authorFrederik Rietdijk <fridh@fridh.nl>2020-04-03 21:54:40 +0200
committerFrederik Rietdijk <fridh@fridh.nl>2020-04-03 21:54:40 +0200
commit92124ed660c033aa3caa467876f7bc1c6f514d77 (patch)
treeeaaac3b33ba341b7068ac11e536d56bb647c6480 /nixos
parentac46ffbcfce03ad9b35c261301c008e9cf2bdb9b (diff)
parent3420bd63b9bbd4eb4e544b898a072c6fbbc9cfa9 (diff)
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2003.xml15
-rw-r--r--nixos/modules/config/vte.nix4
-rw-r--r--nixos/modules/config/xdg/autostart.nix8
-rw-r--r--nixos/modules/config/xdg/icons.nix4
-rw-r--r--nixos/modules/config/xdg/menus.nix8
-rw-r--r--nixos/modules/config/xdg/mime.nix4
-rw-r--r--nixos/modules/config/xdg/portal.nix4
-rw-r--r--nixos/modules/config/xdg/sounds.nix4
-rw-r--r--nixos/modules/hardware/sensor/iio.nix7
-rw-r--r--nixos/modules/i18n/input-method/ibus.nix4
-rw-r--r--nixos/modules/module-list.nix5
-rw-r--r--nixos/modules/profiles/hardened.nix5
-rw-r--r--nixos/modules/programs/geary.nix4
-rw-r--r--nixos/modules/programs/gnome-disks.nix4
-rw-r--r--nixos/modules/programs/gnome-documents.nix4
-rw-r--r--nixos/modules/programs/gnome-terminal.nix6
-rw-r--r--nixos/modules/programs/nm-applet.nix4
-rw-r--r--nixos/modules/services/amqp/activemq/default.nix8
-rw-r--r--nixos/modules/services/backup/borgbackup.nix28
-rw-r--r--nixos/modules/services/backup/borgbackup.xml227
-rw-r--r--nixos/modules/services/backup/syncoid.nix6
-rw-r--r--nixos/modules/services/cluster/hadoop/default.nix32
-rw-r--r--nixos/modules/services/continuous-integration/buildkite-agents.nix4
-rw-r--r--nixos/modules/services/databases/postgresql.xml103
-rw-r--r--nixos/modules/services/desktops/accountsservice.nix4
-rw-r--r--nixos/modules/services/desktops/bamf.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/at-spi2-core.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/evolution-data-server.nix6
-rw-r--r--nixos/modules/services/desktops/gnome3/glib-networking.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-keyring.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-online-miners.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/gnome-user-share.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/rygel.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/sushi.nix4
-rw-r--r--nixos/modules/services/desktops/gnome3/tracker-miners.nix5
-rw-r--r--nixos/modules/services/desktops/gnome3/tracker.nix4
-rw-r--r--nixos/modules/services/desktops/gvfs.nix4
-rw-r--r--nixos/modules/services/desktops/pantheon/contractor.nix18
-rw-r--r--nixos/modules/services/desktops/pipewire.nix6
-rw-r--r--nixos/modules/services/desktops/telepathy.nix4
-rw-r--r--nixos/modules/services/desktops/tumbler.nix4
-rw-r--r--nixos/modules/services/desktops/zeitgeist.nix5
-rw-r--r--nixos/modules/services/mail/sympa.nix12
-rw-r--r--nixos/modules/services/misc/nix-daemon.nix58
-rw-r--r--nixos/modules/services/network-filesystems/netatalk.nix5
-rw-r--r--nixos/modules/services/network-filesystems/rsyncd.nix5
-rw-r--r--nixos/modules/services/network-filesystems/samba.nix5
-rw-r--r--nixos/modules/services/networking/3proxy.nix10
-rw-r--r--nixos/modules/services/networking/dnscache.nix10
-rw-r--r--nixos/modules/services/networking/magic-wormhole-mailbox-server.nix (renamed from nixos/modules/services/mail/magic-wormhole-mailbox-server.nix)0
-rw-r--r--nixos/modules/services/networking/mullvad-vpn.nix43
-rw-r--r--nixos/modules/services/networking/ndppd.nix10
-rw-r--r--nixos/modules/services/networking/networkmanager.nix4
-rw-r--r--nixos/modules/services/networking/pixiecore.nix134
-rw-r--r--nixos/modules/services/networking/strongswan.nix30
-rw-r--r--nixos/modules/services/networking/syncthing.nix14
-rw-r--r--nixos/modules/services/networking/wg-quick.nix2
-rw-r--r--nixos/modules/services/web-apps/moinmoin.nix2
-rw-r--r--nixos/modules/services/web-apps/youtrack.nix8
-rw-r--r--nixos/modules/services/x11/desktop-managers/gnome3.nix4
-rw-r--r--nixos/modules/services/x11/desktop-managers/xfce.nix4
-rw-r--r--nixos/modules/services/x11/display-managers/account-service-util.nix5
-rw-r--r--nixos/modules/services/x11/display-managers/default.nix8
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix4
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix4
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix4
-rw-r--r--nixos/modules/tasks/filesystems/zfs.nix1
-rw-r--r--nixos/modules/virtualisation/containers.nix8
-rw-r--r--nixos/tests/os-prober.nix2
74 files changed, 876 insertions, 134 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index 76b12af362f..606add95f30 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -757,6 +757,12 @@ auth required pam_succeed_if.so uid >= 1000 quiet
      </warning>
     </para>
    </listitem>
+   <listitem>
+     <para>
+       The TokuDB storage engine will be disabled in <package>mariadb</package> 10.5. It is recommended to switch
+       to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -888,6 +894,15 @@ auth required pam_succeed_if.so uid >= 1000 quiet
   <listitem>
    <para>
     <package>mongodb</package> has been updated to version <literal>3.4.24</literal>.
+    <warning>
+     <para>
+      Please note that <package>mongodb</package> has been relicensed under their own
+      <link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal>
+      sspl</literal></link>-license. Since it's not entirely free and not OSI-approved,
+      it's listed as non-free. This means that Hydra doesn't provide prebuilt
+      <package>mongodb</package>-packages and needs to be built locally.
+     </para>
+    </warning>
    </para>
   </listitem>
   </itemizedlist>
diff --git a/nixos/modules/config/vte.nix b/nixos/modules/config/vte.nix
index d4a8c926fef..24d32a00fd4 100644
--- a/nixos/modules/config/vte.nix
+++ b/nixos/modules/config/vte.nix
@@ -16,6 +16,10 @@ in
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   options = {
 
     programs.bash.vteIntegration = mkOption {
diff --git a/nixos/modules/config/xdg/autostart.nix b/nixos/modules/config/xdg/autostart.nix
index 0ee94fed818..40984cb5ec5 100644
--- a/nixos/modules/config/xdg/autostart.nix
+++ b/nixos/modules/config/xdg/autostart.nix
@@ -2,19 +2,23 @@
 
 with lib;
 {
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   options = {
     xdg.autostart.enable = mkOption {
       type = types.bool;
       default = true;
       description = ''
-        Whether to install files to support the 
+        Whether to install files to support the
         <link xlink:href="https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html">XDG Autostart specification</link>.
       '';
     };
   };
 
   config = mkIf config.xdg.autostart.enable {
-    environment.pathsToLink = [ 
+    environment.pathsToLink = [
       "/etc/xdg/autostart"
     ];
   };
diff --git a/nixos/modules/config/xdg/icons.nix b/nixos/modules/config/xdg/icons.nix
index 4677ce090b0..c83fdc251ef 100644
--- a/nixos/modules/config/xdg/icons.nix
+++ b/nixos/modules/config/xdg/icons.nix
@@ -2,6 +2,10 @@
 
 with lib;
 {
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   options = {
     xdg.icons.enable = mkOption {
       type = types.bool;
diff --git a/nixos/modules/config/xdg/menus.nix b/nixos/modules/config/xdg/menus.nix
index c172692df5d..6735a7a5c43 100644
--- a/nixos/modules/config/xdg/menus.nix
+++ b/nixos/modules/config/xdg/menus.nix
@@ -2,19 +2,23 @@
 
 with lib;
 {
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   options = {
     xdg.menus.enable = mkOption {
       type = types.bool;
       default = true;
       description = ''
-        Whether to install files to support the 
+        Whether to install files to support the
         <link xlink:href="https://specifications.freedesktop.org/menu-spec/menu-spec-latest.html">XDG Desktop Menu specification</link>.
       '';
     };
   };
 
   config = mkIf config.xdg.menus.enable {
-    environment.pathsToLink = [ 
+    environment.pathsToLink = [
       "/share/applications"
       "/share/desktop-directories"
       "/etc/xdg/menus"
diff --git a/nixos/modules/config/xdg/mime.nix b/nixos/modules/config/xdg/mime.nix
index a5374c2b468..4cdb3f30994 100644
--- a/nixos/modules/config/xdg/mime.nix
+++ b/nixos/modules/config/xdg/mime.nix
@@ -2,6 +2,10 @@
 
 with lib;
 {
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   options = {
     xdg.mime.enable = mkOption {
       type = types.bool;
diff --git a/nixos/modules/config/xdg/portal.nix b/nixos/modules/config/xdg/portal.nix
index 1330a08070c..3c7cd729c60 100644
--- a/nixos/modules/config/xdg/portal.nix
+++ b/nixos/modules/config/xdg/portal.nix
@@ -7,6 +7,10 @@ with lib;
     (mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ])
   ];
 
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   options.xdg.portal = {
     enable =
       mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{
diff --git a/nixos/modules/config/xdg/sounds.nix b/nixos/modules/config/xdg/sounds.nix
index 14d6340fc33..0b94f550929 100644
--- a/nixos/modules/config/xdg/sounds.nix
+++ b/nixos/modules/config/xdg/sounds.nix
@@ -2,6 +2,10 @@
 
 with lib;
 {
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   options = {
     xdg.sounds.enable = mkOption {
       type = types.bool;
diff --git a/nixos/modules/hardware/sensor/iio.nix b/nixos/modules/hardware/sensor/iio.nix
index a8bc1880002..4c359c3b172 100644
--- a/nixos/modules/hardware/sensor/iio.nix
+++ b/nixos/modules/hardware/sensor/iio.nix
@@ -8,7 +8,12 @@ with lib;
   options = {
     hardware.sensor.iio = {
       enable = mkOption {
-        description = "Enable this option to support IIO sensors.";
+        description = ''
+          Enable this option to support IIO sensors.
+
+          IIO sensors are used for orientation and ambient light
+          sensors on some mobile devices.
+        '';
         type = types.bool;
         default = false;
       };
diff --git a/nixos/modules/i18n/input-method/ibus.nix b/nixos/modules/i18n/input-method/ibus.nix
index a3d97619fc4..b6a21c369e5 100644
--- a/nixos/modules/i18n/input-method/ibus.nix
+++ b/nixos/modules/i18n/input-method/ibus.nix
@@ -75,5 +75,9 @@ in
       QT_IM_MODULE = "ibus";
       XMODIFIERS = "@im=ibus";
     };
+
+    xdg.portal.extraPortals = mkIf xdg.portal.enable [
+      ibusPackage
+    ];
   };
 }
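Review bot: In the added `xdg.portal.extraPortals` line the condition reads `xdg.portal.enable`, and no `xdg` binding is visible in this hunk; unless one is defined earlier in the file, this is an undefined variable and the module fails to evaluate. Other modules in this commit read option values through `config` (for example `mkIf config.xdg.autostart.enable`), so the line should probably be `xdg.portal.extraPortals = mkIf config.xdg.portal.enable [ ibusPackage ];`. The enclosing `config` block starts outside the hunk.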
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 7633f1ca0ad..c3d2bb85809 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -295,7 +295,6 @@
   ./services/desktops/deepin/deepin.nix
   ./services/desktops/dleyna-renderer.nix
   ./services/desktops/dleyna-server.nix
-  ./services/desktops/pantheon/contractor.nix
   ./services/desktops/pantheon/files.nix
   ./services/desktops/flatpak.nix
   ./services/desktops/geoclue2.nix
@@ -396,7 +395,6 @@
   ./services/mail/mailcatcher.nix
   ./services/mail/mailhog.nix
   ./services/mail/mailman.nix
-  ./services/mail/magic-wormhole-mailbox-server.nix
   ./services/mail/mlmmj.nix
   ./services/mail/offlineimap.nix
   ./services/mail/opendkim.nix
@@ -645,6 +643,7 @@
   ./services/networking/lldpd.nix
   ./services/networking/logmein-hamachi.nix
   ./services/networking/mailpile.nix
+  ./services/networking/magic-wormhole-mailbox-server.nix
   ./services/networking/matterbridge.nix
   ./services/networking/mjpg-streamer.nix
   ./services/networking/minidlna.nix
@@ -655,6 +654,7 @@
   ./services/networking/miredo.nix
   ./services/networking/mstpd.nix
   ./services/networking/mtprotoproxy.nix
+  ./services/networking/mullvad-vpn.nix
   ./services/networking/murmur.nix
   ./services/networking/mxisd.nix
   ./services/networking/namecoind.nix
@@ -683,6 +683,7 @@
   ./services/networking/ostinato.nix
   ./services/networking/owamp.nix
   ./services/networking/pdnsd.nix
+  ./services/networking/pixiecore.nix
   ./services/networking/polipo.nix
   ./services/networking/powerdns.nix
   ./services/networking/pdns-recursor.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index f7b2f5c7fc1..da3de444768 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -14,12 +14,17 @@ with lib;
 
   nix.allowedUsers = mkDefault [ "@users" ];
 
+  environment.memoryAllocator.provider = mkDefault "scudo";
+  environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
   security.hideProcessInformation = mkDefault true;
 
   security.lockKernelModules = mkDefault true;
 
   security.allowUserNamespaces = mkDefault false;
 
+  nix.useSandbox = mkDefault false;
+
   security.protectKernelImage = mkDefault true;
 
   security.allowSimultaneousMultithreading = mkDefault false;
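Review bot: `nix.useSandbox = mkDefault false;` turns off build isolation in a profile whose purpose is hardening, and nothing at the new line says why. Its position directly after `security.allowUserNamespaces = mkDefault false;` suggests the sandbox cannot run once user namespaces are disabled, but that is inferred from placement, not stated. A comment such as `# The Nix build sandbox needs user namespaces, which are disabled above; enable both together if sandboxed builds are required.` would make the trade-off visible to anyone importing the profile. The two scudo lines would likewise benefit from a one-line comment saying that the allocator is switched system-wide and what `ZeroContents=1` is meant to achieve.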
diff --git a/nixos/modules/programs/geary.nix b/nixos/modules/programs/geary.nix
index 01803bc411e..5e441a75cb6 100644
--- a/nixos/modules/programs/geary.nix
+++ b/nixos/modules/programs/geary.nix
@@ -6,6 +6,10 @@ let
   cfg = config.programs.geary;
 
 in {
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   options = {
     programs.geary.enable = mkEnableOption "Geary, a Mail client for GNOME 3";
   };
diff --git a/nixos/modules/programs/gnome-disks.nix b/nixos/modules/programs/gnome-disks.nix
index 1cf839a6ddb..80dc2983ea5 100644
--- a/nixos/modules/programs/gnome-disks.nix
+++ b/nixos/modules/programs/gnome-disks.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   # Added 2019-08-09
   imports = [
     (mkRenamedOptionModule
diff --git a/nixos/modules/programs/gnome-documents.nix b/nixos/modules/programs/gnome-documents.nix
index bfa3d409ee3..9dd53483055 100644
--- a/nixos/modules/programs/gnome-documents.nix
+++ b/nixos/modules/programs/gnome-documents.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   # Added 2019-08-09
   imports = [
     (mkRenamedOptionModule
diff --git a/nixos/modules/programs/gnome-terminal.nix b/nixos/modules/programs/gnome-terminal.nix
index 0036677a157..f2617e5bc03 100644
--- a/nixos/modules/programs/gnome-terminal.nix
+++ b/nixos/modules/programs/gnome-terminal.nix
@@ -12,6 +12,10 @@ in
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   # Added 2019-08-19
   imports = [
     (mkRenamedOptionModule
@@ -20,9 +24,7 @@ in
   ];
 
   options = {
-
     programs.gnome-terminal.enable = mkEnableOption "GNOME Terminal";
-
   };
 
   config = mkIf cfg.enable {
diff --git a/nixos/modules/programs/nm-applet.nix b/nixos/modules/programs/nm-applet.nix
index 1b806071c43..273a6dec59a 100644
--- a/nixos/modules/programs/nm-applet.nix
+++ b/nixos/modules/programs/nm-applet.nix
@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
 {
+  meta = {
+    maintainers = lib.teams.freedesktop.members;
+  };
+
   options.programs.nm-applet.enable = lib.mkEnableOption "nm-applet";
 
   config = lib.mkIf config.programs.nm-applet.enable {
diff --git a/nixos/modules/services/amqp/activemq/default.nix b/nixos/modules/services/amqp/activemq/default.nix
index 7729da27304..160dbddcd48 100644
--- a/nixos/modules/services/amqp/activemq/default.nix
+++ b/nixos/modules/services/amqp/activemq/default.nix
@@ -63,9 +63,11 @@ in {
       javaProperties = mkOption {
         type = types.attrs;
         default = { };
-        example = {
-          "java.net.preferIPv4Stack" = "true";
-        };
+        example = literalExample ''
+          {
+            "java.net.preferIPv4Stack" = "true";
+          }
+        '';
         apply = attrs: {
           "activemq.base" = "${cfg.baseDir}";
           "activemq.data" = "${cfg.baseDir}/data";
diff --git a/nixos/modules/services/backup/borgbackup.nix b/nixos/modules/services/backup/borgbackup.nix
index a2eb80c55a8..be661b201f0 100644
--- a/nixos/modules/services/backup/borgbackup.nix
+++ b/nixos/modules/services/backup/borgbackup.nix
@@ -189,6 +189,7 @@ let
 
 in {
   meta.maintainers = with maintainers; [ dotlambda ];
+  meta.doc = ./borgbackup.xml;
 
   ###### interface
 
@@ -197,10 +198,11 @@ in {
       Deduplicating backups using BorgBackup.
       Adding a job will cause a borg-job-NAME wrapper to be added
       to your system path, so that you can perform maintenance easily.
+      See also the chapter about BorgBackup in the NixOS manual.
     '';
     default = { };
     example = literalExample ''
-      {
+      { # for a local backup
         rootBackup = {
           paths = "/";
           exclude = [ "/nix" ];
@@ -213,6 +215,23 @@ in {
           startAt = "weekly";
         };
       }
+      { # Root backing each day up to a remote backup server. We assume that you have
+        #   * created a password less key: ssh-keygen -N "" -t ed25519 -f /path/to/ssh_key
+        #     best practices are: use -t ed25519, /path/to = /run/keys
+        #   * the passphrase is in the file /run/keys/borgbackup_passphrase
+        #   * you have initialized the repository manually
+        paths = [ "/etc" "/home" ];
+        exclude = [ "/nix" "'**/.cache'" ];
+        doInit = false;
+        repo =  "user3@arep.repo.borgbase.com:repo";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat /path/to/passphrase";
+        };
+        environment = { BORG_RSH = "ssh -i /path/to/ssh_key"; };
+        compression = "auto,lzma";
+        startAt = "daily";
+    };
     '';
     type = types.attrsOf (types.submodule (let globalConfig = config; in
       { name, config, ... }: {
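Review bot: The `literalExample` now holds two attribute sets back to back, and the second closes with `};` at a different indent from its opening `{`, so the example is not a valid Nix expression and cannot be pasted as shown. The second set also lists job options (`paths`, `repo`, and so on) directly, without a job name like `rootBackup` in the first. Its comments say the passphrase is in `/run/keys/borgbackup_passphrase` while `passCommand` reads `cat /path/to/passphrase`, and they recommend keeping a passphrase-less SSH key under `/run/keys` without saying how it gets there or whether that path persists across reboots. I would merge both jobs into one set, in the shape `rootBackup = { ... }; remoteBackup = { ... };`, and make the file paths in the comments and the options agree.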
@@ -268,6 +287,8 @@ in {
               <manvolnum>7</manvolnum></citerefentry>.
               If you do not want the backup to start
               automatically, use <literal>[ ]</literal>.
+              It will generate a systemd service borgbackup-job-NAME.
+              You may trigger it manually via systemctl restart borgbackup-job-NAME.
             '';
           };
 
@@ -303,6 +324,10 @@ in {
               you to specify a <option>passCommand</option>
               or a <option>passphrase</option>.
             '';
+            example = ''
+              encryption.mode = "repokey-blake2" ;
+              encryption.passphrase = "mySecretPassphrase" ;
+            '';
           };
 
           encryption.passCommand = mkOption {
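Review bot: The new `example` for `encryption.mode` shows `encryption.passphrase = "mySecretPassphrase"`, which teaches readers to put the repository passphrase inline; the manual chapter added in this same commit warns that such a value ends up in the world-readable Nix store. The example should show the `passCommand` form instead, e.g. `encryption.passCommand = "cat /run/keys/borgbackup_passphrase";`. It is also a plain string and not a `literalExample`, unlike the other examples touched in this commit, so it would presumably be rendered as a quoted string. The option's definition starts outside the hunk.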
@@ -538,6 +563,7 @@ in {
     description = ''
       Serve BorgBackup repositories to given public SSH keys,
       restricting their access to the repository only.
+      See also the chapter about BorgBackup in the NixOS manual.
       Also, clients do not need to specify the absolute path when accessing the repository,
       i.e. <literal>user@machine:.</literal> is enough. (Note colon and dot.)
     '';
diff --git a/nixos/modules/services/backup/borgbackup.xml b/nixos/modules/services/backup/borgbackup.xml
new file mode 100644
index 00000000000..bef7db608f8
--- /dev/null
+++ b/nixos/modules/services/backup/borgbackup.xml
@@ -0,0 +1,227 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="module-borgbase">
+ <title>BorgBackup</title>
+  <para>
+  <emphasis>Source:</emphasis>
+  <filename>modules/services/backup/borgbackup.nix</filename>
+ </para>
+ <para>
+  <emphasis>Upstream documentation:</emphasis>
+  <link xlink:href="https://borgbackup.readthedocs.io/"/>
+ </para>
+ <para>
+  <link xlink:href="https://www.borgbackup.org/">BorgBackup</link> (short: Borg)
+  is a deduplicating backup program. Optionally, it supports compression and
+  authenticated encryption.
+  </para>
+  <para>
+  The main goal of Borg is to provide an efficient and secure way to backup
+  data. The data deduplication technique used makes Borg suitable for daily
+  backups since only changes are stored. The authenticated encryption technique
+  makes it suitable for backups to not fully trusted targets.
+ </para>
+  <section xml:id="module-services-backup-borgbackup-configuring">
+  <title>Configuring</title>
+  <para>
+   A complete list of options for the Borgbase module may be found
+   <link linkend="opt-services.borgbackup.jobs">here</link>.
+  </para>
+</section>
+ <section xml:id="opt-services-backup-borgbackup-local-directory">
+  <title>Basic usage for a local backup</title>
+
+  <para>
+   A very basic configuration for backing up to a locally accessible directory
+   is:
+<programlisting>
+{
+    opt.services.borgbackup.jobs = {
+      { rootBackup = {
+          paths = "/";
+          exclude = [ "/nix" "/path/to/local/repo" ];
+          repo = "/path/to/local/repo";
+          doInit = true;
+          encryption = {
+            mode = "repokey";
+            passphrase = "secret";
+          };
+          compression = "auto,lzma";
+          startAt = "weekly";
+        };
+      }
+    };
+}</programlisting>
+  </para>
+  <warning>
+    <para>
+        If you do not want the passphrase to be stored in the world-readable
+        Nix store, use passCommand. You find an example below.
+    </para>
+  </warning>
+ </section>
+<section xml:id="opt-services-backup-create-server">
+  <title>Create a borg backup server</title>
+  <para>You should use a different SSH key for each repository you write to,
+    because the specified keys are restricted to running borg serve and can only
+    access this single repository. You need the output of the generate pub file.
+  </para>
+    <para>
+        <programlisting>
+# sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_my_borg_repo
+# cat /run/keys/id_ed25519_my_borg_repo
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos</programlisting>
+    </para>
+    <para>
+      Add the following snippet to your NixOS configuration:
+      <programlisting>
+{
+  services.borgbackup.repos = {
+    my_borg_repo = {
+      authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos"
+      ] ;
+      path = "/var/lib/my_borg_repo" ;
+    };
+  };
+}</programlisting>
+    </para>
+</section>
+
+ <section xml:id="opt-services-backup-borgbackup-remote-server">
+  <title>Backup to the borg repository server</title>
+  <para>The following NixOS snippet creates an hourly backup to the service
+    (on the host nixos) as created in the section above. We assume
+    that you have stored a secret passphrasse in the file
+    <code>/run/keys/borgbackup_passphrase</code>, which should be only
+    accessible by root
+  </para>
+  <para>
+      <programlisting>
+{
+  services.borgbackup.jobs = {
+    backupToLocalServer = {
+      paths = [ "/etc/nixos" ];
+      doInit = true;
+      repo =  "borg@nixos:." ;
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /run/keys/borgbackup_passphrase";
+      };
+      environment = { BORG_RSH = "ssh -i /run/keys/id_ed25519_my_borg_repo"; };
+      compression = "auto,lzma";
+      startAt = "hourly";
+    };
+  };
+};</programlisting>
+  </para>
+  <para>The following few commands (run as root) let you test your backup.
+      <programlisting>
+> nixos-rebuild switch
+...restarting the following units: polkit.service
+> systemctl restart borgbackup-job-backupToLocalServer
+> sleep 10
+> systemctl restart borgbackup-job-backupToLocalServer
+> export BORG_PASSPHRASE=topSecrect
+> borg list --rsh='ssh -i /run/keys/id_ed25519_my_borg_repo' borg@nixos:.
+nixos-backupToLocalServer-2020-03-30T21:46:17 Mon, 2020-03-30 21:46:19 [84feb97710954931ca384182f5f3cb90665f35cef214760abd7350fb064786ac]
+nixos-backupToLocalServer-2020-03-30T21:46:30 Mon, 2020-03-30 21:46:32 [e77321694ecd160ca2228611747c6ad1be177d6e0d894538898de7a2621b6e68]</programlisting>
+    </para>
+</section>
+
+ <section xml:id="opt-services-backup-borgbackup-borgbase">
+  <title>Backup to a hosting service</title>
+
+  <para>
+    Several companies offer <link
+      xlink:href="https://www.borgbackup.org/support/commercial.html">(paid)
+      hosting services</link> for Borg repositories.
+  </para>
+  <para>
+    To backup your home directory to borgbase you have to:
+  </para>
+  <itemizedlist>
+  <listitem>
+    <para>
+      Generate a SSH key without a password, to access the remote server. E.g.
+    </para>
+    <para>
+        <programlisting>sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_borgbase</programlisting>
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      Create the repository on the server by following the instructions for your
+      hosting server.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      Initialize the repository on the server. Eg.
+      <programlisting>
+sudo borg init --encryption=repokey-blake2  \
+    -rsh "ssh -i /run/keys/id_ed25519_borgbase" \
+    zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo</programlisting>
+  </para>
+  </listitem>
+  <listitem>
+<para>Add it to your NixOS configuration, e.g.
+<programlisting>
+{
+    services.borgbackup.jobs = {
+    my_Remote_Backup = {
+        paths = [ "/" ];
+        exclude = [ "/nix" "'**/.cache'" ];
+        repo =  "zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo";
+          encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat /run/keys/borgbackup_passphrase";
+        };
+        BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase";
+        compression = "auto,lzma";
+        startAt = "daily";
+    };
+  };
+}}</programlisting>
+  </para>
+  </listitem>
+</itemizedlist>
+ </section>
+  <section xml:id="opt-services-backup-borgbackup-vorta">
+  <title>Vorta backup client for the desktop</title>
+  <para>
+    Vorta is a backup client for macOS and Linux desktops. It integrates the
+    mighty BorgBackup with your desktop environment to protect your data from
+    disk failure, ransomware and theft.
+  </para>
+  <para>
+    It is available as a flatpak package. To enable it you must set the
+    following two configuration items.
+  </para>
+  <para>
+    <programlisting>
+services.flatpak.enable = true ;
+# next line is needed to avoid the Error
+# Error deploying: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown:
+services.accounts-daemon.enable = true;
+    </programlisting>
+  </para>
+  <para>As a normal user you must first install, then run vorta using the
+    following commands:
+    <programlisting>
+flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+flatpak install flathub com.borgbase.Vorta
+flatpak run --branch=stable --arch=x86_64 --command=vorta com.borgbase.Vorta
+</programlisting>
+    After running <code>flatpak install</code> you can start Vorta also via
+        the KDE application menu.
+  </para>
+  <para>
+    Details about using Vorta can be found under <link
+      xlink:href="https://vorta.borgbase.com/usage">https://vorta.borgbase.com
+      </link>.
+  </para>
+ </section>
+</chapter>
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index 53787a0182a..fff119c2cf0 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -138,7 +138,11 @@ in {
           };
         }));
         default = {};
-        example."pool/test".target = "root@target:pool/test";
+        example = literalExample ''
+          {
+            "pool/test".target = "root@target:pool/test";
+          }
+        '';
         description = "Syncoid commands to run.";
       };
     };
diff --git a/nixos/modules/services/cluster/hadoop/default.nix b/nixos/modules/services/cluster/hadoop/default.nix
index f0f5a6ecbfc..bfb73f68371 100644
--- a/nixos/modules/services/cluster/hadoop/default.nix
+++ b/nixos/modules/services/cluster/hadoop/default.nix
@@ -7,33 +7,41 @@ with lib;
   options.services.hadoop = {
     coreSite = mkOption {
       default = {};
-      example = {
-        "fs.defaultFS" = "hdfs://localhost";
-      };
+      example = literalExample ''
+        {
+          "fs.defaultFS" = "hdfs://localhost";
+        }
+      '';
       description = "Hadoop core-site.xml definition";
     };
 
     hdfsSite = mkOption {
       default = {};
-      example = {
-        "dfs.nameservices" = "namenode1";
-      };
+      example = literalExample ''
+        {
+          "dfs.nameservices" = "namenode1";
+        }
+      '';
       description = "Hadoop hdfs-site.xml definition";
     };
 
     mapredSite = mkOption {
       default = {};
-      example = {
-        "mapreduce.map.cpu.vcores" = "1";
-      };
+      example = literalExample ''
+        {
+          "mapreduce.map.cpu.vcores" = "1";
+        }
+      '';
       description = "Hadoop mapred-site.xml definition";
     };
 
     yarnSite = mkOption {
       default = {};
-      example = {
-        "yarn.resourcemanager.ha.id" = "resourcemanager1";
-      };
+      example = literalExample ''
+        {
+          "yarn.resourcemanager.ha.id" = "resourcemanager1";
+        }
+      '';
       description = "Hadoop yarn-site.xml definition";
     };
 
diff --git a/nixos/modules/services/continuous-integration/buildkite-agents.nix b/nixos/modules/services/continuous-integration/buildkite-agents.nix
index c17d89c387a..b0045409ae6 100644
--- a/nixos/modules/services/continuous-integration/buildkite-agents.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agents.nix
@@ -208,8 +208,12 @@ in
       description = "Buildkite agent user";
       extraGroups = [ "keys" ];
       isSystemUser = true;
+      group = "buildkite-agent-${name}";
     };
   });
+  config.users.groups = mapAgents (name: cfg: {
+    "buildkite-agent-${name}" = {};
+  });
 
   config.systemd.services = mapAgents (name: cfg: {
     "buildkite-agent-${name}" =
diff --git a/nixos/modules/services/databases/postgresql.xml b/nixos/modules/services/databases/postgresql.xml
index 72d4a8249a3..07af4c937f0 100644
--- a/nixos/modules/services/databases/postgresql.xml
+++ b/nixos/modules/services/databases/postgresql.xml
@@ -7,12 +7,10 @@
 <!-- FIXME: render nicely -->
 <!-- FIXME: source can be added automatically -->
  <para>
-  <emphasis>Source:</emphasis>
-  <filename>modules/services/databases/postgresql.nix</filename>
+  <emphasis>Source:</emphasis> <filename>modules/services/databases/postgresql.nix</filename>
  </para>
  <para>
-  <emphasis>Upstream documentation:</emphasis>
-  <link xlink:href="http://www.postgresql.org/docs/"/>
+  <emphasis>Upstream documentation:</emphasis> <link xlink:href="http://www.postgresql.org/docs/"/>
  </para>
 <!-- FIXME: more stuff, like maintainer? -->
  <para>
@@ -23,18 +21,12 @@
   <title>Configuring</title>
 
   <para>
-   To enable PostgreSQL, add the following to your
-   <filename>configuration.nix</filename>:
+   To enable PostgreSQL, add the following to your <filename>configuration.nix</filename>:
 <programlisting>
 <xref linkend="opt-services.postgresql.enable"/> = true;
 <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11;
 </programlisting>
-   Note that you are required to specify the desired version of PostgreSQL
-   (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your
-   PostgreSQL version requires a database dump and reload (see below), NixOS
-   cannot provide a default value for
-   <xref linkend="opt-services.postgresql.package"/> such as the most recent
-   release of PostgreSQL.
+   Note that you are required to specify the desired version of PostgreSQL (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for <xref linkend="opt-services.postgresql.package"/> such as the most recent release of PostgreSQL.
   </para>
 
 <!--
@@ -51,9 +43,7 @@ Type "help" for help.
 -->
 
   <para>
-   By default, PostgreSQL stores its databases in
-   <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using
-   <xref linkend="opt-services.postgresql.dataDir"/>, e.g.
+   By default, PostgreSQL stores its databases in <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using <xref linkend="opt-services.postgresql.dataDir"/>, e.g.
 <programlisting>
 <xref linkend="opt-services.postgresql.dataDir"/> = "/data/postgresql";
 </programlisting>
@@ -63,25 +53,83 @@ Type "help" for help.
   <title>Upgrading</title>
 
   <para>
-   FIXME: document dump/upgrade/load cycle.
+   Major PostgreSQL upgrade requires PostgreSQL downtime and a few imperative steps to be called. To simplify this process, use the following NixOS module:
+<programlisting>
+  containers.temp-pg.config.services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_12;
+    ## set a custom new dataDir
+    # dataDir = "/some/data/dir";
+  };
+  environment.systemPackages =
+    let newpg = config.containers.temp-pg.config.services.postgresql;
+    in [
+      (pkgs.writeScriptBin "upgrade-pg-cluster" ''
+        set -x
+        export OLDDATA="${config.services.postgresql.dataDir}"
+        export NEWDATA="${newpg.dataDir}"
+        export OLDBIN="${config.services.postgresql.package}/bin"
+        export NEWBIN="${newpg.package}/bin"
+
+        install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+        cd "$NEWDATA"
+        sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+
+        systemctl stop postgresql    # old one
+
+        sudo -u postgres $NEWBIN/pg_upgrade \
+          --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+          --old-bindir $OLDBIN --new-bindir $NEWBIN \
+          "$@"
+      '')
+    ];
+</programlisting>
   </para>
+
+  <para>
+   The upgrade process is:
+  </para>
+
+  <orderedlist>
+   <listitem>
+    <para>
+     Rebuild nixos configuration with the configuration above added to your <filename>configuration.nix</filename>. Alternatively, add that into separate file and reference it in <literal>imports</literal> list.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Login as root (<literal>sudo su -</literal>)
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Run <literal>upgrade-pg-cluster</literal>. It will stop old postgresql, initialize new one and migrate old one to new one. You may supply arguments like <literal>--jobs 4</literal> and <literal>--link</literal> to speedup migration process. See <link xlink:href="https://www.postgresql.org/docs/current/pgupgrade.html" /> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Change postgresql package in NixOS configuration to the one you were upgrading to, and change <literal>dataDir</literal> to the one you have migrated to. Rebuild NixOS. This should start new postgres using upgraded data directory.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     After upgrade you may want to <literal>ANALYZE</literal> new db.
+    </para>
+   </listitem>
+  </orderedlist>
  </section>
  <section xml:id="module-services-postgres-options">
   <title>Options</title>
 
   <para>
-   A complete list of options for the PostgreSQL module may be found
-   <link linkend="opt-services.postgresql.enable">here</link>.
+   A complete list of options for the PostgreSQL module may be found <link linkend="opt-services.postgresql.enable">here</link>.
   </para>
  </section>
  <section xml:id="module-services-postgres-plugins">
   <title>Plugins</title>
 
   <para>
-   Plugins collection for each PostgreSQL version can be accessed with
-   <literal>.pkgs</literal>. For example, for
-   <literal>pkgs.postgresql_11</literal> package, its plugin collection is
-   accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
+   Plugins collection for each PostgreSQL version can be accessed with <literal>.pkgs</literal>. For example, for <literal>pkgs.postgresql_11</literal> package, its plugin collection is accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
 <screen>
 <prompt>$ </prompt>nix repl '&lt;nixpkgs&gt;'
 
@@ -98,8 +146,9 @@ postgresql_11.pkgs.pg_partman        postgresql_11.pkgs.pgroonga
 ...
 </screen>
   </para>
+
   <para>
-    To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>:
+   To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>:
 <programlisting>
 <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11;
 <xref linkend="opt-services.postgresql.extraPlugins"/> = with pkgs.postgresql_11.pkgs; [
@@ -108,10 +157,9 @@ postgresql_11.pkgs.pg_partman        postgresql_11.pkgs.pgroonga
 ];
 </programlisting>
   </para>
+
   <para>
-   You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using
-   function <literal>.withPackages</literal>. For example, creating a custom
-   PostgreSQL package in an overlay can look like:
+   You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function <literal>.withPackages</literal>. For example, creating a custom PostgreSQL package in an overlay can look like:
 <programlisting>
 self: super: {
   postgresql_custom = self.postgresql_11.withPackages (ps: [
@@ -121,8 +169,9 @@ self: super: {
 }
 </programlisting>
   </para>
+
   <para>
-    Here's a recipe on how to override a particular plugin through an overlay:
+   Here's a recipe on how to override a particular plugin through an overlay:
 <programlisting>
 self: super: {
   postgresql_11 = super.postgresql_11.override { this = self.postgresql_11; } // {
diff --git a/nixos/modules/services/desktops/accountsservice.nix b/nixos/modules/services/desktops/accountsservice.nix
index c48036a99e8..ae2ecb5ffeb 100644
--- a/nixos/modules/services/desktops/accountsservice.nix
+++ b/nixos/modules/services/desktops/accountsservice.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/bamf.nix b/nixos/modules/services/desktops/bamf.nix
index 0928ee81a64..4b35146d084 100644
--- a/nixos/modules/services/desktops/bamf.nix
+++ b/nixos/modules/services/desktops/bamf.nix
@@ -5,6 +5,10 @@
 with lib;
 
 {
+  meta = {
+    maintainers = with maintainers; [ worldofpeace ];
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
index 8fa108c4f9d..492242e3296 100644
--- a/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
+++ b/nixos/modules/services/desktops/gnome3/at-spi2-core.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix b/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix
index 3d2b3ed85e3..3c7f217b18d 100644
--- a/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix
+++ b/nixos/modules/services/desktops/gnome3/chrome-gnome-shell.nix
@@ -4,6 +4,10 @@
 with lib;
 
 {
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
   options = {
     services.gnome3.chrome-gnome-shell.enable = mkEnableOption ''
diff --git a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix b/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
index 7e312a1b81e..bd62d16f61c 100644
--- a/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
+++ b/nixos/modules/services/desktops/gnome3/evolution-data-server.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
@@ -16,7 +20,7 @@ with lib;
         type = types.bool;
         default = false;
         description = ''
-          Whether to enable Evolution Data Server, a collection of services for 
+          Whether to enable Evolution Data Server, a collection of services for
           storing addressbooks and calendars.
         '';
       };
diff --git a/nixos/modules/services/desktops/gnome3/glib-networking.nix b/nixos/modules/services/desktops/gnome3/glib-networking.nix
index fcd58509d6f..7e667b6b1f0 100644
--- a/nixos/modules/services/desktops/gnome3/glib-networking.nix
+++ b/nixos/modules/services/desktops/gnome3/glib-networking.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix b/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix
index d715d52c2d0..c391ad9694c 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-initial-setup.nix
@@ -44,6 +44,10 @@ in
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
index bf03a7aa78f..2916a3c82b3 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
index 748a025414a..3f9ced5e86b 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix b/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
index d406bf6f5e3..39d669e8b30 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
index 021f4f9534b..4fbf726e724 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix
@@ -4,6 +4,10 @@
 with lib;
 
 {
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
   options = {
     services.gnome3.gnome-remote-desktop = {
diff --git a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix b/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix
index 2f83fd653bd..1c33ed064a1 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-settings-daemon.nix
@@ -12,6 +12,10 @@ in
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   imports = [
     (mkRemovedOptionModule
       ["services" "gnome3" "gnome-settings-daemon" "package"]
diff --git a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix b/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
index f8396287770..f2fe8b41a9e 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-user-share.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/rygel.nix b/nixos/modules/services/desktops/gnome3/rygel.nix
index dfe4333a8ad..917a1d6541e 100644
--- a/nixos/modules/services/desktops/gnome3/rygel.nix
+++ b/nixos/modules/services/desktops/gnome3/rygel.nix
@@ -4,6 +4,10 @@
 with lib;
 
 {
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
   options = {
     services.gnome3.rygel = {
diff --git a/nixos/modules/services/desktops/gnome3/sushi.nix b/nixos/modules/services/desktops/gnome3/sushi.nix
index 7a4389038b2..83b17365d5d 100644
--- a/nixos/modules/services/desktops/gnome3/sushi.nix
+++ b/nixos/modules/services/desktops/gnome3/sushi.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gnome3/tracker-miners.nix b/nixos/modules/services/desktops/gnome3/tracker-miners.nix
index b390d8368c6..f2af4024927 100644
--- a/nixos/modules/services/desktops/gnome3/tracker-miners.nix
+++ b/nixos/modules/services/desktops/gnome3/tracker-miners.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
@@ -25,7 +29,6 @@ with lib;
 
   };
 
-
   ###### implementation
 
   config = mkIf config.services.gnome3.tracker-miners.enable {
diff --git a/nixos/modules/services/desktops/gnome3/tracker.nix b/nixos/modules/services/desktops/gnome3/tracker.nix
index 2e829274226..cd196e38553 100644
--- a/nixos/modules/services/desktops/gnome3/tracker.nix
+++ b/nixos/modules/services/desktops/gnome3/tracker.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix
index 1d002eac41d..250ea6d4575 100644
--- a/nixos/modules/services/desktops/gvfs.nix
+++ b/nixos/modules/services/desktops/gvfs.nix
@@ -12,6 +12,10 @@ in
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   # Added 2019-08-19
   imports = [
     (mkRenamedOptionModule
diff --git a/nixos/modules/services/desktops/pantheon/contractor.nix b/nixos/modules/services/desktops/pantheon/contractor.nix
deleted file mode 100644
index c76145191a7..00000000000
--- a/nixos/modules/services/desktops/pantheon/contractor.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-# Contractor
-
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-{
-
-
-  ###### implementation
-
-  config = mkIf config.services.pantheon.contractor.enable {
-
-    
-
-  };
-
-}
diff --git a/nixos/modules/services/desktops/pipewire.nix b/nixos/modules/services/desktops/pipewire.nix
index 13f3d61e84c..5aee59cfdcc 100644
--- a/nixos/modules/services/desktops/pipewire.nix
+++ b/nixos/modules/services/desktops/pipewire.nix
@@ -8,6 +8,11 @@ let
   packages = with pkgs; [ pipewire ];
 
 in {
+
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   ###### interface
   options = {
     services.pipewire = {
@@ -33,5 +38,4 @@ in {
     systemd.user.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ];
   };
 
-  meta.maintainers = with lib.maintainers; [ jtojnar ];
 }
diff --git a/nixos/modules/services/desktops/telepathy.nix b/nixos/modules/services/desktops/telepathy.nix
index f5401c18098..34596bf7818 100644
--- a/nixos/modules/services/desktops/telepathy.nix
+++ b/nixos/modules/services/desktops/telepathy.nix
@@ -6,6 +6,10 @@ with lib;
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/tumbler.nix b/nixos/modules/services/desktops/tumbler.nix
index a833e99ff8c..a09079517f0 100644
--- a/nixos/modules/services/desktops/tumbler.nix
+++ b/nixos/modules/services/desktops/tumbler.nix
@@ -18,6 +18,10 @@ in
       "")
   ];
 
+  meta = {
+    maintainers = with maintainers; [ worldofpeace ];
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/desktops/zeitgeist.nix b/nixos/modules/services/desktops/zeitgeist.nix
index 20c82ccdd56..cf7dd5fe3a1 100644
--- a/nixos/modules/services/desktops/zeitgeist.nix
+++ b/nixos/modules/services/desktops/zeitgeist.nix
@@ -5,6 +5,11 @@
 with lib;
 
 {
+
+  meta = {
+    maintainers = with maintainers; [ worldofpeace ];
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/mail/sympa.nix b/nixos/modules/services/mail/sympa.nix
index c3ae9d4255b..0cad09927b2 100644
--- a/nixos/modules/services/mail/sympa.nix
+++ b/nixos/modules/services/mail/sympa.nix
@@ -25,8 +25,6 @@ let
     StateDirectory = "sympa";
     ProtectHome = true;
     ProtectSystem = "full";
-    ProtectKernelTunables = true;
-    ProtectKernelModules = true;
     ProtectControlGroups = true;
   };
 
@@ -415,7 +413,7 @@ in
       # force-copy static_content so it's up to date with package
       # set permissions for wwsympa which needs write access (...)
       "R  ${dataDir}/static_content    -    -       -        - -"
-      "C  ${dataDir}/static_content    0711 ${user} ${group} - ${pkg}/static_content"
+      "C  ${dataDir}/static_content    0711 ${user} ${group} - ${pkg}/var/lib/sympa/static_content"
       "e  ${dataDir}/static_content/*  0711 ${user} ${group} - -"
 
       "d  /run/sympa                   0755 ${user} ${group} - -"
@@ -497,7 +495,7 @@ in
           -F ${toString cfg.web.fcgiProcs} \
           -P /run/sympa/wwsympa.pid \
           -s /run/sympa/wwsympa.socket \
-          -- ${pkg}/bin/wwsympa.fcgi
+          -- ${pkg}/lib/sympa/cgi/wwsympa.fcgi
         '';
 
       } // commonServiceConfig;
@@ -518,7 +516,7 @@ in
           fastcgi_split_path_info ^(${loc})(.*)$;
 
           fastcgi_param PATH_INFO       $fastcgi_path_info;
-          fastcgi_param SCRIPT_FILENAME ${pkg}/bin/wwsympa.fcgi;
+          fastcgi_param SCRIPT_FILENAME ${pkg}/lib/sympa/cgi/wwsympa.fcgi;
         '';
       }) // {
         "/static-sympa/".alias = "${dataDir}/static_content/";
@@ -550,7 +548,7 @@ in
           args = [
             "flags=hqRu"
             "user=${user}"
-            "argv=${pkg}/bin/queue"
+            "argv=${pkg}/libexec/queue"
             "\${nexthop}"
           ];
         };
@@ -562,7 +560,7 @@ in
           args = [
             "flags=hqRu"
             "user=${user}"
-            "argv=${pkg}/bin/bouncequeue"
+            "argv=${pkg}/libexec/bouncequeue"
             "\${nexthop}"
           ];
         };
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index 17c3582db0f..8203cb13e50 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -376,6 +376,59 @@ in
           If enabled (the default), checks that Nix can parse the generated nix.conf.
         '';
       };
+
+      registry = mkOption {
+        type = types.attrsOf (types.submodule (
+          let
+            inputAttrs = types.attrsOf (types.oneOf [types.str types.int types.bool types.package]);
+          in
+          { config, name, ... }:
+          { options = {
+              from = mkOption {
+                type = inputAttrs;
+                example = { type = "indirect"; id = "nixpkgs"; };
+                description = "The flake reference to be rewritten.";
+              };
+              to = mkOption {
+                type = inputAttrs;
+                example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; };
+                description = "The flake reference to which <option>from></option> is to be rewritten.";
+              };
+              flake = mkOption {
+                type = types.unspecified;
+                default = null;
+                example = literalExample "nixpkgs";
+                description = ''
+                  The flake input to which <option>from></option> is to be rewritten.
+                '';
+              };
+              exact = mkOption {
+                type = types.bool;
+                default = true;
+                description = ''
+                  Whether the <option>from</option> reference needs to match exactly. If set,
+                  a <option>from</option> reference like <literal>nixpkgs</literal> does not
+                  match with a reference like <literal>nixpkgs/nixos-20.03</literal>.
+                '';
+              };
+            };
+            config = {
+              from = mkDefault { type = "indirect"; id = name; };
+              to = mkIf (config.flake != null)
+                ({ type = "path";
+                   path = config.flake.outPath;
+                 } // lib.filterAttrs
+                   (n: v: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
+                   config.flake);
+            };
+          }
+        ));
+        default = {};
+        description = ''
+          A system-wide flake registry.
+        '';
+      };
+
     };
 
   };
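Review bot: The descriptions of `to` and `flake` in the new `registry` submodule contain a stray `>` inside the tag, `<option>from></option>`, which will show up as `from>` in the rendered manual; both should read `<option>from</option>`, as the `exact` description already does. Separately, `to` has no default and is only defined by the submodule when `flake` is non-null, so an entry that sets neither will presumably fail at evaluation with an undefined-option error. A sentence in the `to` description such as `Either this option or <option>flake</option> must be set.` would make that requirement explicit. The enclosing `options` block starts outside the hunk.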
@@ -390,6 +443,11 @@ in
 
     environment.etc."nix/nix.conf".source = nixConf;
 
+    environment.etc."nix/registry.json".text = builtins.toJSON {
+      version = 2;
+      flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry;
+    };
+
     # List of machines for distributed Nix builds in the format
     # expected by build-remote.pl.
     environment.etc."nix/machines" =
diff --git a/nixos/modules/services/network-filesystems/netatalk.nix b/nixos/modules/services/network-filesystems/netatalk.nix
index 1dd869043f0..5422d4dd4e2 100644
--- a/nixos/modules/services/network-filesystems/netatalk.nix
+++ b/nixos/modules/services/network-filesystems/netatalk.nix
@@ -98,13 +98,14 @@ in
             Set of AFP volumes to export.
             See <literal>man apf.conf</literal> for more information.
           '';
-        example =
+        example = literalExample ''
           { srv =
              { path = "/srv";
                "read only" = true;
                "hosts allow" = "10.1.0.0/16 10.2.1.100 2001:0db8:1234::/48";
              };
-          };
+          }
+        '';
       };
 
       extmap = mkOption {
diff --git a/nixos/modules/services/network-filesystems/rsyncd.nix b/nixos/modules/services/network-filesystems/rsyncd.nix
index b17ec3aa930..ccad64cfdb2 100644
--- a/nixos/modules/services/network-filesystems/rsyncd.nix
+++ b/nixos/modules/services/network-filesystems/rsyncd.nix
@@ -74,13 +74,14 @@ in
             See <command>man rsyncd.conf</command> for options.
           '';
         type = types.attrsOf (types.attrsOf types.str);
-        example =
+        example = literalExample ''
           { srv =
              { path = "/srv";
                "read only" = "yes";
                comment = "Public rsync share.";
              };
-          };
+          }
+        '';
       };
 
       user = mkOption {
diff --git a/nixos/modules/services/network-filesystems/samba.nix b/nixos/modules/services/network-filesystems/samba.nix
index a3c22ce6948..a115590ccaa 100644
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@@ -189,7 +189,7 @@ in
           See <command>man smb.conf</command> for options.
         '';
         type = types.attrsOf (types.attrsOf types.unspecified);
-        example =
+        example = literalExample ''
           { public =
             { path = "/srv/public";
               "read only" = true;
@@ -197,7 +197,8 @@ in
               "guest ok" = "yes";
               comment = "Public samba share.";
             };
-          };
+          }
+        '';
       };
 
     };
diff --git a/nixos/modules/services/networking/3proxy.nix b/nixos/modules/services/networking/3proxy.nix
index 26aa1667946..ae8a4958ca9 100644
--- a/nixos/modules/services/networking/3proxy.nix
+++ b/nixos/modules/services/networking/3proxy.nix
@@ -334,10 +334,12 @@ in {
           nsrecord = mkOption {
             type = types.attrsOf types.str;
             default = { };
-            example = {
-              "files.local" = "192.168.1.12";
-              "site.local" = "192.168.1.43";
-            };
+            example = literalExample ''
+              {
+                "files.local" = "192.168.1.12";
+                "site.local" = "192.168.1.43";
+              }
+            '';
             description = "Adds static nsrecords.";
           };
         };
diff --git a/nixos/modules/services/networking/dnscache.nix b/nixos/modules/services/networking/dnscache.nix
index d123bca9321..d06032daecc 100644
--- a/nixos/modules/services/networking/dnscache.nix
+++ b/nixos/modules/services/networking/dnscache.nix
@@ -61,10 +61,12 @@ in {
           Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts).
           If entry for @ is not specified predefined list of root servers is used.
         '';
-        example = {
-          "@" = ["8.8.8.8" "8.8.4.4"];
-          "example.com" = ["192.168.100.100"];
-        };
+        example = literalExample ''
+          {
+            "@" = ["8.8.8.8" "8.8.4.4"];
+            "example.com" = ["192.168.100.100"];
+          }
+        '';
       };
 
       forwardOnly = mkOption {
diff --git a/nixos/modules/services/mail/magic-wormhole-mailbox-server.nix b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix
index 09d357cd2b6..09d357cd2b6 100644
--- a/nixos/modules/services/mail/magic-wormhole-mailbox-server.nix
+++ b/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix
diff --git a/nixos/modules/services/networking/mullvad-vpn.nix b/nixos/modules/services/networking/mullvad-vpn.nix
new file mode 100644
index 00000000000..cc98414257c
--- /dev/null
+++ b/nixos/modules/services/networking/mullvad-vpn.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.mullvad-vpn;
+in
+with lib;
+{
+  options.services.mullvad-vpn.enable = mkOption {
+    type = types.bool;
+    default = false;
+    description = ''
+      This option enables Mullvad VPN daemon.
+    '';
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernelModules = [ "tun" ];
+
+    systemd.services.mullvad-daemon = {
+      description = "Mullvad VPN daemon";
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network.target" ];
+      after = [
+        "network-online.target"
+        "NetworkManager.service"
+        "systemd-resolved.service"
+      ];
+      path = [
+        pkgs.iproute
+        # Needed for ping
+        "/run/wrappers"
+      ];
+      serviceConfig = {
+        StartLimitBurst = 5;
+        StartLimitIntervalSec = 20;
+        ExecStart = "${pkgs.mullvad-vpn}/bin/mullvad-daemon -v --disable-stdout-timestamps";
+        Restart = "always";
+        RestartSec = 1;
+      };
+    };
+  };
+
+  meta.maintainers = [ maintainers.xfix ];
+}
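Review bot: `StartLimitBurst` and `StartLimitIntervalSec` are set under `serviceConfig`, which is written to the unit's `[Service]` section, but systemd documents both as `[Unit]` settings, so the restart rate limit may not take effect as intended next to `Restart = "always"`. Moving them to `unitConfig = { StartLimitBurst = 5; StartLimitIntervalSec = 20; };` puts them where systemd expects them. The unit is also ordered `after` `network-online.target` while `wants` lists only `network.target`; ordering alone does not pull the target in, so adding `"network-online.target"` to `wants` is worth considering.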
diff --git a/nixos/modules/services/networking/ndppd.nix b/nixos/modules/services/networking/ndppd.nix
index e015f76f622..77e979a8a42 100644
--- a/nixos/modules/services/networking/ndppd.nix
+++ b/nixos/modules/services/networking/ndppd.nix
@@ -43,7 +43,7 @@ let
       timeout = mkOption {
         type = types.int;
         description = ''
-          Controls how long to wait for a Neighbor Advertisment Message before 
+          Controls how long to wait for a Neighbor Advertisment Message before
           invalidating the entry, in milliseconds.
         '';
         default = 500;
@@ -51,7 +51,7 @@ let
       ttl = mkOption {
         type = types.int;
         description = ''
-          Controls how long a valid or invalid entry remains in the cache, in 
+          Controls how long a valid or invalid entry remains in the cache, in
           milliseconds.
         '';
         default = 30000;
@@ -142,7 +142,11 @@ in {
         messages, and respond to them according to a set of rules.
       '';
       default = {};
-      example = { eth0.rules."1111::/64" = {}; };
+      example = literalExample ''
+        {
+          eth0.rules."1111::/64" = {};
+        }
+      '';
     };
   };
 
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index e817f295a44..6f24141b33c 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -131,6 +131,10 @@ let
 
 in {
 
+  meta = {
+    maintainers = teams.freedesktop.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/networking/pixiecore.nix b/nixos/modules/services/networking/pixiecore.nix
new file mode 100644
index 00000000000..0e32f182e2a
--- /dev/null
+++ b/nixos/modules/services/networking/pixiecore.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.pixiecore;
+in
+{
+  meta.maintainers = with maintainers; [ bbigras danderson ];
+
+  options = {
+    services.pixiecore = {
+      enable = mkEnableOption "Pixiecore";
+
+      openFirewall = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Open ports (67, 69 UDP and 4011, 'port', 'statusPort' TCP) in the firewall for Pixiecore.
+        '';
+      };
+
+      mode = mkOption {
+        description = "Which mode to use";
+        default = "boot";
+        type = types.enum [ "api" "boot" ];
+      };
+
+      debug = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Log more things that aren't directly related to booting a recognized client";
+      };
+
+      dhcpNoBind = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Handle DHCP traffic without binding to the DHCP server port";
+      };
+
+      kernel = mkOption {
+        type = types.str or types.path;
+        default = "";
+        description = "Kernel path. Ignored unless mode is set to 'boot'";
+      };
+
+      initrd = mkOption {
+        type = types.str or types.path;
+        default = "";
+        description = "Initrd path. Ignored unless mode is set to 'boot'";
+      };
+
+      cmdLine = mkOption {
+        type = types.str;
+        default = "";
+        description = "Kernel commandline arguments. Ignored unless mode is set to 'boot'";
+      };
+
+      listen = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = "IPv4 address to listen on";
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 80;
+        description = "Port to listen on for HTTP";
+      };
+
+      statusPort = mkOption {
+        type = types.port;
+        default = 80;
+        description = "HTTP port for status information (can be the same as --port)";
+      };
+
+      apiServer = mkOption {
+        type = types.str;
+        example = "localhost:8080";
+        description = "host:port to connect to the API. Ignored unless mode is set to 'api'";
+      };
+
+      extraArguments = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "Additional command line arguments to pass to Pixiecore";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.pixiecore = {};
+    users.users.pixiecore = {
+      description = "Pixiecore daemon user";
+      group = "pixiecore";
+    };
+
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ 4011 cfg.port cfg.statusPort ];
+      allowedUDPPorts = [ 67 69 ];
+    };
+
+    systemd.services.pixiecore = {
+      description = "Pixiecore server";
+      after = [ "network.target"];
+      wants = [ "network.target"];
+      wantedBy = [ "multi-user.target"];
+      serviceConfig = {
+        User = "pixiecore";
+        Restart = "always";
+        AmbientCapabilities = [ "cap_net_bind_service" ] ++ optional cfg.dhcpNoBind "cap_net_raw";
+        ExecStart =
+          let
+            argString =
+              if cfg.mode == "boot"
+              then [ "boot" cfg.kernel ]
+                   ++ optional (cfg.initrd != "") cfg.initrd
+                   ++ optional (cfg.cmdLine != "") "--cmdline=${lib.escapeShellArg cfg.cmdLine}"
+              else [ "api" cfg.apiServer ];
+          in
+            ''
+              ${pkgs.pixiecore}/bin/pixiecore \
+                ${lib.escapeShellArgs argString} \
+                ${optionalString cfg.debug "--debug"} \
+                ${optionalString cfg.dhcpNoBind "--dhcp-no-bind"} \
+                --listen-addr ${lib.escapeShellArg cfg.listen} \
+                --port ${toString cfg.port} \
+                --status-port ${toString cfg.statusPort} \
+                ${escapeShellArgs cfg.extraArguments}
+              '';
+      };
+    };
+  };
+}
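Review bot: In `ExecStart`, the `--cmdline` element is already wrapped with `lib.escapeShellArg` when `argString` is built, and the whole list is then passed through `lib.escapeShellArgs`, so the value is quoted twice and the inner quote characters likely reach pixiecore as part of the kernel command line. Dropping the inner call, `++ optional (cfg.cmdLine != "") "--cmdline=${cfg.cmdLine}"`, leaves a single layer of escaping. The `kernel` and `initrd` options declare `types.str or types.path`; in Nix `or` is the attribute-selection fallback, so this evaluates to `types.str` alone, and `types.either types.str types.path` appears to be what was meant. Because `kernel` defaults to `""`, an assertion that it is non-empty when `mode == "boot"` would catch a missing kernel at build time rather than at service start.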
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
index 4ff9c486059..13a1a897c5e 100644
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -4,7 +4,7 @@ let
 
   inherit (builtins) toFile;
   inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
-                mkIf mkEnableOption mkOption types;
+                mkIf mkEnableOption mkOption types literalExample;
 
   cfg = config.services.strongswan;
 
@@ -79,19 +79,21 @@ in
     connections = mkOption {
       type = types.attrsOf (types.attrsOf types.str);
       default = {};
-      example = {
-        "%default" = {
-          keyexchange = "ikev2";
-          keyingtries = "1";
-        };
-        roadwarrior = {
-          auto       = "add";
-          leftcert   = "/run/keys/moonCert.pem";
-          leftid     = "@moon.strongswan.org";
-          leftsubnet = "10.1.0.0/16";
-          right      = "%any";
-        };
-      };
+      example = literalExample ''
+        {
+          "%default" = {
+            keyexchange = "ikev2";
+            keyingtries = "1";
+          };
+          roadwarrior = {
+            auto       = "add";
+            leftcert   = "/run/keys/moonCert.pem";
+            leftid     = "@moon.strongswan.org";
+            leftsubnet = "10.1.0.0/16";
+            right      = "%any";
+          };
+        }
+      '';
       description = ''
         A set of connections and their options for the ‘conn xxx’
         sections of the <filename>ipsec.conf</filename> file.
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
index 5b3eb6f04b4..e717d78feed 100644
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
@@ -169,12 +169,14 @@ in {
           description = ''
             folders which should be shared by syncthing.
           '';
-          example = {
-            "/home/user/sync" = {
-              id = "syncme";
-              devices = [ "bigbox" ];
-            };
-          };
+          example = literalExample ''
+            {
+              "/home/user/sync" = {
+                id = "syncme";
+                devices = [ "bigbox" ];
+              };
+            }
+          '';
           type = types.attrsOf (types.submodule ({ name, ... }: {
             options = {
 
diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix
index b770d47d269..ff1bdeed9f4 100644
--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@@ -302,7 +302,7 @@ in {
   ###### implementation
 
   config = mkIf (cfg.interfaces != {}) {
-    boot.extraModulePackages = [ kernel.wireguard ];
+    boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard;
     environment.systemPackages = [ pkgs.wireguard-tools ];
     # This is forced to false for now because the default "--validmark" rpfilter we apply on reverse path filtering
     # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
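Review bot: The `"5.6"` cutoff on the new `boot.extraModulePackages` line is a bare version string with no explanation, so a later reader cannot tell why the out-of-tree module is dropped there. A comment above it would record the reason, for example `# WireGuard is part of the mainline kernel since 5.6; only older kernels need the out-of-tree module`. The line also relies on `optional` and `versionOlder` being in scope, which the hunk does not show (no `with lib;` or `inherit` is visible), so that is worth confirming for this file. The `config` block continues outside the hunk.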
diff --git a/nixos/modules/services/web-apps/moinmoin.nix b/nixos/modules/services/web-apps/moinmoin.nix
index 0fee64be0bb..dc7abce2a5c 100644
--- a/nixos/modules/services/web-apps/moinmoin.nix
+++ b/nixos/modules/services/web-apps/moinmoin.nix
@@ -299,5 +299,5 @@ in
     ])));
   };
 
-  meta.maintainers = with lib.maintainers; [ b42 ];
+  meta.maintainers = with lib.maintainers; [ mmilata ];
 }
diff --git a/nixos/modules/services/web-apps/youtrack.nix b/nixos/modules/services/web-apps/youtrack.nix
index 830edac20ba..b4d653d2d77 100644
--- a/nixos/modules/services/web-apps/youtrack.nix
+++ b/nixos/modules/services/web-apps/youtrack.nix
@@ -46,9 +46,11 @@ in
         https://www.jetbrains.com/help/youtrack/standalone/YouTrack-Java-Start-Parameters.html
         for more information.
       '';
-      example = {
-        "jetbrains.youtrack.overrideRootPassword" = "tortuga";
-      };
+      example = literalExample ''
+        {
+          "jetbrains.youtrack.overrideRootPassword" = "tortuga";
+        }
+      '';
       type = types.attrsOf types.str;
     };
 
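Review bot: The example on the new `literalExample` lines sets `jetbrains.youtrack.overrideRootPassword`, and the option's description gives no warning about where such a value ends up. A `types.attrsOf types.str` value is evaluated into the system configuration, so a password placed here presumably lands in the world-readable Nix store and, if it is passed on as a Java start parameter as the description suggests, on the process command line. I would either use a non-secret parameter in the example or add a sentence to the description such as `Values set here end up in the world-readable Nix store; do not put passwords in this option.` The option definition begins outside the hunk.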
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index 41a364322ef..ac8e70c52bc 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -57,6 +57,10 @@ in
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   options = {
 
     services.gnome3 = {
diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix
index 4ff7b05ae9a..d39b4d64904 100644
--- a/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -8,6 +8,10 @@ in
 
 {
 
+  meta = {
+    maintainers = with maintainers; [ worldofpeace ];
+  };
+
   imports = [
     # added 2019-08-18
     # needed to preserve some semblance of UI familarity
diff --git a/nixos/modules/services/x11/display-managers/account-service-util.nix b/nixos/modules/services/x11/display-managers/account-service-util.nix
index 1dbe703b566..2b08c62d0ad 100644
--- a/nixos/modules/services/x11/display-managers/account-service-util.nix
+++ b/nixos/modules/services/x11/display-managers/account-service-util.nix
@@ -3,6 +3,7 @@
 , gobject-introspection
 , python3
 , wrapGAppsHook
+, lib
 }:
 
 python3.pkgs.buildPythonApplication {
@@ -36,4 +37,8 @@ python3.pkgs.buildPythonApplication {
     cp $src $out/bin/set-session
     chmod +x $out/bin/set-session
   '';
+
+  meta = with lib; {
+    maintainers = with maintainers; [ worldofpeace ];
+  };
 }
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 428ca191fd8..2a7a19e7695 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -54,14 +54,6 @@ let
         exec &> >(tee ~/.xsession-errors)
       ''}
 
-      # Start PulseAudio if enabled.
-      ${optionalString (config.hardware.pulseaudio.enable) ''
-        # Publish access credentials in the root window.
-        if ${config.hardware.pulseaudio.package.out}/bin/pulseaudio --dump-modules | grep module-x11-publish &> /dev/null; then
-          ${config.hardware.pulseaudio.package.out}/bin/pactl load-module module-x11-publish "display=$DISPLAY"
-        fi
-      ''}
-
       # Tell systemd about our $DISPLAY and $XAUTHORITY.
       # This is needed by the ssh-agent unit.
       #
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index e0ac47bb766..9b4cca56d7f 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -38,6 +38,10 @@ in
 
 {
 
+  meta = {
+    maintainers = teams.gnome.members;
+  };
+
   ###### interface
 
   options = {
diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
index 77c94114e6d..087c6b9c38a 100644
--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix
@@ -10,6 +10,10 @@ let
 
 in
 {
+  meta = {
+    maintainers = with maintainers; [ worldofpeace ];
+  };
+
   options = {
 
     services.xserver.displayManager.lightdm.greeters.pantheon = {
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index cb7b5f95958..479548863b4 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -69,6 +69,10 @@ let
 
 in
 {
+  meta = {
+    maintainers = with maintainers; [ worldofpeace ];
+  };
+
   # Note: the order in which lightdm greeter modules are imported
   # here determines the default: later modules (if enable) are
   # preferred.
diff --git a/nixos/modules/tasks/filesystems/zfs.nix b/nixos/modules/tasks/filesystems/zfs.nix
index 07225ee88ff..43347161a84 100644
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@@ -433,6 +433,7 @@ in
 
       services.zfs.zed.settings = {
         ZED_EMAIL_PROG = mkDefault "${pkgs.mailutils}/bin/mail";
+        PATH = lib.makeBinPath [ packages.zfsUser pkgs.utillinux pkgs.gawk pkgs.gnused pkgs.gnugrep pkgs.coreutils pkgs.curl ];
       };
 
       environment.etc = genAttrs
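Review bot: The added `PATH` entry is assigned without `mkDefault`, unlike `ZED_EMAIL_PROG` on the line above it. Depending on the type of `services.zfs.zed.settings`, which the hunk does not show, a user who sets their own `PATH` there would probably get a conflicting-definition error instead of an override. If a fixed search path for the ZED scripts is intended, a comment should say so, e.g. `# fixed PATH of store binaries for the ZEDLET scripts; not meant to be overridden`. Otherwise wrap it as `PATH = mkDefault (lib.makeBinPath [ ... ]);` to match its neighbour. The surrounding attribute set starts and ends outside the hunk.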
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 02de5801da2..dad211ef55b 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -609,9 +609,11 @@ in
             bindMounts = mkOption {
               type = with types; loaOf (submodule bindMountOpts);
               default = {};
-              example = { "/home" = { hostPath = "/home/alice";
-                                      isReadOnly = false; };
-                        };
+              example = literalExample ''
+                { "/home" = { hostPath = "/home/alice";
+                              isReadOnly = false; };
+                }
+              '';
 
               description =
                 ''
diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix
index 5407a62339f..6a38f5ca531 100644
--- a/nixos/tests/os-prober.nix
+++ b/nixos/tests/os-prober.nix
@@ -51,6 +51,8 @@ let
       hashed-mirrors =
       connect-timeout = 1
     '';
+    # save some memory
+    documentation.enable = false;
   };
   # /etc/nixos/configuration.nix for the vm
   configFile = pkgs.writeText "configuration.nix"  ''