diff options
Diffstat (limited to 'nixos/modules/config')
-rw-r--r-- | nixos/modules/config/fonts/fontconfig.nix | 4 | ||||
-rw-r--r-- | nixos/modules/config/fonts/fontdir.nix | 2 | ||||
-rw-r--r-- | nixos/modules/config/fonts/fonts.nix | 47 | ||||
-rw-r--r-- | nixos/modules/config/fonts/ghostscript.nix | 30 | ||||
-rw-r--r-- | nixos/modules/config/fonts/packages.nix | 43 | ||||
-rw-r--r-- | nixos/modules/config/i18n.nix | 1 | ||||
-rw-r--r-- | nixos/modules/config/nix-channel.nix | 108 | ||||
-rw-r--r-- | nixos/modules/config/nix-flakes.nix | 95 | ||||
-rw-r--r-- | nixos/modules/config/nix-remote-build.nix | 226 | ||||
-rw-r--r-- | nixos/modules/config/nix.nix | 379 | ||||
-rw-r--r-- | nixos/modules/config/qt.nix | 3 | ||||
-rw-r--r-- | nixos/modules/config/swap.nix | 5 | ||||
-rw-r--r-- | nixos/modules/config/update-users-groups.pl | 4 |
13 files changed, 874 insertions, 73 deletions
diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 2eee5cd34d063..5e2e054f7c4ef 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -42,7 +42,7 @@ let # looking things up. makeCacheConf = { }: let - makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; }; + makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.packages; }; cache = makeCache pkgs.fontconfig; cache32 = makeCache pkgs.pkgsi686Linux.fontconfig; in @@ -51,7 +51,7 @@ let <!DOCTYPE fontconfig SYSTEM 'urn:fontconfig:fonts.dtd'> <fontconfig> <!-- Font directories --> - ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)} + ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.packages)} ${optionalString (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) '' <!-- Pre-generated font caches --> <cachedir>${cache}</cachedir> diff --git a/nixos/modules/config/fonts/fontdir.nix b/nixos/modules/config/fonts/fontdir.nix index 9d41463c9470d..3b5eaf5b2d7f1 100644 --- a/nixos/modules/config/fonts/fontdir.nix +++ b/nixos/modules/config/fonts/fontdir.nix @@ -9,7 +9,7 @@ let x11Fonts = pkgs.runCommand "X11-fonts" { preferLocalBuild = true; } '' mkdir -p "$out/share/X11/fonts" font_regexp='.*\.\(ttf\|ttc\|otb\|otf\|pcf\|pfa\|pfb\|bdf\)\(\.gz\)?' - find ${toString config.fonts.fonts} -regex "$font_regexp" \ + find ${toString config.fonts.packages} -regex "$font_regexp" \ -exec ln -sf -t "$out/share/X11/fonts" '{}' \; cd "$out/share/X11/fonts" ${optionalString cfg.decompressFonts '' diff --git a/nixos/modules/config/fonts/fonts.nix b/nixos/modules/config/fonts/fonts.nix deleted file mode 100644 index 87cf837e7c80c..0000000000000 --- a/nixos/modules/config/fonts/fonts.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.fonts; - - defaultFonts = - [ pkgs.dejavu_fonts - pkgs.freefont_ttf - pkgs.gyre-fonts # TrueType substitutes for standard PostScript fonts - pkgs.liberation_ttf - pkgs.unifont - pkgs.noto-fonts-emoji - ]; -in -{ - imports = [ - (mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.fonts = [ pkgs.corefonts ]; instead.") - ]; - - options = { - - fonts = { - - # TODO: find another name for it. - fonts = mkOption { - type = types.listOf types.path; - default = []; - example = literalExpression "[ pkgs.dejavu_fonts ]"; - description = lib.mdDoc "List of primary font paths."; - }; - - enableDefaultFonts = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Enable a basic set of fonts providing several font styles - and families and reasonable coverage of Unicode. - ''; - }; - }; - - }; - - config = { fonts.fonts = mkIf cfg.enableDefaultFonts defaultFonts; }; -} diff --git a/nixos/modules/config/fonts/ghostscript.nix b/nixos/modules/config/fonts/ghostscript.nix index c284c4a0b0ab1..c41fcdaaa329d 100644 --- a/nixos/modules/config/fonts/ghostscript.nix +++ b/nixos/modules/config/fonts/ghostscript.nix @@ -3,31 +3,21 @@ with lib; { - options = { - - fonts = { - - enableGhostscriptFonts = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to add the fonts provided by Ghostscript (such as - various URW fonts and the “Base-14” Postscript fonts) to the - list of system fonts, making them available to X11 - applications. - ''; - }; - + fonts.enableGhostscriptFonts = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to add the fonts provided by Ghostscript (such as + various URW fonts and the “Base-14” Postscript fonts) to the + list of system fonts, making them available to X11 + applications. + ''; }; }; - config = mkIf config.fonts.enableGhostscriptFonts { - - fonts.fonts = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ]; - + fonts.packages = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ]; }; - } diff --git a/nixos/modules/config/fonts/packages.nix b/nixos/modules/config/fonts/packages.nix new file mode 100644 index 0000000000000..46907d5411ca5 --- /dev/null +++ b/nixos/modules/config/fonts/packages.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.fonts; +in +{ + imports = [ + (lib.mkRemovedOptionModule [ "fonts" "enableCoreFonts" ] "Use fonts.packages = [ pkgs.corefonts ]; instead.") + (lib.mkRenamedOptionModule [ "fonts" "enableDefaultFonts" ] [ "fonts" "enableDefaultPackages" ]) + (lib.mkRenamedOptionModule [ "fonts" "fonts" ] [ "fonts" "packages" ]) + ]; + + options = { + fonts = { + packages = lib.mkOption { + type = with lib.types; listOf path; + default = []; + example = lib.literalExpression "[ pkgs.dejavu_fonts ]"; + description = lib.mdDoc "List of primary font packages."; + }; + + enableDefaultPackages = lib.mkOption { + type = lib.types.bool; + default = false; + description = lib.mdDoc '' + Enable a basic set of fonts providing several styles + and families and reasonable coverage of Unicode. + ''; + }; + }; + }; + + config = { + fonts.packages = lib.mkIf cfg.enableDefaultPackages (with pkgs; [ + dejavu_fonts + freefont_ttf + gyre-fonts # TrueType substitutes for standard PostScript fonts + liberation_ttf + unifont + noto-fonts-emoji + ]); + }; +} diff --git a/nixos/modules/config/i18n.nix b/nixos/modules/config/i18n.nix index b1efc00773dc5..b19d38091e75b 100644 --- a/nixos/modules/config/i18n.nix +++ b/nixos/modules/config/i18n.nix @@ -66,6 +66,7 @@ with lib; (builtins.map (l: (replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] l) + "/UTF-8") ( [ "C.UTF-8" + "en_US.UTF-8" config.i18n.defaultLocale ] ++ (attrValues (filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings)) )) diff --git a/nixos/modules/config/nix-channel.nix b/nixos/modules/config/nix-channel.nix new file mode 100644 index 0000000000000..3f8e088ede929 --- /dev/null +++ b/nixos/modules/config/nix-channel.nix @@ -0,0 +1,108 @@ +/* + Manages the things that are needed for a traditional nix-channel based + configuration to work. + + See also + - ./nix.nix + - ./nix-flakes.nix + */ +{ config, lib, ... }: +let + inherit (lib) + mkDefault + mkIf + mkOption + stringAfter + types + ; + + cfg = config.nix; + +in +{ + options = { + nix = { + channel = { + enable = mkOption { + description = lib.mdDoc '' + Whether the `nix-channel` command and state files are made available on the machine. + + The following files are initialized when enabled: + - `/nix/var/nix/profiles/per-user/root/channels` + - `/root/.nix-channels` + - `$HOME/.nix-defexpr/channels` (on login) + + Disabling this option will not remove the state files from the system. + ''; + type = types.bool; + default = true; + }; + }; + + nixPath = mkOption { + type = types.listOf types.str; + default = + if cfg.channel.enable + then [ + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ] + else [ ]; + defaultText = '' + if nix.channel.enable + then [ + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ] + else []; + ''; + description = lib.mdDoc '' + The default Nix expression search path, used by the Nix + evaluator to look up paths enclosed in angle brackets + (e.g. `<nixpkgs>`). + ''; + }; + }; + + system = { + defaultChannel = mkOption { + internal = true; + type = types.str; + default = "https://nixos.org/channels/nixos-unstable"; + description = lib.mdDoc "Default NixOS channel to which the root user is subscribed."; + }; + }; + }; + + config = mkIf cfg.enable { + + environment.extraInit = + mkIf cfg.channel.enable '' + if [ -e "$HOME/.nix-defexpr/channels" ]; then + export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" + fi + ''; + + environment.extraSetup = mkIf (!cfg.channel.enable) '' + rm --force $out/bin/nix-channel + ''; + + # NIX_PATH has a non-empty default according to Nix docs, so we don't unset + # it when empty. + environment.sessionVariables = { + NIX_PATH = cfg.nixPath; + }; + + nix.settings.nix-path = mkIf (! cfg.channel.enable) (mkDefault ""); + + system.activationScripts.nix-channel = mkIf cfg.channel.enable + (stringAfter [ "etc" "users" ] '' + # Subscribe the root user to the NixOS channel by default. + if [ ! -e "/root/.nix-channels" ]; then + echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" + fi + ''); + }; +} diff --git a/nixos/modules/config/nix-flakes.nix b/nixos/modules/config/nix-flakes.nix new file mode 100644 index 0000000000000..242d8d3b82b79 --- /dev/null +++ b/nixos/modules/config/nix-flakes.nix @@ -0,0 +1,95 @@ +/* + Manages the flake registry. + + See also + - ./nix.nix + - ./nix-channel.nix + */ +{ config, lib, ... }: +let + inherit (lib) + filterAttrs + literalExpression + mapAttrsToList + mkDefault + mkIf + mkOption + types + ; + + cfg = config.nix; + +in +{ + options = { + nix = { + registry = mkOption { + type = types.attrsOf (types.submodule ( + let + referenceAttrs = with types; attrsOf (oneOf [ + str + int + bool + path + package + ]); + in + { config, name, ... }: + { + options = { + from = mkOption { + type = referenceAttrs; + example = { type = "indirect"; id = "nixpkgs"; }; + description = lib.mdDoc "The flake reference to be rewritten."; + }; + to = mkOption { + type = referenceAttrs; + example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; + description = lib.mdDoc "The flake reference {option}`from` is rewritten to."; + }; + flake = mkOption { + type = types.nullOr types.attrs; + default = null; + example = literalExpression "nixpkgs"; + description = lib.mdDoc '' + The flake input {option}`from` is rewritten to. + ''; + }; + exact = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether the {option}`from` reference needs to match exactly. If set, + a {option}`from` reference like `nixpkgs` does not + match with a reference like `nixpkgs/nixos-20.03`. + ''; + }; + }; + config = { + from = mkDefault { type = "indirect"; id = name; }; + to = mkIf (config.flake != null) (mkDefault ( + { + type = "path"; + path = config.flake.outPath; + } // filterAttrs + (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") + config.flake + )); + }; + } + )); + default = { }; + description = lib.mdDoc '' + A system-wide flake registry. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.etc."nix/registry.json".text = builtins.toJSON { + version = 2; + flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry; + }; + }; +} diff --git a/nixos/modules/config/nix-remote-build.nix b/nixos/modules/config/nix-remote-build.nix new file mode 100644 index 0000000000000..98c8fc06d2eec --- /dev/null +++ b/nixos/modules/config/nix-remote-build.nix @@ -0,0 +1,226 @@ +/* + Manages the remote build configuration, /etc/nix/machines + + See also + - ./nix.nix + - nixos/modules/services/system/nix-daemon.nix + */ +{ config, lib, ... }: + +let + inherit (lib) + any + concatMapStrings + concatStringsSep + filter + getVersion + mkIf + mkMerge + mkOption + optional + optionalString + types + versionAtLeast + ; + + cfg = config.nix; + + nixPackage = cfg.package.out; + + isNixAtLeast = versionAtLeast (getVersion nixPackage); + + buildMachinesText = + concatMapStrings + (machine: + (concatStringsSep " " ([ + "${optionalString (machine.protocol != null) "${machine.protocol}://"}${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" + (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") + (if machine.sshKey != null then machine.sshKey else "-") + (toString machine.maxJobs) + (toString machine.speedFactor) + (let res = (machine.supportedFeatures ++ machine.mandatoryFeatures); + in if (res == []) then "-" else (concatStringsSep "," res)) + (let res = machine.mandatoryFeatures; + in if (res == []) then "-" else (concatStringsSep "," machine.mandatoryFeatures)) + ] + ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) + + "\n" + ) + cfg.buildMachines; + +in +{ + options = { + nix = { + buildMachines = mkOption { + type = types.listOf (types.submodule { + options = { + hostName = mkOption { + type = types.str; + example = "nixbuilder.example.org"; + description = lib.mdDoc '' + The hostname of the build machine. + ''; + }; + protocol = mkOption { + type = types.enum [ null "ssh" "ssh-ng" ]; + default = "ssh"; + example = "ssh-ng"; + description = lib.mdDoc '' + The protocol used for communicating with the build machine. + Use `ssh-ng` if your remote builder and your + local Nix version support that improved protocol. + + Use `null` when trying to change the special localhost builder + without a protocol which is for example used by hydra. + ''; + }; + system = mkOption { + type = types.nullOr types.str; + default = null; + example = "x86_64-linux"; + description = lib.mdDoc '' + The system type the build machine can execute derivations on. + Either this attribute or {var}`systems` must be + present, where {var}`system` takes precedence if + both are set. + ''; + }; + systems = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "x86_64-linux" "aarch64-linux" ]; + description = lib.mdDoc '' + The system types the build machine can execute derivations on. + Either this attribute or {var}`system` must be + present, where {var}`system` takes precedence if + both are set. + ''; + }; + sshUser = mkOption { + type = types.nullOr types.str; + default = null; + example = "builder"; + description = lib.mdDoc '' + The username to log in as on the remote host. This user must be + able to log in and run nix commands non-interactively. It must + also be privileged to build derivations, so must be included in + {option}`nix.settings.trusted-users`. + ''; + }; + sshKey = mkOption { + type = types.nullOr types.str; + default = null; + example = "/root/.ssh/id_buildhost_builduser"; + description = lib.mdDoc '' + The path to the SSH private key with which to authenticate on + the build machine. The private key must not have a passphrase. + If null, the building user (root on NixOS machines) must have an + appropriate ssh configuration to log in non-interactively. + + Note that for security reasons, this path must point to a file + in the local filesystem, *not* to the nix store. + ''; + }; + maxJobs = mkOption { + type = types.int; + default = 1; + description = lib.mdDoc '' + The number of concurrent jobs the build machine supports. The + build machine will enforce its own limits, but this allows hydra + to schedule better since there is no work-stealing between build + machines. + ''; + }; + speedFactor = mkOption { + type = types.int; + default = 1; + description = lib.mdDoc '' + The relative speed of this builder. This is an arbitrary integer + that indicates the speed of this builder, relative to other + builders. Higher is faster. + ''; + }; + mandatoryFeatures = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "big-parallel" ]; + description = lib.mdDoc '' + A list of features mandatory for this builder. The builder will + be ignored for derivations that don't require all features in + this list. All mandatory features are automatically included in + {var}`supportedFeatures`. + ''; + }; + supportedFeatures = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "kvm" "big-parallel" ]; + description = lib.mdDoc '' + A list of features supported by this builder. The builder will + be ignored for derivations that require features not in this + list. + ''; + }; + publicHostKey = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + The (base64-encoded) public host key of this builder. The field + is calculated via {command}`base64 -w0 /etc/ssh/ssh_host_type_key.pub`. + If null, SSH will use its regular known-hosts file when connecting. + ''; + }; + }; + }); + default = [ ]; + description = lib.mdDoc '' + This option lists the machines to be used if distributed builds are + enabled (see {option}`nix.distributedBuilds`). + Nix will perform derivations on those machines via SSH by copying the + inputs to the Nix store on the remote machine, starting the build, + then copying the output back to the local Nix store. + ''; + }; + + distributedBuilds = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to distribute builds to the machines listed in + {option}`nix.buildMachines`. + ''; + }; + }; + }; + + # distributedBuilds does *not* inhibit /etc/machines generation; caller may + # override that nix option. + config = mkIf cfg.enable { + assertions = + let badMachine = m: m.system == null && m.systems == [ ]; + in + [ + { + assertion = !(any badMachine cfg.buildMachines); + message = '' + At least one system type (via <varname>system</varname> or + <varname>systems</varname>) must be set for every build machine. + Invalid machine specifications: + '' + " " + + (concatStringsSep "\n " + (map (m: m.hostName) + (filter (badMachine) cfg.buildMachines))); + } + ]; + + # List of machines for distributed Nix builds + environment.etc."nix/machines" = + mkIf (cfg.buildMachines != [ ]) { + text = buildMachinesText; + }; + + # Legacy configuration conversion. + nix.settings = mkIf (!cfg.distributedBuilds) { builders = null; }; + }; +} diff --git a/nixos/modules/config/nix.nix b/nixos/modules/config/nix.nix new file mode 100644 index 0000000000000..cee4f54db0cb5 --- /dev/null +++ b/nixos/modules/config/nix.nix @@ -0,0 +1,379 @@ +/* + Manages /etc/nix.conf. + + See also + - ./nix-channel.nix + - ./nix-flakes.nix + - ./nix-remote-build.nix + - nixos/modules/services/system/nix-daemon.nix + */ +{ config, lib, pkgs, ... }: + +let + inherit (lib) + concatStringsSep + boolToString + escape + floatToString + getVersion + isBool + isDerivation + isFloat + isInt + isList + isString + literalExpression + mapAttrsToList + mkAfter + mkDefault + mkIf + mkOption + mkRenamedOptionModuleWith + optionalString + optionals + strings + systems + toPretty + types + versionAtLeast + ; + + cfg = config.nix; + + nixPackage = cfg.package.out; + + isNixAtLeast = versionAtLeast (getVersion nixPackage); + + legacyConfMappings = { + useSandbox = "sandbox"; + buildCores = "cores"; + maxJobs = "max-jobs"; + sandboxPaths = "extra-sandbox-paths"; + binaryCaches = "substituters"; + trustedBinaryCaches = "trusted-substituters"; + binaryCachePublicKeys = "trusted-public-keys"; + autoOptimiseStore = "auto-optimise-store"; + requireSignedBinaryCaches = "require-sigs"; + trustedUsers = "trusted-users"; + allowedUsers = "allowed-users"; + systemFeatures = "system-features"; + }; + + semanticConfType = with types; + let + confAtom = nullOr + (oneOf [ + bool + int + float + str + path + package + ]) // { + description = "Nix config atom (null, bool, int, float, str, path or package)"; + }; + in + attrsOf (either confAtom (listOf confAtom)); + + nixConf = + assert isNixAtLeast "2.2"; + let + + mkValueString = v: + if v == null then "" + else if isInt v then toString v + else if isBool v then boolToString v + else if isFloat v then floatToString v + else if isList v then toString v + else if isDerivation v then toString v + else if builtins.isPath v then toString v + else if isString v then v + else if strings.isConvertibleWithToString v then toString v + else abort "The nix conf value: ${toPretty {} v} can not be encoded"; + + mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; + + mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + + in + pkgs.writeTextFile { + name = "nix.conf"; + text = '' + # WARNING: this file is generated from the nix.* options in + # your NixOS configuration, typically + # /etc/nixos/configuration.nix. Do not edit it! + ${mkKeyValuePairs cfg.settings} + ${cfg.extraOptions} + ''; + checkPhase = lib.optionalString cfg.checkConfig ( + if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' + echo "Ignoring validation for cross-compilation" + '' + else '' + echo "Validating generated nix.conf" + ln -s $out ./nix.conf + set -e + set +o pipefail + NIX_CONF_DIR=$PWD \ + ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ + ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ + |& sed -e 's/^warning:/error:/' \ + | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}') + set -o pipefail + ''); + }; + +in +{ + imports = [ + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) + ] ++ + mapAttrsToList + (oldConf: newConf: + mkRenamedOptionModuleWith { + sinceRelease = 2205; + from = [ "nix" oldConf ]; + to = [ "nix" "settings" newConf ]; + }) + legacyConfMappings; + + options = { + nix = { + checkConfig = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled, checks that Nix can parse the generated nix.conf. + ''; + }; + + checkAllErrors = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings. + ''; + }; + + extraOptions = mkOption { + type = types.lines; + default = ""; + example = '' + keep-outputs = true + keep-derivations = true + ''; + description = lib.mdDoc "Additional text appended to {file}`nix.conf`."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = semanticConfType; + + options = { + max-jobs = mkOption { + type = types.either types.int (types.enum [ "auto" ]); + default = "auto"; + example = 64; + description = lib.mdDoc '' + This option defines the maximum number of jobs that Nix will try to + build in parallel. The default is auto, which means it will use all + available logical cores. It is recommend to set it to the total + number of logical cores in your system (e.g., 16 for two CPUs with 4 + cores each and hyper-threading). + ''; + }; + + auto-optimise-store = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + If set to true, Nix automatically detects files in the store that have + identical contents, and replaces them with hard links to a single copy. + This saves disk space. If set to false (the default), you can still run + nix-store --optimise to get rid of duplicate files. + ''; + }; + + cores = mkOption { + type = types.int; + default = 0; + example = 64; + description = lib.mdDoc '' + This option defines the maximum number of concurrent tasks during + one build. It affects, e.g., -j option for make. + The special value 0 means that the builder should use all + available CPU cores in the system. Some builds may become + non-deterministic with this option; use with care! Packages will + only be affected if enableParallelBuilding is set for them. + ''; + }; + + sandbox = mkOption { + type = types.either types.bool (types.enum [ "relaxed" ]); + default = true; + description = lib.mdDoc '' + If set, Nix will perform builds in a sandboxed environment that it + will set up automatically for each build. This prevents impurities + in builds by disallowing access to dependencies outside of the Nix + store by using network and mount namespaces in a chroot environment. + + This is enabled by default even though it has a possible performance + impact due to the initial setup time of a sandbox for each build. It + doesn't affect derivation hashes, so changing this option will not + trigger a rebuild of packages. + + When set to "relaxed", this option permits derivations that set + `__noChroot = true;` to run outside of the sandboxed environment. + Exercise caution when using this mode of operation! It is intended to + be a quick hack when building with packages that are not easily setup + to be built reproducibly. + ''; + }; + + extra-sandbox-paths = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "/dev" "/proc" ]; + description = lib.mdDoc '' + Directories from the host filesystem to be included + in the sandbox. + ''; + }; + + substituters = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + List of binary cache URLs used to obtain pre-built binaries + of Nix packages. + + By default https://cache.nixos.org/ is added. + ''; + }; + + trusted-substituters = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "https://hydra.nixos.org/" ]; + description = lib.mdDoc '' + List of binary cache URLs that non-root users can use (in + addition to those specified using + {option}`nix.settings.substituters`) by passing + `--option binary-caches` to Nix commands. + ''; + }; + + require-sigs = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled (the default), Nix will only download binaries from binary caches if + they are cryptographically signed with any of the keys listed in + {option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither + required nor checked, so it's strongly recommended that you use only + trustworthy caches and https to prevent man-in-the-middle attacks. + ''; + }; + + trusted-public-keys = mkOption { + type = types.listOf types.str; + example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + description = lib.mdDoc '' + List of public keys used to sign binary caches. If + {option}`nix.settings.trusted-public-keys` is enabled, + then Nix will use a binary from a binary cache if and only + if it is signed by *any* of the keys + listed here. By default, only the key for + `cache.nixos.org` is included. + ''; + }; + + trusted-users = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + example = [ "root" "alice" "@wheel" ]; + description = lib.mdDoc '' + A list of names of users that have additional rights when + connecting to the Nix daemon, such as the ability to specify + additional binary caches, or to import unsigned NARs. You + can also specify groups by prefixing them with + `@`; for instance, + `@wheel` means all users in the wheel + group. + ''; + }; + + system-features = mkOption { + type = types.listOf types.str; + example = [ "kvm" "big-parallel" "gccarch-skylake" ]; + description = lib.mdDoc '' + The set of features supported by the machine. Derivations + can express dependencies on system features through the + `requiredSystemFeatures` attribute. + + By default, pseudo-features `nixos-test`, `benchmark`, + and `big-parallel` used in Nixpkgs are set, `kvm` + is also included if it is available. + ''; + }; + + allowed-users = mkOption { + type = types.listOf types.str; + default = [ "*" ]; + example = [ "@wheel" "@builders" "alice" "bob" ]; + description = lib.mdDoc '' + A list of names of users (separated by whitespace) that are + allowed to connect to the Nix daemon. As with + {option}`nix.settings.trusted-users`, you can specify groups by + prefixing them with `@`. Also, you can + allow all users by specifying `*`. The + default is `*`. Note that trusted users are + always allowed to connect. + ''; + }; + }; + }; + default = { }; + example = literalExpression '' + { + use-sandbox = true; + show-trace = true; + + system-features = [ "big-parallel" "kvm" "recursive-nix" ]; + sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; + } + ''; + description = lib.mdDoc '' + Configuration for Nix, see + <https://nixos.org/manual/nix/stable/command-ref/conf-file.html> or + {manpage}`nix.conf(5)` for available options. + The value declared here will be translated directly to the key-value pairs Nix expects. + + You can use {command}`nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings` + to view the current value. By default it is empty. + + Nix configurations defined under {option}`nix.*` will be translated and applied to this + option. In addition, configuration specified in {option}`nix.extraOptions` will be appended + verbatim to the resulting config file. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.etc."nix/nix.conf".source = nixConf; + nix.settings = { + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + substituters = mkAfter [ "https://cache.nixos.org/" ]; + system-features = mkDefault ( + [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ + optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( + # a builder can run code for `gcc.arch` and inferior architectures + [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ + map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) + ) + ); + }; + }; +} diff --git a/nixos/modules/config/qt.nix b/nixos/modules/config/qt.nix index cf4e9621d70dd..2b09281e467f9 100644 --- a/nixos/modules/config/qt.nix +++ b/nixos/modules/config/qt.nix @@ -19,7 +19,7 @@ let pkgs.qgnomeplatform-qt6 pkgs.adwaita-qt6 ] - else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ] + else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins pkgs.qt6Packages.qt6gtk2 ] else if isQt5ct then [ pkgs.libsForQt5.qt5ct pkgs.qt6Packages.qt6ct ] else if isLxqt then [ pkgs.lxqt.lxqt-qtplugin pkgs.lxqt.lxqt-config ] else if isKde then [ pkgs.libsForQt5.plasma-integration pkgs.libsForQt5.systemsettings ] @@ -86,6 +86,7 @@ in "adwaita-qt" "adwaita-qt6" ["libsForQt5" "qtstyleplugins"] + ["qt6Packages" "qt6gtk2"] ]; description = lib.mdDoc '' Selects the style to use for Qt applications. diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index 0a7e45bffb267..8989a64082643 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -252,6 +252,11 @@ in let realDevice' = escapeSystemdPath sw.realDevice; in nameValuePair "mkswap-${sw.deviceName}" { description = "Initialisation of swap device ${sw.device}"; + # The mkswap service fails for file-backed swap devices if the + # loop module has not been loaded before the service runs. + # We add an ordering constraint to run after systemd-modules-load to + # avoid this race condition. + after = [ "systemd-modules-load.service" ]; wantedBy = [ "${realDevice'}.swap" ]; before = [ "${realDevice'}.swap" ]; path = [ pkgs.util-linux pkgs.e2fsprogs ] diff --git a/nixos/modules/config/update-users-groups.pl b/nixos/modules/config/update-users-groups.pl index 54352a517a24d..75c343523e275 100644 --- a/nixos/modules/config/update-users-groups.pl +++ b/nixos/modules/config/update-users-groups.pl @@ -147,7 +147,7 @@ foreach my $g (@{$spec->{groups}}) { if (defined $existing) { $g->{gid} = $existing->{gid} if !defined $g->{gid}; if ($g->{gid} != $existing->{gid}) { - dry_print("warning: not applying", "warning: would not apply", "GID change of group ‘$name’ ($existing->{gid} -> $g->{gid})"); + dry_print("warning: not applying", "warning: would not apply", "GID change of group ‘$name’ ($existing->{gid} -> $g->{gid}) in /etc/group"); $g->{gid} = $existing->{gid}; } $g->{password} = $existing->{password}; # do we want this? @@ -209,7 +209,7 @@ foreach my $u (@{$spec->{users}}) { if (defined $existing) { $u->{uid} = $existing->{uid} if !defined $u->{uid}; if ($u->{uid} != $existing->{uid}) { - dry_print("warning: not applying", "warning: would not apply", "UID change of user ‘$name’ ($existing->{uid} -> $u->{uid})"); + dry_print("warning: not applying", "warning: would not apply", "UID change of user ‘$name’ ($existing->{uid} -> $u->{uid}) in /etc/passwd"); $u->{uid} = $existing->{uid}; } } else { |