus. It provides full featured and user friendly input method user interface.</para> <para>The following snippet can be used to configure IBus:</para> <programlisting> i18n.inputMethod = { - enabled = "ibus"; - ibus.engines = with pkgs.ibus-engines; [ anthy hangul mozc ]; + <link linkend="opt-i18n.inputMethod.enabled">enabled</link> = "ibus"; + <link linkend="opt-i18n.inputMethod.ibus.engines">ibus.engines</link> = with pkgs.ibus-engines; [ anthy hangul mozc ]; }; </programlisting> -<para><literal>i18n.inputMethod.ibus.engines</literal> is optional and can be +<para><literal>i18n.inputMethod.ibus.engines</literal> is optional and can be used to add extra IBus engines.</para> <para>Available extra IBus engines are:</para> <itemizedlist> - <listitem><para>Anthy (<literal>ibus-engines.anthy</literal>): Anthy is a - system for Japanese input method. It converts Hiragana text to Kana Kanji + <listitem><para>Anthy (<literal>ibus-engines.anthy</literal>): Anthy is a + system for Japanese input method. It converts Hiragana text to Kana Kanji mixed text.</para></listitem> - <listitem><para>Hangul (<literal>ibus-engines.hangul</literal>): Korean input + <listitem><para>Hangul (<literal>ibus-engines.hangul</literal>): Korean input method.</para></listitem> - <listitem><para>m17n (<literal>ibus-engines.m17n</literal>): m17n is an input - method that uses input methods and corresponding icons in the m17n + <listitem><para>m17n (<literal>ibus-engines.m17n</literal>): m17n is an input + method that uses input methods and corresponding icons in the m17n database.</para></listitem> - <listitem><para>mozc (<literal>ibus-engines.mozc</literal>): A Japanese input + <listitem><para>mozc (<literal>ibus-engines.mozc</literal>): A Japanese input method from Google.</para></listitem> - <listitem><para>Table (<literal>ibus-engines.table</literal>): An input method + <listitem><para>Table (<literal>ibus-engines.table</literal>): An input method that load tables of input methods.</para></listitem> - <listitem><para>table-others (<literal>ibus-engines.table-others</literal>): + <listitem><para>table-others (<literal>ibus-engines.table-others</literal>): Various table-based input methods. To use this, and any other table-based input methods, it must appear in the list of engines along with <literal>table</literal>. For example: @@ -72,71 +72,71 @@ ibus.engines = with pkgs.ibus-engines; [ table table-others ]; <section><title>Fcitx</title> -<para>Fcitx is an input method framework with extension support. It has three - built-in Input Method Engine, Pinyin, QuWei and Table-based input +<para>Fcitx is an input method framework with extension support. It has three + built-in Input Method Engine, Pinyin, QuWei and Table-based input methods.</para> <para>The following snippet can be used to configure Fcitx:</para> <programlisting> i18n.inputMethod = { - enabled = "fcitx"; - fcitx.engines = with pkgs.fcitx-engines; [ mozc hangul m17n ]; + <link linkend="opt-i18n.inputMethod.enabled">enabled</link> = "fcitx"; + <link linkend="opt-i18n.inputMethod.fcitx.engines">fcitx.engines</link> = with pkgs.fcitx-engines; [ mozc hangul m17n ]; }; </programlisting> -<para><literal>i18n.inputMethod.fcitx.engines</literal> is optional and can be +<para><literal>i18n.inputMethod.fcitx.engines</literal> is optional and can be used to add extra Fcitx engines.</para> <para>Available extra Fcitx engines are:</para> <itemizedlist> - <listitem><para>Anthy (<literal>fcitx-engines.anthy</literal>): Anthy is a - system for Japanese input method. It converts Hiragana text to Kana Kanji + <listitem><para>Anthy (<literal>fcitx-engines.anthy</literal>): Anthy is a + system for Japanese input method. It converts Hiragana text to Kana Kanji mixed text.</para></listitem> - <listitem><para>Chewing (<literal>fcitx-engines.chewing</literal>): Chewing is - an intelligent Zhuyin input method. It is one of the most popular input + <listitem><para>Chewing (<literal>fcitx-engines.chewing</literal>): Chewing is + an intelligent Zhuyin input method. It is one of the most popular input methods among Traditional Chinese Unix users.</para></listitem> - <listitem><para>Hangul (<literal>fcitx-engines.hangul</literal>): Korean input + <listitem><para>Hangul (<literal>fcitx-engines.hangul</literal>): Korean input method.</para></listitem> - <listitem><para>Unikey (<literal>fcitx-engines.unikey</literal>): Vietnamese input + <listitem><para>Unikey (<literal>fcitx-engines.unikey</literal>): Vietnamese input method.</para></listitem> - <listitem><para>m17n (<literal>fcitx-engines.m17n</literal>): m17n is an input - method that uses input methods and corresponding icons in the m17n + <listitem><para>m17n (<literal>fcitx-engines.m17n</literal>): m17n is an input + method that uses input methods and corresponding icons in the m17n database.</para></listitem> - <listitem><para>mozc (<literal>fcitx-engines.mozc</literal>): A Japanese input + <listitem><para>mozc (<literal>fcitx-engines.mozc</literal>): A Japanese input method from Google.</para></listitem> - <listitem><para>table-others (<literal>fcitx-engines.table-others</literal>): + <listitem><para>table-others (<literal>fcitx-engines.table-others</literal>): Various table-based input methods.</para></listitem> </itemizedlist> </section> <section><title>Nabi</title> -<para>Nabi is an easy to use Korean X input method. It allows you to enter - phonetic Korean characters (hangul) and pictographic Korean characters +<para>Nabi is an easy to use Korean X input method. It allows you to enter + phonetic Korean characters (hangul) and pictographic Korean characters (hanja).</para> <para>The following snippet can be used to configure Nabi:</para> <programlisting> i18n.inputMethod = { - enabled = "nabi"; + <link linkend="opt-i18n.inputMethod.enabled">enabled</link> = "nabi"; }; </programlisting> </section> <section><title>Uim</title> -<para>Uim (short for "universal input method") is a multilingual input method +<para>Uim (short for "universal input method") is a multilingual input method framework. Applications can use it through so-called bridges.</para> <para>The following snippet can be used to configure uim:</para> <programlisting> i18n.inputMethod = { - enabled = "uim"; + <link linkend="opt-i18n.inputMethod.enabled">enabled</link> = "uim"; }; </programlisting> -<para>Note: The <literal>i18n.inputMethod.uim.toolbar</literal> option can be +<para>Note: The <xref linkend="opt-i18n.inputMethod.uim.toolbar"/> option can be used to choose uim toolbar.</para> </section> diff --git a/nixos/modules/installer/cd-dvd/channel.nix b/nixos/modules/installer/cd-dvd/channel.nix index 4a1983167957..01cfe8a02e10 100644 --- a/nixos/modules/installer/cd-dvd/channel.nix +++ b/nixos/modules/installer/cd-dvd/channel.nix @@ -21,7 +21,9 @@ let if [ ! -e $out/nixos/nixpkgs ]; then ln -s . $out/nixos/nixpkgs fi + echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix + echo ${config.system.nixos.versionSuffix} | sed -e s/pre// > $out/nixos/svn-revision ''; in diff --git a/nixos/modules/installer/cd-dvd/iso-image.nix b/nixos/modules/installer/cd-dvd/iso-image.nix index 811449e9fe7e..08923970cd38 100644 --- a/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/nixos/modules/installer/cd-dvd/iso-image.nix @@ -59,7 +59,7 @@ let INITRD /boot/${config.system.boot.loader.initrdFile} # A variant to boot with verbose logging to the console - LABEL boot-nomodeset + LABEL boot-debug MENU LABEL NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel} (debug) LINUX /boot/${config.system.boot.loader.kernelFile} APPEND init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} loglevel=7 @@ -73,7 +73,8 @@ let APPEND ${toString config.boot.loader.grub.memtest86.params} ''; - isolinuxCfg = baseIsolinuxCfg + (optionalString config.boot.loader.grub.memtest86.enable isolinuxMemtest86Entry); + isolinuxCfg = concatStringsSep "\n" + ([ baseIsolinuxCfg ] ++ optional config.boot.loader.grub.memtest86.enable isolinuxMemtest86Entry); # The EFI boot image. efiDir = pkgs.runCommand "efi-directory" {} '' @@ -331,8 +332,7 @@ in config.system.build.toplevel.drvPath; # Create the squashfs image that contains the Nix store. - system.build.squashfsStore = import ../../../lib/make-squashfs.nix { - inherit (pkgs) stdenv squashfsTools perl pathsFromGraph; + system.build.squashfsStore = pkgs.callPackage ../../../lib/make-squashfs.nix { storeContents = config.isoImage.storeContents; }; @@ -383,11 +383,8 @@ in boot.loader.timeout = 10; # Create the ISO image. - system.build.isoImage = import ../../../lib/make-iso9660-image.nix ({ - inherit (pkgs) stdenv perl pathsFromGraph xorriso syslinux; - + system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({ inherit (config.isoImage) isoName compressImage volumeID contents; - bootable = true; bootImage = "/isolinux/isolinux.bin"; } // optionalAttrs config.isoImage.makeUsbBootable { diff --git a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix index 3306846b7fa7..ddf91a5656c7 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-aarch64.nix @@ -21,9 +21,6 @@ in "it cannot be cross compiled"; }; - # Needed by RPi firmware - nixpkgs.config.allowUnfree = true; - boot.loader.grub.enable = false; boot.loader.generic-extlinux-compatible.enable = true; diff --git a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix index 08903ba397a1..891923234dda 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix @@ -21,9 +21,6 @@ in "it cannot be cross compiled"; }; - # Needed by RPi firmware - nixpkgs.config.allowUnfree = true; - boot.loader.grub.enable = false; boot.loader.generic-extlinux-compatible.enable = true; diff --git a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix index 2833b75b84d8..212013b5e289 100644 --- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix +++ b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix @@ -21,9 +21,6 @@ in "it cannot be cross compiled"; }; - # Needed by RPi firmware - nixpkgs.config.allowUnfree = true; - boot.loader.grub.enable = false; boot.loader.generic-extlinux-compatible.enable = true; diff --git a/nixos/modules/installer/cd-dvd/sd-image.nix b/nixos/modules/installer/cd-dvd/sd-image.nix index 23312c073d56..c091923de60f 100644 --- a/nixos/modules/installer/cd-dvd/sd-image.nix +++ b/nixos/modules/installer/cd-dvd/sd-image.nix @@ -20,6 +20,20 @@ let in { options.sdImage = { + imageName = mkOption { + default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.system}.img"; + description = '' + Name of the generated image file. + ''; + }; + + imageBaseName = mkOption { + default = "nixos-sd-image"; + description = '' + Prefix of the name of the generated image file. + ''; + }; + storePaths = mkOption { type = with types; listOf package; example = literalExample "[ pkgs.stdenv ]"; @@ -61,19 +75,25 @@ in sdImage.storePaths = [ config.system.build.toplevel ]; system.build.sdImage = pkgs.stdenv.mkDerivation { - name = "sd-image-${pkgs.stdenv.system}.img"; + name = config.sdImage.imageName; buildInputs = with pkgs; [ dosfstools e2fsprogs mtools libfaketime utillinux ]; buildCommand = '' + mkdir -p $out/nix-support $out/sd-image + export img=$out/sd-image/${config.sdImage.imageName} + + echo "${pkgs.stdenv.system}" > $out/nix-support/system + echo "file sd-image $img" >> $out/nix-support/hydra-build-products + # Create the image file sized to fit /boot and /, plus 20M of slack rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }') bootSizeBlocks=$((${toString config.sdImage.bootSize} * 1024 * 1024 / 512)) imageSize=$((rootSizeBlocks * 512 + bootSizeBlocks * 512 + 20 * 1024 * 1024)) - truncate -s $imageSize $out + truncate -s $imageSize $img # type=b is 'W95 FAT32', type=83 is 'Linux'. - sfdisk $out <<EOF + sfdisk $img <<EOF label: dos label-id: 0x2178694e @@ -82,11 +102,11 @@ in EOF # Copy the rootfs into the SD image - eval $(partx $out -o START,SECTORS --nr 2 --pairs) - dd conv=notrunc if=${rootfsImage} of=$out seek=$START count=$SECTORS + eval $(partx $img -o START,SECTORS --nr 2 --pairs) + dd conv=notrunc if=${rootfsImage} of=$img seek=$START count=$SECTORS # Create a FAT32 /boot partition of suitable size into bootpart.img - eval $(partx $out -o START,SECTORS --nr 1 --pairs) + eval $(partx $img -o START,SECTORS --nr 1 --pairs) truncate -s $((SECTORS * 512)) bootpart.img faketime "1970-01-01 00:00:00" mkfs.vfat -i 0x2178694e -n NIXOS_BOOT bootpart.img @@ -96,7 +116,7 @@ in # Copy the populated /boot into the SD image (cd boot; mcopy -bpsvm -i ../bootpart.img ./* ::) - dd conv=notrunc if=bootpart.img of=$out seek=$START count=$SECTORS + dd conv=notrunc if=bootpart.img of=$img seek=$START count=$SECTORS ''; }; diff --git a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix index ba84cd51098f..6d4ba96dba0c 100644 --- a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix +++ b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix @@ -54,7 +54,7 @@ in environment.systemPackages = [ pkgs.w3m # needed for the manual anyway pkgs.testdisk # useful for repairing boot problems - pkgs.mssys # for writing Microsoft boot sectors / MBRs + pkgs.ms-sys # for writing Microsoft boot sectors / MBRs pkgs.parted pkgs.ddrescue pkgs.ccrypt diff --git a/nixos/modules/installer/netboot/netboot.nix b/nixos/modules/installer/netboot/netboot.nix index 52239b619126..a4eda3c52dce 100644 --- a/nixos/modules/installer/netboot/netboot.nix +++ b/nixos/modules/installer/netboot/netboot.nix @@ -67,7 +67,7 @@ with lib; # Create the squashfs image that contains the Nix store. system.build.squashfsStore = import ../../../lib/make-squashfs.nix { - inherit (pkgs) stdenv squashfsTools perl pathsFromGraph; + inherit (pkgs) stdenv squashfsTools closureInfo; storeContents = config.netboot.storeContents; }; diff --git a/nixos/modules/installer/tools/nix-fallback-paths.nix b/nixos/modules/installer/tools/nix-fallback-paths.nix index 131c779b1ab1..6bb556a0123c 100644 --- a/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,6 +1,6 @@ { - x86_64-linux = "/nix/store/gy4yv67gv3j6in0lalw37j353zdmfcwm-nix-1.11.16"; - i686-linux = "/nix/store/ifmyq5ryfxhhrzh62hiq65xyz1fwffga-nix-1.11.16"; - aarch64-linux = "/nix/store/y9mfv3sx75mbfibf1zna1kq9v98fk2nb-nix-1.11.16"; - x86_64-darwin = "/nix/store/hwpp7kia2f0in5ns2hiw41q38k30jpj2-nix-1.11.16"; + x86_64-linux = "/nix/store/2gk7rk2sx2dkmsjr59gignrfdmya8f6s-nix-2.0.1"; + i686-linux = "/nix/store/5160glkphiv13qggnivyidg8r0491pbl-nix-2.0.1"; + aarch64-linux = "/nix/store/jk29zz3ns9vdkkclcyzzkpzp8dhv1x3i-nix-2.0.1"; + x86_64-darwin = "/nix/store/4a9czmrpd4hf3r80zcmga2c2lm3hbbvv-nix-2.0.1"; } diff --git a/nixos/modules/installer/tools/nixos-enter.sh b/nixos/modules/installer/tools/nixos-enter.sh new file mode 100644 index 000000000000..518dbbbf21e3 --- /dev/null +++ b/nixos/modules/installer/tools/nixos-enter.sh @@ -0,0 +1,61 @@ +#! @shell@ + +set -e + +# Re-exec ourselves in a private mount namespace so that our bind +# mounts get cleaned up automatically. +if [ -z "$NIXOS_ENTER_REEXEC" ]; then + export NIXOS_ENTER_REEXEC=1 + if [ "$(id -u)" != 0 ]; then + extraFlags="-r" + fi + exec unshare --fork --mount --uts --mount-proc --pid $extraFlags -- "$0" "$@" +else + mount --make-rprivate / +fi + +mountPoint=/mnt +system=/nix/var/nix/profiles/system +command=($system/sw/bin/bash "--login") + +while [ "$#" -gt 0 ]; do + i="$1"; shift 1 + case "$i" in + --root) + mountPoint="$1"; shift 1 + ;; + --system) + system="$1"; shift 1 + ;; + --help) + exec man nixos-enter + exit 1 + ;; + --command|-c) + command=($system/sw/bin/bash "-c" "$1") + shift 1 + ;; + --) + command=("$@") + break + ;; + *) + echo "$0: unknown option \`$i'" + exit 1 + ;; + esac +done + +if [[ ! -e $mountPoint/etc/NIXOS ]]; then + echo "$0: '$mountPoint' is not a NixOS installation" >&2 + exit 126 +fi + +mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/sys" +mount --rbind /dev "$mountPoint/dev" +mount --rbind /sys "$mountPoint/sys" + +# Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings. +LOCALE_ARCHIVE=$system/sw/lib/locale/locale-archive chroot "$mountPoint" "$system/activate" >&2 || true + +exec chroot "$mountPoint" "${command[@]}" diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 0e0744a52e42..74b61a64667e 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -577,15 +577,14 @@ $bootLoaderConfig # Set your time zone. # time.timeZone = "Europe/Amsterdam"; - # List packages installed in system profile. To search by name, run: - # \$ nix-env -qaP | grep wget + # List packages installed in system profile. To search, run: + # \$ nix search wget # environment.systemPackages = with pkgs; [ # wget vim # ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. - # programs.bash.enableCompletion = true; # programs.mtr.enable = true; # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index f994d5b4bde1..22c1e0fe9a34 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -1,35 +1,23 @@ #! @shell@ -# - make Nix store etc. -# - copy closure of Nix to target device -# - register validity -# - with a chroot to the target device: -# * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration> -# * install the boot loader +set -e +shopt -s nullglob + +export PATH=@path@:$PATH # Ensure a consistent umask. umask 0022 -# Re-exec ourselves in a private mount namespace so that our bind -# mounts get cleaned up automatically. -if [ "$(id -u)" = 0 ]; then - if [ -z "$NIXOS_INSTALL_REEXEC" ]; then - export NIXOS_INSTALL_REEXEC=1 - exec unshare --mount --uts -- "$0" "$@" - else - mount --make-rprivate / - fi -fi - # Parse the command line for the -I flag extraBuildFlags=() -chrootCommand=(/run/current-system/sw/bin/bash) -buildUsersGroup="nixbld" + +mountPoint=/mnt +channelPath= while [ "$#" -gt 0 ]; do i="$1"; shift 1 case "$i" in - --max-jobs|-j|--cores|-I) + --max-jobs|-j|--cores|-I|--substituters) j="$1"; shift 1 extraBuildFlags+=("$i" "$j") ;; @@ -41,9 +29,11 @@ while [ "$#" -gt 0 ]; do --root) mountPoint="$1"; shift 1 ;; - --closure) - closure="$1"; shift 1 - buildUsersGroup="" + --system|--closure) + system="$1"; shift 1 + ;; + --channel) + channelPath="$1"; shift 1 ;; --no-channel-copy) noChannelCopy=1 @@ -57,17 +47,13 @@ while [ "$#" -gt 0 ]; do --show-trace) extraBuildFlags+=("$i") ;; - --chroot) - runChroot=1 - if [[ "$@" != "" ]]; then - chrootCommand=("$@") - fi - break - ;; --help) exec man nixos-install exit 1 ;; + --debug) + set -x + ;; *) echo "$0: unknown option \`$i'" exit 1 @@ -75,132 +61,83 @@ while [ "$#" -gt 0 ]; do esac done -set -e -shopt -s nullglob - -if test -z "$mountPoint"; then - mountPoint=/mnt -fi - if ! test -e "$mountPoint"; then echo "mount point $mountPoint doesn't exist" exit 1 fi # Get the path of the NixOS configuration file. -if test -z "$NIXOS_CONFIG"; then - NIXOS_CONFIG=/etc/nixos/configuration.nix +if [[ -z $NIXOS_CONFIG ]]; then + NIXOS_CONFIG=$mountPoint/etc/nixos/configuration.nix fi -if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then - echo "configuration file $mountPoint/$NIXOS_CONFIG doesn't exist" +if [[ ${NIXOS_CONFIG:0:1} != / ]]; then + echo "$0: \$NIXOS_CONFIG is not an absolute path" exit 1 fi - -# Builds will use users that are members of this group -extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup") - -# Inherit binary caches from the host -# TODO: will this still work with Nix 1.12 now that it has no perl? Probably not... -binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')" -extraBuildFlags+=(--option "binary-caches" "$binary_caches") - -# We only need nixpkgs in the path if we don't already have a system closure to install -if [[ -z "$closure" ]]; then - nixpkgs="$(readlink -f "$(nix-instantiate --find-file nixpkgs)")" - export NIX_PATH="nixpkgs=$nixpkgs:nixos-config=$mountPoint/$NIXOS_CONFIG" -fi -unset NIXOS_CONFIG - -# These get created in nixos-prepare-root as well, but we want to make sure they're here in case we're -# running with --chroot. TODO: --chroot should just be split into a separate tool. -mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/proc" "$mountPoint/sys" - -# Set up some bind mounts we'll want regardless of chroot or not -mount --rbind /dev "$mountPoint/dev" -mount --rbind /proc "$mountPoint/proc" -mount --rbind /sys "$mountPoint/sys" - -# If we asked for a chroot, that means we're not actually installing anything (yeah I was confused too) -# and we just want to run a command in the context of a $mountPoint that we're assuming has already been -# set up by a previous nixos-install invocation. In that case we set up some remaining bind mounts and -# exec the requested command, skipping the rest of the installation procedure. -if [ -n "$runChroot" ]; then - mount -t tmpfs -o "mode=0755" none $mountPoint/run - rm -rf $mountPoint/var/run - ln -s /run $mountPoint/var/run - for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done - for f in /etc/passwd /etc/group; do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done - - if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then - echo "$0: installation not finished; cannot chroot into installation directory" - exit 1 - fi - ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system - exec chroot $mountPoint "${chrootCommand[@]}" +if [[ ! -e $NIXOS_CONFIG && -z $system ]]; then + echo "configuration file $NIXOS_CONFIG doesn't exist" + exit 1 fi -# A place to drop temporary closures +# A place to drop temporary stuff. trap "rm -rf $tmpdir" EXIT tmpdir="$(mktemp -d)" -# Build a closure (on the host; we then copy it into the guest) -function closure() { - nix-build "${extraBuildFlags[@]}" --no-out-link -E "with import <nixpkgs> {}; runCommand \"closure\" { exportReferencesGraph = [ \"x\" (buildEnv { name = \"env\"; paths = [ ($1) stdenv ]; }) ]; } \"cp x \$out\"" -} - -system_closure="$tmpdir/system.closure" -# Use a FIFO for piping nix-store --export into nix-store --import, saving disk -# I/O and space. nix-store --import is run by nixos-prepare-root. -mkfifo $system_closure - -if [ -z "$closure" ]; then - expr="(import <nixpkgs/nixos> {}).system" - system_root="$(nix-build -E "$expr")" - system_closure="$(closure "$expr")" -else - system_root=$closure - # Create a temporary file ending in .closure (so nixos-prepare-root knows to --import it) to transport the store closure - # to the filesytem we're preparing. Also delete it on exit! - # Run in background to avoid blocking while trying to write to the FIFO - # $system_closure refers to - nix-store --export $(nix-store -qR $closure) > $system_closure & -fi - -channel_root="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")" -channel_closure="$tmpdir/channel.closure" -nix-store --export $channel_root > $channel_closure - -# Populate the target root directory with the basics -@prepare_root@/bin/nixos-prepare-root "$mountPoint" "$channel_root" "$system_root" @nixClosure@ "$system_closure" "$channel_closure" - -# nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead -chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store +sub="auto?trusted=1" +# Build the system configuration in the target filesystem. +if [[ -z $system ]]; then + echo "building the configuration in $NIXOS_CONFIG..." + outLink="$tmpdir/system" + nix build --out-link "$outLink" --store "$mountPoint" "${extraBuildFlags[@]}" \ + --extra-substituters "$sub" \ + -f '<nixpkgs/nixos>' system -I "nixos-config=$NIXOS_CONFIG" + system=$(readlink -f $outLink) +fi +# Set the system profile to point to the configuration. TODO: combine +# this with the previous step once we have a nix-env replacement with +# a progress bar. +nix-env --store "$mountPoint" "${extraBuildFlags[@]}" \ + --extra-substituters "$sub" \ + -p $mountPoint/nix/var/nix/profiles/system --set "$system" + +# Copy the NixOS/Nixpkgs sources to the target as the initial contents +# of the NixOS channel. +if [[ -z $noChannelCopy ]]; then + if [[ -z $channelPath ]]; then + channelPath="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")" + fi + if [[ -n $channelPath ]]; then + echo "copying channel..." + mkdir -p $mountPoint/nix/var/nix/profiles/per-user/root + nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \ + -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet + install -m 0700 -d $mountPoint/root/.nix-defexpr + ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels + fi +fi -# Grub needs an mtab. -ln -sfn /proc/mounts $mountPoint/etc/mtab +# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out. +mkdir -m 0755 -p "$mountPoint/etc" +touch "$mountPoint/etc/NIXOS" # Switch to the new system configuration. This will install Grub with # a menu default pointing at the kernel/initrd/etc of the new # configuration. -echo "finalising the installation..." -if [ -z "$noBootLoader" ]; then - NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint \ - /nix/var/nix/profiles/system/bin/switch-to-configuration boot +if [[ -z $noBootLoader ]]; then + echo "installing the boot loader..." + # Grub needs an mtab. + ln -sfn /proc/mounts $mountPoint/etc/mtab + NIXOS_INSTALL_BOOTLOADER=1 nixos-enter --root "$mountPoint" -- /run/current-system/bin/switch-to-configuration boot fi -# Run the activation script. -chroot $mountPoint /nix/var/nix/profiles/system/activate - - -# Ask the user to set a root password. -if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/bin/passwd ] && [ -t 0 ]; then - echo "setting root password..." - chroot $mountPoint /run/wrappers/bin/passwd +# Ask the user to set a root password, but only if the passwd command +# exists (i.e. when mutable user accounts are enabled). +if [[ -z $noRootPasswd ]] && [ -t 0 ]; then + nixos-enter --root "$mountPoint" -c '[[ -e /nix/var/nix/profiles/system/sw/bin/passwd ]] && echo "setting root password..." && /nix/var/nix/profiles/system/sw/bin/passwd' fi - echo "installation finished!" diff --git a/nixos/modules/installer/tools/nixos-prepare-root.sh b/nixos/modules/installer/tools/nixos-prepare-root.sh deleted file mode 100644 index ed5af234fec9..000000000000 --- a/nixos/modules/installer/tools/nixos-prepare-root.sh +++ /dev/null @@ -1,104 +0,0 @@ -#! @shell@ - -# This script's goal is to perform all "static" setup of a filesystem structure from pre-built store paths. Everything -# in here should run in a non-root context and inside a Nix builder. It's designed primarily to be called from image- -# building scripts and from nixos-install, but because it makes very few assumptions about the context in which it runs, -# it could be useful in other contexts as well. -# -# Current behavior: -# - set up basic filesystem structure -# - make Nix store etc. -# - copy Nix, system, channel, and misceallaneous closures to target Nix store -# - register validity of all paths in the target store -# - set up channel and system profiles - -# Ensure a consistent umask. -umask 0022 - -set -e - -mountPoint="$1" -channel="$2" -system="$3" -shift 3 -closures="$@" - -PATH="@coreutils@/bin:@nix@/bin:@perl@/bin:@utillinux@/bin:@rsync@/bin" - -if ! test -e "$mountPoint"; then - echo "mount point $mountPoint doesn't exist" - exit 1 -fi - -# Create a few of the standard directories in the target root directory. -install -m 0755 -d $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home -install -m 01777 -d $mountPoint/tmp -install -m 0755 -d $mountPoint/tmp/root -install -m 0755 -d $mountPoint/var -install -m 0700 -d $mountPoint/root - -ln -sf /run $mountPoint/var/run - -# Create the necessary Nix directories on the target device -install -m 0755 -d \ - $mountPoint/nix/var/nix/gcroots \ - $mountPoint/nix/var/nix/temproots \ - $mountPoint/nix/var/nix/userpool \ - $mountPoint/nix/var/nix/profiles \ - $mountPoint/nix/var/nix/db \ - $mountPoint/nix/var/log/nix/drvs - -install -m 1775 -d $mountPoint/nix/store - -# All Nix operations below should operate on our target store, not /nix/store. -# N.B: this relies on Nix 1.12 or higher -export NIX_REMOTE=local?root=$mountPoint - -# Copy our closures to the Nix store on the target mount point, unless they're already there. -for i in $closures; do - # We support closures both in the format produced by `nix-store --export` and by `exportReferencesGraph`, - # mostly because there doesn't seem to be a single format that can be produced outside of a nix build and - # inside one. See https://github.com/NixOS/nix/issues/1242 for more discussion. - if [[ "$i" =~ \.closure$ ]]; then - echo "importing serialized closure $i to $mountPoint..." - nix-store --import < $i - else - # There has to be a better way to do this, right? - echo "copying closure $i to $mountPoint..." - for j in $(perl @pathsFromGraph@ $i); do - echo " $j... " - rsync -a $j $mountPoint/nix/store/ - done - - nix-store --option build-users-group root --register-validity < $i - fi -done - -# Create the required /bin/sh symlink; otherwise lots of things -# (notably the system() function) won't work. -if [ ! -x $mountPoint/@shell@ ]; then - echo "Error: @shell@ wasn't included in the closure" >&2 - exit 1 -fi -install -m 0755 -d $mountPoint/bin -ln -sf @shell@ $mountPoint/bin/sh - -echo "setting the system closure to '$system'..." -nix-env "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/system --set "$system" - -ln -sfn /nix/var/nix/profiles/system $mountPoint/run/current-system - -# Copy the NixOS/Nixpkgs sources to the target as the initial contents of the NixOS channel. -install -m 0755 -d $mountPoint/nix/var/nix/profiles -install -m 1777 -d $mountPoint/nix/var/nix/profiles/per-user -install -m 0755 -d $mountPoint/nix/var/nix/profiles/per-user/root - -if [ -z "$noChannelCopy" ] && [ -n "$channel" ]; then - echo "copying channel..." - nix-env --option build-use-substitutes false "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channel" --quiet -fi -install -m 0700 -d $mountPoint/root/.nix-defexpr -ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels - -# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out. -touch $mountPoint/etc/NIXOS diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh index 9ede74a54cd7..2af73519bc52 100644 --- a/nixos/modules/installer/tools/nixos-rebuild.sh +++ b/nixos/modules/installer/tools/nixos-rebuild.sh @@ -382,6 +382,6 @@ fi if [ "$action" = build-vm ]; then cat >&2 <<EOF -Done. The virtual machine can be started by running $(echo $pathToConfig/bin/run-*-vm). +Done. The virtual machine can be started by running $(echo $pathToConfig/bin/run-*-vm) EOF fi diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix index eab5f1147667..beac9e29d59c 100644 --- a/nixos/modules/installer/tools/tools.nix +++ b/nixos/modules/installer/tools/tools.nix @@ -1,7 +1,9 @@ # This module generates nixos-install, nixos-rebuild, # nixos-generate-config, etc. -{ config, pkgs, modulesPath, ... }: +{ config, lib, pkgs, modulesPath, ... }: + +with lib; let cfg = config.installer; @@ -16,28 +18,11 @@ let src = ./nixos-build-vms/nixos-build-vms.sh; }; - nixos-prepare-root = makeProg { - name = "nixos-prepare-root"; - src = ./nixos-prepare-root.sh; - - nix = pkgs.nixUnstable; - inherit (pkgs) perl pathsFromGraph rsync utillinux coreutils; - }; - nixos-install = makeProg { name = "nixos-install"; src = ./nixos-install.sh; - - inherit (pkgs) perl pathsFromGraph rsync; nix = config.nix.package.out; - cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - root_uid = config.ids.uids.root; - nixbld_gid = config.ids.gids.nixbld; - prepare_root = nixos-prepare-root; - - nixClosure = pkgs.runCommand "closure" - { exportReferencesGraph = ["refs" config.nix.package.out]; } - "cp refs $out"; + path = makeBinPath [ nixos-enter ]; }; nixos-rebuild = @@ -69,6 +54,11 @@ let inherit (config.system.nixos) version codeName revision; }; + nixos-enter = makeProg { + name = "nixos-enter"; + src = ./nixos-enter.sh; + }; + in { @@ -77,16 +67,16 @@ in environment.systemPackages = [ nixos-build-vms - nixos-prepare-root nixos-install nixos-rebuild nixos-generate-config nixos-option nixos-version + nixos-enter ]; system.build = { - inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild; + inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild nixos-enter; }; }; diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix index 5316cfce906b..13a0d7f4f6ee 100644 --- a/nixos/modules/installer/virtualbox-demo.nix +++ b/nixos/modules/installer/virtualbox-demo.nix @@ -19,4 +19,6 @@ with lib; # Add some more video drivers to give X11 a shot at working in # VMware and QEMU. services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ]; + + powerManagement.enable = false; } diff --git a/nixos/modules/misc/documentation.nix b/nixos/modules/misc/documentation.nix new file mode 100644 index 000000000000..2e426c017080 --- /dev/null +++ b/nixos/modules/misc/documentation.nix @@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let cfg = config.documentation; in + +{ + + options = { + + documentation = { + + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to install documentation of packages from + <option>environment.systemPackages</option> into the generated system path. + + See "Multiple-output packages" chapter in the nixpkgs manual for more info. + ''; + # which is at ../../../doc/multiple-output.xml + }; + + man.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to install manual pages and the <command>man</command> command. + This also includes "man" outputs. + ''; + }; + + info.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to install info pages and the <command>info</command> command. + This also includes "info" outputs. + ''; + }; + + doc.enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to install documentation distributed in packages' <literal>/share/doc</literal>. + Usually plain text and/or HTML. + This also includes "doc" outputs. + ''; + }; + + dev.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to install documentation targeted at developers. + <itemizedlist> + <listitem><para>This includes man pages targeted at developers if <option>man.enable</option> is + set (this also includes "devman" outputs).</para></listitem> + <listitem><para>This includes info pages targeted at developers if <option>info.enable</option> + is set (this also includes "devinfo" outputs).</para></listitem> + <listitem><para>This includes other pages targeted at developers if <option>doc.enable</option> + is set (this also includes "devdoc" outputs).</para></listitem> + </itemizedlist> + ''; + }; + + }; + + }; + + config = mkIf cfg.enable (mkMerge [ + + (mkIf cfg.man.enable { + environment.systemPackages = [ pkgs.man-db ]; + environment.pathsToLink = [ "/share/man" ]; + environment.extraOutputsToInstall = [ "man" ] ++ optional cfg.dev.enable [ "devman" ]; + }) + + (mkIf cfg.info.enable { + environment.systemPackages = [ pkgs.texinfoInteractive ]; + environment.pathsToLink = [ "/share/info" ]; + environment.extraOutputsToInstall = [ "info" ] ++ optional cfg.dev.enable [ "devinfo" ]; + }) + + (mkIf cfg.doc.enable { + # TODO(@oxij): put it here and remove from profiles? + # environment.systemPackages = [ pkgs.w3m ]; # w3m-nox? + environment.pathsToLink = [ "/share/doc" ]; + environment.extraOutputsToInstall = [ "doc" ] ++ optional cfg.dev.enable [ "devdoc" ]; + }) + + ]); + +} diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index c0c6a6ef9244..0ed820a32acc 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -56,7 +56,7 @@ #dialout = 27; # unused polkituser = 28; #utmp = 29; # unused - ddclient = 30; + # ddclient = 30; # converted to DynamicUser = true davfs2 = 31; #disnix = 33; # unused osgi = 34; @@ -106,7 +106,7 @@ freenet = 79; ircd = 80; bacula = 81; - almir = 82; + #almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08 deluge = 83; mysql = 84; rabbitmq = 85; @@ -138,7 +138,6 @@ ngircd = 112; btsync = 113; minecraft = 114; - #monetdb = 115; # unused (not packaged), removed 2016-09-19 vault = 115; rippled = 116; murmur = 117; @@ -233,7 +232,7 @@ calibre-server = 213; heapster = 214; bepasty = 215; - pumpio = 216; + # pumpio = 216; # unused, removed 2018-02-24 nm-openvpn = 217; mathics = 218; ejabberd = 219; @@ -304,6 +303,9 @@ mighttpd2 = 285; hass = 286; monero = 287; + ceph = 288; + duplicati = 289; + monetdb = 290; # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -342,7 +344,7 @@ dialout = 27; #polkituser = 28; # currently unused, polkitd doesn't need a group utmp = 29; - ddclient = 30; + # ddclient = 30; # converted to DynamicUser = true davfs2 = 31; disnix = 33; osgi = 34; @@ -392,7 +394,7 @@ freenet = 79; ircd = 80; bacula = 81; - almir = 82; + #almir = 82; # removed 2018-03-25, the almir package was removed in 30291227f2411abaca097773eedb49b8f259e297 during 2017-08 deluge = 83; mysql = 84; rabbitmq = 85; @@ -422,7 +424,6 @@ #ngircd = 112; # unused btsync = 113; #minecraft = 114; # unused - #monetdb = 115; # unused (not packaged), removed 2016-09-19 vault = 115; #ripped = 116; # unused #murmur = 117; # unused @@ -513,7 +514,7 @@ xtreemfs = 212; calibre-server = 213; bepasty = 215; - pumpio = 216; + # pumpio = 216; # unused, removed 2018-02-24 nm-openvpn = 217; mathics = 218; ejabberd = 219; @@ -576,6 +577,9 @@ mighttpd2 = 285; hass = 286; monero = 287; + ceph = 288; + duplicati = 289; + monetdb = 290; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index 51953d1110c4..ce5765cf1978 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix @@ -97,7 +97,7 @@ in { Whether not to index bind mounts ''; }; - + }; config = mkIf cfg.enable { @@ -133,13 +133,26 @@ in { systemd.services.update-locatedb = { description = "Update Locate Database"; path = mkIf (!isMLocate) [ pkgs.su ]; + + # mlocate's updatedb takes flags via a configuration file or + # on the command line, but not by environment variable. script = + if isMLocate + then let toFlags = x: optional (cfg.${x} != []) + "--${lib.toLower x} '${concatStringsSep " " cfg.${x}}'"; + args = concatLists (map toFlags ["pruneFS" "pruneNames" "prunePaths"]); + in '' + exec ${cfg.locate}/bin/updatedb \ + --output ${toString cfg.output} ${concatStringsSep " " args} \ + --prune-bind-mounts ${if cfg.pruneBindMounts then "yes" else "no"} \ + ${concatStringsSep " " cfg.extraFlags} '' + else '' exec ${cfg.locate}/bin/updatedb \ ${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \ --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags} ''; - environment = { + environment = optionalAttrs (!isMLocate) { PRUNEFS = concatStringsSep " " cfg.pruneFS; PRUNEPATHS = concatStringsSep " " cfg.prunePaths; PRUNENAMES = concatStringsSep " " cfg.pruneNames; diff --git a/nixos/modules/misc/nixpkgs.nix b/nixos/modules/misc/nixpkgs.nix index 11bd148d5dee..8fbe218b232a 100644 --- a/nixos/modules/misc/nixpkgs.nix +++ b/nixos/modules/misc/nixpkgs.nix @@ -33,7 +33,11 @@ let configType = mkOptionType { name = "nixpkgs-config"; description = "nixpkgs config"; - check = traceValIfNot isConfig; + check = x: + let traceXIfNot = c: + if c x then true + else lib.traceSeqN 1 x false; + in traceXIfNot isConfig; merge = args: fold (def: mergeConfig def.value) {}; }; @@ -58,10 +62,13 @@ in pkgs = mkOption { defaultText = literalExample ''import "''${nixos}/.." { - inherit (config.nixpkgs) config overlays system; + inherit (config.nixpkgs) config overlays localSystem crossSystem; } ''; - default = import ../../.. { inherit (cfg) config overlays system; }; + default = import ../../.. { + localSystem = { inherit (cfg) system; } // cfg.localSystem; + inherit (cfg) config overlays crossSystem; + }; type = pkgsType; example = literalExample ''import <nixpkgs> {}''; description = '' @@ -73,8 +80,9 @@ in relative to the location of this NixOS module, because NixOS and Nixpkgs are distributed together for consistency, so the <code>nixos</code> in the default value is in fact a - relative path. The <code>config</code>, <code>overlays</code> - and <code>system</code> come from this option's siblings. + relative path. The <code>config</code>, <code>overlays</code>, + <code>localSystem</code>, and <code>crossSystem</code> come + from this option's siblings. This option can be used by applications like NixOps to increase the performance of evaluation, or to create packages that depend @@ -130,14 +138,63 @@ in ''; }; + localSystem = mkOption { + type = types.attrs; # TODO utilize lib.systems.parsedPlatform + default = { system = builtins.currentSystem; }; + example = { system = "aarch64-linux"; config = "aarch64-unknown-linux-gnu"; }; + defaultText = literalExample + ''(import "''${nixos}/../lib").lib.systems.examples.aarch64-multiplatform''; + description = '' + Specifies the platform on which NixOS should be built. When + <code>nixpkgs.crossSystem</code> is unset, it also specifies + the platform <emphasis>for</emphasis> which NixOS should be + built. If this option is unset, it defaults to the platform + type of the machine where evaluation happens. Specifying this + option is useful when doing distributed multi-platform + deployment, or when building virtual machines. See its + description in the Nixpkgs manual for more details. + + Ignored when <code>nixpkgs.pkgs</code> is set. + ''; + }; + + crossSystem = mkOption { + type = types.nullOr types.attrs; # TODO utilize lib.systems.parsedPlatform + default = null; + example = { system = "aarch64-linux"; config = "aarch64-unknown-linux-gnu"; }; + defaultText = literalExample + ''(import "''${nixos}/../lib").lib.systems.examples.aarch64-multiplatform''; + description = '' + Specifies the platform for which NixOS should be + built. Specify this only if it is different from + <code>nixpkgs.localSystem</code>, the platform + <emphasis>on</emphasis> which NixOS should be built. In other + words, specify this to cross-compile NixOS. Otherwise it + should be set as null, the default. See its description in the + Nixpkgs manual for more details. + + Ignored when <code>nixpkgs.pkgs</code> is set. + ''; + }; + system = mkOption { type = types.str; example = "i686-linux"; description = '' - Specifies the Nix platform type for which NixOS should be built. - If unset, it defaults to the platform type of your host system. - Specifying this option is useful when doing distributed - multi-platform deployment, or when building virtual machines. + Specifies the Nix platform type on which NixOS should be built. + It is better to specify <code>nixpkgs.localSystem</code> instead. + <programlisting> + { + nixpkgs.system = ..; + } + </programlisting> + is the same as + <programlisting> + { + nixpkgs.localSystem.system = ..; + } + </programlisting> + See <code>nixpkgs.localSystem</code> for more information. Ignored when <code>nixpkgs.pkgs</code> is set. ''; diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index 6af584250a70..74c86443ab90 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -5,8 +5,6 @@ with lib; let cfg = config.system.nixos; - releaseFile = "${toString pkgs.path}/.version"; - suffixFile = "${toString pkgs.path}/.version-suffix"; revisionFile = "${toString pkgs.path}/.git-revision"; gitRepo = "${toString pkgs.path}/.git"; gitCommitId = lib.substring 0 7 (commitIdFromGitRepo gitRepo); @@ -25,14 +23,14 @@ in nixos.release = mkOption { readOnly = true; type = types.str; - default = fileContents releaseFile; + default = trivial.release; description = "The NixOS release (e.g. <literal>16.03</literal>)."; }; nixos.versionSuffix = mkOption { internal = true; type = types.str; - default = if pathExists suffixFile then fileContents suffixFile else "pre-git"; + default = trivial.versionSuffix; description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>)."; }; @@ -85,8 +83,8 @@ in revision = mkIf (pathIsDirectory gitRepo) (mkDefault gitCommitId); versionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId)); - # Note: code names must only increase in alphabetical order. - codeName = "Impala"; + # Note: the first letter is bumped on every release. It's an animal. + codeName = "Jellyfish"; }; # Generate /etc/os-release. See diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 13a32b968dcb..505c5497d36d 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -41,6 +41,7 @@ ./hardware/pcmcia.nix ./hardware/raid/hpsa.nix ./hardware/usb-wwan.nix + ./hardware/onlykey.nix ./hardware/video/amdgpu.nix ./hardware/video/amdgpu-pro.nix ./hardware/video/ati.nix @@ -58,6 +59,7 @@ ./installer/tools/tools.nix ./misc/assertions.nix ./misc/crashdump.nix + ./misc/documentation.nix ./misc/extra-arguments.nix ./misc/ids.nix ./misc/lib.nix @@ -85,12 +87,11 @@ ./programs/freetds.nix ./programs/gnupg.nix ./programs/gphoto2.nix - ./programs/info.nix + ./programs/iftop.nix ./programs/java.nix ./programs/kbdlight.nix ./programs/less.nix ./programs/light.nix - ./programs/man.nix ./programs/mosh.nix ./programs/mtr.nix ./programs/nano.nix @@ -104,6 +105,7 @@ ./programs/shadow.nix ./programs/shell.nix ./programs/spacefm.nix + ./programs/singularity.nix ./programs/ssh.nix ./programs/ssmtp.nix ./programs/sysdig.nix @@ -157,12 +159,14 @@ ./services/audio/slimserver.nix ./services/audio/squeezelite.nix ./services/audio/ympd.nix - ./services/backup/almir.nix ./services/backup/bacula.nix + ./services/backup/borgbackup.nix + ./services/backup/duplicati.nix ./services/backup/crashplan.nix ./services/backup/crashplan-small-business.nix ./services/backup/mysql-backup.nix ./services/backup/postgresql-backup.nix + ./services/backup/restic.nix ./services/backup/rsnapshot.nix ./services/backup/tarsnap.nix ./services/backup/znapzend.nix @@ -191,9 +195,11 @@ ./services/databases/clickhouse.nix ./services/databases/couchdb.nix ./services/databases/firebird.nix + ./services/databases/foundationdb.nix ./services/databases/hbase.nix ./services/databases/influxdb.nix ./services/databases/memcached.nix + ./services/databases/monetdb.nix ./services/databases/mongodb.nix ./services/databases/mysql.nix ./services/databases/neo4j.nix @@ -245,6 +251,7 @@ ./services/hardware/illum.nix ./services/hardware/interception-tools.nix ./services/hardware/irqbalance.nix + ./services/hardware/lcd.nix ./services/hardware/nvidia-optimus.nix ./services/hardware/pcscd.nix ./services/hardware/pommed.nix @@ -324,6 +331,7 @@ #./services/misc/gitit.nix ./services/misc/gitlab.nix ./services/misc/gitolite.nix + ./services/misc/gitweb.nix ./services/misc/gogs.nix ./services/misc/gollum.nix ./services/misc/gpsd.nix @@ -361,6 +369,8 @@ ./services/misc/rippled.nix ./services/misc/ripple-data-api.nix ./services/misc/rogue.nix + ./services/misc/serviio.nix + ./services/misc/safeeyes.nix ./services/misc/siproxd.nix ./services/misc/snapper.nix ./services/misc/sonarr.nix @@ -396,16 +406,7 @@ ./services/monitoring/osquery.nix ./services/monitoring/prometheus/default.nix ./services/monitoring/prometheus/alertmanager.nix - ./services/monitoring/prometheus/blackbox-exporter.nix - ./services/monitoring/prometheus/collectd-exporter.nix - ./services/monitoring/prometheus/fritzbox-exporter.nix - ./services/monitoring/prometheus/json-exporter.nix - ./services/monitoring/prometheus/minio-exporter.nix - ./services/monitoring/prometheus/nginx-exporter.nix - ./services/monitoring/prometheus/node-exporter.nix - ./services/monitoring/prometheus/snmp-exporter.nix - ./services/monitoring/prometheus/unifi-exporter.nix - ./services/monitoring/prometheus/varnish-exporter.nix + ./services/monitoring/prometheus/exporters.nix ./services/monitoring/riemann.nix ./services/monitoring/riemann-dash.nix ./services/monitoring/riemann-tools.nix @@ -439,6 +440,7 @@ ./services/network-filesystems/u9fs.nix ./services/network-filesystems/yandex-disk.nix ./services/network-filesystems/xtreemfs.nix + ./services/network-filesystems/ceph.nix ./services/networking/amuled.nix ./services/networking/aria2.nix ./services/networking/asterisk.nix @@ -482,6 +484,7 @@ ./services/networking/gnunet.nix ./services/networking/gogoclient.nix ./services/networking/gvpe.nix + ./services/networking/hans.nix ./services/networking/haproxy.nix ./services/networking/heyefi.nix ./services/networking/hostapd.nix @@ -535,7 +538,7 @@ ./services/networking/prayer.nix ./services/networking/privoxy.nix ./services/networking/prosody.nix - # ./services/networking/quagga.nix + ./services/networking/quagga.nix ./services/networking/quassel.nix ./services/networking/racoon.nix ./services/networking/radicale.nix @@ -549,6 +552,7 @@ ./services/networking/searx.nix ./services/networking/seeks.nix ./services/networking/skydns.nix + ./services/networking/shadowsocks.nix ./services/networking/shairport-sync.nix ./services/networking/shout.nix ./services/networking/sniproxy.nix @@ -560,6 +564,7 @@ ./services/networking/ssh/lshd.nix ./services/networking/ssh/sshd.nix ./services/networking/strongswan.nix + ./services/networking/strongswan-swanctl/module.nix ./services/networking/stunnel.nix ./services/networking/supplicant.nix ./services/networking/supybot.nix @@ -637,11 +642,9 @@ ./services/web-apps/atlassian/jira.nix ./services/web-apps/frab.nix ./services/web-apps/mattermost.nix - ./services/web-apps/nixbot.nix ./services/web-apps/nexus.nix ./services/web-apps/pgpkeyserver-lite.nix ./services/web-apps/matomo.nix - ./services/web-apps/pump.io.nix ./services/web-apps/restya-board.nix ./services/web-apps/tt-rss.nix ./services/web-apps/selfoss.nix @@ -649,6 +652,7 @@ ./services/web-servers/apache-httpd/default.nix ./services/web-servers/caddy.nix ./services/web-servers/fcgiwrap.nix + ./services/web-servers/hitch/default.nix ./services/web-servers/jboss/default.nix ./services/web-servers/lighttpd/cgit.nix ./services/web-servers/lighttpd/collectd.nix @@ -658,6 +662,7 @@ ./services/web-servers/mighttpd2.nix ./services/web-servers/minio.nix ./services/web-servers/nginx/default.nix + ./services/web-servers/nginx/gitweb.nix ./services/web-servers/phpfpm/default.nix ./services/web-servers/shellinabox.nix ./services/web-servers/tomcat.nix diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index 39b8553976eb..3bf06a951193 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -9,7 +9,7 @@ environment.systemPackages = [ pkgs.w3m-nox # needed for the manual anyway pkgs.testdisk # useful for repairing boot problems - pkgs.mssys # for writing Microsoft boot sectors / MBRs + pkgs.ms-sys # for writing Microsoft boot sectors / MBRs pkgs.efibootmgr pkgs.efivar pkgs.parted diff --git a/nixos/modules/profiles/demo.nix b/nixos/modules/profiles/demo.nix index ef6fd77b5f8d..c3ee6e98371e 100644 --- a/nixos/modules/profiles/demo.nix +++ b/nixos/modules/profiles/demo.nix @@ -10,4 +10,10 @@ password = "demo"; uid = 1000; }; + + services.xserver.displayManager.sddm.autoLogin = { + enable = true; + relogin = true; + user = "demo"; + }; } diff --git a/nixos/modules/profiles/docker-container.nix b/nixos/modules/profiles/docker-container.nix index 433492b96137..7031d7d1d593 100644 --- a/nixos/modules/profiles/docker-container.nix +++ b/nixos/modules/profiles/docker-container.nix @@ -14,9 +14,7 @@ in { ]; # Create the tarball - system.build.tarball = import ../../lib/make-system-tarball.nix { - inherit (pkgs) stdenv perl xz pathsFromGraph; - + system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix { contents = []; extraArgs = "--owner=0"; diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index 506a6ee3eaa8..43f06c219f82 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -72,7 +72,13 @@ with lib; # To speed up installation a little bit, include the complete # stdenv in the Nix store on the CD. - system.extraDependencies = with pkgs; [ stdenv stdenvNoCC busybox ]; + system.extraDependencies = with pkgs; + [ + stdenv + stdenvNoCC # for runCommand + busybox + jq # for closureInfo + ]; # Show all debug messages from the kernel but don't log refused packets # because we have the firewall enabled. This makes installs from the diff --git a/nixos/modules/profiles/minimal.nix b/nixos/modules/profiles/minimal.nix index e2497d04252e..40df7063a9bf 100644 --- a/nixos/modules/profiles/minimal.nix +++ b/nixos/modules/profiles/minimal.nix @@ -10,10 +10,9 @@ with lib; # This isn't perfect, but let's expect the user specifies an UTF-8 defaultLocale i18n.supportedLocales = [ (config.i18n.defaultLocale + "/UTF-8") ]; - services.nixosManual.enable = mkDefault false; - programs.man.enable = mkDefault false; - programs.info.enable = mkDefault false; + documentation.enable = mkDefault false; + services.nixosManual.enable = mkDefault false; sound.enable = mkDefault false; } diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix index 1a62f04972df..69a1a482d074 100644 --- a/nixos/modules/programs/bash/bash.nix +++ b/nixos/modules/programs/bash/bash.nix @@ -110,7 +110,7 @@ in }; enableCompletion = mkOption { - default = false; + default = true; description = '' Enable Bash completion for all interactive bash shells. ''; @@ -126,7 +126,7 @@ in programs.bash = { shellInit = '' - . ${config.system.build.setEnvironment} + ${config.system.build.setEnvironment.text} ${cfge.shellInit} ''; diff --git a/nixos/modules/programs/digitalbitbox/doc.xml b/nixos/modules/programs/digitalbitbox/doc.xml index 7acbc2fc4dde..a26653dda535 100644 --- a/nixos/modules/programs/digitalbitbox/doc.xml +++ b/nixos/modules/programs/digitalbitbox/doc.xml @@ -15,9 +15,9 @@ installed by setting <literal>programs.digitalbitbox</literal> to <literal>true</literal> in a manner similar to - <programlisting> - programs.digitalbitbox.enable = true; - </programlisting> +<programlisting> +<xref linkend="opt-programs.digitalbitbox.enable"/> = true; +</programlisting> and bundles the <literal>digitalbitbox</literal> package (see <xref linkend="sec-digitalbitbox-package" />), which contains the @@ -46,11 +46,11 @@ <literal>digitalbitbox</literal> package which could be installed as follows: - <programlisting> - environment.systemPackages = [ - pkgs.digitalbitbox - ]; - </programlisting> +<programlisting> +<xref linkend="opt-environment.systemPackages"/> = [ + pkgs.digitalbitbox +]; +</programlisting> </para> </section> @@ -62,9 +62,9 @@ The digitalbitbox hardware package enables the udev rules for Digital Bitbox devices and may be installed as follows: - <programlisting> - hardware.digitalbitbox.enable = true; - </programlisting> +<programlisting> +<xref linkend="opt-hardware.digitalbitbox.enable"/> = true; +</programlisting> </para> <para> @@ -72,14 +72,14 @@ the <literal>udevRule51</literal> and <literal>udevRule52</literal> attributes by means of overriding as follows: - <programlisting> - programs.digitalbitbox = { - enable = true; - package = pkgs.digitalbitbox.override { - udevRule51 = "something else"; - }; - }; - </programlisting> +<programlisting> +programs.digitalbitbox = { + <link linkend="opt-programs.digitalbitbox.enable">enable</link> = true; + <link linkend="opt-programs.digitalbitbox.package">package</link> = pkgs.digitalbitbox.override { + udevRule51 = "something else"; + }; +}; +</programlisting> </para> </section> </chapter> diff --git a/nixos/modules/programs/iftop.nix b/nixos/modules/programs/iftop.nix new file mode 100644 index 000000000000..a98a9a8187d4 --- /dev/null +++ b/nixos/modules/programs/iftop.nix @@ -0,0 +1,18 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.programs.iftop; +in { + options = { + programs.iftop.enable = mkEnableOption "iftop + setcap wrapper"; + }; + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.iftop ]; + security.wrappers.iftop = { + source = "${pkgs.iftop}/bin/iftop"; + capabilities = "cap_net_raw+p"; + }; + }; +} diff --git a/nixos/modules/programs/info.nix b/nixos/modules/programs/info.nix deleted file mode 100644 index be6439dca5ad..000000000000 --- a/nixos/modules/programs/info.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - - options = { - - programs.info.enable = mkOption { - type = types.bool; - default = true; - description = '' - Whether to enable info pages and the <command>info</command> command. - ''; - }; - - }; - - - config = mkIf config.programs.info.enable { - - environment.systemPackages = [ pkgs.texinfoInteractive ]; - - environment.pathsToLink = [ "/info" "/share/info" ]; - - environment.extraOutputsToInstall = [ "info" ]; - - }; - -} diff --git a/nixos/modules/programs/less.nix b/nixos/modules/programs/less.nix index c0283c9e6862..d39103a58057 100644 --- a/nixos/modules/programs/less.nix +++ b/nixos/modules/programs/less.nix @@ -6,7 +6,7 @@ let cfg = config.programs.less; - configFile = '' + configText = if (cfg.configFile != null) then (builtins.readFile cfg.configFile) else '' #command ${concatStringsSep "\n" (mapAttrsToList (command: action: "${command} ${action}") cfg.commands) @@ -25,7 +25,7 @@ let ''; lessKey = pkgs.runCommand "lesskey" - { src = pkgs.writeText "lessconfig" configFile; } + { src = pkgs.writeText "lessconfig" configText; } "${pkgs.less}/bin/lesskey -o $out $src"; in @@ -37,6 +37,19 @@ in enable = mkEnableOption "less"; + configFile = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExample "$${pkgs.my-configs}/lesskey"; + description = '' + Path to lesskey configuration file. + + <option>configFile</option> takes precedence over <option>commands</option>, + <option>clearDefaultCommands</option>, <option>lineEditingKeys</option>, and + <option>envVariables</option>. + ''; + }; + commands = mkOption { type = types.attrsOf types.str; default = {}; diff --git a/nixos/modules/programs/man.nix b/nixos/modules/programs/man.nix deleted file mode 100644 index 5b20a38d8856..000000000000 --- a/nixos/modules/programs/man.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - - options = { - - programs.man.enable = mkOption { - type = types.bool; - default = true; - description = '' - Whether to enable manual pages and the <command>man</command> command. - This also includes "man" outputs of all <literal>systemPackages</literal>. - ''; - }; - - }; - - - config = mkIf config.programs.man.enable { - - environment.systemPackages = [ pkgs.man-db ]; - - environment.pathsToLink = [ "/share/man" ]; - - environment.extraOutputsToInstall = [ "man" ]; - - }; - -} diff --git a/nixos/modules/programs/plotinus.xml b/nixos/modules/programs/plotinus.xml index 85b0e023e6c1..91740ee16ec2 100644 --- a/nixos/modules/programs/plotinus.xml +++ b/nixos/modules/programs/plotinus.xml @@ -17,7 +17,7 @@ <para>To enable Plotinus, add the following to your <filename>configuration.nix</filename>: <programlisting> -programs.plotinus.enable = true; +<xref linkend="opt-programs.plotinus.enable"/> = true; </programlisting> </para> diff --git a/nixos/modules/programs/rootston.nix b/nixos/modules/programs/rootston.nix index 1946b1db657b..842d9e6cfb48 100644 --- a/nixos/modules/programs/rootston.nix +++ b/nixos/modules/programs/rootston.nix @@ -6,7 +6,7 @@ let cfg = config.programs.rootston; rootstonWrapped = pkgs.writeScriptBin "rootston" '' - #! ${pkgs.stdenv.shell} + #! ${pkgs.runtimeShell} if [[ "$#" -ge 1 ]]; then exec ${pkgs.rootston}/bin/rootston "$@" else diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix new file mode 100644 index 000000000000..86153d933855 --- /dev/null +++ b/nixos/modules/programs/singularity.nix @@ -0,0 +1,20 @@ +{ config, pkgs, lib, ... }: + +with lib; +let + cfg = config.programs.singularity; +in { + options.programs.singularity = { + enable = mkEnableOption "Singularity"; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.singularity ]; + systemd.tmpfiles.rules = [ "d /var/singularity/mnt/session 0770 root root -" + "d /var/singularity/mnt/final 0770 root root -" + "d /var/singularity/mnt/overlay 0770 root root -" + "d /var/singularity/mnt/container 0770 root root -" + "d /var/singularity/mnt/source 0770 root root -"]; + }; + +} diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 0935bf0cae71..36289080a82a 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -13,7 +13,7 @@ let askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')" exec ${askPassword} ''; diff --git a/nixos/modules/programs/zsh/zsh.nix b/nixos/modules/programs/zsh/zsh.nix index 5102bfef0325..f689250dc61f 100644 --- a/nixos/modules/programs/zsh/zsh.nix +++ b/nixos/modules/programs/zsh/zsh.nix @@ -108,7 +108,7 @@ in if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi export __ETC_ZSHENV_SOURCED=1 - . ${config.system.build.setEnvironment} + ${config.system.build.setEnvironment.text} ${cfge.shellInit} diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 489d7d8b9b50..a1ead80cc215 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -4,6 +4,7 @@ with lib; { imports = [ + (mkRenamedOptionModule [ "dysnomia" ] [ "services" "dysnomia" ]) (mkRenamedOptionModule [ "environment" "x11Packages" ] [ "environment" "systemPackages" ]) (mkRenamedOptionModule [ "environment" "enableBashCompletion" ] [ "programs" "bash" "enableCompletion" ]) (mkRenamedOptionModule [ "environment" "nix" ] [ "nix" "package" ]) @@ -22,6 +23,8 @@ with lib; (config: let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config; in if enabled then [ pkgs.gutenprint ] else [ ])) + (mkRenamedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ]) + (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "") (mkRenamedOptionModule [ "services" "elasticsearch" "host" ] [ "services" "elasticsearch" "listenAddress" ]) (mkRenamedOptionModule [ "services" "graphite" "api" "host" ] [ "services" "graphite" "api" "listenAddress" ]) (mkRenamedOptionModule [ "services" "graphite" "web" "host" ] [ "services" "graphite" "web" "listenAddress" ]) @@ -186,22 +189,24 @@ with lib; (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ]) # Fontconfig - (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "config" "fonts" "fontconfig" "allowBitmaps" ]) - (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "allowType1" ] [ "config" "fonts" "fontconfig" "allowType1" ]) - (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "config" "fonts" "fontconfig" "useEmbeddedBitmaps" ]) - (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "config" "fonts" "fontconfig" "forceAutohint" ]) - (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "config" "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "fonts" "fontconfig" "allowBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "allowType1" ] [ "fonts" "fontconfig" "allowType1" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ]) + (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ]) # Profile splitting (mkRenamedOptionModule [ "virtualization" "growPartition" ] [ "boot" "growPartition" ]) # misc/version.nix - (mkRenamedOptionModule [ "config" "system" "nixosVersion" ] [ "config" "system" "nixos" "version" ]) - (mkRenamedOptionModule [ "config" "system" "nixosRelease" ] [ "config" "system" "nixos" "release" ]) - (mkRenamedOptionModule [ "config" "system" "nixosVersionSuffix" ] [ "config" "system" "nixos" "versionSuffix" ]) - (mkRenamedOptionModule [ "config" "system" "nixosRevision" ] [ "config" "system" "nixos" "revision" ]) - (mkRenamedOptionModule [ "config" "system" "nixosCodeName" ] [ "config" "system" "nixos" "codeName" ]) - (mkRenamedOptionModule [ "config" "system" "nixosLabel" ] [ "config" "system" "nixos" "label" ]) + (mkRenamedOptionModule [ "system" "nixosVersion" ] [ "system" "nixos" "version" ]) + (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ]) + (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ]) + (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ]) + + # Users + (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ]) + (mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ]) # Options that are obsolete and have no replacement. (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "") @@ -240,5 +245,15 @@ with lib; # Xen (mkRenamedOptionModule [ "virtualisation" "xen" "qemu-package" ] [ "virtualisation" "xen" "package-qemu" ]) - ]; + + (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) + (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) + + ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" + "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" + "snmpExporter" "unifiExporter" "varnishExporter" ] + (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] '' + The prometheus exporters are now configured using `services.prometheus.exporters'. + See the 18.03 release notes for more information. + '' )); } diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 0736239ed2cf..e430c2ddb903 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -58,9 +58,11 @@ let default = ""; example = "systemctl reload nginx.service"; description = '' - Commands to run after certificates are re-issued. Typically + Commands to run after new certificates go live. Typically the web server and other servers using certificates need to be reloaded. + + Executed in the same directory with the new certificate. ''; }; @@ -78,6 +80,27 @@ let ''; }; + activationDelay = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Systemd time span expression to delay copying new certificates to main + state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + ''; + }; + + preDelay = mkOption { + type = types.lines; + default = ""; + description = '' + Commands to run after certificates are re-issued but before they are + activated. Typically the new certificate is published to DNS. + + Executed in the same directory with the new certificate. + ''; + }; + extraDomains = mkOption { type = types.attrsOf (types.nullOr types.str); default = {}; @@ -140,14 +163,6 @@ in ''; }; - tosHash = mkOption { - type = types.string; - default = "cc88d8d9517f490191401e7b54e9ffd12a2b9082ec7a1d4cec6101f9f1647e7b"; - description = '' - SHA256 of the Terms of Services document. This changes once in a while. - ''; - }; - production = mkOption { type = types.bool; default = true; @@ -194,14 +209,15 @@ in servicesLists = mapAttrsToList certToServices cfg.certs; certToServices = cert: data: let - cpath = "${cfg.directory}/${cert}"; + domain = if data.domain != null then data.domain else cert; + cpath = lpath + optionalString (data.activationDelay != null) ".staging"; + lpath = "${cfg.directory}/${cert}"; rights = if data.allowKeysForGroup then "750" else "700"; - cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin "--tos_sha256" cfg.tosHash ] + cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ] ++ optionals (data.email != null) [ "--email" data.email ] ++ concatMap (p: [ "-f" p ]) data.plugins ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) - ++ (if cfg.production then [] - else ["--server" "https://acme-staging.api.letsencrypt.org/directory"]); + ++ optionals (!cfg.production) ["--server" "https://acme-staging.api.letsencrypt.org/directory"]; acmeService = { description = "Renew ACME Certificate for ${cert}"; after = [ "network.target" "network-online.target" ]; @@ -214,7 +230,7 @@ in Group = data.group; PrivateTmp = true; }; - path = [ pkgs.simp_le ]; + path = with pkgs; [ simp_le systemd ]; preStart = '' mkdir -p '${cfg.directory}' chown 'root:root' '${cfg.directory}' @@ -237,17 +253,39 @@ in exit "$EXITCODE" ''; postStop = '' + cd '${cpath}' + if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then - echo "Executing postRun hook..." - ${data.postRun} + ${if data.activationDelay != null then '' + + ${data.preDelay} + + if [ -d '${lpath}' ]; then + systemd-run --no-block --on-active='${data.activationDelay}' --unit acme-setlive-${cert}.service + else + systemctl --wait start acme-setlive-${cert}.service + fi + '' else data.postRun} fi ''; before = [ "acme-certificates.target" ]; wantedBy = [ "acme-certificates.target" ]; }; + delayService = { + description = "Set certificate for ${cert} live"; + path = with pkgs; [ rsync ]; + serviceConfig = { + Type = "oneshot"; + }; + script = '' + rsync -a --delete-after '${cpath}/' '${lpath}' + ''; + postStop = data.postRun; + }; selfsignedService = { description = "Create preliminary self-signed certificate for ${cert}"; + path = [ pkgs.openssl ]; preStart = '' if [ ! -d '${cpath}' ] then @@ -258,37 +296,41 @@ in ''; script = '' - # Create self-signed key - workdir="/run/acme-selfsigned-${cert}" - ${pkgs.openssl.bin}/bin/openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048 - ${pkgs.openssl.bin}/bin/openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key - ${pkgs.openssl.bin}/bin/openssl req -new -key $workdir/server.key -out $workdir/server.csr \ + workdir="$(mktemp -d)" + + # Create CA + openssl genrsa -des3 -passout pass:x -out $workdir/ca.pass.key 2048 + openssl rsa -passin pass:x -in $workdir/ca.pass.key -out $workdir/ca.key + openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \ + -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com" + openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt + + # Create key + openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048 + openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key + openssl req -new -key $workdir/server.key -out $workdir/server.csr \ -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" - ${pkgs.openssl.bin}/bin/openssl x509 -req -days 1 -in $workdir/server.csr -signkey $workdir/server.key -out $workdir/server.crt + openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \ + -CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \ + -out $workdir/server.crt - # Move key to destination - mv $workdir/server.key ${cpath}/key.pem - mv $workdir/server.crt ${cpath}/fullchain.pem + # Copy key to destination + cp $workdir/server.key ${cpath}/key.pem - # Create full.pem for e.g. lighttpd (same format as "simp_le ... -f full.pem" creates) - cat "${cpath}/key.pem" "${cpath}/fullchain.pem" > "${cpath}/full.pem" + # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates) + cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem" - # Clean up working directory - rm $workdir/server.csr - rm $workdir/server.pass.key + # Create full.pem for e.g. lighttpd + cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem" # Give key acme permissions - chmod ${rights} '${cpath}/key.pem' - chown '${data.user}:${data.group}' '${cpath}/key.pem' - chmod ${rights} '${cpath}/fullchain.pem' - chown '${data.user}:${data.group}' '${cpath}/fullchain.pem' - chmod ${rights} '${cpath}/full.pem' - chown '${data.user}:${data.group}' '${cpath}/full.pem' + chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem + chmod ${rights} "${cpath}/"{key,fullchain,full}.pem ''; serviceConfig = { Type = "oneshot"; - RuntimeDirectory = "acme-selfsigned-${cert}"; PermissionsStartOnly = true; + PrivateTmp = true; User = data.user; Group = data.group; }; @@ -305,11 +347,8 @@ in }; in ( [ { name = "acme-${cert}"; value = acmeService; } ] - ++ - (if cfg.preliminarySelfsigned - then [ { name = "acme-selfsigned-${cert}"; value = selfsignedService; } ] - else [] - ) + ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; } + ++ optional (data.activationDelay != null) { name = "acme-setlive-${cert}"; value = delayService; } ); servicesAttr = listToAttrs services; injectServiceDep = { diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml index 6130ed82ed38..7cdc554989ea 100644 --- a/nixos/modules/security/acme.xml +++ b/nixos/modules/security/acme.xml @@ -48,9 +48,9 @@ http { <filename>configuration.nix</filename>: <programlisting> -security.acme.certs."foo.example.com" = { - webroot = "/var/www/challenges"; - email = "foo@example.com"; +<xref linkend="opt-security.acme.certs"/>."foo.example.com" = { + <link linkend="opt-security.acme.certs._name_.webroot">webroot</link> = "/var/www/challenges"; + <link linkend="opt-security.acme.certs._name_.email">email</link> = "foo@example.com"; }; </programlisting> </para> @@ -58,17 +58,17 @@ security.acme.certs."foo.example.com" = { <para>The private key <filename>key.pem</filename> and certificate <filename>fullchain.pem</filename> will be put into <filename>/var/lib/acme/foo.example.com</filename>. The target directory can -be configured with the option <literal>security.acme.directory</literal>. +be configured with the option <xref linkend="opt-security.acme.directory"/>. </para> <para>Refer to <xref linkend="ch-options" /> for all available configuration -options for the <literal>security.acme</literal> module.</para> +options for the <link linkend="opt-security.acme.certs">security.acme</link> module.</para> </section> <section><title>Using ACME certificates in Nginx</title> <para>NixOS supports fetching ACME certificates for you by setting -<literal>enableACME = true;</literal> in a virtualHost config. We + <literal><link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;</literal> in a virtualHost config. We first create self-signed placeholder certificates in place of the real ACME certs. The placeholder certs are overwritten when the ACME certs arrive. For <literal>foo.example.com</literal> the config would @@ -77,13 +77,13 @@ look like. <programlisting> services.nginx = { - enable = true; - virtualHosts = { + <link linkend="opt-services.nginx.enable">enable = true;</link> + <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = { "foo.example.com" = { - forceSSL = true; - enableACME = true; + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; locations."/" = { - root = "/var/www"; + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.root">root</link> = "/var/www"; }; }; }; diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix index 7ac21fd96507..2b22bdd9f0ae 100644 --- a/nixos/modules/security/audit.nix +++ b/nixos/modules/security/audit.nix @@ -13,7 +13,7 @@ let }; disableScript = pkgs.writeScript "audit-disable" '' - #!${pkgs.stdenv.shell} -eu + #!${pkgs.runtimeShell} -eu # Explicitly disable everything, as otherwise journald might start it. auditctl -D auditctl -e 0 -a task,never @@ -23,7 +23,7 @@ let # put in the store like this. At the same time, it doesn't feel like a huge deal and working # around that is a pain so I'm leaving it like this for now. startScript = pkgs.writeScript "audit-start" '' - #!${pkgs.stdenv.shell} -eu + #!${pkgs.runtimeShell} -eu # Clear out any rules we may start with auditctl -D @@ -43,7 +43,7 @@ let ''; stopScript = pkgs.writeScript "audit-stop" '' - #!${pkgs.stdenv.shell} -eu + #!${pkgs.runtimeShell} -eu # Clear the rules auditctl -D diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 9ca818e86ffa..df6108dede7c 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -25,14 +25,14 @@ let loginCfgFile = optional cfg.ssh.enable { source = pkgs.writeText "login_duo.conf" configFile; mode = "0600"; - uid = config.ids.uids.sshd; + user = "sshd"; target = "duo/login_duo.conf"; }; pamCfgFile = optional cfg.pam.enable { source = pkgs.writeText "pam_duo.conf" configFile; mode = "0600"; - uid = config.ids.uids.sshd; + user = "sshd"; target = "duo/pam_duo.conf"; }; in diff --git a/nixos/modules/security/hidepid.xml b/nixos/modules/security/hidepid.xml index 5715ee7ac165..d69341eb3cde 100644 --- a/nixos/modules/security/hidepid.xml +++ b/nixos/modules/security/hidepid.xml @@ -8,9 +8,9 @@ <para> Setting - <programlisting> - security.hideProcessInformation = true; - </programlisting> +<programlisting> +<xref linkend="opt-security.hideProcessInformation"/> = true; +</programlisting> ensures that access to process information is restricted to the owning user. This implies, among other things, that command-line arguments remain private. Unless your deployment relies on unprivileged @@ -25,9 +25,9 @@ <para> To allow a service <replaceable>foo</replaceable> to run without process information hiding, set - <programlisting> - systemd.services.<replaceable>foo</replaceable>.serviceConfig.SupplementaryGroups = [ "proc" ]; - </programlisting> +<programlisting> +<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ]; +</programlisting> </para> </chapter> diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index e1cad03e66e2..48998285d89d 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -234,6 +234,11 @@ let password, KDE will prompt separately after login. ''; }; + sssdStrictAccess = mkOption { + default = false; + type = types.bool; + description = "enforce sssd access control"; + }; enableGnomeKeyring = mkOption { default = false; @@ -264,11 +269,13 @@ let text = mkDefault ('' # Account management. - account sufficient pam_unix.so + account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so ${optionalString use_ldap "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} - ${optionalString config.services.sssd.enable + ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} + ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) + "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"} ${optionalString config.krb5.enable "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} @@ -386,7 +393,7 @@ let ${optionalString (cfg.enableGnomeKeyring) "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} ${optionalString (config.virtualisation.lxc.lxcfs.enable) - "session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"} + "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} ''); }; diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index a57f14bb5ae1..24283e1d6165 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -47,8 +47,8 @@ in default = true; description = '' - Whether users of the <code>wheel</code> group can execute - commands as super user without entering a password. + Whether users of the <code>wheel</code> group must + provide a password to run commands as super user via <command>sudo</command>. ''; }; @@ -215,7 +215,7 @@ in { src = pkgs.writeText "sudoers-in" cfg.configFile; } # Make sure that the sudoers file is syntactically valid. # (currently disabled - NIXOS-66) - "${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out"; + "${pkgs.buildPackages.sudo}/sbin/visudo -f $src -c && cp $src $out"; target = "sudoers"; mode = "0440"; }; diff --git a/nixos/modules/security/wrappers/wrapper.c b/nixos/modules/security/wrappers/wrapper.c index 7091e314bb22..494e9e93ac22 100644 --- a/nixos/modules/security/wrappers/wrapper.c +++ b/nixos/modules/security/wrappers/wrapper.c @@ -10,8 +10,8 @@ #include <errno.h> #include <linux/capability.h> #include <sys/capability.h> -#include <linux/prctl.h> #include <sys/prctl.h> +#include <limits.h> #include <cap-ng.h> // Make sure assertions are not compiled out, we use them to codify diff --git a/nixos/modules/services/audio/alsa.nix b/nixos/modules/services/audio/alsa.nix index e3e8bb28c58b..376aad66e236 100644 --- a/nixos/modules/services/audio/alsa.nix +++ b/nixos/modules/services/audio/alsa.nix @@ -54,6 +54,11 @@ in description = '' Whether to enable volume and capture control with keyboard media keys. + You want to leave this disabled if you run a desktop environment + like KDE, Gnome, Xfce, etc, as those handle such things themselves. + You might want to enable this if you run a minimalistic desktop + environment or work from bare linux ttys/framebuffers. + Enabling this will turn on <option>services.actkbd</option>. ''; }; diff --git a/nixos/modules/services/backup/almir.nix b/nixos/modules/services/backup/almir.nix deleted file mode 100644 index fbb4ff4034f1..000000000000 --- a/nixos/modules/services/backup/almir.nix +++ /dev/null @@ -1,173 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.almir; - - bconsoleconf = pkgs.writeText "bconsole.conf" - '' - Director { - Name = ${cfg.director_name} - DIRport = ${toString cfg.director_port} - address = ${cfg.director_address} - Password = "${cfg.director_password}" - } - ''; - - productionini = pkgs.writeText "production.ini" - '' -[app:main] -use = egg:almir - -pyramid.reload_templates = false -pyramid.debug_authorization = false -pyramid.debug_notfound = false -pyramid.debug_routematch = false -pyramid.debug_templates = false -pyramid.default_locale_name = en -pyramid.includes = - pyramid_exclog -exclog.extra_info = true - -sqlalchemy.url = ${cfg.sqlalchemy_engine_url} -timezone = ${cfg.timezone} -bconsole_config = ${bconsoleconf} - -[server:main] -use = egg:waitress#main -host = 127.0.0.1 -port = ${toString cfg.port} - - -# Begin logging configuration - -[loggers] -keys = root, almir, sqlalchemy, exc_logger - -[handlers] -keys = console - -[formatters] -keys = generic - -[logger_root] -level = WARN -handlers = console - -[logger_almir] -level = WARN -handlers = -qualname = almir - -[logger_exc_logger] -level = ERROR -handlers = -qualname = exc_logger - -[logger_sqlalchemy] -level = WARN -handlers = -qualname = sqlalchemy.engine -# "level = INFO" logs SQL queries. -# "level = DEBUG" logs SQL queries and results. -# "level = WARN" logs neither. (Recommended for production systems.) - -[handler_console] -class = StreamHandler -args = (sys.stderr,) -level = NOTSET -formatter = generic - -[formatter_generic] -format = %(asctime)s %(levelname)-5.5s [%(name)s][%(threadName)s] %(message)s - ''; -in { - options = { - services.almir = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable Almir web server. Also configures postgresql database and installs bacula. - ''; - }; - - port = mkOption { - default = 35000; - type = types.int; - description = '' - Port for Almir web server to listen on. - ''; - }; - - timezone = mkOption { - description = '' - Timezone as specified in https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - ''; - example = "Europe/Ljubljana"; - }; - - sqlalchemy_engine_url = mkOption { - default = "postgresql:///bacula"; - example = '' - postgresql://bacula:bacula@localhost:5432/bacula - mysql+mysqlconnector://<user>:<password>@<hostname>/<database>' - sqlite:////var/lib/bacula/bacula.db' - ''; - description = '' - Define SQL database connection to bacula catalog as specified in http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls - ''; - }; - - director_name = mkOption { - description = '' - Name of the Director to connect with bconsole. - ''; - }; - - director_password = mkOption { - description = '' - Password for Director to connect with bconsole. - ''; - }; - - director_port = mkOption { - default = 9101; - type = types.int; - description = '' - Port for Director to connect with bconsole. - ''; - }; - - director_address = mkOption { - default = "127.0.0.1"; - description = '' - IP/Hostname for Director to connect with bconsole. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.almir = { - after = [ "network.target" "postgresql.service" ]; - description = "Almir web app"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.pythonPackages.almir ]; - environment.PYTHONPATH = "${pkgs.pythonPackages.almir}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages"; - serviceConfig.ExecStart = "${pkgs.pythonPackages.pyramid}/bin/pserve ${productionini}"; - }; - - environment.systemPackages = [ pkgs.pythonPackages.almir ]; - - users.extraUsers.almir = { - group = "almir"; - uid = config.ids.uids.almir; - createHome = true; - shell = "${pkgs.bash}/bin/bash"; - }; - - users.extraGroups.almir.gid = config.ids.gids.almir; - }; -} diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix new file mode 100644 index 000000000000..1b730e0c2b76 --- /dev/null +++ b/nixos/modules/services/backup/borgbackup.nix @@ -0,0 +1,580 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + isLocalPath = x: + builtins.substring 0 1 x == "/" # absolute path + || builtins.substring 0 1 x == "." # relative path + || builtins.match "[.*:.*]" == null; # not machine:path + + mkExcludeFile = cfg: + # Write each exclude pattern to a new line + pkgs.writeText "excludefile" (concatStringsSep "\n" cfg.exclude); + + mkKeepArgs = cfg: + # If cfg.prune.keep e.g. has a yearly attribute, + # its content is passed on as --keep-yearly + concatStringsSep " " + (mapAttrsToList (x: y: "--keep-${x}=${toString y}") cfg.prune.keep); + + mkBackupScript = cfg: '' + on_exit() + { + exitStatus=$? + # Reset the EXIT handler, or else we're called again on 'exit' below + trap - EXIT + ${cfg.postHook} + exit $exitStatus + } + trap 'on_exit' INT TERM QUIT EXIT + + archiveName="${cfg.archiveBaseName}-$(date ${cfg.dateFormat})" + archiveSuffix="${optionalString cfg.appendFailedSuffix ".failed"}" + ${cfg.preHook} + '' + optionalString cfg.doInit '' + # Run borg init if the repo doesn't exist yet + if ! borg list > /dev/null; then + borg init \ + --encryption ${cfg.encryption.mode} \ + $extraInitArgs + ${cfg.postInit} + fi + '' + '' + borg create \ + --compression ${cfg.compression} \ + --exclude-from ${mkExcludeFile cfg} \ + $extraCreateArgs \ + "::$archiveName$archiveSuffix" \ + ${escapeShellArgs cfg.paths} + '' + optionalString cfg.appendFailedSuffix '' + borg rename "::$archiveName$archiveSuffix" "$archiveName" + '' + '' + ${cfg.postCreate} + '' + optionalString (cfg.prune.keep != { }) '' + borg prune \ + ${mkKeepArgs cfg} \ + --prefix ${escapeShellArg cfg.prune.prefix} \ + $extraPruneArgs + ${cfg.postPrune} + ''; + + mkPassEnv = cfg: with cfg.encryption; + if passCommand != null then + { BORG_PASSCOMMAND = passCommand; } + else if passphrase != null then + { BORG_PASSPHRASE = passphrase; } + else { }; + + mkBackupService = name: cfg: + let + userHome = config.users.users.${cfg.user}.home; + in nameValuePair "borgbackup-job-${name}" { + description = "BorgBackup job ${name}"; + path = with pkgs; [ + borgbackup openssh + ]; + script = mkBackupScript cfg; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + # Only run when no other process is using CPU or disk + CPUSchedulingPolicy = "idle"; + IOSchedulingClass = "idle"; + ProtectSystem = "strict"; + ReadWritePaths = + [ "${userHome}/.config/borg" "${userHome}/.cache/borg" ] + # Borg needs write access to repo if it is not remote + ++ optional (isLocalPath cfg.repo) cfg.repo; + PrivateTmp = true; + }; + environment = { + BORG_REPO = cfg.repo; + inherit (cfg) extraInitArgs extraCreateArgs extraPruneArgs; + } // (mkPassEnv cfg) // cfg.environment; + inherit (cfg) startAt; + }; + + # Paths listed in ReadWritePaths must exist before service is started + mkActivationScript = name: cfg: + let + install = "install -o ${cfg.user} -g ${cfg.group}"; + in + nameValuePair "borgbackup-job-${name}" (stringAfter [ "users" ] ('' + # Eensure that the home directory already exists + # We can't assert createHome == true because that's not the case for root + cd "${config.users.users.${cfg.user}.home}" + ${install} -d .config/borg + ${install} -d .cache/borg + '' + optionalString (isLocalPath cfg.repo) '' + ${install} -d ${escapeShellArg cfg.repo} + '')); + + mkPassAssertion = name: cfg: { + assertion = with cfg.encryption; + mode != "none" -> passCommand != null || passphrase != null; + message = + "passCommand or passphrase has to be specified because" + + '' borgbackup.jobs.${name}.encryption != "none"''; + }; + + mkRepoService = name: cfg: + nameValuePair "borgbackup-repo-${name}" { + description = "Create BorgBackup repository ${name} directory"; + script = '' + mkdir -p ${escapeShellArg cfg.path} + chown ${cfg.user}:${cfg.group} ${escapeShellArg cfg.path} + ''; + serviceConfig = { + # The service's only task is to ensure that the specified path exists + Type = "oneshot"; + }; + wantedBy = [ "multi-user.target" ]; + }; + + mkAuthorizedKey = cfg: appendOnly: key: + let + # Because of the following line, clients do not need to specify an absolute repo path + cdCommand = "cd ${escapeShellArg cfg.path}"; + restrictedArg = "--restrict-to-${if cfg.allowSubRepos then "path" else "repository"} ."; + appendOnlyArg = optionalString appendOnly "--append-only"; + quotaArg = optionalString (cfg.quota != null) "--storage-quota ${cfg.quota}"; + serveCommand = "borg serve ${restrictedArg} ${appendOnlyArg} ${quotaArg}"; + in + ''command="${cdCommand} && ${serveCommand}",restrict ${key}''; + + mkUsersConfig = name: cfg: { + users.${cfg.user} = { + openssh.authorizedKeys.keys = + (map (mkAuthorizedKey cfg false) cfg.authorizedKeys + ++ map (mkAuthorizedKey cfg true) cfg.authorizedKeysAppendOnly); + useDefaultShell = true; + }; + groups.${cfg.group} = { }; + }; + + mkKeysAssertion = name: cfg: { + assertion = cfg.authorizedKeys != [ ] || cfg.authorizedKeysAppendOnly != [ ]; + message = + "borgbackup.repos.${name} does not make sense" + + " without at least one public key"; + }; + +in { + meta.maintainers = with maintainers; [ dotlambda ]; + + ###### interface + + options.services.borgbackup.jobs = mkOption { + description = "Deduplicating backups using BorgBackup."; + default = { }; + example = literalExample '' + { + rootBackup = { + paths = "/"; + exclude = [ "/nix" ]; + repo = "/path/to/local/repo"; + encryption = { + mode = "repokey"; + passphrase = "secret"; + }; + compression = "auto,lzma"; + startAt = "weekly"; + }; + } + ''; + type = types.attrsOf (types.submodule (let globalConfig = config; in + { name, config, ... }: { + options = { + + paths = mkOption { + type = with types; either path (nonEmptyListOf path); + description = "Path(s) to back up."; + example = "/home/user"; + apply = x: if isList x then x else [ x ]; + }; + + repo = mkOption { + type = types.str; + description = "Remote or local repository to back up to."; + example = "user@machine:/path/to/repo"; + }; + + archiveBaseName = mkOption { + type = types.strMatching "[^/{}]+"; + default = "${globalConfig.networking.hostName}-${name}"; + defaultText = "\${config.networking.hostName}-<name>"; + description = '' + How to name the created archives. A timestamp, whose format is + determined by <option>dateFormat</option>, will be appended. The full + name can be modified at runtime (<literal>$archiveName</literal>). + Placeholders like <literal>{hostname}</literal> must not be used. + ''; + }; + + dateFormat = mkOption { + type = types.str; + description = '' + Arguments passed to <command>date</command> + to create a timestamp suffix for the archive name. + ''; + default = "+%Y-%m-%dT%H:%M:%S"; + example = "-u +%s"; + }; + + startAt = mkOption { + type = with types; either str (listOf str); + default = "daily"; + description = '' + When or how often the backup should run. + Must be in the format described in + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>. + If you do not want the backup to start + automatically, use <literal>[ ]</literal>. + ''; + }; + + user = mkOption { + type = types.str; + description = '' + The user <command>borg</command> is run as. + User or group need read permission + for the specified <option>paths</option>. + ''; + default = "root"; + }; + + group = mkOption { + type = types.str; + description = '' + The group borg is run as. User or group needs read permission + for the specified <option>paths</option>. + ''; + default = "root"; + }; + + encryption.mode = mkOption { + type = types.enum [ + "repokey" "keyfile" + "repokey-blake2" "keyfile-blake2" + "authenticated" "authenticated-blake2" + "none" + ]; + description = '' + Encryption mode to use. Setting a mode + other than <literal>"none"</literal> requires + you to specify a <option>passCommand</option> + or a <option>passphrase</option>. + ''; + }; + + encryption.passCommand = mkOption { + type = with types; nullOr str; + description = '' + A command which prints the passphrase to stdout. + Mutually exclusive with <option>passphrase</option>. + ''; + default = null; + example = "cat /path/to/passphrase_file"; + }; + + encryption.passphrase = mkOption { + type = with types; nullOr str; + description = '' + The passphrase the backups are encrypted with. + Mutually exclusive with <option>passCommand</option>. + If you do not want the passphrase to be stored in the + world-readable Nix store, use <option>passCommand</option>. + ''; + default = null; + }; + + compression = mkOption { + # "auto" is optional, + # compression mode must be given, + # compression level is optional + type = types.strMatching "none|(auto,)?(lz4|zstd|zlib|lzma)(,[[:digit:]]{1,2})?"; + description = '' + Compression method to use. Refer to + <command>borg help compression</command> + for all available options. + ''; + default = "lz4"; + example = "auto,lzma"; + }; + + exclude = mkOption { + type = with types; listOf str; + description = '' + Exclude paths matching any of the given patterns. See + <command>borg help patterns</command> for pattern syntax. + ''; + default = [ ]; + example = [ + "/home/*/.cache" + "/nix" + ]; + }; + + doInit = mkOption { + type = types.bool; + description = '' + Run <command>borg init</command> if the + specified <option>repo</option> does not exist. + You should set this to <literal>false</literal> + if the repository is located on an external drive + that might not always be mounted. + ''; + default = true; + }; + + appendFailedSuffix = mkOption { + type = types.bool; + description = '' + Append a <literal>.failed</literal> suffix + to the archive name, which is only removed if + <command>borg create</command> has a zero exit status. + ''; + default = true; + }; + + prune.keep = mkOption { + # Specifying e.g. `prune.keep.yearly = -1` + # means there is no limit of yearly archives to keep + # The regex is for use with e.g. --keep-within 1y + type = with types; attrsOf (either int (strMatching "[[:digit:]]+[Hdwmy]")); + description = '' + Prune a repository by deleting all archives not matching any of the + specified retention options. See <command>borg help prune</command> + for the available options. + ''; + default = { }; + example = literalExample '' + { + within = "1d"; # Keep all archives from the last day + daily = 7; + weekly = 4; + monthly = -1; # Keep at least one archive for each month + } + ''; + }; + + prune.prefix = mkOption { + type = types.str; + description = '' + Only consider archive names starting with this prefix for pruning. + By default, only archives created by this job are considered. + Use <literal>""</literal> to consider all archives. + ''; + default = config.archiveBaseName; + defaultText = "\${archiveBaseName}"; + }; + + environment = mkOption { + type = with types; attrsOf str; + description = '' + Environment variables passed to the backup script. + You can for example specify which SSH key to use. + ''; + default = { }; + example = { BORG_RSH = "ssh -i /path/to/key"; }; + }; + + preHook = mkOption { + type = types.lines; + description = '' + Shell commands to run before the backup. + This can for example be used to mount file systems. + ''; + default = ""; + example = '' + # To add excluded paths at runtime + extraCreateArgs="$extraCreateArgs --exclude /some/path" + ''; + }; + + postInit = mkOption { + type = types.lines; + description = '' + Shell commands to run after <command>borg init</command>. + ''; + default = ""; + }; + + postCreate = mkOption { + type = types.lines; + description = '' + Shell commands to run after <command>borg create</command>. The name + of the created archive is stored in <literal>$archiveName</literal>. + ''; + default = ""; + }; + + postPrune = mkOption { + type = types.lines; + description = '' + Shell commands to run after <command>borg prune</command>. + ''; + default = ""; + }; + + postHook = mkOption { + type = types.lines; + description = '' + Shell commands to run just before exit. They are executed + even if a previous command exits with a non-zero exit code. + The latter is available as <literal>$exitStatus</literal>. + ''; + default = ""; + }; + + extraInitArgs = mkOption { + type = types.str; + description = '' + Additional arguments for <command>borg init</command>. + Can also be set at runtime using <literal>$extraInitArgs</literal>. + ''; + default = ""; + example = "--append-only"; + }; + + extraCreateArgs = mkOption { + type = types.str; + description = '' + Additional arguments for <command>borg create</command>. + Can also be set at runtime using <literal>$extraCreateArgs</literal>. + ''; + default = ""; + example = "--stats --checkpoint-interval 600"; + }; + + extraPruneArgs = mkOption { + type = types.str; + description = '' + Additional arguments for <command>borg prune</command>. + Can also be set at runtime using <literal>$extraPruneArgs</literal>. + ''; + default = ""; + example = "--save-space"; + }; + + }; + } + )); + }; + + options.services.borgbackup.repos = mkOption { + description = '' + Serve BorgBackup repositories to given public SSH keys, + restricting their access to the repository only. + Also, clients do not need to specify the absolute path when accessing the repository, + i.e. <literal>user@machine:.</literal> is enough. (Note colon and dot.) + ''; + default = { }; + type = types.attrsOf (types.submodule ( + { name, config, ... }: { + options = { + + path = mkOption { + type = types.path; + description = '' + Where to store the backups. Note that the directory + is created automatically, with correct permissions. + ''; + default = "/var/lib/borgbackup"; + }; + + user = mkOption { + type = types.str; + description = '' + The user <command>borg serve</command> is run as. + User or group needs write permission + for the specified <option>path</option>. + ''; + default = "borg"; + }; + + group = mkOption { + type = types.str; + description = '' + The group <command>borg serve</command> is run as. + User or group needs write permission + for the specified <option>path</option>. + ''; + default = "borg"; + }; + + authorizedKeys = mkOption { + type = with types; listOf str; + description = '' + Public SSH keys that are given full write access to this repository. + You should use a different SSH key for each repository you write to, because + the specified keys are restricted to running <command>borg serve</command> + and can only access this single repository. + ''; + default = [ ]; + }; + + authorizedKeysAppendOnly = mkOption { + type = with types; listOf str; + description = '' + Public SSH keys that can only be used to append new data (archives) to the repository. + Note that archives can still be marked as deleted and are subsequently removed from disk + upon accessing the repo with full write access, e.g. when pruning. + ''; + default = [ ]; + }; + + allowSubRepos = mkOption { + type = types.bool; + description = '' + Allow clients to create repositories in subdirectories of the + specified <option>path</option>. These can be accessed using + <literal>user@machine:path/to/subrepo</literal>. Note that a + <option>quota</option> applies to repositories independently. + Therefore, if this is enabled, clients can create multiple + repositories and upload an arbitrary amount of data. + ''; + default = false; + }; + + quota = mkOption { + # See the definition of parse_file_size() in src/borg/helpers/parseformat.py + type = with types; nullOr (strMatching "[[:digit:].]+[KMGTP]?"); + description = '' + Storage quota for the repository. This quota is ensured for all + sub-repositories if <option>allowSubRepos</option> is enabled + but not for the overall storage space used. + ''; + default = null; + example = "100G"; + }; + + }; + } + )); + }; + + ###### implementation + + config = mkIf (with config.services.borgbackup; jobs != { } || repos != { }) + (with config.services.borgbackup; { + assertions = + mapAttrsToList mkPassAssertion jobs + ++ mapAttrsToList mkKeysAssertion repos; + + system.activationScripts = mapAttrs' mkActivationScript jobs; + + systemd.services = + # A job named "foo" is mapped to systemd.services.borgbackup-job-foo + mapAttrs' mkBackupService jobs + # A repo named "foo" is mapped to systemd.services.borgbackup-repo-foo + // mapAttrs' mkRepoService repos; + + users = mkMerge (mapAttrsToList mkUsersConfig repos); + + environment.systemPackages = with pkgs; [ borgbackup ]; + }); +} diff --git a/nixos/modules/services/backup/duplicati.nix b/nixos/modules/services/backup/duplicati.nix new file mode 100644 index 000000000000..9772ca4d20a7 --- /dev/null +++ b/nixos/modules/services/backup/duplicati.nix @@ -0,0 +1,40 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.duplicati; +in +{ + options = { + services.duplicati = { + enable = mkEnableOption "Duplicati"; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.duplicati ]; + + systemd.services.duplicati = { + description = "Duplicati backup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "duplicati"; + Group = "duplicati"; + ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=any --webservice-port=8200 --server-datafolder=/var/lib/duplicati"; + Restart = "on-failure"; + }; + }; + + users.extraUsers.duplicati = { + uid = config.ids.uids.duplicati; + home = "/var/lib/duplicati"; + createHome = true; + group = "duplicati"; + }; + users.extraGroups.duplicati.gid = config.ids.gids.duplicati; + + }; +} + diff --git a/nixos/modules/services/backup/restic.nix b/nixos/modules/services/backup/restic.nix new file mode 100644 index 000000000000..21d82469c605 --- /dev/null +++ b/nixos/modules/services/backup/restic.nix @@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + options.services.restic.backups = mkOption { + description = '' + Periodic backups to create with Restic. + ''; + type = types.attrsOf (types.submodule ({ name, config, ... }: { + options = { + passwordFile = mkOption { + type = types.str; + description = '' + Read the repository password from a file. + ''; + example = "/etc/nixos/restic-password"; + + }; + + repository = mkOption { + type = types.str; + description = '' + repository to backup to. + ''; + example = "sftp:backup@192.168.1.100:/backups/${name}"; + }; + + paths = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Which paths to backup. + ''; + example = [ + "/var/lib/postgresql" + "/home/user/backup" + ]; + }; + + timerConfig = mkOption { + type = types.attrsOf types.str; + default = { + OnCalendar = "daily"; + }; + description = '' + When to run the backup. See man systemd.timer for details. + ''; + example = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }; + + user = mkOption { + type = types.str; + default = "root"; + description = '' + As which user the backup should run. + ''; + example = "postgresql"; + }; + + extraBackupArgs = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra arguments passed to restic backup. + ''; + example = [ + "--exclude-file=/etc/nixos/restic-ignore" + ]; + }; + + extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra extended options to be passed to the restic --option flag. + ''; + example = [ + "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" + ]; + }; + + initialize = mkOption { + type = types.bool; + default = false; + description = '' + Create the repository if it doesn't exist. + ''; + }; + }; + })); + default = {}; + example = { + localbackup = { + paths = [ "/home" ]; + repository = "/mnt/backup-hdd"; + passwordFile = "/etc/nixos/secrets/restic-password"; + initialize = true; + }; + remotebackup = { + paths = [ "/home" ]; + repository = "sftp:backup@host:/backups/home"; + passwordFile = "/etc/nixos/secrets/restic-password"; + extraOptions = [ + "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }; + }; + }; + + config = { + systemd.services = + mapAttrs' (name: backup: + let + extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions; + connectTo = elemAt (splitString ":" backup.repository) 1; + resticCmd = "${pkgs.restic}/bin/restic${extraOptions}"; + in nameValuePair "restic-backups-${name}" ({ + environment = { + RESTIC_PASSWORD_FILE = backup.passwordFile; + RESTIC_REPOSITORY = backup.repository; + }; + path = with pkgs; [ + openssh + ]; + restartIfChanged = false; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${resticCmd} backup ${concatStringsSep " " backup.extraBackupArgs} ${concatStringsSep " " backup.paths}"; + User = backup.user; + }; + } // optionalAttrs backup.initialize { + preStart = '' + ${resticCmd} snapshots || ${resticCmd} init + ''; + }) + ) config.services.restic.backups; + systemd.timers = + mapAttrs' (name: backup: nameValuePair "restic-backups-${name}" { + wantedBy = [ "timers.target" ]; + timerConfig = backup.timerConfig; + }) config.services.restic.backups; + }; +} diff --git a/nixos/modules/services/backup/tarsnap.nix b/nixos/modules/services/backup/tarsnap.nix index 59e9d122fb50..4fc7c24813a5 100644 --- a/nixos/modules/services/backup/tarsnap.nix +++ b/nixos/modules/services/backup/tarsnap.nix @@ -238,6 +238,20 @@ in Whether to produce verbose logging output. ''; }; + explicitSymlinks = mkOption { + type = types.bool; + default = false; + description = '' + Whether to follow symlinks specified as archives. + ''; + }; + followSymlinks = mkOption { + type = types.bool; + default = false; + description = '' + Whether to follow all symlinks in archive trees. + ''; + }; }; } )); @@ -285,12 +299,12 @@ in }) gcfg.archives); systemd.services = - mapAttrs' (name: cfg: nameValuePair "tarsnap-${name}" { + (mapAttrs' (name: cfg: nameValuePair "tarsnap-${name}" { description = "Tarsnap archive '${name}'"; requires = [ "network-online.target" ]; after = [ "network-online.target" ]; - path = [ pkgs.iputils pkgs.tarsnap pkgs.utillinux ]; + path = with pkgs; [ iputils tarsnap utillinux ]; # In order for the persistent tarsnap timer to work reliably, we have to # make sure that the tarsnap server is reachable after systemd starts up @@ -300,10 +314,12 @@ in while ! ping -q -c 1 v1-0-0-server.tarsnap.com &> /dev/null; do sleep 3; done ''; - script = - let run = ''tarsnap --configfile "/etc/tarsnap/${name}.conf" \ - -c -f "${name}-$(date +"%Y%m%d%H%M%S")" \ + script = let + tarsnap = ''tarsnap --configfile "/etc/tarsnap/${name}.conf"''; + run = ''${tarsnap} -c -f "${name}-$(date +"%Y%m%d%H%M%S")" \ ${optionalString cfg.verbose "-v"} \ + ${optionalString cfg.explicitSymlinks "-H"} \ + ${optionalString cfg.followSymlinks "-L"} \ ${concatStringsSep " " cfg.directories}''; in if (cfg.cachedir != null) then '' mkdir -p ${cfg.cachedir} @@ -313,7 +329,7 @@ in if [ ! -e ${cfg.cachedir}/firstrun ]; then ( flock 10 flock -u 9 - tarsnap --configfile "/etc/tarsnap/${name}.conf" --fsck + ${tarsnap} --fsck flock 9 ) 10>${cfg.cachedir}/firstrun fi @@ -329,7 +345,44 @@ in CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ]; PermissionsStartOnly = "true"; }; - }) gcfg.archives; + }) gcfg.archives) // + + (mapAttrs' (name: cfg: nameValuePair "tarsnap-restore-${name}"{ + description = "Tarsnap restore '${name}'"; + requires = [ "network-online.target" ]; + + path = with pkgs; [ iputils tarsnap utillinux ]; + + script = let + tarsnap = ''tarsnap --configfile "/etc/tarsnap/${name}.conf"''; + lastArchive = ''$(${tarsnap} --list-archives | sort | tail -1)''; + run = ''${tarsnap} -x -f "${lastArchive}" ${optionalString cfg.verbose "-v"}''; + + in if (cfg.cachedir != null) then '' + mkdir -p ${cfg.cachedir} + chmod 0700 ${cfg.cachedir} + + ( flock 9 + if [ ! -e ${cfg.cachedir}/firstrun ]; then + ( flock 10 + flock -u 9 + ${tarsnap} --fsck + flock 9 + ) 10>${cfg.cachedir}/firstrun + fi + ) 9>${cfg.cachedir}/lockf + + exec flock ${cfg.cachedir}/firstrun ${run} + '' else "exec ${run}"; + + serviceConfig = { + Type = "oneshot"; + IOSchedulingClass = "idle"; + NoNewPrivileges = "true"; + CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ]; + PermissionsStartOnly = "true"; + }; + }) gcfg.archives); # Note: the timer must be Persistent=true, so that systemd will start it even # if e.g. your laptop was asleep while the latest interval occurred. diff --git a/nixos/modules/services/backup/znapzend.nix b/nixos/modules/services/backup/znapzend.nix index 762bb4b38675..3d133f82d204 100644 --- a/nixos/modules/services/backup/znapzend.nix +++ b/nixos/modules/services/backup/znapzend.nix @@ -386,7 +386,7 @@ in echo Resetting znapzend zetups ${pkgs.znapzend}/bin/znapzendzetup list \ | grep -oP '(?<=\*\*\* backup plan: ).*(?= \*\*\*)' \ - | xargs ${pkgs.znapzend}/bin/znapzendzetup delete + | xargs -I{} ${pkgs.znapzend}/bin/znapzendzetup delete "{}" '' + concatStringsSep "\n" (mapAttrsToList (dataset: config: '' echo Importing znapzend zetup ${config} for dataset ${dataset} ${pkgs.znapzend}/bin/znapzendzetup import --write ${dataset} ${config} diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 4a2c6f0833eb..aeb0a0d2432d 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -279,7 +279,7 @@ in { tokenAuthFile = mkOption { description = '' Kubernetes apiserver token authentication file. See - <link xlink:href="http://kubernetes.io/docs/admin/authentication.html"/> + <link xlink:href="https://kubernetes.io/docs/admin/authentication.html"/> ''; default = null; type = types.nullOr types.path; @@ -288,7 +288,7 @@ in { basicAuthFile = mkOption { description = '' Kubernetes apiserver basic authentication file. See - <link xlink:href="http://kubernetes.io/docs/admin/authentication.html"/> + <link xlink:href="https://kubernetes.io/docs/admin/authentication.html"/> ''; default = pkgs.writeText "users" '' kubernetes,admin,0 @@ -299,7 +299,7 @@ in { authorizationMode = mkOption { description = '' Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/RBAC). See - <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/> + <link xlink:href="https://kubernetes.io/docs/admin/authorization.html"/> ''; default = ["RBAC" "Node"]; type = types.listOf (types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "RBAC" "Node"]); @@ -308,7 +308,7 @@ in { authorizationPolicy = mkOption { description = '' Kubernetes apiserver authorization policy file. See - <link xlink:href="http://kubernetes.io/docs/admin/authorization.html"/> + <link xlink:href="https://kubernetes.io/docs/admin/authorization.html"/> ''; default = []; type = types.listOf types.attrs; @@ -332,7 +332,7 @@ in { runtimeConfig = mkOption { description = '' Api runtime configuration. See - <link xlink:href="http://kubernetes.io/docs/admin/cluster-management.html"/> + <link xlink:href="https://kubernetes.io/docs/admin/cluster-management.html"/> ''; default = "authentication.k8s.io/v1beta1=true"; example = "api/all=false,api/v1=true"; @@ -342,7 +342,7 @@ in { admissionControl = mkOption { description = '' Kubernetes admission control plugins to use. See - <link xlink:href="http://kubernetes.io/docs/admin/admission-controllers/"/> + <link xlink:href="https://kubernetes.io/docs/admin/admission-controllers/"/> ''; default = ["NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction"]; example = [ @@ -766,7 +766,7 @@ in { rm /opt/cni/bin/* || true ${concatMapStrings (package: '' echo "Linking cni package: ${package}" - ln -fs ${package.plugins}/* /opt/cni/bin + ln -fs ${package}/bin/* /opt/cni/bin '') cfg.kubelet.cni.packages} ''; serviceConfig = { @@ -828,7 +828,7 @@ in { }; # Allways include cni plugins - services.kubernetes.kubelet.cni.packages = [pkgs.cni]; + services.kubernetes.kubelet.cni.packages = [pkgs.cni-plugins]; boot.kernelModules = ["br_netfilter"]; diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix index e43b6bbb2536..8abe3c5b8c9b 100644 --- a/nixos/modules/services/computing/boinc/client.nix +++ b/nixos/modules/services/computing/boinc/client.nix @@ -6,6 +6,13 @@ let cfg = config.services.boinc; allowRemoteGuiRpcFlag = optionalString cfg.allowRemoteGuiRpc "--allow_remote_gui_rpc"; + fhsEnv = pkgs.buildFHSUserEnv { + name = "boinc-fhs-env"; + targetPkgs = pkgs': [ cfg.package ] ++ cfg.extraEnvPackages; + runScript = "/bin/boinc_client"; + }; + fhsEnvExecutable = "${fhsEnv}/bin/${fhsEnv.name}"; + in { options.services.boinc = { @@ -49,6 +56,43 @@ in See also: <link xlink:href="http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access"/> ''; }; + + extraEnvPackages = mkOption { + type = types.listOf types.package; + default = []; + example = "[ pkgs.virtualbox ]"; + description = '' + Additional packages to make available in the environment in which + BOINC will run. Common choices are: + <variablelist> + <varlistentry> + <term><varname>pkgs.virtualbox</varname></term> + <listitem><para> + The VirtualBox virtual machine framework. Required by some BOINC + projects, such as ATLAS@home. + </para></listitem> + </varlistentry> + <varlistentry> + <term><varname>pkgs.ocl-icd</varname></term> + <listitem><para> + OpenCL infrastructure library. Required by BOINC projects that + use OpenCL, in addition to a device-specific OpenCL driver. + </para></listitem> + </varlistentry> + <varlistentry> + <term><varname>pkgs.linuxPackages.nvidia_x11</varname></term> + <listitem><para> + Provides CUDA libraries. Required by BOINC projects that use + CUDA. Note that this requires an NVIDIA graphics device to be + present on the system. + </para><para> + Also provides OpenCL drivers for NVIDIA GPUs; + <varname>pkgs.ocl-icd</varname> is also needed in this case. + </para></listitem> + </varlistentry> + </variablelist> + ''; + }; }; config = mkIf cfg.enable { @@ -70,7 +114,7 @@ in chown boinc ${cfg.dataDir} ''; script = '' - ${cfg.package}/bin/boinc_client --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} + ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} ''; serviceConfig = { PermissionsStartOnly = true; # preStart must be run as root diff --git a/nixos/modules/services/continuous-integration/buildkite-agent.nix b/nixos/modules/services/continuous-integration/buildkite-agent.nix index 0a0c9f665d25..d647b7b9fa49 100644 --- a/nixos/modules/services/continuous-integration/buildkite-agent.nix +++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix @@ -17,8 +17,8 @@ let hooksDir = let mkHookEntry = name: value: '' - cat > $out/${name} <<EOF - #! ${pkgs.stdenv.shell} + cat > $out/${name} <<'EOF' + #! ${pkgs.runtimeShell} set -e ${value} EOF diff --git a/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixos/modules/services/continuous-integration/jenkins/default.nix index 0dd59e4fb444..c2f4e9c0c5a7 100644 --- a/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixos/modules/services/continuous-integration/jenkins/default.nix @@ -145,6 +145,11 @@ in { }; config = mkIf cfg.enable { + # server references the dejavu fonts + environment.systemPackages = [ + pkgs.dejavu_fonts + ]; + users.extraGroups = optional (cfg.group == "jenkins") { name = "jenkins"; gid = config.ids.gids.jenkins; @@ -200,15 +205,17 @@ in { ${replacePlugins} ''; + # For reference: https://wiki.jenkins.io/display/JENKINS/JenkinsLinuxStartupScript script = '' ${pkgs.jdk}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \ --httpPort=${toString cfg.port} \ --prefix=${cfg.prefix} \ + -Djava.awt.headless=true \ ${concatStringsSep " " cfg.extraOptions} ''; postStart = '' - until [[ $(${pkgs.curl.bin}/bin/curl -s --head -w '\n%{http_code}' http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} | tail -n1) =~ ^(200|403)$ ]]; do + until [[ $(${pkgs.curl.bin}/bin/curl -L -s --head -w '\n%{http_code}' http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} | tail -n1) =~ ^(200|403)$ ]]; do sleep 1 done ''; diff --git a/nixos/modules/services/databases/4store-endpoint.nix b/nixos/modules/services/databases/4store-endpoint.nix index 906cb320df98..d528355671f6 100644 --- a/nixos/modules/services/databases/4store-endpoint.nix +++ b/nixos/modules/services/databases/4store-endpoint.nix @@ -2,7 +2,7 @@ let cfg = config.services.fourStoreEndpoint; endpointUser = "fourstorehttp"; - run = "${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${endpointUser} -c"; + run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${endpointUser} -c"; in with lib; { diff --git a/nixos/modules/services/databases/4store.nix b/nixos/modules/services/databases/4store.nix index 62856822f906..abb62e1f2637 100644 --- a/nixos/modules/services/databases/4store.nix +++ b/nixos/modules/services/databases/4store.nix @@ -3,7 +3,7 @@ let cfg = config.services.fourStore; stateDir = "/var/lib/4store"; fourStoreUser = "fourstore"; - run = "${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${fourStoreUser}"; + run = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${fourStoreUser}"; in with lib; { diff --git a/nixos/modules/services/databases/foundationdb.nix b/nixos/modules/services/databases/foundationdb.nix new file mode 100644 index 000000000000..693d2fde9916 --- /dev/null +++ b/nixos/modules/services/databases/foundationdb.nix @@ -0,0 +1,416 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.foundationdb; + pkg = cfg.package; + + # used for initial cluster configuration + initialIpAddr = if (cfg.publicAddress != "auto") then cfg.publicAddress else "127.0.0.1"; + + fdbServers = n: + concatStringsSep "\n" (map (x: "[fdbserver.${toString (x+cfg.listenPortStart)}]") (range 0 (n - 1))); + + backupAgents = n: + concatStringsSep "\n" (map (x: "[backup_agent.${toString x}]") (range 1 n)); + + configFile = pkgs.writeText "foundationdb.conf" '' + [general] + cluster_file = /etc/foundationdb/fdb.cluster + + [fdbmonitor] + restart_delay = ${toString cfg.restartDelay} + user = ${cfg.user} + group = ${cfg.group} + + [fdbserver] + command = ${pkg}/bin/fdbserver + public_address = ${cfg.publicAddress}:$ID + listen_address = ${cfg.listenAddress} + datadir = ${cfg.dataDir}/$ID + logdir = ${cfg.logDir} + logsize = ${cfg.logSize} + maxlogssize = ${cfg.maxLogSize} + ${optionalString (cfg.class != null) "class = ${cfg.class}"} + memory = ${cfg.memory} + storage_memory = ${cfg.storageMemory} + + ${optionalString (cfg.tls != null) '' + tls_plugin = ${pkg}/libexec/plugins/FDBLibTLS.so + tls_certificate_file = ${cfg.tls.certificate} + tls_key_file = ${cfg.tls.key} + tls_verify_peers = ${cfg.tls.allowedPeers} + ''} + + ${optionalString (cfg.locality.machineId != null) "locality_machineid=${cfg.locality.machineId}"} + ${optionalString (cfg.locality.zoneId != null) "locality_zoneid=${cfg.locality.zoneId}"} + ${optionalString (cfg.locality.datacenterId != null) "locality_dcid=${cfg.locality.datacenterId}"} + ${optionalString (cfg.locality.dataHall != null) "locality_data_hall=${cfg.locality.dataHall}"} + + ${fdbServers cfg.serverProcesses} + + [backup_agent] + command = ${pkg}/libexec/backup_agent + ${backupAgents cfg.backupProcesses} + ''; +in +{ + options.services.foundationdb = { + + enable = mkEnableOption "FoundationDB Server"; + + package = mkOption { + type = types.package; + description = '' + The FoundationDB package to use for this server. This must be specified by the user + in order to ensure migrations and upgrades are controlled appropriately. + ''; + }; + + publicAddress = mkOption { + type = types.str; + default = "auto"; + description = "Publicly visible IP address of the process. Port is determined by process ID"; + }; + + listenAddress = mkOption { + type = types.str; + default = "public"; + description = "Publicly visible IP address of the process. Port is determined by process ID"; + }; + + listenPortStart = mkOption { + type = types.int; + default = 4500; + description = '' + Starting port number for database listening sockets. Every FDB process binds to a + subsequent port, to this number reflects the start of the overall range. e.g. having + 8 server processes will use all ports between 4500 and 4507. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open the firewall ports corresponding to FoundationDB processes and coordinators + using <option>config.networking.firewall.*</option>. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/foundationdb"; + description = "Data directory. All cluster data will be put under here."; + }; + + logDir = mkOption { + type = types.path; + default = "/var/log/foundationdb"; + description = "Log directory."; + }; + + user = mkOption { + type = types.str; + default = "foundationdb"; + description = "User account under which FoundationDB runs."; + }; + + group = mkOption { + type = types.str; + default = "foundationdb"; + description = "Group account under which FoundationDB runs."; + }; + + class = mkOption { + type = types.nullOr (types.enum [ "storage" "transaction" "stateless" ]); + default = null; + description = "Process class"; + }; + + restartDelay = mkOption { + type = types.int; + default = 10; + description = "Number of seconds to wait before restarting servers."; + }; + + logSize = mkOption { + type = types.string; + default = "10MiB"; + description = '' + Roll over to a new log file after the current log file + reaches the specified size. + ''; + }; + + maxLogSize = mkOption { + type = types.string; + default = "100MiB"; + description = '' + Delete the oldest log file when the total size of all log + files exceeds the specified size. If set to 0, old log files + will not be deleted. + ''; + }; + + serverProcesses = mkOption { + type = types.int; + default = 1; + description = "Number of fdbserver processes to run."; + }; + + backupProcesses = mkOption { + type = types.int; + default = 1; + description = "Number of backup_agent processes to run for snapshots."; + }; + + memory = mkOption { + type = types.string; + default = "8GiB"; + description = '' + Maximum memory used by the process. The default value is + <literal>8GiB</literal>. When specified without a unit, + <literal>MiB</literal> is assumed. This parameter does not + change the memory allocation of the program. Rather, it sets + a hard limit beyond which the process will kill itself and + be restarted. The default value of <literal>8GiB</literal> + is double the intended memory usage in the default + configuration (providing an emergency buffer to deal with + memory leaks or similar problems). It is not recommended to + decrease the value of this parameter below its default + value. It may be increased if you wish to allocate a very + large amount of storage engine memory or cache. In + particular, when the <literal>storageMemory</literal> + parameter is increased, the <literal>memory</literal> + parameter should be increased by an equal amount. + ''; + }; + + storageMemory = mkOption { + type = types.string; + default = "1GiB"; + description = '' + Maximum memory used for data storage. The default value is + <literal>1GiB</literal>. When specified without a unit, + <literal>MB</literal> is assumed. Clusters using the memory + storage engine will be restricted to using this amount of + memory per process for purposes of data storage. Memory + overhead associated with storing the data is counted against + this total. If you increase the + <literal>storageMemory</literal>, you should also increase + the <literal>memory</literal> parameter by the same amount. + ''; + }; + + tls = mkOption { + default = null; + description = '' + FoundationDB Transport Security Layer (TLS) settings. + ''; + + type = types.nullOr (types.submodule ({ + options = { + certificate = mkOption { + type = types.str; + description = '' + Path to the TLS certificate file. This certificate will + be offered to, and may be verified by, clients. + ''; + }; + + key = mkOption { + type = types.str; + description = "Private key file for the certificate."; + }; + + allowedPeers = mkOption { + type = types.str; + default = "Check.Valid=1,Check.Unexpired=1"; + description = '' + "Peer verification string". This may be used to adjust which TLS + client certificates a server will accept, as a form of user + authorization; for example, it may only accept TLS clients who + offer a certificate abiding by some locality or organization name. + + For more information, please see the FoundationDB documentation. + ''; + }; + }; + })); + }; + + locality = mkOption { + default = { + machineId = null; + zoneId = null; + datacenterId = null; + dataHall = null; + }; + + description = '' + FoundationDB locality settings. + ''; + + type = types.submodule ({ + options = { + machineId = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + Machine identifier key. All processes on a machine should share a + unique id. By default, processes on a machine determine a unique id to share. + This does not generally need to be set. + ''; + }; + + zoneId = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + Zone identifier key. Processes that share a zone id are + considered non-unique for the purposes of data replication. + If unset, defaults to machine id. + ''; + }; + + datacenterId = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + Data center identifier key. All processes physically located in a + data center should share the id. If you are depending on data + center based replication this must be set on all processes. + ''; + }; + + dataHall = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + Data hall identifier key. All processes physically located in a + data hall should share the id. If you are depending on data + hall based replication this must be set on all processes. + ''; + }; + }; + }); + }; + + extraReadWritePaths = mkOption { + default = [ ]; + type = types.listOf types.path; + description = '' + An extra set of filesystem paths that FoundationDB can read to + and write from. By default, FoundationDB runs under a heavily + namespaced systemd environment without write access to most of + the filesystem outside of its data and log directories. By + adding paths to this list, the set of writeable paths will be + expanded. This is useful for allowing e.g. backups to local files, + which must be performed on behalf of the foundationdb service. + ''; + }; + + pidfile = mkOption { + type = types.path; + default = "/run/foundationdb.pid"; + description = "Path to pidfile for fdbmonitor."; + }; + }; + + config = mkIf cfg.enable { + meta.doc = ./foundationdb.xml; + meta.maintainers = with lib.maintainers; [ thoughtpolice ]; + + environment.systemPackages = [ pkg ]; + + users.extraUsers = optionalAttrs (cfg.user == "foundationdb") (singleton + { name = "foundationdb"; + description = "FoundationDB User"; + uid = config.ids.uids.foundationdb; + group = cfg.group; + }); + + users.extraGroups = optionalAttrs (cfg.group == "foundationdb") (singleton + { name = "foundationdb"; + gid = config.ids.gids.foundationdb; + }); + + networking.firewall.allowedTCPPortRanges = mkIf cfg.openFirewall + [ { from = cfg.listenPortStart; + to = (cfg.listenPortStart + cfg.serverProcesses) - 1; + } + ]; + + systemd.services.foundationdb = { + description = "FoundationDB Service"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = + { RequiresMountsFor = "${cfg.dataDir} ${cfg.logDir}"; + }; + + serviceConfig = + let rwpaths = [ cfg.dataDir cfg.logDir cfg.pidfile "/etc/foundationdb" ] + ++ cfg.extraReadWritePaths; + in + { Type = "simple"; + Restart = "always"; + RestartSec = 5; + User = cfg.user; + Group = cfg.group; + PIDFile = "${cfg.pidfile}"; + + PermissionsStartOnly = true; # setup needs root perms + TimeoutSec = 120; # give reasonable time to shut down + + # Security options + NoNewPrivileges = true; + ProtectHome = true; + ProtectSystem = "strict"; + ProtectKernelTunables = true; + ProtectControlGroups = true; + PrivateTmp = true; + PrivateDevices = true; + ReadWritePaths = lib.concatStringsSep " " (map (x: "-" + x) rwpaths); + }; + + path = [ pkg pkgs.coreutils ]; + + preStart = '' + rm -f ${cfg.pidfile} && \ + touch ${cfg.pidfile} && \ + chown -R ${cfg.user}:${cfg.group} ${cfg.pidfile} + + for x in "${cfg.logDir}" "${cfg.dataDir}"; do + [ ! -d "$x" ] && mkdir -m 0700 -vp "$x"; + chown -R ${cfg.user}:${cfg.group} "$x"; + done + + [ ! -d /etc/foundationdb ] && \ + mkdir -m 0775 -vp /etc/foundationdb && \ + chown -R ${cfg.user}:${cfg.group} "/etc/foundationdb" + + if [ ! -f /etc/foundationdb/fdb.cluster ]; then + cf=/etc/foundationdb/fdb.cluster + desc=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) + rand=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) + echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf + chmod 0664 $cf && chown -R ${cfg.user}:${cfg.group} $cf + touch "${cfg.dataDir}/.first_startup" + fi + ''; + + script = "exec fdbmonitor --lockfile ${cfg.pidfile} --conffile ${configFile}"; + + postStart = '' + if [ -e "${cfg.dataDir}/.first_startup" ]; then + fdbcli --exec "configure new single memory" + rm -f "${cfg.dataDir}/.first_startup"; + fi + ''; + }; + }; +} diff --git a/nixos/modules/services/databases/foundationdb.xml b/nixos/modules/services/databases/foundationdb.xml new file mode 100644 index 000000000000..def9cc436691 --- /dev/null +++ b/nixos/modules/services/databases/foundationdb.xml @@ -0,0 +1,322 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-foundationdb"> + +<title>FoundationDB</title> + +<para><emphasis>Source:</emphasis> <filename>modules/services/databases/foundationdb.nix</filename></para> + +<para><emphasis>Upstream documentation:</emphasis> <link xlink:href="https://apple.github.io/foundationdb/"/></para> + +<para><emphasis>Maintainer:</emphasis> Austin Seipp</para> + +<para><emphasis>Available version(s):</emphasis> 5.1.x</para> + +<para>FoundationDB (or "FDB") is a distributed, open source, high performance, +transactional key-value store. It can store petabytes of data and deliver +exceptional performance while maintaining consistency and ACID semantics +(serializable transactions) over a large cluster.</para> + +<section><title>Configuring and basic setup</title> + +<para>To enable FoundationDB, add the following to your +<filename>configuration.nix</filename>: + +<programlisting> +services.foundationdb.enable = true; +services.foundationdb.package = pkgs.foundationdb51; # FoundationDB 5.1.x +</programlisting> +</para> + +<para>The <option>services.foundationdb.package</option> option is required, +and must always be specified. Because FoundationDB network protocols and +on-disk storage formats may change between (major) versions, and upgrades must +be explicitly handled by the user, you must always manually specify this +yourself so that the NixOS module will use the proper version. Note that minor, +bugfix releases are always compatible.</para> + +<para>After running <command>nixos-rebuild</command>, you can verify whether +FoundationDB is running by executing <command>fdbcli</command> (which is added +to <option>environment.systemPackages</option>): + +<programlisting> +$ sudo -u foundationdb fdbcli +Using cluster file `/etc/foundationdb/fdb.cluster'. + +The database is available. + +Welcome to the fdbcli. For help, type `help'. +fdb> status + +Using cluster file `/etc/foundationdb/fdb.cluster'. + +Configuration: + Redundancy mode - single + Storage engine - memory + Coordinators - 1 + +Cluster: + FoundationDB processes - 1 + Machines - 1 + Memory availability - 5.4 GB per process on machine with least available + Fault Tolerance - 0 machines + Server time - 04/20/18 15:21:14 + +... + +fdb> +</programlisting> +</para> + +<para>FoundationDB is run under the <command>foundationdb</command> user and +group by default, but this may be changed in the NixOS configuration. The +systemd unit <command>foundationdb.service</command> controls the +<command>fdbmonitor</command> process.</para> + +<para>By default, the NixOS module for FoundationDB creates a single +SSD-storage based database for development and basic usage. This storage engine +is designed for SSDs and will perform poorly on HDDs; however it can handle far +more data than the alternative "memory" engine and is a better default choice +for most deployments. (Note that you can change the storage backend on-the-fly +for a given FoundationDB cluster using <command>fdbcli</command>.)</para> + +<para>Furthermore, only 1 server process and 1 backup agent are started in the +default configuration. See below for more on scaling to increase this.</para> + +<para>FoundationDB stores all data for all server processes under +<filename>/var/lib/foundationdb</filename>. You can override this using +<option>services.foundationdb.dataDir</option>, e.g. + +<programlisting> +services.foundationdb.dataDir = "/data/fdb"; +</programlisting> + +</para> + +<para>Similarly, logs are stored under +<filename>/var/log/foundationdb</filename> by default, and there is a +corresponding <option>services.foundationdb.logDir</option> as well.</para> + +</section> + +<section><title>Scaling processes and backup agents</title> + +<para>Scaling the number of server processes is quite easy; simply specify +<option>services.foundationdb.serverProcesses</option> to be the number of +FoundationDB worker processes that should be started on the machine.</para> + +<para>FoundationDB worker processes typically require 4GB of RAM per-process at +minimum for good performance, so this option is set to 1 by default since the +maximum amount of RAM is unknown. You're advised to abide by this restriction, +so pick a number of processes so that each has 4GB or more.</para> + +<para>A similar option exists in order to scale backup agent processes, +<option>services.foundationdb.backupProcesses</option>. Backup agents are not +as performance/RAM sensitive, so feel free to experiment with the number of +available backup processes.</para> + +</section> + +<section><title>Clustering</title> + +<para>FoundationDB on NixOS works similarly to other Linux systems, so this +section will be brief. Please refer to the full FoundationDB documentation for +more on clustering.</para> + +<para>FoundationDB organizes clusters using a set of +<emphasis>coordinators</emphasis>, which are just specially-designated worker +processes. By default, every installation of FoundationDB on NixOS will start +as its own individual cluster, with a single coordinator: the first worker +process on <command>localhost</command>.</para> + +<para>Coordinators are specified globally using the +<command>/etc/foundationdb/fdb.cluster</command> file, which all servers and +client applications will use to find and join coordinators. Note that this file +<emphasis>can not</emphasis> be managed by NixOS so easily: FoundationDB is +designed so that it will rewrite the file at runtime for all clients and nodes +when cluster coordinators change, with clients transparently handling this +without intervention. It is fundamentally a mutable file, and you should not +try to manage it in any way in NixOS.</para> + +<para>When dealing with a cluster, there are two main things you want to +do:</para> + +<itemizedlist> + <listitem><para>Add a node to the cluster for storage/compute.</para></listitem> + <listitem><para>Promote an ordinary worker to a coordinator.</para></listitem> +</itemizedlist> + +<para>A node must already be a member of the cluster in order to properly be +promoted to a coordinator, so you must always add it first if you wish to +promote it.</para> + +<para>To add a machine to a FoundationDB cluster:</para> + +<itemizedlist> + <listitem><para>Choose one of the servers to start as the initial coordinator. + </para></listitem> + <listitem><para>Copy the <command>/etc/foundationdb/fdb.cluster</command> file + from this server to all the other servers. Restart FoundationDB on all of + these other servers, so they join the cluster.</para></listitem> + <listitem><para>All of these servers are now connected and working together + in the cluster, under the chosen coordinator.</para></listitem> +</itemizedlist> + +<para>At this point, you can add as many nodes as you want by just repeating +the above steps. By default there will still be a single coordinator: you can +use <command>fdbcli</command> to change this and add new coordinators.</para> + +<para>As a convenience, FoundationDB can automatically assign coordinators +based on the redundancy mode you wish to achieve for the cluster. Once all the +nodes have been joined, simply set the replication policy, and then issue the +<command>coordinators auto</command> command</para> + +<para>For example, assuming we have 3 nodes available, we can enable double +redundancy mode, then auto-select coordinators. For double redundancy, 3 +coordinators is ideal: therefore FoundationDB will make +<emphasis>every</emphasis> node a coordinator automatically:</para> + +<programlisting> +fdbcli> configure double ssd +fdbcli> coordinators auto +</programlisting> + +<para>This will transparently update all the servers within seconds, and +appropriately rewrite the <command>fdb.cluster</command> file, as well as +informing all client processes to do the same.</para> + +</section> + +<section><title>Client connectivity</title> + +<para>By default, all clients must use the current +<command>fdb.cluster</command> file to access a given FoundationDB cluster. +This file is located by default in +<command>/etc/foundationdb/fdb.cluster</command> on all machines with the +FoundationDB service enabled, so you may copy the active one from your cluster +to a new node in order to connect, if it is not part of the cluster.</para> + +</section> + +<section><title>Client authorization and TLS</title> + +<para>By default, any user who can connect to a FoundationDB process with the +correct cluster configuration can access anything. FoundationDB uses a +pluggable design to transport security, and out of the box it supports a +LibreSSL-based plugin for TLS support. This plugin not only does in-flight +encryption, but also performs client authorization based on the given +endpoint's certificate chain. For example, a FoundationDB server may be +configured to only accept client connections over TLS, where the client TLS +certificate is from organization <emphasis>Acme Co</emphasis> in the +<emphasis>Research and Development</emphasis> unit.</para> + +<para>Configuring TLS with FoundationDB is done using the +<option>services.foundationdb.tls</option> options in order to control the peer +verification string, as well as the certificate and its private key.</para> + +<para>Note that the certificate and its private key must be accessible to the +FoundationDB user account that the server runs under. These files are also NOT +managed by NixOS, as putting them into the store may reveal private +information.</para> + +<para>After you have a key and certificate file in place, it is not enough to +simply set the NixOS module options -- you must also configure the +<command>fdb.cluster</command> file to specify that a given set of coordinators +use TLS. This is as simple as adding the suffix <command>:tls</command> to your +cluster coordinator configuration, after the port number. For example, assuming +you have a coordinator on localhost with the default configuration, simply +specifying:</para> + +<programlisting> +XXXXXX:XXXXXX@127.0.0.1:4500:tls +</programlisting> + +<para>will configure all clients and server processes to use TLS from now +on.</para> + +</section> + +<section><title>Backups and Disaster Recovery</title> + +<para>The usual rules for doing FoundationDB backups apply on NixOS as written +in the FoundationDB manual. However, one important difference is the security +profile for NixOS: by default, the <command>foundationdb</command> systemd unit +uses <emphasis>Linux namespaces</emphasis> to restrict write access to the +system, except for the log directory, data directory, and the +<command>/etc/foundationdb/</command> directory. This is enforced by default +and cannot be disabled.</para> + +<para>However, a side effect of this is that the <command>fdbbackup</command> +command doesn't work properly for local filesystem backups: FoundationDB uses a +server process alongside the database processes to perform backups and copy the +backups to the filesystem. As a result, this process is put under the +restricted namespaces above: the backup process can only write to a limited +number of paths.</para> + +<para>In order to allow flexible backup locations on local disks, the +FoundationDB NixOS module supports a +<option>services.foundationdb.extraReadWritePaths</option> option. This option +takes a list of paths, and adds them to the systemd unit, allowing the +processes inside the service to write (and read) the specified +directories.</para> + +<para>For example, to create backups in <command>/opt/fdb-backups</command>, +first set up the paths in the module options:</para> + +<programlisting> +services.foundationdb.extraReadWritePaths = [ "/opt/fdb-backups" ]; +</programlisting> + +<para>Restart the FoundationDB service, and it will now be able to write to +this directory (even if it does not yet exist.) Note: this path +<emphasis>must</emphasis> exist before restarting the unit. Otherwise, systemd +will not include it in the private FoundationDB namespace (and it will not add +it dynamically at runtime).</para> + +<para>You can now perform a backup:</para> + +<programlisting> +$ sudo -u foundationdb fdbbackup start -t default -d file:///opt/fdb-backups +$ sudo -u foundationdb fdbbackup status -t default +</programlisting> + +</section> + +<section><title>Known limitations</title> + +<para>The FoundationDB setup for NixOS should currently be considered beta. +FoundationDB is not new software, but the NixOS compilation and integration has +only undergone fairly basic testing of all the available functionality.</para> + +<itemizedlist> + <listitem><para>There is no way to specify individual parameters for + individual <command>fdbserver</command> processes. Currently, all server + processes inherit all the global <command>fdbmonitor</command> settings. + </para></listitem> + <listitem><para>Python bindings are not currently installed.</para></listitem> + <listitem><para>Ruby bindings are not currently installed.</para></listitem> + <listitem><para>Go bindings are not currently installed.</para></listitem> +</itemizedlist> + +</section> + +<section><title>Options</title> + +<para>NixOS's FoundationDB module allows you to configure all of the most +relevant configuration options for <command>fdbmonitor</command>, matching it +quite closely. For a complete list of all options, check <command>man +configuration.nix</command>.</para> + +</section> + +<section><title>Full documentation</title> + +<para>FoundationDB is a complex piece of software, and requires careful +administration to properly use. Full documentation for administration can be +found here: <link xlink:href="https://apple.github.io/foundationdb/"/>.</para> + +</section> + +</chapter> diff --git a/nixos/modules/services/databases/monetdb.nix b/nixos/modules/services/databases/monetdb.nix new file mode 100644 index 000000000000..5c66fc7b2e36 --- /dev/null +++ b/nixos/modules/services/databases/monetdb.nix @@ -0,0 +1,100 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.monetdb; + +in { + meta.maintainers = with maintainers; [ StillerHarpo primeos ]; + + ###### interface + options = { + services.monetdb = { + + enable = mkEnableOption "the MonetDB database server"; + + package = mkOption { + type = types.package; + default = pkgs.monetdb; + defaultText = "pkgs.monetdb"; + description = "MonetDB package to use."; + }; + + user = mkOption { + type = types.str; + default = "monetdb"; + description = "User account under which MonetDB runs."; + }; + + group = mkOption { + type = types.str; + default = "monetdb"; + description = "Group under which MonetDB runs."; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/monetdb"; + description = "Data directory for the dbfarm."; + }; + + port = mkOption { + type = types.ints.u16; + default = 50000; + description = "Port to listen on."; + }; + + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "0.0.0.0"; + description = "Address to listen on."; + }; + }; + }; + + ###### implementation + config = mkIf cfg.enable { + + users.users.monetdb = mkIf (cfg.user == "monetdb") { + uid = config.ids.uids.monetdb; + group = cfg.group; + description = "MonetDB user"; + home = cfg.dataDir; + createHome = true; + }; + + users.groups.monetdb = mkIf (cfg.group == "monetdb") { + gid = config.ids.gids.monetdb; + members = [ cfg.user ]; + }; + + environment.systemPackages = [ cfg.package ]; + + systemd.services.monetdb = { + description = "MonetDB database server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + path = [ cfg.package ]; + unitConfig.RequiresMountsFor = "${cfg.dataDir}"; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + ExecStart = "${cfg.package}/bin/monetdbd start -n ${cfg.dataDir}"; + ExecStop = "${cfg.package}/bin/monetdbd stop ${cfg.dataDir}"; + }; + preStart = '' + if [ ! -e ${cfg.dataDir}/.merovingian_properties ]; then + # Create the dbfarm (as cfg.user) + ${cfg.package}/bin/monetdbd create ${cfg.dataDir} + fi + + # Update the properties + ${cfg.package}/bin/monetdbd set port=${toString cfg.port} ${cfg.dataDir} + ${cfg.package}/bin/monetdbd set listenaddr=${cfg.listenAddress} ${cfg.dataDir} + ''; + }; + + }; +} diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix index e884098cb08d..a67c61eb9949 100644 --- a/nixos/modules/services/databases/openldap.nix +++ b/nixos/modules/services/databases/openldap.nix @@ -7,8 +7,10 @@ let cfg = config.services.openldap; openldap = pkgs.openldap; + dataFile = pkgs.writeText "ldap-contents.ldif" cfg.declarativeContents; configFile = pkgs.writeText "slapd.conf" cfg.extraConfig; - + configOpts = if cfg.configDir == null then "-f ${configFile}" + else "-F ${cfg.configDir}"; in { @@ -81,6 +83,34 @@ in ''' ''; }; + + declarativeContents = mkOption { + type = with types; nullOr lines; + default = null; + description = '' + Declarative contents for the LDAP database, in LDIF format. + + Note a few facts when using it. First, the database + <emphasis>must</emphasis> be stored in the directory defined by + <code>dataDir</code>. Second, all <code>dataDir</code> will be erased + when starting the LDAP server. Third, modifications to the database + are not prevented, they are just dropped on the next reboot of the + server. Finally, performance-wise the database and indexes are rebuilt + on each server startup, so this will slow down server startup, + especially with large databases. + ''; + example = '' + dn: dc=example,dc=org + objectClass: domain + dc: example + + dn: ou=users,dc=example,dc=org + objectClass = organizationalUnit + ou: users + + # ... + ''; + }; }; }; @@ -88,7 +118,7 @@ in ###### implementation - config = mkIf config.services.openldap.enable { + config = mkIf cfg.enable { environment.systemPackages = [ openldap ]; @@ -98,11 +128,21 @@ in after = [ "network.target" ]; preStart = '' mkdir -p /var/run/slapd - chown -R ${cfg.user}:${cfg.group} /var/run/slapd - mkdir -p ${cfg.dataDir} - chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} + chown -R "${cfg.user}:${cfg.group}" /var/run/slapd + ${optionalString (cfg.declarativeContents != null) '' + rm -Rf "${cfg.dataDir}" + ''} + mkdir -p "${cfg.dataDir}" + ${optionalString (cfg.declarativeContents != null) '' + ${openldap.out}/bin/slapadd ${configOpts} -l ${dataFile} + ''} + chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}" ''; - serviceConfig.ExecStart = "${openldap.out}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -h \"${concatStringsSep " " cfg.urlList}\" ${if cfg.configDir == null then "-f "+configFile else "-F "+cfg.configDir}"; + serviceConfig.ExecStart = + "${openldap.out}/libexec/slapd -d 0 " + + "-u '${cfg.user}' -g '${cfg.group}' " + + "-h '${concatStringsSep " " cfg.urlList}' " + + "${configOpts}"; }; users.extraUsers.openldap = diff --git a/nixos/modules/services/databases/pgmanage.nix b/nixos/modules/services/databases/pgmanage.nix index 86733a3e5a07..d1b48c06440e 100644 --- a/nixos/modules/services/databases/pgmanage.nix +++ b/nixos/modules/services/databases/pgmanage.nix @@ -22,7 +22,7 @@ let web_root = ${cfg.package}/etc/pgmanage/web_root - data_root = ${cfg.dataRoot} + sql_root = ${cfg.sqlRoot} ${optionalString (!isNull cfg.tls) '' tls_cert = ${cfg.tls.cert} @@ -130,7 +130,7 @@ let ''; }; - dataRoot = mkOption { + sqlRoot = mkOption { type = types.str; default = "/var/lib/pgmanage"; description = '' @@ -210,7 +210,7 @@ in { users."${pgmanage}" = { name = pgmanage; group = pgmanage; - home = cfg.dataRoot; + home = cfg.sqlRoot; createHome = true; }; groups."${pgmanage}" = { diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 0dcbfe2e47ac..f022e0863dfd 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -36,9 +36,6 @@ let ${cfg.extraConfig} ''; - pre84 = versionOlder (builtins.parseDrvName postgresql.name).version "8.4"; - - in { @@ -182,7 +179,7 @@ in services.postgresql.authentication = mkAfter '' # Generated file; do not edit! - local all all ident ${optionalString pre84 "sameuser"} + local all all ident host all all 127.0.0.1/32 md5 host all all ::1/128 md5 ''; diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml index a98026942959..98a631c0cd32 100644 --- a/nixos/modules/services/databases/postgresql.xml +++ b/nixos/modules/services/databases/postgresql.xml @@ -23,15 +23,15 @@ <filename>configuration.nix</filename>: <programlisting> -services.postgresql.enable = true; -services.postgresql.package = pkgs.postgresql94; +<xref linkend="opt-services.postgresql.enable"/> = true; +<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql94; </programlisting> Note that you are required to specify the desired version of PostgreSQL (e.g. <literal>pkgs.postgresql94</literal>). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for -<option>services.postgresql.package</option> such as the most recent +<xref linkend="opt-services.postgresql.package"/> such as the most recent release of PostgreSQL.</para> <!-- @@ -49,10 +49,10 @@ alice=> <para>By default, PostgreSQL stores its databases in <filename>/var/db/postgresql</filename>. You can override this using -<option>services.postgresql.dataDir</option>, e.g. +<xref linkend="opt-services.postgresql.dataDir"/>, e.g. <programlisting> -services.postgresql.dataDir = "/data/postgresql"; +<xref linkend="opt-services.postgresql.dataDir"/> = "/data/postgresql"; </programlisting> </para> @@ -69,7 +69,7 @@ services.postgresql.dataDir = "/data/postgresql"; <section><title>Options</title> -<para>FIXME: auto-generated list of module options.</para> + <para>A complete list of options for the PostgreSQL module may be found <link linkend="opt-services.postgresql.enable">here</link>.</para> </section> diff --git a/nixos/modules/services/editors/emacs.nix b/nixos/modules/services/editors/emacs.nix index 2c5a0c4849ef..ba7ec967919e 100644 --- a/nixos/modules/services/editors/emacs.nix +++ b/nixos/modules/services/editors/emacs.nix @@ -7,7 +7,7 @@ let cfg = config.services.emacs; editorScript = pkgs.writeScriptBin "emacseditor" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} if [ -z "$1" ]; then exec ${cfg.package}/bin/emacsclient --create-frame --alternate-editor ${cfg.package}/bin/emacs else @@ -15,6 +15,25 @@ let fi ''; +desktopApplicationFile = pkgs.writeTextFile { + name = "emacsclient.desktop"; + destination = "/share/applications/emacsclient.desktop"; + text = '' +[Desktop Entry] +Name=Emacsclient +GenericName=Text Editor +Comment=Edit text +MimeType=text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++; +Exec=emacseditor %F +Icon=emacs +Type=Application +Terminal=false +Categories=Development;TextEditor; +StartupWMClass=Emacs +Keywords=Text;Editor; +''; +}; + in { options.services.emacs = { @@ -74,7 +93,7 @@ in { }; } // optionalAttrs cfg.enable { wantedBy = [ "default.target" ]; }; - environment.systemPackages = [ cfg.package editorScript ]; + environment.systemPackages = [ cfg.package editorScript desktopApplicationFile ]; environment.variables = { # This is required so that GTK applications launched from Emacs diff --git a/nixos/modules/services/editors/emacs.xml b/nixos/modules/services/editors/emacs.xml index dd66bac442c6..dfab5ce4a79d 100644 --- a/nixos/modules/services/editors/emacs.xml +++ b/nixos/modules/services/editors/emacs.xml @@ -404,10 +404,10 @@ in [...] user service for Emacs daemon, add the following to your <filename>configuration.nix</filename>: - <programlisting><![CDATA[ -services.emacs.enable = true; -services.emacs.package = import /home/cassou/.emacs.d { pkgs = pkgs; }; -]]></programlisting> +<programlisting> +<xref linkend="opt-services.emacs.enable"/> = true; +<xref linkend="opt-services.emacs.package"/> = import /home/cassou/.emacs.d { pkgs = pkgs; }; +</programlisting> </para> <para> @@ -462,7 +462,7 @@ emacsclient --create-frame --tty # opens a new frame on the current terminal <!--<title><command>emacsclient</command> as the Default Editor</title>--> <para> - If <varname>services.emacs.defaultEditor</varname> is + If <xref linkend="opt-services.emacs.defaultEditor"/> is <literal>true</literal>, the <varname>EDITOR</varname> variable will be set to a wrapper script which launches <command>emacsclient</command>. @@ -497,10 +497,10 @@ emacsclient --create-frame --tty # opens a new frame on the current terminal Emacs daemon is not wanted for all users, it is possible to install the service but not globally enable it: - <programlisting><![CDATA[ -services.emacs.enable = false; -services.emacs.install = true; -]]></programlisting> +<programlisting> +<xref linkend="opt-services.emacs.enable"/> = false; +<xref linkend="opt-services.emacs.install"/> = true; +</programlisting> </para> <para> @@ -582,7 +582,7 @@ services.emacs.install = true; <para> To install the DocBook 5.0 schemas, either add <varname>pkgs.docbook5</varname> to - <varname>environment.systemPackages</varname> (<link + <xref linkend="opt-environment.systemPackages"/> (<link linkend="sec-declarative-package-mgmt">NixOS</link>), or run <literal>nix-env -i pkgs.docbook5</literal> (<link linkend="sec-ad-hoc-packages">Nix</link>). diff --git a/nixos/modules/services/editors/infinoted.nix b/nixos/modules/services/editors/infinoted.nix index 963147b18a04..9074a4345eae 100644 --- a/nixos/modules/services/editors/infinoted.nix +++ b/nixos/modules/services/editors/infinoted.nix @@ -129,7 +129,7 @@ in { serviceConfig = { Type = "simple"; Restart = "always"; - ExecStart = "${cfg.package}/bin/infinoted-0.6 --config-file=/var/lib/infinoted/infinoted.conf"; + ExecStart = "${cfg.package}/bin/infinoted-${versions.majorMinor cfg.package.version} --config-file=/var/lib/infinoted/infinoted.conf"; User = cfg.user; Group = cfg.group; PermissionsStartOnly = true; diff --git a/nixos/modules/services/hardware/bluetooth.nix b/nixos/modules/services/hardware/bluetooth.nix index 4a8cd86b0b11..d7ca8a431794 100644 --- a/nixos/modules/services/hardware/bluetooth.nix +++ b/nixos/modules/services/hardware/bluetooth.nix @@ -3,8 +3,8 @@ with lib; let - bluez-bluetooth = pkgs.bluez; cfg = config.hardware.bluetooth; + bluez-bluetooth = cfg.package; in { @@ -21,6 +21,16 @@ in { description = "Whether to power up the default Bluetooth controller on boot."; }; + package = mkOption { + type = types.package; + default = pkgs.bluez; + defaultText = "pkgs.bluez"; + example = "pkgs.bluez.override { enableMidi = true; }"; + description = '' + Which BlueZ package to use. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; diff --git a/nixos/modules/services/hardware/lcd.nix b/nixos/modules/services/hardware/lcd.nix new file mode 100644 index 000000000000..d78d742cd318 --- /dev/null +++ b/nixos/modules/services/hardware/lcd.nix @@ -0,0 +1,172 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.hardware.lcd; + pkg = lib.getBin pkgs.lcdproc; + + serverCfg = pkgs.writeText "lcdd.conf" '' + [server] + DriverPath=${pkg}/lib/lcdproc/ + ReportToSyslog=false + Bind=${cfg.serverHost} + Port=${toString cfg.serverPort} + ${cfg.server.extraConfig} + ''; + + clientCfg = pkgs.writeText "lcdproc.conf" '' + [lcdproc] + Server=${cfg.serverHost} + Port=${toString cfg.serverPort} + ReportToSyslog=false + ${cfg.client.extraConfig} + ''; + + serviceCfg = { + DynamicUser = true; + Restart = "on-failure"; + Slice = "lcd.slice"; + }; + +in with lib; { + + meta.maintainers = with maintainers; [ peterhoeg ]; + + options = with types; { + services.hardware.lcd = { + serverHost = mkOption { + type = str; + default = "localhost"; + description = "Host on which LCDd is listening."; + }; + + serverPort = mkOption { + type = int; + default = 13666; + description = "Port on which LCDd is listening."; + }; + + server = { + enable = mkOption { + type = bool; + default = false; + description = "Enable the LCD panel server (LCDd)"; + }; + + openPorts = mkOption { + type = bool; + default = false; + description = "Open the ports in the firewall"; + }; + + usbPermissions = mkOption { + type = bool; + default = false; + description = '' + Set group-write permissions on a USB device. + </para> + <para> + A USB connected LCD panel will most likely require having its + permissions modified for lcdd to write to it. Enabling this option + sets group-write permissions on the device identified by + <option>services.hardware.lcd.usbVid</option> and + <option>services.hardware.lcd.usbPid</option>. In order to find the + values, you can run the <command>lsusb</command> command. Example + output: + </para> + <para> + <literal> + Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface + </literal> + </para> + <para> + In this case the vendor id is 0403 and the product id is c630. + ''; + }; + + usbVid = mkOption { + type = str; + default = ""; + description = "The vendor ID of the USB device to claim."; + }; + + usbPid = mkOption { + type = str; + default = ""; + description = "The product ID of the USB device to claim."; + }; + + usbGroup = mkOption { + type = str; + default = "dialout"; + description = "The group to use for settings permissions. This group must exist or you will have to create it."; + }; + + extraConfig = mkOption { + type = lines; + default = ""; + description = "Additional configuration added verbatim to the server config."; + }; + }; + + client = { + enable = mkOption { + type = bool; + default = false; + description = "Enable the LCD panel client (LCDproc)"; + }; + + extraConfig = mkOption { + type = lines; + default = ""; + description = "Additional configuration added verbatim to the client config."; + }; + + restartForever = mkOption { + type = bool; + default = true; + description = "Try restarting the client forever."; + }; + }; + }; + }; + + config = mkIf (cfg.server.enable || cfg.client.enable) { + networking.firewall.allowedTCPPorts = mkIf (cfg.server.enable && cfg.server.openPorts) [ cfg.serverPort ]; + + services.udev.extraRules = mkIf (cfg.server.enable && cfg.server.usbPermissions) '' + ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="${cfg.server.usbVid}", ATTRS{idProduct}=="${cfg.server.usbPid}", MODE="660", GROUP="${cfg.server.usbGroup}" + ''; + + systemd.services = { + lcdd = mkIf cfg.server.enable { + description = "LCDproc - server"; + wantedBy = [ "lcd.target" ]; + serviceConfig = serviceCfg // { + ExecStart = "${pkg}/bin/LCDd -f -c ${serverCfg}"; + SupplementaryGroups = cfg.server.usbGroup; + }; + }; + + lcdproc = mkIf cfg.client.enable { + description = "LCDproc - client"; + after = [ "lcdd.service" ]; + wantedBy = [ "lcd.target" ]; + serviceConfig = serviceCfg // { + ExecStart = "${pkg}/bin/lcdproc -f -c ${clientCfg}"; + # If the server is being restarted at the same time, the client will + # fail as it cannot connect, so space it out a bit. + RestartSec = "5"; + # Allow restarting for eternity + StartLimitIntervalSec = lib.mkIf cfg.client.restartForever "0"; + StartLimitBurst = lib.mkIf cfg.client.restartForever "0"; + }; + }; + }; + + systemd.targets.lcd = { + description = "LCD client/server"; + after = [ "lcdd.service" "lcdproc.service" ]; + wantedBy = [ "multi-user.target" ]; + }; + }; +} diff --git a/nixos/modules/services/hardware/trezord.nix b/nixos/modules/services/hardware/trezord.nix index 38d0a3a1d752..f2ec00a7d3e1 100644 --- a/nixos/modules/services/hardware/trezord.nix +++ b/nixos/modules/services/hardware/trezord.nix @@ -26,8 +26,15 @@ in { name = "trezord-udev-rules"; destination = "/etc/udev/rules.d/51-trezor.rules"; text = '' - SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666", GROUP="dialout", SYMLINK+="trezor%n" - KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0666", GROUP="dialout" + # Trezor 1 + SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666", GROUP="dialout", SYMLINK+="trezor%n" + KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0666", GROUP="dialout" + + # Trezor 2 (Model-T) + SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0661", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n" + SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n" + KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="dialout", TAG+="uaccess", TAG+="udev-acl" + ]; ''; }); @@ -38,7 +45,7 @@ in { path = []; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.trezord}/bin/trezord -f"; + ExecStart = "${pkgs.trezord}/bin/trezord-go"; User = "trezord"; }; }; diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 9f42f9e59ad5..7bfc3bb64872 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -146,7 +146,7 @@ let echo "Generating hwdb database..." # hwdb --update doesn't return error code even on errors! - res="$(${udev}/bin/udevadm hwdb --update --root=$(pwd) 2>&1)" + res="$(${pkgs.buildPackages.udev}/bin/udevadm hwdb --update --root=$(pwd) 2>&1)" echo "$res" [ -z "$(echo "$res" | egrep '^Error')" ] mv etc/udev/hwdb.bin $out diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix index a0dc0d6d089d..95f31829882f 100644 --- a/nixos/modules/services/logging/graylog.nix +++ b/nixos/modules/services/logging/graylog.nix @@ -141,7 +141,7 @@ in JAVA_HOME = jre; GRAYLOG_CONF = "${confFile}"; }; - path = [ pkgs.openjdk8 pkgs.which pkgs.procps ]; + path = [ pkgs.jre_headless pkgs.which pkgs.procps ]; preStart = '' mkdir -p /var/lib/graylog -m 755 diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index b42c73b86668..543e732127a5 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -30,6 +30,7 @@ let '' default_internal_user = ${cfg.user} + default_internal_group = ${cfg.group} ${optionalString (cfg.mailUser != null) "mail_uid = ${cfg.mailUser}"} ${optionalString (cfg.mailGroup != null) "mail_gid = ${cfg.mailGroup}"} diff --git a/nixos/modules/services/misc/defaultUnicornConfig.rb b/nixos/modules/services/misc/defaultUnicornConfig.rb index 84622622db70..0b58c59c7a51 100644 --- a/nixos/modules/services/misc/defaultUnicornConfig.rb +++ b/nixos/modules/services/misc/defaultUnicornConfig.rb @@ -1,205 +1,69 @@ -# The following was taken from github.com/crohr/syslogger and is BSD -# licensed. -require 'syslog' -require 'logger' -require 'thread' +worker_processes 3 -class Syslogger - - VERSION = "1.6.0" - - attr_reader :level, :ident, :options, :facility, :max_octets - attr_accessor :formatter - - MAPPING = { - Logger::DEBUG => Syslog::LOG_DEBUG, - Logger::INFO => Syslog::LOG_INFO, - Logger::WARN => Syslog::LOG_WARNING, - Logger::ERROR => Syslog::LOG_ERR, - Logger::FATAL => Syslog::LOG_CRIT, - Logger::UNKNOWN => Syslog::LOG_ALERT - } - - # - # Initializes default options for the logger - # <tt>ident</tt>:: the name of your program [default=$0]. - # <tt>options</tt>:: syslog options [default=<tt>Syslog::LOG_PID | Syslog::LOG_CONS</tt>]. - # Correct values are: - # LOG_CONS : writes the message on the console if an error occurs when sending the message; - # LOG_NDELAY : no delay before sending the message; - # LOG_PERROR : messages will also be written on STDERR; - # LOG_PID : adds the process number to the message (just after the program name) - # <tt>facility</tt>:: the syslog facility [default=nil] Correct values include: - # Syslog::LOG_DAEMON - # Syslog::LOG_USER - # Syslog::LOG_SYSLOG - # Syslog::LOG_LOCAL2 - # Syslog::LOG_NEWS - # etc. - # - # Usage: - # logger = Syslogger.new("my_app", Syslog::LOG_PID | Syslog::LOG_CONS, Syslog::LOG_LOCAL0) - # logger.level = Logger::INFO # use Logger levels - # logger.warn "warning message" - # logger.debug "debug message" - # - def initialize(ident = $0, options = Syslog::LOG_PID | Syslog::LOG_CONS, facility = nil) - @ident = ident - @options = options || (Syslog::LOG_PID | Syslog::LOG_CONS) - @facility = facility - @level = Logger::INFO - @mutex = Mutex.new - @formatter = Logger::Formatter.new - end - - %w{debug info warn error fatal unknown}.each do |logger_method| - # Accepting *args as message could be nil. - # Default params not supported in ruby 1.8.7 - define_method logger_method.to_sym do |*args, &block| - return true if @level > Logger.const_get(logger_method.upcase) - message = args.first || block && block.call - add(Logger.const_get(logger_method.upcase), message) - end - - unless logger_method == 'unknown' - define_method "#{logger_method}?".to_sym do - @level <= Logger.const_get(logger_method.upcase) - end - end - end - - # Log a message at the Logger::INFO level. Useful for use with Rack::CommonLogger - def write(msg) - add(Logger::INFO, msg) - end - - # Logs a message at the Logger::INFO level. - def <<(msg) - add(Logger::INFO, msg) - end - - # Low level method to add a message. - # +severity+:: the level of the message. One of Logger::DEBUG, Logger::INFO, Logger::WARN, Logger::ERROR, Logger::FATAL, Logger::UNKNOWN - # +message+:: the message string. - # If nil, the method will call the block and use the result as the message string. - # If both are nil or no block is given, it will use the progname as per the behaviour of both the standard Ruby logger, and the Rails BufferedLogger. - # +progname+:: optionally, overwrite the program name that appears in the log message. - def add(severity, message = nil, progname = nil, &block) - if message.nil? && block.nil? && !progname.nil? - message, progname = progname, nil - end - progname ||= @ident - - @mutex.synchronize do - Syslog.open(progname, @options, @facility) do |s| - s.mask = Syslog::LOG_UPTO(MAPPING[@level]) - communication = clean(message || block && block.call) - if self.max_octets - buffer = "#{tags_text}" - communication.bytes do |byte| - buffer.concat(byte) - # if the last byte we added is potentially part of an escape, we'll go ahead and add another byte - if buffer.bytesize >= self.max_octets && !['%'.ord,'\\'.ord].include?(byte) - s.log(MAPPING[severity],buffer) - buffer = "" - end - end - s.log(MAPPING[severity],buffer) unless buffer.empty? - else - s.log(MAPPING[severity],"#{tags_text}#{communication}") - end - end - end - end - - # Set the max octets of the messages written to the log - def max_octets=(max_octets) - @max_octets = max_octets - end - - # Sets the minimum level for messages to be written in the log. - # +level+:: one of <tt>Logger::DEBUG</tt>, <tt>Logger::INFO</tt>, <tt>Logger::WARN</tt>, <tt>Logger::ERROR</tt>, <tt>Logger::FATAL</tt>, <tt>Logger::UNKNOWN</tt> - def level=(level) - level = Logger.const_get(level.to_s.upcase) if level.is_a?(Symbol) - - unless level.is_a?(Fixnum) - raise ArgumentError.new("Invalid logger level `#{level.inspect}`") - end - - @level = level - end - - # Sets the ident string passed along to Syslog - def ident=(ident) - @ident = ident - end - - # Tagging code borrowed from ActiveSupport gem - def tagged(*tags) - new_tags = push_tags(*tags) - yield self - ensure - pop_tags(new_tags.size) - end - - def push_tags(*tags) - tags.flatten.reject{ |i| i.respond_to?(:empty?) ? i.empty? : !i }.tap do |new_tags| - current_tags.concat new_tags - end - end - - def pop_tags(size = 1) - current_tags.pop size - end - - def clear_tags! - current_tags.clear - end - - protected - - # Borrowed from SyslogLogger. - def clean(message) - message = message.to_s.dup - message.strip! # remove whitespace - message.gsub!(/\n/, '\\n') # escape newlines - message.gsub!(/%/, '%%') # syslog(3) freaks on % (printf) - message.gsub!(/\e\[[^m]*m/, '') # remove useless ansi color codes - message - end - - private - - def tags_text - tags = current_tags - if tags.any? - tags.collect { |tag| "[#{tag}] " }.join - end - end - - def current_tags - Thread.current[:syslogger_tagged_logging_tags] ||= [] - end -end +listen ENV["UNICORN_PATH"] + "/tmp/sockets/gitlab.socket", :backlog => 1024 +listen "/run/gitlab/gitlab.socket", :backlog => 1024 -worker_processes 2 working_directory ENV["GITLAB_PATH"] -pid ENV["UNICORN_PATH"] + "/tmp/pids/unicorn.pid" -listen ENV["UNICORN_PATH"] + "/tmp/sockets/gitlab.socket", :backlog => 1024 +pid ENV["UNICORN_PATH"] + "/tmp/pids/unicorn.pid" timeout 60 -logger Syslogger.new - +# combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings +# http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow preload_app true - GC.respond_to?(:copy_on_write_friendly=) and GC.copy_on_write_friendly = true check_client_connection false +before_fork do |server, worker| + # the following is highly recommended for Rails + "preload_app true" + # as there's no need for the master process to hold a connection + defined?(ActiveRecord::Base) and + ActiveRecord::Base.connection.disconnect! + + # The following is only recommended for memory/DB-constrained + # installations. It is not needed if your system can house + # twice as many worker_processes as you have configured. + # + # This allows a new master process to incrementally + # phase out the old master process with SIGTTOU to avoid a + # thundering herd (especially in the "preload_app false" case) + # when doing a transparent upgrade. The last worker spawned + # will then kill off the old master process with a SIGQUIT. + old_pid = "#{server.config[:pid]}.oldbin" + if old_pid != server.pid + begin + sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU + Process.kill(sig, File.read(old_pid).to_i) + rescue Errno::ENOENT, Errno::ESRCH + end + end + + # Throttle the master from forking too quickly by sleeping. Due + # to the implementation of standard Unix signal handlers, this + # helps (but does not completely) prevent identical, repeated signals + # from being lost when the receiving process is busy. + # sleep 1 +end + after_fork do |server, worker| + # per-process listener ports for debugging/admin/migrations + # addr = "127.0.0.1:#{9293 + worker.nr}" + # server.listen(addr, :tries => -1, :delay => 5, :tcp_nopush => true) + + # the following is *required* for Rails + "preload_app true", defined?(ActiveRecord::Base) and ActiveRecord::Base.establish_connection + + # reset prometheus client, this will cause any opened metrics files to be closed + defined?(::Prometheus::Client.reinitialize_on_pid_change) && + Prometheus::Client.reinitialize_on_pid_change + + # if preload_app is true, then you may also want to check and + # restart any other shared sockets/descriptors such as Memcached, + # and Redis. TokyoCabinet file handles are safe to reuse + # between any number of forked children (assuming your kernel + # correctly implements pread()/pwrite() system calls) end diff --git a/nixos/modules/services/misc/disnix.nix b/nixos/modules/services/misc/disnix.nix index 39d23610b064..e4517c636e88 100644 --- a/nixos/modules/services/misc/disnix.nix +++ b/nixos/modules/services/misc/disnix.nix @@ -57,7 +57,7 @@ in ###### implementation config = mkIf cfg.enable { - dysnomia.enable = true; + services.dysnomia.enable = true; environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService; diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix index 96ac2a1cf2c9..45931cb42b54 100644 --- a/nixos/modules/services/misc/docker-registry.nix +++ b/nixos/modules/services/misc/docker-registry.nix @@ -5,6 +5,45 @@ with lib; let cfg = config.services.dockerRegistry; + blobCache = if cfg.enableRedisCache + then "redis" + else "inmemory"; + + registryConfig = { + version = "0.1"; + log.fields.service = "registry"; + storage = { + cache.blobdescriptor = blobCache; + filesystem.rootdirectory = cfg.storagePath; + delete.enabled = cfg.enableDelete; + }; + http = { + addr = ":${builtins.toString cfg.port}"; + headers.X-Content-Type-Options = ["nosniff"]; + }; + health.storagedriver = { + enabled = true; + interval = "10s"; + threshold = 3; + }; + }; + + registryConfig.redis = mkIf cfg.enableRedisCache { + addr = "${cfg.redisUrl}"; + password = "${cfg.redisPassword}"; + db = 0; + dialtimeout = "10ms"; + readtimeout = "10ms"; + writetimeout = "10ms"; + pool = { + maxidle = 16; + maxactive = 64; + idletimeout = "300s"; + }; + }; + + configFile = pkgs.writeText "docker-registry-config.yml" (builtins.toJSON (registryConfig // cfg.extraConfig)); + in { options.services.dockerRegistry = { enable = mkEnableOption "Docker Registry"; @@ -27,6 +66,26 @@ in { description = "Docker registry storage path."; }; + enableDelete = mkOption { + type = types.bool; + default = false; + description = "Enable delete for manifests and blobs."; + }; + + enableRedisCache = mkEnableOption "redis as blob cache"; + + redisUrl = mkOption { + type = types.str; + default = "localhost:6379"; + description = "Set redis host and port."; + }; + + redisPassword = mkOption { + type = types.str; + default = ""; + description = "Set redis password."; + }; + extraConfig = mkOption { description = '' Docker extra registry configuration via environment variables. @@ -34,6 +93,19 @@ in { default = {}; type = types.attrsOf types.str; }; + + enableGarbageCollect = mkEnableOption "garbage collect"; + + garbageCollectDates = mkOption { + default = "daily"; + type = types.str; + description = '' + Specification (in the format described by + <citerefentry><refentrytitle>systemd.time</refentrytitle> + <manvolnum>7</manvolnum></citerefentry>) of the time at + which the garbage collect will occur. + ''; + }; }; config = mkIf cfg.enable { @@ -41,15 +113,8 @@ in { description = "Docker Container Registry"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - - environment = { - REGISTRY_HTTP_ADDR = "${cfg.listenAddress}:${toString cfg.port}"; - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY = cfg.storagePath; - } // cfg.extraConfig; - script = '' - ${pkgs.docker-distribution}/bin/registry serve \ - ${pkgs.docker-distribution.out}/share/go/src/github.com/docker/distribution/cmd/registry/config-example.yml + ${pkgs.docker-distribution}/bin/registry serve ${configFile} ''; serviceConfig = { @@ -58,6 +123,22 @@ in { }; }; + systemd.services.docker-registry-garbage-collect = { + description = "Run Garbage Collection for docker registry"; + + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; + + serviceConfig.Type = "oneshot"; + + script = '' + ${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile} + ${pkgs.systemd}/bin/systemctl restart docker-registry.service + ''; + + startAt = optional cfg.enableGarbageCollect cfg.garbageCollectDates; + }; + users.extraUsers.docker-registry = { createHome = true; home = cfg.storagePath; diff --git a/nixos/modules/services/misc/dysnomia.nix b/nixos/modules/services/misc/dysnomia.nix index c5c41ad296da..9e66e0811ab7 100644 --- a/nixos/modules/services/misc/dysnomia.nix +++ b/nixos/modules/services/misc/dysnomia.nix @@ -3,8 +3,8 @@ with lib; let - cfg = config.dysnomia; - + cfg = config.services.dysnomia; + printProperties = properties: concatMapStrings (propertyName: let @@ -13,7 +13,7 @@ let if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties."${propertyName}")})\n" else "${propertyName}=\"${toString property}\"\n" ) (builtins.attrNames properties); - + properties = pkgs.stdenv.mkDerivation { name = "dysnomia-properties"; buildCommand = '' @@ -22,13 +22,13 @@ let EOF ''; }; - + containersDir = pkgs.stdenv.mkDerivation { name = "dysnomia-containers"; buildCommand = '' mkdir -p $out cd $out - + ${concatMapStrings (containerName: let containerProperties = cfg.containers."${containerName}"; @@ -42,11 +42,11 @@ let ) (builtins.attrNames cfg.containers)} ''; }; - + linkMutableComponents = {containerName}: '' mkdir ${containerName} - + ${concatMapStrings (componentName: let component = cfg.components."${containerName}"."${componentName}"; @@ -54,13 +54,13 @@ let "ln -s ${component} ${containerName}/${componentName}\n" ) (builtins.attrNames (cfg.components."${containerName}" or {}))} ''; - + componentsDir = pkgs.stdenv.mkDerivation { name = "dysnomia-components"; buildCommand = '' mkdir -p $out cd $out - + ${concatMapStrings (containerName: let components = cfg.components."${containerName}"; @@ -72,59 +72,59 @@ let in { options = { - dysnomia = { - + services.dysnomia = { + enable = mkOption { type = types.bool; default = false; description = "Whether to enable Dysnomia"; }; - + enableAuthentication = mkOption { type = types.bool; default = false; description = "Whether to publish privacy-sensitive authentication credentials"; }; - + package = mkOption { type = types.path; description = "The Dysnomia package"; }; - + properties = mkOption { description = "An attribute set in which each attribute represents a machine property. Optionally, these values can be shell substitutions."; default = {}; }; - + containers = mkOption { description = "An attribute set in which each key represents a container and each value an attribute set providing its configuration properties"; default = {}; }; - + components = mkOption { description = "An atttribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state"; default = {}; }; - + extraContainerProperties = mkOption { description = "An attribute set providing additional container settings in addition to the default properties"; default = {}; }; - + extraContainerPaths = mkOption { description = "A list of paths containing additional container configurations that are added to the search folders"; default = []; }; - + extraModulePaths = mkOption { description = "A list of paths containing additional modules that are added to the search folders"; default = []; }; }; }; - + config = mkIf cfg.enable { - + environment.etc = { "dysnomia/containers" = { source = containersDir; @@ -136,16 +136,16 @@ in source = properties; }; }; - + environment.variables = { DYSNOMIA_STATEDIR = "/var/state/dysnomia-nixos"; DYSNOMIA_CONTAINERS_PATH = "${lib.concatMapStrings (containerPath: "${containerPath}:") cfg.extraContainerPaths}/etc/dysnomia/containers"; DYSNOMIA_MODULES_PATH = "${lib.concatMapStrings (modulePath: "${modulePath}:") cfg.extraModulePaths}/etc/dysnomia/modules"; }; - + environment.systemPackages = [ cfg.package ]; - - dysnomia.package = pkgs.dysnomia.override (origArgs: { + + services.dysnomia.package = pkgs.dysnomia.override (origArgs: { enableApacheWebApplication = config.services.httpd.enable; enableAxis2WebService = config.services.tomcat.axis2.enable; enableEjabberdDump = config.services.ejabberd.enable; @@ -155,10 +155,10 @@ in enableTomcatWebApplication = config.services.tomcat.enable; enableMongoDatabase = config.services.mongodb.enable; }); - - dysnomia.properties = { + + services.dysnomia.properties = { hostname = config.networking.hostName; - system = if config.nixpkgs.system == "" then builtins.currentSystem else config.nixpkgs.system; + inherit (config.nixpkgs.localSystem) system; supportedTypes = (import "${pkgs.stdenv.mkDerivation { name = "supportedtypes"; @@ -173,8 +173,8 @@ in ''; }}"); }; - - dysnomia.containers = lib.recursiveUpdate ({ + + services.dysnomia.containers = lib.recursiveUpdate ({ process = {}; wrapper = {}; } diff --git a/nixos/modules/services/misc/folding-at-home.nix b/nixos/modules/services/misc/folding-at-home.nix index 053e7e95635f..164221cbab7f 100644 --- a/nixos/modules/services/misc/folding-at-home.nix +++ b/nixos/modules/services/misc/folding-at-home.nix @@ -57,7 +57,7 @@ in { chown ${fahUser} ${stateDir} cp -f ${pkgs.writeText "client.cfg" cfg.config} ${stateDir}/client.cfg ''; - script = "${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${fahUser} -c 'cd ${stateDir}; ${pkgs.foldingathome}/bin/fah6'"; + script = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${fahUser} -c 'cd ${stateDir}; ${pkgs.foldingathome}/bin/fah6'"; }; services.foldingAtHome.config = '' diff --git a/nixos/modules/services/misc/geoip-updater.nix b/nixos/modules/services/misc/geoip-updater.nix index 760fa66e80d6..e0b9df96f8e8 100644 --- a/nixos/modules/services/misc/geoip-updater.nix +++ b/nixos/modules/services/misc/geoip-updater.nix @@ -14,7 +14,7 @@ let # ExecStart= command with '@' doesn't work because we start a shell (new # process) that creates a new argv[0].) geoip-updater = pkgs.writeScriptBin "geoip-updater" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} skipExisting=0 debug() { diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix index f0b44b7bedeb..63e976ae566c 100644 --- a/nixos/modules/services/misc/gitea.nix +++ b/nixos/modules/services/misc/gitea.nix @@ -4,6 +4,8 @@ with lib; let cfg = config.services.gitea; + pg = config.services.postgresql; + usePostgresql = cfg.database.type == "postgres"; configFile = pkgs.writeText "app.ini" '' APP_NAME = ${cfg.appName} RUN_USER = ${cfg.user} @@ -16,6 +18,9 @@ let USER = ${cfg.database.user} PASSWD = #dbpass# PATH = ${cfg.database.path} + ${optionalString usePostgresql '' + SSL_MODE = disable + ''} [repository] ROOT = ${cfg.repositoryRoot} @@ -35,6 +40,10 @@ let SECRET_KEY = #secretkey# INSTALL_LOCK = true + [log] + ROOT_PATH = ${cfg.log.rootPath} + LEVEL = ${cfg.log.level} + ${cfg.extraConfig} ''; in @@ -60,6 +69,19 @@ in description = "gitea data directory."; }; + log = { + rootPath = mkOption { + default = "${cfg.stateDir}/log"; + type = types.str; + description = "Root path for log files."; + }; + level = mkOption { + default = "Trace"; + type = types.enum [ "Trace" "Debug" "Info" "Warn" "Error" "Critical" ]; + description = "General log level."; + }; + }; + user = mkOption { type = types.str; default = "gitea"; @@ -82,7 +104,7 @@ in port = mkOption { type = types.int; - default = 3306; + default = (if !usePostgresql then 3306 else pg.port); description = "Database host port."; }; @@ -123,6 +145,15 @@ in default = "${cfg.stateDir}/data/gitea.db"; description = "Path to the sqlite3 database file."; }; + + createDatabase = mkOption { + type = types.bool; + default = true; + description = '' + Whether to create a local postgresql database automatically. + This only applies if database type "postgres" is selected. + ''; + }; }; appName = mkOption { @@ -186,10 +217,11 @@ in }; config = mkIf cfg.enable { + services.postgresql.enable = mkIf usePostgresql (mkDefault true); systemd.services.gitea = { description = "gitea"; - after = [ "network.target" ]; + after = [ "network.target" "postgresql.service" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.gitea.bin ]; @@ -231,12 +263,31 @@ in mkdir -p ${cfg.stateDir}/conf cp -r ${pkgs.gitea.out}/locale ${cfg.stateDir}/conf/locale fi + '' + optionalString (usePostgresql && cfg.database.createDatabase) '' + if ! test -e "${cfg.stateDir}/db-created"; then + echo "CREATE ROLE ${cfg.database.user} + WITH ENCRYPTED PASSWORD '$(head -n1 ${cfg.database.passwordFile})' + NOCREATEDB NOCREATEROLE LOGIN" | + ${pkgs.sudo}/bin/sudo -u ${pg.superUser} ${pg.package}/bin/psql + ${pkgs.sudo}/bin/sudo -u ${pg.superUser} \ + ${pg.package}/bin/createdb \ + --owner=${cfg.database.user} \ + --encoding=UTF8 \ + --lc-collate=C \ + --lc-ctype=C \ + --template=template0 \ + ${cfg.database.name} + touch "${cfg.stateDir}/db-created" + fi + '' + '' + chown ${cfg.user} -R ${cfg.stateDir} ''; serviceConfig = { Type = "simple"; User = cfg.user; WorkingDirectory = cfg.stateDir; + PermissionsStartOnly = true; ExecStart = "${pkgs.gitea.bin}/bin/gitea web"; Restart = "always"; }; @@ -253,6 +304,7 @@ in description = "Gitea Service"; home = cfg.stateDir; createHome = true; + useDefaultShell = true; }; }; diff --git a/nixos/modules/services/misc/gitit.nix b/nixos/modules/services/misc/gitit.nix index 44880ebeda14..94a98e0335df 100644 --- a/nixos/modules/services/misc/gitit.nix +++ b/nixos/modules/services/misc/gitit.nix @@ -17,7 +17,7 @@ let gititSh = hsPkgs: extras: with pkgs; let env = gititWithPkgs hsPkgs extras; in writeScript "gitit" '' - #!${stdenv.shell} + #!${runtimeShell} cd $HOME export NIX_GHC="${env}/bin/ghc" export NIX_GHCPKG="${env}/bin/ghc-pkg" diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index 9ed5875a0191..be13fed860bd 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -8,9 +8,6 @@ let cfg = config.services.gitlab; ruby = cfg.packages.gitlab.ruby; - bundler = pkgs.bundler; - - gemHome = "${cfg.packages.gitlab.rubyEnv}/${ruby.gemPath}"; gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; @@ -137,12 +134,11 @@ let gitlabEnv = { HOME = "${cfg.statePath}/home"; - GEM_HOME = gemHome; - BUNDLE_GEMFILE = "${cfg.packages.gitlab}/share/gitlab/Gemfile"; UNICORN_PATH = "${cfg.statePath}/"; GITLAB_PATH = "${cfg.packages.gitlab}/share/gitlab/"; GITLAB_STATE_PATH = "${cfg.statePath}"; GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads"; + SCHEMA = "${cfg.statePath}/db/schema.rb"; GITLAB_LOG_PATH = "${cfg.statePath}/log"; GITLAB_SHELL_PATH = "${cfg.packages.gitlab-shell}"; GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/shell/config.yml"; @@ -157,19 +153,17 @@ let gitlab-rake = pkgs.stdenv.mkDerivation rec { name = "gitlab-rake"; - buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.rubyEnv pkgs.makeWrapper ]; - phases = "installPhase fixupPhase"; - buildPhase = ""; + buildInputs = [ pkgs.makeWrapper ]; + dontBuild = true; + unpackPhase = ":"; installPhase = '' mkdir -p $out/bin - makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/bundle $out/bin/gitlab-bundle \ + makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rake $out/bin/gitlab-rake \ ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ --set GITLAB_CONFIG_PATH '${cfg.statePath}/config' \ --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package ]}:$PATH' \ --set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \ --run 'cd ${cfg.packages.gitlab}/share/gitlab' - makeWrapper $out/bin/gitlab-bundle $out/bin/gitlab-rake \ - --add-flags "exec rake" ''; }; @@ -481,10 +475,10 @@ in { Type = "simple"; User = cfg.user; Group = cfg.group; - TimeoutSec = "300"; + TimeoutSec = "infinity"; Restart = "on-failure"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; - ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\""; + ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid"; }; }; @@ -492,15 +486,13 @@ in { after = [ "network.target" "gitlab.service" ]; wantedBy = [ "multi-user.target" ]; environment.HOME = gitlabEnv.HOME; - environment.GEM_HOME = "${cfg.packages.gitaly.rubyEnv}/${ruby.gemPath}"; environment.GITLAB_SHELL_CONFIG_PATH = gitlabEnv.GITLAB_SHELL_CONFIG_PATH; - path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv ruby ]; + path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv cfg.packages.gitaly.rubyEnv.wrappedRuby ]; serviceConfig = { - #PermissionsStartOnly = true; # preStart must be run as root Type = "simple"; User = cfg.user; Group = cfg.group; - TimeoutSec = "300"; + TimeoutSec = "infinity"; Restart = "on-failure"; WorkingDirectory = gitlabEnv.HOME; ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}"; @@ -528,7 +520,7 @@ in { Type = "simple"; User = cfg.user; Group = cfg.group; - TimeoutSec = "300"; + TimeoutSec = "infinity"; Restart = "on-failure"; WorkingDirectory = gitlabEnv.HOME; ExecStart = @@ -566,6 +558,7 @@ in { mkdir -p ${cfg.statePath}/tmp/pids mkdir -p ${cfg.statePath}/tmp/sockets mkdir -p ${cfg.statePath}/shell + mkdir -p ${cfg.statePath}/db rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks mkdir -p ${cfg.statePath}/config @@ -580,6 +573,7 @@ in { ln -sf ${cfg.statePath}/log /run/gitlab/log ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads ln -sf ${cfg.statePath}/tmp /run/gitlab/tmp + ln -sf $GITLAB_SHELL_CONFIG_PATH /run/gitlab/shell-config.yml chown -R ${cfg.user}:${cfg.group} /run/gitlab # Prepare home directory @@ -587,6 +581,7 @@ in { touch ${gitlabEnv.HOME}/.ssh/authorized_keys chown -R ${cfg.user}:${cfg.group} ${gitlabEnv.HOME}/ + cp -rf ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config ${optionalString cfg.smtp.enable '' ln -sf ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb @@ -654,10 +649,10 @@ in { Type = "simple"; User = cfg.user; Group = cfg.group; - TimeoutSec = "300"; + TimeoutSec = "infinity"; Restart = "on-failure"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; - ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\""; + ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/unicorn -c ${cfg.statePath}/config/unicorn.rb -E production"; }; }; diff --git a/nixos/modules/services/misc/gitlab.xml b/nixos/modules/services/misc/gitlab.xml index 4b00f50abd63..3306ba8e9b11 100644 --- a/nixos/modules/services/misc/gitlab.xml +++ b/nixos/modules/services/misc/gitlab.xml @@ -18,19 +18,18 @@ webserver to proxy HTTP requests to the socket.</para> frontend proxy: <programlisting> - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts."git.example.com" = { - enableACME = true; - forceSSL = true; - locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; - }; - }; -''; +<link linkend="opt-services.nginx.enable">services.nginx</link> = { + <link linkend="opt-services.nginx.enable">enable</link> = true; + <link linkend="opt-services.nginx.recommendedGzipSettings">recommendedGzipSettings</link> = true; + <link linkend="opt-services.nginx.recommendedOptimisation">recommendedOptimisation</link> = true; + <link linkend="opt-services.nginx.recommendedProxySettings">recommendedProxySettings</link> = true; + <link linkend="opt-services.nginx.recommendedTlsSettings">recommendedTlsSettings</link> = true; + <link linkend="opt-services.nginx.virtualHosts">virtualHosts</link>."git.example.com" = { + <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true; + <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">locations."/".proxyPass</link> = "http://unix:/run/gitlab/gitlab-workhorse.socket"; + }; +}; </programlisting> </para> @@ -49,24 +48,24 @@ all data like the repositories and uploads will be stored.</para> <programlisting> services.gitlab = { - enable = true; - databasePassword = "eXaMpl3"; - initialRootPassword = "UseNixOS!"; - https = true; - host = "git.example.com"; - port = 443; - user = "git"; - group = "git"; + <link linkend="opt-services.gitlab.enable">enable</link> = true; + <link linkend="opt-services.gitlab.databasePassword">databasePassword</link> = "eXaMpl3"; + <link linkend="opt-services.gitlab.initialRootPassword">initialRootPassword</link> = "UseNixOS!"; + <link linkend="opt-services.gitlab.https">https</link> = true; + <link linkend="opt-services.gitlab.host">host</link> = "git.example.com"; + <link linkend="opt-services.gitlab.port">port</link> = 443; + <link linkend="opt-services.gitlab.user">user</link> = "git"; + <link linkend="opt-services.gitlab.group">group</link> = "git"; smtp = { - enable = true; - address = "localhost"; - port = 25; + <link linkend="opt-services.gitlab.smtp.enable">enable</link> = true; + <link linkend="opt-services.gitlab.smtp.address">address</link> = "localhost"; + <link linkend="opt-services.gitlab.smtp.port">port</link> = 25; }; secrets = { - db = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6"; - secret = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3"; - otp = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI"; - jws = '' + <link linkend="opt-services.gitlab.secrets.db">db</link> = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6"; + <link linkend="opt-services.gitlab.secrets.secret">secret</link> = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3"; + <link linkend="opt-services.gitlab.secrets.otp">otp</link> = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI"; + <link linkend="opt-services.gitlab.secrets.jws">jws</link> = '' -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEArrtx4oHKwXoqUbMNqnHgAklnnuDon3XG5LJB35yPsXKv/8GK ke92wkI+s1Xkvsp8tg9BIY/7c6YK4SR07EWL+dB5qwctsWR2Q8z+/BKmTx9D99pm @@ -96,7 +95,7 @@ services.gitlab = { -----END RSA PRIVATE KEY----- ''; }; - extraConfig = { + <link linkend="opt-services.gitlab.extraConfig">extraConfig</link> = { gitlab = { email_from = "gitlab-no-reply@example.com"; email_display_name = "Example GitLab"; @@ -116,7 +115,7 @@ secret from <literal>config/secrets.yml</literal> located in your Gitlab state folder.</para> <para>Refer to <xref linkend="ch-options" /> for all available configuration -options for the <literal>services.gitlab</literal> module.</para> +options for the <link linkend="opt-services.gitlab.enable">services.gitlab</link> module.</para> </section> diff --git a/nixos/modules/services/misc/gitweb.nix b/nixos/modules/services/misc/gitweb.nix new file mode 100644 index 000000000000..ca21366b7796 --- /dev/null +++ b/nixos/modules/services/misc/gitweb.nix @@ -0,0 +1,59 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.gitweb; + +in +{ + + options.services.gitweb = { + + projectroot = mkOption { + default = "/srv/git"; + type = types.path; + description = '' + Path to git projects (bare repositories) that should be served by + gitweb. Must not end with a slash. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = types.lines; + description = '' + Verbatim configuration text appended to the generated gitweb.conf file. + ''; + example = '' + $feature{'highlight'}{'default'} = [1]; + $feature{'ctags'}{'default'} = [1]; + $feature{'avatar'}{'default'} = ['gravatar']; + ''; + }; + + gitwebTheme = mkOption { + default = false; + type = types.bool; + description = '' + Use an alternative theme for gitweb, strongly inspired by GitHub. + ''; + }; + + gitwebConfigFile = mkOption { + default = pkgs.writeText "gitweb.conf" '' + # path to git projects (<project>.git) + $projectroot = "${cfg.projectroot}"; + $highlight_bin = "${pkgs.highlight}/bin/highlight"; + ${cfg.extraConfig} + ''; + type = types.path; + readOnly = true; + internal = true; + }; + + }; + + meta.maintainers = with maintainers; [ gnidorah ]; + +} diff --git a/nixos/modules/services/misc/gogs.nix b/nixos/modules/services/misc/gogs.nix index f6d326e43d94..ba744d37e71c 100644 --- a/nixos/modules/services/misc/gogs.nix +++ b/nixos/modules/services/misc/gogs.nix @@ -35,6 +35,9 @@ let SECRET_KEY = #secretkey# INSTALL_LOCK = true + [log] + ROOT_PATH = ${cfg.stateDir}/log + ${cfg.extraConfig} ''; in diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix index cc60a143fa6c..1dc7b44ee37b 100644 --- a/nixos/modules/services/misc/home-assistant.nix +++ b/nixos/modules/services/misc/home-assistant.nix @@ -5,7 +5,10 @@ with lib; let cfg = config.services.home-assistant; - configFile = pkgs.writeText "configuration.yaml" (builtins.toJSON cfg.config); + # cfg.config != null can be assumed here + configFile = pkgs.writeText "configuration.json" + (builtins.toJSON (if cfg.applyDefaultConfig then + (lib.recursiveUpdate defaultConfig cfg.config) else cfg.config)); availableComponents = pkgs.home-assistant.availableComponents; @@ -38,6 +41,12 @@ let then (cfg.package.override { inherit extraComponents; }) else cfg.package; + # If you are changing this, please update the description in applyDefaultConfig + defaultConfig = { + homeassistant.time_zone = config.time.timeZone; + http.server_port = (toString cfg.port); + }; + in { meta.maintainers = with maintainers; [ dotlambda ]; @@ -50,6 +59,26 @@ in { description = "The config directory, where your <filename>configuration.yaml</filename> is located."; }; + port = mkOption { + default = 8123; + type = types.int; + description = "The port on which to listen."; + }; + + applyDefaultConfig = mkOption { + default = true; + type = types.bool; + description = '' + Setting this option enables a few configuration options for HA based on NixOS configuration (such as time zone) to avoid having to manually specify configuration we already have. + </para> + <para> + Currently one side effect of enabling this is that the <literal>http</literal> component will be enabled. + </para> + <para> + This only takes effect if <literal>config != null</literal> in order to ensure that a manually managed <filename>configuration.yaml</filename> is not overwritten. + ''; + }; + config = mkOption { default = null; type = with types; nullOr attrs; @@ -104,23 +133,33 @@ in { config = mkIf cfg.enable { systemd.services.home-assistant = { description = "Home Assistant"; - wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; preStart = lib.optionalString (cfg.config != null) '' - rm -f ${cfg.configDir}/configuration.yaml - ln -s ${configFile} ${cfg.configDir}/configuration.yaml + config=${cfg.configDir}/configuration.yaml + rm -f $config + ${pkgs.remarshal}/bin/json2yaml -i ${configFile} -o $config + chmod 444 $config ''; serviceConfig = { - ExecStart = '' - ${package}/bin/hass --config "${cfg.configDir}" - ''; + ExecStart = "${package}/bin/hass --config '${cfg.configDir}'"; User = "hass"; Group = "hass"; Restart = "on-failure"; ProtectSystem = "strict"; ReadWritePaths = "${cfg.configDir}"; PrivateTmp = true; + RemoveIPC = true; }; + path = [ + "/run/wrappers" # needed for ping + ]; + }; + + systemd.targets.home-assistant = rec { + description = "Home Assistant"; + wantedBy = [ "multi-user.target" ]; + wants = [ "home-assistant.service" ]; + after = wants; }; users.extraUsers.hass = { diff --git a/nixos/modules/services/misc/ihaskell.nix b/nixos/modules/services/misc/ihaskell.nix index e07a4a44613a..6da9cc8c47e6 100644 --- a/nixos/modules/services/misc/ihaskell.nix +++ b/nixos/modules/services/misc/ihaskell.nix @@ -55,7 +55,7 @@ in serviceConfig = { User = config.users.extraUsers.ihaskell.name; Group = config.users.extraGroups.ihaskell.name; - ExecStart = "${pkgs.stdenv.shell} -c \"cd $HOME;${ihaskell}/bin/ihaskell-notebook\""; + ExecStart = "${pkgs.runtimeShell} -c \"cd $HOME;${ihaskell}/bin/ihaskell-notebook\""; }; }; }; diff --git a/nixos/modules/services/misc/logkeys.nix b/nixos/modules/services/misc/logkeys.nix index df0b3ae24c90..ad13d9eaa674 100644 --- a/nixos/modules/services/misc/logkeys.nix +++ b/nixos/modules/services/misc/logkeys.nix @@ -7,6 +7,13 @@ let in { options.services.logkeys = { enable = mkEnableOption "logkeys service"; + + device = mkOption { + description = "Use the given device as keyboard input event device instead of /dev/input/eventX default."; + default = null; + type = types.nullOr types.string; + example = "/dev/input/event15"; + }; }; config = mkIf cfg.enable { @@ -14,7 +21,7 @@ in { description = "LogKeys Keylogger Daemon"; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${pkgs.logkeys}/bin/logkeys -s"; + ExecStart = "${pkgs.logkeys}/bin/logkeys -s${lib.optionalString (cfg.device != null) " -d ${cfg.device}"}"; ExecStop = "${pkgs.logkeys}/bin/logkeys -k"; Type = "forking"; }; diff --git a/nixos/modules/services/misc/mesos-slave.nix b/nixos/modules/services/misc/mesos-slave.nix index 47be10274d3b..effa29b64f63 100644 --- a/nixos/modules/services/misc/mesos-slave.nix +++ b/nixos/modules/services/misc/mesos-slave.nix @@ -188,7 +188,7 @@ in { description = "Mesos Slave"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - path = [ pkgs.stdenv.shellPackage ]; + path = [ pkgs.runtimeShellPackage ]; serviceConfig = { ExecStart = '' ${pkgs.mesos}/bin/mesos-slave \ @@ -213,7 +213,7 @@ in { PermissionsStartOnly = true; }; preStart = '' - mkdir -m 0700 -p ${cfg.workDir} + mkdir -m 0701 -p ${cfg.workDir} ''; }; }; diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix index a169b0f2c784..277ae9e292ce 100644 --- a/nixos/modules/services/misc/nix-daemon.nix +++ b/nixos/modules/services/misc/nix-daemon.nix @@ -30,12 +30,12 @@ let # /bin/sh in the sandbox as a bind-mount to bash. This means we # also need to include the entire closure of bash. Nix >= 2.0 # provides a /bin/sh by default. - sh = pkgs.stdenv.shell; + sh = pkgs.runtimeShell; binshDeps = pkgs.writeReferencesToFile sh; in - pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; inherit binshDeps; } '' + pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; } '' ${optionalString (!isNix20) '' - extraPaths=$(for i in $(cat binshDeps); do if test -d $i; then echo $i; fi; done) + extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done) ''} cat > $out <<END # WARNING: this file is generated from the nix.* options in @@ -338,7 +338,9 @@ in nixPath = mkOption { type = types.listOf types.str; default = - [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs" + [ + "$HOME/.nix-defexpr/channels" + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels" ]; @@ -439,19 +441,18 @@ in services.xserver.displayManager.hiddenUsers = map ({ name, ... }: name) nixbldUsers; + # FIXME: use systemd-tmpfiles to create Nix directories. system.activationScripts.nix = stringAfter [ "etc" "users" ] '' # Nix initialisation. - mkdir -m 0755 -p \ + install -m 0755 -d \ /nix/var/nix/gcroots \ /nix/var/nix/temproots \ - /nix/var/nix/manifests \ /nix/var/nix/userpool \ /nix/var/nix/profiles \ /nix/var/nix/db \ - /nix/var/log/nix/drvs \ - /nix/var/nix/channel-cache - mkdir -m 1777 -p \ + /nix/var/log/nix/drvs + install -m 1777 -d \ /nix/var/nix/gcroots/per-user \ /nix/var/nix/profiles/per-user \ /nix/var/nix/gcroots/tmp diff --git a/nixos/modules/services/misc/nixos-manual.nix b/nixos/modules/services/misc/nixos-manual.nix index 5d0f2abd13a9..4bd1c20edf71 100644 --- a/nixos/modules/services/misc/nixos-manual.nix +++ b/nixos/modules/services/misc/nixos-manual.nix @@ -23,7 +23,7 @@ let options = let scrubbedEval = evalModules { - modules = [ { nixpkgs.system = config.nixpkgs.system; } ] ++ baseModules; + modules = [ { nixpkgs.localSystem = config.nixpkgs.localSystem; } ] ++ baseModules; args = (config._module.args) // { modules = [ ]; }; specialArgs = { pkgs = scrubDerivations "pkgs" pkgs; }; }; @@ -43,7 +43,7 @@ let helpScript = pkgs.writeScriptBin "nixos-help" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e browser="$BROWSER" if [ -z "$browser" ]; then browser="$(type -P xdg-open || true)" @@ -112,10 +112,10 @@ in system.build.manual = manual; - environment.systemPackages = - [ manual.manual helpScript ] - ++ optionals config.services.xserver.enable [desktopItem pkgs.nixos-icons] - ++ optional config.programs.man.enable manual.manpages; + environment.systemPackages = [] + ++ optionals config.services.xserver.enable [ desktopItem pkgs.nixos-icons ] + ++ optional config.documentation.man.enable manual.manpages + ++ optionals config.documentation.doc.enable [ manual.manual helpScript ]; boot.extraTTYs = mkIf cfg.showManual ["tty${toString cfg.ttyNumber}"]; diff --git a/nixos/modules/services/misc/parsoid.nix b/nixos/modules/services/misc/parsoid.nix index ae3f84333d2d..c757093e5c1b 100644 --- a/nixos/modules/services/misc/parsoid.nix +++ b/nixos/modules/services/misc/parsoid.nix @@ -6,6 +6,8 @@ let cfg = config.services.parsoid; + parsoid = pkgs.nodePackages."parsoid-git://github.com/abbradar/parsoid#stable"; + confTree = { worker_heartbeat_timeout = 300000; logging = { level = "info"; }; @@ -93,7 +95,7 @@ in after = [ "network.target" ]; serviceConfig = { User = "nobody"; - ExecStart = "${pkgs.nodePackages.parsoid}/lib/node_modules/parsoid/bin/server.js -c ${confFile} -n ${toString cfg.workers}"; + ExecStart = "${parsoid}/lib/node_modules/parsoid/bin/server.js -c ${confFile} -n ${toString cfg.workers}"; }; }; diff --git a/nixos/modules/services/misc/safeeyes.nix b/nixos/modules/services/misc/safeeyes.nix new file mode 100644 index 000000000000..1a33971d9227 --- /dev/null +++ b/nixos/modules/services/misc/safeeyes.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.safeeyes; + +in + +{ + + ###### interface + + options = { + + services.safeeyes = { + + enable = mkOption { + default = false; + description = "Whether to enable the safeeyes OSGi service"; + }; + + }; + + }; + + ###### implementation + + config = mkIf cfg.enable { + + systemd.user.services.safeeyes = { + description = "Safeeyes"; + + wantedBy = [ "graphical-session.target" ]; + partOf = [ "graphical-session.target" ]; + + serviceConfig = { + ExecStart = '' + ${pkgs.safeeyes}/bin/safeeyes + ''; + Restart = "on-failure"; + RestartSec = 3; + StartLimitInterval = 350; + StartLimitBurst = 10; + }; + }; + + }; +} diff --git a/nixos/modules/services/misc/serviio.nix b/nixos/modules/services/misc/serviio.nix new file mode 100644 index 000000000000..a6612e9c6adb --- /dev/null +++ b/nixos/modules/services/misc/serviio.nix @@ -0,0 +1,92 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.serviio; + + serviioStart = pkgs.writeScript "serviio.sh" '' + #!${pkgs.bash}/bin/sh + + SERVIIO_HOME=${pkgs.serviio} + + # Setup the classpath + SERVIIO_CLASS_PATH="$SERVIIO_HOME/lib/*:$SERVIIO_HOME/config" + + # Setup Serviio specific properties + JAVA_OPTS="-Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -Dorg.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade + -Dderby.system.home=${cfg.dataDir}/library -Dserviio.home=${cfg.dataDir} -Dffmpeg.location=${pkgs.ffmpeg}/bin/ffmpeg -Ddcraw.location=${pkgs.dcraw}/bin/dcraw" + + # Execute the JVM in the foreground + exec ${pkgs.jre}/bin/java -Xmx512M -Xms20M -XX:+UseG1GC -XX:GCTimeRatio=1 -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 $JAVA_OPTS -classpath "$SERVIIO_CLASS_PATH" org.serviio.MediaServer "$@" + ''; + +in { + + ###### interface + options = { + services.serviio = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the Serviio Media Server. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/serviio"; + description = '' + The directory where serviio stores its state, data, etc. + ''; + }; + + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.serviio = { + description = "Serviio Media Server"; + after = [ "local-fs.target" "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.serviio ]; + serviceConfig = { + User = "serviio"; + Group = "serviio"; + ExecStart = "${serviioStart}"; + ExecStop = "${serviioStart} -stop"; + }; + }; + + users.extraUsers = [ + { + name = "serviio"; + group = "serviio"; + home = cfg.dataDir; + description = "Serviio Media Server User"; + createHome = true; + isSystemUser = true; + } + ]; + + users.extraGroups = [ + { name = "serviio";} + ]; + + networking.firewall = { + allowedTCPPorts = [ + 8895 # serve UPnP responses + 23423 # console + 23424 # mediabrowser + ]; + allowedUDPPorts = [ + 1900 # UPnP service discovey + ]; + }; + }; +} diff --git a/nixos/modules/services/misc/ssm-agent.nix b/nixos/modules/services/misc/ssm-agent.nix index a57fbca86fb6..e951a4c7ffa8 100644 --- a/nixos/modules/services/misc/ssm-agent.nix +++ b/nixos/modules/services/misc/ssm-agent.nix @@ -8,7 +8,7 @@ let # in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM # looks for. See https://github.com/aws/amazon-ssm-agent/issues/38 for upstream fix. fake-lsb-release = pkgs.writeScriptBin "lsb_release" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} case "$1" in -i) echo "nixos";; diff --git a/nixos/modules/services/misc/taskserver/doc.xml b/nixos/modules/services/misc/taskserver/doc.xml index 6d4d2a9b488c..75493ac1394f 100644 --- a/nixos/modules/services/misc/taskserver/doc.xml +++ b/nixos/modules/services/misc/taskserver/doc.xml @@ -55,7 +55,7 @@ Because Taskserver by default only provides scripts to setup users imperatively, the <command>nixos-taskserver</command> tool is used for addition and deletion of organisations along with users and groups defined - by <option>services.taskserver.organisations</option> and as well for + by <xref linkend="opt-services.taskserver.organisations"/> and as well for imperative set up. </para> @@ -99,10 +99,10 @@ For example, let's say you have the following configuration: <screen> { - services.taskserver.enable = true; - services.taskserver.fqdn = "server"; - services.taskserver.listenHost = "::"; - services.taskserver.organisations.my-company.users = [ "alice" ]; + <xref linkend="opt-services.taskserver.enable"/> = true; + <xref linkend="opt-services.taskserver.fqdn"/> = "server"; + <xref linkend="opt-services.taskserver.listenHost"/> = "::"; + <link linkend="opt-services.taskserver.organisations._name_.users">services.taskserver.organisations.my-company.users</link> = [ "alice" ]; } </screen> This creates an organisation called <literal>my-company</literal> with the @@ -136,7 +136,7 @@ $ ssh server nixos-taskserver user export my-company alice | sh <para> If you set any options within - <option>service.taskserver.pki.manual.*</option>, + <link linkend="opt-services.taskserver.pki.manual.ca.cert">service.taskserver.pki.manual</link>.*, <command>nixos-taskserver</command> won't issue certificates, but you can still use it for adding or removing user accounts. </para> diff --git a/nixos/modules/services/monitoring/apcupsd.nix b/nixos/modules/services/monitoring/apcupsd.nix index 9abd6e9ab641..839116de6265 100644 --- a/nixos/modules/services/monitoring/apcupsd.nix +++ b/nixos/modules/services/monitoring/apcupsd.nix @@ -38,7 +38,7 @@ let ]; shellCmdsForEventScript = eventname: commands: '' - echo "#!${pkgs.stdenv.shell}" > "$out/${eventname}" + echo "#!${pkgs.runtimeShell}" > "$out/${eventname}" echo '${commands}' >> "$out/${eventname}" chmod a+x "$out/${eventname}" ''; diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix index d48b78ae6d02..eceb91525db4 100644 --- a/nixos/modules/services/monitoring/grafana.nix +++ b/nixos/modules/services/monitoring/grafana.nix @@ -25,6 +25,7 @@ let DATABASE_USER = cfg.database.user; DATABASE_PASSWORD = cfg.database.password; DATABASE_PATH = cfg.database.path; + DATABASE_CONN_MAX_LIFETIME = cfg.database.connMaxLifetime; SECURITY_ADMIN_USER = cfg.security.adminUser; SECURITY_ADMIN_PASSWORD = cfg.security.adminPassword; @@ -49,7 +50,7 @@ in { protocol = mkOption { description = "Which protocol to listen."; default = "http"; - type = types.enum ["http" "https"]; + type = types.enum ["http" "https" "socket"]; }; addr = mkOption { @@ -143,6 +144,15 @@ in { default = "${cfg.dataDir}/data/grafana.db"; type = types.path; }; + + connMaxLifetime = mkOption { + description = '' + Sets the maximum amount of time (in seconds) a connection may be reused. + For MySQL this setting should be shorter than the `wait_timeout' variable. + ''; + default = 14400; + type = types.int; + }; }; security = { @@ -241,7 +251,9 @@ in { description = "Grafana Service Daemon"; wantedBy = ["multi-user.target"]; after = ["networking.target"]; - environment = mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions; + environment = { + QT_QPA_PLATFORM = "offscreen"; + } // mapAttrs' (n: v: nameValuePair "GF_${n}" (toString v)) envOptions; serviceConfig = { ExecStart = "${cfg.package.bin}/bin/grafana-server -homepath ${cfg.dataDir}"; WorkingDirectory = cfg.dataDir; @@ -249,7 +261,7 @@ in { }; preStart = '' ln -fs ${cfg.package}/share/grafana/conf ${cfg.dataDir} - ln -fs ${cfg.package}/share/grafana/vendor ${cfg.dataDir} + ln -fs ${cfg.package}/share/grafana/tools ${cfg.dataDir} ''; }; diff --git a/nixos/modules/services/monitoring/monit.nix b/nixos/modules/services/monitoring/monit.nix index 71f50cc0f19d..d48e5c550abb 100644 --- a/nixos/modules/services/monitoring/monit.nix +++ b/nixos/modules/services/monitoring/monit.nix @@ -26,16 +26,10 @@ in environment.systemPackages = [ pkgs.monit ]; - environment.etc = [ - { - source = pkgs.writeTextFile { - name = "monitrc"; - text = config.services.monit.config; - }; - target = "monitrc"; - mode = "0400"; - } - ]; + environment.etc."monitrc" = { + text = config.services.monit.config; + mode = "0400"; + }; systemd.services.monit = { description = "Pro-active monitoring utility for unix systems"; @@ -48,6 +42,8 @@ in KillMode = "process"; Restart = "always"; }; + restartTriggers = [ config.environment.etc."monitrc".source ]; }; + }; } diff --git a/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix b/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix deleted file mode 100644 index ce2e1cf2d74b..000000000000 --- a/nixos/modules/services/monitoring/prometheus/blackbox-exporter.nix +++ /dev/null @@ -1,68 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.blackboxExporter; -in { - options = { - services.prometheus.blackboxExporter = { - enable = mkEnableOption "prometheus blackbox exporter"; - - configFile = mkOption { - type = types.path; - description = '' - Path to configuration file. - ''; - }; - - port = mkOption { - type = types.int; - default = 9115; - description = '' - Port to listen on. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the blackbox exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-blackbox-exporter = { - description = "Prometheus exporter for blackbox probes"; - unitConfig.Documentation = "https://github.com/prometheus/blackbox_exporter"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "nobody"; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes - ExecStart = '' - ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \ - --web.listen-address :${toString cfg.port} \ - --config.file ${cfg.configFile} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/collectd-exporter.nix b/nixos/modules/services/monitoring/prometheus/collectd-exporter.nix deleted file mode 100644 index f8a5b9576a11..000000000000 --- a/nixos/modules/services/monitoring/prometheus/collectd-exporter.nix +++ /dev/null @@ -1,128 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.collectdExporter; - - collectSettingsArgs = if (cfg.collectdBinary.enable) then '' - -collectd.listen-address ${optionalString (cfg.collectdBinary.listenAddress != null) cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \ - -collectd.security-level ${cfg.collectdBinary.securityLevel} \ - '' else ""; - -in { - options = { - services.prometheus.collectdExporter = { - enable = mkEnableOption "prometheus collectd exporter"; - - port = mkOption { - type = types.int; - default = 9103; - description = '' - Port to listen on. - This is used for scraping as well as the to receive collectd data via the write_http plugin. - ''; - }; - - listenAddress = mkOption { - type = types.nullOr types.str; - default = null; - example = "0.0.0.0"; - description = '' - Address to listen on for web interface, telemetry and collectd JSON data. - ''; - }; - - collectdBinary = { - enable = mkEnableOption "collectd binary protocol receiver"; - - authFile = mkOption { - default = null; - type = types.nullOr types.path; - description = "File mapping user names to pre-shared keys (passwords)."; - }; - - port = mkOption { - type = types.int; - default = 25826; - description = ''Network address on which to accept collectd binary network packets.''; - }; - - listenAddress = mkOption { - type = types.nullOr types.str; - default = null; - example = "0.0.0.0"; - description = '' - Address to listen on for binary network packets. - ''; - }; - - securityLevel = mkOption { - type = types.enum ["None" "Sign" "Encrypt"]; - default = "None"; - description = '' - Minimum required security level for accepted packets. - ''; - }; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the collectd exporter. - ''; - }; - - logFormat = mkOption { - type = types.str; - default = "logger:stderr"; - example = "logger:syslog?appname=bob&local=7 or logger:stdout?json=true"; - description = '' - Set the log target and format. - ''; - }; - - logLevel = mkOption { - type = types.enum ["debug" "info" "warn" "error" "fatal"]; - default = "info"; - description = '' - Only log messages with the given severity or above. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = (optional cfg.openFirewall cfg.port) ++ - (optional (cfg.openFirewall && cfg.collectdBinary.enable) cfg.collectdBinary.port); - - systemd.services.prometheus-collectd-exporter = { - description = "Prometheus exporter for Collectd metrics"; - unitConfig.Documentation = "https://github.com/prometheus/collectd_exporter"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - DynamicUser = true; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecStart = '' - ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \ - -log.format ${cfg.logFormat} \ - -log.level ${cfg.logLevel} \ - -web.listen-address ${optionalString (cfg.listenAddress != null) cfg.listenAddress}:${toString cfg.port} \ - ${collectSettingsArgs} \ - ${concatStringsSep " " cfg.extraFlags} - ''; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/exporters.nix b/nixos/modules/services/monitoring/prometheus/exporters.nix new file mode 100644 index 000000000000..780448d8bad8 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters.nix @@ -0,0 +1,174 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.services.prometheus.exporters; + + # each attribute in `exporterOpts` is expected to have specified: + # - port (types.int): port on which the exporter listens + # - serviceOpts (types.attrs): config that is merged with the + # default definition of the exporter's + # systemd service + # - extraOpts (types.attrs): extra configuration options to + # configure the exporter with, which + # are appended to the default options + # + # Note that `extraOpts` is optional, but a script for the exporter's + # systemd service must be provided by specifying either + # `serviceOpts.script` or `serviceOpts.serviceConfig.ExecStart` + exporterOpts = { + blackbox = import ./exporters/blackbox.nix { inherit config lib pkgs; }; + collectd = import ./exporters/collectd.nix { inherit config lib pkgs; }; + dovecot = import ./exporters/dovecot.nix { inherit config lib pkgs; }; + fritzbox = import ./exporters/fritzbox.nix { inherit config lib pkgs; }; + json = import ./exporters/json.nix { inherit config lib pkgs; }; + minio = import ./exporters/minio.nix { inherit config lib pkgs; }; + nginx = import ./exporters/nginx.nix { inherit config lib pkgs; }; + node = import ./exporters/node.nix { inherit config lib pkgs; }; + postfix = import ./exporters/postfix.nix { inherit config lib pkgs; }; + snmp = import ./exporters/snmp.nix { inherit config lib pkgs; }; + surfboard = import ./exporters/surfboard.nix { inherit config lib pkgs; }; + unifi = import ./exporters/unifi.nix { inherit config lib pkgs; }; + varnish = import ./exporters/varnish.nix { inherit config lib pkgs; }; + }; + + mkExporterOpts = ({ name, port }: { + enable = mkEnableOption "the prometheus ${name} exporter"; + port = mkOption { + type = types.int; + default = port; + description = '' + Port to listen on. + ''; + }; + listenAddress = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + Address to listen on. + ''; + }; + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra commandline options to pass to the ${name} exporter. + ''; + }; + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open port in firewall for incoming connections. + ''; + }; + firewallFilter = mkOption { + type = types.str; + default = "-p tcp -m tcp --dport ${toString port}"; + example = literalExample '' + "-i eth0 -p tcp -m tcp --dport ${toString port}" + ''; + description = '' + Specify a filter for iptables to use when + <option>services.prometheus.exporters.${name}.openFirewall</option> + is true. It is used as `ip46tables -I INPUT <option>firewallFilter</option> -j ACCEPT`. + ''; + }; + user = mkOption { + type = types.str; + default = "nobody"; + description = '' + User name under which the ${name} exporter shall be run. + Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true. + ''; + }; + group = mkOption { + type = types.str; + default = "nobody"; + description = '' + Group under which the ${name} exporter shall be run. + Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true. + ''; + }; + }); + + mkSubModule = { name, port, extraOpts, serviceOpts }: { + ${name} = mkOption { + type = types.submodule { + options = (mkExporterOpts { + inherit name port; + } // extraOpts); + }; + internal = true; + default = {}; + }; + }; + + mkSubModules = (foldl' (a: b: a//b) {} + (mapAttrsToList (name: opts: mkSubModule { + inherit name; + inherit (opts) port serviceOpts; + extraOpts = opts.extraOpts or {}; + }) exporterOpts) + ); + + mkExporterConf = { name, conf, serviceOpts }: + mkIf conf.enable { + networking.firewall.extraCommands = mkIf conf.openFirewall '' + ip46tables -I INPUT ${conf.firewallFilter} -j ACCEPT + ''; + systemd.services."prometheus-${name}-exporter" = mkMerge ([{ + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + Restart = mkDefault "always"; + PrivateTmp = mkDefault true; + WorkingDirectory = mkDefault /tmp; + } // mkIf (!(serviceOpts.serviceConfig.DynamicUser or false)) { + User = conf.user; + Group = conf.group; + }; + } serviceOpts ]); + }; +in +{ + options.services.prometheus.exporters = mkOption { + type = types.submodule { + options = (mkSubModules); + }; + description = "Prometheus exporter configuration"; + default = {}; + example = literalExample '' + { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + }; + varnish.enable = true; + } + ''; + }; + + config = mkMerge ([{ + assertions = [{ + assertion = (cfg.snmp.configurationPath == null) != (cfg.snmp.configuration == null); + message = '' + Please ensure you have either `services.prometheus.exporters.snmp.configuration' + or `services.prometheus.exporters.snmp.configurationPath' set! + ''; + }]; + }] ++ [(mkIf config.services.minio.enable { + services.prometheus.exporters.minio.minioAddress = mkDefault "http://localhost:9000"; + services.prometheus.exporters.minio.minioAccessKey = mkDefault config.services.minio.accessKey; + services.prometheus.exporters.minio.minioAccessSecret = mkDefault config.services.minio.secretKey; + })] ++ (mapAttrsToList (name: conf: + mkExporterConf { + inherit name; + inherit (conf) serviceOpts; + conf = cfg.${name}; + }) exporterOpts) + ); + + meta.doc = ./exporters.xml; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters.xml b/nixos/modules/services/monitoring/prometheus/exporters.xml new file mode 100644 index 000000000000..4f0bcb298106 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters.xml @@ -0,0 +1,135 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="module-services-prometheus-exporters"> + +<title>Prometheus exporters</title> + +<para>Prometheus exporters provide metrics for the <link xlink:href="https://prometheus.io">prometheus monitoring system</link>.</para> + +<section><title>Configuration</title> + <para>One of the most common exporters is the <link xlink:href="https://github.com/prometheus/node_exporter">node exporter</link>, it provides hardware and OS metrics from the host it's running on. The exporter could be configured as follows: +<programlisting> + services.promtheus.exporters.node = { + enable = true; + enabledCollectors = [ + "logind" + "systemd" + ]; + disabledCollectors = [ + "textfile" + ]; + openFirewall = true; + firewallFilter = "-i br0 -p tcp -m tcp --dport 9100"; + }; +</programlisting> +It should now serve all metrics from the collectors +that are explicitly enabled and the ones that are +<link xlink:href="https://github.com/prometheus/node_exporter#enabled-by-default">enabled by default</link>, via http under <literal>/metrics</literal>. In this example the firewall should just +allow incoming connections to the exporter's port on the bridge interface <literal>br0</literal> +(this would have to be configured seperately of course). +For more information about configuration see <literal>man configuration.nix</literal> or +search through the <link xlink:href="https://nixos.org/nixos/options.html#prometheus.exporters">available options</link>. +</para> +</section> +<section><title>Adding a new exporter</title> + <para>To add a new exporter, it has to be packaged first (see <literal>nixpkgs/pkgs/servers/monitoring/prometheus/</literal> for examples), then a module can be added. The postfix exporter is used in this example:</para> +<itemizedlist> + <listitem> + <para> + Some default options for all exporters are provided by + <literal>nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix</literal>: + </para> + </listitem> + <listitem override='none'> + <itemizedlist> + <listitem><para><literal>enable</literal></para></listitem> + <listitem><para><literal>port</literal></para></listitem> + <listitem><para><literal>listenAddress</literal></para></listitem> + <listitem><para><literal>extraFlags</literal></para></listitem> + <listitem><para><literal>openFirewall</literal></para></listitem> + <listitem><para><literal>firewallFilter</literal></para></listitem> + <listitem><para><literal>user</literal></para></listitem> + <listitem><para><literal>group</literal></para></listitem> + </itemizedlist> + </listitem> + <listitem> + <para>As there is already a package available, the module can now be added. + This is accomplished by adding a new file to the + <literal>nixos/modules/services/monitoring/prometheus/exporters/</literal> directory, + which will be called postfix.nix and contains all exporter specific options + and configuration: + <programlisting> + # nixpgs/nixos/modules/services/prometheus/exporters/postfix.nix + { config, lib, pkgs }: + + with lib; + + let + # for convenience we define cfg here + cfg = config.services.prometheus.exporters.postfix; + in + { + port = 9154; # The postfix exporter listens on this port by default + + # `extraOpts` is an attribute set which contains additional options + # (and optional overrides for default options). + # Note that this attribute is optional. + extraOpts = { + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + logfilePath = mkOption { + type = types.path; + default = /var/log/postfix_exporter_input.log; + example = /var/log/mail.log; + description = '' + Path where Postfix writes log entries. + This file will be truncated by this exporter! + ''; + }; + showqPath = mkOption { + type = types.path; + default = /var/spool/postfix/public/showq; + example = /var/lib/postfix/queue/public/showq; + description = '' + Path at which Postfix places its showq socket. + ''; + }; + }; + + # `serviceOpts` is an attribute set which contains configuration + # for the exporter's systemd service. One of + # `serviceOpts.script` and `serviceOpts.serviceConfig.ExecStart` + # has to be specified here. This will be merged with the default + # service confiuration. + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; + } + </programlisting> + </para> + </listitem> + <listitem> + <para> + This should already be enough for the postfix exporter. Additionally one could + now add assertions and conditional default values. This can be done in the + 'meta-module' that combines all exporter definitions and generates the submodules: + <literal>nixpkgs/nixos/modules/services/prometheus/exporters.nix</literal> + </para> + </listitem> +</itemizedlist> +</section> +</chapter> diff --git a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix new file mode 100644 index 000000000000..d09d1c4f3663 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.blackbox; +in +{ + port = 9115; + extraOpts = { + configFile = mkOption { + type = types.path; + description = '' + Path to configuration file. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --config.file ${cfg.configFile} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix new file mode 100644 index 000000000000..0eba3527162d --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix @@ -0,0 +1,78 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.collectd; +in +{ + port = 9103; + extraOpts = { + collectdBinary = { + enable = mkEnableOption "collectd binary protocol receiver"; + + authFile = mkOption { + default = null; + type = types.nullOr types.path; + description = "File mapping user names to pre-shared keys (passwords)."; + }; + + port = mkOption { + type = types.int; + default = 25826; + description = ''Network address on which to accept collectd binary network packets.''; + }; + + listenAddress = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + Address to listen on for binary network packets. + ''; + }; + + securityLevel = mkOption { + type = types.enum ["None" "Sign" "Encrypt"]; + default = "None"; + description = '' + Minimum required security level for accepted packets. + ''; + }; + }; + + logFormat = mkOption { + type = types.str; + default = "logger:stderr"; + example = "logger:syslog?appname=bob&local=7 or logger:stdout?json=true"; + description = '' + Set the log target and format. + ''; + }; + + logLevel = mkOption { + type = types.enum ["debug" "info" "warn" "error" "fatal"]; + default = "info"; + description = '' + Only log messages with the given severity or above. + ''; + }; + }; + serviceOpts = let + collectSettingsArgs = if (cfg.collectdBinary.enable) then '' + -collectd.listen-address ${cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \ + -collectd.security-level ${cfg.collectdBinary.securityLevel} \ + '' else ""; + in { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \ + -log.format ${cfg.logFormat} \ + -log.level ${cfg.logLevel} \ + -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + ${collectSettingsArgs} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix new file mode 100644 index 000000000000..4ca6d4e5f8b6 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.dovecot; +in +{ + port = 9166; + extraOpts = { + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + socketPath = mkOption { + type = types.path; + default = "/var/run/dovecot/stats"; + example = "/var/run/dovecot2/stats"; + description = '' + Path under which the stats socket is placed. + The user/group under which the exporter runs, + should be able to access the socket in order + to scrape the metrics successfully. + ''; + }; + scopes = mkOption { + type = types.listOf types.str; + default = [ "user" ]; + example = [ "user" "global" ]; + description = '' + Stats scopes to query. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + --dovecot.socket-path ${cfg.socketPath} \ + --dovecot.scopes ${concatStringsSep "," cfg.scopes} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix b/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix new file mode 100644 index 000000000000..a3f1d9d31323 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.fritzbox; +in +{ + port = 9133; + extraOpts = { + gatewayAddress = mkOption { + type = types.str; + default = "fritz.box"; + description = '' + The hostname or IP of the FRITZ!Box. + ''; + }; + + gatewayPort = mkOption { + type = types.int; + default = 49000; + description = '' + The port of the FRITZ!Box UPnP service. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-fritzbox-exporter}/bin/fritzbox_exporter \ + -listen-address ${cfg.listenAddress}:${toString cfg.port} \ + -gateway-address ${cfg.gatewayAddress} \ + -gateway-port ${toString cfg.gatewayPort} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/json.nix b/nixos/modules/services/monitoring/prometheus/exporters/json.nix new file mode 100644 index 000000000000..a5494e85e016 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/json.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.json; +in +{ + port = 7979; + extraOpts = { + url = mkOption { + type = types.str; + description = '' + URL to scrape JSON from. + ''; + }; + configFile = mkOption { + type = types.path; + description = '' + Path to configuration file. + ''; + }; + listenAddress = {}; # not used + }; + serviceOpts = { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \ + --port ${toString cfg.port} \ + ${cfg.url} ${cfg.configFile} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/minio.nix b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix new file mode 100644 index 000000000000..3cc4ffdbc8fd --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/minio.nix @@ -0,0 +1,65 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.minio; +in +{ + port = 9290; + extraOpts = { + minioAddress = mkOption { + type = types.str; + example = "https://10.0.0.1:9000"; + description = '' + The URL of the minio server. + Use HTTPS if Minio accepts secure connections only. + By default this connects to the local minio server if enabled. + ''; + }; + + minioAccessKey = mkOption { + type = types.str; + example = "yourMinioAccessKey"; + description = '' + The value of the Minio access key. + It is required in order to connect to the server. + By default this uses the one from the local minio server if enabled + and <literal>config.services.minio.accessKey</literal>. + ''; + }; + + minioAccessSecret = mkOption { + type = types.str; + description = '' + The value of the Minio access secret. + It is required in order to connect to the server. + By default this uses the one from the local minio server if enabled + and <literal>config.services.minio.secretKey</literal>. + ''; + }; + + minioBucketStats = mkOption { + type = types.bool; + default = false; + description = '' + Collect statistics about the buckets and files in buckets. + It requires more computation, use it carefully in case of large buckets.. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-minio-exporter}/bin/minio-exporter \ + -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + -minio.server ${cfg.minioAddress} \ + -minio.access-key ${cfg.minioAccessKey} \ + -minio.access-secret ${cfg.minioAccessSecret} \ + ${optionalString cfg.minioBucketStats "-minio.bucket-stats"} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix new file mode 100644 index 000000000000..431dd8b4ead7 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/nginx.nix @@ -0,0 +1,47 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.nginx; +in +{ + port = 9113; + extraOpts = { + scrapeUri = mkOption { + type = types.str; + default = "http://localhost/nginx_status"; + description = '' + Address to access the nginx status page. + Can be enabled with services.nginx.statusPage = true. + ''; + }; + telemetryEndpoint = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + insecure = mkOption { + type = types.bool; + default = true; + description = '' + Ignore server certificate if using https. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-nginx-exporter}/bin/nginx_exporter \ + --nginx.scrape_uri '${cfg.scrapeUri}' \ + --telemetry.address ${cfg.listenAddress}:${toString cfg.port} \ + --telemetry.endpoint ${cfg.telemetryEndpoint} \ + --insecure ${toString cfg.insecure} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/node.nix b/nixos/modules/services/monitoring/prometheus/exporters/node.nix new file mode 100644 index 000000000000..c85f5f9cfb2d --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/node.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.node; +in +{ + port = 9100; + extraOpts = { + enabledCollectors = mkOption { + type = types.listOf types.string; + default = []; + example = ''[ "systemd" ]''; + description = '' + Collectors to enable. The collectors listed here are enabled in addition to the default ones. + ''; + }; + disabledCollectors = mkOption { + type = types.listOf types.str; + default = []; + example = ''[ "timex" ]''; + description = '' + Collectors to disable which are enabled by default. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-node-exporter}/bin/node_exporter \ + ${concatMapStringsSep " " (x: "--collector." + x) cfg.enabledCollectors} \ + ${concatMapStringsSep " " (x: "--no-collector." + x) cfg.disabledCollectors} \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix new file mode 100644 index 000000000000..efe78ebcba86 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/postfix.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.postfix; +in +{ + port = 9154; + extraOpts = { + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + logfilePath = mkOption { + type = types.path; + default = "/var/log/postfix_exporter_input.log"; + example = "/var/log/mail.log"; + description = '' + Path where Postfix writes log entries. + This file will be truncated by this exporter! + ''; + }; + showqPath = mkOption { + type = types.path; + default = "/var/spool/postfix/public/showq"; + example = "/var/lib/postfix/queue/public/showq"; + description = '' + Path where Postfix places it's showq socket. + ''; + }; + systemd = { + enable = mkEnableOption '' + reading metrics from the systemd-journal instead of from a logfile + ''; + unit = mkOption { + type = types.str; + default = "postfix.service"; + description = '' + Name of the postfix systemd unit. + ''; + }; + slice = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Name of the postfix systemd slice. + This overrides the <option>systemd.unit</option>. + ''; + }; + journalPath = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to the systemd journal. + ''; + }; + }; + }; + serviceOpts = { + serviceConfig = { + ExecStart = '' + ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + --postfix.showq_path ${cfg.showqPath} \ + ${concatStringsSep " \\\n " (cfg.extraFlags + ++ optional cfg.systemd.enable "--systemd.enable" + ++ optional cfg.systemd.enable (if cfg.systemd.slice != null + then "--systemd.slice ${cfg.systemd.slice}" + else "--systemd.unit ${cfg.systemd.unit}") + ++ optional (cfg.systemd.enable && (cfg.systemd.journalPath != null)) + "--systemd.jounal_path ${cfg.systemd.journalPath}" + ++ optional (!cfg.systemd.enable) "--postfix.logfile_path ${cfg.logfilePath}")} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix new file mode 100644 index 000000000000..404cd0a1896b --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/snmp.nix @@ -0,0 +1,71 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.snmp; +in +{ + port = 9116; + extraOpts = { + configurationPath = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to a snmp exporter configuration file. Mutually exclusive with 'configuration' option. + ''; + example = "./snmp.yml"; + }; + + configuration = mkOption { + type = types.nullOr types.attrs; + default = {}; + description = '' + Snmp exporter configuration as nix attribute set. Mutually exclusive with 'configurationPath' option. + ''; + example = '' + { + "default" = { + "version" = 2; + "auth" = { + "community" = "public"; + }; + }; + }; + ''; + }; + + logFormat = mkOption { + type = types.str; + default = "logger:stderr"; + description = '' + Set the log target and format. + ''; + }; + + logLevel = mkOption { + type = types.enum ["debug" "info" "warn" "error" "fatal"]; + default = "info"; + description = '' + Only log messages with the given severity or above. + ''; + }; + }; + serviceOpts = let + configFile = if cfg.configurationPath != null + then cfg.configurationPath + else "${pkgs.writeText "snmp-eporter-conf.yml" (builtins.toJSON cfg.configuration)}"; + in { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \ + -config.file ${configFile} \ + -log.format ${cfg.logFormat} \ + -log.level ${cfg.logLevel} \ + -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix b/nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix new file mode 100644 index 000000000000..715dba06a3dc --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/surfboard.nix @@ -0,0 +1,32 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.surfboard; +in +{ + port = 9239; + extraOpts = { + modemAddress = mkOption { + type = types.str; + default = "192.168.100.1"; + description = '' + The hostname or IP of the cable modem. + ''; + }; + }; + serviceOpts = { + description = "Prometheus exporter for surfboard cable modem"; + unitConfig.Documentation = "https://github.com/ipstatic/surfboard_exporter"; + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-surfboard-exporter}/bin/surfboard_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --modem-address ${cfg.modemAddress} \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix new file mode 100644 index 000000000000..011dcbe208e4 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/unifi.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.unifi; +in +{ + port = 9130; + extraOpts = { + unifiAddress = mkOption { + type = types.str; + example = "https://10.0.0.1:8443"; + description = '' + URL of the UniFi Controller API. + ''; + }; + + unifiInsecure = mkOption { + type = types.bool; + default = false; + description = '' + If enabled skip the verification of the TLS certificate of the UniFi Controller API. + Use with caution. + ''; + }; + + unifiUsername = mkOption { + type = types.str; + example = "ReadOnlyUser"; + description = '' + username for authentication against UniFi Controller API. + ''; + }; + + unifiPassword = mkOption { + type = types.str; + description = '' + Password for authentication against UniFi Controller API. + ''; + }; + + unifiTimeout = mkOption { + type = types.str; + default = "5s"; + example = "2m"; + description = '' + Timeout including unit for UniFi Controller API requests. + ''; + }; + }; + serviceOpts = { + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \ + -telemetry.addr ${cfg.listenAddress}:${toString cfg.port} \ + -unifi.addr ${cfg.unifiAddress} \ + -unifi.username ${cfg.unifiUsername} \ + -unifi.password ${cfg.unifiPassword} \ + -unifi.timeout ${cfg.unifiTimeout} \ + ${optionalString cfg.unifiInsecure "-unifi.insecure" } \ + ${concatStringsSep " \\\n " cfg.extraFlags} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix new file mode 100644 index 000000000000..8dbf2d735ab9 --- /dev/null +++ b/nixos/modules/services/monitoring/prometheus/exporters/varnish.nix @@ -0,0 +1,87 @@ +{ config, lib, pkgs }: + +with lib; + +let + cfg = config.services.prometheus.exporters.varnish; +in +{ + port = 9131; + extraOpts = { + noExit = mkOption { + type = types.bool; + default = false; + description = '' + Do not exit server on Varnish scrape errors. + ''; + }; + withGoMetrics = mkOption { + type = types.bool; + default = false; + description = '' + Export go runtime and http handler metrics. + ''; + }; + verbose = mkOption { + type = types.bool; + default = false; + description = '' + Enable verbose logging. + ''; + }; + raw = mkOption { + type = types.bool; + default = false; + description = '' + Enable raw stdout logging without timestamps. + ''; + }; + varnishStatPath = mkOption { + type = types.str; + default = "varnishstat"; + description = '' + Path to varnishstat. + ''; + }; + instance = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + varnishstat -n value. + ''; + }; + healthPath = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path under which to expose healthcheck. Disabled unless configured. + ''; + }; + telemetryPath = mkOption { + type = types.str; + default = "/metrics"; + description = '' + Path under which to expose metrics. + ''; + }; + }; + serviceOpts = { + path = [ pkgs.varnish ]; + serviceConfig = { + DynamicUser = true; + ExecStart = '' + ${pkgs.prometheus-varnish-exporter}/bin/prometheus_varnish_exporter \ + --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ + --web.telemetry-path ${cfg.telemetryPath} \ + --varnishstat-path ${cfg.varnishStatPath} \ + ${concatStringsSep " \\\n " (cfg.extraFlags + ++ optional (cfg.healthPath != null) "--web.health-path ${cfg.healthPath}" + ++ optional (cfg.instance != null) "-n ${cfg.instance}" + ++ optional cfg.noExit "--no-exit" + ++ optional cfg.withGoMetrics "--with-go-metrics" + ++ optional cfg.verbose "--verbose" + ++ optional cfg.raw "--raw")} + ''; + }; + }; +} diff --git a/nixos/modules/services/monitoring/prometheus/fritzbox-exporter.nix b/nixos/modules/services/monitoring/prometheus/fritzbox-exporter.nix deleted file mode 100644 index 6da39b6519cb..000000000000 --- a/nixos/modules/services/monitoring/prometheus/fritzbox-exporter.nix +++ /dev/null @@ -1,76 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.fritzboxExporter; -in { - options = { - services.prometheus.fritzboxExporter = { - enable = mkEnableOption "prometheus fritzbox exporter"; - - port = mkOption { - type = types.int; - default = 9133; - description = '' - Port to listen on. - ''; - }; - - gatewayAddress = mkOption { - type = types.str; - default = "fritz.box"; - description = '' - The hostname or IP of the FRITZ!Box. - ''; - }; - - gatewayPort = mkOption { - type = types.int; - default = 49000; - description = '' - The port of the FRITZ!Box UPnP service. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the fritzbox exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-fritzbox-exporter = { - description = "Prometheus exporter for FRITZ!Box via UPnP"; - unitConfig.Documentation = "https://github.com/ndecker/fritzbox_exporter"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "nobody"; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecStart = '' - ${pkgs.prometheus-fritzbox-exporter}/bin/fritzbox_exporter \ - -listen-address :${toString cfg.port} \ - -gateway-address ${cfg.gatewayAddress} \ - -gateway-port ${toString cfg.gatewayPort} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/json-exporter.nix b/nixos/modules/services/monitoring/prometheus/json-exporter.nix deleted file mode 100644 index 6bc56df9834b..000000000000 --- a/nixos/modules/services/monitoring/prometheus/json-exporter.nix +++ /dev/null @@ -1,74 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.jsonExporter; -in { - options = { - services.prometheus.jsonExporter = { - enable = mkEnableOption "prometheus JSON exporter"; - - url = mkOption { - type = types.str; - description = '' - URL to scrape JSON from. - ''; - }; - - configFile = mkOption { - type = types.path; - description = '' - Path to configuration file. - ''; - }; - - port = mkOption { - type = types.int; - default = 7979; - description = '' - Port to listen on. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the JSON exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-json-exporter = { - description = "Prometheus exporter for JSON over HTTP"; - unitConfig.Documentation = "https://github.com/kawamuray/prometheus-json-exporter"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "nobody"; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecStart = '' - ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \ - --port ${toString cfg.port} \ - ${cfg.url} ${cfg.configFile} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/minio-exporter.nix b/nixos/modules/services/monitoring/prometheus/minio-exporter.nix deleted file mode 100644 index 4314671523cf..000000000000 --- a/nixos/modules/services/monitoring/prometheus/minio-exporter.nix +++ /dev/null @@ -1,117 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.minioExporter; -in { - options = { - services.prometheus.minioExporter = { - enable = mkEnableOption "prometheus minio exporter"; - - port = mkOption { - type = types.int; - default = 9290; - description = '' - Port to listen on. - ''; - }; - - listenAddress = mkOption { - type = types.nullOr types.str; - default = null; - example = "0.0.0.0"; - description = '' - Address to listen on for web interface and telemetry. - ''; - }; - - minioAddress = mkOption { - type = types.str; - example = "https://10.0.0.1:9000"; - default = if config.services.minio.enable then "http://localhost:9000" else null; - description = '' - The URL of the minio server. - Use HTTPS if Minio accepts secure connections only. - By default this connects to the local minio server if enabled. - ''; - }; - - minioAccessKey = mkOption ({ - type = types.str; - example = "BKIKJAA5BMMU2RHO6IBB"; - description = '' - The value of the Minio access key. - It is required in order to connect to the server. - By default this uses the one from the local minio server if enabled - and <literal>config.services.minio.accessKey</literal>. - ''; - } // optionalAttrs (config.services.minio.enable && config.services.minio.accessKey != "") { - default = config.services.minio.accessKey; - }); - - minioAccessSecret = mkOption ({ - type = types.str; - description = '' - The calue of the Minio access secret. - It is required in order to connect to the server. - By default this uses the one from the local minio server if enabled - and <literal>config.services.minio.secretKey</literal>. - ''; - } // optionalAttrs (config.services.minio.enable && config.services.minio.secretKey != "") { - default = config.services.minio.secretKey; - }); - - minioBucketStats = mkOption { - type = types.bool; - default = false; - description = '' - Collect statistics about the buckets and files in buckets. - It requires more computation, use it carefully in case of large buckets.. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the minio exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-minio-exporter = { - description = "Prometheus exporter for Minio server metrics"; - unitConfig.Documentation = "https://github.com/joe-pll/minio-exporter"; - wantedBy = [ "multi-user.target" ]; - after = optional config.services.minio.enable "minio.service"; - serviceConfig = { - DynamicUser = true; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecStart = '' - ${pkgs.prometheus-minio-exporter}/bin/minio-exporter \ - -web.listen-address ${optionalString (cfg.listenAddress != null) cfg.listenAddress}:${toString cfg.port} \ - -minio.server ${cfg.minioAddress} \ - -minio.access-key ${cfg.minioAccessKey} \ - -minio.access-secret ${cfg.minioAccessSecret} \ - ${optionalString cfg.minioBucketStats "-minio.bucket-stats"} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/nginx-exporter.nix b/nixos/modules/services/monitoring/prometheus/nginx-exporter.nix deleted file mode 100644 index 1ccafee3b18b..000000000000 --- a/nixos/modules/services/monitoring/prometheus/nginx-exporter.nix +++ /dev/null @@ -1,78 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.nginxExporter; -in { - options = { - services.prometheus.nginxExporter = { - enable = mkEnableOption "prometheus nginx exporter"; - - port = mkOption { - type = types.int; - default = 9113; - description = '' - Port to listen on. - ''; - }; - - listenAddress = mkOption { - type = types.string; - default = "0.0.0.0"; - description = '' - Address to listen on. - ''; - }; - - scrapeUri = mkOption { - type = types.string; - default = "http://localhost/nginx_status"; - description = '' - Address to access the nginx status page. - Can be enabled with services.nginx.statusPage = true. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the nginx exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-nginx-exporter = { - after = [ "network.target" "nginx.service" ]; - description = "Prometheus exporter for nginx metrics"; - unitConfig.Documentation = "https://github.com/discordianfish/nginx_exporter"; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "nobody"; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecStart = '' - ${pkgs.prometheus-nginx-exporter}/bin/nginx_exporter \ - -nginx.scrape_uri '${cfg.scrapeUri}' \ - -telemetry.address ${cfg.listenAddress}:${toString cfg.port} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/node-exporter.nix b/nixos/modules/services/monitoring/prometheus/node-exporter.nix deleted file mode 100644 index bad4389ce799..000000000000 --- a/nixos/modules/services/monitoring/prometheus/node-exporter.nix +++ /dev/null @@ -1,87 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.nodeExporter; -in { - options = { - services.prometheus.nodeExporter = { - enable = mkEnableOption "prometheus node exporter"; - - port = mkOption { - type = types.int; - default = 9100; - description = '' - Port to listen on. - ''; - }; - - listenAddress = mkOption { - type = types.string; - default = "0.0.0.0"; - description = '' - Address to listen on. - ''; - }; - - enabledCollectors = mkOption { - type = types.listOf types.string; - default = []; - example = ''[ "systemd" ]''; - description = '' - Collectors to enable. The collectors listed here are enabled in addition to the default ones. - ''; - }; - - disabledCollectors = mkOption { - type = types.listOf types.str; - default = []; - example = ''[ "timex" ]''; - description = '' - Collectors to disable which are enabled by default. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the node exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-node-exporter = { - description = "Prometheus exporter for machine metrics"; - unitConfig.Documentation = "https://github.com/prometheus/node_exporter"; - wantedBy = [ "multi-user.target" ]; - script = '' - exec ${pkgs.prometheus-node-exporter}/bin/node_exporter \ - ${concatMapStringsSep " " (x: "--collector." + x) cfg.enabledCollectors} \ - ${concatMapStringsSep " " (x: "--no-collector." + x) cfg.disabledCollectors} \ - --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - serviceConfig = { - User = "nobody"; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/snmp-exporter.nix b/nixos/modules/services/monitoring/prometheus/snmp-exporter.nix deleted file mode 100644 index fe33f8c1f04d..000000000000 --- a/nixos/modules/services/monitoring/prometheus/snmp-exporter.nix +++ /dev/null @@ -1,127 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.snmpExporter; - mkConfigFile = pkgs.writeText "snmp.yml" (if cfg.configurationPath == null then builtins.toJSON cfg.configuration else builtins.readFile cfg.configurationPath); -in { - options = { - services.prometheus.snmpExporter = { - enable = mkEnableOption "Prometheus snmp exporter"; - - user = mkOption { - type = types.str; - default = "nobody"; - description = '' - User name under which snmp exporter shall be run. - ''; - }; - - group = mkOption { - type = types.str; - default = "nogroup"; - description = '' - Group under which snmp exporter shall be run. - ''; - }; - - port = mkOption { - type = types.int; - default = 9116; - description = '' - Port to listen on. - ''; - }; - - listenAddress = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Address to listen on for web interface and telemetry. - ''; - }; - - configurationPath = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Path to a snmp exporter configuration file. Mutually exclusive with 'configuration' option. - ''; - example = "./snmp.yml"; - }; - - configuration = mkOption { - type = types.nullOr types.attrs; - default = {}; - description = '' - Snmp exporter configuration as nix attribute set. Mutually exclusive with 'configurationPath' option. - ''; - example = '' - { - "default" = { - "version" = 2; - "auth" = { - "community" = "public"; - }; - }; - }; - ''; - }; - - logFormat = mkOption { - type = types.str; - default = "logger:stderr"; - description = '' - Set the log target and format. - ''; - }; - - logLevel = mkOption { - type = types.enum ["debug" "info" "warn" "error" "fatal"]; - default = "info"; - description = '' - Only log messages with the given severity or above. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - assertions = singleton - { - assertion = (cfg.configurationPath == null) != (cfg.configuration == null); - message = "Please ensure you have either 'configuration' or 'configurationPath' set!"; - }; - - systemd.services.prometheus-snmp-exporter = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - script = '' - ${pkgs.prometheus-snmp-exporter.bin}/bin/snmp_exporter \ - -config.file ${mkConfigFile} \ - -log.format ${cfg.logFormat} \ - -log.level ${cfg.logLevel} \ - -web.listen-address ${optionalString (cfg.listenAddress != null) cfg.listenAddress}:${toString cfg.port} - ''; - - serviceConfig = { - User = cfg.user; - Group = cfg.group; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = "/tmp"; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/unifi-exporter.nix b/nixos/modules/services/monitoring/prometheus/unifi-exporter.nix deleted file mode 100644 index 0a56d6ae95a5..000000000000 --- a/nixos/modules/services/monitoring/prometheus/unifi-exporter.nix +++ /dev/null @@ -1,105 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.prometheus.unifiExporter; -in { - options = { - services.prometheus.unifiExporter = { - enable = mkEnableOption "prometheus unifi exporter"; - - port = mkOption { - type = types.int; - default = 9130; - description = '' - Port to listen on. - ''; - }; - - unifiAddress = mkOption { - type = types.str; - example = "https://10.0.0.1:8443"; - description = '' - URL of the UniFi Controller API. - ''; - }; - - unifiInsecure = mkOption { - type = types.bool; - default = false; - description = '' - If enabled skip the verification of the TLS certificate of the UniFi Controller API. - Use with caution. - ''; - }; - - unifiUsername = mkOption { - type = types.str; - example = "ReadOnlyUser"; - description = '' - username for authentication against UniFi Controller API. - ''; - }; - - unifiPassword = mkOption { - type = types.str; - description = '' - Password for authentication against UniFi Controller API. - ''; - }; - - unifiTimeout = mkOption { - type = types.str; - default = "5s"; - example = "2m"; - description = '' - Timeout including unit for UniFi Controller API requests. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the unifi exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-unifi-exporter = { - description = "Prometheus exporter for UniFi Controller metrics"; - unitConfig.Documentation = "https://github.com/mdlayher/unifi_exporter"; - wantedBy = [ "multi-user.target" ]; - after = optional config.services.unifi.enable "unifi.service"; - serviceConfig = { - User = "nobody"; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecStart = '' - ${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \ - -telemetry.addr :${toString cfg.port} \ - -unifi.addr ${cfg.unifiAddress} \ - -unifi.username ${cfg.unifiUsername} \ - -unifi.password ${cfg.unifiPassword} \ - -unifi.timeout ${cfg.unifiTimeout} \ - ${optionalString cfg.unifiInsecure "-unifi.insecure" } \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/prometheus/varnish-exporter.nix b/nixos/modules/services/monitoring/prometheus/varnish-exporter.nix deleted file mode 100644 index 143ebb62aeac..000000000000 --- a/nixos/modules/services/monitoring/prometheus/varnish-exporter.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ config, pkgs, lib, ... }: - -# Shamelessly cribbed from nginx-exporter.nix. ~ C. -with lib; - -let - cfg = config.services.prometheus.varnishExporter; -in { - options = { - services.prometheus.varnishExporter = { - enable = mkEnableOption "prometheus Varnish exporter"; - - port = mkOption { - type = types.int; - default = 9131; - description = '' - Port to listen on. - ''; - }; - - extraFlags = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Extra commandline options when launching the Varnish exporter. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = '' - Open port in firewall for incoming connections. - ''; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port; - - systemd.services.prometheus-varnish-exporter = { - description = "Prometheus exporter for Varnish metrics"; - unitConfig.Documentation = "https://github.com/jonnenauha/prometheus_varnish_exporter"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.varnish ]; - script = '' - exec ${pkgs.prometheus-varnish-exporter}/bin/prometheus_varnish_exporter \ - -web.listen-address :${toString cfg.port} \ - ${concatStringsSep " \\\n " cfg.extraFlags} - ''; - serviceConfig = { - User = "nobody"; - Restart = "always"; - PrivateTmp = true; - WorkingDirectory = /tmp; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - }; - }; - }; -} diff --git a/nixos/modules/services/monitoring/smartd.nix b/nixos/modules/services/monitoring/smartd.nix index b8d9e58a5a82..fecae4ca1b36 100644 --- a/nixos/modules/services/monitoring/smartd.nix +++ b/nixos/modules/services/monitoring/smartd.nix @@ -14,7 +14,7 @@ let nx = cfg.notifications.x11; smartdNotify = pkgs.writeScript "smartd-notify.sh" '' - #! ${pkgs.stdenv.shell} + #! ${pkgs.runtimeShell} ${optionalString nm.enable '' { ${pkgs.coreutils}/bin/cat << EOF diff --git a/nixos/modules/services/network-filesystems/ceph.nix b/nixos/modules/services/network-filesystems/ceph.nix new file mode 100644 index 000000000000..5de8ae79a246 --- /dev/null +++ b/nixos/modules/services/network-filesystems/ceph.nix @@ -0,0 +1,371 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + ceph = pkgs.ceph; + cfg = config.services.ceph; + # function that translates "camelCaseOptions" to "camel case options", credits to tilpner in #nixos@freenode + translateOption = replaceStrings upperChars (map (s: " ${s}") lowerChars); + generateDaemonList = (daemonType: daemons: extraServiceConfig: + mkMerge ( + map (daemon: + { "ceph-${daemonType}-${daemon}" = generateServiceFile daemonType daemon cfg.global.clusterName ceph extraServiceConfig; } + ) daemons + ) + ); + generateServiceFile = (daemonType: daemonId: clusterName: ceph: extraServiceConfig: { + enable = true; + description = "Ceph ${builtins.replaceStrings lowerChars upperChars daemonType} daemon ${daemonId}"; + after = [ "network-online.target" "local-fs.target" "time-sync.target" ] ++ optional (daemonType == "osd") "ceph-mon.target"; + wants = [ "network-online.target" "local-fs.target" "time-sync.target" ]; + partOf = [ "ceph-${daemonType}.target" ]; + wantedBy = [ "ceph-${daemonType}.target" ]; + + serviceConfig = { + LimitNOFILE = 1048576; + LimitNPROC = 1048576; + Environment = "CLUSTER=${clusterName}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + PrivateDevices = "yes"; + PrivateTmp = "true"; + ProtectHome = "true"; + ProtectSystem = "full"; + Restart = "on-failure"; + StartLimitBurst = "5"; + StartLimitInterval = "30min"; + ExecStart = "${ceph.out}/bin/${if daemonType == "rgw" then "radosgw" else "ceph-${daemonType}"} -f --cluster ${clusterName} --id ${if daemonType == "rgw" then "client.${daemonId}" else daemonId} --setuser ceph --setgroup ceph"; + } // extraServiceConfig + // optionalAttrs (daemonType == "osd") { ExecStartPre = "${ceph.out}/libexec/ceph/ceph-osd-prestart.sh --id ${daemonId} --cluster ${clusterName}"; }; + } // optionalAttrs (builtins.elem daemonType [ "mds" "mon" "rgw" "mgr" ]) { preStart = '' + daemonPath="/var/lib/ceph/${if daemonType == "rgw" then "radosgw" else daemonType}/${clusterName}-${daemonId}" + if [ ! -d ''$daemonPath ]; then + mkdir -m 755 -p ''$daemonPath + chown -R ceph:ceph ''$daemonPath + fi + ''; + } // optionalAttrs (daemonType == "osd") { path = [ pkgs.getopt ]; } + ); + generateTargetFile = (daemonType: + { + "ceph-${daemonType}" = { + description = "Ceph target allowing to start/stop all ceph-${daemonType} services at once"; + partOf = [ "ceph.target" ]; + before = [ "ceph.target" ]; + }; + } + ); +in +{ + options.services.ceph = { + # Ceph has a monolithic configuration file but different sections for + # each daemon, a separate client section and a global section + enable = mkEnableOption "Ceph global configuration"; + + global = { + fsid = mkOption { + type = types.str; + example = '' + 433a2193-4f8a-47a0-95d2-209d7ca2cca5 + ''; + description = '' + Filesystem ID, a generated uuid, its must be generated and set before + attempting to start a cluster + ''; + }; + + clusterName = mkOption { + type = types.str; + default = "ceph"; + description = '' + Name of cluster + ''; + }; + + monInitialMembers = mkOption { + type = with types; nullOr commas; + default = null; + example = '' + node0, node1, node2 + ''; + description = '' + List of hosts that will be used as monitors at startup. + ''; + }; + + monHost = mkOption { + type = with types; nullOr commas; + default = null; + example = '' + 10.10.0.1, 10.10.0.2, 10.10.0.3 + ''; + description = '' + List of hostname shortnames/IP addresses of the initial monitors. + ''; + }; + + maxOpenFiles = mkOption { + type = types.int; + default = 131072; + description = '' + Max open files for each OSD daemon. + ''; + }; + + authClusterRequired = mkOption { + type = types.enum [ "cephx" "none" ]; + default = "cephx"; + description = '' + Enables requiring daemons to authenticate with eachother in the cluster. + ''; + }; + + authServiceRequired = mkOption { + type = types.enum [ "cephx" "none" ]; + default = "cephx"; + description = '' + Enables requiring clients to authenticate with the cluster to access services in the cluster (e.g. radosgw, mds or osd). + ''; + }; + + authClientRequired = mkOption { + type = types.enum [ "cephx" "none" ]; + default = "cephx"; + description = '' + Enables requiring the cluster to authenticate itself to the client. + ''; + }; + + publicNetwork = mkOption { + type = with types; nullOr commas; + default = null; + example = '' + 10.20.0.0/24, 192.168.1.0/24 + ''; + description = '' + A comma-separated list of subnets that will be used as public networks in the cluster. + ''; + }; + + clusterNetwork = mkOption { + type = with types; nullOr commas; + default = null; + example = '' + 10.10.0.0/24, 192.168.0.0/24 + ''; + description = '' + A comma-separated list of subnets that will be used as cluster networks in the cluster. + ''; + }; + }; + + mgr = { + enable = mkEnableOption "Ceph MGR daemon"; + daemons = mkOption { + type = with types; listOf str; + default = []; + example = '' + [ "name1" "name2" ]; + ''; + description = '' + A list of names for manager daemons that should have a service created. The names correspond + to the id part in ceph i.e. [ "name1" ] would result in mgr.name1 + ''; + }; + extraConfig = mkOption { + type = with types; attrsOf str; + default = {}; + description = '' + Extra configuration to add to the global section for manager daemons. + ''; + }; + }; + + mon = { + enable = mkEnableOption "Ceph MON daemon"; + daemons = mkOption { + type = with types; listOf str; + default = []; + example = '' + [ "name1" "name2" ]; + ''; + description = '' + A list of monitor daemons that should have a service created. The names correspond + to the id part in ceph i.e. [ "name1" ] would result in mon.name1 + ''; + }; + extraConfig = mkOption { + type = with types; attrsOf str; + default = {}; + description = '' + Extra configuration to add to the monitor section. + ''; + }; + }; + + osd = { + enable = mkEnableOption "Ceph OSD daemon"; + daemons = mkOption { + type = with types; listOf str; + default = []; + example = '' + [ "name1" "name2" ]; + ''; + description = '' + A list of OSD daemons that should have a service created. The names correspond + to the id part in ceph i.e. [ "name1" ] would result in osd.name1 + ''; + }; + extraConfig = mkOption { + type = with types; attrsOf str; + default = { + "osd journal size" = "10000"; + "osd pool default size" = "3"; + "osd pool default min size" = "2"; + "osd pool default pg num" = "200"; + "osd pool default pgp num" = "200"; + "osd crush chooseleaf type" = "1"; + }; + description = '' + Extra configuration to add to the OSD section. + ''; + }; + }; + + mds = { + enable = mkEnableOption "Ceph MDS daemon"; + daemons = mkOption { + type = with types; listOf str; + default = []; + example = '' + [ "name1" "name2" ]; + ''; + description = '' + A list of metadata service daemons that should have a service created. The names correspond + to the id part in ceph i.e. [ "name1" ] would result in mds.name1 + ''; + }; + extraConfig = mkOption { + type = with types; attrsOf str; + default = {}; + description = '' + Extra configuration to add to the MDS section. + ''; + }; + }; + + rgw = { + enable = mkEnableOption "Ceph RadosGW daemon"; + daemons = mkOption { + type = with types; listOf str; + default = []; + example = '' + [ "name1" "name2" ]; + ''; + description = '' + A list of rados gateway daemons that should have a service created. The names correspond + to the id part in ceph i.e. [ "name1" ] would result in client.name1, radosgw daemons + aren't daemons to cluster in the sense that OSD, MGR or MON daemons are. They are simply + daemons, from ceph, that uses the cluster as a backend. + ''; + }; + }; + + client = { + enable = mkEnableOption "Ceph client configuration"; + extraConfig = mkOption { + type = with types; attrsOf str; + default = {}; + example = '' + { + # This would create a section for a radosgw daemon named node0 and related + # configuration for it + "client.radosgw.node0" = { "some config option" = "true"; }; + }; + ''; + description = '' + Extra configuration to add to the client section. Configuration for rados gateways + would be added here, with their own sections, see example. + ''; + }; + }; + }; + + config = mkIf config.services.ceph.enable { + assertions = [ + { assertion = cfg.global.fsid != ""; + message = "fsid has to be set to a valid uuid for the cluster to function"; + } + { assertion = cfg.mgr.enable == true; + message = "ceph 12.x requires atleast 1 MGR daemon enabled for the cluster to function"; + } + { assertion = cfg.mon.enable == true -> cfg.mon.daemons != []; + message = "have to set id of atleast one MON if you're going to enable Monitor"; + } + { assertion = cfg.mds.enable == true -> cfg.mds.daemons != []; + message = "have to set id of atleast one MDS if you're going to enable Metadata Service"; + } + { assertion = cfg.osd.enable == true -> cfg.osd.daemons != []; + message = "have to set id of atleast one OSD if you're going to enable OSD"; + } + { assertion = cfg.mgr.enable == true -> cfg.mgr.daemons != []; + message = "have to set id of atleast one MGR if you're going to enable MGR"; + } + ]; + + warnings = optional (cfg.global.monInitialMembers == null) + ''Not setting up a list of members in monInitialMembers requires that you set the host variable for each mon daemon or else the cluster won't function''; + + environment.etc."ceph/ceph.conf".text = let + # Translate camelCaseOptions to the expected camel case option for ceph.conf + translatedGlobalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) cfg.global; + # Merge the extraConfig set for mgr daemons, as mgr don't have their own section + globalAndMgrConfig = translatedGlobalConfig // optionalAttrs cfg.mgr.enable cfg.mgr.extraConfig; + # Remove all name-value pairs with null values from the attribute set to avoid making empty sections in the ceph.conf + globalConfig = mapAttrs' (name: value: nameValuePair (translateOption name) value) (filterAttrs (name: value: value != null) globalAndMgrConfig); + totalConfig = { + "global" = globalConfig; + } // optionalAttrs (cfg.mon.enable && cfg.mon.extraConfig != {}) { "mon" = cfg.mon.extraConfig; } + // optionalAttrs (cfg.mds.enable && cfg.mds.extraConfig != {}) { "mds" = cfg.mds.extraConfig; } + // optionalAttrs (cfg.osd.enable && cfg.osd.extraConfig != {}) { "osd" = cfg.osd.extraConfig; } + // optionalAttrs (cfg.client.enable && cfg.client.extraConfig != {}) cfg.client.extraConfig; + in + generators.toINI {} totalConfig; + + users.extraUsers = singleton { + name = "ceph"; + uid = config.ids.uids.ceph; + description = "Ceph daemon user"; + }; + + users.extraGroups = singleton { + name = "ceph"; + gid = config.ids.gids.ceph; + }; + + systemd.services = let + services = [] + ++ optional cfg.mon.enable (generateDaemonList "mon" cfg.mon.daemons { RestartSec = "10"; }) + ++ optional cfg.mds.enable (generateDaemonList "mds" cfg.mds.daemons { StartLimitBurst = "3"; }) + ++ optional cfg.osd.enable (generateDaemonList "osd" cfg.osd.daemons { StartLimitBurst = "30"; RestartSec = "20s"; }) + ++ optional cfg.rgw.enable (generateDaemonList "rgw" cfg.rgw.daemons { }) + ++ optional cfg.mgr.enable (generateDaemonList "mgr" cfg.mgr.daemons { StartLimitBurst = "3"; }); + in + mkMerge services; + + systemd.targets = let + targets = [ + { "ceph" = { description = "Ceph target allowing to start/stop all ceph service instances at once"; }; } + ] ++ optional cfg.mon.enable (generateTargetFile "mon") + ++ optional cfg.mds.enable (generateTargetFile "mds") + ++ optional cfg.osd.enable (generateTargetFile "osd") + ++ optional cfg.rgw.enable (generateTargetFile "rgw") + ++ optional cfg.mgr.enable (generateTargetFile "mgr"); + in + mkMerge targets; + + systemd.tmpfiles.rules = [ + "d /run/ceph 0770 ceph ceph -" + ]; + }; +} diff --git a/nixos/modules/services/network-filesystems/xtreemfs.nix b/nixos/modules/services/network-filesystems/xtreemfs.nix index 0c6714563d8a..95d7641e8b53 100644 --- a/nixos/modules/services/network-filesystems/xtreemfs.nix +++ b/nixos/modules/services/network-filesystems/xtreemfs.nix @@ -11,7 +11,7 @@ let home = cfg.homeDir; startupScript = class: configPath: pkgs.writeScript "xtreemfs-osd.sh" '' - #! ${pkgs.stdenv.shell} + #! ${pkgs.runtimeShell} JAVA_HOME="${pkgs.jdk}" JAVADIR="${xtreemfs}/share/java" JAVA_CALL="$JAVA_HOME/bin/java -ea -cp $JAVADIR/XtreemFS.jar:$JAVADIR/BabuDB.jar:$JAVADIR/Flease.jar:$JAVADIR/protobuf-java-2.5.0.jar:$JAVADIR/Foundation.jar:$JAVADIR/jdmkrt.jar:$JAVADIR/jdmktk.jar:$JAVADIR/commons-codec-1.3.jar" diff --git a/nixos/modules/services/network-filesystems/yandex-disk.nix b/nixos/modules/services/network-filesystems/yandex-disk.nix index 4de206641331..44b0edf62018 100644 --- a/nixos/modules/services/network-filesystems/yandex-disk.nix +++ b/nixos/modules/services/network-filesystems/yandex-disk.nix @@ -99,10 +99,10 @@ in exit 1 fi - ${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${u} \ + ${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${u} \ -c '${pkgs.yandex-disk}/bin/yandex-disk token -p ${cfg.password} ${cfg.username} ${dir}/token' - ${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${u} \ + ${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${u} \ -c '${pkgs.yandex-disk}/bin/yandex-disk start --no-daemon -a ${dir}/token -d ${cfg.directory} --exclude-dirs=${cfg.excludes}' ''; diff --git a/nixos/modules/services/networking/amuled.nix b/nixos/modules/services/networking/amuled.nix index fc7d56a24fa7..9898f164c5cf 100644 --- a/nixos/modules/services/networking/amuled.nix +++ b/nixos/modules/services/networking/amuled.nix @@ -68,7 +68,7 @@ in ''; script = '' - ${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${user} \ + ${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${user} \ -c 'HOME="${cfg.dataDir}" ${pkgs.amuleDaemon}/bin/amuled' ''; }; diff --git a/nixos/modules/services/networking/dante.nix b/nixos/modules/services/networking/dante.nix index 32acce51e692..20d4faa1cdb1 100644 --- a/nixos/modules/services/networking/dante.nix +++ b/nixos/modules/services/networking/dante.nix @@ -6,6 +6,7 @@ let confFile = pkgs.writeText "dante-sockd.conf" '' user.privileged: root user.unprivileged: dante + logoutput: syslog ${cfg.config} ''; @@ -21,11 +22,10 @@ in enable = mkEnableOption "Dante SOCKS proxy"; config = mkOption { - default = null; - type = types.nullOr types.str; + type = types.lines; description = '' - Contents of Dante's configuration file - NOTE: user.privileged/user.unprivileged are set by the service + Contents of Dante's configuration file. + NOTE: user.privileged, user.unprivileged and logoutput are set by the service. ''; }; }; @@ -33,7 +33,7 @@ in config = mkIf cfg.enable { assertions = [ - { assertion = cfg.config != null; + { assertion = cfg.config != ""; message = "please provide Dante configuration file contents"; } ]; @@ -54,7 +54,8 @@ in Type = "simple"; ExecStart = "${pkgs.dante}/bin/sockd -f ${confFile}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "always"; + # Can crash sometimes; see https://github.com/NixOS/nixpkgs/pull/39005#issuecomment-381828708 + Restart = "on-failure"; }; }; }; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index 9e56545f746c..9a2e13e9553c 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -3,24 +3,24 @@ let cfg = config.services.ddclient; boolToStr = bool: if bool then "yes" else "no"; + dataDir = "/var/lib/ddclient"; configText = '' # This file can be used as a template for configFile or is automatically generated by Nix options. - daemon=${toString cfg.interval} - cache=${cfg.homeDir}/ddclient.cache - pid=/run/ddclient/ddclient.pid - foreground=NO + cache=${dataDir}/ddclient.cache + foreground=YES use=${cfg.use} login=${cfg.username} password=${cfg.password} protocol=${cfg.protocol} - ${let server = cfg.server; in - lib.optionalString (server != "") "server=${server}"} + ${lib.optionalString (cfg.script != "") "script=${cfg.script}"} + ${lib.optionalString (cfg.server != "") "server=${cfg.server}"} + ${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"} ssl=${boolToStr cfg.ssl} wildcard=YES quiet=${boolToStr cfg.quiet} verbose=${boolToStr cfg.verbose} - ${cfg.domain} + ${lib.concatStringsSep "," cfg.domains} ${cfg.extraConfig} ''; @@ -44,17 +44,11 @@ with lib; ''; }; - homeDir = mkOption { - default = "/var/lib/ddclient"; - type = str; - description = "Home directory for the daemon user."; - }; - - domain = mkOption { - default = ""; - type = str; + domains = mkOption { + default = [ "" ]; + type = listOf str; description = '' - Domain name to synchronize. + Domain name(s) to synchronize. ''; }; @@ -62,7 +56,7 @@ with lib; default = ""; type = str; description = '' - Username. + User name. ''; }; @@ -75,9 +69,12 @@ with lib; }; interval = mkOption { - default = 600; - type = int; - description = "The interval at which to run the check and update."; + default = "10min"; + type = str; + description = '' + The interval at which to run the check and update. + See <command>man 7 systemd.time</command> for the format. + ''; }; configFile = mkOption { @@ -95,7 +92,7 @@ with lib; default = "dyndns2"; type = str; description = '' - Protocol to use with dynamic DNS provider (see http://sourceforge.net/apps/trac/ddclient/wiki/Protocols). + Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols). ''; }; @@ -115,11 +112,20 @@ with lib; ''; }; - extraConfig = mkOption { + + quiet = mkOption { + default = false; + type = bool; + description = '' + Print no messages for unnecessary updates. + ''; + }; + + script = mkOption { default = ""; - type = lines; + type = str; description = '' - Extra configuration. Contents will be added verbatim to the configuration file. + script as required by some providers. ''; }; @@ -139,11 +145,19 @@ with lib; ''; }; - quiet = mkOption { - default = false; - type = bool; + zone = mkOption { + default = ""; + type = str; description = '' - Print no messages for unnecessary updates. + zone as required by some providers. + ''; + }; + + extraConfig = mkOption { + default = ""; + type = lines; + description = '' + Extra configuration. Contents will be added verbatim to the configuration file. ''; }; }; @@ -153,23 +167,8 @@ with lib; ###### implementation config = mkIf config.services.ddclient.enable { - - users = { - extraGroups.ddclient.gid = config.ids.gids.ddclient; - - extraUsers.ddclient = { - uid = config.ids.uids.ddclient; - description = "ddclient daemon user"; - group = "ddclient"; - home = cfg.homeDir; - createHome = true; - }; - }; - environment.etc."ddclient.conf" = { enable = cfg.configFile == "/etc/ddclient.conf"; - uid = config.ids.uids.ddclient; - gid = config.ids.gids.ddclient; mode = "0600"; text = configText; }; @@ -180,15 +179,22 @@ with lib; after = [ "network.target" ]; restartTriggers = [ config.environment.etc."ddclient.conf".source ]; - serviceConfig = { - RuntimeDirectory = "ddclient"; - # we cannot run in forking mode as it swallows all the program output - Type = "simple"; - User = "ddclient"; - Group = "ddclient"; - ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -foreground -file ${cfg.configFile}"; - ProtectSystem = "full"; - PrivateTmp = true; + serviceConfig = rec { + DynamicUser = true; + RuntimeDirectory = StateDirectory; + StateDirectory = builtins.baseNameOf dataDir; + Type = "oneshot"; + ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m666 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf"; + ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf"; + }; + }; + + systemd.timers.ddclient = { + description = "Run ddclient"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = cfg.interval; + OnUnitInactiveSec = cfg.interval; }; }; }; diff --git a/nixos/modules/services/networking/dhcpd.nix b/nixos/modules/services/networking/dhcpd.nix index 2eac6dfec5b7..fd7e317eee95 100644 --- a/nixos/modules/services/networking/dhcpd.nix +++ b/nixos/modules/services/networking/dhcpd.nix @@ -36,6 +36,7 @@ let preStart = '' mkdir -m 755 -p ${cfg.stateDir} + chown dhcpd:nogroup ${cfg.stateDir} touch ${cfg.stateDir}/dhcpd.leases ''; diff --git a/nixos/modules/services/networking/dnscache.nix b/nixos/modules/services/networking/dnscache.nix index 379203cd1ab6..ba5c8e2d5e53 100644 --- a/nixos/modules/services/networking/dnscache.nix +++ b/nixos/modules/services/networking/dnscache.nix @@ -9,12 +9,12 @@ let mkdir -p $out/{servers,ip} ${concatMapStrings (ip: '' - echo > "$out/ip/"${lib.escapeShellArg ip} + touch "$out/ip/"${lib.escapeShellArg ip} '') cfg.clientIps} ${concatStrings (mapAttrsToList (host: ips: '' ${concatMapStrings (ip: '' - echo ${lib.escapeShellArg ip} > "$out/servers/"${lib.escapeShellArg host} + echo ${lib.escapeShellArg ip} >> "$out/servers/"${lib.escapeShellArg host} '') ips} '') cfg.domainServers)} @@ -34,33 +34,49 @@ in { options = { services.dnscache = { + enable = mkOption { default = false; type = types.bool; - description = "Whether to run the dnscache caching dns server"; + description = "Whether to run the dnscache caching dns server."; }; ip = mkOption { default = "0.0.0.0"; type = types.str; - description = "IP address on which to listen for connections"; + description = "IP address on which to listen for connections."; }; clientIps = mkOption { default = [ "127.0.0.1" ]; type = types.listOf types.str; - description = "client IP addresses (or prefixes) from which to accept connections"; + description = "Client IP addresses (or prefixes) from which to accept connections."; example = ["192.168" "172.23.75.82"]; }; domainServers = mkOption { default = { }; type = types.attrsOf (types.listOf types.str); - description = "table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts)"; + description = '' + Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts). + If entry for @ is not specified predefined list of root servers is used. + ''; example = { - "example.com" = ["8.8.8.8" "8.8.4.4"]; + "@" = ["8.8.8.8" "8.8.4.4"]; + "example.com" = ["192.168.100.100"]; }; }; + + forwardOnly = mkOption { + default = false; + type = types.bool; + description = '' + Whether to treat root servers (for @) as caching + servers, requesting addresses the same way a client does. This is + needed if you want to use e.g. Google DNS as your upstream DNS. + ''; + }; + }; }; @@ -82,6 +98,7 @@ in { ''; script = '' cd /var/lib/dnscache/ + ${optionalString cfg.forwardOnly "export FORWARDONLY=1"} exec ./run ''; }; diff --git a/nixos/modules/services/networking/dnscrypt-proxy.xml b/nixos/modules/services/networking/dnscrypt-proxy.xml index 555c6df4d551..ff1088698589 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.xml +++ b/nixos/modules/services/networking/dnscrypt-proxy.xml @@ -19,7 +19,7 @@ <para> To enable the client proxy, set <programlisting> - services.dnscrypt-proxy.enable = true; +<xref linkend="opt-services.dnscrypt-proxy.enable"/> = true; </programlisting> </para> @@ -38,17 +38,17 @@ DNS client, change the default proxy listening port to a non-standard value and point the other client to it: <programlisting> - services.dnscrypt-proxy.localPort = 43; +<xref linkend="opt-services.dnscrypt-proxy.localPort"/> = 43; </programlisting> </para> <sect2><title>dnsmasq</title> <para> <programlisting> - { - services.dnsmasq.enable = true; - services.dnsmasq.servers = [ "127.0.0.1#43" ]; - } +{ + <xref linkend="opt-services.dnsmasq.enable"/> = true; + <xref linkend="opt-services.dnsmasq.servers"/> = [ "127.0.0.1#43" ]; +} </programlisting> </para> </sect2> @@ -56,10 +56,10 @@ <sect2><title>unbound</title> <para> <programlisting> - { - services.unbound.enable = true; - services.unbound.forwardAddresses = [ "127.0.0.1@43" ]; - } +{ + <xref linkend="opt-services.unbound.enable"/> = true; + <xref linkend="opt-services.unbound.forwardAddresses"/> = [ "127.0.0.1@43" ]; +} </programlisting> </para> </sect2> diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index bce48c8f65e5..20c0b0acf165 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -54,7 +54,7 @@ let ''; writeShScript = name: text: let dir = pkgs.writeScriptBin name '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${text} ''; in "${dir}/bin/${name}"; diff --git a/nixos/modules/services/networking/flashpolicyd.nix b/nixos/modules/services/networking/flashpolicyd.nix index 5ba85178179b..5b83ce131389 100644 --- a/nixos/modules/services/networking/flashpolicyd.nix +++ b/nixos/modules/services/networking/flashpolicyd.nix @@ -22,7 +22,7 @@ let flashpolicydWrapper = pkgs.writeScriptBin "flashpolicyd" '' - #! ${pkgs.stdenv.shell} + #! ${pkgs.runtimeShell} exec ${flashpolicyd}/Perl_xinetd/in.flashpolicyd.pl \ --file=${pkgs.writeText "flashpolixy.xml" cfg.policy} \ 2> /dev/null diff --git a/nixos/modules/services/networking/hans.nix b/nixos/modules/services/networking/hans.nix new file mode 100644 index 000000000000..dd34ef8d4ca1 --- /dev/null +++ b/nixos/modules/services/networking/hans.nix @@ -0,0 +1,145 @@ +# NixOS module for hans, ip over icmp daemon + +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.hans; + + hansUser = "hans"; + +in +{ + + ### configuration + + options = { + + services.hans = { + clients = mkOption { + default = {}; + description = '' + Each attribute of this option defines a systemd service that + runs hans. Many or none may be defined. + The name of each service is + <literal>hans-<replaceable>name</replaceable></literal> + where <replaceable>name</replaceable> is the name of the + corresponding attribute name. + ''; + example = literalExample '' + { + foo = { + server = "192.0.2.1"; + extraConfig = "-v"; + } + } + ''; + type = types.attrsOf (types.submodule ( + { + options = { + server = mkOption { + type = types.str; + default = ""; + description = "IP address of server running hans"; + example = "192.0.2.1"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Additional command line parameters"; + example = "-v"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; + }; + + }; + })); + }; + + server = { + enable = mkOption { + type = types.bool; + default = false; + description = "enable hans server"; + }; + + ip = mkOption { + type = types.str; + default = ""; + description = "The assigned ip range"; + example = "198.51.100.0"; + }; + + respondToSystemPings = mkOption { + type = types.bool; + default = false; + description = "Force hans respond to ordinary pings"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + description = "Additional command line parameters"; + example = "-v"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; + }; + }; + + }; + }; + + ### implementation + + config = mkIf (cfg.server.enable || cfg.clients != {}) { + boot.kernel.sysctl = optionalAttrs cfg.server.respondToSystemPings { + "net.ipv4.icmp_echo_ignore_all" = 1; + }; + + boot.kernelModules = [ "tun" ]; + + systemd.services = + let + createHansClientService = name: cfg: + { + description = "hans client - ${name}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.extraConfig} -c ${cfg.server} ${optionalString (cfg.passwordFile != "") "-p $(cat \"${cfg.passwordFile}\")"}"; + serviceConfig = { + RestartSec = "30s"; + Restart = "always"; + }; + }; + in + listToAttrs ( + mapAttrsToList + (name: value: nameValuePair "hans-${name}" (createHansClientService name value)) + cfg.clients + ) // { + hans = mkIf (cfg.server.enable) { + description = "hans, ip over icmp server daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + script = "${pkgs.hans}/bin/hans -f -u ${hansUser} ${cfg.server.extraConfig} -s ${cfg.server.ip} ${optionalString cfg.server.respondToSystemPings "-r"} ${optionalString (cfg.server.passwordFile != "") "-p $(cat \"${cfg.server.passwordFile}\")"}"; + }; + }; + + users.extraUsers = singleton { + name = hansUser; + description = "Hans daemon user"; + }; + }; + + meta.maintainers = with maintainers; [ gnidorah ]; +} diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix index 512dbd77ae4b..3f41421d27f7 100644 --- a/nixos/modules/services/networking/iodine.nix +++ b/nixos/modules/services/networking/iodine.nix @@ -32,7 +32,7 @@ in foo = { server = "tunnel.mdomain.com"; relay = "8.8.8.8"; - extraConfig = "-P mysecurepassword"; + extraConfig = "-v"; } } ''; @@ -57,7 +57,13 @@ in type = types.str; default = ""; description = "Additional command line parameters"; - example = "-P mysecurepassword -l 192.168.1.10 -p 23"; + example = "-l 192.168.1.10 -p 23"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; }; }; })); @@ -88,7 +94,13 @@ in type = types.str; default = ""; description = "Additional command line parameters"; - example = "-P mysecurepassword -l 192.168.1.10 -p 23"; + example = "-l 192.168.1.10 -p 23"; + }; + + passwordFile = mkOption { + type = types.str; + default = ""; + description = "File that containts password"; }; }; @@ -108,10 +120,10 @@ in description = "iodine client - ${name}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + script = "${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.relay} ${cfg.server}"; serviceConfig = { RestartSec = "30s"; Restart = "always"; - ExecStart = "${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.relay} ${cfg.server}"; }; }; in @@ -124,7 +136,7 @@ in description = "iodine, ip over dns server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${cfg.server.ip} ${cfg.server.domain}"; + script = "${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "-P $(cat \"${cfg.server.passwordFile}\")"} ${cfg.server.ip} ${cfg.server.domain}"; }; }; diff --git a/nixos/modules/services/networking/iwd.nix b/nixos/modules/services/networking/iwd.nix index 23787bce9911..344212ad8329 100644 --- a/nixos/modules/services/networking/iwd.nix +++ b/nixos/modules/services/networking/iwd.nix @@ -26,7 +26,7 @@ in { wants = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = "${pkgs.iwd}/bin/iwd"; + serviceConfig.ExecStart = "${pkgs.iwd}/libexec/iwd"; }; }; diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 13d7c3254f9d..873d62dbf341 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -80,7 +80,7 @@ in pidfile = mkOption { type = types.path; - default = "/tmp/murmurd.pid"; + default = "/run/murmur/murmurd.pid"; description = "Path to PID file for Murmur daemon."; }; @@ -252,6 +252,7 @@ in serviceConfig = { Type = "forking"; + RuntimeDirectory = "murmur"; PIDFile = cfg.pidfile; Restart = "always"; User = "murmur"; diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index e9a035d17d38..10e96eb40362 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -135,8 +135,7 @@ in { default = { inherit networkmanager modemmanager wpa_supplicant networkmanager-openvpn networkmanager-vpnc networkmanager-openconnect networkmanager-fortisslvpn - networkmanager-pptp networkmanager-l2tp - networkmanager-iodine; }; + networkmanager-l2tp networkmanager-iodine; }; internal = true; }; @@ -267,8 +266,6 @@ in { message = "You can not use networking.networkmanager with networking.wireless"; }]; - boot.kernelModules = [ "ppp_mppe" ]; # Needed for most (all?) PPTP VPN connections. - environment.etc = with cfg.basePackages; [ { source = configFile; target = "NetworkManager/NetworkManager.conf"; @@ -285,9 +282,6 @@ in { { source = "${networkmanager-fortisslvpn}/etc/NetworkManager/VPN/nm-fortisslvpn-service.name"; target = "NetworkManager/VPN/nm-fortisslvpn-service.name"; } - { source = "${networkmanager-pptp}/etc/NetworkManager/VPN/nm-pptp-service.name"; - target = "NetworkManager/VPN/nm-pptp-service.name"; - } { source = "${networkmanager-l2tp}/etc/NetworkManager/VPN/nm-l2tp-service.name"; target = "NetworkManager/VPN/nm-l2tp-service.name"; } @@ -335,6 +329,7 @@ in { preStart = '' mkdir -m 700 -p /etc/NetworkManager/system-connections + mkdir -m 700 -p /etc/ipsec.d mkdir -m 755 -p ${stateDirs} ''; }; diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index 56b942054140..ad7c013a5449 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -116,7 +116,7 @@ in include "${cfg.rulesetFile}" ''; checkScript = pkgs.writeScript "nftables-check" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e if $(${pkgs.kmod}/bin/lsmod | grep -q ip_tables); then echo "Unload ip_tables before using nftables!" 1>&2 exit 1 diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix index 3e865e3b76a8..8499e7c0f7c4 100644 --- a/nixos/modules/services/networking/nix-serve.nix +++ b/nixos/modules/services/networking/nix-serve.nix @@ -55,6 +55,8 @@ in environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; serviceConfig = { + Restart = "always"; + RestartSec = "5s"; ExecStart = "${pkgs.nix-serve}/bin/nix-serve " + "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}"; User = "nix-serve"; diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix index 4241e6fcceab..0b52b1d3e302 100644 --- a/nixos/modules/services/networking/nsd.nix +++ b/nixos/modules/services/networking/nsd.nix @@ -250,6 +250,46 @@ let Use imports or pkgs.lib.readFile if you don't want this data in your config file. ''; }; + + dnssec = mkEnableOption "DNSSEC"; + + dnssecPolicy = { + algorithm = mkOption { + type = types.str; + default = "RSASHA256"; + description = "Which algorithm to use for DNSSEC"; + }; + keyttl = mkOption { + type = types.str; + default = "1h"; + description = "TTL for dnssec records"; + }; + coverage = mkOption { + type = types.str; + default = "1y"; + description = '' + The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. + ''; + }; + zsk = mkOption { + type = keyPolicy; + default = { keySize = 2048; + prePublish = "1w"; + postPublish = "1w"; + rollPeriod = "1mo"; + }; + description = "Key policy for zone signing keys"; + }; + ksk = mkOption { + type = keyPolicy; + default = { keySize = 4096; + prePublish = "1mo"; + postPublish = "1mo"; + rollPeriod = "0"; + }; + description = "Key policy for key signing keys"; + }; + }; maxRefreshSecs = mkOption { type = types.nullOr types.int; @@ -367,10 +407,61 @@ let and stats_noreset. ''; }; + }; + }; + keyPolicy = types.submodule { + options = { + keySize = mkOption { + type = types.int; + description = "Key size in bits"; + }; + prePublish = mkOption { + type = types.str; + description = "How long in advance to publish new keys"; + }; + postPublish = mkOption { + type = types.str; + description = "How long after deactivation to keep a key in the zone"; + }; + rollPeriod = mkOption { + type = types.str; + description = "How frequently to change keys"; + }; }; }; + dnssecZones = (filterAttrs (n: v: if v ? dnssec then v.dnssec else false) zoneConfigs); + + dnssec = length (attrNames dnssecZones) != 0; + + signZones = optionalString dnssec '' + mkdir -p ${stateDir}/dnssec + chown ${username}:${username} ${stateDir}/dnssec + chmod 0600 ${stateDir}/dnssec + + ${concatStrings (mapAttrsToList signZone dnssecZones)} + ''; + signZone = name: zone: '' + ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name} + ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name} + ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name} + ''; + policyFile = name: policy: pkgs.writeText "${name}.policy" '' + zone ${name} { + algorithm ${policy.algorithm}; + key-size zsk ${toString policy.zsk.keySize}; + key-size ksk ${toString policy.ksk.keySize}; + keyttl ${policy.keyttl}; + pre-publish zsk ${policy.zsk.prePublish}; + pre-publish ksk ${policy.ksk.prePublish}; + post-publish zsk ${policy.zsk.postPublish}; + post-publish ksk ${policy.ksk.postPublish}; + roll-period zsk ${policy.zsk.rollPeriod}; + roll-period ksk ${policy.ksk.rollPeriod}; + coverage ${policy.coverage}; + }; + ''; in { # options are ordered alphanumerically @@ -380,6 +471,14 @@ in bind8Stats = mkEnableOption "BIND8 like statistics"; + dnssecInterval = mkOption { + type = types.str; + default = "1h"; + description = '' + How often to check whether dnssec key rollover is required + ''; + }; + extraConfig = mkOption { type = types.str; default = ""; @@ -741,7 +840,6 @@ in }; - zones = mkOption { type = types.attrsOf zoneOptions; default = {}; @@ -785,7 +883,6 @@ in serverGroup1. ''; }; - }; config = mkIf cfg.enable { @@ -832,9 +929,9 @@ in mkdir -m 0700 -p "${stateDir}/var" cat > "${stateDir}/don't touch anything in here" << EOF - Everything in this directory except NSD's state in var is - automatically generated and will be purged and redeployed - by the nsd.service pre-start script. + Everything in this directory except NSD's state in var and dnssec + is automatically generated and will be purged and redeployed by + the nsd.service pre-start script. EOF chown ${username}:${username} -R "${stateDir}/private" @@ -848,6 +945,34 @@ in ''; }; + nixpkgs.config = mkIf dnssec { + bind.enablePython = true; + }; + + systemd.timers."nsd-dnssec" = mkIf dnssec { + description = "Automatic DNSSEC key rollover"; + + wantedBy = [ "nsd.service" ]; + + timerConfig = { + OnActiveSec = cfg.dnssecInterval; + OnUnitActiveSec = cfg.dnssecInterval; + }; + }; + + systemd.services."nsd-dnssec" = mkIf dnssec { + description = "DNSSEC key rollover"; + + wantedBy = [ "nsd.service" ]; + before = [ "nsd.service" ]; + + script = signZones; + + postStop = '' + ${pkgs.systemd}/bin/systemctl kill -s SIGHUP nsd.service + ''; + }; + }; meta.maintainers = with lib.maintainers; [ hrdinka ]; diff --git a/nixos/modules/services/networking/openvpn.nix b/nixos/modules/services/networking/openvpn.nix index 7a96b673c51e..a418839d22b8 100644 --- a/nixos/modules/services/networking/openvpn.nix +++ b/nixos/modules/services/networking/openvpn.nix @@ -65,7 +65,7 @@ let path = [ pkgs.iptables pkgs.iproute pkgs.nettools ]; - serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --config ${configFile}"; + serviceConfig.ExecStart = "@${openvpn}/sbin/openvpn openvpn --suppress-timestamps --config ${configFile}"; serviceConfig.Restart = "always"; serviceConfig.Type = "notify"; }; diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 9d7e6d6018af..1b4f81f6b56e 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -15,6 +15,7 @@ let description = "Path to the key file."; }; + # TODO: rename to certificate to match the prosody config cert = mkOption { type = types.path; description = "Path to the certificate file."; @@ -30,7 +31,7 @@ let }; moduleOpts = { - + # Generally required roster = mkOption { type = types.bool; default = true; @@ -61,12 +62,38 @@ let description = "Service discovery"; }; - legacyauth = mkOption { + # Not essential, but recommended + carbons = mkOption { type = types.bool; default = true; - description = "Legacy authentication. Only used by some old clients and bots"; + description = "Keep multiple clients in sync"; + }; + + pep = mkOption { + type = types.bool; + default = true; + description = "Enables users to publish their mood, activity, playing music and more"; + }; + + private = mkOption { + type = types.bool; + default = true; + description = "Private XML storage (for room bookmarks, etc.)"; + }; + + blocklist = mkOption { + type = types.bool; + default = true; + description = "Allow users to block communications with other users"; }; + vcard = mkOption { + type = types.bool; + default = true; + description = "Allow users to set vCards"; + }; + + # Nice to have version = mkOption { type = types.bool; default = true; @@ -91,36 +118,112 @@ let description = "Replies to XMPP pings with pongs"; }; - console = mkOption { + register = mkOption { + type = types.bool; + default = true; + description = "Allow users to register on this server using a client and change passwords"; + }; + + mam = mkOption { type = types.bool; default = false; - description = "telnet to port 5582"; + description = "Store messages in an archive and allow users to access it"; }; + # Admin interfaces + admin_adhoc = mkOption { + type = types.bool; + default = true; + description = "Allows administration via an XMPP client that supports ad-hoc commands"; + }; + + admin_telnet = mkOption { + type = types.bool; + default = false; + description = "Opens telnet console interface on localhost port 5582"; + }; + + # HTTP modules bosh = mkOption { type = types.bool; default = false; description = "Enable BOSH clients, aka 'Jabber over HTTP'"; }; - httpserver = mkOption { + websocket = mkOption { + type = types.bool; + default = false; + description = "Enable WebSocket support"; + }; + + http_files = mkOption { type = types.bool; default = false; description = "Serve static files from a directory over HTTP"; }; - websocket = mkOption { + # Other specific functionality + limits = mkOption { type = types.bool; default = false; - description = "Enable WebSocket support"; + description = "Enable bandwidth limiting for XMPP connections"; + }; + + groups = mkOption { + type = types.bool; + default = false; + description = "Shared roster support"; + }; + + server_contact_info = mkOption { + type = types.bool; + default = false; + description = "Publish contact information for this service"; + }; + + announce = mkOption { + type = types.bool; + default = false; + description = "Send announcement to all online users"; + }; + + welcome = mkOption { + type = types.bool; + default = false; + description = "Welcome users who register accounts"; + }; + + watchregistrations = mkOption { + type = types.bool; + default = false; + description = "Alert admins of registrations"; + }; + + motd = mkOption { + type = types.bool; + default = false; + description = "Send a message to users when they log in"; + }; + + legacyauth = mkOption { + type = types.bool; + default = false; + description = "Legacy authentication. Only used by some old clients and bots"; + }; + + proxy65 = mkOption { + type = types.bool; + default = false; + description = "Enables a file transfer proxy service which clients behind NAT can use"; }; }; toLua = x: if builtins.isString x then ''"${x}"'' - else if builtins.isBool x then toString x + else if builtins.isBool x then (if x == true then "true" else "false") else if builtins.isInt x then toString x + else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }'' else throw "Invalid Lua value"; createSSLOptsStr = o: '' @@ -192,12 +295,83 @@ in ''; }; + dataDir = mkOption { + type = types.string; + description = "Directory where Prosody stores its data"; + default = "/var/lib/prosody"; + }; + + user = mkOption { + type = types.str; + default = "prosody"; + description = "User account under which prosody runs."; + }; + + group = mkOption { + type = types.str; + default = "prosody"; + description = "Group account under which prosody runs."; + }; + allowRegistration = mkOption { type = types.bool; default = false; description = "Allow account creation"; }; + c2sRequireEncryption = mkOption { + type = types.bool; + default = true; + description = '' + Force clients to use encrypted connections? This option will + prevent clients from authenticating unless they are using encryption. + ''; + }; + + s2sRequireEncryption = mkOption { + type = types.bool; + default = true; + description = '' + Force servers to use encrypted connections? This option will + prevent servers from authenticating unless they are using encryption. + Note that this is different from authentication. + ''; + }; + + s2sSecureAuth = mkOption { + type = types.bool; + default = false; + description = '' + Force certificate authentication for server-to-server connections? + This provides ideal security, but requires servers you communicate + with to support encryption AND present valid, trusted certificates. + For more information see https://prosody.im/doc/s2s#security + ''; + }; + + s2sInsecureDomains = mkOption { + type = types.listOf types.str; + default = []; + example = [ "insecure.example.com" ]; + description = '' + Some servers have invalid or self-signed certificates. You can list + remote domains here that will not be required to authenticate using + certificates. They will be authenticated using DNS instead, even + when s2s_secure_auth is enabled. + ''; + }; + + s2sSecureDomains = mkOption { + type = types.listOf types.str; + default = []; + example = [ "jabber.org" ]; + description = '' + Even if you leave s2s_secure_auth disabled, you can still require valid + certificates for some domains by specifying a list here. + ''; + }; + + modules = moduleOpts; extraModules = mkOption { @@ -206,6 +380,12 @@ in description = "Enable custom modules"; }; + extraPluginPaths = mkOption { + type = types.listOf types.path; + default = []; + description = "Addtional path in which to look find plugins/modules"; + }; + virtualHosts = mkOption { description = "Define the virtual hosts"; @@ -255,37 +435,47 @@ in config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.prosody ]; + environment.systemPackages = [ cfg.package ]; environment.etc."prosody/prosody.cfg.lua".text = '' - pidfile = "/var/lib/prosody/prosody.pid" - + pidfile = "/run/prosody/prosody.pid" log = "*syslog" - data_path = "/var/lib/prosody" - - allow_registration = ${boolToString cfg.allowRegistration}; - - ${ optionalString cfg.modules.console "console_enabled = true;" } + data_path = "${cfg.dataDir}" + plugin_paths = { + ${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.extraPluginPaths) } + } ${ optionalString (cfg.ssl != null) (createSSLOptsStr cfg.ssl) } - admins = { ${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.admins) } }; + admins = ${toLua cfg.admins} + + -- we already build with libevent, so we can just enable it for a more performant server + use_libevent = true modules_enabled = { ${ lib.concatStringsSep "\n\ \ " (lib.mapAttrsToList - (name: val: optionalString val ''"${name}";'') + (name: val: optionalString val "${toLua name};") cfg.modules) } + ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.package.communityModules)} + ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.extraModules)} + }; - ${ optionalString cfg.allowRegistration "\"register\"\;" } + allow_registration = ${toLua cfg.allowRegistration} - ${ lib.concatStringsSep "\n" (map (x: "\"${x}\";") cfg.extraModules)} + c2s_require_encryption = ${toLua cfg.c2sRequireEncryption} + + s2s_require_encryption = ${toLua cfg.s2sRequireEncryption} + + s2s_secure_auth = ${toLua cfg.s2sSecureAuth} + + s2s_insecure_domains = ${toLua cfg.s2sInsecureDomains} + + s2s_secure_domains = ${toLua cfg.s2sSecureDomains} - "posix"; - }; ${ cfg.extraConfig } @@ -297,15 +487,15 @@ in '') cfg.virtualHosts) } ''; - users.extraUsers.prosody = { + users.extraUsers.prosody = mkIf (cfg.user == "prosody") { uid = config.ids.uids.prosody; description = "Prosody user"; createHome = true; - group = "prosody"; - home = "/var/lib/prosody"; + inherit (cfg) group; + home = "${cfg.dataDir}"; }; - users.extraGroups.prosody = { + users.extraGroups.prosody = mkIf (cfg.group == "prosody") { gid = config.ids.gids.prosody; }; @@ -316,9 +506,11 @@ in wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ]; serviceConfig = { - User = "prosody"; + User = cfg.user; + Group = cfg.group; Type = "forking"; - PIDFile = "/var/lib/prosody/prosody.pid"; + RuntimeDirectory = [ "prosody" ]; + PIDFile = "/run/prosody/prosody.pid"; ExecStart = "${cfg.package}/bin/prosodyctl start"; }; }; diff --git a/nixos/modules/services/networking/quagga.nix b/nixos/modules/services/networking/quagga.nix index aab58cc77b90..22204e53203c 100644 --- a/nixos/modules/services/networking/quagga.nix +++ b/nixos/modules/services/networking/quagga.nix @@ -133,7 +133,7 @@ in users.groups = { quagga = {}; # Members of the quaggavty group can use vtysh to inspect the Quagga daemons - quaggavty = {}; + quaggavty = { members = [ "quagga" ]; }; }; systemd.services = diff --git a/nixos/modules/services/networking/rdnssd.nix b/nixos/modules/services/networking/rdnssd.nix index 95833d31e99d..a102242eae71 100644 --- a/nixos/modules/services/networking/rdnssd.nix +++ b/nixos/modules/services/networking/rdnssd.nix @@ -6,7 +6,7 @@ with lib; let mergeHook = pkgs.writeScript "rdnssd-merge-hook" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${pkgs.openresolv}/bin/resolvconf -u ''; in diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix index d1c4101f80bd..2956a5ecbc04 100644 --- a/nixos/modules/services/networking/resilio.nix +++ b/nixos/modules/services/networking/resilio.nix @@ -50,12 +50,7 @@ in description = '' If enabled, start the Resilio Sync daemon. Once enabled, you can interact with the service through the Web UI, or configure it in your - NixOS configuration. Enabling the <literal>resilio</literal> service - also installs a systemd user unit which can be used to start - user-specific copies of the daemon. Once installed, you can use - <literal>systemctl --user start resilio</literal> as your user to start - the daemon using the configuration file located at - <literal>$HOME/.config/resilio-sync/config.json</literal>. + NixOS configuration. ''; }; diff --git a/nixos/modules/services/networking/shadowsocks.nix b/nixos/modules/services/networking/shadowsocks.nix new file mode 100644 index 000000000000..fe6d65a5f963 --- /dev/null +++ b/nixos/modules/services/networking/shadowsocks.nix @@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.shadowsocks; + + opts = { + server = cfg.localAddress; + server_port = cfg.port; + method = cfg.encryptionMethod; + mode = cfg.mode; + user = "nobody"; + fast_open = true; + } // optionalAttrs (cfg.password != null) { password = cfg.password; }; + + configFile = pkgs.writeText "shadowsocks.json" (builtins.toJSON opts); + +in + +{ + + ###### interface + + options = { + + services.shadowsocks = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to run shadowsocks-libev shadowsocks server. + ''; + }; + + localAddress = mkOption { + type = types.str; + default = "0.0.0.0"; + description = '' + Local address to which the server binds. + ''; + }; + + port = mkOption { + type = types.int; + default = 8388; + description = '' + Port which the server uses. + ''; + }; + + password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password for connecting clients. + ''; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Password file with a password for connecting clients. + ''; + }; + + mode = mkOption { + type = types.enum [ "tcp_only" "tcp_and_udp" "udp_only" ]; + default = "tcp_and_udp"; + description = '' + Relay protocols. + ''; + }; + + encryptionMethod = mkOption { + type = types.str; + default = "chacha20-ietf-poly1305"; + description = '' + Encryption method. See <link xlink:href="https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers"/>. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + assertions = singleton + { assertion = cfg.password == null || cfg.passwordFile == null; + message = "Cannot use both password and passwordFile for shadowsocks-libev"; + }; + + systemd.services.shadowsocks-libev = { + description = "shadowsocks-libev Daemon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.shadowsocks-libev ] ++ optional (cfg.passwordFile != null) pkgs.jq; + serviceConfig.PrivateTmp = true; + script = '' + ${optionalString (cfg.passwordFile != null) '' + cat ${configFile} | jq --arg password "$(cat "${cfg.passwordFile}")" '. + { password: $password }' > /tmp/shadowsocks.json + ''} + exec ss-server -c ${if cfg.passwordFile != null then "/tmp/shadowsocks.json" else configFile} + ''; + }; + }; +} diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index e50c4dbacf36..aab1203086ce 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -213,6 +213,65 @@ in description = "Files from which authorized keys are read."; }; + kexAlgorithms = mkOption { + type = types.listOf types.str; + default = [ + "curve25519-sha256@libssh.org" + "diffie-hellman-group-exchange-sha256" + ]; + description = '' + Allowed key exchange algorithms + </para> + <para> + Defaults to recommended settings from both + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> + and + <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" /> + ''; + }; + + ciphers = mkOption { + type = types.listOf types.str; + default = [ + "chacha20-poly1305@openssh.com" + "aes256-gcm@openssh.com" + "aes128-gcm@openssh.com" + "aes256-ctr" + "aes192-ctr" + "aes128-ctr" + ]; + description = '' + Allowed ciphers + </para> + <para> + Defaults to recommended settings from both + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> + and + <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" /> + ''; + }; + + macs = mkOption { + type = types.listOf types.str; + default = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + "hmac-sha2-512" + "hmac-sha2-256" + "umac-128@openssh.com" + ]; + description = '' + Allowed MACs + </para> + <para> + Defaults to recommended settings from both + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" /> + and + <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" /> + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -363,14 +422,9 @@ in HostKey ${k.path} '')} - ### Recommended settings from both: - # https://stribika.github.io/2015/01/04/secure-secure-shell.html - # and - # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29 - - KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms} + Ciphers ${concatStringsSep "," cfg.ciphers} + MACs ${concatStringsSep "," cfg.macs} # LogLevel VERBOSE logs user's key fingerprint on login. # Needed to have a clear audit track of which key was used to log in. diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix new file mode 100644 index 000000000000..d770094960b2 --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix @@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: + +with lib; +with (import ./param-lib.nix lib); + +let + cfg = config.services.strongswan-swanctl; + swanctlParams = import ./swanctl-params.nix lib; +in { + options.services.strongswan-swanctl = { + enable = mkEnableOption "strongswan-swanctl service"; + + package = mkOption { + type = types.package; + default = pkgs.strongswan; + defaultText = "pkgs.strongswan"; + description = '' + The strongswan derivation to use. + ''; + }; + + strongswan.extraConfig = mkOption { + type = types.str; + default = ""; + description = '' + Contents of the <literal>strongswan.conf</literal> file. + ''; + }; + + swanctl = paramsToOptions swanctlParams; + }; + + config = mkIf cfg.enable { + + assertions = [ + { assertion = !config.services.strongswan.enable; + message = "cannot enable both services.strongswan and services.strongswan-swanctl. Choose either one."; + } + ]; + + environment.etc."swanctl/swanctl.conf".text = + paramsToConf cfg.swanctl swanctlParams; + + # The swanctl command complains when the following directories don't exist: + # See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory + system.activationScripts.strongswan-swanctl-etc = stringAfter ["etc"] '' + mkdir -p '/etc/swanctl/x509' # Trusted X.509 end entity certificates + mkdir -p '/etc/swanctl/x509ca' # Trusted X.509 Certificate Authority certificates + mkdir -p '/etc/swanctl/x509ocsp' + mkdir -p '/etc/swanctl/x509aa' # Trusted X.509 Attribute Authority certificates + mkdir -p '/etc/swanctl/x509ac' # Attribute Certificates + mkdir -p '/etc/swanctl/x509crl' # Certificate Revocation Lists + mkdir -p '/etc/swanctl/pubkey' # Raw public keys + mkdir -p '/etc/swanctl/private' # Private keys in any format + mkdir -p '/etc/swanctl/rsa' # PKCS#1 encoded RSA private keys + mkdir -p '/etc/swanctl/ecdsa' # Plain ECDSA private keys + mkdir -p '/etc/swanctl/bliss' + mkdir -p '/etc/swanctl/pkcs8' # PKCS#8 encoded private keys of any type + mkdir -p '/etc/swanctl/pkcs12' # PKCS#12 containers + ''; + + systemd.services.strongswan-swanctl = { + description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" "keys.target" ]; + wants = [ "keys.target" ]; + path = with pkgs; [ kmod iproute iptables utillinux ]; + environment.STRONGSWAN_CONF = pkgs.writeTextFile { + name = "strongswan.conf"; + text = cfg.strongswan.extraConfig; + }; + restartTriggers = [ config.environment.etc."swanctl/swanctl.conf".source ]; + serviceConfig = { + ExecStart = "${cfg.package}/sbin/charon-systemd"; + Type = "notify"; + ExecStartPost = "${cfg.package}/sbin/swanctl --load-all --noprompt"; + ExecReload = "${cfg.package}/sbin/swanctl --reload"; + Restart = "on-abnormal"; + }; + }; + }; +} diff --git a/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix new file mode 100644 index 000000000000..5e74a96664f0 --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/param-constructors.nix @@ -0,0 +1,162 @@ +# In the following context a parameter is an attribute set that +# contains a NixOS option and a render function. It also contains the +# attribute: '_type = "param"' so we can distinguish it from other +# sets. +# +# The render function is used to convert the value of the option to a +# snippet of strongswan.conf. Most parameters simply render their +# value to a string. For example, take the following parameter: +# +# threads = mkIntParam 10 "Threads to use for request handling."; +# +# When a users defines the corresponding option as for example: +# +# services.strongswan-swanctl.strongswan.threads = 32; +# +# It will get rendered to the following snippet in strongswan.conf: +# +# threads = 32 +# +# Some parameters however need to be able to change the attribute +# name. For example, take the following parameter: +# +# id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") "..."; +# +# A user can define the corresponding option as for example: +# +# id = { +# "foo" = "bar"; +# "baz" = "qux"; +# }; +# +# This will get rendered to the following snippet: +# +# foo-id = bar +# baz-id = qux +# +# For this reason the render function is not simply a function from +# value -> string but a function from a value to an attribute set: +# { "${name}" = string }. This allows parameters to change the attribute +# name like in the previous example. + +lib : + +with lib; +with (import ./param-lib.nix lib); + +rec { + mkParamOfType = type : strongswanDefault : description : { + _type = "param"; + option = mkOption { + type = types.nullOr type; + default = null; + description = documentDefault description strongswanDefault; + }; + render = single toString; + }; + + documentDefault = description : strongswanDefault : + if isNull strongswanDefault + then description + else description + '' + </para><para> + StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal> + ''; + + single = f: name: value: { "${name}" = f value; }; + + mkStrParam = mkParamOfType types.str; + mkOptionalStrParam = mkStrParam null; + + mkEnumParam = values : mkParamOfType (types.enum values); + + mkIntParam = mkParamOfType types.int; + mkOptionalIntParam = mkIntParam null; + + # We should have floats in Nix... + mkFloatParam = mkStrParam; + + # TODO: Check for hex format: + mkHexParam = mkStrParam; + mkOptionalHexParam = mkOptionalStrParam; + + # TODO: Check for duration format: + mkDurationParam = mkStrParam; + mkOptionalDurationParam = mkOptionalStrParam; + + mkYesNoParam = strongswanDefault : description : { + _type = "param"; + option = mkOption { + type = types.nullOr types.bool; + default = null; + description = documentDefault description strongswanDefault; + }; + render = single (b: if b then "yes" else "no"); + }; + yes = true; + no = false; + + mkSpaceSepListParam = mkSepListParam " "; + mkCommaSepListParam = mkSepListParam ","; + + mkSepListParam = sep : strongswanDefault : description : { + _type = "param"; + option = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + description = documentDefault description strongswanDefault; + }; + render = single (value: concatStringsSep sep value); + }; + + mkAttrsOfParams = params : + mkAttrsOf params (types.submodule {options = paramsToOptions params;}); + + mkAttrsOfParam = param : + mkAttrsOf param param.option.type; + + mkAttrsOf = param : option : description : { + _type = "param"; + option = mkOption { + type = types.attrsOf option; + default = {}; + inherit description; + }; + render = single (attrs: + (paramsToRenderedStrings attrs + (mapAttrs (_n: _v: param) attrs))); + }; + + mkPrefixedAttrsOfParams = params : + mkPrefixedAttrsOf params (types.submodule {options = paramsToOptions params;}); + + mkPrefixedAttrsOfParam = param : + mkPrefixedAttrsOf param param.option.type; + + mkPrefixedAttrsOf = p : option : description : { + _type = "param"; + option = mkOption { + type = types.attrsOf option; + default = {}; + inherit description; + }; + render = prefix: attrs: + let prefixedAttrs = mapAttrs' (name: nameValuePair "${prefix}-${name}") attrs; + in paramsToRenderedStrings prefixedAttrs + (mapAttrs (_n: _v: p) prefixedAttrs); + }; + + mkPostfixedAttrsOfParams = params : description : { + _type = "param"; + option = mkOption { + type = types.attrsOf (types.submodule {options = paramsToOptions params;}); + default = {}; + inherit description; + }; + render = postfix: attrs: + let postfixedAttrs = mapAttrs' (name: nameValuePair "${name}-${postfix}") attrs; + in paramsToRenderedStrings postfixedAttrs + (mapAttrs (_n: _v: params) postfixedAttrs); + }; + +} diff --git a/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix b/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix new file mode 100644 index 000000000000..fb87e81f3215 --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/param-lib.nix @@ -0,0 +1,82 @@ +lib : + +with lib; + +rec { + paramsToConf = cfg : ps : mkConf 0 (paramsToRenderedStrings cfg ps); + + # mkConf takes an indentation level (which usually starts at 0) and a nested + # attribute set of strings and will render that set to a strongswan.conf style + # configuration format. For example: + # + # mkConf 0 {a = "1"; b = { c = { "foo" = "2"; "bar" = "3"; }; d = "4";};} => '' + # a = 1 + # b { + # c { + # foo = 2 + # bar = 3 + # } + # d = 4 + # }'' + mkConf = indent : ps : + concatMapStringsSep "\n" + (name: + let value = ps."${name}"; + indentation = replicate indent " "; + in + indentation + ( + if isAttrs value + then "${name} {\n" + + mkConf (indent + 2) value + "\n" + + indentation + "}" + else "${name} = ${value}" + ) + ) + (attrNames ps); + + replicate = n : c : concatStrings (builtins.genList (_x : c) n); + + # `paramsToRenderedStrings cfg ps` converts the NixOS configuration `cfg` + # (typically the "config" argument of a NixOS module) and the set of + # parameters `ps` (an attribute set where the values are constructed using the + # parameter constructors in ./param-constructors.nix) to a nested attribute + # set of strings (rendered parameters). + paramsToRenderedStrings = cfg : ps : + filterEmptySets ( + (mapParamsRecursive (path: name: param: + let value = attrByPath path null cfg; + in optionalAttrs (!isNull value) (param.render name value) + ) ps)); + + filterEmptySets = set : filterAttrs (n: v: !(isNull v)) (mapAttrs (name: value: + if isAttrs value + then let value' = filterEmptySets value; + in if value' == {} + then null + else value' + else value + ) set); + + # Recursively map over every parameter in the given attribute set. + mapParamsRecursive = mapAttrsRecursiveCond' (as: (!(as ? "_type" && as._type == "param"))); + + mapAttrsRecursiveCond' = cond: f: set: + let + recurse = path: set: + let + g = + name: value: + if isAttrs value && cond value + then { "${name}" = recurse (path ++ [name]) value; } + else f (path ++ [name]) name value; + in mapAttrs'' g set; + in recurse [] set; + + mapAttrs'' = f: set: + foldl' (a: b: a // b) {} (map (attr: f attr set.${attr}) (attrNames set)); + + # Extract the options from the given set of parameters. + paramsToOptions = ps : + mapParamsRecursive (_path: name: param: { "${name}" = param.option; }) ps; + +} diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix new file mode 100644 index 000000000000..ad211f41eef0 --- /dev/null +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -0,0 +1,1168 @@ +# See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf +# +# When strongSwan is upgraded please update the parameters in this file. You can +# see which parameters should be deleted, changed or added by diffing +# swanctl.opt: +# +# git clone https://github.com/strongswan/strongswan.git +# cd strongswan +# git diff 5.5.3..5.6.0 src/swanctl/swanctl.opt + +lib: with (import ./param-constructors.nix lib); + +let + certParams = { + file = mkOptionalStrParam '' + Absolute path to the certificate to load. Passed as-is to the daemon, so + it must be readable by it. + </para><para> + Configure either this or <option>handle</option>, but not both, in one section. + ''; + + handle = mkOptionalHexParam '' + Hex-encoded CKA_ID or handle of the certificate on a token or TPM, + respectively. + </para><para> + Configure either this or <option>file</option>, but not both, in one section. + ''; + + slot = mkOptionalIntParam '' + Optional slot number of the token that stores the certificate. + ''; + + module = mkOptionalStrParam '' + Optional PKCS#11 module name. + ''; + }; +in { + authorities = mkAttrsOfParams ({ + + cacert = mkOptionalStrParam '' + The certificates may use a relative path from the swanctl + <literal>x509ca</literal> directory or an absolute path. + </para><para> + Configure one of <option>cacert</option>, + <option>file</option>, or + <option>handle</option> per section. + ''; + + cert_uri_base = mkOptionalStrParam '' + Defines the base URI for the Hash and URL feature supported by + IKEv2. Instead of exchanging complete certificates, IKEv2 allows one to + send an URI that resolves to the DER encoded certificate. The certificate + URIs are built by appending the SHA1 hash of the DER encoded certificates + to this base URI. + ''; + + crl_uris = mkCommaSepListParam [] '' + List of CRL distribution points (ldap, http, or file URI). + ''; + + ocsp_uris = mkCommaSepListParam [] '' + List of OCSP URIs. + ''; + + } // certParams) '' + Section defining complementary attributes of certification authorities, each + in its own subsection with an arbitrary yet unique name + ''; + + connections = mkAttrsOfParams { + + version = mkIntParam 0 '' + IKE major version to use for connection. + <itemizedlist> + <listitem><para>1 uses IKEv1 aka ISAKMP,</para></listitem> + <listitem><para>2 uses IKEv2.</para></listitem> + <listitem><para>A connection using the default of 0 accepts both IKEv1 and IKEv2 as + responder, and initiates the connection actively with IKEv2.</para></listitem> + </itemizedlist> + ''; + + local_addrs = mkCommaSepListParam [] '' + Local address(es) to use for IKE communication. Takes + single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. + </para><para> + As initiator, the first non-range/non-subnet is used to initiate the + connection from. As responder, the local destination address must match at + least to one of the specified addresses, subnets or ranges. + </para><para> + If FQDNs are assigned they are resolved every time a configuration lookup + is done. If DNS resolution times out, the lookup is delayed for that time. + ''; + + remote_addrs = mkCommaSepListParam [] '' + Remote address(es) to use for IKE communication. Takes + single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges. + </para><para> + As initiator, the first non-range/non-subnet is used to initiate the + connection to. As responder, the initiator source address must match at + least to one of the specified addresses, subnets or ranges. + </para><para> + If FQDNs are assigned they are resolved every time a configuration lookup + is done. If DNS resolution times out, the lookup is delayed for that time. + To initiate a connection, at least one specific address or DNS name must + be specified. + ''; + + local_port = mkIntParam 500 '' + Local UDP port for IKE communication. By default the port of the socket + backend is used, which is usually <literal>500</literal>. If port + <literal>500</literal> is used, automatic IKE port floating to port + <literal>4500</literal> is used to work around NAT issues. + </para><para> + Using a non-default local IKE port requires support from the socket + backend in use (socket-dynamic). + ''; + + remote_port = mkIntParam 500 '' + Remote UDP port for IKE communication. If the default of port + <literal>500</literal> is used, automatic IKE port floating to port + <literal>4500</literal> is used to work around NAT issues. + ''; + + proposals = mkCommaSepListParam ["default"] '' + A proposal is a set of algorithms. For non-AEAD algorithms, this includes + for IKE an encryption algorithm, an integrity algorithm, a pseudo random + function and a Diffie-Hellman group. For AEAD algorithms, instead of + encryption and integrity algorithms, a combined algorithm is used. + </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a + single proposal, from which one gets selected. In IKEv1, only one + algorithm per kind is allowed per proposal, more algorithms get implicitly + stripped. Use multiple proposals to offer different algorithms + combinations in IKEv1. + </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be + specified in a list. The special value <literal>default</literal> forms a + default proposal of supported algorithms considered safe, and is usually a + good choice for interoperability. + ''; + + vips = mkCommaSepListParam [] '' + List of virtual IPs to request in IKEv2 configuration payloads or IKEv1 + Mode Config. The wildcard addresses <literal>0.0.0.0</literal> and + <literal>::</literal> request an arbitrary address, specific addresses may + be defined. The responder may return a different address, though, or none + at all. + ''; + + aggressive = mkYesNoParam no '' + Enables Aggressive Mode instead of Main Mode with Identity + Protection. Aggressive Mode is considered less secure, because the ID and + HASH payloads are exchanged unprotected. This allows a passive attacker to + snoop peer identities, and even worse, start dictionary attacks on the + Preshared Key. + ''; + + pull = mkYesNoParam yes '' + If the default of yes is used, Mode Config works in pull mode, where the + initiator actively requests a virtual IP. With no, push mode is used, + where the responder pushes down a virtual IP to the initiating peer. + </para><para> + Push mode is currently supported for IKEv1, but not in IKEv2. It is used + by a few implementations only, pull mode is recommended. + ''; + + dscp = mkStrParam "000000" '' + Differentiated Services Field Codepoint to set on outgoing IKE packets for + this connection. The value is a six digit binary encoded string specifying + the Codepoint to set, as defined in RFC 2474. + ''; + + encap = mkYesNoParam no '' + To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the + NAT detection payloads. This makes the peer believe that NAT takes place + on the path, forcing it to encapsulate ESP packets in UDP. + </para><para> + Usually this is not required, but it can help to work around connectivity + issues with too restrictive intermediary firewalls. + ''; + + mobike = mkYesNoParam yes '' + Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 + connections, and allows mobility of clients and multi-homing on servers by + migrating active IPsec tunnels. + </para><para> + Usually keeping MOBIKE enabled is unproblematic, as it is not used if the + peer does not indicate support for it. However, due to the design of + MOBIKE, IKEv2 always floats to port 4500 starting from the second + exchange. Some implementations don't like this behavior, hence it can be + disabled. + ''; + + dpd_delay = mkDurationParam "0s" '' + Interval to check the liveness of a peer actively using IKEv2 + INFORMATIONAL exchanges or IKEv1 R_U_THERE messages. Active DPD checking + is only enforced if no IKE or ESP/AH packet has been received for the + configured DPD delay. + ''; + + dpd_timeout = mkDurationParam "0s" '' + Charon by default uses the normal retransmission mechanism and timeouts to + check the liveness of a peer, as all messages are used for liveness + checking. For compatibility reasons, with IKEv1 a custom interval may be + specified; this option has no effect on connections using IKEv2. + ''; + + fragmentation = mkEnumParam ["yes" "accept" "force" "no"] "yes" '' + Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 + fragmentation). Acceptable values are <literal>yes</literal> (the default + since 5.5.1), <literal>accept</literal> (since versions:5.5.3), + <literal>force</literal> and <literal>no</literal>. + <itemizedlist> + <listitem><para>If set to <literal>yes</literal>, and the peer + supports it, oversized IKE messages will be sent in fragments.</para></listitem> + <listitem><para>If set to + <literal>accept</literal>, support for fragmentation is announced to the peer but the daemon + does not send its own messages in fragments.</para></listitem> + <listitem><para>If set to <literal>force</literal> (only + supported for IKEv1) the initial IKE message will already be fragmented if + required.</para></listitem> + <listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing + support for this feature.</para></listitem> + </itemizedlist> + </para><para> + Note that fragmented IKE messages sent by a peer are always processed + irrespective of the value of this option (even when set to no). + ''; + + send_certreq = mkYesNoParam yes '' + Send certificate request payloads to offer trusted root CA certificates to + the peer. Certificate requests help the peer to choose an appropriate + certificate/private key for authentication and are enabled by default. + Disabling certificate requests can be useful if too many trusted root CA + certificates are installed, as each certificate request increases the size + of the initial IKE packets. + ''; + + send_cert = mkEnumParam ["always" "never" "ifasked" ] "ifasked" '' + Send certificate payloads when using certificate authentication. + <itemizedlist> + <listitem><para>With the default of <literal>ifasked</literal> the daemon sends + certificate payloads only if certificate requests have been received.</para></listitem> + <listitem><para><literal>never</literal> disables sending of certificate payloads + altogether,</para></listitem> + <listitem><para><literal>always</literal> causes certificate payloads to be sent + unconditionally whenever certificate authentication is used.</para></listitem> + </itemizedlist> + ''; + + keyingtries = mkIntParam 1 '' + Number of retransmission sequences to perform during initial + connect. Instead of giving up initiation after the first retransmission + sequence with the default value of <literal>1</literal>, additional + sequences may be started according to the configured value. A value of + <literal>0</literal> initiates a new sequence until the connection + establishes or fails with a permanent error. + ''; + + unique = mkEnumParam ["no" "never" "keep" "replace"] "no" '' + Connection uniqueness policy to enforce. To avoid multiple connections + from the same user, a uniqueness policy can be enforced. + </para><para> + <itemizedlist> + <listitem><para> + The value <literal>never</literal> does never enforce such a policy, even + if a peer included INITIAL_CONTACT notification messages, + </para></listitem> + <listitem><para> + whereas <literal>no</literal> replaces existing connections for the same + identity if a new one has the INITIAL_CONTACT notify. + </para></listitem> + <listitem><para> + <literal>keep</literal> rejects new connection attempts if the same user + already has an active connection, + </para></listitem> + <listitem><para> + <literal>replace</literal> deletes any existing connection if a new one + for the same user gets established. + </para></listitem> + </itemizedlist> + To compare connections for uniqueness, the remote IKE identity is used. If + EAP or XAuth authentication is involved, the EAP-Identity or XAuth + username is used to enforce the uniqueness policy instead. + </para><para> + On initiators this setting specifies whether an INITIAL_CONTACT notify is + sent during IKE_AUTH if no existing connection is found with the remote + peer (determined by the identities of the first authentication + round). Unless set to <literal>never</literal> the client will send a notify. + ''; + + reauth_time = mkDurationParam "0s" '' + Time to schedule IKE reauthentication. IKE reauthentication recreates the + IKE/ISAKMP SA from scratch and re-evaluates the credentials. In asymmetric + configurations (with EAP or configuration payloads) it might not be + possible to actively reauthenticate as responder. The IKEv2 + reauthentication lifetime negotiation can instruct the client to perform + reauthentication. + </para><para> + Reauthentication is disabled by default. Enabling it usually may lead to + small connection interruptions, as strongSwan uses a break-before-make + policy with IKEv2 to avoid any conflicts with associated tunnel resources. + ''; + + rekey_time = mkDurationParam "4h" '' + IKE rekeying refreshes key material using a Diffie-Hellman exchange, but + does not re-check associated credentials. It is supported in IKEv2 only, + IKEv1 performs a reauthentication procedure instead. + </para><para> + With the default value IKE rekeying is scheduled every 4 hours, minus the + configured rand_time. If a reauth_time is configured, rekey_time defaults + to zero, disabling rekeying; explicitly set both to enforce rekeying and + reauthentication. + ''; + + over_time = mkOptionalDurationParam '' + Hard IKE_SA lifetime if rekey/reauth does not complete, as time. To avoid + having an IKE/ISAKMP kept alive if IKE reauthentication or rekeying fails + perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails + to rekey or reauthenticate within the specified time, the IKE_SA gets + closed. + </para><para> + In contrast to CHILD_SA rekeying, over_time is relative in time to the + rekey_time and reauth_time values, as it applies to both. + </para><para> + The default is 10% of the longer of <option>rekey_time</option> and + <option>reauth_time</option>. + ''; + + rand_time = mkOptionalDurationParam '' + Time range from which to choose a random value to subtract from + rekey/reauth times. To avoid having both peers initiating the rekey/reauth + procedure simultaneously, a random time gets subtracted from the + rekey/reauth times. + </para><para> + The default is equal to the configured <option>over_time</option>. + ''; + + pools = mkCommaSepListParam [] '' + List of named IP pools to allocate virtual IP addresses + and other configuration attributes from. Each name references a pool by + name from either the pools section or an external pool. + ''; + + mediation = mkYesNoParam no '' + Whether this connection is a mediation connection, that is, whether this + connection is used to mediate other connections using the IKEv2 Mediation + Extension. Mediation connections create no CHILD_SA. + ''; + + mediated_by = mkOptionalStrParam '' + The name of the connection to mediate this connection through. If given, + the connection will be mediated through the named mediation + connection. The mediation connection must have mediation enabled. + ''; + + mediation_peer = mkOptionalStrParam '' + Identity under which the peer is registered at the mediation server, that + is, the IKE identity the other end of this connection uses as its local + identity on its connection to the mediation server. This is the identity + we request the mediation server to mediate us with. Only relevant on + connections that set mediated_by. If it is not given, the remote IKE + identity of the first authentication round of this connection will be + used. + ''; + + local = mkPrefixedAttrsOfParams { + + round = mkIntParam 0 '' + Optional numeric identifier by which authentication rounds are + sorted. If not specified rounds are ordered by their position in the + config file/vici message. + ''; + + certs = mkCommaSepListParam [] '' + List of certificate candidates to use for + authentication. The certificates may use a relative path from the + swanctl <literal>x509</literal> directory or an absolute path. + </para><para> + The certificate used for authentication is selected based on the + received certificate request payloads. If no appropriate CA can be + located, the first certificate is used. + ''; + + cert = mkPostfixedAttrsOfParams certParams '' + Section for a certificate candidate to use for + authentication. Certificates in certs are transmitted as binary blobs, + these sections offer more flexibility. + ''; + + pubkeys = mkCommaSepListParam [] '' + List of raw public key candidates to use for + authentication. The public keys may use a relative path from the swanctl + <literal>pubkey</literal> directory or an absolute path. + </para><para> + Even though multiple local public keys could be defined in principle, + only the first public key in the list is used for authentication. + ''; + + auth = mkStrParam "pubkey" '' + Authentication to perform locally. + <itemizedlist> + <listitem><para> + The default <literal>pubkey</literal> uses public key authentication + using a private key associated to a usable certificate. + </para></listitem> + <listitem><para> + <literal>psk</literal> uses pre-shared key authentication. + </para></listitem> + <listitem><para> + The IKEv1 specific <literal>xauth</literal> is used for XAuth or Hybrid + authentication, + </para></listitem> + <listitem><para> + while the IKEv2 specific <literal>eap</literal> keyword defines EAP + authentication. + </para></listitem> + <listitem><para> + For <literal>xauth</literal>, a specific backend name may be appended, + separated by a dash. The appropriate <literal>xauth</literal> backend is + selected to perform the XAuth exchange. For traditional XAuth, the + <literal>xauth</literal> method is usually defined in the second + authentication round following an initial <literal>pubkey</literal> (or + <literal>psk</literal>) round. Using <literal>xauth</literal> in the + first round performs Hybrid Mode client authentication. + </para></listitem> + <listitem><para> + For <literal>eap</literal>, a specific EAP method name may be appended, separated by a + dash. An EAP module implementing the appropriate method is selected to + perform the EAP conversation. + </para></listitem> + <listitem><para> + Since 5.4.0, if both peers support RFC 7427 ("Signature Authentication + in IKEv2") specific hash algorithms to be used during IKEv2 + authentication may be configured. To do so use <literal>ike:</literal> + followed by a trust chain signature scheme constraint (see description + of the <option>remote</option> section's <option>auth</option> + keyword). For example, with <literal>ike:pubkey-sha384-sha256</literal> + a public key signature scheme with either SHA-384 or SHA-256 would get + used for authentication, in that order and depending on the hash + algorithms supported by the peer. If no specific hash algorithms are + configured, the default is to prefer an algorithm that matches or + exceeds the strength of the signature key. If no constraints with + <literal>ike:</literal> prefix are configured any signature scheme + constraint (without <literal>ike:</literal> prefix) will also apply to + IKEv2 authentication, unless this is disabled in + <literal>strongswan.conf</literal>. To use RSASSA-PSS signatures use + <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or + <literal>rsa</literal> as in e.g. + <literal>ike:rsa/pss-sha256</literal>. If <literal>pubkey</literal> or + <literal>rsa</literal> constraints are configured RSASSA-PSS signatures + will only be used if enabled in <literal>strongswan.conf</literal>(5). + </para></listitem> + </itemizedlist> + ''; + + id = mkOptionalStrParam '' + IKE identity to use for authentication round. When using certificate + authentication, the IKE identity must be contained in the certificate, + either as subject or as subjectAltName. + ''; + + eap_id = mkOptionalStrParam '' + Client EAP-Identity to use in EAP-Identity exchange and the EAP method. + ''; + + aaa_id = mkOptionalStrParam '' + Server side EAP-Identity to expect in the EAP method. Some EAP methods, + such as EAP-TLS, use an identity for the server to perform mutual + authentication. This identity may differ from the IKE identity, + especially when EAP authentication is delegated from the IKE responder + to an AAA backend. + </para><para> + For EAP-(T)TLS, this defines the identity for which the server must + provide a certificate in the TLS exchange. + ''; + + xauth_id = mkOptionalStrParam '' + Client XAuth username used in the XAuth exchange. + ''; + + } '' + Section for a local authentication round. A local authentication round + defines the rules how authentication is performed for the local + peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple + Authentication or IKEv1 XAuth. + </para><para> + Each round is defined in a section having <literal>local</literal> as + prefix, and an optional unique suffix. To define a single authentication + round, the suffix may be omitted. + ''; + + remote = mkPrefixedAttrsOfParams { + + round = mkIntParam 0 '' + Optional numeric identifier by which authentication rounds are + sorted. If not specified rounds are ordered by their position in the + config file/vici message. + ''; + + id = mkStrParam "%any" '' + IKE identity to expect for authentication round. When using certificate + authentication, the IKE identity must be contained in the certificate, + either as subject or as subjectAltName. + ''; + + eap_id = mkOptionalStrParam '' + Identity to use as peer identity during EAP authentication. If set to + <literal>%any</literal> the EAP-Identity method will be used to ask the + client for an EAP identity. + ''; + + groups = mkCommaSepListParam [] '' + Authorization group memberships to require. The peer + must prove membership to at least one of the specified groups. Group + membership can be certified by different means, for example by + appropriate Attribute Certificates or by an AAA backend involved in the + authentication. + ''; + + cert_policy = mkCommaSepListParam [] '' + List of certificate policy OIDs the peer's certificate + must have. OIDs are specified using the numerical dotted representation. + ''; + + certs = mkCommaSepListParam [] '' + List of certificates to accept for authentication. The certificates may + use a relative path from the swanctl <literal>x509</literal> directory + or an absolute path. + ''; + + cert = mkPostfixedAttrsOfParams certParams '' + Section for a certificate candidate to use for + authentication. Certificates in certs are transmitted as binary blobs, + these sections offer more flexibility. + ''; + + cacerts = mkCommaSepListParam [] '' + List of CA certificates to accept for + authentication. The certificates may use a relative path from the + swanctl <literal>x509ca</literal> directory or an absolute path. + ''; + + cacert = mkPostfixedAttrsOfParams certParams '' + Section for a CA certificate to accept for authentication. Certificates + in cacerts are transmitted as binary blobs, these sections offer more + flexibility. + ''; + + pubkeys = mkCommaSepListParam [] '' + List of raw public keys to accept for + authentication. The public keys may use a relative path from the swanctl + <literal>pubkey</literal> directory or an absolute path. + ''; + + revocation = mkEnumParam ["strict" "ifuri" "relaxed"] "relaxed" '' + Certificate revocation policy for CRL or OCSP revocation. + <itemizedlist> + <listitem><para> + A <literal>strict</literal> revocation policy fails if no revocation information is + available, i.e. the certificate is not known to be unrevoked. + </para></listitem> + <listitem><para> + <literal>ifuri</literal> fails only if a CRL/OCSP URI is available, but certificate + revocation checking fails, i.e. there should be revocation information + available, but it could not be obtained. + </para></listitem> + <listitem><para> + The default revocation policy <literal>relaxed</literal> fails only if a certificate is + revoked, i.e. it is explicitly known that it is bad. + </para></listitem> + </itemizedlist> + ''; + + auth = mkStrParam "pubkey" '' + Authentication to expect from remote. See the <option>local</option> + section's <option>auth</option> keyword description about the details of + supported mechanisms. + </para><para> + Since 5.4.0, to require a trustchain public key strength for the remote + side, specify the key type followed by the minimum strength in bits (for + example <literal>ecdsa-384</literal> or + <literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of + hashing algorithms for trustchain validation, append hash algorithms to + pubkey or a key strength definition (for example + <literal>pubkey-sha256-sha512</literal>, + <literal>rsa-2048-sha256-sha384-sha512</literal> or + <literal>rsa-2048-sha256-ecdsa-256-sha256-sha384</literal>). + Unless disabled in <literal>strongswan.conf</literal>, or explicit IKEv2 + signature constraints are configured (refer to the description of the + <option>local</option> section's <option>auth</option> keyword for + details), such key types and hash algorithms are also applied as + constraints against IKEv2 signature authentication schemes used by the + remote side. To require RSASSA-PSS signatures use + <literal>rsa/pss</literal> instead of <literal>pubkey</literal> or + <literal>rsa</literal> as in e.g. <literal>rsa/pss-sha256</literal>. If + <literal>pubkey</literal> or <literal>rsa</literal> constraints are + configured RSASSA-PSS signatures will only be accepted if enabled in + <literal>strongswan.conf</literal>(5). + </para><para> + To specify trust chain constraints for EAP-(T)TLS, append a colon to the + EAP method, followed by the key type/size and hash algorithm as + discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>). + ''; + + } '' + Section for a remote authentication round. A remote authentication round + defines the constraints how the peers must authenticate to use this + connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple + Authentication or IKEv1 XAuth. + </para><para> + Each round is defined in a section having <literal>remote</literal> as + prefix, and an optional unique suffix. To define a single authentication + round, the suffix may be omitted. + ''; + + children = mkAttrsOfParams { + ah_proposals = mkCommaSepListParam [] '' + AH proposals to offer for the CHILD_SA. A proposal is a set of + algorithms. For AH, this includes an integrity algorithm and an optional + Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode + rekeying and initial negotiation uses a separate Diffie-Hellman exchange + using the specified group (refer to esp_proposals for details). + </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a + single proposal, from which one gets selected. In IKEv1, only one + algorithm per kind is allowed per proposal, more algorithms get + implicitly stripped. Use multiple proposals to offer different algorithms + combinations in IKEv1. + </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be + specified in a list. The special value <literal>default</literal> forms + a default proposal of supported algorithms considered safe, and is + usually a good choice for interoperability. By default no AH proposals + are included, instead ESP is proposed. + ''; + + esp_proposals = mkCommaSepListParam ["default"] '' + ESP proposals to offer for the CHILD_SA. A proposal is a set of + algorithms. For ESP non-AEAD proposals, this includes an integrity + algorithm, an encryption algorithm, an optional Diffie-Hellman group and + an optional Extended Sequence Number Mode indicator. For AEAD proposals, + a combined mode algorithm is used instead of the separate + encryption/integrity algorithms. + </para><para> + If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial + negotiation use a separate Diffie-Hellman exchange using the specified + group. However, for IKEv2, the keys of the CHILD_SA created implicitly + with the IKE_SA will always be derived from the IKE_SA's key material. So + any DH group specified here will only apply when the CHILD_SA is later + rekeyed or is created with a separate CREATE_CHILD_SA exchange. A + proposal mismatch might, therefore, not immediately be noticed when the + SA is established, but may later cause rekeying to fail. + </para><para> + Extended Sequence Number support may be indicated with the + <literal>esn</literal> and <literal>noesn</literal> values, both may be + included to indicate support for both modes. If omitted, + <literal>noesn</literal> is assumed. + </para><para> + In IKEv2, multiple algorithms of the same kind can be specified in a + single proposal, from which one gets selected. In IKEv1, only one + algorithm per kind is allowed per proposal, more algorithms get + implicitly stripped. Use multiple proposals to offer different algorithms + combinations in IKEv1. + </para><para> + Algorithm keywords get separated using dashes. Multiple proposals may be + specified as a list. The special value <literal>default</literal> forms + a default proposal of supported algorithms considered safe, and is + usually a good choice for interoperability. If no algorithms are + specified for AH nor ESP, the default set of algorithms for ESP is + included. + ''; + + sha256_96 = mkYesNoParam no '' + HMAC-SHA-256 is used with 128-bit truncation with IPsec. For + compatibility with implementations that incorrectly use 96-bit truncation + this option may be enabled to configure the shorter truncation length in + the kernel. This is not negotiated, so this only works with peers that + use the incorrect truncation length (or have this option enabled). + ''; + + local_ts = mkCommaSepListParam ["dynamic"] '' + List of local traffic selectors to include in CHILD_SA. Each selector is + a CIDR subnet definition, followed by an optional proto/port + selector. The special value <literal>dynamic</literal> may be used + instead of a subnet definition, which gets replaced by the tunnel outer + address or the virtual IP, if negotiated. This is the default. + </para><para> + A protocol/port selector is surrounded by opening and closing square + brackets. Between these brackets, a numeric or getservent(3) protocol + name may be specified. After the optional protocol restriction, an + optional port restriction may be specified, separated by a slash. The + port restriction may be numeric, a getservent(3) service name, or the + special value <literal>opaque</literal> for RFC 4301 OPAQUE + selectors. Port ranges may be specified as well, none of the kernel + backends currently support port ranges, though. + </para><para> + When IKEv1 is used only the first selector is interpreted, except if the + Cisco Unity extension plugin is used. This is due to a limitation of the + IKEv1 protocol, which only allows a single pair of selectors per + CHILD_SA. So to tunnel traffic matched by several pairs of selectors when + using IKEv1 several children (CHILD_SAs) have to be defined that cover + the selectors. The IKE daemon uses traffic selector narrowing for IKEv1, + the same way it is standardized and implemented for IKEv2. However, this + may lead to problems with other implementations. To avoid that, configure + identical selectors in such scenarios. + ''; + + remote_ts = mkCommaSepListParam ["dynamic"] '' + List of remote selectors to include in CHILD_SA. See + <option>local_ts</option> for a description of the selector syntax. + ''; + + rekey_time = mkDurationParam "1h" '' + Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key + material, optionally using a Diffie-Hellman exchange if a group is + specified in the proposal. To avoid rekey collisions initiated by both + ends simultaneously, a value in the range of <option>rand_time</option> + gets subtracted to form the effective soft lifetime. + </para><para> + By default CHILD_SA rekeying is scheduled every hour, minus + <option>rand_time</option>. + ''; + + life_time = mkOptionalDurationParam '' + Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime + is never reached, because the CHILD_SA gets rekeyed before. If that fails + for whatever reason, this limit closes the CHILD_SA. The default is 10% + more than the <option>rekey_time</option>. + ''; + + rand_time = mkOptionalDurationParam '' + Time range from which to choose a random value to subtract from + <option>rekey_time</option>. The default is the difference between + <option>life_time</option> and <option>rekey_time</option>. + ''; + + rekey_bytes = mkIntParam 0 '' + Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA + rekeying refreshes key material, optionally using a Diffie-Hellman + exchange if a group is specified in the proposal. + </para><para> + To avoid rekey collisions initiated by both ends simultaneously, a value + in the range of <option>rand_bytes</option> gets subtracted to form the + effective soft volume limit. + </para><para> + Volume based CHILD_SA rekeying is disabled by default. + ''; + + life_bytes = mkOptionalIntParam '' + Maximum bytes processed before CHILD_SA gets closed. Usually this hard + volume limit is never reached, because the CHILD_SA gets rekeyed + before. If that fails for whatever reason, this limit closes the + CHILD_SA. The default is 10% more than <option>rekey_bytes</option>. + ''; + + rand_bytes = mkOptionalIntParam '' + Byte range from which to choose a random value to subtract from + <option>rekey_bytes</option>. The default is the difference between + <option>life_bytes</option> and <option>rekey_bytes</option>. + ''; + + rekey_packets = mkIntParam 0 '' + Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA + rekeying refreshes key material, optionally using a Diffie-Hellman + exchange if a group is specified in the proposal. + </para><para> + To avoid rekey collisions initiated by both ends simultaneously, a value + in the range of <option>rand_packets</option> gets subtracted to form + the effective soft packet count limit. + </para><para> + Packet count based CHILD_SA rekeying is disabled by default. + ''; + + life_packets = mkOptionalIntParam '' + Maximum number of packets processed before CHILD_SA gets closed. Usually + this hard packets limit is never reached, because the CHILD_SA gets + rekeyed before. If that fails for whatever reason, this limit closes the + CHILD_SA. + </para><para> + The default is 10% more than <option>rekey_bytes</option>. + ''; + + rand_packets = mkOptionalIntParam '' + Packet range from which to choose a random value to subtract from + <option>rekey_packets</option>. The default is the difference between + <option>life_packets</option> and <option>rekey_packets</option>. + ''; + + updown = mkOptionalStrParam '' + Updown script to invoke on CHILD_SA up and down events. + ''; + + hostaccess = mkYesNoParam yes '' + Hostaccess variable to pass to <literal>updown</literal> script. + ''; + + mode = mkEnumParam [ "tunnel" + "transport" + "transport_proxy" + "beet" + "pass" + "drop" + ] "tunnel" '' + IPsec Mode to establish CHILD_SA with. + <itemizedlist> + <listitem><para> + <literal>tunnel</literal> negotiates the CHILD_SA in IPsec Tunnel Mode, + </para></listitem> + <listitem><para> + whereas <literal>transport</literal> uses IPsec Transport Mode. + </para></listitem> + <listitem><para> + <literal>transport_proxy</literal> signifying the special Mobile IPv6 + Transport Proxy Mode. + </para></listitem> + <listitem><para> + <literal>beet</literal> is the Bound End to End Tunnel mixture mode, + working with fixed inner addresses without the need to include them in + each packet. + </para></listitem> + <listitem><para> + Both <literal>transport</literal> and <literal>beet</literal> modes are + subject to mode negotiation; <literal>tunnel</literal> mode is + negotiated if the preferred mode is not available. + </para></listitem> + <listitem><para> + <literal>pass</literal> and <literal>drop</literal> are used to install + shunt policies which explicitly bypass the defined traffic from IPsec + processing or drop it, respectively. + </para></listitem> + </itemizedlist> + ''; + + policies = mkYesNoParam yes '' + Whether to install IPsec policies or not. Disabling this can be useful in + some scenarios e.g. MIPv6, where policies are not managed by the IKE + daemon. Since 5.3.3. + ''; + + policies_fwd_out = mkYesNoParam no '' + Whether to install outbound FWD IPsec policies or not. Enabling this is + required in case there is a drop policy that would match and block + forwarded traffic for this CHILD_SA. Since 5.5.1. + ''; + + dpd_action = mkEnumParam ["clear" "trap" "restart"] "clear" '' + Action to perform for this CHILD_SA on DPD timeout. The default clear + closes the CHILD_SA and does not take further action. trap installs a + trap policy, which will catch matching traffic and tries to re-negotiate + the tunnel on-demand. restart immediately tries to re-negotiate the + CHILD_SA under a fresh IKE_SA. + ''; + + ipcomp = mkYesNoParam no '' + Enable IPComp compression before encryption. If enabled, IKE tries to + negotiate IPComp compression to compress ESP payload data prior to + encryption. + ''; + + inactivity = mkDurationParam "0s" '' + Timeout before closing CHILD_SA after inactivity. If no traffic has been + processed in either direction for the configured timeout, the CHILD_SA + gets closed due to inactivity. The default value of 0 disables inactivity + checks. + ''; + + reqid = mkIntParam 0 '' + Fixed reqid to use for this CHILD_SA. This might be helpful in some + scenarios, but works only if each CHILD_SA configuration is instantiated + not more than once. The default of 0 uses dynamic reqids, allocated + incrementally. + ''; + + priority = mkIntParam 0 '' + Optional fixed priority for IPsec policies. This could be useful to + install high-priority drop policies. The default of 0 uses dynamically + calculated priorities based on the size of the traffic selectors. + ''; + + interface = mkOptionalStrParam '' + Optional interface name to restrict outbound IPsec policies. + ''; + + mark_in = mkStrParam "0/0x00000000" '' + Netfilter mark and mask for input traffic. On Linux, Netfilter may + require marks on each packet to match an SA/policy having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific SAs/policies for incoming traffic. Note that + inbound marks are only set on policies, by default, unless + <option>mark_in_sa</option> is enabled. The special value + <literal>%unique</literal> sets a unique mark on each CHILD_SA instance, + beyond that the value <literal>%unique-dir</literal> assigns a different + unique mark for each + </para><para> + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is + <literal>0xffffffff</literal>. + ''; + + mark_in_sa = mkYesNoParam no '' + Whether to set <option>mark_in</option> on the inbound SA. By default, + the inbound mark is only set on the inbound policy. The tuple destination + address, protocol and SPI is unique and the mark is not required to find + the correct SA, allowing to mark traffic after decryption instead (where + more specific selectors may be used) to match different policies. Marking + packets before decryption is still possible, even if no mark is set on + the SA. + ''; + + mark_out = mkStrParam "0/0x00000000" '' + Netfilter mark and mask for output traffic. On Linux, Netfilter may + require marks on each packet to match a policy/SA having that option + set. This allows installing duplicate policies and enables Netfilter + rules to select specific policies/SAs for outgoing traffic. The special + value <literal>%unique</literal> sets a unique mark on each CHILD_SA + instance, beyond that the value <literal>%unique-dir</literal> assigns a + different unique mark for each CHILD_SA direction (in/out). + </para><para> + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is + <literal>0xffffffff</literal>. + ''; + + tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 '' + Pads ESP packets with additional data to have a consistent ESP packet + size for improved Traffic Flow Confidentiality. The padding defines the + minimum size of all ESP packets sent. The default value of + <literal>0</literal> disables TFC padding, the special value + <literal>mtu</literal> adds TFC padding to create a packet size equal to + the Path Maximum Transfer Unit. + ''; + + replay_window = mkIntParam 32 '' + IPsec replay window to configure for this CHILD_SA. Larger values than + the default of <literal>32</literal> are supported using the Netlink + backend only, a value of <literal>0</literal> disables IPsec replay + protection. + ''; + + hw_offload = mkYesNoParam no '' + Enable hardware offload for this CHILD_SA, if supported by the IPsec + implementation. + ''; + + start_action = mkEnumParam ["none" "trap" "start"] "none" '' + Action to perform after loading the configuration. + <itemizedlist> + <listitem><para> + The default of <literal>none</literal> loads the connection only, which + then can be manually initiated or used as a responder configuration. + </para></listitem> + <listitem><para> + The value <literal>trap</literal> installs a trap policy, which triggers + the tunnel as soon as matching traffic has been detected. + </para></listitem> + <listitem><para> + The value <literal>start</literal> initiates the connection actively. + </para></listitem> + </itemizedlist> + When unloading or replacing a CHILD_SA configuration having a + <option>start_action</option> different from <literal>none</literal>, + the inverse action is performed. Configurations with + <literal>start</literal> get closed, while such with + <literal>trap</literal> get uninstalled. + ''; + + close_action = mkEnumParam ["none" "trap" "start"] "none" '' + Action to perform after a CHILD_SA gets closed by the peer. + <itemizedlist> + <listitem><para> + The default of <literal>none</literal> does not take any action, + </para></listitem> + <listitem><para> + <literal>trap</literal> installs a trap policy for the CHILD_SA. + </para></listitem> + <listitem><para> + <literal>start</literal> tries to re-create the CHILD_SA. + </para></listitem> + </itemizedlist> + </para><para> + <option>close_action</option> does not provide any guarantee that the + CHILD_SA is kept alive. It acts on explicit close messages only, but not + on negotiation failures. Use trap policies to reliably re-create failed + CHILD_SAs. + ''; + + } '' + CHILD_SA configuration sub-section. Each connection definition may have + one or more sections in its <option>children</option> subsection. The + section name defines the name of the CHILD_SA configuration, which must be + unique within the connection (denoted <child> below). + ''; + } '' + Section defining IKE connection configurations, each in its own subsection + with an arbitrary yet unique name + ''; + + secrets = let + mkEapXauthParams = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the EAP/XAuth secret. It may either be an ASCII string, a hex + encoded string if it has a 0x prefix or a Base64 encoded string if it + has a 0s prefix in its value. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + Identity the EAP/XAuth secret belongs to. Multiple unique identities may + be specified, each having an <literal>id</literal> prefix, if a secret + is shared between multiple users. + ''; + + } '' + EAP secret section for a specific secret. Each EAP secret is defined in a + unique section having the <literal>eap</literal> prefix. EAP secrets are + used for XAuth authentication as well. + ''; + + in { + + eap = mkEapXauthParams; + xauth = mkEapXauthParams; + + ntlm = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the NTLM secret, which is the NT Hash of the actual secret, + that is, MD4(UTF-16LE(secret)). The resulting 16-byte value may either + be given as a hex encoded string with a 0x prefix or as a Base64 encoded + string with a 0s prefix. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + Identity the NTLM secret belongs to. Multiple unique identities may be + specified, each having an id prefix, if a secret is shared between + multiple users. + ''; + } '' + NTLM secret section for a specific secret. Each NTLM secret is defined in + a unique section having the <literal>ntlm</literal> prefix. NTLM secrets + may only be used for EAP-MSCHAPv2 authentication. + ''; + + ike = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the IKE preshared secret. It may either be an ASCII string, a + hex encoded string if it has a 0x prefix or a Base64 encoded string if + it has a 0s prefix in its value. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + IKE identity the IKE preshared secret belongs to. Multiple unique + identities may be specified, each having an <literal>id</literal> + prefix, if a secret is shared between multiple peers. + ''; + } '' + IKE preshared secret section for a specific secret. Each IKE PSK is + defined in a unique section having the <literal>ike</literal> prefix. + ''; + + private = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the private folder for which this passphrase should be used. + ''; + + secret = mkOptionalStrParam '' + Value of decryption passphrase for private key. + ''; + } '' + Private key decryption passphrase for a key in the + <literal>private</literal> folder. + ''; + + rsa = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>rsa</literal> folder for which this passphrase + should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for RSA key. + ''; + } '' + Private key decryption passphrase for a key in the <literal>rsa</literal> + folder. + ''; + + ecdsa = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>ecdsa</literal> folder for which this + passphrase should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for ECDSA key. + ''; + } '' + Private key decryption passphrase for a key in the + <literal>ecdsa</literal> folder. + ''; + + pkcs8 = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>pkcs8</literal> folder for which this + passphrase should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for PKCS#8 key. + ''; + } '' + Private key decryption passphrase for a key in the + <literal>pkcs8</literal> folder. + ''; + + pkcs12 = mkPrefixedAttrsOfParams { + file = mkOptionalStrParam '' + File name in the <literal>pkcs12</literal> folder for which this + passphrase should be used. + ''; + secret = mkOptionalStrParam '' + Value of decryption passphrase for PKCS#12 container. + ''; + } '' + PKCS#12 decryption passphrase for a container in the + <literal>pkcs12</literal> folder. + ''; + + token = mkPrefixedAttrsOfParams { + handle = mkOptionalHexParam '' + Hex-encoded CKA_ID or handle of the private key on the token or TPM, + respectively. + ''; + + slot = mkOptionalIntParam '' + Optional slot number to access the token. + ''; + + module = mkOptionalStrParam '' + Optional PKCS#11 module name to access the token. + ''; + + pin = mkOptionalStrParam '' + Optional PIN required to access the key on the token. If none is + provided the user is prompted during an interactive + <literal>--load-creds</literal> call. + ''; + } ''Definition for a private key that's stored on a token/smartcard/TPM.''; + + }; + + pools = mkAttrsOfParams { + addrs = mkOptionalStrParam '' + Subnet or range defining addresses allocated in pool. Accepts a single + CIDR subnet defining the pool to allocate addresses from or an address + range (<from>-<to>). Pools must be unique and non-overlapping. + ''; + + dns = mkCommaSepListParam [] "Address or CIDR subnets"; + nbns = mkCommaSepListParam [] "Address or CIDR subnets"; + dhcp = mkCommaSepListParam [] "Address or CIDR subnets"; + netmask = mkCommaSepListParam [] "Address or CIDR subnets"; + server = mkCommaSepListParam [] "Address or CIDR subnets"; + subnet = mkCommaSepListParam [] "Address or CIDR subnets"; + split_include = mkCommaSepListParam [] "Address or CIDR subnets"; + split_exclude = mkCommaSepListParam [] "Address or CIDR subnets"; + } '' + Section defining named pools. Named pools may be referenced by connections + with the pools option to assign virtual IPs and other configuration + attributes. Each pool must have a unique name (denoted <name> below). + ''; +} diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 3a3f64221c42..707d24b9220f 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -32,13 +32,13 @@ let ${caConf} ''; - strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' + strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' charon { ${if managePlugins then "load_modular = no" else ""} ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} plugins { stroke { - secrets_file = ${ipsecSecrets secrets} + secrets_file = ${secretsFile} } } } @@ -135,7 +135,18 @@ in }; }; - config = with cfg; mkIf enable { + + config = with cfg; + let + secretsFile = ipsecSecrets cfg.secrets; + in + mkIf enable + { + + # here we should use the default strongswan ipsec.secrets and + # append to it (default one is empty so not a pb for now) + environment.etc."ipsec.secrets".source = secretsFile; + systemd.services.strongswan = { description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; @@ -143,11 +154,15 @@ in wants = [ "keys.target" ]; after = [ "network-online.target" "keys.target" ]; environment = { - STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; }; + STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; }; serviceConfig = { ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork"; }; + preStart = '' + # with 'nopeerdns' setting, ppp writes into this folder + mkdir -m 700 -p /etc/ppp + ''; }; }; } diff --git a/nixos/modules/services/networking/tcpcrypt.nix b/nixos/modules/services/networking/tcpcrypt.nix index 2f304165eb4b..ee005e11aa32 100644 --- a/nixos/modules/services/networking/tcpcrypt.nix +++ b/nixos/modules/services/networking/tcpcrypt.nix @@ -44,9 +44,9 @@ in path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ]; preStart = '' - mkdir -p /var/run/tcpcryptd - chown tcpcryptd /var/run/tcpcryptd - sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state + mkdir -p /run/tcpcryptd + chown tcpcryptd /run/tcpcryptd + sysctl -n net.ipv4.tcp_ecn > /run/tcpcryptd/pre-tcpcrypt-ecn-state sysctl -w net.ipv4.tcp_ecn=0 iptables -t raw -N nixos-tcpcrypt @@ -61,8 +61,8 @@ in script = "tcpcryptd -x 0x10"; postStop = '' - if [ -f /run/pre-tcpcrypt-ecn-state ]; then - sysctl -w net.ipv4.tcp_ecn=$(cat /run/pre-tcpcrypt-ecn-state) + if [ -f /run/tcpcryptd/pre-tcpcrypt-ecn-state ]; then + sysctl -w net.ipv4.tcp_ecn=$(cat /run/tcpcryptd/pre-tcpcrypt-ecn-state) fi iptables -t mangle -D POSTROUTING -j nixos-tcpcrypt || true diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index 545ee327d596..f069a9883a7f 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -112,7 +112,7 @@ in mkdir -m 0755 -p ${stateDir}/dev/ cp ${confFile} ${stateDir}/unbound.conf ${optionalString cfg.enableRootTrustAnchor '' - ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} + ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile} || echo "Root anchor updated!" chown unbound ${stateDir} ${rootTrustAnchorFile} ''} touch ${stateDir}/dev/random diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index 8e5f0bfc070d..94958bfdd83e 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -4,22 +4,22 @@ let cfg = config.services.unifi; stateDir = "/var/lib/unifi"; cmd = '' - @${pkgs.jre}/bin/java java \ + @${cfg.jrePackage}/bin/java java \ ${optionalString (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m"} \ ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \ -jar ${stateDir}/lib/ace.jar ''; mountPoints = [ { - what = "${pkgs.unifi}/dl"; + what = "${cfg.unifiPackage}/dl"; where = "${stateDir}/dl"; } { - what = "${pkgs.unifi}/lib"; + what = "${cfg.unifiPackage}/lib"; where = "${stateDir}/lib"; } { - what = "${pkgs.mongodb}/bin"; + what = "${cfg.mongodbPackage}/bin"; where = "${stateDir}/bin"; } { @@ -41,6 +41,33 @@ in ''; }; + services.unifi.jrePackage = mkOption { + type = types.package; + default = pkgs.jre8; + defaultText = "pkgs.jre8"; + description = '' + The JRE package to use. Check the release notes to ensure it is supported. + ''; + }; + + services.unifi.unifiPackage = mkOption { + type = types.package; + default = pkgs.unifiLTS; + defaultText = "pkgs.unifiLTS"; + description = '' + The unifi package to use. + ''; + }; + + services.unifi.mongodbPackage = mkOption { + type = types.package; + default = pkgs.mongodb; + defaultText = "pkgs.mongodb"; + description = '' + The mongodb package to use. + ''; + }; + services.unifi.dataDir = mkOption { type = types.str; default = "${stateDir}/data"; @@ -137,7 +164,7 @@ in rm -rf "${stateDir}/webapps" mkdir -p "${stateDir}/webapps" chown unifi "${stateDir}/webapps" - ln -s "${pkgs.unifi}/webapps/ROOT" "${stateDir}/webapps/ROOT" + ln -s "${cfg.unifiPackage}/webapps/ROOT" "${stateDir}/webapps/ROOT" ''; postStop = '' diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 24accd41511c..0591917c7423 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -53,30 +53,30 @@ let }; preSetup = mkOption { - example = literalExample ['' + example = literalExample '' ${pkgs.iproute}/bin/ip netns add foo - '']; - default = []; - type = with types; listOf str; + ''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; description = '' - A list of commands called at the start of the interface setup. + Commands called at the start of the interface setup. ''; }; postSetup = mkOption { - example = literalExample ['' - ${pkgs.bash} -c 'printf "nameserver 10.200.100.1" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0' - '']; - default = []; - type = with types; listOf str; - description = "A list of commands called at the end of the interface setup."; + example = literalExample '' + printf "nameserver 10.200.100.1" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0 + ''; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = "Commands called at the end of the interface setup."; }; postShutdown = mkOption { - example = literalExample ["${pkgs.openresolv}/bin/resolvconf -d wg0"]; - default = []; - type = with types; listOf str; - description = "A list of commands called after shutting down the interface."; + example = literalExample "${pkgs.openresolv}/bin/resolvconf -d wg0"; + default = ""; + type = with types; coercedTo (listOf str) (concatStringsSep "\n") lines; + description = "Commands called after shutting down the interface."; }; table = mkOption { @@ -182,9 +182,6 @@ let }; - ipCommand = "${pkgs.iproute}/bin/ip"; - wgCommand = "${pkgs.wireguard}/bin/wg"; - generateUnit = name: values: # exactly one way to specify the private key must be set assert (values.privateKey != null) != (values.privateKeyFile != null); @@ -196,49 +193,53 @@ let after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; environment.DEVICE = name; + path = with pkgs; [ kmod iproute wireguard ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStart = flatten([ - values.preSetup + }; + + script = '' + modprobe wireguard + + ${values.preSetup} - "-${ipCommand} link del dev ${name}" - "${ipCommand} link add dev ${name} type wireguard" + ip link add dev ${name} type wireguard - (map (ip: - "${ipCommand} address add ${ip} dev ${name}" - ) values.ips) + ${concatMapStringsSep "\n" (ip: + "ip address add ${ip} dev ${name}" + ) values.ips} - ("${wgCommand} set ${name} private-key ${privKey}" + - optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}") + wg set ${name} private-key ${privKey} ${ + optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"} - (map (peer: + ${concatMapStringsSep "\n" (peer: assert (peer.presharedKeyFile == null) || (peer.presharedKey == null); # at most one of the two must be set let psk = if peer.presharedKey != null then pkgs.writeText "wg-psk" peer.presharedKey else peer.presharedKeyFile; in - "${wgCommand} set ${name} peer ${peer.publicKey}" + - optionalString (psk != null) " preshared-key ${psk}" + - optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" + - optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" + - optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}" - ) values.peers) - - "${ipCommand} link set up dev ${name}" - - (optionals (values.allowedIPsAsRoutes != false) (map (peer: - (map (allowedIP: - "${ipCommand} route replace ${allowedIP} dev ${name} table ${values.table}" - ) peer.allowedIPs) - ) values.peers)) - - values.postSetup - ]); - ExecStop = flatten([ - "${ipCommand} link del dev ${name}" - values.postShutdown - ]); - }; + "wg set ${name} peer ${peer.publicKey}" + + optionalString (psk != null) " preshared-key ${psk}" + + optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" + + optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" + + optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}" + ) values.peers} + + ip link set up dev ${name} + + ${optionalString (values.allowedIPsAsRoutes != false) (concatStringsSep "\n" (concatMap (peer: + (map (allowedIP: + "ip route replace ${allowedIP} dev ${name} table ${values.table}" + ) peer.allowedIPs) + ) values.peers))} + + ${values.postSetup} + ''; + + preStop = '' + ip link del dev ${name} + ${values.postShutdown} + ''; }; in diff --git a/nixos/modules/services/networking/zerotierone.nix b/nixos/modules/services/networking/zerotierone.nix index 86e0204ec2f7..cd1617b8e2ba 100644 --- a/nixos/modules/services/networking/zerotierone.nix +++ b/nixos/modules/services/networking/zerotierone.nix @@ -7,6 +7,16 @@ let in { options.services.zerotierone.enable = mkEnableOption "ZeroTierOne"; + + options.services.zerotierone.joinNetworks = mkOption { + default = []; + example = [ "a8a2c3c10c1a68de" ]; + type = types.listOf types.str; + description = '' + List of ZeroTier Network IDs to join on startup + ''; + }; + options.services.zerotierone.package = mkOption { default = pkgs.zerotierone; defaultText = "pkgs.zerotierone"; @@ -22,12 +32,13 @@ in path = [ cfg.package ]; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = - '' - mkdir -p /var/lib/zerotier-one + preStart = '' + mkdir -p /var/lib/zerotier-one/networks.d chmod 700 /var/lib/zerotier-one chown -R root:root /var/lib/zerotier-one - ''; + '' + (concatMapStrings (netId: '' + touch "/var/lib/zerotier-one/networks.d/${netId}.conf" + '') cfg.joinNetworks); serviceConfig = { ExecStart = "${cfg.package}/bin/zerotier-one"; Restart = "always"; @@ -38,6 +49,9 @@ in # ZeroTier does not issue DHCP leases, but some strangers might... networking.dhcpcd.denyInterfaces = [ "zt0" ]; + # ZeroTier receives UDP transmissions on port 9993 by default + networking.firewall.allowedUDPPorts = [ 9993 ]; + environment.systemPackages = [ cfg.package ]; }; } diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix index 4c7f58d1d8bc..c4147986439c 100644 --- a/nixos/modules/services/printing/cupsd.nix +++ b/nixos/modules/services/printing/cupsd.nix @@ -83,6 +83,8 @@ let WebInterface ${if cfg.webInterface then "Yes" else "No"} + LogLevel ${cfg.logLevel} + ${cfg.extraConf} ''; @@ -124,7 +126,7 @@ in listenAddresses = mkOption { type = types.listOf types.str; - default = [ "127.0.0.1:631" ]; + default = [ "localhost:631" ]; example = [ "*:631" ]; description = '' A list of addresses and ports on which to listen. @@ -165,6 +167,15 @@ in ''; }; + logLevel = mkOption { + type = types.str; + default = "info"; + example = "debug"; + description = '' + Specifies the cupsd logging verbosity. + ''; + }; + extraFilesConf = mkOption { type = types.lines; default = ""; @@ -180,7 +191,7 @@ in example = '' BrowsePoll cups.example.com - LogLevel debug + MaxCopies 42 ''; description = '' Extra contents of the configuration file of the CUPS daemon @@ -321,7 +332,10 @@ in ''} ''; - serviceConfig.PrivateTmp = true; + serviceConfig = { + PrivateTmp = true; + RuntimeDirectory = [ "cups" ]; + }; }; systemd.services.cups-browsed = mkIf avahiEnabled @@ -342,8 +356,6 @@ in services.printing.extraConf = '' - LogLevel info - DefaultAuthType Basic <Location /> diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix index adef500b7b5c..d61f588205af 100644 --- a/nixos/modules/services/search/elasticsearch.nix +++ b/nixos/modules/services/search/elasticsearch.nix @@ -32,8 +32,11 @@ let (if es5 then (pkgs.writeTextDir "log4j2.properties" cfg.logging) else (pkgs.writeTextDir "logging.yml" cfg.logging)) ]; - # Elasticsearch 5.x won't start when the scripts directory does not exist - postBuild = if es5 then "${pkgs.coreutils}/bin/mkdir -p $out/scripts" else ""; + postBuild = concatStringsSep "\n" (concatLists [ + # Elasticsearch 5.x won't start when the scripts directory does not exist + (optional es5 "${pkgs.coreutils}/bin/mkdir -p $out/scripts") + (optional es6 "ln -s ${cfg.package}/config/jvm.options $out/jvm.options") + ]); }; esPlugins = pkgs.buildEnv { diff --git a/nixos/modules/services/security/hologram-server.nix b/nixos/modules/services/security/hologram-server.nix index e267fed27955..bad02c7440ba 100644 --- a/nixos/modules/services/security/hologram-server.nix +++ b/nixos/modules/services/security/hologram-server.nix @@ -12,16 +12,20 @@ let dn = cfg.ldapBindDN; password = cfg.ldapBindPassword; }; - insecureldap = cfg.ldapInsecure; - userattr = cfg.ldapUserAttr; - baseDN = cfg.ldapBaseDN; + insecureldap = cfg.ldapInsecure; + userattr = cfg.ldapUserAttr; + baseDN = cfg.ldapBaseDN; + enableldapRoles = cfg.enableLdapRoles; + roleAttr = cfg.roleAttr; + groupClassAttr = cfg.groupClassAttr; }; aws = { account = cfg.awsAccount; defaultrole = cfg.awsDefaultRole; }; - stats = cfg.statsAddress; - listen = cfg.listenAddress; + stats = cfg.statsAddress; + listen = cfg.listenAddress; + cachetimeout = cfg.cacheTimeoutSeconds; }); in { options = { @@ -70,6 +74,24 @@ in { description = "Password of account to use to query the LDAP server"; }; + enableLdapRoles = mkOption { + type = types.bool; + default = false; + description = "Whether to assign user roles based on the user's LDAP group memberships"; + }; + + groupClassAttr = mkOption { + type = types.str; + default = "groupOfNames"; + description = "The objectclass attribute to search for groups when enableLdapRoles is true"; + }; + + roleAttr = mkOption { + type = types.str; + default = "businessCategory"; + description = "Which LDAP group attribute to search for authorized role ARNs"; + }; + awsAccount = mkOption { type = types.str; description = "AWS account number"; @@ -85,6 +107,12 @@ in { default = ""; description = "Address of statsd server"; }; + + cacheTimeoutSeconds = mkOption { + type = types.int; + default = 3600; + description = "How often (in seconds) to refresh the LDAP cache"; + }; }; }; diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index ef48d52e7a94..433d97c2a7d7 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -6,70 +6,81 @@ with lib; let cfg = config.services.oauth2_proxy; - # Use like: - # repeatedArgs (arg: "--arg=${arg}") args - repeatedArgs = concatMapStringsSep " "; - # oauth2_proxy provides many options that are only relevant if you are using # a certain provider. This set maps from provider name to a function that # takes the configuration and returns a string that can be inserted into the # command-line to launch oauth2_proxy. providerSpecificOptions = { - azure = cfg: '' - --azure-tenant=${cfg.azure.tenant} \ - --resource=${cfg.azure.resource} \ - ''; - - github = cfg: '' - ${optionalString (!isNull cfg.github.org) "--github-org=${cfg.github.org}"} \ - ${optionalString (!isNull cfg.github.team) "--github-org=${cfg.github.team}"} \ - ''; - - google = cfg: '' - --google-admin-email=${cfg.google.adminEmail} \ - --google-service-account=${cfg.google.serviceAccountJSON} \ - ${repeatedArgs (group: "--google-group=${group}") cfg.google.groups} \ - ''; + azure = cfg: { + azure.tenant = cfg.azure.tenant; + resource = cfg.azure.resource; + }; + + github = cfg: { github = { + inherit (cfg.github) org team; + }; }; + + google = cfg: { google = with cfg.google; optionalAttrs (groups != []) { + admin-email = adminEmail; + service-account = serviceAccountJSON; + group = groups; + }; }; }; authenticatedEmailsFile = pkgs.writeText "authenticated-emails" cfg.email.addresses; - getProviderOptions = cfg: provider: providerSpecificOptions.${provider} or (_: "") cfg; - - mkCommandLine = cfg: '' - --provider='${cfg.provider}' \ - ${optionalString (!isNull cfg.email.addresses) "--authenticated-emails-file='${authenticatedEmailsFile}'"} \ - --approval-prompt='${cfg.approvalPrompt}' \ - ${optionalString (cfg.passBasicAuth && !isNull cfg.basicAuthPassword) "--basic-auth-password='${cfg.basicAuthPassword}'"} \ - --client-id='${cfg.clientID}' \ - --client-secret='${cfg.clientSecret}' \ - ${optionalString (!isNull cfg.cookie.domain) "--cookie-domain='${cfg.cookie.domain}'"} \ - --cookie-expire='${cfg.cookie.expire}' \ - --cookie-httponly=${boolToString cfg.cookie.httpOnly} \ - --cookie-name='${cfg.cookie.name}' \ - --cookie-secret='${cfg.cookie.secret}' \ - --cookie-secure=${boolToString cfg.cookie.secure} \ - ${optionalString (!isNull cfg.cookie.refresh) "--cookie-refresh='${cfg.cookie.refresh}'"} \ - ${optionalString (!isNull cfg.customTemplatesDir) "--custom-templates-dir='${cfg.customTemplatesDir}'"} \ - ${repeatedArgs (x: "--email-domain='${x}'") cfg.email.domains} \ - --http-address='${cfg.httpAddress}' \ - ${optionalString (!isNull cfg.htpasswd.file) "--htpasswd-file='${cfg.htpasswd.file}' --display-htpasswd-form=${boolToString cfg.htpasswd.displayForm}"} \ - ${optionalString (!isNull cfg.loginURL) "--login-url='${cfg.loginURL}'"} \ - --pass-access-token=${boolToString cfg.passAccessToken} \ - --pass-basic-auth=${boolToString cfg.passBasicAuth} \ - --pass-host-header=${boolToString cfg.passHostHeader} \ - --proxy-prefix='${cfg.proxyPrefix}' \ - ${optionalString (!isNull cfg.profileURL) "--profile-url='${cfg.profileURL}'"} \ - ${optionalString (!isNull cfg.redeemURL) "--redeem-url='${cfg.redeemURL}'"} \ - ${optionalString (!isNull cfg.redirectURL) "--redirect-url='${cfg.redirectURL}'"} \ - --request-logging=${boolToString cfg.requestLogging} \ - ${optionalString (!isNull cfg.scope) "--scope='${cfg.scope}'"} \ - ${repeatedArgs (x: "--skip-auth-regex='${x}'") cfg.skipAuthRegexes} \ - ${optionalString (!isNull cfg.signatureKey) "--signature-key='${cfg.signatureKey}'"} \ - --upstream='${cfg.upstream}' \ - ${optionalString (!isNull cfg.validateURL) "--validate-url='${cfg.validateURL}'"} \ - ${optionalString cfg.tls.enable "--tls-cert='${cfg.tls.certificate}' --tls-key='${cfg.tls.key}' --https-address='${cfg.tls.httpsAddress}'"} \ - '' + getProviderOptions cfg cfg.provider; + getProviderOptions = cfg: provider: providerSpecificOptions.${provider} or (_: {}) cfg; + + allConfig = with cfg; { + inherit (cfg) provider scope upstream; + approval-prompt = approvalPrompt; + basic-auth-password = basicAuthPassword; + client-id = clientID; + client-secret = clientSecret; + custom-templates-dir = customTemplatesDir; + email-domain = email.domains; + http-address = httpAddress; + login-url = loginURL; + pass-access-token = passAccessToken; + pass-basic-auth = passBasicAuth; + pass-host-header = passHostHeader; + proxy-prefix = proxyPrefix; + profile-url = profileURL; + redeem-url = redeemURL; + redirect-url = redirectURL; + request-logging = requestLogging; + skip-auth-regex = skipAuthRegexes; + signature-key = signatureKey; + validate-url = validateURL; + htpasswd-file = htpasswd.file; + cookie = { + inherit (cookie) domain secure expire name secret refresh; + httponly = cookie.httpOnly; + }; + set-xauthrequest = setXauthrequest; + } // lib.optionalAttrs (!isNull cfg.email.addresses) { + authenticated-emails-file = authenticatedEmailsFile; + } // lib.optionalAttrs (cfg.passBasicAuth) { + basic-auth-password = cfg.basicAuthPassword; + } // lib.optionalAttrs (!isNull cfg.htpasswd.file) { + display-htpasswd-file = cfg.htpasswd.displayForm; + } // lib.optionalAttrs tls.enable { + tls-cert = tls.certificate; + tls-key = tls.key; + https-address = tls.httpsAddress; + } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig; + + mapConfig = key: attr: + if (!isNull attr && attr != []) then ( + if (builtins.typeOf attr) == "set" then concatStringsSep " " + (mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else + if (builtins.typeOf attr) == "list" then concatMapStringsSep " " (mapConfig key) attr else + if (builtins.typeOf attr) == "bool" then "--${key}=${boolToString attr}" else + if (builtins.typeOf attr) == "string" then "--${key}='${attr}'" else + "--${key}=${toString attr}") + else ""; + + configString = concatStringsSep " " (mapAttrsToList mapConfig allConfig); in { options.services.oauth2_proxy = { @@ -110,7 +121,7 @@ in }; clientID = mkOption { - type = types.str; + type = types.nullOr types.str; description = '' The OAuth Client ID. ''; @@ -118,7 +129,7 @@ in }; clientSecret = mkOption { - type = types.str; + type = types.nullOr types.str; description = '' The OAuth Client Secret. ''; @@ -272,7 +283,8 @@ in #################################################### # UPSTREAM Configuration upstream = mkOption { - type = types.commas; + type = with types; coercedTo string (x: [x]) (listOf string); + default = []; description = '' The http url(s) of the upstream endpoint or <literal>file://</literal> paths for static files. Routing is based on the path. @@ -365,7 +377,7 @@ in }; secret = mkOption { - type = types.str; + type = types.nullOr types.str; description = '' The seed string for secure cookies. ''; @@ -494,10 +506,43 @@ in ''; }; + setXauthrequest = mkOption { + type = types.nullOr types.bool; + default = false; + description = '' + Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to 'null' means using the upstream default (false). + ''; + }; + + extraConfig = mkOption { + default = {}; + description = '' + Extra config to pass to oauth2_proxy. + ''; + }; + + keyFile = mkOption { + type = types.nullOr types.string; + default = null; + description = '' + oauth2_proxy allows passing sensitive configuration via environment variables. + Make a file that contains lines like + OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com + and specify the path here. + ''; + example = "/run/keys/oauth2_proxy"; + }; + }; config = mkIf cfg.enable { + services.oauth2_proxy = mkIf (!isNull cfg.keyFile) { + clientID = mkDefault null; + clientSecret = mkDefault null; + cookie.secret = mkDefault null; + }; + users.extraUsers.oauth2_proxy = { description = "OAuth2 Proxy"; }; @@ -511,7 +556,8 @@ in serviceConfig = { User = "oauth2_proxy"; Restart = "always"; - ExecStart = "${cfg.package.bin}/bin/oauth2_proxy ${mkCommandLine cfg}"; + ExecStart = "${cfg.package.bin}/bin/oauth2_proxy ${configString}"; + EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile; }; }; diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index fed91756e769..806252f49b8d 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -5,6 +5,7 @@ with lib; let cfg = config.services.tor; torDirectory = "/var/lib/tor"; + torRunDirectory = "/run/tor"; opt = name: value: optionalString (value != null) "${name} ${value}"; optint = name: value: optionalString (value != null && value != 0) "${name} ${toString value}"; @@ -38,6 +39,7 @@ let ''} ${optint "ControlPort" cfg.controlPort} + ${optionalString cfg.controlSocket.enable "ControlSocket ${torRunDirectory}/control GroupWritable RelaxDirModeCheck"} '' # Client connection config + optionalString cfg.client.enable '' @@ -140,6 +142,17 @@ in ''; }; + controlSocket = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Wheter to enable Tor control socket. Control socket is created + in <literal>${torRunDirectory}/control</literal> + ''; + }; + }; + client = { enable = mkOption { type = types.bool; @@ -690,14 +703,10 @@ in after = [ "network.target" ]; restartTriggers = [ torRcFile ]; - # Translated from the upstream contrib/dist/tor.service.in - preStart = '' - install -o tor -g tor -d ${torDirectory}/onion - ${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config - ''; - serviceConfig = { Type = "simple"; + # Translated from the upstream contrib/dist/tor.service.in + ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config"; ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; KillSignal = "SIGINT"; @@ -712,11 +721,13 @@ in # DeviceAllow /dev/urandom r # .. but we can't specify DeviceAllow multiple times. 'closed' # is close enough. + RuntimeDirectory = "tor"; + StateDirectory = [ "tor" "tor/onion" ]; PrivateTmp = "yes"; DevicePolicy = "closed"; InaccessibleDirectories = "/home"; ReadOnlyDirectories = "/"; - ReadWriteDirectories = torDirectory; + ReadWriteDirectories = [torDirectory torRunDirectory]; NoNewPrivileges = "yes"; }; }; diff --git a/nixos/modules/services/security/torify.nix b/nixos/modules/services/security/torify.nix index a29cb3f33dae..08da726437ea 100644 --- a/nixos/modules/services/security/torify.nix +++ b/nixos/modules/services/security/torify.nix @@ -7,7 +7,7 @@ let torify = pkgs.writeTextFile { name = "tsocks"; text = '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.tsocks.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@" ''; executable = true; diff --git a/nixos/modules/services/security/torsocks.nix b/nixos/modules/services/security/torsocks.nix index 1b5a05b21e77..c60c745443bc 100644 --- a/nixos/modules/services/security/torsocks.nix +++ b/nixos/modules/services/security/torsocks.nix @@ -23,7 +23,7 @@ let wrapTorsocks = name: server: pkgs.writeTextFile { name = name; text = '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} ${pkgs.torsocks}/bin/torsocks "$@" ''; executable = true; diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix index ec1e97f4125e..bff22cd13594 100644 --- a/nixos/modules/services/torrent/deluge.nix +++ b/nixos/modules/services/torrent/deluge.nix @@ -11,10 +11,7 @@ in { options = { services = { deluge = { - enable = mkOption { - default = false; - description = "Start the Deluge daemon"; - }; + enable = mkEnableOption "Deluge daemon"; openFilesLimit = mkOption { default = openFilesLimit; @@ -25,14 +22,7 @@ in { }; }; - deluge.web = { - enable = mkOption { - default = false; - description = '' - Start Deluge Web daemon. - ''; - }; - }; + deluge.web.enable = mkEnableOption "Deluge Web daemon"; }; }; diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index dd6b585b7e23..3564afd77f41 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -21,6 +21,19 @@ let # for users in group "transmission" to have access to torrents fullSettings = { umask = 2; download-dir = downloadDir; incomplete-dir = incompleteDir; } // cfg.settings; + + # Directories transmission expects to exist and be ug+rwx. + directoriesToManage = [ homeDir settingsDir fullSettings.download-dir fullSettings.incomplete-dir ]; + + preStart = pkgs.writeScript "transmission-pre-start" '' + #!${pkgs.runtimeShell} + set -ex + for DIR in ${escapeShellArgs directoriesToManage}; do + mkdir -p "$DIR" + chmod 770 "$DIR" + done + cp -f ${settingsFile} ${settingsDir}/settings.json + ''; in { options = { @@ -59,8 +72,8 @@ in time the service starts). String values must be quoted, integer and boolean values must not. - See https://trac.transmissionbt.com/wiki/EditConfigFiles for - documentation. + See https://github.com/transmission/transmission/wiki/Editing-Configuration-Files + for documentation. ''; }; @@ -89,9 +102,7 @@ in # 1) Only the "transmission" user and group have access to torrents. # 2) Optionally update/force specific fields into the configuration file. - serviceConfig.ExecStartPre = '' - ${pkgs.stdenv.shell} -c "mkdir -p ${homeDir} ${settingsDir} ${fullSettings.download-dir} ${fullSettings.incomplete-dir} && chmod 770 ${homeDir} ${settingsDir} ${fullSettings.download-dir} ${fullSettings.incomplete-dir} && rm -f ${settingsDir}/settings.json && cp -f ${settingsFile} ${settingsDir}/settings.json" - ''; + serviceConfig.ExecStartPre = preStart; serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port}"; serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; serviceConfig.User = "transmission"; @@ -136,6 +147,7 @@ in ${getLib pkgs.libcap}/lib/libcap*.so* mr, ${getLib pkgs.attr}/lib/libattr*.so* mr, ${getLib pkgs.lz4}/lib/liblz4*.so* mr, + ${getLib pkgs.libkrb5}/lib/lib*.so* mr, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/vm/overcommit_memory r, diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index 81ee8154326c..13c5951524d9 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -155,7 +155,7 @@ in requires = [ "postgresql.service" ]; after = [ "postgresql.service" ]; - path = [ cfg.jrePackage ]; + path = [ cfg.jrePackage pkgs.bash ]; environment = { JIRA_USER = cfg.user; diff --git a/nixos/modules/services/web-apps/nixbot.nix b/nixos/modules/services/web-apps/nixbot.nix deleted file mode 100644 index 0592d01bf369..000000000000 --- a/nixos/modules/services/web-apps/nixbot.nix +++ /dev/null @@ -1,149 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.nixbot; - pyramidIni = '' - ### - # app configuration - # http://docs.pylonsproject.org/projects/pyramid/en/1.7-branch/narr/environment.html - ### - - [app:main] - use = egg:nixbot - - nixbot.github_token = ${cfg.githubToken} - nixbot.bot_name = ${cfg.botName} - nixbot.repo = ${cfg.repo} - nixbot.pr_repo = ${cfg.prRepo} - nixbot.hydra_jobsets_repo = ${cfg.hydraJobsetsRepo} - nixbot.github_secret = justnotsorandom - nixbot.public_url = ${cfg.publicUrl} - nixbot.repo_dir = ${cfg.repoDir} - - pyramid.reload_templates = false - pyramid.debug_authorization = false - pyramid.debug_notfound = false - pyramid.debug_routematch = false - pyramid.default_locale_name = en - - # By default, the toolbar only appears for clients from IP addresses - # '127.0.0.1' and '::1'. - # debugtoolbar.hosts = 127.0.0.1 ::1 - - ### - # wsgi server configuration - ### - - [server:main] - use = egg:waitress#main - host = 0.0.0.0 - port = 6543 - - ### - # logging configuration - # http://docs.pylonsproject.org/projects/pyramid/en/1.7-branch/narr/logging.html - ### - - [loggers] - keys = root, nixbot - - [handlers] - keys = console - - [formatters] - keys = generic - - [logger_root] - level = INFO - handlers = console - - [logger_nixbot] - level = INFO - handlers = - qualname = nixbot - - [handler_console] - class = StreamHandler - args = (sys.stderr,) - level = NOTSET - formatter = generic - - [formatter_generic] - format = %(asctime)s %(levelname)-5.5s [%(name)s:%(lineno)s][%(threadName)s] %(message)s - ''; -in { - options = { - services.nixbot = { - enable = mkEnableOption "nixbot"; - - botName = mkOption { - type = types.str; - description = "The bot's github user account name."; - default = "nixbot"; - }; - - githubToken = mkOption { - type = types.str; - description = "The bot's github user account token."; - example = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; - }; - - repo = mkOption { - type = types.str; - description = "The github repository to check for PRs."; - example = "nixos/nixpkgs"; - }; - - prRepo = mkOption { - type = types.str; - description = "The github repository to push the testing branches to."; - example = "nixos/nixpkgs-pr"; - }; - - hydraJobsetsRepo = mkOption { - type = types.str; - description = "The github repository to push the hydra jobset definitions to."; - example = "nixos/hydra-jobsets"; - }; - - publicUrl = mkOption { - type = types.str; - description = "The public URL the bot is reachable at (Github hook endpoint)."; - example = "https://nixbot.nixos.org"; - }; - - repoDir = mkOption { - type = types.path; - description = "The directory the repositories are stored in."; - default = "/var/lib/nixbot"; - }; - }; - }; - - config = mkIf cfg.enable { - users.extraUsers.nixbot = { - createHome = true; - home = cfg.repoDir; - }; - - systemd.services.nixbot = let - env = pkgs.python3.buildEnv.override { - extraLibs = [ pkgs.nixbot ]; - }; - in { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - script = '' - ${env}/bin/pserve ${pkgs.writeText "production.ini" pyramidIni} - ''; - - serviceConfig = { - User = "nixbot"; - Group = "nogroup"; - PermissionsStartOnly = true; - }; - }; - }; -} diff --git a/nixos/modules/services/web-apps/pump.io-configure.js b/nixos/modules/services/web-apps/pump.io-configure.js deleted file mode 100644 index 1fbf346a34c4..000000000000 --- a/nixos/modules/services/web-apps/pump.io-configure.js +++ /dev/null @@ -1,23 +0,0 @@ -var fs = require('fs'); - -var opts = JSON.parse(fs.readFileSync("/dev/stdin").toString()); -var config = opts.config; - -var readSecret = function(filename) { - return fs.readFileSync(filename).toString().trim(); -}; - -if (opts.secretFile) { - config.secret = readSecret(opts.secretFile); -} -if (opts.dbPasswordFile) { - config.params.dbpass = readSecret(opts.dbPasswordFile); -} -if (opts.smtpPasswordFile) { - config.smtppass = readSecret(opts.smtpPasswordFile); -} -if (opts.spamClientSecretFile) { - config.spamclientsecret = readSecret(opts.opts.spamClientSecretFile); -} - -fs.writeFileSync(opts.outputFile, JSON.stringify(config)); diff --git a/nixos/modules/services/web-apps/pump.io.nix b/nixos/modules/services/web-apps/pump.io.nix deleted file mode 100644 index 27ae68516367..000000000000 --- a/nixos/modules/services/web-apps/pump.io.nix +++ /dev/null @@ -1,438 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.pumpio; - dataDir = "/var/lib/pump.io"; - runDir = "/run/pump.io"; - user = "pumpio"; - - optionalSet = condition: value: if condition then value else {}; - - configScript = ./pump.io-configure.js; - configOptions = { - outputFile = "${runDir}/config.json"; - config = - (optionalSet (cfg.driver != "disk") { - driver = cfg.driver; - }) // - { - params = (optionalSet (cfg.driver == "disk") { dir = dataDir; }) // - (optionalSet (cfg.driver == "mongodb" || cfg.driver == "redis") { - host = cfg.dbHost; - port = cfg.dbPort; - dbname = cfg.dbName; - dbuser = cfg.dbUser; - dbpass = cfg.dbPassword; - }) // - (optionalSet (cfg.driver == "memcached") { - host = cfg.dbHost; - port = cfg.dbPort; - }) // cfg.driverParams; - secret = cfg.secret; - - address = cfg.address; - port = cfg.port; - - noweb = false; - urlPort = cfg.urlPort; - hostname = cfg.hostname; - favicon = cfg.favicon; - - site = cfg.site; - owner = cfg.owner; - ownerURL = cfg.ownerURL; - - key = cfg.sslKey; - cert = cfg.sslCert; - bounce = false; - - spamhost = cfg.spamHost; - spamclientid = cfg.spamClientId; - spamclientsecret = cfg.spamClientSecret; - - requireEmail = cfg.requireEmail; - smtpserver = cfg.smtpHost; - smtpport = cfg.smtpPort; - smtpuser = cfg.smtpUser; - smtppass = cfg.smtpPassword; - smtpusessl = cfg.smtpUseSSL; - smtpfrom = cfg.smtpFrom; - - nologger = false; - enableUploads = cfg.enableUploads; - datadir = dataDir; - debugClient = false; - firehose = cfg.firehose; - disableRegistration = cfg.disableRegistration; - - inherit (cfg) secretFile dbPasswordFile smtpPasswordFile spamClientSecretFile; - } // - (optionalSet (cfg.port < 1024) { - serverUser = user; # have pump.io listen then drop privileges - }) // cfg.extraConfig; -}; in { - options = { - - services.pumpio = { - - enable = mkEnableOption "Pump.io social streams server"; - - secret = mkOption { - type = types.nullOr types.str; - default = null; - example = "my dog has fleas"; - description = '' - A session-generating secret, server-wide password. Warning: - this is stored in cleartext in the Nix store! - ''; - }; - - secretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-secret"; - description = '' - A file containing the session-generating secret, - server-wide password. - ''; - }; - - site = mkOption { - type = types.str; - example = "Awesome Sauce"; - description = "Name of the server"; - }; - - owner = mkOption { - type = types.str; - default = ""; - example = "Awesome Inc."; - description = "Name of owning entity, if you want to link to it."; - }; - - ownerURL = mkOption { - type = types.str; - default = ""; - example = "https://pump.io"; - description = "URL of owning entity, if you want to link to it."; - }; - - address = mkOption { - type = types.str; - default = "localhost"; - description = '' - Web server listen address. - ''; - }; - - port = mkOption { - type = types.int; - default = 31337; - description = '' - Port to listen on. Defaults to 31337, which is suitable for - running behind a reverse proxy. For a standalone server, - use 443. - ''; - }; - - hostname = mkOption { - type = types.nullOr types.str; - default = "localhost"; - description = '' - The hostname of the server, used for generating - URLs. Defaults to "localhost" which doesn't do much for you. - ''; - }; - - urlPort = mkOption { - type = types.int; - default = 443; - description = '' - Port to use for generating URLs. This basically has to be - either 80 or 443 because the host-meta and Webfinger - protocols don't make any provision for HTTP/HTTPS servers - running on other ports. - ''; - }; - - favicon = mkOption { - type = types.nullOr types.path; - default = null; - description = '' - Local filesystem path to the favicon.ico file to use. This - will be served as "/favicon.ico" by the server. - ''; - }; - - enableUploads = mkOption { - type = types.bool; - default = true; - description = '' - If you want to disable file uploads, set this to false. Uploaded files will be stored - in ${dataDir}/uploads. - ''; - }; - - sslKey = mkOption { - type = types.path; - example = "${dataDir}/myserver.key"; - default = ""; - description = '' - The path to the server certificate private key. The - certificate is required, but it can be self-signed. - ''; - }; - - sslCert = mkOption { - type = types.path; - example = "${dataDir}/myserver.crt"; - default = ""; - description = '' - The path to the server certificate. The certificate is - required, but it can be self-signed. - ''; - }; - - firehose = mkOption { - type = types.str; - default = "ofirehose.com"; - description = '' - Firehose host running the ofirehose software. Defaults to - "ofirehose.com". Public notices will be ping this firehose - server and from there go out to search engines and the - world. If you want to disconnect from the public web, set - this to something falsy. - ''; - }; - - disableRegistration = mkOption { - type = types.bool; - default = false; - description = '' - Disables registering new users on the site through the Web - or the API. - ''; - }; - - requireEmail = mkOption { - type = types.bool; - default = false; - description = "Require an e-mail address to register."; - }; - - extraConfig = mkOption { - default = { }; - description = '' - Extra configuration options which are serialized to json and added - to the pump.io.json config file. - ''; - }; - - driver = mkOption { - type = types.enum [ "mongodb" "disk" "lrucache" "memcached" "redis" ]; - default = "mongodb"; - description = "Type of database. Corresponds to a nodejs databank driver."; - }; - - driverParams = mkOption { - default = { }; - description = "Extra parameters for the driver."; - }; - - dbHost = mkOption { - type = types.str; - default = "localhost"; - description = "The database host to connect to."; - }; - - dbPort = mkOption { - type = types.int; - default = 27017; - description = "The port that the database is listening on."; - }; - - dbName = mkOption { - type = types.str; - default = "pumpio"; - description = "The name of the database to use."; - }; - - dbUser = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The username. Defaults to null, meaning no authentication. - ''; - }; - - dbPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The password corresponding to dbUser. Warning: this is - stored in cleartext in the Nix store! - ''; - }; - - dbPasswordFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-dbpassword"; - description = '' - A file containing the password corresponding to dbUser. - ''; - }; - - smtpHost = mkOption { - type = types.nullOr types.str; - default = null; - example = "localhost"; - description = '' - Server to use for sending transactional email. If it's not - set up, no email is sent and features like password recovery - and email notification won't work. - ''; - }; - - smtpPort = mkOption { - type = types.int; - default = 25; - description = '' - Port to connect to on SMTP server. - ''; - }; - - smtpUser = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Username to use to connect to SMTP server. Might not be - necessary for some servers. - ''; - }; - - smtpPassword = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Password to use to connect to SMTP server. Might not be - necessary for some servers. Warning: this is stored in - cleartext in the Nix store! - ''; - }; - - smtpPasswordFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-smtppassword"; - description = '' - A file containing the password used to connect to SMTP - server. Might not be necessary for some servers. - ''; - }; - - - smtpUseSSL = mkOption { - type = types.bool; - default = false; - description = '' - Only use SSL with the SMTP server. By default, a SSL - connection is negotiated using TLS. You may need to change - the smtpPort value if you set this. - ''; - }; - - smtpFrom = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Email address to use in the "From:" header of outgoing - notifications. Defaults to 'no-reply@' plus the site - hostname. - ''; - }; - - spamHost = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Host running activityspam software to use to test updates - for spam. - ''; - }; - spamClientId = mkOption { - type = types.nullOr types.str; - default = null; - description = "OAuth pair for spam server."; - }; - spamClientSecret = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - OAuth pair for spam server. Warning: this is - stored in cleartext in the Nix store! - ''; - }; - spamClientSecretFile = mkOption { - type = types.nullOr types.path; - default = null; - example = "/run/keys/pump.io-spamclientsecret"; - description = '' - A file containing the OAuth key for the spam server. - ''; - }; - }; - - }; - - config = mkIf cfg.enable { - warnings = let warn = k: optional (cfg.${k} != null) - "config.services.pumpio.${k} is insecure. Use ${k}File instead."; - in concatMap warn [ "secret" "dbPassword" "smtpPassword" "spamClientSecret" ]; - - assertions = [ - { assertion = !(isNull cfg.secret && isNull cfg.secretFile); - message = "pump.io needs a secretFile configured"; - } - ]; - - systemd.services."pump.io" = - { description = "Pump.io - stream server that does most of what people really want from a social network"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - mkdir -p ${dataDir}/uploads - mkdir -p ${runDir} - chown pumpio:pumpio ${dataDir}/uploads ${runDir} - chmod 770 ${dataDir}/uploads ${runDir} - - ${pkgs.nodejs}/bin/node ${configScript} <<EOF - ${builtins.toJSON configOptions} - EOF - - chgrp pumpio ${configOptions.outputFile} - chmod 640 ${configOptions.outputFile} - ''; - - serviceConfig = { - ExecStart = "${pkgs.pumpio}/bin/pump -c ${configOptions.outputFile}"; - PermissionsStartOnly = true; - User = if cfg.port < 1024 then "root" else user; - Group = user; - }; - environment = { NODE_ENV = "production"; }; - }; - - users.extraGroups.pumpio.gid = config.ids.gids.pumpio; - users.extraUsers.pumpio = { - group = "pumpio"; - uid = config.ids.uids.pumpio; - description = "Pump.io user"; - home = dataDir; - createHome = true; - }; - }; -} diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix index c784f4756d19..610c6463a5eb 100644 --- a/nixos/modules/services/web-apps/tt-rss.nix +++ b/nixos/modules/services/web-apps/tt-rss.nix @@ -466,10 +466,10 @@ let ''; }; - services.nginx = { + # NOTE: No configuration is done if not using virtual host + services.nginx = mkIf (cfg.virtualHost != null) { enable = true; - # NOTE: No configuration is done if not using virtual host - virtualHosts = mkIf (cfg.virtualHost != null) { + virtualHosts = { "${cfg.virtualHost}" = { root = "${cfg.root}"; @@ -505,7 +505,7 @@ let ${cfg.database.name}'' else if cfg.database.type == "mysql" then '' - echo '${e}' | ${pkgs.mysql}/bin/mysql \ + echo '${e}' | ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${config.services.mysql.package}/bin/mysql \ -u ${cfg.database.user} \ ${optionalString (cfg.database.password != null) "-p${cfg.database.password}"} \ ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} -P ${toString dbPort}"} \ diff --git a/nixos/modules/services/web-apps/youtrack.nix b/nixos/modules/services/web-apps/youtrack.nix new file mode 100644 index 000000000000..e057e3025629 --- /dev/null +++ b/nixos/modules/services/web-apps/youtrack.nix @@ -0,0 +1,177 @@ +{ config, lib, pkgs, options, ... }: + +with lib; + +let + cfg = config.services.youtrack; + + extraAttr = concatStringsSep " " (mapAttrsToList (k: v: "-D${k}=${v}") (stdParams // cfg.extraParams)); + mergeAttrList = lib.foldl' lib.mergeAttrs {}; + + stdParams = mergeAttrList [ + (optionalAttrs (cfg.baseUrl != null) { + "jetbrains.youtrack.baseUrl" = cfg.baseUrl; + }) + { + "java.aws.headless" = "true"; + "jetbrains.youtrack.disableBrowser" = "true"; + } + ]; +in +{ + options.services.youtrack = { + + enable = mkEnableOption "YouTrack service"; + + address = mkOption { + description = '' + The interface youtrack will listen on. + ''; + default = "127.0.0.1"; + type = types.string; + }; + + baseUrl = mkOption { + description = '' + Base URL for youtrack. Will be auto-detected and stored in database. + ''; + type = types.nullOr types.string; + default = null; + }; + + extraParams = mkOption { + default = {}; + description = '' + Extra parameters to pass to youtrack. See + https://www.jetbrains.com/help/youtrack/standalone/YouTrack-Java-Start-Parameters.html + for more information. + ''; + example = { + "jetbrains.youtrack.overrideRootPassword" = "tortuga"; + }; + type = types.attrsOf types.string; + }; + + package = mkOption { + description = '' + Package to use. + ''; + type = types.package; + default = pkgs.youtrack; + defaultText = "pkgs.youtrack"; + }; + + port = mkOption { + description = '' + The port youtrack will listen on. + ''; + default = 8080; + type = types.int; + }; + + statePath = mkOption { + description = '' + Where to keep the youtrack database. + ''; + type = types.string; + default = "/var/lib/youtrack"; + }; + + virtualHost = mkOption { + description = '' + Name of the nginx virtual host to use and setup. + If null, do not setup anything. + ''; + default = null; + type = types.nullOr types.string; + }; + + jvmOpts = mkOption { + description = '' + Extra options to pass to the JVM. + See https://www.jetbrains.com/help/youtrack/standalone/Configure-JVM-Options.html + for more information. + ''; + type = types.string; + example = "-XX:MetaspaceSize=250m"; + default = ""; + }; + + maxMemory = mkOption { + description = '' + Maximum Java heap size + ''; + type = types.string; + default = "1g"; + }; + + maxMetaspaceSize = mkOption { + description = '' + Maximum java Metaspace memory. + ''; + type = types.string; + default = "350m"; + }; + }; + + config = mkIf cfg.enable { + + systemd.services.youtrack = { + environment.HOME = cfg.statePath; + environment.YOUTRACK_JVM_OPTS = "-Xmx${cfg.maxMemory} -XX:MaxMetaspaceSize=${cfg.maxMetaspaceSize} ${cfg.jvmOpts} ${extraAttr}"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + User = "youtrack"; + Group = "youtrack"; + ExecStart = ''${cfg.package}/bin/youtrack ${cfg.address}:${toString cfg.port}''; + }; + }; + + users.users.youtrack = { + description = "Youtrack service user"; + isSystemUser = true; + home = cfg.statePath; + createHome = true; + group = "youtrack"; + }; + + users.groups.youtrack = {}; + + services.nginx = mkIf (cfg.virtualHost != null) { + upstreams.youtrack.servers."${cfg.address}:${toString cfg.port}" = {}; + virtualHosts.${cfg.virtualHost}.locations = { + "/" = { + proxyPass = "http://youtrack"; + extraConfig = '' + client_max_body_size 10m; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + + "/api/eventSourceBus" = { + proxyPass = "http://youtrack"; + extraConfig = '' + proxy_cache off; + proxy_buffering off; + proxy_read_timeout 86400s; + proxy_send_timeout 86400s; + proxy_set_header Connection ""; + chunked_transfer_encoding off; + client_max_body_size 10m; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + + }; + }; + + }; +} diff --git a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix index cfddab2f5047..82b8bf3e30db 100644 --- a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix +++ b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix @@ -346,7 +346,7 @@ let postgresql = serverInfo.fullConfig.services.postgresql.package; setupDb = pkgs.writeScript "setup-owncloud-db" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} PATH="${postgresql}/bin" createuser --no-superuser --no-createdb --no-createrole "${config.dbUser}" || true createdb "${config.dbName}" -O "${config.dbUser}" || true diff --git a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix index 1d53ce659005..4bbd041b6e04 100644 --- a/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix +++ b/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix @@ -118,7 +118,7 @@ with lib; default = []; example = [ { urlPath = "/foo/bar.png"; - files = "/home/eelco/some-file.png"; + file = "/home/eelco/some-file.png"; } ]; description = '' diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix index d8efa24bc6d5..2124a42f01a1 100644 --- a/nixos/modules/services/web-servers/caddy.nix +++ b/nixos/modules/services/web-servers/caddy.nix @@ -25,8 +25,8 @@ in { }; ca = mkOption { - default = "https://acme-v01.api.letsencrypt.org/directory"; - example = "https://acme-staging.api.letsencrypt.org/directory"; + default = "https://acme-v02.api.letsencrypt.org/directory"; + example = "https://acme-staging-v02.api.letsencrypt.org/directory"; type = types.string; description = "Certificate authority ACME server. The default (Let's Encrypt production server) should be fine for most people."; }; diff --git a/nixos/modules/services/web-servers/hitch/default.nix b/nixos/modules/services/web-servers/hitch/default.nix new file mode 100644 index 000000000000..895d02827f71 --- /dev/null +++ b/nixos/modules/services/web-servers/hitch/default.nix @@ -0,0 +1,108 @@ +{ config, lib, pkgs, ...}: +let + cfg = config.services.hitch; + ocspDir = lib.optionalString cfg.ocsp-stapling.enabled "/var/cache/hitch/ocsp"; + hitchConfig = with lib; pkgs.writeText "hitch.conf" (concatStringsSep "\n" [ + ("backend = \"${cfg.backend}\"") + (concatMapStrings (s: "frontend = \"${s}\"\n") cfg.frontend) + (concatMapStrings (s: "pem-file = \"${s}\"\n") cfg.pem-files) + ("ciphers = \"${cfg.ciphers}\"") + ("ocsp-dir = \"${ocspDir}\"") + "user = \"${cfg.user}\"" + "group = \"${cfg.group}\"" + cfg.extraConfig + ]); +in +with lib; +{ + options = { + services.hitch = { + enable = mkEnableOption "Hitch Server"; + + backend = mkOption { + type = types.str; + description = '' + The host and port Hitch connects to when receiving + a connection in the form [HOST]:PORT + ''; + }; + + ciphers = mkOption { + type = types.str; + default = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + description = "The list of ciphers to use"; + }; + + frontend = mkOption { + type = types.either types.str (types.listOf types.str); + default = "[127.0.0.1]:443"; + description = '' + The port and interface of the listen endpoint in the ++ form [HOST]:PORT[+CERT]. + ''; + apply = toList; + }; + + pem-files = mkOption { + type = types.listOf types.path; + default = []; + description = "PEM files to use"; + }; + + ocsp-stapling = { + enabled = mkOption { + type = types.bool; + default = true; + description = "Whether to enable OCSP Stapling"; + }; + }; + + user = mkOption { + type = types.str; + default = "hitch"; + description = "The user to run as"; + }; + + group = mkOption { + type = types.str; + default = "hitch"; + description = "The group to run as"; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = "Additional configuration lines"; + }; + }; + + }; + + config = mkIf cfg.enable { + + systemd.services.hitch = { + description = "Hitch"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + preStart = '' + ${pkgs.hitch}/sbin/hitch -t --config ${hitchConfig} + '' + (optionalString cfg.ocsp-stapling.enabled '' + mkdir -p ${ocspDir} + chown -R hitch:hitch ${ocspDir} + ''); + serviceConfig = { + Type = "forking"; + ExecStart = "${pkgs.hitch}/sbin/hitch --daemon --config ${hitchConfig}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "5s"; + LimitNOFILE = 131072; + }; + }; + + environment.systemPackages = [ pkgs.hitch ]; + + users.extraUsers.hitch.group = "hitch"; + users.extraGroups.hitch = {}; + }; +} diff --git a/nixos/modules/services/web-servers/lighttpd/gitweb.nix b/nixos/modules/services/web-servers/lighttpd/gitweb.nix index c8d9836b0b68..c494d6966a7f 100644 --- a/nixos/modules/services/web-servers/lighttpd/gitweb.nix +++ b/nixos/modules/services/web-servers/lighttpd/gitweb.nix @@ -3,12 +3,10 @@ with lib; let - cfg = config.services.lighttpd.gitweb; - gitwebConfigFile = pkgs.writeText "gitweb.conf" '' - # path to git projects (<project>.git) - $projectroot = "${cfg.projectroot}"; - ${cfg.extraConfig} - ''; + cfg = config.services.gitweb; + package = pkgs.gitweb.override (optionalAttrs cfg.gitwebTheme { + gitwebTheme = true; + }); in { @@ -23,26 +21,9 @@ in ''; }; - projectroot = mkOption { - default = "/srv/git"; - type = types.path; - description = '' - Path to git projects (bare repositories) that should be served by - gitweb. Must not end with a slash. - ''; - }; - - extraConfig = mkOption { - default = ""; - type = types.lines; - description = '' - Verbatim configuration text appended to the generated gitweb.conf file. - ''; - }; - }; - config = mkIf cfg.enable { + config = mkIf config.services.lighttpd.gitweb.enable { # declare module dependencies services.lighttpd.enableModules = [ "mod_cgi" "mod_redirect" "mod_alias" "mod_setenv" ]; @@ -56,11 +37,11 @@ in "^/gitweb$" => "/gitweb/" ) alias.url = ( - "/gitweb/static/" => "${pkgs.git}/share/gitweb/static/", - "/gitweb/" => "${pkgs.git}/share/gitweb/gitweb.cgi" + "/gitweb/static/" => "${package}/static/", + "/gitweb/" => "${package}/gitweb.cgi" ) setenv.add-environment = ( - "GITWEB_CONFIG" => "${gitwebConfigFile}", + "GITWEB_CONFIG" => "${cfg.gitwebConfigFile}", "HOME" => "${cfg.projectroot}" ) } diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index dee877f1c114..815c3147e647 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -9,15 +9,16 @@ let serverName = if vhostConfig.serverName != null then vhostConfig.serverName else vhostName; + acmeDirectory = config.security.acme.directory; in vhostConfig // { inherit serverName; } // (optionalAttrs vhostConfig.enableACME { - sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${serverName}/key.pem"; + sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem"; + sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem"; }) // (optionalAttrs (vhostConfig.useACMEHost != null) { - sslCertificate = "/var/lib/acme/${vhostConfig.useACMEHost}/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/${vhostConfig.useACMEHost}/key.pem"; + sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem"; + sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem"; }) ) cfg.virtualHosts; enableIPv6 = config.networking.enableIPv6; @@ -217,7 +218,10 @@ let ssl_certificate_key ${vhost.sslCertificateKey}; ''} - ${optionalString (vhost.basicAuth != {}) (mkBasicAuth vhostName vhost.basicAuth)} + ${optionalString (vhost.basicAuthFile != null || vhost.basicAuth != {}) '' + auth_basic secured; + auth_basic_user_file ${if vhost.basicAuthFile != null then vhost.basicAuthFile else mkHtpasswd vhostName vhost.basicAuth}; + ''} ${mkLocations vhost.locations} @@ -247,16 +251,11 @@ let ${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"} } '') locations); - mkBasicAuth = vhostName: authDef: let - htpasswdFile = pkgs.writeText "${vhostName}.htpasswd" ( - concatStringsSep "\n" (mapAttrsToList (user: password: '' - ${user}:{PLAIN}${password} - '') authDef) - ); - in '' - auth_basic secured; - auth_basic_user_file ${htpasswdFile}; - ''; + mkHtpasswd = vhostName: authDef: pkgs.writeText "${vhostName}.htpasswd" ( + concatStringsSep "\n" (mapAttrsToList (user: password: '' + ${user}:{PLAIN}${password} + '') authDef) + ); in { diff --git a/nixos/modules/services/web-servers/nginx/gitweb.nix b/nixos/modules/services/web-servers/nginx/gitweb.nix new file mode 100644 index 000000000000..272fd1480185 --- /dev/null +++ b/nixos/modules/services/web-servers/nginx/gitweb.nix @@ -0,0 +1,61 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.gitweb; + package = pkgs.gitweb.override (optionalAttrs cfg.gitwebTheme { + gitwebTheme = true; + }); + +in +{ + + options.services.nginx.gitweb = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + If true, enable gitweb in nginx. Access it at http://yourserver/gitweb + ''; + }; + + }; + + config = mkIf config.services.nginx.gitweb.enable { + + systemd.services.gitweb = { + description = "GitWeb service"; + script = "${package}/gitweb.cgi --fastcgi --nproc=1"; + environment = { + FCGI_SOCKET_PATH = "/run/gitweb/gitweb.sock"; + }; + serviceConfig = { + User = "nginx"; + Group = "nginx"; + RuntimeDirectory = [ "gitweb" ]; + }; + wantedBy = [ "multi-user.target" ]; + }; + + services.nginx = { + virtualHosts.default = { + locations."/gitweb/static/" = { + alias = "${package}/static/"; + }; + locations."/gitweb/" = { + extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param GITWEB_CONFIG ${cfg.gitwebConfigFile}; + fastcgi_pass unix:/run/gitweb/gitweb.sock; + ''; + }; + }; + }; + + }; + + meta.maintainers = with maintainers; [ gnidorah ]; + +} diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index bf18108a1a3c..f014d817e80e 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -193,6 +193,14 @@ with lib; ''; }; + basicAuthFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Basic Auth password file for a vhost. + ''; + }; + locations = mkOption { type = types.attrsOf (types.submodule (import ./location-options.nix { inherit lib; diff --git a/nixos/modules/services/web-servers/tomcat.nix b/nixos/modules/services/web-servers/tomcat.nix index 0b2e5c0b69d9..aa94e0e976c9 100644 --- a/nixos/modules/services/web-servers/tomcat.nix +++ b/nixos/modules/services/web-servers/tomcat.nix @@ -19,11 +19,7 @@ in options = { services.tomcat = { - - enable = mkOption { - default = false; - description = "Whether to enable Apache Tomcat"; - }; + enable = mkEnableOption "Apache Tomcat"; package = mkOption { type = types.package; @@ -36,10 +32,30 @@ in }; baseDir = mkOption { + type = lib.types.path; default = "/var/tomcat"; description = "Location where Tomcat stores configuration files, webapplications and logfiles"; }; + logDirs = mkOption { + default = []; + type = types.listOf types.path; + description = "Directories to create in baseDir/logs/"; + }; + + extraConfigFiles = mkOption { + default = []; + type = types.listOf types.path; + description = "Extra configuration files to pull into the tomcat conf directory"; + }; + + extraEnvironment = mkOption { + type = types.listOf types.str; + default = []; + example = [ "ENVIRONMENT=production" ]; + description = "Environment Variables to pass to the tomcat service"; + }; + extraGroups = mkOption { default = []; example = [ "users" ]; @@ -47,31 +63,46 @@ in }; user = mkOption { + type = types.str; default = "tomcat"; description = "User account under which Apache Tomcat runs."; }; group = mkOption { + type = types.str; default = "tomcat"; description = "Group account under which Apache Tomcat runs."; }; javaOpts = mkOption { + type = types.either (types.listOf types.str) types.str; default = ""; description = "Parameters to pass to the Java Virtual Machine which spawns Apache Tomcat"; }; catalinaOpts = mkOption { + type = types.either (types.listOf types.str) types.str; default = ""; description = "Parameters to pass to the Java Virtual Machine which spawns the Catalina servlet container"; }; sharedLibs = mkOption { + type = types.listOf types.str; default = []; description = "List containing JAR files or directories with JAR files which are libraries shared by the web applications"; }; + serverXml = mkOption { + type = types.lines; + default = ""; + description = " + Verbatim server.xml configuration. + This is mutually exclusive with the virtualHosts options. + "; + }; + commonLibs = mkOption { + type = types.listOf types.str; default = []; description = "List containing JAR files or directories with JAR files which are libraries shared by the web applications and the servlet container"; }; @@ -84,11 +115,21 @@ in }; virtualHosts = mkOption { + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = types.listOf types.str; + description = "name of the virtualhost"; + default = []; + }; + }; + }); default = []; description = "List consisting of a virtual host name and a list of web applications to deploy on each virtual host"; }; logPerVirtualHost = mkOption { + type = types.bool; default = false; description = "Whether to enable logging per virtual host."; }; @@ -104,11 +145,13 @@ in enable = mkOption { default = false; + type = types.bool; description = "Whether to enable an Apache Axis2 container"; }; services = mkOption { default = []; + type = types.listOf types.str; description = "List containing AAR files or directories with AAR files which are web services to be deployed on Axis2"; }; @@ -140,130 +183,104 @@ in description = "Apache Tomcat server"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; preStart = '' # Create the base directory - mkdir -p ${cfg.baseDir} + mkdir -p \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} + chown ${cfg.user}:${cfg.group} \ + ${cfg.baseDir}/{conf,virtualhosts,logs,temp,lib,shared/lib,webapps,work} # Create a symlink to the bin directory of the tomcat component ln -sfn ${tomcat}/bin ${cfg.baseDir}/bin - # Create a conf/ directory - mkdir -p ${cfg.baseDir}/conf - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/conf - # Symlink the config files in the conf/ directory (except for catalina.properties and server.xml) - for i in $(ls ${tomcat}/conf | grep -v catalina.properties | grep -v server.xml) - do - ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` + for i in $(ls ${tomcat}/conf | grep -v catalina.properties | grep -v server.xml); do + ln -sfn ${tomcat}/conf/$i ${cfg.baseDir}/conf/`basename $i` done - # Create subdirectory for virtual hosts - mkdir -p ${cfg.baseDir}/virtualhosts + ${if cfg.extraConfigFiles != [] then '' + for i in ${toString cfg.extraConfigFiles}; do + ln -sfn $i ${cfg.baseDir}/conf/`basename $i` + done + '' else ""} # Create a modified catalina.properties file # Change all references from CATALINA_HOME to CATALINA_BASE and add support for shared libraries sed -e 's|''${catalina.home}|''${catalina.base}|g' \ - -e 's|shared.loader=|shared.loader=''${catalina.base}/shared/lib/*.jar|' \ - ${tomcat}/conf/catalina.properties > ${cfg.baseDir}/conf/catalina.properties - - # Create a modified server.xml which also includes all virtual hosts - sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\ ${ - toString (map (virtualHost: ''<Host name=\"${virtualHost.name}\" appBase=\"virtualhosts/${virtualHost.name}/webapps\" unpackWARs=\"true\" autoDeploy=\"true\" xmlValidation=\"false\" xmlNamespaceAware=\"false\" >${if cfg.logPerVirtualHost then ''<Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs/${virtualHost.name}\" prefix=\"${virtualHost.name}_access_log.\" pattern=\"combined\" resolveHosts=\"false\"/>'' else ""}</Host>'') cfg.virtualHosts)}" \ - ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml - - # Create a logs/ directory - mkdir -p ${cfg.baseDir}/logs - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs - ${if cfg.logPerVirtualHost then - toString (map (h: '' - mkdir -p ${cfg.baseDir}/logs/${h.name} - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} - '') cfg.virtualHosts) else ''''} - - # Create a temp/ directory - mkdir -p ${cfg.baseDir}/temp - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/temp - - # Create a lib/ directory - mkdir -p ${cfg.baseDir}/lib - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/lib - - # Create a shared/lib directory - mkdir -p ${cfg.baseDir}/shared/lib - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/shared/lib - - # Create a webapps/ directory - mkdir -p ${cfg.baseDir}/webapps - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps + -e 's|shared.loader=|shared.loader=''${catalina.base}/shared/lib/*.jar|' \ + ${tomcat}/conf/catalina.properties > ${cfg.baseDir}/conf/catalina.properties + + ${if cfg.serverXml != "" then '' + cp -f ${pkgs.writeTextDir "server.xml" cfg.serverXml}/* ${cfg.baseDir}/conf/ + '' else '' + # Create a modified server.xml which also includes all virtual hosts + sed -e "/<Engine name=\"Catalina\" defaultHost=\"localhost\">/a\ ${toString (map (virtualHost: ''<Host name=\"${virtualHost.name}\" appBase=\"virtualhosts/${virtualHost.name}/webapps\" unpackWARs=\"true\" autoDeploy=\"true\" xmlValidation=\"false\" xmlNamespaceAware=\"false\" >${if cfg.logPerVirtualHost then ''<Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs/${virtualHost.name}\" prefix=\"${virtualHost.name}_access_log.\" pattern=\"combined\" resolveHosts=\"false\"/>'' else ""}</Host>'') cfg.virtualHosts)}" \ + ${tomcat}/conf/server.xml > ${cfg.baseDir}/conf/server.xml + '' + } + ${optionalString (cfg.logDirs != []) '' + for i in ${toString cfg.logDirs}; do + mkdir -p ${cfg.baseDir}/logs/$i + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/$i + done + ''} + ${optionalString cfg.logPerVirtualHost (toString (map (h: '' + mkdir -p ${cfg.baseDir}/logs/${h.name} + chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/logs/${h.name} + '') cfg.virtualHosts))} # Symlink all the given common libs files or paths into the lib/ directory - for i in ${tomcat} ${toString cfg.commonLibs} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the common/lib/ directory - ln -sfn $i ${cfg.baseDir}/lib/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/lib/* - do - ln -sfn $j ${cfg.baseDir}/lib/`basename $j` - done - fi + for i in ${tomcat} ${toString cfg.commonLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/lib/*; do + ln -sfn $j ${cfg.baseDir}/lib/`basename $j` + done + fi done # Symlink all the given shared libs files or paths into the shared/lib/ directory - for i in ${toString cfg.sharedLibs} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the common/lib/ directory - ln -sfn $i ${cfg.baseDir}/shared/lib/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/shared/lib/* - do - ln -sfn $j ${cfg.baseDir}/shared/lib/`basename $j` - done - fi + for i in ${toString cfg.sharedLibs}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the common/lib/ directory + ln -sfn $i ${cfg.baseDir}/shared/lib/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/shared/lib/*; do + ln -sfn $j ${cfg.baseDir}/shared/lib/`basename $j` + done + fi done # Symlink all the given web applications files or paths into the webapps/ directory - for i in ${toString cfg.webapps} - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the webapps/ directory - ln -sfn $i ${cfg.baseDir}/webapps/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/* - do - ln -sfn $j ${cfg.baseDir}/webapps/`basename $j` - done + for i in ${toString cfg.webapps}; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/webapps/`basename $j` + done - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - mkdir -p ${cfg.baseDir}/conf/Catalina/localhost - ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` - done - fi + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/localhost + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done fi + fi done ${toString (map (virtualHost: '' @@ -275,94 +292,79 @@ in # Symlink all the given web applications files or paths into the webapps/ directory # of this virtual host - for i in "${if virtualHost ? webapps then toString virtualHost.webapps else ""}" - do - if [ -f $i ] - then - # If the given web application is a file, symlink it into the webapps/ directory - ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/* - do - ln -sfn $j ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $j` - done - - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - mkdir -p ${cfg.baseDir}/conf/Catalina/${virtualHost.name} - ln -sfn $j ${cfg.baseDir}/conf/Catalina/${virtualHost.name}/`basename $j` - done - fi + for i in "${if virtualHost ? webapps then toString virtualHost.webapps else ""}"; do + if [ -f $i ]; then + # If the given web application is a file, symlink it into the webapps/ directory + ln -sfn $i ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/*; do + ln -sfn $j ${cfg.baseDir}/virtualhosts/${virtualHost.name}/webapps/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + mkdir -p ${cfg.baseDir}/conf/Catalina/${virtualHost.name} + ln -sfn $j ${cfg.baseDir}/conf/Catalina/${virtualHost.name}/`basename $j` + done fi + fi done - - '' - ) cfg.virtualHosts) } - - # Create a work/ directory - mkdir -p ${cfg.baseDir}/work - chown ${cfg.user}:${cfg.group} ${cfg.baseDir}/work - - ${if cfg.axis2.enable then - '' - # Copy the Axis2 web application - cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps - - # Turn off addressing, which causes many errors - sed -i -e 's%<module ref="addressing"/>%<!-- <module ref="addressing"/> -->%' ${cfg.baseDir}/webapps/axis2/WEB-INF/conf/axis2.xml - - # Modify permissions on the Axis2 application - chown -R ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps/axis2 - - # Symlink all the given web service files or paths into the webapps/axis2/WEB-INF/services directory - for i in ${toString cfg.axis2.services} - do - if [ -f $i ] - then - # If the given web service is a file, symlink it into the webapps/axis2/WEB-INF/services - ln -sfn $i ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $i` - elif [ -d $i ] - then - # If the given web application is a directory, then iterate over the files - # in the special purpose directories and symlink them into the tomcat tree - - for j in $i/webapps/axis2/WEB-INF/services/* - do - ln -sfn $j ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $j` - done - - # Also symlink the configuration files if they are included - if [ -d $i/conf/Catalina ] - then - for j in $i/conf/Catalina/* - do - ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` - done - fi - fi - done - '' - else ""} - ''; - - script = '' - ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c 'CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} JAVA_OPTS="${cfg.javaOpts}" CATALINA_OPTS="${cfg.catalinaOpts}" ${tomcat}/bin/startup.sh' - ''; - - preStop = '' - echo "Stopping tomcat..." - CATALINA_BASE=${cfg.baseDir} JAVA_HOME=${cfg.jdk} ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c ${tomcat}/bin/shutdown.sh + '') cfg.virtualHosts)} + + ${optionalString cfg.axis2.enable '' + # Copy the Axis2 web application + cp -av ${pkgs.axis2}/webapps/axis2 ${cfg.baseDir}/webapps + + # Turn off addressing, which causes many errors + sed -i -e 's%<module ref="addressing"/>%<!-- <module ref="addressing"/> -->%' ${cfg.baseDir}/webapps/axis2/WEB-INF/conf/axis2.xml + + # Modify permissions on the Axis2 application + chown -R ${cfg.user}:${cfg.group} ${cfg.baseDir}/webapps/axis2 + + # Symlink all the given web service files or paths into the webapps/axis2/WEB-INF/services directory + for i in ${toString cfg.axis2.services}; do + if [ -f $i ]; then + # If the given web service is a file, symlink it into the webapps/axis2/WEB-INF/services + ln -sfn $i ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $i` + elif [ -d $i ]; then + # If the given web application is a directory, then iterate over the files + # in the special purpose directories and symlink them into the tomcat tree + + for j in $i/webapps/axis2/WEB-INF/services/*; do + ln -sfn $j ${cfg.baseDir}/webapps/axis2/WEB-INF/services/`basename $j` + done + + # Also symlink the configuration files if they are included + if [ -d $i/conf/Catalina ]; then + for j in $i/conf/Catalina/*; do + ln -sfn $j ${cfg.baseDir}/conf/Catalina/localhost/`basename $j` + done + fi + fi + done + ''} ''; + serviceConfig = { + Type = "forking"; + PermissionsStartOnly = true; + PIDFile="/run/tomcat/tomcat.pid"; + RuntimeDirectory = "tomcat"; + User = cfg.user; + Environment=[ + "CATALINA_BASE=${cfg.baseDir}" + "CATALINA_PID=/run/tomcat/tomcat.pid" + "JAVA_HOME='${cfg.jdk}'" + "JAVA_OPTS='${builtins.toString cfg.javaOpts}'" + "CATALINA_OPTS='${builtins.toString cfg.catalinaOpts}'" + ] ++ cfg.extraEnvironment; + ExecStart = "${tomcat}/bin/startup.sh"; + ExecStop = "${tomcat}/bin/shutdown.sh"; + }; }; - }; - } diff --git a/nixos/modules/services/web-servers/varnish/default.nix b/nixos/modules/services/web-servers/varnish/default.nix index d63fb954ef96..bc74d62b116a 100644 --- a/nixos/modules/services/web-servers/varnish/default.nix +++ b/nixos/modules/services/web-servers/varnish/default.nix @@ -6,13 +6,22 @@ let cfg = config.services.varnish; commandLine = "-f ${pkgs.writeText "default.vcl" cfg.config}" + - optionalString (cfg.extraModules != []) " -p vmod_path='${makeSearchPathOutput "lib" "lib/varnish/vmods" ([pkgs.varnish] ++ cfg.extraModules)}' -r vmod_path"; + optionalString (cfg.extraModules != []) " -p vmod_path='${makeSearchPathOutput "lib" "lib/varnish/vmods" ([cfg.package] ++ cfg.extraModules)}' -r vmod_path"; in { options = { services.varnish = { enable = mkEnableOption "Varnish Server"; + package = mkOption { + type = types.package; + default = pkgs.varnish5; + defaultText = "pkgs.varnish5"; + description = '' + The package to use + ''; + }; + http_address = mkOption { type = types.str; default = "*:6081"; @@ -39,7 +48,7 @@ in extraModules = mkOption { type = types.listOf types.package; default = []; - example = literalExample "[ pkgs.varnish-geoip ]"; + example = literalExample "[ pkgs.varnish5Packages.geoip ]"; description = " Varnish modules (except 'std'). "; @@ -73,7 +82,7 @@ in serviceConfig = { Type = "simple"; PermissionsStartOnly = true; - ExecStart = "${pkgs.varnish}/sbin/varnishd -a ${cfg.http_address} -n ${cfg.stateDir} -F ${cfg.extraCommandLine} ${commandLine}"; + ExecStart = "${cfg.package}/sbin/varnishd -a ${cfg.http_address} -n ${cfg.stateDir} -F ${cfg.extraCommandLine} ${commandLine}"; Restart = "always"; RestartSec = "5s"; User = "varnish"; @@ -84,13 +93,13 @@ in }; }; - environment.systemPackages = [ pkgs.varnish ]; + environment.systemPackages = [ cfg.package ]; # check .vcl syntax at compile time (e.g. before nixops deployment) system.extraDependencies = [ (pkgs.stdenv.mkDerivation { name = "check-varnish-syntax"; - buildCommand = "${pkgs.varnish}/sbin/varnishd -C ${commandLine} 2> $out"; + buildCommand = "${cfg.package}/sbin/varnishd -C ${commandLine} 2> $out || (cat $out; exit 1)"; }) ]; diff --git a/nixos/modules/services/x11/desktop-managers/default.nix b/nixos/modules/services/x11/desktop-managers/default.nix index 4622c7b760f0..f435e85f6b83 100644 --- a/nixos/modules/services/x11/desktop-managers/default.nix +++ b/nixos/modules/services/x11/desktop-managers/default.nix @@ -87,11 +87,11 @@ in default = mkOption { type = types.str; - default = "none"; - example = "plasma5"; + default = ""; + example = "none"; description = "Default desktop manager loaded if none have been chosen."; apply = defaultDM: - if defaultDM == "none" && cfg.session.list != [] then + if defaultDM == "" && cfg.session.list != [] then (head cfg.session.list).name else if any (w: w.name == defaultDM) cfg.session.list then defaultDM diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix index 3d68f2b1c9b3..10e8ef0ed381 100644 --- a/nixos/modules/services/x11/desktop-managers/gnome3.nix +++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix @@ -124,7 +124,7 @@ in { # If gnome3 is installed, build vim for gtk3 too. nixpkgs.config.vim.gui = "gtk3"; - fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ]; + fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell-fonts ]; services.xserver.desktopManager.session = singleton { name = "gnome3"; @@ -182,8 +182,7 @@ in { { inherit (pkgs) networkmanager modemmanager wpa_supplicant; inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc networkmanager-openconnect networkmanager-fortisslvpn - networkmanager-pptp networkmanager-iodine - networkmanager-l2tp; }; + networkmanager-iodine networkmanager-l2tp; }; # Needed for themes and backgrounds environment.pathsToLink = [ "/share" ]; diff --git a/nixos/modules/services/x11/desktop-managers/lxqt.nix b/nixos/modules/services/x11/desktop-managers/lxqt.nix index fb907618d35b..2596ec4ad85c 100644 --- a/nixos/modules/services/x11/desktop-managers/lxqt.nix +++ b/nixos/modules/services/x11/desktop-managers/lxqt.nix @@ -61,6 +61,8 @@ in environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ]; + services.upower.enable = config.powerManagement.enable; }; + } diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index 0117dc9d132b..db83aaf3c19f 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -108,6 +108,8 @@ in services.gnome3.gnome-keyring.enable = true; services.upower.enable = config.powerManagement.enable; + security.pam.services."mate-screensaver".unixAuth = true; + environment.pathsToLink = [ "/share" ]; }; diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index 489bffbee917..7dcc600d2664 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -128,7 +128,7 @@ in # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes. export GTK_DATA_PREFIX=${config.system.path} - ${pkgs.stdenv.shell} ${pkgs.xfce.xinitrc} & + ${pkgs.runtimeShell} ${pkgs.xfce.xinitrc} & waitPID=$! ''; }]; diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix index b5e936830918..9d30155a7234 100644 --- a/nixos/modules/services/x11/display-managers/lightdm.nix +++ b/nixos/modules/services/x11/display-managers/lightdm.nix @@ -9,6 +9,10 @@ let xEnv = config.systemd.services."display-manager".environment; cfg = dmcfg.lightdm; + dmDefault = xcfg.desktopManager.default; + wmDefault = xcfg.windowManager.default; + hasDefaultUserSession = dmDefault != "none" || wmDefault != "none"; + inherit (pkgs) stdenv lightdm writeScript writeText; # lightdm runs with clearenv(), but we need a few things in the enviornment for X to startup @@ -54,14 +58,13 @@ let autologin-user-timeout = ${toString cfg.autoLogin.timeout} autologin-session = ${defaultSessionName} ''} + ${optionalString hasDefaultUserSession '' + user-session=${defaultSessionName} + ''} ${cfg.extraSeatDefaults} ''; - defaultSessionName = - let - dm = xcfg.desktopManager.default; - wm = xcfg.windowManager.default; - in dm + optionalString (wm != "none") ("+" + wm); + defaultSessionName = dmDefault + optionalString (wmDefault != "none") ("+" + wmDefault); in { # Note: the order in which lightdm greeter modules are imported @@ -179,6 +182,14 @@ in default session: ${defaultSessionName} is not valid. ''; } + { assertion = hasDefaultUserSession -> elem defaultSessionName dmcfg.session.names; + message = '' + services.xserver.desktopManager.default and + services.xserver.windowMananger.default are not set to valid + values. The current default session: ${defaultSessionName} + is not valid. + ''; + } { assertion = !cfg.greeter.enable -> (cfg.autoLogin.enable && cfg.autoLogin.timeout == 0); message = '' LightDM can only run without greeter if automatic login is enabled and the timeout for it diff --git a/nixos/modules/services/x11/display-managers/slim.nix b/nixos/modules/services/x11/display-managers/slim.nix index 0c4dd1973b53..f645a5c2f078 100644 --- a/nixos/modules/services/x11/display-managers/slim.nix +++ b/nixos/modules/services/x11/display-managers/slim.nix @@ -14,7 +14,7 @@ let default_xserver ${dmcfg.xserverBin} xserver_arguments ${toString dmcfg.xserverArgs} sessiondir ${dmcfg.session.desktops} - login_cmd exec ${pkgs.stdenv.shell} ${dmcfg.session.script} "%session" + login_cmd exec ${pkgs.runtimeShell} ${dmcfg.session.script} "%session" halt_cmd ${config.systemd.package}/sbin/shutdown -h now reboot_cmd ${config.systemd.package}/sbin/shutdown -r now logfile /dev/stderr diff --git a/nixos/modules/services/x11/window-managers/bspwm.nix b/nixos/modules/services/x11/window-managers/bspwm.nix index 6783ac3479e6..23cd4f6529a6 100644 --- a/nixos/modules/services/x11/window-managers/bspwm.nix +++ b/nixos/modules/services/x11/window-managers/bspwm.nix @@ -59,7 +59,7 @@ in start = '' export _JAVA_AWT_WM_NONREPARENTING=1 SXHKD_SHELL=/bin/sh ${cfg.sxhkd.package}/bin/sxhkd ${optionalString (cfg.sxhkd.configFile != null) "-c \"${cfg.sxhkd.configFile}\""} & - ${cfg.package}/bin/bspwm ${optionalString (cfg.configFile != null) "-c \"${cfg.configFile}\""} + ${cfg.package}/bin/bspwm ${optionalString (cfg.configFile != null) "-c \"${cfg.configFile}\""} & waitPID=$! ''; }; diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix index 25ba95fccd75..e617e55a7a57 100644 --- a/nixos/modules/services/x11/window-managers/default.nix +++ b/nixos/modules/services/x11/window-managers/default.nix @@ -12,6 +12,7 @@ in ./afterstep.nix ./bspwm.nix ./dwm.nix + ./evilwm.nix ./exwm.nix ./fluxbox.nix ./fvwm.nix @@ -61,9 +62,7 @@ in example = "wmii"; description = "Default window manager loaded if none have been chosen."; apply = defaultWM: - if defaultWM == "none" && cfg.session != [] then - (head cfg.session).name - else if any (w: w.name == defaultWM) cfg.session then + if any (w: w.name == defaultWM) cfg.session then defaultWM else throw "Default window manager (${defaultWM}) not found."; diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index f96d3c5afbac..1404231f837e 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -161,15 +161,6 @@ in ''; }; - plainX = mkOption { - type = types.bool; - default = false; - description = '' - Whether the X11 session can be plain (without DM/WM) and - the Xsession script will be used as fallback or not. - ''; - }; - autorun = mkOption { type = types.bool; default = true; @@ -249,7 +240,10 @@ in type = types.listOf types.str; # !!! We'd like "nv" here, but it segfaults the X server. default = [ "ati" "cirrus" "intel" "vesa" "vmware" "modesetting" ]; - example = [ "vesa" ]; + example = [ + "ati_unfree" "amdgpu" "amdgpu-pro" + "nv" "nvidia" "nvidiaLegacy340" "nvidiaLegacy304" + ]; description = '' The names of the video drivers the configuration supports. They will be tried in order until one that @@ -561,11 +555,6 @@ in + "${toString (length primaryHeads)} heads set to primary: " + concatMapStringsSep ", " (x: x.output) primaryHeads; }) - { assertion = cfg.desktopManager.default == "none" && cfg.windowManager.default == "none" -> cfg.plainX; - message = "Either the desktop manager or the window manager shouldn't be `none`! " - + "To explicitly allow this, you can also set `services.xserver.plainX` to `true`. " - + "The `default` value looks for enabled WMs/DMs and select the first one."; - } ]; environment.etc = @@ -640,9 +629,7 @@ in environment = { - XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime. - LD_LIBRARY_PATH = concatStringsSep ":" ( - [ "${xorg.libX11.out}/lib" "${xorg.libXext.out}/lib" "/run/opengl-driver/lib" ] + LD_LIBRARY_PATH = concatStringsSep ":" ([ "/run/opengl-driver/lib" ] ++ concatLists (catAttrs "libPath" cfg.drivers)); } // cfg.displayManager.job.environment; diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index c2ac731d433d..c563614caaaf 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -61,7 +61,7 @@ in apply = set: { script = '' - #! ${pkgs.stdenv.shell} + #! ${pkgs.runtimeShell} systemConfig=@out@ @@ -117,14 +117,7 @@ in config = { - system.activationScripts.stdio = - '' - # Needed by some programs. - ln -sfn /proc/self/fd /dev/fd - ln -sfn /proc/self/fd/0 /dev/stdin - ln -sfn /proc/self/fd/1 /dev/stdout - ln -sfn /proc/self/fd/2 /dev/stderr - ''; + system.activationScripts.stdio = ""; # obsolete system.activationScripts.var = '' diff --git a/nixos/modules/system/boot/grow-partition.nix b/nixos/modules/system/boot/grow-partition.nix index c4c6d82dc5c8..1e6f9e442b67 100644 --- a/nixos/modules/system/boot/grow-partition.nix +++ b/nixos/modules/system/boot/grow-partition.nix @@ -32,8 +32,15 @@ with lib; rootDevice="${config.fileSystems."/".device}" if [ -e "$rootDevice" ]; then rootDevice="$(readlink -f "$rootDevice")" - parentDevice="$(lsblk -npo PKNAME "$rootDevice")" - TMPDIR=/run sh $(type -P growpart) "$parentDevice" "''${rootDevice#$parentDevice}" + parentDevice="$rootDevice" + while [ "''${parentDevice%[0-9]}" != "''${parentDevice}" ]; do + parentDevice="''${parentDevice%[0-9]}"; + done + partNum="''${rootDevice#''${parentDevice}}" + if [ "''${parentDevice%[0-9]p}" != "''${parentDevice}" ] && [ -b "''${parentDevice%p}" ]; then + parentDevice="''${parentDevice%p}" + fi + TMPDIR=/run sh $(type -P growpart) "$parentDevice" "$partNum" udevadm settle fi ''; diff --git a/nixos/modules/system/boot/initrd-network.nix b/nixos/modules/system/boot/initrd-network.nix index 4a6e1c7e56e5..33862b0965cc 100644 --- a/nixos/modules/system/boot/initrd-network.nix +++ b/nixos/modules/system/boot/initrd-network.nix @@ -23,6 +23,8 @@ let fi ''; + udhcpcArgs = toString cfg.udhcpc.extraArgs; + in { @@ -47,6 +49,16 @@ in ''; }; + boot.initrd.network.udhcpc.extraArgs = mkOption { + default = []; + type = types.listOf types.str; + description = '' + Additional command-line arguments passed verbatim to udhcpc if + <option>boot.initrd.network.enable</option> and <option>networking.useDHCP</option> + are enabled. + ''; + }; + boot.initrd.network.postCommands = mkOption { default = ""; type = types.lines; @@ -91,7 +103,7 @@ in # Acquire a DHCP lease. echo "acquiring IP address via DHCP..." - udhcpc --quit --now --script ${udhcpcScript} && hasNetwork=1 + udhcpc --quit --now --script ${udhcpcScript} ${udhcpcArgs} && hasNetwork=1 fi '' diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index cdeff4845948..8b3dc2d90eb3 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -118,7 +118,7 @@ in echo ${escapeShellArg key} >> /root/.ssh/authorized_keys '') cfg.authorizedKeys)} - dropbear -s -j -k -E -m -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"} + dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"} ''; boot.initrd.secrets = diff --git a/nixos/modules/system/boot/kernel.nix b/nixos/modules/system/boot/kernel.nix index 3bd7d3558269..8ea05ed14687 100644 --- a/nixos/modules/system/boot/kernel.nix +++ b/nixos/modules/system/boot/kernel.nix @@ -77,8 +77,8 @@ in type = types.int; default = 4; description = '' - The kernel console log level. Log messages with a priority - numerically less than this will not appear on the console. + The kernel console <literal>loglevel</literal>. All Kernel Messages with a log level smaller + than this setting will be printed to the console. ''; }; diff --git a/nixos/modules/system/boot/kexec.nix b/nixos/modules/system/boot/kexec.nix index b7821f9509f1..3fc1af28f628 100644 --- a/nixos/modules/system/boot/kexec.nix +++ b/nixos/modules/system/boot/kexec.nix @@ -1,21 +1,22 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { - environment.systemPackages = [ pkgs.kexectools ]; + config = lib.mkIf (pkgs.kexectools.meta.available) { + environment.systemPackages = [ pkgs.kexectools ]; - systemd.services."prepare-kexec" = - { description = "Preparation for kexec"; - wantedBy = [ "kexec.target" ]; - before = [ "systemd-kexec.service" ]; - unitConfig.DefaultDependencies = false; - serviceConfig.Type = "oneshot"; - path = [ pkgs.kexectools ]; - script = - '' - p=$(readlink -f /nix/var/nix/profiles/system) - if ! [ -d $p ]; then exit 1; fi - exec kexec --load $p/kernel --initrd=$p/initrd --append="$(cat $p/kernel-params) init=$p/init" - ''; - }; - -} \ No newline at end of file + systemd.services."prepare-kexec" = + { description = "Preparation for kexec"; + wantedBy = [ "kexec.target" ]; + before = [ "systemd-kexec.service" ]; + unitConfig.DefaultDependencies = false; + serviceConfig.Type = "oneshot"; + path = [ pkgs.kexectools ]; + script = + '' + p=$(readlink -f /nix/var/nix/profiles/system) + if ! [ -d $p ]; then exit 1; fi + exec kexec --load $p/kernel --initrd=$p/initrd --append="$(cat $p/kernel-params) init=$p/init" + ''; + }; + }; +} diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 0d83391de893..e2cff1c1bd94 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -40,7 +40,7 @@ let { splashImage = f cfg.splashImage; grub = f grub; grubTarget = f (grub.grubTarget or ""); - shell = "${pkgs.stdenv.shell}"; + shell = "${pkgs.runtimeShell}"; fullName = (builtins.parseDrvName realGrub.name).name; fullVersion = (builtins.parseDrvName realGrub.name).version; grubEfi = f grubEfi; @@ -536,9 +536,9 @@ in btrfsprogs = pkgs.btrfs-progs; }; in pkgs.writeScript "install-grub.sh" ('' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} set -e - export PERL5LIB=${makePerlPath (with pkgs.perlPackages; [ FileSlurp XMLLibXML XMLSAX ListCompare ])} + export PERL5LIB=${makePerlPath (with pkgs.perlPackages; [ FileSlurp XMLLibXML XMLSAX XMLSAXBase ListCompare ])} ${optionalString cfg.enableCryptodisk "export GRUB_ENABLE_CRYPTODISK=y"} '' + flip concatMapStrings cfg.mirroredBoots (args: '' ${pkgs.perl}/bin/perl ${install-grub-pl} ${grubConfig args} $@ diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index cc03e54ead63..8bd203106f55 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl @@ -182,7 +182,7 @@ sub GrubFs { # Based on the type pull in the identifier from the system my ($status, @devInfo) = runCommand("@utillinux@/bin/blkid -o export @{[$fs->device]}"); if ($status != 0) { - die "Failed to get blkid info for @{[$fs->mount]} on @{[$fs->device]}"; + die "Failed to get blkid info (returned $status) for @{[$fs->mount]} on @{[$fs->device]}"; } my @matches = join("", @devInfo) =~ m/@{[uc $fsIdentifier]}=([^\n]*)/; if ($#matches != 0) { diff --git a/nixos/modules/system/boot/loader/raspberrypi/builder.sh b/nixos/modules/system/boot/loader/raspberrypi/builder.sh index f627d093eafb..8adc8a6a7e11 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/builder.sh +++ b/nixos/modules/system/boot/loader/raspberrypi/builder.sh @@ -109,11 +109,15 @@ copyForced $fwdir/bootcode.bin /boot/bootcode.bin copyForced $fwdir/fixup.dat /boot/fixup.dat copyForced $fwdir/fixup_cd.dat /boot/fixup_cd.dat copyForced $fwdir/fixup_db.dat /boot/fixup_db.dat +copyForced $fwdir/fixup_x.dat /boot/fixup_x.dat copyForced $fwdir/start.elf /boot/start.elf copyForced $fwdir/start_cd.elf /boot/start_cd.elf copyForced $fwdir/start_db.elf /boot/start_db.elf copyForced $fwdir/start_x.elf /boot/start_x.elf +# Add the config.txt +copyForced @configTxt@ /boot/config.txt + # Remove obsolete files from /boot and /boot/old. for fn in /boot/old/*linux* /boot/old/*initrd-initrd* /boot/bcm*.dtb; do if ! test "${filesCopied[$fn]}" = 1; then diff --git a/nixos/modules/system/boot/loader/raspberrypi/builder_uboot.nix b/nixos/modules/system/boot/loader/raspberrypi/builder_uboot.nix new file mode 100644 index 000000000000..47f25a9c2b1b --- /dev/null +++ b/nixos/modules/system/boot/loader/raspberrypi/builder_uboot.nix @@ -0,0 +1,34 @@ +{ config, pkgs, configTxt }: + +let + cfg = config.boot.loader.raspberryPi; + isAarch64 = pkgs.stdenv.isAarch64; + + uboot = + if cfg.version == 1 then + pkgs.ubootRaspberryPi + else if cfg.version == 2 then + pkgs.ubootRaspberryPi2 + else + if isAarch64 then + pkgs.ubootRaspberryPi3_64bit + else + pkgs.ubootRaspberryPi3_32bit; + + extlinuxConfBuilder = + import ../generic-extlinux-compatible/extlinux-conf-builder.nix { + inherit pkgs; + }; +in +pkgs.substituteAll { + src = ./builder_uboot.sh; + isExecutable = true; + inherit (pkgs) bash; + path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep]; + firmware = pkgs.raspberrypifw; + inherit uboot; + inherit configTxt; + inherit extlinuxConfBuilder; + version = cfg.version; +} + diff --git a/nixos/modules/system/boot/loader/raspberrypi/builder_uboot.sh b/nixos/modules/system/boot/loader/raspberrypi/builder_uboot.sh new file mode 100644 index 000000000000..36bf15066274 --- /dev/null +++ b/nixos/modules/system/boot/loader/raspberrypi/builder_uboot.sh @@ -0,0 +1,29 @@ +#! @bash@/bin/sh -e + +copyForced() { + local src="$1" + local dst="$2" + cp $src $dst.tmp + mv $dst.tmp $dst +} + +# Call the extlinux builder +"@extlinuxConfBuilder@" "$@" + +# Add the firmware files +fwdir=@firmware@/share/raspberrypi/boot/ +copyForced $fwdir/bootcode.bin /boot/bootcode.bin +copyForced $fwdir/fixup.dat /boot/fixup.dat +copyForced $fwdir/fixup_cd.dat /boot/fixup_cd.dat +copyForced $fwdir/fixup_db.dat /boot/fixup_db.dat +copyForced $fwdir/fixup_x.dat /boot/fixup_x.dat +copyForced $fwdir/start.elf /boot/start.elf +copyForced $fwdir/start_cd.elf /boot/start_cd.elf +copyForced $fwdir/start_db.elf /boot/start_db.elf +copyForced $fwdir/start_x.elf /boot/start_x.elf + +# Add the uboot file +copyForced @uboot@/u-boot.bin /boot/u-boot-rpi.bin + +# Add the config.txt +copyForced @configTxt@ /boot/config.txt diff --git a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix index f246d04284ca..f974d07da9e5 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -5,42 +5,108 @@ with lib; let cfg = config.boot.loader.raspberryPi; - builder = pkgs.substituteAll { + builderGeneric = pkgs.substituteAll { src = ./builder.sh; isExecutable = true; inherit (pkgs) bash; path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep]; firmware = pkgs.raspberrypifw; version = cfg.version; + inherit configTxt; }; platform = pkgs.stdenv.platform; + builderUboot = import ./builder_uboot.nix { inherit config; inherit pkgs; inherit configTxt; }; + + builder = + if cfg.uboot.enable then + "${builderUboot} -g ${toString cfg.uboot.configurationLimit} -t ${timeoutStr} -c" + else + builderGeneric; + + blCfg = config.boot.loader; + timeoutStr = if blCfg.timeout == null then "-1" else toString blCfg.timeout; + + isAarch64 = pkgs.stdenv.isAarch64; + optional = pkgs.stdenv.lib.optionalString; + + configTxt = + pkgs.writeText "config.txt" ('' + # U-Boot used to need this to work, regardless of whether UART is actually used or not. + # TODO: check when/if this can be removed. + enable_uart=1 + + # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel + # when attempting to show low-voltage or overtemperature warnings. + avoid_warnings=1 + '' + optional isAarch64 '' + # Boot in 64-bit mode. + arm_control=0x200 + '' + optional cfg.uboot.enable '' + kernel=u-boot-rpi.bin + '' + optional (cfg.firmwareConfig != null) cfg.firmwareConfig); + in { options = { - boot.loader.raspberryPi.enable = mkOption { - default = false; - type = types.bool; - description = '' - Whether to create files with the system generations in - <literal>/boot</literal>. - <literal>/boot/old</literal> will hold files from old generations. - ''; - }; + boot.loader.raspberryPi = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Whether to create files with the system generations in + <literal>/boot</literal>. + <literal>/boot/old</literal> will hold files from old generations. + ''; + }; - boot.loader.raspberryPi.version = mkOption { - default = 2; - type = types.enum [ 1 2 3 ]; - description = '' - ''; - }; + version = mkOption { + default = 2; + type = types.enum [ 1 2 3 ]; + description = '' + ''; + }; + + uboot = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable using uboot as bootmanager for the raspberry pi. + ''; + }; + + configurationLimit = mkOption { + default = 20; + example = 10; + type = types.int; + description = '' + Maximum number of configurations in the boot menu. + ''; + }; + + }; + firmwareConfig = mkOption { + default = null; + type = types.nullOr types.string; + description = '' + Extra options that will be appended to <literal>/boot/config.txt</literal> file. + For possible values, see: https://www.raspberrypi.org/documentation/configuration/config-txt/ + ''; + }; + }; }; - config = mkIf config.boot.loader.raspberryPi.enable { + config = mkIf cfg.enable { + assertions = singleton { + assertion = !pkgs.stdenv.isAarch64 || cfg.version == 3; + message = "Only Raspberry Pi 3 supports aarch64."; + }; + system.build.installBootLoader = builder; system.boot.loader.id = "raspberrypi"; system.boot.loader.kernelFile = platform.kernelTarget; diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8b390e1b60c4..54dfb53fd30f 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallbackToPassword, ... }: assert name' == name; '' # Wait for a target (e.g. device, keyFile, header, ...) to appear. wait_target() { @@ -43,8 +43,17 @@ let open_normally() { echo luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \ ${optionalString (header != null) "--header=${header}"} \ - ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \ > /.luksopen_args + ${optionalString (keyFile != null) '' + ${optionalString fallbackToPassword "if [ -e ${keyFile} ]; then"} + echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \ + >> /.luksopen_args + ${optionalString fallbackToPassword '' + else + echo "keyfile ${keyFile} not found -- fallback to interactive unlocking" + fi + ''} + ''} cryptsetup-askpass rm /.luksopen_args } @@ -324,6 +333,16 @@ in ''; }; + fallbackToPassword = mkOption { + default = false; + type = types.bool; + description = '' + Whether to fallback to interactive passphrase prompt if the keyfile + cannot be found. This will prevent unattended boot should the keyfile + go missing. + ''; + }; + yubikey = mkOption { default = null; description = '' diff --git a/nixos/modules/system/boot/modprobe.nix b/nixos/modules/system/boot/modprobe.nix index b915a98d5375..dee0ab470c99 100644 --- a/nixos/modules/system/boot/modprobe.nix +++ b/nixos/modules/system/boot/modprobe.nix @@ -54,7 +54,7 @@ with lib; environment.systemPackages = [ pkgs.kmod ]; - system.activationScripts.modprobe = + system.activationScripts.modprobe = stringAfter ["specialfs"] '' # Allow the kernel to find our wrapped modprobe (which searches # in the right location in the Nix store for kernel modules). diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index eea10613ea58..9aa557ac8595 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -146,12 +146,13 @@ let # .network files have a [Link] section with different options than in .netlink files checkNetworkLink = checkUnitConfig "Link" [ (assertOnlyFields [ - "MACAddress" "MTUBytes" "ARP" "Unmanaged" + "MACAddress" "MTUBytes" "ARP" "Unmanaged" "RequiredForOnline" ]) (assertMacAddress "MACAddress") (assertByteFormat "MTUBytes") (assertValueOneOf "ARP" boolValues) (assertValueOneOf "Unmanaged" boolValues) + (assertValueOneOf "RquiredForOnline" boolValues) ]; @@ -712,6 +713,9 @@ in systemd.services.systemd-networkd = { wantedBy = [ "multi-user.target" ]; restartTriggers = map (f: f.source) (unitFiles); + # prevent race condition with interface renaming (#39069) + requires = [ "systemd-udev-settle.service" ]; + after = [ "systemd-udev-settle.service" ]; }; systemd.services.systemd-networkd-wait-online = { diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index df450be8c401..55bb6d3449c5 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -30,6 +30,50 @@ let # mounting `/`, like `/` on a loopback). fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems; + # A utility for enumerating the shared-library dependencies of a program + findLibs = pkgs.writeShellScriptBin "find-libs" '' + set -euo pipefail + + declare -A seen + declare -a left + + patchelf="${pkgs.buildPackages.patchelf}/bin/patchelf" + + function add_needed { + rpath="$($patchelf --print-rpath $1)" + dir="$(dirname $1)" + for lib in $($patchelf --print-needed $1); do + left+=("$lib" "$rpath" "$dir") + done + } + + add_needed $1 + + while [ ''${#left[@]} -ne 0 ]; do + next=''${left[0]} + rpath=''${left[1]} + ORIGIN=''${left[2]} + left=("''${left[@]:3}") + if [ -z ''${seen[$next]+x} ]; then + seen[$next]=1 + IFS=: read -ra paths <<< $rpath + res= + for path in "''${paths[@]}"; do + path=$(eval "echo $path") + if [ -f "$path/$next" ]; then + res="$path/$next" + echo "$res" + add_needed "$res" + break + fi + done + if [ -z "$res" ]; then + echo "Couldn't satisfy dependency $next" >&2 + exit 1 + fi + fi + done + ''; # Some additional utilities needed in stage 1, like mount, lvm, fsck # etc. We don't want to bring in all of those packages, so we just @@ -37,7 +81,7 @@ let # we just copy what we need from Glibc and use patchelf to make it # work. extraUtils = pkgs.runCommandCC "extra-utils" - { buildInputs = [pkgs.nukeReferences]; + { nativeBuildInputs = [pkgs.buildPackages.nukeReferences]; allowedReferences = [ "out" ]; # prevent accidents like glibc being included in the initrd } '' @@ -103,9 +147,7 @@ let # Copy all of the needed libraries find $out/bin $out/lib -type f | while read BIN; do echo "Copying libs for executable $BIN" - LDD="$(ldd $BIN)" || continue - LIBS="$(echo "$LDD" | awk '{print $3}' | sed '/^$/d')" - for LIB in $LIBS; do + for LIB in $(${findLibs}/bin/find-libs $BIN); do TGT="$out/lib/$(basename $LIB)" if [ ! -f "$TGT" ]; then SRC="$(readlink -e $LIB)" @@ -132,6 +174,7 @@ let fi done + if [ -z "${toString pkgs.stdenv.isCross}" ]; then # Make sure that the patchelf'ed binaries still work. echo "testing patched programs..." $out/bin/ash -c 'echo hello world' | grep "hello world" @@ -144,6 +187,7 @@ let $out/bin/mdadm --version ${config.boot.initrd.extraUtilsCommandsTest} + fi ''; # */ @@ -245,7 +289,7 @@ let { src = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf"; } '' target=$out - ${pkgs.perl}/bin/perl -0pe 's/## file: iwlwifi.conf(.+?)##/##/s;' $src > $out + ${pkgs.buildPackages.perl}/bin/perl -0pe 's/## file: iwlwifi.conf(.+?)##/##/s;' $src > $out ''; symlink = "/etc/modprobe.d/ubuntu.conf"; } diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh index 46aed44bf10f..b83012dfda7e 100644 --- a/nixos/modules/system/boot/stage-2-init.sh +++ b/nixos/modules/system/boot/stage-2-init.sh @@ -43,7 +43,7 @@ if [ ! -e /proc/1 ]; then local options="$3" local fsType="$4" - mkdir -m 0755 -p "$mountPoint" + install -m 0755 -d "$mountPoint" mount -n -t "$fsType" -o "$options" "$device" "$mountPoint" } source @earlyMountScript@ @@ -71,7 +71,7 @@ fi # Provide a /etc/mtab. -mkdir -m 0755 -p /etc +install -m 0755 -d /etc test -e /etc/fstab || touch /etc/fstab # to shut up mount rm -f /etc/mtab* # not that we care about stale locks ln -s /proc/mounts /etc/mtab @@ -79,10 +79,9 @@ ln -s /proc/mounts /etc/mtab # More special file systems, initialise required directories. [ -e /proc/bus/usb ] && mount -t usbfs usbfs /proc/bus/usb # UML doesn't have USB by default -mkdir -m 01777 -p /tmp -mkdir -m 0755 -p /var/{log,lib,db} /nix/var /etc/nixos/ \ +install -m 01777 -d /tmp +install -m 0755 -d /var/{log,lib,db} /nix/var /etc/nixos/ \ /run/lock /home /bin # for the /bin/sh symlink -install -m 0700 -d /root # Miscellaneous boot time cleanup. diff --git a/nixos/modules/system/boot/stage-2.nix b/nixos/modules/system/boot/stage-2.nix index 8db6d2d2f734..78afbd8dbc12 100644 --- a/nixos/modules/system/boot/stage-2.nix +++ b/nixos/modules/system/boot/stage-2.nix @@ -10,6 +10,7 @@ let bootStage2 = pkgs.substituteAll { src = ./stage-2-init.sh; shellDebug = "${pkgs.bashInteractive}/bin/bash"; + shell = "${pkgs.bash}/bin/bash"; isExecutable = true; inherit (config.nix) readOnlyStore; inherit (config.networking) useHostResolvConf; diff --git a/nixos/modules/system/boot/systemd-nspawn.nix b/nixos/modules/system/boot/systemd-nspawn.nix index 8fa9f8b795e5..64b3b8b584e3 100644 --- a/nixos/modules/system/boot/systemd-nspawn.nix +++ b/nixos/modules/system/boot/systemd-nspawn.nix @@ -110,7 +110,7 @@ in { config = let - units = mapAttrs' (n: v: nameValuePair "${n}.nspawn" (instanceToUnit n v)) cfg; + units = mapAttrs' (n: v: let nspawnFile = "${n}.nspawn"; in nameValuePair nspawnFile (instanceToUnit nspawnFile v)) cfg; in mkIf (cfg != {}) { environment.etc."systemd/nspawn".source = generateUnits "nspawn" units [] []; diff --git a/nixos/modules/system/boot/systemd-unit-options.nix b/nixos/modules/system/boot/systemd-unit-options.nix index 43a9c28bb694..5255f1a1b97a 100644 --- a/nixos/modules/system/boot/systemd-unit-options.nix +++ b/nixos/modules/system/boot/systemd-unit-options.nix @@ -217,7 +217,7 @@ in rec { environment = mkOption { default = {}; - type = types.attrs; # FIXME + type = with types; attrsOf (nullOr (either str package)); example = { PATH = "/foo/bar/bin"; LANG = "nl_NL.UTF-8"; }; description = "Environment variables passed to the service's processes."; }; diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index aff46ea861a2..d2fe33488a7a 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -137,7 +137,6 @@ let # Slices / containers. "slices.target" - "system.slice" "user.slice" "machine.slice" "machines.target" @@ -241,37 +240,37 @@ let } (mkIf (config.preStart != "") { serviceConfig.ExecStartPre = makeJobScript "${name}-pre-start" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${config.preStart} ''; }) (mkIf (config.script != "") { serviceConfig.ExecStart = makeJobScript "${name}-start" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${config.script} '' + " " + config.scriptArgs; }) (mkIf (config.postStart != "") { serviceConfig.ExecStartPost = makeJobScript "${name}-post-start" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${config.postStart} ''; }) (mkIf (config.reload != "") { serviceConfig.ExecReload = makeJobScript "${name}-reload" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${config.reload} ''; }) (mkIf (config.preStop != "") { serviceConfig.ExecStop = makeJobScript "${name}-pre-stop" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${config.preStop} ''; }) (mkIf (config.postStop != "") { serviceConfig.ExecStopPost = makeJobScript "${name}-post-stop" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${config.postStop} ''; }) @@ -516,7 +515,7 @@ in }; systemd.globalEnvironment = mkOption { - type = types.attrs; + type = with types; attrsOf (nullOr (either str package)); default = {}; example = { TZ = "CET"; }; description = '' @@ -524,6 +523,14 @@ in ''; }; + systemd.enableCgroupAccounting = mkOption { + default = false; + type = types.bool; + description = '' + Whether to enable cgroup accounting. + ''; + }; + systemd.extraConfig = mkOption { default = ""; type = types.lines; @@ -725,6 +732,13 @@ in "systemd/system.conf".text = '' [Manager] + ${optionalString config.systemd.enableCgroupAccounting '' + DefaultCPUAccounting=yes + DefaultIOAccounting=yes + DefaultBlockIOAccounting=yes + DefaultMemoryAccounting=yes + DefaultTasksAccounting=yes + ''} ${config.systemd.extraConfig} ''; @@ -821,7 +835,8 @@ in system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled [ "DEVTMPFS" "CGROUPS" "INOTIFY_USER" "SIGNALFD" "TIMERFD" "EPOLL" "NET" - "SYSFS" "PROC_FS" "FHANDLE" "DMIID" "AUTOFS4_FS" "TMPFS_POSIX_ACL" + "SYSFS" "PROC_FS" "FHANDLE" "CRYPTO_USER_API_HASH" "CRYPTO_HMAC" + "CRYPTO_SHA256" "DMIID" "AUTOFS4_FS" "TMPFS_POSIX_ACL" "TMPFS_XATTR" "SECCOMP" ]; diff --git a/nixos/modules/tasks/filesystems/exfat.nix b/nixos/modules/tasks/filesystems/exfat.nix index 963bc940b4fa..1527f993fdd4 100644 --- a/nixos/modules/tasks/filesystems/exfat.nix +++ b/nixos/modules/tasks/filesystems/exfat.nix @@ -5,7 +5,7 @@ with lib; { config = mkIf (any (fs: fs == "exfat") config.boot.supportedFilesystems) { - system.fsPackages = [ pkgs.exfat-utils pkgs.fuse_exfat ]; + system.fsPackages = [ pkgs.exfat ]; }; } diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix index 30c54ddd0e4e..c3bf897d51fd 100644 --- a/nixos/modules/tasks/filesystems/zfs.nix +++ b/nixos/modules/tasks/filesystems/zfs.nix @@ -305,6 +305,8 @@ in } ]; + virtualisation.lxd.zfsSupport = true; + boot = { kernelModules = [ "spl" "zfs" ] ; extraModulePackages = with packages; [ spl zfs ]; @@ -452,7 +454,7 @@ in }) snapshotNames); systemd.timers = let - timer = name: if name == "frequent" then "*:15,30,45" else name; + timer = name: if name == "frequent" then "*:0,15,30,45" else name; in builtins.listToAttrs (map (snapName: { name = "zfs-snapshot-${snapName}"; diff --git a/nixos/modules/tasks/kbd.nix b/nixos/modules/tasks/kbd.nix index 7fb3cbc5c1bc..fbe42b8e8f04 100644 --- a/nixos/modules/tasks/kbd.nix +++ b/nixos/modules/tasks/kbd.nix @@ -13,7 +13,7 @@ let isUnicode = hasSuffix "UTF-8" (toUpper config.i18n.defaultLocale); optimizedKeymap = pkgs.runCommand "keymap" { - nativeBuildInputs = [ pkgs.kbd ]; + nativeBuildInputs = [ pkgs.buildPackages.kbd ]; LOADKEYS_KEYMAP_PATH = "${kbdEnv}/share/keymaps/**"; } '' loadkeys -b ${optionalString isUnicode "-u"} "${config.i18n.consoleKeyMap}" > $out diff --git a/nixos/modules/tasks/network-interfaces-scripted.nix b/nixos/modules/tasks/network-interfaces-scripted.nix index 8aa5163ce229..e754a1e8718d 100644 --- a/nixos/modules/tasks/network-interfaces-scripted.nix +++ b/nixos/modules/tasks/network-interfaces-scripted.nix @@ -68,8 +68,7 @@ let (hasAttr dev cfg.macvlans) || (hasAttr dev cfg.sits) || (hasAttr dev cfg.vlans) || - (hasAttr dev cfg.vswitches) || - (hasAttr dev cfg.wlanInterfaces) + (hasAttr dev cfg.vswitches) then [ "${dev}-netdev.service" ] else optional (dev != null && dev != "lo" && !config.boot.isContainer) (subsystemDevice dev); @@ -192,7 +191,7 @@ let if out=$(ip addr add "${cidr}" dev "${i.name}" 2>&1); then echo "done" elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then - echo "failed" + echo "'ip addr add "${cidr}" dev "${i.name}"' failed: $out" exit 1 fi '' @@ -213,7 +212,7 @@ let if out=$(ip route add "${cidr}" ${options} ${via} dev "${i.name}" 2>&1); then echo "done" elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then - echo "failed" + echo "'ip route add "${cidr}" ${options} ${via} dev "${i.name}"' failed: $out" exit 1 fi '' @@ -288,6 +287,17 @@ let ${i} '')}" > /run/${n}.interfaces + ${optionalString config.virtualisation.libvirtd.enable '' + # Enslave dynamically added interfaces which may be lost on nixos-rebuild + for uri in qemu:///system lxc:///; do + for dom in $(${pkgs.libvirt}/bin/virsh -c $uri list --name); do + ${pkgs.libvirt}/bin/virsh -c $uri dumpxml "$dom" | \ + ${pkgs.xmlstarlet}/bin/xmlstarlet sel -t -m "//domain/devices/interface[@type='bridge'][source/@bridge='${n}'][target/@dev]" -v "concat('ip link set ',target/@dev,' master ',source/@bridge,';')" | \ + ${pkgs.bash}/bin/bash + done + done + ''} + # Enable stp on the interface ${optionalString v.rstp '' echo 2 >/sys/class/net/${n}/bridge/stp_state diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index 5036b701bd86..14f9b9567515 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -26,7 +26,7 @@ let executable = true; destination = "/bin/bridge-stp"; text = '' - #!${pkgs.stdenv.shell} -e + #!${pkgs.runtimeShell} -e export PATH="${pkgs.mstpd}/bin" BRIDGES=(${concatStringsSep " " (attrNames rstpBridges)}) @@ -62,35 +62,6 @@ let then mapAttrsToList (n: v: v//{_iName=n;}) (filterAttrs (n: _: n==device) interfaces) ++ mapAttrsToList (n: v: v//{_iName=n;}) (filterAttrs (n: _: n!=device) interfaces) else mapAttrsToList (n: v: v // {_iName = n;}) interfaces; - # udev script that configures a physical wlan device and adds virtual interfaces - wlanDeviceUdevScript = device: interfaceList: pkgs.writeScript "wlan-${device}-udev-script" '' - #!${pkgs.stdenv.shell} - - # Change the wireless phy device to a predictable name. - if [ -e "/sys/class/net/${device}/phy80211/name" ]; then - ${pkgs.iw}/bin/iw phy `${pkgs.coreutils}/bin/cat /sys/class/net/${device}/phy80211/name` set name ${device} || true - fi - - # Crate new, virtual interfaces and configure them at the same time - ${flip concatMapStrings (drop 1 interfaceList) (i: '' - ${pkgs.iw}/bin/iw dev ${device} interface add ${i._iName} type ${i.type} \ - ${optionalString (i.type == "mesh" && i.meshID != null) "mesh_id ${i.meshID}"} \ - ${optionalString (i.type == "monitor" && i.flags != null) "flags ${i.flags}"} \ - ${optionalString (i.type == "managed" && i.fourAddr != null) "4addr ${if i.fourAddr then "on" else "off"}"} \ - ${optionalString (i.mac != null) "addr ${i.mac}"} - '')} - - # Reconfigure and rename the default interface that already exists - ${flip concatMapStrings (take 1 interfaceList) (i: '' - ${pkgs.iw}/bin/iw dev ${device} set type ${i.type} - ${optionalString (i.type == "mesh" && i.meshID != null) "${pkgs.iw}/bin/iw dev ${device} set meshid ${i.meshID}"} - ${optionalString (i.type == "monitor" && i.flags != null) "${pkgs.iw}/bin/iw dev ${device} set monitor ${i.flags}"} - ${optionalString (i.type == "managed" && i.fourAddr != null) "${pkgs.iw}/bin/iw dev ${device} set 4addr ${if i.fourAddr then "on" else "off"}"} - ${optionalString (i.mac != null) "${pkgs.iproute}/bin/ip link set dev ${device} address ${i.mac}"} - ${optionalString (device != i._iName) "${pkgs.iproute}/bin/ip link set dev ${device} name ${i._iName}"} - '')} - ''; - # We must escape interfaces due to the systemd interpretation subsystemDevice = interface: "sys-subsystem-net-devices-${escapeSystemdPath interface}.device"; @@ -142,7 +113,7 @@ let default = { }; example = { mtu = "1492"; window = "524288"; }; description = '' - Other route options. See the symbol <literal>OPTION</literal> + Other route options. See the symbol <literal>OPTIONS</literal> in the <literal>ip-route(8)</literal> manual page for the details. ''; }; @@ -191,7 +162,7 @@ let preferTempAddress = mkOption { type = types.bool; default = cfg.enableIPv6; - defaultText = literalExample "config.networking.enableIpv6"; + defaultText = literalExample "config.networking.enableIPv6"; description = '' When using SLAAC prefer a temporary (IPv6) address over the EUI-64 address for originating connections. This is used to reduce tracking. @@ -489,7 +460,7 @@ in networking.interfaces = mkOption { default = {}; example = - { eth0.ipv4 = [ { + { eth0.ipv4.addresses = [ { address = "131.211.84.78"; prefixLength = 25; } ]; @@ -1158,7 +1129,7 @@ in # The script creates the required, new WLAN interfaces interfaces and configures the # existing, default interface. curInterfaceScript = device: current: new: pkgs.writeScript "udev-run-script-wlan-interfaces-${device}.sh" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} # Change the wireless phy device to a predictable name. ${pkgs.iw}/bin/iw phy `${pkgs.coreutils}/bin/cat /sys/class/net/$INTERFACE/phy80211/name` set name ${device} @@ -1177,7 +1148,7 @@ in # Udev script to execute for a new WLAN interface. The script configures the new WLAN interface. newInterfaceScript = device: new: pkgs.writeScript "udev-run-script-wlan-interfaces-${new._iName}.sh" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} # Configure the new interface ${pkgs.iw}/bin/iw dev ${new._iName} set type ${new.type} ${optionalString (new.type == "mesh" && new.meshID!=null) "${pkgs.iw}/bin/iw dev ${device} set meshid ${new.meshID}"} diff --git a/nixos/modules/virtualisation/amazon-init.nix b/nixos/modules/virtualisation/amazon-init.nix index a7362423eb46..8032b2c6d7ca 100644 --- a/nixos/modules/virtualisation/amazon-init.nix +++ b/nixos/modules/virtualisation/amazon-init.nix @@ -2,7 +2,7 @@ let script = '' - #!${pkgs.stdenv.shell} -eu + #!${pkgs.runtimeShell} -eu echo "attempting to fetch configuration from EC2 user data..." diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix index 6817eb837a01..b7ab54aab7ec 100644 --- a/nixos/modules/virtualisation/azure-agent.nix +++ b/nixos/modules/virtualisation/azure-agent.nix @@ -47,7 +47,7 @@ let }; provisionedHook = pkgs.writeScript "provisioned-hook" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} ${config.systemd.package}/bin/systemctl start provisioned.target ''; @@ -66,6 +66,10 @@ in default = false; description = "Whether to enable verbose logging."; }; + mountResourceDisk = mkOption { + default = true; + description = "Whether the agent should format (ext4) and mount the resource disk to /mnt/resource."; + }; }; ###### implementation @@ -112,7 +116,7 @@ in Provisioning.ExecuteCustomData=n # Format if unformatted. If 'n', resource disk will not be mounted. - ResourceDisk.Format=y + ResourceDisk.Format=${if cfg.mountResourceDisk then "y" else "n"} # File system on the resource disk # Typically ext3 or ext4. FreeBSD images should use 'ufs2' here. @@ -181,7 +185,7 @@ in after = [ "network-online.target" "sshd.service" ]; wants = [ "network-online.target" ]; - path = [ pkgs.e2fsprogs ]; + path = [ pkgs.e2fsprogs pkgs.bash ]; description = "Windows Azure Agent Service"; unitConfig.ConditionPathExists = "/etc/waagent.conf"; serviceConfig = { diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix index 4038454b2d2f..248c2fc1fb23 100644 --- a/nixos/modules/virtualisation/containers.nix +++ b/nixos/modules/virtualisation/containers.nix @@ -33,7 +33,7 @@ let in pkgs.writeScript "container-init" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e # Initialise the container side of the veth pair. if [ "$PRIVATE_NETWORK" = 1 ]; then @@ -112,7 +112,7 @@ let # If the host is 64-bit and the container is 32-bit, add a # --personality flag. - ${optionalString (config.nixpkgs.system == "x86_64-linux") '' + ${optionalString (config.nixpkgs.localSystem.system == "x86_64-linux") '' if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then extraFlags+=" --personality=x86" fi @@ -223,7 +223,7 @@ let serviceDirectives = cfg: { ExecReload = pkgs.writeScript "reload-container" '' - #! ${pkgs.stdenv.shell} -e + #! ${pkgs.runtimeShell} -e ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \ bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test" ''; @@ -255,7 +255,7 @@ let }; - system = config.nixpkgs.system; + system = config.nixpkgs.localSystem.system; bindMountOpts = { name, config, ... }: { @@ -575,6 +575,16 @@ in ''; }; + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + example = [ "--drop-capability=CAP_SYS_CHROOT" ]; + description = '' + Extra flags passed to the systemd-nspawn command. + See systemd-nspawn(1) for details. + ''; + }; + } // networkOptions; config = mkMerge @@ -714,7 +724,9 @@ in ${optionalString cfg.autoStart '' AUTO_START=1 ''} - EXTRA_NSPAWN_FLAGS="${mkBindFlags cfg.bindMounts}" + EXTRA_NSPAWN_FLAGS="${mkBindFlags cfg.bindMounts + + optionalString (cfg.extraFlags != []) + (" " + concatStringsSep " " cfg.extraFlags)}" ''; }) config.containers; diff --git a/nixos/modules/virtualisation/ec2-amis.nix b/nixos/modules/virtualisation/ec2-amis.nix index 01512911a057..baffad79b001 100644 --- a/nixos/modules/virtualisation/ec2-amis.nix +++ b/nixos/modules/virtualisation/ec2-amis.nix @@ -240,5 +240,22 @@ let self = { "17.09".sa-east-1.hvm-ebs = "ami-4762202b"; "17.09".ap-south-1.hvm-ebs = "ami-4e376021"; - latest = self."17.09"; + # 18.03.131792.becbe4dbe16 + "18.03".eu-west-1.hvm-ebs = "ami-cda4fab4"; + "18.03".eu-west-2.hvm-ebs = "ami-d96786be"; + "18.03".eu-west-3.hvm-ebs = "ami-6b0cba16"; + "18.03".eu-central-1.hvm-ebs = "ami-5e2b75b5"; + "18.03".us-east-1.hvm-ebs = "ami-d464cba9"; + "18.03".us-east-2.hvm-ebs = "ami-fd221298"; + "18.03".us-west-1.hvm-ebs = "ami-ff0d1d9f"; + "18.03".us-west-2.hvm-ebs = "ami-c05c3bb8"; + "18.03".ca-central-1.hvm-ebs = "ami-cc72f4a8"; + "18.03".ap-southeast-1.hvm-ebs = "ami-b61633ca"; + "18.03".ap-southeast-2.hvm-ebs = "ami-530fc131"; + "18.03".ap-northeast-1.hvm-ebs = "ami-90d6c0ec"; + "18.03".ap-northeast-2.hvm-ebs = "ami-a1248bcf"; + "18.03".sa-east-1.hvm-ebs = "ami-b090c6dc"; + "18.03".ap-south-1.hvm-ebs = "ami-32c9ec5d"; + + latest = self."18.03"; }; in self diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 155a33b3bb37..0b6bec786da4 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -2,7 +2,7 @@ with lib; let - diskSize = 1024; # MB + diskSize = 1536; # MB gce = pkgs.google-compute-engine; in { @@ -57,6 +57,12 @@ in # Always include cryptsetup so that NixOps can use it. environment.systemPackages = [ pkgs.cryptsetup ]; + # Make sure GCE image does not replace host key that NixOps sets + environment.etc."default/instance_configs.cfg".text = lib.mkDefault '' + [InstanceSetup] + set_host_keys = false + ''; + # Rely on GCP's firewall instead networking.firewall.enable = mkDefault false; @@ -69,6 +75,9 @@ in networking.usePredictableInterfaceNames = false; + # GC has 1460 MTU + networking.interfaces.eth0.mtu = 1460; + # allow the google-accounts-daemon to manage users users.mutableUsers = true; # and allow users to sudo without password diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix index a369b7ddbe1d..024db7f87c2e 100644 --- a/nixos/modules/virtualisation/libvirtd.nix +++ b/nixos/modules/virtualisation/libvirtd.nix @@ -119,18 +119,10 @@ in { after = [ "systemd-udev-settle.service" ] ++ optional vswitch.enable "vswitchd.service"; - environment = { - LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}''; - }; + environment.LIBVIRTD_ARGS = ''--config "${configFile}" ${concatStringsSep " " cfg.extraOptions}''; - path = with pkgs; [ - bridge-utils - dmidecode - dnsmasq - ebtables - cfg.qemuPackage # libvirtd requires qemu-img to manage disk images - ] - ++ optional vswitch.enable vswitch.package; + path = [ cfg.qemuPackage ] # libvirtd requires qemu-img to manage disk images + ++ optional vswitch.enable vswitch.package; preStart = '' mkdir -p /var/log/libvirt/qemu -m 755 diff --git a/nixos/modules/virtualisation/lxc.nix b/nixos/modules/virtualisation/lxc.nix index 2310fe984325..9b5adaf08249 100644 --- a/nixos/modules/virtualisation/lxc.nix +++ b/nixos/modules/virtualisation/lxc.nix @@ -74,6 +74,9 @@ in systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; security.apparmor.packages = [ pkgs.lxc ]; - security.apparmor.profiles = [ "${pkgs.lxc}/etc/apparmor.d/lxc-containers" ]; + security.apparmor.profiles = [ + "${pkgs.lxc}/etc/apparmor.d/lxc-containers" + "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start" + ]; }; } diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 4988886baf60..3e76cdacfc4b 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -15,28 +15,34 @@ in options = { - virtualisation.lxd.enable = - mkOption { + virtualisation.lxd = { + enable = mkOption { type = types.bool; default = false; - description = - '' - This option enables lxd, a daemon that manages - containers. Users in the "lxd" group can interact with - the daemon (e.g. to start or stop containers) using the - <command>lxc</command> command line tool, among others. - ''; + description = '' + This option enables lxd, a daemon that manages + containers. Users in the "lxd" group can interact with + the daemon (e.g. to start or stop containers) using the + <command>lxc</command> command line tool, among others. + ''; }; - + zfsSupport = mkOption { + type = types.bool; + default = false; + description = '' + enables lxd to use zfs as a storage for containers. + This option is enabled by default if a zfs pool is configured + with nixos. + ''; + }; + }; }; - ###### implementation config = mkIf cfg.enable { - environment.systemPackages = - [ pkgs.lxd ]; + environment.systemPackages = [ pkgs.lxd ]; security.apparmor = { enable = true; @@ -47,31 +53,31 @@ in packages = [ pkgs.lxc ]; }; - systemd.services.lxd = - { description = "LXD Container Management Daemon"; + systemd.services.lxd = { + description = "LXD Container Management Daemon"; - wantedBy = [ "multi-user.target" ]; - after = [ "systemd-udev-settle.service" ]; + wantedBy = [ "multi-user.target" ]; + after = [ "systemd-udev-settle.service" ]; - # TODO(wkennington): Add lvm2 and thin-provisioning-tools - path = with pkgs; [ acl rsync gnutar xz btrfs-progs gzip dnsmasq squashfsTools iproute iptables ]; + path = lib.optional cfg.zfsSupport pkgs.zfs; - preStart = '' - mkdir -m 0755 -p /var/lib/lxc/rootfs - ''; + preStart = '' + mkdir -m 0755 -p /var/lib/lxc/rootfs + ''; - serviceConfig.ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --syslog --group lxd"; - serviceConfig.Type = "simple"; - serviceConfig.KillMode = "process"; # when stopping, leave the containers alone + serviceConfig = { + ExecStart = "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd"; + Type = "simple"; + KillMode = "process"; # when stopping, leave the containers alone }; + }; + users.extraGroups.lxd.gid = config.ids.gids.lxd; users.extraUsers.root = { subUidRanges = [ { startUid = 1000000; count = 65536; } ]; subGidRanges = [ { startGid = 1000000; count = 65536; } ]; }; - }; - } diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix index 4218a3840fc1..38b138e06326 100644 --- a/nixos/modules/virtualisation/openvswitch.nix +++ b/nixos/modules/virtualisation/openvswitch.nix @@ -169,7 +169,7 @@ in { mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/} ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey ln -fs ${pkgs.writeScript "racoon-restart" '' - #!${pkgs.stdenv.shell} + #!${pkgs.runtimeShell} /var/run/current-system/sw/bin/systemctl $1 racoon ''} ${runDir}/ipsec/etc/init.d/racoon ''; diff --git a/nixos/modules/virtualisation/parallels-guest.nix b/nixos/modules/virtualisation/parallels-guest.nix index fc0409e9ec77..36ca7f356d44 100644 --- a/nixos/modules/virtualisation/parallels-guest.nix +++ b/nixos/modules/virtualisation/parallels-guest.nix @@ -3,9 +3,7 @@ with lib; let - - prl-tools = config.boot.kernelPackages.prl-tools; - + prl-tools = config.hardware.parallels.package; in { @@ -22,6 +20,26 @@ in ''; }; + autoMountShares = mkOption { + type = types.bool; + default = true; + description = '' + Control prlfsmountd service. When this service is running, shares can not be manually + mounted through `mount -t prl_fs ...` as this service will remount and trample any set options. + Recommended to enable for simple file sharing, but extended share use such as for code should + disable this to manually mount shares. + ''; + }; + + package = mkOption { + type = types.package; + default = config.boot.kernelPackages.prl-tools; + defaultText = "config.boot.kernelPackages.prl-tools"; + example = literalExample "config.boot.kernelPackages.prl-tools"; + description = '' + Defines which package to use for prl-tools. Override to change the version. + ''; + }; }; }; @@ -67,7 +85,7 @@ in }; }; - systemd.services.prlfsmountd = { + systemd.services.prlfsmountd = mkIf config.hardware.parallels.autoMountShares { description = "Parallels Shared Folders Daemon"; wantedBy = [ "multi-user.target" ]; serviceConfig = rec { diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 13d0eb7de5c2..66ff43c8547d 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -27,10 +27,25 @@ let kernelConsole = if cfg.graphics then "" else "console=${qemuSerialDevice}"; ttys = [ "tty1" "tty2" "tty3" "tty4" "tty5" "tty6" ]; + # XXX: This is very ugly and in the future we really should use attribute + # sets to build ALL of the QEMU flags instead of this mixed mess of Nix + # expressions and shell script stuff. + mkDiskIfaceDriveFlag = idx: driveArgs: let + inherit (cfg.qemu) diskInterface; + # The drive identifier created by incrementing the index by one using the + # shell. + drvId = "drive$((${idx} + 1))"; + # NOTE: DO NOT shell escape, because this may contain shell variables. + commonArgs = "index=${idx},id=${drvId},${driveArgs}"; + isSCSI = diskInterface == "scsi"; + devArgs = "${diskInterface}-hd,drive=${drvId}"; + args = "-drive ${commonArgs},if=none -device lsi53c895a -device ${devArgs}"; + in if isSCSI then args else "-drive ${commonArgs},if=${diskInterface}"; + # Shell script to start the VM. startVM = '' - #! ${pkgs.stdenv.shell} + #! ${pkgs.runtimeShell} NIX_DISK_IMAGE=$(readlink -f ''${NIX_DISK_IMAGE:-${config.virtualisation.diskImage}}) @@ -68,7 +83,7 @@ let if ! test -e "empty$idx.qcow2"; then ${qemu}/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "${toString size}M" fi - extraDisks="$extraDisks -drive index=$idx,file=$(pwd)/empty$idx.qcow2,if=${cfg.qemu.diskInterface},werror=report" + extraDisks="$extraDisks ${mkDiskIfaceDriveFlag "$idx" "file=$(pwd)/empty$idx.qcow2,werror=report"}" idx=$((idx + 1)) '')} @@ -77,19 +92,20 @@ let -name ${vmName} \ -m ${toString config.virtualisation.memorySize} \ -smp ${toString config.virtualisation.cores} \ + -device virtio-rng-pci \ ${concatStringsSep " " config.virtualisation.qemu.networkingOptions} \ -virtfs local,path=/nix/store,security_model=none,mount_tag=store \ -virtfs local,path=$TMPDIR/xchg,security_model=none,mount_tag=xchg \ -virtfs local,path=''${SHARED_DIR:-$TMPDIR/xchg},security_model=none,mount_tag=shared \ ${if cfg.useBootLoader then '' - -drive index=0,id=drive1,file=$NIX_DISK_IMAGE,if=${cfg.qemu.diskInterface},cache=writeback,werror=report \ - -drive index=1,id=drive2,file=$TMPDIR/disk.img,media=disk \ + ${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \ + ${mkDiskIfaceDriveFlag "1" "file=$TMPDIR/disk.img,media=disk"} \ ${if cfg.useEFIBoot then '' -pflash $TMPDIR/bios.bin \ '' else '' ''} '' else '' - -drive index=0,id=drive1,file=$NIX_DISK_IMAGE,if=${cfg.qemu.diskInterface},cache=writeback,werror=report \ + ${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \ -kernel ${config.system.build.toplevel}/kernel \ -initrd ${config.system.build.toplevel}/initrd \ -append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${kernelConsole} $QEMU_KERNEL_PARAMS" \ @@ -98,7 +114,7 @@ let ${qemuGraphics} \ ${toString config.virtualisation.qemu.options} \ $QEMU_OPTS \ - $@ + "$@" ''; @@ -319,8 +335,8 @@ in networkingOptions = mkOption { default = [ - "-net nic,vlan=0,model=virtio" - "-net user,vlan=0\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}" + "-net nic,netdev=user.0,model=virtio" + "-netdev user,id=user.0\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}" ]; type = types.listOf types.str; description = '' @@ -337,11 +353,8 @@ in mkOption { default = "virtio"; example = "scsi"; - type = types.str; - description = '' - The interface used for the virtual hard disks - (<literal>virtio</literal> or <literal>scsi</literal>). - ''; + type = types.enum [ "virtio" "scsi" "ide" ]; + description = "The interface used for the virtual hard disks."; }; }; @@ -434,9 +447,11 @@ in virtualisation.pathsInNixDB = [ config.system.build.toplevel ]; - # FIXME: Figure out how to make this work on non-x86 - virtualisation.qemu.options = - mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ "-vga std" "-usbdevice tablet" ]; + # FIXME: Consolidate this one day. + virtualisation.qemu.options = mkMerge [ + (mkIf (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [ "-vga std" "-usb" "-device usb-tablet,bus=usb-bus.0" ]) + (mkIf (pkgs.stdenv.isAarch32 || pkgs.stdenv.isAarch64) [ "-device virtio-gpu-pci" "-device usb-ehci,id=usb0" "-device usb-kbd" "-device usb-tablet" ]) + ]; # Mount the host filesystem via 9P, and bind-mount the Nix store # of the host into our own filesystem. We use mkVMOverride to diff --git a/nixos/modules/virtualisation/virtualbox-host.nix b/nixos/modules/virtualisation/virtualbox-host.nix index 7413e12c8f3d..885d752577d5 100644 --- a/nixos/modules/virtualisation/virtualbox-host.nix +++ b/nixos/modules/virtualisation/virtualbox-host.nix @@ -6,7 +6,7 @@ let cfg = config.virtualisation.virtualbox.host; virtualbox = pkgs.virtualbox.override { - inherit (cfg) enableHardening headless; + inherit (cfg) enableExtensionPack enableHardening headless; }; kernelModules = config.boot.kernelPackages.virtualbox.override { @@ -17,9 +17,7 @@ in { options.virtualisation.virtualbox.host = { - enable = mkOption { - type = types.bool; - default = false; + enable = mkEnableOption "VirtualBox" // { description = '' Whether to enable VirtualBox. @@ -30,6 +28,8 @@ in ''; }; + enableExtensionPack = mkEnableOption "VirtualBox extension pack"; + addNetworkInterface = mkOption { type = types.bool; default = true; diff --git a/nixos/modules/virtualisation/xen-dom0.nix b/nixos/modules/virtualisation/xen-dom0.nix index afc5a42f8b4e..cf57868acef9 100644 --- a/nixos/modules/virtualisation/xen-dom0.nix +++ b/nixos/modules/virtualisation/xen-dom0.nix @@ -241,6 +241,12 @@ in ''; target = "default/xendomains"; } + ] + ++ lib.optionals (builtins.compareVersions cfg.package.version "4.10" >= 0) [ + # in V 4.10 oxenstored requires /etc/xen/oxenstored.conf to start + { source = "${cfg.package}/etc/xen/oxenstored.conf"; + target = "xen/oxenstored.conf"; + } ]; # Xen provides udev rules. @@ -262,7 +268,7 @@ in mkdir -p /var/lib/xen # so we create them here unconditionally. grep -q control_d /proc/xen/capabilities ''; - serviceConfig = if cfg.package.version < "4.8" then + serviceConfig = if (builtins.compareVersions cfg.package.version "4.8" < 0) then { ExecStart = '' ${cfg.stored}${optionalString cfg.trace " -T /var/log/xen/xenstored-trace.log"} --no-fork ''; @@ -275,7 +281,7 @@ in NotifyAccess = "all"; }; postStart = '' - ${optionalString (cfg.package.version < "4.8") '' + ${optionalString (builtins.compareVersions cfg.package.version "4.8" < 0) '' time=0 timeout=30 # Wait for xenstored to actually come up, timing out after 30 seconds @@ -320,7 +326,7 @@ in serviceConfig = { ExecStart = '' ${cfg.package}/bin/xenconsoled\ - ${optionalString ((cfg.package.version >= "4.8")) " -i"}\ + ${optionalString ((builtins.compareVersions cfg.package.version "4.8" >= 0)) " -i"}\ ${optionalString cfg.trace " --log=all --log-dir=/var/log/xen"} ''; }; diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 9d4a551a958b..e010b532a688 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -52,17 +52,17 @@ in rec { (all nixos.dummy) (all nixos.manual) - nixos.iso_minimal.x86_64-linux - nixos.iso_minimal.i686-linux - nixos.iso_graphical.x86_64-linux - nixos.ova.x86_64-linux + nixos.iso_minimal.x86_64-linux or [] + nixos.iso_minimal.i686-linux or [] + nixos.iso_graphical.x86_64-linux or [] + nixos.ova.x86_64-linux or [] #(all nixos.tests.containers) - nixos.tests.chromium.x86_64-linux + nixos.tests.chromium.x86_64-linux or [] (all nixos.tests.firefox) (all nixos.tests.firewall) (all nixos.tests.gnome3) - nixos.tests.installer.zfsroot.x86_64-linux # ZFS is 64bit only + nixos.tests.installer.zfsroot.x86_64-linux or [] # ZFS is 64bit only (all nixos.tests.installer.lvm) (all nixos.tests.installer.luksroot) (all nixos.tests.installer.separateBoot) @@ -81,7 +81,7 @@ in rec { (all nixos.tests.boot.uefiUsb) (all nixos.tests.boot-stage1) (all nixos.tests.hibernate) - nixos.tests.docker.x86_64-linux + nixos.tests.docker.x86_64-linux or [] (all nixos.tests.ecryptfs) (all nixos.tests.env) (all nixos.tests.ipv6) diff --git a/nixos/release-small.nix b/nixos/release-small.nix index 2b532c70763f..4bfb9a423f7d 100644 --- a/nixos/release-small.nix +++ b/nixos/release-small.nix @@ -50,6 +50,10 @@ in rec { separateBoot simple; }; + boot = { + inherit (nixos'.tests.boot) + biosCdrom; + }; }; }; diff --git a/nixos/release.nix b/nixos/release.nix index 558bbbf9a9d4..5b6640f1d3cc 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -1,4 +1,4 @@ -{ nixpkgs ? { outPath = (import ../lib).cleanSource ./..; revCount = 56789; shortRev = "gfedcba"; } +{ nixpkgs ? { outPath = (import ../lib).cleanSource ./..; revCount = 130979; shortRev = "gfedcba"; } , stableBranch ? false , supportedSystems ? [ "x86_64-linux" "aarch64-linux" ] }: @@ -16,11 +16,15 @@ let inherit system; } // args); - callTestOnTheseSystems = systems: fn: args: forTheseSystems systems (system: hydraJob (importTest fn args system)); - callTest = callTestOnTheseSystems supportedSystems; + # Note: only supportedSystems are considered. + callTestOnMatchingSystems = systems: fn: args: + forMatchingSystems + (intersectLists supportedSystems systems) + (system: hydraJob (importTest fn args system)); + callTest = callTestOnMatchingSystems supportedSystems; - callSubTests = callSubTestsOnTheseSystems supportedSystems; - callSubTestsOnTheseSystems = systems: fn: args: let + callSubTests = callSubTestsOnMatchingSystems supportedSystems; + callSubTestsOnMatchingSystems = systems: fn: args: let discover = attrs: let subTests = filterAttrs (const (hasAttr "test")) attrs; in mapAttrs (const (t: hydraJob t.test)) subTests; @@ -51,6 +55,17 @@ let }).config.system.build.isoImage); + makeSdImage = + { module, maintainers ? ["dezgeg"], system }: + + with import nixpkgs { inherit system; }; + + hydraJob ((import lib/eval-config.nix { + inherit system; + modules = [ module versionModule ]; + }).config.system.build.sdImage); + + makeSystemTarball = { module, maintainers ? ["viric"], system }: @@ -109,7 +124,6 @@ let preferLocalBuild = true; }; - in rec { channel = import lib/make-channel.nix { inherit pkgs nixpkgs version versionSuffix; }; @@ -117,13 +131,14 @@ in rec { manual = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.manual); manualEpub = (buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.manualEpub)); manpages = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.manpages); + manualGeneratedSources = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.generatedSources); options = (buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.manual.optionsJSON)).x86_64-linux; # Build the initial ramdisk so Hydra can keep track of its size over time. initialRamdisk = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.initialRamdisk); - netboot = forTheseSystems [ "x86_64-linux" "aarch64-linux" ] (system: makeNetboot { + netboot = forMatchingSystems [ "x86_64-linux" "aarch64-linux" ] (system: makeNetboot { inherit system; modules = [ ./modules/installer/netboot/netboot-minimal.nix @@ -137,7 +152,7 @@ in rec { inherit system; }); - iso_graphical = forTheseSystems [ "x86_64-linux" ] (system: makeIso { + iso_graphical = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { module = ./modules/installer/cd-dvd/installation-cd-graphical-kde.nix; type = "graphical"; inherit system; @@ -145,15 +160,23 @@ in rec { # A variant with a more recent (but possibly less stable) kernel # that might support more hardware. - iso_minimal_new_kernel = forTheseSystems [ "x86_64-linux" ] (system: makeIso { + iso_minimal_new_kernel = forMatchingSystems [ "x86_64-linux" ] (system: makeIso { module = ./modules/installer/cd-dvd/installation-cd-minimal-new-kernel.nix; type = "minimal-new-kernel"; inherit system; }); + sd_image = forMatchingSystems [ "armv6l-linux" "armv7l-linux" "aarch64-linux" ] (system: makeSdImage { + module = { + armv6l-linux = ./modules/installer/cd-dvd/sd-image-raspberrypi.nix; + armv7l-linux = ./modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix; + aarch64-linux = ./modules/installer/cd-dvd/sd-image-aarch64.nix; + }.${system}; + inherit system; + }); # A bootable VirtualBox virtual appliance as an OVA file (i.e. packaged OVF). - ova = forTheseSystems [ "x86_64-linux" ] (system: + ova = forMatchingSystems [ "x86_64-linux" ] (system: with import nixpkgs { inherit system; }; @@ -229,8 +252,9 @@ in rec { tests.boot-stage1 = callTest tests/boot-stage1.nix {}; tests.borgbackup = callTest tests/borgbackup.nix {}; tests.buildbot = callTest tests/buildbot.nix {}; - tests.cadvisor = callTestOnTheseSystems ["x86_64-linux"] tests/cadvisor.nix {}; - tests.chromium = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/chromium.nix {}).stable; + tests.cadvisor = callTestOnMatchingSystems ["x86_64-linux"] tests/cadvisor.nix {}; + tests.ceph = callTestOnMatchingSystems ["x86_64-linux"] tests/ceph.nix {}; + tests.chromium = (callSubTestsOnMatchingSystems ["x86_64-linux"] tests/chromium.nix {}).stable or {}; tests.cjdns = callTest tests/cjdns.nix {}; tests.cloud-init = callTest tests/cloud-init.nix {}; tests.containers-ipv4 = callTest tests/containers-ipv4.nix {}; @@ -244,21 +268,23 @@ in rec { tests.containers-hosts = callTest tests/containers-hosts.nix {}; tests.containers-macvlans = callTest tests/containers-macvlans.nix {}; tests.couchdb = callTest tests/couchdb.nix {}; - tests.docker = callTestOnTheseSystems ["x86_64-linux"] tests/docker.nix {}; - tests.docker-tools = callTestOnTheseSystems ["x86_64-linux"] tests/docker-tools.nix {}; - tests.docker-edge = callTestOnTheseSystems ["x86_64-linux"] tests/docker-edge.nix {}; + tests.deluge = callTest tests/deluge.nix {}; + tests.docker = callTestOnMatchingSystems ["x86_64-linux"] tests/docker.nix {}; + tests.docker-tools = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools.nix {}; + tests.docker-tools-overlay = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools-overlay.nix {}; + tests.docker-edge = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-edge.nix {}; tests.dovecot = callTest tests/dovecot.nix {}; - tests.dnscrypt-proxy = callTestOnTheseSystems ["x86_64-linux"] tests/dnscrypt-proxy.nix {}; + tests.dnscrypt-proxy = callTestOnMatchingSystems ["x86_64-linux"] tests/dnscrypt-proxy.nix {}; tests.ecryptfs = callTest tests/ecryptfs.nix {}; - tests.etcd = callTestOnTheseSystems ["x86_64-linux"] tests/etcd.nix {}; - tests.ec2-nixops = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-nixops; - tests.ec2-config = (callSubTestsOnTheseSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-config; - tests.elk = callSubTestsOnTheseSystems ["x86_64-linux"] tests/elk.nix {}; + tests.etcd = callTestOnMatchingSystems ["x86_64-linux"] tests/etcd.nix {}; + tests.ec2-nixops = (callSubTestsOnMatchingSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-nixops or {}; + tests.ec2-config = (callSubTestsOnMatchingSystems ["x86_64-linux"] tests/ec2.nix {}).boot-ec2-config or {}; + tests.elk = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/elk.nix {}; tests.env = callTest tests/env.nix {}; tests.ferm = callTest tests/ferm.nix {}; tests.firefox = callTest tests/firefox.nix {}; tests.firewall = callTest tests/firewall.nix {}; - tests.fleet = callTestOnTheseSystems ["x86_64-linux"] tests/fleet.nix {}; + tests.fleet = callTestOnMatchingSystems ["x86_64-linux"] tests/fleet.nix {}; tests.fwupd = callTest tests/fwupd.nix {}; #tests.gitlab = callTest tests/gitlab.nix {}; tests.gitolite = callTest tests/gitolite.nix {}; @@ -271,14 +297,18 @@ in rec { tests.graphite = callTest tests/graphite.nix {}; tests.hardened = callTest tests/hardened.nix { }; tests.hibernate = callTest tests/hibernate.nix {}; + tests.hitch = callTest tests/hitch {}; tests.home-assistant = callTest tests/home-assistant.nix { }; tests.hound = callTest tests/hound.nix {}; + tests.hocker-fetchdocker = callTest tests/hocker-fetchdocker {}; tests.i3wm = callTest tests/i3wm.nix {}; + tests.iftop = callTest tests/iftop.nix {}; tests.initrd-network-ssh = callTest tests/initrd-network-ssh {}; tests.installer = callSubTests tests/installer.nix {}; tests.influxdb = callTest tests/influxdb.nix {}; tests.ipv6 = callTest tests/ipv6.nix {}; tests.jenkins = callTest tests/jenkins.nix {}; + tests.osquery = callTest tests/osquery.nix {}; tests.plasma5 = callTest tests/plasma5.nix {}; tests.plotinus = callTest tests/plotinus.nix {}; tests.keymap = callSubTests tests/keymap.nix {}; @@ -290,7 +320,10 @@ in rec { tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {}; tests.kernel-latest = callTest tests/kernel-latest.nix {}; tests.kernel-lts = callTest tests/kernel-lts.nix {}; - tests.kubernetes = hydraJob (import tests/kubernetes/default.nix { system = "x86_64-linux"; }); + tests.kubernetes.dns = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/dns.nix {}; + ## kubernetes.e2e should eventually replace kubernetes.rbac when it works + #tests.kubernetes.e2e = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/e2e.nix {}; + tests.kubernetes.rbac = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/rbac.nix {}; tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; }; tests.ldap = callTest tests/ldap.nix {}; #tests.lightdm = callTest tests/lightdm.nix {}; @@ -320,13 +353,14 @@ in rec { tests.nginx = callTest tests/nginx.nix { }; tests.nghttpx = callTest tests/nghttpx.nix { }; tests.nix-ssh-serve = callTest tests/nix-ssh-serve.nix { }; - tests.novacomd = callTestOnTheseSystems ["x86_64-linux"] tests/novacomd.nix { }; + tests.novacomd = callTestOnMatchingSystems ["x86_64-linux"] tests/novacomd.nix { }; tests.leaps = callTest tests/leaps.nix { }; tests.nsd = callTest tests/nsd.nix {}; tests.openssh = callTest tests/openssh.nix {}; + tests.openldap = callTest tests/openldap.nix {}; tests.owncloud = callTest tests/owncloud.nix {}; tests.pam-oath-login = callTest tests/pam-oath-login.nix {}; - #tests.panamax = callTestOnTheseSystems ["x86_64-linux"] tests/panamax.nix {}; + #tests.panamax = callTestOnMatchingSystems ["x86_64-linux"] tests/panamax.nix {}; tests.peerflix = callTest tests/peerflix.nix {}; tests.php-pcre = callTest tests/php-pcre.nix {}; tests.postgresql = callSubTests tests/postgresql.nix {}; @@ -337,9 +371,9 @@ in rec { tests.predictable-interface-names = callSubTests tests/predictable-interface-names.nix {}; tests.printing = callTest tests/printing.nix {}; tests.prometheus = callTest tests/prometheus.nix {}; + tests.prosody = callTest tests/prosody.nix {}; tests.proxy = callTest tests/proxy.nix {}; - tests.pumpio = callTest tests/pump.io.nix {}; - # tests.quagga = callTest tests/quagga.nix {}; + tests.quagga = callTest tests/quagga.nix {}; tests.quake3 = callTest tests/quake3.nix {}; tests.rabbitmq = callTest tests/rabbitmq.nix {}; tests.radicale = callTest tests/radicale.nix {}; @@ -353,14 +387,18 @@ in rec { tests.smokeping = callTest tests/smokeping.nix {}; tests.snapper = callTest tests/snapper.nix {}; tests.statsd = callTest tests/statsd.nix {}; + tests.strongswan-swanctl = callTest tests/strongswan-swanctl.nix {}; tests.sudo = callTest tests/sudo.nix {}; + tests.systemd = callTest tests/systemd.nix {}; tests.switchTest = callTest tests/switch-test.nix {}; tests.taskserver = callTest tests/taskserver.nix {}; tests.tomcat = callTest tests/tomcat.nix {}; + tests.transmission = callTest tests/transmission.nix {}; tests.udisks2 = callTest tests/udisks2.nix {}; tests.vault = callTest tests/vault.nix {}; - tests.virtualbox = callSubTestsOnTheseSystems ["x86_64-linux"] tests/virtualbox.nix {}; + tests.virtualbox = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/virtualbox.nix {}; tests.wordpress = callTest tests/wordpress.nix {}; + tests.xautolock = callTest tests/xautolock.nix {}; tests.xfce = callTest tests/xfce.nix {}; tests.xmonad = callTest tests/xmonad.nix {}; tests.xrdp = callTest tests/xrdp.nix {}; diff --git a/nixos/tests/atd.nix b/nixos/tests/atd.nix index c2c0a716e0de..5260c8ddfb82 100644 --- a/nixos/tests/atd.nix +++ b/nixos/tests/atd.nix @@ -17,20 +17,14 @@ import ./make-test.nix ({ pkgs, lib, ... }: startAll; $machine->fail("test -f ~root/at-1"); - $machine->fail("test -f ~root/batch-1"); $machine->fail("test -f ~alice/at-1"); - $machine->fail("test -f ~alice/batch-1"); $machine->succeed("echo 'touch ~root/at-1' | at now+1min"); - $machine->succeed("echo 'touch ~root/batch-1' | batch"); $machine->succeed("su - alice -c \"echo 'touch at-1' | at now+1min\""); - $machine->succeed("su - alice -c \"echo 'touch batch-1' | batch\""); $machine->succeed("sleep 1.5m"); $machine->succeed("test -f ~root/at-1"); - $machine->succeed("test -f ~root/batch-1"); $machine->succeed("test -f ~alice/at-1"); - $machine->succeed("test -f ~alice/batch-1"); ''; }) diff --git a/nixos/tests/boot.nix b/nixos/tests/boot.nix index fc52cd09f209..301d9d0f817f 100644 --- a/nixos/tests/boot.nix +++ b/nixos/tests/boot.nix @@ -24,6 +24,12 @@ let my $machine = createMachine({ ${machineConfig}, qemuFlags => '-m 768' }); $machine->start; $machine->waitForUnit("multi-user.target"); + $machine->succeed("nix verify -r --no-trust /run/current-system"); + + # Test whether the channel got installed correctly. + $machine->succeed("nix-instantiate --dry-run '<nixpkgs>' -A hello"); + $machine->succeed("nix-env --dry-run -iA nixos.procps"); + $machine->shutdown; ''; }; diff --git a/nixos/tests/borgbackup.nix b/nixos/tests/borgbackup.nix index 123b02be7251..36731773de27 100644 --- a/nixos/tests/borgbackup.nix +++ b/nixos/tests/borgbackup.nix @@ -1,21 +1,162 @@ -import ./make-test.nix ({ pkgs, ...}: { +import ./make-test.nix ({ pkgs, ... }: + +let + passphrase = "supersecret"; + dataDir = "/ran:dom/data"; + excludeFile = "not_this_file"; + keepFile = "important_file"; + keepFileData = "important_data"; + localRepo = "/root/back:up"; + archiveName = "my_archive"; + remoteRepo = "borg@server:."; # No need to specify path + privateKey = pkgs.writeText "id_ed25519" '' + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrwAAAJB+cF5HfnBe + RwAAAAtzc2gtZWQyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrw + AAAEBN75NsJZSpt63faCuaD75Unko0JjlSDxMhYHAPJk2/xXHxQHThDpD9/AMWNqQer3Tg + 9gXMb2lTZMn0pelo8xyvAAAADXJzY2h1ZXR6QGt1cnQ= + -----END OPENSSH PRIVATE KEY----- + ''; + publicKey = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHxQHThDpD9/AMWNqQer3Tg9gXMb2lTZMn0pelo8xyv root@client + ''; + privateKeyAppendOnly = pkgs.writeText "id_ed25519" '' + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLwAAAJC9YTxxvWE8 + cQAAAAtzc2gtZWQyNTUxOQAAACBacZuz1ELGQdhI7PF6dGFafCDlvh8pSEc4cHjkW0QjLw + AAAEAAhV7wTl5dL/lz+PF/d4PnZXuG1Id6L/mFEiGT1tZsuFpxm7PUQsZB2Ejs8Xp0YVp8 + IOW+HylIRzhweORbRCMvAAAADXJzY2h1ZXR6QGt1cnQ= + -----END OPENSSH PRIVATE KEY----- + ''; + publicKeyAppendOnly = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpxm7PUQsZB2Ejs8Xp0YVp8IOW+HylIRzhweORbRCMv root@client + ''; + +in { name = "borgbackup"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ mic92 ]; + meta = with pkgs.stdenv.lib; { + maintainers = with maintainers; [ dotlambda ]; }; nodes = { - machine = { config, pkgs, ... }: { - environment.systemPackages = [ pkgs.borgbackup ]; + client = { config, pkgs, ... }: { + services.borgbackup.jobs = { + + local = rec { + paths = dataDir; + repo = localRepo; + preHook = '' + # Don't append a timestamp + archiveName="${archiveName}" + ''; + encryption = { + mode = "repokey"; + inherit passphrase; + }; + compression = "auto,zlib,9"; + prune.keep = { + within = "1y"; + yearly = 5; + }; + exclude = [ "*/${excludeFile}" ]; + postHook = "echo post"; + startAt = [ ]; # Do not run automatically + }; + + remote = { + paths = dataDir; + repo = remoteRepo; + encryption.mode = "none"; + startAt = [ ]; + environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519"; + }; + + remoteAppendOnly = { + paths = dataDir; + repo = remoteRepo; + encryption.mode = "none"; + startAt = [ ]; + environment.BORG_RSH = "ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly"; + }; + + }; + }; + + server = { config, pkgs, ... }: { + services.openssh = { + enable = true; + passwordAuthentication = false; + challengeResponseAuthentication = false; + }; + + services.borgbackup.repos.repo1 = { + authorizedKeys = [ publicKey ]; + path = "/data/borgbackup"; + }; + + # Second repo to make sure the authorizedKeys options are merged correctly + services.borgbackup.repos.repo2 = { + authorizedKeysAppendOnly = [ publicKeyAppendOnly ]; + path = "/data/borgbackup"; + quota = ".5G"; + }; }; }; testScript = '' - my $borg = "BORG_PASSPHRASE=supersecret borg"; - $machine->succeed("$borg init --encryption=repokey /tmp/backup"); - $machine->succeed("mkdir /tmp/data/ && echo 'data' >/tmp/data/file"); - $machine->succeed("$borg create --stats /tmp/backup::test /tmp/data"); - $machine->succeed("$borg extract /tmp/backup::test"); - $machine->succeed('c=$(cat data/file) && echo "c = $c" >&2 && [[ "$c" == "data" ]]'); + startAll; + + $client->fail('test -d "${remoteRepo}"'); + + $client->succeed("cp ${privateKey} /root/id_ed25519"); + $client->succeed("chmod 0600 /root/id_ed25519"); + $client->succeed("cp ${privateKeyAppendOnly} /root/id_ed25519.appendOnly"); + $client->succeed("chmod 0600 /root/id_ed25519.appendOnly"); + + $client->succeed("mkdir -p ${dataDir}"); + $client->succeed("touch ${dataDir}/${excludeFile}"); + $client->succeed("echo '${keepFileData}' > ${dataDir}/${keepFile}"); + + subtest "local", sub { + my $borg = "BORG_PASSPHRASE='${passphrase}' borg"; + $client->systemctl("start --wait borgbackup-job-local"); + $client->fail("systemctl is-failed borgbackup-job-local"); + # Make sure exactly one archive has been created + $client->succeed("c=\$($borg list '${localRepo}' | wc -l) && [[ \$c == '1' ]]"); + # Make sure excludeFile has been excluded + $client->fail("$borg list '${localRepo}::${archiveName}' | grep -qF '${excludeFile}'"); + # Make sure keepFile has the correct content + $client->succeed("$borg extract '${localRepo}::${archiveName}'"); + $client->succeed('c=$(cat ${dataDir}/${keepFile}) && [[ "$c" == "${keepFileData}" ]]'); + }; + + subtest "remote", sub { + my $borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519' borg"; + $server->waitForUnit("sshd.service"); + $client->waitForUnit("network.target"); + $client->systemctl("start --wait borgbackup-job-remote"); + $client->fail("systemctl is-failed borgbackup-job-remote"); + + # Make sure we can't access repos other than the specified one + $client->fail("$borg list borg\@server:wrong"); + + #TODO: Make sure that data is actually deleted + }; + + subtest "remoteAppendOnly", sub { + my $borg = "BORG_RSH='ssh -oStrictHostKeyChecking=no -i /root/id_ed25519.appendOnly' borg"; + $server->waitForUnit("sshd.service"); + $client->waitForUnit("network.target"); + $client->systemctl("start --wait borgbackup-job-remoteAppendOnly"); + $client->fail("systemctl is-failed borgbackup-job-remoteAppendOnly"); + + # Make sure we can't access repos other than the specified one + $client->fail("$borg list borg\@server:wrong"); + + #TODO: Make sure that data is not actually deleted + }; + ''; }) diff --git a/nixos/tests/ceph.nix b/nixos/tests/ceph.nix new file mode 100644 index 000000000000..b9993062c079 --- /dev/null +++ b/nixos/tests/ceph.nix @@ -0,0 +1,140 @@ +import ./make-test.nix ({pkgs, ...}: rec { + name = "All-in-one-basic-ceph-cluster"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lejonet ]; + }; + + nodes = { + aio = { config, pkgs, ... }: { + virtualisation = { + emptyDiskImages = [ 20480 20480 ]; + vlans = [ 1 ]; + }; + + networking = { + firewall.allowPing = true; + useDHCP = false; + interfaces.eth1.ipv4.addresses = pkgs.lib.mkOverride 0 [ + { address = "192.168.1.1"; prefixLength = 24; } + ]; + }; + + environment.systemPackages = with pkgs; [ + bash + sudo + ceph + xfsprogs + ]; + nixpkgs.config.packageOverrides = super: { + ceph = super.ceph.override({ nss = super.nss; libxfs = super.libxfs; libaio = super.libaio; jemalloc = super.jemalloc; }); + }; + + boot.kernelModules = [ "xfs" ]; + + services.ceph.enable = true; + services.ceph.global = { + fsid = "066ae264-2a5d-4729-8001-6ad265f50b03"; + monInitialMembers = "aio"; + monHost = "192.168.1.1"; + }; + + services.ceph.mon = { + enable = true; + daemons = [ "aio" ]; + }; + + services.ceph.mgr = { + enable = true; + daemons = [ "aio" ]; + }; + + services.ceph.osd = { + enable = true; + daemons = [ "0" "1" ]; + }; + }; + }; + + testScript = { nodes, ... }: '' + startAll; + + $aio->waitForUnit("network.target"); + + # Create the ceph-related directories + $aio->mustSucceed( + "mkdir -p /var/lib/ceph/mgr/ceph-aio/", + "mkdir -p /var/lib/ceph/mon/ceph-aio/", + "mkdir -p /var/lib/ceph/osd/ceph-{0..1}/", + "chown ceph:ceph -R /var/lib/ceph/" + ); + + # Bootstrap ceph-mon daemon + $aio->mustSucceed( + "mkdir -p /var/lib/ceph/bootstrap-osd && chown ceph:ceph /var/lib/ceph/bootstrap-osd", + "sudo -u ceph ceph-authtool --create-keyring /tmp/ceph.mon.keyring --gen-key -n mon. --cap mon 'allow *'", + "ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin --set-uid=0 --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'", + "ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/ceph.client.admin.keyring", + "monmaptool --create --add aio 192.168.1.1 --fsid 066ae264-2a5d-4729-8001-6ad265f50b03 /tmp/monmap", + "sudo -u ceph ceph-mon --mkfs -i aio --monmap /tmp/monmap --keyring /tmp/ceph.mon.keyring", + "touch /var/lib/ceph/mon/ceph-aio/done", + "systemctl start ceph-mon-aio" + ); + $aio->waitForUnit("ceph-mon-aio"); + + # Can't check ceph status until a mon is up + $aio->succeed("ceph -s | grep 'mon: 1 daemons'"); + + # Start the ceph-mgr daemon, it has no deps and hardly any setup + $aio->mustSucceed( + "ceph auth get-or-create mgr.aio mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/ceph-aio/keyring", + "systemctl start ceph-mgr-aio" + ); + $aio->waitForUnit("ceph-mgr-aio"); + $aio->waitUntilSucceeds("ceph -s | grep 'quorum aio'"); + + # Bootstrap both OSDs + $aio->mustSucceed( + "mkfs.xfs /dev/vdb", + "mkfs.xfs /dev/vdc", + "mount /dev/vdb /var/lib/ceph/osd/ceph-0", + "mount /dev/vdc /var/lib/ceph/osd/ceph-1", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-0/keyring --name osd.0 --add-key AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==", + "ceph-authtool --create-keyring /var/lib/ceph/osd/ceph-1/keyring --name osd.1 --add-key AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==", + "echo '{\"cephx_secret\": \"AQBCEJNa3s8nHRAANvdsr93KqzBznuIWm2gOGg==\"}' | ceph osd new 55ba2294-3e24-478f-bee0-9dca4c231dd9 -i -", + "echo '{\"cephx_secret\": \"AQBEEJNac00kExAAXEgy943BGyOpVH1LLlHafQ==\"}' | ceph osd new 5e97a838-85b6-43b0-8950-cb56d554d1e5 -i -" + ); + + # Initialize the OSDs with regular filestore + $aio->mustSucceed( + "ceph-osd -i 0 --mkfs --osd-uuid 55ba2294-3e24-478f-bee0-9dca4c231dd9", + "ceph-osd -i 1 --mkfs --osd-uuid 5e97a838-85b6-43b0-8950-cb56d554d1e5", + "chown -R ceph:ceph /var/lib/ceph/osd", + "systemctl start ceph-osd-0", + "systemctl start ceph-osd-1" + ); + + $aio->waitUntilSucceeds("ceph osd stat | grep '2 osds: 2 up, 2 in'"); + $aio->waitUntilSucceeds("ceph -s | grep 'mgr: aio(active)'"); + $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'"); + + $aio->mustSucceed( + "ceph osd pool create aio-test 100 100", + "ceph osd pool ls | grep 'aio-test'", + "ceph osd pool rename aio-test aio-other-test", + "ceph osd pool ls | grep 'aio-other-test'", + "ceph -s | grep '1 pools, 100 pgs'", + "ceph osd getcrushmap -o crush", + "crushtool -d crush -o decrushed", + "sed 's/step chooseleaf firstn 0 type host/step chooseleaf firstn 0 type osd/' decrushed > modcrush", + "crushtool -c modcrush -o recrushed", + "ceph osd setcrushmap -i recrushed", + "ceph osd pool set aio-other-test size 2" + ); + $aio->waitUntilSucceeds("ceph -s | grep 'HEALTH_OK'"); + $aio->waitUntilSucceeds("ceph -s | grep '100 active+clean'"); + $aio->mustFail( + "ceph osd pool ls | grep 'aio-test'", + "ceph osd pool delete aio-other-test aio-other-test --yes-i-really-really-mean-it" + ); + ''; +}) diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix index 3a2c65164766..c341e83961a8 100644 --- a/nixos/tests/chromium.nix +++ b/nixos/tests/chromium.nix @@ -94,6 +94,11 @@ mapAttrs (channel: chromiumPkg: makeTest rec { ''}"); if ($status == 0) { $ret = 1; + + # XXX: Somehow Chromium is not accepting keystrokes for a few + # seconds after a new window has appeared, so let's wait a while. + $machine->sleep(10); + last; } $machine->sleep(1); @@ -151,11 +156,11 @@ mapAttrs (channel: chromiumPkg: makeTest rec { $machine->screenshot("sandbox_info"); - $machine->succeed(ru "${xdo "submit-url" '' + $machine->succeed(ru "${xdo "find-window" '' search --sync --onlyvisible --name "sandbox status" windowfocus --sync ''}"); - $machine->succeed(ru "${xdo "submit-url" '' + $machine->succeed(ru "${xdo "copy-sandbox-info" '' key --delay 1000 Ctrl+a Ctrl+c ''}"); @@ -166,6 +171,26 @@ mapAttrs (channel: chromiumPkg: makeTest rec { && $clipboard =~ /network namespaces.*yes/mi && $clipboard =~ /seccomp.*sandbox.*yes/mi && $clipboard =~ /you are adequately sandboxed/mi; + + $machine->sleep(1); + $machine->succeed(ru "${xdo "find-window-after-copy" '' + search --onlyvisible --name "sandbox status" + ''}"); + + my $clipboard = $machine->succeed(ru "echo void | ${pkgs.xclip}/bin/xclip -i"); + $machine->succeed(ru "${xdo "copy-sandbox-info" '' + key --delay 1000 Ctrl+a Ctrl+c + ''}"); + + my $clipboard = $machine->succeed(ru "${pkgs.xclip}/bin/xclip -o"); + die "copying twice in a row does not work properly: $clipboard" + unless $clipboard =~ /namespace sandbox.*yes/mi + && $clipboard =~ /pid namespaces.*yes/mi + && $clipboard =~ /network namespaces.*yes/mi + && $clipboard =~ /seccomp.*sandbox.*yes/mi + && $clipboard =~ /you are adequately sandboxed/mi; + + $machine->screenshot("afer_copy_from_chromium"); }; $machine->shutdown; diff --git a/nixos/tests/common/letsencrypt.nix b/nixos/tests/common/letsencrypt.nix index 9b53d9d61a16..10cde45d18a8 100644 --- a/nixos/tests/common/letsencrypt.nix +++ b/nixos/tests/common/letsencrypt.nix @@ -138,8 +138,8 @@ let boulder = let owner = "letsencrypt"; repo = "boulder"; - rev = "9866abab8962a591f06db457a4b84c518cc88243"; - version = "20170510"; + rev = "9c6a1f2adc4c26d925588f5ae366cfd4efb7813a"; + version = "20180129"; in pkgs.buildGoPackage rec { name = "${repo}-${version}"; @@ -147,7 +147,7 @@ let src = pkgs.fetchFromGitHub { name = "${name}-src"; inherit rev owner repo; - sha256 = "170m5cjngbrm36wi7wschqw8jzs7kxpcyzmshq3pcrmcpigrhna1"; + sha256 = "09kszswrifm9rc6idfaq0p1mz5w21as2qbc8gd5pphrq9cf9pn55"; }; postPatch = '' @@ -168,6 +168,18 @@ let cat "${snakeOilCa}/ca.pem" > test/test-ca.pem ''; + # Until vendored pkcs11 is go 1.9 compatible + preBuild = '' + rm -r go/src/github.com/letsencrypt/boulder/vendor/github.com/miekg/pkcs11 + ''; + + extraSrcs = map mkGoDep [ + { goPackagePath = "github.com/miekg/pkcs11"; + rev = "6dbd569b952ec150d1425722dbbe80f2c6193f83"; + sha256 = "1m8g6fx7df6hf6q6zsbyw1icjmm52dmsx28rgb0h930wagvngfwb"; + } + ]; + goPackagePath = "github.com/${owner}/${repo}"; buildInputs = [ pkgs.libtool ]; }; @@ -284,7 +296,11 @@ let ocsp-updater.after = [ "boulder-publisher" ]; ocsp-responder.args = "--config ${cfgDir}/ocsp-responder.json"; ct-test-srv = {}; - mail-test-srv.args = "--closeFirst 5"; + mail-test-srv.args = let + key = "${boulderSource}/test/mail-test-srv/minica-key.pem"; + crt = "${boulderSource}/test/mail-test-srv/minica.pem"; + in + "--closeFirst 5 --cert ${crt} --key ${key}"; }; commonPath = [ softhsm pkgs.mariadb goose boulder ]; diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 7e2a54976387..015b79b1cee6 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -15,12 +15,12 @@ import ./make-test.nix ({ pkgs, ...} : { # container available within the VM, because we don't have network access. virtualisation.pathsInNixDB = let emptyContainer = import ../lib/eval-config.nix { - inherit (config.nixpkgs) system; + inherit (config.nixpkgs.localSystem) system; modules = lib.singleton { containers.foo.config = {}; }; }; - in [ pkgs.stdenv emptyContainer.config.containers.foo.path ]; + in [ pkgs.stdenv emptyContainer.config.containers.foo.path pkgs.libxslt ]; }; testScript = diff --git a/nixos/tests/containers-physical_interfaces.nix b/nixos/tests/containers-physical_interfaces.nix index bd1228b8e37d..bde8e175f953 100644 --- a/nixos/tests/containers-physical_interfaces.nix +++ b/nixos/tests/containers-physical_interfaces.nix @@ -52,7 +52,7 @@ import ./make-test.nix ({ pkgs, ...} : { config = { networking.bonds.bond0 = { interfaces = [ "eth1" ]; - mode = "active-backup"; + driverOptions.mode = "active-backup"; }; networking.interfaces.bond0.ipv4.addresses = [ { address = "10.10.0.3"; prefixLength = 24; } @@ -73,7 +73,7 @@ import ./make-test.nix ({ pkgs, ...} : { config = { networking.bonds.bond0 = { interfaces = [ "eth1" ]; - mode = "active-backup"; + driverOptions.mode = "active-backup"; }; networking.bridges.br0.interfaces = [ "bond0" ]; networking.interfaces.br0.ipv4.addresses = [ diff --git a/nixos/tests/containers-tmpfs.nix b/nixos/tests/containers-tmpfs.nix index 564831fa2737..873dd364369f 100644 --- a/nixos/tests/containers-tmpfs.nix +++ b/nixos/tests/containers-tmpfs.nix @@ -1,7 +1,7 @@ # Test for NixOS' container support. import ./make-test.nix ({ pkgs, ...} : { - name = "containers-bridge"; + name = "containers-tmpfs"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ckampka ]; }; diff --git a/nixos/tests/deluge.nix b/nixos/tests/deluge.nix new file mode 100644 index 000000000000..6119fd58447c --- /dev/null +++ b/nixos/tests/deluge.nix @@ -0,0 +1,29 @@ +import ./make-test.nix ({ pkgs, ...} : { + name = "deluge"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ flokli ]; + }; + + nodes = { + server = + { pkgs, config, ... }: + + { services.deluge = { + enable = true; + web.enable = true; + }; + networking.firewall.allowedTCPPorts = [ 8112 ]; + }; + + client = { }; + }; + + testScript = '' + startAll; + + $server->waitForUnit("deluged"); + $server->waitForUnit("delugeweb"); + $client->waitForUnit("network.target"); + $client->waitUntilSucceeds("curl --fail http://server:8112"); + ''; +}) diff --git a/nixos/tests/docker-registry.nix b/nixos/tests/docker-registry.nix index 109fca440e57..1fbd199c7bc4 100644 --- a/nixos/tests/docker-registry.nix +++ b/nixos/tests/docker-registry.nix @@ -3,14 +3,16 @@ import ./make-test.nix ({ pkgs, ...} : { name = "docker-registry"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ globin ]; + maintainers = [ globin ma27 ironpinguin ]; }; nodes = { registry = { config, pkgs, ... }: { services.dockerRegistry.enable = true; + services.dockerRegistry.enableDelete = true; services.dockerRegistry.port = 8080; services.dockerRegistry.listenAddress = "0.0.0.0"; + services.dockerRegistry.enableGarbageCollect = true; networking.firewall.allowedTCPPorts = [ 8080 ]; }; @@ -33,11 +35,29 @@ import ./make-test.nix ({ pkgs, ...} : { $registry->start(); $registry->waitForUnit("docker-registry.service"); + $registry->waitForOpenPort("8080"); $client1->succeed("docker push registry:8080/scratch"); $client2->start(); $client2->waitForUnit("docker.service"); $client2->succeed("docker pull registry:8080/scratch"); $client2->succeed("docker images | grep scratch"); + + $client2->succeed( + 'curl -fsS -X DELETE registry:8080/v2/scratch/manifests/$(curl -fsS -I -H"Accept: application/vnd.docker.distribution.manifest.v2+json" registry:8080/v2/scratch/manifests/latest | grep Docker-Content-Digest | sed -e \'s/Docker-Content-Digest: //\' | tr -d \'\r\')' + ); + + $registry->systemctl("start docker-registry-garbage-collect.service"); + $registry->waitUntilFails("systemctl status docker-registry-garbage-collect.service"); + $registry->waitForUnit("docker-registry.service"); + + $registry->fail( + 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data' + ); + + $client1->succeed("docker push registry:8080/scratch"); + $registry->succeed( + 'ls -l /var/lib/docker-registry/docker/registry/v2/blobs/sha256/*/*/data' + ); ''; }) diff --git a/nixos/tests/docker-tools-overlay.nix b/nixos/tests/docker-tools-overlay.nix new file mode 100644 index 000000000000..9d7fa3e7a8c5 --- /dev/null +++ b/nixos/tests/docker-tools-overlay.nix @@ -0,0 +1,32 @@ +# this test creates a simple GNU image with docker tools and sees if it executes + +import ./make-test.nix ({ pkgs, ... }: +{ + name = "docker-tools-overlay"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ lnl7 ]; + }; + + nodes = { + docker = + { config, pkgs, ... }: + { + virtualisation.docker.enable = true; + virtualisation.docker.storageDriver = "overlay"; # defaults to overlay2 + }; + }; + + testScript = + '' + $docker->waitForUnit("sockets.target"); + + $docker->succeed("docker load --input='${pkgs.dockerTools.examples.bash}'"); + $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version"); + + # Check if the nix store has correct user permissions depending on what + # storage driver is used, incorrectly built images can show up as readonly. + # drw------- 3 0 0 3 Apr 14 11:36 /nix + # drw------- 99 0 0 100 Apr 14 11:36 /nix/store + $docker->succeed("docker run --rm -u 1000:1000 ${pkgs.dockerTools.examples.bash.imageName} bash --version"); + ''; +}) diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix index e52a4c3f884e..4466081d01e9 100644 --- a/nixos/tests/docker-tools.nix +++ b/nixos/tests/docker-tools.nix @@ -3,14 +3,14 @@ import ./make-test.nix ({ pkgs, ... }: { name = "docker-tools"; meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ ]; + maintainers = [ lnl7 ]; }; nodes = { docker = { config, pkgs, ... }: { virtualisation = { - diskSize = 1024; + diskSize = 2048; docker.enable = true; }; }; @@ -21,19 +21,29 @@ import ./make-test.nix ({ pkgs, ... }: { $docker->waitForUnit("sockets.target"); $docker->succeed("docker load --input='${pkgs.dockerTools.examples.bash}'"); - $docker->succeed("docker run ${pkgs.dockerTools.examples.bash.imageName} /bin/bash --version"); + $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.bash.imageName} bash --version"); + $docker->succeed("docker rmi ${pkgs.dockerTools.examples.bash.imageName}"); + # Check if the nix store is correctly initialized by listing dependencies of the installed Nix binary $docker->succeed("docker load --input='${pkgs.dockerTools.examples.nix}'"); - $docker->succeed("docker run ${pkgs.dockerTools.examples.nix.imageName} /bin/nix-store -qR ${pkgs.nix}"); + $docker->succeed("docker run --rm ${pkgs.dockerTools.examples.nix.imageName} nix-store -qR ${pkgs.nix}"); + $docker->succeed("docker rmi ${pkgs.dockerTools.examples.nix.imageName}"); # To test the pullImage tool $docker->succeed("docker load --input='${pkgs.dockerTools.examples.nixFromDockerHub}'"); - $docker->succeed("docker run nixos/nix:1.11 nix-store --version"); + $docker->succeed("docker run --rm nixos/nix:1.11 nix-store --version"); + $docker->succeed("docker rmi nixos/nix:1.11"); # To test runAsRoot and entry point $docker->succeed("docker load --input='${pkgs.dockerTools.examples.nginx}'"); $docker->succeed("docker run --name nginx -d -p 8000:80 ${pkgs.dockerTools.examples.nginx.imageName}"); $docker->waitUntilSucceeds('curl http://localhost:8000/'); $docker->succeed("docker rm --force nginx"); + $docker->succeed("docker rmi '${pkgs.dockerTools.examples.nginx.imageName}'"); + + # An pulled image can be used as base image + $docker->succeed("docker load --input='${pkgs.dockerTools.examples.onTopOfPulledImage}'"); + $docker->succeed("docker run --rm ontopofpulledimage hello"); + $docker->succeed("docker rmi ontopofpulledimage"); ''; }) diff --git a/nixos/tests/dovecot.nix b/nixos/tests/dovecot.nix index 3814855ed8e7..156079d1d585 100644 --- a/nixos/tests/dovecot.nix +++ b/nixos/tests/dovecot.nix @@ -18,6 +18,18 @@ import ./make-test.nix { MAIL ''; + sendTestMailViaDeliveryAgent = pkgs.writeScriptBin "send-lda" '' + #!${pkgs.stdenv.shell} + + exec ${pkgs.dovecot}/libexec/dovecot/deliver -d bob <<MAIL + From: root@localhost + To: bob@localhost + Subject: Something else... + + I'm running short of ideas! + MAIL + ''; + testImap = pkgs.writeScriptBin "test-imap" '' #!${pkgs.python3.interpreter} import imaplib @@ -39,24 +51,25 @@ import ./make-test.nix { pop = poplib.POP3('localhost') try: - pop.user('alice') + pop.user('bob') pop.pass_('foobar') assert len(pop.list()[1]) == 1 status, fullmail, size = pop.retr(1) assert status.startswith(b'+OK ') body = b"".join(fullmail[fullmail.index(b""):]).strip() - assert body == b'Hello world!' + assert body == b"I'm running short of ideas!" finally: pop.quit() ''; - in [ sendTestMail testImap testPop ]; + in [ sendTestMail sendTestMailViaDeliveryAgent testImap testPop ]; }; testScript = '' $machine->waitForUnit('postfix.service'); $machine->waitForUnit('dovecot2.service'); $machine->succeed('send-testmail'); + $machine->succeed('send-lda'); $machine->waitUntilFails('[ "$(postqueue -p)" != "Mail queue is empty" ]'); $machine->succeed('test-imap'); $machine->succeed('test-pop'); diff --git a/nixos/tests/gnome3-gdm.nix b/nixos/tests/gnome3-gdm.nix index 4b459e93e1be..71ae1709d526 100644 --- a/nixos/tests/gnome3-gdm.nix +++ b/nixos/tests/gnome3-gdm.nix @@ -26,15 +26,22 @@ import ./make-test.nix ({ pkgs, ...} : { testScript = '' + # wait for gdm to start and bring up X + $machine->waitForUnit("display-manager.service"); $machine->waitForX; - $machine->sleep(15); + + # wait for alice to be logged in + $machine->waitForUnit("default.target","alice"); # Check that logging in has given the user ownership of devices. $machine->succeed("getfacl /dev/snd/timer | grep -q alice"); - $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'"); - $machine->succeed("xauth merge ~alice/.Xauthority"); + # open a terminal and check it's there + $machine->succeed("su - alice -c 'DISPLAY=:0.0 XAUTHORITY=/run/user/\$UID/gdm/Xauthority gnome-terminal'"); + $machine->succeed("xauth merge /run/user/1000/gdm/Xauthority"); $machine->waitForWindow(qr/Terminal/); + + # wait to get a nice screenshot $machine->sleep(20); $machine->screenshot("screen"); ''; diff --git a/nixos/tests/grafana.nix b/nixos/tests/grafana.nix index 16b8181498a6..d45776c3ee29 100644 --- a/nixos/tests/grafana.nix +++ b/nixos/tests/grafana.nix @@ -20,6 +20,6 @@ import ./make-test.nix ({ lib, ... }: $machine->start; $machine->waitForUnit("grafana.service"); $machine->waitForOpenPort(3000); - $machine->succeed("curl -sS http://127.0.0.1:3000/"); + $machine->succeed("curl -sSfL http://127.0.0.1:3000/"); ''; }) diff --git a/nixos/tests/hibernate.nix b/nixos/tests/hibernate.nix index a95235887e89..3ae2bdffed90 100644 --- a/nixos/tests/hibernate.nix +++ b/nixos/tests/hibernate.nix @@ -37,7 +37,7 @@ import ./make-test.nix (pkgs: { $machine->waitForShutdown; $machine->start; $probe->waitForUnit("network.target"); - $probe->waitUntilSucceeds("echo test | nc machine 4444 -q 0"); + $probe->waitUntilSucceeds("echo test | nc machine 4444 -N"); ''; }) diff --git a/nixos/tests/hitch/default.nix b/nixos/tests/hitch/default.nix new file mode 100644 index 000000000000..b024306cde56 --- /dev/null +++ b/nixos/tests/hitch/default.nix @@ -0,0 +1,33 @@ +import ../make-test.nix ({ pkgs, ... }: +{ + name = "hitch"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ jflanglois ]; + }; + machine = { config, pkgs, ... }: { + environment.systemPackages = [ pkgs.curl ]; + services.hitch = { + enable = true; + backend = "[127.0.0.1]:80"; + pem-files = [ + ./example.pem + ]; + }; + + services.httpd = { + enable = true; + documentRoot = ./example; + adminAddr = "noone@testing.nowhere"; + }; + }; + + testScript = + '' + startAll; + + $machine->waitForUnit('multi-user.target'); + $machine->waitForUnit('hitch.service'); + $machine->waitForOpenPort(443); + $machine->succeed('curl -k https://localhost:443/index.txt | grep "We are all good!"'); + ''; +}) diff --git a/nixos/tests/hitch/example.pem b/nixos/tests/hitch/example.pem new file mode 100644 index 000000000000..fde6f3cbd19a --- /dev/null +++ b/nixos/tests/hitch/example.pem @@ -0,0 +1,53 @@ +-----BEGIN CERTIFICATE----- +MIIEKTCCAxGgAwIBAgIJAIFAWQXSZ7lIMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UEBwwMUmVkd29vZCBD +aXR5MRkwFwYDVQQKDBBUZXN0aW5nIDEyMyBJbmMuMRQwEgYDVQQLDAtJVCBTZXJ2 +aWNlczEYMBYGA1UEAwwPdGVzdGluZy5ub3doZXJlMSQwIgYJKoZIhvcNAQkBFhVu +b29uZUB0ZXN0aW5nLm5vd2hlcmUwHhcNMTgwNDIzMDcxMTI5WhcNMTkwNDIzMDcx +MTI5WjCBqjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNV +BAcMDFJlZHdvb2QgQ2l0eTEZMBcGA1UECgwQVGVzdGluZyAxMjMgSW5jLjEUMBIG +A1UECwwLSVQgU2VydmljZXMxGDAWBgNVBAMMD3Rlc3Rpbmcubm93aGVyZTEkMCIG +CSqGSIb3DQEJARYVbm9vbmVAdGVzdGluZy5ub3doZXJlMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAxQq6AA9o/QErMbQwfgDF4mqXcvglRTwPr2zPE6Rv +1g0ncRBSMM8iKbPapHM6qHNfg2e1fU2SFqzD6HkyZqHHLCgLzkdzswEcEjsMqiUP +OR++5g4CWoQrdTi31itzYzCjnQ45BrAMrLEhBQgDTNwrEE+Tit0gpOGggtj/ktLk +OD8BKa640lkmWEUGF18fd3rYTUC4hwM5qhAVXTe21vj9ZWsgprpQKdN61v0dCUap +C5eAgvZ8Re+Cd0Id674hK4cJ4SekqfHKv/jLyIg3Vsdc9nkhmiC4O6KH5f1Zzq2i +E4Kd5mnJDFxfSzIErKWmbhriLWsj3KEJ983AGLJ9hxQTAwIDAQABo1AwTjAdBgNV +HQ4EFgQU76Mm6DP/BePJRQUNrJ9z038zjocwHwYDVR0jBBgwFoAU76Mm6DP/BePJ +RQUNrJ9z038zjocwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAZzt +VdPaUqrvDAh5rMYqzYMJ3tj6daNYoX6CbTFoevK5J5D4FESM0D/FMKgpNiVz39kB +8Cjaw5rPHMHY61rHz7JRDK1sWXsonwzCF21BK7Tx0G1CIfLpYHWYb/FfdWGROx+O +hPgKuoMRWQB+txozkZp5BqWJmk5MOyFCDEXhMOmrfsJq0IYU6QaH3Lsf1oJRy4yU +afFrT9o3DLOyYLG/j/HXijCu8DVjZVa4aboum79ecYzPjjGF1posrFUnvQiuAeYy +t7cuHNUB8gW9lWR5J7tP8fzFWtIcyT2oRL8u3H+fXf0i4bW73wtOBOoeULBzBNE7 +6rphcSrQunSZQIc+hg== +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFCroAD2j9ASsx +tDB+AMXiapdy+CVFPA+vbM8TpG/WDSdxEFIwzyIps9qkczqoc1+DZ7V9TZIWrMPo +eTJmoccsKAvOR3OzARwSOwyqJQ85H77mDgJahCt1OLfWK3NjMKOdDjkGsAyssSEF +CANM3CsQT5OK3SCk4aCC2P+S0uQ4PwEprrjSWSZYRQYXXx93ethNQLiHAzmqEBVd +N7bW+P1layCmulAp03rW/R0JRqkLl4CC9nxF74J3Qh3rviErhwnhJ6Sp8cq/+MvI +iDdWx1z2eSGaILg7oofl/VnOraITgp3mackMXF9LMgSspaZuGuItayPcoQn3zcAY +sn2HFBMDAgMBAAECggEAcaR8HijFHpab+PC5vxJnDuz3KEHiDQpU6ZJR5DxEnCm+ +A8GsBaaRR4gJpCspO5o/DiS0Ue55QUanPt8XqIXJv7fhBznCiw0qyYDxDviMzR94 +FGskBFySS+tIa+dnh1+4HY7kaO0Egl0udB5o+N1KoP+kUsSyXSYcUxsgW+fx5FW9 +22Ya3HNWnWxMCSfSGGlTFXGj2whf25SkL25dM9iblO4ZOx4MX8kaXij7TaYy8hMM +Vf6/OMnXqtPKho+ctZZVKZkE9PxdS4f/pnp5EsdoOZwNBtfQ1WqVLWd3DlGWhnsH +7L8ZSP2HkoI4Pd1wtkpOKZc+yM2bFXWa8WY4TcmpUQKBgQD33HxGdtmtZehrexSA +/ZwWJlMslUsNz4Ivv6s7J4WCRhdh94+r9TWQP/yHdT9Ry5bvn84I5ZLUdp+aA962 +mvjz+GIglkCGpA7HU/hqurB1O63pj2cIDB8qhV21zjVIoqXcQ7IBJ+tqD79nF8vm +h3KfuHUhuu1rayGepbtIyNhLdwKBgQDLgw4TJBg/QB8RzYECk78QnfZpCExsQA/z +YJpc+dF2/nsid5R2u9jWzfmgHM2Jjo2/+ofRUaTqcFYU0K57CqmQkOLIzsbNQoYt +e2NOANNVHiZLuzTZC2r3BrrkNbo3YvQzhAesUA5lS6LfrxBLUKiwo2LU9NlmJs3b +UPVFYI0/1QKBgCswxIcS1sOcam+wNtZzWuuRKhUuvrFdY3YmlBPuwxj8Vb7AgMya +IgdM3xhLmgkKzPZchm6OcpOLSCxyWDDBuHfq5E6BYCUWGW0qeLNAbNdA2wFD99Qz +KIskSjwP/sD1dql3MmF5L1CABf5U6zb0i0jBv8ds50o8lNMsVgJM3UPpAoGBAL1+ +nzllb4pdi1CJWKnspoizfQCZsIdPM0r71V/jYY36MO+MBtpz2NlSWzAiAaQm74gl +oBdgfT2qMg0Zro11BSRONEykdOolGkj5TiMQk7b65s+3VeMPRZ8UTis2d9kgs5/Q +PVDODkl1nwfGu1ZVmW04BUujXVZHpYCkJm1eFMetAoGAImE7gWj+qRMhpbtCCGCg +z06gDKvMrF6S+GJsvUoSyM8oUtfdPodI6gWAC65NfYkIiqbpCaEVNzfui73f5Lnz +p5X1IbzhuH5UZs/k5A3OR2PPDbPs3lqEw7YJdBdLVRmO1o824uaXaJJwkL/1C+lq +8dh1wV3CnynNmZApkz4vpzQ= +-----END PRIVATE KEY----- diff --git a/nixos/tests/hitch/example/index.txt b/nixos/tests/hitch/example/index.txt new file mode 100644 index 000000000000..0478b1c26351 --- /dev/null +++ b/nixos/tests/hitch/example/index.txt @@ -0,0 +1 @@ +We are all good! diff --git a/nixos/tests/hocker-fetchdocker/default.nix b/nixos/tests/hocker-fetchdocker/default.nix new file mode 100644 index 000000000000..4f30f01e4032 --- /dev/null +++ b/nixos/tests/hocker-fetchdocker/default.nix @@ -0,0 +1,15 @@ +import ../make-test.nix ({ pkgs, ...} : { + name = "test-hocker-fetchdocker"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ixmatus ]; + }; + + machine = import ./machine.nix; + + testScript = '' + startAll; + + $machine->waitForUnit("sockets.target"); + $machine->waitUntilSucceeds("docker run registry-1.docker.io/v2/library/hello-world:latest"); + ''; +}) diff --git a/nixos/tests/hocker-fetchdocker/hello-world-container.nix b/nixos/tests/hocker-fetchdocker/hello-world-container.nix new file mode 100644 index 000000000000..a127875264e9 --- /dev/null +++ b/nixos/tests/hocker-fetchdocker/hello-world-container.nix @@ -0,0 +1,19 @@ +{ fetchDockerConfig, fetchDockerLayer, fetchdocker }: +fetchdocker rec { + name = "hello-world"; + registry = "https://registry-1.docker.io/v2/"; + repository = "library"; + imageName = "hello-world"; + tag = "latest"; + imageConfig = fetchDockerConfig { + inherit tag registry repository imageName; + sha256 = "1ivbd23hyindkahzfw4kahgzi6ibzz2ablmgsz6340vc6qr1gagj"; + }; + imageLayers = let + layer0 = fetchDockerLayer { + inherit registry repository imageName; + layerDigest = "ca4f61b1923c10e9eb81228bd46bee1dfba02b9c7dac1844527a734752688ede"; + sha256 = "1plfd194fwvsa921ib3xkhms1yqxxrmx92r2h7myj41wjaqn2kya"; + }; + in [ layer0 ]; + } diff --git a/nixos/tests/hocker-fetchdocker/machine.nix b/nixos/tests/hocker-fetchdocker/machine.nix new file mode 100644 index 000000000000..12c58a012243 --- /dev/null +++ b/nixos/tests/hocker-fetchdocker/machine.nix @@ -0,0 +1,26 @@ +{ config, pkgs, ... }: +{ nixpkgs.config.packageOverrides = pkgs': { + hello-world-container = pkgs'.callPackage ./hello-world-container.nix { }; + }; + + virtualisation.docker = { + enable = true; + package = pkgs.docker; + }; + + systemd.services.docker-load-fetchdocker-image = { + description = "Docker load hello-world-container"; + wantedBy = [ "multi-user.target" ]; + wants = [ "docker.service" "local-fs.target" ]; + after = [ "docker.service" "local-fs.target" ]; + + script = '' + ${pkgs.hello-world-container}/compositeImage.sh | ${pkgs.docker}/bin/docker load + ''; + + serviceConfig = { + Type = "oneshot"; + }; + }; +} + diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix index 2e45dc78471f..4ebccb7ab868 100644 --- a/nixos/tests/home-assistant.nix +++ b/nixos/tests/home-assistant.nix @@ -51,9 +51,9 @@ in { startAll; $hass->waitForUnit("home-assistant.service"); - # Since config is specified using a Nix attribute set, - # configuration.yaml is a link to the Nix store - $hass->succeed("test -L ${configDir}/configuration.yaml"); + # The config is specified using a Nix attribute set, + # but then converted from JSON to YAML + $hass->succeed("test -f ${configDir}/configuration.yaml"); # Check that Home Assistant's web interface and API can be reached $hass->waitForOpenPort(8123); diff --git a/nixos/tests/iftop.nix b/nixos/tests/iftop.nix new file mode 100644 index 000000000000..21ff3cafed7c --- /dev/null +++ b/nixos/tests/iftop.nix @@ -0,0 +1,30 @@ +import ./make-test.nix ({ pkgs, lib, ... }: + +with lib; + +{ + name = "iftop"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ]; + + nodes = { + withIftop = { + imports = [ ./common/user-account.nix ]; + + programs.iftop.enable = true; + }; + withoutIftop = { + imports = [ ./common/user-account.nix ]; + }; + }; + + testScript = '' + subtest "machine with iftop enabled", sub { + $withIftop->start; + $withIftop->succeed("su -l alice -c 'iftop -t -s 1'"); + }; + subtest "machine without iftop", sub { + $withoutIftop->start; + $withoutIftop->mustFail("su -l alice -c 'iftop -t -s 1'"); + }; + ''; +}) diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix index 637cbb45709d..acf248d0a5a6 100644 --- a/nixos/tests/installer.nix +++ b/nixos/tests/installer.nix @@ -69,13 +69,20 @@ let let iface = if grubVersion == 1 then "ide" else "virtio"; isEfi = bootLoader == "systemd-boot" || (bootLoader == "grub" && grubUseEfi); + + # FIXME don't duplicate the -enable-kvm etc. flags here yet again! qemuFlags = (if system == "x86_64-linux" then "-m 768 " else "-m 512 ") + - (optionalString (system == "x86_64-linux") "-cpu kvm64 "); + (optionalString (system == "x86_64-linux") "-cpu kvm64 ") + + (optionalString (system == "aarch64-linux") "-enable-kvm -machine virt,gic-version=host -cpu host "); + hdFlags = ''hda => "vm-state-machine/machine.qcow2", hdaInterface => "${iface}", '' - + optionalString isEfi ''bios => "${pkgs.OVMF.fd}/FV/OVMF.fd", ''; - in - '' + + optionalString isEfi (if pkgs.stdenv.isAarch64 + then ''bios => "${pkgs.OVMF.fd}/FV/QEMU_EFI.fd", '' + else ''bios => "${pkgs.OVMF.fd}/FV/OVMF.fd", ''); + in if !isEfi && !(pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) then + throw "Non-EFI boot methods are only supported on i686 / x86_64" + else '' $machine->start; # Make sure that we get a login prompt etc. @@ -145,7 +152,7 @@ let # Check that the daemon works, and that non-root users can run builds (this will build a new profile generation through the daemon) $machine->succeed("su alice -l -c 'nix-env -iA nixos.procps' >&2"); - # We need to a writable nix-store on next boot. + # We need a writable Nix store on next boot. $machine->copyFileFromHost( "${ makeConfig { inherit bootLoader grubVersion grubDevice grubIdentifier grubUseEfi extraConfig; forceGrubReinstallCount = 1; } }", "/etc/nixos/configuration.nix"); @@ -195,8 +202,7 @@ let }; nodes = { - # The configuration of the machine used to run "nixos-install". It - # also has a web server that simulates cache.nixos.org. + # The configuration of the machine used to run "nixos-install". machine = { config, lib, pkgs, ... }: @@ -208,7 +214,6 @@ let virtualisation.diskSize = 8 * 1024; virtualisation.memorySize = 1024; - virtualisation.writableStore = true; # Use a small /dev/vdb as the root disk for the # installer. This ensures the target disk (/dev/vda) is @@ -245,6 +250,11 @@ let ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ]; nix.binaryCaches = mkForce [ ]; + nix.extraOptions = + '' + hashed-mirrors = + connect-timeout = 1 + ''; }; }; diff --git a/nixos/tests/kernel-copperhead.nix b/nixos/tests/kernel-copperhead.nix index 07427d7f2a89..aa133c9b0aa7 100644 --- a/nixos/tests/kernel-copperhead.nix +++ b/nixos/tests/kernel-copperhead.nix @@ -6,14 +6,14 @@ import ./make-test.nix ({ pkgs, ...} : { machine = { config, lib, pkgs, ... }: { - boot.kernelPackages = pkgs.linuxPackages_hardened_copperhead; + boot.kernelPackages = pkgs.linuxPackages_copperhead_lts; }; testScript = '' $machine->succeed("uname -a"); $machine->succeed("uname -s | grep 'Linux'"); - $machine->succeed("uname -a | grep '${pkgs.linuxPackages_hardened_copperhead.kernel.modDirVersion}'"); + $machine->succeed("uname -a | grep '${pkgs.linuxPackages_copperhead_lts.kernel.modDirVersion}'"); $machine->succeed("uname -a | grep 'hardened'"); ''; }) diff --git a/nixos/tests/keymap.nix b/nixos/tests/keymap.nix index eec674e227df..be880388314c 100644 --- a/nixos/tests/keymap.nix +++ b/nixos/tests/keymap.nix @@ -3,46 +3,36 @@ with import ../lib/testing.nix { inherit system; }; let + readyFile = "/tmp/readerReady"; + resultFile = "/tmp/readerResult"; + testReader = pkgs.writeScript "test-input-reader" '' #!${pkgs.stdenv.shell} - readInput() { - touch /tmp/reader.ready - echo "Waiting for '$1' to be typed" - read -r -n1 c - if [ "$c" = "$2" ]; then - echo "SUCCESS: Got back '$c' as expected." - echo 0 >&2 - else - echo "FAIL: Expected '$2' but got '$c' instead." - echo 1 >&2 - fi - } - - main() { - error=0 - while [ $# -gt 0 ]; do - ret="$((readInput "$2" "$3" | systemd-cat -t "$1") 2>&1)" - if [ $ret -ne 0 ]; then error=1; fi - shift 3 - done - return $error - } - - main "$@"; echo -n $? > /tmp/reader.exit + rm -f ${resultFile} ${resultFile}.tmp + logger "testReader: START: Waiting for $1 characters, expecting '$2'." + touch ${readyFile} + read -r -N $1 chars + rm -f ${readyFile} + + if [ "$chars" == "$2" ]; then + logger -s "testReader: PASS: Got '$2' as expected." 2>${resultFile}.tmp + else + logger -s "testReader: FAIL: Expected '$2' but got '$chars'." 2>${resultFile}.tmp + fi + # rename after the file is written to prevent a race condition + mv ${resultFile}.tmp ${resultFile} ''; - mkReaderInput = testname: { qwerty, expect }: with pkgs.lib; let - lq = length qwerty; - le = length expect; - msg = "`qwerty' (${lq}) and `expect' (${le}) lists" - + " need to be of the same length!"; - result = flatten (zipListsWith (a: b: [testname a b]) qwerty expect); - in if lq != le then throw msg else result; mkKeyboardTest = layout: { extraConfig ? {}, tests }: with pkgs.lib; let - readerInput = flatten (mapAttrsToList mkReaderInput tests); + combinedTests = foldAttrs (acc: val: acc ++ val) [] (builtins.attrValues tests); perlStr = val: "'${escape ["'" "\\"] val}'"; - perlReaderInput = concatMapStringsSep ", " perlStr readerInput; + lq = length combinedTests.qwerty; + le = length combinedTests.expect; + msg = "length mismatch between qwerty (${toString lq}) and expect (${toString le}) lists!"; + send = concatMapStringsSep ", " perlStr combinedTests.qwerty; + expect = if (lq == le) then concatStrings combinedTests.expect else throw msg; + in makeTest { name = "keymap-${layout}"; @@ -50,69 +40,40 @@ let machine.i18n.consoleKeyMap = mkOverride 900 layout; machine.services.xserver.layout = mkOverride 900 layout; machine.imports = [ ./common/x11.nix extraConfig ]; - machine.services.xserver.displayManager.slim = { - enable = true; - - # Use a custom theme in order to get best OCR results - theme = pkgs.runCommand "slim-theme-ocr" { - nativeBuildInputs = [ pkgs.imagemagick ]; - } '' - mkdir "$out" - convert -size 1x1 xc:white "$out/background.jpg" - convert -size 200x100 xc:white "$out/panel.jpg" - cat > "$out/slim.theme" <<EOF - background_color #ffffff - background_style tile - - input_fgcolor #000000 - msg_color #000000 - - session_color #000000 - session_font Verdana:size=16:bold - - username_msg Username: - username_font Verdana:size=16:bold - username_color #000000 - username_x 50% - username_y 40% - - password_msg Password: - password_x 50% - password_y 40% - EOF - ''; - }; testScript = '' - sub waitCatAndDelete ($) { - return $machine->succeed( - "for i in \$(seq 600); do if [ -e '$_[0]' ]; then ". - "cat '$_[0]' && rm -f '$_[0]' && exit 0; ". - "fi; sleep 0.1; done; echo timed out after 60 seconds >&2; exit 1" - ); - }; sub mkTest ($$) { my ($desc, $cmd) = @_; - my @testdata = (${perlReaderInput}); - my $shellTestdata = join ' ', map { "'".s/'/'\\'''/gr."'" } @testdata; - subtest $desc, sub { - $machine->succeed("$cmd ${testReader} $shellTestdata &"); - while (my ($testname, $qwerty, $expect) = splice(@testdata, 0, 3)) { - waitCatAndDelete "/tmp/reader.ready"; - $machine->sendKeys($qwerty); - }; - my $exitcode = waitCatAndDelete "/tmp/reader.exit"; - die "tests for $desc failed" if $exitcode ne 0; + # prepare and start testReader + $machine->execute("rm -f ${readyFile} ${resultFile}"); + $machine->succeed("$cmd ${testReader} ${toString le} ".q(${escapeShellArg expect} & )); + + if ($desc eq "Xorg keymap") { + # make sure the xterm window is open and has focus + $machine->waitForWindow(qr/testterm/); + $machine->waitUntilSucceeds("${pkgs.xdotool}/bin/xdotool search --sync --onlyvisible --class testterm windowfocus --sync"); + } + + # wait for reader to be ready + $machine->waitForFile("${readyFile}"); + $machine->sleep(1); + + # send all keys + foreach ((${send})) { $machine->sendKeys($_); }; + + # wait for result and check + $machine->waitForFile("${resultFile}"); + $machine->succeed("grep -q 'PASS:' ${resultFile}"); }; - } + }; $machine->waitForX; mkTest "VT keymap", "openvt -sw --"; - mkTest "Xorg keymap", "DISPLAY=:0 xterm -fullscreen -e"; + mkTest "Xorg keymap", "DISPLAY=:0 xterm -title testterm -class testterm -fullscreen -e"; ''; }; diff --git a/nixos/tests/kubernetes/certs.nix b/nixos/tests/kubernetes/certs.nix index d3eff910c467..520c728b65ee 100644 --- a/nixos/tests/kubernetes/certs.nix +++ b/nixos/tests/kubernetes/certs.nix @@ -6,29 +6,62 @@ kubelets }: let - runWithCFSSL = name: cmd: - builtins.fromJSON (builtins.readFile ( - pkgs.runCommand "${name}-cfss.json" { - buildInputs = [ pkgs.cfssl ]; - } "cfssl ${cmd} > $out" - )); - - writeCFSSL = content: - pkgs.runCommand content.name { - buildInputs = [ pkgs.cfssl ]; - } '' - mkdir -p $out - cd $out - cat ${writeFile content} | cfssljson -bare ${content.name} - ''; + runWithCFSSL = name: cmd: + let secrets = pkgs.runCommand "${name}-cfss.json" { + buildInputs = [ pkgs.cfssl pkgs.jq ]; + outputs = [ "out" "cert" "key" "csr" ]; + } + '' + ( + echo "${cmd}" + cfssl ${cmd} > tmp + cat tmp | jq -r .key > $key + cat tmp | jq -r .cert > $cert + cat tmp | jq -r .csr > $csr + + touch $out + ) 2>&1 | fold -w 80 -s + ''; + in { + key = secrets.key; + cert = secrets.cert; + csr = secrets.csr; + }; + + writeCFSSL = content: + pkgs.runCommand content.name { + buildInputs = [ pkgs.cfssl pkgs.jq ]; + } '' + mkdir -p $out + cd $out + + json=${pkgs.lib.escapeShellArg (builtins.toJSON content)} + + # for a given $field in the $json, treat the associated value as a + # file path and substitute the contents thereof into the $json + # object. + expandFileField() { + local field=$1 + if jq -e --arg field "$field" 'has($field)'; then + local path="$(echo "$json" | jq -r ".$field")" + json="$(echo "$json" | jq --arg val "$(cat "$path")" ".$field = \$val")" + fi + } + + expandFileField key + expandFileField ca + expandFileField cert + + echo "$json" | cfssljson -bare ${content.name} + ''; noCSR = content: pkgs.lib.filterAttrs (n: v: n != "csr") content; noKey = content: pkgs.lib.filterAttrs (n: v: n != "key") content; - writeFile = content: pkgs.writeText "content" ( - if pkgs.lib.isAttrs content then builtins.toJSON content - else toString content - ); + writeFile = content: + if pkgs.lib.isDerivation content + then content + else pkgs.writeText "content" (builtins.toJSON content); createServingCertKey = { ca, cn, hosts? [], size ? 2048, name ? cn }: noCSR ( diff --git a/nixos/tests/kubernetes/e2e.nix b/nixos/tests/kubernetes/e2e.nix index d9d7ba9bb2cc..175d8413045e 100644 --- a/nixos/tests/kubernetes/e2e.nix +++ b/nixos/tests/kubernetes/e2e.nix @@ -2,7 +2,7 @@ with import ./base.nix { inherit system; }; let domain = "my.zyx"; - certs = import ./certs.nix { externalDomain = domain; }; + certs = import ./certs.nix { externalDomain = domain; kubelets = ["machine1" "machine2"]; }; kubeconfig = pkgs.writeText "kubeconfig.json" (builtins.toJSON { apiVersion = "v1"; kind = "Config"; diff --git a/nixos/tests/kubernetes/rbac.nix b/nixos/tests/kubernetes/rbac.nix index 1966fed3a5fb..226808c4b263 100644 --- a/nixos/tests/kubernetes/rbac.nix +++ b/nixos/tests/kubernetes/rbac.nix @@ -12,7 +12,7 @@ let }); roRoleBinding = pkgs.writeText "ro-role-binding.json" (builtins.toJSON { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "RoleBinding"; metadata = { name = "read-pods"; @@ -31,7 +31,7 @@ let }); roRole = pkgs.writeText "ro-role.json" (builtins.toJSON { - apiVersion = "rbac.authorization.k8s.io/v1beta1"; + apiVersion = "rbac.authorization.k8s.io/v1"; kind = "Role"; metadata = { name = "pod-reader"; diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix index 6de17518214c..179c95e76436 100644 --- a/nixos/tests/misc.nix +++ b/nixos/tests/misc.nix @@ -1,11 +1,13 @@ # Miscellaneous small tests that don't warrant their own VM run. -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test.nix ({ pkgs, ...} : rec { name = "misc"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco chaoflow ]; }; + foo = pkgs.writeText "foo" "Hello World"; + machine = { config, lib, pkgs, ... }: with lib; @@ -27,10 +29,17 @@ import ./make-test.nix ({ pkgs, ...} : { security.sudo = { enable = true; wheelNeedsPassword = false; }; boot.kernel.sysctl."vm.swappiness" = 1; boot.kernelParams = [ "vsyscall=emulate" ]; + system.extraDependencies = [ foo ]; }; testScript = '' + subtest "nix-db", sub { + my $json = $machine->succeed("nix path-info --json ${foo}"); + $json =~ /"narHash":"sha256:0afw0d9j1hvwiz066z93jiddc33nxg6i6qyp26vnqyglpyfivlq5"/ or die "narHash not set"; + $json =~ /"narSize":128/ or die "narSize not set"; + }; + subtest "nixos-version", sub { $machine->succeed("[ `nixos-version | wc -w` = 2 ]"); }; @@ -87,7 +96,7 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->succeed("systemctl start systemd-udev-settle.service"); subtest "udev-auto-load", sub { $machine->waitForUnit('systemd-udev-settle.service'); - $machine->succeed('lsmod | grep psmouse'); + $machine->succeed('lsmod | grep mousedev'); }; # Test whether systemd-tmpfiles-clean works. diff --git a/nixos/tests/openldap.nix b/nixos/tests/openldap.nix new file mode 100644 index 000000000000..1eaf87a8eaa8 --- /dev/null +++ b/nixos/tests/openldap.nix @@ -0,0 +1,35 @@ +import ./make-test.nix { + name = "openldap"; + + machine = { pkgs, ... }: { + services.openldap = { + enable = true; + extraConfig = '' + include ${pkgs.openldap}/etc/schema/core.schema + include ${pkgs.openldap}/etc/schema/cosine.schema + include ${pkgs.openldap}/etc/schema/inetorgperson.schema + include ${pkgs.openldap}/etc/schema/nis.schema + database bdb + suffix dc=example + directory /var/db/openldap + rootdn cn=root,dc=example + rootpw notapassword + ''; + declarativeContents = '' + dn: dc=example + objectClass: domain + dc: example + + dn: ou=users,dc=example + objectClass: organizationalUnit + ou: users + ''; + }; + }; + + testScript = '' + $machine->waitForUnit('openldap.service'); + $machine->succeed('systemctl status openldap.service'); + $machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"'); + ''; +} diff --git a/nixos/tests/osquery.nix b/nixos/tests/osquery.nix new file mode 100644 index 000000000000..281dbcff6643 --- /dev/null +++ b/nixos/tests/osquery.nix @@ -0,0 +1,28 @@ +import ./make-test.nix ({ pkgs, lib, ... }: + +with lib; + +{ + name = "osquery"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ ma27 ]; + }; + + machine = { + services.osquery.enable = true; + services.osquery.loggerPath = "/var/log/osquery/logs"; + services.osquery.pidfile = "/var/run/osqueryd.pid"; + }; + + testScript = '' + $machine->start; + $machine->waitForUnit("osqueryd.service"); + + $machine->succeed("echo 'SELECT address FROM etc_hosts LIMIT 1;' | osqueryi | grep '127.0.0.1'"); + $machine->succeed( + "echo 'SELECT value FROM osquery_flags WHERE name = \"logger_path\";' | osqueryi | grep /var/log/osquery/logs" + ); + + $machine->succeed("echo 'SELECT value FROM osquery_flags WHERE name = \"pidfile\";' | osqueryi | grep /var/run/osqueryd.pid"); + ''; +}) diff --git a/nixos/tests/predictable-interface-names.nix b/nixos/tests/predictable-interface-names.nix index b4c2039923cf..0b431034a7a9 100644 --- a/nixos/tests/predictable-interface-names.nix +++ b/nixos/tests/predictable-interface-names.nix @@ -1,27 +1,24 @@ -{ system ? builtins.currentSystem -, pkgs ? import ../.. { inherit system; } -}: -with import ../lib/testing.nix { inherit system; }; -let boolToString = x: if x then "yes" else "no"; in -let testWhenSetTo = predictable: withNetworkd: -makeTest { - name = "${if predictable then "" else "un"}predictableInterfaceNames${if withNetworkd then "-with-networkd" else ""}"; - meta = {}; +{ system ? builtins.currentSystem }: - machine = { config, pkgs, ... }: { - networking.usePredictableInterfaceNames = pkgs.stdenv.lib.mkForce predictable; - networking.useNetworkd = withNetworkd; - networking.dhcpcd.enable = !withNetworkd; - }; +let + inherit (import ../lib/testing.nix { inherit system; }) makeTest pkgs; +in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: { + name = pkgs.lib.optionalString (!predictable) "un" + "predictable" + + pkgs.lib.optionalString withNetworkd "Networkd"; + value = makeTest { + name = "${if predictable then "" else "un"}predictableInterfaceNames${if withNetworkd then "-with-networkd" else ""}"; + meta = {}; + + machine = { config, lib, ... }: { + networking.usePredictableInterfaceNames = lib.mkForce predictable; + networking.useNetworkd = withNetworkd; + networking.dhcpcd.enable = !withNetworkd; + }; - testScript = '' - print $machine->succeed("ip link"); - $machine->succeed("ip link show ${if predictable then "ens3" else "eth0"}"); - $machine->fail("ip link show ${if predictable then "eth0" else "ens3"}"); - ''; -}; in -with pkgs.stdenv.lib.lists; -with pkgs.stdenv.lib.attrsets; -listToAttrs (map (drv: nameValuePair drv.name drv) ( -crossLists testWhenSetTo [[true false] [true false]] -)) + testScript = '' + print $machine->succeed("ip link"); + $machine->succeed("ip link show ${if predictable then "ens3" else "eth0"}"); + $machine->fail("ip link show ${if predictable then "eth0" else "ens3"}"); + ''; + }; +}) [[true false] [true false]]) diff --git a/nixos/tests/printing.nix b/nixos/tests/printing.nix index 2d3ecaf94cfa..989008830613 100644 --- a/nixos/tests/printing.nix +++ b/nixos/tests/printing.nix @@ -39,7 +39,9 @@ import ./make-test.nix ({pkgs, ... }: { $client->waitForUnit("cups.service"); $client->sleep(10); # wait until cups is fully initialized $client->succeed("lpstat -r") =~ /scheduler is running/ or die; - $client->succeed("lpstat -H") =~ "localhost:631" or die; + # Test that UNIX socket is used for connections. + $client->succeed("lpstat -H") =~ "/var/run/cups/cups.sock" or die; + # Test that HTTP server is available too. $client->succeed("curl --fail http://localhost:631/"); $client->succeed("curl --fail http://server:631/"); $server->fail("curl --fail --connect-timeout 2 http://client:631/"); diff --git a/nixos/tests/prosody.nix b/nixos/tests/prosody.nix new file mode 100644 index 000000000000..fcebfaf74e12 --- /dev/null +++ b/nixos/tests/prosody.nix @@ -0,0 +1,75 @@ +import ./make-test.nix { + name = "prosody"; + + machine = { config, pkgs, ... }: { + services.prosody = { + enable = true; + # TODO: use a self-signed certificate + c2sRequireEncryption = false; + }; + environment.systemPackages = let + sendMessage = pkgs.writeScriptBin "send-message" '' + #!/usr/bin/env python3 + # Based on the sleekxmpp send_client example, look there for more details: + # https://github.com/fritzy/SleekXMPP/blob/develop/examples/send_client.py + import sleekxmpp + + class SendMsgBot(sleekxmpp.ClientXMPP): + """ + A basic SleekXMPP bot that will log in, send a message, + and then log out. + """ + def __init__(self, jid, password, recipient, message): + sleekxmpp.ClientXMPP.__init__(self, jid, password) + + self.recipient = recipient + self.msg = message + + self.add_event_handler("session_start", self.start, threaded=True) + + def start(self, event): + self.send_presence() + self.get_roster() + + self.send_message(mto=self.recipient, + mbody=self.msg, + mtype='chat') + + self.disconnect(wait=True) + + + if __name__ == '__main__': + xmpp = SendMsgBot("test1@localhost", "test1", "test2@localhost", "Hello World!") + xmpp.register_plugin('xep_0030') # Service Discovery + xmpp.register_plugin('xep_0199') # XMPP Ping + + # TODO: verify certificate + # If you want to verify the SSL certificates offered by a server: + # xmpp.ca_certs = "path/to/ca/cert" + + if xmpp.connect(('localhost', 5222)): + xmpp.process(block=True) + else: + print("Unable to connect.") + sys.exit(1) + ''; + in [ (pkgs.python3.withPackages (ps: [ ps.sleekxmpp ])) sendMessage ]; + }; + + testScript = '' + $machine->waitForUnit('prosody.service'); + $machine->succeed('prosodyctl status') =~ /Prosody is running/; + + # set password to 'test' (it's asked twice) + $machine->succeed('yes test1 | prosodyctl adduser test1@localhost'); + # set password to 'y' + $machine->succeed('yes | prosodyctl adduser test2@localhost'); + # correct password to 'test2' + $machine->succeed('yes test2 | prosodyctl passwd test2@localhost'); + + $machine->succeed("send-message"); + + $machine->succeed('prosodyctl deluser test1@localhost'); + $machine->succeed('prosodyctl deluser test2@localhost'); + ''; +} diff --git a/nixos/tests/pump.io.nix b/nixos/tests/pump.io.nix deleted file mode 100644 index 0991ed3fce1f..000000000000 --- a/nixos/tests/pump.io.nix +++ /dev/null @@ -1,89 +0,0 @@ -# This test runs pump.io with mongodb, listing on port 443. - -import ./make-test.nix ({ pkgs, ...} : let - snakeOilKey = '' - -----BEGIN PRIVATE KEY----- - MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqVemio78R41Tz - MnR2zFD/wFT0iScOpFkuytNmuPf28FLaa9wSBWmuAGbEi7wBIfw8/bUqFBTQp2G1 - m1cmcCKxhmvvOkGs89eM131s1lW/bXU3zYso4e7724kHwU65jRlQs6cFWIlmW7V5 - 3HQobP05dy+zPpujPPSlOQ0qYViR1s+RgZI8r0wS2ZDsliNtQwBLJSIvX6XVnXLo - F/HmF4/ySJ9pL2AxQXCwZE8SfCzHpArs9COIqTaAuwB79kxWSFQJewmab74BXiM6 - 9FMCtHON24Pl7OR9sRJHH8rMEzUumppmUeCNEzABjzQQ7svR18cmbzRWetp0tT9Y - 7rj6URHHAgMBAAECggEAGmbCldDnlrAzxJY3cwpsK5f2EwkHIr/aiuQpLCzTUlUh - onVBYRGxtaSeSSyXcV2BKTrxz5nZOBYZkPqI4Y5T8kwxgpz2/QW2jUABUtNN6yPe - HU4gma+bSTJX5PnTZ/M0z0tpQezdLx5b3I2M+48ZGMUegZvcp8qU6N8U6VK5VbFD - DMTGL4b+Kc9HScRkCJjU3FfQcqf9Ml5w9jzHSeHImYEDrG0nX8N8EImRCBXbgxCl - 5XT1h6LFUGdr+N6n2w56+6l8OZZVmwj1NdF6NJybUQl4Y7b0niA+5czzjRt/YUjZ - HW0fXmx3XlbYGWYdMdS+VaIW6pkUpm8kZkqjngqLwQKBgQDfhbFQmg9lsJQ8/dQZ - WzRNsozHKWkQiZbW5sXBWygJbAB3Hc8gvQkuZe9TVyF99cznRj6ro6pGZjP0rTdY - 3ACTL+ygRArcIR6VsJCIr6nPvBLpOoNb8TQeKPmHC2gnSP9zaT/K2lldYISKNaYQ - 0seB2gvZhIgMgWtZtmb3jdgl9wKBgQDDFdknXgvFgB+y96//9wTu2WWuE5yQ5yB7 - utAcHNO9rx5X1tJqxymYh+iE8HUN25By+96SpNMQFI+0wNGVB00YWNBKtyepimWN - EUCojTy+MIXIjrLcvviEePsI4TPWYf8XtZeiYtcczYrt/wPQUYaDb8LBRfpIfmhr - rCGW93s+sQKBgEDOKTeeQyKPjJsWWL01RTfVsZ04s155FcOeyu0heb0plAT1Ho12 - YUgTg8zc8Tfs4QiYxCjNXdvlW+Dvq6FWv8/s0CUzNRbXf1+U/oKys4AoHi+CqH0q - tJqd9KKjuwHQ10dl13n/znMVPbg4j7pG8lMCnfblxvAhQbeT+8yAUo/HAoGBAL3t - /n4KXNGK3NHDvXEp0H6t3wWsiEi3DPQJO+Wy1x8caCFCv5c/kaqz3tfWt0+njSm1 - N8tzdx13tzVWaHV8Jz3l8dxcFtxEJnxB6L5wy0urOAS7kT3DG3b1xgmuH2a//7fY - jumE60NahcER/2eIh7pdS7IZbAO6NfVmH0m4Zh/xAoGAbquh60sAfLC/1O2/4Xom - PHS7z2+TNpwu4ou3nspxfigNQcTWzzzTVFLnaTPg+HKbLRXSWysjssmmj5u3lCyc - S2M9xuhApa9CrN/udz4gEojRVsTla/gyLifIZ3CtTn2QEQiIJEMxM+59KAlkgUBo - 9BeZ03xTaEZfhVZ9bEN30Ak= - -----END PRIVATE KEY----- - ''; - - snakeOilCert = '' - -----BEGIN CERTIFICATE----- - MIICvjCCAaagAwIBAgIJANhA6+PPhomZMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV - BAMMDGIwOTM0YWMwYWZkNTAeFw0xNTExMzAxNzQ3MzVaFw0yNTExMjcxNzQ3MzVa - MBcxFTATBgNVBAMMDGIwOTM0YWMwYWZkNTCCASIwDQYJKoZIhvcNAQEBBQADggEP - ADCCAQoCggEBAKpV6aKjvxHjVPMydHbMUP/AVPSJJw6kWS7K02a49/bwUtpr3BIF - aa4AZsSLvAEh/Dz9tSoUFNCnYbWbVyZwIrGGa+86Qazz14zXfWzWVb9tdTfNiyjh - 7vvbiQfBTrmNGVCzpwVYiWZbtXncdChs/Tl3L7M+m6M89KU5DSphWJHWz5GBkjyv - TBLZkOyWI21DAEslIi9fpdWdcugX8eYXj/JIn2kvYDFBcLBkTxJ8LMekCuz0I4ip - NoC7AHv2TFZIVAl7CZpvvgFeIzr0UwK0c43bg+Xs5H2xEkcfyswTNS6ammZR4I0T - MAGPNBDuy9HXxyZvNFZ62nS1P1juuPpREccCAwEAAaMNMAswCQYDVR0TBAIwADAN - BgkqhkiG9w0BAQsFAAOCAQEAd2w9rxi6qF9WV8L3rHnTE7uu0ldtdgJlCASx6ouj - TleOnjfEg+kH8r8UbmRV5vsTDn1Qp5JGDYxfytRUQwLb1zTLde0xotx37E3LY8Wr - sD6Al4t8sHywB/hc5dy29TgG0iyG8LKZrkwytLvDZ814W3OwpN2rpEz6pdizdHNn - jsoDEngZiDHvLjIyE0cDkFXkeYMGXOnBUeOcu4nfu4C5eKs3nXGGAcNDbDRIuLoE - BZExUBY+YSs6JBvh5tvRqLVW0Dz0akEcjb/jhwS2LmDip8Pdoxx4Q1jPKEu38zrr - Vd5WD2HJhLb9u0UxVp9vfWIUDgydopV5ZmWCQ5YvNepb1w== - -----END CERTIFICATE----- - ''; -in { - name = "pumpio"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ rvl ]; - }; - - nodes = { - one = - { config, pkgs, ... }: - { - services = { - pumpio = { - port = 443; - enable = true; - sslCert = pkgs.writeText "snakeoil.cert" snakeOilCert; - sslKey = pkgs.writeText "snakeoil.pem" snakeOilKey; - secretFile = pkgs.writeText "secretFile" "test123"; - site = "test"; - }; - mongodb.enable = true; - mongodb.extraConfig = '' - storage.journal.enabled: false - ''; - }; - systemd.services.mongodb.unitConfig.Before = "pump.io.service"; - systemd.services."pump.io".unitConfig.Requires = "mongodb.service"; - }; - }; - - testScript = '' - startAll; - - $one->waitForUnit("pump.io.service"); - $one->waitUntilSucceeds("curl -k https://localhost"); - ''; -}) diff --git a/nixos/tests/strongswan-swanctl.nix b/nixos/tests/strongswan-swanctl.nix new file mode 100644 index 000000000000..021743021b40 --- /dev/null +++ b/nixos/tests/strongswan-swanctl.nix @@ -0,0 +1,148 @@ +# This strongswan-swanctl test is based on: +# https://www.strongswan.org/testing/testresults/swanctl/rw-psk-ipv4/index.html +# https://github.com/strongswan/strongswan/tree/master/testing/tests/swanctl/rw-psk-ipv4 +# +# The roadwarrior carol sets up a connection to gateway moon. The authentication +# is based on pre-shared keys and IPv4 addresses. Upon the successful +# establishment of the IPsec tunnels, the specified updown script automatically +# inserts iptables-based firewall rules that let pass the tunneled traffic. In +# order to test both tunnel and firewall, carol pings the client alice behind +# the gateway moon. +# +# alice moon carol +# eth1------vlan_0------eth1 eth2------vlan_1------eth1 +# 192.168.0.1 192.168.0.3 192.168.1.3 192.168.1.2 +# +# See the NixOS manual for how to run this test: +# https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively + +import ./make-test.nix ({ pkgs, ...} : + +let + allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT"; + + # Shared VPN settings: + vlan0 = "192.168.0.0/24"; + carolIp = "192.168.1.2"; + moonIp = "192.168.1.3"; + version = 2; + secret = "0sFpZAZqEN6Ti9sqt4ZP5EWcqx"; + esp_proposals = [ "aes128gcm128-x25519" ]; + proposals = [ "aes128-sha256-x25519" ]; +in { + name = "strongswan-swanctl"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ basvandijk ]; + nodes = { + + alice = { nodes, ... } : { + virtualisation.vlans = [ 0 ]; + networking = { + dhcpcd.enable = false; + defaultGateway = "192.168.0.3"; + }; + }; + + moon = {pkgs, config, nodes, ...} : + let strongswan = config.services.strongswan-swanctl.package; + in { + virtualisation.vlans = [ 0 1 ]; + networking = { + dhcpcd.enable = false; + firewall = { + allowedUDPPorts = [ 4500 500 ]; + extraCommands = allowESP; + }; + nat = { + enable = true; + internalIPs = [ vlan0 ]; + internalInterfaces = [ "eth1" ]; + externalIP = moonIp; + externalInterface = "eth2"; + }; + }; + environment.systemPackages = [ strongswan ]; + services.strongswan-swanctl = { + enable = true; + swanctl = { + connections = { + "rw" = { + local_addrs = [ moonIp ]; + local."main" = { + auth = "psk"; + }; + remote."main" = { + auth = "psk"; + }; + children = { + "net" = { + local_ts = [ vlan0 ]; + updown = "${strongswan}/libexec/ipsec/_updown iptables"; + inherit esp_proposals; + }; + }; + inherit version; + inherit proposals; + }; + }; + secrets = { + ike."carol" = { + id."main" = carolIp; + inherit secret; + }; + }; + }; + }; + }; + + carol = {pkgs, config, nodes, ...} : + let strongswan = config.services.strongswan-swanctl.package; + in { + virtualisation.vlans = [ 1 ]; + networking = { + dhcpcd.enable = false; + firewall.extraCommands = allowESP; + }; + environment.systemPackages = [ strongswan ]; + services.strongswan-swanctl = { + enable = true; + swanctl = { + connections = { + "home" = { + local_addrs = [ carolIp ]; + remote_addrs = [ moonIp ]; + local."main" = { + auth = "psk"; + id = carolIp; + }; + remote."main" = { + auth = "psk"; + id = moonIp; + }; + children = { + "home" = { + remote_ts = [ vlan0 ]; + start_action = "trap"; + updown = "${strongswan}/libexec/ipsec/_updown iptables"; + inherit esp_proposals; + }; + }; + inherit version; + inherit proposals; + }; + }; + secrets = { + ike."moon" = { + id."main" = moonIp; + inherit secret; + }; + }; + }; + }; + }; + + }; + testScript = '' + startAll(); + $carol->waitUntilSucceeds("ping -c 1 alice"); + ''; +}) diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix new file mode 100644 index 000000000000..65aa553b3148 --- /dev/null +++ b/nixos/tests/systemd.nix @@ -0,0 +1,68 @@ +import ./make-test.nix { + name = "systemd"; + + machine = { lib, ... }: { + imports = [ common/user-account.nix common/x11.nix ]; + + virtualisation.emptyDiskImages = [ 512 ]; + + fileSystems = lib.mkVMOverride { + "/test-x-initrd-mount" = { + device = "/dev/vdb"; + fsType = "ext2"; + autoFormat = true; + noCheck = true; + options = [ "x-initrd.mount" ]; + }; + }; + + systemd.extraConfig = "DefaultEnvironment=\"XXX_SYSTEM=foo\""; + systemd.user.extraConfig = "DefaultEnvironment=\"XXX_USER=bar\""; + services.journald.extraConfig = "Storage=volatile"; + services.xserver.displayManager.auto.user = "alice"; + + systemd.services.testservice1 = { + description = "Test Service 1"; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = '' + if [ "$XXX_SYSTEM" = foo ]; then + touch /system_conf_read + fi + ''; + }; + + systemd.user.services.testservice2 = { + description = "Test Service 2"; + wantedBy = [ "default.target" ]; + serviceConfig.Type = "oneshot"; + script = '' + if [ "$XXX_USER" = bar ]; then + touch "$HOME/user_conf_read" + fi + ''; + }; + }; + + testScript = '' + $machine->waitForX; + # wait for user services + $machine->waitForUnit("default.target","alice"); + + # Regression test for https://github.com/NixOS/nixpkgs/issues/35415 + subtest "configuration files are recognized by systemd", sub { + $machine->succeed('test -e /system_conf_read'); + $machine->succeed('test -e /home/alice/user_conf_read'); + $machine->succeed('test -z $(ls -1 /var/log/journal)'); + }; + + # Regression test for https://github.com/NixOS/nixpkgs/issues/35268 + subtest "file system with x-initrd.mount is not unmounted", sub { + $machine->shutdown; + $machine->waitForUnit('multi-user.target'); + # If the file system was unmounted during the shutdown the file system + # has a last mount time, because the file system wasn't checked. + $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"'); + }; + ''; +} diff --git a/nixos/tests/transmission.nix b/nixos/tests/transmission.nix new file mode 100644 index 000000000000..34c49bd7f15b --- /dev/null +++ b/nixos/tests/transmission.nix @@ -0,0 +1,21 @@ +import ./make-test.nix ({ pkgs, ...} : { + name = "transmission"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ coconnor ]; + }; + + machine = { config, pkgs, ... }: { + imports = [ ../modules/profiles/minimal.nix ]; + + networking.firewall.allowedTCPPorts = [ 9091 ]; + + services.transmission.enable = true; + }; + + testScript = + '' + startAll; + $machine->waitForUnit("transmission"); + $machine->shutdown; + ''; +}) diff --git a/nixos/tests/udisks2.nix b/nixos/tests/udisks2.nix index 72d51c0051c0..70a999267a54 100644 --- a/nixos/tests/udisks2.nix +++ b/nixos/tests/udisks2.nix @@ -37,7 +37,8 @@ in $machine->fail("udisksctl info -b /dev/sda1"); # Attach a USB stick and wait for it to show up. - $machine->sendMonitorCommand("usb_add disk:$stick"); + $machine->sendMonitorCommand("drive_add 0 id=stick,if=none,file=$stick,format=raw"); + $machine->sendMonitorCommand("device_add usb-storage,id=stick,drive=stick"); $machine->waitUntilSucceeds("udisksctl info -b /dev/sda1"); $machine->succeed("udisksctl info -b /dev/sda1 | grep 'IdLabel:.*USBSTICK'"); @@ -52,7 +53,7 @@ in $machine->fail("[ -d /run/media/alice/USBSTICK ]"); # Remove the USB stick. - $machine->sendMonitorCommand("usb_del 0.3"); # FIXME + $machine->sendMonitorCommand("device_del stick"); $machine->waitUntilFails("udisksctl info -b /dev/sda1"); $machine->fail("[ -e /dev/sda ]"); ''; diff --git a/nixos/tests/vault.nix b/nixos/tests/vault.nix index 2c08d06f286b..515d5c8bac25 100644 --- a/nixos/tests/vault.nix +++ b/nixos/tests/vault.nix @@ -17,7 +17,7 @@ import ./make-test.nix ({ pkgs, ... }: $machine->waitForUnit('multi-user.target'); $machine->waitForUnit('vault.service'); $machine->waitForOpenPort(8200); - $machine->succeed('vault init'); - $machine->succeed('vault status | grep "Sealed: true"'); + $machine->succeed('vault operator init'); + $machine->succeed('vault status | grep Sealed | grep true'); ''; }) diff --git a/nixos/tests/virtualbox.nix b/nixos/tests/virtualbox.nix index 5574293ba377..249571fcedec 100644 --- a/nixos/tests/virtualbox.nix +++ b/nixos/tests/virtualbox.nix @@ -43,6 +43,9 @@ let "init=${pkgs.writeScript "mini-init.sh" miniInit}" ]; + # XXX: Remove this once TSS location detection has been fixed in VirtualBox + boot.kernelPackages = pkgs.linuxPackages_4_9; + fileSystems."/" = { device = "vboxshare"; fsType = "vboxsf"; diff --git a/nixos/tests/xautolock.nix b/nixos/tests/xautolock.nix new file mode 100644 index 000000000000..ee46d9e05b06 --- /dev/null +++ b/nixos/tests/xautolock.nix @@ -0,0 +1,24 @@ +import ./make-test.nix ({ pkgs, lib, ... }: + +with lib; + +{ + name = "xautolock"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ ma27 ]; + + nodes.machine = { + imports = [ ./common/x11.nix ./common/user-account.nix ]; + + services.xserver.displayManager.auto.user = "bob"; + services.xserver.xautolock.enable = true; + services.xserver.xautolock.time = 1; + }; + + testScript = '' + $machine->start; + $machine->waitForX; + $machine->mustFail("pgrep xlock"); + $machine->sleep(120); + $machine->mustSucceed("pgrep xlock"); + ''; +}) |